palera1n(1) | General Commands Manual | palera1n(1) |
palera1n
— iOS
15.0-16.5.1 arm64 iOS/iPadOS jailbreaking tool
palera1n |
[-dDEhILnpRsSvV ] [-e
Boot arguments] [-o
overlay file] [-r
ramdisk file] [-K
KPF file] [--version ]
[--force-revert ] |
palera1n
jailbreaks any iOS/iPadOS device
with an arm64 (arm64e excluded) on iOS 15.0-16.5.1, utilizing the
checkm8 bootROM exploit.
Due to the nature of the checkm8 exploit,
palera1n
is semi-tethered. That is, you must run the
palera1n
tool after the device reboot in order to
enter the jailbroken state. However, it is not required for the device to
boot.
On A11 devices, that is, iPhone 8, iPhone 8 Plus and iPhone X, the passcode cannot be used.
On iOS 15, the passcode must be off while jailbroken.
On iOS 16, the passcode must be off since restore, and Reset All Contents and Settings from settings app counts as a restore. A backup may be used in this case.
In the remainder of this document, the term "iOS" and "iPadOS" will be used interchangably as the difference is negligible as far as the jailbreak is concerened.
As described above, arm64 iOS 15.0-16.5.1 devices are supported, here is an explicit list of supported devicecs:
Support for other arm64 Darwin devices, including Apple TV, HomePod and iBridge on Darwin 21 and above could be added, but they are currently unsupported.
arm64e devices will NEVER be supported.
--version
--force-revert
-d
,
--demote
-D
,
--dfuhelper
-e
,
--boot-args
boot
argumentspalera1n
and cannot be
overriden.-E
,
--enter-recovery
-h
,
--help
-K
,
--override-kpf
KPF file-L
,
--jbinit-log-to-file
Makes jbinit log to
/cores/jbinit.log
This file may be viewed from sandboxed applications while jailbroken.-l
,
--rootless
-l
, --rootless
and
-f
, --fakefs
is specified.
>>>>>>> a8e6075 (paleinfo v2)-n
,
--exit-recovery
-o
,
--override-overlay
overlay
file-p
,
--pongo-shell
-P
,
--pongo-full
-p
, --pongo-shell
but
default images and options have been uploaded and applied
respectively.-r
,
--override-ramdisk
ramdisk
file-R
,
--reboot-device
-s
,
--safe-mode
-S
,
--no-colors
-v
,
--debug-logging
-V
,
--verbose-boot
-I
,
--device-info
TMPDIR
-i
,
--override-checkra1n
option, files must be
executable from it as the built-in checkra1n file is extracted and
executed here. When not set, /tmp is used.To (re-)jailbreak in rootless mode:
palera1n
To remove the jailbreak in rootless mode:
palera1n --force-revert
To exit recovery mode:
palera1n -n
-v is not a real XNU boot argument. It is
interpreted by iBoot. However, since XNU boot arguments are set in PongoOS,
which is ran after iBoot has ran, it does nothing. To verbose boot, use the
-V
, --verbose-boot
option
when jailbreaking.
iOS 15.0 requires DER entitlements, and iOS 15.1 requires hash
agility in code signatures. As a result, binaries with the old code
signature format need to be resigned with a recent version of the Procursus
fork of ldid(1) before they can be ran on a device
jailbroken with palera1n
.
The palera1n loader app will take up to 30 seconds to appear on the homescreen after the device has booted. If it does not appear, you can try using the shortcut:
https://www.icloud.com/shortcuts/8cd5f489c8854ee0ab9ee38f2e62f87d
to open it. After opening the loader app, press install to install a bootstrap as well as the Sileo package manager. You can install other package managers from settings of the loader app.
During the jailbreak process, a temporary filesystem is mounted on /cores as a place to stash jailbreak files needed during the boot process. No files are ever written onto the actual disk if you do not use the SSH server to write files or using the loader app to install additional jailbreak files.
-L
is used, the log file of jbinit. The log
file of jbinit.palera1n
may crash if the machine it is
running on:
- Has non-compliant USB devices
plugged in
The exploit may also work less reliably on some hosts, like AMD desktops, or some MediaTek devices.
The device may randomly crash and reboot due to launchd exiting with code 7.
palera1n
injects a dylib into launchd to
allow the
launchctl
runstats command to be used on the device.
The fakefs functionality was removed.
The palera1n
jailbreak was first written
by Nebula and Mineek on September 26, 2022, as a shell script. Tweak support
with DEVELOPMENT kernels are added on October 2, 2022. RELEASE kernel
support is added on November 14, 2022. iOS 16 Support is added on December
13, 2022. Later, the first attempt to rewrite palera1n into C begins on
January 01 2023. The palera1n
utility described here
is the second attempt, which first started on January 16, 2023, using
checkra1n 1337 and the plush KPF.
2 July 2023 |