Limera1n

This is geohot's latest jailbreak utility. It uses his undisclosed exploit, along with comex's userland exploit, to achieve an untethered jailbreak on newer devices.

• iPhone 3GS
• iPhone 4
• iPod touch 2G (support announced, not released)
• iPod touch 3G
• iPod touch 4G
• iPad
• AppleTV (However it's current usefulness is debatable)

It has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. He displayed an iPod touch 3G with an untethered jailbreak that met MuscleNerd's requirements for a good video. In addition, he took a picture of Cydia and blackra1n icons on his iPad's SpringBoard.

limera1n was released to the public on October 9, 2010, delaying the release of greenpois0n, because greenpois0n has to be rewritten to use the limera1n exploit instead of SHAtter. It only supports Windows at the moment, and there are some devices with issues.

Release text

Credit

• geohot - the program itself, and bootrom exploit.
• comex - userland exploit that allows limera1n to run untethered.

Changelog

Technical Information

Basics

• limera1n does not use SHAtter.
• limera1n uses a bootrom exploit to achieve the tethered jailbreak and unsigned code execution.
• limera1n uses a userland exploit to make the jailbreak untethered, which was developed by comex.

Exploits

Details of the bootrom exploit to follow.

Process

The jailbreak appears to execute something like the following (in no particular order):

• In recovery1,

"setenv debug-uarts 1
setenv auto-boot false
saveenv"

• In DFU, it uploads a payload.
• In recovery2, it uploads another payload and its ramdisk.

"setenv auto-boot true
 reset
 geohot done"

Interesting Messages

"geohot black is the new purple"

"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"

"2.2X  send command(%d): %s
send exploit!!!
sent data to copy: %X
 sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
 sent exploit to heap overflow: %X
 sending file with length: 0x%X Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p      Unknown pseudo relocation protocol version %d.
    Unknown pseudo relocation bit size %d."

Controversy

The release of this jailbreak is specifically designed to pressure Chronic Dev into not releasing the SHAtter exploit, instead implementing the limera1n exploit into greenpois0n. Now that geohot has released limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.

geohot's rationale is that Apple has already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom. Because iBoot code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful in the 5th generation iPhone should it not be disclosed at this time.

limera1n's untethered userland exploit was obtained by geohot under questionable circumstances from comex. comex did in fact end up giving his approval for the exploit to be included in limera1n.

External Links

• Picture of limera1n in action
• limera1n.com Actual limera1n domain (using <!--#include file="http://www.theiphonewiki.com/limera1n" -->
• Actual site http://theiphonewiki.com/limera1n
• Limera1n RC Beta2 Dump on Mediafire
• Veence's explanation for release