The world has to thank @pod2g for uncovering an untethered jailbreak for iOS 5.0.1. After he figured out the jailbreak for A4-powered devices, he handed over the untether to the Chronic Dev Team and iPhone Dev Team to test and release updated tools. The latter released an updated version of redsn0w, and the Chronic Dev Team released Corona into Cydia.
Pod2g has now documented technical details about how he was able to uncover his untether–on his own. Details are provided around the userland and kernel exploits used. Here’s a snippet:
Now that Corona was released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.
1. the user land exploit
Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.
By the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Macho-O loader didn’t check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different technics found by @comex, either :
– the interposition exploit
– the initializer exploit
If you understand what pod2g is talking about, it’s worth the read. Well done.