In the Tianfu Cup competition in November this year, I demonstrated the remote jailbreak of the iPhoneX’s latest iOS system. This article is about the stage of this exploit chain. 2. Here I use a kernel vulnerability that can be reached directly in the sandbox. (I name it Chaos), so after getting the RCE of Safari, we can trigger this vulnerability directly from the Safari sandbox, and finally reach the remote jailbreak.

http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202.html