Hitechanalogy


How Corona Untethered Jailbreak Works on iOS 5.0.1! Pod2g Explains

Corona is the Cydia tool from the Chronic Dev Team that turns a tethered jailbreak of iOS 5.0.1 into an untethered one. The well-known iOS hacker pod2g, who found the bugs behind it, has now explained in detail how the Corona untether works on iOS 5.0.1, in a post on his blog.

Pod2g notes that Apple patched all the previously known techniques for running unsigned binaries in iOS 5.0, so Corona had to find a different route to code execution at boot.

For Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That’s why I searched for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.

Using a fuzzer, I found after some hours of work that there’s a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection.

Now you got it, Corona is an anagram of racoon :-).
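To make the bug class concrete, here is an added example (written for this article, not racoon's code and not from pod2g's post) of the pattern behind a format string vulnerability in a configuration parser, beside its hardened form. The logging helper, the two parser functions and the sample configuration lines are constructed for illustration and are not racoon's real syntax or internals; the point is only that untrusted config text must never reach the format argument of a printf-family call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Illustrative logging helper in the style many daemons use (NOT racoon's
 * own code): a printf-like format forwarded to vsnprintf. Nothing is wrong
 * with the helper itself; the bug is in how the parser below calls it. */
static int log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: a line read from the configuration file is passed
 * as the format argument. vsnprintf then interprets every %-directive the
 * attacker wrote into the file: %x reads (and leaks) stack slots, %s reads
 * through a pointer found on the stack, and %n writes a counter through
 * such a pointer. That write primitive is what lets a file on disk pivot
 * into a ROP chain at startup. */
int parse_config_line_vuln(const char *line, char *out, size_t outlen)
{
    return log_line(out, outlen, line);
}

/* Hardened pattern: the untrusted text is only ever an argument to a
 * constant format string, so its '%' characters are copied literally. */
int parse_config_line_safe(const char *line, char *out, size_t outlen)
{
    return log_line(out, outlen, "%s", line);
}

/* Audit/fuzzing helper: count conversion specifiers in untrusted text,
 * treating "%%" as a literal percent sign. Any non-zero result on a string
 * that reaches a format argument is a finding. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints one '%' and consumes no argument */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Deterministic oracle usable from a fuzzer: "%%" is harmless (it consumes
 * no argument) but observable. If the vulnerable path turns "%%" into "%",
 * directives are being interpreted; the safe path echoes the input
 * unchanged. Returns 1 when the two paths disagree. */
int directives_are_interpreted(const char *line)
{
    char vuln[128], safe[128];
    parse_config_line_vuln(line, vuln, sizeof vuln);
    parse_config_line_safe(line, safe, sizeof safe);
    return strcmp(vuln, safe) != 0;
}

int main(void)
{
    /* Constructed sample config lines (not real racoon.conf syntax). */
    const char *lines[] = { "remote 10.0.0.1 {", "remote 100%% trusted", "path %x%x%x%n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int n = count_format_directives(lines[i]);
        if (n > 0) {
            /* Never run the vulnerable path on a line that consumes
             * arguments: %x reads garbage and %n writes through it. */
            printf("%-24s %d directive(s): would leak/write if used as format\n", lines[i], n);
            continue;
        }
        printf("%-24s interpreted=%s\n", lines[i],
               directives_are_interpreted(lines[i]) ? "yes" : "no");
    }
    return 0;
}
```

The "%%" oracle is deliberately the only directive the example executes through the vulnerable path: it changes the output without reading or writing any argument, so the difference between the two parsers is visible without the undefined behaviour that %x or %n would cause. A real fuzzing run would instead watch for crashes and then inspect the crashing input for conversion specifiers, which is what the counting helper approximates.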

Pod2g also explains that the ROP payload reached through the racoon bug is only the first stage: it mounts crafted HFS images to trigger a kernel exploit that relies on a heap overflow in the HFS parsing code, a bug he had found earlier by fuzzing. He thanks i0n1c for the papers he published on this subject:

I don’t know exactly what happens in the kernel code, I never figured it out exactly, I found it by fuzzing the HFS btree parser. I just realized that it is a heap overflow in the zone allocator, so I started to try to mount clean, overflowed and payload images in a Heap Feng Shui way :-) And hey, that worked :p Thanks to @i0n1c for his papers on this subject.


For the full write-up, head over to pod2g.blog.
