Luca Todesco releases browser-based exploit for Pangu 9.3.3 jailbreak without certificate

By , Dec 8, 2016


Noted iOS security researcher and hacker Luca Todesco has just released a WebKit-based loader for the Pangu 9.3.3 jailbreak. This impressive browser exploit is reminiscent of the original JailbreakMe exploits on iOS 1 and iOS 4, after which it is named.

All that is required for the technique to work is to follow a URL in mobile Safari, press a button, lock your device and wait for the respring.

Whilst this development is a testament to Todesco’s hacking skills and alleviates one major problem with the current 9.3.3 jailbreak (its reliance on developer certificates for the loader app), there is bound to be some confusion over what this tool actually does and what it means for the jailbreak community. This post aims to bring some clarity to the topic.

Todesco’s tool relies on a vulnerability in mobile Safari that allows arbitrary code to run, and uses it to re-enable your Pangu 9.2-9.3.3 jailbreak. Let’s quickly go through what this tool can and can’t do.

It can:

  • Re-activate the Pangu semi-(un)tether on jailbroken devices.
  • Work without the certificate restrictions which have until now been a downside of this jailbreak.
  • Work without an app, directly from your browser.

It cannot:

  • Jailbreak devices on firmwares not supported by the Pangu jailbreak.
  • Install Cydia (which means it is not a suitable replacement for the initial Pangu jailbreak program, only for the re-activation payload).
  • Work on any 32-bit device (iPhone 5 or older).
  • Make your jailbreak permanently untethered.

In summary, this exploit is at present a straight replacement for the Pangu re-jailbreaking apps on iOS 9.3.x. It is, however, a remarkable achievement given that it works via a webpage in mobile Safari, traditionally a difficult place from which to mount an exploit.

I am putting together a demonstration tutorial which will go into greater detail regarding this interesting development, and walk users through its use and repercussions, but at present, it can be found at the following site for those who wish to try it:

https://jbme.qwertyoruiop.com

One last point to note for those hoping for a fully untethered 9.3.3 jailbreak is that Todesco has commented that an untether for this exploit is not out of the question. However, it is unclear at the moment whether he intends to work on this.


  • gee thanks

  • deep desai

    @Luca Todesco
    Please release an iOS 10 jailbreak… I can donate any amount you want.
    If you want a donation for releasing the iOS 10 jailbreak, DM me on twitter @loveofamu

    • Ducky

      You really don’t get it do you? It’s not about money, he owes us nothing so he’s in his own right to keep his exploits to himself. Not only has he released this, but he’s also released a Pegasus patch yet people like you still beg for his iOS 10 jailbreak.

      • Rowan09

        Can’t knock him for trying, at least he’s willing to pay.

    • Waldemar Sinicki

      What for? Did you have a JB for 9.3.2 or 9.3.3?

  • Vic O

    iOS 9.3.3 Jailbreak. (…insert chuckle and head shake here…)

  • Diego Milano

    For those who have one of those enterprise certificates, this is not of much use, but great news anyway.
    Perhaps he should release an iOS 10 jailbreak when iOS 10.2 gets out instead.

    • Joaquim Barbosa

      Hi Diego, it’s true that if you have an enterprise certificate it will last a lot longer, but they still expire after a year I believe, so it might still be useful in a few months for you. Of course, there might be an iOS 10 jailbreak by then, but who knows? The only people to whom this makes no difference at all are the people who managed to download the Pangu app from the Apple Store when it was on there for a day, and who can use that app without a certificate forever…
      Thanks for reading!

      • Diego Milano

        Oh yes, of course. It goes without saying that the certificate will expire after a year but to my knowledge you can run the Pangu jailbreak again, can’t you? In any case, I don’t plan to stick to iOS 9.3.3 for that long, so I assume there will be a way to jailbreak iOS 10 by then.
        I really can’t think of iOS living without a jailbreak; it would take me a really big effort to stick to the stock iOS without my tweaks. There are certain aspects of iOS that are simply horribly designed (e.g., Control Center and the Home Screen, to name a few).
        Thanks for sharing with us, by the way. 🙂 I’m sure this article caught everybody’s attention.

      • Joaquim Barbosa

        No problem, I hope you found it interesting! I have an article coming out tomorrow which goes into more detail about the exploit used in this tool. And yes, let’s hope an iOS 10 jailbreak is available before the certification really becomes an issue for everyone…

        Cheers

      • Diego Milano

        Yeah, I can only imagine how much I’ll panic when restarting my device and noting my jailbreak cannot be reactivated, ha.
        Quick question, you can have MORE than one certificate installed on your device, right? I ask this because the company I work for is implementing a certificate and I’m hoping by doing this the original Pangu one won’t be overridden or removed. Thanks!

      • Joaquim Barbosa

        Hi Diego, yes you can have more than one certificate at once on your device. Though sometimes part of the point of enterprise set-ups is to detect jailbreaks, which could be a problem. But in principle, yes, you can have multiple certificates on your device at once. If not, it looks like you’ll be using the jbme method through lack of choice!

      • Diego Milano

        Well, technically I could get rid of the certificate at any point in time if I wanted to, right? I’m running this on my personal device so I doubt the company I work for would exercise any radical actions towards it, although I could be wrong about this, considering how aggressive some enterprises can be.

