HitB2012Ams iPhone Jailbreak part 1: Corona Jailbreak for iOS 5.0.1
Frank Breedijk
GreenPois0n Absinthe was built upon @pod2g's Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on the 5.0.1 firmware. In this talk the crew presents a chain of multiple exploits that accomplish a sandbox breakout, kernel unsigned code injection and execution, and together result in a fully-featured, untethered jailbreak.
iOS was introduced in 2007 as iPhone OS 1.0; its current release is iOS 5.1.1.
Apple has introduced more and more security features over time. Flaws are getting harder to exploit and are quickly patched. iOS is currently considered one of the most secure operating systems around.
Current iOS has solid security features:
- Boot chain: every firmware file in the chain is signature-checked
- Code signing: only Apple-approved (signed) binaries run
- W^X / DEP: Data Execution Prevention, no page is both writable and executable
- ASLR: Address Space Layout Randomization
- Stack canaries: compiler stack protector (__stack_chk_guard / __stack_chk_fail)
- Partitions: separate system and user partitions
- Users: root vs mobile
- Sandboxing: even finer per-process restrictions
But there are exploits. A bootrom exploit (a heap overflow) is typically used in a tethered jailbreak.
For the Corona untether, more hurdles had to be cleared:
- ASLR: bypass needed
- Code signing: reuse an original, already-signed binary
- Sandbox: entitlement patch
- Format string vulnerability
- DEP: bypassed using Return Oriented Programming (ROP)
- Kernel exploit: HFS+ vulnerability
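To make the "format string vulnerability" and "ASLR bypass" items above concrete, here is a small C model I added; it is not code from the talk, from Corona or from Absinthe, and it does not claim to reproduce the bug pod2g used. It shows the classic pattern: a privileged daemon logs a user-controlled string as the format argument, so an attacker who supplies "%s %p" also consumes the next variadic slot and reads a code pointer. Subtracting that pointer's link-time address gives the ASLR slide of the image, which is what the later ROP stage needs. The daemon name, the config path and the handler are all hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical handler inside a privileged daemon. Its runtime address minus
 * its link-time address is the ASLR slide for the whole image, which is why
 * leaking any code pointer defeats ASLR for that binary. */
static int example_handler(void) { return 42; }

/* VULNERABLE (kept deliberately): the user-supplied string is the format.
 * The daemon only intends "%s" (the config path), but the extra pointer
 * argument sits in the next variadic slot, and "%s %p" reads it out.
 * A real attacker would keep adding "%p" to walk further up the stack
 * (undefined behaviour, but it works in practice); this model stays within
 * the arguments actually passed so it is deterministic. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#pragma GCC diagnostic ignored "-Wformat-security"
int log_event_vulnerable(char *out, size_t n, const char *user_fmt,
                         const char *cfg_path, void *handler)
{
    return snprintf(out, n, user_fmt, cfg_path, handler);
}
#pragma GCC diagnostic pop

/* HARDENED: the format is a compile-time literal and user input is only data.
 * The handler pointer is never reachable from the format string. */
int log_event_fixed(char *out, size_t n, const char *user_msg,
                    const char *cfg_path, void *handler)
{
    (void)handler; /* deliberately not exposed */
    return snprintf(out, n, "%s: %s", cfg_path, user_msg);
}

/* What the attacker's tooling does with the leaked line: parse the token after
 * the first space back into a pointer and compare it with the real address.
 * Returns 1 if the leak recovered the handler address, 0 otherwise. */
int leak_recovers_handler(const char *leaked_line)
{
    void *p = NULL;
    const char *sp = strchr(leaked_line, ' ');
    if (!sp || sscanf(sp + 1, "%p", &p) != 1)
        return 0;
    return p == (void *)&example_handler;
}

/* ASLR slide as an attacker would compute it: leaked runtime address minus
 * the (here unknown, so assumed) link-time address taken from the binary. */
uintptr_t aslr_slide(void *leaked, uintptr_t link_time_addr)
{
    return (uintptr_t)leaked - link_time_addr;
}

int main(void)
{
    char line[256];
    const char *attacker_input = "%s %p";          /* constructed input */
    const char *cfg = "/etc/daemon.conf";          /* hypothetical path */

    log_event_vulnerable(line, sizeof line, attacker_input, cfg,
                         (void *)&example_handler);
    printf("vulnerable log line : %s\n", line);
    printf("leak recovers handler: %d\n", leak_recovers_handler(line));

    log_event_fixed(line, sizeof line, attacker_input, cfg,
                    (void *)&example_handler);
    printf("hardened log line   : %s\n", line);
    printf("leak recovers handler: %d\n", leak_recovers_handler(line));
    return 0;
}
```

The fix is the boring one: never let untrusted input reach the format argument. Compilers flag this with -Wformat-security, which the vulnerable function above has to silence explicitly to compile cleanly.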
The details of how these hurdles were overcome can best be seen in the presentation materials: http://conference.hitb.org/hitbsecconf2012ams/materials/. To be completely honest, this stuff is over my head, but I have respect for the work they have put in.
ABOUT JOSHUA HILL (@p0sixninja)
Joshua Hill (@p0sixninja) is an independent Security Researcher for zImperium, as well as leader of the Chronic Dev Team and chief architect behind GreenPois0n, a cross-platform toolkit used by millions of people around the world to jailbreak their iOS mobile devices.
ABOUT CYRIL (@pod2g)
Cyril (@pod2g) is an iPhone hacker who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He is a member of Chronic-Dev Team and the original author of the Corona untether jailbreak.
ABOUT NIKIAS BASSEN (@pimskeks)
Nikias Bassen (@pimskeks) is a Chronic-Dev Team member and main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of the communication and service protocols for iDevices. He found several flaws in the iDevice service protocols that also helped in creating Absinthe.