C3Subtitles: 36c3: Tales of old: untethering iOS 11
back

Tales of old: untethering iOS 11

Spoiler: Apple is bad at patching

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:39:14
Language
English
Abstract
This talk is about running unsigned code at boot on iOS 11. I will demonstrate how you can start out with a daemon config file and end up with kernel code execution.

This talk is about achieving unsigned code execution at boot on iOS 11 and using that to jailbreak the device, commonly known as "untethering". This used to be the norm for jailbreaks until iOS 9.1 (Pangu FuXi Qin - October 2015), but hasn't been publicly done since. I will unveil a yet unfixed vulnerability in the config file parser of a daemon process, and couple that with a kernel 1day for full system pwnage. I will run you through how either bug can be exploited, what challenges we faced along the way, and about the feasibility of building a kernel exploit entirely in ROP in this day and age, on one of the most secure platforms there are.

Talk ID
11034
Event:
36c3
Day
1
Room
Eliza
Start
12:50 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
littlelailo

Talk & Speaker speed statistics

Very rough underestimation:
166.5 wpm
903.6 spm
171.4 wpm
927.1 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%

Talk & Speaker speed statistics with word clouds

Whole talk:
166.5 wpm
903.6 spm
littlelailo:
171.4 wpm
927.1 spm