How the iPhone 4 and iOS4 Jailbreak Works – Jailbreakme.com, Comex
I’m sure many other hackers and tinkerers like me are wondering how the iPhone 4 jailbreak (released yesterday) was accomplished. Beyond that, I think people are most interested in how this exploit could be used maliciously against NON-JAILBROKEN iPhone users. I’m spreading this information in the hope that the exploit will be promptly patched — as you may recall, with one of the original iOS jailbreaks (version 1.1.1, I believe), the jailbreakers actually took the liberty of patching the exploit they had used once the jailbreak was complete. That jailbreak was likewise delivered through Safari, via the way it handled .TIFF files.
Now, on to the dirty stuff…
@chpwn has explained that @comex’s jailbreak uses a stack overflow in CFF font parsing; the trigger is essentially a font file embedded in a FlateDecode stream.
If you copy jailbreakme.com to a local server, you can dissect the small web app and see how it works. Essentially, the site checks your device’s user-agent and loads the matching PDF file for the exploit from http://www.jailbreakme.com/_/ by way of the JavaScript new Image() call.
One can then open the PDF files in a hex editor and examine them more closely. The jailbreak uses a FlateDecode stream (which lets arbitrary data, including plain text, be compressed with zlib and embedded in a PDF) to carry a font file that in turn triggers the stack overflow.
If you decode the FlateDecode stream with GhostView, you can see the actual code used to perform the jailbreak. I’ve highlighted a line that should be familiar if you’ve visited jailbreakme.com on your iOS device recently.
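Since the exploit rides in a zlib-compressed FlateDecode stream that wraps a CFF font, a defender can triage suspect PDFs by inflating each such stream and checking for a CFF header or a CFF-style font entry. The scanner below is an added example, not code from jailbreakme.com or comex; it uses a simple regex heuristic rather than a full PDF parser, caps the inflated size so a crafted stream cannot exhaust memory, and runs against a constructed sample PDF rather than the real exploit file.

```python
import re
import zlib

# "<< dict >> stream ... endstream" pairs. A heuristic for flat, unencrypted
# files, not a full PDF parser.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
MAX_INFLATE = 4 * 1024 * 1024  # cap inflated size so a zlib bomb cannot exhaust memory

def looks_like_cff(data: bytes) -> bool:
    """Bare CFF header: major=1, minor=0, hdrSize=4, offSize in 1..4."""
    return (len(data) >= 4 and data[0] == 1 and data[1] == 0
            and data[2] == 4 and 1 <= data[3] <= 4)

def inflate_bounded(raw: bytes):
    """Inflate at most MAX_INFLATE bytes; None if raw is not valid zlib data."""
    try:
        return zlib.decompressobj().decompress(raw, MAX_INFLATE)
    except zlib.error:
        return None

def scan_pdf(pdf: bytes) -> list:
    """One finding per FlateDecode stream that carries a CFF font or will not inflate."""
    findings = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf)):
        dictionary, raw = m.group(1), m.group(2)
        if b"/FlateDecode" not in dictionary:
            continue
        payload = inflate_bounded(raw)
        if payload is None:
            findings.append({"stream": idx, "reason": "undecodable FlateDecode stream"})
        elif (looks_like_cff(payload) or b"/FontFile3" in dictionary
              or b"/Type1C" in dictionary):
            findings.append({"stream": idx, "reason": "compressed CFF font",
                             "size": len(payload)})
    return findings

# Constructed sample, not the jailbreakme.com PDF: one FlateDecode stream
# wrapping a fake CFF header plus padding, and one plain uncompressed stream.
_CFF_BLOB = b"\x01\x00\x04\x01" + b"\x00" * 40
_DEFLATED = zlib.compress(_CFF_BLOB)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(_DEFLATED)).encode()
    + b" /Filter /FlateDecode /Subtype /Type1C >>\nstream\n" + _DEFLATED
    + b"\nendstream\nendobj\n2 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\n"
    + b"endobj\n%%EOF\n"
)
```

Calling scan_pdf on the bytes of a real file flags every compressed stream that looks like a CFF font, which is the hallmark described above; a hit is a reason to look closer, not proof of an exploit, since legitimate PDFs embed CFF fonts the same way.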


Ben, would you say that jailbreaking your iPhone is a bad idea, a good idea, or are you impartial? I want to break mine, but I’m afraid Apple won’t touch it.