GeoHot has added an entry to TheiPhoneWiki explaining how his purplera1n iPhone 3GS jailbreak works.
Below you can read the step by step description of what the exploit does...
-----
* purplera1n sends the enter recovery commands using iTunesMobileDevice
* once in recovery(iBoot), it sends the IBoot Environment Variable Overflow exploit
* the exploit adds a "geohot" command to the phone which runs the payload
* the "geohot" command is run, control is now transferred from iboot to the payload
* the purplera1n client is done
Inside payload
* the payload restores the default environment variable ring buffer and saves the environment to nvram(sets auto-boot to true)
* it patches iBoot to load unsigned img3s and not care about the tags
* it loads the purplera1n picture(sent with payload)
* the nor patcher starts
* llb is decrypted, patched, and increased in size to 0x24200. this is the resident 0x24000 Segment Overflow exploit
* a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
* iboot is decrypted, patched
* everything else is read as is
* nor is written back, nor patcher is done
* kernel is loaded, decrypted, and patched
* ramdisk is loaded(sent with payload) and moved to ramdisk region at 0x44000000, patched kernel is tacked on to the end
* patched kernel is booted
* control is now transferred from payload to ramdisk
Inside ramdisk
* launchd is run, all stuff happens here
* /dev/disk0s1 is mounted
* fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively
* Freeze.app is transferred and Freeze.app loader has SUID bit set
* patched kernel is read from end of ramdisk block device and written to filesystem
* ramdisk is done, rebooting...
Reboots as jailbroken phone
-----
Read More
Below you can read the step by step description of what the exploit does...
-----
* purplera1n sends the enter recovery commands using iTunesMobileDevice
* once in recovery(iBoot), it sends the IBoot Environment Variable Overflow exploit
* the exploit adds a "geohot" command to the phone which runs the payload
* the "geohot" command is run, control is now transferred from iboot to the payload
* the purplera1n client is done
Inside payload
* the payload restores the default environment variable ring buffer and saves the environment to nvram(sets auto-boot to true)
* it patches iBoot to load unsigned img3s and not care about the tags
* it loads the purplera1n picture(sent with payload)
* the nor patcher starts
* llb is decrypted, patched, and increased in size to 0x24200. this is the resident 0x24000 Segment Overflow exploit
* a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
* iboot is decrypted, patched
* everything else is read as is
* nor is written back, nor patcher is done
* kernel is loaded, decrypted, and patched
* ramdisk is loaded(sent with payload) and moved to ramdisk region at 0x44000000, patched kernel is tacked on to the end
* patched kernel is booted
* control is now transferred from payload to ramdisk
Inside ramdisk
* launchd is run, all stuff happens here
* /dev/disk0s1 is mounted
* fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively
* Freeze.app is transferred and Freeze.app loader has SUID bit set
* patched kernel is read from end of ramdisk block device and written to filesystem
* ramdisk is done, rebooting...
Reboots as jailbroken phone
-----
Read More