Difference between revisions of "Dual Boot Exploit"

Credit

the dev team

Exploit

The user would create a copy of the currently installed jailbroken OS to /dev/disk0s3, then in iTunes update to the latest unjailbroken firmware. They would then boot to the jailbroken OS, SSH in, and mount /dev/disk0s1, where the unjailbroken OS was. Finally, they would copy over Installer / OpenSSH / Terminal to the unjailbroken OS.

Defeating Countermeasures

In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. the dev team got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat(); does not follow symlinks, this workaround worked great.

Why it no longer works

There are two reasons that it no longer works

Booting

In firmware 2.0b4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.

lstat();

The "check_for_suspicious_partitions" routine now uses lstat(); instead of stat(); meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat(); instead of stat();

External links

• Full writeup on the dev team wiki
• Logfile of session creating dual boot system