Pangu jailbreak team responds to ‘regional discrimination’

Since releasing its first jailbreak last June, the Pangu jailbreak team from China has been the subject of criticism from other members of the hacking community. Now, in a lengthy post on their blog, the team has addressed some of the “vilification” it has received.

“As a team of “nerds”, we did not want to waste time on responding such useless things and hoped that eventually these things would stop after a while,” the post reads, in response to the criticism it has received “especially from Stefan Esser (i0n1c),” famed iOS hacker.

“We hereby just want to clarify the rumors, discriminations, and vilifications on our team.”

One of the first rumors addressed by Pangu is the supposed $1 million sponsorship it received shortly after it released the evasi0n 7 jailbreak. While they have received sponsorship for things like software testing and to maintain download servers — and all of the iOS devices needed for testing — they say it certainly hasn’t been $1 million.

Pangu also rubbishes reports that they allegedly bought vulnerabilities for their Pangu 7 jailbreak. They admit they used “kernel information leaks discussed in Stefan Esser’s training course,” which were already out in the wild, so they could save their own vulnerabilities for future jailbreaks.

“But after receiving Stefan Esser’s criticism, we immediately released a new version of the jailbreak tool in which we replaced the vulnerability with our own vulnerability,” Pangu adds, before insisting they have their own ability and skills to find vulnerabilities and develop jailbreak tools based on them.

Pangu also dismisses suggestions that it stole enterprise certificates. In Pangu 7 and Pangu 8 it did leverage expired enterprise certificates, and used certificates donated by fans, which they say they are very grateful for. But they insist they didn’t steal any.

“An enterprise certificate only costs a few hundreds dollars,” Pangu adds. “We don’t see any reason to steal an enterprise certificate.”

Pangu’s post ends by addressing feedback from the community, and its own contributions. They acknowledge they learned a lot from previous jailbreaks and other hackers, and they remind fans that they’ve given back to the community by presenting their techniques at events like Syscan360 2014, POC 2012, and CanSecWest 2015.

They also point to their work with Cydia creator Saurik in enabling the platform to work on iOS 8.

Pangu says it did “obfuscate the code of our jailbreak tools,” but only to prevent their exploits from being used by others, and to stop Apple from easily finding and fixing the vulnerabilities they have discovered.

“We felt very sad for wasting time on writing such a non-technical article,” Pangu concludes. “In our future talks at any security conference, we will only focus on technical stuff to respect all attendees, rather than wasting their time with balderdash.”

Pangu say they are grateful to the jailbreak community and proud members of it, and they will continue to contribute in the future. But they hope that one day, the community will not judge a work based on “its developers’ race, creed, color, or religion.”
