The evad3rs team released evasi0n close to a week back. Now that we’ve all jailbroken our iOS devices and installed the best tweaks, let’s take a look at how the unbelievably simple on the outside, yet incredibly complicated on the inside evasi0n jailbreak works.
As Apple strengthens security in iOS, hackers can no longer simply find a single exploit like earlier days and use it to gain root access to a device. evasi0n is a combination of five different bugs, most of them harmless individually, but together capable enough to crack open iOS.
evasi0n begins by exploiting in iOS’ iTunes back-up system, called the “MobileBackup” daemon. It does this by running “libmobiledevice,” a program on your PC/Mac that communicates with iOS devices using the iTunes protocol.
evasi0n restores a backup that contains a few files needed for the jailbreak. Since MobileBackup can’t store files outside
/var/Mobile/Media, evasi0n works around this by creating a “symlink” or a shortcut in
/var/Mobile/Media named .haxx that points to
/var/Media. MobileBackup is now able to write files to
/var/mobile through the
.haxx symlink. The copied files collectively form the app that you’re told to launch in the middle of the jailbreak process.
Using the symlink trick, evasi0n also gains access to a timezone file, which is again symlinked to point to launchd, a daemon that runs processes with “root” privileges. The access to launchd is now exploited and the timezone file is made accessible to all users (not just root) by changing its permissions. A similar trick is employed to make a socket, which handles communications between launchd and other processes, accessible to mobile user, under which all apps on iOS are run.
Now the user is told to launch the app that had been copied to the iOS filesystem in an earlier step. This app, using the exposed launchd socket, makes the read-only system partition writeable.
Now that the system partition has become writeable, evasi0n again fires up MobileBackup, and writes a bunch of files, one of which is launchd.conf that contains a bunch of commands constituting the exploit. This file runs on boot each time, thus making the jailbreak persistent.
One of the commands in launchd.conf is responsible for evading AppleMobileFileIntegrity’s check code signing check by loading a dynamic library, which replaces the built in checking function with one that always returns true.
evasi0n also has another roadblock ahead of it — Address Space Layout Randomisation, or ASLR, that introduces randomness into flash memory addresses, making it difficult to predict. However, there still is a location on ARM chips that’s easy to locate, and using this evasi0n can map the entire memory. From here, evasi0n, exploiting a bug in iOS’ USB interface, finally gets into the kernel of device, which is where everything opens up.