From The iPhone Wiki
Jump to: navigation, search


I think this page should be cleaned up and include information about the exploit and the tool in one page rather then split them up since little is known about the actual vulnerability. Also the video that is link to on here doesn't seem to be limera1n. The reasons I think that is because limera1n is tethered without the untether from comex, and at the time of this video the untether wasn't around. I hope geohot could shine some light in on this confusion and provide more information about the vulnerability for documentation purposes. Anyone agree with any of this? --Jacob 11:52, 22 September 2011 (MDT)

I think it should be separate. I think of having an article for each exploit. Tools are something else, which just use these exploits. I fully agree with the rest, like that we need a description, about untether, etc. --http 15:03, 22 September 2011 (MDT)
I just feel that there isn't much of a point of separating them due to the lack of information about the actual vulnerability. Did you catch the part where the video linked cannot be the same exploit in action? --Jacob 22:53, 22 September 2011 (MDT)

Drop size on image

Has anyone else noticed that on the picture, the lime raindrop us bigger than the rest of them? Could be nothing but could also mean that geohot has worked out SHAtter and use it on the three A4 devices that are there and just used the photos app for the 3GS. Also (if it's real) why is geohot's exploit not used and keep SHAtter for when there are more A4 devices around? --Shengis14 07:16, 9 October 2010 (UTC)

I did see that and assume it's just the same image everywhere, but on retina display it's just smaller due to higher resolution. --http 09:00, 9 October 2010 (UTC)
I also saw that and would ask you to look at the image again. iPod Touch 4g and iPhone 4, both retina, have smaller... This could be because geohot has a problem with the program as he didn't create a @2x.png image... I believe this is a true jailbreak. --5urd 13:57, 9 October 2010 (UTC)
In the dump, I found the lime drop and it is a 320x480 image. Therfore, when you jailbreak a retina device with a 320x480 it shrinks the image because there is no lime@2x.png file...


I think some more info may be needed. What is some background on it? I thought Limera1n was a fake from the 3.x days? --OMEGA RAZER 22:09, 8 October 2010 (UTC

It was never fake see (a cached copy). --GreySyntax 22:45, 8 October 2010 (UTC)
Thanks for the clarification. Not sure where I heard that. --OMEGA RAZER 23:09, 8 October 2010 (UTC)

Geohot made the web page when 3.1.3 come out but he said it used a bootrom exploit for untetherdness that he was saving for the iPhone 4 --liamchat 22:53, 8 October 2010 (UTC) Anything else we should mention? :P --dra1nerdrake 23:14, 8 October 2010 (UTC)

Why the insane secrecy of it? I'm not deep in the scene but this is the first I'm hearing more than the name lol. --OMEGA RAZER 23:18, 8 October 2010 (UTC)

Who is John Galt?

Look at the HTML source of the page. Is this comment new? Angelo 23:42, 8 October 2010 (UTC)

Yep. I've looked at the source of this page before and after this update. The John Galt is probably meant to throw us off. Geohot does that. :P But, yes, it's new. ~Drake
Where did you see that? --5urd 23:50, 8 October 2010 (UTC)
Type in Firefox URL bar: view-source: Angelo 23:47, 8 October 2010 (UTC)
I thought you meant the source of this page or the Limera1n page, not the website... Thanks for explaining that! --5urd 23:50, 8 October 2010 (UTC)
Who is John Galt Kind of funny actually when you read it and what's going on right now --alpineflip
yes I see why "learns that all of the stories have an element of truth to them." maybe it will ra1n again but not today --liamchat 00:35, 9 October 2010 (UTC)


So, I'm sure most, if not all, of you are confused. This Limera1n is nothing more than a plot by geohot to get the chronic dev team to incorporate the exploit used in limera1n into greenpois0n. This is not plausible because the exploit in limera1n is a bootrom level exploit, which can be used to make a jailbreak (albeit tethered) on its own. To make greenpois0n untethered, chronic dev has used a tweak by comex (in userland) to patch the kernel. The exploit in Limera1n can be used at a later date to make another untethered jailbreak, but it's better to leave the lower level exploits until later, after all, either way, it produces the same affect. To implement the limera1n exploit into greenpois0n, they'd have to rewrite the entire jailbreak, which would offset the release. This should clear up confusion. ~Drake

