How does purplera1n Tool Works

Purplera1n is a tool to jailbreak iPhone 3GS and is currently available for Windows, Mac, and Linux. George Hotz, developer of purplera1n, has advised iPhone 3GS users to generate a file that contains the Exclusive Chip ID tag and the new RSA signature for a 3.0GM iPhone 3GS iBSS that includes your ECID which will allow you to boot to an older iBSS whenever Apple releases a new firmware that does not allow downgrading. Refer our previous article on how to Capture iPhone 3GS iBEC and iBSS Signature Certificates. George Hotz has shared the steps on how actually the purplera1n Works.

How purplera1n Works?

1. Purplera1n sends the enter recovery commands using iTunesMobileDevice
2. Once in recovery(iBoot), it sends the IBoot Environment Variable Overflow exploit.
3. The exploit adds a “geohot” command to the phone which runs the payload.
4. The “geohot” command is run, control is now transferred from iboot to the payload.
5. The purplera1n client is done.
6. Inside payload.
7. The payload restores the default environment variable ring buffer and saves the environment to nvram(sets auto-boot to true).
8. It patches iBoot to load unsigned img3s and not care about the tags.
9. It loads the purplera1n picture(sent with payload).
10. The nor patcher starts.
11. llb is decrypted, patched, and increased in size to 0×24200. this is the resident 0×24000 Segment Overflow exploit.
12. A little loader code is put @ 0×20000 in the LLB to load it and fix the stack.
13. iboot is decrypted, patched.
14. Everything else is read as is.
15. Nor is written back, nor patcher is done.
16. Kernel is loaded, decrypted, and patched.
17. Ramdisk is loaded(sent with payload) and moved to ramdisk region at 0×44000000, patched kernel is tacked on to the end.
18. Patched kernel is booted.
19. Control is now transferred from payload to ramdisk.
20. Inside ramdisk.
21. Launchd is run, all stuff happens here
22. /dev/disk0s1 is mounted.
23. fstab and services are overwritten here to allow disk0s1 writes and afc2 respectively.
24. Freeze.app is transferred and Freeze.app loader has SUID bit set.
25. Patched kernel is read from end of ramdisk block device and written to filesystem..
26. Ramdisk is done, rebooting… Reboots as jailbroken phone

Once that you’ve got your jailbreak done, you can then use the ultrasn0w utility from Cydia to unlock your iPhone 3GS. You can also use redsn0w to unlock your iPhone 3G. If you are looking to unlock or jailbreak your iPhone 3G S you are advised not to upgrade to 3.1. If you have updated your iPhone to OS 3.1 beta firmware (intentionally or accidentally) and now wants to downgrade back to iPhone OS 3.0 firmware then you may read our previous article on how to Downgrade iPhone 3GS 3.1 to 3.0 OS Firmware. It is important to note that, only iPhone firmware will be downgraded from 3.1 to 3.0 but not the baseband which ill remain 05.08.01.

Related posts:

1. Download Purplera1n (beta) to Jailbreak iPhone 3G S
2. Download Purplera1n for Mac to Jailbreak iPhone 3GS
3. How to Jailbreak iPhone 3G S using Purplera1n (No IPSW Required)
4. How to use Purplera1n to Jailbreak iPhone 3GS on Mac
5. iPhone OS 3.0.1 will Apply brakes on iPhone 3GS Jailbreak and Unlock
6. ZiPhone V3.0 – iPhone Jailbreak & Unlock Tool
7. Redsn0w Tool Jailbreak and Unlock the iPhone 3GS
8. Download ultrasn0w 0.92 to Fix Carrier Name & Logo in iPhone OS 3.1.2
9. Unlock iPhone 3G/3GS OS 3.1.2 using blacksn0w via Cydia (Mac/Windows)
10. Downgrade iPhone 3GS 3.1 to 3.0 OS Firmware

Tagged as: iPhone