GeoHot has posted an entry at TheiPhoneWiki explaining how his jailbreak tool: PurpleRa1n jailbreaks iPhone 3GS.
Purplera1n is so simple, that it hides the complex work it’s doing from the user. Figured I’d describe it step by step
- purplera1n sends the enter recovery commands using iTunesMobileDevice
- once in recovery(iBoot), it sends the IBoot Environment Variable Overflow exploit
- the exploit adds a “geohot” command to the phone which runs the payload
- the “geohot” command is run, control is now transferred from iboot to the payload
- the purplera1n client is done
Inside payload
s
- the payload restores the default environment variable ring buffer and saves the environment to nvram(sets auto-boot to true)
- it patches iBoot to load unsigned img3s and not care about the tags
- it loads the purplera1n picture(sent with payload)
- the nor patcher starts
- llb is decrypted, patched, and increased in size to 0x24200. this is the resident 0x24000 Segment Overflow exploit
- a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
- iboot is decrypted, patched
- everything else is read as is
- nor is written back, nor patcher is done
- kernel is loaded, decrypted, and patched
- ramdisk is loaded(sent with payload) and moved to ramdisk region at 0x44000000, patched kernel is tacked on to the end
- patched kernel is booted
- control is now transferred from payload to ramdisk
Inside ramdisk
- launchd is run, all stuff happens here
- /dev/disk0s1 is mounted
- fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively
- Freeze.app is transferred and Freeze.app loader has SUID bit set
- patched kernel is read from end of ramdisk block device and written to filesystem
- ramdisk is done, rebooting…
Reboots as jailbroken phone