iOS hacker pod2g has posted a very enlightening synopsis of how he pulled off his 5.0.1 untethered exploit. After noting that Apple closed the code-execution paths used by earlier jailbreaks, he details the alternative approach behind the 5.0.1 untethered exploit (Corona) and the jailbreaks built on it.
Apple has fixed all previous known ways of executing unsigned binaries in iOS 5.0. Corona does it another way.
Thus, for Corona, I searched for a way to start unsigned code at boot without using the Mach-O loader. That’s why I looked for vulnerabilities in existing Apple binaries that I could call using standard launchd plist mechanisms.
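To make the "standard launchd plist mechanisms" concrete: on iOS, launchd reads property lists from /System/Library/LaunchDaemons at boot and runs whatever ProgramArguments each one names, as root, with no signature check on the plist itself. The plist below is an added illustration of that mechanism, not pod2g's actual Corona plist; the label and binary path are placeholders, and it deliberately names no specific vulnerable Apple binary, since the post does not identify one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Placeholder label; any unique reverse-DNS string works. -->
    <key>Label</key>
    <string>com.example.boot-launch</string>

    <!-- argv[0] must be an already-signed Apple binary that launchd is
         allowed to exec; argv[1..] is attacker-controlled input to it.
         The path and argument here are placeholders, not a real target. -->
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/placeholder_apple_binary</string>
        <string>/var/mobile/placeholder_input_file</string>
    </array>

    <!-- Run once at boot; leave KeepAlive off so a crash does not loop. -->
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
</dict>
</plist>
```

The point of the technique is that launchd only enforces code signing on the Mach-O it execs, not on the plist or on the file the binary is told to open, so a memory-safety bug in the signed binary's handling of that input is enough to get the first unsigned code running at boot.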
For those of you interested in the low-level workings of the latest untethered jailbreak to hit iOS 5 devices, we highly recommend you check out pod2g’s analysis on his blog.