Absinthe 2.0 jailbreaks most iDevices running iOS 5.1.1
Disclaimer: Jailbreaking may void Apple's warranty and in rare cases cause damage to the device being unlocked. Users opting to run jailbreak software and tweaks do so at their own risk.
Announced at the Hack in the Box event in Amsterdam, GreenPois0n Absinthe v2.0 is the result of a collaboration between the Chronic-Dev Team and iPhone Dev Team. It gives iDevice users wider access to system features normally prohibited by Apple, thus allowing the download of applications and extensions unavailable in the official App Store.
Currently, the iOS 5.1.1-only jailbreak can be applied to nearly all iPads, the iPhone 3G, 4 and 4S, third- and fourth-generation iPod touch media players, and the second-generation Apple TV. Support for the new 8GB iPad 2, which features a custom-designed A5 chip, will be available soon, though the team notes that Apple TV compatibility will not be included in the version 2.0 build.
During the event, the "dream team" of hackers explained (via iClarified) how Absinthe v2.0 works:
GreenPois0n Absinthe was built upon @pod2g's Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 for the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.
Corona is an acronym (sic) for "racoon", which is the primary victim for this attack. A format string vulnerability was located in racoon's error handling routines, allowing the researchers to write arbitrary data to racoon's stack, one byte at a time, if they can control racoon's configuration file. Using this technique researchers were able to build a ROP payload on racoon's stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.
The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad 2 and iPhone 4S, which weren't exploitable by LimeRa1n, so another injection vector was needed.
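The bug class the team describes, untrusted configuration text reaching a printf-style error routine as the format string itself, is illustrated below with added code that is not from the paper or from racoon's source. The logger and the directive scanner are hypothetical; the scanner is the kind of input check a config parser can apply before any text is logged.

```c
#include <stdio.h>
#include <string.h>

/* Hardened error reporting: the untrusted config text is passed as an argument
 * to a fixed format string, so any "%n" or "%x" it contains is printed literally
 * instead of being interpreted. Returns the length of the formatted message. */
static int report_config_error(char *out, size_t outlen, const char *path,
                               int line_no, const char *text)
{
    return snprintf(out, outlen, "%s:%d: bad directive: %s", path, line_no, text);
}

/* Counts the conversion directives a vulnerable printf-style call would have
 * consumed from an untrusted string, and reports how many of them are "%n",
 * the directive that turns a format string bug from an information leak into a
 * memory write. "%%" is a literal percent sign and is not counted. */
static int scan_format_directives(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;               /* "%%": literal percent */
        /* skip flags, width, precision, positional "$" and length modifiers */
        while (*p && strchr("-+ #0123456789.$hlqjztL", *p)) p++;
        if (*p == '\0') break;                 /* lone trailing '%' */
        n++;
        if (*p == 'n') (*writes)++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a config line carrying format directives. */
    const char *line = "remote anonymous { %08x %10$hhn }";
    char msg[128];
    int writes, total = scan_format_directives(line, &writes);

    printf("%d directive(s), %d of them %%n writes\n", total, writes);
    report_config_error(msg, sizeof msg, "racoon.conf", 7, line);
    puts(msg);   /* the directives appear verbatim, never interpreted */
    return 0;
}
```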
Basically, the jailbreak takes advantage of certain exploits found in iOS to gain higher levels of system access and "break out" of the Apple-imposed sandboxing, the iPad maker's stringent set of operating rules for apps running on the device. For example, jailbreaking gives apps the power to change certain system settings, such as toggling Wi-Fi or Bluetooth on or off.
Friday's announcement saw such high levels of interest that the Cydia app store became overloaded with a flood of new users.