pod2g's iOS blog

A working GNU Debugger on iOS >= 4.3

2012-02-24T00:04:00.000+01:00

People know that the gdb package coming from Cydia is broken since 4.3.

But here is a simple way to have a working gdb running on your iOS device : use the one from the Apple SDK !

Prerequisites :

- a jailbroken iOS >= 4.3 device

- OpenSSH should be installed on the iOS device and should listen for connections

- an OSX machine with the iOS SDK >= 4.3 installed

How to :

- remove the gdb package from Cydia

- do the following in the OSX terminal :

cd /tmp

cp /Developer/Platforms/iPhoneOS.platform/Developer/usr/libexec/gdb/gdb-arm-apple-darwin .

lipo -thin armv7 gdb-arm-apple-darwin -output gdb

nano entitlements.xml

- paste the following to the OSX terminal :

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.springboard.debugapplications</key>

<true/>

<key>get-task-allow</key>

<true/>

<key>task_for_pid-allow</key>

<true/>

</dict>

</plist>

- save the file by doing CTRL + X, then 'Y', then 'ENTER'

- now do the following in the OSX terminal :

ldid -Sentitlements.xml gdb

scp gdb root@<iOS Device IP Address>:/usr/bin/

- GDB is now installed to your iOS device.

Happy debugging !

~pod2g

Absinthe v0.3

2012-01-26T09:35:00.001+01:00

Chronic Dev Team has released a new version of the A5 jailbreak tool Absinthe.

Don't reapply if your 5.0.x device is already jailbroken as it won't change anything.

The untether payload is exactly the same, only the computer part has been improved for stability issues.

Here are the links:
- Absinthe Windows v0.3
- Absinthe MacOSX (>=10.6) v0.3
- Absinthe Linux v0.3

Absinthe update 0.1.2-2

2012-01-20T22:08:00.002+01:00

Chronic Dev Team has released a new build that'll point the web clip to greenpois0n.com instead of the absinthe dedicated page.

This will handle better the workload.

Here is the modified build link : Absinthe MacOSX (>=10.6) v0.1.2-2

Absinthe (iPhone 4S and iPad 2 untether installer) is out

2012-01-20T18:12:00.003+01:00

The greenpois0n blog is under heavy load... because it's indeed out !

Here is the download link of Chronic Dev Team's Absinthe : Absinthe MacOSX (>=10.6) v0.1.2-1

Happy Cydia !

iPhone 4S and iPad 2 untether to be released real soon

2012-01-20T15:10:00.002+01:00

Hello dear readers,

I know the wait was long, too much long, but it's about to end! You'd be able to free your iPhone in some hours.

A tool named Absinthe and developped by the Chronic Dev Team will install the untether on your device. Also the iPhone Dev Team will release a CLI (command line) tool to help diagnose issues and repair things if it goes wrong.

This is a little scary I know, but the chance you break something is really small, since we made lots of tests to verify the process on different devices. But it is the first time we use the backup / restore functions of iTunes to install software, and there are maybe things we are not aware of.

As you already know, different security researchers put a lot of energy to work out the different issues we had to install the untether on new devices.

Thus, a unified PayPal account was opened so that everyone who worked on the A5 exploits will receive a fair split of your contributions. Here is the link : contribute
As usual, contributions are not needed but are appreciated by developpers. By the way, thank you very much again for everyone who already participated. This is real nice.

Here is the complete list of Absinthe supported devices :

iPhone 4S running iOS 5.0, 5.0.1 (9A405 and 9A406)
iPad 2 Wifi/GSM/CDMA running iOS 5.0.1

Also, here is MuscleNerd's which explains the whole story in a really precise way: iPhone Dev Team blog post

~pod2g

iPad 2 5.0.1 untethered

2012-01-18T10:26:00.001+01:00

No more to say !

iPhone 4S 5.0.1 untethered

2012-01-16T01:49:00.001+01:00

My friend @DHowett made a video of an untethered 4S iPhone 4,1 running iOS 5.0.1 some days ago.

@DHowett is a famous iOS developer and a member of the Chronic Dev Team.

Only a few to wait now.

~pod2g

Corona 1.0.4 online

2012-01-16T01:17:00.001+01:00

@saurik posted version 1.0.4 of Corona in Cydia. Update now ;-)

This fixes both the launchd socket issue (last fix didn't work randomly) and iBooks.

Thanks to @xvolks for the development and @iH8sn0w for the testing.

Corona iBooks fixes

2012-01-12T19:46:00.006+01:00

@xvolks worked to include @comex sandbox patches into the Corona GIT.

Expect a Corona update soon in Cydia that'll fix iBooks and other softwares having sandbox issues.

I'll update the blog when this is released.

Sandox broken

2012-01-12T10:06:00.001+01:00

Here are some news about the current work on the A5 research.

