The recent public release of the iOS 6 jailbreak by evad3rs has made a lot of people curious about what it takes to be a jailbreak developer. In a recent Ask Me Anything session with Reddit users, David Wang, aka PlanetBeing, gave a behind-the-scenes look at evasi0n, the tool that jailbreaks iOS 6.
“I’m happy to answer any questions anyone has for me, though the rest of the evad3rs seem to be asleep right now,” PlanetBeing said to open the Q&A session. Questions were numerous, with subjects ranging from the future of iOS jailbreaking and upcoming Apple products to the ins and outs of the jailbreaking procedure, the bugs involved, and what it takes to find a hack for iOS.
“Apple has successfully mitigated many vectors of attack in iOS 6. In this current jailbreak, we ‘envaded’ Apple’s mitigations in the userland with several vulnerabilities” explained David Wang. He goes on to characterize the vulnerabilities found to be “lame” and “mistakes that are a throwback to earlier days of iOS jailbreaking” when developers employed “primarily… filesystem tricks”.
For the iOS 6 jailbreak on the iPhone 5, 4S and iPad mini, the evad3rs team attacked only “Apple’s hardened security head-on in the kernel”. Using those lame vulnerabilities that “tend to be hard to find”, evad3rs were able to break into the iPhone 5 and 4S. There are at least 5 bugs that evasi0n exploits, plus several programs that bypass Apple’s security and trick the device and iOS into communicating with, reading and running code other than that bearing the company’s signature.
Basically, while all the user has to do is perform a few common steps like downloading and launching an app, the evasi0n jailbreak works quite a bit of magic under the hood. It starts by exploiting a bug in iOS 6 via the time zone file, where it inserts a symbolic link that creates a shortcut into the system. This socket is then altered to allow “programs to communicate with a program called Launch Daemon…a master process that loads first whenever an iOS device boots up”.
Launch Daemon, or launchd, can then run programs that normally require root privileges. This is what makes evasi0n an untethered jailbreak. “That means that whenever an iPhone or iPad’s mobile backup runs, it automatically grants all programs access to the time zone file and, thanks to the symbolic link trick, access to launchd,” explained David Wang in a previous interview with Forbes.
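The symbolic-link trick described above belongs to a well-known class of bugs: a privileged process writes to a path that a less-privileged party can replace with a symlink, so the write lands somewhere the attacker chose. The following is an added defensive example, not code from the article, from evad3rs, or from Apple; it shows how a privileged file writer (the role the backup service plays in the story) can refuse to follow symlinks and refuse paths that escape its trusted root. All file names, the `privileged_write` and `demo` functions, and the temporary directories are constructed for this illustration.

```python
import os
import tempfile


def privileged_write(trusted_root, relative_path, data):
    """Write data to trusted_root/relative_path the way a privileged service should.

    Refuses (returns False) when the path escapes the root, when any component
    below the root is a symbolic link, or when the final open would follow a
    symlink (O_NOFOLLOW). Returns True after a successful write.
    """
    root = os.path.realpath(trusted_root)
    target = os.path.normpath(os.path.join(root, relative_path))

    # Reject ".." tricks and absolute paths that leave the trusted root.
    if not target.startswith(root + os.sep):
        return False

    # Walk every component under the root; a symlink anywhere means the
    # final location is attacker-controlled, so stop before touching it.
    cur = root
    for part in os.path.relpath(target, root).split(os.sep):
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return False

    # O_NOFOLLOW makes the kernel refuse to open the last component if it is
    # a symlink, closing the window between the check above and the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(target, flags, 0o644)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo():
    """Constructed scenario: a benign file, a symlink pointing outside the root,
    and a '..' path. Returns a dict of outcomes for inspection."""
    root = tempfile.mkdtemp(prefix="trusted_")
    outside = tempfile.mkdtemp(prefix="outside_")

    # A stand-in for a protected file the service must never be tricked into writing.
    protected = os.path.join(outside, "protected.txt")
    with open(protected, "w") as fh:
        fh.write("original\n")

    # The attacker-style setup: a link inside the root that points at the protected file.
    os.symlink(protected, os.path.join(root, "zoneinfo_link"))

    results = {
        "plain": privileged_write(root, "zoneinfo", b"UTC\n"),
        "symlink": privileged_write(root, "zoneinfo_link", b"tampered\n"),
        "escape": privileged_write(root, "../escape", b"x\n"),
    }
    with open(protected) as fh:
        results["protected_intact"] = fh.read() == "original\n"
    return results


if __name__ == "__main__":
    print(demo())
```

The component walk plus `O_NOFOLLOW` covers the final file, but a directory on the path can still be swapped for a symlink between the check and the open; a fully robust version opens each component with `openat` and `O_NOFOLLOW` (or, on recent Linux, `openat2` with `RESOLVE_NO_SYMLINKS`) so that resolution never leaves the trusted root at all.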