Just having a look at the JavaScript source of the jailbreak method, and the _getSunspiderInterval is one obscure function. It always returns 84 in Firefox, 11 or 12 in Safari and between 15 and 24 on Google Chrome. I assume it is a benchmark function derived from WebKit's SunSpider test to determine the speed of the processor in the device and hence a way to identify the device model. A lower number (milliseconds) means a faster CPU, and it can be used to identify the hardware model as well as the ARM CPU version (6 or 7).
What's also interesting is that he does the following:
Code:
    // Benchmark interval in milliseconds: a higher value means a slower device.
    var ssi = getSunSpiderInterval();
    // The measured value is exposed in the URL fragment.
    window.location = "#" + ssi;
    if (ssi > 1625) {
        model = "iPod1,1";
    } else {
        // On 4.0 firmware the threshold is lower, i.e. 4.0 is assumed to run the benchmark faster.
        if (ssi >= (firmware.indexOf("4.0") != -1 ? 800 : 1000)) {
            model = "iPod2,1";
        } else {
            model = "iPod3,1";
        }
    }
So, the higher the number, the slower the device. But, interpreting this code, the assumption is made that iOS 4.0 actually is a speed improvement over previous versions.
The actual exploit seems to lie in the pdf/image viewer, as after the identification of the device has been performed, a pdf is referenced based on firmware and device model (for example http://www.jailbreakme.com/_/iPhone2,1_4.0.pdf), which is then dynamically instantiated as an Image:
Code:
    // Builds the per-device PDF path (e.g. "/_/iPhone2,1_4.0.pdf"); null if no model was identified.
    function get_page() {
        return model == null ? null : ("/_/" + model + "_" + firmware + ".pdf");
    }
    window.page = get_page();
    ...
    if (window.page != null) {
        // Note: the Image constructor's arguments are (width, height), not a URL.
        _ = new Image(window.page);
    }
Where it is later (in the jailbreak_real function) dynamically inserted as a hidden iframe (z-index -9999):
Code:
    // Creates the iframe that loads the PDF and appends it to the document.
    var a = document.createElement("iframe");
    a.setAttribute("src", page);
    ...
    document.body.appendChild(a);
The rest of the functions seem to handle the look and feel of the page, keep the page scrolled to its topmost position and handle orientation, so you will not be able to scroll down or see the actual iframe which is dynamically inserted.
So, it seems like a pdf/image viewer exploit to me?
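As an added example (this is my own detection code, not part of the jailbreakme.com script discussed in the post), here is a small Node.js scanner that flags, in a page script, the combination of behaviours described above: a `.pdf` URL assembled at runtime from other values, an Image used to preload it, and a script-created iframe pushed away with an extreme negative z-index. Both input scripts are constructed for the example; the `a.style.zIndex = -9999` line is an assumption about how the iframe is hidden, since the post mentions the z-index but the quoted code does not show it.

```javascript
"use strict";

// Constructed sample page script, modelled on the behaviour described in the post
// (PDF path built from device model and firmware, preloaded through an Image,
// then loaded in an off-screen iframe). The zIndex line is an assumption; the
// rest mirrors the quoted snippets.
const SAMPLE_SCRIPT = `
function get_page() {
  return model == null ? null : ("/_/" + model + "_" + firmware + ".pdf");
}
window.page = get_page();
if (window.page != null) {
  _ = new Image(window.page);
}
function jailbreak_real() {
  var a = document.createElement("iframe");
  a.setAttribute("src", page);
  a.style.zIndex = -9999;
  document.body.appendChild(a);
}
`;

// Constructed benign script: an ordinary image preload that must not be flagged.
const BENIGN_SCRIPT = `
var img = new Image();
img.src = "/static/logo.png";
document.getElementById("hero").appendChild(img);
`;

// Line-level indicators. Each rule is a regex applied to a single source line.
const RULES = [
  // A URL ending in .pdf is assembled at runtime by string concatenation.
  { id: "pdf-url-constructed", re: /\+\s*["'][^"']*\.pdf["']/ },
  // An Image object is created by script (used here to preload the document).
  { id: "image-preload", re: /new\s+Image\s*\(/ },
  // An iframe created by script rather than present in the page markup.
  { id: "dynamic-iframe", re: /createElement\s*\(\s*["']iframe["']\s*\)/i },
  // An element pushed behind everything else with an extreme negative z-index
  // (matches both "zIndex = -9999" and "z-index: -9999").
  { id: "offscreen-zindex", re: /z-?index\s*[:=]\s*["']?-\d{3,}/i },
];

// All of these must fire before a script is reported as suspicious; a single
// dynamic iframe or Image on its own is normal web-page behaviour.
const SUSPICIOUS_COMBINATION = ["pdf-url-constructed", "dynamic-iframe", "offscreen-zindex"];

// Scans one script source and returns the matched rules (with 1-based line
// numbers) plus an overall verdict.
function scanScript(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ rule: rule.id, line: index + 1, text: text.trim() });
      }
    }
  });
  const seen = new Set(findings.map((f) => f.rule));
  const suspicious = SUSPICIOUS_COMBINATION.every((id) => seen.has(id));
  return { findings, suspicious };
}

// Rule ids that fired for a script, in order of first appearance.
function firedRules(source) {
  return [...new Set(scanScript(source).findings.map((f) => f.rule))];
}

// Usage: scan both constructed scripts and print the verdicts.
for (const [name, src] of [["sample", SAMPLE_SCRIPT], ["benign", BENIGN_SCRIPT]]) {
  const result = scanScript(src);
  console.log(name, result.suspicious ? "SUSPICIOUS" : "clean", result.findings);
}
```

The rules are deliberately loose string matches, so the verdict relies on the combination rather than any single hit; on real page scripts, feed `scanScript` the contents of each inline or external script and review the flagged lines by hand.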