20 mdtrooper 0 6/6/2025, 5:30:11 AM


littlecranky67 · 1d ago
Misleading title, in the thread the creator explicitly states not to have native code exec, and everything is 100% userland ROP (return-oriented-programming).
phire · 1d ago
I find it interesting that "rooted" and "jailbroken" have become synonymous with "exploited" in many people's minds.

But they have very explicit meanings. Rooted means you have access to the root account (uid=1), and usually only applies to devices where you already have userspace access.

And the term "jailbreak" came along because the first iPhones exposed access to the media folder for iTunes sync over USB, and that folder was in a "chroot jail". (And I think that sync process was already running as root?)

The first iPhone jailbreak was literally using the sync protocol to create a symlink to "../../../". After Apple blocked creating symlinks over sync, the next exploit had a ROP chain payload that simply created that same symlink, allowing previous tools to work. It wasn't until later that we got the first JailbreakMe, which didn't just create the symlink for breaking out of the jail, it would bootstrap a full homebrew experience.

And that complete package became standard for the "jailbreak" experience, establishing the now incorrect terminology.

throwaway314155 · 1d ago
> the first iPhones exposed access to the media folder for iTunes sync over USB, and that folder was in a "chroot jail"

I was maybe 14 at the time and probably couldn't parse this back then. So thanks for the background! Had no idea. If I recall I was jailbreaking an iPod Touch in those days.

nicman23 · 1d ago
Still very impressive though, having exec on day 1.
_def · 1d ago
People used to hold back on sharing findings like this publicly until they got much farther. This way Nintendo will force patches early and make it harder to fully own the console. But I get it, it's great to be able to claim this on day 1.
TiredOfLife · 1d ago
Misleading title. It's not rooted.