Pod2g Details How the Corona 5.0.1 Untethered Jailbreak was Achieved

The world has to thank @pod2g for uncovering an untethered jailbreak for iOS 5.0.1. After he figured out the jailbreak for A4-powered devices, he handed over the untether to the Chronic Dev Team and iPhone Dev Team to test and release updated tools. The latter released an updated version of redsn0w, and the Chronic Dev Team released Corona into Cydia.

Pod2g has now documented the technical details of how he uncovered his untether on his own, covering both the userland and kernel exploits used. Here’s a snippet:

Now that Corona was released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.

1. the userland exploit

Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

In the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Mach-O loader didn’t check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different techniques found by @comex, either:
– the interposition exploit
– the initializer exploit

If you understand what pod2g is talking about, it’s worth the read. Well done.

5 Comments
Anonymous
14 years ago

Still waiting on being able to jailbreak my 4S…

Gary
Reply to Anonymous
14 years ago

Yeah, that is the one we’re all waiting for. God speed, pod2g!

Anon
Reply to Gary
14 years ago

I think pod2g is stumped on the A5 JB. Not even a comment on its progress. He really should work in collab with the devteam to speed things up, instead of trying to do it all by himself.

Kraken
Reply to Anon
14 years ago

There is only 1 person that has proven himself capable “doing it all by himself”, and that’s Geohot.

Gary
Reply to Kraken
14 years ago

He’s also a pretty ‘entertaining’ rapper.