[SOLVED] How can a userland untethered jailbreak work???

Discussion in 'iOS Jailbreak & Cydia' started by kw kernel, Jul 9, 2012.

Thread Status:
Not open for further replies.
  1. kw kernel Active Member

    Member Since:
    Dec 13, 2011
    Message Count:
    410
    Device:
    3G iPod touch
    Hello Guys :D
    I asked myself a while ago: how can an untethered userland jailbreak (like JailbreakMe) actually be untethered? I could not answer it myself, so I thought I could post it here :D
    I understand that you can get root access with a userland exploit, from where you can trigger a kernel exploit... ;)

    BUT... how about the next boot-up?

    Doesn't the Boot-ROM sign anything that's loaded on it?

    Well, I can understand it on older devices like the iPhone 3G or older, where the Boot-ROM (VROM) did not sign the LLB ;)

    But you can even jailbreak devices with jailbreaks like JailbreakMe or Absinthe that are not even vulnerable to the limera1n Boot-ROM exploit... ;) (like A5 or A5X devices)

    How can this work? ;)
    tw23 likes this.
  2. pandaa Banned

    Member Since:
    Nov 7, 2011
    Message Count:
    7,438
    Device:
    4G iPod touch
    Once you have root access, I believe you can alter the boot process to bypass these checks.
    kw kernel likes this.
  3. Tkf1 Community Development Team

    Member Since:
    Oct 12, 2009
    Message Count:
    15,811
    Device:
    iPad mini
    It works around the kernel, so you don't need to mess around with iBoot and whatnot.
    kw kernel likes this.
  4. kw kernel Active Member

    Member Since:
    Dec 13, 2011
    Message Count:
    410
    Device:
    3G iPod touch
    Ok... but iBoot signs the kernel.
    iBoot is signed by the LLB (Low Level Bootloader),
    and the LLB is signed by the Boot-ROM, which you can't hack without a Boot-ROM exploit, of course...


    So how would that work? ;)
  5. JacobVengeance Well-Known Member

    Member Since:
    Apr 12, 2010
    Message Count:
    3,741
    Device:
    Nexus 7
    Kernel is usually tweaked.
    kw kernel and pandaa like this.
  6. kw kernel Active Member

    Member Since:
    Dec 13, 2011
    Message Count:
    410
    Device:
    3G iPod touch
    Yes ;)
    But you cannot just tweak the kernel...
    After a reboot, iBoot would not load the kernel :(
    You can patch iBoot to do so, BUT then LLB would not load iBoot :(
    You can also patch LLB, but then the Boot-ROM would not load LLB :( (except for iPhone 3G and older)

    The only way to get LLB up to the Boot-ROM is to exploit it with a Boot-ROM exploit...
    But A5 and A5X (iPad 2 and 3, iPhone 4S, Apple TV 3) devices do not have one yet :(

    So how do you break the boot chain? ;)
  7. JacobVengeance Well-Known Member

    Member Since:
    Apr 12, 2010
    Message Count:
    3,741
    Device:
    Nexus 7
    Well, you see, the kernel isn't as strict as iBoot and prior. Usually they just keep re-triggering the initial kernel/userland vulnerability on boot-up, or they add in launch daemons and other tricks to re-send the code, or just patch things.
    kw kernel likes this.
  8. tw23 Community Development Team

    Member Since:
    Sep 11, 2010
    Message Count:
    3,830
    Device:
    iPhone 4S (Black)
    Ermm... it's pretty easy.
    These are the steps they take:

    For iOS 5.x
    1. use a regular launchd daemon to launch an already-signed process, like racoon
    2. then they trigger the vulnerability in the process they are exploiting, to gain code execution
    3. after they do that, they use what is called return-oriented programming, also known as ROP, to trigger the kernel exploit
    4. they use ROP to write the kernel exploit, which in most cases, or probably all cases, patches security checks in the kernel, which allows an untethered jailbreak :) !

    For iOS 4.x
    1. in iOS 4, there was something called incomplete code signing, which basically allowed code execution (it is now patched in iOS 5.x)
    2. they exploit the incomplete code-signing vulnerability, which allows code execution
    3. like in iOS 5.x, they use ROP to trigger the kernel exploit
    4. the kernel exploit is written in ROP, which then patches security checks, so it lets you have an untethered jailbreak :) !

    Also, all these methods needed an already-jailbroken device. You can't jailbreak your device using incomplete code signing (though you could with the racoon vulnerability, which just requires some more work)...
    If you're wondering why iBoot doesn't check to see whether the kernel is unsigned or modified, it's because it checks it before we patch the kernel.

    This is the process it takes:
    BootROM -> LLB -> iBoot -> Kernel -> iOS booting up
    In between all those steps ^^ it does a security check. But we patch the kernel during boot-up, so iBoot has already checked the kernel to see if it is signed by Apple, so we can patch it all we want :) ;) !

    Hope that explains things ;) .
    Tkf1 and kw kernel like this.
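The mechanism tw23 describes above comes down to a time-of-check versus time-of-use gap: iBoot verifies the kernel image once, before hand-off, and nothing re-verifies the copy that is actually running. The toy C program below is an added illustration written for this thread; it is not code from any jailbreak, from Apple, or from the posters, and it performs no exploitation. It models the on-flash image, the single load-time signature check, a post-boot patch of a security flag in the running copy (standing in for what the ROP-driven kernel exploit does), and, going one step beyond the thread, a runtime re-check of the live image that would catch that patch. The assumptions are labelled in the comments: a keyed FNV-1a hash stands in for Apple's real signature scheme, `enforce_codesign` stands in for the kernel's code-signing check, and `SIGNING_SECRET` and all function names are invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the boot chain BootROM -> LLB -> iBoot -> kernel from the thread.
 * Constructed for illustration; not Apple's code and not an exploit.
 * The "kernel image" carries one security-check flag that the untether patches. */
typedef struct {
    uint8_t code[64];          /* stand-in for kernel text */
    uint8_t enforce_codesign;  /* 1 = kernel refuses unsigned userland code */
} kernel_image_t;

/* ASSUMPTION: a keyed FNV-1a hash stands in for Apple's signature over the image.
 * Real iBoot checks an RSA signature against a public key; the point here is only
 * that verification happens once, at load time. */
#define SIGNING_SECRET 0x5EC8E7u

static uint64_t fnv1a(const void *buf, size_t len, uint64_t seed)
{
    const uint8_t *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL ^ seed;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* "Apple" signs the image once, at build time (hypothetical name). */
uint64_t sign_image(const kernel_image_t *k)
{
    return fnv1a(k, sizeof *k, SIGNING_SECRET);
}

/* Build the stock, enforcing kernel image. */
kernel_image_t make_stock_kernel(void)
{
    kernel_image_t k;
    memset(&k, 0, sizeof k);
    memset(k.code, 0x90, sizeof k.code);  /* filler bytes */
    k.enforce_codesign = 1;
    return k;
}

/* iBoot step: verify the on-flash image, copy it into "RAM", jump to it.
 * The check happens exactly once, before hand-off; nothing re-checks later. */
bool iboot_load_kernel(const kernel_image_t *flash, uint64_t sig, kernel_image_t *ram)
{
    if (sign_image(flash) != sig)
        return false;                     /* tampered on flash: refused at boot */
    memcpy(ram, flash, sizeof *ram);      /* now executing from RAM */
    return true;
}

/* The kernel's policy decision, as userland sees it. */
bool kernel_allows_unsigned_code(const kernel_image_t *ram)
{
    return ram->enforce_codesign == 0;
}

/* What the untether does after boot: a kernel write primitive (reached through
 * the userland bug plus ROP in the thread's description) flips the check in the
 * running copy. The flash image is untouched, so the next boot verifies cleanly
 * and the patch is simply applied again. */
void untether_patch_running_kernel(kernel_image_t *ram)
{
    ram->enforce_codesign = 0;
}

/* Hardened variant (not in the thread): re-hash the live image against the
 * boot-time signature. A load-time-only check cannot see the patch; this one can. */
bool runtime_integrity_ok(const kernel_image_t *ram, uint64_t sig)
{
    return sign_image(ram) == sig;
}

int main(void)
{
    kernel_image_t flash = make_stock_kernel();
    uint64_t sig = sign_image(&flash);
    kernel_image_t ram;

    printf("boot: %s\n", iboot_load_kernel(&flash, sig, &ram) ? "kernel verified" : "refused");
    printf("before untether: unsigned code allowed = %d\n", kernel_allows_unsigned_code(&ram));
    untether_patch_running_kernel(&ram);
    printf("after untether:  unsigned code allowed = %d\n", kernel_allows_unsigned_code(&ram));
    printf("runtime re-check passes = %d\n", runtime_integrity_ok(&ram, sig));

    kernel_image_t tampered = flash;           /* same patch written to flash instead */
    tampered.enforce_codesign = 0;
    printf("patched-on-flash image accepted by iBoot = %d\n",
           iboot_load_kernel(&tampered, sig, &ram));
    return 0;
}
```

The two last lines of output are the whole argument of the thread in miniature: the same one-byte change is rejected when it sits on flash, because iBoot sees it, and accepted when it is made in RAM after iBoot is done. Only a check that runs after boot (the `runtime_integrity_ok` variant) closes that gap, which is why a persistent userland untether can survive a reboot without touching LLB, iBoot, or the Boot-ROM.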
  9. kw kernel Active Member

    Member Since:
    Dec 13, 2011
    Message Count:
    410
    Device:
    3G iPod touch
    Thank you so much :D
    So the kernel exploit actually gets re-triggered AFTER iBoot signed it :D
    Simple, but genius ;)


    That's a really great explanation, BTW :D
    Thank you for all that work :)
  10. kw kernel Active Member

    Member Since:
    Dec 13, 2011
    Message Count:
    410
    Device:
    3G iPod touch
    Thanks to all of you guys for helping me :D
    tw23 likes this.