Researcher publishes kernel exploit for 64-bit devices on iOS 10.3.1 and below

You may recall hearing of the slew of kernel bugs that were patched in iOS 10.3.2, all of which were reported by Adam Donenfeld, an iOS and Android security researcher. At the time, he stated that an exploit using the bugs was already written and would be released at the HITBGSEC conference in the summer.

Well, summer is here, and with it both the conference and the promised exploit.

Is this a jailbreak?

Of course, what most people want to know about this exploit chain is whether or not it is, or could be, a jailbreak. The answer is that no, it is not currently a jailbreak, and yes, it could become one in the future. Donenfeld himself never had the intention of converting his exploit into a full jailbreak, and was very clear on the matter, though he also added that it was possible and that others were welcome to do so.

How close to a jailbreak is it?

An estimate from security engineer Min (Spark) Zheng puts the existing work at about 66% of a full jailbreak. This figure combines Donenfeld's kernel exploit (33%) with Ian Beer's already-known triple_fetch sandbox escape (33%). According to Zheng, the missing 33% is a bypass for KPP (Kernel Patch Protection). Donenfeld, however, appears to think such a bypass is not necessary and that KPP is not a problem. It remains to be seen whether that is the case, but if so, the existing exploit would be much closer to 100%.

Of course, even with the full set of exploits, someone would still need to package them together, include Cydia (possibly rewriting some of it), and add offsets for every different device and firmware. It’s likely that Saurik would have to be the one to perform any modifications to Cydia, though the offsets for all 64-bit devices from iOS 10.2-10.3.1 have already been published, which removes some of the hassle for anyone seeking to bundle the exploit into a jailbreak utility.

Which devices does the exploit run on?

It apparently works on all 64-bit devices, including the iPhone 7 and iPhone 7 Plus, and on all firmwares up to and including iOS 10.3.1.

This is great news as any jailbreak arising from it should cover every 64-bit device, including the flagship, and wouldn’t leave an unsupported gap between Yalu (up to iOS 10.2) and itself. However, 32-bit devices will have to sit out this round.

What can it do?

Aside from the possibility of a full jailbreak, there are a couple of other useful consequences which could come out of it. It’s possible that the bugs used in the exploit could be back-ported to the mach_portal jailbreak, increasing stability for users jailbroken on iOS 10.1.1 or lower. Another possibility is that it will allow users to set a nonce on firmwares up to iOS 10.3.1, which will let them downgrade with blobs to a jailbreakable firmware such as iOS 10.2, using futurerestore. This will be less important if a full jailbreak is released of course, but it would at least give some users a way to return to a jailbreakable firmware if they’re stuck on iOS 10.2.1-10.3.1.

What now?

For now, there's not much to do except wait and see. Although this is the most encouraging news 64-bit devices have had in a while, it is not a jailbreak, and we'll have to see whether anyone can make it one. In the meantime, if you want to look at what is a very impressive list of kernel bugs, as well as the workings of the exploit, the material is public. Zimperium (the security company Donenfeld works for) have posted his write-up of the bugs, and HITBGSEC (the conference at which his exploit was unveiled) have posted the full set of slides from his presentation on the exploit's internals, as well as the accompanying whitepaper.

With luck, someone will be able to make use of this great bit of research to provide us with a jailbreak, but until then, don’t update any devices on iOS 10.3.1 or lower (or any at all in fact), and guard your blobs jealously.

Have any comments or questions? Let me know below.