How the PurpleRa1n Jailbreak Works, GeoHot Explains - iPhoneHeat

GeoHot has posted an entry at TheiPhoneWiki explaining how his jailbreak tool, PurpleRa1n, jailbreaks the iPhone 3GS.

Purplera1n is so simple that it hides the complex work it’s doing from the user. Figured I’d describe it step by step.

  • purplera1n sends the enter-recovery commands using iTunesMobileDevice
  • once in recovery (iBoot), it sends the iBoot Environment Variable Overflow exploit
  • the exploit adds a “geohot” command to the phone which runs the payload
  • the “geohot” command is run; control is now transferred from iBoot to the payload
  • the purplera1n client is done

Inside payload

  • the payload restores the default environment variable ring buffer and saves the environment to NVRAM (sets auto-boot to true)
  • it patches iBoot to load unsigned img3s and not care about the tags
  • it loads the purplera1n picture (sent with payload)
  • the NOR patcher starts
  • LLB is decrypted, patched, and increased in size to 0x24200; this is the resident 0x24000 Segment Overflow exploit
  • a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
  • iBoot is decrypted, patched
  • everything else is read as is
  • NOR is written back; NOR patcher is done
  • kernel is loaded, decrypted, and patched
  • ramdisk is loaded (sent with payload) and moved to ramdisk region at 0x44000000; patched kernel is tacked on to the end
  • patched kernel is booted
  • control is now transferred from payload to ramdisk

Inside ramdisk

  • launchd is run; all stuff happens here
  • /dev/disk0s1 is mounted
  • fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively
  • Freeze.app is transferred and the Freeze.app loader has the SUID bit set
  • patched kernel is read from the end of the ramdisk block device and written to the filesystem
  • ramdisk is done, rebooting…

Reboots as jailbroken phone
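The two filesystem edits the ramdisk stage makes (the fstab rewrite that makes /dev/disk0s1 writable and the Services.plist entry that exposes afc2) are the part of the procedure most easily shown in code. The example below is an added illustration, not purplera1n's own code or GeoHot's: it operates on constructed in-memory copies of an iPhone OS 3.0-era /etc/fstab and a minimal /System/Library/Lockdown/Services.plist. The afcd command line used for the afc2 entry ("/usr/libexec/afcd -S -L -d /") is the one from the classic afc2 Services.plist entry and is an assumption here; check it against the target firmware before relying on it.

```python
import plistlib

# Constructed sample of the stock /etc/fstab: root filesystem mounted read-only,
# user data partition read-write.
SAMPLE_FSTAB = (
    "/dev/disk0s1 / hfs ro 0 1\n"
    "/dev/disk0s2 /private/var hfs rw,nosuid,nodev 0 2\n"
)


def patch_fstab(text: str, device: str = "/dev/disk0s1") -> str:
    """Return fstab text with `device` remounted rw; other lines are left untouched."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        # fstab layout: <device> <mountpoint> <fstype> <options> <dump> <pass>
        if len(fields) >= 4 and fields[0] == device:
            opts = ["rw" if o == "ro" else o for o in fields[3].split(",")]
            if "rw" not in opts:
                opts.insert(0, "rw")
            fields[3] = ",".join(opts)
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed minimal Services.plist holding only the stock AFC service, which is
# jailed to /var/mobile/Media.
SAMPLE_SERVICES = plistlib.dumps({
    "com.apple.afc": {
        "AllowUnactivatedService": True,
        "Command": "/usr/libexec/afcd",
        "Label": "com.apple.afc",
    },
})

AFC2_LABEL = "com.apple.afc2"
# Assumption: classic afc2 command line (serve the whole filesystem from /).
AFC2_COMMAND = "/usr/libexec/afcd -S -L -d /"


def add_afc2(plist_bytes: bytes) -> bytes:
    """Return Services.plist bytes with a com.apple.afc2 service added (idempotent)."""
    services = plistlib.loads(plist_bytes)
    if AFC2_LABEL in services:
        return plist_bytes
    services[AFC2_LABEL] = {
        "AllowUnactivatedService": True,
        "Command": AFC2_COMMAND,
        "Label": AFC2_LABEL,
    }
    return plistlib.dumps(services)


def service_labels(plist_bytes: bytes) -> list:
    """Sorted list of service labels in a Services.plist."""
    return sorted(plistlib.loads(plist_bytes).keys())


def get_service(plist_bytes: bytes, label: str):
    """The dict for one service, or None if it is not present."""
    return plistlib.loads(plist_bytes).get(label)


if __name__ == "__main__":
    print(patch_fstab(SAMPLE_FSTAB))
    print(service_labels(add_afc2(SAMPLE_SERVICES)))
```

On a real device these results would be written back to /etc/fstab and /System/Library/Lockdown/Services.plist on the mounted /dev/disk0s1; here both functions only transform bytes so the logic can be checked offline. `add_afc2` is deliberately idempotent, so rerunning a jailbreak or restore script does not duplicate the entry.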
