Pod2g has posted some details on how the Corona untethered jailbreak works.
In a new post on his blog, pod2g notes that Apple has fixed all previously known ways of executing unsigned binaries in iOS 5.0, so Corona had to take another route.
For Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I searched for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.
Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection.
Now you got it, Corona is an anagram of racoon :-) .
Pod2g notes that the ROP exploit payload triggers a kernel exploit that relies on an HFS heap overflow bug he found earlier.
I don't know exactly what happens in the kernel code; I never figured it out exactly. I found it by fuzzing the HFS btree parser. I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject.
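The bug class pod2g describes, a configuration parser that hands text read from the config file to a printf-style function as its format string, shown beside its hardened form as an added C example. This is constructed illustration code, not pod2g's or racoon's; the key names `listen` and `path`, the function names and the sample line are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical daemon config parser, constructed for illustration (not racoon's
 * code). Known keys are "listen" and "path"; any other key is reported. */
/* Vulnerable form: the key read from the config file becomes the format
 * string, so any directive in it is interpreted by snprintf. */
void report_unknown_key_vuln(char *out, size_t n, const char *key)
{
    snprintf(out, n, key); /* BUG: data as format; gcc -Wformat-security flags this */
}

/* Hardened form: fixed format string, the key travels as a %s argument. */
void report_unknown_key_safe(char *out, size_t n, const char *key)
{
    snprintf(out, n, "unknown key: %s", key);
}

/* Audit aid: a legitimate config key never needs a '%' character. */
bool has_format_directive(const char *token)
{
    return strchr(token, '%') != NULL;
}
/* Parse one "key value" line into diag. Returns 0 for a known key, 1 when an
 * unknown key was reported, -1 on a malformed line. */
int parse_config_line(const char *line, char *diag, size_t n, bool hardened)
{
    char key[32];
    diag[0] = '\0';
    if (sscanf(line, "%31s", key) != 1)
        return -1;
    if (strcmp(key, "listen") == 0 || strcmp(key, "path") == 0)
        return 0;
    if (hardened)
        report_unknown_key_safe(diag, n, key);
    else
        report_unknown_key_vuln(diag, n, key);
    return 1;
}

int main(void)
{
    char diag[64]; /* constructed line: "%%" is the one directive that stays deterministic */
    parse_config_line("50%% value", diag, sizeof diag, false);
    printf("vulnerable: %s\n", diag); /* vulnerable: 50% */
    parse_config_line("50%% value", diag, sizeof diag, true);
    printf("hardened: %s\n", diag);   /* hardened: unknown key: 50%% */
    return 0;
}
```

The `%%` token is the only directive whose effect is deterministic without undefined behaviour, which is why the demo uses it; the vulnerable path collapses it to a single `%`, showing the parser is interpreting file content as a format, while the hardened path reproduces the key verbatim.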
Comments (9)
Snuf - January 2, 2012 at 11:01pm
Hey Pod keep up the great work. It's amazing you are able to live your normal life and still have time to find a way to offer us a free JB. You will always have haters, unfortunately even the people you are helping. I (and many other grateful iPhone owners) look forward to your achievements in 2012. Happy New Year!
michael B - January 2, 2012 at 11:42pm
Free JB!!!! He's earned almost 60,000 with donations.... Free JB is far, far, far from being real!
Me - January 3, 2012 at 12:02am
He deserves to make $100,000 for this jailbreak.. I personally sent him $450 ...
My iPhone is worth more... we don't help people that help us..
If you are a clever fellow then you won't be reading this..
You would've made your own shit!!
That's why doctors and surgeons make half a million dollars; they went to college, spent over 20 yr in school.
You work hard in America, you will have a better life.
The kid is so smart...
Now with this $$ he will go to college for FREE..
Great job POD2...
Release IPHONE4S JB, I'll send you another $450.
No prob here.
See you soon, my friend.
DT - January 3, 2012 at 12:51am
@the blog below.... Hey man, you never donated $450. I checked with pod2g and he said nothing over ten bucks for a single donation, but.... it added up to $60 thousand total for 4 months' work.
pod2g - January 2, 2012 at 9:20pm
Pod2g wants the same deal as comes. He's showcasing his work to prove to Apple that he understands their system, and so they should hire him.
Boywonda - January 2, 2012 at 9:14pm
Every day I come here just to see that little PWNED icon and get a little excited that it will say TETHERED or UNTETHERED JAILBREAK FOR A5 DEVICES.... I'm usually left disappointed. Sigh.
david - January 2, 2012 at 9:33pm
Exactly!!!
kijijij - January 2, 2012 at 9:12pm
Yeah mate, that's my ad. Do you wanna give me 10 bucks? Or download it here for free...
Yi - January 2, 2012 at 8:57pm
Can someone please explain to me who wants to know how Corona works???? It works and that's what's important. We need a way to jailbreak A5 devices. I don't care how it's done. Just make it real.