Explore the intricacies of creating an untethered jailbreak for iOS 9.0-9.3.x in this 42-minute Black Hat conference talk. Delve into the internal structure of modern jailbreaks, covering low-level details such as achieving persistence, developing a universal patchfinder, and bypassing kernel patch protection. Learn about iOS security, jailbreak types, attack vectors, privilege escalation, and kernel patching strategies. Discover techniques for bypassing KASLR, DEP, and KPP, as well as methods for achieving persistence. Gain insights into iOS 10 security enhancements and discuss the future of jailbreaking. Presented by Max Bazaliy, Vlad Putin, and Alex Hude, this comprehensive talk provides a deep dive into the world of iOS jailbreaking for security professionals and enthusiasts alike.
Overview
Syllabus
Intro
iOS Security Overview
What is jailbreak?
Jailbreak types
Initial attack vector strategies
Making jailbreak if you have bugs
Making jailbreak if you don't have bugs
Arbitrary code execution strategies
Escalating privileges strategies
Bypassing KASLR strategies
Bypassing DEP strategies
Seeking for patches in kernel
Kernel patches in detail
Escalate privileges patch detailed
Kernel task patch detailed
Apple Mobile File Integrity (AMFI)
AMFI policy patch detailed
Sandbox patch detailed
Sandbox policies
_mapForlo lock patch detailed
Bypassing KPP strategies
How KPP works?
Original translation table
Create fake Level 3 table
BBQit Framework
Achieving persistence strategies
Achieving persistence example
Achieving persistence details
Cydia
iOS 10 security enhancements
KPP hardware mitigations
Future of jailbreaks
Black Hat Sound Bytes
Taught by
Black Hat
