|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Limera1n"
m (Shouldn't link to pages that don't exit ;)) |
(the links were way too long + some rework) |
||
| Line 8: | Line 8: | ||
* [[k48ap|iPad]] |
* [[k48ap|iPad]] |
||
* [[k66ap|AppleTV 2G]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab) |
* [[k66ap|AppleTV 2G]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab) |
||
| − | limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png |
+ | limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] showed off a high-res picture of [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Cydia on an iPhone 4]. He displayed an [http://www.youtube.com/watch?v=__TR86PLiHw iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a picture of [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Cydia and blackra1n icons on an iPad]. |
| − | '''Release Date:''' [[Timeline#October|October 9, 2010]] |
+ | * '''Release Date:''' [[Timeline#October|October 9, 2010]] |
| + | * '''Supported OS's:''' Mac OS X, Windows |
||
| + | * '''Supported Operations:''' [[hacktivation]], [[jailbreak]]ing |
||
| + | * '''Supported iOS ([[untethered jailbreak|untethered]]): 4.0-4.1 |
||
| + | * '''Supported iOS: 4.0+ |
||
| − | '''Supported OS's:''' Mac OS X, Windows |
||
| + | == Release text == |
||
| − | '''Supported Operations:''' [[hacktivation]], [[jailbreak]]ing |
||
| − | |||
| − | |||
| − | ==Release text== |
||
<div style="text-align: center">limera1n, 6 months in the making<br /> |
<div style="text-align: center">limera1n, 6 months in the making<br /> |
||
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G<br /> |
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G<br /> |
||
| Line 29: | Line 29: | ||
zero pictures of my face</div> |
zero pictures of my face</div> |
||
| − | ==Credit== |
+ | == Credit == |
* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit. |
* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit. |
||
* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]]. |
* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]]. |
||
| − | ==Changelog== |
+ | == Changelog == |
| − | {| class="wikitable |
+ | {| class="wikitable" |
|- |
|- |
||
| − | |<center>'''Version'''</ |
+ | | <div style="text-align: center">'''Version'''</div> |
| − | |<center>'''Release time'''</ |
+ | | <div style="text-align: center">'''Release time'''</div> |
| − | |<center>'''MD5 Hash'''</ |
+ | | <div style="text-align: center">'''MD5 Hash'''</div> |
| − | |<center>'''Change comment'''</ |
+ | | <div style="text-align: center">'''Change comment'''</div> |
|- |
|- |
||
| − | |BETA 1 |
+ | | BETA 1 |
| − | |9 Oct 2010 XX:XX GMT |
+ | | 9 Oct 2010 XX:XX GMT |
| − | |2f2b09a6ed5c5613d5361d8a9d0696b6 |
+ | | 2f2b09a6ed5c5613d5361d8a9d0696b6 |
| − | |First release. |
+ | | First release. |
|- |
|- |
||
| − | |BETA 2 |
+ | | BETA 2 |
| − | |10 Oct 2010 XX:XX GMT |
+ | | 10 Oct 2010 XX:XX GMT |
| − | |a70dccb3dfc0e505687424184dc3d1ce |
+ | | a70dccb3dfc0e505687424184dc3d1ce |
| − | |Fixed kernel patching magic. Rerun BETA2+ over BETA1. |
+ | | Fixed kernel patching magic. Rerun BETA2+ over BETA1. |
|- |
|- |
||
| − | |BETA 3 |
+ | | BETA 3 |
| − | |10 Oct 2010 XX:XX GMT |
+ | | 10 Oct 2010 XX:XX GMT |
| − | |81730090f7de1576268ee8c2407c3d35 |
+ | | 81730090f7de1576268ee8c2407c3d35 |
| − | |Fixed an issue with [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]) |
+ | | Fixed an issue with [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]) |
|- |
|- |
||
| − | |BETA 4 |
+ | | BETA 4 |
| − | |10 Oct 2010 XX:XX GMT |
+ | | 10 Oct 2010 XX:XX GMT |
| − | |d901c4b3a544983f095b0d03eb94e4db |
+ | | d901c4b3a544983f095b0d03eb94e4db |
| − | |Uninstall fixed, respring fixed |
+ | | Uninstall fixed, respring fixed |
|- |
