Dopamine — iOS 15-16 Rootless Jailbreak
Dopamine is the state-of-the-art public jailbreak and the reference example of the modern rootless generation. Its source code is open, which makes it a very good study target.
Overview
| Field | Detail |
|---|---|
| Developer | opa334 |
| iOS range | 15.0 to 16.6.1 (16.6 and 16.6.1 only on A9-A11, which are arm64 devices without PPL; the PPL bypass used on arm64e is patched from 16.6) |
| Devices | A9 — A16 (iPhone 6s → iPhone 14 Pro Max) |
| Type | Semi-untethered, rootless |
| Source | github.com/opa334/Dopamine |
| Tweak injection | ElleKit |
Exploit Chain
Step 1: Kernel Exploit (kfd)
└─→ Physical Use-After-Free (PUAF)
├── smith method (VM copy-on-write bug)
├── landa method (VM race condition)
└── physpuppet method (page lifecycle)
│
└─→ Dangling mapping to freed physical page
└─→ kread/kwrite primitives:
├── kread: kqueue_workloop_ctl / sem_open
└── kwrite: dup / sem_open
Step 2: PPL Bypass
└─→ Based on the Operation Triangulation technique (CVE-2023-38606)
└─→ Undocumented hardware MMIO registers give a physical-memory write that PPL never mediates
└─→ Used to rewrite page-table entries that PPL would otherwise protect
└─→ Can now create arbitrary mappings
Step 3: CoreTrust Bypass
└─→ Trust cache injection
└─→ The cdhashes of the jailbreak's binaries are added to the kernel's list of loaded trust caches
└─→ AMFI then accepts those binaries as if they carried an Apple signature
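The trust cache step above operates on a concrete, compact data structure. The C program below is an added example, not Dopamine's or XNU's code: it builds a version-1 trust cache blob from a list of cdhashes and then looks a cdhash up the way the kernel does, with a binary search over entries sorted by cdhash. The layout (a 4-byte version, a 16-byte UUID, an entry count, then 22-byte entries of cdhash, hash type and flags) follows XNU's trust_cache.h as this example understands it; the cdhashes and the UUID are constructed values, not those of any real binary, and the function names are the example's own.

```c
/* Added example, not Dopamine's or XNU's code: build a version-1 trust cache
 * blob from cdhashes and look one up kernel-style (sorted entries, binary
 * search). Layout per XNU's trust_cache.h as understood here; all cdhashes
 * and the UUID are constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CS_CDHASH_LEN      20
#define TC_VERSION_1       1
#define CS_HASHTYPE_SHA256 2

struct trust_cache_entry1 {
    uint8_t cdhash[CS_CDHASH_LEN];
    uint8_t hash_type;   /* which hash algorithm produced the cdhash */
    uint8_t flags;       /* 0 for ordinary entries */
} __attribute__((packed));

struct trust_cache_module1 {
    uint32_t version;    /* TC_VERSION_1 */
    uint8_t  uuid[16];
    uint32_t num_entries;
    struct trust_cache_entry1 entries[];
} __attribute__((packed));

static int cmp_entry(const void *a, const void *b)
{
    return memcmp(((const struct trust_cache_entry1 *)a)->cdhash,
                  ((const struct trust_cache_entry1 *)b)->cdhash, CS_CDHASH_LEN);
}

/* cdhashes: n * CS_CDHASH_LEN bytes, in any order. Returns a malloc'd blob
 * (caller frees) whose entries are sorted so the kernel's bsearch works. */
struct trust_cache_module1 *tc_build(const uint8_t *cdhashes, uint32_t n, size_t *out_len)
{
    size_t len = sizeof(struct trust_cache_module1) + (size_t)n * sizeof(struct trust_cache_entry1);
    struct trust_cache_module1 *tc = calloc(1, len);
    if (tc == NULL) return NULL;
    tc->version = TC_VERSION_1;
    memset(tc->uuid, 0xAB, sizeof tc->uuid);          /* constructed UUID */
    tc->num_entries = n;
    for (uint32_t i = 0; i < n; i++) {
        memcpy(tc->entries[i].cdhash, cdhashes + (size_t)i * CS_CDHASH_LEN, CS_CDHASH_LEN);
        tc->entries[i].hash_type = CS_HASHTYPE_SHA256;
        tc->entries[i].flags = 0;
    }
    qsort(tc->entries, n, sizeof(struct trust_cache_entry1), cmp_entry);
    if (out_len) *out_len = len;
    return tc;
}

/* Entries must be strictly ascending; a duplicate or misorder breaks lookup. */
int tc_is_sorted(const struct trust_cache_module1 *tc)
{
    for (uint32_t i = 1; i < tc->num_entries; i++)
        if (memcmp(tc->entries[i - 1].cdhash, tc->entries[i].cdhash, CS_CDHASH_LEN) >= 0)
            return 0;
    return 1;
}

/* Kernel-style lookup: binary search on the cdhash. Returns 1 on a hit. */
int tc_lookup(const struct trust_cache_module1 *tc, const uint8_t *cdhash, uint8_t *hash_type_out)
{
    if (tc->version != TC_VERSION_1) return 0;
    size_t lo = 0, hi = tc->num_entries;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = memcmp(cdhash, tc->entries[mid].cdhash, CS_CDHASH_LEN);
        if (c == 0) {
            if (hash_type_out) *hash_type_out = tc->entries[mid].hash_type;
            return 1;
        }
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return 0;
}

/* Demo with three constructed cdhashes: one hit, one miss. Returns 0 on success. */
int tc_demo(void)
{
    uint8_t hashes[3][CS_CDHASH_LEN];
    memset(hashes[0], 0xCC, CS_CDHASH_LEN);           /* deliberately out of order */
    memset(hashes[1], 0x11, CS_CDHASH_LEN);
    memset(hashes[2], 0x77, CS_CDHASH_LEN);
    uint8_t missing[CS_CDHASH_LEN];
    memset(missing, 0x42, CS_CDHASH_LEN);

    size_t len;
    struct trust_cache_module1 *tc = tc_build((const uint8_t *)hashes, 3, &len);
    if (tc == NULL) return -1;
    uint8_t ht = 0;
    int ok = tc_is_sorted(tc) && tc_lookup(tc, hashes[0], &ht) && ht == CS_HASHTYPE_SHA256
          && !tc_lookup(tc, missing, NULL);
    printf("trust cache: %zu bytes, %u entries, lookups %s\n", len, tc->num_entries, ok ? "ok" : "FAILED");
    free(tc);
    return ok ? 0 : -1;
}

int main(void) { return tc_demo() == 0 ? 0 : 1; }
```

The sort step is the part people get wrong when hand-crafting a trust cache: the kernel assumes the entries are ordered and binary-searches them, so an unsorted blob "loads" fine and then fails to match the very cdhashes it contains.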
Step 4: Rootless Installation
└─→ /var/jb/ directory structure (nothing is written to the sealed system volume)
├── Bind mount: a jailbreak-controlled copy of /usr/lib kept under /var/jb is mounted over /usr/lib
├── launchd injection: hooks process spawning so new processes pick up the injection library
├── ElleKit: tweak injection framework
└── Sileo: package manager
Why Dopamine Is Worth Studying
1. Modern Techniques
- PUAF-based exploitation (instead of a classic heap overflow)
- kfd read/write primitives (newer than the fake task port approach)
- PPL bypass (a real-world example)
- Rootless architecture
2. Full Source Code
Dopamine/
├── Packages/ ← Jailbreak packages
├── BaseBin/ ← Core jailbreak binaries
│ ├── jailbreakd/ ← Jailbreak daemon
│ ├── launchdhook/ ← launchd injection
│ ├── forkfix/ ← Fork handling fixes
│ └── ...
├── Application/ ← Dopamine app (UI)
├── KernelExploit/ ← kfd kernel exploit
└── PPLBypass/ ← PPL bypass implementation
3. Rootless Design
The system partition is never modified:
/System/... → read-only, untouched
/var/jb/ → jailbreak files (a symlink to the real jailbreak root, kept off the sealed system volume)
Bind mounts, written here in Linux `mount --bind` syntax for illustration only (iOS has no such command; Dopamine issues the mount() syscall with XNU's bindfs filesystem instead):
mount --bind /var/jb/usr/lib/TweakInject /usr/lib/TweakInject
→ System paths serve jailbreak content
→ SSV (Signed System Volume) stays intact, because no byte on the sealed volume changes
→ Reboot drops the bind mounts → clean stock state until the jailbreak is run again
4. ElleKit
Modern tweak injection framework:
- Hooking mechanism for arm64e that is PAC-aware (hooks have to yield correctly signed pointers)
- Faster than Substrate/Substitute
- Supports iOS 15+ features
Deep Dive: kfd Exploit
PUAF (Physical Use-After-Free)
smith method (schematic; the exact bug differs for each kfd method, see the kfd write-ups):
1. mach_vm_copy on a crafted region makes the VM layer copy pages copy-on-write
2. A race window is won: the copy completes, but the mapping is not updated consistently
3. The physical page is returned to the free list while the virtual mapping in the process stays
4. The process keeps read/write access to the freed physical page through that dangling mapping
Result:
- Read/write to a physical page the kernel is about to reallocate
- If the page is handed to a kernel zone → read/write kernel objects directly through the user mapping
- If the page becomes a page table → modify page table entries
kread via kqueue_workloop_ctl
1. Spray kqueue workloops (created with kqueue_workloop_ctl) until one lands in the dangling page
2. Edit a pointer field of that object through the user mapping so it points at the kernel address to read
3. Query the kernel for that object's information; it dereferences the patched pointer and returns the data to userspace
kwrite via dup
1. Spray file descriptors until a fileproc lands in the dangling page, then repoint its fileglob pointer at the target kernel address
2. dup() on that descriptor makes the kernel bump a reference count through the patched pointer; kfd turns this controlled increment into writes of arbitrary values to kernel addresses
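Both primitives above depend on one bookkeeping step the lists leave implicit: after the freed page is reused, the exploit has to learn which sprayed object landed in which dangling page, and at what offset, before it can patch a pointer field. The C program below is an added example, not kfd's or Dopamine's code, and it simulates that step entirely in user space: `simulate_kernel_reuse` stands in for the kernel zone allocator reusing one dangling page, `puaf_scan` walks the dangling pages at the object stride looking for a type tag plus an id inside the range the exploit handed out, and `puaf_patch_target` performs the write through the user mapping. The object layout, tag value, sizes and function names are invented for the illustration; the real objects (kqworkloop, fileproc) have their own layouts.

```c
/* Added example, not kfd's or Dopamine's code: the post-PUAF "which object
 * landed where" step, simulated in user space. Pages are plain buffers and
 * the kernel object layout is invented for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16384u   /* iOS uses 16 KiB pages */
#define NPAGES    4        /* number of dangling pages the PUAF left us */
#define OBJ_SIZE  128u     /* invented size of the sprayed object */
#define TYPE_TAG  0x4a424f4b5f544147ULL   /* invented marker the "kernel" writes into each object */

struct fake_kobj {         /* invented layout */
    uint64_t type_tag;     /* constant field that identifies the object type */
    uint64_t spray_id;     /* id the exploit chose when it sprayed the object */
    uint64_t target_ptr;   /* pointer field the exploit later overwrites */
    uint8_t  pad[OBJ_SIZE - 3 * sizeof(uint64_t)];
};

struct puaf_hit { int page; size_t offset; uint64_t spray_id; };

/* Stand-in for the kernel handing the freed physical page to a zone: fill
 * page `idx` with objects carrying consecutive ids starting at first_id. */
void simulate_kernel_reuse(uint8_t pages[][PAGE_SIZE], int idx, uint64_t first_id)
{
    for (size_t off = 0; off + OBJ_SIZE <= PAGE_SIZE; off += OBJ_SIZE) {
        struct fake_kobj o;
        memset(&o, 0, sizeof o);
        o.type_tag = TYPE_TAG;
        o.spray_id = first_id++;
        o.target_ptr = 0xfffffff007000000ULL;   /* constructed kernel-looking pointer */
        memcpy(pages[idx] + off, &o, sizeof o);
    }
}

/* Scan every dangling page at OBJ_SIZE stride for objects whose tag matches and
 * whose id is one the exploit handed out (first_id <= id < first_id + nids).
 * Stores up to max_hits hits; returns the total number found. */
size_t puaf_scan(uint8_t pages[][PAGE_SIZE], int npages, uint64_t first_id, uint64_t nids,
                 struct puaf_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (int p = 0; p < npages; p++) {
        for (size_t off = 0; off + sizeof(struct fake_kobj) <= PAGE_SIZE; off += OBJ_SIZE) {
            struct fake_kobj o;
            memcpy(&o, pages[p] + off, sizeof o);   /* copy out: the real mapping changes under us */
            if (o.type_tag != TYPE_TAG) continue;
            if (o.spray_id < first_id || o.spray_id - first_id >= nids) continue;
            if (n < max_hits) hits[n] = (struct puaf_hit){ p, off, o.spray_id };
            n++;
        }
    }
    return n;
}

/* The primitive-building step: write through the dangling user mapping into
 * the object's pointer field. Returns the old value. */
uint64_t puaf_patch_target(uint8_t pages[][PAGE_SIZE], const struct puaf_hit *h, uint64_t new_ptr)
{
    uint64_t old;
    size_t field = h->offset + offsetof(struct fake_kobj, target_ptr);
    memcpy(&old, pages[h->page] + field, sizeof old);
    memcpy(pages[h->page] + field, &new_ptr, sizeof new_ptr);
    return old;
}

/* Demo: pretend page 2 was reused for objects with ids 1000.., locate them,
 * patch the first one. Returns 1 when everything behaved as expected. */
int puaf_demo(void)
{
    static uint8_t pages[NPAGES][PAGE_SIZE];
    memset(pages, 0, sizeof pages);
    simulate_kernel_reuse(pages, 2, 1000);
    struct puaf_hit hits[PAGE_SIZE / OBJ_SIZE];
    size_t n = puaf_scan(pages, NPAGES, 1000, 4096, hits, sizeof hits / sizeof hits[0]);
    if (n == 0) return 0;
    uint64_t old = puaf_patch_target(pages, &hits[0], 0x4141414141414141ULL);
    printf("%zu sprayed objects found; first at page %d offset 0x%zx id %llu; target_ptr was 0x%llx\n",
           n, hits[0].page, hits[0].offset, (unsigned long long)hits[0].spray_id, (unsigned long long)old);
    return n == PAGE_SIZE / OBJ_SIZE && hits[0].page == 2 && old == 0xfffffff007000000ULL;
}

int main(void) { return puaf_demo() ? 0 : 1; }
```

Two details carry over to the real thing: the scan copies each candidate out before checking it, because the kernel may be modifying the same physical page concurrently, and the id range check matters because objects of the same type that the exploit did not allocate (other processes' kqueues or files) can share the reused page and must not be patched.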