iOS 9 is officially released

Tonight, hundreds of millions of viewers will once again be watching their Apple devices, waiting for the release of new products by the company with the highest market value in the world. And then, amid the enthusiasm and abuse, most of them will always find time to start downloading or placing orders to get the latest generation of products to replace the hardware and software that have become the previous generation. This process is repeated year after year and people never get tired of it.

Among them, there is a small group of top hackers who always listen carefully to every feature update of iOS from Cook and Craig (Apple Software VP), especially those technical details that are only briefly mentioned and a little difficult for ordinary people. They may be the first batch of users after the official version of iOS is available for download, and then they start testing, analyzing and modifying the code at night. This process is different from the entertainment-first mentality of consumers. It is depressing and melodramatic.

The above hacker groups are usually called jailbreakers. Since the Chinese jailbreak teams (Pangu and Taiji) released multiple versions of jailbreak tools for iOS 7 and 8 in 2014, and with the background of the rapid increase of iOS devices in China in 2013, jailbreaks and jailbreakers here have become particularly eye-catching.

Top Hackers

On the other hand, many industry insiders told Leifeng.com that there are very few excellent iOS vulnerability miners in China. The current industry players engaged in iOS vulnerability mining mainly include: The core development team of Taiji Jailbreak consists of only 4 people; Pangu’s core development team consists of about 10 people; Keen Team, a well-known security research team in the industry, also announced this year that it would join the development of jailbreak tools for iOS 9.
Industry insiders told us that Keen has about a dozen people, but the main jailbreak tool development is probably only 2-3 people; Alibaba, Tencent, 360 and other large companies each have small-scale iOS vulnerability research teams, and their daily work mainly focuses on vulnerability research and serves their main business. These teams will also devote some of their energy to jailbreak research, but generally will not launch jailbreak tools. The above personnel may add up to fewer than 50 people.

Gao Xuefeng, the head of 360 Nirvana team, told Leifeng.com that the reason why there are so few Apple vulnerability diggers may be that iOS and Mac were popularized later in China. Most consumers are still most familiar with and use the Windows platform the most, and the first environment that developers come into contact with is generally Windows. Nirvana is an iOS vulnerability research team established by 360 this year, with a total of 5 people, and the business needs make them eager to recruit talents.

Hu Yalong from the Taiji jailbreak team told us that jailbreaking is highly confidential, so each team will not be very large. In Taiji's main development team, Hu Yalong is the only product manager, in addition to the founder Xie Lei (also the founder of the iOS third-party application market Kuaiyong), the great god XN (Chinese name Xiao Nan) is the only main programmer, and there is another person responsible for engineering and testing.

The vulnerabilities dug by these top talents are mainly used for six purposes: research, competition, business, training, sales and tools. BAT3 mainly tends to the first three categories. Stefan Esser, a former jailbreak master overseas, is a typical example of the vulnerability training industry. He is called a "former" jailbreak master because he no longer makes jailbreak tools after discovering vulnerabilities, but instead announces to the world, "I have jailbroken, come to my place for training."
According to industry insiders, the price of a recent training session by Stefan Esser has been 30,000 yuan per person. In addition, vulnerability diggers will sell vulnerabilities to official and unofficial channels. For example, Microsoft will offer high rewards for Windows vulnerabilities, but Apple has not yet made any similar statements, so some vulnerabilities will also enter unofficial channels - such as black market organizations and government agencies, and the selling price is sometimes as high as one million US dollars. The remaining ones are the Pangu and Taiji jailbreak teams, as well as the newly joined Keen Team.

The Rapid Rise of China’s Jailbreak Team

China's jailbreak can be traced back to two years ago. At the end of December 2013, Apple's jailbreak team Evad3rs and Taiji team cooperated to release iOS 7.x jailbreak. After the jailbreak tool Evasi0n was run in the Chinese environment, Taiji Assistant was pre-installed. This was the first attempt related to jailbreak in China, but the cooperation soon ended unhappily, and Taiji team announced that it would develop jailbreak independently.

