On May 30, security researcher Ian Beer, well-known in the industry for uncovering bugs in Apple software, announced the discovery of two new exploits in iOS — specifically 11.3.1, which until recently was the most up-to-date build. Shortly afterwards, the jailbreaking community went bonkers, the promise of an updated jailbreak for Apple gadgets, both new and old, seemingly around the corner. But here we are, well into June, with no public jailbreak in sight. So, what's going on?
Until the release of iOS 10, you could often depend on a jailbreak being released in short order. However, that changed with the big ten, when it became clear that Apple was getting very serious about closing exploits in its mobile platform as quickly as they were found.
It took longer than usual for a workable exploit to be uncovered and when iOS 10 did fall, the damage had been done. Many popular tweak repositories had already shut their doors, with even Jay Freeman of Cydia fame apparently throwing in the towel.
Basically, while you could jailbreak, your options to do anything with it were much reduced. And it wasn't like iOS hadn't changed over the years, with many of the improvements users sought via jailbreaking slowly incorporated into the platform itself.
So, up until a few weeks ago, it was looking more and more like jailbreaking was done. Apple had won, with those adamant about keeping their devices "free" stranded on outdated iOS versions and ageing hardware.
But all this changed on May 30.
A Tale of Two Exploits
If a viable jailbreak was to be released for 11.3.1, it could be the kick in the pants the community needs to get back on track. The only thing standing in the way is finding an exploit to use in order to create said jailbreak.
Beer, whose Twitter account had been silent since mid-December, came out of hibernation at the end of last month to post this tidbit about vulnerabilities in iOS 11.3.1:
If you're interested in bootstrapping iOS kernel security research keep a research-only device on iOS 11.3.1 for more tfp0. Release probably next week. Oh, and the 11.1.2 KDP-compatible kernel debugger really is coming soon!
— Ian Beer (@i41nbeer) May 29, 2018
"CoolStar", best known as the programmer behind the Electra jailbreaks for iOS 11.0-11.1, mentioned on the same day that Electra "might be updated to support 11.3.1 soon" and recommended interested users "save 11.3.1 blobs".
By "blobs", CoolStar is referring to the signing data Apple issues to authorise an iOS installation. Blobs are unique to each device and iOS version and can only be acquired while Apple is still "signing" that version. You cannot upgrade or downgrade an iOS device to a version you do not have the blobs for.
Beer followed up on his original tweet on June 6 by revealing not one, but two exploits:
iOS 11.4 patched kernel memory corruption bugs I reported in two distinct areas: mptcp and vfs. My exploit for the mptcp bug is here: https://t.co/Vj4AX1rNd5 Please read the README. It requires an Apple developer cert.
— Ian Beer (@i41nbeer) June 5, 2018
The first, which takes advantage of a heap overflow in iOS' multi-path TCP code, was quickly determined to be the easier one to leverage for a jailbreak. The problem? It requires a developer account, which costs US$99. Not horrible, but obviously not ideal for a public jailbreak.
The second bug, the one Beer describes as "considerably harder to exploit", involves a sloppy buffer size check in iOS' Virtual File System, or VFS. The good news is, this doesn't need a developer account. The bad news is, well, someone has to figure out how it can be used to create a jailbreak.
And that takes time.
Right now, none of the approaches attempted so far are stable or reliable enough to be used for a widespread jailbreak, but it's only a matter of time before something sticks.
For now, here's what you need to know about the jailbreak situation as it stands.
iOS 11.3.1 Jailbreak FAQ
Is the jailbreak out yet?
Short answer? No. As of June 15, there is nothing out that could be considered a proper, usable jailbreak.
The somewhat longer answer is: yes, if you're a developer (or have an Apple dev account) or don't mind running what is still just proof-of-concept. For example, developer GeoSn0w has one that uses the VFS exploit, but you can't really do anything productive with it — well, anything you'd expect from a fully-fledged jailbreak.
There are also several other 11.3.1 jailbreaks, all in various states of usability, but you'd be out of your mind to use them on your everyday device. So don't do that.
Will I be able to jailbreak [insert device here]?
At the moment, it looks like any iPhone or iPad running iOS 11.3.1 or lower — including everything from the iPhone X, down to the iPhone 5s — will be compatible with the jailbreak.
I updated my device to iOS 11.4. Will I be able to jailbreak?
While a jailbreak for 11.4 could be on the cards, it won't use either exploit from Ian Beer, both patched in 11.4. These exploits are the ones getting the most attention, so until they're worked from every angle and result in a usable jailbreak (or not), it's unlikely anyone will be looking at 11.4.
I updated my device to iOS 11.4. Can I go back to 11.3.1?
If you saved your blobs while Apple was still signing 11.3.1, then yes, you can... but it's ugly, especially if you have a newer device. It looks like downgrading will break Face ID, if you can get back to 11.3.1 at all.
Otherwise, you're out of luck, at least for now.
What type of jailbreak will it be?
Unless something magical happens, it will be what's called a "semi-untethered" or "semi-tethered" jailbreak.
In the case of the former, if you reboot your phone, you'll have to run an app to re-jailbreak it. Semi-tethered is the same, except you'll need to plug your phone into a PC (and run a program) for it to work.
How can I be notified when the jailbreak is out?
CoolStar will almost certainly be the first to release something, so best to follow his Twitter and keep an eye out for Electra mentions.
Alternatively, /r/jailbreak is an option, if you're willing to sift through all the crap.