Why CheckRa1n Jailbreak Doesn't Work on iOS 15 and Will it Ever Work Again?

The iOS world was shaken back in 2019 when security researcher @axi0mX released checkm8, the first BootROM exploit for modern iOS devices since geohot’s release of limera1n back in 2010.

Checkm8 was special because Apple could not patch it. The BootROM, which is the vulnerable component in this case, cannot be updated by Apple after the phone has shipped because it's burned into the silicon forever. This was very good news for jailbreak enthusiasts with an iPhone X or older device.

Shortly after the checkm8 exploit was released, the CheckRa1n team started building the CheckRa1n jailbreak, a semi-tethered, computer-based jailbreak that technically cannot be patched by Apple, or so we thought. iOS 12, iOS 13, and iOS 14 up to the latest iOS 14 version (14.8) enjoyed jailbreak after jailbreak because checkra1n was often already compatible with a new update by the time it was released.

It was a new golden era for jailbreaking.

Why doesn’t CheckRa1n Work on iOS 15 and Will it Ever Work Again?

You can imagine Apple was not exactly happy with an unpatchable jailbreak for their latest iOS versions. Even more so considering that iOS 15 kept supporting the checkra1n-compatible devices until iOS 16 Developer Beta 1 was released.

Even as of iOS 16 Developer Beta 1, some CheckRa1n-compatible devices are still supported and receive iOS 16, such as the iPhone X, iPhone 8, and iPhone 8 Plus.

In iOS 15, Apple decided to step up their game by introducing a sealed ROOT File System. The System partition doesn't really have any reason to be Read / Write; it can be Read-Only and the device will still work.

In fact, here’s how the iPhone storage works:

  • System Partition / ROOT FS – This contains the operating system itself, with all the necessary binaries: daemons, default apps, etc. These files don't need to change in order to work, so this partition can easily be Read-Only.
  • User Partition / VAR Partition (/dev/disk0s1s2) – This is where everything related to the user is kept: installed applications, settings, application data, Activation Tickets, Carrier Bundles, everything.

The System partition was never Read / Write on modern iOS, because it didn't need to be, but jailbreaks easily patched things up and then called mount() on that partition to make it Read / Write. The device wouldn't complain and you could use the partition normally.

Traditionally, all jailbreaks placed files here, including the main jailbreak binaries that allow the jailbreak tweaks and Cydia to work, such as apt, dpkg, standard UNIX binaries, etc. Cydia was also installed directly into /Applications, which is a path reserved for the default system applications, like Weather, FaceTime, Notes, etc.

Installed tweaks from Cydia were also traditionally put in /Library/MobileSubstrate/DynamicLibraries, which is also a path belonging to the System Partition.

With iOS 15, the technique used to remount the System Partition and make it writeable is dead. Attempting to remount would cause the device to panic and reboot, and it may even cause a bootloop.
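Because the Read / Write remount is exactly what the seal defends against, a device-integrity tool (the kind of check an anti-malware utility for jailbroken devices performs) wants to tell, from the mount table alone, whether / is still sealed and read-only and which partition a given path would land on. The following is an added example, not code from this post or from the checkra1n project. The `mount` output it parses is constructed to resemble BSD-style mount(8) lines as printed on iOS; the exact option flags vary by iOS version, and only the `read-only` and `sealed` flags are relied on here.

```python
"""Audit a mount table for root-filesystem tampering (added example)."""
import re
from dataclasses import dataclass

# BSD mount(8) line: "<device> on <mountpoint> (<opt>, <opt>, ...)"
MOUNT_LINE = re.compile(r"^(?P<dev>\S+) on (?P<mnt>\S+) \((?P<opts>[^)]*)\)$")

# Constructed sample resembling a stock iOS 15 device: sealed, read-only root.
STOCK_IOS15 = """\
/dev/disk0s1s1 on / (apfs, sealed, local, read-only, journaled, noatime)
devfs on /dev (devfs, local, nobrowse)
/dev/disk0s1s2 on /private/var (apfs, local, journaled, noatime, protect)
/dev/disk0s1s3 on /private/var/hardware (apfs, local, journaled, noatime, nobrowse)
"""

# Constructed sample of a device whose root FS was remounted read/write the
# pre-iOS 15 way: the seal and read-only flags are gone.
REMOUNTED_ROOT = """\
/dev/disk0s1s1 on / (apfs, local, journaled, noatime)
/dev/disk0s1s2 on /private/var (apfs, local, journaled, noatime, protect)
"""


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    options: frozenset


def parse_mount_table(text):
    """Parse mount(8)-style lines; lines in another format are skipped."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        opts = frozenset(o.strip() for o in m.group("opts").split(","))
        mounts.append(Mount(m.group("dev"), m.group("mnt"), opts))
    return mounts


def mount_for_path(mounts, path):
    """Longest-prefix match: the mount a path lives on (None if no root mount)."""
    best = None
    for mnt in mounts:
        mp = mnt.mountpoint
        prefix = mp if mp.endswith("/") else mp + "/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best.mountpoint):
                best = mnt
    return best


def root_fs_findings(mounts):
    """List the integrity problems visible on the root filesystem mount."""
    root = mount_for_path(mounts, "/")
    if root is None:
        return ["no root filesystem mount found"]
    findings = []
    if "read-only" not in root.options:
        findings.append("root filesystem is mounted read/write")
    if "sealed" not in root.options:
        findings.append("root filesystem is not sealed")
    return findings


def partition_of(mounts, path):
    """Mountpoint a path would be written to, e.g. '/' vs '/private/var'.

    Note: on iOS /var is a symlink to /private/var; resolve symlinks before
    calling this on a live device. The sample paths here are already canonical.
    """
    mnt = mount_for_path(mounts, path)
    return mnt.mountpoint if mnt else None


if __name__ == "__main__":
    for label, table in (("stock", STOCK_IOS15), ("remounted", REMOUNTED_ROOT)):
        mounts = parse_mount_table(table)
        print(label, "->", root_fs_findings(mounts) or "OK")
    mounts = parse_mount_table(STOCK_IOS15)
    for p in ("/Applications/Cydia.app", "/Library/MobileSubstrate/DynamicLibraries",
              "/private/var/jb/usr/lib"):
        print(p, "lands on", partition_of(mounts, p))
```

Run on the stock sample the audit reports nothing; on the remounted sample it flags both the missing `read-only` and the missing `sealed` flag. The path classifier makes the post's point concrete: the traditional Cydia and tweak locations resolve to the root mount, while anything under /private/var resolves to the user partition, which is why a rootless layout avoids the remount entirely.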

This is not the only problem either!

Starting from iOS 15.3, Apple removed SoftDFU from LLB, which CheckRa1n relied on during the boot process to be able to jailbreak (remember how you used to put the device in DFU mode to jailbreak it?).

According to CheckRa1n developer @siguza, bringing SoftDFU back would require injecting and linking about 200 or so functions back into LLB, which is not feasible.

Does this mean CheckRa1n is dead as of iOS 15?

Not even close.

For the SoftDFU in LLB issue, @siguza said they’ve already refactored CheckRa1n to not need it at all, but it now requires some additional patches. So this issue is more or less dealt with.

For the sealed System Partition / ROOT FS, things are a bit more complicated. The CheckRa1n team has two options here:

  • Option 1: Accept defeat and change CheckRa1n to be Rootless.
  • Option 2: Find a way around the sealed ROOT FS and build a normal CheckRa1n with proper System Partition access.

Both options have their upsides and downsides; let's take a look.

Option 1: Accept defeat and change CheckRa1n to be Rootless.

In the case of option one, they can simply modify CheckRa1n to not require access to the System Partition. This means placing Cydia and the tweaks somewhere in the User Partition which is Read / Write by default. They would need to deal with the Sandbox being annoying, but that’s very simple to do with their level of access.

Tweaks would need to be updated to expect to be dumped into the User Partition instead of the System Partition, but other than that, they would work fine because tweaks almost never do direct file modifications to the System Partition. If they do, they are doing it wrong.

This would require some extensive rewrites to CheckRa1n and would best be done in a separate iOS 15-only build, so that iOS 14 and lower still enjoy full ROOT FS access, but it can definitely be done.

Whether or not it's a desirable way to do it is uncertain, but this has been done before, back in iOS 12 (RootlessJB by Jake James), and it worked well.

Option 2: Find a way around the sealed ROOT FS and build a normal CheckRa1n with proper System Partition access.

This is easier said than done. It would require some extensive patching on the system and while there are ideas on how to do this, the CheckRa1n team doesn’t work on CheckRa1n full time. It seems that this is the option they are going with for now, but it’s a complicated mess.

Bypassing this security mitigation would allow a normal CheckRa1n to be created, with the advantage that tweaks would not need to be updated for a new installation method. But this is a moot point to begin with, because tweaks will need to be updated anyway for Taurine and Unc0ver: if those jailbreaks are ever updated, they will almost certainly be rootless too.

There's also the option to completely nuke the ROOT FS seal and its checks from iOS 15, but that would make the jailbreak fully tethered, meaning the phone would not boot at all unless in jailbroken mode; every reboot would need the computer. There have been such jailbreaks many years back, but they are usually not desired.


By GeoSn0w

An iOS and Jailbreak enthusiast who has been around for quite some time in the community. I've developed my own jailbreaks before and I am currently maintaining iSecureOS, one of the first iOS Anti-Malware tools for jailbroken devices. I also run iDevice Central on YouTube with over 142.000 Subscribers! Thank you for being part of this awesome community.
