Skip to content

New Kernel exploit for iOS 15 – iOS 15.1.1 Jailbreak

    New Kernel exploit for iOS 15 – iOS 15.1.1 / Latest vulnerabilities and Kernel mitigations on iOS 15.2 – iOS 15.5

    New Kernel exploit for iOS 15 – iOS 15.1.1 released by John Åkerblom. He is also known as @jaakerblom on twitter. At zer0con 2022 in seoul, south korea, he demonstrated exploits as well as vulnerabilities and Kernel mitigations on iOS 15.2 – iOS 15.5 which is important for jailbreak.

    Latest iOS 15 Jailbreak status

    We are aware that there is a Palera1n jailbreak for iOS 15 and higher now. Also there are many iOS 15 & higher jailbreak solutions, please refer to the following pages for information.

    iOS 15.8 – iOS 15.8.2 Jailbreak

    iOS 15.7 – iOS 15.7.9 Jailbreak

    iOS 15.6 / iOS 15.6.1 Jailbreak

    iOS 15.5 Jailbreak

    iOS 15.4 / iOS 15.4.1 Jailbreak

    iOS 15.3 / iOS 15.3.1 Jailbreak

    iOS 15.2 / iOS 15.2.1 Jailbreak

    iOS 15.1 / iOS 15.1.1 Jailbreak

    iOS 15 – iOS 15.0.2 Jailbreak

    Also, this exploit differed from the one first published by b1n4r1b01 in that it could be adapted to support the most recent versions of iOS 14 – iOS 14.8.1. CoolStar, the Odyssey Team’s lead developer, appears to be interested in using AKerblom’s recently-unveiled kernel exploit to advance the development of the original Taurine jailbreak for iOS 14. Currently it is supported only for iOS 14 – iOS 14.3 jailbreak only. So, it might upgrade up to iOS 14.8.1 jailbreak.

    iOS Vulnerabilities

     IOMobileFramebuffer (Kernel Driver) : CVE-2021-30883

    • This was patched in iOS 15.0.2.
    • Affect iPhone 8/X to iPhone 11

    IOMobileFramebuffer (Kernel Driver) : CVE-2021-30983, CVE-2021-30985, CVE-2021-30991

    Kernel : CVE-2021-30937

    • This was patched in iOS 15.2
    • Affect iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Kernel Mitigations on iOS 15.2 – iOS 15.5

    More kernel memory randomization was finally added in iOS 15.2, significantly reducing the reliability of statically hardcoding.

    Predictions of kernel memory addresses

    • This means for example a hardcoded address that would always land in KHEAP_DATA_BUFFERS on 15.1.1 could now e.g land in KHEAP_KEXT instead
    • Whether zones start at their beginning or end is also random (50-50), making overflows and OOB vulnerabilities trickier to exploit (Recent Kernel Mitigations on iOS 15.2- iOS 15.5)
    • In iOS 15.3, mitigations for IOSurfaceClient were added
    • PAC signing was added to the IOSurfaceClients in the IOSurfaceClient array
    • Various back references checks also added to prevent IOSurfaceClient/IOSurface faking(Recent Kernel Mitigations on iOS 15.2- iOS 15.5)
    • In iOS 15.5 beta 1, PAC signing validation was finally added for the destroy path of kmsg
    • The kfree primitive covered in this talk now triggers a kernel panic

    According to him, there were many more mitigations in these versions.