The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Dual Boot Exploit"
m (→Exploit: FIxed iTunes typo.) |
m (→Booting) |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
== Credit == |
== Credit == |
||
− | [[ |
+ | [[iPhone Dev Team]] |
== Exploit == |
== Exploit == |
||
Line 6: | Line 6: | ||
=== Defeating Countermeasures === |
=== Defeating Countermeasures === |
||
− | In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. [[ |
+ | In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. The [[iPhone Dev Team]] got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat(); does not follow symlinks, this workaround worked great. |
== Why it no longer works == |
== Why it no longer works == |
||
Line 12: | Line 12: | ||
=== Booting === |
=== Booting === |
||
− | In firmware 2. |
+ | In firmware 2.0 beta 4 and beyond, [[iBoot]] no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition. |
=== lstat(); === |
=== lstat(); === |
||
The "check_for_suspicious_partitions" routine now uses lstat(); instead of stat(); meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat(); instead of stat(); |
The "check_for_suspicious_partitions" routine now uses lstat(); instead of stat(); meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat(); instead of stat(); |
||
+ | |||
+ | ==External links== |
||
+ | * [http://wikee.iphwn.org/s5l8900:dualboot Full writeup on the dev team wiki] |
||
+ | * [http://wikee.iphwn.org/s5l8900:dualboot_logfile Logfile of session creating dual boot system] |
||
[[Category:Jailbreaks]] |
[[Category:Jailbreaks]] |
||
[[Category:Exploits]] |
[[Category:Exploits]] |
||
+ | [[Category:Jailbreaking]] |
Latest revision as of 12:28, 22 January 2016
Contents
Credit
Exploit
The user would create a copy of the currently installed jailbroken OS to /dev/disk0s3, then in iTunes update to the latest unjailbroken firmware. They would then boot to the jailbroken OS, SSH in, and mount /dev/disk0s1, where the unjailbroken OS was. Finally, they would copy over Installer / OpenSSH / Terminal to the unjailbroken OS.
Defeating Countermeasures
In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. The iPhone Dev Team got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat(); does not follow symlinks, this workaround worked great.
Why it no longer works
There are two reasons that it no longer works
Booting
In firmware 2.0 beta 4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.
lstat();
The "check_for_suspicious_partitions" routine now uses lstat(); instead of stat(); meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat(); instead of stat();