Presented at Nullcon Goa 2020.
iOS jailbreaks have always been shrouded in mystery, with their inner workings known only to a select few. In this talk, I embark upon a journey with the audience to lift the curtain and put together a semi-untethered iOS jailbreak from the ground up. Starting from a memory corruption vulnerability, this talk covers defeating Kernel Address Space Layout Randomisation, escaping the iOS sandbox and remounting the root filesystem. Also, for the first time ever, this talk details how all of this can be done on the latest Apple devices without having to bypass ARMv8.3’s Pointer Authentication.