Chronic Dev Team member pod2g has an interesting New Year gift for his fans: the French hacker has updated his blog with juicy details of Corona, the untethered jailbreak for non-A5 devices running iOS 5.0.1. Many of his followers, however, did not appreciate his hard work and instead criticized him for not having released an A5 jailbreak yet.
Pod2g made headlines by being the first hacker to release an untethered jailbreak for iOS 5.0.1 on non-A5 devices. Pod2g and rival MuscleNerd (a big name among jailbreakers, who had a semi-tethered jailbreak, redSn0w, for iOS 5 within a day of its release) were working round the clock last month to find the untethered jailbreak for iOS 5.0.1.
Both the Chronic Dev Team and the iPhone Dev Team (of which MuscleNerd is a member) have released the A4 untethered jailbreak for 5.0.1 based on pod2g's work: Corona 5.0.1 and redsn0w 0.9.10b3 respectively.
It is exactly the same set of files, either distributed as a Cydia package for those that are already tethered or a redsn0w bundle for new users, pod2g posted on his blog. They both did a great job testing and integrating the payload.
Here is a link to their respective blog posts:
- Chronic Dev Team : http://greenpois0n.com/?p=150
- iPhone Dev Team : http://blog.iphone-dev.org
In his most recent blog post, pod2g shared the latest details on Corona jailbreak:
Now that Corona was released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.
1. The userland exploit
Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.
In the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Mach-O loader didn't check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different techniques found by @comex, either:
- the interposition exploit
- the initializer exploit
Here is a detailed explanation of the incomplete code sign tricks used before 5.0: http://theiphonewiki.com/wiki/index.php?title=Incomplete_Codesign_Exploit
In iOS 5.0, data pages also need to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though (https://twitter.com/#!/i0n1c/status/145132665325105152). We may see this in the 5.1 jailbreak.
Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.
Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection.
Now you got it, Corona is an anagram of racoon :-) .
By the way, the exploitation of the format string vulnerability is different from what was done in 2001; check it out if you're interested!
For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command: racoon -f racoon-exploit.conf
racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.
The format string bug is utilized to copy the ROP bootstrap payload to memory and to execute it by overwriting a saved LR in the racoon stack with a stack pivot gadget.
The ROP bootstrap payload copies the ROP exploit payload from the payload file which is distributed with Corona, then stack pivots to it. The idea is to escape from format strings as fast as possible, because they are CPU time consuming.
The ROP exploit payload triggers the kernel exploit.
2. The kernel exploit
The kernel exploit relies on an HFS heap overflow bug I found earlier. I don't know exactly what happens in the kernel code; I never figured it out exactly. I found it by fuzzing the HFS btree parser.
I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject. They helped me a lot; I may have given up without them.
The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent replacing a syscall to a write anywhere gadget. Some syscalls (first 0xA0 bytes and the last 0x6 bytes) are trashed in the operation because I needed to respect the HFS protocol.
Thus, I restore them as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it.
The kernel exploit just patches the kernel security features, as usual. Nothing interesting there.
Happy New Year 2012 to you all, thanks a lot for the donations.
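The bug class at the heart of the userland stage above is worth seeing in isolation. The following C program is an added illustration, not racoon's code and not anything pod2g published: a hypothetical configuration parser that reports an unknown key by handing the key text straight to a printf-style function as the format argument, next to the hardened form that uses a fixed format and passes the value as data. A small directive counter is included as the kind of audit or input-validation check a defender can put in front of legacy code; the config value "mtu%%" is a constructed sample chosen so the vulnerable variant runs without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (hypothetical parser, not racoon). A config value that
 * reaches a printf-family function as the FORMAT argument lets the file
 * author drive the format engine; the fix is a fixed format string with
 * the value passed as an ordinary argument.
 */

/* Vulnerable pattern: the config value itself is the format string.
 * snprintf parses any '%' directives found inside `key`. */
int report_unknown_key_vulnerable(char *out, size_t n, const char *key)
{
    return snprintf(out, n, key);
}

/* Hardened pattern: fixed format, config value passed as data. */
int report_unknown_key_hardened(char *out, size_t n, const char *key)
{
    return snprintf(out, n, "unknown key: %s", key);
}

/* Defensive check: count printf conversion directives in untrusted text.
 * "%%" is an escaped percent sign and is not counted. Usable as an audit
 * helper or as an input validator where the logging code cannot be changed. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Constructed sample value: "mtu%%" contains only an escaped percent, so the
 * vulnerable call is safe to run here but still shows the engine consuming
 * the value as a format string. Returns 1 when both observations hold. */
int demo_escape_is_consumed(void)
{
    char vuln[64], hard[64];
    const char *key = "mtu%%";   /* constructed config value */

    report_unknown_key_vulnerable(vuln, sizeof vuln, key);
    report_unknown_key_hardened(hard, sizeof hard, key);

    /* vulnerable: "%%" was interpreted and became "%"; hardened: value intact */
    return strcmp(vuln, "mtu%") == 0 &&
           strcmp(hard, "unknown key: mtu%%") == 0;
}

int main(void)
{
    printf("escape consumed by vulnerable variant: %s\n",
           demo_escape_is_consumed() ? "yes" : "no");
    printf("directives in \"remote %%p %%x %%n\": %d\n",
           count_format_directives("remote %p %x %n"));
    return 0;
}
```

Compilers flag the vulnerable call when asked: gcc and clang's `-Wformat-security` warns about a non-literal format with no arguments, and building with `-Werror=format-security` turns that into a build failure, which is the cheapest way to keep this pattern out of a config parser.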
However, the hacker's followers were not amused. Rather, they were disappointed that pod2g did not post any update on his progress on the A5 jailbreak.
Some followers pleaded with him to update his progress on A5 jailbreak:
Please update us on a5 jailbreak (THE FAULKNERS)
We need you update for A5 please. (Cobra)
hey man, when will a5 jailbreak come out
-iphone 4s user waiting patiently (yosin12)
Where is the Jb for iPad 2 and iPhone 4s we need it man (XODOX)
Others were quite scathing with their remarks:
lol....he just made a blog update and a long one that is with no mention of the A5......Anyone believing he is still working on the A5 is a fucking moron. (Tom)
Boring!! work on A5 - iPad 2 PLEASE (StevenKotler)
This info is definitely useless for most people.
We all want the A5 jailbreak.
Why don't you post some news about that?
Can't understand it.... (der-sascha)
plz JB A5, after that I'll donate !!!
no one wants to know how corona works .. (david)
I have been waiting patiently for an A5 Release forget about an Update I could care less about an Update....Just release the A5 Jailbreak already at this rate it will be 2013 and still no A5 Jailbreak... When the A5 Jailbreak is released then I'll donate as you will deserve it...A4 jailbreaks are walks in the park for these developers not worth any donations (DeeJayBebo401)
We have been patiently waiting for a long time now for the A5 jailbreak. It seems as if he is just waiting for more money: he started with donations and now he is getting quite a bit of cash from Google AdSense ads running on this site. OK, he does need rewards for his hard work; however, I advise you people do not donate until we have the A5 jailbreak. Do not even check out this blog, just follow him on Twitter, as he is getting too greedy with the ads provided by Google. Therefore he is not going to release it anytime soon. People that donated don't even get an update. Please do not donate until we have the jailbreak. Last year we had the same situation with the Chronic Dev Team and their greenpois0n: they took so long and wanted all the publicity, and then geohot came out of the blue and released his much more stable limera1n, and geohot asked for donations once he published the fully downloadable jailbreak. Please only follow pod2g from his Twitter on https://twitter.com/#!/pod2g (NeO23)
However, pod2g had his fair share of supporters as well:
People please don't be stupid and ungrateful. This is a constructive blog post explaining what he has been doing and how; he has the right to say whatever the hell he wants.
STOP asking about the A5 because he already said HE'S WORKING ON IT!
what else do you want if you were stupid enough to buy a device later to be moaning about the lack of jailbreak. Deal with it and wait. (Leo)
This comment board is overcrowded with unicellular, ungrateful twats. The guy's working on his free time, as a hobby, to do these things. It's not like you are entitled to anything here. Get a life. (Charles Beaulieu)
Holy fucking shit you people are ungrateful, undeserving cunts. It's clear this post was generously made to satisfy the curiosity for those of us who would understand. It's disturbing how these stupid pricks think they're ENTITLED to an A5 jailbreak.
Amazing work, pod2g (Tony Ta)
What in the hell is everyone bitching about?! This man has worked for nothing. For fun. For the challenge. And then you ungrateful bastards complain about the A5 jailbreak? You should be ashamed of yourselves. Pod2g, if I were you, I would quit because of their bullshit. I myself am awaiting this jailbreak but I would definitely understand if you decide not to release it. (fro455)
This article is quite captivating! If you don't understand this it's not his or our problem. He can write whatever he pleases to and if you don't like it, go buy an Android, he surely didn't promise you an A5 jailbreak for you buying this device.
Ungrateful twats you are! (Erunestian)
WTF, stop asking about A5 devices !!
He already said, focus on A5 devices
* I also got the iPhone 4S but I keep waiting quietly
Amazing article about the jailbreak process !! too many steps until you can really get it working.
Pod2g, I really appreciate your work, and thanks for sharing this post !!!!
btw, remember why geohot left the scene.
because you didn't stop asking about jailbreak releases !!
so, don't make the same mistake with pod2g :] (Kirma)
6 million sperm, and you lot were the fastest??!
Sheesh.. Seriously .. ENOUGH with asking for the JB. He can't do it quicker than he is now, and won't release it quicker because you demand or swear.
If you don't like it, PISS OFF this site and create your own JB.. Or STFU and post useful comments. (Xushi)
fuck all of you whining about A5. do the A5 jailbreak yourself. thanks @pod2g. (Jeremy)
Are you one of those waiting for A5 jailbreak impatiently? Do you think pod2g's doing a great job on the jailbreak? Leave your comments below.