@planetbeing escaped from the sandbox with the help of @saurik. Thanks to their awesome work, there should be nothing left blocking for the A5 jailbreak.

Now it should be a matter of days. Still no precise ETA of course.

We all want this to be finished ASAP, we're getting tired!

Sandbox difficulties

2012-01-06T12:29:00.002+01:00

@planetbeing, the legendary hacker behind iPhone Linux and lot of jailbreaks (see the iPhone wiki) has joined the A5 research!

The famous @MuscleNerd (the iPhone wiki), the leader of the iPhone Dev Team, who did a lot of tests for Corona and whom integrated it and made it simple in redsn0w is willing to help also.

And last, but not least @p0sixninja (the iPhone wiki), the leader of the Chronic Dev Team, and my partner for years on iPhone security research has started to code and fuzz the Apple sandbox.

We now have a dream team to find a path for a public release of the A5 jailbreak.

Cross your fingers.

A5 FAQ

2012-01-05T10:00:00.010+01:00

How could pod2g have an untethered 4S and dev teams still haven't released tools to achieve this at home?

The exploit I used to inject the untethering files to the 4S relies on having a developer account, and can't be released publicly.

It's the same reason why @MuscleNerd has an iPad 2 tethered jailbreak but couldn't distribute it.

So, we need to find a distributable exploit to remount the system partition read/write and to set Corona files at the correct places.

Why A4 version of Corona was easier to release?

Because a tethered jailbreak is a good way to install Corona!

Why don't you do a tethered jailbreak then?

A tethered jailbreak also relies on an exploitable vulnerability that we still haven't found yet!

pod2g, release this stuff quick, [your insult here], I've waited enough now.

If I could, I would!

Details on Corona

2012-01-02T21:35:00.001+01:00

Now that Corona was released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.

1. the user land exploit

Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

By the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Macho-O loader didn't check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different technics found by @comex, either :

- the interposition exploit

- the initializer exploit

Here is a detailed explanation of incomplete code sign tricks used before 5.0 : the iPhone wiki

In iOS 5.0, data pages need also to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though (he twitted). We may see this in the 5.1 jailbreak.

Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.

Now you got it, Corona is an anagram of racoon :-) .

By the way, the exploitation of the format string vulnerability is different than what was done in 2001, check it out if you're interested !

For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command : racoon -f racoon-exploit.conf

racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.

The format string bug is utilized to copy the ROP bootstrap payload to the memory and to execute it by overwriting a saved LR in the racoon stack by a stack pivot gadget.

The ROP bootstrap payload copies the ROP exploit payload from the payload file which is distributed with Corona then stack pivot to it. The idea is to escape from format strings as fast as possible, because they are CPU time consuming.

The ROP exploit payload triggers the kernel exploit.

2. the kernel exploit

The kernel exploit relies on an HFS heap overflow bug I found earlier. I don't know exactly what happens in the kernel code, I never figured it out exactly, I found it by fuzzing the HFS btree parser.

I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject. This helped me a lot. I may have given up without them.

The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent replacing a syscall to a write anywhere gadget. Some syscalls (first 0xA0 bytes and the last 0x6 bytes) are trashed in the operation because I needed to respect the HFS protocol.

Thus, I restore them as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it.

The kernel exploit just patches the kernel security features, as usual. Nothing interesting there.

Happy New Year 2012 to you all, thanks a lot for the donations.

~pod2g

A4 release

2011-12-27T11:52:00.001+01:00

Hello, as expected, the Chronic Dev Team and the iPhone Dev Team have released the A4 untethered for 5.0.1 based on my research.

It is exactly the same set of files, either distributed as a Cydia package for those that are already tethered or a redsn0w bundle for new users.

They both did a great job testing and integrating the payload.

Here is a link to their respective blog posts :

- Chronic Dev Team : http://greenpois0n.com/?p=150

- iPhone Dev Team : http://blog.iphone-dev.org

temporary redsn0w download links: http://pastie.org/3078869

~pod2g

Focused on A5

2011-12-22T22:20:00.001+01:00

I read the comments on the blog, and I know that a lot of people are waiting for the A5 jailbreak.

Also, I know there are tons of people out there with A4 or even earlier devices who wants the untether now and don't care about it could be interesting to wait A5 is finished to release or even 5.1, so that we don't waste an exploit that took me months to find and develop.

I need to focus on A5 and hope I can find a path quick, and I have the feeling that chronic-dev could help me.

So, here is what I did:

- I gave all the details to the chronic dev team so that they can finish, test, integrate and release the A4 jb ASAP.

- I'll put all my energy from now on on the A5

Hope I don't disappoint.

See you.

iPhone 4 iOS 5.0.1 untethered jb demo

2011-12-21T18:52:00.001+01:00

Hello,

Here is a new video demo of the current status of the 5.0.1 jailbreak running on an iPhone 4.

