Exploiting iOS 6’s KASLR for Jailbreaking

Ever since the government ruled that users are allowed to jailbreak their iPhones, Apple has made anti-jailbreaking one of its top priorities for the iPhone. This could not be more evident than in iOS 6, which adds an extra layer of security on top of the ASLR found in previous iOS versions.

This new security feature debuted alongside iOS 6 and goes by the name KASLR, which stands for Kernel Address Space Layout Randomization. In simple terms, KASLR is there to make your iPhone more secure. This is great news for those who only wish to enjoy the stock iOS experience. For the jailbreak community, however, KASLR has been the center of their headaches. One developer steps from the shadows to share his findings and his take on exploiting KASLR:

The iPhone Dev Team has been trying to find exploits in iOS 6 and the iPhone 5 to be able to jailbreak it. Of course, any iPhone released prior to the iPhone 4S will have an untethered jailbreak – that’s something that Apple can’t fix. Starting with iOS 4, Apple implemented ASLR, which, in a nutshell, randomizes where important files are loaded in RAM, making it harder to hack. All iPhones below the 4S have ASLR implemented after iOS 4, but that special exploit that Apple can’t fix allows developers to get around that.

The iPhone 4S and iPhone 5 don’t have that same exploit – publicly. The iPhone 4S was jailbroken by using a userland exploit. They have also found some userland exploits in the iPhone 5, but they are extremely difficult to use, and the location changes in RAM whenever they are loaded. The iPhone 5 has an added piece of security called kernel ASLR, also known as KASLR. What KASLR does is randomize the location of the kernel in RAM whenever it is loaded; therefore, it can’t be exploited. The kernel is, in layman’s terms, the control center of the operating system.

There is a way to get around KASLR that the devs haven’t been trying, which I am legally unable to talk about, but with this exploit, it is also something that Apple can’t fix. Once this “exploit” is found and is able to be used, the iPhone 5 will always have a guaranteed jailbreak. This same flaw in the security is also in the iPhone 4S, yet the developers haven’t found it. It’s really not that hard to find; I’m surprised they haven’t found it. What I can say is that “Keys Open Doors.” There will always be a tethered jailbreak. With that, all you have to do is exploit the boot process, which is also influenced by ASLR, but it isn’t influenced much by KASLR. Also, for safekeeping, never pay for a jailbreak.

Does any of this information help any of you guys out there?

About the author

Tristan Thomas

Currently studying Information Technology at Georgia Southern University, Tristan uses Tech Analyzer as a venting outlet for how he interprets the technological world around him.
