In light of summer and all the chaos it brings, ModMyi has the pleasure of featuring another exclusive article for Behind The Code. Many great developers have been featured so far and the trend continues. For articles on those who have been featured already, click below:
Dan Zimmerman (@DanZimm)
Grant Paul (@chpwn)
Christian Heusinger (@iRealSMS)
Elias Limneos (@limneos)
One key point to note is that developers / hackers are generally extremely busy. They have much work to do in keeping our jailbreak community vibrant while pursuing their own personal endeavors. Taking time out of their schedule is difficult, so their efforts to answer questions, undertake interviews, and the like are beyond appreciated. With this said, Behind The Code and the information it brings will continue despite whatever time, schedule, and communication constraints come about.
It is with great pleasure that we have with us today Stefan Esser (@i0n1c), commonly known as i0n1c. He is best known for his work on the untethered exploit for 4.3+ firmwares. Not much else is known about him, so the dialogue below gives a true look into Stefan's involvement and future pursuits. You will be truly surprised how knowledgeable he is and the insight he brings to the jailbreaking scene.
Tell us a little about yourself; age, occupation, location, and any other information you wish to share (if applicable).
STEFAN: I am 32 years old and live in Cologne, the 4th biggest city in Germany. I have been working in information security since 1998. In 2007, I co-founded SektionEins (a German company specialised in (web-)application security). From July 1st of this year, I took a time out from full-time consulting work for SektionEins and now I work on my own research projects.
When did you first start learning how to code? What languages are you proficient in and is there a particular language or languages that you code in the most?
STEFAN: I got my first PC at Christmas when I was 8 years old. My parents gave me a PC instead of an AMIGA because they wanted me to actually use the computer and not play games. The PC came with its own dialect of Basic and I learned to code simple things. However, one of my neighbour kids, who was way older than me, told me about this wonderful Pascal language, so I learned it and coded in it for many years. At the same time I also learned x86 assembly language because I loved to do low level programming. But then I learned that Pascal isn't cool anymore and that C is the real deal. So I started to program in C.
Over the years, I added a bunch of other languages like Logo, Java, Prolog, PHP, C#, Python and nowadays ARM assembly language. In Objective-C, I consider myself an absolute beginner. There are other languages I can read like Ruby and most of the Microsoft inventions but I only read them and never use them for my own code.
You're generally referred to by your alias i0n1c. How'd you come up with that name?
STEFAN: Actually people know me by many nicks. Since joining the internet, I have tried out a bunch of scenes. The choice of i0n1c was just a coincidence. Many years ago I wanted to get into IRC with my previous nick and it was already taken. So I chose the first word that came to my mind. This was ionic because there was a bottle of deodorant on my desk and its flavour was called ionic.
How long have you been in the jailbreak community? What got you first involved?
STEFAN: I don't know if I really consider myself to be in the jailbreak community. I am an information security professional and iPhone and iOS security was just an interesting topic for me. When I first had contact with iOS security, I realized that the lack of ASLR was a major security problem and challenged myself to add ASLR to iOS on jailbroken iPhones. I managed to do that and presented about it at information security conferences. I demonstrated on stage that it was real and working, but then I never released it to the public because I was working on other things and Apple decided to add ASLR to their phone themselves. In theory, combining my Antid0te and Apple's own ASLR would be a way better security shield, but Apple broke some stuff in iOS 4.3 so that it is no longer possible to just switch the library cache at runtime. However, a lot of media sites got it wrong and believed that ASLR would put an end to jailbreaking, which is not true. It seemed the jailbreaking scene was troubled and divided by this whole ASLR thing, and then Apple also killed a shortcut in 4.2.1 that made developing an untether exploit a lot harder. Basically they removed write access to some runtime configuration flag that enables or disables code signing. Because I had some kernel bugs that were only usable for untethers, I just decided to donate them to the cause and wrote that complicated exploit.
People know you most commonly by the fact that you discovered and exploited 4.3+ to allow an untethered jailbreak. Was this discovery in a collaboration with any of the teams (iPhone Dev-Team or Chronic Dev-Team) or was this strictly on your own? Upon discovering this exploit, how long did it take you to formulate it into a workable jailbreak exploit?
STEFAN: I am not involved with any of the jailbreaking teams except for the fact that I got some support from the iPhone Dev-Team in the form of an expert version of redsn0w. This version allowed me to boot arbitrary kernels and add boot arguments. But over time I convinced them to put these expert features back into the public redsn0w. Therefore, the only big difference between the non-public redsn0w and the public one is that it comes with a command line interface only, which is better while developing exploits. The iPhone Dev-Team also beta tested the untether exploit, and comex (@comex) had made all his kernel patches public at that time. But aside from that, there was no involvement in discovery and exploitation.
