Difference between revisions of "Dual Boot Exploit"

From The iPhone Wiki
Latest revision as of 12:28, 22 January 2016

Credit

iPhone Dev Team

Exploit

The user first copied the currently installed jailbroken OS to a second partition, /dev/disk0s3, then used iTunes to update to the latest unjailbroken firmware, which rewrote the System partition, /dev/disk0s1. They then booted the jailbroken copy on /dev/disk0s3 (which depended on being able to hand boot-args to the kernel through iBoot), SSHed in, mounted /dev/disk0s1, where the unjailbroken OS now lived, and copied Installer, OpenSSH and Terminal across into it.

Defeating Countermeasures

In 1.1.1 Apple added a routine called check_for_suspicious_partitions(), which, for every partition other than the System partition (/dev/disk0s1), calls stat() on /sbin/launchd to test whether that file exists, i.e. whether the partition holds a bootable copy of the OS. The iPhone Dev Team got around this by moving the real launchd to /mysbin/launchd and leaving /sbin/launchd as a symlink to it. stat() follows symlinks, and the link's target is an absolute path, so when the copied partition is mounted anywhere other than / the target resolves against the root of the system doing the checking, where /mysbin/launchd does not exist. stat() therefore fails, the partition is not flagged, and the workaround worked great.

Why it no longer works

There are two reasons it no longer works.

Booting

In firmware 2.0 beta 4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so there is no way to point the kernel at the copy on the new partition and it cannot be booted.

lstat()

The check_for_suspicious_partitions routine now uses lstat() instead of stat(). lstat() reports on the symlink itself rather than following it, so the link at /sbin/launchd is found and the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat() instead of stat().
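The two checks described under Defeating Countermeasures and lstat(), as an added example that is not code from this wiki or from the iPhone Dev Team: a C model of check_for_suspicious_partitions() run against a constructed stand-in for a mounted copy of the jailbroken OS. The function names, the temporary directory layout, and the assumption that /mysbin/launchd does not exist on the machine running it are mine; only the paths /sbin/launchd and /mysbin/launchd come from the page.

```c
/* Added example (not code from The iPhone Wiki or the iPhone Dev Team).
 * Models the 1.1.1 check_for_suspicious_partitions() test for a copy of the
 * OS on another partition and shows why a symlinked /sbin/launchd slipped
 * past stat() but not lstat(). Function names and the temp-dir layout are
 * assumptions made for this demo. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The 1.1.1 check: stat() follows symlinks. A link /sbin/launchd ->
 * /mysbin/launchd inside a partition mounted at `root` is resolved against
 * the checker's own filesystem root, where /mysbin/launchd is absent, so
 * the call fails and the partition passes. Returns 1 if launchd "exists". */
int launchd_present_stat(const char *root) {
    char path[1024];
    struct stat st;
    snprintf(path, sizeof path, "%s/sbin/launchd", root);
    return stat(path, &st) == 0;
}

/* The later check: lstat() reports on the link itself, which is present. */
int launchd_present_lstat(const char *root) {
    char path[1024];
    struct stat st;
    snprintf(path, sizeof path, "%s/sbin/launchd", root);
    return lstat(path, &st) == 0;
}

/* Build a constructed stand-in for a mounted copy of the jailbroken OS: a
 * temp directory whose sbin/launchd is a symlink to the absolute path
 * /mysbin/launchd (assumed not to exist on the host running this).
 * Returns 0 on success and writes the directory path into `root`. */
int make_fake_partition(char *root, size_t rootlen) {
    char tmpl[] = "/tmp/dualboot.XXXXXX";
    char p[1024];
    if (!mkdtemp(tmpl)) return -1;
    snprintf(p, sizeof p, "%s/sbin", tmpl);
    if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/sbin/launchd", tmpl);
    if (symlink("/mysbin/launchd", p) != 0) return -1;
    snprintf(root, rootlen, "%s", tmpl);
    return 0;
}

/* Remove the constructed tree again. */
void remove_fake_partition(const char *root) {
    char p[1024];
    snprintf(p, sizeof p, "%s/sbin/launchd", root);
    unlink(p);
    snprintf(p, sizeof p, "%s/sbin", root);
    rmdir(p);
    rmdir(root);
}

/* Run the comparison end to end. Returns 1 when the symlinked launchd is
 * missed by stat() but caught by lstat() (the behaviour the page describes),
 * 0 if either check disagrees, -1 if the fake partition could not be built. */
int run_demo(void) {
    char root[256];
    int by_stat, by_lstat;
    if (make_fake_partition(root, sizeof root) != 0) return -1;
    by_stat = launchd_present_stat(root);
    by_lstat = launchd_present_lstat(root);
    remove_fake_partition(root);
    return by_stat == 0 && by_lstat == 1;
}

int main(void) {
    char root[256];
    if (make_fake_partition(root, sizeof root) != 0) {
        perror("make_fake_partition");
        return 1;
    }
    printf("stat():  %s\n", launchd_present_stat(root) ? "launchd found, partition flagged" : "launchd not found, partition passes");
    printf("lstat(): %s\n", launchd_present_lstat(root) ? "launchd found, partition flagged" : "launchd not found, partition passes");
    remove_fake_partition(root);
    return 0;
}
```

Build with cc and run it as an unprivileged user; it only touches a directory under /tmp. The point it makes is that the trick never depended on stat() ignoring symlinks: it depended on stat() following an absolute symlink whose target is dangling from where the checker stands, and on lstat() not doing so.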

External links

Full writeup on the dev team wiki: http://wikee.iphwn.org/s5l8900:dualboot

Logfile of session creating dual boot system: http://wikee.iphwn.org/s5l8900:dualboot_logfile