Here’s How evasi0n Jailbreak Works

evasi0n_wallpaper

The evad3rs team released evasi0n close to a week back. Now that we’ve all jailbroken our iOS devices and installed the best tweaks, let’s take a look at how the unbelievably simple on the outside, yet incredibly complicated on the inside evasi0n jailbreak works.

As Apple strengthens security in iOS, hackers can no longer simply find a single exploit like earlier days and use it to gain root access to a device. evasi0n is a combination of five different bugs, most of them harmless individually, but together capable enough to crack open iOS.

evasi0n begins by exploiting in iOS’ iTunes back-up system, called the “MobileBackup” daemon. It does this by running “libmobiledevice,” a program on your PC/Mac that communicates with iOS devices using the iTunes protocol.

evasi0n restores a backup that contains a few files needed for the jailbreak. Since MobileBackup can’t store files outside /var/Mobile/Media, evasi0n works around this by creating a “symlink” or a shortcut in /var/Mobile/Media named .haxx that points to /var/Media. MobileBackup is now able to write files to /var/mobile through the .haxx symlink. The copied files collectively form the app that you’re told to launch in the middle of the jailbreak process.

Using the symlink trick, evasi0n also gains access to a timezone file, which is again symlinked to point to launchd, a daemon that runs processes with “root” privileges. The access to launchd is now exploited and the timezone file is made accessible to all users (not just root) by changing its permissions. A similar trick is employed to make a socket, which handles communications between launchd and other processes, accessible to mobile user, under which all apps on iOS are run.

Now the user is told to launch the app that had been copied to the iOS filesystem in an earlier step. This app, using the exposed launchd socket, makes the read-only system partition writeable.

Now that the system partition has become writeable, evasi0n again fires up MobileBackup, and writes a bunch of files, one of which is launchd.conf that contains a bunch of commands constituting the exploit. This file runs on boot each time, thus making the jailbreak persistent.

One of the commands in launchd.conf is responsible for evading AppleMobileFileIntegrity’s check code signing check by loading a dynamic library, which replaces the built in checking function with one that always returns true.

evasi0n also has another roadblock ahead of it — Address Space Layout Randomisation, or ASLR, that introduces randomness into flash memory addresses, making it difficult to predict. However, there still is a location on ARM chips that’s easy to locate, and using this evasi0n can map the entire memory. From here, evasi0n, exploiting a bug in iOS’ USB interface, finally gets into the kernel of device, which is where everything opens up.

Via: Forbes, Acuvant Labs

  • j4nuS

    sounds quick when you just read it but i’m sure a lot of time was spent looking for these bugs and exploits… and a lot of talent too… jailbreaking is the only reason i stay with the iphone and i hope the jailbreaking community stays ahead of apple…

    • Alex

      “…jailbreaking is the only reason I stay with the iPhone…”

      - And that’s why Apple let this happen at this time, why they haven’t blocked it yet, and why they’ll so carefully time when and how they do block it.

      All you Jailbreakers contribute to Apple being cool again; and little bursts of Jailbreaking now and then contributes a ton of free function R&D and field testing.

  • sammyjay

    should they really be giving info on how all these are done – Apple will be able to patch or change what ever method they used. just wondering ….

    • http://www.iphonehacks.com iPhoneHacks

      After the evasi0n jailbreak was released, Apple would have figured out how it works, so there is nothing to hide.

      • nzhong168

        If Apple changed its app reviews standard, then there would be no need for jailbreaking mine such as allowing theme, SBSetting type of apps and custom keyboards (5-row keyboard).

        Many of my friends only care these basic features that are the standard in my company’s Android based corporate phones.

        • red fruit bite

          also a free trial for the apps is a good idea…… no return no exchange.
          jailbreak is also known as piracy, think of a cracked apps

  • http://twitter.com/Shadow_Daemon Christian Manuel

    yesss apple can read this and do something about it D:

    • http://twitter.com/Shadow_Daemon Christian Manuel

      i think

  • http://www.facebook.com/marius.zotea Marius Zotea

    Great article, even though it’s written by someone else it’s nice to see this kinds of articles here at iphonehacks. I hope to see more articles like this in the future.

  • Damani Brown

    I guess it’s just awesome to blog about how the jailbreak works. It will be fixed in the next beta for sure.

    • moe22

      LOL your so dumb. Your parents must buy all your things for you.

      • Damani Brown

        Coming from the guy who uses the wrong “you’re”. I’m guessing you still live with your parents, and you’re 12?

        • http://www.facebook.com/THExREALxTACO Jeremy Taco Patterson

          He is correct though. Apple can jailbreak a phone and analyze the code and within a few hours see exactly how it was broken.

          No need to try to keep it secret. I wouldn’t be surprised at all if Apple didn’t “leak” the bugs to the jailbreakers.

  • diddle

    Idiots.
    Apple will know how the jailbreak works within hours of its release. Go back to playing with your Lego bricks children.

