July 06, 2011, 6:53 PM — Early this morning, hacker comex released the third major version of his browser-based jailbreak tool, JailbreakMe. The tool supports the latest firmware, 4.3.3, and every available iOS device, including the iPad 2 (the first tool to do so, in fact). Users of JailbreakMe simply point their iOS device's Mobile Safari browser at jailbreakme.com and the hack is performed remotely, unlike most other tools, such as PwnageTool and redsn0w, which require a software download on your computer. So how does JailbreakMe 3.0 work?
JailbreakMe was first introduced back in 2007 for iOS 1.1.1. It initially exploited a TIFF rendering vulnerability in Safari, which Apple quickly patched in iOS 1.1.2. Version 2.0 used a similar exploit in Adobe PDF rendering in iOS 3 (one that was even present in iOS 4 when it was first released), but that was again patched by Apple in iOS 4.0.2. Version 3.0 exploits a different vulnerability in the Safari PDF rendering system. Once again, Safari loads a hacked PDF file containing hidden jailbreak code, which is then injected into the root file system of your iDevice, all from a regular ol' unsecured HTTP site.
The iPad 2 was notoriously difficult to jailbreak, since the A5 chip still has no known bootrom exploits to this day. The JailbreakMe hack is unique in that, in order to be browser-based, it must work completely in userland, meaning the jailbreak code must run in user space and cannot be injected directly into the kernel, as other tools that force users to enter DFU mode do. I imagine that makes things a bit more difficult for creator comex in some respects, but it is also what makes the iPad 2 hack possible in the first place.
JailbreakMe is an "untethered" jailbreak, meaning the user does not need to have their device plugged into their computer while rebooting in order to keep the hack. Users may notice a line of colored pixels or other graphical glitches when rebooting. That's because once the JailbreakMe hack is installed, it overloads the device framebuffer (i.e. loads itself into video memory) on startup, injecting jailbreak code early in the startup sequence. That graphical glitch is the jailbreak code itself!