Tips & Tricks: Solving Error on iOS 15.x–16.x Semi-Tethered Jailbreak (palera1n)

rvdt
4 min read · Feb 28, 2023


Hello, everyone. It’s been quite a while since my last post was published, which was last year. Just to give you some background, I moved to another company in November 2022, which is why I haven’t been actively writing on this platform. Firstly, I’m grateful to God for landing me a new job, especially considering the competitiveness of the job market in these challenging economic times. Many tech professionals have faced layoffs, and new job openings are scarce.

Now, let’s dive into the topic.

Background

In my new role as a Red Teamer, I was assigned iOS apps for penetration testing. To begin, I needed to jailbreak an iPhone, as this would grant me access to various functionalities such as bypassing SSL pinning. This story aims to share an issue I encountered while jailbreaking an iPhone and how I resolved it.

According to the OWASP Mobile Security Testing Guide (MASTG), there are four types of jailbreaks: tethered, semi-tethered, semi-untethered, and untethered.

  • Tethered jailbreaks require the device to be connected to a computer during every reboot, as the jailbreak does not persist through reboots. The device may not even reboot if not connected to a computer.
  • Semi-tethered jailbreaks can only be reapplied if the device is connected to a computer during reboot. The device can boot into a non-jailbroken mode independently.
  • Semi-untethered jailbreaks allow the device to boot independently, but kernel patches or user-land modifications for disabling code signing aren’t applied automatically. The user needs to reapply the jailbreak by starting an app or visiting a website.
  • Untethered jailbreaks are popular among users since they only need to be applied once, resulting in a permanently jailbroken device.

This story focuses more on semi-tethered jailbreaks, as they were beneficial in my case. I want to share how to solve errors specific to this type of jailbreak.

For iOS 14, we used checkra1n, a community project based on the ‘checkm8’ bootrom exploit, aimed at providing a high-quality semi-tethered jailbreak. Details can be found at https://checkra.in/. However, for iOS 15 and 16, we adopted a new project called palera1n, the first public semi-tethered checkm8 “jailbreak” for iOS 15 to 15.7.3 and iOS 16 to 16.4. You can find more about palera1n at https://github.com/palera1n/palera1n. Interestingly, one of the developers behind palera1n is a 13-year-old boy, which was quite a surprise!

How the Story Unfolded

Jailbreaking an iOS device from Windows proved to be a challenge until I discovered a solution involving a Linux bootable environment, detailed at https://github.com/palera1n/palen1x. This project, named palen1x, is an Alpine-based Linux distribution that facilitates the installation of palera1n-c, an implementation of palera1n written in C. palen1x aims to be user-friendly, feature a sleek interface, and support both 32- and 64-bit CPUs.

It’s worth noting that the issue I encountered was resolved on an iPhone 7 Plus (128GB) running iOS 15.7.3.

The initial release of palen1x was v1.0.4 on February 9th, 2023. I’m writing this article on February 28th, 2023, and version v1.0.7 has since been released. The issue I faced was still present in v1.0.7, the latest version as of this writing, as shown in the image below.

After meticulously following the step-by-step instructions provided by the palera1n team at https://ios.cfw.guide/using-palen1x/ and watching a video by a YouTuber at https://www.youtube.com/watch?v=Esl89a_Sr4M, I encountered several errors.

1st Error: “Couldn’t Connect to lockdownd: Pairing dialog response pending”

To solve this error:

Simply unlock your phone and tap “Trust,” then unplug the cable from the laptop. Wait for 5–10 seconds and then plug it back in.

Root cause

This error occurs because your phone hasn’t yet been paired with the host running this process. Even though we are in palen1x mode, the pairing needs to be re-established with that environment, even if you’ve already paired the device with your main OS in daily use.

2nd Error: “Timed out waiting for download mode”

To solve this error:

  • Unplug the cable connected to the iPhone (not the one connected to the computer/laptop). Wait for 5–10 seconds and plug it back in. You should be good to go.
  • If the problem persists, exit the palera1n process and shut down your laptop. Afterward, unplug the charger (use battery mode), and then run palera1n again without charging your laptop. When the error appears, unplug the cable connected to the iPhone (not the one connected to the computer/laptop), wait for 5–10 seconds, and plug it back in.
  • If the issue persists, pay close attention to the iPhone cable and the port being used. It’s highly recommended to use a USB 2.0 to Lightning cable and a USB 2.0 port.

Root Cause

I was initially confused about the root cause, but in my opinion, it’s stated on the official page.
