Technical Features of Pangu Jailbreak Announced During SyScan360 Hacking Conference 2014

The Chinese Pangu team turned the world of jailbreaking upside down by releasing the Pangu untethered jailbreak for iOS 7.1.x last month, which supports all iOS 7 compatible devices. This is great news for the whole community: there is finally real competition among hackers, which could make it easier and quicker for different teams to launch future jailbreak utilities.

Even once the Pangu team had gathered all the vulnerabilities needed for an untethered jailbreak, it still took them about two months to finish developing the tool. Since this was the first time they had developed an untethered jailbreak program, they faced various problems. The team thanks everyone who helped them complete the utility and release it to the public before other hackers managed to take this step with iOS 7.1, 7.1.1 and 7.1.2.

This article mostly covers the vulnerabilities found by the Chinese hackers and used in the Pangu jailbreak to untether the iPhone, iPod touch and iPad. They gave details of their code signing bypass, kernel information leak and kernel memory overwrite vulnerabilities, and then demonstrated how these bugs are exploited so that Pangu can jailbreak iOS devices.


The Pangu Team spoke on “How Pangu Jailbreak Untethered on Your iOS Devices” during the 2014 SyScan360 hacking conference. This event is well known among Internet security conferences in Asia and has been held more than 20 times since 2004. The goal of SyScan is not to promote any single brand or product, but to provide a forum through which the world’s top hacking and cyber-security specialists can meet, talk, discuss and exchange views and ideas.


Pangu Jailbreak is a free iOS jailbreaking tool developed by the Chinese team who call themselves PanGu. The first and only iOS 7.1.x jailbreak (as of July 2014), it can jailbreak many iOS devices, even on the latest iOS 7.1.2. Pangu is a desktop application for Windows and Mac that jailbreaks an iOS device (connected to the computer with a standard USB charging cable) after the user clicks through a series of buttons and follows easy-to-repeat instructions.


iOS Code Signing

  • Installation
  • Command Line
  • Sandbox
  • Access Control
  • Kernel encryption
  • Hardware decryption operation time
  • System version limit

Pangu Jailbreak

  • Full control over the files on your own device
  • Full file system access
  • Execution of arbitrary code
  • Use of extensions (tweaks)
  • Breaking through system restrictions

iOS Security

  • Application layer: ASLR / NX / Stack Cookie / AMFI / Sandbox / Entitlement / Code Signing
  • Kernel layer: KASLR / NX / Stack Cookie / User Space Isolation / Heap Randomization / Free List Protection
  • ARMv7s/ARM64
  • Kernel debugging is almost impossible
  • Low fragmentation (of devices and OS versions)

Several Jailbreak Types

Failbreak - A program that is mostly not available to the public. It only acquires root privileges, or is an incomplete / flawed jailbreak that cannot run Mobile Substrate properly. Some failbreaks cannot be released to the public for various reasons, so “failbreak” is also sometimes used to refer to any jailbreak that cannot be released to users, whether or not that jailbreak is complete.
Tethered Jailbreak - This type of program makes users lose their jailbreak status after they manually restart their iPhone. The jailbreak tool has to be run again, often, to regain that status.
Untethered Jailbreak - This is the best type of jailbreak program, as it lets you use your smartphone to the fullest without losing your jailbreak status when you manually restart your device. The status is lost only once you decide to update to a newer firmware version.

Jailbreak history

  • Saffron (JailBreakMe 3.0) for iOS 4.3.3 (2011.7)
  • Absinthe 2.0 for iOS 5.1.1 (2012.5)
  • Evasi0n for iOS 6.0-6.1.2 (2013.2)
  • Evasi0n7 for iOS 7.0.x (2013.12)
  • Pangu for iOS 7.1.x (2014.6)


Pangu jailbreak history

  • Originally released on 2014.6.24
  • World’s first, and the first tool to support the iOS 7.1.x jailbreak on all devices
  • The first presentation by the Chinese team that developed and launched this jailbreak to the public
  • Pangu team members: @dm557 @windknown @modikr @tb557 @zengbanxian

iOS Jailbreak process

  • Code injection out of the sandbox
  • Get root privileges
  • Kernel overflow
  • Patch kernel
  • Remount rootfs Writable
  • Release Untether

Pangu Jailbreak process

  • Manually restart the phone
  • Bypassing code signing
  • Kernel overflow
  • Patch kernel
  • Remount rootfs Writable
  • Continue to boot the system

Application-layer attack surface

  • Built-in applications
  • MobileSafari / Mail / Message
  • Connected to a computer
  • Backup / File Relay / Sync / DDI

Kernel-level attacks

  • IOKit
  • Syscall
  • Mach Trap
  • MIG subsystem

Code Signing bypass

Since the developer betas of the iPhone firmware, Apple has required all code on the device to be signed. This is done to prevent unauthorized applications from being installed on the iPhone. To get around this (and thereby install their own code on the device), hackers patched signature verification out of the kernel. However, the other half of the code signing problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is difficult (especially to keep track of as Apple makes changes) and of marginal benefit, as adding these hashes is easy.

  • Kernel layer - AMFI
  • Application layer - dyld
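To make the per-page SHA1 hashes described above concrete, here is an added example (not code from the Pangu team or from Apple) that models a code directory as one SHA-1 digest per 4096-byte page and shows how a verifier pinpoints a patched or truncated page; the layout is a simplified assumption, not Apple’s exact on-disk format, and the sample binary is constructed.

```python
import hashlib

PAGE_SIZE = 4096  # assumption: hash one executable page of this size per slot


def page_hashes(binary: bytes, page_size: int = PAGE_SIZE) -> list:
    """One SHA-1 digest per page, modelling the hash slots a signed
    binary carries in its code directory (simplified layout)."""
    return [hashlib.sha1(binary[off:off + page_size]).digest()
            for off in range(0, len(binary), page_size)]


def verify_pages(binary: bytes, directory: list, page_size: int = PAGE_SIZE) -> list:
    """Return indices of pages whose contents no longer match the signed
    directory. A kernel-side checker compares page by page when code is
    mapped in, so a single patched page is caught wherever it sits."""
    actual = page_hashes(binary, page_size)
    if len(actual) != len(directory):
        # a grown or truncated image can never match its directory
        return list(range(max(len(actual), len(directory))))
    return [i for i, (a, d) in enumerate(zip(actual, directory)) if a != d]


def demo() -> dict:
    # Constructed sample "binary": 12288 bytes of deterministic filler = 3 pages.
    original = bytes(range(256)) * 48
    directory = page_hashes(original)           # signed at build time
    clean = verify_pages(original, directory)   # untouched image passes
    # Flip one byte inside the second page, as a patched binary would.
    patched = bytearray(original)
    patched[PAGE_SIZE + 100] ^= 0xFF
    tampered = verify_pages(bytes(patched), directory)
    # A truncated image fails wholesale because the page count differs.
    truncated = verify_pages(original[:PAGE_SIZE * 2], directory)
    return {"pages": len(directory), "clean": clean,
            "tampered": tampered, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The tampered run reports only page 1, which is why the checks have to be patched out of (or satisfied in) every place the kernel performs them, rather than in one spot.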

Patch Kernel

  • Supports all devices - fixed-address offsets are not suitable
  • Smart search - dump the kernel at runtime, then search it
  • Simple command interpreter
  • Search for patch locations by instruction patterns

Short Biography of Pangu Team Speakers

windknown currently works on security research and app development for OSX/iOS, and also has years of experience in Windows security. His major research fields cover OSX/iOS/Windows security, vulnerabilities, rootkits, virtualization technology, etc. He has presented his research at various international security conferences, including XCON, POC, SyScan and SyScan360.


dm557 is a security researcher who focuses on advanced vulnerability exploitation research. He has worked in the network security field since 2000 and has over 15 years of experience in the network security industry; he now mainly focuses on innovative research on software vulnerabilities and exploitation for Microsoft and Apple systems.

Sources:

http://www.syscan360.org/speakers.html

http://theiphonewiki.com/wiki/Bypassing_iPhone_Code_Signatures