Following closely, Pangu released the perfect jailbreak tool for iOS 7.1 - iOS 7.1.x in late June 2014. Hu Yalong still remembers that Xie Lei sent an email to the Taiji team late at night, in which he wrote: Chinese people are awesome (it did not violate the advertising law at that time). This was although it meant that Taiji's months of hard preparation would have to start all over again - there is a tacit understanding in the jailbreak circle that once someone releases a jailbreak tool for a certain version of iOS, other teams will not release the same version of jailbreak tools to avoid wasting vulnerabilities.

Later, on October 22 of that year, the Pangu team released the latest iOS 8.0 - 8.1.x perfect jailbreak tool. In November, the iOS 8.1.1 perfect jailbreak developed by XN was released, and Taiji finally won the first place as expected.
Then on iOS 8.3 and 8.4, Taiji quickly released a perfect jailbreak tool. At the same time, just three days after WWDC in June, Keen Team announced that it would also join the jailbreak development of iOS 9.

After the release of iOS 8.1.1 in 2014, a foreign media outlet interviewed XN: Do you think that jailbreaking will be under Chinese leadership going forward? XN’s answer is yes (It’s quite possible since I’m one of them).

The rise of jailbreaking in China is inseparable from the rare talent and diligence of Xiao Nan and others, but there is no doubt that they have also been indirectly supported and catalyzed by domestic Internet business giants.

The Taiji team told us that Xie Lei, the former CEO of Kuaiyong Assistant, wanted to jailbreak after he founded Kuaiyong, but he did not get internal support. He then left with XN and independently developed Taiji jailbreak. But in fact, Kuaiyong and Taiji have always had a very close cooperation. In addition, Taiji has always had built-in recommendations for another iOS third-party store, 3K Assistant. In July this year, when Leifeng.com reporters visited, they learned that Kuaiyong had officially acquired 3K Assistant (the difference between the two is that Kuaiyong is for pre-jailbreak, while 3K is for post-jailbreak). Looking back at the publicly available industrial and commercial information, we can find 360 as a strategic investor.

The Pangu jailbreak team has always had a very close cooperation with PP Assistant. In 2013, PP was acquired by UC, and UC has also been acquired by Alibaba.

Keen Team is called 碁震团队 in Chinese. In the past two years, they have cooperated with Tencent team to win many international awards. To the outside world, the two sides call each other a cooperative relationship, but public information tells us that an important Tencent executive is indeed involved in this company.
Tencent, Alibaba and 360, with their hundreds of billions and tens of billions of dollars in market value and Android channels with over 100 million users (Alibaba is weaker in this respect), once "gently" helped this small group of technical teams. These actions may only be defensive and occupying positions for large companies now, but they have far-reaching impacts in the narrow technical circle of jailbreaking.

Conversations between jailbreakers

Among several vulnerability discovery and jailbreak developers interviewed by Leifeng.com, all mentioned that there were few conversations between teams, but there were exchanges between companies. In the security conferences of the past two years, we rarely see these top hacker forces gathered together. In reality, one party often appears with its stakeholders. In contrast, they seem to be more willing to communicate with overseas parties.

On March 27 this year, the Taiji Jailbreak Team hosted the MSS Mobile Security Summit in Beijing. This event was later described by Forbes as "a magical journey to the East for Western hackers": Several of the most famous iPhone hackers in the Western world flew business class to Beijing and were put up at the five-star Park Hyatt.

A person close to the organization of the conference recounted the scene at the time: some hackers (these technology geeks may be even more geeky than ordinary Americans) did not know the level of development in China, and wrote to ask if they could buy matching adapters in Beijing because they were using Mac computers.

