Right when Apple is busy holding the WWDC event and showing off its new software to developers and users, Google developer Ian Beer has put the iOS 11.3.1 jailbreak exploit in the public domain. Now that the exploit is out in the wild, there is going to be a lot of activity in the jailbreak community over the next few days. Ian Beer, part of Google’s Project Zero, had said last week that he would soon release the exploit for Electra iOS 11.3.1 jailbreak.
Ian Beer is the researcher behind many iOS exploits, and he has been very active in the iOS jailbreak community in recent years. He announced the public release of the new exploit in a series of tweets. In the first tweet, Beer noted that iOS 11.4 patched kernel memory corruption bugs he had reported in two distinct areas: mptcp and vfs. His exploit for the mptcp bug is linked in the tweet below. Don’t forget to read the ‘README’, because an ‘Apple developer cert’ is required.
iOS 11.4 patched kernel memory corruption bugs I reported in two distinct areas: mptcp and vfs. My exploit for the mptcp bug is here: https://t.co/Vj4AX1rNd5 Please read the README. It requires an Apple developer cert.
— Ian Beer (@i41nbeer) June 5, 2018
The vfs bug doesn’t require an ‘Apple developer cert.’ However, Beer warned that it is considerably harder to exploit: the bug only lets you write 8 NULL bytes off the end of a kalloc.16 buffer, so anyone turning it into a working exploit will need new techniques rather than recycled ones.
The vfs bug doesn't require an Apple developer cert but is considerably harder to exploit. You get to write 8 NULL bytes off the end of a kalloc.16 buffer. It's sufficiently hard to exploit that it's worth trying just to demonstrate that such issues are reliably exploitable…
— Ian Beer (@i41nbeer) June 5, 2018
see eg The Poisoned Nul Byte, 2014 by @scarybeasts https://t.co/tztOl3nHLn . But it takes time. The mptcp exploit is mostly recycled bits of earlier exploits. The getvolattrlist bug needs some new techniques.
— Ian Beer (@i41nbeer) June 5, 2018
The trigger is here: https://t.co/RIRYgy2cmE If you're into iOS exploit dev take a go at it and blog about it! I'll publish what I have soon, hopefully this week.
— Ian Beer (@i41nbeer) June 5, 2018
Finally: always keep your personal iOS devices up to date and only use these tools on devices which don't have any personal information and are only used for research.
— Ian Beer (@i41nbeer) June 5, 2018
(footnote: for the vfs bug technically you can control a handful of bits in the 8 overflow bytes, the overflow value is actually two 4 byte flag fields. This may or may not help.)
— Ian Beer (@i41nbeer) June 5, 2018
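As an added illustration of what the tweets describe (not Beer's code, not the actual vfs bug, and not an iOS kernel), the constructed user-space C model below shows why an 8-byte write of two mostly-zero flag fields past the end of a 16-byte element is both damaging and detectable. Element 0 is the over-written buffer, element 1 its slab neighbour; the first scenario shows the neighbour's leading pointer-sized field being zeroed, and the second shows a KASAN-style red zone catching the overflow. The element size, arena layout, fake pointer value and little-endian byte order are all assumptions of this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEM_SIZE 16          /* assumed size class, modelled on kalloc.16 */
#define REDZONE_BYTE 0xAA     /* sentinel pattern used by the detector */

/* The tweets say the 8 overflow bytes are two 4-byte flag fields of which
 * only a handful of bits are controllable; model them as two uint32_t. */
struct two_flags {
    uint32_t f0;
    uint32_t f1;
};

/* Constructed arena: element 0 followed by its neighbour, as one flat
 * array so the overflow stays well-defined C for the purpose of the model. */
typedef struct {
    uint8_t bytes[2 * ELEM_SIZE];
} arena_t;

/* Model of the defect: the writer fills its ELEM_SIZE-byte element and then
 * appends the flag pair after it, so those 8 bytes land in the neighbour. */
static void buggy_write(arena_t *a, const uint8_t payload[ELEM_SIZE],
                        struct two_flags flags)
{
    memcpy(a->bytes, payload, ELEM_SIZE);
    memcpy(a->bytes + ELEM_SIZE, &flags, sizeof flags);   /* off by 8 bytes */
}

/* Read the neighbour's first 8 bytes as the 64-bit value stored there
 * (little-endian host assumed). */
uint64_t neighbor_head(const arena_t *a)
{
    uint64_t v;
    memcpy(&v, a->bytes + ELEM_SIZE, sizeof v);
    return v;
}

/* Scenario 1: the neighbour starts with a (fake) 64-bit pointer. After the
 * overflow with all-zero flags that pointer reads back as 0; with a few flag
 * bits set it becomes a small, mostly-zero value. */
uint64_t neighbor_after_overflow(uint64_t fake_ptr, uint32_t f0, uint32_t f1)
{
    arena_t a;
    uint8_t payload[ELEM_SIZE];
    struct two_flags fl = { f0, f1 };

    memset(&a, 0, sizeof a);
    memcpy(a.bytes + ELEM_SIZE, &fake_ptr, sizeof fake_ptr);
    memset(payload, 0x41, sizeof payload);
    buggy_write(&a, payload, fl);
    return neighbor_head(&a);
}

/* Scenario 2 (defender side): fill the neighbour slot with a sentinel before
 * the write and count clobbered sentinel bytes afterwards. A flag value that
 * happens to equal the sentinel would hide itself, so real detectors also
 * track allocation bounds rather than relying on the pattern alone. */
int redzone_bytes_clobbered(uint32_t f0, uint32_t f1)
{
    arena_t a;
    uint8_t payload[ELEM_SIZE];
    struct two_flags fl = { f0, f1 };
    int clobbered = 0;

    memset(a.bytes, 0, ELEM_SIZE);
    memset(a.bytes + ELEM_SIZE, REDZONE_BYTE, ELEM_SIZE);
    memset(payload, 0x41, sizeof payload);
    buggy_write(&a, payload, fl);
    for (int i = ELEM_SIZE; i < 2 * ELEM_SIZE; i++)
        if (a.bytes[i] != REDZONE_BYTE)
            clobbered++;
    return clobbered;
}

int main(void)
{
    uint64_t fake_ptr = 0xffffffe000123456ULL;   /* constructed value */
    printf("neighbour head before: 0x%016" PRIx64 "\n", fake_ptr);
    printf("after zero-flag overflow: 0x%016" PRIx64 "\n",
           neighbor_after_overflow(fake_ptr, 0, 0));
    printf("after overflow with bit 0 of f0 set: 0x%016" PRIx64 "\n",
           neighbor_after_overflow(fake_ptr, 1, 0));
    printf("red zone bytes clobbered: %d\n", redzone_bytes_clobbered(0, 0));
    return 0;
}
```

The point the model makes is the one in the tweets: the write is short and almost entirely zero, so it does not give an attacker a value to place, only a neighbouring field to clear; that is what makes such a bug hard, and also what a red zone or bounds-tracking allocator flags immediately.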
Soon after Beer released his exploit, developer CoolStar began incorporating it into the Electra codebase in order to ship a reliable iOS 11.3.1 jailbreak tool as early as possible. CoolStar, the developer behind the Electra tool, has said previously that the Electra iOS 11.3.1 jailbreak would support all iOS 11 compatible devices, including the iPhone X.
Beer’s exploit is not, by itself, a jailbreak that people interested in liberating their devices can use right now. But it forms the backbone of a public iOS 11.3.1 jailbreak in the near future. CoolStar said in a statement that Ian Beer has “released an exploit for mptcp (requires dev acct), and a bug that requires an exploit to be written for it (doesn’t require a developer account). Will try to get a hold of a dev account to get started, but for release dev acct isn’t too great.”
Have you prepared your device for the iOS 11.3.1 jailbreak?
While CoolStar works on the Electra iOS 11.3.1 jailbreak tool, you can prepare your device for its release. The developer hasn’t given a timeline for its release, but we expect the jailbreak to arrive sooner rather than later.
Apple has released iOS 11.4 to the public, and it could stop signing iOS 11.3.1 at any time. CoolStar recommends that people on iOS 11.2 through iOS 11.3 update to iOS 11.3.1 as soon as possible, because the developer isn’t sure whether the exploit would work below 11.3.1. If you have already updated your iPhone or iPad to 11.4, you should downgrade it to 11.3.1 while that version is still being signed, to be on the safe side.
The next thing you should do is save your iOS 11.3.1 SHSH2 blobs. They will give you the option to restore to 11.3.1 with futurerestore later, even if Apple stops signing the 11.3.1 firmware. Your iPhone or iPad should then be all set for the Electra iOS 11.3.1 jailbreak; just wait for CoolStar to release the Electra tool for devices running iOS 11.3.1. CoolStar seems determined to release it. The developer recently thanked the people who donated to the cause, which allowed CoolStar to buy a test iPhone X handset.
CoolStar assured the jailbreak community that they won’t repeat the PR mistake they made while releasing the original Electra for the iOS 11.0-11.2 jailbreak. “This release will be drama-free,” said the developer.