Roothide is a type of jailbreak environment focused on evading jailbreak detection. It can be considered a type of rootless. However, in general usage, rootless refers to the jailbreak environment with fixed paths at /var/jb, and roothide refers to the type of environment that exclusively uses randomized paths for the jailbreak.
Location of bootstrap
In roothide, the location of a bootstrap is an implementation detail and is always randomized, so it should not be hardcoded. Currently, existing implementations use a path under /var/containers/Bundle, since it allows non-platform binaries to be executed and does not cause detection problems. External packages are expected to use libroothide to obtain the bootstrap path at runtime.
Evading jailbreak detection
It is important to note that the randomized bootstrap path is merely one of the requisites of evading jailbreak detection. A jailbreak has many other aspects that could potentially be detected as well. So a jailbreak implementing roothide support will need to do more than use the roothide jailbreak environment to make itself undetectable.
Packaging
Roothide packages use a deb Architecture value of iphoneos-arm64e. Despite its name, it has nothing to do with arm64e. The package structure is the same as a rootful package, and dpkg will automatically install the files into the randomized bootstrap path.
Linking and loading libraries
All directories containing a Mach-O should contain a .jbroot symlink pointing to the root of the randomized path. This symlink could be created by dpkg, or by the jailbreak while loading a Mach-O. This way, binaries in the randomized bootstrap path can refer to libraries as such:
@loader_path/.jbroot/usr/lib/libsubstrate.dylib
@loader_path/.jbroot/Library/Frameworks/Cephei.framework/Cephei
jbroot path and real path
A jbroot path is a path rooted from the root directory of the randomized bootstrap path. A real path is a path rooted from the actual root directory of the system.
libroothide
libroothide is a support library that provides support functions and command line tools to convert a jbroot path from/to a real path. This library is intended for software that is specifically designed to run on roothide, such as tweaks compatible with roothide. It is internally used by libvroot, which will be discussed in the next section.
libvroot
libvroot is a library that hooks many path APIs such that it appears that the root of the randomized bootstrap path is at /. It is intended for software in the bootstrap, which is generally not specifically designed to run on a jailbreak environment. As a result, tools in the bootstrap accept jbroot paths instead of real paths. In libvroot, the actual root filesystem can be accessed at /rootfs. For example, a real path of /sbin/launchd is /rootfs/sbin/launchd in libvroot. The libvroot library removes the need to patch all hardcoded paths in all bootstrap software, which would have been highly tedious, and prone to missing out on some paths.
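The mapping between the libvroot view and real paths described above can be modeled as follows. This is an added example, not code from libroothide or libvroot: the function names are hypothetical, the bootstrap root is a constructed placeholder, and the mirrored paths from the File mirroring section are not modeled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder: a real bootstrap root is randomized per install. */
static const char *JBROOT = "/var/containers/Bundle/EXAMPLE-RANDOM-ROOT";

/* True if path equals prefix or lies below it (match on a '/' boundary only). */
static int under(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Hypothetical helper: path as seen by a bootstrap tool -> real path.
 * Returns 0 on success, -1 on a relative path or a too-small buffer. */
int vroot_to_real(const char *vpath, char *out, size_t cap) {
    int n;
    if (vpath[0] != '/') return -1;
    if (under(vpath, "/rootfs")) {          /* escape hatch to the real root */
        const char *rest = vpath + strlen("/rootfs");
        n = snprintf(out, cap, "%s", *rest ? rest : "/");
    } else {                                /* everything else is a jbroot path */
        n = snprintf(out, cap, "%s%s", JBROOT, strcmp(vpath, "/") ? vpath : "");
    }
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hypothetical helper: real path -> path as seen by a bootstrap tool. */
int real_to_vroot(const char *rpath, char *out, size_t cap) {
    int n;
    if (rpath[0] != '/') return -1;
    if (under(rpath, JBROOT)) {             /* inside the bootstrap: strip the root */
        const char *rest = rpath + strlen(JBROOT);
        n = snprintf(out, cap, "%s", *rest ? rest : "/");
    } else {                                /* outside: reachable under /rootfs */
        n = snprintf(out, cap, "/rootfs%s", strcmp(rpath, "/") ? rpath : "");
    }
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char buf[256];
    if (real_to_vroot("/sbin/launchd", buf, sizeof buf) == 0) puts(buf);
    if (vroot_to_real("/usr/lib/libsubstrate.dylib", buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

The boundary check in under() matters when reading paths from tool output: a directory named /rootfsx, or a sibling directory whose name merely begins with the bootstrap root's name, must not be treated as a match.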
File mirroring
Some paths in the randomized bootstrap path are actually symbolic links to a path outside of the bootstrap path. This simplifies the maintenance of jailbreak applications or tweaks.
- (the randomized bootstrap path itself)
- /dev
- /private/preboot
- /var/containers
- /var/mobile/Containers
- /usr/share/misc/trace.codes
- /usr/share/zoneinfo
- /etc/hosts.equiv
- /etc/hosts
- /var/run/utmpx
- /var/db/timezone
- /System/Library/CoreServices/SystemVersion.plist
Ecosystem support
The following software supports roothide:
Package | Support | Notes |
---|---|---|
Sileo | Yes | Only supported in roothide's fork of Sileo |
Zebra | Yes | Only supported in roothide's fork of Zebra |
Theos | Yes | Only supported in roothide's fork of Theos |
ElleKit | Yes | Only supported in roothide's fork of ElleKit |
Dopamine-roothide | Yes | Currently based on Dopamine 1.x |
Serotonin | Yes | This tool supports the roothide environment, but might leave extra details that could potentially be detected by apps. |
Bootstrap | Yes | |