palera1n(1) | General Commands Manual | palera1n(1)
palera1n — arm64 iOS/iPadOS/tvOS 15.0-18.0, bridgeOS 5.0-9.0 jailbreaking tool
palera1n [-cCdDEfhIlLnpRsSTvV] [-e Boot arguments] [-k Pongo image] [-o overlay file] [-r ramdisk file] [-K KPF file] [-i checkra1n file] [--version] [--force-revert]
palera1n jailbreaks an arm64 (arm64e excluded) iOS/iPadOS/tvOS 15.0-18.0, bridgeOS 5.0-9.0 device, utilizing the checkm8 bootROM exploit.
palera1n provides rootful and rootless jailbreak modes. On iOS/iPadOS, palera1n is able to jailbreak the device in fakefs-rootful mode, where / is writable, as well as rootless mode, where / cannot be written to. On tvOS and bridgeOS, only rootful is supported, and it uses the actual filesystem instead of a fakefs.
Due to the nature of the checkm8 exploit, palera1n is semi-tethered. That is, you must run the palera1n tool after the device reboots in order to enter the jailbroken state. However, it is not required for the device to boot.
On A11 devices, that is, iPhone 8, iPhone 8 Plus and iPhone X, the passcode cannot be used.
On iOS 15, the passcode must be off while jailbroken.
On iOS 16, the passcode must be off since the restore, and Reset All Contents and Settings from the Settings app counts as a restore. A backup may be used in this case.
In the remainder of this document, the terms "iOS" and "iPadOS" will be used interchangeably, as the difference is negligible as far as the jailbreak is concerned.
As described above, arm64 iOS 15.0-18.0 devices are supported; here is an explicit list of supported devices:
Support for the A8 HomePod on Darwin 21 and above could be added, but it is currently unsupported.
arm64e devices will NEVER be supported.
--version
--force-revert
    When used with -f, --fakefs, this will actually boot the device in rootless mode, then delete the jailbreak files. As a result, using the loader app to install the jailbreak environment is not supported when this option is used together with -f, --fakefs.
-B, --setup-fakefs-partial
    Like -c, --setup-fakefs, but the size of the created fakefs is smaller, at the expense of having unwritable parts in rarely-written paths. When jailbreaking 16 GB devices, this option must be used when setting up fakefs for rootful, as they do not have enough storage for a full fakefs. This flag is only supported on iOS/iPadOS.
-c, --setup-fakefs
    When used with -f, --fakefs, creates the new APFS volume required for rootful. Will fail if one already exists. This flag is only supported on iOS/iPadOS.
-C, --clean-fakefs
    palera1n.
-d, --demote
-D, --dfuhelper
-e, --boot-args boot arguments
-E, --enter-recovery
-f, --fakefs
-h, --help
-i, --checkra1n-file checkra1n file
-k, --override-pongo pongo file
-K, --override-kpf KPF file
-l, --rootless
-n, --exit-recovery
-o, --override-overlay overlay file
-p, --pongo-shell
-P, --pongo-full
    Like -p, --pongo-shell, but the default images and options have been uploaded and applied, respectively.
-r, --override-ramdisk ramdisk file
-R, --reboot-device
-s, --safe-mode
-S, --no-colors
-T, --telnetd
-v, --debug-logging
-V, --verbose-boot
-I, --device-info
TMPDIR
    Unless the -i, --override-checkra1n option is used, files must be executable from it, as the built-in checkra1n file is extracted and executed there. When not set, /tmp is used.
To (re-)jailbreak in rootless mode:
    palera1n -l
To set up fakefs for rootful mode:
    palera1n -fc
After the device has rebooted into recovery mode, follow the next example.
To re-jailbreak in rootful mode:
    palera1n -f
To remove the jailbreak in rootful mode:
    palera1n --force-revert -f
To remove the jailbreak in rootless mode:
    palera1n --force-revert
To verbose boot in rootful mode:
    palera1n -Vf
To create a partial fakefs with bind mounts:
    palera1n -Bf
To exit recovery mode:
    palera1n -n
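The TMPDIR requirement stated in the environment note above (the built-in checkra1n is extracted into TMPDIR, or /tmp, and executed from there) is easy to trip over on hosts whose /tmp is mounted noexec. The following preflight check is an added example, not part of palera1n; the function names and probe file name are this example's own, and the remediation hint of exporting TMPDIR is an assumption.

```shell
#!/bin/sh
# Added example (not palera1n's own code): verify that the directory palera1n
# will extract its built-in checkra1n into can actually execute files.
# Usage: . ./check-tmpdir.sh; check_palera1n_tmpdir

# Resolve the directory palera1n would use: $TMPDIR, or /tmp when it is unset.
palera1n_tmpdir() {
    if [ -n "${TMPDIR:-}" ]; then
        printf '%s\n' "$TMPDIR"
    else
        printf '%s\n' /tmp
    fi
}

# Return 0 if a freshly created file in $1 can be executed,
# 1 if the directory is missing, unwritable, or mounted noexec.
tmpdir_allows_exec() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    probe=$(mktemp "$dir/exec-probe.XXXXXX") || return 1
    # Constructed throwaway script: it only has to start successfully.
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    "$probe" 2>/dev/null
    rc=$?
    rm -f "$probe"
    return "$rc"
}

# Print a verdict for the directory palera1n will use; the return status
# mirrors it so the check can gate a wrapper script.
check_palera1n_tmpdir() {
    dir=$(palera1n_tmpdir)
    if tmpdir_allows_exec "$dir"; then
        printf 'ok: %s allows execution\n' "$dir"
        return 0
    fi
    # Assumed remediation: point TMPDIR at a directory that permits execution.
    printf 'fail: %s is unwritable or mounted noexec; export TMPDIR to an exec-capable directory before running palera1n\n' "$dir" >&2
    return 1
}
```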
-v is not a real XNU boot argument. It is interpreted by iBoot. However, since XNU boot arguments are set in PongoOS, which runs after iBoot has run, it does nothing. To verbose boot, use the -V, --verbose-boot option when jailbreaking.
Fakefs takes up around 5-10 GB of storage and takes up to 10 minutes to set up.
iOS 15.0 requires DER entitlements, and iOS 15.1 requires hash agility in code signatures. As a result, binaries with the old code signature format need to be resigned with a recent version of the Procursus fork of ldid(1) before they can be run on a device jailbroken with palera1n.
When using rootful mode, the -f, --fakefs flag must be specified at all times. It does not matter whether you want to create a fakefs, create a partial fakefs, re-jailbreak or remove the jailbreak.
Due to a stock bug, using the -V, --verbose-boot option might cause some versions of tvOS to crash and not boot.
Official Apple USB-C cables, as well as some other USB-C cables, cannot be used to enter DFU mode. A USB-A cable with a male USB-C to female USB-A adapter works fine.
The palera1n loader app will take up to 1 minute to appear on the home screen after the device has booted. If it does not appear, you can try using the shortcut https://www.icloud.com/shortcuts/8cd5f489c8854ee0ab9ee38f2e62f87d to open it. After opening the loader app, select a package manager to install. This will also bootstrap your device.
A built-in SSH server runs on port 44 on loopback interfaces.
The palera1n loader app will appear on the home screen. Open the loader and select a package manager to install. This will also bootstrap your device.
A built-in SSH server runs on port 44 on all interfaces.
Bootstrapping is currently not supported on this device.
During the jailbreak process, a temporary filesystem is mounted on /cores as a place to stash jailbreak files needed during the boot process. No files are ever written onto the actual disk unless you use the SSH server to write files or use the loader app to install additional jailbreak files.
palera1n may crash if the machine it is running on:
- Has non-compliant USB devices plugged in
The exploit may also work less reliably on some hosts, like AMD desktops, or some MediaTek devices.
The built-in SSH server might not be accessible with a password after bootstrapping rootful, since the bootstrap uses a custom crypt() function that is not supported by the built-in SSH server.
There are no DFU instructions for iBridge T2 as there are no known ways to connect to the T2's USB interface when macOS has been booted.
There was an option in palera1n to force-create the fakefs even when one already exists (which would overwrite the existing fakefs), by setting the palerain_option_setup_rootful_forced flag in palera1n flags. This option was removed because using --force-revert and -c at the same time has exactly the same effect.
The hook that enabled launchctl runstats has been removed, since it leaks memory in launchd.
The palera1n jailbreak was first written by Nebula and Mineek on September 26, 2022, as a shell script. Tweak support with DEVELOPMENT kernels was added on October 2, 2022. RELEASE kernel support was added on November 14, 2022. iOS 16 support was added on December 13, 2022. Later, the first attempt to rewrite palera1n in C began on January 01, 2023. The palera1n utility described here is the second attempt, which first started on January 16, 2023, using checkra1n 1337 and a custom KPF. Something happened on August 15, 2023.
24 July 2024