The prospect of an iOS 6 untethered jailbreak for iPhone 5 is definitely looking hopeful again. Within the last couple of weeks, two stars of the jailbreaking community, former Chronic Dev Team member Cyril Cattiaux aka @pod2g, and iPhone Dev team member David Wang aka @planetbeing have reemerged, tweeting and sharing information about their progress on an iOS 6 untethered jailbreak for iPhone 5, 4S and other non-jailbroken devices.
In a recent landmark Reddit admission, @planetbeing informed the community that an iOS 6.0.2 untethered jailbreak was indeed working on his iPhone 5 and that a release would come in the future, though he gave no ETA.
"Yeah, I'm not really sure what all the doom and gloom is about. The fact is, I have an untethered iOS 6.0.2 JB running on my iPhone 5 right now. The reasons it's not released are because:
1.) Releasing it would burn an exploit we want to save for ourselves so we can always get in to look at new firmware and help JB in the future
2.) iOS 6.1 is coming very soon and will likely break a small part of it anyway, there's no point in sacrificing the many bugs it won't break. Anyway, where there are 4+ bugs (that it took to get this to work), there's gotta be one or two more so while jailbreaking is getting harder, reports of its death are highly exaggerated."
With hopes renewed, the jailbreak community was indeed briefly satisfied despite the more than three-month wait to jailbreak iOS 6 on iPhone 5 and 4S. Many within the community voiced their thanks to @planetbeing for his update, as it was just enough to keep their hopes alive.
As one Redditor posted last Friday,
"I think the best thing is actually hearing that work is going on behind the scenes. Too often I think many of the JB Devs believe that we want detailed status updates, but I know for me that isn't the case at all. Even just something that states 'Hey we're still working over here. Still exploring.'"
Now that rumors have emerged that the iOS 6.1 GM (golden master) will soon be released to developers, the hope is that an iOS 6 or 6.1 untethered jailbreak for iPhone 5 and other non-jailbroken devices won't be too much further away.
It seems @planetbeing must have heard the thankfulness in this jailbreak follower's words, as since then we have seen him become quite active on Twitter, posting tidbits about his iOS 6 kernel hacking, including both his frustrations and successes.
One post which emerged on Sunday was of particular interest to those in the community awaiting a jailbreak for iOS 6. It seemed not only to convey that progress had been made, but also that David Wang aka @planetbeing was preparing a way to ease some of the work in future iOS jailbreaks.
Here is what he tweeted:
"Wrote part of an ARM disassembler to automatically find JB patches in the era of PIC. Thinking about maybe open-sourcing this part later. With this we can mostly patch variables instead of patching text, since apparently iBooks is allergic to patching text. Interesting note is that I always use the iOS Hacker's Handbook to figure out what patches to do instead of trying to read old code."
It didn't take long after this post for comments to flood @planetbeing's Twitter page, including some quips from a recently silent fellow iPhone Dream Team member, Joshua Hill aka @p0sixninja.
"lol, you don't have them memorized yet?" Hill quipped. "Also, I did that last month ... you should have just asked."
At this point another face in the jailbreak community, Joshua Tucker, chimed in with a joke of his own,
"Isn't that pretty much like anything else? You have it written down so you don't have to remember? LOL."
@p0sixninja continued the friendly banter adding this,
"I don't know about everyone, but I've done it enough times, I've had dreams about applying kernel patches"
To which modest @planetbeing added this reply,
"I'm not enough of a savant to trust myself to memorize eight independent patches (and how to find them)."
To which @joshmtucker added one last joke,
"I bet Josh is just lying and he actually has them laminated on a portable cue card."
The banter continued for several moments more as Twitter lurkers like myself became more and more fascinated by a discussion we couldn't understand but felt was vital to the release of an iOS 6 untethered jailbreak for iPhone 5, 4S and other non-jailbroken devices.
At this point, being the nosy and obsessed jailbreak writer I am, I decided to email David and ask him to explain in a bit more detail what exactly his tweets meant.
I was indeed surprised when two hours later he sent me quite a thorough explanation that even now I barely understand.
I had contemplated publishing the entire email, but as it is easily 1,000-plus words, I will attempt to pull out the highlights and feebly explain them in my layman's way.
I must warn you though, as @planetbeing told me:
"It's hard to describe it without an essay, but here goes ..."
"Basically the end-goal of jailbreaking has been to apply a set of patches to the kernel to allow unsigned code to execute, and to do cool stuff like allowing MobileSubstrate to rewrite code while programs are still running, allowing tweaks to hook into functions and change their behavior.
We have to patch the machine code of the kernel while it's in memory and so we have to know exactly what parts of it to patch and how to patch it so we change the behavior of a few kernel functions to do what we want.
The most manual way we 'find' these patches is by looking through with a disassembler, spotting functions we have to patch by recognizing them from seeing them in previous iOS versions, and then patching those locations. In addition, during the course of exploitation, we often need to find locations of gadgets, or functions in the operating system that we can use to run the exploit. Because we need to know the exact address of these things, and the exact addresses can change even if Apple changes the source code in an entirely unrelated area, or chooses to compile things a little differently, these addresses for patches and gadgets change for every device and iOS version. Since there are a lot of devices, the process can get fairly ridiculous. Therefore, we typically write a tool to find these addresses automatically."
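To make the "find the patch automatically" step he describes (and the disassembler-based patch finder from his tweet) concrete, here is a small added example in C. It is my illustration, not planetbeing's tool or any jailbreak's code: it scans two constructed Thumb-2 byte images (the function is invented, the instruction encodings are genuine) for an instruction signature, wildcards the address-dependent immediate of the BL, and reports where the "return 0" a jailbreak would flip is sitting. The firmware bytes, the signature and the patch itself are all assumptions made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from any jailbreak: a signature-based patch finder
 * for Thumb-2 text. It looks for what the instructions ARE, not where they
 * are, so it keeps working when the function moves or calls a different
 * helper between firmware builds. */

/* Two constructed "firmware" images standing in for the same (invented)
 * kernel function as built for two different devices. Little-endian
 * halfwords; the encodings are real Thumb-2. */
static uint8_t fw_a[] = {
    0x00, 0xbf,             /* NOP  (unrelated preceding code) */
    0x00, 0xbf,             /* NOP */
    0x10, 0xb5,             /* PUSH {r4, lr}   <- function start */
    0x04, 0x46,             /* MOV  r4, r0 */
    0x3c, 0xf0, 0x11, 0xfb, /* BL   <helper>   (immediate depends on layout) */
    0x00, 0x20,             /* MOVS r0, #0     <- the "deny" result to flip */
    0x10, 0xbd,             /* POP  {r4, pc} */
    0x70, 0x47,             /* BX   lr */
};

static uint8_t fw_b[] = {
    0x00, 0xbf, 0x00, 0xbf, 0x00, 0xbf, /* three NOPs: function shifted by 2 */
    0x10, 0xb5,                         /* PUSH {r4, lr} */
    0x04, 0x46,                         /* MOV  r4, r0 */
    0x9a, 0xf0, 0xc3, 0xf9,             /* BL with a different immediate */
    0x00, 0x20,                         /* MOVS r0, #0 */
    0x10, 0xbd,                         /* POP  {r4, pc} */
    0x70, 0x47,                         /* BX   lr */
};

/* Signature of the function. For the BL only the opcode bits are kept
 * (first halfword 11110xxx, second halfword 11x1xxxx); the 22-bit branch
 * immediate changes between builds and is masked out. */
static const uint8_t sig[] = {
    0x10, 0xb5,             /* PUSH {r4, lr} */
    0x04, 0x46,             /* MOV  r4, r0 */
    0x00, 0xf0, 0x00, 0xd0, /* BL ... (opcode bits only) */
    0x00, 0x20,             /* MOVS r0, #0 */
    0x10, 0xbd,             /* POP  {r4, pc} */
};
static const uint8_t sig_mask[] = {
    0xff, 0xff,
    0xff, 0xff,
    0x00, 0xf8, 0x00, 0xd0, /* 0x00 = wildcard byte, partial masks for BL */
    0xff, 0xff,
    0xff, 0xff,
};
#define RET0_OFFSET_IN_SIG 8   /* the MOVS r0, #0 sits 8 bytes into the signature */

/* Masked search; Thumb instructions are halfword-aligned so we step by 2. */
static long find_sig(const uint8_t *text, size_t len,
                     const uint8_t *pat, const uint8_t *mask, size_t plen)
{
    if (plen > len) return -1;
    for (size_t off = 0; off + plen <= len; off += 2) {
        size_t i;
        for (i = 0; i < plen; i++)
            if ((text[off + i] & mask[i]) != (pat[i] & mask[i])) break;
        if (i == plen) return (long)off;
    }
    return -1;
}

/* Offset of the MOVS r0, #0 halfword to patch, or -1 if not found. */
long find_ret0_patch(const uint8_t *text, size_t len)
{
    long off = find_sig(text, len, sig, sig_mask, sizeof sig);
    return off < 0 ? -1 : off + RET0_OFFSET_IN_SIG;
}

/* Rewrite MOVS r0, #0 (0x2000) to MOVS r0, #1 (0x2001). 0 on success. */
int flip_ret0(uint8_t *text, size_t len)
{
    long off = find_ret0_patch(text, len);
    if (off < 0) return -1;
    text[off]     = 0x01;   /* low byte of the little-endian halfword */
    text[off + 1] = 0x20;
    return 0;
}

int main(void)
{
    printf("fw_a: patch at offset %ld\n", find_ret0_patch(fw_a, sizeof fw_a));
    printf("fw_b: patch at offset %ld\n", find_ret0_patch(fw_b, sizeof fw_b));
    if (flip_ret0(fw_a, sizeof fw_a) == 0)
        printf("fw_a patched: %02x %02x\n", fw_a[12], fw_a[13]);
    return 0;
}
```

The point is that the finder keys on the instructions rather than their addresses: fw_b carries the same function two bytes further in, with a different call target, and it is still found. One caveat a real finder has to handle: once the halfword is flipped the signature no longer matches, so running the finder a second time reports -1 instead of the already-patched location.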
In asking him what impact this new tool would have on the speedy release of the iOS 6 untethered jailbreak for iPhone 5, 4S and other non-jailbroken devices, and why he was making it open source, this is what he had to say:
"This stuff is pretty open-sourceable because while it is common to all jailbreaks, it's not really related to actually exploiting vulnerabilities, so it's nothing Apple would want to or can fix. Making the engine smart about finding patches is also a problem that many people can work on. However, the caveat is that it would not really make releasing jailbreaks significantly faster, but it may lighten the more boring parts of the workload of making a jailbreak from those who do so."
Here I will insert a bit of a note: when he talks about locating the addresses of functions, I have to tell you, this is no easy feat. Over the years Apple has steadily added security features, and one of the most interesting and challenging is ASLR. It arrived for userland applications in iOS 4.3 and, with iOS 6, reached the kernel itself, so the kernel, system daemons and sandboxed apps are now all loaded at randomized addresses.
So what is ASLR, and why does it hurt? To answer that you have to go back a step. Early in the jailbreak timeline, running unsigned code was simple: you included your code in the buffer you overflowed and made the processor jump to it. That no longer works, because memory that holds data can no longer be executed as code, a protection usually called DEP (Data Execution Prevention). On iOS it is enforced by non-executable pages together with mandatory code signing, so an exploit cannot simply mark its own buffer executable.
Jailbreakers and hackers were not beaten by this, and at that point ROP, Return Oriented Programming, was born. Instead of injecting code, ROP chains together short snippets of code that already exist in the kernel or in system libraries, each ending in a return instruction (the "gadgets"), by laying their addresses out on the stack so that each one returns into the next. Comex used a ROP payload in his jailbreaks. The catch is that ROP depends on knowing the exact address of every gadget, and this is why Apple added ASLR, Address Space Layout Randomization.
ASLR loads code and data at a different random offset each boot (and, for apps, each launch), so a ROP chain built from fixed addresses lands on the wrong instructions. Being the brilliant guys that they are, however, these devs have found ways around it: an information leak, a bug that discloses a single address, is enough to compute the random offset, and from there the ROP chain is rebuilt at run time against the real addresses.
(This information is courtesy of discussions I've held with @p0sixninja. I reworded it, but trust me, I wasn't that smart to explain it.)
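As an added illustration of that information-leak step (my example, not code from any actual jailbreak or from @p0sixninja), here is the arithmetic in C. One leaked address of a function whose unslid location is known gives the random slide, and the slide is then applied to every gadget address in a ROP chain template, but not to the plain values sitting between them. All addresses, the gadget layout and the leak value are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from any jailbreak: turn one leaked kernel address
 * into the ASLR slide and rebuild a ROP chain against the slid addresses.
 * Every address below is invented. */

/* Unslid (link-time) address of the function whose address the leak reveals,
 * as a patch finder would read it out of the decrypted kernelcache. */
#define UNSLID_LEAK_FN 0x80123450u

/* A chain entry is either a gadget/target address that must be slid, or a
 * plain value (argument, padding) that must be copied untouched. */
typedef struct {
    uint32_t value;
    int      is_addr;
} rop_entry;

/* Invented layout for a "call fn(1)" chain on 32-bit ARM:
 *   POP {r0, pc}  loads r0 from the next stack word, then jumps to the one
 *                 after it, so: gadget, argument, target. */
static const rop_entry chain_template[] = {
    { 0x80045a10u, 1 },   /* gadget: POP {r0, pc} */
    { 0x00000001u, 0 },   /* r0 = 1   (not an address: must not be slid) */
    { 0x800c71e0u, 1 },   /* target function */
};

/* Slide = leaked - unslid. Returns -1 if the leak cannot be right: it would
 * put the kernel below its link address, or at a base that is not
 * page-aligned (a sanity assumption for the example, not Apple's rule). */
int64_t compute_slide(uint32_t leaked, uint32_t unslid)
{
    if (leaked < unslid) return -1;
    uint32_t slide = leaked - unslid;
    if (slide & 0xfffu) return -1;
    return (int64_t)slide;
}

/* Serialize the chain as it is written onto the stack: 32-bit little-endian
 * words, addresses rebased by the slide, plain values copied as-is.
 * Returns bytes written, or 0 if out is too small. */
size_t build_chain(uint32_t slide, const rop_entry *tmpl, size_t n,
                   uint8_t *out, size_t out_len)
{
    if (out_len < n * 4) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t w = tmpl[i].is_addr ? tmpl[i].value + slide : tmpl[i].value;
        out[4*i + 0] = (uint8_t)(w);
        out[4*i + 1] = (uint8_t)(w >> 8);
        out[4*i + 2] = (uint8_t)(w >> 16);
        out[4*i + 3] = (uint8_t)(w >> 24);
    }
    return n * 4;
}

/* The stack image the chain is built into, and a reader for checking it. */
uint8_t rop_stack[16];

uint32_t stack_word(size_t i)
{
    return (uint32_t)rop_stack[4*i] | ((uint32_t)rop_stack[4*i + 1] << 8) |
           ((uint32_t)rop_stack[4*i + 2] << 16) | ((uint32_t)rop_stack[4*i + 3] << 24);
}

/* Leak in, finished chain out. Returns bytes written, 0 if the leak is bad. */
size_t chain_from_leak(uint32_t leaked)
{
    int64_t slide = compute_slide(leaked, UNSLID_LEAK_FN);
    if (slide < 0) return 0;
    return build_chain((uint32_t)slide, chain_template,
                       sizeof chain_template / sizeof chain_template[0],
                       rop_stack, sizeof rop_stack);
}

int main(void)
{
    uint32_t leaked = 0x80923450u;   /* constructed leak: slide 0x00800000 */
    size_t n = chain_from_leak(leaked);
    for (size_t i = 0; i < n / 4; i++)
        printf("stack word %zu = 0x%08x\n", i, stack_word(i));
    return 0;
}
```

Mixing up the two kinds of word is the classic mistake: slide an argument and the function receives garbage, forget to slide a gadget and the chain jumps somewhere random after the first return. The page-alignment test is only a sanity check on the leak, not a statement about how large Apple's slide can be.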
If your head is spinning right now, no worries...you'll come to in a few days, read it again and still be confused, yet at least you have a small bit more understanding of what these guys go through to develop your jailbreaks.
So what is the takeaway here?
The takeaway is that a tool has been created to help jailbreak developers with the current iOS 6 jailbreak and future jailbreaks. Though Apple has added more challenges, such as position-independent code (PIC) and some interesting new behavior in iBooks (which I may discuss in an upcoming article depending on the response to this one), that increase security and make the job more complex, @planetbeing and the other devs are in no way defeated.
It's tidbits like those he tweeted that are enough to let us know that, until Apple chooses to open up their system, jailbreaking will continue to be part of @planetbeing's and the other devs' to-do list.
When I asked him about if he ever intended to quit the jailbreak scene or if he hoped some new blood would emerge. Here is how he responded:
"I love working on the jailbreak and I also love not working on the jailbreak. I will most likely continue helping out whenever I'm useful but honestly I'd be pretty happy as long as iOS was still being jailbroken, no matter who was doing it."
I'm not sure about you, but for this go around, David Wang aka @planetbeing might be my favorite hacker working on the iOS 6 untethered jailbreak for iPhone 5.
Until next time, make sure to send your appreciation to David (@planetbeing), Joshua (@p0sixninja), Cyril (@pod2g), @MuscleNerd and the other leading developers of the latest and future jailbreaks.
iPhone Dream Team from the left: @iOPK, @p0sixninja @pod2g, @pimskeks @planetbeing