Chronic Dev Team presents the Corona exploit, on which the untethered jailbreak for iOS 5.0.1 was built (video, parts 1 and 2)

[youtube]http://www.youtube.com/watch?v=Bwo088mMV10[/youtube]

At HITB 2012, the Chronic Dev Team together with pod2g presented the Corona exploit, on which the untethered jailbreak for iOS 5.0.1 was built. With its help we jailbroke our iDevices on iOS 5.0.1, and although the solution is old, this was the first opportunity for the Chronic Dev Team to present it, because the Absinthe exploit was also developed on top of it. The whole presentation runs no less than 55 minutes, and in it you will see all the people who developed and launched the untethered jailbreak solutions we use now, so I wish you a pleasant viewing.

UPDATE: Here is the second part of the presentation.

[youtube]http://www.youtube.com/watch?v=JcuB4q1dEvE[/youtube]

GreenPois0n Absinthe was built upon @pod2g's Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on the 5.0.1 firmware. In this paper, we present a chain of multiple exploits that accomplish sandbox breakout, kernel unsigned code injection and execution, resulting in a fully-featured and untethered jailbreak.

Corona is an anagram of "racoon", the IPsec daemon that is the primary victim of this attack. A format string vulnerability was located in racoon's error handling routines, allowing the researchers to write arbitrary data to racoon's stack, one byte at a time, provided they can control racoon's configuration file. Using this technique the researchers were able to build a ROP payload on racoon's stack that mounts a rogue HFS volume, which in turn injects code at the kernel level and patches its code-signing routines.

The original Corona untether exploit used the LimeRa1n bootrom exploit as its injection vector, letting developers disable ASLR and sandboxing and call racoon with a custom configuration file. This, however, left it unusable on newer A5 devices such as the iPad 2 and iPhone 4S, which are not vulnerable to LimeRa1n, so another injection vector was needed.
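To show the bug class behind Corona from the defender's side, here is an added C example (not racoon's code and not from the talk) of a hypothetical config-parser error logger in its vulnerable form, where the token read from the configuration file becomes the format string, beside the hardened form and a check that flags tokens carrying conversion directives; the function names and the message format are invented.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error logger modelled on the bug class described above
 * (error-handling routines that treat configuration text as a format
 * string). Example code added here; it is not racoon's source. */

/* VULNERABLE: the config token *is* the format string. A token such as
 * "%x %n" is interpreted by vsnprintf instead of being printed verbatim,
 * leaking stack contents or writing memory from a config file alone. */
int log_error_vulnerable(char *out, size_t n, const char *token, ...)
{
    va_list ap;
    va_start(ap, token);
    int written = vsnprintf(out, n, token, ap);   /* attacker-controlled format */
    va_end(ap);
    return written;
}

/* HARDENED: the format string is a compile-time literal; the token only
 * ever fills a %s argument, so any '%' inside it is inert. */
int log_error_hardened(char *out, size_t n, const char *token)
{
    return snprintf(out, n, "parse error near '%s'", token);
}

/* Defensive check: returns 1 if a config token contains a conversion
 * directive (a lone '%' not escaped as "%%"), which a legitimate
 * configuration never needs. Suitable for rejecting input early or as
 * the core of a detection rule over config files. */
int token_has_format_directive(const char *token)
{
    const char *p = token;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    const char *hostile = "bad option %x %n";   /* constructed sample token */
    log_error_hardened(buf, sizeof buf, hostile);
    printf("%s (directive flagged: %d)\n", buf, token_has_format_directive(hostile));
    return 0;
}
```

With the vulnerable logger, even the benign token "100%% done" is rewritten to "100% done", which is the visible sign that the text is being parsed as a format rather than copied; the hardened logger preserves it unchanged.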

ABOUT JOSHUA HILL (@p0sixninja)

Joshua Hill (@p0sixninja) is an independent Security Researcher for zImperium, as well as leader of the Chronic Dev Team and chief architect behind GreenPois0n, a cross-platform toolkit used by millions of people around the world to jailbreak their iOS mobile devices.

ABOUT CYRIL (@pod2g)

Cyril (@pod2g) is an iPhone hacker who has discovered and exploited several bootrom exploits on iDevices, including 24kpwn, steaks4uce, and SHAtter, as well as several userland and kernel exploits that have been used in various jailbreak tools. He's a member of Chronic-Dev Team and the original author of Corona untether jailbreak.

ABOUT NIKIAS BASSEN (@pimskeks)

Nikias Bassen (@pimskeks) is a Chronic-Dev Team member and main developer of libimobiledevice, usbmuxd, and other related projects that form an open source implementation of communication and service protocols for iDevices. He found several flaws in the iDevice service protocols that also helped create Absinthe.

ABOUT DAVID WANG (@planetbeing)

David Wang (@planetbeing) is a member of the iPhone Dev Team and former developer of many iOS jailbreak tools including redsn0w, xpwn, and QuickPwn. He is also the first to have ported the Linux kernel and Android to iOS devices.