Difference between revisions of "Limera1n"

From The iPhone Wiki
Jump to: navigation, search
(Background Information: removed ipod touch 2g. limera1n.com doesn't list as commpatable. Before adding, discuss it on the Talk page: Talk:Limera1n)
m (Mention that explanation is an archived version)
 
(181 intermediate revisions by 40 users not shown)
Line 1: Line 1:
  +
{{lowercase}}
== Release ==
 
  +
{{infobox software
On the 9th of October 2010 [[Limera1n]] was released, delaying the release of [[SHAtter]]. [[Limera1n]] is now in Beta 2. It only supports Windows at the moment and a large number of devices have issues.
 
  +
| name = limera1n
  +
| title = limera1n
  +
| logo = [[File:ra1ndrop.png|85px]]
  +
| author = [[User:geohot|George Hotz]]
  +
| developer = George Hotz
  +
| released = {{start date and age|2010|10|09}}
  +
| discontinued =
  +
| latest release version = RC1b
  +
| latest release date = {{start date and age|2010|10|11}}
  +
| programming language = C
  +
| operating system = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]]
  +
| size = Windows:&nbsp;317.5&nbsp;KiB&nbsp;[EXE]<br />OS&nbsp;X:&nbsp;478.1&nbsp;KiB&nbsp;[ZIP]<!-- As of {{date|2015|03|13}}, 325,120 and 489,598 bytes respectively -->
  +
| platform =
  +
| language = [[wikipedia:English|English]]
  +
| status = Deprecated
  +
| genre = Jailbreaking
  +
| license = [[wikipedia:Freeware|Freeware]]
  +
| website = [http://limera1n.com/ limera1n.com]
  +
}}
  +
'''limera1n''' is [[User:Geohot|geohot]]'s [[jailbreak]] utility. It uses a previously undisclosed bootrom exploit (the [[limera1n Exploit]]) and [[User:Comex|comex]]'s [[Packet Filter Kernel Exploit]] to achieve an [[untethered jailbreak]] on many devices. The following devices are supported:
  +
* [[N88AP|iPhone 3GS]]
  +
* [[N90AP|iPhone 4 (iPhone3,1)]]
  +
* [[N18AP|iPod touch (3rd generation)]]
  +
* [[N81AP|iPod touch (4th generation)]]
  +
* [[K48AP|iPad]]
  +
* [[K66AP|Apple TV (2nd generation)]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)
  +
limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] showed off a high-res picture of [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Cydia on an iPhone 4]. He displayed an [http://www.youtube.com/watch?v=__TR86PLiHw iPod touch (3rd generation) with an untethered jailbreak] that met [[User:MuscleNerd|MuscleNerd]]'s requirements for a good video. In addition, he took a picture of [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Cydia and blackra1n icons on an iPad].
   
  +
* '''Release Date:''' [[Timeline#October_11|{{date|2010|10|09}}]]
== Download ==
 
  +
* '''Supported OS's:''' Mac OS X, Windows
<!-- DO NOT CHANGE ANY LINKS! THESE ARE HERE FOR A REASON. ONLY CHANGE TO ADD YOUR OWN MIRROR LINKS! -->
 
  +
* '''Supported Operations:''' [[hacktivation]], [[jailbreak]]ing
{| border=3
 
  +
* '''Supported iOS: 3.2.2-4.1
  +
  +
  +
== Release text ==
  +
<div style="text-align: center">limera1n, 6 months in the making<br />
  +
iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)<br />
  +
4.0-4.1 and beyond+++<br />
  +
limera1n is unpatchable<br />
  +
untethered thanks to jailbreakme star '''comex'''<br />
  +
brought to you by '''geohot'''<br />
  +
hacktivates<br />
  +
Mac coming in 7 years<br />
  +
donations keep support alive<br />
  +
zero pictures of my face</div>
  +
  +
== Credit ==
  +
* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit.
  +
* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]].
  +
  +
== Changelog ==
  +
{| class="wikitable"
 
|-
 
|-
  +
! Version
| Current <!-- DO NOT CHANGE THIS LINK UNLESS THE LINK ON LIMERA1N.com CHANGES! -->
 
  +
! Release Date
| [http://limera1n.com/limera1n.exe HTTP]
 
  +
! MD5 Hash
  +
! Changelog
 
|-
 
|-
| BETA 2
+
| Beta 1
  +
| {{date|2010|10|9}}
| [http://www.box.net/shared/5hm3ce8s3c Box.NET Mirror]
 
