Thanks to recent discoveries, most notably by Ian Beer, it has become somewhat of a standard for *OS vulnerability PoCs to provide unrestricted access to kernel memory through the XNU kernel_task port. But that alone does not a full jailbreak make. There are significant hurdles to cross, notably kernel patch protection, in software and hardware, as well as the dual sentinels of AppleMobileFileIntegrity and the Sandbox.
This lab starts by reviewing all the countermeasures utilized by Apple to discourage exploitation. It then explains why all of them are essentially futile for a determined attacker with sufficient knowledge of system internals. It explores a freely available post-exploitation library provided by the author, which enables researchers or jailbreaking hobbyists to code a functional jailbreak in about 20 lines of code.
Detailed flow:
– What makes a jailbreak
– Apple countermeasures:
– KPP
– AMCC/KTRR
– AMFI.kext
– AMFId
– Sandbox
– Platform profile
– Counter-countermeasures
– Evading kernel text patches by data-only
– Remounting the root filesystem
– Manipulating the process list
– The Jailbreak daemon
– Possible fixes soon to be imposed
– The future of jailbreaking
