Known as @planetbeing on Twitter, Wang agrees to talk openly about his team’s hack

Feb 6, 2013 12:58 GMT

David Wang, a member of the evad3rs team who recently rolled out evasi0n, agreed to be interviewed this week to share some intriguing details about their work, and how they managed to circumvent Apple’s security measures.

Forbes says evasi0n is the most elaborate jailbreak ever released for iOS devices.

The business magazine is no expert in hacks, but it managed to get hold of David Wang (@planetbeing), who shared the entire method he and his fellow hackers used to jailbreak the latest software from Apple.

Wang says the jailbreak tool “alters the socket that allows programs to communicate with a program called Launch Daemon, abbreviated launchd, a master process that loads first whenever an iOS device boots up and can launch applications that require ‘root’ privileges, a step beyond the control of the OS than users are granted by default.”

He boils these definitions down to a simpler explanation, saying, “That means that whenever an iPhone or iPad’s mobile backup runs, it automatically grants all programs access to the time zone file and, thanks to the symbolic link trick, access to launchd.”

Wang carefully describes every important detail of the jailbreak process, from coming up with the first exploit in the iOS backup system to evading (pun intended) kernel code signing.

Forbes cites Wang as saying, “Once it’s beaten ASLR, the jailbreak uses one final bug in iOS’s USB interface that passes an address in the kernel’s memory to a program and ‘naively expects the user to pass it back unmolested’.”

“That allows evasi0n to write to any part of the kernel it wants. The first place it writes is to the part of the kernel that restricts changes to its code–the hacker equivalent of wishing for more wishes. ‘Once you get into the kernel, no security matters any more,’ says Wang. ‘Then we win.’”

Check out Forbes for the full scoop.