|- |
||
| − | |RC1 |
+ | | RC1 |
| − | |11 Oct 2010 XX:XX GMT |
+ | | 11 Oct 2010 XX:XX GMT |
| − | |0622d99ffe4c25f75c720a689853845f |
+ | | 0622d99ffe4c25f75c720a689853845f |
| − | |out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller |
+ | | out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller |
|- |
|- |
||
| − | |RC1b |
+ | | RC1b |
| − | |11 Oct 2010 XX:XX GMT |
+ | | 11 Oct 2010 XX:XX GMT |
| − | |fc6f7d696a57c3baede49bdff8a7f43f |
+ | | fc6f7d696a57c3baede49bdff8a7f43f |
| − | |addresses an install issue, mainly with iPads |
+ | | addresses an install issue, mainly with iPads |
|- |
|- |
||
| − | |Final |
+ | | Final |
| − | |11 Oct 2010 23:XX GMT |
+ | | 11 Oct 2010 23:XX GMT |
| − | |fc6f7d696a57c3baede49bdff8a7f43f |
+ | | fc6f7d696a57c3baede49bdff8a7f43f |
| − | |(same as RC1b) |
+ | | (same as RC1b) |
|} |
|} |
||
| − | ==Technical Information== |
+ | == Technical Information == |
=== Basics === |
=== Basics === |
||
* limera1n has nothing to do with SHAtter at all. |
* limera1n has nothing to do with SHAtter at all. |
||
| Line 124: | Line 124: | ||
Unknown pseudo relocation bit size %d." |
Unknown pseudo relocation bit size %d." |
||
| − | ==Controversy== |
+ | == Controversy == |
The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)]] into not releasing SHAtter, but to instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple. |
The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)]] into not releasing SHAtter, but to instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple. |
||
[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time. In the [[iPad 2]], the exploit is indeed fixed, and the limera1n exploit is not present. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]]. |
[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time. In the [[iPad 2]], the exploit is indeed fixed, and the limera1n exploit is not present. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]]. |
||
| − | + | limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices. |
|
== Hacktivation == |
== Hacktivation == |
||
| − | + | limera1n will copy hacktivation.dylib to [[:/usr/lib]] and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below. |
|
| − | ==External Links== |
+ | == External Links == |
* [http://limera1n.com/ Official domain] |
* [http://limera1n.com/ Official domain] |
||
* [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror] |
* [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror] |
||
| Line 140: | Line 140: | ||
* [http://www.pastie.org/1210054 Veence's explanation for release] |
* [http://www.pastie.org/1210054 Veence's explanation for release] |
||
* [http://www.cmdshft.ipwn.me/blog/?p=555 Hacktivation removal guide.] |
* [http://www.cmdshft.ipwn.me/blog/?p=555 Hacktivation removal guide.] |
||
| + | * [cole.freehostingcloud.com/download.php?dev=geohot&os=mcro_win&app=limera1n&version=1.0 limera1n] for Windows Mirror |
||
| + | * [cole.freehostingcloud.com/download.php?dev=geohot&os=appl_osx&app=limera1n&version=1.0 limera1n] for OSX Mirror |
||
[[Category:Hacking Software]] |
[[Category:Hacking Software]] |
||
Revision as of 18:27, 12 August 2011
This is geohot's jailbreak utility. It uses an undisclosed bootrom exploit and comex's Packet Filter Kernel Exploit to achieve an untethered jailbreak on newer devices. The following devices are technically supported:
- iPhone 3GS
- iPhone 4
- iPod touch 3G
- iPod touch 4G
- iPad
- AppleTV 2G (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)
limera1n has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. He displayed an iPod touch 3G with an untethered jailbreak that met MuscleNerd's requirements for a good video. In addition, he took a picture of Cydia and blackra1n icons on an iPad.
