Learn How to Jailbreak iOS with Pangu

Finally, good news for all iOS 7.1.x users who are looking to jailbreak their devices: you can now download the Pangu tool and jailbreak your iPhone or iPad for free!

Years ago, in late 2007, when the famous hacker GeoHot found exploits in iOS (limera1n) that allowed iOS to be jailbroken, the Apple jailbreaking saga began. However, when iOS 7.1 was released and the evad3rs did not update evasi0n7 for iOS 7.1 (it supports iOS 7.0.x only), many thought the saga was over. They were wrong. This summer, Chinese hackers released the Pangu iOS jailbreak. From now on you can free iOS 7.1.1 and iOS 7.1.2 devices using this new tool. Here are the tutorial guides you can use for iOS jailbreaking with Pangu:

  • Jailbreak iOS 7.1 Using Pangu 1.0
  • Jailbreak iOS 7.1.2 Using Pangu 1.1
  • Jailbreak iOS 8 / 8.1 Using Pangu

The first version of the Pangu iOS jailbreak contained the Chinese alternative app store called “25PP”. That store was in Chinese, and there were also complaints that iPhone / iPad performance was not as usual. Pangu 1.1 came in English and without 25PP, which makes the tool ideal for iOS jailbreaking worldwide.

Jailbreaking is the most popular unofficial procedure on Apple mobile gadgets. You can jailbreak an iPhone, iPad or iPod Touch and get access to unofficial software, apps and games. The famous hacker saurik developed a store for unofficial software called Cydia. In other words, with Cydia on your device you can install any app that was developed for iOS but was not authorized by Apple. You can’t find such tweaks on the App Store, but when you have Cydia (an app like IPA Library for iOS) you get access to apps that can change your iPhone from its standard configuration to an unrecognizable interface and settings.

The Pangu tool is safe, and this was confirmed by hackers like iH8sn0w, MuscleNerd, pod2g and even i0n1c. Such names suggest that we can trust this tool and jailbreak an iOS device right now!

Technical Features of Pangu Jailbreak Announced During SyScan360 Hacking Conference 2014

The Chinese Pangu team turned the world of jailbreaking upside down by releasing the Pangu untethered jailbreak for iOS 7.1.x last month, which supports all iOS 7 compatible devices. This is great news for the whole community, as there is finally real competition among hackers, which means it could become easier and quicker for different teams to launch future jailbreak utilities.

Even once the Pangu guys had gathered all the vulnerabilities needed for an untethered jailbreak, it still took them about two months to finish developing the tool. Since it was the first time they had developed an untethered jailbreak program, they faced various problems. The team thanks everyone who helped them complete the utility and release it to the public before other hackers managed to take this step with iOS 7.1, 7.1.1 and 7.1.2.

This article mostly covers the vulnerabilities found by the Chinese hackers and used in the Pangu jailbreak for untethering the iPhone, iPod touch and iPad. They gave details about their code signing bypass, kernel information leak and kernel memory overwrite vulnerabilities. Then they demonstrated how these bugs are exploited so that the Pangu jailbreak can work on iOS devices and jailbreak them.

The Pangu Team spoke on “How Pangu Jailbreak Untethered on Your iOS Devices” during the 2014 SyScan360 hacking conference. This event is well known among Internet security conferences in Asia and has been held over 20 times since 2004. The goal of SyScan is not to promote any single brand or product, but to provide a forum through which the world’s top hacking and cyber-security specialists can meet, talk, discuss and exchange views and ideas.

Pangu Jailbreak is a free iOS jailbreaking tool developed by the Chinese team who call themselves PanGu. This first and only iOS 7.1.x jailbreak [as of July 2014] can jailbreak many iOS devices, even on the latest iOS 7.1.2 version. Pangu is a desktop application for Windows and Mac systems that enables users to jailbreak an iOS device (connected to the desktop computer with a standard USB charging cable) by clicking a series of buttons and following an easy-to-repeat set of instructions.

iOS Code Signing

  • Installation
  • Command Line
  • Sandbox
  • Access Control
  • Kernel encryption
  • Hardware decryption operation time
  • System version limit

Pangu Jailbreak

  • Full control of the files on your own device
  • Full file system access
  • Execution of arbitrary code
  • Use of extensions (tweaks)
  • Bypassing system restrictions

iOS Security

  • User space layer: ASLR / NX / Stack Cookie / AMFI / Sandbox / Entitlement / Code Signing
  • Kernel layer: KASLR / NX / Stack Cookie / User Space Isolation / Heap Randomization / Free List Protection
  • ARMv7s/ARM64
  • Almost no way to debug the kernel
  • Low broken pieces of still images

Several Jailbreak Types

Failbreak – This is a program that is mostly not available to the public. It only acquires root authority, or is an incomplete / flawed jailbreak that cannot run Mobile Substrate properly. Some failbreaks cannot be released to the public for various reasons, so “failbreak” is also sometimes used to refer to any jailbreak that cannot be released to users, whether or not that jailbreak is complete.
Tethered Jailbreak – This type of program makes users lose their jailbreak status after they manually restart their iPhone. This tool requires running the jailbreak app fairly often to regain the status.
Untethered Jailbreak – This is the best type of jailbreak program, as it allows using your smartphone to the fullest without losing your jailbreak status once you manually restart your device. The status is lost only after you decide to update to a newer firmware version.

Jailbreak history

  • Saffron (JailBreakMe 3.0) for iOS 4.3.3 (2011.7)
  • Absinthe 2.0 for iOS 5.1.1 (2012.5)
  • Evasi0n for iOS 6.0-6.1.2 (2013.2)
  • Evasi0n7 for iOS 7.0.x (2013.12)
  • Pangu for iOS 7.1.x (2014.6)

Pangu jailbreak history

  • Originally released on 2014.6.24
  • The world’s first, and the first tool to support an iOS 7.1.x jailbreak on all devices
  • The first presentation by the Chinese team that developed and launched this jailbreak to public
  • Pangu team members: @dm557 @windknown @modikr @tb557 @zengbanxian

iOS Jailbreak process

  • Code injection out of the sandbox
  • Get Root Privileges
  • Kernel Overflow
  • Patch Kernel
  • Remount rootfs Writable
  • Release Untether

Pangu Jailbreak process

  • Manually restart the phone
  • Bypassing code signing
  • Kernel Overflow
  • Patch Kernel
  • Remount rootfs Writable
  • Continue to boot the system

Application-layer attack surface

  • Built-in apps
  • MobileSafari / Mail / Message
  • Connection to a computer
  • Backup / File Relay / Sync / DDI

Kernel-level attacks

  • IOKit
  • Syscall
  • Mach Trap
  • MIG subsystem

Code Signing bypass

Since the developer betas of the iPhone firmware, Apple has required all code on the device to be signed. This is done to thwart unauthorized applications being installed on the iPhone. To get around this (and thereby install hackers’ own code on the device), hackers patched signature verification out of the kernel. However, the other half of the code signing problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is difficult (especially to keep track of as Apple makes changes) and of marginal benefit, as adding these hashes is easy.

  • Kernel layer – AMFI
  • User space layer – dyld
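The paragraph above describes two separate checks: per-page SHA1 hashes stored with the binary, and a signature over the whole set of hashes. The following added example (written for this article, not Pangu or Apple code) is a simplified model of that split: a “code directory” here is just the code length plus the list of SHA1 page hashes, and an HMAC with a constructed key stands in for Apple’s signature over the directory. The demo shows why the page hashes alone are of marginal benefit: after a byte is patched, only page 1 fails; once the hashes are recomputed, every page verifies again, and only the signature over the directory still catches the tampering.

```python
"""Simplified model of per-page code-signing verification.

Added example, not Pangu or Apple code. Assumptions: a real iOS CodeDirectory
carries many more fields; here it is reduced to a code length plus SHA-1 page
hashes, and an HMAC with a constructed key stands in for the Apple signature.
"""
from __future__ import annotations

import hashlib
import hmac

PAGE_SIZE = 4096  # code pages are hashed at this granularity


def page_hashes(code: bytes, page_size: int = PAGE_SIZE) -> list[bytes]:
    """SHA-1 of every page of the code segment; the last page may be short."""
    return [hashlib.sha1(code[i:i + page_size]).digest()
            for i in range(0, len(code), page_size)]


def directory_bytes(code_limit: int, hashes: list[bytes]) -> bytes:
    """Serialised form of the (simplified) code directory that gets signed."""
    return (code_limit.to_bytes(4, "big")
            + len(hashes).to_bytes(4, "big")
            + b"".join(hashes))


def build_directory(code: bytes, signing_key: bytes) -> dict:
    """Hash all pages and sign the directory (HMAC stands in for the real signature)."""
    hashes = page_hashes(code)
    body = directory_bytes(len(code), hashes)
    return {"code_limit": len(code), "hashes": hashes,
            "signature": hmac.new(signing_key, body, hashlib.sha256).digest()}


def directory_is_trusted(directory: dict, signing_key: bytes) -> bool:
    """The AMFI-style check: is the directory as a whole signed by the trusted key?"""
    body = directory_bytes(directory["code_limit"], directory["hashes"])
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, directory["signature"])


def page_is_valid(code: bytes, directory: dict, page_index: int) -> bool:
    """The per-page check the kernel performs when a code page is faulted in."""
    if page_index >= len(directory["hashes"]):
        return False
    start = page_index * PAGE_SIZE
    end = min(start + PAGE_SIZE, directory["code_limit"])
    if end <= start:
        return False
    actual = hashlib.sha1(code[start:end]).digest()
    return hmac.compare_digest(actual, directory["hashes"][page_index])


def invalid_pages(code: bytes, directory: dict) -> list[int]:
    """Indices of all pages whose hash no longer matches the directory."""
    return [i for i in range(len(directory["hashes"]))
            if not page_is_valid(code, directory, i)]


def demo() -> dict:
    signing_key = b"constructed-demo-key"        # stand-in for the platform signing key
    code = bytes(range(256)) * 40                 # constructed 10240-byte "code segment" (3 pages)
    directory = build_directory(code, signing_key)
    assert directory_is_trusted(directory, signing_key)
    assert invalid_pages(code, directory) == []

    # Patch one byte inside page 1; only that page's hash breaks.
    patched = bytearray(code)
    patched[PAGE_SIZE + 100] ^= 0xFF
    patched = bytes(patched)
    tampered_pages = invalid_pages(patched, directory)

    # Recomputing the page hashes is easy, but the directory signature cannot be
    # regenerated without the key, so that is the check that actually matters.
    rehashed = dict(directory, hashes=page_hashes(patched))
    return {
        "tampered_pages": tampered_pages,
        "pages_ok_after_rehash": invalid_pages(patched, rehashed) == [],
        "directory_trusted_after_rehash": directory_is_trusted(rehashed, signing_key),
    }


if __name__ == "__main__":
    print(demo())
```

The per-page check is deliberately lazy (one page at a time), which is why the kernel re-validates hashes in many places; the directory signature is the single point that binds all of them to a trusted key.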

Patch Kernel

  • Fits all devices – no fixed offsets or hard-coded addresses
  • Smart search – dump the kernel at run time and search it
  • Simple command interpreter
  • Patch sites located by searching for instruction patterns

Short Biography of Pangu Team Speakers

windknown is currently working on security research and app development for OSX/iOS. He also has years of experience in Windows security. His major research fields cover OSX/iOS/Windows security, vulnerabilities, rootkits, virtualization technology, etc. He has presented his research at different international security conferences, including XCON, POC, SyScan and SyScan360.

dm557 is a security researcher who focuses on advanced vulnerability exploitation research. He has worked in the network security field since 2000 and has over 15 years of experience in the network security industry; he now mainly focuses on innovative research into software vulnerabilities and exploitation on Microsoft and Apple systems.

The latest jailbreaking tool from Chinese hackers is Pangu. This tool supports iOS 7.1 through 7.1.2. Almost 2 million users have installed the tool on their devices. The surge in traffic from jailbreakers has caused availability issues on several Cydia repositories, which has made it difficult to install jailbreak apps and tweaks. As of 07.02.2014, the statistics of the evasi0n jailbreak project state:

  • Pangu site received 3.56 million visitors
  • Total 7,820,000 jailbreak requests
  • Total 2,050,000 device jailbreak attempts
  • Successful jailbreak for 1.81 million devices

These charts were presented to the public by PanguTeam member @Windknown during the SyScan360 conference in Beijing.

Pangu Website Statistic from All Over the World

The Pangu website has received more than 3 million unique visitors since the site was launched. Most of the traffic is from China:

  • China
  • U.S.
  • Vietnam
  • Saudi Arabia

You can see the breakdown of the other countries where the Pangu tool was used:

Pangu Jailbreak Distribution Statistic Worldwide

Such traffic is not a surprise, as Pangu was released for the newest iOS devices like the iPhone 5, 5S, 5C, iPad 4 / 5 and iPad Mini running iOS 7.1.x. The tool’s popularity was also boosted by its developers, the Pangu team.

Pangu Jailbreak Stats From China

Here are some surprising statistics from a Chinese company: nearly half of iOS devices (iPhone, iPad, iPod Touch) in China were jailbroken in May – June 2014. The number climbed to half in the next few months, which means one out of two iOS devices was jailbroken. As 2014 winds down, these numbers are steadily declining.

Almost half of the Chinese iOS fans downloaded Pangu from the following provinces and cities. It is not surprising that Pangu was first and mostly downloaded by Chinese users. Here you can see where the tool was most popular.

  • Guangdong
  • Fujian
  • Beijing
  • Jiangsu

Over 200 million Android and iOS devices are in circulation in China. Even a seemingly small 10% change reflects a huge number of users moving away from jailbreaking.

Pangu Jailbreak Distribution Statistic in China

Here is one interesting thing. Apple was also interested in the Pangu website, and below you can see a table of Pangu website page views by Apple employees. This makes us think that Apple is really interested in jailbreaking. The reason is security.

Pangu Jailbreak Distribution Statistic Apple


Now we’re waiting for the Pangu iOS 7.1.x untethered jailbreak to become more popular than Evasi0n. As we all know, evasi0n doesn’t support iOS 7.1 devices. There are rumours that hackers are keeping their exploits for a new iOS 8 jailbreaking tool.

Pangu vs Evasi0n

It’s actually difficult to compare the Evasi0n and Pangu untethered jailbreak tools, as they serve the same goal. Still, there are a lot of differences when you look at Pangu vs Evasi0n. Firstly, Evasi0n supports iOS 7, 7.0.1 and up to 7.0.6, while Pangu is designed only for iOS 7.1 and 7.1.x firmware. Secondly, Evasi0n was launched by the famous evad3rs team, while Pangu was created by a group of hackers from China who were not known before this program. It is great to see new blood in the jailbreaking community. The more hackers try to develop jailbreak tools, the more choices users will get.

According to iPhoneHacks, the evasi0n statistics are:

evasi0n.com hit rate

The traffic was 5 million unique visitors and over 40 million page views during the first 5 months after the evasi0n tool was launched.

evasi0n.com traffic overview

20% or 3 million of the visitors came from China, 17% from the U.S. and 6% from France. Here’s the breakdown of the top 10 countries:

evasi0n.com visitors – top countries breakdown

Chinese iOS fans were also the most active visitors of the evasi0n website.
