The reason for making this post was I came to the realization how little documentation there is on iOS dualbooting as a whole. Yes I know there's a guide (nyansatan.github.io/dualboot) but in the guide it's not really explained how everything works. So I decided to create an explanation of how the iOS dualboot process works! I would also like to mention that this applies to 32bit devices as there is no public way to dualboot 64bit devices yet!
Before even getting into this let's just assume you have a little bit of low level iOS knowledge and have a general idea of the iOS bootchain components. Components of the bootchain include the iBSS (iBoot Single Stage) which is a cut down version of iBoot missing things like support for interacting with filesystems on the NAND, it can be uploaded via DFU and additionally can be executed from an already existing instance of iOS using utilities such as kloader. There's also the iBEC (iBoot Epoch Change) which is a cut down version of iBoot which is the thing we're interested with the dualboot method, it can be uploaded through recovery or DFU mode and can also be uploaded using tools such as kloader from an already existing instance of iOS.
Components we use for dualbooting include the iBSS (it is used for initializing the display function before giving control to iBEC), the iBEC (it is used to boot strap the kernelcache and boot the second OS), the kernelcache (it is the kernel that the iBEC is bootstrapping), the devicetree (contains information about the device and is used for representing the hardware inside the device), the ramdisk (I think it's used as a base FS before transfering control to the second partition, sorta like initrdfs on Linux but I may be wrong).
So how can we use all this for dualbooting? Well it's quite simple! You might think this is all complicated stuff but it really isn't! We use the same method used by Apple to bootstrap an OTA update and update the OS on the device without a computer. In 2014 @winocm released ios-kexec-utils, there are various tools included but the one that is relevent to this explanation is called kloader (kernel image loader). It is used to load an image into memory and bootstrap it, must be executed from userland and have task_for_pid(0) or another way of getting kernel task port such as host_get_special_port(4) enabled which most jailbreaks have, essentially it destroys the current running instance of iOS and boots the second OS. It is used for things such as downgrading iOS with SHSH blobs as well as dualbooting!
Now that we know what tools we use for dualbooting iOS, let's see how the process works! We start by patching the iBSS to point to the iBEC in memory using multi_kloader, then we patch the iBEC to bootstrap the kernel from the second partition using OTA routines. We change the value in iBEC from fsboot to upgrade which tells it to initialize an OTA upgrade which we are abusing and using to our own advantage! We aren't OTA upgrading anything we are instead booting a second filesystem located on a second partition! There is an additional iBEC patch to do which prevents the device from setting auto-boot to false by simply replacing the bytes of false with true. This can be done using a disassembler such as IDA! We also patch out signature checks from the bootloaders so it does not check for a valid signature. Additionally we need to patch in our boot-args so iBEC knows which filesystem to load from and knows not to use amfi and other security measures. On iOS 8 the patching process is a bit different but the general concept is still relatively the same. On iPads you don't need an iBSS since iBEC is enough to initialize the display.
Tethered dualboots work a bit differently than untethered dualboots. Tethered dualboots instead use components sent over from a computer. iBSS and iBEC are patched with their signature checks removed, but they aren't patched to load off a filesystem. Instead we manually transfer our kernelcache and devicetree to the device using a tool called irecovery or redsn0w.
This should give a general idea about how dualbooting iOS works, if I'm wrong about anything please contact me on twitter! Hope this teaches you something.
My twitter NoriTech(@devfusediboot)
Jonathan Seals (@JonathanSeals), winocm (@winocm), NyanSatan (@nyan_satan), iH8sn0w (@iH8sn0w), danzatt (@danzatt)