Sources suggest the first reported Oculus Quest 2 jailbreak is almost certainly not real.
If you’re unware; Oculus Quest 2 is an all-in-one virtual reality system made by Facebook. It runs Facebook’s VR-specific fork of Android. Quest is the first consumer VR headset (outside the China-focused Vive Focus Plus) offering a directly interactive room-scale experience without the need for a gaming computer or PlayStation. As such, Facebook currently has no real competition for this category of VR.
You need a working Facebook account to use Quest 2. That requires giving Facebook your real name and identity, and sometimes even providing photographic evidence.
You can’t install other operating systems on Oculus headsets, or even gain administrative (root) access. By declaring yourself a developer and agreeing to Facebook’s terms you can sideload apps via your PC- but otherwise you’re restricted to the Oculus Store.
The (Informal) Bounty
My offer of $5000 to jailbreak the Quest still stands. I’m moving the target to Quest 2 though seeing as Quest 1 is no longer in production. https://t.co/Bwd236FkpL
— Robert Long (@arobertlong) September 17, 2020
The day after Quest 2 was announced, Mozilla software engineer Robert Long tweeted out a bounty of $5000 for “jailbreaking” it. The term ‘jailbreak’ usually refers to removing Apple’s iOS restrictions, but Long is using it colloquially – in August he tweeted the same bounty for the original Quest, defining the specific goal as “to boot to Oculus Browser or Firefox Reality without a FB login”.
I will match this, who else is in? https://t.co/6r2FvJYB33
— Palmer Luckey (@PalmerLuckey) October 16, 2020
In October, Oculus founder Palmer Luckey pledged to match the $5000, with others in the VR community on Twitter following suit. From what we understand the whole effort is still pretty informal, with no formal prize pool organized to reward someone for accomplishing the jailbreak.
XRSI & Verification
XR Safety Initiative (XRSI) is a registered not-for-profit organization with a mission to promote “privacy, security, and ethics in the immersive environments (virtual reality, mixed reality, and augmented reality)”. In September, it released a comprehensive privacy framework for VR.
On October 15, Long set up a Discord to coordinate on the goal of jailbreaking Quest 2. XRSI contacted him shortly after to offer support on verifying the claims. XRSI’s ethics mission includes supporting the ‘Right to Repair’, which includes the ability to install what software you so choose.
Long tells us that within days, someone came forward claiming they’d achieved that goal. On October 26, XRSI (through its media arm Ready Hacker One) publicly announced “a researcher from the XR community has gained root access to Oculus Quest 2 and is able to bypass Facebook Login”.
“XRSI’s own researchers have validated this jailbreak”
The announcement seemed definitive in tone but was notably light on details. It claimed root access, which is the Android equivalent of administrator privileges. The announcement, however, said nothing about whether the bootloader was unlocked. That’s a much harder task than gaining root access and would allow you to write to the boot partition which contains the core of the operating system, aka the kernel.
The ability to modify the kernel is fundamental to iOS jailbreaking, and to having true full control over an Android-based device.
Verification Not As Planned
Last week, a reliable source told us this jailbreak doesn’t actually work. We began to investigate the situation in search of answers.
Two days ago, an anonymous user made a post to the Oculus Quest reddit community with a similar claim. The top moderator initially removed the post, but re-approved it after the anonymous user “provided some substantiated proof that this post is in good faith, but we cannot independently verify the claims“.
We reached out to that same reddit user and agreed not to reveal their source in order to receive the same evidence. The reddit post claims XRSI had been convinced by the hacker the bootloader had been unlocked. The post suggests XRSI believed they had verified that other operating systems, including Linux and Windows XP, could be installed. Linux is entirely conceivable, but, as the post points out, Windows XP is an x86 operating system from two decades ago, it can’t be run on a modern ARM processor.
The post goes on to claim XRSI tasked a third party with replicating the jailbreak, and this party was unable to verify.
XRSI’s Response
We reached out to XRSI asking about this reddit post and the claims circulating. Its communication director confirmed the initial verification process was a remote demonstration of installing other operating systems, just as the reddit post claimed. He then continued:
“At that point, after the validation of what was seen, we started the second part of the process, asking the independent researchers to reproduce the whole set of actions. Unfortunately, the results are not as straightforward and regular as they must be. I would like to reiterate what we said in the original announcements – ‘We are currently working to gather assurances to protect the individuals who discovered these methods of jailbreak.’“
It’s unclear what exactly is meant by “straightforward and regular”. It’s possible Facebook remotely patched the exploit, but if the demonstration involved installing Windows XP it is almost certainly a scam. ARM-based Qualcomm chips like the Quest’s can’t even run x86 apps natively, never mind a two decade old x86 operating system. The only way to “run” Windows XP on such a device would be through something like Limbo Emulator, an Android port of a Linux-based virtual machine (VM) emulator and virtualizer. But this doesn’t grant hardware access, or even necessitate it.
Robert Long told us he believes XRSI is acting in good faith but no longer believes the jailbreak is legitimate:
“I spoke with the security researcher and their story wasn’t very reassuring. There were similar red flags in the verification process. At this point I thought it was more likely that the jailbreak was fake than real.
I think there was a mistake made by the security researcher in the verification process. I think the jailbreaker may have been malicious or confused and the researcher made a critical error in claiming it was verified before they should have. XRSI definitely should not have made a public statement saying it was verified when they did.“
The Bounty Still Stands
The announcement of a supposed jailbreak may have stopped or paused other efforts from achieving the same. Now that there are doubts about this initial effort it is possible others may pursue opening up Oculus Quest again.
Robert Long and Palmer Luckey both told us their bounties still stand.
Oculus will do better with a jailbreak available, not worse.
— Palmer Luckey (@PalmerLuckey) October 22, 2020
A true jailbreak of Oculus Quest 2 would give users full freedom over their device and open up experimentation at a much deeper level than currently possible. Such access, however, is unlikely to go unnoticed by Facebook.
In response to a game developer claiming his support of the project was “sabotage”, Oculus founder Palmer Luckey responded “Oculus will do better with a jailbreak available, not worse.“
Root access without unlocking the bootloader could be subject to Facebook remotely patching the exploit, and even a bootloader exploit could be patched on all newly produced headsets.
“I was tempted to offer more, but I expect this will be an ongoing cat and mouse game,” Luckey wrote in a direct message to us.
Managing Editor Ian Hamilton contributed to this report.
