iOS Pentesting Lab Setup with Palera1n
Dear Awesome Hackers,
Let’s deep dive into the iOS pentesting lab setup with Palera1n on iOS 15/16 devices.
First of all, let’s understand what Palera1n is.
Palera1n, also known as Checkra1n, is a semi-tethered jailbreak tool for iOS devices. Jailbreaking is the process of removing software restrictions imposed by Apple on its iOS operating system, allowing users to gain more control over their devices and install third-party apps and customizations that are not available through the official App Store.
Checkra1n is unique because it leverages a hardware vulnerability in the bootrom of certain iOS devices, making it difficult for Apple to patch through software updates. This means that it can work on older iOS devices and iOS versions that would not typically be jailbreakable using other methods.
Palera1n supports both rootful and rootless methods of jailbreaking a phone.
Rootless vs. full-fledged (rootful) jailbreak: what is the difference?
The main distinction between traditional full-fledged jailbreaks and the newer rootless jailbreaks designed for iOS and iPadOS 15 and later is that users no longer have access to the OS/root volume. This means that they cannot install or make modifications to files within this specific space.
Instead, those using rootless jailbreaks are limited to making changes to files located in the /var and /private/preboot volumes. Notably, the latter is a newly introduced volume by the Odyssey Team, specifically intended for housing jailbreak-related files that would typically be placed in the now read-only OS/root volume.
It’s essential to clarify the terminology used in this context. “Root” can refer to two different things: the OS/root volume and the root user. While a rootless jailbreak restricts access to the OS/root volume, users can still function as the root user and establish an SSH connection to their device for file modifications within the /var and /private/preboot volumes. This aspect has not changed, underscoring the continued importance of changing the root password for security purposes.
Does the absence of access to the OS/root volume significantly impact jailbreak functionality?
The absence of access to the OS/root volume does introduce limitations for jailbreakers. It restricts the resources that they can work with, especially when compared to a full-fledged jailbreak. This constrained access space can have implications for various aspects of the jailbreak process, including the bootstrap, certain jailbreak tweaks, and the package manager application used.
The bootstrap is a critical component of the jailbreak that installs essential Unix tools and a package manager, enabling users to install and run modifications like jailbreak tweaks on their iPhone or iPad. Traditional bootstraps have traditionally relied on full-fledged jailbreaks, benefiting from full OS/root access. With rootless jailbreaks, developers must adapt to a new bootstrap that can write to a volume other than the OS/root volume.
It’s important to note that jailbreak tweaks designed to modify files within the OS/root volume will not function on a rootless jailbreak. However, tweaks that receive updates to support the rootless paradigm should work just as smoothly on a rootless jailbreak as they did on a full-fledged jailbreak. Not all jailbreak tweaks and add-ons can be adapted to this new paradigm, but many can be made compatible with the necessary adjustments.
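A quick check for the lab device, added here as an example and not part of the original post: run over SSH as root, it tells a rootless jailbreak from a rootful one using the distinction drawn above, whether the OS/root volume accepts a write. ROOT defaults to "/" and exists only so the logic can be exercised against another directory tree; /var/jb as the rootless bootstrap location is an assumption, not something the post states.

```shell
# Added example (not from the original post). Assumes /var/jb is where the
# rootless bootstrap lives; the ROOT parameter is only for testing elsewhere.
jailbreak_type() {
    root=${1:-/}
    probe="$root/usr/.rw_probe_$$"
    if [ -d "$root/var/jb" ]; then
        # Bootstrap is under /var, the only place a rootless jailbreak may write.
        echo rootless
    elif ( : > "$probe" ) 2>/dev/null; then
        # The OS/root volume took a write: full-fledged (rootful) jailbreak.
        rm -f "$probe"
        echo rootful
    else
        # Root volume read-only and no /var bootstrap: stock device or unknown.
        echo unknown
    fi
}
```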
Now that we know the foundations of palera1n, it’s time to discuss the jailbreaking process.
Note: you will need a Mac or a Linux-based machine to jailbreak iOS 15/16 devices. Jailbreaking iOS 16.5 and above can be tricky with palera1n, so this blog focuses on devices below iOS 16.5 for pentesting purposes.
Here in my case, I have the iPhone SE 1st generation running 15.7.9, but if you have a device on a version up to 16.5 it will work similarly.
Step 1. Install palera1n on the Mac
Download palera1n from the official GitHub releases page – Releases · palera1n/palera1n · GitHub
Enable Full Disk Access for Terminal in macOS.
Then run the following commands:
sudo mkdir -p -m 775 /usr/local/bin
export PATH=$PATH:/usr/local/bin
cd Downloads; mv palera1n-macos-universal palera1n   # rename the downloaded release binary (adjust to the exact file name you downloaded)
sudo mv palera1n /usr/local/bin/palera1n
sudo xattr -cr /usr/local/bin/palera1n               # clear the quarantine attribute so macOS will run it
sudo chmod +x /usr/local/bin/palera1n
Now we have everything ready.
Step 2. Connect the device with a USB-A to Lightning cable (a USB-C to Lightning cable will not work for jailbreaking).
Step 3. Run the palera1n command for a rootful jailbreak: palera1n -f -c -v
Note: on some devices the process gets stuck in a continuous loop, or pongoOS never boots. There is a fix for that as well.
Press Ctrl+C and start palera1n again without the -c flag, and the device is jailbroken. Connect it to Wi-Fi and you will see the palera1n app on the device.
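The Step 1 install and the Step 3 run with its retry, written as checked shell functions; this is an added example, not code from the original post or the palera1n project. It assumes SRC is the downloaded release binary, DEST_DIR is the install directory (the post uses /usr/local/bin, which needs sudo), and PALERA1N_BIN is a hypothetical override that lets the run be exercised with a stub instead of the real tool.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: SRC is the downloaded
# binary, DEST_DIR the install directory, PALERA1N_BIN a hypothetical override
# used only so the retry logic can be tested without the real tool.
set -eu

# Step 1: copy the download into DEST_DIR as "palera1n", strip the macOS
# quarantine attribute when the xattr tool exists (it does not on Linux),
# make it executable, and verify the result instead of assuming it worked.
install_palera1n() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || { echo "download not found: $src" >&2; return 1; }
    mkdir -p -m 775 "$dest_dir"
    cp "$src" "$dest_dir/palera1n"
    if command -v xattr >/dev/null 2>&1; then
        xattr -cr "$dest_dir/palera1n"
    fi
    chmod +x "$dest_dir/palera1n"
    [ -x "$dest_dir/palera1n" ] || { echo "install failed" >&2; return 1; }
    case ":$PATH:" in
        *":$dest_dir:"*) ;;
        *) echo "note: $dest_dir is not on PATH" >&2 ;;
    esac
}

# Flags from the post: -f rootful, -v verbose, -c only on the first attempt.
palera1n_flags() {
    if [ "$1" = "first" ]; then echo "-f -c -v"; else echo "-f -v"; fi
}

# Step 3: try with -c; if that attempt fails or is stopped with Ctrl+C (the
# post's fix for a pongoOS boot loop), run again without -c. The INT trap
# keeps this shell alive when Ctrl+C stops the child so the retry can happen.
jailbreak() {
    bin=${PALERA1N_BIN:-palera1n}
    interrupted=0
    trap 'interrupted=1' INT
    "$bin" $(palera1n_flags first) && [ "$interrupted" -eq 0 ] && { trap - INT; return 0; }
    trap - INT
    echo "first attempt did not finish; retrying without -c" >&2
    "$bin" $(palera1n_flags retry)
}
```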
Now go back to the phone and install the Sileo and Zebra package managers.
Add the repos you need in the Zebra package manager for assessment purposes.
Now you can install your favourite tools, such as the Filza file manager, SSL Kill Switch, and many more.
We probably don’t need Cydia anymore now as most of the tools are available already in the modern package managers.
Feel free to suggest more repos for assessment purposes so that we can add them to the blog for the community.
Thanks for reading the blog! We have dedicated cyber security training available on codefensive.com; feel free to reach out there and inquire about the latest cyber security training.