pod2G Reveals Details About Corona Untether For iOS 5.0.1

iOS hacker pod2G has provided some more details about the Corona untether that has been used by the iPhone Dev Team and Chronic Dev Team in Redsn0w and the Corona Untether jailbreak app for iOS 5.0.1.

pod2G explains what he was up against and how he managed to discover the userland and the kernel exploit.

He writes:

Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

In the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Mach-O loader didn’t check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different techniques found by @comex, either:

- the interposition exploit

- the initializer exploit

Here is a detailed explanation of the incomplete code sign tricks used before 5.0: http://theiphonewiki.com/wiki/index.php?title=Incomplete_Codesign_Exploit

In iOS 5.0, data pages also need to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though (https://twitter.com/#!/i0n1c/status/145132665325105152). We may see this in the 5.1 jailbreak.

Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That’s why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

Using a fuzzer, I found after some hours of work that there’s a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection.

Now you got it, Corona is an anagram of racoon :-) .

By the way, the exploitation of the format string vulnerability is different from what was done in 2001; check it out if you’re interested!

For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command: racoon -f racoon-exploit.conf

racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.

The format string bug is utilized to copy the ROP bootstrap payload into memory and to execute it by overwriting a saved LR on the racoon stack with a stack pivot gadget.

The ROP bootstrap payload copies the ROP exploit payload from the payload file that is distributed with Corona, then stack pivots to it. The idea is to escape from format strings as fast as possible, because they are CPU-time consuming.

The ROP exploit payload triggers the kernel exploit.
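The bug class pod2G describes above, a configuration token reaching a printf-style function as its format argument, shown as an added illustration (constructed code, not racoon's source): the vulnerable call beside the hardened one, plus an audit check that flags config lines carrying conversion directives before a parser trusts them. The helper names and the sample token are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not racoon's source: a logging helper of the kind
 * a configuration parser uses to report the token it is processing. */
static void logmsg(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the config token itself becomes the format string, so
 * every '%' directive written in the file is interpreted by vsnprintf. */
void report_token_vulnerable(const char *token, char *out, size_t outsz) {
    logmsg(out, outsz, token);
}

/* Hardened pattern: the format is a fixed literal; the token is only data. */
void report_token_safe(const char *token, char *out, size_t outsz) {
    logmsg(out, outsz, "%s", token);
}

/* Audit check for untrusted config lines: true if the line carries any
 * conversion directive (a '%' not immediately paired with another '%'). */
bool has_format_directive(const char *line) {
    for (const char *p = strchr(line, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] != '%')
            return true;
        p++;                       /* skip the second half of an escaped "%%" */
    }
    return false;
}

int main(void) {
    /* Constructed config token: "%%" is the one sequence that is safe to push
     * through a format string with no arguments, so it is used here to show
     * that the two code paths treat the same bytes differently. */
    const char *token = "psk_file 50%%";
    char out[128];
    report_token_vulnerable(token, out, sizeof out);
    printf("vulnerable path: %s\n", out);     /* "psk_file 50%"  */
    report_token_safe(token, out, sizeof out);
    printf("safe path:       %s\n", out);     /* "psk_file 50%%" */
    return 0;
}
```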

He also goes on to explain the kernel exploit, which you can read on his blog.

pod2G, who is currently working on the untethered jailbreak for iPhone 4S and iPad 2, hasn’t provided any update on it. We’ll let you know if there are any further updates, so stay tuned here at iPhone Hacks or join our Facebook Fan page or follow us on Twitter or subscribe to our RSS feed.

In case you missed it, you can check out our step-by-step guides to performing an untethered jailbreak using Redsn0w and the Corona iOS 5.0.1 Untether:


  • Amazed

    I swear this guy is a freaken genius

    • WoW

      I was thinking the exact same thing, and then I saw your post… pretty damn smart!

  • Zuluhulu

    Doh!

  • Medowance

    Agree with that!!!!!

    Hmmmmm, not sure whether to ask here or not: after untethering my iOS 5.0.1 on my iPhone 4,
    I found out that when I switch my phone to silent mode, there is no slashed bell icon on my status bar… anyone have this problem??

    • BigDaddy

      There has never been a slashed bell on the status bar, unless you install a jailbreak tweak.

      • Medowance

        Thanks for the reply… just noticed… I did not reinstall my LockInfo….

        hahahahahhaha

  • Steve

    If this was 2 weeks ago, this comment section would be full of people calling pod2g every name under the sun. It’s funny how these lowlifes get their jailbreak and then disappear without even the decency to admit they were wrong.

    • iOS hunter

      They disappear or changed their user name. Lowlife leeches are hiding under the pig sty. They will resurface soon about iPad 2 and 4S and iOS 5.1. You’ll see. They will pop their heads up real soon.

      • fu

        +1.

    • el

      Agreed with that 100%. Those who whined and bit*hed about pod2g, just talking and talking with no action, have all disappeared, and not surprisingly were the first few to download this jb. What a shame!!

      thanks pod2g

    • achex

      Agree … forget about “sorry”, how about at least “thank you”. They know nothing but curse.

  • axe

    Seriously, I don’t understand why there are so many crybabies on his blog, as he already said he or his team is working hard on A5. I really hope he won’t release too many detailed A5 updates because:
    1) Too many immature kids there don’t even understand or care about his technical updates. All they care about is how cool they can look showing off their little i-toy device playing pirated games to friends of the same mentality.
    2) If even we could understand a little of what all these technical details mean, Apple can understand, realize and predict the hackers’ next move and quickly kill A5 before iOS 5.1.

  • badboy303gamer

    Don’t know why they hate on pod2g. Things take time. No matter how far down this rabbit hole we go, there’s always a way. Humans are the fault in their own security. Hack the planet!

  • http://expressreader.blogspot.com Arslan

    I used the latest Redsn0w version 10b3 for the untethered jailbreak.
    It has some bugs.
    How can I reinstall official firmware and jailbreak my iPod touch 4G using Corona?

  • Steve

    I’m nearly certain comex’s job will involve finding exploits and patching them. I’m sure once he or any other Apple employee has 10 minutes with a jailbroken iDevice they will soon work out the exploit. I really wouldn’t worry about Apple finding it even without directions.

  • j3z

    Great Job Pod2g and thanks for the insight! ;)

  • Axe

    Sometimes I wonder if maybe Apple purposely left some tiny holes. Yes, they have to be responsible to their App Store devs, but without the jb scene, I doubt they can be as creative as the devs in Cydia. Apple needs jb hackers to boost their hardware sales. It’s called old-fashioned dirty legal business tactics.

  • AJ

    Question for pod2g and all others:
    Should I jailbreak my iPhone 4 with Redsn0w or not? I don’t wanna mess it up like I messed up my iPod 1G long back with Redsn0w. So I wanna be on the safer side. Do reply soon, thanks..

  • Jason

    See, I didn’t understand any of that. Just because you reach the root directory of the iPhone doesn’t mean it’s available for the public to use without bricking their phones. This all takes time. I tried some iPhone coding myself and I’m still on my 40th string lol. God knows how many this dude had to go through to find one that works. Looking forward to news on A5 progress.

  • Koovu

    Pod2g is the king! All his work is much appreciated by myself. I’d love to be involved in/understand his work :)

  • Brendon

    Absolutely genius. I only wish I could have a deep understanding of even 10% of what he went through to be successful with this JB. Hats off to you, pod2g!

  • jacquesdupontd

    Of course, brilliant, but I might ask: are you so sure Apple is gonna find the trick anyway, so that you could explain to them how you did it? Couldn’t we have waited to see if the jailbreak failure was fixed in their upcoming firmwares? Just a question, and of course thanks again. I think people understood it was no speculation, but as we all know, they know how to say thank you after they all understood they were a bit in a fury for nothing :)

    If someone can answer my question I’d be pleased to read it.

    Jacques Dupont(d)

  • jacquesdupontd

    One better way would be for them to be losing time looking in the wrong corner if you had 2 ways of doing it, but that’s just a thought (you understood? I mean reveal something different that could have worked from what you did, so they’ll be searching for where that f….king failure is).

    Jacques Dupont(d)

  • Psycho Realm

    Props to pod2g and the haters can keep hating cause that’s all they can do. Hating is a sign of weakness.

  • paul

    How can I jailbreak my iPad 2 iOS 5.0.1?

  • Dave

    Also, why would he post that? Apple can now easily fix this in the next update, knowing what they missed.

  • erick

    He knows that the exploit will be fixed without him telling the secret; plus Apple is good at looking for holes after every jailbreak comes out.

  • J

    Apple will be able to fix it anyway.

  • fu

    It’s a cat and mouse game.
    The jb scene will find something and Apple will either fix it or use it in their next iOS! lol

  • http://www.motorbeam.com/ fas

    But when is the question.