How Corona Untethered Jailbreak Works For iOS 5.0.1

Corona is an untethered jailbreak for iOS 5.0.1 released by pod2g. This A4-only exploit is now public, and pod2g has explained in a blog post exactly what Corona is, what it does and how it sped up the search for an untethered jailbreak.


Previously, hackers relied on userland exploits to breach iOS's stringent security architecture. With the iOS 5.0.1 release, Apple patched all the known userland holes, which meant that pod2g and other hackers had to look for other ways to deliver jailbreaks. If you are not familiar with the jargon used in software development, you might find the explanation below a little difficult to follow.

Before iOS 5, security researchers included the untethered payload as a data page, rather than a code page, in a Mach-O binary. The Mach-O loader never checked the authenticity of data pages, which suited hackers looking for a way in. ROP then allowed code execution using already-signed code in the dyld cache instead of writing new executable code, and techniques discovered by the likes of Comex allowed the ROP chain to be started by the Mach-O loader itself.

Now that Apple has tightened its security, data pages also have to be signed via Apple's servers in order for the loader to authenticate the binary. @i0n1c has demonstrated ways of getting past this verification, and that method could possibly be used in an iOS 5.1 jailbreak.

With Corona, pod2g looked for a way to start unsigned code without going through the Mach-O loader at all, searching instead for flaws in existing Apple binaries that are started by the standard launchd plist mechanism. Using a fuzzer, he discovered a format string vulnerability in the racoon configuration parsing code.

To apply the jailbreak at boot, racoon is started by a launchd plist file, which then loads the file that triggers the format string bug and gets the unsigned code running. There is a lot of in-depth information in pod2g's blog post, and for those who aren't familiar with the jargon it may be too much to read. All that readers need to know is that this untethered jailbreak works.
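To make the bug class concrete, here is an added example written for this post (not racoon's code and not pod2g's): a hypothetical "key value;" config-line parser in C with the unsafe reporting call shown beside the hardened one, plus a small audit helper a loader or its test suite could run over config values. The parser, its format and all sample inputs are constructed for illustration.

```c
/* Constructed teaching example (not racoon's or pod2g's code): a tiny "key
 * value;" config-line parser like a daemon's loader. It shows the bug class
 * described above (a file-derived string used as a printf FORMAT) and the fix. */
#include <stdio.h>
#include <string.h>
#define CFG_MAX 128

/* The pragma only keeps this teaching file compiling under -Werror; in real
 * code you want -Wformat-security to fire on exactly this call. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* VULNERABLE: the rejected config line becomes the format string, so any '%'
 * directives in the file get interpreted. Shown only; never invoked below. */
void report_bad_line_vulnerable(const char *line, char *out, size_t n)
{
    snprintf(out, n, line);
}
#pragma GCC diagnostic pop

/* HARDENED: the config line is always a %s argument, never the format. */
void report_bad_line_safe(const char *line, char *out, size_t n)
{
    snprintf(out, n, "bad config line: %s", line);
}

/* Loader-side audit: count '%' characters in a value read from the file.
 * Non-zero means the value could carry directives if it ever reached a
 * format argument; handy as a lint on config inputs and in unit tests. */
int count_percent_signs(const char *s)
{
    int c = 0;
    for (; *s; s++)
        c += (*s == '%');
    return c;
}

/* Parse one "key value;" line. Returns 1 on success (key/val filled, diag
 * empty) or 0 on a syntax error (diag then holds the safe diagnostic). */
int parse_config_line(const char *line, char *key, size_t ksz,
                      char *val, size_t vsz, char *diag, size_t dsz)
{
    char k[CFG_MAX], v[CFG_MAX];
    if (sscanf(line, "%127s %127[^;];", k, v) != 2) {
        report_bad_line_safe(line, diag, dsz);
        return 0;
    }
    snprintf(key, ksz, "%s", k);
    snprintf(val, vsz, "%s", v);
    diag[0] = '\0';
    return 1;
}
```

Compiling with `-Wall -Wformat-security` (and the pragma removed) makes the compiler flag the vulnerable call while accepting the hardened one, which is the cheapest check to keep this class of bug out of a config parser.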