A new exploit discovered, might help in cracking 1.1.1 soon - General - Hackint0sh.org
Amazingly Knowledgeable

Originally Posted by shodanjr_gr
It's not better than decrypting the update files because we still don't have access to the baseband firmware (this isn't mappable to the filesystem).
Taking a look at the lockdown dir can reveal a lot of interesting stuff.
Patience my friend...
The Man
Actually the filesystem difference is not that the /dev/disk0s2 has the noexec flag (it's also there on 1.0.2), but the fact the /dev/disk0s1 is mounted RO under darwin, meaning that it's locked.
Gaining RW access to /dev/disk0s1 (that is, the root directory) is the key to jailbreaking. Without RW access to it, one can't store files in /Application and thus can't run apps, or any other executable.
The challenge now is to find a way to change the fstab so that the fstab will reflect /dev/disk0s1 as mountable as RW. Then we are in serious business.
^^ +1
Fellas, there is a lot of action in the #iphone-dev channel. Take a look and just watch. It will come, just be patient.
The Man
Maybe someone else has mentioned or thought about this, but it just came to my mind that with a unix shell it's very simple to revert a RO filesystem to RW.
I've tried that with 1.0.2 and it works, so apparently the iPhone darwin behaves like a normal Unix, as far as moving a filesystem from RO to RW.
Just execute the mount command as part of the TIFF exploit and voila! Well I can't swear it will work, but I'm quite sure it will.
Then just replace the fstab and reboot to make it permanent.
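The two posts above (the one pointing out that /dev/disk0s1 is mounted read-only and that the fstab must be changed, and this one proposing a remount followed by an fstab replacement) describe the same mechanism. Below is an added example of how that mechanism works on a Darwin/BSD-style system; it is not code from the thread or from any jailbreak tool. The mount output and fstab contents are constructed samples modelled on the layout the posts describe (root on /dev/disk0s1, /private/var on /dev/disk0s2), so the script runs offline; the device paths and the /private/etc/fstab location are assumptions, and the real remount is only executed when the function is explicitly called with `apply`.

```sh
#!/bin/sh
# Added example, not from the original thread. Demonstrates the two steps
# the posts describe: (1) check whether root is mounted read-only and
# remount it read-write for the current boot, (2) rewrite the fstab entry
# so the change survives a reboot. All inputs below are constructed.

# Constructed sample of `mount` output (assumed layout: root RO on disk0s1,
# /private/var with noexec on disk0s2).
SAMPLE_MOUNT='/dev/disk0s1 on / (hfs, local, read-only)
devfs on /dev (devfs, local)
/dev/disk0s2 on /private/var (hfs, local, nodev, nosuid, noexec)'

# Constructed sample fstab with the root volume locked read-only.
SAMPLE_FSTAB='/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw,nosuid,nodev,noexec 0 2'

# root_is_readonly DEVICE MOUNT_OUTPUT
# Prints "yes" if DEVICE appears in MOUNT_OUTPUT with the read-only flag,
# "no" if it is mounted without it, "absent" if it is not mounted at all.
root_is_readonly() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev {
            if ($0 ~ /read-only/) print "yes"; else print "no"
            found = 1
        }
        END { if (!found) print "absent" }'
}

# fstab_make_rw DEVICE FSTAB_TEXT
# Prints FSTAB_TEXT with the "ro" option of DEVICE's entry changed to "rw".
# Options are treated as a comma-separated list so "ro,nosuid" also works;
# every other line is passed through unchanged.
fstab_make_rw() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") o[i] = "rw"
            opts = o[1]
            for (i = 2; i <= n; i++) opts = opts "," o[i]
            $4 = opts
        }
        { print }'
}

# remount_root_rw [apply]
# Without "apply" it only prints the command that would be run (safe to call
# anywhere). With "apply" it performs the remount for the current boot; the
# fstab rewrite is what makes it stick across reboots.
remount_root_rw() {
    if [ "$1" = apply ]; then
        mount -uw /
    else
        echo "mount -uw /"
    fi
}

# Walk-through on the constructed data (no changes to the running system).
echo "root read-only? $(root_is_readonly /dev/disk0s1 "$SAMPLE_MOUNT")"
echo "for this boot:   $(remount_root_rw)"
echo "persistent fstab:"
fstab_make_rw /dev/disk0s1 "$SAMPLE_FSTAB"
# On a real device (assumed path) the last step would be:
#   fstab_make_rw /dev/disk0s1 "$(cat /private/etc/fstab)" > /tmp/fstab.new \
#     && cp /tmp/fstab.new /private/etc/fstab
```

The remount takes effect immediately but is lost at reboot, which is why the fstab entry is the part that matters; the check function is there so the script can confirm the read-only state before and after rather than assuming it.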
Amazingly Knowledgeable

Originally Posted by aviegas
Maybe someone else has mentioned or thought about this, but it just came to my mind that with a unix shell it's very simple to revert a RO filesystem to RW.
I've tried that with 1.0.2 and it works, so apparently the iPhone darwin behaves like a normal Unix, as far as moving a filesystem from RO to RW.
Just execute the mount command as part of the TIFF exploit and voila! Well I can't swear it will work, but I'm quite sure it will.
Then just replace the fstab and reboot to make it permanent.
It is not as easy as you might think. Try posting this on the dev channel and prepare to be slaughtered.
The Man

Originally Posted by Locked
It is not as easy as you might think. Try posting this on the dev channel and prepare to be slaughtered.

I'm not saying that it's simple, but in theory (and the 1.0.2 mount test) it could work.
The regular jailbreak uses iTunes as the conduit to change the fstab. I'm just thinking of ways to combine 2 things: the TIFF exploit and the symbolic-link-before-upgrade trick to gain access to the filesystem. Then the rest would follow. Never implying it's simple. It isn't.
what is the irc connection and room #?
Senior Professional
By the way, to add to the useless tidbits, according to the irc channel we now know that the 1.1.1 root password is "alpine" (instead of "dottie")--since it is a word you find in a dictionary, it took only a few milliseconds of CPU time to figure it out. Goodnight everyone for tonight.
Last edited by mr_; 10-06-2007 at 02:20 AM.
Amazingly Knowledgeable
Wow, I must say this is exciting news! It feels good to hear about progress in cracking 1.1.1!