Difference between revisions of "Dual Boot Exploit"
Minor edit by MuscleNerd (talk | contribs), edit summary: →Exploit: Fixed iTunes typo.
Diff at line 16 (the lstat(); section and the category tag are unchanged context; the lines marked + are added in the newer revision):

  === lstat(); ===
  The "check_for_suspicious_partitions" routine now uses lstat(); instead of stat(); meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat(); instead of stat();
+
+ ==External links==
+ * [http://wikee.iphwn.org/s5l8900:dualboot Full writeup on the dev team wiki]
+ * [http://wikee.iphwn.org/s5l8900:dualboot_logfile Logfile of session creating dual boot system]
  [[Category:Jailbreaks]]
Revision as of 21:15, 9 May 2009
Credit
Exploit
The user would copy the currently installed, jailbroken OS to /dev/disk0s3, then use iTunes to update to the latest unjailbroken firmware, which lands on the System partition, /dev/disk0s1. They would then boot into the jailbroken copy on /dev/disk0s3, SSH in, mount /dev/disk0s1 (the unjailbroken OS), and copy Installer, OpenSSH and Terminal over to it.
Defeating Countermeasures
In 1.1.1, a routine called "check_for_suspicious_partitions()" appeared. For every partition other than the System partition (/dev/disk0s1), it would stat() "/sbin/launchd" on that partition to check whether the file exists. The dev team got around this by making /sbin/launchd a symlink to the real launchd at /mysbin/launchd. stat() follows symlinks, so the check tried to resolve the link's absolute target, /mysbin/launchd, against the root of the system doing the checking, where no such file existed; the stat() failed and the partition looked clean, while on the jailbroken system itself the link resolved normally and the OS booted.
Why it no longer works
There are two reasons that it no longer works:
Booting
In firmware 2.0b4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.
lstat();
The "check_for_suspicious_partitions" routine now uses lstat() instead of stat(). lstat() reports on the link itself rather than following it, so /sbin/launchd is found whether or not its target resolves, and the symlink trick that defeated the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat() instead of stat().
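The difference between the two probes described in the Defeating Countermeasures and lstat(); sections, as an added C example that is not from the wiki page or from the dev team's own tooling. It models the second partition as a temporary directory under /tmp whose sbin/launchd is an absolute symlink to /mysbin/launchd, exactly as the workaround did; the mount point, the function names and the assumption that /mysbin/launchd does not exist on the machine running the check are the example's own, not the firmware's.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes mkdtemp(), symlink(), lstat() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Where the dev team's workaround pointed the link. The path is absolute, so a
 * checker that follows the link resolves it against ITS OWN root filesystem,
 * not against the partition it is inspecting. Assumed absent on this machine. */
#define LINK_TARGET "/mysbin/launchd"

/* Build a stand-in for a second partition mounted at `mnt` (a constructed
 * temporary directory): mnt/sbin/launchd is an absolute symlink to
 * /mysbin/launchd. Returns 0 on success and writes the mount point into `mnt`. */
int make_fake_partition(char *mnt, size_t mntlen)
{
    char tmpl[] = "/tmp/dualboot-XXXXXX";
    char path[512];

    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (snprintf(mnt, mntlen, "%s", tmpl) >= (int)mntlen)
        return -1;
    snprintf(path, sizeof path, "%s/sbin", mnt);
    if (mkdir(path, 0755) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/sbin/launchd", mnt);
    if (symlink(LINK_TARGET, path) != 0)
        return -1;
    return 0;
}

/* Remove what make_fake_partition() created. */
void remove_fake_partition(const char *mnt)
{
    char path[512];
    snprintf(path, sizeof path, "%s/sbin/launchd", mnt);
    unlink(path);
    snprintf(path, sizeof path, "%s/sbin", mnt);
    rmdir(path);
    rmdir(mnt);
}

/* The 1.1.1-style probe: stat() follows the link, so this becomes a lookup of
 * /mysbin/launchd on the checking system and fails. Returns 1 if "found". */
int launchd_present_stat(const char *mnt)
{
    struct stat st;
    char path[512];
    snprintf(path, sizeof path, "%s/sbin/launchd", mnt);
    return stat(path, &st) == 0;
}

/* The later probe: lstat() reports on the link itself, so the entry is found
 * whether or not its target resolves. Returns 1 if found. */
int launchd_present_lstat(const char *mnt)
{
    struct stat st;
    char path[512];
    snprintf(path, sizeof path, "%s/sbin/launchd", mnt);
    return lstat(path, &st) == 0;
}

/* Runs the whole scenario and cleans up. Returns 1 when stat() misses the link
 * but lstat() finds it, 0 otherwise, -1 if the fixture could not be built. */
int workaround_beats_stat_but_not_lstat(void)
{
    char mnt[256];
    int by_stat, by_lstat;

    if (make_fake_partition(mnt, sizeof mnt) != 0)
        return -1;
    by_stat = launchd_present_stat(mnt);
    by_lstat = launchd_present_lstat(mnt);
    remove_fake_partition(mnt);
    return by_stat == 0 && by_lstat == 1;
}

int main(void)
{
    char mnt[256];
    if (make_fake_partition(mnt, sizeof mnt) != 0) {
        perror("make_fake_partition");
        return 1;
    }
    printf("mount point: %s\n", mnt);
    printf("stat()  sees /sbin/launchd: %s\n", launchd_present_stat(mnt) ? "yes" : "no");
    printf("lstat() sees /sbin/launchd: %s\n", launchd_present_lstat(mnt) ? "yes" : "no");
    remove_fake_partition(mnt);
    return 0;
}
```

The only thing that changes between the two probes is the system call; the same dangling absolute symlink is invisible to stat() and plainly present to lstat(), which is why a one-word change in the routine was enough to close the trick.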