Decide which iPhones we want to buy and set them up

[zner0L]

We need iPhones that can be jailbroken and support the SSL Kill Switch 2, Frida and Activator. The option that has been tested already is using an iPhone with iOS 14 (prefereably > 14.3 because of the tracking updates). These phones are hard to get, however, since iOS 14 is pretty outdated.

There is a new jailbreak, https://github.com/palera1n/palera1n, that seems to work for higher iOS versions. I bought a crappy iPhone 6S to test if it would work.

[baltpeter]

prefereably > 14.3 because of the tracking updates

It's 14.5, actually.

[zner0L]

Ok, so I had success jailbreaking an iPhone 6S with iOS 15.4.7 using https://github.com/palera1n/palera1n as I suggested. I was pretty straightforward, I basically followed this tutorial: https://ios.cfw.guide/installing-palera1n/#installing-the-jailbreak (I case, like me, you don't know what DFU mode means, look here: https://www.theiphonewiki.com/wiki/DFU_Mode)

Cydia is broken on iOS 15+, so you need to use the (much nicer actually) Sileo that come with palera1n. To get it, after first starting the newly jailbroken phone, open the palera1n app and press "install".

Install OpenSSH and SQLite 3.x, those are easy. Some other requirements are not available, because they are not officially supported (and likely broken). But wee need some of these anyway, so add the repo to Sileo:

1. go to the "Sources" tab
2. click on the plus and enter "https://apt.thebigboss.org/repofiles/cydia/"
3. Click "Add Source"

Now all apps are available in Sileo.

[zner0L]

Activator seems to be broken, according to this list and also my tests. Some apps break seemingly only becasue of code signing, which is easily fixed by using ldid -s like for Fliza:

ldid -s /Applications/Filza.app
ldid -s /usr/libexec/filza/Filza*

However, after signing /Applications/Activator.app, /usr/bin/activator and /usr/lib/libactivator.dylib, the code signing errors stop and the logs (at /var/mobile/Library/Logs/CrashReporter/Activator-*) show:

  "exception" : {"port":16387,"signal":"SIGKILL","guardId":0,"codes":"0x0000000000004003, 0x0000000000000000","violations":["INVALID_RIGHT"],"message":" 
INVALID_RIGHT on mach port 16387 (guarded with 0x0000000000000000)","subtype":"GUARD_TYPE_MACH_PORT","type":"EXC_GUARD","rawCodes":[16387,0]},
  "termination" : {"namespace":"GUARD","flags":2,"code":2305844108725338115}

[zner0L]

Open works, if you sign it using ldid -s /usr/bin/open SSL Kill Switch 2 seems to install fine, I didn't come around to test it, yet. The same goes for frida. Any ideas on how to test them?

[baltpeter]

Any ideas on how to test them?

For SSL Kill Switch 2: I may be misremembering but I think that should have an item in the settings app. Otherwise, if you haven't installed the mitmproxy CA yet, start mitmproxy on your PC, set the proxy on the iPhone and check whether you can decrypt HTTPS traffic.

For Frida: Check whether frida-ps -U | grep frida shows something (it does on Android at least, I'm assuming it's also the case on iOS). Otherwise, frida -U -F.

[zner0L]

I stumbled upon this stackoverflow question about simulating home button presses that might be helpful when replacing Activator.

[baltpeter]

We now have two iPhone X 64 GB. One is on iOS 15.6.1, the other is on iOS 16.0.

[baltpeter]

I can confirm that factory-resetting an iPhone is not a problem if you want to keep the iOS version currently installed. It does not force you to update when activating. I have tested that on iOS 16.0 and 15.6.1 on iPhone X. @zner0L said it was the same on an iPhone 6 running iOS 12.something.

Here's what it says on iOS 16.0 during the activation process:

The message is very similar but slightly different on iOS 15:

In neither case was I even prompted to update during the activation/setup process, even though there were updates available for both devices.

After setup, automatic updates can be disabled through Settings -> General -> Software Update -> Automatic Updates -> Off.

