Difference between revisions of "Dual Boot Exploit"

From The iPhone Wiki
m (Fixed redirecting links.)

Line 1:

== Credit ==
- [[the dev team]]
+ [[iPhone Dev Team]]

== Exploit ==

Line 6:

=== Defeating Countermeasures ===
- In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. [[the dev team]] got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat(); does not follow symlinks, this workaround worked great.
+ In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. The [[iPhone Dev Team]] got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat(); does not follow symlinks, this workaround worked great.

== Why it no longer works ==

Revision as of 22:31, 16 July 2010

Credit

iPhone Dev Team

Exploit

The user would create a copy of the currently installed jailbroken OS to /dev/disk0s3, then in iTunes update to the latest unjailbroken firmware. They would then boot to the jailbroken OS, SSH in, and mount /dev/disk0s1, where the unjailbroken OS was. Finally, they would copy over Installer / OpenSSH / Terminal to the unjailbroken OS.

Defeating Countermeasures

In 1.1.1, a routine called "check_for_suspicious_partitions()" was introduced which, for any partition other than the System partition (/dev/disk0s1), called stat() on "/sbin/launchd" to check whether the file existed. The iPhone Dev Team got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat() does not follow symlinks, this workaround worked great.

Why it no longer works

There are two reasons that it no longer works:

Booting

In firmware 2.0b4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.

lstat()

The "check_for_suspicious_partitions" routine now uses lstat() instead of stat(), meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat() instead of stat().

External links