Geohot presents an evasi0n7 writeup (geohot.com)
146 points by innoying on Dec 23, 2013 | 32 comments


Additional/Duplicate Information: http://pastebin.com/mT2n7uyj


That one is actually understandable.


Mods, please don't remove the title as the original page does not have a title.


Looks like geohot noticed your post: there's a title now. ;)


Cool! That's better than what I had before.


most interesting part:

> I found nothing sketchy in my reversing, your phones most likely aren't being backdoored by Chinese.


The part geohot reversed in this article is the non-persistent set of exploits used to get root.

The persistent (and buggy) stage of the exploit used to "untether" (re-exploit on reboot) and patch the OS is obfuscated. That's where a backdoored exploit would be if there was one anyway.

I think it's unlikely the evad3rs actually included a backdoor in their payload, but the way they handled their release was still silly enough that I won't install it. iOS jailbreaks are all taken on faith (after all, nobody but them knows what's in that obfuscated untether/patch binary) and they didn't do a lot to build any.


> I think it's unlikely the evad3rs actually included a backdoor in their payload

They agreed to bundle an app store whose only purpose is piracy (0xabadidea and Paul Haddad worked to remove their piracy system previously) without in the slightest wondering what it would be used for. From what I've read there's still bits of the Chinese scumware installed when you jailbreak in another country, and given the opinion of the Chinese company involved... I wouldn't put it past them.

I truly hope that geohot or another skilled developer repackages their jailbreak with a copy of MobileSubstrate that actually works and a Cydia build that's built properly by saurik. The evad3rs have completely lost any trust they have, and from pod2g's tweets they're extremely aware of how badly they fucked this up.


I've just come across this write-up by the evasion team, I'm not sure how to interpret it:

http://evasi0n.com/l.html


How did they handle the release? I don't have an iPhone so I haven't seen much, but I know there's some hubbub around this.


In short:

• evad3rs released an iOS7 jailbreak unexpectedly due to a leak

• it became apparent that it bundles some Chinese piracy store with no other legitimate purpose [0]

• information is made public that the evad3rs were paid $1M USD to include the piracy store

• evad3rs say they weren't aware it was for piracy (and never bothered to check)

• evad3rs aren't even sure if the Chinese bundle is malicious, it sends home encrypted something [1]

• evad3rs remove the Chinese bundles from their server and activate their kill switch [2]

• pod2g promises to release a clean jailbreak [3]

The end result is that the jailbreak ruined the trust of the community by including crapware and possibly malware, enabling mass piracy, ultimately not even bothering to check the binaries that they were paid to include. They've burnt Geohot's exploits for a 7.1 jailbreak, as the release timing means that they will be patched by Apple and be completely useless in the future. The jailbreak they released is worthless for the moment due to them not bothering to include the proper Substrate releases from saurik.

[0]: https://twitter.com/pod2g/status/414810029376933889

[0]: https://twitter.com/pod2g/status/415114461473964032

[0]: https://twitter.com/pod2g/status/414820772931067905

[1]: https://twitter.com/pod2g/status/415116127292108801

[2]: https://twitter.com/pod2g/status/414942393830756352

[3]: https://twitter.com/pod2g/status/415125262989557760


I'm just gonna throw this out there, even though it's wild speculation...

  They've burnt Geohot's exploits for a 7.1 
  jailbreak, as the release timing means that 
  they will be patched by Apple and be completely 
  useless in the future.

  The jailbreak they released is worthless for 
  the moment due to them not bothering to include 
  the proper Substrate releases from saurik.

This all comes through at a curious moment, when Apple announces a massive deal that opens up a truly vast Chinese market for them.

http://www.reuters.com/article/2013/12/23/us-apple-china-mob...

So, like, what if Apple and the Communist Chinese have colluded to prevent jailbroken iPhones in China, as part of the deal? Mostly because we're already talking about buy-offs and leaks with curious timing... So, somewhere along the line Xi Jinping and Tim Cook have a little sit down, and shortly thereafter, members of PLA Unit 61398 approach evad3rs on IRC all like:

  "the people of china need iPhones, but the chinese 
   government, needs them to be 'safe' [wink]... 
   if we give you certain... packages, mr. hotz is uh... 
   known to have, maybe eh... well ...listen, i'm just 
   going to come out and say it... geohotz needs to 
   take a fall. here's a retainer, see what you can do." 

  </hand-wavey-magical-thinking>


If they had already known about the exploit, it would have been much easier and more straightforward for them to just fix it.


tbh, and not trying to defend them here, but $1M is quite a bit; it makes people think, you know...


Oh wow, thanks for that summary, very succinct. It sounds quite the cl*sterfuck...


Keep in mind:

> This journey stops at root for now, since the /evasi0n7 binary is supa obfuscated good.


It's kinda neat how they are sending disk/block-level reads and writes, probably using a user-space/local HFS file system implementation, to inject the exploit, since the mounted file system is read-only.


Yeah, very cool. It only works because the rootfs is mounted as read-only or else they might end up messing it up if the system was writing to the same block. But then again if it wasn't read-only this wouldn't be a problem.


A lot of the recent jailbreaks seem to depend on symlink shenanigans. I wonder why Apple can't simply remove symlink support from iOS' filesystem driver? Is there anything in iOS or the appstore apps that depend on it?


Many parts of the internal system depend on it. Here's a run of `find / -type l` on a jailbroken iPhone 5: https://gist.github.com/innoying/8cd04821e17b3f67aa4b

A few of those are created by the jailbreak but most are core parts of the system.


That's actually a lot less than I thought would be in the iOS filesystem.

It doesn't seem like it'd be incredibly hard to remove those symlinks. Although Apple would probably favor fixing the bugs that allow malicious symlinks rather than remove symlinks from their file system driver (the horror!)
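A defender-side variant of that `find / -type l` pass, added here as an example and not code from the thread or from any of the projects mentioned: it classifies every symlink under a root so a hardening review can separate core-system links from dangling ones or links that resolve into writable areas, which is where the "malicious symlink" bugs discussed above tend to matter. It assumes GNU coreutils (`readlink -f`) and builds a constructed sample tree in place of a real device rootfs; the class names are our own, not iOS terminology.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (readlink -f).
set -eu

# One line per symlink: <class>\t<link>\t<raw target>
#   dangling - target does not exist
#   mutable  - resolved target lives under a writable prefix
#   absolute - absolute target that stays inside read-only areas
#   relative - relative target inside the tree
# $1 = root to scan, $2 = colon-separated prefixes treated as writable
audit_symlinks() {
  root=$1
  mutable=$2
  find "$root" -type l | while IFS= read -r link; do
    raw=$(readlink "$link")
    if [ ! -e "$link" ]; then
      cls=dangling
    else
      resolved=$(readlink -f "$link")
      cls=relative
      case $raw in /*) cls=absolute ;; esac
      old_ifs=$IFS; IFS=:
      for p in $mutable; do
        case $resolved in "$p"/*|"$p") cls=mutable ;; esac
      done
      IFS=$old_ifs
    fi
    printf '%s\t%s\t%s\n' "$cls" "$link" "$raw"
  done
}

# Number of links in one class: $1 = class, $2 = root, $3 = writable prefixes
count_class() {
  audit_symlinks "$2" "$3" | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample tree standing in for a small slice of a device rootfs.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/lib" "$d/var/tmp" "$d/etc"
  : > "$d/usr/lib/libfoo.1.dylib"
  ln -s libfoo.1.dylib "$d/usr/lib/libfoo.dylib"              # relative, in-tree
  ln -s "$d/var/tmp" "$d/etc/cache"                           # resolves into writable /var
  ln -s "$d/usr/lib/libfoo.1.dylib" "$d/usr/lib/libabs.dylib" # absolute, read-only area
  ln -s nonexistent "$d/etc/stale"                            # dangling
  printf '%s\n' "$d"
}

# Usage against a real tree: audit_symlinks / /var:/tmp:/private/var
```

On a device the `mutable` list would be the mount points a jailbreak or an app can write to, so the `mutable` and `dangling` rows are the ones worth reading first.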


They would also have to make sure no iOS applications make use of symlinks at any point. Since an ipa is simply a zip archive it's possible (and probable) that some applications already make use of symlinks on install or during operation. I think that's the major motivation.


I'm pretty sure symlinks aren't anything any regular Xcode iOS SDK project would end up delivering in normal use, though.

Plus, old binaries break all the time due to incompatible software or hardware changes (AVFoundation, GL shaders, UDID bans, etc.).

And new builds certainly get new requirements imposed (forced minimum SDK version etc)


Numerous App Store apps contain symlinks around the detached codesignature, most likely caused by changes over the years to the codesignature utility. Also in keeping with Xcode semantics, embedded frameworks often contain symlinks as well.


I've seen people symlink graphics for reuse. For reusing @2x graphics on iPad, etc.


How does reverse engineering binaries like this work? Did geohot really go through the entire disassembly during the time of a plane ride?


As evidenced by the hash Geohot posted on his Twitter on December 8th of http://geohot.com/mt.jpg, he has had access to some of the vulnerabilities for some time. I know for sure the use of the signed WWDC application has been known by some of the jailbreak developers for over a year.


Something looks a bit off with that photo [1]. The screen size is wrong. It has the aspect ratio of a pre-5 iPhone (notice the extra-large gap between the bottom of the screen and the home button compared to [2]). It also appears to be running iOS 6, which I'm pretty sure isn't possible on a 5s.

[1]: http://geohot.com/mt.jpg

[2]: http://images.apple.com/iphone/compare/images/compare_iphone...


The screen size looks wrong because the app is running in pillar box mode — it's only been compiled to run for 640x960 screens (i.e. iPhone 4S and older).

The keyboard is iOS 6 styled because the app hasn't been compiled for iOS 7.

Nothing out of the ordinary here.


The bottom of the keyboard is not the bottom of the screen. http://i.imgur.com/TzUAKI9.jpg


MobileTerminal (the app he's running) hasn't been updated with iPhone 5 support


george, you are amazing.



