Pod2g Posts Details on How Corona Untethered Jailbreak Works

POST

MAIL

Posted January 2, 2012 at 8:41pm by iClarified

Pod2g has posted some details on how the Corona untethered jailbreak works.

In a new post on his blog, pod2g notes that Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0 so Corona had to do it another way.

For Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I searched for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code ! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you setup an IPsec connection.

Now you got it, Corona is an anagram of racoon :-) .

Pod2g notes that the the ROP exploit payload triggers a kernel exploit that relies on an HFS heap overflow bug he found earlier.

I don't know exactly what happens in the kernel code, I never figured it out exactly, I found it by fuzzing the HFS btree parser. I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject.

Pod2g Posts Details on How Corona Untethered Jailbreak Works

Follow iClarified

Snuf - January 2, 2012 at 11:01pm

Hey Pod keep up the great work. It's amazing you are able to live your normal life and still have time to find a way to offer us a free JB. You will always have haters, unfortunately even the people you are helping. I (and many other grateful iPhone owners) look forward to your achievements in 2012. Happy New Year!

Reply · Like

michael B - January 2, 2012 at 11:42pm

free JB!!!! he's earned almost 60,000 with donations.... Free JB is far far far from being real!

Me - January 3, 2012 at 12:02am

He deserves to make $100,000 for this jailbreak..I personally sent him $450 ... My iPhone is worth more...we don't help people that help us.. If you are a clear fellow then you won't be reading this.. You would've been make your own shit!! Thats why doctors and surgeons make half millions dollars they went to college spent over 20 yr in school You work hard in America you will have a better life The kid is so smart... now with this $$ he will go to college for FREE.. Great job POD2... Release IPHONE4S JB i'll send you another $450 No prob here Abientot Mon Amis

DT - January 3, 2012 at 12:51am

@the blog below.... Hey man u never donated$450 I checked with pod2g and said nothing over ten bucks for a single donation but....it added up to $60 thousand total for 4 months work

pod2g - January 2, 2012 at 9:20pm

Pod2g wants the same deal as comes. He's showcasing his work to prove to apple that he understand their system, and so they should hire him.

Boywonda - January 2, 2012 at 9:14pm

Everyday I come here just to see that litre PWNED icon and get a little excited that it will say TETHERED or UNTETHERED JAILBREAK FOR A5 DEVICES....Im usually left always disappointed. sigh

david - January 2, 2012 at 9:33pm

exactly !!!

kijijij - January 2, 2012 at 9:12pm

yeah mate thats my add. do you wanna give me 10 bucks? or download it here for free...

Yi - January 2, 2012 at 8:57pm

Can someone please explain me who wants to know how Corona works???? It wors and thats whats important. We need a way to jailbreak A5 de ices I don't care how its done. Just make it real.