|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Limera1n"
m (Link fixes.) |
m (Mention that explanation is an archived version) |
||
| (80 intermediate revisions by 24 users not shown) | |||
| Line 1: | Line 1: | ||
| + | {{lowercase}} |
||
| − | [[Image:Ra1ndrop.png|right]] |
||
| + | {{infobox software |
||
| − | This is [[User:Geohot|geohot's]] latest [[jailbreak]] utility. It uses an undisclosed bootrom exploit by [[User:geohot|geohot]] and an undisclosed kernel exploit found by [[User:Comex|comex]] to achieve an [[untethered jailbreak]] on newer devices. |
||
| + | | name = limera1n |
||
| + | | title = limera1n |
||
| + | | logo = [[File:ra1ndrop.png|85px]] |
||
| + | | author = [[User:geohot|George Hotz]] |
||
| + | | developer = George Hotz |
||
| + | | released = {{start date and age|2010|10|09}} |
||
| + | | discontinued = |
||
| + | | latest release version = RC1b |
||
| + | | latest release date = {{start date and age|2010|10|11}} |
||
| + | | programming language = C |
||
| + | | operating system = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]] |
||
| + | | size = Windows: 317.5 KiB [EXE]<br />OS X: 478.1 KiB [ZIP]<!-- As of {{date|2015|03|13}}, 325,120 and 489,598 bytes respectively --> |
||
| + | | platform = |
||
| + | | language = [[wikipedia:English|English]] |
||
| + | | status = Deprecated |
||
| + | | genre = Jailbreaking |
||
| + | | license = [[wikipedia:Freeware|Freeware]] |
||
| + | | website = [http://limera1n.com/ limera1n.com] |
||
| + | }} |
||
| + | '''limera1n''' is [[User:Geohot|geohot]]'s [[jailbreak]] utility. It uses a previously undisclosed bootrom exploit (the [[limera1n Exploit]]) and [[User:Comex|comex]]'s [[Packet Filter Kernel Exploit]] to achieve an [[untethered jailbreak]] on many devices. The following devices are supported: |
||
| + | * [[N88AP|iPhone 3GS]] |
||
| + | * [[N90AP|iPhone 4 (iPhone3,1)]] |
||
| + | * [[N18AP|iPod touch (3rd generation)]] |
||
| + | * [[N81AP|iPod touch (4th generation)]] |
||
| + | * [[K48AP|iPad]] |
||
| + | * [[K66AP|Apple TV (2nd generation)]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab) |
||
| + | limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] showed off a high-res picture of [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Cydia on an iPhone 4]. He displayed an [http://www.youtube.com/watch?v=__TR86PLiHw iPod touch (3rd generation) with an untethered jailbreak] that met [[User:MuscleNerd|MuscleNerd]]'s requirements for a good video. In addition, he took a picture of [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Cydia and blackra1n icons on an iPad]. |
||
| + | * '''Release Date:''' [[Timeline#October_11|{{date|2010|10|09}}]] |
||
| − | * [[N88ap|iPhone 3GS]] |
||
| + | * '''Supported OS's:''' Mac OS X, Windows |
||
| − | * [[N90ap|iPhone 4]] |
||
| + | * '''Supported Operations:''' [[hacktivation]], [[jailbreak]]ing |
||
| − | * [[N18ap|iPod touch 3G]] |
||
| + | * '''Supported iOS: 3.2.2-4.1 |
||
| − | * [[N81ap|iPod touch 4G]] |
||
| − | * [[K48ap|iPad]] |
||
| − | * [[K66ap|Apple TV 2G]] ([http://www.tuaw.com/2010/10/09/limera1n-jailbreak-released-greenpois0n-jailbreak-delayed/ However it's current usefulness is debatable]) |
||
| − | It has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png showed off a high-res picture of Cydia on an iPhone 4]. He [http://www.youtube.com/watch?v=__TR86PLiHw displayed an iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg picture of Cydia and blackra1n icons on his iPad's SpringBoard]. |
||
| + | == Release text == |
||
| − | limera1n was released to the public on October 9, 2010, delaying the release of [[greenpois0n]] using the SHAtter exploit. [[greenpois0n]] has been rewritten to use the same exploit that limera1n uses. It only supports Windows and Mac OS X at the moment, and there are some devices with issues. |
||
| + | <div style="text-align: center">limera1n, 6 months in the making<br /> |
||
| − | |||
| + | iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)<br /> |
||
| − | Limera1n also installs a hacktivation dynamic library (.dylib) to /usr/lib, no matter if the device is properly activated by [[iTunes]] or not. This is lazy and can pose some issues (such as Push Donor users having to restore their device). It's recommended to properly remove this dylib only if you can activate via iTunes. A guide to do so can be found [http://www.cmdshft.ipwn.me/blog/?p=555 here]. |
