iOS Jailbreak News (And Confusion Clearing): tfp0 exploit for iOS 11.4-12.1.2 released, unc0ver/Electra jailbreaks updated for iOS 11.4.1 and a n0ncesetter released for iOS 12!
The last 2 days have been pretty crazy in the iOS jailbreak scene as there were a lot of releases, information being published and some confusion to go along with it. Among these, we find a tfp0 exploit released for iOS 11.4-12.1.2, two jailbreaks for iOS 11.4.1 and a n0ncesetter for iOS 12!
tfp0 exploit released for iOS 11.4-12.1.2
The iOS 12 jailbreak saga all started when Brandon Azad, a Google Project Zero member, released his voucher_swap exploit that grants the user tfp0 on iOS 11/12.
Getting tfp0 (task_for_pid(0), i.e. a send right to the kernel's own task port) gives arbitrary read and write access to kernel memory, which in practice is equivalent to running code with kernel privileges, the highest privilege level on the device. As of right now, the exploit only works on devices with a 16K page size (Apple A9 and newer), but Pwn20wnd is working on getting it to function on older Apple A7/A8 devices, which use a 4K page size.
With this exploit, work on an iOS 12 jailbreak can begin, although various other pieces still need to be figured out, such as a CoreTrust bypass, before such a jailbreak can be released. However, users on iOS 11 have already started benefiting from this exploit: unc0ver and Electra (the two main iOS 11 jailbreaks) have been updated to use it, which brings a better success rate AND iOS 11.4/11.4.1 support!
Note about tihmstar’s exploits: Shortly before Brandon Azad released his exploit, tihmstar released treadm1ll, a tfp0 exploit for iOS 11.4/11.4.1. It was released without its cleanup code and, as a result, it doesn’t work in its current state. Then, earlier today, tihmstar released an exploit called v1ntex, which is based on the same bug as voucher_swap (CVE-2019-6225), but apparently this one does not work out of the box either. However, it has support for 4K devices, so perhaps Apple A7/A8 devices will have tfp0 on iOS 12 soon!
unc0ver and Electra updated with iOS 11.4 / 11.4.1 support
Other than a tfp0 exploit being released, these last 2 days also brought us updates to unc0ver and Electra. These updates bring two things: a better success rate and support for iOS 11.4 and 11.4.1. As a result, people who stayed on these versions can finally jailbreak their devices and get tweak compatibility similar to that of iOS 11.3.1, since iOS 11.4 is a fairly minor update.
Due to the exploit compatibility issues mentioned above, these updated versions of unc0ver and Electra can only jailbreak iOS 11.4/11.4.1 on Apple A9 or newer devices, since the exploit being used (voucher_swap) isn’t compatible with older devices yet. As of writing this article, unc0ver is at version 3.0.0~b7, but you should probably stick with version 2.2.3 if you don’t need iOS 11.4/11.4.1 compatibility. On the other hand, Electra is at version 1.2.3, but users are reporting that it isn’t working on Apple A7/A8 devices on any version of iOS, so you should stick with version 1.1.0 if you’re using one of those older devices.
UPDATE: Electra has been updated to version 1.2.7 and this fixes issues encountered on A7/A8 devices so now, you can jailbreak your iPhone 5S/6 on iOS 11.4/11.4.1 successfully 🙂
n0ncesetter released for iOS 12
Last but not least, umanghere released an updated version of Pwn20wnd’s noncreboot1131UI that works on iOS 12. This n0ncesetter, which is named NonceReboot12XX, uses the aforementioned voucher_swap exploit and currently works on iOS 12.0-12.1.2. However, it only works on Apple A9-A11 devices and has only been tested on the iPhone 7, iPhone 8 and iPad 2017.
Through this software, you can downgrade to other, currently unsigned versions of iOS 12, provided you have SHSH2 blobs for them: a saved blob is only valid for the APNonce it was requested with, so the n0ncesetter sets the boot nonce generator that produces that APNonce, allowing the blob to be used for the restore. Downgrading to iOS 11 is not possible, since the currently signed SEP firmware (i.e. that of iOS 12.1.1-12.1.3) isn’t compatible with iOS 11.3-11.4.1 on Apple A9+ devices, although it is compatible with iOS 11 on Apple A7/A8 devices. For more information about downgrading and SEP compatibility, it’s recommended to check this thread on Reddit, which explains the situation in detail.
To grab this n0ncesetter, check out this link to download its IPA file. This IPA file (and any other IPA files you download from links in this article) should be installed on your device through Cydia Impactor.
Right now, confusion is rife in the iOS jailbreak scene, so you should hold off on updating jailbroken devices for now, especially if they have an Apple A7/A8 SoC.
Shortly before this article got published, pwn20wnd tweeted that he’s almost finished fixing voucher_swap to work with Apple A7/A8 (4K) devices, so you might soon be able to downgrade those to iOS 11 (or iOS 10 for some A7 devices)!
I won’t use anything he or someone else may release. I am almost done fixing voucher_swap for 4K devices. So I will use that once it’s done.
— Pwn20wnd (@Pwn20wnd) January 31, 2019