Since it’s release, the tool has been downloaded 1.7 million times according to Saurik – the creator Cydia. According to a chart tweeted by Saurik (Jay Freeman), at it’s peak Cydia was receiving 14,000 hits per minute. But, in what was considered a successful launch of the Evasi0n tool, we take a look inside the complexities behind what makes a Jailbreak.
Planetbeing (David Wang), one of the main developers behind the new Evasi0n tool, gives Forbes an insight into just how much work is needed to release a Jailbreak of this scale.
According to David Wang, one of the evad3rs’ four developers, the program takes advantage of at least five distinct, new bugs in iOS’s code. (For reference, that’s one more than Stuxnet, the malware built by the NSA to destroy centrifuges in Iran’s nuclear enrichment facilities.)
Evasi0n alters the socket that allows programs to communicate with a program called Launch Daemon, abbreviated launchd, a master process that loads first whenever an iOS device boots up and can launch applications that require “root” privileges, a step beyond the control of the OS than users are granted by default. That means that whenever an iPhone or iPad’s mobile backup runs, it automatically grants all programs access to the time zone file and, thanks to the symbolic link trick, access to launchd.
Wang detailed the entire process, from finding the exploit, down to encoding it into a useable format for a public release.
Once it’s beaten ASLR, the jailbreak uses one final bug in iOS’s USB interface that passes an address in the kernel’s memory to a program and “naively expects the user to pass it back unmolested,” according to Wang. That allows evasi0n to write to any part of the kernel it wants. The first place it writes is to the part of the kernel that restricts changes to its code–the hacker equivalent of wishing for more wishes. ”Once you get into the kernel, no security matters any more,” says Wang. “Then we win.”
Read the full report here, but it gives an amazing insight into just how complex something we almost take for granted now is. It’s an unbelievable achievement, and something that will probably get patched pretty quickly, but let us know in the comments section below if you have Jailbroken your iDevice.