
Discussion about the iPad 2 jailbreak

  • Originally posted by Rezakombat
    Has version 5.0.1 been jailbroken yet?
    If not, when is it coming?
    No, dear friend, no 5.0.1 jailbreak has come out for any A5 device yet.
    It's also unknown when it will be released; pod2g hasn't even given any news about its progress or cancellation.
    Edited by kaboom : https://i-phone.ir/forums/member/77009-kaboom at 02-01-2012, 06:18 PM



    • Can't it be reverted to 4.3.3?



      • Not if you don't have the SHSH blobs.



        • I'm on iOS 5; should I move to iOS 5.0.1 or not?



          • Yes, definitely go. There's a 50% chance the jailbreak comes for 5.0.1 and 50% for 5.1.

            For 5, the chance is very small now.



            • Originally posted by nima.pishtaz
              Yes, definitely go. There's a 50% chance the jailbreak comes for 5.0.1 and 50% for 5.1.

              For 5, the chance is very small now.
              Well, why should we update to 5.0.1 right now? I'm on 5 at the moment, and I have both the 5.0.1 and the 5.1b SHSH blobs.
              So I'll wait: if a jailbreak comes for 5.0.1 and Apple hasn't released anything else by then, I'll update.
              If Apple has released 5.1 by that time, then at worst I'll downgrade to 5.0.1 with SHSH.
              It's a bit confusing, but it beats losing the chance of a jailbreak for good.
              With my luck, if 5 gets jailbroken I'll just take the iPad to the black market and sell it.



              • Originally posted by sina91h
                Well, why should we update to 5.0.1 right now? I'm on 5 at the moment, and I have both the 5.0.1 and the 5.1b SHSH blobs.
                So I'll wait: if a jailbreak comes for 5.0.1 and Apple hasn't released anything else by then, I'll update.
                If Apple has released 5.1 by that time, then at worst I'll downgrade to 5.0.1 with SHSH.
                It's a bit confusing, but it beats losing the chance of a jailbreak for good.
                With my luck, if 5 gets jailbroken I'll just take the iPad to the black market and sell it.
                Dear friend, it's also possible that with 5.1 Apple closes the restore to 5.0.1 and won't let you go back to 5.0.1.
                For the A4 devices the jailbreak was for version 5.0.1; what pod2g himself said on his blog was 5.0.1 only, with no mention of 5.. so staying on 5 counts as a risk.. 5.1 might come and the restore path might be closed.



                • Originally posted by kaboom
                  Dear friend, it's also possible that with 5.1 Apple closes the restore to 5.0.1 and won't let you go back to 5.0.1.
                  For the A4 devices the jailbreak was for version 5.0.1; what pod2g himself said on his blog was 5.0.1 only, with no mention of 5.. so staying on 5 counts as a risk.. 5.1 might come and the restore path might be closed.
                  Completely right, I had forgotten that point.
                  Did you update to 5.0.1?



                  • Originally posted by sina91h
                    Completely right, I had forgotten that point.
                    Did you update to 5.0.1?
                    Yes, I updated, my friend. I do have the SHSH for 5, but in my opinion it's better to go to 5.0.1, because pod2g said nothing about 5, and the jailbreak he released for A4 was, as he said on his blog, for 5.0.1; he never mentioned 5.



                    • Take note of pod2g's blog update:
                      Details on Corona
                      Now that Corona has been released by the iPhone Dev Team and the Chronic Dev Team, I can give details about how it works.

                      1. the user land exploit

                      Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.

                      In the past, the trick security researchers used was to include the untethering payload as a data page (as opposed to a code page) in the Mach-O binary. The advantage of a data page was that the Mach-O loader didn't check its authenticity. ROP is used so that code execution happens without writing executable code but rather by utilizing existing signed code in the dyld cache. To have the ROP started by the Mach-O loader, they relied on different techniques found by @comex, either:
                      - the interposition exploit
                      - the initializer exploit

                      Here is a detailed explanation of the incomplete code sign tricks used before 5.0: http://theiphonewiki.com/wiki/index....design_Exploit

                      In iOS 5.0, data pages also need to be signed by Apple for the loader to authenticate the binary. @i0n1c seems to be able to pass through these verifications though (https://twitter.com/#!/i0n1c/status/145132665325105152). We may see this in the 5.1 jailbreak.

                      Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That's why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

                      Using a fuzzer, I found after some hours of work that there's a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection.

                      Now you get it: Corona is an anagram of racoon :-).

                      By the way, the exploitation of the format string vulnerability is different from what was done in 2001; check it out if you're interested!

                      For the jailbreak to be applied at boot, racoon is started by a launchd plist file executing the command: racoon -f racoon-exploit.conf

                      racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.

                      The format string bug is utilized to copy the ROP bootstrap payload to memory and to execute it by overwriting a saved LR in the racoon stack with a stack pivot gadget.

                      The ROP bootstrap payload copies the ROP exploit payload from the payload file distributed with Corona, then stack pivots to it. The idea is to escape from format strings as fast as possible, because they are CPU time consuming.

                      The ROP exploit payload triggers the kernel exploit.

                      2. the kernel exploit

                      The kernel exploit relies on an HFS heap overflow bug I found earlier. I don't know exactly what happens in the kernel code, I never figured it out exactly, I found it by fuzzing the HFS btree parser.

                      I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject. This helped me a lot. I may have given up without them.

                      The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent, replacing a syscall with a write-anywhere gadget. Some syscalls (the first 0xA0 bytes and the last 0x6 bytes) are trashed in the operation because I needed to respect the HFS protocol.

                      Thus, I restore them as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it.

                      The kernel exploit just patches the kernel security features, as usual. Nothing interesting there.


                      Happy New Year 2012 to you all, thanks a lot for the donations.

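The user-land bug pod2g describes is a format string vulnerability in a daemon's configuration parser: a string read from a config file ends up as the format argument of a printf-family call. The following is an added example, not code from pod2g's post or from racoon, using a toy config-directive logger with hypothetical names (log_directive_unsafe, log_directive_safe, count_conversions, line_is_suspicious) to show the mistake, its hardened form, and a simple audit check a defender can run over config lines.

```c
/* Added example (not pod2g's or racoon's code): a toy config-directive
 * logger showing the format-string bug class, its fix, and an audit check. */
#include <stdio.h>
#include <string.h>

/* BUG: the config token becomes the format string, so %x, %s, %n in a
 * file line are interpreted by printf. Compilers flag this call with
 * -Wformat -Wformat-security; it is kept here only for comparison. */
void log_directive_unsafe(const char *token) { printf(token); puts(""); }

/* Hardened form: the format is a string literal; the token is data only. */
void log_directive_safe(const char *token) { printf("%s\n", token); }

/* Count printf conversion specifiers in a string. "%%" is a literal
 * percent sign and is skipped; a trailing lone '%' is ignored. A directive
 * name in a daemon config has no legitimate reason to carry conversions,
 * so a nonzero count is worth an alert when auditing config files. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped literal "%%" */
        if (s[1] == '\0') break;              /* dangling '%' at end */
        n++;
    }
    return n;
}

/* Audit one config line: 1 if its first token looks like a format-string
 * probe, 0 otherwise (blank lines are not suspicious). */
int line_is_suspicious(const char *line)
{
    char token[64];
    if (sscanf(line, "%63s", token) != 1) return 0;
    return count_conversions(token) > 0;
}

int main(void)
{
    /* Constructed sample lines; not taken from any real racoon config. */
    const char *lines[] = {
        "remote anonymous {",
        "  exchange_mode aggressive;",
        "%08x %08x %s {",      /* constructed probe: conversions in a directive */
    };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++) {
        printf("%s: ", line_is_suspicious(lines[i]) ? "SUSPICIOUS" : "ok");
        log_directive_safe(lines[i]);   /* never log_directive_unsafe */
    }
    return 0;
}
```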


                      • Originally posted by ladeffense
                        Take note of pod2g's blog update:
                        Nothing. The guy collects donations every day, then shows up, says two technical words and leaves.



                        • It's terribly technical; honestly, I think even he didn't understand what he said.
                          The only thing I understood is that there was apparently a vulnerability in something called racoon; in his comments nobody understood what he was saying either.
                          Edited by kaboom : https://i-phone.ir/forums/member/77009-kaboom at 03-01-2012, 03:06 AM



                          • The speed is really awful.
                            The site's normal page won't open; you have to get in through a VPN.
                            Is it the same for you?



                            • Originally posted by mhezazi
                              The speed is really awful.
                              The site's normal page won't open; you have to get in through a VPN.
                              Is it the same for you?
                              Why has the forum gone so quiet today? Has Iran's internet been cut off?



                              • Originally posted by mhezazi
                                The speed is really awful.
                                The site's normal page won't open; you have to get in through a VPN.
                                Is it the same for you?
                                Same for me. It's a disaster.