I reckon it was the iphone dev teams fault if they just had to release spirit after the iphone 4 was released there would be no drama because the ipod touch 4 would hav been jailbroken via star. --robinhood

I think Geohot told someone about his exploit and apple attempted to patch it in a4 bootrom [1] --liamchat 01:54, 9 October 2010 (UTC)


A recent tweet from iPhone hacker p0sixninja has just confirmed that the date WILL NOT be changed. If they can implement geohot's exploit before 10/10, they will use that. If they can't they won't. --dra1nerdrake 00:53, 9 October 2010 (UTC)

This has nothing to-do with Limera1n. -- Shorty 01:06, 9 October 2010 (UTC)
It does. If they can integrate it into GP then there's not going to be a Limera1n. If they can't in time then there will be two jailbreaks released... --OMEGA RAZER 01:11, 9 October 2010 (UTC)
This is a grand waste of a bootrom exploit though. ~Drake
Geohot will not waste the exploit's used in limera1n but greenpois0n is using a bootrom exploit to inject a userland exploit that is odd --liamchat 01:20, 9 October 2010 (UTC)
Yes it does limera1n will use an untetherd bootrom and iboot exploit but Why does Geohot not want us to use comex's kernel patch just for 4.1 then when 4.2 is out we can use shatter to reuse the iboot exploit --liamchat 01:20, 9 October 2010 (UTC)
@dra1nerdrake - Sorry if I didn't make myself more clear, I was basically on about the first part, not the last bit. -- Shorty 01:25, 9 October 2010 (UTC)

the exploit used by limera1n is a 24kPwn like bootrom exploit and a IBoot exploit ( read the second to last paragraph [2] ) --liamchat 12:55, 9 October 2010 (UTC)

Image Taken Down

I'm just speculating here. With all this controversy, I am on the edge of believing... Also, the image was taken down from the site... It gives you a bitly link that takes you back to the bitly link... --5urd 14:20, 9 October 2010 (UTC)

It is now very real greenpois0n will be cancelled (said by MuscleNerd Twitter Status) and Limera1n will be used to jailbreak on 4.1 but Apple knows about both exploit's but Geohot's has already being patched (patched in 4.2 beta 2 iboot [3]) --liamchat 19:21, 9 October 2010 (UTC)
The exploit has not been patched though, but because of the code similarities geohot can tell his exploit will be patched anyway by iPad2,1 so he wants it to be used instead of wasted, greenpois0n and SHAtter should be kept as they will affect a larger crowd of iOS devices (assuming apple continue to use the A4 chip. --Shengis14 19:36, 9 October 2010 (UTC)
Geohot's exploit will be used in greenpois0n if it can be utilised in time. Otherwise both exploits will be burned. In relation to the image being taken down, it was proving to be too popular, so imageshack moved it. --Mushroom 19:47, 9 October 2010 (UTC)
I dont think so we said a lot about SHAtter (if apple patch one of the three BSS+Heap+Stack the exploit wont work) so it may be to late to protect SHAtter but Geohot's exploit was fixed in iBoot so Apple knows 100% what his exploit is --liamchat 20:06, 9 October 2010 (UTC)

