Purplera1n

Credit

 * Vulnerability, Exploit, and Windows client: geohot
 * Mac OS X client: AriX and westbaer

Signature Grabber
Allowed anyone with an iPhone 3GS to generate a file that contained:
 * The ECID for your device.
 * The new SHSH for a 3.0 iPhone 3GS iBSS that includes your ECID.

It has since been discontinued, however.

This was done so you would have a backup that could be used to allow you to boot an older iBSS. However, no tool was ever created to utilize this backup.

Jailbreak Tool

 * Web Site: http://purplera1n.com

One-Click, dead simple, jailbreak for the iPhone 3GS on iOS 3.0 only (not 3.0.1 or later). Currently available for Windows and Mac. It utilizes the iBoot Environment Variable Overflow.

Exploitation

 * 1) purplera1n sends the enter recovery commands using MobileDevice Framework
 * 2) once in Recovery Mode (iBoot), it sends the iBoot Environment Variable Overflow exploit
 * 3) the exploit adds a "geohot" command to the phone which runs the payload
 * 4) the "geohot" command is run, control is now transferred from iBoot to the payload
 * 5) the purplera1n client is done

Payload

 * 1) the payload restores the default environment variable ring buffer and saves the environment to nvram (sets auto-boot to true)
 * 2) it patches iBoot to load unsigned IMG3s and not care about the tags
 * 3) it loads the purplera1n picture (sent with payload)
 * 4) the NOR patcher starts
 * 5) LLB is decrypted, patched, and increased in size to 0x24200. this is the resident 0x24000 Segment Overflow exploit
 * 6) a little loader code is put @ 0x20000 in the LLB to load it and fix the stack
 * 7) iBoot is decrypted, patched
 * 8) everything else is read as is
 * 9) NOR is written back, nor patcher is done
 * 10) kernel is loaded, decrypted, and patched
 * 11) ramdisk is loaded (sent with payload) and moved to ramdisk region at 0x44000000, patched kernel is tacked on to the end
 * 12) patched kernel is booted
 * 13) control is now transferred from payload to ramdisk

Ramdisk

 * 1) launchd is run, all stuff happens here
 * 2) /dev/disk0s1 is mounted
 * 3) /private/etc/fstab and services are overwritten here to allow disk0s1 writes and AFC2 respectively
 * 4) Freeze is transferred and Freeze loader has SUID bit set
 * 5) patched kernel is read from end of ramdisk block device and written to filesystem
 * 6) ramdisk is done, rebooting...
 * 7) Reboots as jailbroken phone