This might seriously be the most significant piece of jailbreak news this year. Finally, a proper Jailbreak Detection Bypass is here that cannot be defeated with a simple app update.

I am, of course, talking about RootHide, a project that was posted a few hours ago on Reddit. According to the developer and the users who took part in beta testing, no app tested with Dopamine Jailbreak and RootHide was able to detect that the device was jailbroken.

According to the users who have beta tested RootHide, everything from banking apps to social media to games and more works even if you are jailbroken. Amazing!

RootHide being announced on Reddit.

Why do apps detect jailbreaks on iOS?

Jailbreaking is completely legal thanks to DMCA exemptions starting in 2010. There really is nothing wrong with customizing your device with custom icons, themes, fonts, and UI changes.

Even so, jailbreaking does involve using security vulnerabilities because Apple just doesn’t want to let you customize the device the way you want.

Jailbreak developers use these security vulnerabilities to disable or temporarily skip various iOS security features in exchange for being able to customize the device, but this leaves users exposed to those same bugs, and usually on an older, outdated iOS version.

Apple has a point; the problem isn’t that. It’s the fact that I should be able to decide whether I want to risk breaking my device or running insecure software.

Why does RootHide work when the other Jailbreak Detection bypasses didn’t?

To better understand why RootHide works, we need to understand the difference between classic jailbreaks and rootless jailbreaks.

A classic jailbreak (up until iOS 14) re-mounts the ROOT File System as Read/Write as part of the jailbreak process. It also drops its base binaries and the installed tweaks and themes in the ROOT File System (aka the System partition).

The way iOS is designed, this partition should not ever be modified by the user. System files, daemons, config files, and the default iOS apps live there and the user data lives in a different partition called VAR.

Important Note: the ROOT File System and the root user / root privileges are not the same thing. A rootless jailbreak still has root privileges, and apps can still run as root. A rootless jailbreak, contrary to popular belief, is not weaker than a normal jailbreak. If you are avoiding rootless jailbreaks because you think they are weaker, you are believing in a myth.

Because of these modifications, it’s very easy for any app to simply test for the existence of certain files. For example, an app can do a quick test to see if Cydia is installed in /Applications/, and if it is, the device is deemed jailbroken.

Some Jailbreak Detection bypass tweaks cleverly hid these jailbreak files when an app tried to check for their existence, so developers introduced different ways to check for a jailbreak. They tested whether tweak injection DYLIBs were loaded into their apps, checked for known config files from Cydia or Sileo, tested their URI schemes, etc.

For many years jailbreak detection was a cat-and-mouse game with most bypasses being specialized on specific apps rather than being a catch-all solution.

In recent years people had success with tools like VNODEBYPASS, KernBypass, ABypass, and Choicy, but even then the success was spotty.

Enter the rootless jailbreaks

Since iOS 15 rolled around, the jailbreak community was faced with a difficult task. Creating a normal jailbreak is no longer possible because attempting to remount the ROOT File System partition as Read / Write causes the device to panic and reboot.

The clever developers in the jailbreak community came up with rootless jailbreaks. This is essentially a normal jailbreak, but instead of remounting the System partition and dumping its files there, it leaves it untouched.

All the jailbreak files, tweaks, themes, and configs, are placed in the User partition which is mostly Read / Write to begin with. A quick Sandbox escape and you can read and write to any path in the User (VAR) partition.

Of course, tweaks and tools had to be updated to expect to be loaded from VAR instead of the System partition, but once those updates were done, the jailbreaks built on this paradigm worked pretty well (see PaleRa1n and Dopamine Jailbreak).
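To make the detection side concrete, here is an added example (not code from the original post, and not RootHide’s or Dopamine’s own code) of the kind of checks an app performs: the file-existence test described above, extended to the rootless layout, plus a sandbox write probe and, on Apple platforms, a scan of the process’s loaded images for a hooking framework. It is written against plain POSIX so it compiles on a desktop; the artefact paths and library name fragments are illustrative assumptions (the /var/jb prefix is assumed for rootless jailbreaks), and the temporary fixture tree is constructed purely for demonstration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

/* Illustrative artefact paths (assumptions of this example, not an exhaustive
 * list). Classic jailbreaks drop files in the ROOT file system; rootless ones
 * are assumed to use the /var/jb prefix inside the VAR partition. */
static const char *const kClassicArtifacts[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/etc/apt",
};
static const char *const kRootlessArtifacts[] = {
    "/var/jb",
    "/var/jb/Applications/Sileo.app",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

enum { JB_CLASSIC_FILES = 1, JB_ROOTLESS_FILES = 2, JB_SANDBOX_WRITE = 4, JB_HOOK_LIBRARY = 8 };

/* Count how many of `paths` exist beneath `root` ("" for the real filesystem).
 * The prefix lets the same code be exercised against a throwaway test tree. */
size_t count_existing(const char *root, const char *const *paths, size_t n) {
    char full[PATH_MAX];
    struct stat st;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(full, sizeof full, "%s%s", root, paths[i]);
        if (stat(full, &st) == 0) hits++;
    }
    return hits;
}

/* Sandbox probe: a sandboxed app should be refused when it tries to create a
 * file outside its container. Returns 1 if the create succeeded (the file is
 * removed again), 0 if it was refused. */
int can_write_outside_sandbox(const char *probe_path) {
    int fd = open(probe_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    unlink(probe_path);
    return 1;
}

/* Scan the images mapped into this process for a hooking framework name
 * (assumed fragments). Only meaningful on Apple platforms; elsewhere it
 * reports nothing. */
int hook_library_loaded(void) {
#ifdef __APPLE__
    static const char *const kNeedles[] = { "MobileSubstrate", "substitute", "ellekit" };
    for (uint32_t i = 0; i < _dyld_image_count(); i++) {
        const char *name = _dyld_get_image_name(i);
        for (size_t j = 0; name && j < COUNT(kNeedles); j++)
            if (strstr(name, kNeedles[j])) return 1;
    }
#endif
    return 0;
}

/* Combine the individual signals into a bitmask of the enum values above. */
int jailbreak_indicators(const char *root, const char *probe_path) {
    int flags = 0;
    if (count_existing(root, kClassicArtifacts, COUNT(kClassicArtifacts)) > 0)
        flags |= JB_CLASSIC_FILES;
    if (count_existing(root, kRootlessArtifacts, COUNT(kRootlessArtifacts)) > 0)
        flags |= JB_ROOTLESS_FILES;
    if (can_write_outside_sandbox(probe_path)) flags |= JB_SANDBOX_WRITE;
    if (hook_library_loaded()) flags |= JB_HOOK_LIBRARY;
    return flags;
}

/* Constructed desktop fixture (not a real device): a temp tree holding one
 * classic and one rootless artefact. Created once; later calls reuse it. */
const char *fixture_root(void) {
    static char root[] = "/tmp/jbcheckXXXXXX";
    static int ready = 0;
    char p[PATH_MAX];
    if (ready) return root;
    if (!mkdtemp(root)) return NULL;
    snprintf(p, sizeof p, "%s/Applications", root);           mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/Applications/Cydia.app", root); mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/var", root);                    mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/var/jb", root);                 mkdir(p, 0700);
    ready = 1;
    return root;
}

int main(void) {
    int live = jailbreak_indicators("", "/nonexistent_dir_jbcheck/probe");
    int demo = jailbreak_indicators(fixture_root(), "/nonexistent_dir_jbcheck/probe");
    printf("live filesystem indicators: 0x%x\n", live);
    printf("fixture tree indicators:    0x%x\n", demo);
    return 0;
}
```

Each of these probes is exactly the kind of signal a file-hiding or injection-blocking bypass tweak is built to defeat, which is why the article treats them as a cat-and-mouse game: a hit is evidence, not proof, and a clean result says nothing when the jailbreak itself controls what the process can see.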

RootHide is like no other jailbreak detection bypass

All the rest of the available bypasses are tweaks that you load after the jailbreak itself finishes loading. Being tweaks, they can’t really interact with the jailbreak proper and rather attempt to block file visibility, selectively disable tweak injection, etc.

RootHide is not a tweak. RootHide is built into the jailbreak. It’s actually integrated inside Dopamine’s code which means it can be aware of what the jailbreak is doing and control the jailbreak to effectively make it invisible when needed.

Since RootHide is built into the jailbreak tool’s code, you can imagine this as the jailbreak being able to hide itself, instead of relying on a third-party tweak to attempt it.

The result: All apps tested were not able to tell that the testers had Dopamine Jailbreak running. NONE of them.

Does RootHide work with any jailbreak?

Since RootHide is not a tweak, but rather it gets integrated into the jailbreak code, the biggest drawback with it is that it requires either the jailbreak to be open-source (so that the code can be added), or the jailbreak developer to manually integrate it in their closed-source tool.

According to the developer, any rootless jailbreak can be integrated with RootHide at the code level. Since we can make rootless jailbreaks for any iOS version for which we could make a traditional jailbreak, in theory you can have support all the way down to iOS 12 or so, provided the jailbreak developers cooperate (or the jailbreaks are open-source).

The way RootHide works is by minimizing the jailbreak’s changes to the system, rather than using injection/modifications/patches/hooks like other tweaks do.

Where can I find RootHide?

RootHide is currently free and open-source in Beta on GitHub. For now, they are still working on improving it, but you should be able to test it if you have a Dopamine Jailbreak-supported device / iOS version.

For now, just Dopamine is supported because expanding support requires other jailbreak developers to cooperate. You can also follow the Twitter account for the project here. You can follow us too for more news while you’re at it.