    • Damani Brown

      I agree. It’s not even patched yet, and these guys basically surrendered it to them. Idiots. Let Apple figure it out for themselves…

      • Kraziie

        Lol trust me apple keeps an eye on these websites to stay updated with the jailbreak community and spy on information an once the jailbreak is realeased trust me they download it and read every single action and step the jailbreak does and the bugs it used and then patch it straight away without us telling them how it works. Thats why everysingle updat NEEDS A NEW JAILBREAK. :-)

        • Damani Brown

          Well of course they are going to do that. But, they must FIGURE OUT where the problem is so they can fix it. This article just TOLD them STEP BY STEP how to fix the problem. Let them decode the whole thing and figure it out for themselves. Who knows, this could be a similar method for the other jailbreaks they claim they are “holding” then they fix that method and wipe out the other jailbreaks. Didn’t think that far did you? Unless the dev team writes about it, it shouldn’t be written.

    • Diddlederp

      If you don’t think Apple knows how they were able to jailbreak 6.x, then you’re the idiot.

  • http://profiles.google.com/sebastian.rasch Sebastian Rasch

    Very interesting!

  • http://www.facebook.com/yztechs Felipe Evangelista

    Let me say …… just amazing what these guys can do. Thank you so much for the jailbreak !

  • anonymous

    Apple depends on jailbreak to make their product better. They get the best ideas from the jailbreak community to add new features in their product.

  • http://www.facebook.com/stephen.kennard Steve Kennard

    Love the wallpaper on the i devices in the pix, what is it?

    • D4

      Matrix, google is the place to be.

      • http://www.facebook.com/stephen.kennard Steve Kennard

        cheers

        • D4

          Welcome dude, on front page theres now a theme, that be best to go for id say.

          • http://www.facebook.com/stephen.kennard Steve Kennard

            yea, saw that.
            Thanks again.

  • Hadu

    Simple as pie ;)

  • CUBANAZO

    Let’s make sure our EVAD3RS get something back and donate!!!…Thanks guys!!!

  • jaybeans821

    wondering if all the hackers had to learn this stuff or do some of them just took a look at code one day and said “wow that makes sense to me”….i love the Geniuses, and im not sure if i would have my idevices without jailbreaking, but im sure glad its here and hopefully here too stay…

    • Woody

      It’s called Autism and Aspergers we’d still be living in Caves if there were no Autistic and Asperger people they just see what we don’t see

      • http://www.facebook.com/THExREALxTACO Jeremy Taco Patterson

        Those guys actually use more than then 10-13% of their brain like most of us. They are truly amazing!

        • Woody

          Exactly they are not normal functioning people like Jobs and Woz look at their social skills read Job’s biography classic High functioning ASD no people skills and was very good at what he did

          • http://www.facebook.com/THExREALxTACO Jeremy Taco Patterson

            I am not 100% sure Jobs was. Woz I’d say almost definitely. Jobs was above average intelligence and grasped the technology, but he was MUCH more a salesman and visionary than he was a tech genius.

            That’s what I personally took from his Autobiography.

  • Amyn

    Anyone have problem with there sound not working after jailbreaking

  • http://www.facebook.com/hannah.m.reynolds.9 Hannah Mariah Reynolds

    After downloading Cydia using envasi0n, i cannot connect to wifi! i have tried everything. please reply.

  • Joe

    All you people that are worried about Apple now knowing how the jailbreak works are morons. Do you think that Apple engineers didn’t immediately download a copy of the jailbreak tool to see how it works? Idiots!

    Great job dev team. I donated, how about the rest of you? Or are you too self-centered and selfish to throw these brilliant men a bone.

    • Damani Brown

      They’ve “obviously” haven’t figured it out yet. As, it’s not patched in 6.1.1… Guess those engineers aren’t that good. But, after this crap I’ll be patched for sure in the next beta.

  • IOS7

    Simply put, this article is to encourage more hackers to come out and test, evad3rs need help and I guess they are tired of doing this alone. Evad3rs has done a great great job, not sure though if they will still be there by IOS7, hopefully YES.

  • Ali Imam

    Thanks a lot to the team for their great effort.

  • http://www.facebook.com/ZedSefi Zed Sefi

    OK this was a fascinating read, but why telling the whole world about it? Now Apple know how to shut down everything, and this means the next jailbreak will be impossible!! :(

  • Rumours

    When jailbreak for iOS 6.1.3 on iPhone 5 will be released???

  • lilt

    I’m not technical at all…. I bought a used Verizon iPhone 4S and didn’t know it was locked (or is it blocked??). I have the latest iOS version 6.1.3, I think. I want to use my phone in Europe by changing out the SIM card, but wasn’t able to get it fixed while there. Now I’m going back again. I use a cellular service on the Verizon network, (not Verizon), so having no contract with Verizon, they won’t unlock my phone. Can anyone help me, pretty please? I won’t know how to follow a half hour worth of technical instructions.