When it comes to jailbreaking and iOS hacking, @pod2g has been instrumental in making the iOS 5.0.1 untethered jailbreak possible. He has also posted details of the Corona iOS 5.0.1 untethered jailbreak on his blog, reproduced below:

Now that Corona has been released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.

1. The userland exploit

Apple has fixed all previously known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

In the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Mach-O loader didn't check its authenticity. ROP is used so that code execution happens without writing executable code, but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different techniques found by @comex, either:
– the interposition exploit
– the initializer exploit

Here is a detailed explanation of the incomplete code sign tricks used before 5.0:
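The two pre-5.0 vectors named above (initializers and interposition) both hinge on the same Mach-O property: the dynamic linker reads tables of function pointers out of sections that live in a data segment, not in signed code pages. The program below is an added example written for this page, not code from pod2g, comex or the jailbreak teams. It builds a constructed 32-bit Mach-O image in memory (the segment and section names, addresses and the two helper functions are made up for the demonstration; the constants and struct offsets are those of <mach-o/loader.h>) and then walks the load commands, reporting every S_MOD_INIT_FUNC_POINTERS or S_INTERPOSING section that sits in a segment whose initial protection lacks VM_PROT_EXECUTE. It also shows the bounds checks a parser of untrusted binaries needs, rejecting a truncated image instead of reading past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants copied from <mach-o/loader.h> so this builds without Apple headers. */
#define MH_MAGIC                 0xfeedfaceu  /* 32-bit little-endian Mach-O, as on iOS 5 */
#define MH_EXECUTE               0x2u
#define LC_SEGMENT               0x1u
#define SECTION_TYPE             0xffu        /* low byte of the section flags word */
#define S_MOD_INIT_FUNC_POINTERS 0x9u         /* table of initializer function pointers */
#define S_INTERPOSING            0xdu         /* table of (replacement, original) pointer pairs */
#define VM_PROT_EXECUTE          0x4u

#define HDR_SIZE 28   /* sizeof(struct mach_header) */
#define SEG_SIZE 56   /* sizeof(struct segment_command) */
#define SEC_SIZE 68   /* sizeof(struct section) */

static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint8_t *put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return p + 4;
}
static uint8_t *put_name(uint8_t *p, const char *s) {   /* 16-byte, NUL-padded Mach-O name */
    memset(p, 0, 16); memcpy(p, s, strlen(s)); return p + 16;
}

struct finding { char segname[17]; char sectname[17]; uint32_t type; };

/* Walk the load commands and report every initializer-pointer or interposing section that
 * sits in a segment whose initial protection lacks VM_PROT_EXECUTE, i.e. a data page that
 * dyld will nevertheless consume as a table of code pointers. Returns the number of findings
 * written to out (at most max), or -1 if the image is malformed. Every offset is checked
 * against the buffer before it is dereferenced. */
int find_pointer_sections_in_data(const uint8_t *img, size_t len, struct finding *out, int max) {
    if (len < HDR_SIZE || get32(img) != MH_MAGIC) return -1;
    uint32_t ncmds = get32(img + 16), sizeofcmds = get32(img + 20);
    if (sizeofcmds > len - HDR_SIZE) return -1;
    size_t off = HDR_SIZE, end = HDR_SIZE + sizeofcmds;
    int n = 0;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return -1;
        uint32_t cmd = get32(img + off), cmdsize = get32(img + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return -1;
        if (cmd == LC_SEGMENT) {
            if (cmdsize < SEG_SIZE) return -1;
            uint32_t initprot = get32(img + off + 44), nsects = get32(img + off + 48);
            if (nsects > (cmdsize - SEG_SIZE) / SEC_SIZE) return -1;   /* sections must fit in cmdsize */
            for (uint32_t s = 0; s < nsects; s++) {
                const uint8_t *sec = img + off + SEG_SIZE + (size_t)s * SEC_SIZE;
                uint32_t type = get32(sec + 56) & SECTION_TYPE;        /* struct section.flags */
                int dyld_pointers = (type == S_MOD_INIT_FUNC_POINTERS || type == S_INTERPOSING);
                if (dyld_pointers && !(initprot & VM_PROT_EXECUTE) && n < max) {
                    memcpy(out[n].sectname, sec, 16);      out[n].sectname[16] = 0;
                    memcpy(out[n].segname,  sec + 16, 16); out[n].segname[16] = 0;
                    out[n].type = type;
                    n++;
                }
            }
        }
        off += cmdsize;
    }
    return n;
}

/* Helpers that emit a segment_command and a section in file layout (constructed sample only). */
static uint8_t *put_segment(uint8_t *p, const char *name, uint32_t vmaddr, uint32_t prot, uint32_t nsects) {
    p = put32(p, LC_SEGMENT); p = put32(p, SEG_SIZE + nsects * SEC_SIZE); p = put_name(p, name);
    p = put32(p, vmaddr); p = put32(p, 0x1000); p = put32(p, 0); p = put32(p, 0x1000);
    p = put32(p, prot); p = put32(p, prot); p = put32(p, nsects); p = put32(p, 0);
    return p;
}
static uint8_t *put_section(uint8_t *p, const char *sect, const char *seg, uint32_t addr, uint32_t flags) {
    p = put_name(p, sect); p = put_name(p, seg);
    p = put32(p, addr); p = put32(p, 0x10); p = put32(p, 0); p = put32(p, 2);
    p = put32(p, 0); p = put32(p, 0); p = put32(p, flags); p = put32(p, 0); p = put32(p, 0);
    return p;
}

/* Constructed sample image, not a real binary: an r-x __TEXT segment holding __text and an
 * rw- __DATA segment holding __data, __mod_init_func and __interpose. Returns its length. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    uint32_t cmds = (SEG_SIZE + 1 * SEC_SIZE) + (SEG_SIZE + 3 * SEC_SIZE);
    if (cap < HDR_SIZE + cmds) return 0;
    uint8_t *p = buf;
    p = put32(p, MH_MAGIC); p = put32(p, 12 /* CPU_TYPE_ARM */); p = put32(p, 9 /* CPU_SUBTYPE_ARM_V7 */);
    p = put32(p, MH_EXECUTE); p = put32(p, 2 /* ncmds */); p = put32(p, cmds); p = put32(p, 0);
    p = put_segment(p, "__TEXT", 0x1000, 0x5 /* r-x */, 1);
    p = put_section(p, "__text", "__TEXT", 0x1000, 0x80000400 /* S_REGULAR + instruction attrs */);
    p = put_segment(p, "__DATA", 0x2000, 0x3 /* rw- */, 3);
    p = put_section(p, "__data", "__DATA", 0x2000, 0);
    p = put_section(p, "__mod_init_func", "__DATA", 0x2010, S_MOD_INIT_FUNC_POINTERS);
    p = put_section(p, "__interpose", "__DATA", 0x2020, S_INTERPOSING);
    return (size_t)(p - buf);
}

/* Scan the constructed image; used by main() and by the checks that follow. */
int sample_findings(struct finding *out, int max) {
    uint8_t img[512];
    size_t len = build_sample_image(img, sizeof img);
    return len ? find_pointer_sections_in_data(img, len, out, max) : -1;
}
int sample_finding_count(void) { struct finding f[8]; return sample_findings(f, 8); }
/* True when finding i is the named __DATA section with the given section type. */
int sample_finding_is(int i, const char *sect, uint32_t type) {
    struct finding f[8];
    int n = sample_findings(f, 8);
    return i < n && strcmp(f[i].sectname, sect) == 0 && strcmp(f[i].segname, "__DATA") == 0 && f[i].type == type;
}
/* A copy cut 100 bytes short must be rejected rather than parsed past its end. */
int sample_truncated_is_rejected(void) {
    uint8_t img[512]; struct finding f[4];
    size_t len = build_sample_image(img, sizeof img);
    return find_pointer_sections_in_data(img, len - 100, f, 4) == -1;
}

int main(void) {
    struct finding f[8];
    int n = sample_findings(f, 8);
    for (int i = 0; i < n; i++)
        printf("%s,%s: section type 0x%x in a non-executable segment\n", f[i].segname, f[i].sectname, f[i].type);
    return n == 2 ? 0 : 1;
}
```

On the sample image the scan reports __DATA,__mod_init_func and __DATA,__interpose and skips __data and __text. This is a triage tool for locating where such pointer tables live in a binary; it implements neither of comex's exploits, and whether the loader honours pointers from an unsigned page is the loader-side behaviour that pod2g says was closed in iOS 5.0.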