[baltpeter]

I have finally managed to jailbreak the first iPhone (iOS 15). A few notes:

• Despite what the linked guide says, the device doesn't have to be in DFU mode already. Just start the palera1n script with the phone booted in normal mode. It will automatically boot into recovery mode and prompt you to press the buttons for DFU mode. That is much easier to do than manually DFUing.
• The guide warns against running this on an AMD processor. This seems to be true. I was not able to get it working on my Ryzen computer and had to switch to an Intel one.

[baltpeter]

I have now also managed to jailbreak the iOS 16 iPhone.

These are the full steps (adapted from https://ios.cfw.guide/installing-palera1n/#installing-the-jailbreak), tested on a mostly bare Ubuntu 22.04 on a computer with an Intel CPU:

• apt install curl
• In one terminal: sudo systemctl stop usbmuxd && sudo usbmuxd -f -p
• In another terminal: git clone --recursive https://github.com/palera1n/palera1n && cd palera1n (or cd palera1n next time)
• Connect the device via USB. It can be booted into the OS regularly. Make sure to trust the computer if you haven't already.
• Run: sudo ./palera1n.sh --tweaks <iOS version> --semi-tethered
• Follow the instructions on how to get into DFU mode (it will first boot into recovery mode automatically): Press and hold the side and volume down button for a few seconds, then let go of the side button but keep holding the volume down button for a few more seconds.
• Wait (potentially a long time, especially at the "waiting for connection" message—this is expected). If the command fails with "An error occurred." (it did for me in both cases), just re-run it.
• After the first step is done, the device will automatically reboot into normal mode. That shouldn't take long. If it does, you need to force a reboot (see https://help.ifixit.com/article/108-dfu-restore under "Exiting DFU Mode"). On an iPhone X: Quick-press the volume up followed by the volume down button, then press and hold the side button until the Apple logo appears.
• After the device has rebooted, it will automatically be put into recovery mode. Follow the instructions to put it into DFU mode again.
• It's no problem if the process fails shortly after this (it did for me in both cases). You can just re-run the command; it won't go through the whole process again.
• The second step is a lot quicker. You'll soon see terminal text scrolling on the phone and then it will boot regularly.
• Unlock the device and wait around 30 seconds. It will automatically respring (you'll see a spinner on a black screen).
• You should see a palera1n app on the homescreen. Open that and click Install. Decide whether you want to send logs. Click Respring.
• And with that, the device is jailbroken. You can now disconnect the USB cable.

Re-jailbreaking after a phone reboot is significantly quicker. Essentially, you just run sudo ./palera1n.sh --tweaks <iOS version> --semi-tethered, go into DFU mode, and after maybe a minute, the process is done. You just have to wait for the device to automatically respring after a few seconds.

[baltpeter]

I changed the following settings on the iPhones:

• Settings
  • General
    • Background App Refresh: off (to hopefully minimize background network traffic)
    • Software Update
      • Automatic Updates: off
  • Display & Brightness
    • Auto-Lock: never
  • Privacy & Security
    • Location Services: on
    • Analytics & Improvements
      • Share iPhone Analytics: off
    • Apple Advertising
      • Personalised Ads: on (default)
  • App Store
    • Automatic Downloads
      • Apps: off
      • App Updates: off

[baltpeter]

On the iOS 16 phone (though probably not related to the version shrug), after installing the openssh meta package, no SSH server was running on the device and I wasn't able to connect. I was able to fix that by manually uninstalling all openssh* packages and then reinstalling.

[baltpeter]

Regarding replacing Activator. We use that for two functions:

• Opening apps. We can also do that through Frida, see https://github.com/tweaselORG/appstraction/issues/11.
• Pressing the home button. I've opened https://github.com/tweaselORG/appstraction/issues/12 to find a replacement.

[baltpeter]

Despite many tries, I didn't manage to jailbreak the iOS 15 iPhone with the new palera1n-c after factory-resetting it.

