Security researcher alfiecg_dev discovers 0-day PAC bypass, posts teasers on X

Security researcher and iOS developer @alfiecg_dev, perhaps best known for being a co-developer of the TrollStore perma-signing utility for iPhones and iPads, as well as the TrollInstallerX TrollStore installation method, surprised all of us on Monday when they took to X (formerly Twitter) to share a teaser regarding a 0-day PAC bypass on an iPad Air (3rd generation) running iPadOS 15.5.


For those unaware, PAC stands for Pointer Authentication Codes. On the arm64e architecture (A12 and later), the CPU signs pointers with a secret key and a small cryptographic tag stored in the unused upper bits of the pointer, then verifies that tag before the pointer is used, which lets it detect and block unexpected changes to pointers residing in a device’s kernel memory. PAC bypasses are often used in jailbreaks and other hacks that rely on kernel exploits to achieve read and write access to kernel memory: without a bypass, any pointer the exploit modifies would fail authentication and the device would simply panic.
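A simplified software model of the sign-then-authenticate cycle described above, added here as an illustration and not code from @alfiecg_dev or from Apple: the 16-bit tag, the XOR-fold "MAC", the key and the sample address are all constructed stand-ins (real arm64e hardware uses a keyed cipher and places the tag in the pointer's top bits).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 48 address bits, 16-bit PAC in the top bits. */
#define PAC_SHIFT 48
#define ADDR_MASK ((1ULL << PAC_SHIFT) - 1)

/* Constructed key; on real hardware the key lives in system registers
 * and is never readable by the code being protected. */
static const uint64_t PAC_KEY = 0x5A5A1234ABCD0F0FULL;

/* Toy keyed tag: XOR-fold to 16 bits. Stands in for the hardware MAC
 * (Arm's reference design uses the QARMA block cipher); it is NOT secure. */
static uint16_t fold16(uint64_t v) {
    return (uint16_t)(v ^ (v >> 16) ^ (v >> 32) ^ (v >> 48));
}

static uint16_t toy_mac(uint64_t addr, uint64_t context) {
    return fold16(addr) ^ fold16(context) ^ fold16(PAC_KEY);
}

/* PAC* instruction model: bind an address to a context (e.g. the stack
 * pointer for return addresses) and embed the tag in the upper bits. */
uint64_t pac_sign(uint64_t addr, uint64_t context) {
    uint64_t a = addr & ADDR_MASK;
    return a | ((uint64_t)toy_mac(a, context) << PAC_SHIFT);
}

/* AUT* instruction model: recompute the tag and compare. On success the
 * raw address is returned; on failure 0 is returned here, whereas real
 * hardware poisons the pointer so the next use faults and the kernel panics. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t context) {
    uint64_t a = signed_ptr & ADDR_MASK;
    if ((uint16_t)(signed_ptr >> PAC_SHIFT) != toy_mac(a, context)) return 0;
    return a;
}

int main(void) {
    uint64_t p = pac_sign(0x100004000ULL, 0);           /* constructed address */
    printf("signed   : 0x%016llx\n", (unsigned long long)p);
    printf("auth ok  : 0x%llx\n", (unsigned long long)pac_auth(p, 0));
    /* An exploit that overwrites the address bits without the key
     * produces a pointer whose tag no longer matches. */
    printf("tampered : 0x%llx\n", (unsigned long long)pac_auth(p ^ 0x1000, 0));
    /* The same signed pointer used under a different context also fails. */
    printf("wrong ctx: 0x%llx\n", (unsigned long long)pac_auth(p, 1));
    return 0;
}
```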

Because this PAC bypass is of the 0-day variety, the vendor (Apple, in this case) isn’t yet aware of the vulnerability and hasn’t yet devised a patch or fix for it. Consequently, it can be deduced that this PAC bypass may work on the latest available firmware at the time of this writing. No official announcements have either confirmed or denied this, so there’s certainly wiggle room for interpretation.

Upon sharing the 0-day teaser on social media platform X, @alfiecg_dev said they have no plans to release the PAC bypass at this time, which is probably a good call considering it isn’t yet patched. The moment Apple learns how this PAC bypass works, they will quickly patch it in a software update, as they usually do with security vulnerabilities.

As we mentioned earlier, PAC bypasses are often used in jailbreaks, but they’re not the only puzzle piece required to make one. Page Protection Layer (PPL) bypasses were required in iOS & iPadOS 16 and earlier on arm64e devices, while Secure Page Table Monitor (SPTM) bypasses are required in iOS & iPadOS 17 and later on arm64e devices.

Older arm64 devices (A11 and older) don’t require these additional puzzle pieces, which is why palera1n can still be used to jailbreak those devices via the checkm8 hardware-based bootrom exploit, even when running the latest and greatest firmware from Apple.

Given everything we discussed above, this PAC bypass doesn’t mean that a jailbreak is right around the corner for the latest devices running the newest firmware – so don’t get too excited just yet. We commend @alfiecg_dev on this achievement.