  +
| 2f2b09a6ed5c5613d5361d8a9d0696b6
  +
| First release
  +
|-
  +
| Beta 2
  +
| {{date|2010|10|10}}
  +
| a70dccb3dfc0e505687424184dc3d1ce
  +
| Fixed "kernel patching magic". Should be run over a beta 1 jailbreak
  +
|-
  +
| Beta 3
  +
| {{date|2010|10|10}}
  +
| 81730090f7de1576268ee8c2407c3d35
  +
| Fixed an issue with [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]])
  +
|-
  +
| Beta 4
  +
| {{date|2010|10|10}}
  +
| d901c4b3a544983f095b0d03eb94e4db
  +
| Uninstall and respring bugs fixed
  +
|-
  +
| RC1
  +
| {{date|2010|10|11}}
  +
| 0622d99ffe4c25f75c720a689853845f
  +
| [[AFC#AFC2|afc2]], reliability improvements, reboot no longer needed for Cydia; Also ~2&nbsp;KB smaller
  +
|-
  +
| RC1b
  +
| {{date|2010|10|11|}}
  +
| fc6f7d696a57c3baede49bdff8a7f43f<!-- Still the same as of {{date|2015|03|13}} -->
  +
| Addresses an installation issue that mainly affected [[List of iPads|iPads]]
 
|}
 
|}
   
== Background Information ==
+
== Technical Information ==
  +
=== Basics ===
Limera1n is a jailbreak by [[User:Geohot|geohot]]. It is untethered on all supported devices, which include the following (but aren't necessarily limited to):
 
  +
* limera1n has nothing to do with [[SHA-1 Image Segment Overflow|SHAtter]] at all.
* [[N88ap|iPhone 3GS]]
 
  +
* limera1n uses a [[bootrom]] exploit to achieve the [[tethered jailbreak]] and unsigned code execution.
* [[N90ap|iPhone 4]]
 
  +
* limera1n uses a [[userland]] exploit to make it [[untethered]], which was developed by [[User:Comex|comex]].
* [[N18ap|iPod touch 3G]]
 
  +
* limera1n uses a hacktivation dylib to perform [[hacktivation]].
* [[N81ap|iPod touch 4G]]
 
* [[K48ap|iPad]]
 
* Any other [[iOS]] device released thus far (though support for the AppleTV is negligible and hasn't been clarified)
 
   
  +
=== Exploits ===
It has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png] He displayed an [[untethered jailbreak]] that met MuscleNerd's requirements for a good video on the iPod touch 3G: [http://www.youtube.com/watch?v=__TR86PLiHw YouTube Video] In addition, he demonstrated Cydia, blackra1n, and a verbose boot on an iPad (before Spirit was released): [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Image]
 
  +
limera1n reuses the [[Usb_control_msg(0x21,_2)_Exploit|usb_control_msg(0x21,2)]] but exploits a different vulnerability (see [[Limera1n Exploit]]).
   
== Technical Information ==
+
=== Process ===
  +
The jailbreak appears to execute something like the following (in no particular order):
* This does not use [[SHAtter]].
 
  +
* In recovery1,
* This uses a [[bootrom]] exploit (different to the [[greenpois0n]] one) to achieve the tethered jailbreak and unsigned code execution
 
  +
"setenv debug-uarts 1
* This also uses the same userland exploit discovered independently by [[User:comex|comex]]
 
  +
setenv auto-boot false
* [[Chronic Dev (team)|Chronic Dev]] knows about this exploit and has confirmed its legitimacy
 
  +
saveenv"
  +
* In [[DFU Mode]], it uploads a [[payload]].
  +
* In recovery2, it uploads another [[payload]] and its [[ramdisk]].
  +
"setenv auto-boot true
  +
reset
  +
geohot done"
  +
  +
=== Interesting Messages ===
  +
"geohot black is the new purple"
  +
  +
"blackra1n start: %d current IRQ mask is %8.8X
  +
usb irq disabled...shhh
  +
fxns found @ %8.8X %8.8X
  +
found iBoot @ %8.8X
  +
i'm back from IRQland...
  +
3g detected, kicking nor
  +
nor kicked
  +
memcpy done
  +
iBoot restored!!!
  +
found command table @ %8.8X
  +
cmd_geohot added
  +
time to pray...%8.8X"
  +
  +
"2.2X send command(%d): %s
  +
send exploit!!!
  +
sent data to copy: %X
  +
sent shellcode: %X has real length %X
  +
never freed: %X
  +
sent fake data to timeout: %X
  +
sent exploit to heap overflow: %X
  +
sending file with length: 0x%X Mingw runtime failure:
  +
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
  +
Unknown pseudo relocation bit size %d."
   
 
== Controversy ==
 
== Controversy ==
  +
The release of this jailbreak was specifically designed to pressure the [[Chronic Dev (team)|Chronic Dev Team]] into not releasing [[SHA-1 Image Segment Overflow|SHAtter]], and instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing [[SHA-1 Image Segment Overflow|SHAtter]] would uselessly disclose another bootrom exploit to Apple.
The timing impact of this jailbreak release will have major negative consequences on everyone, especially since this jailbreak IS patchable. If this jailbreak is released, the holes used in it might be needlessly burned, seeing as how [[greenpois0n]] is expected to be released the day before limera1n.
 
  +
* Limera1n is probably only being released to pressure chronic dev into using the exploit in greenpois0n. [http://twitter.com/p0sixninja/status/26795401167] Geohot used a similar tactic to pressure the iPhone Dev Team into releasing a 2.0 jailbreak.
 
