WWDC.app is downloaded from the App Store and uploaded over AFC to ~/Media/Downloads

An IPA containing WWDC.app is uploaded and installed using MobileInstall

but first, the Info.plist of the WWDC app inside the IPA is changed so that CFBundleExecutable points to the untouched copy of the app in Downloads

when MobileInstall installs the app, it signature-checks the copy in Downloads

the signature check passes and the app is installed
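The root cause of the first three steps is that the file being signature-checked is chosen by a path read from the attacker-controlled Info.plist rather than by the installer. As an added example (not MobileInstall's actual logic, and not code from these notes), the check below resolves CFBundleExecutable against the bundle directory, follows symlinks, and refuses any executable that does not live inside the bundle; the WWDC.app layout and plists it builds are constructed test data.

```python
import os
import plistlib
import tempfile

def bundle_executable_path(bundle_dir):
    """Return the absolute, symlink-resolved path named by CFBundleExecutable,
    or None if it is missing or would resolve outside the bundle directory."""
    with open(os.path.join(bundle_dir, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    exe = info.get("CFBundleExecutable", "")
    if not exe:
        return None
    root = os.path.realpath(bundle_dir)
    # Resolve relative to the bundle and follow symlinks: an absolute path,
    # a ".." component, or a symlink must not let the executable escape.
    target = os.path.realpath(os.path.join(root, exe))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return None
    return target

def make_bundle(parent, executable_value):
    """Constructed test bundle: WWDC.app/Info.plist plus a stand-in WWDC file."""
    bundle = os.path.join(parent, "WWDC.app")
    os.makedirs(bundle, exist_ok=True)
    with open(os.path.join(bundle, "WWDC"), "wb") as f:
        f.write(b"stand-in, not a real Mach-O\n")
    with open(os.path.join(bundle, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": executable_value}, f)
    return bundle

def demo():
    """Returns (honest accepted, '..' redirect rejected, symlink redirect rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = make_bundle(os.path.join(tmp, "Downloads"), "WWDC")  # the untouched copy
        honest = make_bundle(os.path.join(tmp, "ipa"), "WWDC")
        dotdot = make_bundle(os.path.join(tmp, "ipa2"), "../../Downloads/WWDC.app/WWDC")
        linked = make_bundle(os.path.join(tmp, "ipa3"), "WWDC")
        link = os.path.join(linked, "WWDC")
        os.remove(link)
        os.symlink(os.path.join(outside, "WWDC"), link)
        return (bundle_executable_path(honest) is not None,
                bundle_executable_path(dotdot) is None,
                bundle_executable_path(linked) is None)

if __name__ == "__main__":
    print(demo())
```

The path that passes this check is the one that should be handed to the signature verifier, so the verified file and the installed file are the same object.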

WWDC.app/WWDC is overwritten over AFC with a #! script pointing to afcd

the command line in the #! will expose the entire / over AFC on port 8888

a dylib (gameover) is uploaded which uses a CS bypass (vmsize 0) to neuter sandboxing in afcd via the LINKEDIT section

(afcd starts its sandbox at runtime using sandbox_init*)

a LaunchServices bug is used to make the app load that library when it runs

the device reboots and the user is instructed to run the app

when the app runs, afcd runs exposing /, and since the sandbox is neutered, access is allowed everywhere

however, the iOS 7 kernel still prevents remapping / as writable

so it's still just readonly

at this point, /var/mobile/Library/Logs/AppleSupport is symlinked to /dev/rdisk0s1

the device is rebooted, and something early in boot (I believe ReportCrash) will chown that path to mobile, which chowns the rdisk0s1 device node

they have an HFS library with an AFC backend

so they're able to virtually mount the entire system partition via AFC by seeking around on the rdisk using AFC commands

so using that, they modify the system partition

the changes to the system partition are: an added executable signed with a self-signed cert at /evasi0n7, and a launchd plist to run it at boot

they use the same CS bypass used before to modify libmis.dylib, which is loaded by amfid (which checks code signatures), to neuter the amfi checks and always return true (i.e. from MISValidateSignature)

so evasi0n will run fine, and at that point it does the kernel portion