- Release Date: October 9, 2010
- Supported OS's: Mac OS X, Windows
- Supported Operations: hacktivation, jailbreaking
- Supported iOS (untethered): 4.0-4.1
- Supported iOS: 4.0+
Contents
Release text
limera1n, 6 months in the making
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G
4.0-4.1 and beyond+++
limera1n is unpatchable
untethered thanks to jailbreakme star comex
brought to you by geohot
hacktivates
Mac coming in 7 years
donations keep support alive
Credit
- geohot - The program itself, and the bootrom exploit.
- comex - The userland exploit that allows limera1n to run untethered.
Changelog
Version
|
Release time
|
MD5 Hash
|
Change comment
|
| BETA 1 | 9 Oct 2010 XX:XX GMT | 2f2b09a6ed5c5613d5361d8a9d0696b6 | First release. |
| BETA 2 | 10 Oct 2010 XX:XX GMT | a70dccb3dfc0e505687424184dc3d1ce | Fixed kernel patching magic. Rerun BETA2+ over BETA1. |
| BETA 3 | 10 Oct 2010 XX:XX GMT | 81730090f7de1576268ee8c2407c3d35 | Fixed an issue with iPhone 3GS (new bootrom) |
| BETA 4 | 10 Oct 2010 XX:XX GMT | d901c4b3a544983f095b0d03eb94e4db | Uninstall fixed, respring fixed |
| RC1 | 11 Oct 2010 XX:XX GMT | 0622d99ffe4c25f75c720a689853845f | out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller |
| RC1b | 11 Oct 2010 XX:XX GMT | fc6f7d696a57c3baede49bdff8a7f43f | addresses an install issue, mainly with iPads |
| Final | 11 Oct 2010 23:XX GMT | fc6f7d696a57c3baede49bdff8a7f43f | (same as RC1b) |
Technical Information
Basics
- limera1n has nothing to do with SHAtter at all.
- limera1n uses a bootrom exploit to achieve the tethered jailbreak and unsigned code execution.
- limera1n uses a userland exploit to make it untethered, which was developed by comex.
- limera1n uses a hacktivation dylib to perform hacktivation.
Exploits
limera1n reuses the usb_control_msg(0x21,2) but exploits a different vulnerability.
Process
The jailbreak appears to execute something like the following (in no particular order):
- In recovery1,
"setenv debug-uarts 1 setenv auto-boot false saveenv"
"setenv auto-boot true reset geohot done"
Interesting Messages
"geohot black is the new purple"
"blackra1n start: %d current IRQ mask is %8.8X usb irq disabled...shhh fxns found @ %8.8X %8.8X found iBoot @ %8.8X i'm back from IRQland... 3g detected, kicking nor nor kicked memcpy done iBoot restored!!! found command table @ %8.8X cmd_geohot added time to pray...%8.8X"
"2.2X send command(%d): %s
send exploit!!!
sent data to copy: %X
sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
sent exploit to heap overflow: %X
sending file with length: 0x%X Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d."
Controversy
The release of this jailbreak was specifically designed to pressure Chronic Dev (team) into not releasing SHAtter, but to instead implement the limera1n exploit into greenpois0n; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.
Geohot's rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because iBoot code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. Geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time. In the iPad 2, the exploit is indeed fixed, and the limera1n exploit is not present. It was fixed before the release of limera1n according to the build number. This has been confirmed by p0sixninja.
limera1n's untethered userland exploit for iOS 4.0 and 4.1 was obtained by geohot under questionable circumstances from comex. Comex did end up fixing the kernel patching code by beta2, so as to not break users' devices.
Hacktivation
limera1n will copy hacktivation.dylib to /usr/lib and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.
External Links
- Official domain
- The iPhone Wiki Mirror
- Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.
- Veence's explanation for release
- Hacktivation removal guide.
- [cole.freehostingcloud.com/download.php?dev=geohot&os=mcro_win&app=limera1n&version=1.0 limera1n] for Windows Mirror
- [cole.freehostingcloud.com/download.php?dev=geohot&os=appl_osx&app=limera1n&version=1.0 limera1n] for OSX Mirror
