Apex jailbreak for arm64 devices on iOS 14 teased by alfiecg_dev

Toward the end of last week, iOS developer and security researcher @alfiecg_dev posted a teaser video on social media platform X (formerly Twitter) of what appears to be a new breed of iOS 14 jailbreak running on an iPhone 7.

Alfiecg_dev teases Apex jailbreak for iOS 14 arm64 devices on X.

According to the post, the jailbreak works on older arm64 devices (A11 and earlier). It features several noteworthy achievements, including:

  • A custom kernel exploit
  • Full physical read & write privileges
  • Trustcache injection
  • Persistence

Importantly, the list above includes persistence. In fact, @alfiecg_dev mentions in the post that installed jailbreak tweaks load at boot, and the video teaser included in the post confirms this. We also learn that persistence is optional to the end user.

In responses to follow-up comments, we learn that libhooker is being used for tweak injection because of issues that prevent ElleKit from being used instead. We also learn that there are built-in protections to help users repair their device without restoring when they install faulty jailbreak tweaks.

Another interested poster asked if the jailbreak would ever get support for arm64e devices (A12 and newer), and @alfiecg_dev said that they don’t currently have any test devices and that making that happen will require removing a dependency on a PAC bypass. The developer plans to add support in the future if they can find devices and the time to do so.

So what is this jailbreak? In another post shared not even 24 hours ago, @alfiecg_dev published a screenshot of the bottom of the Sileo package manager, which appears to reveal “Apex” as the name of the jailbreak:

Apex jailbreak Sileo package manager.

Apex isn’t yet available to the general public, but when it is released, it will be open source on the developer’s GitHub page for the world to learn from. Additionally, unlike some other jailbreaks, Apex doesn’t inhibit the use of passcodes or biometric authentication methods like Touch ID or Face ID.

Apex appears to be based on @alfiecg_dev’s Vertex kernel exploit for iOS 14, which was made possible with the help of @staturnzdev. That project is fully open source on GitHub, and it would seem that the vulnerability exploited by Vertex is the same one used by the PhysPuppet exploit in the Kernel File Descriptor (KFD) exploit and by the IOSurface kernel read & write technique originally used in weightBufs.

Your friends at iDB will continue following the Apex jailbreak project and keep you apprised of any updates in its development.