During today’s Jailbreak Live event at the Hack in the Box conference in Amsterdam, Pod2g and his “dream team” of iOS hackers took to the stage to unveil the long-awaited iOS 5.1.1 untethered jailbreak. The team also explained how the Absinthe 2.0 software works its magic and opens your device up to a world filled with apps and tweaks that Apple never wanted you to install on your device.
Here’s how it works.
GreenPois0n Absinthe was built upon @pod2g’s Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on for the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.
Corona is an acronym for “racoon”, which is the primary victim for this attack. A format string vulnerability was located in racoon’s error handling routines, allowing the researchers to write arbitrary data to racoon’s stack, one byte at a time, if they can control racoon’s configuration file. Using this technique researchers were able to build a ROP payload on racoon’s stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.
The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad2 and iPhone 4S, which weren’t exploitable to LimeRa1n, so another injection vector was needed.
If you’re interested in finding out more about the Absinthe 2.0 jailbreak and how it works, you can check out the official Hack in the Box website where all of the presentation notes are now available.