GeoHot Explains How the PurpleRa1n Jailbreak Works

Posted July 13, 2009 at 9:22pm by iClarified
GeoHot has added an entry to TheiPhoneWiki explaining how his purplera1n iPhone 3GS jailbreak works.

Below you can read the step-by-step description of what the exploit does...

* purplera1n sends the enter recovery commands using iTunesMobileDevice
* once in recovery (iBoot), it sends the iBoot Environment Variable Overflow exploit
* the exploit adds a "geohot" command to the phone which runs the payload
* the "geohot" command is run, control is now transferred from iBoot to the payload
* the purplera1n client is done

Inside payload
* the payload restores the default environment variable ring buffer and saves the environment to nvram (sets auto-boot to true)
* it patches iBoot to load unsigned img3s and not care about the tags
* it loads the purplera1n picture (sent with payload)
* the nor patcher starts
* LLB is decrypted, patched, and increased in size to 0x24200. This is the resident 0x24000 Segment Overflow exploit
* a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
* iBoot is decrypted, patched
* everything else is read as is
* nor is written back, nor patcher is done
* kernel is loaded, decrypted, and patched
* ramdisk is loaded (sent with payload) and moved to ramdisk region at 0x44000000, patched kernel is tacked on to the end
* patched kernel is booted
* control is now transferred from payload to ramdisk

Inside ramdisk
* launchd is run, all stuff happens here
* /dev/disk0s1 is mounted
* fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively
* Freeze.app is transferred and Freeze.app loader has SUID bit set
* patched kernel is read from end of ramdisk block device and written to filesystem
* ramdisk is done, rebooting...

Reboots as jailbroken phone
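The "0x24000 Segment Overflow" step above says LLB is grown from its region size to 0x24200 bytes, which is the signature of a loader that trusts a declared length without checking it against the region it copies into. As an added example (not code from the page, from purplera1n or from Apple's bootloader), here is a constructed boot-stage segment loader with that check in place, next to the unchecked variant that would let an oversized segment run past its region. The loader, header and region layout are hypothetical; only the two sizes come from the page.

```c
/* Constructed model of a boot-stage segment loader (hypothetical; only the
 * sizes 0x24000 and 0x24200 are taken from the page). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEGMENT_REGION_SIZE 0x24000u  /* bytes reserved for the loaded segment */

typedef struct {
    uint8_t  segment[SEGMENT_REGION_SIZE];
    uint32_t next_stage_entry;        /* hypothetical field an overflow would clobber */
} boot_region_t;

typedef struct {
    uint32_t data_len;                /* declared length, taken from the (untrusted) image */
} segment_header_t;

static boot_region_t g_region;        /* static: too large for the stack */

/* Unchecked variant, kept only to show the defect: it trusts data_len, so a
 * 0x24200-byte segment writes 0x200 bytes past 'segment'. Never called here. */
void load_segment_unchecked(boot_region_t *r, const segment_header_t *h, const uint8_t *d)
{
    memcpy(r->segment, d, h->data_len);
}

/* Hardened loader: returns 0 on success, -1 when the segment is rejected. */
int load_segment(boot_region_t *r, const segment_header_t *h, const uint8_t *d, size_t avail)
{
    if (h->data_len > SEGMENT_REGION_SIZE) {
        fprintf(stderr, "segment 0x%x > region 0x%x: rejected\n", h->data_len, SEGMENT_REGION_SIZE);
        return -1;
    }
    if (h->data_len > avail)          /* header claims more bytes than were supplied */
        return -1;
    memcpy(r->segment, d, h->data_len);
    return 0;
}

/* Feeds the hardened loader a segment of the given declared length and reports
 * 1 if it was accepted with the adjacent field intact, 0 if it was rejected. */
int try_load(uint32_t declared_len)
{
    static uint8_t image[0x24200];    /* constructed image, big enough for both cases */
    segment_header_t hdr = { declared_len };
    memset(image, 0xAA, sizeof image);
    g_region.next_stage_entry = 0x1234;
    if (load_segment(&g_region, &hdr, image, sizeof image) != 0)
        return 0;
    return g_region.next_stage_entry == 0x1234;
}

int main(void)
{
    printf("0x24000: %d\n", try_load(0x24000)); /* fits exactly: 1 */
    printf("0x24200: %d\n", try_load(0x24200)); /* oversized: rejected, 0 */
    return 0;
}
```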

RRR - August 4, 2009 at 6:25am
I got an iPhone 3GS which won't turn on. It got stuck on purplera1n's entering recovery mode. The iPhone won't turn on now. Can you help? I tried to connect to iTunes so I can do a recovery, but it doesn't seem to see the iPhone.
Edge777 - July 15, 2009 at 2:36pm
Well, lol, at least I know how to write a sentence. It was painful to read your post! I do have to say, I don't think I trust a "hacker" (cough... ya... right...) who doesn't even know how to turn on his spell check (although, to be honest, most of your mistakes were at a 4th grade grammar level). That being said, I should be fair, you don't get a lot of opportunity to socialize and talk like a normal person when you play video games in your parents' basement all day... just sayin'
yasha - July 15, 2009 at 8:48am
Real hax0rs not afraid to show code cuz they know there's always another bug waiting... much respect to geohot!
ayyywa - July 14, 2009 at 11:26am
What is somewhat frustrating is that Apple is taking North America for a ride. Many other countries banned the sale of locked iPhones and I don't see a reason why we can't lobby for that in the US and Canada. I know that JB is different, but an unlocked phone is a right since we are entering into a contract for service. Price with no contract should include an officially unlocked phone too. Unless we all go for this, it won't happen. cheers
MOCHA - July 13, 2009 at 11:07pm
I just think he released this information knowing that there is another way to jailbreak. And even without him releasing this information Apple probably only knows how to fix this bug. He seems like a pretty smart guy and totally not like an idiot. What I know for sure is that he really likes public attention, so he feels like a rock star or something lol
ernstlustig - July 14, 2009 at 3:34am
1st thought: It is impossible to write flawless software once it has reached a certain level of complexity. So there will always be a way to break in. 2nd thought: The only thing that counts for Apple is profit. They have no other mission. Many customers (me included) wouldn't pay for an iPhone without the ability to bypass Apple's censorship. Jailbreaking is fun and attracts customers == $$$ for Apple. This is why I'm persuaded that Apple will always and deliberately leave a hole open for jailbreaking. Just follow the money.
ernstlustig - July 16, 2009 at 4:30am
Oh fredrik! Compared to what people pay for their overpriced contracts AppStore is peanuts. Jailbreak is not Crackul0us. All jailbreakers I know pay deliberately for the apps. I want to support the independent developers.
Jeff - July 13, 2009 at 10:27pm
Guess you Bought it Hook-Line-Sinker also?.. YEP your Boys are still Behind the game!.. BET: George will beat them to the NEXT Jailbreak, BUT the Dev-Team will "SAY" they're doing the Right thing! George will let it out, Then the Dev-Team "AGAIN" will say they HAD the SAME Break!.. NOBODY will convince you of this, but that is JUST what happened this time and will happen again.. YOUR boys are behind George and they KNOW it! But it's for the BEST!....
mr.sudoku - July 13, 2009 at 10:29pm
You're wrong. GeoHotz is a good man. If he didn't release the ra1n, Dev-Team wouldn't release the sn0w. What are you scared of? It's the cat & mouse game. Let's play & enjoy.
Edge777 - July 13, 2009 at 10:32pm
Oh ya Jeff, not sure if you're quite smart enough to know all this stuff, but.... RedSn0w is not a reworked version of purplerain. It works differently (and in this case, works better, without the bugs). I know more than a few people who used purplerain, and then decided to do a full restore and re-jailbreak with RedSn0w just so that their phones weren't screwed up. This I know - the Dev Team always acts professionally, and humbly, being very good at communicating and keeping people in the loop. Georgie has always come across as arrogant, conceited, and a know-it-all. I don't know about you, but I don't tend to trust those kinds of people.
Edge777 - July 13, 2009 at 10:00pm
Um, noooooooo, they were doing the responsible thing, for the good of the most people, rather than just wanting to be self promoting. It's quite evident from Georgie's comments that he could care less about the people and is only in this for his own fame. He rushed out a faulty product, so that Apple could close the holes before the iPhone arrived in the rest of the world (yes, there are actually real countries with real people, outside of the USA). And, tell me this, why, now after the Dev Team has released RedSn0w, does Georgie feel the need to once again have his name out there, explaining exactly everything? Methinks he wants Apple to plug the hole, so that he can get the great savior... however, what happens if he can't find another hole? Think about it, Apple has been getting better and better at making jailbreaking harder and harder.
Jeff - July 13, 2009 at 10:23pm
Guess you Bought the "Responsible" Thing Huh? They didn't have it, it was released as Purplera1n. THEN the Dev-Team said "Oh We had the Same Break".. Without George they had Nada!.. But NOBODY will convince you of this, You Bought it, Hook-Line-Sinker!
Jeff - July 13, 2009 at 10:32pm
But he did it First!.. Even following Twitter Posts of ALL of them!.. Again, YOU will Never be convinced. I ran Purplera1n & Redsn0w.. I had ZERO problem with Either, and after the original Package for Windows of PR a Mac Version came out, I ran this also. THEY all do the SAME IDENTICAL thing, So WHY hold it back (If you have it) when 3.01 has been announced and 3.1 is in the Works? I Don't think they Had it till George Released it, then their Reply was "WE HAD the SAME BREAK"?.... Either way, Spilled Milk Now!
Edge777 - July 13, 2009 at 11:01pm
NOT spilled milk now. This is NOT about purplerain being released first. This is about Georgie releasing all the how's and what's. You have yet to answer why one would do that???
Edge777 - July 14, 2009 at 12:02am
Hmm, you don't seem to know much, lol. And um, Apple DOES care. It's why they've made jailbreaking harder on the 3GS (having to be registered and all).
Awayze - July 14, 2009 at 7:27am
GeoHot knows more than one exploit, Dev Team doesn't. Even if Apple closes it, GeoHot can use one of the other exploits he found. 3GS will always be unlockable according to GeoHot, and he knows more about the iPhone than Dev Team put together.
Aaron Wright - July 13, 2009 at 9:32pm
Good job guys! Now Apple can fix everything you just described in detail!