iOS Jailbreak

- 10 mins read
Imagen destacada

What is the iOS Jailbreak

Jailbreaking is the process of removing software restrictions imposed by the manufacturer. It’s basically about regaining full control (root access) over a system that’s been deliberately locked down.

Think of it like this: the device you bought is yours, but it comes with limits, what apps you can install, what system files you can access, etc. Jailbreaking is about busting through that walled garden and doing whatever the hell you want with your hardware.

How the jailbreak process works

It usually follows these steps:

  1. Finding a Vulnerability
  • You need an exploit — typically in the bootloader, kernel, or userland.
  • These vulnerabilities allow you to inject code that the system wasn’t expecting.
  • For example, an iOS kernel exploit might let you elevate privileges to root.
  1. Gaining Root Access
  • Once you’ve exploited the system, the goal is to run unsigned code with root-level permissions.
  • This often means patching security mechanisms like:
    • Code signing (AMFI)
    • Sandbox restrictions
    • Trust chains
  1. Persistence (Optional)
  • Some jailbreaks are tethered (you need to re-jailbreak after reboot).
  • Others are semi-untethered (you re-run an app to re-jailbreak).
  • A full untethered jailbreak is the holy grail — survives reboots without any help.
  1. Installing a Package Manager (like Cydia or Sileo)
  • This gives you access to a world of tweaks, themes, and unofficial apps — basically a hacker’s app store.
  • These tools let you modify the UI, add hidden features, or bypass restrictions like carrier locks.

Rootful vs Rootless

When we talk about rootful vs rootless jailbreaks, we’re really talking about how deep into the system you can go. A rootful jailbreak gives you full-blown, unrestricted access to the entire file system, the OG jailbreak style. You can modify system partitions like /System and /usr, inject your own binaries, and rewrite Apple’s rules from the inside out. It’s powerful, but risky, one wrong move and you could brick your device. Apple’s gotten smarter though, and with iOS 15 and beyond, they introduced a more locked-down system, leading to the rise of rootless jailbreaks. In a rootless setup, you don’t touch the system partition at all, it stays read-only. Instead, you operate from the userland, typically in writable directories like /var. You still get to run unsigned code and apply tweaks, but you’re working around Apple’s security model instead of smashing straight through it. Rootless jailbreaks are safer, more stable, and stealthier, but less powerful than a Rootful jailbreak.

Use a rootful jailbreak when:

  • You need full system access and modification capabilities (like writing to /System, /Applications)
  • Testing requires traditional security tools that expect full file system access
  • You’re analyzing system-level vulnerabilities or doing deep OS security research
  • You need persistence across reboots for long-term monitoring
  • Working with tools that haven’t been updated for rootless environments

Use a rootless jailbreak when:

  • You want a more stable testing environment with lower risk of bricking the device
  • Testing app-level security without needing deep system modifications
  • You need to maintain better iOS version compatibility (rootless often supports newer versions faster)
  • You want easier reversal - rootless jailbreaks are generally cleaner to remove
  • Running dynamic analysis tools, SSL proxying, runtime manipulation with tools like Frida
  • The target apps don’t have sophisticated jailbreak detection specifically looking for rootful indicators

Which jailbreak method should you choose

NOTE: I’ve tested on iPhone X (A11 Chip) with iOS 16.7.12 ; iPhone 8 (A11 Chip) with iOS 16.7.10 ; iPhone 6s (A9 Chip) with iOS 15.8.3

Jailbreak methods vary in their approach and convenience. Tethered jailbreaks like checkra1n and palera1n require a computer connection after each reboot, leveraging hardware-level exploits that cannot be patched by software updates. Semi-untethered jailbreaks such as unc0ver and Dopamine allow users to re-jailbreak directly from an on-device app without a computer, offering greater convenience for daily use. Fully untethered jailbreaks, which persist automatically through reboots, are extremely rare in modern iOS due to Apple’s security improvements. Each method represents different trade-offs between stability, convenience, and device compatibility. Regarding palera1n specifically:

I personally use Palera1n rootful, although rootless works perfectly fine for the purpose of this blog post. That’s because Palera1n supports newer iOS versions than many other jailbreaks, but it’s limited to A11 and earlier devices (iPhone X and older) due to its reliance on the checkm8 bootrom exploit.

