Having Fun doing Mobile Forensics

Jailbreaking an iOS 15.4 Device with Palera1n

Warning: When using Palera1n, if the jailbroken device powers off or its battery dies, the device will no longer be jailbroken and the user will have to jailbreak it again.

When working on our Capstone Project, “Apple AirTag Forensics: The Phantom Menace,” we had to jailbreak the phone we were using so that we could gain access to the root of the device and recover better information when we imaged it.

At first, this seemed like a daunting task; many of the methods we tried failed for one simple reason: our iPhone was running iOS 15.4. This is a problem because, starting with iOS 15, Apple cracked down harder on jailbreaking and improved the security of its devices, sealing the root filesystem so that gaining access to it became much harder. Recently, however, there have been breakthroughs in rooting iOS devices on versions newer than iOS 15, although those come with restrictions as well.

Through our research, the team found a relatively new jailbreaking method called Palera1n [1] that could gain access to the root of our device, provided the jailbreak's requirements were met and followed closely. For Palera1n to work, the device had to be a vulnerable iOS 15.x or 16.x device, meaning its processor had to be an A8 through an A11 chip.

The next requirement is that, if you are using the semi-tethered jailbreak, the device needs enough free space (5-10 GB) to create the fake filesystem (fakefs) that lets the device run rooted without being hooked up to a computer.

Lastly, the passcode has to be disabled for the phone to enter a jailbroken state, with the caveat that on iOS 16 or later a passcode must never have been set on the device, which often forces the user to reset it.
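As an added example (not code from the original post or from the palera1n project), the following Python script turns the requirements above into a pre-flight check that a forensic team can run against a device record before attempting the jailbreak. The record layout (a dict with the keys used below) and the sample values are assumptions constructed for the illustration; the post does not state the capstone phone's chip or free space.

```python
"""Pre-flight check for the Palera1n device requirements listed in the post.

Added example for this write-up, not code from the original post or from the
palera1n project. The device record layout (a dict with the keys used below)
is an assumption made for this illustration.
"""
import re

# Requirements as stated in the post: a vulnerable A8 through A11 chip,
# iOS 15.x or 16.x, 5-10 GB free for the fakefs (semi-tethered only),
# passcode disabled, and on iOS 16+ no passcode ever set on the device.
SUPPORTED_MAJORS = (15, 16)
VULNERABLE_CHIPS = range(8, 12)   # A8, A9, A10, A11
FAKEFS_MIN_FREE_GB = 5            # low end of the 5-10 GB the post gives


def parse_ios_version(version: str) -> tuple:
    """Turn '15.4' or '16.3.1' into a tuple of ints, e.g. (15, 4)."""
    cleaned = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised iOS version string: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))


def parse_chip_generation(chip: str) -> int:
    """Turn 'A10', 'A11 Bionic' or 'a9' into the generation number."""
    match = re.match(r"\s*A(\d+)", chip, re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised chip name: {chip!r}")
    return int(match.group(1))


def unmet_requirements(device: dict) -> list:
    """Return the Palera1n requirements the device does not meet.

    An empty list means the device looks eligible. The semi_tethered flag
    defaults to True because that is the mode the post describes.
    """
    problems = []
    major = parse_ios_version(device["ios_version"])[0]
    if major not in SUPPORTED_MAJORS:
        problems.append(f"iOS {device['ios_version']} is not a 15.x or 16.x release")

    generation = parse_chip_generation(device["chip"])
    if generation not in VULNERABLE_CHIPS:
        problems.append(f"A{generation} is outside the A8-A11 range")

    if device.get("semi_tethered", True) and device["free_space_gb"] < FAKEFS_MIN_FREE_GB:
        problems.append(
            f"only {device['free_space_gb']} GB free; fakefs needs at least "
            f"{FAKEFS_MIN_FREE_GB} GB"
        )

    if device["passcode_set"]:
        problems.append("passcode is currently set; disable it first")
    # The iOS 16+ rule is stricter: having ever used a passcode is enough to
    # fail, and the post says this usually means resetting the device.
    if major >= 16 and device.get("passcode_ever_used", False):
        problems.append("iOS 16+ device has had a passcode before; a reset is required")

    return problems


# Constructed sample records (placeholder values, not the capstone phone's data).
CAPSTONE_LIKE_PHONE = {
    "ios_version": "15.4", "chip": "A10 Fusion", "free_space_gb": 12.0,
    "passcode_set": False, "passcode_ever_used": True, "semi_tethered": True,
}
IOS16_WITH_OLD_PASSCODE = {
    "ios_version": "16.1", "chip": "A11 Bionic", "free_space_gb": 20.0,
    "passcode_set": False, "passcode_ever_used": True,
}
TOO_NEW_CHIP = {
    "ios_version": "15.4", "chip": "A12 Bionic", "free_space_gb": 3.0,
    "passcode_set": True, "passcode_ever_used": True,
}

if __name__ == "__main__":
    for name, rec in [("capstone-like", CAPSTONE_LIKE_PHONE),
                      ("ios16-old-passcode", IOS16_WITH_OLD_PASSCODE),
                      ("too-new-chip", TOO_NEW_CHIP)]:
        issues = unmet_requirements(rec)
        print(f"{name}: {'eligible' if not issues else '; '.join(issues)}")
```

Running the script prints one line per sample record; the iOS 15.4 record passes even though a passcode was once used, because the "never had a passcode" rule only applies from iOS 16 onward.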

As long as all of these strict requirements are met, you will be able to gain root access to the system and complete your jailbreak. It took our team a few attempts, but with a lot of work and effort we successfully jailbroke the device we were using, which allowed us to access applications that would not otherwise be available and to image the device more thoroughly, providing valuable information for our project going forward.

In this section, we will go through the process we followed when jailbreaking our device, with some images to help explain what is taking place. In the version of Palera1n that was available when we did our jailbreak, the first step was to clone the Git repository containing all of the information and tools needed for the jailbreak onto the Mac we were working with. Once the clone was complete, we changed into the directory containing the Palera1n files and started the jailbreaking process using the command shown in Figure 1 below. Note: Make sure to follow the current directions on the Palera1n GitHub page so that you are using the most up-to-date method for the jailbreak.

Figure 1: When you start the script provided with the GitHub repository, you get a screen similar to the following. 

Once you have started the process, the script will run until it is ready to enter DFU (Device Firmware Upgrade) mode for the first time. The script will prompt the user to press any key and then instruct you on how to get the device into DFU mode. In Figure 2 below, you can see a failed attempt to enter DFU mode. Don’t worry though, the script will jump back to the start and attempt to enter DFU mode again if you mess up any of the steps. In Figure 3 below, you can see what a successful attempt to enter DFU mode looks like on the device.

Figure 2: Shows a failed attempt to put the device into DFU mode during the jailbreak.

Figure 3: Shows the device entering DFU mode successfully.

Once the device enters DFU mode, the long process of jailbreaking can begin. There will be a lot going on on your screen at this point, as the various tools upload components to the device and prepare the phone for the jailbreak and the fake filesystem. Figure 4 below shows some of the progress bars that appear during the jailbreak, one for each of the tools the process needs. Figure 4 also shows the longest part of the process: creating the fakefs on the device, which is what allows a complete jailbreak and takes around 10 minutes.

Figure 4: Part of the process that Palera1n has to go through to jailbreak the device.

Once the fakefs is installed, the device reboots into recovery mode again and the script prompts the user to put it into DFU mode one last time for the final checks and completion of the jailbreak, loading the Palera1n app onto the device, which is needed for the final installation of several applications. Figure 5 below shows the Palera1n app waiting for the user to tap Install and complete the installation. Figure 6 shows the end of that process, with a button to perform a soft reboot (respring) of the device, and Figure 7 shows the applications that Palera1n adds to the device by default, including Sileo and Substitute.

Figure 5: Shows the Palera1n app. When you hit Install, it will download three apps and

Figure 6: Shows that the Palera1n app has finished its installation; you should now see the apps.

Figure 7: Shows the three apps that come with Palera1n.

SUMMARY

Jailbreaking devices on later iOS versions can be very difficult, as many jailbreaking applications cannot crack recent iOS versions. However, our team found that Palera1n was able to do this with a fairly straightforward process that does not require many outside tools or carry the risk of bricking your device. The only downside of using Palera1n is that it forces the user to ensure the device does not get powered off or die; if that happens, the jailbreak will no longer be active on the iOS device and you will need to repeat the jailbreaking process to restore full access.

Special thanks to Leahy Center and Champlain College for the resources that they have provided for the project and for securing the tools that we needed to complete what we have done so far with our Project.

References

[1] Nebula. (n.d.). palera1n/palera1n: iOS 15.0-16.3 (semi-)tethered checkm8 jailbreak. GitHub. Retrieved from https://github.com/palera1n/palera1n


Written by:

Michael Bedard ‘23  // Computer and Digital Forensics

Keegan Thomas ‘23  // Computer and Digital Forensics
