Evasi0n 1-click jailbreak is great, but how does it work!?
I first entered the jailbreak world back in 2010 when I purchased an iPhone 3GS running iOS 3.1.2. At that time, jailbreaking had already been simplified quite a bit and was a piece of cake compared to the 74-step jailbreak that came about in the early years of iOS. Nowadays, jailbreakers are spoiled with easy-to-use single-click jailbreaks, where all of the difficult commands and exploits are neatly compiled into scripts that run in the background.
Because of this, it is easy to forget just how much work actually goes into these jailbreaks. Peter Morgan, Ryan Smith, Braden Thomas, and Josh Thomas from Accuvant Labs have taken the time to dissect the new Evasi0n jailbreak and walk us through the entire process. I must say that after reading this, I sure am glad we have people like the @evad3rs to do the dirty work for us. Here is an excerpt:
Evasi0n works in 3 stages that are described below. All of the stages use functionality on the phone exposed by MobileBackup, the daemon used to backup user data from the device, and restore backups back to the device. Since backups are created by the user’s device, and must be interchangeable between devices, they cannot be easily cryptographically signed, so they are essentially untrusted data.
MobileBackup uses both a domain, such as MediaDomain, and a relative path to identify every file. A static absolute path corresponding to the domain, joined with the file-specific relative path, determines the absolute path of every file. Evasi0n creates all its files in MediaDomain, so all of the files are within /var/mobile/Media.
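The domain-plus-relative-path scheme described above is exactly the kind of untrusted input a restore-side implementation has to validate before touching the filesystem. The following is an added example, not code from the Accuvant write-up or from evasi0n: it resolves a (domain, relative path) pair the way the text describes and rejects any pair whose result would land outside the domain's root. Only the MediaDomain mapping comes from the text; the second domain name and the sample manifest entries are constructed for illustration.

```python
import posixpath

# Domain roots: MediaDomain -> /var/mobile/Media is from the write-up.
# "ExampleDomain" is an assumed placeholder, not a real MobileBackup domain.
DOMAIN_ROOTS = {
    "MediaDomain": "/var/mobile/Media",
    "ExampleDomain": "/var/mobile/Example",
}


class BackupPathError(ValueError):
    """Raised when a (domain, relative path) pair does not resolve safely."""


def resolve_backup_path(domain: str, relative_path: str) -> str:
    """Join the domain's static root with the file's relative path and
    return the absolute path, or raise if the pair is unknown or escapes.

    The check is purely lexical (no filesystem access), so it runs offline;
    a real restore routine would additionally guard against symlinks that
    already exist on disk, which this function does not attempt.
    """
    root = DOMAIN_ROOTS.get(domain)
    if root is None:
        raise BackupPathError(f"unknown domain: {domain!r}")
    # posixpath.join discards the root when the second operand is absolute,
    # so an absolute "relative" path is rejected rather than silently re-rooted.
    if relative_path.startswith("/") or "\x00" in relative_path:
        raise BackupPathError(f"invalid relative path: {relative_path!r}")
    candidate = posixpath.normpath(posixpath.join(root, relative_path))
    # Containment: result must be the root itself or strictly below it.
    # Comparing against root + "/" prevents /var/mobile/Media2 from passing.
    if candidate != root and not candidate.startswith(root + "/"):
        raise BackupPathError(f"path escapes {root}: {relative_path!r}")
    return candidate


def check_manifest(entries):
    """Split a list of (domain, relative_path) manifest entries into the
    resolved paths that are safe to restore and the entries to reject."""
    accepted, rejected = [], []
    for domain, rel in entries:
        try:
            accepted.append(resolve_backup_path(domain, rel))
        except BackupPathError as exc:
            rejected.append((domain, rel, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample manifest, not data from a real backup.
    sample = [("MediaDomain", "DCIM/100APPLE/IMG_0001.JPG"),
              ("MediaDomain", "Recordings/../DCIM/clip.m4a"),
              ("MediaDomain", "../Library/Preferences/x.plist"),
              ("UnknownDomain", "a.txt")]
    ok, bad = check_manifest(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```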