Skip to content

doadam/ziVA

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

Makefile

Makefile

 
 

README.md

README.md

 
 

apple_ave_pwn.h

apple_ave_pwn.h

 
 

apple_ave_pwn.m

apple_ave_pwn.m

 
 

apple_ave_utils.h

apple_ave_utils.h

 
 

apple_ave_utils.m

apple_ave_utils.m

 
 

device_port.h

device_port.h

 
 

device_types.h

device_types.h

 
 

heap_spray.h

heap_spray.h

 
 

heap_spray.m

heap_spray.m

 
 

iokit.h

iokit.h

 
 

iokitUser.m

iokitUser.m

 
 

iosurface_utils.h

iosurface_utils.h

 
 

iosurface_utils.m

iosurface_utils.m

 
 

kernel_read.h

kernel_read.h

 
 

kernel_read.m

kernel_read.m

 
 

log.h

log.h

 
 

log.m

log.m

 
 

main.m

main.m

 
 

offsets.h

offsets.h

 
 

offsets.m

offsets.m

 
 

post_exploit.h

post_exploit.h

 
 

post_exploit.m

post_exploit.m

 
 

rwx.h

rwx.h

 
 

rwx.m

rwx.m

 
 

utils.h

utils.h

 
 

utils.m

utils.m

 
 

Repository files navigation

ziVA

An iOS kernel exploit designated to work on all 64-bit iOS devices <= 10.3.1

More general information

https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/

https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/

Offsets modifications for other iOS devices

Like a lot (if not most) of the iOS kernel exploits, this also requires offsets for each iOS device and version. Those will be posted in the close future (when I get more time) but should be acquired from AppleAVEDriver (you can get a hint on the offsets from the comments above them).

Sandbox escape

Like mentioned, AppleAVEDriver direct access requires sandbox escape (either mediaserverd sandbox context or no sandbox at all). Fortunately, Sandbox escape exploits have been released by P0, which means this can be used to completely compromise a kernel, and a step towards a full jailbreak.

Is it a Jailbreak?

This is a crucial part in a Jailbreak chain, but this never aimed to become a Jailbreak.

Is this going to be a jailbreak?

Maybe, if someone wants to work on that

Credits

Credit for finding the vulnerabilities, chaining them together, writing the exploit go to Adam Donenfeld (@doadam). Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck).

About

An iOS kernel exploit designated to work on all iOS devices <= 10.3.1

Resources

Readme
Activity

Stars

330 stars

Watchers

34 watching

Forks

104 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages