How does a Jailbreak Work?
A jailbreak gives you control over the root and media partitions of your device, which is where all the iOS files are stored. To do this, /private/etc/fstab must be patched.
fstab is like a switch that controls permissions for the root and media partitions. By default, this is set to ‘read-only’ mode, which lets you view the files but not change them. To be able to make modifications, we have to set the fstab entry to ‘read-write’ mode. Think of it as the switch room of your iDevice, controlling the permissions of the root and media partitions.
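As an added example (not code from the original post), here is a small parser for the fstab format the post refers to, plus a check that flags a root partition mounted read-write, which is the state a jailbreak leaves it in and one indicator an app can use. The sample fstab contents below are constructed, and the field layout assumed is the classic device/mountpoint/type/options form.

```python
# Added example: parse fstab entries and report the mount mode of the root
# partition. On a stock iDevice "/" is mounted "ro"; a jailbreak sets it "rw".
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse lines of the form: device mountpoint type options [dump pass]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        device, mountpoint, fstype, opts = fields[:4]
        entries.append(FstabEntry(device, mountpoint, fstype, frozenset(opts.split(","))))
    return entries


def partition_modes(entries: List[FstabEntry]) -> Dict[str, str]:
    """Map each mountpoint to 'rw' if the rw option is present, else 'ro'."""
    return {e.mountpoint: ("rw" if "rw" in e.options else "ro") for e in entries}


def root_rw_indicator(text: str) -> Optional[str]:
    """Return a finding if '/' is missing or not read-only; None when it looks stock."""
    modes = partition_modes(parse_fstab(text))
    mode = modes.get("/")
    if mode is None:
        return "/: no fstab entry"
    if mode != "ro":
        return f"/: mounted {mode} (expected ro)"
    return None


# Constructed sample contents, not copied from any real device.
STOCK_FSTAB = "/dev/disk0s1s1 / hfs ro 0 1\n/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2\n"
PATCHED_FSTAB = "/dev/disk0s1s1 / hfs rw 0 1\n/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2\n"

if __name__ == "__main__":
    print(root_rw_indicator(STOCK_FSTAB))    # None
    print(root_rw_indicator(PATCHED_FSTAB))  # /: mounted rw (expected ro)
```

Whether a sandboxed app can read the file at all on a given iOS version is a separate question; treat this as one signal among several, not a proof.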
While this might sound easy, the biggest problem is getting all the files you need through the various checkpoints. The checkpoints are Apple’s way of telling whether a file is legitimate or comes from a third party. Every file is signed with a key, and without it, the file is set aside and is unusable.
So where do we get the key? Well, it’s not as easy as it sounds. We’ll have to act like Sherlock and solve the mystery of the hidden keys. In simple words, we can get through the door if we either unscrew the lock (patch all checkpoints) or find a back-door entry (bypass). Patching is a difficult task and mostly not worth the effort, so most people who jailbreak will try to find a back door, that is, a bypass.
Before we understand how these checkpoints can be bypassed, we must enlighten ourselves with some more information.
Essential Things to Understand Jailbreak Further
The Boot Process
Every time an Apple device boots up, it goes through something called a “chain of trust.” This is a series of checks that ensures everything that runs is something Apple approves of. Usually, the order is as follows:
- Runs Bootrom: Also called “SecureROM” by Apple, it is the first significant code that runs on an iDevice.
- Runs Bootloader: Generally, it is responsible for loading the main firmware.
- Loads Kernel: The bridge between iOS and the actual data processing done at the hardware level.
- Loads iOS: The final step to the chain, iOS starts and we get our nice “Slide to Unlock” view.
Now that you know how your device boots, let’s go a step further.
Every movie has to have a villain. The bad guy is what makes everything challenging. In this case, the signature checks are the bad guys. While the kernel is loading, thousands of tests are being done to make sure everything being loaded is Apple approved.
To be more specific, there are many checks throughout the boot process which look for one thing: a signature, or a key. If the key is correct we get a green light; if it is wrong, then depending on where the check was and what file it was, the iDevice will either crash (causing a boot loop) or simply ignore the file and not execute it at all.
The Objective of a Jailbreak
As a jailbreaker, your objective is to either patch the checks or bypass them. As mentioned before, the conventional and less cumbersome approach is to bypass. This brings us to two broad categories of exploits:
- bootrom exploit: An exploit performed during the bootrom stage. It can’t be patched by a conventional firmware update and must be fixed with new hardware. Since it runs before almost any checkpoint, the injected code runs before everything else, allowing a passageway to be created that bypasses all the checks or simply disables them.
- userland exploit: An exploit performed during or after the kernel has loaded; it can easily be patched by Apple with a software update. Since it runs after all the checks, it injects code directly through openings back into the kernel. These openings are not easy to find, and once found they can be patched.
To Sum It Up
It is not easy to jailbreak a device. It requires a lot of skill, experience and a hell of a lot of patience. I hope this post helps establish that point. I hope that next time you think about jailbreaking your device, you understand the whole process and are also aware of the security issues that come along with it.
Apps installed on jailbroken devices have their critical information more exposed. Ensure your app is secure even if it sits on a jailbroken device.
If you have any questions, please feel free to write them in the comments below.
Credits: Synchronizing on Reddit