If you’re curious to know what’s causing the delay in the release of the much anticipated Electra iOS 11.3.1 jailbreak, then we have got some answers.
reddit user Samg_is_a_Ninja explains the reason why the iOS 11.3.1 jailbreak hasn’t been released yet.
Ian Beer, the security researcher at Google’s Project Zero, had released two exploits: multi_path (which he calls “mp”) and empty_list (which he calls “el”). The reddit user explains that the first “mp” exploit has a greater success rate, but requires an Apple Developer account, which costs $99 per month year as it requires a developer certificate. The second “el” exploit doesn’t require a developer certificate, but has a low success rate. pwn20wnd has made some improvements, but the success rate is still 1/3, which is still quite low.
The reddit user goes on to explain that developing the iOS 11.3.1 jailbreak hasn’t been as easy as Apple has added new security features which uses “an APFS snapshot over a typical root partition.”
Everyone assumed that it would be fairly easy to recycle the old code from Electra 11.1.X and simply swap out the kernel exploits, replace the
async_wake
exploit with mp or el. However, after running the new kernel exploits, it was discovered that Apple has added a new security feature: using an APFS snapshot over a typical root partition.
We have previously reported that the delay has been because the initial remount code is not very stable. The reddit user goes on to explain the remount problem, and the reason why Electra iOS 11.3.1 jailbreak hasn’t been released so far.
One of the main features of a jailbreak is being able to access the entire filesystem of the device. Think of your device’s filesystem as two toy boxes. One of the boxes is labeled “disk0s1s1” and the other is labeled “disk0s1s2”. disk0s1s2 is the bigger box that contains everything under /var, and is divided into sections, one for each app you have installed (the sandbox), plus some extra space for photos, iBooks, etc. disk0s1s1 is the smaller box, and it contains everything under all the other folders (/Applications, /System, /Library, etc) system apps and files needed by the system. Stock iOS has disk0s1s2 mounted as read-write, and lets each app write only to it’s own sandbox, and all other parts of disk0s1s2 are only writable by the system. disk0s1s1 is only writable during software updates/restores.
On 11.2.6 and older, once you have
task_for_pid(0)
(which is given by mp and el), it’s relatively easy to mount both disk0s1s1 and disk0s1s2 as read-write. However, on 11.3, Apple introduced a new feature: when you set up your device, the system takes a picture of all the objects inside the disk0s1s1 box. From there on, every time you boot your device, the system looks at the picture, and then looks inside the box, and basically plays a game of spot the difference, meticulously going through the entire disk0s1s1, and if it notices any of the objects in that box have been moved or changed, it moves them back. Any new objects are thrown out, and any missing objects are magically replaced. This is a problem, because that means, for example, /Applications/Cydia.app/ would get removed after every reboot.
The good news is that the security feature introduced by Apple is new so it seems to be “littered with exploits”. Initially, Johnathan Levin aka @Morpheus______ was planning to work on writing an exploit that would make the vulnerability that allows initial remount of / discovered by @SparkZheng even better, but he seems to have lowered the priority of finishing the exploit as he got spammed on Twitter.
The reddit user also points out that the WebKit version of el has been released, which has the potential of jailbreaking iOS 11.3.1 using Safari instead of a sideloaded app.
The other exciting news is that security nerd Tim Michaud has discovered a vulnerability in the launch daemon, which could even result in an untethered iOS 11.3.1 jailbreak. It is similar to the vulnerability used in the evasi0n jailbreak, which was an untethered jailbreak.
Jailbreakers need to be patient as we’re talking about jailbreaking the most secure operating system in the world. It is important that the jailbreak is reliable and is thoroughly tested as there is a risk of bricking the iOS device.
We will let you know as soon as there is an update about the iOS 11.3.1 jailbreak, so don’t forget to signup for our Daily Newsletter so you don’t miss the latest jailbreak news. Check out our iOS 11 – iOS 11.3.1 jailbreak FAQ if you’ve any questions.
[via reddit]