Tuesday, February 15, 2011

About exploits for iOS, bootrom and conflict with Geohot

The recent release of the jailbreak Geohot for devices based on Apple A4 aroused great attention in the circles Dev Team. Most developers implication George Hotz of the selfishness of his intentions, vanity and folly. Why did this happen?

limera1n - untethered jailbreak from geohot second uses a known vulnerability in bootrom iOS all new devices. Earlier in September this year, members of the Dev Team pod2g and posixninja excavated and partially documented the first known vulnerability in bootrom Apple A4 devices. Now Apple is aware of two vulnerabilities that are likely to be closed with the next revision of the hardware devices.

The thing that bootrom (or SecureROM) - is a small downloader, that's called iPhone / iPad as soon as you turn on the device. Bootrom usually sewn in read-only NAND (flash memory), which is stitched at the factory during manufacture of the device. All subsequent updates iOS does not affect this portion of memory: update bootrom only possible with the new hardware revision of devices. That's why all found vulnerabilities in this area code are strategically important.

Upon completion of bootrom passes control to the loader iBoot. iBoot - this is the second stage boot, whose task is to conduct a partial initialization of the device, load the kernel iOS and give him control. iBoot easily alter the upgrade iOS, on this all found in him the vulnerability of a temporary nature.

The whole chained iOS boot process looks something like this: bootrom -> iBoot -> iOS

Ongoing vulnerability bootrom always a guarantee that sooner or later jailbreak will be taken. Vulnerabilities in iBoot or iOS unreliable and Apple closed during the upgrade iOS. In addition jailbreak, which runs through vulnerabilities in iBoot usually is tethered, ie, After rebooting the device you need to jailbreak again.

After a hasty release limera1n Dev Team have postponed exit greenpois0n to hide the implementation of the exploit bootrom - SHAtter from Apple to the next generation of devices, in which 100% will be shut down vulnerabilities exploited geohot.

If you are interested in this subject, the next time we can consider the operating principle exploits for jailbreak.

No comments:

Post a Comment