Wednesday, September 29, 2010

SHAtter Exploite Jailbreak iOS 4.1 [Full Story]

Do you like this story?

A few days ago we showed you the Jailbreak of iPod Touch 4G with SHAtter Exploit in Video and we made a post for our Spiritjb.org readers talked about
All what they Want to Know about Greenpois0n Jailbreak iOS 4.1, [Ask & Answer] Now Hackers have begun to tell the story of the SHAtter exploit, how it was discovered, and how it is being used to bring the next iPhone jailbreak.

SHAtter : is an unsigned code execution vulnerability that resides in DFU mode of the S5L8930 bootrom. Uses of this exploit have already involved uploading a pwned iBSS/iBEC to provide access to the AES engine and to run custom ramdisks.

pod2g wrote before a USB fuzzer and tested every single USB control message possible on his iPod2,1. The fuzzer found 2 vulnerabilities: - a heap overflow caused by the A1,1 control message - a way to dump the bootrom using USB descriptors request

The team tested both PoC on new generation devices (iPhone2,1, iPod3,1, iPad) and both were already fixed by Apple.

posixninja continued the fuzzing on new gens and found that with a particular sequence of USB messages it was possible to dump the BSS+Heap+Stack (on new gens only). Having a memory dump is really helpful to make exploits and it was also the first time we had this kind of dump, previous bootrom exploits (ex: 24kpwn) were done blind!

Also, his first attempts to dump the memory resulted in rebooting the device. Interesting! We'll see after that this reboot is the base of the SHAtter exploit

Stay connected with us to tell you the latest news about the Jailbreak news of [ Greenpois0n - SHAtter ] on @Spirit and Facebook

Via [The iPhonewiki]

You may also like :