iOS 6 Jailbreak: Planetbeing Reveals Intricacies of Evasi0n Tool in Forbes Interview

The highly anticipated release of the evasi0n untethered jailbreak for iOS 6.x has dominated the news for the past two days, and jailbreakers and journalists alike are eager to dig into how the tool actually works.

In a recent interview with Forbes, planetbeing gave an in-depth account of how the new iOS 6 jailbreak works. As iDownloadBlog notes, David Wang (aka planetbeing) explains that evasi0n chains at least five separate bugs in iOS 6's code, one more exploit than the infamous Stuxnet malware (widely attributed to the US and Israel) used against Iran's nuclear centrifuges.

According to figures Jay Freeman (saurik) gave Forbes, the first iOS 6 jailbreak was downloaded more than 800,000 times in its first six hours. Even that is a conservative estimate, because the count was disrupted by the flood of traffic that knocked the Cydia servers offline several times on release day. The report adds that the total had climbed to 1.7 million downloads by Tuesday.

Excerpts of the Forbes Interview with Planetbeing

Explaining to Forbes' Andy Greenberg how the evasi0n jailbreak works, planetbeing had this to say:

"Evasi0n begins by running libimobiledevice, a program that substitutes for iTunes to communicate with iOS devices via the same protocol as Apple's program. Using that tool, Evasi0n exploits a bug in iOS's mobile backup system to gain access to certain settings that it normally shouldn't be able to access, namely a file that indicates the device's time zone."

In other words, a bug in the mobile backup system first gives the tool write access to a file holding the device's time zone setting. Evasi0n then replaces that file with a symbolic link pointing at the socket used to communicate with launchd, the master process. From then on, whenever the backup service adjusts the permissions of the "time zone file", it is really changing the permissions of the launchd socket.

Providing more insight into how iOS's core processes fit into the chain, planetbeing continued:

"Evasi0n alters the socket that allows programs to communicate with a program called Launch Daemon, abbreviated launchd, a master process that loads first whenever an iOS device boots up and can launch applications that require "root" privileges, a step beyond the control of the OS that users are granted by default. That means that whenever an iPhone or iPad's mobile backup runs, it automatically grants all programs access to the time zone file and, thanks to the symbolic link trick, access to launchd."

Next, to get around Apple's code-signing restrictions, evasi0n uses a Unix trick known as a "shebang": a script whose first line (#!) names an already-signed program as its interpreter, so that the unsigned script is executed by way of that signed application. A remount command is then sent to launchd over the socket access gained in the previous step.

With launchd executing that command as root, the normally read-only root file system is remounted so that it becomes writable. Evasi0n then installs a modified launchd.conf file that re-runs the exploit code every time the device boots. That is what makes the jailbreak persistent, or "untethered": the device does not have to be connected to a computer over USB to be re-jailbroken after each restart.
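The symbolic-link step described above, as an added example that is not part of the Forbes interview or of evasi0n's own code: a constructed Python demonstration of why a privileged service that adjusts permissions on a path it does not fully control is dangerous. A 0600 file stands in for the launchd socket, a symlink at an attacker-controlled path stands in for the time zone file, and a naive chmod (the behaviour the interview attributes to mobile backup) ends up loosening the protected file. A hardened variant opens the path with O_NOFOLLOW and changes the mode through the descriptor it actually opened, so the link is refused. The file names and the 0600/0666 modes are assumptions chosen for illustration.

```python
"""Why "just chmod the path" is dangerous when the path can be a symlink.

Constructed example (not evasi0n's code): a protected file stands in for the
launchd socket and an attacker-controlled path stands in for the time zone
file that the backup service later "fixes up". The naive helper follows the
link; the hardened helper refuses it.
"""
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Permission bits of the real file at path (symlinks followed)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_scenario():
    """Lay out a temp dir: a 0600 'protected' file and a symlink pointing at it."""
    workdir = tempfile.mkdtemp(prefix="symlink-demo-")
    protected = os.path.join(workdir, "protected_socket")  # stand-in for the launchd socket
    with open(protected, "w"):
        pass
    os.chmod(protected, 0o600)
    attacker_path = os.path.join(workdir, "timezone")  # stand-in for the time zone file
    os.symlink(protected, attacker_path)                # the evasi0n-style swap
    return workdir, protected, attacker_path


def naive_make_readable(path):
    """What a privileged service does if it trusts the path: chmod follows symlinks."""
    os.chmod(path, 0o666)


def hardened_make_readable(path):
    """Open without following symlinks, then change the mode of what was opened.

    O_NOFOLLOW makes open() fail (ELOOP on Linux, EMLINK/ELOOP on macOS) when
    the last path component is a symlink, so the permission change can only
    land on the file the caller actually named.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, 0o666)
    finally:
        os.close(fd)


def run_demo():
    """Return the observed modes before and after each helper; cleans up the temp dir."""
    workdir, protected, attacker_path = build_scenario()
    try:
        result = {"before": mode_of(protected)}

        naive_make_readable(attacker_path)
        result["after_naive"] = mode_of(protected)      # 0o666: the link was followed

        os.chmod(protected, 0o600)                       # reset for the second run
        try:
            hardened_make_readable(attacker_path)
            result["hardened"] = "changed"
        except OSError:
            result["hardened"] = "refused"
        result["after_hardened"] = mode_of(protected)   # still 0o600
        return result
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

Note that O_NOFOLLOW only guards the last path component; a symlink in a parent directory is still followed, so a real privileged service should also refuse to operate inside directories writable by the untrusted user, or walk the path one component at a time with openat() and O_NOFOLLOW.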

For further information, check out the Forbes source link given below.

[Source: Forbes]