GeoHot Explains How the PurpleRa1n Jailbreak Works

Below you can read the step by step description of what the exploit does…

—–
* purplera1n sends the enter recovery commands using iTunesMobileDevice
* once in recovery(iBoot), it sends the IBoot Environment Variable Overflow exploit
* the exploit adds a “geohot” command to the phone which runs the payload
* the “geohot” command is run, control is now transferred from iboot to the payload
* the purplera1n client is done

Inside payload
* the payload restores the default environment variable ring buffer and saves the environment to nvram(sets auto-boot to true)
* it patches iBoot to load unsigned img3s and not care about the tags
* it loads the purplera1n picture(sent with payload)
* the nor patcher starts
* llb is decrypted, patched, and increased in size to 0×24200. this is the resident 0×24000 Segment Overflow exploit
* a little loader code is put @ 0×20000 in the LLB to load it and fix the stack
* iboot is decrypted, patched
* everything else is read as is
* nor is written back, nor patcher is done
* kernel is loaded, decrypted, and patched
* ramdisk is loaded(sent with payload) and moved to ramdisk region at 0×44000000, patched kernel is tacked on to the end
* patched kernel is booted

* control is now transferred from payload to ramdisk

Inside ramdisk
* launchd is run, all stuff happens here
* /dev/disk0s1 is mounted
* fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively
* Freeze.app is transferred and Freeze.app loader has SUID bit set
* patched kernel is read from end of ramdisk block device and written to filesystem
* ramdisk is done, rebooting…

Reboots as jailbroken phone
—–

Read More