Sources suggest the first reported Oculus Quest 2 jailbreak is almost certainly not real.
If you’re unware; Oculus Quest 2 is an all-in-one virtual reality system made by Facebook. It runs Facebook’s VR-specific fork of Android. Quest is the first consumer VR headset (outside the China-focused Vive Focus Plus) offering a directly interactive room-scale experience without the need for a gaming computer or PlayStation. As such, Facebook currently has no real competition for this category of VR.
You need a working Facebook account to use Quest 2. That requires giving Facebook your real name and identity, and sometimes even providing photographic evidence.
You can’t install other operating systems on Oculus headsets, or even gain administrative (root) access. By declaring yourself a developer and agreeing to Facebook’s terms you can sideload apps via your PC- but otherwise you’re restricted to the Oculus Store.
The (Informal) Bounty
My offer of $5000 to jailbreak the Quest still stands. I’m moving the target to Quest 2 though seeing as Quest 1 is no longer in production. https://t.co/Bwd236FkpL
— Robert Long (@arobertlong) September 17, 2020
The day after Quest 2 was announced, Mozilla software engineer Robert Long tweeted out a bounty of $5000 for “jailbreaking” it. The term ‘jailbreak’ usually refers to removing Apple’s iOS restrictions, but Long is using it colloquially – in August he tweeted the same bounty for the original Quest, defining the specific goal as “to boot to Oculus Browser or Firefox Reality without a FB login”.
I will match this, who else is in? https://t.co/6r2FvJYB33
— Palmer Luckey (@PalmerLuckey) October 16, 2020
In October, Oculus founder Palmer Luckey pledged to match the $5000, with others in the VR community on Twitter following suit. From what we understand the whole effort is still pretty informal, with no formal prize pool organized to reward someone for accomplishing the jailbreak.
XRSI & Verification
XR Safety Initiative (XRSI) is a registered not-for-profit organization with a mission to promote “privacy, security, and ethics in the immersive environments (virtual reality, mixed reality, and augmented reality)”. In September, it released a comprehensive privacy framework for VR.
On October 15, Long set up a Discord to coordinate on the goal of jailbreaking Quest 2. XRSI contacted him shortly after to offer support on verifying the claims. XRSI’s ethics mission includes supporting the ‘Right to Repair’, which includes the ability to install what software you so choose.
Long tells us that within days, someone came forward claiming they’d achieved that goal. On October 26, XRSI (through its media arm Ready Hacker One) publicly announced “a researcher from the XR community has gained root access to Oculus Quest 2 and is able to bypass Facebook Login”.
“XRSI’s own researchers have validated this jailbreak”
The announcement seemed definitive in tone but was notably light on details. It claimed root access, which is the Android equivalent of administrator privileges. The announcement, however, said nothing about whether the bootloader was unlocked. That’s a much harder task than gaining root access and would allow you to write to the boot partition which contains the core of the operating system, aka the kernel.
The ability to modify the kernel is fundamental to iOS jailbreaking, and to having true full control over an Android-based device.
Verification Not As Planned
Last week, a reliable source told us this jailbreak doesn’t actually work. We began to investigate the situation in search of answers.
Two days ago, an anonymous user made a post to the Oculus Quest reddit community with a similar claim. The top moderator initially removed the post, but re-approved it after the anonymous user “provided some substantiated proof that this post is in good faith, but we cannot independently verify the claims“.
We reached out to that same reddit user and agreed not to reveal their source in order to receive the same evidence. The reddit post claims XRSI had been convinced by the hacker the bootloader had been unlocked. The post suggests XRSI believed they had verified that other operating systems, including Linux and Windows XP, could be installed. Linux is entirely conceivable, but, as the post points out, Windows XP is an x86 operating system from two decades ago, it can’t be run on a modern ARM processor.
The post goes on to claim XRSI tasked a third party with replicating the jailbreak, and this party was unable to verify.
