Although Chronic and iPhone Dev teams will rightfully take a share of the plaudits for releasing utilities enabling an untethered jailbreak on iOS 5.0.1, it was Corona, developed by pod2g, which made it all possible. Now the A4-only exploit is out in the open, he explains in a blog post exactly what Corona is, what it does, and how it has sped up the process to finding that elusive unmanned jailbreak.
Initially, the userland exploit was the main door bashed on by hackers in order to breach the stringent iOS security structure. This time around, though, Apple had patched all the pre-existing userland holes, meaning pod2g and others had to look for other ways to deliver the goods.
Unless you’re particularly familiar with the jargon of software development, you may find the explanation a little difficult to comprehend.
Pre-iOS 5, security researchers used to include the untethering payload as a data page, rather than a code page in the Mach-O binary. The Mach-O loader never bothered checking its authenticity, which was very advantageous when seeking security flaws. ROP enabled the execution of code to occur by utilizing signed code in the dyld cache as opposed to writing new executable code. Techniques discovered by JailbreakMe wizkid Comex (interposition and initializer exploits) enabled ROP to be started by the Mach-O loader
For a more in-depth explanation, on the older techniques, check out the iPhone Wiki.
With Apple having upped its security game, data pages require signature via fruit company servers in order for the loader to authenticate the binary. With @i0n1c demonstrating ways of passing through the verification process, this method could certainly used in an iOS 5.1 jailbreak.
For the Corona exploit, pod2g sought a way to initialize unsigned code without using the Mach-O loader, looking for flaws in existing Apple binaries that could be found using standard launchd plist mechanisms. By using a fuzzer, he discovered a format string vulnerability in theracoon configuration parsing code, which is where the name corona comes from (It’s an anagram!). And there was us thinking he just liked a beer..
In order to apply the jailbreak at boot, racoon is started by a launchd plist file, which executes: racoon -f racoon-exploit.conf – the file which exploits the format string bug and gets the unsigned code going. The format string bug copies the ROP bootstrap payload to the memory and to execute it by overwriting a saved LR in the racoon stack by a stack pivot gadget.
The ROP bootstrap payload then copies the ROP exploit payload from the payload file which is distributed with Corona then stack pivot to it. The ROP exploit payload then triggers the kernel exploit.
With such an involved and lengthy process, those of us enjoying untethered jailbreaks have a lot to be grateful for, and although jailbreaking is – and always will be – free, a donation of any amount to those hard working hackers will surely help the process in future.
For jailbreaking iOS 5.0.1 untethered, follow our complete step by step instructions posted here to jailbreak iPhone, iPad, iPod touch on iOS 5.0.1 using Redsn0w.
iPhone 4 GSM, jailbroken on iOS 5.0.1