Following Apple's new releases including the new 4G-ready iPad, a revamped Apple TV unit and iOS 5.1, the makers of popular jailbreak tools are also apparently hard at work in an attempt to figure out new ways to jailbreak the updated firmware.
Although jailbreakers were able to release Redsn0w 0.9.10b6, allowing users to perform a tethered jailbreak on non-A5 devices like the iPhone 4, 3GS, the original iPad and the iPod touch, the users of A5 devices - iPhone 4S and iPad 2 - are still out of luck.
However, an update by French iOS hacker pod2g on Sunday brought a little ray of hope when he announced that he is working actively on finding vulnerabilities in iOS 5.1 that could ultimately be used to produce an untethered jailbreak for all devices.
As jailbreak utilities like Redsn0w and Sn0wbreeze have grown in popularity over the years, Apple has also made significant progress in both hardware and software, making it increasingly difficult for jailbreakers to find vulnerabilities that can be used to build jailbreak tools.
In a bid to counter the issue, the Chronic Dev Team released the Chronic Dev Crash Reporter Tool last year, allowing iOS device users to anonymously send all device crash logs to the team, instead of sending them to Apple.
It seems that jailbreakers again want to use the same tactic of involving users in finding bugs, with pod2g calling on the jailbreak community, or any iOS device user for that matter, to help him find vulnerabilities in iOS 5.1 by sending crash reports to him.
In his official blog, pod2g has provided some helpful information on what is actually needed to produce a fully functional and distributable untethered jailbreak.
Here's what pod2g wants users to know:
How can I help the jailbreak community?
To jailbreak a device, hackers need a set of exploitable vulnerabilities:
- a code injection vector: a vulnerability in the core components of iOS that leads to custom, unsigned code execution.
- a privilege escalation vulnerability: it's usually not enough to have unsigned code execution. Nearly all iOS applications and services are sandboxed, so one often needs to escape from the jail to trigger the kernel exploit.
- a kernel vulnerability: the kernel is the real target of the jailbreak payload. The jailbreak has to patch it to remove the signed code enforcement. Only the kernel can patch the kernel; that's why a code execution vulnerability in the context of the kernel is needed.
- an untethering vulnerability: when the device boots, it is unpatched, thus cannot run unsigned code. Thus, to start the jailbreak payload at boot time, a code execution vector either in the services bootstrap or in the loading of binaries is mandatory.
You can help if you can crash either a core application (Safari, Mail, etc.) or the kernel in a repeatable way. A kernel crash is easy to recognize as it reboots the device.
There are some more important facts that users must be aware of:
- Always test on the latest iOS version before reporting a crash (at the time of writing, iOS 5.1)
- Be sure to not report crashes to Apple: on your iOS device, go to Settings/General/About/Diagnostics & Usage, and verify that Don't Send is checked.
- Not all crashes are interesting: aborts, timeouts or out-of-memory crashes are useless. Verify in the crash dump under Settings/General/About/Diagnostics & Usage/Diagnostic & Usage Data that the crash report you created is of Exception Type SIGILL, SIGBUS or SIGSEGV.
- The crash should be repeatable, which means you should know what exact steps produced it and how to produce it on another device.
Users can send crash reports to iOS.email@example.com. Before sending a crash report, they should check that it falls under one of the exception types mentioned above.
Along with the report, users should also include the steps to reproduce the bug.
"Crash reports are useless without explanations on how to reproduce them!!!" pod2g tweeted.
He also asked users not to send reports of bugs in third-party App Store apps like Angry Birds, Ultimate Soccer Sounds, etc.
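The four filters above (latest iOS only, no third-party apps, only SIGILL/SIGBUS/SIGSEGV, reproducible) are the kind of checks anyone collecting crash reports, for bug triage or for a jailbreak effort, applies before a human looks at a log. The following script is an added example written for this page; it is not code from the article, from pod2g or from the Chronic Dev Team. It reads the header of an iOS user-space crash log (the standard `Process:`, `Path:`, `OS Version:` and `Exception Type:` fields) and applies the first three filters; the four sample reports are constructed, and the `/var/mobile/Applications/` prefix is assumed to mark App Store installs. Repeatability cannot be judged by a script, so that check stays with the reporter.

```python
import re

# Signals the article says are worth reporting; aborts, timeouts and OOM kills are filtered out.
INTERESTING_SIGNALS = {"SIGILL", "SIGBUS", "SIGSEGV"}
# Latest iOS at the time the article was written.
TARGET_OS_VERSION = "5.1"
# Assumption: third-party App Store apps are installed under this prefix, system apps under /Applications.
APPSTORE_PREFIX = "/var/mobile/Applications/"

HEADER_FIELDS = {
    "process": re.compile(r"^Process:\s+(\S+)", re.M),
    "path": re.compile(r"^Path:\s+(\S+)", re.M),
    "os_version": re.compile(r"^OS Version:\s+iPhone OS (\d+(?:\.\d+)*)", re.M),
}
# e.g. "Exception Type:  EXC_BAD_ACCESS (SIGSEGV)"; the signal in parentheses may be absent.
EXC_TYPE_RE = re.compile(r"^Exception Type:\s+(\S+)(?:\s+\((SIG\w+)\))?", re.M)


def parse_report(text):
    """Extract the header fields the triage rules need from one crash log."""
    info = {}
    for name, rx in HEADER_FIELDS.items():
        m = rx.search(text)
        info[name] = m.group(1) if m else None
    m = EXC_TYPE_RE.search(text)
    info["exc_type"] = m.group(1) if m else None
    info["signal"] = m.group(2) if m else None
    return info


def triage(text):
    """Apply the article's filters; return (accepted, reason)."""
    info = parse_report(text)
    if info["path"] and info["path"].startswith(APPSTORE_PREFIX):
        return False, f"third-party App Store app ({info['process']})"
    if info["os_version"] != TARGET_OS_VERSION:
        return False, f"not the latest iOS ({info['os_version']})"
    if info["signal"] not in INTERESTING_SIGNALS:
        return False, f"{info['exc_type']} ({info['signal']}) is not SIGILL/SIGBUS/SIGSEGV"
    return True, f"{info['process']} crashed with {info['signal']} on iOS {info['os_version']}"


# Constructed sample reports (only the header lines the parser uses).
SAMPLE_SAFARI = """\
Process:         MobileSafari [482]
Path:            /Applications/MobileSafari.app/MobileSafari
OS Version:      iPhone OS 5.1 (9B176)
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000010
"""

SAMPLE_ABORT = """\
Process:         MobileMail [310]
Path:            /Applications/MobileMail.app/MobileMail
OS Version:      iPhone OS 5.1 (9B176)
Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x00000000, 0x00000000
"""

SAMPLE_APPSTORE = """\
Process:         ExampleGame [1204]
Path:            /var/mobile/Applications/00000000-0000-0000-0000-000000000000/ExampleGame.app/ExampleGame
OS Version:      iPhone OS 5.1 (9B176)
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000
"""

SAMPLE_OLD_OS = """\
Process:         MobileSafari [417]
Path:            /Applications/MobileSafari.app/MobileSafari
OS Version:      iPhone OS 5.0.1 (9A405)
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: 0x00000000, 0x00000000
"""

SAMPLES = {
    "safari": SAMPLE_SAFARI,
    "abort": SAMPLE_ABORT,
    "appstore": SAMPLE_APPSTORE,
    "old_os": SAMPLE_OLD_OS,
}


def triage_all(samples=SAMPLES):
    """Triage every sample; returns {name: (accepted, reason)}."""
    return {name: triage(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in triage_all().items():
        print(f"{name:9} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Only the Safari report passes: the Mail crash is a SIGABRT, the game crash comes from an App Store app, and the second Safari crash was recorded on iOS 5.0.1. The same header fields are what a reporter sees under Diagnostic & Usage Data, so the script only automates the check the article asks users to do by hand.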