purplera1n

From The iPhone Wiki
Latest revision as of 11:23, 24 March 2017

Credit

  • Vulnerability, Exploit, and Windows client: geohot
  • Mac OS X client: AriX and westbaer

Signature Grabber

Allowed anyone with an iPhone 3GS to generate a file that contained:

  • The ECID for your device.
  • The new SHSH for a 3.0 iPhone 3GS iBSS that includes your ECID.

It has since been discontinued.

This was done so you would have a backup that could be used to boot an older iBSS. However, no tool was ever created to utilize this backup.

Jailbreak Tool

  • Web Site: http://purplera1n.com

One-click jailbreak for the iPhone, iPhone 3GS, iPod touch and iPod touch (2nd generation) on iPhone OS 3.0 only (not 3.0.1 or later). Available for Windows and Mac. It utilizes the iBoot Environment Variable Overflow.

How purplera1n Works

Exploitation

  1. purplera1n sends the enter-recovery command to the device through the MobileDevice Framework.
  2. Once the device is in Recovery Mode (iBoot), it sends the iBoot Environment Variable Overflow exploit.
  3. The exploit adds a "geohot" command to iBoot which runs the payload.
  4. The "geohot" command is run; control is now transferred from iBoot to the payload.
  5. The purplera1n client is done.

Payload

  1. The payload restores the default environment variable ring buffer and saves the environment to NVRAM (sets auto-boot to true).
  2. It patches iBoot to load unsigned IMG3s and to ignore the tags.
  3. It loads the purplera1n picture (sent with the payload).
  4. The NOR patcher starts.
  5. LLB is decrypted, patched, and increased in size to 0x24200 bytes; this is the resident 0x24000 Segment Overflow exploit, which lives in NOR and is what makes the jailbreak survive reboots.
  6. A small loader stub is placed at 0x20000 in the LLB to load it and fix the stack.
  7. iBoot is decrypted and patched.
  8. Everything else is read as is.
  9. NOR is written back; the NOR patcher is done.
  10. The kernel is loaded, decrypted, and patched.
  11. The ramdisk (sent with the payload) is loaded and moved to the ramdisk region at 0x44000000; the patched kernel is tacked on to the end.
  12. The patched kernel is booted.
  13. Control is now transferred from the payload to the ramdisk.
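Step 2 of the payload turns off the IMG3 checks that stock iBoot applies to every image it loads (LLB, iBoot, kernel, ramdisk all ship as IMG3 containers). The C below is an added example, not purplera1n's or Apple's code, of what a loader sees when it walks an IMG3 tag chain and of the structural half of that decision: a stock loader expects the SHSH and CERT tags (and then verifies the RSA signature against them, which is not modelled here), while the patched loader accepts anything with a DATA tag. The container built in memory is constructed for the example, its 4-byte tag padding and the zero-filled SHSH/CERT placeholders are assumptions, and the walker adds the length checks a loader should do on untrusted input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Four-character codes as they read after a little-endian 32-bit load
 * (so 'Img3' appears as the bytes "3gmI" in a hex dump). */
#define IMG3_MAGIC 0x496D6733u  /* 'Img3' */
#define TAG_TYPE   0x54595045u  /* 'TYPE' */
#define TAG_DATA   0x44415441u  /* 'DATA' payload: the code to run */
#define TAG_VERS   0x56455253u  /* 'VERS' */
#define TAG_SHSH   0x53485348u  /* 'SHSH' RSA signature over the tags */
#define TAG_CERT   0x43455254u  /* 'CERT' certificate chain for SHSH */
#define IDENT_IBOT 0x69626F74u  /* 'ibot' */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

struct img3_info {
    uint32_t ident;            /* image type from the 20-byte header */
    unsigned ntags;            /* tags seen while walking */
    int has_data, has_shsh, has_cert;
};

/* Walk the tag chain with bounds checks.  Header: magic, fullSize,
 * sizeNoPack, sigCheckArea, ident; each tag: magic, totalLength,
 * dataLength, data[].  Returns 0, or -1 if the container is truncated
 * or a tag length would run past the end of the buffer. */
int img3_walk(const uint8_t *buf, size_t len, struct img3_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 20 || rd32(buf) != IMG3_MAGIC) return -1;
    uint32_t full = rd32(buf + 4);
    if (full < 20 || full > len || rd32(buf + 8) != full - 20) return -1;
    out->ident = rd32(buf + 16);
    for (size_t off = 20; off < full; ) {
        if (full - off < 12) return -1;
        uint32_t magic = rd32(buf + off), total = rd32(buf + off + 4);
        if (total < 12 || total > full - off || rd32(buf + off + 8) > total - 12) return -1;
        if (magic == TAG_DATA) out->has_data = 1;
        else if (magic == TAG_SHSH) out->has_shsh = 1;
        else if (magic == TAG_CERT) out->has_cert = 1;
        out->ntags++;
        off += total;
    }
    return 0;
}

/* Stock policy, reduced to its structural part: the image must carry SHSH and
 * CERT tags.  The real loader then verifies the RSA signature against Apple's
 * chain and checks the device-binding tags; that step is not modelled here. */
int stock_loader_accepts(const struct img3_info *i) {
    return i->has_data && i->has_shsh && i->has_cert;
}
/* The patched iBoot described on this page: anything with a DATA tag loads. */
int patched_loader_accepts(const struct img3_info *i) {
    return i->has_data;
}

/* Append one tag at off, padding data to 4 bytes (assumed for this example). */
static size_t put_tag(uint8_t *buf, size_t off, uint32_t magic, const void *data, uint32_t dlen) {
    uint32_t total = 12 + ((dlen + 3) & ~3u);
    wr32(buf + off, magic); wr32(buf + off + 4, total); wr32(buf + off + 8, dlen);
    memset(buf + off + 12, 0, total - 12);
    memcpy(buf + off + 12, data, dlen);
    return off + total;
}

/* Construct an 'ibot' container (placeholder code, not Apple's).  With with_sig
 * set, zero-filled SHSH/CERT tags stand in for real signature material. */
size_t build_image(uint8_t *buf, int with_sig) {
    static const uint8_t code[] = { 0x00, 0xf0, 0x20, 0xe3, 0x1e, 0xff, 0x2f, 0xe1 }; /* nop; bx lr */
    static const uint8_t zeros[128];
    static const char vers[] = "EmbeddedImages-example";
    uint8_t type[4];
    size_t off = 20;
    wr32(type, IDENT_IBOT);
    off = put_tag(buf, off, TAG_TYPE, type, 4);
    off = put_tag(buf, off, TAG_DATA, code, sizeof code);
    off = put_tag(buf, off, TAG_VERS, vers, sizeof vers - 1);
    uint32_t sig_area = (uint32_t)(off - 20);      /* bytes an SHSH would cover */
    if (with_sig) {
        off = put_tag(buf, off, TAG_SHSH, zeros, sizeof zeros);
        off = put_tag(buf, off, TAG_CERT, zeros, 64);
    }
    wr32(buf, IMG3_MAGIC); wr32(buf + 4, (uint32_t)off); wr32(buf + 8, (uint32_t)off - 20);
    wr32(buf + 12, sig_area); wr32(buf + 16, IDENT_IBOT);
    return off;
}

int main(void) {
    uint8_t buf[512];
    struct img3_info info;
    for (int signed_img = 0; signed_img < 2; signed_img++) {
        size_t n = build_image(buf, signed_img);
        if (img3_walk(buf, n, &info) != 0) { puts("malformed"); return 1; }
        printf("%s image, %u tags: stock=%s patched=%s\n", signed_img ? "signed" : "unsigned",
               info.ntags, stock_loader_accepts(&info) ? "load" : "reject",
               patched_loader_accepts(&info) ? "load" : "reject");
    }
    return 0;
}
```

The same walk is what the LLB and kernel patches in the later steps rely on: once the tag policy is gone, a decrypted and modified DATA tag is loaded regardless of what the SHSH tag says, which is why the resulting images never need to be re-signed.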

Ramdisk

  1. launchd is run; everything below happens from there.
  2. /dev/disk0s1 (the root filesystem) is mounted.
  3. /private/etc/fstab is overwritten so that disk0s1 mounts read-write, and the lockdown services list is overwritten to enable AFC2.
  4. Freeze is transferred to the device and its loader has the SUID bit set.
  5. The patched kernel is read from the end of the ramdisk block device and written to the filesystem.
  6. The ramdisk is done; rebooting...
  7. The device reboots as a jailbroken phone.
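Step 11 of the payload and step 5 of the ramdisk are two halves of one hand-off: the payload appends the patched kernel after the ramdisk image before booting, and the ramdisk later recovers it from the tail of its own block device so it can be written to the filesystem. The C below is an added example of that framing, not purplera1n's code; the page does not document the real layout, so the 16-byte trailer, its 'KRNL' magic and the Adler-32 check are assumptions for the example, and the ramdisk and kernel bytes are constructed stand-ins. The checksum and bounds checks cover the failure mode a tool like this has to handle: a short or corrupted copy must not be written out as the boot kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed framing for this example (purplera1n's real layout is not documented
 * on this page): the buffer placed at the ramdisk region is
 *     [ ramdisk image | patched kernel | 16-byte trailer ]
 * The trailer lets the ramdisk side find the kernel by reading backwards from
 * the end of the block device without knowing the filesystem's size. */
#define TRAILER_MAGIC 0x4B524E4Cu   /* 'KRNL' after a little-endian load */
#define TRAILER_LEN   16

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Adler-32 of the kernel bytes, stored in the trailer so a short or corrupted
 * copy is noticed before it is written to the filesystem. */
static uint32_t adler32(const uint8_t *d, size_t n) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + d[i]) % 65521u; b = (b + a) % 65521u; }
    return (b << 16) | a;
}

/* Payload side (step 11): append the kernel and trailer to the ramdisk.
 * Returns the bundle length, or 0 if it does not fit in cap. */
size_t bundle_kernel(uint8_t *out, size_t cap, const uint8_t *rd, size_t rdlen,
                     const uint8_t *kern, size_t klen) {
    if (klen > UINT32_MAX || rdlen > cap || klen > cap - rdlen ||
        TRAILER_LEN > cap - rdlen - klen) return 0;
    memcpy(out, rd, rdlen);
    memcpy(out + rdlen, kern, klen);
    uint8_t *t = out + rdlen + klen;
    wr32(t, TRAILER_MAGIC);
    wr32(t + 4, (uint32_t)klen);
    wr32(t + 8, adler32(kern, klen));
    wr32(t + 12, 0);                          /* reserved */
    return rdlen + klen + TRAILER_LEN;
}

/* Ramdisk side (step 5): locate the kernel from the end of the block device.
 * Returns 0 and points *kern/*klen into dev (with *rdlen the ramdisk length),
 * -1 if there is no trailer, -2 if the recorded length runs past the start
 * of the device, -3 on checksum mismatch. */
int extract_kernel(const uint8_t *dev, size_t devlen,
                   const uint8_t **kern, size_t *klen, size_t *rdlen) {
    if (devlen < TRAILER_LEN) return -1;
    const uint8_t *t = dev + devlen - TRAILER_LEN;
    if (rd32(t) != TRAILER_MAGIC) return -1;
    uint32_t n = rd32(t + 4);
    if (n > devlen - TRAILER_LEN) return -2;
    if (adler32(t - n, n) != rd32(t + 8)) return -3;
    *kern = t - n;
    *klen = n;
    *rdlen = (size_t)(t - n - dev);
    return 0;
}

int main(void) {
    /* Constructed stand-ins: a 4 KiB "ramdisk" and a 1000-byte "kernel". */
    static uint8_t rd[4096], kern[1000], dev[8192];
    for (size_t i = 0; i < sizeof rd; i++) rd[i] = (uint8_t)(i * 7);
    for (size_t i = 0; i < sizeof kern; i++) kern[i] = (uint8_t)(0xA5 ^ i);
    size_t n = bundle_kernel(dev, sizeof dev, rd, sizeof rd, kern, sizeof kern);
    const uint8_t *k; size_t kl, rl;
    int rc = extract_kernel(dev, n, &k, &kl, &rl);
    printf("bundle %zu bytes, extract rc=%d, kernel %zu bytes at offset %zu, intact=%d\n",
           n, rc, kl, rl, rc == 0 && memcmp(k, kern, kl) == 0);
    return rc;
}
```

On the device the ramdisk side would open the block device backing the ramdisk, read its last TRAILER_LEN bytes, then seek back by the recorded length; the in-memory version above is the same logic over a buffer so it can be exercised offline.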