GeoHot Explains How the PurpleRa1n Jailbreak Works  
Monday, 13th July 2009, 09:07 pm

GeoHot has added an entry to TheiPhoneWiki explaining how his purplera1n iPhone 3GS jailbreak works.

Below you can read his step-by-step description of what the exploit does:

-----
* purplera1n sends the enter-recovery commands using iTunesMobileDevice
* once in recovery (iBoot), it sends the iBoot Environment Variable Overflow exploit
* the exploit adds a "geohot" command to the phone which runs the payload
* the "geohot" command is run; control is now transferred from iBoot to the payload
* the purplera1n client is done

Inside payload
* the payload restores the default environment variable ring buffer and saves the environment to NVRAM (sets auto-boot to true)
* it patches iBoot to load unsigned img3s and not care about the tags
* it loads the purplera1n picture (sent with the payload)
* the NOR patcher starts
* LLB is decrypted, patched, and increased in size to 0x24200. This is the resident 0x24000 Segment Overflow exploit
* a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
* iBoot is decrypted, patched
* everything else is read as is
* NOR is written back; the NOR patcher is done
* the kernel is loaded, decrypted, and patched
* the ramdisk is loaded (sent with the payload) and moved to the ramdisk region at 0x44000000; the patched kernel is tacked on to the end
* the patched kernel is booted
* control is now transferred from the payload to the ramdisk

Inside ramdisk
* launchd is run; all the stuff happens here
* /dev/disk0s1 is mounted
* fstab and services are overwritten here to allow disk0s1 writes and afc2, respectively
* Freeze.app is transferred and the Freeze.app loader has its SUID bit set
* the patched kernel is read from the end of the ramdisk block device and written to the filesystem
* the ramdisk is done, rebooting...

Reboots as jailbroken phone
-----
