Dual Boot Exploit

From The iPhone Wiki
Revision as of 15:04, 9 May 2009 by ChronicDev (talk | contribs)

Credit

the dev team

Exploit

The user would create a copy of the currently installed jailbroken OS on /dev/disk0s3, then in iTunes update to the latest unjailbroken firmware. They would then boot to the jailbroken OS, SSH in, and mount /dev/disk0s1, where the unjailbroken OS was. Finally, they would copy Installer / OpenSSH / Terminal over to the unjailbroken OS.

Defeating Countermeasures

In 1.1.1, a routine called "check_for_suspicious_partitions()" appeared: for any partition other than the System partition (/dev/disk0s1), it would stat() "/sbin/launchd" to check for the existence of the file. The dev team got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat() follows the symlink (it is lstat() that reports the link itself), the check did not find launchd there, and this workaround worked great.

Why it no longer works

There are two reasons that it no longer works:

Booting

In firmware 2.0b4 and beyond, iBoot no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.

lstat()

The "check_for_suspicious_partitions" routine now uses lstat() instead of stat(), meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat() instead of stat().
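The stat() versus lstat() difference that both the 1.1.1 workaround and its later defeat hinge on can be reproduced on any POSIX system. The following is an added illustration, not Apple's check_for_suspicious_partitions() and not the dev team's code: a scratch directory stands in for a mounted hidden partition, and its sbin/launchd is an absolute symlink to /mysbin/launchd, as described above. Because the link target is absolute, a checker that follows it (stat()) resolves it against the checking system's own root, where /mysbin/launchd does not exist, so the path appears empty and the partition passes; a checker that inspects the directory entry itself (lstat()) sees the link and flags the partition. The function names, the /tmp scratch layout and the assumption that /mysbin/launchd is absent on the machine running this are all mine.

```c
/* Added example: a stat()-based versus lstat()-based "is there a launchd on this
 * partition?" check, run against a scratch directory that stands in for a mounted
 * hidden partition. Hypothetical code; not Apple's routine. Assumes /mysbin/launchd
 * does not exist on the system running it. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHMAX 4096

/* Lay out the dev team's trick in a scratch "partition": <root>/sbin/launchd is an
 * absolute symlink to /mysbin/launchd. Writes the scratch root into `root`.
 * Returns 0 on success, -1 on failure. */
int build_fake_partition(char *root, size_t rootlen) {
    char sbin[PATHMAX], link[PATHMAX];
    if (rootlen < sizeof "/tmp/fakepart-XXXXXX") return -1;
    strcpy(root, "/tmp/fakepart-XXXXXX");
    if (mkdtemp(root) == NULL) return -1;            /* constructed scratch partition */
    snprintf(sbin, sizeof sbin, "%s/sbin", root);
    if (mkdir(sbin, 0755) != 0) return -1;
    snprintf(link, sizeof link, "%s/launchd", sbin);
    /* Absolute target: when followed from the checking system it resolves against
     * that system's root, not against the mounted partition. */
    if (symlink("/mysbin/launchd", link) != 0) return -1;
    return 0;
}

/* 1.1.1-era style check: stat() follows the symlink. With the target absent on the
 * checking system the call fails, so the partition looks clean. Returns 1 if seen. */
int launchd_present_stat(const char *root) {
    char path[PATHMAX];
    struct stat st;
    snprintf(path, sizeof path, "%s/sbin/launchd", root);
    return stat(path, &st) == 0;
}

/* Later style check: lstat() reports the link entry itself, so the hidden OS is
 * spotted regardless of where the link points. Returns 1 if seen. */
int launchd_present_lstat(const char *root) {
    char path[PATHMAX];
    struct stat st;
    snprintf(path, sizeof path, "%s/sbin/launchd", root);
    return lstat(path, &st) == 0;
}

/* Tear the scratch partition down again. */
void remove_fake_partition(const char *root) {
    char p[PATHMAX];
    snprintf(p, sizeof p, "%s/sbin/launchd", root);
    unlink(p);
    snprintf(p, sizeof p, "%s/sbin", root);
    rmdir(p);
    rmdir(root);
}

int main(void) {
    char root[PATHMAX];
    if (build_fake_partition(root, sizeof root) != 0) {
        perror("setup");
        return 1;
    }
    printf("stat()  sees launchd: %s\n",
           launchd_present_stat(root) ? "yes (partition flagged)" : "no (partition passes)");
    printf("lstat() sees launchd: %s\n",
           launchd_present_lstat(root) ? "yes (partition flagged)" : "no (partition passes)");
    remove_fake_partition(root);
    return 0;
}
```

The same asymmetry is worth remembering when writing any integrity or "known-bad file present" check over a mounted volume: a symlink-following call answers "does the resolved target exist from where I am standing", which is a different question from "is there an entry at this path on the volume". lstat() (or fstatat() with AT_SYMLINK_NOFOLLOW) answers the second.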