Luca Todesco releases browser-based exploit for Pangu 9.3.3 jailbreak without certificate

todesco jbme

Noted iOS security researcher and hacker Luca Todesco has just released a WebKit-based loader for the Pangu 9.3.3 jailbreak. This impressive browser exploit is reminiscent of the original JailbreakMe exploits on iOS 1 and iOS 4, after which it is named.

All that is required for the technique to work is to follow a URL in mobile Safari, press a button, lock your device and wait for the respring.

Whilst this development is testament to Todesco’s hacking skills and has alleviated one major problem with the current 9.3.3 jailbreak: its reliance on developer certificates for the loader app, there is bound to be some confusion over what this tool actually does, and what it means for the jailbreak community. This post aims to bring some clarity to the topic.

Todesco’s tool relies on a vulnerability in mobile Safari, allowing arbitrary code to be run and re-enabling your Pangu 9.2-9.3.3 jailbreak. Let’s quickly go through what this tool can and can’t do.

It can:

  • Re-activate the Pangu semi-(un)tether on jailbreak devices.
  • Work without the certificate restrictions which have until now been a downside of this jailbreak.
  • Work without an app, directly from your browser.

It cannot:

  • Jailbreak devices on firmwares not supported by the Pangu jailbreak.
  • Install Cydia (which means it is not a suitable replacement for the initial Pangu jailbreak program, only for the re-activation payload).
  • Work on any 32-bit device (iPhone 5 or older).
  • Make your jailbreak permanently untethered.

In summary, this exploit is at present a straight replacement for the Pangu re-jailbreaking apps on iOS 9.3.x. It is however a remarkable achievement given that it works via a webpage in mobile Safari, traditionally a difficult place from which to mount an exploit.

I am putting together a demonstration tutorial which will go into greater detail regarding this interesting development, and walk users through its use and repercussions, but at present, it can be found at the following site for those who wish to try it:

https://jbme.qwertyoruiop.com

One last point to note for those hoping for a fully untethered 9.3.3 jailbreak is that Todesco has commented that an untether for this exploit is not out of the question. However, it is unclear at the moment whether he intends to work on this.