||
| − | |||
| − | ==Release text== |
||
| − | <center>limera1n, 6 months in the making<br /> |
||
| − | iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G<br /> |
||
4.0-4.1 and beyond+++<br /> |
4.0-4.1 and beyond+++<br /> |
||
limera1n is unpatchable<br /> |
limera1n is unpatchable<br /> |
||
| Line 25: | Line 45: | ||
Mac coming in 7 years<br /> |
Mac coming in 7 years<br /> |
||
donations keep support alive<br /> |
donations keep support alive<br /> |
||
| − | zero pictures of my face</ |
+ | zero pictures of my face</div> |
| − | ==Credit== |
+ | == Credit == |
| − | *[[User:Geohot|geohot]] - |
+ | * '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit. |
| − | *[[User:Comex|comex]] - |
+ | * '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]]. |
| − | ==Changelog== |
+ | == Changelog == |
| − | {| class="wikitable |
+ | {| class="wikitable" |
|- |
|- |
||
| − | + | ! Version |
|
| − | + | ! Release Date |
|
| − | + | ! MD5 Hash |
|
| + | ! Changelog |
||
| − | |<center>'''Change comment'''</center> |
||
|- |
|- |
||
| − | | |
+ | | Beta 1 |
| − | | |
+ | | {{date|2010|10|9}} |
| − | |2f2b09a6ed5c5613d5361d8a9d0696b6 |
+ | | 2f2b09a6ed5c5613d5361d8a9d0696b6 |
| − | |First release |
+ | | First release |
|- |
|- |
||
| − | | |
+ | | Beta 2 |
| − | | |
+ | | {{date|2010|10|10}} |
| − | |a70dccb3dfc0e505687424184dc3d1ce |
+ | | a70dccb3dfc0e505687424184dc3d1ce |
| − | |Fixed kernel patching magic. |
+ | | Fixed "kernel patching magic". Should be run over a beta 1 jailbreak |
|- |
|- |
||
| − | | |
+ | | Beta 3 |
| − | | |
+ | | {{date|2010|10|10}} |
| − | |81730090f7de1576268ee8c2407c3d35 |
+ | | 81730090f7de1576268ee8c2407c3d35 |
| − | |Fixed an issue with [[ |
+ | | Fixed an issue with [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) |
|- |
|- |
||
| − | | |
+ | | Beta 4 |
| − | | |
+ | | {{date|2010|10|10}} |
| − | |d901c4b3a544983f095b0d03eb94e4db |
+ | | d901c4b3a544983f095b0d03eb94e4db |
| − | |Uninstall |
+ | | Uninstall and respring bugs fixed |
|- |
|- |
||
| − | |RC1 |
+ | | RC1 |
| − | | |
+ | | {{date|2010|10|11}} |
| − | |0622d99ffe4c25f75c720a689853845f |
+ | | 0622d99ffe4c25f75c720a689853845f |
| − | | |
+ | | [[AFC#AFC2|afc2]], reliability improvements, reboot no longer needed for Cydia; Also ~2 KB smaller |
|- |
|- |
||
| − | |RC1b |
+ | | RC1b |
| − | | |
+ | | {{date|2010|10|11|}} |
| − | |fc6f7d696a57c3baede49bdff8a7f43f |
+ | | fc6f7d696a57c3baede49bdff8a7f43f<!-- Still the same as of {{date|2015|03|13}} --> |
| − | | |
+ | | Addresses an installation issue that mainly affected [[List of iPads|iPads]] |
| − | |- |
||
| − | |Final |
||
| − | |11 Oct 2010 23:XX GMT |
||
| − | |fc6f7d696a57c3baede49bdff8a7f43f |
||
| − | |(same as RC1b) |
||
|} |
|} |
||
| − | ==Technical Information== |
+ | == Technical Information == |
=== Basics === |
=== Basics === |
||
| − | * limera1n |
+ | * limera1n has nothing to do with [[SHA-1 Image Segment Overflow|SHAtter]] at all. |
| − | * limera1n uses a bootrom exploit to achieve the [[tethered jailbreak]] and |
+ | * limera1n uses a [[bootrom]] exploit to achieve the [[tethered jailbreak]] and unsigned code execution. |
| − | * limera1n uses a userland exploit to make it untethered, which was developed by [[User:Comex|comex]]. |
+ | * limera1n uses a [[userland]] exploit to make it [[untethered]], which was developed by [[User:Comex|comex]]. |
| − | * limera1n uses a hacktivation dylib to |
+ | * limera1n uses a hacktivation dylib to perform [[hacktivation]]. |
=== Exploits === |
=== Exploits === |
||
| + | limera1n reuses the [[Usb_control_msg(0x21,_2)_Exploit|usb_control_msg(0x21,2)]] but exploits a different vulnerability (see [[Limera1n Exploit]]). |
||
| − | Details of the [[bootrom exploit]] to follow. |
||
=== Process === |
=== Process === |
||
The jailbreak appears to execute something like the following (in no particular order): |
The jailbreak appears to execute something like the following (in no particular order): |
||
| − | * In |
+ | * In recovery1, |
"setenv debug-uarts 1 |
"setenv debug-uarts 1 |
||
setenv auto-boot false |
setenv auto-boot false |
||
saveenv" |
saveenv" |
||
| − | * In [[DFU]], it uploads a [[payload]]. |
