We are slowly progressing through all possibilities on the Incredible root process. It's just pretty decently well done, with no simple mistakes we could take advantage of like on the EVO. A kernel exploit may prove to be the only way here, and we do have progress toward that end, but we would like to find another way in. While I'd rather not point directly to what we are pursuing, I will point out what we know won't work:
1) Previous exploits of course are long since patched. This is to be expected.
2) installd is pretty darn nicely done. I've spent a good while digging through it and I can tell ya it checks for directory traversals and uid/gid escalations, and drops privs before any shell work. In short, I don't think we're getting anywhere with this.
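For readers wondering what the three installd properties named above look like in code, here is an added illustration written for this post; it is not installd's source and not the author's code. It shows the defensive pattern a privileged installer daemon follows: reject any package-relative path containing traversal components, accept only uids in the application range, and drop group and user privileges (then verify the drop is irreversible) before doing any further work. The `AID_APP`/`AID_APP_END` bounds, the `/data/data` base directory and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Assumed application uid range for this example (Android's AID_APP is 10000). */
#define AID_APP     10000
#define AID_APP_END 19999

/* Reject absolute paths and any "", "." or ".." component, then join base and rel.
 * Returns 0 and fills out on success, -1 on rejection or truncation. */
static int safe_app_path(const char *base, const char *rel, char *out, size_t outlen) {
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/')
        return -1;                              /* absolute or empty: never allowed */

    const char *p = rel;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (len == 0)                           /* "//" */
            return -1;
        if (len == 1 && p[0] == '.')            /* "." */
            return -1;
        if (len == 2 && p[0] == '.' && p[1] == '.') /* ".." is the traversal case */
            return -1;
        p += len;
        if (*p == '/') {
            p++;
            if (*p == '\0')                     /* trailing slash */
                return -1;
        }
    }

    int n = snprintf(out, outlen, "%s/%s", base, rel);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                              /* truncated: refuse rather than guess */
    return 0;
}

/* Only ordinary application uids may be assigned to an installed package;
 * root (0), system (1000) and other daemon uids are refused. Returns 1 if ok. */
static int app_uid_ok(uid_t uid) {
    return uid >= AID_APP && uid <= AID_APP_END;
}

/* Drop to the target uid/gid in the right order (groups, gid, then uid) and
 * confirm the process cannot regain root afterwards. Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                              /* clear supplementary groups first */
    if (setgid(gid) != 0)                       /* gid before uid: afterwards we could not */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)             /* drop must be permanent */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(void) {
    char path[256];
    const char *samples[] = { "com.example.app/lib", "../system", "a/../../b", "/system" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = safe_app_path("/data/data", samples[i], path, sizeof path);
        printf("%-22s -> %s\n", samples[i], ok == 0 ? path : "REJECTED");
    }
    printf("uid 10001 ok=%d, uid 0 ok=%d\n", app_uid_ok(10001), app_uid_ok(0));
    /* Demonstrate the drop against our own ids so the example runs unprivileged. */
    printf("drop_privileges -> %d\n", drop_privileges(getuid(), getgid()));
    return 0;
}
```

The order in `drop_privileges` matters: supplementary groups and the gid must be changed while the process still has the privilege to do so, and the `setuid(0)` re-check catches the case where only the effective uid was changed and root remains recoverable.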
More to come…