The phone always reboots into normal mode shortly after entering DFU and palera1n fails with <Error>: Timed out waiting for download mode (error code: -status_exploit_timeout_error).

I am using a laptop with an Intel CPU and a USB A lightning cable. I don't have a passcode and Face ID is disabled. Things I've tried unsuccessfully:

• Rebooting the laptop.
• Rebooting the phone.
• Not doing the usbmuxd dance after a reboot.
• Manually going into recovery mode first (as recommended in https://discord.com/channels/1028398973452570725/1028693596469207191/1074454510669410416).
• Manually going into DFU mode first.
• Using a different USB port.
• Using a different USB cable.

[baltpeter]

Another hour I am no closer.

Even though I factory-reset the device, I tried the steps to remove palera1n legacy. Running this for the first time fails with "An error occurred" (just like when initially jailbreaking). Rerunning the command afterwards does stuff for a while and then gets stuck trying to connect via SSH while an icon of a hard disk with a colorful symbol atop is on screen. I waited for at least 15 minutes with no change. Dis- and reconnecting the cable and restarting the command doesn't change anything. I was able to get out of this mode using the steps for getting out of DFU mode. I have no idea whether doing this had any effect in the end.

Afterwards, palera1n-c still doesn't work.

[baltpeter]

Running palera1n legacy at least stays in DFU mode and does stuff for a while. But then it also gets stuck at that hard disk symbol.

I'm giving up. Guess I only have one jailbroken device now…

[zner0L]

I'd recommend completely resetting the device, not just factory-resetting it, e.g. via the restore function on a computer or macbook. That help me get out of situations like this before.

[zner0L]

Also for the future: You should always remove the jailbreak first before resetting the device. I don’t know why, but it creates less problems.

[baltpeter]

iTunes insisted on upgrading to iOS 16.5 when using the "Restore" button, which I obviously don't want. I tried 3u Tools but I think that just did the regular factory reset. The problem still persists after that.

[baltpeter]

I'll try this: https://www.imyfone.com/unlock-iphone/how-to-restore-iphone-without-updating-in-recovery-mode/

[baltpeter]

That method didn't work either. It said I needed to update iTunes but the iTunes updater/installer always failed, saying it was missing a .msi file (happen both when updating through Apple Software Update and 3u, and even after uninstalling and trying to reinstall).

But besides, it said "To upgrade to 16.5, you need the latest iTunes" (something along those lines), so I'm pretty sure that would have updated anyway.

[baltpeter]

Well, I just tried palera1n-c on my old MacBook, and there it worked first try. shrug (I followed the steps in https://web.archive.org/web/20230606113213/https://ios.cfw.guide/installing-palera1n/ exactly.)

[zner0L]

We want to switch to palera1n-c, so here is how to jailbreak the devices (based on this guide):

1. Remember to remove the old jailbreak, if you installed one. If you used legacy palera1n, use ./palera1n.sh --restorerootfs <iOS version you're on> --tweaks (see https://ios.cfw.guide/removing-palera1n-legacy/ for more details). Otherwise you should use palera1n -f --force-revert if you installed in rootful mode and palera1n --force-revert in rootless mode (you’ll need a version > 2.0.0 beta 7 for that as the was a bug: https://github.com/palera1n/palera1n/releases/tag/v2.0.0-beta.7).
2. We need rootful mode, so on first startup you’ll need to use palera1n -fc to create the fakefs. This might take a bit to install.
3. After that, you can always start into rootful mode using palera1n -f.

I tested it on my Macbook Pro, running macOS Monterey. On Linux, some additional steps might be required.

[baltpeter]

Tested this again on a different Intel laptop with Ubuntu. Same problem. I really don't want to recommend people get a Mac for jailbreaking, but this isn't looking good. And I'm not too fond of wasting more time installing Linux on random laptops I have laying around to test this (the ones I tested have very similar CPUs, so maybe the issue is more specific?).

