iOS 5.x iBoot HFS+ Heap Buffer Overflow

This is a detailed writeup of the exploitation of a heap buffer overflow in the HFS+ driver of iBoot-1219.62.15~2 and earlier. The bug is triggered by setting catalog.extents[1].blockcount in the HFS+ volume header to a large value. According to Joshua Hill, this vulnerability is one of many similar ones that may exist in those iBoot versions.

Warning: some parts of this writeup involve low-level components that hold data critical to the device working properly. A single mistake can permanently brick the device, making it completely useless. Do not try this on a firmware version in which the bug is fixed: it will not work and will result in a bootloop.

No warranties are given; follow this guide at your own risk. You are on your own.
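To make the trigger concrete, here is an added example (not code from this writeup, from iBoot, or from any of the people credited below) that parses the catalog fork of an HFS+ volume header and shows why an unchecked catalog.extents[1].blockcount is dangerous. It assumes only the public on-disk layout of HFSPlusVolumeHeader and HFSPlusForkData (big-endian, header at byte 1024 of the volume, catalog fork at offset 272, extent descriptors of {startBlock, blockCount}). The sample header is constructed inline; the "naive" size computation illustrates the bug class in general and is not a claim about the exact arithmetic in iBoot's driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HFS+ on-disk structures are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Byte offsets inside the 512-byte HFSPlusVolumeHeader / HFSPlusForkData. */
#define VH_SIZE          512
#define VH_BLOCKSIZE     40
#define VH_TOTALBLOCKS   44
#define VH_CATALOGFILE   272   /* HFSPlusForkData catalogFile */
#define FORK_TOTALBLOCKS 12
#define FORK_EXTENTS     16    /* HFSPlusExtentRecord: 8 x {startBlock, blockCount} */
#define EXTENT_SIZE      8
#define NUM_EXTENTS      8

typedef struct { uint32_t start_block, block_count; } extent_t;
typedef struct {
    uint32_t block_size;            /* volume allocation block size */
    uint32_t total_blocks;          /* allocation blocks on the volume */
    uint32_t catalog_total_blocks;  /* blocks the catalog fork claims */
    extent_t catalog[NUM_EXTENTS];
} vh_t;

static int parse_vh(const uint8_t *buf, vh_t *vh) {
    if (buf[0] != 'H' || buf[1] != '+') return -1;   /* signature "H+" */
    vh->block_size   = be32(buf + VH_BLOCKSIZE);
    vh->total_blocks = be32(buf + VH_TOTALBLOCKS);
    const uint8_t *cat = buf + VH_CATALOGFILE;
    vh->catalog_total_blocks = be32(cat + FORK_TOTALBLOCKS);
    for (int i = 0; i < NUM_EXTENTS; i++) {
        const uint8_t *e = cat + FORK_EXTENTS + i * EXTENT_SIZE;
        vh->catalog[i].start_block = be32(e);
        vh->catalog[i].block_count = be32(e + 4);
    }
    return 0;
}

/* Unchecked byte count for one extent: blockCount * blockSize in 32 bits.
   With a huge blockCount the product wraps, and a read sized (or bounded)
   this way spills past whatever heap buffer holds the catalog. Illustrative
   of the bug class only; it is not iBoot's code. */
static uint32_t naive_extent_bytes(const vh_t *vh, int i) {
    return vh->catalog[i].block_count * vh->block_size;
}

/* Hardened check: every extent must lie inside the volume (64-bit end
   arithmetic, no wrap), the extents must not describe more blocks than the
   fork claims, and the resulting byte size must fit the destination buffer.
   Returns 0 if the fork is safe to read into buf_bytes, -1 otherwise. */
static int validate_catalog_fork(const vh_t *vh, size_t buf_bytes) {
    uint64_t sum = 0;
    if (vh->block_size < 512 || (vh->block_size & (vh->block_size - 1))) return -1;
    for (int i = 0; i < NUM_EXTENTS; i++) {
        const extent_t *e = &vh->catalog[i];
        if (e->block_count == 0) continue;
        uint64_t end = (uint64_t)e->start_block + e->block_count;
        if (end > vh->total_blocks) return -1;
        sum += e->block_count;
    }
    if (sum > vh->catalog_total_blocks) return -1;
    if (sum * vh->block_size > buf_bytes) return -1;   /* < 2^63, cannot wrap */
    return 0;
}

/* Constructed sample: header of a 4096-block volume (4 KiB blocks) whose
   catalog fork claims 16 blocks in two extents; extents[1].blockCount is
   the attacker-controlled field from the writeup. */
static void build_sample_vh(uint8_t *buf, uint32_t extent1_count) {
    memset(buf, 0, VH_SIZE);
    buf[0] = 'H'; buf[1] = '+';
    put_be16(buf + 2, 4);                      /* version 4 = HFS+ */
    put_be32(buf + VH_BLOCKSIZE, 4096);
    put_be32(buf + VH_TOTALBLOCKS, 4096);
    uint8_t *cat = buf + VH_CATALOGFILE;
    put_be32(cat + 4, 16u * 4096u);            /* low half of logicalSize */
    put_be32(cat + FORK_TOTALBLOCKS, 16);
    put_be32(cat + FORK_EXTENTS + 0, 100); put_be32(cat + FORK_EXTENTS + 4, 8);
    put_be32(cat + FORK_EXTENTS + 8, 200); put_be32(cat + FORK_EXTENTS + 12, extent1_count);
}

/* Builds, parses and validates a header; reports the wrapped naive size of
   extents[1] through naive_out. Returns validate_catalog_fork's verdict. */
int check_header(uint32_t extent1_count, size_t buf_bytes, uint32_t *naive_out) {
    uint8_t buf[VH_SIZE];
    vh_t vh;
    build_sample_vh(buf, extent1_count);
    if (parse_vh(buf, &vh) != 0) return -1;
    *naive_out = naive_extent_bytes(&vh, 1);
    return validate_catalog_fork(&vh, buf_bytes);
}

int main(void) {
    uint32_t n;
    int sane = check_header(8, 16 * 4096, &n);
    printf("sane header:      naive bytes=%u verdict=%d\n", n, sane);
    int bad = check_header(0xFFFFFFFFu, 16 * 4096, &n);
    printf("huge blockCount:  naive bytes=%u (wrapped) verdict=%d\n", n, bad);
    return 0;
}
```

The sane header passes and its naive size is the expected 8 blocks of 4 KiB. With blockCount set to 0xFFFFFFFF the 32-bit product wraps to 0xFFFFF000, so any length derived from it is meaningless, while the hardened path rejects the extent as soon as startBlock + blockCount leaves the volume.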

List of contents

Introduction

Part 1: Download iOS firmwares

Part 2: Prepare workspace

Part 3: Downgrade back to a vulnerable firmware

Part 4: Prepare on-device workspace

Part 5: Partition LwVM table

Part 6: Set HFSReadBlock( ) wrapper

Part 7: Trigger the heap buffer overflow

Part 8: Dump and overwrite TLB

Part 9: Overwrite current running iBoot

Part 10: Prepare and run shellcode

Part 11: The new iBoot

Credits/Thanks to

@p0sixninja for the discovery of this vulnerability and his BlackHat training class presentation material he released for us.

@nyan_satan for much precious and helpful advice. Honestly, I would not have gotten this far without him, and this writeup would not exist.

@JonathanSeals for advice and for his own implementation of this exploit, which served as a reference. See his Ancient-iBoot-Fun GitHub repository for more details.