unc0ver is a semi-untethered jailbreak representative of the "classic" generation of software jailbreaks. It uses a different kernel vulnerability for each supported iOS version range.


Overview

Field            Detail
Developer        Pwn20wnd (with contributions from Sam Bingner)
iOS range        11.0 to 14.3
Type             Semi-untethered
Approach         Rootful (remount rootfs)
Kernel exploits  Multiple (varies by iOS version)

Exploit Chain (General)

1. App execution
   └─→ unc0ver IPA sideloaded with a developer-signed certificate (Cydia Impactor, AltStore) or, on iOS 14 devices where it is available, permanently signed via TrollStore

2. Kernel vulnerability trigger
   └─→ A specific CVE for each iOS version range:
       - iOS 14.0-14.3 (unc0ver 6.x covers 11.0-14.3 with it): CVE-2021-1782, a kernel race condition in voucher handling (the cicuta_virosa exploit; a different bug from voucher_swap)
       - iOS 13.x: oob_timestamp (CVE-2020-3837, IOKit) on 13.0-13.3; a kernel bug patched in 13.5.1 (CVE-2020-9859) on 13.5
       - iOS 12.x: voucher_swap (12.0-12.1.2), sock_puppet (12.0-12.2 and 12.4), etc.
       - iOS 11.x: async_wake, empty_list, multi_path, etc.

3. Kernel read/write primitive
   └─→ From the vulnerability to a fake task port or an IOSurface-based read/write primitive

4. Post-exploitation
   ├─→ Set UID = 0 (root)
   ├─→ Escape sandbox
   ├─→ Patch AMFI / inject trust cache
   ├─→ Remount rootfs read-write
   └─→ Install Cydia/Substrate

5. Persistence
   └─→ Semi-untethered: the app survives a reboot, but the jailbreak state (kernel patches, remount, tweak injection) is lost
       └─→ Re-run the unc0ver app after every reboot to re-exploit

Key Techniques Used

Fake Task Port (iOS ≤ 13)

1. Trigger the UAF or heap overflow to get memory whose contents you control at a known kernel address
2. Craft a fake ipc_port structure in that memory
3. Set ip_bits to IO_BITS_ACTIVE | IKOT_TASK and point ip_kobject at a fake task struct
4. Set the fake task's map to kernel_map
5. mach_vm_read/write through the fake port → kernel r/w (the "tfp0" primitive)

voucher_swap (iOS 12.0-12.1.2)

1. Exploit a reference-counting bug in mach voucher IPC (CVE-2019-6225) to leave a dangling port reference
2. Reallocate the freed memory with controlled data so the stale reference now points at a fake port
3. Use the fake port for kernel r/w (it ends in the same fake task port primitive as above)

Post-Exploitation (Rootful)

1. Find allproc (from the kernel symbol or a patchfinder) and walk the list to your own proc struct
2. Modify p_ucred → uid 0 (or point it at the kernel's own ucred)
3. Null the sandbox slot of cr_label → unsandboxed
4. Remount rootfs: clear MNT_RDONLY on the root mount. On iOS 11.3+ the root volume is booted from a read-only APFS snapshot, so clearing the flag alone is not enough; unc0ver also renames the root snapshot so the device mounts the live volume and writes survive a reboot
5. Install the bootstrap to /usr, /Library, /etc
6. Start the Substrate daemon
7. Load tweaks through Substrate's DYLD_INSERT_LIBRARIES-based injection
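The following C program is an added example, not unc0ver's code or XNU's. It models two things the page describes in words: the fake task port primitive from the Key Techniques section (why a port must be active, typed IKOT_TASK, and backed by a task whose map is kernel_map before mach_vm_read/write will honour it) and post-exploitation steps 1 to 4 above (walk allproc, uid 0, null the sandbox slot, clear MNT_RDONLY). Kernel memory is a simulated arena so the program runs on any host; the struct layouts, the addresses (KBASE, A_*), MY_PID, the sandbox slot index and the kernel-side checks are simplified assumptions, while IO_BITS_ACTIVE, IO_BITS_KOTYPE, IKOT_TASK, MNT_RDONLY and MNT_ROOTFS are XNU's real values. The starting state in setup_model() is constructed, not captured from a device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated kernel memory. The struct layouts below are simplified models, NOT XNU's real offsets. */
typedef uint64_t kaddr_t;
#define KBASE 0xfffffff007004000ULL
#define KSIZE 0x2000u
_Alignas(16) static uint8_t kmem[KSIZE];
static void *kp(kaddr_t a) { return (a < KBASE || a >= KBASE + KSIZE) ? NULL : kmem + (a - KBASE); }

struct ipc_port_m { uint32_t ip_bits, ip_references; kaddr_t ip_kobject; };
struct task_m     { kaddr_t map; uint32_t ref_count, active; };
struct vm_map_m   { kaddr_t min_offset, max_offset; };
struct proc_m     { kaddr_t p_list_next; int32_t p_pid; uint32_t pad; kaddr_t p_ucred; };
struct ucred_m    { uint32_t cr_uid, pad; kaddr_t cr_label; };
struct label_m    { kaddr_t l_perpolicy[4]; };
struct mount_m    { uint32_t mnt_flag; };

#define IO_BITS_ACTIVE 0x80000000u  /* these five are real XNU values (ipc_object.h, sys/mount.h) */
#define IO_BITS_KOTYPE 0x00000fffu
#define IKOT_TASK      2u
#define MNT_RDONLY     0x00000001u
#define MNT_ROOTFS     0x00004000u
#define SANDBOX_SLOT   1            /* assumed index of the Sandbox.kext slot in cr_label */

#define A_KMAP   (KBASE + 0x000)    /* model addresses: kernel_map */
#define A_KPROC  (KBASE + 0x100)    /* allproc head: kernel_task's proc, pid 0 */
#define A_MYPROC (KBASE + 0x200)
#define A_MYCRED (KBASE + 0x300)
#define A_MYLBL  (KBASE + 0x400)
#define A_ROOTMT (KBASE + 0x500)    /* rootvnode->v_mount */
#define A_CTRL   (KBASE + 0x1000)   /* memory the UAF/overflow let us control */
#define MY_PID   1234

/* Kernel-side model: what convert_port_to_task() and mach_vm_read/write check before honouring a port. */
static kaddr_t k_convert_port_to_task(kaddr_t port) {
    struct ipc_port_m *p = kp(port);
    if (!p || !(p->ip_bits & IO_BITS_ACTIVE) || (p->ip_bits & IO_BITS_KOTYPE) != IKOT_TASK) return 0;
    return p->ip_kobject;   /* an active IKOT_TASK port: its kernel object pointer is taken on faith */
}
static int k_vm_rw(kaddr_t port, kaddr_t addr, void *buf, size_t n, int is_write) {
    kaddr_t t = k_convert_port_to_task(port);
    struct task_m *task = t ? kp(t) : NULL;
    if (!task || !task->active) return 4;                       /* KERN_INVALID_ARGUMENT */
    struct vm_map_m *map = kp(task->map); uint8_t *mem = kp(addr);
    if (!map || !mem || addr < map->min_offset || addr + n > map->max_offset) return 1; /* KERN_INVALID_ADDRESS */
    if (is_write) memcpy(mem, buf, n); else memcpy(buf, mem, n);
    return 0;
}

/* Attacker side. Fake Task Port steps 2-4: a fake task whose map is kernel_map, behind a port typed IKOT_TASK. */
static kaddr_t tfp0;   /* the fake task port, once built */
static kaddr_t build_fake_task_port(kaddr_t ctrl, kaddr_t kernel_map) {
    struct task_m *ft = kp(ctrl); struct ipc_port_m *fp = kp(ctrl + 0x100);
    memset(ft, 0, sizeof *ft); memset(fp, 0, sizeof *fp);
    ft->map = kernel_map; ft->ref_count = 0x1000; ft->active = 1;
    fp->ip_bits = IO_BITS_ACTIVE | IKOT_TASK;
    fp->ip_references = 0x1000;   /* high refcount so a stray release never frees it */
    fp->ip_kobject = ctrl;
    return ctrl + 0x100;
}
/* Kernel r/w through the fake port; n is 4 or 8 (little-endian host assumed for the 4-byte case). */
static uint64_t kread(kaddr_t a, size_t n) { uint64_t v = 0; k_vm_rw(tfp0, a, &v, n, 0); return v; }
static void kwrite(kaddr_t a, uint64_t v, size_t n) { k_vm_rw(tfp0, a, &v, n, 1); }

/* Post-exploitation step 1: walk allproc to the proc with our pid. */
static kaddr_t find_proc(kaddr_t allproc, int pid) {
    for (kaddr_t p = allproc; p; p = kread(p + offsetof(struct proc_m, p_list_next), 8))
        if ((int32_t)kread(p + offsetof(struct proc_m, p_pid), 4) == pid) return p;
    return 0;
}
/* Steps 2-4: uid 0 in our ucred, null the sandbox label slot, clear MNT_RDONLY on the root mount. */
static int rootify(kaddr_t allproc, int pid, kaddr_t rootmnt) {
    kaddr_t me = find_proc(allproc, pid); if (!me) return -1;
    kaddr_t cred = kread(me + offsetof(struct proc_m, p_ucred), 8);
    kwrite(cred + offsetof(struct ucred_m, cr_uid), 0, 4);
    kwrite(kread(cred + offsetof(struct ucred_m, cr_label), 8) + SANDBOX_SLOT * sizeof(kaddr_t), 0, 8);
    kaddr_t flags = rootmnt + offsetof(struct mount_m, mnt_flag);
    kwrite(flags, kread(flags, 4) & ~MNT_RDONLY, 4);
    return 0;
}

/* Constructed start state: kernel_map spans the arena, allproc = kproc -> us, uid 501, sandboxed, read-only root. */
static void setup_model(void) {
    memset(kmem, 0, sizeof kmem);
    struct vm_map_m *km = kp(A_KMAP);    km->min_offset = KBASE; km->max_offset = KBASE + KSIZE;
    struct proc_m *kproc = kp(A_KPROC);  kproc->p_pid = 0; kproc->p_list_next = A_MYPROC;
    struct proc_m *me = kp(A_MYPROC);    me->p_pid = MY_PID; me->p_ucred = A_MYCRED;
    struct ucred_m *cred = kp(A_MYCRED); cred->cr_uid = 501; cred->cr_label = A_MYLBL;
    struct label_m *lbl = kp(A_MYLBL);   lbl->l_perpolicy[SANDBOX_SLOT] = KBASE + 0x600; /* non-null = sandboxed */
    struct mount_m *mnt = kp(A_ROOTMT);  mnt->mnt_flag = MNT_RDONLY | MNT_ROOTFS;
}
/* Runs the chain; returns 1 only if root, unsandboxed and a writable root mount were all achieved. */
static int run_chain(void) {
    uint64_t scratch = 0; setup_model();
    if (k_vm_rw(A_CTRL + 0x100, A_KPROC, &scratch, 8, 0) == 0) return 0; /* uncrafted memory is refused */
    tfp0 = build_fake_task_port(A_CTRL, A_KMAP);
    if (rootify(A_KPROC, MY_PID, A_ROOTMT) != 0) return 0;
    struct ucred_m *cred = kp(A_MYCRED); struct label_m *lbl = kp(A_MYLBL); struct mount_m *mnt = kp(A_ROOTMT);
    return cred->cr_uid == 0 && lbl->l_perpolicy[SANDBOX_SLOT] == 0 && mnt->mnt_flag == MNT_ROOTFS;
}
int main(void) { printf("chain %s\n", run_chain() ? "succeeded" : "failed"); return 0; }
```

On a real device the kernel-side functions are the real kernel: the attacker holds a send right to the fake port and calls mach_vm_read_overwrite() / mach_vm_write() on it, and the kernel performs the same kind of checks modelled in k_convert_port_to_task() before trusting ip_kobject. Everything from kread/kwrite downward is shaped the way a rootful jailbreak's post-exploitation is: every step is just pointer chasing through proc, ucred, label and mount structures at offsets obtained for the target build.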

Historical Significance

  • Among the last major rootful jailbreaks: the signed system volume introduced with iOS 15 pushed later jailbreaks to rootless designs
  • Demonstrated longevity: supported four major iOS versions (11 through 14)
  • Cydia ecosystem: the last widely used jailbreak tightly coupled with the Cydia package manager
  • Transition point: after unc0ver, the jailbreak community shifted to rootless (Dopamine)

Resources

  • unc0ver GitHub: https://github.com/pwn20wndstuff/Undecimus
  • Various exploit write-ups for each supported iOS version