[Jailbreak News] iOS 11.3.1 Jailbreak Release - Delay Reasons - [Electra]

Some reasons that explain the delay in the release of the Electra iOS 11.3.1 Jailbreak:

According to Samg_is_a_Ninja, these are the reasons why the iOS 11.3.1 jailbreak hasn’t been released yet.

Ian Beer, the security researcher at Google’s Project Zero, had released two exploits: multi_path (mp) and empty_list (el). The first exploit, “mp”, has a greater success rate, but requires an Apple Developer account ($99 per year). The second exploit, “el”, doesn’t require a developer certificate, but has a low success rate. pwn20wnd has made some improvements, but the success rate is still about 1/3.

He also explains that developing the iOS 11.3.1 jailbreak hasn’t been as easy as expected, because Apple has added a new security feature: an APFS snapshot of the root partition in place of a typical writable root partition.

Everyone assumed that it would be fairly easy to recycle the old code from Electra 11.1.X and simply swap out the kernel exploits, replacing the async_wake exploit with mp or el. However, after running the new kernel exploits, it was discovered that Apple had added a new security feature: an APFS snapshot of the root partition in place of a typical writable root partition.

... and this is the reason why the Electra iOS 11.3.1 jailbreak hasn’t been released so far.

One of the main features of a jailbreak is being able to access the entire filesystem of the device. Think of your device’s filesystem as two toy boxes. One of the boxes is labeled “disk0s1s1” and the other is labeled “disk0s1s2”. disk0s1s2 is the bigger box: it contains everything under /var and is divided into sections, one for each app you have installed (the sandbox), plus some extra space for photos, iBooks, etc. disk0s1s1 is the smaller box: it contains everything under all the other folders (/Applications, /System, /Library, etc.), that is, the system apps and the files needed by the system. Stock iOS has disk0s1s2 mounted read-write, and lets each app write only to its own sandbox; all other parts of disk0s1s2 are writable only by the system. disk0s1s1 is writable only during software updates/restores.

On 11.2.6 and older, once you have task_for_pid(0) (which is given by mp and el), it’s relatively easy to mount both disk0s1s1 and disk0s1s2 read-write. However, on 11.3, Apple introduced a new feature: when you set up your device, the system takes a picture of all the objects inside the disk0s1s1 box. From then on, every time you boot your device, the system looks at the picture, then looks inside the box, and basically plays a game of spot the difference, meticulously going through the entire disk0s1s1. If it notices that any of the objects in that box have been moved or changed, it moves them back. Any new objects are thrown out, and any missing objects are magically replaced. This is a problem because it means that, for example, /Applications/Cydia.app/ would get removed after every reboot.
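To make the “spot the difference” behaviour concrete, here is an added toy model (not code from the article, from Apple, or from the Electra project) of a boot-time revert of the disk0s1s1 box to its setup-time snapshot. The paths and file contents are constructed sample data, and the three cases (changed, new, missing object) are exactly the ones the text describes.

```python
# Added illustration of a snapshot revert; not real iOS/APFS code.
# All paths and contents below are constructed sample data.
import hashlib

def digest(data: bytes) -> str:
    """Content hash used to spot a changed object."""
    return hashlib.sha256(data).hexdigest()

def take_snapshot(fs: dict) -> dict:
    """Record path -> (hash, content) for every object in the box."""
    return {path: (digest(content), content) for path, content in fs.items()}

def revert_to_snapshot(fs: dict, snapshot: dict) -> dict:
    """Play 'spot the difference': restore changed objects, drop new ones,
    replace missing ones. Returns a report of what was undone."""
    report = {"restored": [], "removed": [], "replaced": []}
    for path, (expected_hash, content) in snapshot.items():
        if path not in fs:
            fs[path] = content                 # missing object magically replaced
            report["replaced"].append(path)
        elif digest(fs[path]) != expected_hash:
            fs[path] = content                 # moved/changed object put back
            report["restored"].append(path)
    for path in [p for p in fs if p not in snapshot]:
        del fs[path]                           # new object thrown out
        report["removed"].append(path)
    return report

# Constructed sample root filesystem at setup time (disk0s1s1 analogue).
ROOT_AT_SETUP = {
    "/System/Library/CoreServices/SpringBoard.app": b"stock springboard",
    "/Applications/MobileSafari.app": b"stock safari",
    "/usr/lib/libsystem.dylib": b"stock dylib",
}

def simulate_reboot_after_changes() -> tuple:
    """Make the kinds of changes a jailbreak makes, then 'reboot'."""
    snapshot = take_snapshot(dict(ROOT_AT_SETUP))   # picture taken at setup
    fs = dict(ROOT_AT_SETUP)
    fs["/Applications/Cydia.app"] = b"new app"         # new object
    fs["/usr/lib/libsystem.dylib"] = b"patched dylib"  # changed object
    del fs["/Applications/MobileSafari.app"]           # missing object
    report = revert_to_snapshot(fs, snapshot)          # what boot does
    return fs, report

if __name__ == "__main__":
    fs, report = simulate_reboot_after_changes()
    print(report)
```

After the simulated reboot the box is byte-for-byte back at its setup-time state, which is why anything written to the root partition on 11.3 does not survive a restart.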

Initially, Jonathan Levin aka @Morpheus______ was planning to write an exploit that builds on the vulnerability discovered by @SparkZheng, which allows the initial remount of /, and makes it even better; but he seems to have lowered the priority of finishing the exploit after he got spammed on Twitter.

He also points out that the WebKit version of “el” has been released, which has the potential of jailbreaking iOS 11.3.1 from Safari instead of from a sideloaded app.

Security nerd Tim Michaud has discovered a vulnerability in the launch daemon (launchd) which could even result in an untethered iOS 11.3.1 jailbreak, similar to the vulnerability used in the evasi0n jailbreak, which was untethered.

Stay up to date with the development and release of the iOS 11.3.1 Jailbreak Electra Release.

Update: iOS 11.3.1 Jailbreak with Electra Tool has been Released:
