Difference between revisions of "Limera1n"

From The iPhone Wiki
Jump to: navigation, search
m (Link fixes.)
(This thing was attrocious.)
Line 1: Line 1:
 
[[Image:Ra1ndrop.png|right]]
 
[[Image:Ra1ndrop.png|right]]
This is [[User:Geohot|geohot's]] latest [[jailbreak]] utility. It uses an undisclosed bootrom exploit by [[User:geohot|geohot]] and an undisclosed kernel exploit found by [[User:Comex|comex]] to achieve an [[untethered jailbreak]] on newer devices.
+
This is [[User:Geohot|geohot's]] latest [[jailbreak]] utility. It uses an undisclosed bootrom exploit and an undisclosed kernel exploit found by [[User:Comex|comex]] to achieve an [[untethered jailbreak]] on newer devices.
   
 
* [[N88ap|iPhone 3GS]]
 
* [[N88ap|iPhone 3GS]]
Line 7: Line 7:
 
* [[N81ap|iPod touch 4G]]
 
* [[N81ap|iPod touch 4G]]
 
* [[K48ap|iPad]]
 
* [[K48ap|iPad]]
* [[K66ap|Apple TV 2G]] ([http://www.tuaw.com/2010/10/09/limera1n-jailbreak-released-greenpois0n-jailbreak-delayed/ However it's current usefulness is debatable])
+
* [[K66ap|AppleTV 2G]] ([http://www.tuaw.com/2010/10/09/limera1n-jailbreak-released-greenpois0n-jailbreak-delayed/ However it's current usefulness is debatable])
   
 
It has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png showed off a high-res picture of Cydia on an iPhone 4]. He [http://www.youtube.com/watch?v=__TR86PLiHw displayed an iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg picture of Cydia and blackra1n icons on his iPad's SpringBoard].
 
It has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png showed off a high-res picture of Cydia on an iPhone 4]. He [http://www.youtube.com/watch?v=__TR86PLiHw displayed an iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg picture of Cydia and blackra1n icons on his iPad's SpringBoard].
   
  +
'''Release Date:''' October 9, 2010
limera1n was released to the public on October 9, 2010, delaying the release of [[greenpois0n]] using the SHAtter exploit. [[greenpois0n]] has been rewritten to use the same exploit that limera1n uses. It only supports Windows and Mac OS X at the moment, and there are some devices with issues.
 
  +
'''Supported OS's:''' Mac OS X, Windows
  +
'''Supported Operations:''' Hacktivation, jailbreaking
   
Limera1n also installs a hacktivation dynamic library (.dylib) to /usr/lib, no matter if the device is properly activated by [[iTunes]] or not. This is lazy and can pose some issues (such as Push Donor users having to restore their device). It's recommended to properly remove this dylib only if you can activate via iTunes. A guide to do so can be found [http://www.cmdshft.ipwn.me/blog/?p=555 here].
 
   
 
==Release text==
 
==Release text==
Line 87: Line 88:
 
=== Process ===
 
=== Process ===
 
The jailbreak appears to execute something like the following (in no particular order):
 
The jailbreak appears to execute something like the following (in no particular order):
* In [[recovery1]],
+
* In recovery1,
 
"setenv debug-uarts 1
 
"setenv debug-uarts 1
 
setenv auto-boot false
 
setenv auto-boot false
 
saveenv"
 
saveenv"
 
* In [[DFU]], it uploads a [[payload]].
 
* In [[DFU]], it uploads a [[payload]].
* In [[recovery2]], it uploads another [[payload]] and its [[ramdisk]].
+
* In recovery2, it uploads another [[payload]] and its [[ramdisk]].
 
"setenv auto-boot true
 
"setenv auto-boot true
 
reset
 
reset
Line 126: Line 127:
   
 
==Controversy==
 
==Controversy==
The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)|Chronic Dev]] into not releasing the SHAtter exploit, instead implementing the limera1n exploit into [[greenpois0n]].
+
The release of this jailbreak was specifically designed to pressure [[Chronic Dev]] into not releasing the SHAtter exploit, but to instead implement the limera1n exploit into [[greenpois0n]]; after releasing limera1n, releasing [[SHAtter]] would uselessly disclose another [[bootrom exploit]] to Apple.
After releasing limera1n, releasing [[SHAtter]] would uselessly disclose another [[bootrom exploit]] to Apple.
 
   
[[User:Geohot|geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful in the 5th generation iPhone should it not be disclosed at this time.
+
[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time.
   
limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|comex]] did in fact end up giving his approval for the exploit to be included in limera1n as of beta 2.
+
Limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices.
  +
  +
== Hacktivation ==
  +
Limera1n will copy a dylib to unlock the phone to /usr/lib, whether it has been activated using iTunes or not. This, while helpful to many, is also harmful to legitimate activators. For a good guide, see the link below.
   
 
==External Links==
 
==External Links==
Line 139: Line 142:
 
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.]
 
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.]
 
* [http://www.pastie.org/1210054 Veence's explanation for release]
 
* [http://www.pastie.org/1210054 Veence's explanation for release]
  +
* [http://www.cmdshft.ipwn.me/blog/?p=555 Hacktivation removal guide.]

Revision as of 19:46, 17 October 2010

Ra1ndrop.png

This is geohot's latest jailbreak utility. It uses an undisclosed bootrom exploit and an undisclosed kernel exploit found by comex to achieve an untethered jailbreak on newer devices.

It has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. He displayed an iPod touch 3G with an untethered jailbreak that met MuscleNerd's requirements for a good video. In addition, he took a picture of Cydia and blackra1n icons on his iPad's SpringBoard.

Release Date: October 9, 2010 Supported OS's: Mac OS X, Windows Supported Operations: Hacktivation, jailbreaking


Release text

limera1n, 6 months in the making

iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G
4.0-4.1 and beyond+++
limera1n is unpatchable
untethered thanks to jailbreakme star comex
brought to you by geohot
hacktivates
Mac coming in 7 years
donations keep support alive

zero pictures of my face

Credit

Changelog

Version
Release time
MD5 Hash
Change comment
BETA 1 9 Oct 2010 XX:XX GMT 2f2b09a6ed5c5613d5361d8a9d0696b6 First release.
BETA 2 10 Oct 2010 XX:XX GMT a70dccb3dfc0e505687424184dc3d1ce Fixed kernel patching magic. Rerun BETA2+ over BETA1.
BETA 3 10 Oct 2010 XX:XX GMT 81730090f7de1576268ee8c2407c3d35 Fixed an issue with iPhone 3GS (new bootrom)
BETA 4 10 Oct 2010 XX:XX GMT d901c4b3a544983f095b0d03eb94e4db Uninstall fixed, respring fixed
RC1 11 Oct 2010 XX:XX GMT 0622d99ffe4c25f75c720a689853845f out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller
RC1b 11 Oct 2010 XX:XX GMT fc6f7d696a57c3baede49bdff8a7f43f addresses an install issue, mainly with iPads
Final 11 Oct 2010 23:XX GMT fc6f7d696a57c3baede49bdff8a7f43f (same as RC1b)

Technical Information

Basics

  • limera1n uses a different exploit to SHAtter.
  • limera1n uses a bootrom exploit to achieve the tethered jailbreak and unsigned code execution.
  • limera1n uses a userland exploit to make it untethered, which was developed by comex.
  • limera1n uses a hacktivation dylib to activate, even on devices already activated by iTunes

Exploits

Details of the bootrom exploit to follow.

Process

The jailbreak appears to execute something like the following (in no particular order):

  • In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
"setenv auto-boot true
 reset
 geohot done"

Interesting Messages

"geohot black is the new purple"
"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"
"2.2X  send command(%d): %s
send exploit!!!
sent data to copy: %X
 sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
 sent exploit to heap overflow: %X
 sending file with length: 0x%X Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p      Unknown pseudo relocation protocol version %d.
    Unknown pseudo relocation bit size %d."

Controversy

The release of this jailbreak was specifically designed to pressure Chronic Dev into not releasing the SHAtter exploit, but to instead implement the limera1n exploit into greenpois0n; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.

Geohot's rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because iBoot code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. Geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time.

Limera1n's untethered userland exploit for iOS 4.0 and 4.1 was obtained by geohot under questionable circumstances from comex. Comex did end up fixing the kernel patching code by beta2, so as to not break users' devices.

Hacktivation

Limera1n will copy a dylib to unlock the phone to /usr/lib, whether it has been activated using iTunes or not. This, while helpful to many, is also harmful to legitimate activators. For a good guide, see the link below.

External Links