We reached out to XRSI asking about this reddit post and the claims circulating. Its communication director confirmed the initial verification process was a remote demonstration of installing other operating systems, just as the reddit post claimed. He then continued:
“At that point, after the validation of what was seen, we started the second part of the process, asking the independent researchers to reproduce the whole set of actions. Unfortunately, the results are not as straightforward and regular as they must be. I would like to reiterate what we said in the original announcements – ‘We are currently working to gather assurances to protect the individuals who discovered these methods of jailbreak.’“
It’s unclear what exactly is meant by “straightforward and regular”. It’s possible Facebook remotely patched the exploit, but if the demonstration involved installing Windows XP it is almost certainly a scam. ARM-based Qualcomm chips like the Quest’s can’t even run x86 apps natively, never mind a two decade old x86 operating system. The only way to “run” Windows XP on such a device would be through something like Limbo Emulator, an Android port of a Linux-based virtual machine (VM) emulator and virtualizer. But this doesn’t grant hardware access, or even necessitate it.
Robert Long told us he believes XRSI is acting in good faith but no longer believes the jailbreak is legitimate:
“I think there is merit to the claims, but I also think that XRSI is acting in good faith and the source is being impatient.
After I posted the bounty I received a lot of interest. I decided I would create a crowdfund to allow people interested in contributing to do so. I started up a Discord to give people a channel to organize while I figured out the details. Very shortly after, XRSI reached out to help. Which I desperately needed.
They’ve been instrumental in the whole jailbreak effort. It wouldn’t have gone anywhere without them. It’s a huge risk for them to take on a project like this. It’s not really something they’ve done in the past, but they went all in on helping in any way they could.
The Discord was up for a couple days before someone came forward with claims that they had rooted the device. I was skeptical, but I also know that the Quest 2 is an Android device and there may be existing methods of rooting similar hardware. I didn’t do any verification myself. I wanted to make sure that this user was protected and passed them on to a security researcher at XRSI.
They did an initial pass to see if it was at all credible and they let me know that they would need to investigate further, but it seemed worth a look.
XRSI also advised me to shut down the Discord at that time to keep users safe. People were beginning to get irresponsible so I agreed to shut it down.
9 days later they had a public announcement that it had been verified. I didn’t have any details of the methods used. I wanted to stay separated from those details until it could be shared publicly, but I trusted XRSI to have done their due diligence.
Late last week I received a message from your source, who I haven’t worked with before, but generally trust. I had talked with them previously about the jailbreak and I thought they would be a good partner.
They had apparently been working with XRSI in the last couple weeks and had seen some of the details of the jailbreak. They said it was likely fake and had some credible evidence to think so.
I didn’t know any of the details they shared with me so I immediately reached out to XRSI. I spoke with the security researcher and their story wasn’t very reassuring. There were similar red flags in the verification process. At this point I thought it was more likely that the jailbreak was fake than real.
I think there was a mistake made by the security researcher in the verification process. I think the jailbreaker may have been malicious or confused and the researcher made a critical error in claiming it was verified before they should have. XRSI definitely should not have made a public statement saying it was verified when they did.
Now there is a feud between your source and XRSI about how to deal with this information. XRSI is trying to be responsible in taking the time to legally assess and disclose these details so they can speak publicly and your source is rushing them and trying to slander them. There are legal issues that still need to be worked out and your source is not respecting the process.
From my perspective, XRSI likely made a bad mistake, but they are handling it correctly.
This whole situation is unfortunate. I had hoped these two parties could work together because they ultimately have the same goals.
I do hope that we can continue the work towards finding a jailbreak. I think XRSI can still be the home for that work, but I think they need additional security research resources.“
The Bounty Still Stands
The announcement of a supposed jailbreak may have stopped or paused other efforts from achieving the same. Now that there are doubts about this initial effort it is possible others may pursue opening up Oculus Quest again.
Robert Long and Palmer Luckey both told us their bounties still stand.
Oculus will do better with a jailbreak available, not worse.
— Palmer Luckey (@PalmerLuckey) October 22, 2020
A true jailbreak of Oculus Quest 2 would give users full freedom over their device and open up experimentation at a much deeper level than currently possible. Such access, however, is unlikely to go unnoticed by Facebook.
In response to a game developer claiming his support of the project was “sabotage”, Oculus founder Palmer Luckey responded “Oculus will do better with a jailbreak available, not worse.“
Root access without unlocking the bootloader could be subject to Facebook remotely patching the exploit, and even a bootloader exploit could be patched on all newly produced headsets.
“I was tempted to offer more, but I expect this will be an ongoing cat and mouse game,” Luckey wrote in a direct message to us.
Article updated 20 minutes after publication to include a full statement from Robert Long rather than the few sentences quoted with initial publication. Managing Editor Ian Hamilton contributed to this report.