This New Untethered Bootrom Exploit is for iPhone 3GS Only

Today saw the release of a new bootrom exploit for the iPhone 3GS. Because the bootrom is read-only code burned into the chip at manufacture, Apple cannot fix the bug with a software update, so the exploit gives jailbreakers permanent, low-level control of the device.
Although the iPhone 3GS is now very much a legacy device and few people still use one, bootrom exploits are rare enough to make this worth noting: there has been no publicly released exploit of this kind since limera1n, which supported devices only up to the iPhone 4.
Released by Twitter user axi0mX, the exploit is called alloc8 and targets a vulnerability in the bootrom's malloc implementation. The details of the exploit and how it works can be found on axi0mX's GitHub page, where there is a comprehensive write-up. The majority of the write-up went over my head, but it may prove invaluable to those trying to increase their knowledge of iOS exploitation and jailbreaking in general.

The write-up and the ipwndfu tool are on this page: https://github.com/axi0mX/ipwndfu

The new exploit works on both the old and new revisions of the iPhone 3GS bootrom, and because bootrom code cannot be patched in the field and Apple no longer produces the device, the 3GS is now permanently pwned. Doubtless this will mean little to the majority of people for whom the 3GS is a distant memory, but it could allow more research into the iPhone's early boot components, and even if not, it is a very impressive feat.
There have already been reports of the exploit in action, including a downgrade to an arbitrary iOS version without saved SHSH blobs. I'm sure tinkerers everywhere will enjoy trying out this powerful new release if they have a 3GS lying around. Apparently, while alloc8 works on both revisions of the 3GS, the older 24Kpwn exploit is faster on the old bootrom.
Congratulations are in order to axi0mX for this rare achievement, even if we can all lament that the exploit is not for a current device family: the jailbreak community has not seen a bootrom exploit for a current device since limera1n. axi0mX is also responsible for the apticket-nonce-checker tool, which is useful for checking the validity of your blobs for use with the Re-restore tool. Clearly, he's been busy of late.
Do you still have an iPhone 3GS lying around which you could try this exploit out on? Do you think we’ll ever see another publicly-released bootrom exploit for current devices?