      • Harsh Sac

        Hey there!
        Could you explain to me what the text snippet on the website actually says?
        This part specifically, “tyvm NSO, sick 0day (at the time)”
        Thanks!

      • Joaquim Barbosa

        “Thank you very much NSO Group (Israeli company responsible for Pegasus bugs). Amazing previously unknown bug you guys found!”

      • Harsh Sac

        Gotchya…Thanks!

  • Rodney Coleman

    Ok we need iOS 10

  • Legend

    No one gives a flying F&CK about 9.3.3… who the F^CK IS STILL ON THAT SH*T?

    • Joshua The-Legend Wiebe

      I am; I personally dislike iOS 10. I’m so far the only one in my area who doesn’t need to press the home button to unlock his iPhone.

      • burge

        I don’t press the home button, raise to wake and Touch ID.

      • Tom Canuck

        You could be incorrect. I use InstantTouchID tweak on my 6S. I just use Touch ID, don’t actually have to press any button to wake the phone first :p

      • mickey

        You can turn this off if anyone didn’t know. Accessibility – home button – rest finger to open

      • Legend

        YOU’RE AN idiot! YOU CAN DISABLE IN SETTINGS NOOB

    • Sohail Wahab

      Exactly!

    • Poporopo00

      9.0.2 here…

      …iOS 10 sucks!

    • AJM

      Everyone who prefers a jailbreak over a few new emojis.

    • Joaquim Barbosa

      Everyone who has a jailbreak is by definition still on 9.3.3, or lower, in order to retain their jailbreak. Of course, many people are looking forward eagerly to an iOS 10 jailbreak…
      Thanks for reading

      • Legend

        if you don’t have an iPhone 7, you’re a poor BUM

    • MSiqueira

      Well… You know. AudioRecorder ftw.

  • F P

    Hahahaha pinky

  • Sohail Wahab

    Hopes!!!!!

  • Poporopo00

    …so by installing this thing I don’t have to worry about the certificate expiring?

    • Joaquim Barbosa

      That’s correct. It replaces the Pangu app if your device is already jailbroken, and doesn’t need a certificate.
      Thanks for reading!

      • cdlenfert

        I still think the best solution for anyone jailbroken on 9.3.3 is to have snagged the App Store approved version of the re-jailbreak app. The certificate will never expire and it’s an app on your device vs a web site that you need internet to access and could be pulled down at any time. I think even the enterprise certificate is better than a web tool. Cool proof of concept, but I don’t know how many people need/want it.

      • Eric Draven

        What App Store approved version are you talking about? If you were lucky enough to use the jailbreak early you get the one year certificate, but where is the one that doesn’t expire?

      • Joaquim Barbosa

        There was a Pangu app which snuck into the official App Store at one point; that is what cdlenfert is referring to. Any app from the App Store requires no certificate and will never expire, so people who downloaded it then can keep it forever. But Apple pulled the app in one day, so if you didn’t download it then, there’s no way to get it now unfortunately. Stick with your certificate, or Luca’s method.
        Thanks for reading!

      • Joaquim Barbosa

        Yes, the App Store app is definitely the best option, but is not really an option or solution for anyone who didn’t get it at the time. Also, Luca’s method does not need Internet after running it the first time, as long as you add the webpage as an icon to your home screen and use that. It avoids the danger that a developer could misuse the certificate you have accepted on your device which would allow them to run any further apps they wanted. Pangu are unlikely to misuse this of course, but I just wanted to highlight the merits of this method.

        Thanks for reading!

      • Gregg

        “Thanks for reading!” (every. time.!)

      • Joaquim Barbosa

        Hi Gregg.

        Thanks for reading!

        http://media2.giphy.com/media/cqcTjuggnRqIE/200w.gif

      • cdlenfert

        Thanks for the follow up. These are big pros of this tool that I was totally unaware of.

  • Mark S

    While I admire and respect very smart people that can figure out how to jailbreak the iOS, intelligence and common sense do not seem to go together.

    A lot of energy was wasted to jailbreak an outdated iOS version for a very small minority group. If no one else will point this out to you, I will, Luca: if you want to jailbreak something, jailbreak iOS 10, you know, an OS that the majority of iPhone owners can actually install today.

    • Joaquim Barbosa

      Hi Mark, unfortunately that is not quite how this works out. Luca has actually already jailbroken iOS 10, he just hasn’t released it. He hasn’t burnt any new exploits on this 9.3.3 web-exploit, it is just an add-on to an existing jailbreak, and uses exploits already patched in 9.3.5 and above. He also hasn’t wasted much energy releasing this, as it is an already existing exploit called Pegasus, which he has adapted to deliver Pangu’s existing jailbreak.

      It is good practice to remain on the lowest firmware you can if you want to be able to jailbreak so you don’t have to rely on any upcoming iOS 10 jailbreak release, though of course if you bought an iP7 which came with iOS 10 then I understand that’s not an option for you. I am also hoping for an iOS 10 jailbreak soon, let’s keep our fingers crossed!

      Cheers

  • Very useful!! The previous method stopped working on my iPad for some reason. Thank you very much (Joaquim for the article and Luca for the jailbreak)!