To determine whether the device has already been jailbroken, Stage 2 attempts to acquire a valid mach port (a handle) into the iOS kernel using a common jailbreak backdoor. This check is performed simply by calling task_for_pid with the PID value set to 0. Patching task_for_pid in this way is a common backdoor mechanism used by iOS jailbreaks that provides direct kernel memory access to a user mode process. Calling task_for_pid with a PID of 0 is not normally allowed by iOS. If task_for_pid returns a valid task port, then the Stage 2 process has elevated access to the kernel and can forgo the privilege escalation steps described previously.

Stage 2 also checks for the presence of the binary /bin/sh. On a non-jailbroken phone, this binary should never exist. When Stage 2 detects the presence of this binary, it assumes that the existing jailbreak is either incompatible with Pegasus or that all required kernel patches are already in place and no further action is needed. When /bin/sh is identified on a device prior to exploitation, Stage 2 simply exits cleanly.
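The same two signals (a task_for_pid(0) that unexpectedly succeeds, and a shell binary that a stock device should not carry) are what an app or MDM agent would test for when detecting a jailbroken device. The following is an added example written for this page, not Pegasus or Lookout code; the function names are ours, and the path check is parameterised so it can be run against constructed paths. The task_for_pid call exists only on Apple platforms, so elsewhere that heuristic reports "no access".

```c
/* Added example: the two jailbreak heuristics described above, written as
 * defender-side detection checks. Function names are ours (hypothetical). */
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __APPLE__
#include <mach/mach.h>
#endif

/* Heuristic 1: can an unprivileged user-mode process obtain the kernel
 * task port? On stock iOS task_for_pid(..., 0, ...) is refused; jailbreaks
 * commonly patch the kernel so that it succeeds. Off Apple platforms the
 * call does not exist, so we report "not obtainable". */
bool kernel_task_port_obtainable(void) {
#ifdef __APPLE__
    mach_port_t kernel_task = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &kernel_task);
    if (kr == KERN_SUCCESS && MACH_PORT_VALID(kernel_task)) {
        mach_port_deallocate(mach_task_self(), kernel_task);
        return true;
    }
    return false;
#else
    return false;
#endif
}

/* Heuristic 2: does a binary exist that a non-jailbroken device should
 * never have? The page's indicator is /bin/sh; the path is a parameter so
 * the check can be exercised against constructed paths. */
bool suspicious_binary_present(const char *path) {
    return access(path, F_OK) == 0;
}

/* Either signal alone is treated as a jailbreak indicator. */
bool device_looks_jailbroken(const char *shell_path) {
    return kernel_task_port_obtainable() || suspicious_binary_present(shell_path);
}

int main(void) {
    printf("kernel task port obtainable: %s\n", kernel_task_port_obtainable() ? "yes" : "no");
    printf("/bin/sh present: %s\n", suspicious_binary_present("/bin/sh") ? "yes" : "no");
    printf("verdict: %s\n", device_looks_jailbroken("/bin/sh") ? "indicators found" : "clean");
    return 0;
}
```

On a desktop Unix host /bin/sh legitimately exists, so the verdict there is meaningful only for the task-port half; the path heuristic is specific to iOS.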
Page 37