Below I have included guides on how to install both Palera1n and Dopamine.

Palen1x

To perform the jailbreak, I use a Live USB with Palen1x, as it’s an ISO ready to use Palera1n.

NOTE: I’ve had it sometimes that after the jailbreak process was completed, both WiFi and Bluetooth stopped working. In those cases, I had to power off the iPhone, power it back on, and redo the jailbreak from scratch.

NOTE: If any time during process the iPhone gets “bricked” you can try to use the next combination to reboot the iPhone: press and release volume up, press and release volume down and hold power button for about 20 seconds

Rootful

  1. Fully reset the iPhone
  • Settings > General > Transfer or reset iPhone > Erase all content and settings
  • Enter your iPhone’s passcode if it has one
  • Enter your Apple account’s password if you have one added
  • Erase all
  1. Set up the iPhone
  • Remember to not add a passcode / fingerprint / FaceID, that will make the process easier
  • Do not transfer data
  • Set up Apple ID later (Don’t have an Apple ID > Set Up later in Settings)
  • Wait until all apps are installed
  1. Boot to Palen1x on your computer
  2. Connect the iPhone to the computer
  • NOTE: it’s important that you use a usb-a <-> lighting cable, as a usb-c <-> lighting cable won’t work
  • Once connected select Trust
  1. Select option palera1n
  2. Then select Switch and choose Rootful
  3. Select Options and check Create FakeFS
  • To check an option use the space bar, and then tab and confirm with enter
  1. Select Start
  • The iPhone will restart to the recovery screen (the one with a laptop and a cable)
  1. Prepare to enter DFU mode
  • You will have to press volume up, volume down and hold the power button for 3 to 5 seconds until it gets all black, then click enter on your computer
  1. Enter DFU mode, palera1n will guide you, but here is another guide (in Spanish but with great images) that will help you
  2. The exploit will run
  • If you see an error you can unplug and plug the lighting cable cable from the iPhone and it will resume
  • Another choice if that does not work is to ctrl+c the script and launch it again
  • The process of creating FakeFS can take up to 10 minutes, so grab a cup of coffee :)
  • You’ll see that the script tells you to hit enter in order to quit but let the iPhone finish the process
  1. Once the iPhone is back to the recovery screen, select Switch from the palera1n screen and select Rootful
  2. Select Start
  3. Prepare to enter DFU mode
  • You will have to press volume up, volume down and hold the power button for 3 to 5 seconds again until you get a black screen, then click enter on your computer
  1. Enter DFU mode, follow the same process as before
  2. The exploit will run
  • Again, if you see an error you can unplug and plug the lighting cable cable from the iPhone and it will resume
  • Or again, another choice if that does not work is to ctrl+c the script and launch it again
  1. Once the iPhone reboots, you will see the Palera1n app, the iPhone is jailbroken and you can install Sileo / Zebra from the Palera1n app (make sure to have internet access)

Rootless

  1. Fully reset the iPhone
  • Settings > General > Transfer or reset iPhone > Erase all content and settings
  • Enter your iPhone’s passcode if it has one
  • Enter your Apple account’s password if you have one added
  • Erase all
  1. Set up the iPhone
  • Remember to not add a passcode / fingerprint / FaceID, that will make the process easier
  • Do not transfer data
  • Set up Apple ID later (Don’t have an Apple ID > Set Up later in Settings)
  • Wait until all apps are installed
  1. Boot to Palen1x on your computer
  2. Connect the iPhone to the computer
  • NOTE: it’s important that you use a usb-a <-> lighting cable, as a usb-c <-> lighting cable won’t work
  • Once connected select Trust
  1. Select option palera1n
  2. Then select Switch and choose Rootless
  3. Select Start
  • The iPhone will restart to the recovery screen (the one with a laptop and a cable)
  1. Prepare to enter DFU mode
  • You will have to press volume up, volume down and hold the power button for 3 to 5 seconds until you see a black, then click enter on your computer
  1. Enter DFU mode, palera1n will guide you, but here is another guide (in Spanish but with great images) that will help you
  2. The exploit will run
  • If you see an error you can unplug and plug the lighting cable cable from the iPhone and it will resume
  • Another choice if that does not work is to ctrl+c the script and launch it again
  1. Once the iPhone reboots, you will see the Palera1n app, the iPhone is jailbroken and you can install Sileo / Zebra from the Palera1n app (make sure to have internet access)

