During the Jailbreak Live event at the Hack in the Box conference in Amsterdam, Absinthe 2.0 was released. pod2g and the “dream team” also took the time to explain exactly how to jailbreak works its magic…
Jailbreaking a device may seem like one click of a button to the end-user but there’s a lot of complicated work that goes into injecting the code that liberates your iOS device.
Here’s the breakdown:
GreenPois0n Absinthe was built upon @pod2g’s Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on for the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.
Corona is an acronym for “racoon”, which is the primary victim for this attack. A format string vulnerability was located in racoon’s error handling routines, allowing the researchers to write arbitrary data to racoon’s stack, one byte at a time, if they can control racoon’s configuration file. Using this technique researchers were able to build a ROP payload on racoon’s stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.
The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad2 and iPhone 4S, which weren’t exploitable to LimeRa1n, so another injection vector was needed.
So as you can see it’s no simple process. These fellas work day and night to make these things possible and bring the latest jailbroken version of iOS to our devices. If you’re interested in learning more visit the Hack in the Box official website to check out all of the presentation notes.