JailbreakMe Examined Header

As reported recently on iDB, Luca Todesco has set out to solve the certificate problems which have plagued the most recent Pangu release for iOS 9.2-9.3.3 (its on-device re-jailbreak app is signed with enterprise certificates that expire or get revoked) by making public a web-based tool for re-activating the jailbreak.

After some testing and research, a more in-depth discussion of the tool, along with a walkthrough, seemed appropriate in order to address some of the more technical questions surrounding this latest development in the jailbreaking scene.

Before we go through how to use the tool, here are a few more events which have occurred since its release.

Updates

Firstly, Todesco updated the website to use HTTPS instead of HTTP as a precaution against man-in-the-middle attacks: the page delivers code that ends up running with kernel privileges, so anyone able to tamper with it in transit over plain HTTP could have swapped in a payload of their own. He also made small updates to the tool itself, modifying the respring code to use a version of Pangu’s (which he says is slightly less reliable, but cleaner), and enabling the HTML5 Application Cache (AppCache). The upshot of this last change is that if you add the webpage to your Home screen on iOS it is now cached, so you can use it at a later date without any Internet connection. This is a very useful update and it removes the last functional difference between his tool and the original Pangu app. Note that the cached copy lives in Safari’s website data: if you clear Safari’s history and website data, the offline copy goes with it and the tool will need a connection again until it has been revisited online.

The use of Pangu’s respring code suggests some level of co-operation between Todesco and the team, especially as he has mentioned that it uses a new version of the Pangu 9.3.3 SDK, to which he apparently has access. Thanks to this SDK, the equivalent of a “tfp0” (task_for_pid(0)) patch is enabled, with the kernel task port exposed through host_get_special_port; this is required by many advanced tools, such as those which save SHSH blobs on-device and downgrade devices. A nod to Todesco can also be found on Pangu’s official website, where they seem to advocate using his method from now on in place of the previous certificate methods.

The tool

In terms of the make-up of the tool, some more information has now been confirmed by Todesco. He has said that the exploit used is indeed an implementation of the WebKit bug which formed part of the three zero-day vulnerabilities dubbed Trident (the other two being the kernel bugs used to escalate from the browser to the kernel). Most likely CVE-2016-4657, the bug allowed a website to be crafted so as to gain arbitrary code execution in Safari when a victim merely loaded it. It was utilised in the wild as part of the Pegasus spyware, and was patched in iOS 9.3.5, meaning Todesco’s web exploit works only up to iOS 9.3.4 (more on this later). For more information on this set of bugs, I recommend the write-up from Lookout, one of its discoverers.

One last thing about the tool’s construction is revealed by an inspection of the page’s source code. Here we find its licensing terms and some of the Wu-Tang magic that makes it go:

JailbreakMe Page Source
For those interested in these light-hearted legal stipulations and what exactly the license entails, the full document is available to peruse. As for “Da Mystery of Chessboxin”, your guess is as good as mine.

Requirements

  • A 64-bit device (iPhone 5s and later) which has previously been jailbroken by the Pangu 9.2-9.3.3 tool. The web tool only re-activates an existing jailbreak; it does not install Cydia from scratch.
  • An internet connection (just the first time around).

How to use

1) Ensure your device is in “non-jailbroken mode”, that is, it has been rebooted and not re-activated with the Pangu app.

2) Open mobile Safari and visit the following URL:

https://jbme.qwertyoruiop.com

Please note, this only works in the standalone Safari app, and not in in-app browsers. Trying to follow the link from within an app (for example Twitter or Reddit) results only in a blank screen.

3) Press the “go” button on the page, and wait whilst the page responds with “doing it”.

JailbreakMe Walkthrough

4) When the pop-up appears, follow its instructions to dismiss it, and then press the screen-off/lock button on your device.

JailbreakMe Respring Alert

5) The device will now become unresponsive whilst it resprings. Please note that this takes longer than with the Pangu app (on the order of a couple of minutes rather than seconds), and no Apple logo or respring animation will show while it progresses, so be patient.

6) Once the device has resprung it should be jailbroken again. Verify by checking any of your chosen tweaks are functioning.

7) Open Safari again and revisit the tool’s page. Once on it, press the “Share” button at the bottom of the screen and select “Add to Home Screen”. Pick a name for it and then press “Add” in the top-right. The page is now added as an icon to your Home screen for easier use in future and, as mentioned above, can be used without internet.

JailbreakMe Homescreen Add

Patching the exploit

Todesco is aware that, whilst he is not the creator of this exploit, his release of the tool makes knowledge of the vulnerability more widespread. Consequently, people might embed the exploit in seemingly innocuous websites to attack devices without their owners’ knowledge. He has therefore, alongside his tool, released a patch which protects against the very vulnerability his tool exploits. Everyone jailbroken with the Pangu 9.2-9.3.3 tool is advised to install this patch immediately. It protects you from similar attacks whilst you are in your jailbroken state (it is a runtime patch loaded into the jailbroken system, not a firmware update, so it is gone after a reboot until you re-jailbreak), and its source code can be freely examined if you wish.

To install the patch

1) Launch Cydia and navigate to the “Sources” tab.

2) Hit the “Edit” button in the top-right, and then “Add” in the top-left.

3) In the field which comes up, enter the following repo URL (the same as the one for the exploit webpage):

https://jbme.qwertyoruiop.com/

4) Press the “Add Source” button, to add Todesco’s repository.

JailbreakMe Cydia Repo

5) Once the source has populated, use Cydia’s search tab to look for “jbmepatch”, and select it.

6) On the package page, press “Install” in the top-right, and on the following page touch “Confirm” in the top-right to install.

7) When the installation is complete, press “Restart SpringBoard” to respring and activate the patch.

8) You can test the patch by attempting to use Todesco’s tool again after your device has resprung; it should no longer have any effect.

Remember that the patch can only protect your device whilst it is in its jailbroken state. If you reboot your device you will not be protected by the patch until you re-activate your jailbreak with JailbreakMe or the Pangu app, so be careful which URLs you visit whilst in un-jailbroken mode. Just as the JailbreakMe tool does not work on 32-bit devices, neither does the patch; do not attempt to install it on a 32-bit device.
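As an added example (this is not code from Todesco, Pangu or the jbmepatch package), here is the same procedure done from an SSH session on the jailbroken device instead of through Cydia’s UI, followed by the check a practitioner wants afterwards: reading dpkg’s status database to confirm the package is actually in the installed state rather than merely downloaded or half-configured. It assumes the command-line apt-get and dpkg from Cydia’s APT packages are present, that the repo is a flat Cydia-style Debian repository (so its APT entry is `deb URL ./`), that a separate list file under /etc/apt/sources.list.d is acceptable, and that sbreload from uikittools is available for the respring. The dpkg stanza it checks when run without arguments is a constructed sample, not taken from a real device.

```shell
#!/bin/sh
# Added example, not Todesco's or Pangu's code: command-line equivalent of the
# Cydia steps for installing jbmepatch, plus a check that it really installed.
# Assumptions: apt-get/dpkg from Cydia's APT packages exist, the repo is a flat
# Cydia-style Debian repo ("deb URL ./"), and sbreload (uikittools) is present.

REPO_URL="https://jbme.qwertyoruiop.com/"
PKG="jbmepatch"
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"
STATUS_FILE="${STATUS_FILE:-/var/lib/dpkg/status}"

# The one-line APT source entry for a flat Cydia-style repository.
source_line() {
    printf 'deb %s ./\n' "$1"
}

# Append the source entry to a list file unless it is already there, so the
# script can be re-run without duplicating the entry.
add_source() {
    list_file="$1"
    entry="$(source_line "$2")"
    if [ -f "$list_file" ] && grep -Fqx "$entry" "$list_file"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$list_file"
}

# Print the installed version of a package by reading dpkg's status database
# (stanzas separated by blank lines), or print nothing if it is absent or not in
# the "installed" state. A package that was downloaded but failed to configure
# carries a different Status line and is reported as not installed.
installed_version() {
    awk -v want="$2" '
        function flush() {
            if (pkg == want && status ~ /installed$/) print ver
            pkg = ""; ver = ""; status = ""
        }
        /^Package: /  { pkg = $2 }
        /^Version: /  { ver = $2 }
        /^Status: /   { status = $0 }
        /^$/          { flush() }
        END           { flush() }
    ' "$1"
}

# Return 0 only when the package is installed; prints "name version" for the log.
patch_installed() {
    v="$(installed_version "$1" "$2")"
    [ -n "$v" ] && printf '%s %s\n' "$2" "$v"
}

if [ "${1:-demo}" = "apply" ]; then
    # Only touch the real device when explicitly asked to.
    add_source "$SOURCES_DIR/jbme.list" "$REPO_URL"
    apt-get update && apt-get install -y "$PKG"
    patch_installed "$STATUS_FILE" "$PKG" || { echo "$PKG not installed" >&2; exit 1; }
    sbreload   # respring so the patch is loaded, as Cydia's "Restart SpringBoard" does
else
    # Offline demonstration against a constructed dpkg stanza (not from a device).
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
Package: jbmepatch
Status: install ok installed
Version: 0.0.1-constructed
EOF
    patch_installed "$sample" "$PKG" || echo "$PKG not installed"
    rm -f "$sample"
fi
```

Run it with `apply` as the first argument on the device to add the source, install the package and respring; with no argument it only runs the offline check against the constructed sample. `patch_installed` returns non-zero when the package is absent or only half-installed, so a script can use it to gate the respring instead of assuming the install succeeded.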

Future possibilities

All that remains to comment on is the future potential of the tool, as many people have been exploring the topic. The web-based exploit that Todesco uses was patched in iOS 9.3.5, so you’re out of luck if you were hoping that this would result in a jailbreak for anything above 9.3.4, including iOS 10. It does, however, imply that the exploit works on 9.3.4. Whether that means the Pangu jailbreak can be extended to devices on 9.3.4 is unclear: the WebKit exploit that delivers the payload works there, but the jailbreak payload itself (the kernel exploitation and patching that follows) is built for 9.2-9.3.3, not 9.3.4. It is not as simple, as some have been suggesting, as running Todesco’s tool on 9.3.4 and then side-loading Cydia, because those other requirements are still not met. It remains to be seen whether the payload can now be modified to include that firmware.

The other two points of interest are an untether and 32-bit support. These are clearer. Todesco has stated that both are possible: Pangu’s jailbreak can be ported to 32-bit devices, and an untether for the payload injected by his tool could be created. However, he has not confirmed that he is working on either, nor that he has any interest in doing so. We will simply have to wait and see whether he or Pangu has the time or inclination to provide them, but I wouldn’t get my hopes up. Interest in supporting 32-bit devices is low and waning, and efforts are bound to be focused on developing an iOS 10 jailbreak rather than an untether for a now-unsigned firmware.

Have you used JailbreakMe 9.3.3? Do you expect to see 32-bit support or an untether? Let me know in the comments.

 

  • MSiqueira

    Hello Joaquim, great article.

    However, we are demanding readers haha

    So, kinda n00b question
    For those – like many of us – who rely today on the Pangu re-jb tool and the certificate, etc…

    Is there a set of procedures to clear the phone from the “old” Pangu solution?
    For instance, can we just uninstall Pangu from Home screen? Can we uninstall the profile certificate? Is it safe to do so?

    Thanks in advance.

    • Joaquim Barbosa

      Greetings!

      So, regarding clearing the old Pangu solution, my advice would be this: leave it as it is for now.

      It has been proven over a long period to be safe, and it does not take up much space or slow your device. However, if for any reason Luca’s site gets taken down (unlikely but let’s be safe here), you will appreciate having the original solution still available to you.

      Once the certificate runs out of its own accord, then I would consider moving over to this one exclusively, but for now, if you don’t have to choose between the two, why should we? Let’s keep our options open.

      However, if you absolutely must get rid of the Pangu method you can simply delete the Pangu app from your home screen. Then go to “Settings… General… Device Management…” and check that the certificate has disappeared. It should disappear when you delete the Pangu app, but otherwise you can delete it from there manually.

      But as I say, I’m keeping both for now on my device, as you just never know. Thanks for a great (demanding) question, and hope you enjoyed the article.

      Cheers

      • I wholly agree. Even though I have been using this tool specifically for the last few days, I do have two other certificates and methods including the PG client. When I initially jailbroke using the seven-day method and original Pangu tool, I didn’t know what the certificate was, so I deleted it and it removed the re-jailbreak tool. That was easy enough to reinstall. But I have heard of people who were simply trying to reactivate the jailbreak after a seven-day time out and after reinstalling all of their tweaks were missing. So I’m kind of worried what will happen in April when the PP盘古越狱 app’s enterprise certificate goes blooey.

    • I thought about that as I have both the PP tool and the PG client app. I think if anyone was lucky enough to get the PGClient from the App Store they could just keep on using that; before I had that I had the PP盘古越狱 app with the one-year certificate, which apparently ends in April. I think removing the tool that you used to initially jailbreak removes the jailbreak completely. Whatever tool you used for the initial jailbreak, leave that in, otherwise you won’t have a jailbreak, and the WebKit tool will reboot you to a blank screen with no Cydia. But, I don’t know for sure. This is being discussed over at r/Jailbreak; there is a huge thread about it. I think I will go and ask over there, because if there’s a way we can safely remove those, we should. I have already tested out the cached version of the site from my springboard; it works wonderfully.

      • Joaquim Barbosa

        Hi XweAponX, I’d be interested to see if what you say is the case, as I would have assumed the opposite. Once the device has been initially jailbroken, Luca’s tool should do the same as the Pangu app, and deleting it *should* have no effect. However, I would keep both for now just in case.
        Cheers!

      • Well it’s just that I have done this before: you remove the tool, you remove the jailbreak completely. That includes all of the links on your springboard to Cydia and all of your jailbreak apps that have springboard icons; it will all disappear. This is from experience, so I’m just saying: don’t delete the tool that you initially used. You can delete anything else though.

      • Hi there, I was just considering this and on a hunch I removed my original PP helper app, which is what I used. I deleted the one-year certificate and checked the app out and then rebooted. Then I re-jailbroke using only the PG Client.

        It seems that when I installed the PG Client iOS app, it superseded the PP helper tool that I originally used; it seems that the PG Client reinstalled Cydia right over what I had. So from now on all I need to use is the WebKit tool, but even though I don’t really need to use the PG Client anymore, it still has to stay installed because that’s where Cydia came from. You see, I hadn’t realized that PG Client had taken over. I spoke to one of the guys who knows a lot about that tool and he said that I should be able to just remove that too, but I’m not going to do that until I’m sure I can reinstall the PG Client. But there was a lot of discussion about this in r/jailbreak; I’ll have a look and see exactly what you can and can’t do, because if I don’t really need to keep the client on my device, I want to know that. But it just seems safer to keep at least one initial-jailbreak client in.

        Ultimately what really matters is what I will do if I have to do a Cydia erase on this device which I might have to soon- and since the WebKit itself can’t reinstall Cydia I’ll have to choose one of these other tools. This would be a good solution for people who used the seven day certificate tool. Basically there’s two things going on, the initial Cydia install which you have to use a client to do, and then the rejailbreaking process, for which you don’t need the tool.

  • droid3000

    I am just about to use Cydia Eraser. Can I use this to jailbreak after?

    • MSiqueira

      I don’t think so.

      If you use Cydia Eraser you’ll have to go to the entire process of full JB (sideload Cydia, install the enterprise certificate, install Pangu, etc.).

      This jbme web tool just replaces the Pangu tool that lies on your Home screen and you will use it only to rejb your iOS device every time you reboot.

    • Joaquim Barbosa

      No, you must use the original Pangu application for PC/Mac to initially jailbreak the device. This tool only replaces the Pangu app on your phone for re-activating the jailbreak after reboots. It does not jailbreak the device entirely from scratch.

      Why are you using Cydia Eraser by the way? It should generally be kept as a last resort, as a failed erase will mean having to restore to an unsigned firmware…

      Hope this helps!

      • I’ll leave this one tip for using Cydia Eraser. I’ve used it two times on the device (i6/9.3.2) I have right now and about four times on my old 5S which is on 8.4 (and will stay that way). Don’t run it unless you are in no-substrate mode. Don’t run it if you have installed extra fonts and have not restored the original fonts. Don’t run it if you have deleted any language packs, system fonts, or other things to “save space”, because Cydia Eraser will re-download everything native that you have deleted from the device, and in the case of a font or language pack, it may take a week (or more) to restore that. I am pretty sketchy about using it as well, but every time I have done it, it has been successful, and my 64 gig 5S was filled to the brim with tweaks and apps when I ran it.

      • droid3000

        Random resprings.

      • Joaquim Barbosa

        I see, good luck! You could also try removing tweaks to isolate the problem. Either way, I hope it goes well.

      • droid3000

        Do you know if any of the jailbreaks done directly on the phone still work?

      • Joaquim Barbosa

        If you’re asking if there’s a jailbreaking tool that works without a computer for iOS 9.x, then no there isn’t I’m afraid. You will need a computer to jailbreak the first time with Pangu on iOS 9. After that, you can use an app on your device or Luca’s tool to re-activate the jailbreak each time you reboot your device without a computer. But the first time needs a computer.

        Hope this helps, cheers.

    • Although the tool leaves you in a “jailbroken state”, you wouldn’t have any permissions to install Cydia. You would be able to SSH into the device, but I don’t think you would be able to change anything

    • You will have to re-jailbreak or actually re-initial-jailbreak, using whatever tool. If you can get the PG Client, use that. Otherwise use the PP盘古越狱 app with the one-year certificate, that will give you until April.

      That’s the tool that I initially used, even though I have PG client installed now as well, so I’m kind of skittish about what’s going to happen in April when the enterprise certificate runs out. I may have to remove that tool and then re-initialize using PG Client.

  • Mio Kasic

    Thanks for sharing this!

  • Poporopo00

    Interesting.

    What about the Pegasus patch for 9.0.2?

  • workin

    Using jailbreakme ONLY means Cydia isn’t installed? Then must be installed separately?

    Using jbme patch results in not being able to run jailbreakme again. So uninstalling patch is required to rerun jailbreakme?

    • BasedOnAir

      the jailbreakme is only required to get you into a jailbroken state after a reboot, since rebooting leaves your device unjailbroken. The patch only functions when jailbroken so removing it is unnecessary because when you need jailbreakme you’ll be unjailbroken and thus unpatched. When you run jailbreakme it jailbreaks the phone and therefore activates the patch along with it.

      The patch’s purpose is to prevent someone from using it for malicious intent when it’s no longer needed.

  • Zevet Carlitos

    I’m having trouble with my wifi and some apps won’t open while I am in non jailbreak mode https://uploads.disquscdn.com/images/68b78e340f8cbb219630651f24829779040d1871f0ecd11b2f4176db1faa2c89.png

    • leart

      That’s why most people prefer a “stock” iOS… with jailbreaking these days you don’t really know what you are putting on your device.

    • Joaquim Barbosa

      Hi Zevet, I’ve never had any problems like that before. Try uninstalling some of the tweaks you installed around the time you started having problems. You could also try resetting your Network Settings (do NOT press Reset All Settings however).

      Let me know how it goes, or if you find out what the trouble was…

  • Diego Milano

    Wow, definitely agree with MSiqueira here, this is a GREAT article. And I also find it awesome that you even took the time to mention the security patch (for those who claim jailbreak is pointless, here once again proving the fact that jailbreaking CAN sometimes bring more security fixes quicker than Apple).

    • BasedOnAir

      Everyone on 9.2-9.3.3 should install the patch. I can confirm it does not get in the way of existing pp/certificate methods. Think of it as a Pegasus patch for security, because that’s what it is. Jailbreakme web site is based on Pegasus.

      • Diego Milano

        But my question still remains. If I install the patch before running JailbreakMe, would I still be able to run it in the future? I know it must sound like a stupid question but…

      • BasedOnAir

        Yes, because the patch only works when you’re jailbroken. Even though the patch prevents jailbreakme from working, you only need jailbreakme when you are not jailbroken, after each reboot, when you’re not jailbroken yet and the patch isn’t yet loaded, thus not working to prevent jailbreakme (until you’re jailbroken again).

        Think of it this way: the patch makes it so you can only be exploited by Pegasus/jailbreakme one time per reboot.

      • Diego Milano

        Wow, marvelously explained, makes perfect sense now!

      • BasedOnAir

        You’re welcome

      • Joaquim Barbosa

        BasedOnAir is completely right. I would only add that it’s not just 9.2-9.3.3 devices that should install the patch. All 64-bit devices on 9.x should install it.

        Thanks for reading guys!

      • Diego Milano

        I got it installed last night at last. Another proof that jailbreaking is not THAT insecure after all since we can still patch these vulnerabilities.

      • BasedOnAir

        See my edit

  • 7000rpm

    There’s still hope.

    • BasedOnAir

      16500 rpm.
      Yamaha R6

      • 7000rpm

        Dangerous lol

      • BasedOnAir

        9 second quarter miles/1440. 0-60mph/0-100kph in 2 seconds.

        My personal best is 11.7 quarter mile. Too scared of wheelies getting out of control. Though the front wheel lifts off the ground whilst at 60mph/100kph when I shift hard into 2nd gear, sets back down by 80mph/125kph though.

  • Agneev Mukherjee

    I really don’t know why SwiftKey hasn’t rolled out support for 3D Touch typing…

  • Rahimo

    it took forever to respring !!!! I’ve followed the steps and my device’s screen showing the “waiting rolling wheel” for about 25 minutes !!!! what should I do? @joaquimbarbosadiscuss:disqus

    • BasedOnAir

      Hard reset and try again

      • Rahimo

        it doesn’t work :'(

    • Joaquim Barbosa

      @rahimo:disqus did you get it sorted in the end? My iP6 doesn’t show a wheel at all with this tool, just a black screen. It does take a while compared to the Pangu app, but more like 2 minutes than 25! Hard reset and/or go back to Pangu app for now?

      Hope you got it fixed!

      • Rahimo

        unfortunately 🙁 doesn’t work !! and I lost the jailbreak :'( even Pangu app couldn’t wake the jailbroken state of the iPhone !!!!!

      • Joaquim Barbosa

        I’m sorry to hear that, fingers crossed for another jailbreak soon!

      • Rahimo

        Still waiting!!! 🙁 thank you anyway 🙂

      • Marina

        Do a hard reset and keep holding the “volume up” (+). Maybe you can go to the safe mode. No guarantee.

  • Ben$

    Is it good to install the patch after JB by the pangu app?

    • Joaquim Barbosa

      All 64-bit devices jailbroken on 9.x should install the patch, regardless of the re-jailbreak method they use.

      Thanks

  • leart
    • Joaquim Barbosa

      What iOS version is that you’re running there @leart78:disqus? The patch is only for 64-bit devices (iPhone 5s and later) running iOS 9.x or later.

      Cheers!

      • leart

        I was just kidding… I haven’t jailbroken since iOS 6 and that is my highest jailbroken iOS version 😉

  • Diego Milano

    Anyone else came across this while trying to install the patch? Instead of saying “Install,” it says “Modify,” and when I tap on it I get two options: Install and Downgrade. However, I never installed this patch before on my device, so I’m not sure what’s going on here.

    • Joaquim Barbosa

      Interesting!
      Thanks for info. Not sure why that is, but I doubt it means any harm…

      • Diego Milano

        Yeah, I went for “Install,” I didn’t want to try the “Downgrade” option just in case.

  • Joaquim Barbosa

    Yes, all 64-bit 9.x devices should install the patch. Do not install it on a 32-bit device however.

    Hope this helps

  • Sleetui

    Anyone have blue screens when re-activating the jailbreak via Pangu or any other app? If so, any fixes? I think it’s known as a kernel panic but it can be quite annoying to see; especially if the jailbreak failed to load properly.

  • Matrixnubee

    After my phone restarted last night I noticed my messages app and icon have disappeared! After reactivating the jailbreaking it still doesn’t show anywhere. There’s not even a settings tab for messages in settings anymore. No luck using spotlight and when resetting the home screen layout it still doesn’t show up.

    Any help?? I’m afraid I’ll need to restore and lose my 9.3.3 jailbreak huh 🙁 🙁

    • Joaquim Barbosa

      Have you tried a hard reset? Or booting into safe mode to see if they reappear? Sounds like an unusual problem you have…

      • Matrixnubee

        Very unusual…

        I’ve tried both with no luck. The weird part is that in settings there’s no more tab for messages anymore. The messages app completely got messed up and gone…

      • Joaquim Barbosa

        Try resetting network settings, NOT all Settings though as it will lose your jb. I don’t think it’ll work, but you can at least try…

  • MrE23

    Thanks! Very helpful 🙂

    • Joaquim Barbosa

      Glad you liked it, and thanks for the comment!

  • Diego Milano

    Joaquim, can you add a big disclaimer to this article that if for any reason you decide to clear all Safari history and cache and you don’t have an Internet connection, you WILL indeed require a connection to use this tool, please. I just tried this as I wanted to rule it out as a possibility and if you clear the history and cache, restart your device, and try to run the tool, it just won’t work because the offline files won’t be available anymore.

  • Marina

    At first: thanks for JBme!!! BUT, I still need an Internet connection to re-jailbreak. I saved the icon like in the description on my homescreen. I saved it after the re-jailbreaking, in jailbreak mode.
    What did I do wrong?
    If it will work without Internet:
    Will the cache also be deleted if I use “iCleaner”?

  • Henry Ardiyono

    Does this also work on 9.2.1?

    Or only for 9.3.3?

  • Chuck_Anom

    I’m (still) using an iPhone 5S on iOS 9.3.3, jailbroken using Pangu’s English version. The certificate will be valid until April 2017 (correct me if I’m wrong). The question is, what’ll happen when it’s expired? Can I still re-jailbreak it? Or worse, will I lose my jailbreak? In my thought, I can still keep the jailbreak as long as my phone is not restarted.

    ==edited==
    That’s a great article! The ultimate question is what should i do to keep my jailbreak? Please give a hint and i’ll find out the details later.
    Thanks.

  • Milo

    So the enterprise certificate is now expired as it is now April 29th. I still have my pangu app on my phone but it doesn’t open while I am in “unjailbroken mode” but using this link works beautifully for getting my phone back into “jailbroken mode”. I’m guessing I should just keep the pangu app on my phone just in case, as I really don’t want to lose my jailbreak and have to upgrade or use my crappy laptop to jailbreak again.

  • Najib Badri

    Why can’t I use any apps when in non-JB mode? Everything crashes. iPhone 5s, iOS 9.3.2. I can enter Safari. Still using the Pangu 7-day certificate.

  • Eric Wayne Thomas

    Site is down 🙁

  • The site says temporarily down