    Wednesday, June 6, 2018

    iOS Jailbreak [News] iOS 11.3.1 Kernel Exploit Released


    [News] iOS 11.3.1 Kernel Exploit Released

    Posted: 05 Jun 2018 03:40 PM PDT

    [Discussion] This is how Apple completely prevented you from downgrading iOS.

    Posted: 05 Jun 2018 10:13 PM PDT

    Feel free to correct me if I'm wrong; this is probably the first time I've posted something this long.

    Part 1

    A long time ago, Apple allowed firmware updates while offline; this made it impossible for them to control the firmware version on these devices.

    After cancelling this feature (in the early days), iOS devices would connect to an Apple server, send their device information, and, through "signed" firmware, receive a Digital Signature in order to upgrade the device.

    The way to bypass this function is to save the Digital Signature, and replay it in the future. (aka "Saving SHSH")

    The way Apple fixed this problem was to send a random string called a "nonce" while upgrading the device, so you couldn't use that method to trick your way through the bootloader.

    We come to the first conclusion:

    • Verification logic is run by the bootloader; the code is protected by the main chip, called "secure boot", so it's hard to change the code (changing the code as a "middle man").
    • The only key is hidden in OTP; you can only USE the key, you can't READ it, so it's theoretically impossible to fake a client request.
    • It uses asymmetric cryptography, which surely makes it hard to counterfeit the server's Digital Signature...

    Soooooo~~~ forced data exchange verification + protected verification logic + protected verification key: this is currently impossible to crack.

    Part 2

    Part 1 gives detailed information about how the code is securely processed by the system, but I'll explain why you can't flash the device to a specific version whenever you like, and give you an easier concept for understanding how the flash process works.

    A normal procedure for flashing an iOS device works like this: you download a firmware with the file extension .ipsw, open up iTunes, connect your phone, and the firmware is easily flashed onto your device.

    In fact, during the process of flashing a device, this shows how data is being transmitted:

    .ipsw —> iTunes —> iOS's CPU —> iOS's Flash/eMMC

    The key to this whole thing is that **ONLY the CPU can write the firmware into Flash/eMMC, so it all depends on whether the CPU allows you to flash the device**; if the CPU calls you fake news, the success rate of you flashing the firmware into the device is 0.00069%.

    (Now people would ask questions like "why don't you just bypass the CPU and write directly into Flash/eMMC?" This is because an iDevice is COMPLETELY ENCRYPTED (yes, the whole damn thing); this means that everything (data) that's going towards Flash/eMMC HAS to be encrypted. This encryption key is written INSIDE the CPU; only the CPU knows the key, and every device has a different key.)

    (So without the key, you won't be able to write the correct data to Flash/eMMC; even soldering the chips themselves (pointing at Flash/eMMC) off the motherboard won't work.)

    So how does the CPU decide if it should flash the device? You need the **firmware verification from the Apple Server**. Supposing the firmware signature is correct, then you can flash in the firmware. So iTunes has to request the firmware signature from the Apple server and provide it to the CPU. The Apple Server will check the firmware's authenticity and firmware version to decide if it should provide the Digital Signature. So, ONLY the Apple server has the power to flash the firmware.

    You can think of it this way (Role-Play ya Boi):

    *iTunes: I wanna flash a device using this firmware*

    *CPU: you need to provide a verified signature that matches this firmware*

    *iTunes asks the Apple server for the signature*

    *iTunes: here's the signature*

    *CPU: this signature is real! This firmware can be used to flash this device*

    If Apple stops signing this firmware, it'll look like this:

    *iTunes: I wanna flash a device using this firmware*

    *CPU: you need to provide a verified signature that matches this firmware*

    *iTunes asks the Apple server for the signature*

    *Apple server: this firmware is unsigned, I can't provide you with a signature.*

    (A Digital Signature uses asymmetric cryptography, meaning it's impossible to counterfeit a signature)

    But even though a Digital Signature can't be counterfeited, you can keep it and use it when you need to.

    **A few years ago you could use SHSH to flash in the firmware**; this also used this principle.

    Think of it this way:

    *iTunes: I wanna flash a device using this firmware*

    *CPU: you need to provide a verified signature that matches this firmware*

    *iTunes takes out the Digital Signature it collected a long time ago from your mom's computer*

    *iTunes: here's the signature*

    *CPU: this signature is real! This firmware can be used to flash this device*

    (In reality, the tools you use for blobs/SHSH would need to present a fake server to iTunes)

    This replay attack is really easy to prevent, and **now SHSH no longer works**.

    Think of it this way:

    *iTunes: I wanna flash a device using this firmware*

    *CPU: you need to provide a verified signature, and that signature needs to include some randomly generated digits/numbers, as follows: "VErnyylYvxrGbRngNffQhevatZlWhavbeLrneJuvpuVfEvtugAbjNaqFhzzreBs2018JvyyOrZlSyrkFrnfba"; in this old Digital Signature, these random digits "VErnyylYvxrGbRngNffQhevatZlWhavbeLrneJuvpuVfEvtugAbjNaqFhzzreBs2018JvyyOrZlSyrkFrnfba" aren't included, so this Digital Signature is invalid*

    You can counterfeit the verification server, but the results of the verification cannot be counterfeited; you can only intercept the real server's Digital Signature and replay it to the CPU, and that's what made the Digital Signature so powerful.

    submitted by /u/SGpro-_-
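    The signing, replay and nonce exchange the post above walks through, as an added example that is not part of the post and not Apple's code. It models the flow with a textbook RSA signature over a 64-bit modulus and an FNV-1a digest; both are assumed toy stand-ins for Apple's real (2048+ bit) key and hash, chosen so the example runs without a crypto library, and the ticket fields, ECID, firmware identifiers and nonce values are made up. `__int128` assumes GCC or Clang. The server function holds the private exponent and only signs the firmware it is "currently signing"; the bootloader function holds only the public key and, when nonce enforcement is on, also compares the ticket's nonce with the one it drew for this restore.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned __int128 u128;   /* GCC/Clang extension, for 64x64-bit mulmod */

/* Assumed toy RSA key: n = p*q with two 32-bit primes, e = 65537.
 * Big enough to run, nowhere near big enough to be secure. */
#define RSA_P   4294967291ULL                 /* 2^32 - 5  */
#define RSA_Q   4294967279ULL                 /* 2^32 - 17 */
#define RSA_E   65537ULL
#define RSA_N   (RSA_P * RSA_Q)
#define RSA_PHI ((RSA_P - 1) * (RSA_Q - 1))

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)(((u128)a * b) % n);
}

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t n) {
    uint64_t r = 1;
    for (b %= n; e; e >>= 1) {
        if (e & 1) r = mulmod(r, b, n);
        b = mulmod(b, b, n);
    }
    return r;
}

/* Extended Euclid: a^-1 mod m, assuming gcd(a, m) == 1 (true for e = 65537 here). */
static uint64_t modinv(uint64_t a, uint64_t m) {
    __int128 t = 0, nt = 1, r = m, nr = a, q, tmp;
    while (nr) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

/* FNV-1a stands in for SHA; reduced mod n so the toy RSA can sign it. */
static uint64_t digest(const void *p, size_t len) {
    const uint8_t *s = p;
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) { h ^= s[i]; h *= 1099511628211ULL; }
    return h % RSA_N;
}

struct ticket {
    uint64_t ecid;     /* device identity sent by iTunes */
    uint64_t fw_hash;  /* identifies the firmware being restored */
    uint64_t nonce;    /* 0 models the pre-nonce scheme */
    uint64_t sig;      /* server signature over the three fields above */
};

static uint64_t ticket_digest(const struct ticket *t) {
    uint8_t buf[24];
    memcpy(buf, &t->ecid, 8); memcpy(buf + 8, &t->fw_hash, 8); memcpy(buf + 16, &t->nonce, 8);
    return digest(buf, sizeof buf);
}

/* Apple's side: holds d, and only signs the firmware it is currently signing. */
static int server_sign(struct ticket *t, uint64_t currently_signed_fw) {
    if (t->fw_hash != currently_signed_fw) return -1;   /* "this firmware is unsigned" */
    t->sig = modpow(ticket_digest(t), modinv(RSA_E, RSA_PHI), RSA_N);
    return 0;
}

/* Device side: holds only (e, n); nothing here can produce a signature. */
static int bootloader_accepts(const struct ticket *t, uint64_t ecid, uint64_t fw_hash,
                              uint64_t boot_nonce, int nonce_enforced) {
    if (modpow(t->sig, RSA_E, RSA_N) != ticket_digest(t)) return 0; /* forged or tampered */
    if (t->ecid != ecid || t->fw_hash != fw_hash) return 0;        /* wrong device/image */
    if (nonce_enforced && t->nonce != boot_nonce) return 0;        /* replayed ticket */
    return 1;
}

/* Made-up identifiers for the scenarios below. */
#define ECID       0xDEADBEEF12345678ULL
#define OLD_FW     0x1103ULL   /* firmware Apple stopped signing */
#define CURRENT_FW 0x1104ULL   /* firmware Apple signs today */

/* Years ago: ticket saved while OLD_FW was signed, replayed after Apple stopped. */
static int demo_legacy_replay(void) {
    struct ticket saved = { ECID, OLD_FW, 0, 0 };
    server_sign(&saved, OLD_FW);                              /* signed back then */
    return bootloader_accepts(&saved, ECID, OLD_FW, 0, 0);    /* 1: accepted */
}

/* Same saved ticket, but the bootloader now draws a fresh nonce per restore. */
static int demo_nonce_replay(void) {
    struct ticket saved = { ECID, OLD_FW, 0x1111, 0 };
    server_sign(&saved, OLD_FW);
    return bootloader_accepts(&saved, ECID, OLD_FW, 0x2222, 1);   /* 0: stale nonce */
}

/* A fake server patches the nonce to match; the signature no longer covers it. */
static int demo_nonce_tamper(void) {
    struct ticket saved = { ECID, OLD_FW, 0x1111, 0 };
    server_sign(&saved, OLD_FW);
    saved.nonce = 0x2222;
    return bootloader_accepts(&saved, ECID, OLD_FW, 0x2222, 1);   /* 0: bad signature */
}

/* Asking the real server today for OLD_FW: it refuses. */
static int demo_unsigned_request(void) {
    struct ticket t = { ECID, OLD_FW, 0x2222, 0 };
    return server_sign(&t, CURRENT_FW);                       /* -1 */
}

/* The normal path: current firmware, current nonce. */
static int demo_fresh(void) {
    struct ticket t = { ECID, CURRENT_FW, 0x2222, 0 };
    server_sign(&t, CURRENT_FW);
    return bootloader_accepts(&t, ECID, CURRENT_FW, 0x2222, 1);   /* 1 */
}

int main(void) {
    printf("legacy SHSH replay accepted:  %d\n", demo_legacy_replay());
    printf("replay with nonce enforced:   %d\n", demo_nonce_replay());
    printf("nonce patched by fake server: %d\n", demo_nonce_tamper());
    printf("server signs old firmware:    %d\n", demo_unsigned_request());
    printf("fresh ticket accepted:        %d\n", demo_fresh());
    return 0;
}
```

    The two failing cases are the whole story: a saved ticket fails because its nonce field no longer matches what the bootloader drew, and editing that field fails because the nonce is inside the signed data. With only the public key on the device, the bootloader can verify but never produce a signature, which is why a fake server can only replay what the real one once issued.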

    [Discussion] Let's clap for Joseph Shenton for offering coolstar a $99 dev account.

    Posted: 05 Jun 2018 05:12 PM PDT

    [Discussion] A TL;DR for Ian Beer's tweets

    Posted: 05 Jun 2018 04:02 PM PDT

    Basically, Ian just released two exploits: the one that requires a developer certificate ($99) and one that doesn't.

    The one that doesn't require a dev cert is way harder to exploit than the other; therefore the Electra team may take longer than expected to create the iOS 11.3.1 jailbreak.

    So it shouldn't be long until we get our hands on the iOS 11.3.1 jailbreak. Give Coolstar a few days, maybe even a week. It's worth it though.


    Edit: Apparently the second "exploit", which doesn't require a developer certificate, is rather a bug that needs an exploit to be written for it to work. Coolstar just tweeted that he may just start working on the one that requires a developer certificate since it's easier. (This is bad news)

    Edit #2: For the exploit that requires a dev cert: It is unconfirmed, but there is a chance that a developer certificate is only needed to compile the jailbreak, not use it. Again, this is not confirmed. Source

    Edit to Edit #2: Coolstar just said on his Twitter that you need a developer account to use the jailbreak.

    submitted by /u/DocyodaX

    [Discussion] Any developer want to help make my notification hub concept a reality?

    Posted: 05 Jun 2018 10:06 AM PDT

    [Tutorial] iOS 11.3.1 Kernel Exploit explanation.

    Posted: 05 Jun 2018 06:49 PM PDT

    Hey all, I saw that there was a lot of confusion in the release thread for the new VFS kernel vulnerability (not exploit, whoops) that's been released so I'm going to try my best to explain it in a moderately technical manner.

    The vulnerability occurs in the code used for networking (specifically MultiPath TCP) on both macOS and iOS. MultiPath TCP is only for use over IP (Internet Protocol), not over any other transport protocol.

    Network programming in C uses the abstraction of sockets. When declaring a socket (sockaddr struct) you can initialize it to connect to other hosts using IPv4 (AF_INET), IPv6 (AF_INET6), Bluetooth (AF_BTH), or a number of other different protocols that are declared on the system.

    The function responsible for handling MultiPath TCP connections in the XNU kernel can only correctly handle IPv4 or IPv6 sockaddr structs. When passed a sockaddr struct with a source and destination type that is not IP, instead of gracefully failing when the configuration is not for an internet protocol, the kernel continues with the connection function; the critical code is in the snippet below.

        // code doesn't bail if sa_family was neither AF_INET nor AF_INET6
        if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) {
            if (mptcp_entitlement_check(mp_so) < 0) {
                error = EPERM;
                goto out;
            }
            mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED;
        }

        // copies up to 255 bytes of memory from within the application
        if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) {
            memcpy(&mpte->mpte_dst, dst, dst->sa_len);
        }

    With the error checking failing, we are able to provide arbitrary data in the sockaddr struct which is trusted and not verified. We're able to pass in a payload and the length of that payload. By trusting the length that we pass, a crafted exploit can overwrite a pointer (8 bytes) in the kernel's address space from the sandbox of a user application.

    In the proof of concept this causes a kernel panic, as when the socket is closed kfree() is called on non-allocated memory. But a correctly crafted overflow could potentially allow a sandboxed application to escalate to kernel mode.

    TL;DR: We have the ability to write to a pointer which is used within kernel code. We don't know how to exploit that yet to create a break out of the sandbox, but it's in the works, and exploits of this type have worked for jailbreaks in the past. Here's a very simplified, well-explained similar type of attack using the stack instead of the heap, from Syracuse. If anybody has any questions regarding this exploit, feel free to comment.

    submitted by /u/trillic
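    A userland model of the copy the snippet in the post above performs, as an added example; it is not XNU code and not Apple's actual fix. The sockaddr layout (a `sa_len` byte followed by `sa_family`, as on BSD/XNU), the family and size constants, the trimmed-down session struct and the attacker's 255-byte sockaddr are all constructed for the demonstration, and `next_obj` stands in for whatever the allocator placed after the session object (the pointer the post says ends up in kfree()). The vulnerable function copies `sa_len` bytes with no family or length check, exactly as the snippet does; the hardened version rejects non-IP families and any length that does not match the family before it copies anything.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BSD-style sockaddr header as XNU lays it out: a length byte, then the family.
 * Defined here rather than taken from <sys/socket.h> so the model builds on Linux too. */
struct bsd_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t sa_data[14];
};
#define BSD_AF_INET       2
#define BSD_AF_INET6      30   /* XNU's value (Linux uses 10) */
#define SOCKADDR_IN_LEN   16   /* sizeof(struct sockaddr_in) on XNU */
#define SOCKADDR_IN6_LEN  28   /* sizeof(struct sockaddr_in6) on XNU */

#define SS_ISCONNECTED  0x0002
#define SS_ISCONNECTING 0x0004

/* Assumed slice of the MPTCP session object: the destination buffer and what follows it.
 * rest_of_zone exists only so the overflowing memcpy stays inside this one object. */
struct mptses_model {
    uint32_t so_state;
    uint8_t  mpte_dst[SOCKADDR_IN6_LEN];   /* sized for the largest IP sockaddr */
    uint64_t next_obj;                     /* stand-in for the adjacent kernel pointer */
    uint8_t  rest_of_zone[256];
};

#define SENTINEL 0xC0FFEE0000000001ULL

/* As in the snippet: no family check, length taken straight from the caller's sa_len. */
static int mptcp_connect_vuln(struct mptses_model *m, const struct bsd_sockaddr *dst) {
    if ((m->so_state & (SS_ISCONNECTED | SS_ISCONNECTING)) == 0)
        memcpy((uint8_t *)m + offsetof(struct mptses_model, mpte_dst), dst, dst->sa_len);
    return 0;
}

/* Hardened form: refuse non-IP families, then insist the length matches the family. */
static int mptcp_connect_fixed(struct mptses_model *m, const struct bsd_sockaddr *dst) {
    size_t want;
    if (dst->sa_family == BSD_AF_INET)       want = SOCKADDR_IN_LEN;
    else if (dst->sa_family == BSD_AF_INET6) want = SOCKADDR_IN6_LEN;
    else return EAFNOSUPPORT;
    if (dst->sa_len != want) return EINVAL;
    if ((m->so_state & (SS_ISCONNECTED | SS_ISCONNECTING)) == 0)
        memcpy(m->mpte_dst, dst, want);    /* bounded by the family, not by the caller */
    return 0;
}

/* Constructed attacker input: sa_len = 255, a bogus family, filler, and a chosen
 * 8-byte value placed where next_obj sits (28 bytes past the start of mpte_dst). */
static void build_evil_sockaddr(uint8_t buf[255], uint64_t overwrite) {
    memset(buf, 'A', 255);
    buf[0] = 255;    /* sa_len: the only bound the vulnerable path honours */
    buf[1] = 0x7f;   /* neither AF_INET nor AF_INET6: should have been rejected */
    memcpy(buf + SOCKADDR_IN6_LEN, &overwrite, sizeof overwrite);
}

/* Runs the vulnerable path and returns next_obj afterwards. */
uint64_t demo_vuln(void) {
    struct mptses_model m = { 0 };
    uint8_t evil[255];
    m.next_obj = SENTINEL;
    build_evil_sockaddr(evil, 0x4242424242424242ULL);
    mptcp_connect_vuln(&m, (const struct bsd_sockaddr *)evil);
    return m.next_obj;   /* 0x4242424242424242: the adjacent pointer is now attacker data */
}

/* Runs the fixed path on the same input and returns the error it produced. */
int demo_fixed(void) {
    struct mptses_model m = { 0 };
    uint8_t evil[255];
    m.next_obj = SENTINEL;
    build_evil_sockaddr(evil, 0x4242424242424242ULL);
    return mptcp_connect_fixed(&m, (const struct bsd_sockaddr *)evil);   /* EAFNOSUPPORT */
}

/* Same again, reporting whether next_obj survived untouched (1) or not (0). */
int demo_fixed_left_memory_intact(void) {
    struct mptses_model m = { 0 };
    uint8_t evil[255];
    m.next_obj = SENTINEL;
    build_evil_sockaddr(evil, 0x4242424242424242ULL);
    mptcp_connect_fixed(&m, (const struct bsd_sockaddr *)evil);
    return m.next_obj == SENTINEL;
}

/* A well-formed IPv4 sockaddr (127.0.0.1:8080, constructed) still passes the fixed check. */
int demo_fixed_ipv4(void) {
    struct mptses_model m = { 0 };
    uint8_t ok[SOCKADDR_IN_LEN] = { SOCKADDR_IN_LEN, BSD_AF_INET, 0x1f, 0x90, 127, 0, 0, 1 };
    return mptcp_connect_fixed(&m, (const struct bsd_sockaddr *)ok);   /* 0 */
}

int main(void) {
    printf("vulnerable path, next_obj after copy: 0x%016llx\n", (unsigned long long)demo_vuln());
    printf("fixed path, error: %d, memory intact: %d\n", demo_fixed(), demo_fixed_left_memory_intact());
    printf("fixed path, valid IPv4: %d\n", demo_fixed_ipv4());
    return 0;
}
```

    The model keeps the overflow inside one object so it is well-defined C; in the kernel the same copy runs off the end of the session allocation into whatever neighbour the zone allocator placed there, which is why the post's proof of concept only produces a panic in kfree() and why turning it into a controlled write is the hard part.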

    [Discussion] Normally we'd have 3000 people online on this sub; today we have nearly 6000.

    Posted: 05 Jun 2018 08:54 AM PDT

    The hype is real

    submitted by /u/RCD-Y

    [Discussion] It’s not 100% confirmed that Ian will drop it today.

    Posted: 05 Jun 2018 01:07 PM PDT

    [Upcoming] Mikoto for iOS 11!

    Posted: 05 Jun 2018 07:38 PM PDT

    With all the recent hype, it seems this was missed!

    https://twitter.com/angelXwind/status/1004089557552390144

    submitted by /u/NuPontius

    [News] Ian Beer's Kernel Exploit can apply to iOS 11.0 ~ 11.3.1

    Posted: 05 Jun 2018 04:28 PM PDT

    [Discussion] thanks for the suggestion, but no thanks

    Posted: 05 Jun 2018 03:48 PM PDT

    [News] Houdini b3 requires developer account

    Posted: 05 Jun 2018 09:52 PM PDT

    [News] Coolstar confirms a developer account WILL be needed

    Posted: 05 Jun 2018 08:48 PM PDT

    It's against subreddit rules to post his tweets, so this is what he said:

    "A common misconception is floating around that a developer account is only needed to compile it: this is false.

    A developer account is required to both compile and to install it.

    The type of account you all are looking for is a stolen enterprise account"

    Update: "That being said, I do not recommend going out and buying developer accounts just yet.

    Stand by. Updates will be posted when ready and appropriate."

    Update 11:15 CST: there seem to be conflicting answers. Joseph Shenton replies, saying "Coolstar, YOU ONLY NEED THE ACCOUNT TO COMPILE IT! I can let you use my account." https://twitter.com/notjosephs/status/1004207520078954496?s=21

    submitted by /u/ObamaTookMyToast

    [News] Houdini Beta 3 Released (iOS 11.x - 11.3.1)

    Posted: 05 Jun 2018 09:55 PM PDT

    [Request] The ability to see what devices are connected to your hotspot, and to kick them off, and also set an “allowed devices” mode where only devices you have on a whitelist can connect

    Posted: 05 Jun 2018 10:16 AM PDT

    [Discussion] tl;dr and explanation of what's happened so far (Coolstar's response on the exploit inside):

    Posted: 05 Jun 2018 05:11 PM PDT

    Firstly with Ian and the exploits. Many have seen the explanation I've given in other posts, but here's for those that haven't:

    "To clear confusion: Ian has released two bugs patched in iOS 11.4, kernel memory corruption bugs reported in two distinct areas: mptcp and vfs.

    mptcp requires an Apple Developer Cert.

    mptcp is the same bug as already publicly documented from the patch by @elvanderb and exploited by @jaakerblom, which can be found here.

    Ian states, "The mptcp exploit is mostly recycled bits of earlier exploits."

    vfs doesn't require an Apple Developer Cert but is a lot harder to exploit. Ian states, "The vfs bug doesn't require an Apple developer cert but is considerably harder to exploit. You get to write 8 NULL bytes off the end of a kalloc.16 buffer. It's sufficiently hard to exploit that it's worth trying just to demonstrate that such issues are reliably exploitable."

    vfs is the main exploit needed for the enduser (us) because most of us aren't developers and don't pay $99 for an account, I hope to see the community come together and make something out of this pretty soon as always :)"

     

    As for the two exploits: they have both been released, but many people are confused by Ian's tweets and believe that he has only released mptcp.

    Mptcp can be located here

    Vfs can be located here

     

    On to coolstar, so far this is what he has to say, "Re: Ian's recent release. He has released an exploit for mptcp (requires dev acct), and a bug that requires an exploit to be written for it (doesn't require a developer account). Will try to get a hold of a dev account to get started, but for release dev acct isn't too great." (I can't link the tweet because he doesn't want his twitter linked here)

    I hope I could help people better understand the current progress and situation of everything so far, have a great day and let's get this jailbreak going :)

     

    Update #1: The dev account is only needed to compile and release the app. Joseph Shenton & 1GamerDev both confirm this. Joseph Shenton also offers coolstar his account to use!!!

    Joseph Shenton says here, "Also, from what I see you only need a developer account to compile it not to install it. Correct me if I'm wrong please "

    1GamerDev says in a reply to a tweet, "yea. i need torngat compiled via a dev account to release it. i know users dont need one to install it but i personally dont have one."

    submitted by /u/sonicx161

    [discussion] [News] Torngat Owner 1GamerDev has access to a developer account and the exploit thanks to JosephShenton!

    Posted: 05 Jun 2018 06:56 PM PDT

    [News] Coolstar will be making a developer jailbreak first for users with developer accounts.

    Posted: 05 Jun 2018 08:42 PM PDT

    It's on his Twitter. Unfortunately I can't post links of his tweets due to subreddit rules.

    Edit: just tweeted "This one will likely not be released, but it will give us a good head start for the public 11.3.1 jailbreak"

    submitted by /u/ObamaTookMyToast

    [Request] PLEASE update Apex (2), willing to donate and test it out as well.

    Posted: 05 Jun 2018 03:30 AM PDT

    [Discussion] Are we hitting records here?

    Posted: 05 Jun 2018 03:52 PM PDT

    More than 8k users online

    Let the hype continue

    submitted by /u/evolutionlg

    [Discussion] Can we, as a community, compile a list of tweaks that'll be ready for the 11.3.1 jailbreak?

    Posted: 05 Jun 2018 06:48 AM PDT

    Given that the exploit is going to be releasing today, it seems like a good idea for everyone to share any info they have on tweaks that will be ready for 11.3.1 as soon as the jb comes out. Also, if you have any recommendations as to what you find are the best tweaks, or what tweaks you're excited for, join the discussion!

    Edit: Removed an extra "a".

    submitted by /u/bigboatyachty

    [Release] HostsBlock - An ad blocker for iOS

    Posted: 05 Jun 2018 04:40 AM PDT

    So here I just came up with a quick package that backs up your hosts file and modifies it so you don't get ads. It also restores the backup on uninstallation. It should (theoretically) work on every iOS version. It's lightweight. It's great. You just install it and it works. Even in the non-jailbroken state.

    Here's my repo —> http://xnu.science/repo/

    EDIT: If you wanna get even more updates about my stuff, my Twitter is https://twitter.com/Pwn20wnd

    If you wanna support my research and the efforts on keeping the community up to date with stuff, then my patreon is https://patreon.com/Pwn20wnd, pledge as much as you want. Any pledge is appreciated. That does really motivate me as I do nothing but work for the community these days. ~ Pwn20wnd

    submitted by /u/Daily1Jb

    [Discussion] List your tweaks worth downloading/purchasing after JB release.

    Posted: 05 Jun 2018 10:16 PM PDT

    As we wait for the Jailbreak to release, I thought I could get some input from the community on what tweaks people suggest having. I think it would help out a lot of those who are just getting into the JB game or rejoining after a few years. Make sure to state your device type!

    submitted by /u/OneLessLagger

    [Discussion] Today is the day!

    Posted: 05 Jun 2018 04:39 AM PDT

    This is the day Ian releases his exploit!

    EDIT: He's done it now! I'm so stoked!!

    submitted by /u/HowDoIBlox

    [request] Timer for “reset statistics” in settings-> mobile data so that it resets in sync with monthly phone bill

    Posted: 05 Jun 2018 03:11 PM PDT
