Geohot has made a re-entry in the jailbreaking scene after a long absence, having tried to race the evad3rs team to an iOS 7 jailbreak, and also trying to sell it for $350k. Following these unsuccessful attempts, he has posted a breakdown of how exactly the userland portion of evasi0n works.
In his writeup, geohot admits that the jailbreak he was working on was based on “leaked” exploits:
I was working on a public, free of charge, China not involved, old school jailbreak with a few others. evad3rs released first. That jailbreak overlapped this one 80%, partly due to leaks, but mainly due to the exploits and methodology being the obvious choice (great minds, well you know), meaning the exploits won’t be usable next time. No more jailbreaks ever?
Based on the information he obtained by reverse engineering the evasi0n binary, geohot says that the jailbreak doesn’t contain any Chinese backdoors, putting to rest privacy concerns and suspicions that evasi0n is malware.
geohot has also explained how the userland portion of the jailbreak works with a first-person narration from the perspective of the evasi0n7 binary. The userland portion is the part used to achieve root access, after which there’s the difficult task of patching the kernel permanently to achieve the untethered jailbreak.
The explanation is fairly complex: it involves chaining the exploitation of several bugs, one after the other, to escape the sandbox, gain write access to the filesystem and, of course, achieve root. You can read the whole explanation on geohot’s website. For an alternative explanation, you can also refer to this link.
Read also: How the evasi0n jailbreak for iOS 6 works