Details On Exploiting iBoot Released, Could Lead To Fully Untethered Jailbreak On Older Firmwares
Xerub, one of the well-known old-hats in the jailbreak community, has put together and released a substantial write-up which goes into great depth of exploiting the “recursive stack overflow bug on the iOS 7 bootchain.”
To a lot of jailbreakers and jailbreak fans, the article is basically a historical look at hacking iBoot.
The first thing to mention here is that this article is of an overly technical nature and goes into great detail about the research element of the process as well as what was required to actually exploit the bugs in the iOS 7 bootchain.
The article concludes with a huge chunk of obfuscated source code as well as offering an array of references, including links to Wikipedia and iPhone Wiki articles to explain and reference some terms, and other GitHub sources where applicable and where the certain code is hosted.
Overall, it’s a wonderful read, but may be entirely lost on certain individuals who don’t understand the architecture of the system. With that said, the author suggests that “no prior exploitation knowledge” is required, and that “only basic knowledge of how little-endian stack-grows-downwards machines work and some ARM assembly basics” would be enough to allow a reader to get some benefit out of this text.
For most individuals who just want a basal level of understanding, the “Who’s who?” section does a great job of introducing the iPhone bootchain.
The SecureROM is a small piece of mask ROM or write-protected flash. It is the first thing that runs on the device after a reset.
The LLB is the Low Level Bootloader, responsible for the hardware bringup and loading the main bootloader.
The iBoot is the main Bootloader, effectively a kitchen-sink of all things a bootloader should do: USB, recovery mode, etc. It also handles FS access because it needs to read the kernel off the System partition and boot the OS.
Those opening paragraphs should immediately set the scene for the rest of the article and give readers something to absorb in the first instance. If you want to educate yourself on the process, find out more about what was involved, or just read about a piece of iOS jailbreak history which was eradicated and patched by Apple with the release of iOS 8 all those years ago, then you can find the article – titled De Rebus Antiquis – at GitHub here.
Whether this could be translated into a full untethered jailbreak for devices on iOS 7 and below remains to be seen; as for the latest iOS 11.3.1 firmware, tethered jailbreaks along the lines of those demonstrated by Min Zheng and Keen Security Labs are the only possibility.