Within the span of 48 hours there have been two significant — if as of yet fruitless — developments in the quest to jailbreak (gain write access to) the iPhone 1.1.1 filesystem, which will make it possible to install third-party native applications on the device.
First there was the discovery of a TIFF buffer overflow exploit that will cause MobileSafari on the iPhone software/firmware 1.1.1 or iPod touch software 1.1.x to crash. This means that arbitrary code can be written to the device.
Next came the incredibly simple realization that generating a symlink for the iPhone’s media directory on a Mac OS X system then upgrading an iPhone from firmware 1.0.2 to 1.1.1 triggers the ability to view the entire filesystem through tools like the iPhone Utility Client. This method also allows the writing of files to the private/var/root directory, where the iPhone stores files that are specific to the user rather than the operating system. This includes the Media folder, where images, iTunes tracks and more are stored.
So what does this mean? Potentially a lot for the future, but not much in the near term. Here’s why:
Write access to the private/var/root directory is nothing new. Ambrosia Software has been doing it without the aid of any jailbreak/hack activity for several iPhone software iterations in iToner, a tool for adding custom ringtones to the iPhone. Ambrosia does it by using Apple’s own API, and can still perform the same basic routine under software 1.1.1. The reason iToner hasn’t been released in a 1.1.1-compatible version is because of a mysterious new signing mechanism used for ringtones that allows some tracks to play, and disallows others, with no discernible basis for discrimination.
What is new: this method for writing to the private directory doesn’t require the use of Apple’s API. “They are approaching it a different way than we are,” Andrew Welch, President of Ambrosia Software told iPhone Atlas. “We’re using Apple’s APIs to access the user area of the phone; they are trying to hack their way in.”
The ability to write to private/var/root has limited implications, however. This directory and its subdirectories cannot currently be accessed to execute code. That means that third-party native apps can’t be written to and run from within it.
Furthermore, the ability to read the rest of the filesystem — which could prove instrumental to a jailbreak at some point — has yet to yield any real results. Attempts to move applications, like the WiFi iTunes Music Store, from iPhones running software 1.1.1 to iPhones running software 1.0.2 have, thus far, proven unsuccessful.
Still, there’s reason to be optimistic. Maksim Rashiv of Nullriver Software (whose Installer.app/AppTapp combination largely popularized third-party native apps on the iPhone) tells us that if one were able to trigger code execution in private/var/root via the loading of a plug-in used by one of the iPhone’s applications, it could lead to real solution for running third-party binaries.
“We need to find any plugin that (the iPhone) will load from private/var/root/Library/, then we can get in. That’s one sure way.”
We leave you with our favorite quote at the moment:
“It’s a cat-and-mouse game. We try to stay ahead. People will try to break in, and it’s our job to stop them breaking in.” — Steve Jobs.