IPad 2 JailBreakMe (3.0) now available (jailbreakme.com)
92 points by Swannie on July 6, 2011 | 64 comments

After all the trouble Apple went to to secure the boot loader, I expected this to be a really complicated procedure. I saw the Tweet today and I went on the site, clicked on "install" and Cydia started installing.

I was blown away. How is this even possible? Did they find another userland exploit that allows you to write to the boot loader? I am very, very impressed.

From http://blog.iphone-dev.org/post/7295551750/jailbreakme-times...

"Q: Do the holes discovered by @comex put my device at risk? A: Yes. We recommend installing PDF Patcher 2 in Cydia once you’re jailbroken to eliminate this risk (any firmware version)."

PDF really is the most dangerous file format around today.

Did you know the PDF spec includes its own LISP-like language? As well as basically anything else you can imagine. It is surely impossible to write a secure, conformant PDF reader.

If I ran any kind of super-sensitive organisation I'd include an outright ban on PDF renderers in my security policy. If anyone really needed to look at PDFs, I'd require them to be rendered down to TIFs or something on a "cleanroom" machine, preferably running some sort of locked-down linux build.

This talk has all the shocking details: http://www.youtube.com/watch?v=54XYqsf4JEY

How about the Mozilla project to do PDF in js? http://blog.mozilla.com/cjones/2011/07/03/pdf-js-first-miles...

That one wins by not bothering to conform to the PDF spec at all.

The spec is huge, and the insecurity comes from having to faithfully implement all its utterly insane features, like embedding flash files, executing javascript, rendering external assets, and so on.

The challenge is to decide which subset of those features you want to deliberately ignore.

Most of the esoteric ones are likely critical to obscure, in-house business applications created years ago by corporate coders lacking in sense. Adobe Reader obviously implements everything, and it's the reference implementation, so it is installed in most businesses.

Unfortunately, business is the area most in need of security.

In summary: OMGWTFPDF!

Some rich clients deliberately ignore parts of the format. For example, the Windows-based Sumatra client did. It seems to have been acquiring more features in the last few releases, and I'm not sure of its current state. But in the past it has been useful for example in that it simply doesn't run embedded Javascript. Or Flash.

That's been my personal approach, such as it is, to the need to deal with some PDF files from third parties. I look for the environment that does no more than render the static page content.

Somewhat akin to using NoScript in the browser. I only execute when I need to, and then from a source for whom I have some trust.

I recently had to clean up some business systems belonging to a relative whose employee ran an infected PDF. By avoiding execution, I was able to examine the PDF and show them how it was indeed the source of their problems.

Unfortunately, these "business users" still have limited will to learn the techniques to avoid such problems. I've made some impression, but the Adobe PDF format is still a time bomb ticking away in the midst of their organization.

I'll mention that, for casual browsing, I use an extension that redirects PDF URLs to Google's Document Viewer (while not signed in to Google). Again, I get (usually) the static view without having to trust or execute the file on my own system. Thanks, Goog!

(Note that I don't do the latter with documents containing sensitive/personal information.)

The complexity of the PDF specification isn't what's relevant here. Even if pdf.js were to implement all of the PDF specification, it would still be more secure than Apple's renderer, because it's written in a memory-safe language.

This is one of the reasons pdf.js is so important: it reduces the attack surface of the browser.

PDF is the IE6 of document formats?

Did you know that you could also embed a flash file, 3D, and more into a PDF?

Watch Julia Wolf's talk "OMG WTF PDF" to learn more. http://www.youtube.com/watch?v=54XYqsf4JEY

I can't view the talk right now... do you mean its own scripting language or the fact that PostScript is Turing complete? Either way you could execute it in a sandboxed environment and be pretty damn confident there won't be any problems.

You may also be shocked to discover that the HTML spec includes its own language with Scheme-like semantics and Java-like syntax.

Exactly. And look at how much of a nightmare it is every day! Fortunately on the web it is very useful. No need to invite that pain into an environment designed for replicating the printed page though.

And the thing is, the html spec doesn't include js. It specifies a way of marking it up. That's not the same thing. The core pdf spec actually contains features so powerful, you could almost make a lisp machine out of them. See the video for details.

I just saw that two minutes ago, so it is a userland exploit. That's fantastic, I can install Grooveshark now!

When you can rewrite your bootloader from the web, I think it's safe to say there is a nasty browser & userland exploit out there for all iPads. Just like rooting an Android-phone without adb or pre-rooted images usually involves OS-level exploits.

The only way to be safe from these is usually to root/jailbreak your system and then patch it up using your newly acquired powers to close the hole before anyone else gets cheeky.

Will be interesting to see if any virus-makers will decide to exploit this before Apple patches it up in a later iOS release.

I never bothered with any Jailbreaks before. I have a 3GS since 2 years back.

Visited the site with my iPhone. Pressed Install. No confirmation or anything.

Now I have a Cydia app on my phone that I can move but not delete. Was that all it took to jailbreak my phone? (It took like 10 seconds)

You should probably change your root password at this point since the default root password is the same for all devices.

The first thing I tried was to change the password (iPhone 4 4.3.3) after jailbreaking but the MobileTerminal crashes upon launch. Same story after a phone restart.

Edit: Figured out the problem. Looks like the MobileTerminal in the Cydia repo doesn't work for iOS 4.0 onwards. The following is a working version from the author of the app:


Even if I don't install OpenSSH from Cydia?

No real need if you don't: there's no additional vector added by the jailbreak to even try entering a password if you don't have sshd installed.

It seems like random packages like to install OpenSSH as a dependency though.

Yep, your phone is now jailbroken.

I've got a 3gs with an old tethering crack on it, and am considering upgrading to 4.3.3 to get this jailbreak. How can I be sure that this will work for me, and how do I go about tethering afterwards? Googling only seems to turn up some app that I have to buy from some other store (a cydia store?). Is it more complicated than the help.benm.at tethering hack that I used?

I used Fiddler to sniff traffic between iPad 2 and Jailbreakme during jailbreaking but I did not find where the PDF files are located. Could you help me find out where the PDFs that contain the exploits are?

There is no PDF file, the pdf is a base64 encoded data-uri in the javascript, in the page itself, not even in a separate asset.

For those who fancy doing some analysis, here's the curl command with the required ipad UA string:

    curl -A "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5" http://www.jailbreakme.com

EDIT: here's the b64 pdf: http://pastebin.com/69tnPMdV

The PDF is very invalid, because it never needs to masquerade as a real document, it doesn't have to pretend to implement the PDF spec correctly. This makes it somewhat resistant to analysis; it doesn't even have the required '%%EOF' marker, so many tools choke on it immediately.

EDIT: There's an unterminated stream object in there which doesn't have a type, and it also has a declared length of 61 bytes and an actual length of well over 400. I think we have a winner... Unfortunately iOS shellcode analysis is waaaay over my head so I'll have to do something useful instead.

I decoded base64 & got this: https://gist.github.com/1067129

Bunch of random gibberish?

When decoding to ASCII instead of UTF-8 (like you've done) I got this. It makes a little bit more sense at least, but not much.


I guess the actual shell code starts from line 40 ">>stream..."

It must be using some other encoding, if only we knew which!

It's a PDF FlateDecode block, i.e. it's DEFLATEd. The actual payload within may be different, but this much has been used before.


It's presumably just a lump of binary ARM opcodes.

We need a debugger or a disassembler like IDA Pro to reverse engineer that code.

It's compressed with FlateDecode; if you decompress it you can see the embedded .pfb, which has the actual exploit.

Thank you comex, I did not actually find how to decompress it; I keep trying with pdf-parser with no luck.

I've successfully extracted the font with pdf-parser with this command: "python pdf-parser.py --object 4 --filter --raw pdfexploit.pdf > font.pfb". Everything is documented here: http://www.bufferoverflow.it/2011/07/06/jailbreakme-ecco-com...
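
The malformations reported in the comments above (no '%%EOF' marker, an unterminated stream whose declared /Length disagrees with the bytes present, FlateDecode-compressed stream data) can be checked mechanically when triaging a suspicious PDF. The following is an added example, not code from the thread or from pdf-parser; it runs on a small constructed sample rather than the file discussed here, and the names scan_streams and findings are hypothetical.

```python
import re
import zlib

# Constructed sample, not the JailbreakMe file: object 1 is well formed, object 2
# declares /Length 5 but carries 40 bytes, is never terminated, and %%EOF is absent.
_GOOD = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(_GOOD)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _GOOD + b"\nendstream\nendobj\n"
    + b"2 0 obj\n<< /Length 5 >>\nstream\n" + b"A" * 40
)

# An object header, its dictionary (never crossing "endobj"), then the stream keyword.
STREAM_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b((?:(?!endobj).)*?)stream\r?\n", re.S)
END_RE = re.compile(rb"\r?\n?endstream")
# Direct integers only; an indirect reference such as "/Length 12 0 R" is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")

def scan_streams(pdf: bytes) -> list[dict]:
    """Report declared vs. actual size of each stream; inflate FlateDecode data."""
    results = []
    for m in STREAM_RE.finditer(pdf):
        end = END_RE.search(pdf, m.end())
        body = pdf[m.end():end.start() if end else len(pdf)]
        declared = LENGTH_RE.search(m.group(2))
        inflated = None
        if b"/FlateDecode" in m.group(2):
            try:
                # decompressobj tolerates truncated input and returns what it can
                inflated = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass
        results.append(dict(
            obj=int(m.group(1)), actual=len(body), terminated=end is not None,
            declared=int(declared.group(1)) if declared else None, inflated=inflated))
    return results

def findings(pdf: bytes) -> list[str]:
    """Turn the structural anomalies into human-readable triage notes."""
    out = [] if b"%%EOF" in pdf[-1024:] else ["no %%EOF marker"]
    for s in scan_streams(pdf):
        if not s["terminated"]:
            out.append(f"obj {s['obj']}: stream has no endstream")
        if s["declared"] is not None and s["declared"] != s["actual"]:
            out.append(f"obj {s['obj']}: /Length {s['declared']}, {s['actual']} bytes present")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

A parser that trusts /Length, or one that gives up when '%%EOF' is missing, never reaches these checks, which is why tolerant scanning from the raw bytes is useful for this kind of file.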

Is there a way to decompile the base64 code into the actual script? I'm guessing the shellcode is the bits after the AAAAAAA's?


It doesn't make that much more sense to me, but at least you can see some commands.

The release of this is probably related to the leak [1]. My guess is that they intended to save this for iOS5, but had to release it now due to the beta leak.

[1] http://www.iphonedownloadblog.com/2011/07/02/jailbreakme-ipa...

Indeed, his twitter stream has him complaining about people asking him to hurry up :P (http://twitter.com/#!/comex/status/84126363598065664)

The leak prompted quick action, lest Apple close the bus-sized hole.

It doesn't work on my iPhone on 4.3.3 with that 4.10.01 baseband. The cydia icon comes up, but when the icon changes to "Installing..." it just disappears.


Try rebooting, it usually fixes some of the issues. (Disclosure: I made the JailbreakMe website; not the jailbreak itself.)

Definitely still doesn't work for me.

Same problem here. 4.3.3(8J2) os build, 04.10.01 modem firmware, MC608LL model

If Apple made an official jailbreak they'd stop getting all this free penetration testing.

Would they? Windows still seems to get lots of free penetration testing...

So I've installed Cydia for the first time on my 3GS, and am wanting to use the 'PDF Patcher 2' fix to stop other sites doing driveby exploits.

Seems that results for the bigboss repository aren't being returned in Cydia, and the repo backend isn't responding to requests. http://apt.thebigboss.org/onepackage.php?bundleid=pdfpatch2

Anyone else thinking the bigboss repo (only source of the pdf patcher 2, as far as I can tell) is being kept down on purpose?

(I just asked BigBoss about this.)

No, it's down due to an insane traffic load. It'll be up as soon as either a) traffic gets less insane (not likely to happen soon) or b) BigBoss adds more capacity. I'd also suggest to just keep trying: it'll likely work to install just that if you just keep trying to download it (eventually).

Edit: I've put up a copy of it here, you can install this with "dpkg -i" on the device (via SSH): http://dl.dropbox.com/u/3177211/pdfpatch2_1_iphoneos-arm.deb

Does anyone know how Cydia licensing actually works? I jailbroke just to install RetinaPad, and I managed to buy it and install it. Cydia says "Package Officially Purchased". RetinaPad says "RetinaPad license missing!" and doesn't work. I guess the license download failed or something (due to high load?) but I don't see how to fix it.

It really makes me appreciate the Apple App Store, to be honest.

All Cydia Store purchases go through SaurikIT's centralized payment processing server. When the user attempts installing a store package, the repo that hosts it queries the central licensing server to see if the device is authorized before returning the package. Some packages make additional calls after the package has been installed on the device to download a license.

It is this final step that was failing intermittently on my servers due to the insane load (~300x usual sales on this package, ~125x traffic load overall). Please give it a try now, I have verified that it is up.

Thanks! Interesting. It still isn't working, after uninstalling / reinstalling in Cydia, but I guess I'll give it a day or two. Is the Authorize button in RetinaPad supposed to actually do something?

I doubt it. The last time there was a public jailbreakme.com exploit many of the popular Cydia repositories had major load issues for a few days.

I know it's obvious enough and not really scary - but that page is tracking every jailbreak and failed jailbreak:

    // track jailbreaks!
    _gaq.push(['_trackEvent', 'jailbreak', 'jailbreak']); 
    timeout = setTimeout(function() {
        _gaq.push(['_trackEvent', 'failed', 'failure']);
    }, 5000);

It's just Google Analytics, with custom events so we can get statistics about failure.

Works fine on my 3GS running 4.3.3

+1. flawless.

It works on the iPhone 4 as well (or at least: it did on mine). Was amazed by how fast and easy that was.

I hope they fix this fast, this is a huge security risk.

Indeed, and Comex gave them a heads up ~3.5 weeks ago that something was amiss in PDF. Let's hope they found it and are just going through the last testing cycles for the new patch?!

I'm intrigued how OTA OS updates will affect Apple's response time to exploits like this.

Given that they are delta updates, they will probably be able to push a patch within a few days. Let's hope they take advantage of it.

I wrote this when the original Jailbreak for iOS came out. Think mitigations still apply but not implemented by Apple


Meh, didn't work for me. iPad.

Sure you're on 4.3.3 and not 4.3.2/4.3.1?

I think it's 4.3.2

I've not bothered to update yet. iPad 1

4.3.2 worked for me (iPad 1). Perhaps you have a previous version?

What iOS version?