+ | * In [[DFU Mode]], it uploads a [[payload]]. |
| − | * In |
+ | * In recovery2, it uploads another [[payload]] and its [[ramdisk]]. |
"setenv auto-boot true |
"setenv auto-boot true |
||
reset |
reset |
||
| Line 98: | Line 113: | ||
=== Interesting Messages === |
=== Interesting Messages === |
||
| − | * |
||
"geohot black is the new purple" |
"geohot black is the new purple" |
||
| + | |||
| − | * |
||
"blackra1n start: %d current IRQ mask is %8.8X |
"blackra1n start: %d current IRQ mask is %8.8X |
||
usb irq disabled...shhh |
usb irq disabled...shhh |
||
| Line 113: | Line 127: | ||
cmd_geohot added |
cmd_geohot added |
||
time to pray...%8.8X" |
time to pray...%8.8X" |
||
| + | |||
| − | * |
||
"2.2X send command(%d): %s |
"2.2X send command(%d): %s |
||
send exploit!!! |
send exploit!!! |
||
| Line 125: | Line 139: | ||
Unknown pseudo relocation bit size %d." |
Unknown pseudo relocation bit size %d." |
||
| − | ==Controversy== |
+ | == Controversy == |
| − | The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)|Chronic Dev]] into not releasing |
+ | The release of this jailbreak was specifically designed to pressure the [[Chronic Dev (team)|Chronic Dev Team]] into not releasing [[SHA-1 Image Segment Overflow|SHAtter]], and instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing [[SHA-1 Image Segment Overflow|SHAtter]] would uselessly disclose another bootrom exploit to Apple. |
| − | After releasing limera1n, releasing [[SHAtter]] would uselessly disclose another [[bootrom exploit]] to Apple. |
||
| − | [[User:Geohot| |
+ | [[User:Geohot|Geohot]]'s rationale was that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas [[SHA-1 Image Segment Overflow|SHAtter]] still has a chance of remaining useful for an indefinite amount of time. Both vulnerabilities ended up being patched in the [[iPad 2]]. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]]. |
| − | limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex| |
+ | limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices. |
| + | == Hacktivation == |
||
| − | ==External Links== |
||
| + | limera1n will copy hacktivation.dylib to [[:/usr/lib]] and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below. |
||
| − | * [http://loadingchanges.com/wp-content/uploads/2010/10/limetime.jpg Picture of limera1n in action] |
||
| + | |||
| + | == External Links == |
||
* [http://limera1n.com/ Official domain] |
* [http://limera1n.com/ Official domain] |
||
| + | * [https://web.archive.org/web/20141026000127/http://www.pastie.org/1210054 (Archive) Veeence's explanation for release] |
||
| − | * [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror] |
||
| + | * [https://web.archive.org/web/20140226135748/http://www.hackint0sh.org/blackra1n-3g-s-jailbreak-220/how-removing-blackra1n-limera1n-hacktivation-130992.htm (Archive) Hacktivation removal guide] |
||
| − | * [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.] |
||
| + | |||
| − | * [http://www.pastie.org/1210054 Veence's explanation for release] |
||
| + | [[Category:Hacking Software]] |
||
| + | [[Category:Jailbreaks]] |
||
| + | [[Category:Jailbreaking]] |
||
Latest revision as of 15:59, 21 May 2022
 | |
|---|---|
| Original author(s) | George Hotz |
| Developer(s) | George Hotz |
| Initial release | 9 October 2010 |
| Stable release | RC1b / 11 October 2010 |
| Development status | Deprecated |
| Written in | C |
| Operating system | Windows / OS X |
| Size |
Windows: 317.5 KiB [EXE] OS X: 478.1 KiB [ZIP] |
| Available in | English |
| Type | Jailbreaking |
| License | Freeware |
| Website | limera1n.com |
limera1n is geohot's jailbreak utility. It uses a previously undisclosed bootrom exploit (the limera1n Exploit) and comex's Packet Filter Kernel Exploit to achieve an untethered jailbreak on many devices. The following devices are supported:
- iPhone 3GS
- iPhone 4 (iPhone3,1)
- iPod touch (3rd generation)
- iPod touch (4th generation)
- iPad
- Apple TV (2nd generation) (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)
limera1n has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. He displayed an iPod touch (3rd generation) with an untethered jailbreak that met MuscleNerd's requirements for a good video. In addition, he took a picture of Cydia and blackra1n icons on an iPad.