It is said that the conference cost about one million yuan, sponsored by Taiji's partner 3K Assistant. Of course, the main cost is not the air tickets and hotels, but the invitation fee of a group of jailbreak masters. The conference invited Chronic (Green Poison developer), Comex (JailbreakMe developer), P0sixninja (Green Poison boss), Pimskeks (Green Poison, Evasi0n developer), and XN, who played at home.
For these overseas hackers, Taiji’s demands are not just to receive training. The speeches of XN and Xie Lei both revealed the meaning of introduction, communication and exchange.

Hu Yalong described the difference between domestic and foreign jailbreak works as follows: the jailbreak tools developed early abroad, such as Hongxue and Green Poison, are more complicated to operate, and even have various branching situations, which are not so user-friendly; while the domestic ones are more mature and fool-proof. This is related to the fact that domestic jailbreaking tools came later and have already learned from the experience of predecessors; it is also because most foreigners prefer to fight alone or in groups, while domestic users prefer to fight in teams; it is also related to the fact that domestic users have a stronger demand for jailbreaking and there is a commercial drive behind it.

On the other hand, the communication between several domestic teams is more cautious. At the 360 HackPwn (an event mainly in the form of security competition) held last month, Leifeng.com reporters saw a very interesting scene: The Pangu team was the last to perform after many other teams’ presentations, and they ran the jailbreak of iOS 8.4.1 on site. Compared with other teams, Pangu did not explain what vulnerabilities or techniques were used. Then there was applause from the audience, and the Pangu team won the championship of the day (and donated all the 200,000 yuan in prize money).

360 Chief Hacker Zheng Wenbin commented that it was "very good and very exciting", but no one mentioned the details. The scene was probably that of two masters fighting each other with a single move, and in an instant, the winner was decided and they smiled at each other.

Benefits and frictions

Stefan Esser and Pangu once had a dispute over the jailbreak of iOS 7.1.x.
The core of the dispute was that Stefan Esser believed that Pangu used a vulnerability that Stefan Esser had provided to his team in the jailbreak, and the vulnerability in the training was "for learning only and not for commercial use."

On iOS 8.4 and iOS 8.3, the Taiji team accused PP Assistant of plagiarism, and released the PP jailbreak assistant by repackaging the core modules and invoking Taiji jailbreak, and even "copied the vulnerabilities."

The above two problems are currently unsolvable due to the fact that they are cross-regional and fall within the legal fringe.

iOS jailbreaking tools themselves are not profitable, but the revenue from application distribution and game operation brought by installing third-party markets with the help of jailbreaking tools is lucrative. Coincidentally, Kuaiyong and PP, which are closely related to Taiji and Pangu, are two of the top three largest iOS third-party stores in China (the other one is XY Assistant). In the future, such friction may continue.

On the other hand, domestic iPhone research data over the past two years shows that the proportion and total number of iOS jailbroken users have declined. Several industry insiders familiar with app distribution expressed a surprisingly consistent view: in the long run, a decline is almost certain.

Regarding Apple's official attitude, Leifeng.com has heard several statements: “They invest a lot in safety.” “The pace of updates is very fast.” "In the update logs of the last few versions, it is mentioned from time to time that the Taiji jailbreak xx vulnerability has been blocked."

But Apple has never publicly explained its security strategy in detail, nor has it encouraged or criticized jailbreaking. As for vulnerability feedback, it is just as cold and aloof as other systems of Apple (such as the app store) - "You have no way of predicting whether it will respond quickly or ignore it.
It is also difficult for us to figure out its vulnerability review rules from experience."

Gao Xuefeng from 360 told us that compared with the previously released iOS 9 beta version, the official version of iOS 9 will be a relatively large upgrade. One of the important improvements is the addition of Rootless in the security protection system, which is equivalent to adding a wall to the original permission management system, weakening the authority of the Root role, which means that jailbreaking will become more difficult than before.

Putting aside the disputes over interests between third-party application markets, most of the developers who have come into contact with the Leifeng.com reporters are simple and even idealistic. The official version of iOS 9 is destined to be a major version update, which means that jailbreakers should expect to start a pursuit of top technology in a frustrated and depressed night.
Written before the release of iOS 9: The history of iOS development