Pod2g Explains How the Corona Untether Package Was Achieved


The well known iOS hacker pod2g has documented the technical details about how he was able to perform the untethered jailbreak through a simple Cydia package.

Here’s a little section of the detailed post:

Now that Corona was released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.
1. the user land exploit
Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.
By the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Macho-O loader didn’t check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different technics found by @comex, either :
– the interposition exploit
– the initializer exploit
This will be a good read for those of you that are interested in the low-level workings of this untethered jailbreak.

You might also like More from author