Jailbreaking iPhones (Checkra1n, Palera1n)

Jailbreaking is required for deep iOS pentesting because it unlocks filesystem access, allows unsigned code execution, enables dynamic instrumentation and exposes app internals. This chapter provides a full practical workflow for jailbreaking using Checkra1n and Palera1n, including device requirements, setup, step-by-step jailbreak procedures and post-jailbreak validation.

Supported Devices

Checkra1n and Palera1n only work on devices vulnerable to the checkm8 bootrom exploit.

Supported chipsets: A7, A8, A9, A10, A11
Supported devices include:

  • iPhone 5s

  • iPhone 6 / 6 Plus

  • iPhone 6s / 6s Plus

  • iPhone SE (1st gen)

  • iPhone 7 / 7 Plus

  • iPhone 8 / 8 Plus

  • iPhone X

Newer devices (A12 and above) cannot use these jailbreaks.

Requirements

  • A supported iPhone

  • macOS or Linux system

  • USB-to-Lightning cable

  • Stable network for SSH access

  • Basic terminal tools

  • Backup of the device (optional but recommended)

Putting the Device into DFU Mode

DFU mode allows the bootrom exploit to run. The timing must be precise.

General DFU sequence for iPhone 7 and later (A10/A11 devices):

  1. Connect device to computer.

  2. Hold Power + Volume Down for 10 seconds.

  3. Release Power but keep holding Volume Down for 5 more seconds.

  4. Screen must stay black; otherwise restart and repeat.

General DFU sequence for iPhone 6s and earlier:

  1. Hold Power + Home for 10 seconds.

  2. Release Power but continue holding Home for 5–8 seconds.

  3. Screen must remain black.

Confirm DFU mode on Linux (lsusb is not installed by default on macOS; use the USB section of System Information there, or install lsusb from Homebrew):

lsusb | grep -i apple

You should see a line reading Apple, Inc. Mobile Device (DFU Mode) with USB ID 05ac:1227. A line reading Mobile Device (Recovery Mode), USB ID 05ac:1281, means the device landed in Recovery rather than DFU, so repeat the button sequence.
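The check above can be scripted so that the USB product ID, not just the vendor name, decides whether the device is really in DFU. This is an added example, not code from the page or from the checkra1n/palera1n projects: the function names, messages and the sample lsusb lines are constructed here; the USB IDs are Apple's DFU (05ac:1227), Recovery (05ac:1281) and normal-mode iPhone (05ac:12a8) identifiers.

```shell
#!/bin/sh
# Added example (not from the original page): classify what lsusb reports for
# an attached Apple device so a DFU attempt can be confirmed or repeated.
# Apple's USB vendor ID is 05ac; product 1227 = DFU mode, 1281 = Recovery
# mode, 12a8 = an iPhone booted normally. Reads lsusb-style lines on stdin.
usb_mode_from_lsusb() {
    dfu=0; recovery=0; normal=0
    while IFS= read -r line; do
        case "$line" in
            *"ID 05ac:1227"*) dfu=1 ;;
            *"ID 05ac:1281"*) recovery=1 ;;
            *"ID 05ac:12a8"*) normal=1 ;;
        esac
    done
    # DFU wins if several Apple devices are attached; otherwise report the
    # state seen so the operator knows what to do next.
    if [ "$dfu" -eq 1 ]; then echo "DFU"
    elif [ "$recovery" -eq 1 ]; then echo "RECOVERY"
    elif [ "$normal" -eq 1 ]; then echo "NORMAL"
    else echo "NONE"
    fi
}

# classify_usb_text TEXT: same classification for a string (used for dry runs).
classify_usb_text() {
    printf '%s\n' "$1" | usb_mode_from_lsusb
}

# dfu_ready: return 0 only when a device is in DFU mode; explain otherwise.
dfu_ready() {
    mode=$(lsusb 2>/dev/null | usb_mode_from_lsusb)
    case "$mode" in
        DFU)      echo "DFU mode confirmed, start checkra1n/palera1n"; return 0 ;;
        RECOVERY) echo "Recovery mode, not DFU: redo the button timing"; return 1 ;;
        NORMAL)   echo "Device booted normally: DFU was not entered"; return 1 ;;
        *)        echo "No Apple device seen: check cable and usbmuxd"; return 1 ;;
    esac
}

# Constructed lsusb lines (not captured from a real host) for a dry run.
SAMPLE_DFU='Bus 001 Device 004: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)'
SAMPLE_RECOVERY='Bus 001 Device 005: ID 05ac:1281 Apple, Inc. Mobile Device (Recovery Mode)'
SAMPLE_NORMAL='Bus 001 Device 006: ID 05ac:12a8 Apple, Inc. iPhone 5/5C/5S/6/SE'

if [ "${1:-}" = "--live" ]; then
    dfu_ready
else
    echo "dry run: $(classify_usb_text "$SAMPLE_DFU"), $(classify_usb_text "$SAMPLE_RECOVERY")"
fi
```

Run it as sh dfu_check.sh --live with the device attached; without the flag it only classifies the constructed sample lines.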


Jailbreaking with Checkra1n (Practical)

Checkra1n is preferred when stability and simplicity are required.

Install Checkra1n (Linux)

Add the repository (apt-key is deprecated on current Debian/Ubuntu releases and prints a warning, but the key is still fetched this way):

echo "deb https://assets.checkra.in/debian /" | sudo tee /etc/apt/sources.list.d/checkra1n.list
sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key
sudo apt update
sudo apt install checkra1n

Run Checkra1n

Start the tool:

sudo checkra1n

Steps:

  1. Connect the device.

  2. Checkra1n will detect the model.

  3. Select “Start”.

  4. Follow the on-screen DFU instructions identical to the DFU steps above.

  5. Once exploited, the device reboots into a patched environment.

  6. On the device, open the Checkra1n loader and install the package manager.

Verify Success

Set up SSH over USB from the host (the device itself needs OpenSSH installed from the package manager, see the Install OpenSSH step below). iproxy ships in the libusbmuxd-tools package on Debian/Ubuntu and stays in the foreground, so run it in a second terminal:

sudo apt install usbmuxd libusbmuxd-tools
iproxy 2222 22
ssh root@localhost -p 2222

Default password: alpine
(Change immediately; the mobile user has the same default password.)

Check filesystem access:

ls /var/mobile/Containers/Data/Application/

If directories are visible, the jailbreak is working.


Jailbreaking with Palera1n (Practical)

Palera1n is used for newer iOS versions on the same A8–A11 devices.

Install Palera1n (Linux)

Clone the repository:

git clone https://github.com/palera1n/palera1n.git
cd palera1n
sudo ./install.sh

Choose Mode

Rootful mode

  • Full filesystem modification

  • Best for deep pentesting

Rootless mode

  • Safer

  • Less system alteration

  • Some tools behave differently

Run the Jailbreak (Rootful Example)

  1. Put the device into DFU mode.

  2. Run:

sudo palera1n -f -c

-f selects rootful mode and -c creates the fake root filesystem (fakefs) that rootful mode needs; -c is only required on the first run, later boots of the same install use sudo palera1n -f.

  3. Follow the onscreen DFU countdown.

  4. Device boots with jailbreak patches.

  5. On the device, open the palera1n-app and tap “Bootstrap”.

  6. Install Sileo (package manager).

Validate the Jailbreak

Start SSH via USB (iproxy in a second terminal, as in the Checkra1n section):

iproxy 2222 22
ssh root@localhost -p 2222

Check elevated permissions:

whoami

Expected output: root

Check access to protected directories:

ls /var/containers/Bundle/Application/

If successful, the jailbreak is complete.
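The validation steps in this section and in the Checkra1n section above are the same two checks; as an added example (not the page's or palera1n's own code), here they are as one script that runs them over the iproxy tunnel and returns non-zero if any fail. The function names, the RUNNER indirection and the --run flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): run the page's post-jailbreak
# checks as one repeatable script. Assumes an iproxy tunnel is already up
# (iproxy 2222 22) and OpenSSH is installed on the device.
SSH_PORT="${SSH_PORT:-2222}"

# Default runner: execute one command on the device as root over the tunnel.
run_remote() {
    ssh -o ConnectTimeout=5 -p "$SSH_PORT" root@localhost "$1"
}

# validate_jailbreak RUNNER: RUNNER is a function name taking one command
# string (defaults to run_remote). Prints PASS/FAIL per check and returns 0
# only when every check passes, so it can gate the rest of the test setup.
validate_jailbreak() {
    runner="${1:-run_remote}"
    failed=0

    # 1. The SSH session really is root, not the unprivileged mobile user.
    user=$("$runner" "whoami" 2>/dev/null || true)
    if [ "$user" = "root" ]; then
        echo "PASS whoami=root"
    else
        echo "FAIL whoami returned '${user:-no output}'"; failed=1
    fi

    # 2. App data and bundle containers, sandboxed on stock iOS, list entries.
    for dir in /var/mobile/Containers/Data/Application \
               /var/containers/Bundle/Application; do
        count=$("$runner" "ls $dir" 2>/dev/null | wc -l | tr -d ' ')
        if [ "${count:-0}" -gt 0 ]; then
            echo "PASS $dir ($count entries)"
        else
            echo "FAIL $dir not listable"; failed=1
        fi
    done
    return "$failed"
}

if [ "${1:-}" = "--run" ]; then
    validate_jailbreak run_remote
fi
```

Run it as sh validate.sh --run with the tunnel up; passing a different runner function name to validate_jailbreak lets the checks be exercised without a device.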


Post-Jailbreak: Pentesting Setup

Install File Manager (Filza)

Allows on-device inspection. Filza is distributed from the TIGI Software repository, so add that source in the package manager first; its package identifier is com.tigisoftware.filza:

apt install com.tigisoftware.filza

Install Frida

Used for runtime hook-based pentesting. On the device, add https://build.frida.re as a source in the package manager, then install the frida-server package:

apt install re.frida.server

Verify from the host (requires the frida-tools Python package, installed with pip):

frida-ps -U

Enable Substrate / Tweaks

Tweak injection (Cydia Substrate on Checkra1n, ElleKit on Palera1n) is what SSL pinning bypass tweaks, API hooking and dynamic patches rely on, so confirm it is installed and loaded before relying on those tools.

Install OpenSSH

If not installed:

apt install openssh

Set a new root password (the mobile user also defaults to alpine; change it the same way with passwd mobile):

passwd

Real Pentesting Actions Possible After Jailbreak

  • Decrypt installed apps in memory

  • Dump keychain entries

  • Inspect Data Protection classes

  • Patch authentication logic

  • Bypass SSL pinning via dynamic hooks

  • Modify Info.plist capabilities

  • Observe runtime API calls

  • Capture HTTP/HTTPS traffic with full visibility

  • Extract logs, caches and databases

  • Examine entitlements and binary metadata

  • Inject custom hooks into any running app

These actions cannot be performed on a stock iPhone.


Intel Dump

  • Checkm8 makes A7–A11 devices permanently jailbreakable

  • Checkra1n provides stable semi-tethered jailbreaks

  • Palera1n supports newer iOS versions and rootful/rootless modes

  • DFU mode is required before running either jailbreak

  • SSH over USB provides reliable access

  • Filesystem, keychain and runtime introspection become possible

  • Post-jailbreak setup includes Filza, Frida, OpenSSH and substrate

  • Jailbreaking unlocks deep pentesting capabilities not available on stock devices
