The Chinese Pangu team turned the jailbreak world upside down by releasing the Pangu untethered jailbreak for iOS 7.1.x last month, which supports all iOS 7 compatible devices. This is great news for the whole community, as there is finally real competition among hackers, which means it could become easier and quicker for different teams to launch future jailbreak utilities.
Even once the Pangu guys had gathered all the vulnerabilities needed for an untethered jailbreak, it still took them about two months to finish developing the tool. Since it was the first time they had developed an untethered jailbreak program, they faced various problems. The team now thanks all the people who helped them complete the utility and release it to the public before other hackers managed to take this step with iOS 7.1, 7.1.1 and 7.1.2.
This article mostly covers the vulnerabilities found by the Chinese hackers and used in the Pangu jailbreak to untether the iPhone, iPod touch and iPad. They gave all the details of their code signing bypass, kernel information leak and kernel memory overwrite vulnerabilities, and then demonstrated how these bugs are exploited so that the Pangu jailbreak can jailbreak iOS devices.
Pangu Team spoke on “How Pangu Jailbreak Untethered on Your iOS Devices” during the 2014 SyScan360 hacking conference. This event is well known among the Internet security conferences in Asia and has been held more than 20 times since 2004. The goal of SyScan is not to promote any single brand or product, but to provide a forum through which the world’s top hacking and cyber-security specialists can meet, talk, discuss and exchange views and ideas.
Pangu Jailbreak is a free iOS jailbreaking tool developed by the Chinese team who call themselves PanGu. This first and only iOS 7.1.x jailbreak (as of July 2014) can jailbreak many iOS devices, even on the latest iOS 7.1.2 version. Pangu is a desktop application for Windows and Mac that enables users to jailbreak an iOS device (connected to the computer with a standard USB charging cable) by clicking a series of buttons and following an easy-to-repeat set of instructions.
iOS Code Signing
- Command line
- Access control
- Kernel encryption
- Decrypted by hardware at run time
- System version restrictions
- Control over the files on your own device
- Full file system access
- Execute arbitrary code
- Application extensions
- Breaking system restrictions
- Application (user-space) layer: ASLR / NX / Stack Cookie / AMFI / Sandbox / Entitlement / Code Signing
- Kernel layer: KASLR / NX / Stack Cookie / User Space Isolation / Heap Randomization / Free List Protection
- Almost no way to debug the kernel
- Low fragmentation of system images
Several Jailbreak Types
- Saffron (JailBreakMe 3.0) for iOS 4.3.3 (2011.7)
- Absinthe 2.0 for iOS 5.1.1 (2012.5)
- Evasi0n for iOS 6.0-6.1.2 (2013.2)
- Evasi0n7 for iOS 7.0.x (2013.12)
- Pangu for iOS 7.1.x (2014.6)
Pangu jailbreak history
iOS Jailbreak process
- Code injection out of the sandbox
- Get root privileges
- Kernel Overflow
- Remount rootfs Writable
- Release Untether
Pangu Jailbreak process
- Manually restart the phone
- Bypassing code signing
- Kernel Overflow
- Remount rootfs Writable
- Continue to boot the system
Application layer attack surface
- Built-in applications
- MobileSafari / Mail / Messages
- Connected to a computer
- Backup / File Relay / Sync / DDI /
- Mach traps
- MIG subsystem
Code Signing bypass
Since the developer betas of the iPhone firmware, Apple has required all code on the device to be signed. This is done to thwart the installation of unauthorized applications on the iPhone. To get around this (and thereby install the hacker’s own code on the device), hackers patched signature verification out of the kernel. However, the other half of the code signing problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching these checks out is difficult (especially to keep track of as Apple makes changes) and of marginal benefit, as adding these hashes is easy.
- Kernel layer - AMFI
- Application layer - dyld
- Fit all devices - fixed-address offsets are not suitable
- Smart search - dump the kernel at run time, then search it
- Simple command interpreter
- Feature search driven by the instructions executed
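As an added illustration, not code from the Pangu talk or from Apple's kernel: a simplified Python model of the per-page SHA1 hashes mentioned above, showing why removing the kernel's signature check alone is not enough, since a modified page still fails its hash when it is faulted in. The page size, digest algorithm and function names are assumptions for this sketch; it does not parse a real Mach-O CodeDirectory.

```python
import hashlib

# Assumed for this model: iOS code signing hashes the executable in 4 KiB pages
# (CodeDirectory pageSize = 2^12) with SHA-1 digests in the iOS 7 era.
PAGE_SIZE = 4096


def page_hashes(code: bytes, page_size: int = PAGE_SIZE) -> list:
    """Build the per-page hash array a signing tool stores in the
    CodeDirectory: one SHA-1 digest per page; the last page may be short."""
    return [hashlib.sha1(code[off:off + page_size]).digest()
            for off in range(0, len(code), page_size)]


def verify_page(code: bytes, page_index: int, expected: list,
                page_size: int = PAGE_SIZE) -> bool:
    """Check a single page on demand, the way the kernel validates a page
    when it is faulted in. A page outside the signed range fails."""
    if page_index >= len(expected):
        return False
    start = page_index * page_size
    digest = hashlib.sha1(code[start:start + page_size]).digest()
    return digest == expected[page_index]


def find_tampered_pages(code: bytes, expected: list,
                        page_size: int = PAGE_SIZE) -> list:
    """Return the indices of every page whose contents no longer match the
    signed digest; pages missing from a truncated binary count as tampered."""
    page_count = (len(code) + page_size - 1) // page_size
    pages = max(page_count, len(expected))
    return [i for i in range(pages)
            if not verify_page(code, i, expected, page_size)]


if __name__ == "__main__":
    # Constructed sample "binary": 10240 bytes, i.e. three signed pages.
    sample = bytes(range(256)) * 40
    signed = page_hashes(sample)
    patched = bytearray(sample)
    patched[PAGE_SIZE + 7] ^= 0x01          # flip one bit in page 1
    print("clean binary:", find_tampered_pages(sample, signed))
    print("patched binary:", find_tampered_pages(bytes(patched), signed))
```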
Short Biography of Pangu Team Speakers
windknown is currently working on security research and app development for OSX/iOS, and also has years of experience in Windows security. His major research fields cover the security of OSX/iOS/Windows, vulnerabilities, rootkits, virtualization technology, etc. He has presented his research at different international security conferences, including XCON, POC, SyScan and SyScan360.
dm557 is a security researcher who focuses on advanced vulnerability exploitation research. He has worked in the network security field since 2000, has over 15 years of experience in the network security industry, and now mainly focuses on innovative research on software vulnerabilities and exploitation for Microsoft and Apple systems.