- Release Date: 9 October 2010
- Supported OS's: Mac OS X, Windows
- Supported Operations: hacktivation, jailbreaking
- Supported iOS: 3.2.2-4.1
Contents
Release text
limera1n, 6 months in the making
iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)
4.0-4.1 and beyond+++
limera1n is unpatchable
untethered thanks to jailbreakme star comex
brought to you by geohot
hacktivates
Mac coming in 7 years
donations keep support alive
Credit
- geohot - The program itself, and the bootrom exploit.
- comex - The userland exploit that allows limera1n to run untethered.
Changelog
| Version | Release Date | MD5 Hash | Changelog |
|---|---|---|---|
| Beta 1 | 9 October 2010 | 2f2b09a6ed5c5613d5361d8a9d0696b6 | First release |
| Beta 2 | 10 October 2010 | a70dccb3dfc0e505687424184dc3d1ce | Fixed "kernel patching magic". Should be run over a beta 1 jailbreak |
| Beta 3 | 10 October 2010 | 81730090f7de1576268ee8c2407c3d35 | Fixed an issue with iPhone 3GS (new bootrom) |
| Beta 4 | 10 October 2010 | d901c4b3a544983f095b0d03eb94e4db | Uninstall and respring bugs fixed |
| RC1 | 11 October 2010 | 0622d99ffe4c25f75c720a689853845f | afc2, reliability improvements, reboot no longer needed for Cydia; Also ~2 KB smaller |
| RC1b | 11 October 2010 | fc6f7d696a57c3baede49bdff8a7f43f | Addresses an installation issue that mainly affected iPads |
Technical Information
Basics
- limera1n has nothing to do with SHAtter at all.
- limera1n uses a bootrom exploit to achieve the tethered jailbreak and unsigned code execution.
- limera1n uses a userland exploit to make it untethered, which was developed by comex.
- limera1n uses a hacktivation dylib to perform hacktivation.
Exploits
limera1n reuses the usb_control_msg(0x21,2) but exploits a different vulnerability (see Limera1n Exploit).
Process
The jailbreak appears to execute something like the following (in no particular order):
- In recovery1,
"setenv debug-uarts 1 setenv auto-boot false saveenv"
"setenv auto-boot true reset geohot done"
Interesting Messages
"geohot black is the new purple"
"blackra1n start: %d current IRQ mask is %8.8X usb irq disabled...shhh fxns found @ %8.8X %8.8X found iBoot @ %8.8X i'm back from IRQland... 3g detected, kicking nor nor kicked memcpy done iBoot restored!!! found command table @ %8.8X cmd_geohot added time to pray...%8.8X"
"2.2X send command(%d): %s
send exploit!!!
sent data to copy: %X
sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
sent exploit to heap overflow: %X
sending file with length: 0x%X Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d."
Controversy
The release of this jailbreak was specifically designed to pressure the Chronic Dev Team into not releasing SHAtter, and instead implement the limera1n exploit into greenpois0n; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.
Geohot's rationale was that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because iBoot code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. Geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time. Both vulnerabilities ended up being patched in the iPad 2. It was fixed before the release of limera1n according to the build number. This has been confirmed by p0sixninja.
limera1n's untethered userland exploit for iOS 4.0 and 4.1 was obtained by geohot under questionable circumstances from comex. Comex did end up fixing the kernel patching code by beta2, so as to not break users' devices.
Hacktivation
limera1n will copy hacktivation.dylib to /usr/lib and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.
