Security researcher says PoC for kernel vulnerability targeting iOS 17.4.1 and older coming soon

Apple on Monday released iOS & iPadOS 17.5, with a substantial part of that update incorporating a handful of security patches. At the very top of Apple’s “About the security content of iOS 17.5 and iPadOS 17.5” web page is CVE-2024-27804, a peculiar kernel vulnerability in AppleAVD which had the potential impact of an app being able to execute arbitrary code with kernel privileges.


These are exactly the types of things we like to hear in the jailbreak community, and CVE-2024-27804 is getting some attention from its discoverer, Meysam Firouzi (@R00tkitSMM), on X (formerly Twitter) right now because it seems that Firouzi plans to publish a proof of concept (PoC) for the kernel vulnerability very soon:

@R00tkitSMM teases that a PoC writeup for CVE-2024-27804 is coming soon.

So what does this mean? We’ll break it down for you below:

It means that a kernel vulnerability is about to get a proof of concept that could assist hackers in developing a kernel exploit, which could in turn be used for a variety of different things on iOS & iPadOS firmware 17.4.1 and older. With that in mind, it’s a good idea for anyone hoping to hack their devices at any time in the future to refrain from updating to the newly released iOS & iPadOS 17.5 firmware.

We should also add that a PoC doesn’t guarantee the development of a kernel exploit, but it does help facilitate the development of one. Should a kernel exploit become possible because of this PoC, that doesn’t even guarantee that we’d be able to use it for a jailbreak, and that’s because we also need what’s called a Secure Page Table Monitor (SPTM) bypass for arm64e devices running iOS & iPadOS 17.

SPTM prevents hackers from tampering with kernel memory on iOS & iPadOS 17, so we need to be able to bypass this mitigation to use a kernel exploit reliably for anything as significant as a jailbreak. SPTM is new to iOS & iPadOS 17; on iOS & iPadOS 16 and earlier, jailbreak makers instead used Page Protection Layer (PPL) bypasses alongside kernel exploits to create jailbreaks. The lack of a PPL bypass was precisely what held up the Dopamine v2 jailbreak for so long, as we already effectively had the Kernel File Descriptor (KFD) exploit but no PPL bypass, until one finally materialized as a result of the Kaspersky team’s Operation Triangulation research.

We don’t yet have an SPTM bypass at the time of this writing, so even if a kernel exploit were released based on this upcoming PoC, there wouldn’t be a way to make a jailbreak for arm64e devices yet. It would effectively be a standalone kernel exploit that could potentially be used for hacks such as those used in Kernel File Descriptor (KFD) and MacDirtyCow (MDC) add-ons like those installed via Misaka and PureKFD.

Older arm64 devices, which are already susceptible to the checkm8 bootrom exploit, can use a kernel exploit without an SPTM bypass for jailbreaking, and because such a jailbreak would be kernel exploit-based instead of bootrom exploit-based, it would be semi-untethered instead of semi-tethered. Unfortunately, arm64 iPhones don’t support iOS 17, so only a small subset of obscure and old iPads running iPadOS 17 could take advantage of this.

That’s the short of it as this pertains to jailbreaking, but it’s still a step in the right direction.

For example, a kernel exploit is all we would need to get a TrollStore installation method up and running on newer iOS & iPadOS 16 versions and 17.0. After all, the popular TrollStore perma-signing utility works on iOS & iPadOS 17.0, but there is no longer a way to install it on this firmware until a kernel exploit becomes available.

Given the hype this brings to the table, especially after the near-total silence regarding anything iOS & iPadOS 17-related in the realm of iPhone and iPad hacking lately, this is particularly good news, and we’ll be following it closely for any developments that could benefit the iPhone hacking community.

Be sure to keep it tuned to iDB as we keep you updated on the latest.