Presentation Material

Abstract

iOS jailbreaks have always been shrouded in mystery, with their inner workings known only to a select few. In this talk, I embark upon a journey with the audience to lift the curtain and put together a semi-untethered iOS jailbreak from the ground up. Starting from a memory corruption vulnerability, this talk covers defeating Kernel Address Space Layout Randomisation, escaping the iOS sandbox, remounting the root filesystem and defeating code signing and library validation to inject code into other processes. Also, for the first time ever, this talk details how all of this can be done on the latest Apple devices without having to bypass ARMv8.3’s Pointer Authentication.