I found the bug before iOS 4.3 was made available; writing the actual exploit was done in a few days. Therefore the exploit was working way before iOS 4.3 was released. However, when the iOS 4.3 betas came out, people announced the presence of ASLR and that some trick everyone used before 4.3 did not work anymore. That was bad because it broke my exploit completely. I had to rewrite the whole exploit as a ROP payload. This means you cannot bring in your own code but have to search the iOS libraries for small code snippets and then combine them to do what you want to do. Re-writing complicated exploits this way is a time consuming process and therefore required about a week to get it stable.
Upon discovering that your exploit was blocked in iOS 5, has this encouraged you to find another hole to exploit for future iOS 5 users? Are you currently working on projects in relation to exploits or components of that nature?
STEFAN: I have been researching iOS kernel security for several months now. I talk about finding bugs in the iOS kernel and how to exploit them at international security conferences. I would be a fraud if I did not have knowledge of a number of bugs by now.
For quite some time, people believed that you were working on an iPad 2 jailbreak known as elevat0r. Although you have denied any part in an iPad 2 jailbreak, was there ever a time that you contemplated giving it a shot? Tell us a little about elevat0r: how the rumor and story got started and what it has become now (the website).
STEFAN: The iPad 2 jailbreak rumour was created at the time of SyScan Singapore. @msuiche and I were tweeting about having discussed iPad 2 jailbreaking over dinner. Actually we had discussed it, but our discussion was more about me explaining to him what is required/missing to do an iPad 2 jailbreak. Anyway, people started bugging me and him on Twitter for an ETA. So he said something about it being done soon.
A few weeks later, I was tweeting about a broken elevator in my home and someone replied, "OMG the new iPad2 Jailbreak is called elevator". This was enough for a bunch of news sites in the jailbreak community to claim that there is an iPhone jailbreak coming soon called elevator. My friends and I were very amused about the jailbreak community considering every single one of my tweets an information source for the next jailbreak. So we had a lot of fun tweeting about elevators, stairs, repairs, elevator parties, etc. And people did not even get it when I repeatedly denied working on an iPad jailbreak and showed pictures of the real elevator. This whole thing was really funny because it divided my Twitter followers: those who still did not get it and those that enjoyed every single elevator tweet.
At some point I thought it would be a nice experiment to see how many of my followers are actually cool, and so I created the website elevat0r.com and asked them to send me pictures of elevators and waiting iPads. Meanwhile I got about 150 submissions, but I had to remove some of them because they did not show elevators but stairs, etc. Because I love to give back, I decided to give out a free AppleTV to one of the guys who sent in an elevator picture. I will choose a winner at random in the second week of this upcoming August.
However, I never worked on an iPad 2 jailbreak because this one was already covered by comex. I never saw a need for a new jailbreak. I don't play exploit race games because they lead to nothing but useless fights. I also do not care about being the first to release a solution. I only care about a solution existing, and it is okay with me if I am the only one having access to that solution. The upside of this is also that Apple doesn't know about it and cannot fix it :P
Other than exploit and hardware related implementations for iOS, have you created any Cydia tweaks or AppStore applications? If not, are you working on anything of this nature now or in the future?
STEFAN: I will soon start working on a simple application for information security professionals that will allow them to configure the kernel patches used in the untether. The idea behind this is that a lot of people doing hardcore iPhone security research realized that their exploits behave very differently on jailbroken phones. The reason for this is that the jailbreak disables a bunch of protections and also overrides the sandbox. My tool will allow them to specify which protections they want disabled/enabled on the next boot. It has to be ready before the end of July.
How do you see the jailbreak community unfolding in the future? What potential do you see the jailbreak community having as iOS continues to evolve?
STEFAN: I guess the jailbreak community might kill itself very soon. It is swamped by supposedly 12 year olds that only want to jailbreak to install pirated software and heavily insult everyone involved in making jailbreaks. And now these people have already started hacking developer systems in order to steal jailbreaks. Comex and other key players will soon get so tired of the iPhone jailbreaking scene that they will move to another target. I guess it just depends on the availability and coolness of the next closed system that comes around.
Follow Stefan (@i0n1c) on Twitter for more information about what he has in store for the jailbreak community and other emerging advances.