palera1n/docs/palera1n.1

.\"-
.\" Copyright (c) 2024 Nick Chan
.\" SPDX-License-Identifier: MIT
.\"
.Dd "30 March 2024"
.Dt palera1n 1
.Sh NAME
.Nm palera1n
.Nd arm64 iOS/iPadOS/tvOS 15.0-17.4.1, bridgeOS 6.0-8.3 jailbreaking tool
.Sh SYNOPSIS
.Nm
.Op Fl BcCdDEfhIlLnpPRsSvV
.Op Fl e Ar Boot arguments
.Op Fl k Ar Pongo image
.Op Fl o Ar overlay file
.Op Fl r Ar ramdisk file
.Op Fl K Ar KPF file
.Op Fl i Ar checkra1n file
.Op Fl -version
.Op Fl -force-revert
.Sh DESCRIPTION
.Nm
jailbreaks an arm64 (arm64e excluded) iOS/iPadOS/tvOS 15.0-17.4.1 or bridgeOS 6.0-8.3 device,
utilizing the
.Em checkm8
bootROM exploit.
.Pp
.Nm
provides rootful and rootless jailbreak modes.
On iOS/iPadOS,
.Nm
is able to jailbreak the device in fakefs-rootful mode, where /
is writable, as well as rootless mode, where / cannot be written to.
On tvOS and bridgeOS,
only rootful is supported, and it uses the actual filesystem instead of a fakefs.
.Pp
Due to the nature of the
.Em checkm8
exploit,
.Nm
is semi-tethered. That is, you must run the
.Nm
tool again after the device reboots in order to re-enter the jailbroken state.
However, running it is not required for the device to boot.
.Pp
On A11 devices, that is, iPhone 8, iPhone 8 Plus and iPhone X, the passcode cannot
be used.
.Pp
On iOS 15, the passcode must be off while jailbroken.
.Pp
On iOS 16, the passcode must have been off since the last restore, and
.Sy Reset All Contents and Settings
in the Settings app counts as a restore.
A backup may be used in this case.
.Pp
In the remainder of this document, the terms "iOS" and "iPadOS" will be used interchangeably,
as the difference is negligible as far as the jailbreak is concerned.
.Pp
.Sh SUPPORTED DEVICES
As described above, arm64 devices running iOS/iPadOS/tvOS 15.0-17.4.1 or bridgeOS 6.0-8.3 are
supported. Here is an explicit list of supported devices:
.Bl -tag -compact
.It iPhone 6s
.It iPhone 6s Plus
.It iPhone SE (2016)
.It iPhone 7
.It iPhone 7 Plus
.It iPhone 8
.It iPhone 8 Plus
.It iPhone X
.El
.Bl -tag -compact
.It iPad mini 4
.It iPad Air 2
.It iPad (5th generation)
.It iPad (6th generation)
.It iPad (7th generation)
.It iPad Pro (9.7")
.It iPad Pro (12.9") (1st generation)
.It iPad Pro (10.5")
.It iPad Pro (12.9") (2nd generation)
.El
.Bl -tag -compact
.It iPod Touch (7th generation)
.El
.Bl -tag -compact
.It Apple TV HD
.It Apple TV 4K (1st generation)
.El
.Bl -tag -compact
.It Apple T2 iMacPro1,1
.It Apple T2 MacBookPro15,1
.It Apple T2 MacBookPro15,2
.It Apple T2 Macmini8,1
.It Apple T2 MacPro7,1
.It Apple T2 MacBookPro15,3
.It Apple T2 MacBookAir8,1
.It Apple T2 MacBookPro15,4
.It iBridge2,11 (Unknown Mac)
.It Apple T2 MacBookAir8,2
.It iBridge2,13 (Unknown Mac)
.It Apple T2 MacBookPro16,1
.It Apple T2 MacBookAir9,1
.It Apple T2 MacBookPro16,2
.It Apple T2 iMac20,1
.It Apple T2 iMac20,2
.It Apple T2 MacBookPro16,3
.It Apple T2 MacBookPro16,4
.El
Support for the A8 HomePod on Darwin 21 and above could be added,
but it is currently unsupported.
arm64e devices will NEVER be supported.
.Sh OPTIONS
.Bl -tag -width -indent
.It Fl -version
Prints the program version and exits.
.It Fl -force-revert
Remove the jailbreak while keeping user data. Some jailbreak files may remain
after running this command. Additionally, jailbreak apps may remain on the
home screen for a while even after the files are deleted, as the icon cache
still has their icons. When used with
.Fl f , -fakefs ,
this will actually boot the device in rootless mode, then delete the jailbreak
files. As a result, using the loader app to install the jailbreak environment
is not supported when this option is used together with
.Fl f , -fakefs
\[char46]
.It Fl B , -setup-fakefs-partial
Like
.Fl c , -setup-fakefs
but the size of the created fakefs is smaller, at the expense of having unwritable
parts in rarely-written paths. When jailbreaking 16 GB devices, this option must be used
when setting up the fakefs for rootful, as they do not have enough storage for a full fakefs.
This flag is only supported on iOS/iPadOS.
.It Fl c , -setup-fakefs
When used with
.Fl f , -fakefs ,
creates the new APFS volume required for rootful. Will fail if one already exists.
This flag is only supported on iOS/iPadOS.
.It Fl C , -clean-fakefs
This option is not currently supported and is a no-operation in this version of
.Nm
\[char46]
.It Fl d , -demote
Set the effective production fuse to 0, so as to enable hardware debugging features.
.It Fl D , -dfuhelper
Execute the DFU helper to guide the user into putting the device into DFU mode
then exit.
.It Fl e , -boot-args Ar boot arguments
Specify a custom XNU kernel command line. The
.Em rootdev=md0
argument is used by
.Nm
and cannot be overridden. Additionally, the
.Em wdt=-1
argument is used during fakefs setup.
.It Fl E , -enter-recovery
Exit after entering recovery mode.
.It Fl f , -fakefs
Proceed in rootful mode. This applies to full fakefs, partial fakefs and realfs alike.
This option is not supported on iOS/iPadOS 17.
.It Fl h , -help
Prints help text.
.It Fl i , -checkra1n-file Ar checkra1n file
Specify the path to a custom checkra1n file.
.It Fl k , -override-pongo Ar pongo file
Override PongoOS image. The raw image, named
.Em Pongo.bin
when built, should be used. PongoOS 2.6.0 or later is required.
.It Fl K , -override-kpf Ar KPF file
Override the kernel patchfinder PongoOS module. The module is required to support setting
the root filesystem in paleinfo with the
.Em rootfs
command. If in doubt, use the
.Sy https://github.com/palera1n/PongoOS
iOS15 branch or your own fork of it.
.It Fl l , -rootless
Proceed in rootless mode. This option is only supported on iOS/iPadOS.
.It Fl L , -jbinit-log-to-file
This option is not currently supported and is a no-operation in this version of
.Nm
\[char46]
.It Fl n , -exit-recovery
Exit recovery mode and exit.
.It Fl o , -override-overlay Ar overlay file
Specify the path to a custom overlay file, which is then mounted onto /cores/binpack
during boot if the default ramdisk is used. The default ramdisk expects the overlay
to contain a folder named
.Em Applications
and a dmg named
.Em loader.dmg
at its root. Otherwise, the device will not boot. The overlay is also expected to
contain a shell, an SSH server, and various command line utilities.
.It Fl p , -pongo-shell
Exit after booting into a clean PongoOS shell.
.It Fl P , -pongo-full
Like
.Fl p , -pongo-shell
but with the default images uploaded and the default options applied.
.It Fl r , -override-ramdisk Ar ramdisk file
Override the ramdisk. At a minimum, it should contain
.Em /cores/ploosh
as well as a fake dyld at
.Em /usr/lib/dyld
which is where the logic is expected to reside.
.It Fl R , -reboot-device
Reboot device in normal mode and exit.
.It Fl s , -safe-mode
Enter safe mode. An alert will be displayed on iOS/iPadOS/tvOS. Neither jailbreak daemons nor the
early boot executable files specified (see the
.Sy FILES
section below) will be executed. The loader app and the built-in SSH server can still be used,
as well as any jailbreak-specific apps you have installed.
.It Fl S , -no-colors
Disable colors on the command line. External programs like checkra1n clones may still output colors.
.It Fl v , -debug-logging
Enable debug logging. The option may be repeated for extra verbosity.
.It Fl V , -verbose-boot
Boots the device in verbose mode, allowing boot logs to be seen.
.It Fl I , -device-info
Prints info about the device and exits.
.El
.Sh ENVIRONMENTAL VARIABLES
.Bl -tag -width -indent
.It Ev TMPDIR
This environment variable should contain a directory for temporary
files. Without the
.Fl i , -override-checkra1n
option, files must be executable from it, as the built-in checkra1n file
is extracted and executed there. When not set, /tmp is used.
.El
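Because the built-in checkra1n is extracted into the temporary directory and executed from there, a TMPDIR on a filesystem mounted noexec makes the tool fail on the host before it ever talks to a device. The following script is an added example and not part of palera1n: it probes whether a given directory allows a freshly written file to be executed, using the same TMPDIR-then-/tmp precedence described above. The script name check_tmpdir.sh and the probe file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not palera1n's own code): verify that the directory palera1n
# will use for temporary files permits executing files, since the built-in
# checkra1n is extracted there and run unless -i is given.
# Usage: ./check_tmpdir.sh [dir]   (defaults to $TMPDIR, then /tmp)

# tmpdir_allows_exec DIR
# Returns 0 if a freshly created file in DIR can be executed, 1 otherwise
# (directory missing, not writable, or mounted noexec).
tmpdir_allows_exec() {
    tae_dir="$1"
    [ -d "$tae_dir" ] || return 1
    # Probe file name is an assumption of this example.
    tae_probe="$tae_dir/.palera1n_exec_probe.$$"
    # Write a tiny script; a failed redirection means the directory is not writable.
    printf '#!/bin/sh\nexit 0\n' > "$tae_probe" 2>/dev/null || return 1
    chmod 0700 "$tae_probe" 2>/dev/null || { rm -f "$tae_probe"; return 1; }
    # Running it fails with "Permission denied" on a noexec mount.
    if "$tae_probe" 2>/dev/null; then
        rm -f "$tae_probe"
        return 0
    fi
    rm -f "$tae_probe"
    return 1
}

# resolve_tmpdir
# Prints the directory palera1n would use: $TMPDIR when set, otherwise /tmp.
resolve_tmpdir() {
    if [ -n "$TMPDIR" ]; then
        printf '%s\n' "$TMPDIR"
    else
        printf '%s\n' /tmp
    fi
}

main() {
    target="${1:-$(resolve_tmpdir)}"
    if tmpdir_allows_exec "$target"; then
        echo "ok: $target allows executing files"
    else
        echo "error: $target is missing, not writable, or mounted noexec;" >&2
        echo "       point TMPDIR at a writable, exec-capable directory or use -i" >&2
        return 1
    fi
}

# Run the check only when this file is executed directly as a script.
case "${0##*/}" in
    check_tmpdir*) main "$@" ;;
esac
```

Run it before jailbreaking on hosts where /tmp is commonly mounted noexec (hardened Linux desktops and servers); a non-zero exit means the default extraction location will not work and TMPDIR should be redirected.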
.Sh EXAMPLES
To (re-)jailbreak in rootless mode:
.Pp
.Dl "palera1n"
.Pp
To setup fakefs for rootful mode:
.Pp
.Dl "palera1n -fc"
.Pp
After the device has rebooted, follow the next example.
.Pp
To re-jailbreak in rootful mode:
.Pp
.Dl "palera1n -f"
.Pp
To remove the jailbreak in rootful mode:
.Pp
.Dl "palera1n --force-revert -f"
.Pp
To remove the jailbreak in rootless mode:
.Pp
.Dl "palera1n --force-revert"
.Pp
To verbose boot in rootful mode:
.Pp
.Dl "palera1n -Vf"
.Pp
To create a partial fakefs with bind mounts:
.Pp
.Dl "palera1n -Bf"
.Pp
To exit recovery mode:
.Pp
.Dl "palera1n -n"
.Pp
.Sh CAVEATS
.Pp
.Em -v
is not a real XNU boot argument. It is interpreted by iBoot. However, since XNU
boot arguments are set in PongoOS, which runs after iBoot has run, it does nothing.
To verbose boot, use the
.Fl V , -verbose-boot
option when jailbreaking.
.Pp
Fakefs takes up around 5-10 GB of storage, and can take up to 10 minutes to set up.
.Pp
iOS 15.0 requires DER entitlements, and iOS 15.1 requires hash agility in code signatures.
As a result, binaries with the old code signature format need to be resigned with a recent
version of the Procursus fork of
.Xr ldid 1
before they can be run on a device jailbroken with
.Nm
\[char46]
.Pp
When using rootful mode, the
.Fl f , -fakefs
flag must be specified at all times. It does not matter whether you want to create a fakefs,
create a partial fakefs, re-jailbreak or remove the jailbreak.
.Pp
Due to a stock bug, using the
.Fl V , -verbose-boot
option might cause some versions of tvOS to crash and not boot.
.Sh POST INSTALLATION (iOS/iPadOS)
The palera1n loader app will take up to 30 seconds to appear on the home screen after the
device has booted. If it does not appear, you can try using the shortcut:
.Pp
.Lk https://www.icloud.com/shortcuts/8cd5f489c8854ee0ab9ee38f2e62f87d
.Pp
to open it. After opening the loader app, select a package manager to install.
This will also bootstrap your device.
.Pp
A built-in SSH server runs on port 44 on loopback interfaces.
.Sh POST INSTALLATION (tvOS)
.Pp
The palera1n loader app will appear on the home screen. Open the loader and select a package manager to install.
This will also bootstrap your device.
.Pp
A built-in SSH server runs on port 44 on all interfaces.
.Sh POST INSTALLATION (bridgeOS)
.Pp
A built-in SSH server runs on port 22 on all interfaces.
.Pp
Bootstrapping is currently not supported on this device.
.Sh FILES
During the jailbreak process, a temporary filesystem is mounted on /cores as a place
to stash jailbreak files needed during the boot process. No files are ever written
onto the actual disk unless you use the SSH server to write files or the
loader app to install additional jailbreak files.
.Bl -tag -width "/var/jb/Library/LaunchDaemons"
.It Pa /cores
The location of the temporary filesystem where jailbreak files are stashed during boot.
.It Pa /Library/LaunchDaemons
The directory where jailbreak-specific
.Xr launchd.plist 5
property list files should be placed on rootful.
.It Pa /var/jb/Library/LaunchDaemons
The directory where jailbreak-specific
.Xr launchd.plist 5
property list files should be placed on rootless.
.It Pa /etc/rc.d
The directory where executable files that need to run during boot, before
daemons are launched, are placed on rootful. They are executed after all filesystems
have been mounted.
.It Pa /var/jb/etc/rc.d
The directory where executable files that need to run during boot, before
daemons are launched, are placed on rootless. They are executed after all filesystems
have been mounted.
.El
.Sh BUGS
.Nm
may crash if the machine it is running on:
.Pp
.Dl "- Has non-compliant USB devices plugged in"
.Pp
The exploit may also work less reliably on some hosts, like AMD desktops, or some MediaTek devices.
.Pp
The device may randomly crash and reboot due to launchd using too much memory.
.Pp
The built-in SSH server might not be accessible with a password after bootstrapping rootful,
since the bootstrap uses a custom crypt() function that is not supported
by the built-in SSH server.
.Sh DEPRECATED AND REMOVED FUNCTIONALITY
There was an option in
.Nm
to force create the fakefs even when one already exists (which would overwrite
the existing fakefs), by setting the palerain_option_setup_rootful_forced flag
in palera1n flags. This option was removed because using
.Fl -force-revert
and
.Fl c
at the same time has exactly the same effect.
.Pp
The hook that enabled
.Sy launchctl runstats
has been removed, since it leaks memory in launchd.
.Sh SEE ALSO
.Xr launchd 8
.Xr launchd.plist 5
.Xr ldid 1
.Sh HISTORY
The
.Nm
jailbreak was first written by Nebula and Mineek on September 26, 2022, as a shell
script. Tweak support with DEVELOPMENT kernels was added on October 2, 2022. RELEASE
kernel support was added on November 14, 2022. iOS 16 support was added on
December 13, 2022. Later, the first attempt to rewrite palera1n in C began on January
01, 2023. The
.Nm
utility described here is the second attempt, which first started on January 16, 2023,
using checkra1n 1337 and a custom KPF.
Something happened on August 15, 2023.