He did it

It's in the wild. Thoughts? ~Drake

It's just BETA2 though... --5urd 22:28, 9 October 2010 (UTC)
Has anyone being able to grab information about the exploit we need to delete shatter and name the new dfu exploit --liamchat 23:22, 9 October 2010 (UTC)
BETA2 naming means nothing. We need to delete SHAtter? Wtf? And also this exploit will either be named by Geohot or by it's technical name (like Environment Variable Overflow). Iemit737 00:03, 10 October 2010 (UTC)
I'd like to disassemble this and see what's in that exe of his. Anyone take a gander into this magical land of software yet? The payload's bound to be in there somewhere. ~Drake
A dump has been released by ih8sn0w, see links. So much for the protection he put on it. It uses the ramdisk from purplera1n ( lulz). You'll need IDA Pro... Pwnd-v1 13:12, 10 October 2010 (UTC)
Blackra1n uses purpled1sk too :/ All it is is an exploit like arm7_go in DFU that pwns iBoot (temporarily) and applies a userland jailbreak from a ramdisk. --Palz 22:16, 15 October 2010 (UTC)

the exploit ( it is a heap overflow ) is used to create a command called geohot ( in the NOR_(NVRAM) same as in Purplera1n ) maybe purpled1sk is the best for the job iBoot cannot be changed it will remove SHSH preventing the device from booting --liamchat 22:32, 15 October 2010 (UTC)

do u hear urself talk? the bootrom exploit in limera1n is not a heap overflow. -__- the heap overflow is the userland exploit used to achieve an untethered status.Leobruh 20:20, 19 October 2010 (UTC)!

The kernel patch ocurs after the lime logo is shown ( when a ramdisk is mounted ) after the ramdisk is sent you can disconnect the device --liamchat 21:23, 19 October 2010 (UTC)


Does limera1n flash the NOR? I never managed to install a custom firmware after using limera1n.--Ryccardo, 11 October 2010 (UTC)

Sign your posts, please. And, limera1n leaves your NOR untouched. All it does is patch the kernel (which is on your NAND). Theoretically, one might be able to restore to a custom firmware by jumping to a pwned iBSS or iBEC through the limera1n exploit and using that to trick the device into accepting the firmware, but I'm probably mistaken. --dra1nerdrake 19:28, 11 October 2010 (UTC)
It leaves the NOR un-touched otherwise the signature checks would fail during boot. Hence the kernel exploit from comex is used to patch the kernel at runtime. --GreySyntax 19:49, 11 October 2010 (UTC)
Thanks, [iH8Sn0w confirms.] Sorry for the signature, I always forget to use that button. --Ryccardo 20:43, 11 October 2010 (UTC)


I propose that appleTV should be removed from the supported list until further notice as while the exploit interacts with the bootrom, the ramdisk never executes to jailbreak the OS and leaves you in recovery mode (yet to establish if it is in a pwned state or not) --Lilstevie 07:29, 12 October 2010 (UTC)

Why no ipt2g support?

I have an ipt2g mc model. I currently have no 4.1 jailbreak, since sn0wbreeze is messed up and redsn0w hangs. Why doesn't this exploit work with the new bootrom touches? Have we been forgotten? --Palz 21:13, 12 October 2010 (UTC)

It works for the ipt2g new bootrom, but geohot didn't take his time to remake anything so that it would work with our device. greenpois0n will support our devices, just takes a little while to write up everything needed. --JakeAnthraX 05:24, 13 October 2010 (UTC)
IPT2G support is now in greenpois0n --FClinton 23:39, 19 October 2010 (UTC)
It's not a matter of time, the exploit itself is not compatible with ipt2g bootrom. GreenPois0n use another bootrom exploit to achieve the compatiblity with ipt2g. --Pod2g


I added info about it and how to remove it for people who activate with iTunes. Hope no one minds. --cmdshft 04:31, 13 October 2010 (UTC)

I have my 3GS officially activated and had no problems at all with this dylib or anything else related to activation so far... I'm officially unlocked too... Should I still remove the dylib even if I had no problems?? --Luxiel 17:02, 19 October 2010 (UTC)
Nevermind, i just followed that tutorial and end up fucking my 3GS, restoring it ATM... So, I will use greenpois0n once it is done... That tutorial just fucked my activation... thx for the one that posted it... --Luxiel 02:26, 21 October 2010 (UTC)
Just completing this history... I followed those commands with my officially activated 3GS and I had to clean restore and rejailbreak with limera1n... So I guess this "hacktivation may be harmfull" thing may be wrong... --Luxiel 19:56, 21 October 2010 (UTC)