Jailbreaking iPhone for Beginners — Theory

Shashank's Blog
4 min read · Nov 30, 2021

Hi Everyone,

In this short blog post, we will look at the concept of jailbreaking and how it works. It will help you make an educated choice about which jailbreak method to use for your version of iPhone.

What is the meaning of “Jail”?

Before getting to jailbreaking, let’s understand what the Jail is.

Apple operating systems, i.e. macOS, iOS, tvOS etc., work seamlessly with their respective hardware and are well integrated into the overall Apple ecosystem. This is possible because all components of that ecosystem are completely owned and managed by Apple, be it hardware, OS, APIs etc. Unlike the fragmented Android market, Apple dictates what goes into the ecosystem and what does not. This makes Apple devices relatively more secure than their competitors.

One example of how Apple ensures the security of the ecosystem is its stringent App Store review. This makes it relatively difficult for malicious apps to get into the App Store. Another way Apple implements this control is by discouraging side-loading apps or extracting apps (.ipa files) from the device.

In short, Apple devices are an enclosed “Jail”. External apps cannot enter it, nor can internal apps exit it.

Concept of Jailbreak

From the above description, you can imagine that Apple does not provide much liberty to play with unverified apps. There are a couple of workarounds to sideload apps, but they are a bit limited. Enter “Jailbreak”.

Jailbreaking removes application sideloading restrictions and provides higher-privilege access to users. Sideloading can then be handled by third-party app stores like Cydia, Sileo etc.

How does Jailbreak work?

Jailbreaking is the process of obtaining full RWX permission on all partitions of iOS, iPadOS, tvOS, watchOS etc. This is done by patching the /private/etc/fstab file to mount the System partition as RW. To make this happen, jailbreaks create a new AFC2 (Apple File Conduit “2”) service to get full filesystem access.
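The fstab patch described above is also the simplest thing a defender can look for. The following is an added example, not code from the original post: a small parser for an fstab file that reports whether the root (System) partition is mounted read-write. The fstab contents are constructed samples; device names and filesystem type are assumptions.

```python
# Added example (not from the original post): parse an iOS-style
# /private/etc/fstab and report whether the root partition is mounted
# read-write, which is the change a jailbreak makes to that file.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: List[str]


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse fstab(5)-style lines: device mountpoint fstype options [dump] [pass]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        device, mountpoint, fstype, opts = fields[:4]
        entries.append(FstabEntry(device, mountpoint, fstype, opts.split(",")))
    return entries


def root_entry(entries: List[FstabEntry]) -> Optional[FstabEntry]:
    """Return the entry for "/" if present."""
    return next((e for e in entries if e.mountpoint == "/"), None)


def root_is_writable(text: str) -> bool:
    """True if fstab mounts / with 'rw'; a stock iOS fstab mounts / read-only."""
    root = root_entry(parse_fstab(text))
    return root is not None and "rw" in root.options


# Constructed samples: a stock layout and the same file after a jailbreak patch.
STOCK_FSTAB = """\
/dev/disk0s1s1 / apfs ro 0 1
/dev/disk0s1s2 /private/var apfs rw,nosuid,nodev 0 2
"""
PATCHED_FSTAB = STOCK_FSTAB.replace("/ apfs ro", "/ apfs rw", 1)

if __name__ == "__main__":
    for name, content in (("stock", STOCK_FSTAB), ("patched", PATCHED_FSTAB)):
        print(f"{name}: root writable = {root_is_writable(content)}")
```

A single file check like this is only a weak signal: a jailbreak that hides or restores the original fstab will pass it, so real jailbreak detection combines several independent indicators.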

As iOS (and other Apple OS) versions progressed, Apple implemented multiple security mechanisms such as code signing; jailbreaks get around them by patching the kernel or exploiting boot ROMs.

Types of Jailbreak

Whenever an iDevice boots, it loads its own kernel. So to keep the iDevice in a jailbroken state, the kernel needs to be patched during boot-up. Depending on how this process is done, jailbreaks are categorized into 4 types:

a. Fully Tethered Jailbreak:- Tethering means attaching the device to a workstation/laptop. In this type of jailbreak, the iDevice stays jailbroken for a single boot. If you reboot the device, the jailbreak is lost and it may get stuck in Recovery mode. To run the device again, re-jailbreaking by connecting the device to a workstation/laptop is needed. Very inconvenient, I know :P

b. Semi-Tethered Jailbreak:- In this type of jailbreak, the iDevice stays jailbroken for a single boot. If you reboot the device, the jailbreak is lost but the device does not get stuck in Recovery mode. You can use it as a non-jailbroken device. To re-jailbreak, you need to connect it to a workstation/laptop to load the jailbreak exploit.

c. Semi-Untethered Jailbreak:- In this type of jailbreak, the iDevice stays jailbroken for a single boot. If you reboot the device, the jailbreak is lost but the device does not get stuck in Recovery mode. You can use it as a non-jailbroken device. To re-jailbreak, you do not need a workstation/laptop: an app installed on the iDevice does the jailbreaking and re-jailbreaking. (In a future blog post, we will look at this, as these are the most common jailbreaks nowadays!!!)

d. Fully Untethered Jailbreak:- In this type of jailbreak, the iDevice stays jailbroken after every reboot. Kernel patches are applied in such a way that they get re-applied after every reboot on their own. Unfortunately these jailbreaks are nowhere to be seen in the last many years!!!!

Well-known Jailbreaks

Two open-source jailbreaks which are very famous nowadays are Checkra1n and Unc0ver.

a. Checkra1n:- Checkra1n is a semi-tethered, boot ROM based jailbreak. It is based on a bootrom exploit named “checkm8”. Since this exploit is present in certain hardware, the issue is unpatchable. Due to this, Checkra1n became a sensation. If you jailbreak an iDevice with Checkra1n, it cannot be made non-jailbroken by upgrading the iOS version. (This is the reason I don’t prefer this jailbreak)

b. Unc0ver:- Unc0ver is a semi-untethered jailbreak. Unlike Checkra1n, Unc0ver relies on multiple kernel exploits like Sock Puppet, CVE-2021-1782 etc. to run the jailbreak on iOS versions 11 to 14.3. Since these are kernel exploits, Apple can patch them by pushing security updates. But this also means that by restoring or upgrading iOS, you can make your device non-jailbroken.

Apart from these two, there are exploits developed by many private companies like Tencent Labs, Alibaba Security Labs etc., but they are not made available publicly.

In the next post, we will look step by step at iPhone jailbreaking using the Unc0ver jailbreak. Stay tuned!!!!
