Difference between revisions of "Absinthe"

From The iPhone Wiki
Jump to: navigation, search
m (Exploit: I read the console logs. and was very entertained.)
(Exploit: ran factcheck.org on my own writing)
Line 13: Line 13:
 
The exact exploit to jailbreak the two devices is not known yet, but it is assumed that the web clip loads a page that requires an IPsec VPN connection, which causes the [http://ipsec-tools.sourceforge.net racoon] daemon to start and run the jailbreak payload.
 
The exact exploit to jailbreak the two devices is not known yet, but it is assumed that the web clip loads a page that requires an IPsec VPN connection, which causes the [http://ipsec-tools.sourceforge.net racoon] daemon to start and run the jailbreak payload.
   
However, some poking reveals some unique means of injection. At some point in the jailbreak process, libmobilecopy.dylib and/or MobileBackup are intentionally crashed to produce a crash log. The jailbreak payload reads this crash log in order to obtain memory addresses to continue with the exploit.
+
However, some poking reveals some unique means of injection. At some point in the jailbreak process, BackupAgent is intentionally crashed to produce a crash log. The jailbreak payload reads this crash log in order to obtain the memory address of libcopyfile.dylib to continue with the exploit.
   
 
[[Category:Hacking Software]]
 
[[Category:Hacking Software]]

Revision as of 06:18, 21 January 2012

Absinthe is the S5L8940 userland jailbreak tool for iPhone 4S and iPad 2 on iOS 5.0 (iPhone 4S only), 5.0.1 (9A405) and iOS 5.0.1 build 9A406 on iPhone 4S. This tool was released on January 20, 2012, and is available in three incarnations:

Installation

The jailbreak packs Corona for the S5L8940 and the rest of the firmware patches in a regular iTunes backup and then restores this backup on to the device, which injects the required files. It is then completed by opening a web clip added to the home screen by Absinthe that uses an exploit in Safari to install Cydia. If this doesn't work, for example, because the greenpois0n website is down due to the number of people attempting to jailbreak, an alternative is to enable a specially crafted VPN connection in the Settings app.

Exploit

Main article: Corona


This jailbreak uses the Racoon String Format Overflow Exploit and HFS Heap Overflow from Corona for untether. The exact exploit to jailbreak the two devices is not known yet, but it is assumed that the web clip loads a page that requires an IPsec VPN connection, which causes the racoon daemon to start and run the jailbreak payload.

However, some poking reveals some unique means of injection. At some point in the jailbreak process, BackupAgent is intentionally crashed to produce a crash log. The jailbreak payload reads this crash log in order to obtain the memory address of libcopyfile.dylib to continue with the exploit.