Untethered jailbreak

2010-11-16T21:38:20Z

Jack:

An untethered jailbreak is a type of [[jailbreak]] where your device does not require you to reboot with a connection to an external device capable of executing commands on the device.

== Device support ==
Many device/firmware combinations can use an untethered jailbreak. The most current versions of iOS (3.2.2 and 4.1), as well as the [[N81ap|iPod touch 4G]], can be jailbroken already with [[limera1n]] or [[greenpois0n]].

Devices as new as the [[N81ap|iPod touch 4G]]/[[K66ap|Apple TV 2G]] have known [[bootrom]] exploits. However, the [[N88ap|iPhone 3GS]] ([[iBoot-359.3|old bootrom]]) and older have bootrom exploits that allow for an untethered jailbreak. Newer devices as old as the [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]), [[N72ap|iPod touch 2G]] ([[iBoot-240.5.1|new bootrom]]), and [[N18ap|iPod touch 3G]] have bootrom exploits that are limited to a [[tethered jailbreak]] (without the assistance of a firmware-based exploit).

==Utilities capable of untethered jailbreaks==
These jailbreak utilities can perform an untethered jailbreak, sorted by operating system.

===iOS===
[[Star]] runs on the device itself, and is completely independent of a computer's operating system.

===Mac OS X===
* [[Spirit]]
* [[blackra1n]]
* [[greenpois0n]]
* [[limera1n]]
* [[PwnageTool]]
* [[redsn0w]]

===Windows===
* [[Spirit]]
* [[blackra1n]]
* [[greenpois0n]]
* [[limera1n]]
* [[redsn0w]]
* [[sn0wbreeze]]

===Linux===
* [[Spirit]]
* [[greenpois0n]]
* [[redsn0w]] (Certain Versions)

MobileBackup Copy Exploit

2010-10-22T21:32:19Z

Jack:

BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path:

Path contains sneaky dots to traverse up outside of the domain: %@

However, for some reason, this check isn't applied when taking alternate code paths for special handling of certain files. For example, a restore to HomeDomain with a path starting with Library/Preferences/SystemConfiguration/ is migrated to the new directory for system configuration, /var/preferences/SystemConfiguration. This bypasses the sneaky dots check, so spirit is able to restore to this path:

Library/Preferences/SystemConfiguration/../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist

This was fixed in iOS 3.2.1 and 4.0.

Used in [[comex]]'s [[Spirit]] Jailbreak.

[[Category:Exploits]]

Malformed CFF Vulnerability

2010-10-11T20:54:46Z

Jack: New page: == Exploit Status: PATCHED == This is the exploit used in Comex's JailbreakMe 2.0 'star' (The First public Jailbreak for the iPhone 4 running 4.0 or 4.0.1) After this jailbreak/exploi...

== Exploit Status: PATCHED ==

This is the exploit used in Comex's JailbreakMe 2.0 'star' (The First public Jailbreak for the iPhone 4 running 4.0 or 4.0.1)

After this jailbreak/exploit was released, 10 days later, Apple fixed this exploit in the iOS 4.0.2 software update, rendering JailbreakMe useless on 4.0.2

Limera1n

2010-10-11T20:25:05Z

Jack:

[[Image:Ra1ndrop.png|right]]
This is [[User:Geohot|geohot's]] latest [[jailbreak]] utility. It uses his undisclosed exploit, along with [[User:Comex|comex]]'s [[userland exploit]], to achieve an [[untethered jailbreak]] on newer devices.
* [[N88ap|iPhone 3GS]]
* [[N90ap|iPhone 4]]
* [[N72ap|iPod touch 2G]] (support announced, not released)
* [[N18ap|iPod touch 3G]]
* [[N81ap|iPod touch 4G]]
* [[K48ap|iPad]]
* [[K66ap|AppleTV]] ([http://www.tuaw.com/2010/10/09/limera1n-jailbreak-released-greenpois0n-jailbreak-delayed/ However it's current usefulness is debatable])

It has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png showed off a high-res picture of Cydia on an iPhone 4]. He [http://www.youtube.com/watch?v=__TR86PLiHw displayed an iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg picture of Cydia and blackra1n icons on his iPad's SpringBoard].

limera1n was released to the public on October 9, 2010, delaying the release of [[greenpois0n]], because [[greenpois0n]] has to be rewritten to use the limera1n exploit instead of [[SHAtter]]. It only supports Windows at the moment, and there are some devices with issues.