  +
[[User:Geohot|Geohot]]'s rationale was that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas [[SHA-1 Image Segment Overflow|SHAtter]] still has a chance of remaining useful for an indefinite amount of time. Both vulnerabilities ended up being patched in the [[iPad 2]]. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]].
* The [[Chronic Dev (team)|Chronic Dev Team]] are working extremely hard to implement [[User:geohot|geohot's]] limera1n exploit before the [[greenpois0n]] release date, though it will probably not use that exploit because timing is tight.
 
  +
  +
limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices.
  +
  +
== Hacktivation ==
  +
limera1n will copy hacktivation.dylib to [[:/usr/lib]] and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.
   
 
== External Links ==
 
== External Links ==
  +
* [http://limera1n.com/ Official domain]
* [http://loadingchanges.com/wp-content/uploads/2010/10/limetime.jpg Picture of limera1n in action]
 
  +
* [https://web.archive.org/web/20141026000127/http://www.pastie.org/1210054 (Archive) Veeence's explanation for release]
* http://limera1n.com/
 
  +
* [https://web.archive.org/web/20140226135748/http://www.hackint0sh.org/blackra1n-3g-s-jailbreak-220/how-removing-blackra1n-limera1n-hacktivation-130992.htm (Archive) Hacktivation removal guide]
* http://theiphonewiki.com/limera1n (cached copy)
 
  +
* [http://www.twitlonger.com/show/6d31jr Info from cdevwill]
 
  +
[[Category:Hacking Software]]
  +
[[Category:Jailbreaks]]
  +
[[Category:Jailbreaking]]

Latest revision as of 15:59, 21 May 2022

limera1n
Ra1ndrop.png
Original author(s) George Hotz
Developer(s) George Hotz
Initial release 9 October 2010; 14 years ago
Stable release RC1b / 11 October 2010; 14 years ago
Development status Deprecated
Written in C
Operating system Windows / OS X
Size Windows: 317.5 KiB [EXE]
OS X: 478.1 KiB [ZIP]
Available in English
Type Jailbreaking
License Freeware
Website limera1n.com

limera1n is geohot's jailbreak utility. It uses a previously undisclosed bootrom exploit (the limera1n Exploit) and comex's Packet Filter Kernel Exploit to achieve an untethered jailbreak on many devices. The following devices are supported:

limera1n has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. He displayed an iPod touch (3rd generation) with an untethered jailbreak that met MuscleNerd's requirements for a good video. In addition, he took a picture of Cydia and blackra1n icons on an iPad.


Release text

limera1n, 6 months in the making

iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)
4.0-4.1 and beyond+++
limera1n is unpatchable
untethered thanks to jailbreakme star comex
brought to you by geohot
hacktivates
Mac coming in 7 years
donations keep support alive

zero pictures of my face

Credit

  • geohot - The program itself, and the bootrom exploit.
  • comex - The userland exploit that allows limera1n to run untethered.

Changelog

Version Release Date MD5 Hash Changelog
Beta 1 9 October 2010 2f2b09a6ed5c5613d5361d8a9d0696b6 First release
Beta 2 10 October 2010 a70dccb3dfc0e505687424184dc3d1ce Fixed "kernel patching magic". Should be run over a beta 1 jailbreak
Beta 3 10 October 2010 81730090f7de1576268ee8c2407c3d35 Fixed an issue with iPhone 3GS (new bootrom)
Beta 4 10 October 2010 d901c4b3a544983f095b0d03eb94e4db Uninstall and respring bugs fixed
RC1 11 October 2010 0622d99ffe4c25f75c720a689853845f afc2, reliability improvements, reboot no longer needed for Cydia; Also ~2 KB smaller
RC1b 11 October 2010 fc6f7d696a57c3baede49bdff8a7f43f Addresses an installation issue that mainly affected iPads

Technical Information

Basics

Exploits

limera1n reuses the usb_control_msg(0x21,2) but exploits a different vulnerability (see Limera1n Exploit).

Process

The jailbreak appears to execute something like the following (in no particular order):

  • In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
"setenv auto-boot true
 reset
 geohot done"

Interesting Messages

"geohot black is the new purple"
"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"
"2.2X  send command(%d): %s
send exploit!!!
sent data to copy: %X
 sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
 sent exploit to heap overflow: %X
 sending file with length: 0x%X Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p      Unknown pseudo relocation protocol version %d.
    Unknown pseudo relocation bit size %d."

Controversy

The release of this jailbreak was specifically designed to pressure the Chronic Dev Team into not releasing SHAtter, and instead implement the limera1n exploit into greenpois0n; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.

Geohot's rationale was that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because iBoot code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. Geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time. Both vulnerabilities ended up being patched in the iPad 2. It was fixed before the release of limera1n according to the build number. This has been confirmed by p0sixninja.

limera1n's untethered userland exploit for iOS 4.0 and 4.1 was obtained by geohot under questionable circumstances from comex. Comex did end up fixing the kernel patching code by beta2, so as to not break users' devices.

Hacktivation

limera1n will copy hacktivation.dylib to /usr/lib and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.

External Links