Jake James becomes second hacker to create a PoC based on Brightiup’s iOS 15.0-15.1.1 kernel bug

Those closely following the iOS & iPadOS software security sector might remember an iOS & iPadOS 15.0-15.1.1 kernel bug write-up published by Kunlun Lab security researcher @realBrightiup just last week. A day later, Alibaba Security Pandora Lab security researcher @Peterpan980927 showed off a proof-of-concept (PoC) using that write-up as a template.

This week, however, a name many jailbreakers will recognize created and released a PoC of his own. We’re talking, of course, about Jake James (@jakeashacks), a hacker who has earned quite the reputation for exploit efforts and releasing rootless jailbreaks.

James took to Twitter early Monday morning to share what appears to be a PoC based on Brightiup’s original write-up.

While both works by James and @Peterpan980927 are indeed PoCs and should be commended, James has actually published his on GitHub for the world to view and learn from — perhaps even jailbreak developers who might be interested in developing an iOS & iPadOS 15.0-15.1.1-based exploit to assist with jailbreak development.

Just to reiterate, the PoC isn’t an exploit that can be used for jailbreaking; it’s instead a reference that could serve as a guide for creating an exploit that could then be used for jailbreaking. It’s just another link in the chain.

Of course, iOS & iPadOS 15 have changed much about how jailbreaking will work in practice. By introducing the secure system volume (SSV) security mechanism, Apple has effectively ensured that future semi-untethered jailbreaks may need to be rootless. Thankfully, this shouldn’t impact our ability to install and use jailbreak tweaks and add-ons — it would merely bar write access to the root volume.

The aforementioned changes mean that developing a dedicated semi-untethered iOS or iPadOS 15.0-15.1.1 jailbreak would take additional time, even if an exploit were to be created using this method.

For what it’s worth, the folks over at the checkra1n team are working on a totally different method for iOS & iPadOS 15 support that won’t be rootless. It could utilize bind mounts instead of union mounts and set up a separate volume for everything that can’t be bind-mounted. The checkra1n jailbreak, on the other hand, is a totally different beast and uses an unpatchable hardware-based bootrom exploit present on A7-A11-equipped handsets only.

Given all the excitement that seems to be swirling around Brightiup’s CVE-2021-30955 kernel bug for iOS & iPadOS 15.0-15.1.1, it will indeed be interesting to see what becomes of it.

Are you excited to see if James’ PoC goes on to inspire the development of a full-blown exploit for iOS & iPadOS 15.0-15.1.1? Be sure to let us know in the comments section down below.