Dopamine

NOTE: This will be a rootless Jailbreak. I’ve installed Dopamine on iPhone 6s (A9 Chip) with iOS 15.8.3 using Ubuntu 24.04 and python 3.12

  1. Fully reset the iPhone
  • Settings > General > Transfer or reset iPhone > Erase all content and settings
  • Enter your iPhone’s passcode if it has one
  • Enter your Apple account’s password if you have one added
  • Erase all
  1. Set up the iPhone
  • Remember to not add a passcode / fingerprint / FaceID, that will make the process easier
  • Do not transfer data
  • Set up Apple ID later (Don’t have an Apple ID > Set Up later in Settings)
  • Wait until all apps are installed
  1. Download TrollStore from releases
  • Unzip troll store
  • Create a virtual env to install the requirements
  1. Install TrollStore installer
  • TIP: if you are using python <= 3.12 you might have an error with the imports, to solve this problem, change requirements.txt to install the version 3.0.0 of pymobiledevice3
  • Install the requirements:pip install -r requirements.txt
  • Run the script: python trollstore.py
  • Choose the Tips app
  • NOTE: the iPhone will restart and the PC is no longer needed
  1. Install TrollStore
  • Open Tips app
  • Tap Install TrollStore
  • The SpringBoard will reboot and the TrollStore app will be installed
  1. Install Dopamine
  • Download Dopamine.ipa in your iPhone
  • Open TrollStore, click add and IPA and select Dopamine from Downloads
  • Click install
  1. Perform the Jailbreak
  • Reboot the iPhone
  • Open Dopamine
  • Click Jailbreak and select Sileo
  • Add a password (alpine is recommended as password, this will be the mobile user’s password)

What to do after Jailbreak

On your PC

  • Frida (Virtual env recommended, as you have to install the same version of frida as your frida server in your device - pip install frida frida-tools)
  • libimobiledevice suite
  • libusbmuxd-tools (for iproxy command)
sudo apt install libimobiledevice-utils libimobiledevice-dev libimobiledevice-doc libusbmuxd-tools

On the iPhone

Install from Sileo / Zebra

To install a package from the Sileo store:

  1. Open the Sileo app
  2. Click on Search on the bottom bar
  3. Look for the package (openssh for example)
    • If the package doesn’t show up you will have to add the source (like for frida)
  4. Click on the package
  5. Click GET
  6. Click on Queue, that showed up above the bottom bar
  7. Click Confirm

How to add a source to Sileo:

  1. Open the Sileo app
  2. Click on Sources on the bottom bar
  3. Click the + button top right
  4. Type the source (https://build.frida.re for frida)
  5. Click Add source
  6. Follow the steps above to install the package

Install .deb packages

Configure ssh:

  1. Install openssh package from Sileo / Zebra
  2. On your PC run the command iproxy 2222 22
    • This command will open the port 2222 on your localhost and redirect the connection to port 22 to the device that is plugged via USB
  3. SSH to your iPhone with mobile user and the password used before (alpine in this case)
  4. Change to root user (sudo su)
  5. Change root’s password (I recommend to use alpine as well)
  6. (Optional) Add an ssh key to /root/.ssh/authorized_keys so you can use an ssh key instead of password

Install the .deb package:

  1. Download the .deb package on your computer
  2. scp the .deb file to the iPhone’s /tmp directory (scp -P 2222 file.deb [email protected]:/tmp)
  3. SSH into the device with the root user
  4. cd to /tmp
  5. Install the package with apt (apt install ./file.deb)