alloc8 untethered bootrom exploit released for iPhone 3GS

We may find ourselves sitting with an iPhone 7 or 7 Plus in our hands, talking enthusiastically about what Apple has planned for this year’s anniversary edition iPhone, but today attention has taken a trip back through the sands of time and is focused intently on Apple’s iPhone 3GS.

The exploit, released by the researcher known on Twitter as axi0mX, is called alloc8, and it abuses a vulnerability in the bootrom’s malloc function. The details of the exploit and how it works are laid out in a comprehensive write-up on axi0mX’s GitHub page. The majority of the write-up went over my head, but it may prove invaluable to anyone trying to deepen their knowledge of iOS exploitation and jailbreaking in general.

The original iPhone 3GS had a bootrom vulnerability that was exploited by 24Kpwn. Because the bootrom is the very first code the device runs, an exploit at that level gives total control over upgrading, downgrading, untethered jailbreaking and installing custom firmware, which is why Apple treats such bugs as extremely serious and the jailbreak community treats them as extremely valuable. The bootrom is read-only memory fixed in the SoC when it is manufactured, so a bug there can only be fixed by shipping new hardware, never by a software or firmware update. No recent jailbreak has relied on such a vulnerability, and none has been made public for any device newer than the iPhone 4. 24Kpwn worried Apple enough that it actually shipped a refresh of the iPhone 3GS partway through the device’s life with a new bootrom that closed the hole.

This new exploit works on both the old and the new revisions of the iPhone 3GS bootrom, and since Apple can neither patch the bootrom in software nor, with the 3GS long out of production, ship another hardware revision, the device is now permanently pwned. Doubtless this will mean little to the majority of people, for whom the 3GS is now a distant memory, but it could enable more research into the iPhone’s early boot components, and even if it does not, it is a very impressive feat.

The project’s GitHub page summarises it as follows:

alloc8 brings freedom to millions of iPhone 3GS devices, forever, by exploiting a powerful vulnerability in function malloc in the bootrom. Both revisions of the iPhone 3GS bootrom are vulnerable, but the old bootrom is also vulnerable to 24Kpwn, which is faster than alloc8.

The developer lists a few features on the GitHub page, such as the ability to jailbreak an iPhone 3GS with the new bootrom. There is also an extensive write-up of the discovery, along with instructions for getting the ipwndfu tool, which puts the alloc8 exploit to work, up and running.