Geohot presents an evasi0n7 writeup - innoying
http://geohot.com/e7writeup.html

======
innoying
Additional/Duplicate Information:
[http://pastebin.com/mT2n7uyj](http://pastebin.com/mT2n7uyj)

~~~
foobarqux
That one is actually understandable.

------
sheetjs
most interesting part:

> I found nothing sketchy in my reversing, your phones most likely aren't
> being backdoored by Chinese.

~~~
bri3d
The part geohot reversed in this article is the non-persistent set of exploits
used to get root.

The persistent (and buggy) stage of the exploit used to "untether" (re-exploit
on reboot) and patch the OS is obfuscated. That's where a backdoored exploit
would be if there was one anyway.

I think it's unlikely the evad3rs actually included a backdoor in their
payload, but the way they handled their release was still silly enough that I
won't install it. iOS jailbreaks are all taken on faith (after all, nobody but
them knows what's in that obfuscated untether/patch binary) and they didn't do
a lot to build any.

~~~
nwh
> _I think it's unlikely the evad3rs actually included a backdoor in their
> payload_

They agreed to bundle an app store whose only purpose is piracy ( _0xabadidea_
and Paul Haddad worked to remove their piracy system previously) without in
the slightest wondering what it would be used for. From what I've read there's
still bits of the Chinese scumware installed when you jailbreak in another
country, and given the opinion of the Chinese company involved... I wouldn't
put it past them.

I truly hope that _geohot_ or another skilled developer repackages their
jailbreak with a copy of MobileSubstrate that actually works and a Cydia build
that's built properly by _saurik_. The evad3rs have completely lost any trust
they have, and from _pod2g_'s tweets they're extremely aware of how badly
they fucked this up.

~~~
stingraycharles
I've just come across this write-up by the evasion team, I'm not sure how to
interpret it:

[http://evasi0n.com/l.html](http://evasi0n.com/l.html)

------
0x0
It's kinda neat how they are sending disk/block-level reads and writes,
probably using a user-space/local HFS file system implementation, to inject
the exploit, since the mounted file system is read-only.

~~~
innoying
Yeah, very cool. It only works because the rootfs is mounted as read-only or
else they might end up messing it up if the system was writing to the same
block. But then again if it wasn't read-only this wouldn't be a problem.

~~~
0x0
A lot of the recent jailbreaks seem to depend on symlink shenanigans. I wonder
why Apple can't simply remove symlink support from iOS' filesystem driver? Is
there anything in iOS or the appstore apps that depend on it?

~~~
innoying
Many parts of the internal system depend on it. Here's a run of
`find / -type l` on a jailbroken iPhone 5:
[https://gist.github.com/innoying/8cd04821e17b3f67aa4b](https://gist.github.com/innoying/8cd04821e17b3f67aa4b)

A few of those are created by the jailbreak but most are core parts of the
system.

~~~
gluxon
That's actually a lot less than I thought would be in the iOS filesystem.

It doesn't seem like it'd be incredibly hard to remove those symlinks.
Although Apple would probably favor fixing the bugs that allow malicious
symlinks rather than remove symlinks from their file system driver (the
horror!)

~~~
innoying
They would also have to make sure no iOS applications make use of symlinks at
any point. Since an ipa is simply a zip archive it's possible (and probable)
that some applications already make use of symlinks on install or during
operation. I think that's the major motivation.

~~~
0x0
I'm pretty sure symlinks aren't anything any regular xcode ios sdk project
would end up delivering in normal use, though.

Plus, old binaries break all the time due to incompatible software or hardware
changes (AVFoundation, GL shaders, UDID bans, etc.).

And new builds certainly get new requirements imposed (forced minimum SDK
version etc.).

~~~
void-star
Numerous App Store apps contain symlinks around the detached codesignature,
most likely caused by changes over the years to the codesignature utility.
Also in keeping with Xcode semantics, embedded frameworks often contain
symlinks as well.
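The symlink discussion above (innoying's `find / -type l` listing and void-star's note that embedded frameworks legitimately contain symlinks) comes down to one defender-side check: not "does this bundle contain symlinks" but "does any symlink resolve to a path outside the tree it lives in". The following is an added illustration, not code from the thread, from geohot's writeup or from any jailbreak tool. It builds a small constructed bundle-like tree (the Xcode-style `Versions/Current` framework links are the benign case, the link to a system directory is the one an installer should refuse), lists every symlink the way `find -type l` does, and flags the ones whose resolved target escapes the audited root. Paths and names are made up for the example.

```python
"""Audit symlinks under a directory root and flag the ones that escape it.

Hypothetical defender-side example, not part of the original thread. It
mimics `find ROOT -type l`, then resolves each link (relative to the link's
own directory, following chains with realpath) and reports any whose target
lies outside ROOT. That is the check an install or update path should make
before trusting a link found inside an archive it just unpacked.
"""
import os
import tempfile
from pathlib import Path


def find_symlinks(root):
    """Return every symlink below root, sorted (like `find ROOT -type l`).

    os.walk does not descend into symlinked directories by default, so a
    link to a directory is reported once and its target tree is not walked.
    """
    links = []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                links.append(p)
    return sorted(links)


def escapes_root(link, root):
    """True if the link's resolved target lies outside root.

    A relative target is interpreted from the link's parent directory, as the
    kernel would; realpath then collapses `..` segments and chained links.
    A dangling link is judged by where it would point if its target existed.
    """
    root_real = os.path.realpath(root)
    target = os.readlink(link)
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(link), target)
    target_real = os.path.realpath(target)
    return os.path.commonpath([root_real, target_real]) != root_real


def audit(root):
    """Return {'links': <count>, 'escaping': [<root-relative link paths>]}."""
    links = find_symlinks(root)
    escaping = [os.path.relpath(l, root) for l in links if escapes_root(l, root)]
    return {"links": len(links), "escaping": escaping}


def build_sample_tree():
    """Constructed fixture resembling an unpacked ipa; names are invented."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    app = base / "Payload" / "Demo.app"
    fw = app / "Frameworks" / "Demo.framework"
    (fw / "Versions" / "A").mkdir(parents=True)
    (fw / "Versions" / "A" / "Demo").write_text("binary placeholder")
    # Benign: the usual framework layout, both links stay inside the bundle.
    os.symlink("A", fw / "Versions" / "Current")
    os.symlink("Versions/Current/Demo", fw / "Demo")
    # Hostile: a link that points out of the bundle at a system directory.
    os.symlink("/private/etc", app / "Resources")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    report = audit(sample)
    print(f"{report['links']} symlinks under {sample}")
    for rel in report["escaping"]:
        print("ESCAPES ROOT:", rel)
```

Run it as a script to see the report for the constructed tree; on a real bundle, call `audit(path_to_unpacked_bundle)`. The only link it flags is the `Resources` one, while the two framework links void-star describes pass, which is the distinction a filesystem driver that simply dropped symlink support could not make.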

------
gluxon
How does reverse engineering binaries like this work? Did geohot really go
through the entire disassembly during the time of a plane ride?

~~~
innoying
As evidenced by the hash Geohot posted on his twitter on December 8th of
[http://geohot.com/mt.jpg](http://geohot.com/mt.jpg) he has had access to some
of the vulnerabilities for some time. I know for sure the use of the signed
WWDC application has been known by some of the jailbreak developers for over a
year.

------
quarterto
Something looks a bit off with that photo [1]. The screen size is wrong. It
has the aspect ratio of a pre-5 iPhone (notice the extra-large gap between the
bottom of the screen and the home button compared to [2]). It also appears to
be running iOS 6, which I'm pretty sure isn't possible on a 5s.

[1]: [http://geohot.com/mt.jpg](http://geohot.com/mt.jpg)

[2]: [http://images.apple.com/iphone/compare/images/compare_iphone...](http://images.apple.com/iphone/compare/images/compare_iphone5s_2x.jpg)

~~~
tmgrhm
The screen size looks wrong because the app is running in pillar box mode —
it's only been compiled to run for 640x960 screens (i.e. iPhone 4S and older).

The keyboard is iOS 6 styled because the app hasn't been compiled for iOS 7.

Nothing out of the ordinary here.

------
tomphoolery
george, you are amazing.

------
innoying
Mods, please don't remove the title as the original page does not have a
title.

~~~
scott_karana
Looks like geohot noticed your post: there's a title now. ;)

~~~
innoying
Cool! That's better than what I had before.