Closed zner0L closed 1 year ago
preferably > 14.3 because of the tracking updates
It's 14.5, actually.
Ok, so I had success jailbreaking an iPhone 6S with iOS 15.4.7 using https://github.com/palera1n/palera1n as I suggested. It was pretty straightforward; I basically followed this tutorial: https://ios.cfw.guide/installing-palera1n/#installing-the-jailbreak (in case, like me, you don't know what DFU mode means, look here: https://www.theiphonewiki.com/wiki/DFU_Mode)
Cydia is broken on iOS 15+, so you need to use the (much nicer, actually) Sileo that comes with palera1n. To get it, after first starting the newly jailbroken phone, open the palera1n app and press "install".
Install OpenSSH and SQLite 3.x; those are easy. Some other requirements are not available, because they are not officially supported (and likely broken). But we need some of these anyway, so add the repo to Sileo:
Now all apps are available in Sileo.
Activator seems to be broken, according to this list and also my tests. Some apps break seemingly only because of code signing, which is easily fixed by using ldid -s, like for Filza:
ldid -s /Applications/Filza.app
ldid -s /usr/libexec/filza/Filza*
However, after signing /Applications/Activator.app, /usr/bin/activator and /usr/lib/libactivator.dylib, the code signing errors stop and the logs (at /var/mobile/Library/Logs/CrashReporter/Activator-*) show:
"exception" : {"port":16387,"signal":"SIGKILL","guardId":0,"codes":"0x0000000000004003, 0x0000000000000000","violations":["INVALID_RIGHT"],"message":"INVALID_RIGHT on mach port 16387 (guarded with 0x0000000000000000)","subtype":"GUARD_TYPE_MACH_PORT","type":"EXC_GUARD","rawCodes":[16387,0]},
"termination" : {"namespace":"GUARD","flags":2,"code":2305844108725338115}
Open works if you sign it using ldid -s /usr/bin/open.
SSL Kill Switch 2 seems to install fine; I didn't get around to testing it yet. The same goes for Frida. Any ideas on how to test them?
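As an added example (this is not code from the thread, nor from palera1n, ldid or Apple), here is a small POSIX shell helper for the two steps described in this post: re-signing a set of binaries with ldid -s, and pulling the exception type, subtype, signal and first guard violation out of an app's newest CrashReporter log, so a code-signing problem can be told apart from a different kind of termination such as the EXC_GUARD / INVALID_RIGHT shown for Activator. It assumes it runs on the jailbroken device (directly or over the OpenSSH installed above), that ldid is on PATH (LDID=... overrides it), and that crash logs live under /var/mobile/Library/Logs/CrashReporter as in the path quoted above; the function and variable names are mine, not anything the tools define.

```shell
#!/bin/sh
# Added example; not code from the thread, from palera1n, from ldid or from Apple.
# Re-signs binaries with `ldid -s` and summarizes an app's newest CrashReporter
# log so a signing kill can be told apart from e.g. an EXC_GUARD termination.
# Assumptions: runs on the jailbroken device, `ldid` is on PATH (override with
# LDID=...), crash logs live under /var/mobile/Library/Logs/CrashReporter.

LDID="${LDID:-ldid}"
CRASHDIR="${CRASHDIR:-/var/mobile/Library/Logs/CrashReporter}"

# Ad-hoc sign every path given (the caller's shell expands globs such as
# /usr/libexec/filza/Filza*). Stops at the first ldid failure.
resign_paths() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "skip (missing): $p" >&2
            continue
        fi
        "$LDID" -s "$p" || return 1
    done
}

# Extract a string-valued field ("type", "subtype", "signal", ...) from a
# crash log. The .ips format keeps the whole exception object on one line,
# so a sed capture is enough for triage; the last match on a line wins.
json_field() {  # json_field FIELD FILE
    sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# First entry of the "violations" array (e.g. INVALID_RIGHT), if present.
first_violation() {  # first_violation FILE
    sed -n 's/.*"violations" *: *\[ *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# One-line verdict for a log file.
summarize_crash() {  # summarize_crash FILE
    t=$(json_field type "$1")
    st=$(json_field subtype "$1")
    sig=$(json_field signal "$1")
    v=$(first_violation "$1")
    printf 'type=%s subtype=%s signal=%s violation=%s\n' \
        "${t:-?}" "${st:-none}" "${sig:-?}" "${v:-none}"
}

# Summarize the newest log whose name starts with APP- (Activator-, Filza-, ...).
latest_crash_for() {  # latest_crash_for APP
    f=$(ls -t "$CRASHDIR"/"$1"-* 2>/dev/null | head -n 1)
    if [ -z "$f" ]; then
        echo "no crash logs for $1 in $CRASHDIR" >&2
        return 1
    fi
    summarize_crash "$f"
}

# Typical use on the device:
#   resign_paths /Applications/Activator.app /usr/bin/activator /usr/lib/libactivator.dylib
#   latest_crash_for Activator
```

For the Activator log quoted in this post, latest_crash_for Activator prints type=EXC_GUARD subtype=GUARD_TYPE_MACH_PORT signal=SIGKILL violation=INVALID_RIGHT, which is a guarded mach port violation and not a code-signing kill, so re-signing with ldid is not what is missing there.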
Any ideas on how to test them?
For SSL Kill Switch 2: I may be misremembering, but I think that should have an item in the Settings app. Otherwise, if you haven't installed the mitmproxy CA yet, start mitmproxy on your PC, set the proxy on the iPhone and check whether you can decrypt HTTPS traffic.
For Frida: Check whether frida-ps -U | grep frida shows something (it does on Android at least, I'm assuming it's also the case on iOS). Otherwise, frida -U -F.
I stumbled upon this stackoverflow question about simulating home button presses that might be helpful when replacing Activator.
We now have two iPhone X (64 GB). One is on iOS 15.6.1, the other is on iOS 16.0.
I can confirm that factory-resetting an iPhone is not a problem if you want to keep the iOS version currently installed. It does not force you to update when activating. I have tested that on iOS 16.0 and 15.6.1 on iPhone X. @zner0L said it was the same on an iPhone 6 running iOS 12.something.
Here's what it says on iOS 16.0 during the activation process:
The message is very similar but slightly different on iOS 15:
In neither case was I even prompted to update during the activation/setup process, even though there were updates available for both devices.
After setup, automatic updates can be disabled through Settings -> General -> Software Update -> Automatic Updates -> Off.
I have finally managed to jailbreak the first iPhone (iOS 15). A few notes:
I have now also managed to jailbreak the iOS 16 iPhone.
These are the full steps (adapted from https://ios.cfw.guide/installing-palera1n/#installing-the-jailbreak), tested on a mostly bare Ubuntu 22.04 on a computer with an Intel CPU:
apt install curl
sudo systemctl stop usbmuxd && sudo usbmuxd -f -p
git clone --recursive https://github.com/palera1n/palera1n && cd palera1n
(or cd palera1n next time)
sudo ./palera1n.sh --tweaks <iOS version> --semi-tethered
Re-jailbreaking after a phone reboot is significantly quicker. Essentially, you just run sudo ./palera1n.sh --tweaks <iOS version> --semi-tethered, go into DFU mode, and after maybe a minute, the process is done. You just have to wait for the device to automatically respring after a few seconds.
I changed the following settings on the iPhones:
On the iOS 16 phone (though probably not related to the version, shrug), after installing the openssh meta package, no SSH server was running on the device and I wasn't able to connect. I was able to fix that by manually uninstalling all openssh* packages and then reinstalling.
Regarding replacing Activator. We use that for two functions:
Despite many tries, I didn't manage to jailbreak the iOS 15 iPhone with the new palera1n-c after factory-resetting it.
The phone always reboots into normal mode shortly after entering DFU and palera1n fails with <Error>: Timed out waiting for download mode (error code: -status_exploit_timeout_error).
I am using a laptop with an Intel CPU and a USB-A Lightning cable. I don't have a passcode and Face ID is disabled. Things I've tried unsuccessfully:
- usbmuxd dance after a reboot.
Another hour in and I am no closer.
Even though I factory-reset the device, I tried the steps to remove palera1n legacy. Running this for the first time fails with "An error occurred" (just like when initially jailbreaking). Rerunning the command afterwards does stuff for a while and then gets stuck trying to connect via SSH while an icon of a hard disk with a colorful symbol atop is on screen. I waited for at least 15 minutes with no change. Dis- and reconnecting the cable and restarting the command doesn't change anything. I was able to get out of this mode using the steps for getting out of DFU mode. I have no idea whether doing this had any effect in the end.
Afterwards, palera1n-c still doesn't work.
Running palera1n legacy at least stays in DFU mode and does stuff for a while. But then it also gets stuck at that hard disk symbol.
I'm giving up. Guess I only have one jailbroken device now…
I'd recommend completely resetting the device, not just factory-resetting it, e.g. via the restore function on a computer or MacBook. That helped me get out of situations like this before.
Also for the future: You should always remove the jailbreak first before resetting the device. I don’t know why, but it creates less problems.
iTunes insisted on upgrading to iOS 16.5 when using the "Restore" button, which I obviously don't want. I tried 3u Tools but I think that just did the regular factory reset. The problem still persists after that.
That method didn't work either. It said I needed to update iTunes but the iTunes updater/installer always failed, saying it was missing a .msi file (happens both when updating through Apple Software Update and 3u, and even after uninstalling and trying to reinstall).
But besides, it said "To upgrade to 16.5, you need the latest iTunes" (something along those lines), so I'm pretty sure that would have updated anyway.
Well, I just tried palera1n-c on my old MacBook, and there it worked first try. shrug (I followed the steps in https://web.archive.org/web/20230606113213/https://ios.cfw.guide/installing-palera1n/ exactly.)
We want to switch to palera1n-c, so here is how to jailbreak the devices (based on this guide):
- ./palera1n.sh --restorerootfs <iOS version you're on> --tweaks
  (see https://ios.cfw.guide/removing-palera1n-legacy/ for more details). Otherwise you should use palera1n -f --force-revert if you installed in rootful mode and palera1n --force-revert in rootless mode (you'll need a version > 2.0.0 beta 7 for that as there was a bug: https://github.com/palera1n/palera1n/releases/tag/v2.0.0-beta.7).
- palera1n -fc to create the fakefs. This might take a bit to install.
- palera1n -f
I tested it on my MacBook Pro, running macOS Monterey. On Linux, some additional steps might be required.
Tested this again on a different Intel laptop with Ubuntu. Same problem. I really don't want to recommend people get a Mac for jailbreaking, but this isn't looking good. And I'm not too fond of wasting more time installing Linux on random laptops I have laying around to test this (the ones I tested have very similar CPUs, so maybe the issue is more specific?).
I'll test this at home on my laptop. That has an Intel i5 type processor and runs Fedora.
As expected, it doesn't work on my Ryzen PC either. Keeps spamming:
- [06/06/23 17:22:51] <Verbose>: UaF race: heuristic strategy failed, setup packet was not accepted
On the MacBook, it once again worked flawlessly.
I tested it now on my laptop running Fedora 37 (I know, I should update) on an Intel i5. It also fails. Steps I did:
- Stop the usbmuxd systemd daemon: sudo systemctl stop usbmuxd
- Start usbmuxd manually: sudo usbmuxd -f -p
- In a new terminal, start palera1n:
[zner0l@fedora ~]$ sudo palera1n -fc
# == palera1n-c ==
#
# Made by: Nick Chan, Ploosh, Samara, Nebula, staturnz, kok3shidoll
#
# Thanks to: pythonplayer123, llsc12, Mineek, tihmstar, nikias
# (libimobiledevice), checkra1n team (Siguza, axi0mx, littlelailo
# et al.), Procursus Team (Hayden Seay, Cameron Katri, Keto et.al)
- [06/07/23 12:03:29] <Info>: Waiting for devices
- [06/07/23 12:03:57] <Info>: Press Enter when ready for DFU mode
Get ready (0) Hold home + power button (0) Hold home button (4)
[06/07/23 12:04:12] … [06/07/23 12:04:34] (only the timestamps of the remaining log lines survived in this copy)
I used version 2.0.0 beta 7.
I also saw other people on the Discord have the same problem. They were recommended to unplug and replug the device, though this didn't seem to help in my case. Also, other users reported seeing the Apple logo appear on the screen whereas in my case, the screen just stays black.
Also notable: On my MacBook I need to run the command twice, when the iPhone gets stuck in PongoOS. This is also mentioned in the guide:
A9(X) and earlier devices have an issue where they will get stuck midway through this process in pongoOS. To work around this issue, you'll need to do the following:
- In the terminal window, press Control + C on your keyboard
- Rerun the command that you just ran
You'll need to do this every time you rejailbreak your device as well.
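As an added example (not code from the thread and not part of the palera1n project), the Linux procedure from the posts above (stop the usbmuxd service, run usbmuxd -f -p yourself, then run palera1n) wrapped in one shell script that keeps the palera1n output in a log file and afterwards checks it for the two failure signatures reported in this thread, the "Timed out waiting for download mode (-status_exploit_timeout_error)" error and the repeating "UaF race: heuristic strategy failed" line, printing the advice the thread gives for each (re-enter DFU or try another host; unplug/replug; Ctrl+C and rerun for an A9(X) device stuck in PongoOS). It assumes it is run as root with palera1n (palera1n-c) and usbmuxd on PATH, that every argument is passed through to palera1n unchanged (-fc for the first run, -f afterwards, as in the steps above), and the script name, function names and LOG variable are mine. Unlike the two-terminal setup in the thread it backgrounds usbmuxd -f -p and kills it again on exit.

```shell
#!/bin/sh
# Added example; not code from the thread or from the palera1n project.
# Runs the Linux procedure (stop usbmuxd service, usbmuxd -f -p, palera1n ...)
# and classifies the palera1n output against the failure messages quoted in
# this thread. Assumptions: run as root, palera1n and usbmuxd on PATH, all
# arguments go to palera1n unchanged:
#   sudo ./palera1n-wrap.sh -fc     (first run, creates the fakefs)
#   sudo ./palera1n-wrap.sh -f      (every later re-jailbreak)

LOG="${LOG:-/tmp/palera1n-$(date +%Y%m%d-%H%M%S).log}"

# Number of "UaF race" failures logged (the line that "keeps spamming" above).
uaf_race_attempts() {  # uaf_race_attempts FILE
    grep -c 'UaF race: heuristic strategy failed' "$1" || true
}

# Verdict for a palera1n log: exploit-timeout, uaf-race-failed or
# no-known-failure. The patterns are the literal messages quoted in the thread.
classify_palera1n_log() {  # classify_palera1n_log FILE
    if grep -q 'status_exploit_timeout_error' "$1"; then
        echo exploit-timeout
    elif grep -q 'UaF race: heuristic strategy failed' "$1"; then
        echo uaf-race-failed
    else
        echo no-known-failure
    fi
}

# What the thread suggests doing next for each verdict.
advice_for() {  # advice_for VERDICT
    case "$1" in
        exploit-timeout)
            echo "The phone left DFU before the exploit ran. Re-enter DFU and rerun; if it keeps happening on this host, try another machine (a MacBook worked first try in this thread)." ;;
        uaf-race-failed)
            echo "The USB exploit race is not winning on this host/cable. Unplug and replug the device and rerun, or try a different host." ;;
        *)
            echo "No known failure signature. If an A9(X) or earlier device is stuck in PongoOS, press Ctrl+C and rerun the same command." ;;
    esac
}

run_palera1n() {  # run_palera1n PALERA1N_ARGS...
    systemctl stop usbmuxd 2>/dev/null || true
    usbmuxd -f -p >/dev/null 2>&1 &
    muxpid=$!
    trap 'kill "$muxpid" 2>/dev/null' EXIT INT TERM
    sleep 1
    # palera1n is interactive (it asks you to press Enter for DFU), so keep
    # its stdin/stdout attached and only copy the output to the log.
    palera1n "$@" 2>&1 | tee "$LOG"
    verdict=$(classify_palera1n_log "$LOG")
    printf '\nverdict: %s (UaF race failures: %s)\n' "$verdict" "$(uaf_race_attempts "$LOG")"
    advice_for "$verdict"
    [ "$verdict" = no-known-failure ]
}

# Only run the real thing when called with palera1n arguments.
if [ "$#" -gt 0 ]; then
    run_palera1n "$@"
else
    echo "usage: $0 <palera1n arguments>   (log goes to $LOG)" >&2
fi
```

The classification is deliberately limited to messages that appear in this thread; anything else (including a successful run) is reported as no-known-failure, and the script's exit status is non-zero only when one of the two known signatures was seen.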
We need iPhones that can be jailbroken and support SSL Kill Switch 2, Frida and Activator. The option that has been tested already is using an iPhone with iOS 14 (preferably > 14.3 because of the tracking updates). These phones are hard to get, however, since iOS 14 is pretty outdated.
There is a new jailbreak, https://github.com/palera1n/palera1n, that seems to work for higher iOS versions. I bought a crappy iPhone 6S to test if it would work.