Difference between revisions of "Limera1n"

#REDIRECT [[User:RobertXD]]* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit.

* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]].

== Changelog ==

{| class="wikitable"

|-

| <div style="text-align: center">'''Version'''</div>

| <div style="text-align: center">'''Release time'''</div>

| <div style="text-align: center">'''MD5 Hash'''</div>

| <div style="text-align: center">'''Change comment'''</div>

|-

| BETA 1

| 9 Oct 2010 XX:XX GMT

| 2f2b09a6ed5c5613d5361d8a9d0696b6

| First release.

|-

| BETA 2

| 10 Oct 2010 XX:XX GMT

| a70dccb3dfc0e505687424184dc3d1ce

| Fixed kernel patching magic. Rerun BETA2+ over BETA1.

|-

| BETA 3

| 10 Oct 2010 XX:XX GMT

| 81730090f7de1576268ee8c2407c3d35

| Fixed an issue with [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]])

|-

| BETA 4

| 10 Oct 2010 XX:XX GMT

| d901c4b3a544983f095b0d03eb94e4db

| Uninstall fixed, respring fixed

|-

| RC1

| 11 Oct 2010 XX:XX GMT

| 0622d99ffe4c25f75c720a689853845f

| out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller

|-

| RC1b

| 11 Oct 2010 XX:XX GMT

| fc6f7d696a57c3baede49bdff8a7f43f

| addresses an install issue, mainly with iPads

|-

| Final

| 11 Oct 2010 23:XX GMT

| fc6f7d696a57c3baede49bdff8a7f43f

| (same as RC1b)

|}

== Technical Information ==

=== Basics ===

* limera1n has nothing to do with [[SHAtter]] at all.

* limera1n uses a [[bootrom]] exploit to achieve the [[tethered jailbreak]] and unsigned code execution.

* limera1n uses a [[userland]] exploit to make it [[untethered]], which was developed by [[User:Comex|comex]].

* limera1n uses a hacktivation dylib to perform [[hacktivation]].

=== Exploits ===

limera1n reuses the [[Usb_control_msg(0x21,_2)_Exploit|usb_control_msg(0x21,2)]] but exploits a different vulnerability (see [[Limera1n Exploit]]).

=== Process ===

The jailbreak appears to execute something like the following (in no particular order):

* In recovery1,

"setenv debug-uarts 1

setenv auto-boot false

saveenv"

* In [[DFU Mode]], it uploads a [[payload]].

* In recovery2, it uploads another [[payload]] and its [[ramdisk]].

"setenv auto-boot true

reset

geohot done"

=== Interesting Messages ===

"geohot black is the new purple"

"blackra1n start: %d current IRQ mask is %8.8X

usb irq disabled...shhh

fxns found @ %8.8X %8.8X

found iBoot @ %8.8X

i'm back from IRQland...

3g detected, kicking nor

nor kicked

memcpy done

iBoot restored!!!

found command table @ %8.8X

cmd_geohot added

time to pray...%8.8X"

"2.2X send command(%d): %s

send exploit!!!

sent data to copy: %X

sent shellcode: %X has real length %X

never freed: %X

sent fake data to timeout: %X

sent exploit to heap overflow: %X

sending file with length: 0x%X Mingw runtime failure:

VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d."

== Controversy ==

The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)]] into not releasing SHAtter, but to instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing [[SHAtter]] would uselessly disclose another bootrom exploit to Apple.

[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas [[SHAtter]] still has a chance of remaining useful for an indefinite amount of time. In the [[iPad 2]], the exploit is indeed fixed, and the limera1n exploit is not present. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]].

limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices.

== Hacktivation ==

limera1n will copy hacktivation.dylib to [[:/usr/lib]] and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.

== External Links ==

* [http://limera1n.com/ Official domain]

* [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror]

* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.]

* [http://www.pastie.org/1210054 Veeence's explanation for release]

* [http://www.cmdshft.ipwn.me/blog/?p=555 Hacktivation removal guide.]

[[Category:Hacking Software]]