Purplera1n
Revision as of 01:23, 31 December 2012
Credit
- Vulnerability, Exploit, and Windows client: geohot
- Mac OS X client: AriX and westbaer
Signature Grabber
Allowed anyone with an iPhone 3GS to generate a file containing:
- The ECID of your device.
- A newly signed SHSH blob for the iOS 3.0 iPhone 3GS iBSS that includes your ECID.
This was done so that you would have a backup that could later be used to boot the older iBSS. No tool was ever created to use this backup, however, and the service has since been discontinued.
Jailbreak Tool
- Web Site: http://purplera1n.com
A one-click jailbreak for the iPhone 3GS on iOS 3.0 only (not 3.0.1 or later), available for Windows and Mac. It exploits the iBoot Environment Variable Overflow.
How purplera1n Works
Exploitation
- purplera1n uses the MobileDevice framework to send the commands that put the device into Recovery Mode
- once the device is in Recovery Mode (iBoot), it sends the iBoot Environment Variable Overflow exploit
- the exploit adds a "geohot" command to iBoot which runs the payload
- the "geohot" command is run, transferring control from iBoot to the payload
- the purplera1n client's job is done
Payload
- the payload restores the default environment variable ring buffer and saves the environment to NVRAM (setting auto-boot to true)
- it patches iBoot to load unsigned IMG3s and to ignore the tags
- it loads the purplera1n picture (sent with the payload)
- the NOR patcher starts
- LLB is decrypted, patched, and grown to 0x24200 bytes; this is the resident 0x24000 Segment Overflow exploit
- a small loader stub is placed at 0x20000 in the LLB to load it and fix up the stack
- iBoot is decrypted and patched
- everything else is read back as is
- NOR is written back and the NOR patcher is done
- the kernel is loaded, decrypted, and patched
- the ramdisk (sent with the payload) is loaded and moved to the ramdisk region at 0x44000000, with the patched kernel tacked on to its end
- the patched kernel is booted
- control is now transferred from the payload to the ramdisk
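The step above that patches iBoot to load unsigned IMG3s is easier to follow with the container format in front of you. The following is an added example, not purplera1n's or Apple's code: it walks an IMG3's tag chain (a 20-byte header, then length-prefixed tags such as TYPE, DATA, SHSH and CERT, all little-endian) and contrasts a simplified stand-in for the unpatched loader's decision, which refuses anything lacking SHSH and CERT tags or a matching TYPE, with the patched one, which loads any well-formed image that carries a DATA tag. The tag-presence check is a deliberate simplification of the real signature verification, the function names (img3_parse, img3_accept, build_img3) are this example's own, and build_img3 produces a constructed image with filler bytes where a signature and certificate would be.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMG3 is little-endian, so a tag code such as "DATA" is stored on disk as the
 * bytes "ATAD"; building constants this way lets rd32() compare them directly. */
#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define IMG3_MAGIC   FOURCC('I', 'm', 'g', '3')
#define TAG_TYPE     FOURCC('T', 'Y', 'P', 'E')
#define TAG_DATA     FOURCC('D', 'A', 'T', 'A')
#define TAG_SHSH     FOURCC('S', 'H', 'S', 'H')
#define TAG_CERT     FOURCC('C', 'E', 'R', 'T')
#define IMG3_HDR_LEN 20 /* magic, fullSize, sizeNoPack, sigCheckArea, ident */
#define TAG_HDR_LEN  12 /* magic, fullSize, dataSize */

struct img3_summary {
    size_t   tag_count;
    uint32_t ident;               /* header ident, e.g. 'krnl' or 'ibot' */
    uint32_t type;                /* payload of the TYPE tag, 0 if absent */
    bool     has_data, has_shsh, has_cert;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the tag chain, bounds-checking every length field against the buffer.
 * Returns false for a truncated or self-inconsistent image. */
bool img3_parse(const uint8_t *buf, size_t len, struct img3_summary *out) {
    memset(out, 0, sizeof *out);
    if (len < IMG3_HDR_LEN || rd32(buf) != IMG3_MAGIC) return false;
    uint32_t full_size = rd32(buf + 4), size_no_pack = rd32(buf + 8);
    out->ident = rd32(buf + 16);
    if (full_size < IMG3_HDR_LEN || full_size > len || size_no_pack > full_size - IMG3_HDR_LEN) return false;
    size_t off = IMG3_HDR_LEN, end = IMG3_HDR_LEN + size_no_pack;
    while (off + TAG_HDR_LEN <= end) {
        uint32_t magic = rd32(buf + off), tfull = rd32(buf + off + 4), tdata = rd32(buf + off + 8);
        if (tfull < TAG_HDR_LEN || tfull > end - off || tdata > tfull - TAG_HDR_LEN) return false;
        if (magic == TAG_DATA) out->has_data = true;
        else if (magic == TAG_SHSH) out->has_shsh = true;
        else if (magic == TAG_CERT) out->has_cert = true;
        else if (magic == TAG_TYPE && tdata >= 4) out->type = rd32(buf + off + TAG_HDR_LEN);
        out->tag_count++;
        off += tfull;
    }
    return off == end;
}

/* Simplified stand-in for the loader's decision, not iBoot's code: unpatched,
 * an image must carry SHSH and CERT tags (the signature material) and a TYPE
 * matching what is being loaded before the signature is even checked; with
 * the signature patch applied, any well-formed IMG3 with a DATA tag is loaded. */
bool img3_accept(const uint8_t *buf, size_t len, uint32_t expected_type, bool sig_patch) {
    struct img3_summary s;
    if (!img3_parse(buf, len, &s) || !s.has_data) return false;
    if (sig_patch) return true;
    return s.has_shsh && s.has_cert && s.type == expected_type;
}

static size_t put_tag(uint8_t *p, uint32_t magic, const uint8_t *data, uint32_t dlen) {
    uint32_t pad = (4 - dlen % 4) % 4;            /* tags are 4-byte aligned */
    wr32(p, magic); wr32(p + 4, TAG_HDR_LEN + dlen + pad); wr32(p + 8, dlen);
    memcpy(p + TAG_HDR_LEN, data, dlen);
    memset(p + TAG_HDR_LEN + dlen, 0, pad);
    return TAG_HDR_LEN + dlen + pad;
}

/* Construct a test image (not a real Apple IMG3): TYPE + DATA, plus filler
 * SHSH/CERT tags when want_sig is set. Returns the image length, 0 if cap is too small. */
size_t build_img3(uint8_t *out, size_t cap, uint32_t ident, uint32_t type,
                  const uint8_t *payload, uint32_t plen, bool want_sig) {
    uint8_t filler_shsh[128], filler_cert[64], t[4];
    memset(filler_shsh, 0xAA, sizeof filler_shsh);   /* placeholder, not a signature */
    memset(filler_cert, 0xBB, sizeof filler_cert);   /* placeholder, not a certificate */
    size_t need = IMG3_HDR_LEN + (TAG_HDR_LEN + 4) + (TAG_HDR_LEN + plen + 3)
                + (want_sig ? 2 * TAG_HDR_LEN + sizeof filler_shsh + sizeof filler_cert : 0);
    if (need > cap) return 0;
    wr32(t, type);
    size_t off = IMG3_HDR_LEN;
    off += put_tag(out + off, TAG_TYPE, t, 4);
    off += put_tag(out + off, TAG_DATA, payload, plen);
    uint32_t sig_check_area = (uint32_t)(off - IMG3_HDR_LEN);  /* bytes the signature would cover */
    if (want_sig) {
        off += put_tag(out + off, TAG_SHSH, filler_shsh, sizeof filler_shsh);
        off += put_tag(out + off, TAG_CERT, filler_cert, sizeof filler_cert);
    }
    wr32(out, IMG3_MAGIC);
    wr32(out + 4, (uint32_t)off);
    wr32(out + 8, (uint32_t)(off - IMG3_HDR_LEN));
    wr32(out + 12, want_sig ? sig_check_area : 0);
    wr32(out + 16, ident);
    return off;
}

int main(void) {
    uint8_t img[512], payload[16];
    memset(payload, 0x42, sizeof payload);           /* stand-in for kernel bytes */
    uint32_t krnl = FOURCC('k', 'r', 'n', 'l');
    size_t n = build_img3(img, sizeof img, krnl, krnl, payload, sizeof payload, false);
    printf("unsigned 'krnl' IMG3 (%zu bytes): stock loader %s, patched loader %s\n", n,
           img3_accept(img, n, krnl, false) ? "accepts" : "rejects",
           img3_accept(img, n, krnl, true) ? "accepts" : "rejects");
    return 0;
}
```

The parser refuses to trust any length field it has not checked against the buffer; that matters because the same walker runs over attacker-supplied images once signature checking is gone, so a malformed tag chain must fail closed rather than read out of bounds.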
Ramdisk
- launchd is run; everything below happens from here
- /dev/disk0s1 is mounted
- /private/etc/fstab and the services list are overwritten, to allow writes to disk0s1 and to enable AFC2 respectively
- Freeze.app is transferred and the Freeze.app loader has its SUID bit set
- the patched kernel is read from the end of the ramdisk block device and written to the filesystem
- the ramdisk is done; rebooting...
- the device reboots as a jailbroken phone
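The ramdisk step that reads the patched kernel back from the end of the ramdisk block device comes down to knowing where the filesystem ends. The program below is an added example, not purplera1n's code, and it assumes the ramdisk is a raw HFS+ image: it reads blockSize and totalBlocks from the volume header at byte offset 1024, takes their product as the filesystem's length, and expects the appended kernel (a 32-bit ARM Mach-O, whose magic 0xFEEDFACE is stored little-endian) to begin right there. The function names and the sample device assembled by build_sample_device are this example's own; the sample carries only the header fields the code reads and a fake kernel, not a real filesystem.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HFSPLUS_VH_OFFSET 1024        /* HFS+ volume header starts at byte 1024 */
#define HFSPLUS_SIGNATURE 0x482B      /* "H+" */
#define MACHO_MAGIC_ARM   0xFEEDFACEu /* 32-bit Mach-O magic, little-endian on ARM */

/* HFS+ header fields are big-endian; the Mach-O magic on ARM is little-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wbe32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wle32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* dev holds the whole ramdisk block device: the HFS+ image with the kernel
 * appended. blockSize (header offset 40) * totalBlocks (offset 44) is the
 * filesystem's length, so the kernel starts right after it. Returns false if
 * the header is missing, nothing is appended, or what follows is not a Mach-O. */
bool find_appended_kernel(const uint8_t *dev, size_t dev_len, size_t *koff, size_t *klen) {
    if (dev_len < HFSPLUS_VH_OFFSET + 48) return false;
    const uint8_t *vh = dev + HFSPLUS_VH_OFFSET;
    if (be16(vh) != HFSPLUS_SIGNATURE) return false;
    uint64_t fs_len = (uint64_t)be32(vh + 40) * be32(vh + 44);
    if (fs_len == 0 || fs_len + 4 > dev_len) return false;   /* no room for a kernel header */
    if (le32(dev + fs_len) != MACHO_MAGIC_ARM) return false;
    *koff = (size_t)fs_len;
    *klen = dev_len - (size_t)fs_len;
    return true;
}

/* Copy the located kernel out to a file (the ramdisk stage writes it to the
 * now-writable root filesystem). Returns bytes written, 0 on failure. */
size_t write_appended_kernel(const uint8_t *dev, size_t dev_len, const char *path) {
    size_t koff, klen;
    if (!find_appended_kernel(dev, dev_len, &koff, &klen)) return 0;
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t n = fwrite(dev + koff, 1, klen, f);
    return fclose(f) == 0 ? n : 0;
}

/* Constructed sample (not a real ramdisk): a 4-block, 512-bytes-per-block HFS+
 * image carrying only the header fields read above, then a fake Mach-O kernel. */
size_t build_sample_device(uint8_t *out, size_t cap) {
    const uint32_t block_size = 512, total_blocks = 4;
    const uint8_t fake_kernel_body[] = "kernel body";       /* 12 bytes incl. NUL */
    size_t fs_len = block_size * total_blocks;
    size_t total = fs_len + 4 + sizeof fake_kernel_body;
    if (cap < total) return 0;
    memset(out, 0, fs_len);
    out[HFSPLUS_VH_OFFSET] = 'H';
    out[HFSPLUS_VH_OFFSET + 1] = '+';
    wbe32(out + HFSPLUS_VH_OFFSET + 40, block_size);
    wbe32(out + HFSPLUS_VH_OFFSET + 44, total_blocks);
    wle32(out + fs_len, MACHO_MAGIC_ARM);
    memcpy(out + fs_len + 4, fake_kernel_body, sizeof fake_kernel_body);
    return total;
}

int main(void) {
    uint8_t dev[4096];
    size_t dev_len = build_sample_device(dev, sizeof dev), koff, klen;
    if (find_appended_kernel(dev, dev_len, &koff, &klen))
        printf("kernel at offset %zu, %zu bytes (filesystem ends there)\n", koff, klen);
    else
        printf("no kernel appended\n");
    return 0;
}
```

On a real device the caller would read the block device in chunks rather than into one buffer, but the locating logic is the same: trust the filesystem's own declared size, then insist on the Mach-O magic before writing anything to disk0s1.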