iOS Jailbreaking: _simo36 releases PoC of vulnerability allowing for arbitrary code execution on iOS 14.1 & CoolStar advises users to stay on this version & save blobs!
While iOS jailbreaking had a good run in the iOS 13 days thanks to checkra1n, iOS 14 managed to be a tough cookie and with more A12+ devices available, kernel exploits are becoming more relevant again. In this article, we’re going to be looking at simo releasing a PoC for a kernel vulnerability that’s present on iOS 14.1 together with CoolStar’s recommendations on the matter!
simo releases PoC demonstrating iOS 14.1 kernel vulnerability
When it comes to app-based jailbreaks such as unc0ver and Odyssey, new kernel exploits are essential for jailbreaking newer iOS releases. Unlike hardware exploits such as checkm8 (supports A11 & older), kernel exploits can be patched through an iOS update, which eliminates previously-used methods of obtaining arbitrary code execution with kernel privileges, the key ingredient in jailbreak development.
Now, simo (@_simo36 on Twitter) has released a PoC for CVE-2020-27905 (fixed in iOS 14.2, released 2 days ago), a vulnerability in the IOAcceleratorFamily component of iOS that, according to Apple, allows for arbitrary code execution with system privileges. It is important to note that simo has released a PoC, not a fully-fledged exploit: the code in its current form does not grant tfp0 and/or kernel R/W. simo has said that he might release an exploit later on, although someone else in the community might use the PoC to write an exploit themselves and expedite the creation of an app-based iOS 14.1 jailbreak supporting all devices!
CoolStar advises users to stay on iOS 14.1 & save blobs
Staying on the topic of jailbreaking iOS 14.1, CoolStar advised on Discord that:
- Users on iOS 14 should not update past iOS 14.1
- This means that if you’re on iOS 14.2, you should downgrade while you still have the chance (this is only possible while Apple is still signing iOS 14.1). This can be done by restoring your device to iOS 14.1 using its IPSW file (hold Shift and click Restore in iTunes to choose the IPSW file). Alternatively, hold Shift while clicking Update in iTunes to choose the IPSW, which performs the downgrade without wiping your device
- Those on iOS 13 or earlier should save iOS 14.1 blobs, which can be done through the free SHSH blob saving services linked below
- Saving blobs requires your device’s ECID on every device; A12+ devices additionally need extra steps that require a jailbreak
This advice further cements the importance of simo’s disclosure of the kernel vulnerability, which may lead to a jailbreak for all iPhone, iPad and iPod Touch devices running iOS 14.1 (and probably iOS 14.0), including the A12, A13 and A14 devices that are not vulnerable to the checkm8 exploit!
As usual, the advice not to update if you’re on a jailbroken version of iOS stands: only time will tell when an iOS 14.1 jailbreak will drop, and it may be days, weeks or even months away. To follow the latest updates from various parts of the community, it is recommended to follow the r/jailbreak subreddit, which is linked below together with two free SHSH blob saving services.
r/jailbreak subreddit (further updates): https://www.reddit.com/r/jailbreak/
shsh.host blob saving service: https://shsh.host/
1Conan’s blob saving service: https://tsssaver.1conan.com/