Just over 24 hours after its release, the iOS 6.x untethered jailbreak tool evasi0n has been downloaded more than 2 million times, and Planetbeing has revealed to Forbes some details about how the jailbreak works.
Evasi0n, the jailbreak recently released by the Evad3rs, is an untethered jailbreak for iOS 6.0 through iOS 6.1. The developers chained at least five distinct new bugs in iOS 6.x to make it work. According to saurik, over 1.7 million jailbreaks had been performed by Tuesday morning.
First, a bug in the backup system is used to gain write access to a file that the attacker normally could not touch: the one recording the device's time zone. That file is then replaced with a symbolic link pointing at a socket used to talk to launchd, the master process that starts everything else on iOS. Normally only root can reach that socket; once the time zone path resolves to it, code that follows the link ends up talking to launchd.
The next part of the jailbreak uses a 'shebang' trick: a script whose first line (#!) names an already-signed binary as its interpreter, so the signature that gets checked is the signed binary's while the unsigned script supplies the instructions. Notably, this is the only part of the process that requires user interaction. When the user taps the 'Jailbreak' app icon that is placed on their SpringBoard, it reaches launchd, which is accessible thanks to the earlier exploit, and uses it to run a 'remount' command that makes the root file system writable.
Evasi0n also uses launchd to load a library into the Apple Mobile File Integrity daemon (amfid), the process that checks code signatures each time a program launches, and swaps out its signature-checking function for one that always returns 'approved', so unsigned code is allowed to run.
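The time zone step above is a classic symlink trick: a privileged component opens a file by path, and an attacker who can replace that file with a link redirects the open to something the attacker could not reach directly. The following is an added illustration in C, not evasi0n's code or anything from the Forbes interview; it uses a temporary directory, a stand-in file in place of the real launchd socket, and constructed contents, all assumptions made for the demo. It shows a naive reader being redirected and a hardened reader (O_NOFOLLOW plus an fstat check) refusing.

```c
// Added example, not evasi0n's code: a model of the symlink trick and the
// check that defeats it. The "launchd socket" is a stand-in regular file
// with constructed content; the paths are created in a temp dir.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive open: follows symlinks, as a careless privileged reader would. */
static int open_tz_naive(const char *path) {
    return open(path, O_RDONLY);
}

/* Hardened open: O_NOFOLLOW makes open() fail with ELOOP if the final path
 * component is a symlink; fstat() then confirms a regular file was opened. */
static int open_tz_safe(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Reads the first line of whatever fd refers to into buf. */
static int read_first_line(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    if (got < 0) return -1;
    buf[got] = '\0';
    char *nl = strchr(buf, '\n');
    if (nl) *nl = '\0';
    return 0;
}

/* Builds the constructed scenario: a stand-in "launchd socket" file and a
 * "localtime" entry that an attacker has swapped for a symlink to it.
 * Returns 1 if the naive reader was redirected to the socket file AND the
 * safe reader refused, 0 otherwise. `seen` receives what the naive reader
 * actually read. */
int demo_symlink_trap(char *seen, size_t seen_len) {
    char dir[] = "/tmp/tzdemoXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char sock_path[256], tz_path[256];
    snprintf(sock_path, sizeof sock_path, "%s/launchd_sock", dir);
    snprintf(tz_path, sizeof tz_path, "%s/localtime", dir);

    /* Stand-in for the privileged socket (constructed sample content). */
    int fd = open(sock_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    if (write(fd, "LAUNCHD-SOCKET\n", 15) != 15) { close(fd); return 0; }
    close(fd);

    /* The attacker's step from the text: the time zone file becomes a link. */
    if (symlink(sock_path, tz_path) != 0) return 0;

    int ok = 1;
    fd = open_tz_naive(tz_path);            /* silently follows the link */
    if (fd < 0 || read_first_line(fd, seen, seen_len) != 0) ok = 0;
    if (fd >= 0) close(fd);
    if (strcmp(seen, "LAUNCHD-SOCKET") != 0) ok = 0;

    int safe_fd = open_tz_safe(tz_path);    /* must refuse with ELOOP */
    if (safe_fd >= 0) { close(safe_fd); ok = 0; }

    unlink(tz_path); unlink(sock_path); rmdir(dir);
    return ok;
}

int main(void) {
    char seen[64] = "";
    int ok = demo_symlink_trap(seen, sizeof seen);
    printf("naive reader got: \"%s\"; hardened reader refused: %s\n",
           seen, ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point for a practitioner: the naive reader never sees anything wrong, it simply operates on the link target. A privileged process that reads attacker-influenced paths should open with O_NOFOLLOW (or open the parent directory and use openat) and check the type of what it actually got.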
To bypass ASLR (Address Space Layout Randomization) and locate the kernel, evasi0n deliberately triggers a crash and reads the ARM exception vector, which holds the addresses of the kernel's exception handlers. The leaked address gives away the kernel's randomized load location, letting the tool map out where the kernel sits in the device's memory.
Finally, a bug in iOS's USB interface is used to write to any part of the kernel: the interface hands a kernel address out to user space and, when that address comes back, uses it without checking that it was returned unchanged. Substituting a different address turns the round trip into an arbitrary kernel write.
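The last bug is an instance of a well-known kernel bug class: a raw kernel pointer is handed to user space as an opaque cookie and trusted on the way back. The following is an added, user-space model in C of that class and of the usual fix (a handle table, so no kernel pointer ever leaves the kernel). It is not evasi0n's exploit and not Apple's driver code; the driver names, the "secret" variable and the offsets are invented for the demo.

```c
// Added example, not evasi0n's code: a user-space model of "kernel pointer
// goes out, comes back changed, gets trusted". Everything here is simulated.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct kobject { uint32_t value; };

/* Simulated kernel memory: the legitimate object plus a sensitive variable
 * that user space must never be able to modify. */
static struct kobject g_legit = { 0 };
static uint32_t g_kernel_secret = 0xC0DE;

/* --- vulnerable driver: raw pointer goes out, comes back, gets trusted --- */
uintptr_t vuln_open(void) {
    return (uintptr_t)&g_legit;             /* kernel address leaked to user */
}
void vuln_write(uintptr_t cookie, uint32_t v) {
    ((struct kobject *)cookie)->value = v;  /* no check that cookie is unchanged */
}

/* --- hardened driver: handle table, no kernel pointer ever leaves --- */
#define MAX_HANDLES 4
static struct kobject *g_table[MAX_HANDLES];

int safe_open(void) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (!g_table[i]) { g_table[i] = &g_legit; return i; }
    return -1;
}
/* Returns 0 on success, -1 if the handle is not one the driver issued. */
int safe_write(int handle, uint32_t v) {
    if (handle < 0 || handle >= MAX_HANDLES || !g_table[handle]) return -1;
    g_table[handle]->value = v;
    return 0;
}

/* Attacker against the vulnerable driver: take the leaked address, shift it
 * to the target (here the "secret"), and hand the forged cookie back.
 * Returns the secret's value after the write: 0xBAD if the bug is real. */
uint32_t attack_vulnerable(void) {
    g_kernel_secret = 0xC0DE;
    uintptr_t leaked = vuln_open();
    uintptr_t forged = leaked +
        ((uintptr_t)&g_kernel_secret - (uintptr_t)&g_legit);
    vuln_write(forged, 0xBAD);              /* arbitrary kernel write */
    return g_kernel_secret;
}

/* Same idea against the hardened driver: a forged handle is rejected and
 * the secret is untouched. *rc receives safe_write's return code (-1). */
uint32_t attack_hardened(int *rc) {
    g_kernel_secret = 0xC0DE;
    memset(g_table, 0, sizeof g_table);
    int h = safe_open();                     /* legitimate handle, e.g. 0 */
    (void)h;
    *rc = safe_write(1234, 0xBAD);           /* forged handle: not in table */
    return g_kernel_secret;
}

int main(void) {
    int rc = 0;
    printf("vulnerable driver: secret after attack = 0x%X\n", attack_vulnerable());
    uint32_t s = attack_hardened(&rc);
    printf("hardened driver:   secret after attack = 0x%X, write rc = %d\n", s, rc);
    return 0;
}
```

The fix is not "check that the value is unchanged" (the kernel has nothing trustworthy to compare against once the pointer has been exposed); it is to never export the pointer at all and to look up a validated object from an index the kernel controls.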