==Release text==
<center>limera1n, 6 months in the making 
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G 
4.0-4.1 and beyond+++ 
limera1n is unpatchable 
untethered thanks to jailbreakme star '''comex''' 
released today to get chronicdev to do the right thing 
brought to you by '''geohot''' 
hacktivates 
Mac coming soon 
follow the instructions in the box, sadly limera1n isn't one click 
that's the price of unpatchability 
as usual, donations appreciated but not required 
still in beta, pardon my ragged edges 
AppleTV is technically supported, but theres no apps yet 
zero pictures of my face</center>

==Credit==
*[[User:Geohot|geohot]] - the program itself, and [[bootrom exploit]].
*[[User:Comex|comex]] - [[userland exploit]] that allows limera1n to run [[untethered jailbreak|untethered]].

==Changelog==
{| class="wikitable" style="border-collapse:collapse;" border="1"
|-
|<center>'''Version'''</center>
|<center>'''Release time'''</center>
|<center>'''MD5 Hash'''</center>
|<center>'''Change comment'''</center>
|-
|beta 1
|9 Oct 2010 XX:XX GMT
|2f2b09a6ed5c5613d5361d8a9d0696b6
|First release.
|-
|beta 2
|9 Oct 2010 XX:XX GMT
|a70dccb3dfc0e505687424184dc3d1ce
|Fixed kernel patching magic. Rerun BETA2+ over BETA1.
|-
|beta 3
|9 Oct 2010 XX:XX GMT
|81730090f7de1576268ee8c2407c3d35
|Fixed an issue with [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]])
|-
| beta 4
|9 Oct 2010 XX:XX GMT
|d901c4b3a544983f095b0d03eb94e4db
|Uninstall fixed, respring fixed
|-
| RC1
|11 Oct 2010 XX:XX GMT
|0622d99ffe4c25f75c720a689853845f
|out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller
|-
| RC1b
|11 Oct 2010 XX:XX GMT
|fc6f7d696a57c3baede49bdff8a7f43f
|Fixed an iPad install bug
|}

==Technical Information==
=== Basics ===
* limera1n does not use [[SHAtter]].
* limera1n uses a [[bootrom exploit]] to achieve the [[tethered jailbreak]] and [[unsigned code execution]].
* limera1n uses a userland exploit to make the jailbreak [[Untethered jailbreak|untethered]], which was developed by [[User:Comex|comex]].

=== Exploits ===
Details of the [[bootrom exploit]] to follow.

=== Process ===
The jailbreak appears to execute something like the following (in no particular order):
* In [[recovery1]],
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
* In [[DFU]], it uploads a [[payload]].
* In [[recovery2]], it uploads another [[payload]] and its [[ramdisk]].
"setenv auto-boot true
reset
geohot done"

=== Interesting Messages ===
*
"geohot black is the new purple"
*
"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"
*
"2.2X send command(%d): %s
send exploit!!!
sent data to copy: %X
sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
sent exploit to heap overflow: %X
sending file with length: 0x%X Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d."

==Controversy==
The release of this jailbreak is specifically designed to pressure [[Chronic Dev]] into not releasing the SHAtter exploit, instead implementing the limera1n exploit into [[greenpois0n]]. Now that [[User:Geohot|geohot]] has released limera1n, releasing [[SHAtter]] would uselessly disclose another [[bootrom exploit]] to Apple.

[[User:Geohot|geohot]]'s rationale is that Apple has already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful in the 5th generation iPhone should it not be disclosed at this time.

limera1n's [[Untethered jailbreak|untethered]] userland exploit was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|comex]] did in fact end up giving his approval for the exploit to be included in limera1n.

==External Links==
* [http://loadingchanges.com/wp-content/uploads/2010/10/limetime.jpg Picture of limera1n in action]
* [http://limera1n.com/ limera1n.com Actual limera1n domain] <nowiki>(using </nowiki>
* [http://theiphonewiki.com/limera1n Actual site http://theiphonewiki.com/limera1n]
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire]
* [http://www.pastie.org/1210054 Veence's explanation for release]

The iPhone Wiki - User contributions [en]

Untethered jailbreak

MobileBackup Copy Exploit

Malformed CFF Vulnerability

Limera1n