Limera1n

limera1n is geohot's jailbreak utility. It uses a previously undisclosed bootrom exploit (the limera1n Exploit) and comex's Packet Filter Kernel Exploit to achieve an untethered jailbreak on many devices. The following devices are supported: limera1n has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. He displayed an iPod touch (3rd generation) with an untethered jailbreak that met MuscleNerd's requirements for a good video. In addition, he took a picture of Cydia and blackra1n icons on an iPad.
 * iPhone 3GS
 * iPhone 4 (iPhone3,1)
 * iPod touch (3rd generation)
 * iPod touch (4th generation)
 * iPad
 * Apple TV (2nd generation) (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)


 * Release Date: 2010
 * Supported OS's: Mac OS X, Windows
 * Supported Operations: hacktivation, jailbreaking
 * '''Supported iOS: 3.2.2-4.1

Release text
 limera1n, 6 months in the making

iPhone 3GS, iPod Touch (3rd generation), iPad, iPhone 4, iPod Touch (4th generation)

4.0-4.1 and beyond+++

limera1n is unpatchable

untethered thanks to jailbreakme star comex

brought to you by geohot

hacktivates

Mac coming in 7 years

donations keep support alive

zero pictures of my face

Credit

 * geohot - The program itself, and the bootrom exploit.
 * comex - The userland exploit that allows limera1n to run untethered.

Basics

 * limera1n has nothing to do with SHAtter at all.
 * limera1n uses a bootrom exploit to achieve the tethered jailbreak and unsigned code execution.
 * limera1n uses a userland exploit to make it untethered, which was developed by comex.
 * limera1n uses a hacktivation dylib to perform hacktivation.

Exploits
limera1n reuses the usb_control_msg(0x21,2) but exploits a different vulnerability (see Limera1n Exploit).

Process
The jailbreak appears to execute something like the following (in no particular order): "setenv debug-uarts 1 setenv auto-boot false saveenv" "setenv auto-boot true reset  geohot done"
 * In recovery1,
 * In DFU Mode, it uploads a payload.
 * In recovery2, it uploads another payload and its ramdisk.

Interesting Messages
"geohot black is the new purple"

"blackra1n start: %d current IRQ mask is %8.8X usb irq disabled...shhh fxns found @ %8.8X %8.8X found iBoot @ %8.8X i'm back from IRQland... 3g detected, kicking nor nor kicked memcpy done iBoot restored!!! found command table @ %8.8X cmd_geohot added time to pray...%8.8X"

"2.2X send command(%d): %s send exploit!!! sent data to copy: %X  sent shellcode: %X has real length %X never freed: %X sent fake data to timeout: %X  sent exploit to heap overflow: %X  sending file with length: 0x%X Mingw runtime failure:   VirtualQuery failed for %d bytes at address %p      Unknown pseudo relocation protocol version %d.     Unknown pseudo relocation bit size %d."

Controversy
The release of this jailbreak was specifically designed to pressure the Chronic Dev Team into not releasing SHAtter, and instead implement the limera1n exploit into greenpois0n; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.

Geohot's rationale was that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because iBoot code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. Geohot observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time. Both vulnerabilities ended up being patched in the iPad 2. It was fixed before the release of limera1n according to the build number. This has been confirmed by p0sixninja.

limera1n's untethered userland exploit for iOS 4.0 and 4.1 was obtained by geohot under questionable circumstances from comex. Comex did end up fixing the kernel patching code by beta2, so as to not break users' devices.

Hacktivation
limera1n will copy hacktivation.dylib to /usr/lib and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.