Absinthe 2.0 Jailbreaks iOS 5.1.1-equipped iDevices

Source: GreenPois0n Absinthe 2.0 / GreenPois0n

Last Friday, a new untethered version of the Absinthe jailbreak was announced at the Hack in the Box conference in Amsterdam. Absinthe 2.0 is compatible with almost all Apple devices powered by A4 and A5 processors and running iOS 5.1.1, and it is the first jailbreak for the new (third-generation) iPad.

Know More About Absinthe 2.0

Absinthe 2.0 is the result of a collaboration between the Chronic Dev Team and the iPhone Dev Team. The jailbreak removes the restrictions Apple places on the device, giving users access to system features that are normally off limits; in turn, owners of jailbroken iDevices can install applications that are not available in the official App Store.

Although it works only on devices running iOS 5.1.1, it supports almost every model: almost all iPad models, the iPhone 3GS, iPhone 4 and iPhone 4S, the third- and fourth-generation iPod touch, and the second-generation Apple TV. Support for the new 8 GB iPad 2, which uses a revised (32 nm) A5 chip, will follow at a later date.

How Absinthe 2.0 Works

The so-called iOS Jailbreak Dream Team explained to iClarified how Absinthe 2.0 works:

GreenPois0n Absinthe was built upon @pod2g’s Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.

Corona is an anagram of “racoon”, the IPsec key-management (IKE) daemon that is the primary victim of this attack. A format string vulnerability was located in racoon’s error-handling routines: if the attacker controls racoon’s configuration file, the bug lets them write arbitrary data to racoon’s stack one byte at a time. Using this primitive, the researchers built a ROP payload on racoon’s stack that mounts a rogue HFS volume, which in turn injects code at the kernel level and patches the kernel’s code-signing routines.

The original Corona untether used the LimeRa1n bootrom exploit as its injection vector: it let the developers disable ASLR and sandboxing and then launch racoon with a custom configuration file. That made it unusable on the newer A5 devices, the iPad 2 and iPhone 4S, which are not vulnerable to LimeRa1n, so another injection vector was needed.
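The paragraph above describes the bug class in one sentence; the example below, added here as an illustration and not taken from the Absinthe paper or from racoon’s source, shows in C what a format string bug in a logging routine looks like, what the hardened form looks like, and how the “one byte at a time” stack write the researchers used is built from printf’s %hhn. The logging functions (log_error_vulnerable, log_error_fixed), the check (fmt_directive_count), the write primitive (fmt_write_byte, fmt_write_bytes) and the sample config token are all constructed for this example and are not racoon’s own code or data; the primitive is shown writing into a local variable with an explicit pointer rather than into racoon’s real stack frame.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a racoon-style error path (not racoon's code):
 * a variadic logging wrapper receives an attacker-influenced string, taken
 * from the config file, and hands it to vsnprintf as the FORMAT, not as data.
 * The wrapper hides the bug from -Wformat-security, which is also one reason
 * such bugs survive in real daemons.
 */
static void log_error_vulnerable(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);   /* every '%' directive in fmt is interpreted */
    va_end(ap);
}

/* Hardened form: the untrusted string is only ever a "%s" argument. */
static void log_error_fixed(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s", msg);
}

/* Counts '%' directives in an untrusted string ("%%" is a literal percent);
 * anything non-zero means the string would be dangerous as a format. */
static int fmt_directive_count(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/*
 * The write primitive the text describes, isolated: "%hhn" stores the low
 * byte of the number of characters printed so far into the pointer it is
 * given. Padding the output to exactly `value` characters first (via a "*"
 * width taken from an argument, so the format itself stays a read-only
 * literal) therefore stores `value` into *target. A value of 0 needs 256
 * characters, because the stored count is taken modulo 256.
 * Returns the number of characters printf counted (== the padding used).
 */
static int fmt_write_byte(unsigned char *target, unsigned char value)
{
    char sink[320];
    int pad = value ? value : 256;
    return snprintf(sink, sizeof sink, "%*c%hhn", pad, 'A', (signed char *)target);
}

/* Repeats the single-byte primitive to place an arbitrary byte string at dst:
 * the write-what-where from which a ROP payload on the stack is assembled. */
static size_t fmt_write_bytes(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        fmt_write_byte(dst + i, src[i]);
    return n;
}

int main(void)
{
    /* Constructed config token an attacker might plant; harmless with the fixed logger. */
    const char *cfg_token = "path include \"%x%x%x%hhn\"";
    char line[128];

    log_error_fixed(line, sizeof line, cfg_token);
    printf("fixed logger   : %s\n", line);
    printf("directives     : %d\n", fmt_directive_count(cfg_token));

    /* Intended use of the vulnerable wrapper. The bug is triggered when a
     * caller passes cfg_token in the fmt position instead: the directives
     * are then interpreted against whatever happens to be on the stack. */
    log_error_vulnerable(line, sizeof line, "parse error at line %d", 3);
    printf("vulnerable log : %s\n", line);

    /* Write 0xdeadbeef into a word one byte at a time via %hhn. */
    uint32_t word = 0;
    const unsigned char bytes[4] = { 0xef, 0xbe, 0xad, 0xde };
    fmt_write_bytes((unsigned char *)&word, bytes, sizeof bytes);
    printf("word after byte-wise %%hhn writes: 0x%08x (host byte order)\n", (unsigned)word);
    return 0;
}
```

The real attack differs from the demo in one essential way: racoon never passes a pointer to %hhn on purpose, so the exploit has to steer the directive at a pointer that is already on the stack (the config string itself, for instance), which is what makes the layout work, and the byte-wise writes, tedious. The fix is the same either way: never let untrusted text occupy the format argument.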

GreenPois0n has also released instructions on how to use the jailbreak. Owners should bear in mind that jailbreaking may void Apple’s warranty and, in rare cases, can leave the jailbroken device damaged. Users who want to run jailbreak software and tweaks do so at their own risk.