[zner0L]

I’ll test this at home on my Laptop. That has an Intel i5 type processor and runs Fedora.

[baltpeter]

As expected, it doesn't work on my Ryzen PC either. Keeps spamming:

 - [06/06/23 17:22:51] <Verbose>: UaF race: heuristic strategy failed, setup packet was not accepted

[baltpeter]

On the MacBook, it once again worked flawlessly.

[zner0L]

I tested it now on my Laptop running Fedora 37 (I know, I should update) on an Intel i5. It also fails. Steps I did:

1. Disable usbmuxd systemd daemon: sudo systemctl stop usbmuxd
2. Start usbmuxd manually: sudo usbmuxd -f -p

3. In a new terminal, start palera1n:

   
   [zner0l@fedora ~]$ sudo palera1n -fc
   # == palera1n-c == 
   #
   # Made by: Nick Chan, Ploosh, Samara, Nebula, staturnz, kok3shidoll 
   #
   # Thanks to: pythonplayer123, llsc12, Mineek, tihmstar, nikias
   # (libimobiledevice), checkra1n team (Siguza, axi0mx, littlelailo
   # et al.), Procursus Team (Hayden Seay, Cameron Katri, Keto et.al)
   
   - [06/07/23 12:03:29] <Info>: Waiting for devices
   - [06/07/23 12:03:57] <Info>: Press Enter when ready for DFU mode

Get ready (0) Hold home + power button (0) Hold home button (4)

• [06/07/23 12:04:12] : Device entered DFU mode successfully

• [06/07/23 12:04:12] : About to execute checkra1n #

  Checkra1n 0.1337.1

  #

  Proudly written in nano

  (c) 2019-2023 Kim Jong Cracks

  #

  ======== Made by =======

  argp, axi0mx, danyl931, jaywalker, kirb, littlelailo, nitoTV

  never_released, nullpixel, pimskeks, qwertyoruiop, sbingner, siguza

  ======== Thanks to =======

  haifisch, jndok, jonseals, xerub, lilstevie, psychotea, sferrini

  Cellebrite (ih8sn0w, cjori, ronyrus et al.)

  ==========================

• [06/07/23 12:04:13] : Waiting for DFU mode devices

• [06/07/23 12:04:13] : DFU mode device found

• [06/07/23 12:04:13] : Checking if device is ready

• [06/07/23 12:04:13] : Attempting to perform checkm8 on 8003 01

• [06/07/23 12:04:13] : Setting up the exploit

• [06/07/23 12:04:13] : == checkm8 setup stage ==

• [06/07/23 12:04:13] : UaF race: setup packet was accepted, attempting heuristic strategy

• [06/07/23 12:04:13] : UaF race: heuristic strategy was successful

• [06/07/23 12:04:13] : Entered initial checkm8 state after 1 steps

• [06/07/23 12:04:13] : DFU mode device disconnected

• [06/07/23 12:04:13] : DFU mode device found

• [06/07/23 12:04:13] : == checkm8 trigger stage ==

• [06/07/23 12:04:14] : Checkmate!

• [06/07/23 12:04:14] : Device should now reconnect in download mode

• [06/07/23 12:04:14] : DFU mode device disconnected

• [06/07/23 12:04:34] : Timed out waiting for download mode (error code: -status_exploit_timeout_error)

I used version 2.0.0 beta 7.

[zner0L]

I also saw other people on the discord have the same problem. They were recommended to unplug and replug the device, though this didn’t seem to help in my case. Also, other users reported seeing the Apple logo appear on the screen whereas in my case, the screen just stays black.

[zner0L]

Also noteable: On my Macbook I need to run the command twice, when the iPhone gets stuck in PongoOS. This is also mentioned in the guide:

A9(X) and earlier devices have an issue where they will get stuck midway through this process in pongoOS. To work around this issue, you'll need to do the following:

1. In the terminal window, press Control + C on your keyboard
2. Rerun the command that you just ran

You'll need to do this every time you rejailbreak your device as well.