evasi0n – or how to milk a community for money


Unfortunately I am currently located in Asia and do not have access to the data required to log into my “real” blog, which has been mostly dead since its creation in November, for reasons I will disclose in said blog at a later point in time.

Unable to write to that blog, I previously vented my anger about the con game the “evad3rs” are running on JB users all around the world on Twitter, which is the wrong place to do this, because longer arguments just don’t work there. Arguments also drown when the people in question use their number of Twitter followers to create one shitstorm after another against you.

Some Questions

So let me start with this simple question:

“Is it okay to earn money for your hard work?”

I guess everybody would agree that this is nothing to argue about. It is okay. And this is not the point of anger at all. It would be perfectly okay for the “evad3rs” to make money if they did it in an honest way. But they don’t.

So to the next question:

“Is it okay to sell a jailbreak or an exploit?”

Here people are quite divided. Some say no, some say yes – and my opinion is: it comes down to whom you sell to, for what reasons, and whether you can look at yourself in a mirror afterwards.

Now, when you look at the interviews the members of the “evad3rs” have given over the past year, their standpoint has always been that they do not want to sell jailbreaks, that they think/say it is morally wrong, and that they are only into jailbreaking because they want to free the system.

So far so good. Everybody has their own opinion, and according to the “evad3rs” their opinion is that a) selling exploits is bad and b) money is not a motivation for doing a JB. This comes down to: they are not interested in making money. This is also a nice statement to read in the media, and it resulted in lots of love for them. Especially in a year where the media hyped that everybody selling vulnerabilities or exploits is responsible for regimes using said bugs to spy on dissidents and later torture and kill them. This ignores the fact that there are buyers who are not involved in such actions and actually do nothing illegal with acquired bugs. Unless you consider scaring customers with a 0-day into signing a contract with you to be illegal. Or is it illegal for a research lab or security company to acquire a private JB so that they do not have to rely on the JB devs, who only produce jailbreaks months after a new iOS release? By buying a private version they sometimes just have to change a few “offsets” to get it working on a new iOS version.

Anyway, the story is that the “evad3rs” are not interested in money. Furthermore, during the last year they repeatedly stated in interviews that I would be against public jailbreaks because they have a negative influence on my business, or that I would sell jailbreaks to governments that then use said jailbreaks to spy on their people. Both accusations are a joke – especially because the most profit my company made in 2012 came from a customer who would rather die than touch an Apple product. But the statements in those interviews do not need to be the truth: they just need to picture themselves as saints and the others as really bad guys.

Okay, so far so good. After about a year of building up an image as saints/freedom fighters on JB (and other) news sites by talking down or denouncing others, and with iOS 6.1 nearing, it was finally time to start the greatest JB scene milking of all time.

And the milking begins

Out of nowhere, after lots of security researchers like Charlie Miller or myself had stated that we did not believe another JB would be released publicly, the members of the now “evad3rs” suddenly announced that they had a JB ready and would release another JB based on other bugs in the near future. To no surprise, at the same time their friends from the JB news sites started to report this glorious news and to interview them. And again they stated multiple times that they had defeated the evil oppression of Apple and liberated the latest version of iOS.

So far so good. Up to here everything is fine (except for trash talking other people during interviews). We would now expect those freedom fighters (who continue until today to say they are not interested in money) to just release the JB on one of those “sunday is funday” opportunities. We would even expect the JB to have some kind of donation functionality, because ever since iphone-dev and comex stopped producing jailbreaks, chronic-dev has asked for donations. During the days of iOS 5 they even forced Musclenerd to add a donation button to redsn0w, because otherwise they would not allow him to use their exploits. It is understandable that they want money for their work. But such an action makes the statement “we are not in it for the money” quite dubious.

But man, were we wrong. What followed will be known as the greatest milking of the JB community of all time. Instead of just releasing the JB and asking for donations afterwards, the “evad3rs” used a completely different trick. They first split themselves from the “dreamteam” or “chronic-dev”, because that makes assigning and splitting the donations easier. They then released an interview that explained nothing more than WHO EXACTLY is responsible for the JB and who is not. (You shouldn’t donate to the wrong guy/group.) And then they created a hype website announcing an upcoming JB for an unknown later point in time. The site featured a progress bar that was supposed to show their real-time progress on the jailbreak. The site itself did not contain more than some pictures, text and TWO banner ads, combined with one PayPal donation button.

For some reason this setup was not enough, so the next day the website even had THREE banner ads. And here the fun started. Every time there was a slight change in status, the “evad3rs” would update the progress bar, never forgetting to end every status message with “check back later”. At the same time they would use Twitter to tell people to go to this website again for status updates. See: Twitter’s purpose is to tell people about status updates, but you usually tell them the new status and do not ask them to go to a website full of ads to read about it.

So if they really were not in it for the money, they would just use Twitter the way it is supposed to be used. Instead they chose to ask people to come to said website over and over again. And after a while this whole process was automated by the hype machinery run by their friends (who operate the JB “news” sites). How convenient when these sites or Reddit users create their own articles about every little status update and tell people to go check the site again. The people from the JB community fell for it every time, and some of them even announced on Twitter that they would click-fraud the hell out of Google, because it would be so much cheaper to just click ads instead of donating. (I hope Google is looking into this issue.)

Anyway, during all this time I commented on this on Twitter, because I believe that if you want to be paid for releasing a jailbreak, it would be honest to say so and not to claim you are not interested in money while you extend your hand like a beggar on the street waiting for passers-by to drop some coins in it. What I (and everybody else who shares this opinion) got in reply was one shitstorm after another, which was not really surprising, because the “evad3rs” would continue to tell people that they are not in it for the money and that I was spraying jealous statements. They even told people that I was a fake, not able to do jailbreaking myself, and that I had learned all my tricks from them. Because on Twitter the easiest way to discredit someone is to just trash talk him 😛 No one really cares if it is the truth.

Credits? Who needs Credits?

Anyway, after about a week of milking the community the “evad3rs” finally decided to release their jailbreak, and people started to analyse it. One of the first things analysed was the actual untethering technique they use, which is one of the KEY ELEMENTS of a jailbreak, because it provides the persistence. This untethering part relied on:

  1. the use of launchd.conf to bypass the latest launch daemon code signing – a trick that is not new, because it was used in all public iOS 5 jailbreaks before
  2. a trick that uses a dynamic shared library to manipulate the user space daemon of AMFI into accepting false signatures, which is as old as iOS 3
  3. a vulnerability in dyld to get the malicious dynamic library loaded, which is a direct descendant of a vulnerability I discussed in March 2012 in my CanSecWest talk
  4. and finally a kernel vulnerability that seems to be new and found by them (the exploit uses kext_request to get the offset between Mach-O headers, an API also discussed by Mark Dowd in his 2012 talks)

So basically a large part of this untether (with the possible exception of the kernel vulnerability) is directly based on the work or vulnerabilities of others, which is not mentioned at all.
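The first item above, launchd.conf as a boot-time hook, is the one a defender can audit most directly: launchd reads /etc/launchd.conf at startup and executes the launchctl subcommands listed in it, which is why the post calls it a bypass of the launch daemon code signing. The following Python script is an added example, not code from this post or from evasi0n; it classifies launchd.conf lines by subcommand and flags the ones that start programs, register jobs, or push DYLD_ environment variables into every child of launchd. The sample file, the paths in it, the treatment of lines starting with “#” as comments, and the split between “tuning” and “code-executing” subcommands are this example’s own assumptions; the post does not describe what evasi0n actually placed in launchd.conf.

```python
"""Audit a launchd.conf for boot-time launchctl subcommands that could serve
as a persistence hook.  Added example; not evasi0n's code and not from the post."""
from __future__ import annotations

import shlex

# launchctl subcommands that only tune launchd's own state (assumption for this
# example: a legitimate launchd.conf should not need anything beyond these).
TUNING_ONLY = {"limit", "umask", "log", "stdout", "stderr"}

# subcommands that start a program or register a job at boot time.
EXECUTES_CODE = {
    "bsexec": "runs an arbitrary program at boot (bsexec)",
    "load": "registers a launchd job from a plist (load)",
    "submit": "registers an ad-hoc launchd job (submit)",
}


def classify_line(line: str) -> str | None:
    """Return a reason string if a launchd.conf line is suspicious, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):  # blank or comment (assumption)
        return None
    try:
        argv = shlex.split(stripped)
    except ValueError:  # unbalanced quotes: refuse to guess, surface it
        return "unparseable line (unbalanced quoting)"
    cmd = argv[0]
    if cmd in EXECUTES_CODE:
        return EXECUTES_CODE[cmd]
    if cmd == "setenv" and len(argv) >= 2 and argv[1].startswith("DYLD_"):
        # dyld honours DYLD_* variables; set here they reach every launchd child
        return f"sets dyld-controlled variable {argv[1]} for every launchd child"
    if cmd in TUNING_ONLY or cmd == "setenv":
        return None
    return f"unexpected launchctl subcommand {cmd!r}"


def audit_launchd_conf(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reason, line) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reason = classify_line(line)
        if reason:
            findings.append((lineno, reason, line.strip()))
    return findings


# Constructed sample for this example; paths are hypothetical.
SAMPLE = """\
# constructed sample launchd.conf; not evasi0n's real file
limit maxfiles 10000 unlimited
setenv PATH /usr/bin:/bin
bsexec 1 /private/var/hypothetical/untether
setenv DYLD_INSERT_LIBRARIES /private/var/hypothetical/hook.dylib
load /private/var/hypothetical/com.example.persist.plist
"""

if __name__ == "__main__":
    for lineno, reason, line in audit_launchd_conf(SAMPLE):
        print(f"line {lineno}: {reason}: {line}")
```

On the constructed sample the auditor flags lines 4, 5 and 6 and leaves the limit and PATH lines alone. The point of the allowlist design is that a stock device has no business executing anything from launchd.conf at all, so anything outside the tuning set is worth a look rather than only a fixed signature for one jailbreak.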

So why do people defend them?

To answer this question you must understand where people come from.

  1. there are JB “news” sites that would die instantly if there were no public JB. They also rely on friendship with the JB devs to get “special interviews”, which pull more people to their site – which equals more ad revenue
  2. there are JB/iOS devs who sell apps in Cydia and simply cannot sell if there is no public jailbreak
  3. there are security researchers who can only do iOS research if they have a JB to start from (or it saves them a lot of work not being forced to do their own)
  4. there are exploit developers who have a much harder time writing exploits if there is no JB to start from
  5. there are countless pirates (90% of jailbreakers) who prefer a jailbroken device

All of those parties have ulterior motives for loving the “evad3rs”, and most of them benefit a lot, financially or in other ways, from their work. So they would be pretty stupid to destroy their own business by taking a stand against them.

Final Words

I have enjoyed writing this down, because unlike on Twitter I can put the whole story into one picture and do not have the problem of being cut off every 140 characters. I personally do not believe that this little blog posting will have any impact whatsoever on the general JB community, because those involved will continue to deny that money is a motivation and will continue to tell their followers that they are freedom fighters and that I am just a troll who should be ignored and hated.

And no, I will not surrender my opinion to a Twitter shitstorm. Never ever.

PS: And finally every banner ad or other kind of ad you see on this page is the work of WordPress.com, not mine.