The untethered jailbreak for iOS 5.0.1 that Pod2g developed was released by the iPhone Dev Team and the Chronic Dev Team as 'Corona'. With Corona, an untethered jailbreak of iOS 5.0.1 can be accomplished easily. In his latest post, Pod2g has released the details of how exactly Corona works and which exploits it chains together to achieve an untethered jailbreak of iOS 5.0.1.
According to Pod2g, the exploits that let unsigned binaries run, on which the earlier untethered jailbreaks relied, were fixed by Apple in iOS 5.0, so he had to find a different way in for iOS 5.0.1. Here's how he did it:
The ROP exploit:
Pod2g looked for a way to run code of his own at system boot without relying on the Mach-O loader, whose code-signing checks had been tightened. After hours of work he found one: a format string vulnerability in the configuration parsing code of racoon. Racoon, the IKE daemon used for IPsec key exchange, ships with iOS by default and is started automatically whenever an IPsec connection is established.
At every boot, the jailbreak launches racoon with a crafted configuration file. Parsing that file triggers the format string vulnerability described above and hijacks control flow. Because unsigned code still cannot be loaded, the code that takes over is a ROP bootstrap payload assembled from instruction sequences already present in signed binaries on the device, and it does the rest of the work.
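To make the bug class concrete, here is an added example (not racoon's code, not Pod2g's, and with an invented `key "value";` config grammar) of a configuration parser that passes an untrusted config value to a printf-style function as the format argument, beside the hardened form and a small audit helper that counts `%` conversions in a value. Only the harmless `%%` directive is exercised when run; a real exploit would use `%x` to leak stack words and `%n` to write memory, which is the primitive that gets turned into control of the program counter.

```c
/* Constructed illustration of a format string bug in config parsing.
 * Not racoon's code: the config grammar, function names and sample
 * line below are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 128

/* Extract the quoted value from a line such as:  log_prefix "vpn";
 * Returns 0 on success, -1 if the line has no complete quoted value
 * or the value does not fit. */
static int parse_quoted_value(const char *line, char *value, size_t n)
{
    const char *open = strchr(line, '"');
    if (!open)
        return -1;
    const char *close = strchr(open + 1, '"');
    if (!close)
        return -1;
    size_t len = (size_t)(close - open - 1);
    if (len >= n)
        return -1;
    memcpy(value, open + 1, len);
    value[len] = '\0';
    return 0;
}

/* VULNERABLE: the config value itself becomes the format string, so
 * every '%' conversion in the file is interpreted by snprintf. */
int render_banner_vuln(const char *line, char *out, size_t n)
{
    char value[VALUE_MAX];
    if (parse_quoted_value(line, value, sizeof value) != 0)
        return -1;
    return snprintf(out, n, value);     /* format = untrusted data */
}

/* HARDENED: constant format; the value is only ever a %s argument. */
int render_banner_safe(const char *line, char *out, size_t n)
{
    char value[VALUE_MAX];
    if (parse_quoted_value(line, value, sizeof value) != 0)
        return -1;
    return snprintf(out, n, "%s", value);
}

/* Audit helper: count '%' conversions other than the literal "%%".
 * A non-zero count on a value that reaches a format argument is the
 * sign of exactly this bug class. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed config line. "%%" is the only directive used here so
     * that the vulnerable path stays well defined when run. */
    const char *line = "log_prefix \"tunnel 100%% up\";";
    char out[64];

    render_banner_vuln(line, out, sizeof out);
    printf("vulnerable renders: %s\n", out);   /* %% collapsed to % */
    render_banner_safe(line, out, sizeof out);
    printf("hardened renders:   %s\n", out);   /* value kept verbatim */
    printf("directives in \"%%x %%x %%n\": %d\n",
           count_format_directives("%x %x %n"));
    return 0;
}
```

The vulnerable and hardened functions differ by one argument, which is why this class of bug is easy to introduce in logging and error-reporting paths: the code works on every benign config and only misbehaves when the value contains `%`.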
The ROP bootstrap payload in turn triggers the second stage: a kernel exploit. According to Pod2g, this part was particularly hard to get right, and he had to consult @i0n1c's papers to resolve it. You can find the exact commands and a step-by-step account of how Corona works in his post.
Image courtesy Markcooz.