Create a security research device through a Jailbreak

Tanmay Bhattacharjee
3 min read · Jan 5, 2025


Disclaimer: this is for educational purposes, intended for iOS mobile security researchers.

The term “jailbreak” refers to the process of achieving arbitrary code execution on devices running iOS, iPadOS, watchOS, tvOS, audioOS, or bridgeOS. This is typically done by exploiting the device’s kernel and other protections, such as AMFI, PAC, PPL, KPP, and KTRR, though these protections may vary by software version.

Historically, jailbreaking involved patching the /private/etc/fstab file to mount the System partition as ‘read-write.’ It is important to note that jailbreaking is distinct from unlocking a device. Jailbreaking is usually the first step before applying unofficial activation (often referred to as hacktivation) and unofficial unlocking. Earlier methods of jailbreaking included modifying the AFC service, which iTunes uses to access the filesystem, to allow full filesystem access from the root. This process was later updated to establish a new service, known as AFC2, which provides access to the entire filesystem.

Modern jailbreaks generally modify kernel variable memory instead of directly patching the kernel due to the limitations imposed by KPP and KTRR. An exception to this is found in jailbreaks based on the checkm8 exploit.

It’s important to note that the legality of jailbreaking your device varies by country and region. For more detailed information on the legality in specific areas, you can refer to Wikipedia, which provides a summary for several countries.

Types of Jailbreaks:

Tethered Jailbreak: This type of jailbreak requires the device to be booted using a computer every time. If it is not booted this way, it will not boot at all. Tethered jailbreaks are relatively uncommon because, starting with the iPod Touch 2 (new bootrom) and iPhone 3GS, Apple implemented signature checks for its boot chain. This includes the Low-Level Bootloader (LLB), iBoot, and the kernel, which means a custom boot chain cannot be loaded unless an exploit is used to bypass these checks. Examples of tethered jailbreaks include 4039, blackra1n, and orangesn0w.

Semi-Tethered Jailbreak: A semi-tethered jailbreak allows the device to boot without a computer but will run in an unjailbroken state until it is re-jailbroken using a computer. This type of jailbreak does not modify iOS’s default boot chain; instead, it sends its own custom one. Examples of semi-tethered jailbreaks are opensn0w, geeksn0w, checkra1n, and palera1n.

Untethered Jailbreak: Untethered jailbreaks were once the standard for almost all jailbreaks. Users could run the jailbreak once and remain jailbroken indefinitely. These jailbreaks could be installed via Safari using JailbreakMe or through a computer with tools like redsn0w, Absinthe, or Pangu. However, the popularity of fully untethered jailbreaks began to decline with the advent of iOS 9.

Semi-Untethered Jailbreak: With iOS 9, creating a fully untethered jailbreak became increasingly difficult, leading developers to invent semi-untethered jailbreaks. These involve running an app to jailbreak the device, but after a reboot, the app needs to be run again to re-enable the jailbreak; otherwise, the device will revert to its unjailbroken state. Examples of semi-untethered jailbreaks include Home Depot, Meridian, unc0ver, Chimera, Taurine, and Dopamine.

Due to Apple’s restrictions, the app used for semi-untethered jailbreaks must be re-signed every week (or every year with a paid developer account). Tools like ReProvision Reborn were created to automate this re-signing process. Additionally, for iOS versions that support TrollStore, it is possible to permanently sign the jailbreak app so that it never expires.

POC:

Yesterday, we attempted a semi-untethered jailbreak on my iPhone 7, which is running iOS version 15.8. We first tried using checkra1n, but it didn’t work. Next, we installed winra1n, but we still had no success in rootless mode. Finally, we decided to use Dopamine. At that time, we were using a Windows operating system and referred to the documentation for guidance.

I installed the trollRestore executable file on Windows and launched the trollRestore application. Then I typed the app name “TIPS” in the command prompt. Please ensure that your iOS device is connected to your computer via a USB cable during this process.

For more details, refer to the documentation mentioned earlier.

Once everything is set up, you can proceed with the jailbreak.

https://www.ios-repo-updates.com/

You can use 3uTools to jailbreak your device if it’s supported.

It was the easiest method for me. I hope this helps you.