This is meant to reassure people that were thinking it only works on older iPods.

The jailbreak is near ready for prime time (excluding 4S and iPad 2).

Patches are the same as redsn0w's. Expect the same level of stability.

Some more days to wait. Be patient, we're doing our best.

~pod2g

No more cache troubles

2011-12-20T02:02:00.001+01:00

OK, figured it out, the A5 cache is not a problem anymore.

I sorted it out by doing the untether in a single thread and by flushing all the dcache then all the icache in a row at a strategical point of the process.

It took me like a hundred of tests to find the key. Hard for the nerves.

For the tech guys, here is a link explaining issues related to self modifying code ( or code patching ) on the ARM platform : http://blogs.arm.com/software-enablement/141-caches-and-self-modifying-code/

Another news : I discussed with @saurik today about the launchd boot process, and he's found one missing piece of the puzzle I needed to have a perfectly stable jailbreak. He's definitly one of the best iOS gurus out there. Thank you saurik!

News

2011-12-19T14:17:00.001+01:00

Hello.

Here are the news of the 4S week-end.

The untether fails right now because I'm having processor cache issues.

I'm close, but I can't figure out what happens. It certainly has something to do with the Cortex-A9 cache management.

I could sort it out quick, it's a matter of chance.

I'll report you my progress tomorrow.

BTW: I removed (sorry) the greetings messages so that only articles related to the jailbreak remain in the main page. AFAIK Blogger don't have the option to move or fusion messages while keeping the comments.

Ciao!

4S 5.0.1 Build 9A406 fail

2011-12-16T00:11:00.001+01:00

@MuscleNerd tweeted something really interesting today:

The latest ipsw released by Apple for the 4S contains an unencrypted
ramdisk with the vfdecrypt key in plain text.

Everybody can decrypt the filesystem with it !

Is it a Christmas gift from Apple ?

Weird, isn't it ?

Tested !

2011-12-15T14:06:00.001+01:00

IPhone 3Gs 5.0.1 jb worked.

Remaining to test: iPod 4G & iPhone 4 CDMA running 5.0.1.

Progress

2011-12-15T08:54:00.001+01:00

Hello my friends,I know that I've been silent yesterday and that it was annoying.

Sorry for this, but I had to organize things for the release.
Also, I've tested iPad 1 and it worked.
Today I hope I can test a 3Gs.

BTW: please don't propose to be a beta tester because I'm too paranoid, fearing leaks.

Now the time to finalize the jailbreak for old devices, fix some stability issues and package the whole.That will take some days.

In the meanwhile, I'm starting the research for iPad 2 and 4S.I'll take you informed of my progress.

Finally, I want to thank all who donated. I now can buy both devices! I don't know what to say.

Thank you very much my friends.
Have a good day!

See ya.

Apple TV 2 4.4.3 untethered

2011-12-14T00:25:00.000+01:00

Done also. Rush mode = off for today.

Will be able to test in some days, thanks to @firecore that'd ship me an Apple TV 2 for testing !

Thanks mate ! That's awesome.

iPod 4G 5.0.1 untethered

2011-12-13T23:56:00.001+01:00

This one too ! :-)

iPhone 3Gs 5.0.1 untethered

2011-12-13T23:31:00.000+01:00

Code done. Testing tomorrow also !

iPad 1 5.0.1 untethered

2011-12-13T21:49:00.001+01:00

Code is done, testing tomorrow with a friend's device.

Just to let you know my progress in real time.

iPod 3G 5.0.1 untethered

2011-12-12T22:50:00.000+01:00

Hey, this one's done.

Next: iPad 1, iPhone 3Gs, iPod 4G, Apple TV 2.

Rushing the best I can.

Bye !

iPhone 4 5.0.1 untethered

2011-12-12T01:28:00.001+01:00

It's late, time to pass out.

I just want to let you know my iPhone 4 (iOS 5.0.1) is untethered.

Some progress today heh ;-)

Next : iPod 3G, iPad 1, iPhone 3Gs, iPod 4G, Apple TV 2.

See ya.

iOS 5.0 iPod3,1 untethered

2011-12-09T21:00:00.000+01:00

Today I succeed in jailbreaking my iPod 3G.

The exploit is user-land, rely on a user ROP payload and a kernel write anywhere exploit.

I can't give much details right now, but here are the next steps :

- upgrade the iPod 3G to iOS 5.0.1

- do the same on iPhone 4 / iOS 5.0.1

- then iPad 1 & iPod 4G

At every step, the exploit code needs certainly to be reworked, but I really don't know right now.

Next, I'll return to the research for iPad 2 and iPhone 4S. I don't know if I gonna release first for other devices or not. I've to think about it. Feel free to give your opinion.

I'll update the blog when I have news.

Cya.