An overview of all the current iOS 10 and 11 jailbreak developments, and what they mean

Gone are the days of radio silence, followed by the single release of a finished jailbreak tool for all devices. As the scene moves from funded teams working in secrecy, to public exploits being worked on co-operatively by individual developers in an open forum, the workflow has also changed.

We now hear incremental updates, sometimes multiple times a day, which are more technical and reinforce, modify, or even invalidate previous news. That’s why we’ve put together a quick round-up of the current state of affairs, which will bring you up to date.

The exploits

There are two exploits at play here, but they both use the same vulnerability. What this means is that they both capitalise on the same fundamental weakness in iOS, but that the methods they use to do so are unrelated. For iOS 10.x (up to and including iOS 10.3.3), we have v0rtex by SiguzaThe source code for this exploit has been out for a while, as well as a useful write-up for other developers. Interestingly, this exploit can also be adapted for 32-bit devices, and may well be.

For iOS 11.x (up to and including iOS 11.1.2, not higher), we have async_wake by Ian BeerHe is known for finding iOS bugs as part of Google’s Project Zero, and was responsible for the bug behind the extra_recipe tool too.

The problems

Just because we have an exploit doesn’t mean we have a jailbreak tool yet. The raw code of the exploits must be combined with various patches to create what the average user would consider a jailbreak. These include disabling iOS protections (such as amfi), enabling filesystem access (r/w on /), and more.

Various offsets are usually also required to add support for all devices. It must then be wrapped into a foolproof package containing Cydia and Substrate, which may themselves need changes to work with a new jailbreak’s quirks.

Additionally, the iPhone 7 (Plus) and all newer devices have hardware protections which could require an extra workaround to avoid. So even a full jailbreak for older models does not necessarily mean the job is done for the recent flagships.

Having said that, progress is being made.

Current progress

async_wake for <=iOS 11.1.2
The original version consisted of the kernel exploit necessary to get tfp0. To that have been added:

  • A patchfinder
  • Support for all devices (using an offset-less method)
  • Read and write on “/” (the root of the filesystem)
  • Basic patches for amfi

What it needs:

  • A bypass for KPP, or a KPP-less approach. The latter is looking more likely now, though it will require a re-write of Cydia Substrate
  • Cydia and Substrate to be packaged with it. Cydia has been demoed, but is essentially broken at present
  • Further patching of system protections such as amfid
  • A solution to KTTR hardware protection on the iPhone 7 and newer might be needed; older devices would not need this

It seems that every one of the above things is being worked on to some extent currently, which is encouraging. Versions of the exploit which bundle a file browser and SSH are already floating around, though they are far from complete as of yet. I would hold off on trying anything until it’s all come together under one roof. All in all, it’s looking pretty hopeful!

v0rtex
The exploit gets tfp0 and works on all devices from A7 to A10 (iPhone 5s to iPhone 7(+)), i.e. every 64-bit device which ever had iOS 10. It now has read-write access on “/” too.

What it needs:

  • A bypass for KPP, or a KPP-less approach. The latter is looking more likely now, though it will require a re-write of Cydia Substrate
  • Patches to amfi for unsigned code execution
  • Cydia and Substrate to be packaged with it
  • A solution to KTTR hardware protection on the iPhone 7(+) might be needed; older devices would not need this
  • Offsets added to properly support all devices
  • 32-bit support – this might come from tihmstar at some point

It currently looks like the iOS 11 work is slightly ahead of iOS 10, probably due to community enthusiasm, though v0rtex can make use of more already-known techniques. I think it won’t be long before they’re both finished, to some usable extent.

Related news

Apple TV 4 and Apple TV 4K
The exploit present in <=iOS 11.1.2, and used by async_wake, is also present in <=tvOS 11.1! This means that a liberTV jailbreak for both the Apple TV 4 and 4K is possible using the same work. Based on Jonathan Levin’s comments it looks like it will be happening too, though patience is requested.

Jailbreak toolkit
Also from Levin, this developer toolkit aims to make constructing a jailbreak easier on future occasions, by providing certain core functionalities that can simply be combined with new exploits as they become available. Not much more information is available, but it is due to be released soon.

32-bit
A final jailbreak is now possible for legacy devices, meaning they will be capable of being jailbroken for their remaining lifespan. v0rtex has the potential to work on 32-bit, and will surely eventually arrive.

Saïgon
The iOS 10.2.1 tool now uses v0rtex to jailbreak, making it more reliable. It’s also good news because it gives v0rtex an already completed tool to piggyback on. This could increase the speed with which v0rtex becomes a full jailbreak, because some of the patches and wrapping up have already been done in Saïgon. We’ll have to see if that turns out to be true.

v0rtexNonce
This tool uses the vortex exploit to set a nonce on your device on iOS 10.3.x. This allows A7 devices to futurerestore to iOS 10.x and iOS 11.x, and other devices to futurerestore to iOS 11.x. This will be useful to move to iOS 11.1.2 later, to jailbreak with async_wake. I have used v0rtexNonce and it works well.

futurerestore/Prometheus
A final piece of encouraging news, though it has not been thoroughly tested yet, is that futurerestore may work on iOS 11 after all. With a few minor updates the tool still runs, and an early test seems to have shown that the iOS 11.2 SEP and baseband are compatible with iOS 11.1.2. This means, as I optimistically predicted previously, that people who saved iOS 11.1.2 blobs when it was being signed might be able to jump to iOS 11.1.2 at a later date, after async_wake is finished.

To work, futurerestore requires a SEP and baseband from a currently signed firmware, so if all the signed firmwares have a SEP incompatible with the version you want to move to, it will fail. This was what killed futurerestores to iOS 10: all the signed SEPs (iOS 11) are incompatible. Only A7 devices such as the iPhone 5s can futurerestore to iOS 10 now.

Conclusion

Everything’s coming up Milhouse! Good progress is being made on an iOS 11, an iOS 10, and a tvOS 11 jailbreak, 32-bit devices might get back in on the action one final time, and saved blobs might let currently jailbroken users join the iOS 11 party any time they feel like it.

However, although likely, not all of this is set in stone yet. For that reason, be cautious. Don’t take any risks updating, (future)restoring, or installing half-finished jailbreak tools until they are complete and tested. Do not pester developers about release dates. Save your blobs and block your updates. With luck, we’ll get a jailbreak for Christmas…