Wednesday, January 4, 2012

Untethered Jailbreak iOS 5.0.1: Pod2G published information about Corona 5.0.1 Untether

Two days ago the jailbreak developer Pod2G published more technical details about the untethered jailbreak for iOS 5.0.1. For owners of a device with a tethered jailbreak, the easiest way is to install the package "Corona 5.0.1 Untether" via Cydia. In his blog entry about the jailbreak, Pod2G also reveals how it got its funny name: Corona is an anagram of "racoon", the IPsec IKE daemon.
More interesting, however, are the finer details of how the untethered jailbreak is implemented. Pod2G has gone into more detail here and published some information on his blog. The key point is that the jailbreak uses two vulnerabilities to inject the "foreign" code into iOS 5.0.1:

Userland exploit:
The developer Pod2G found a vulnerability in the handling of a config file by the IKE daemon "racoon". This vulnerability allows unsigned code to run. The developer uses it, by way of a modified config file, to trigger the kernel exploit. Unfortunately, the vulnerability is easy to fix and is expected to be closed quickly in iOS 5.0.2 and 5.1.
Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I looked for vulnerabilities in Apple's existing binaries that I could call using standard launchd plist mechanisms. Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon. It comes by default with iOS and is started when you set up an IPsec connection. Now you got it, Corona is an anagram of racoon :-).
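
The bug class named in the quote above, a format string flaw in configuration parsing, shown from the defensive side as an added C example that is not from the original post or from racoon's source: the error reporter keeps its format constant, and a small auditor flags config lines that contain printf-style directives. The function names, the config keywords and the sample text are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical parser error reporter (not racoon's code).
 * Bug class: snprintf(out, n, token) makes the file's text the format string.
 * Hardened form: constant format, untrusted token passed only as data. */
int report_bad_token(char *out, size_t n, int line, const char *token)
{
    return snprintf(out, n, "line %d: unknown token \"%s\"", line, token);
}

/* Count printf-style directives in n bytes; an escaped "%%" is skipped. */
int count_directives(const char *s, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] != '%') continue;
        if (i + 1 < n && s[i + 1] == '%') { i++; continue; }
        hits++;
    }
    return hits;
}

/* Lines carrying directives; *first = first such line (1-based), 0 if none. */
int audit_config(const char *text, int *first)
{
    int line = 1, bad = 0;
    *first = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (count_directives(text, len) > 0 && bad++ == 0) *first = line;
        text += len;
        if (*text == '\n') text++;
        line++;
    }
    return bad;
}

/* Constructed sample; the keywords are made up for illustration. */
static const char SAMPLE_CONF[] =
    "log_level notify;\n"
    "banner \"100%% ready\";\n"
    "peer_label \"vpn-%08x-%s\";\n";

int main(void)
{
    int first, bad = audit_config(SAMPLE_CONF, &first);
    printf("%d flagged line(s), first at line %d\n", bad, first);
    return 0;
}
```

A flagged line is a prompt for review, not proof of tampering: it only matters when the parser in question passes file content to a printf-family function as the format.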

Kernel exploit:
For the modified config file and the unsigned code to be accepted, the kernel's security checks must be turned off. This is accomplished through a buffer overflow.
I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject. This helped me a lot. I may have given up without them. The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent, replacing a syscall with a write-anywhere gadget. Some syscalls (first 0xA0 bytes and the last 0x6 bytes) are trashed in the operation because I needed to respect the HFS protocol.

A more detailed description of the topic can be found in the corresponding blog entry by Pod2G. In addition, owners of an iPhone 4S or iPad 2 can also look forward to an untethered jailbreak, because the developer has now made some progress and the jailbreak could be released sometime next week.


