Category: iOS

Apple iOS/tvOS and macOS related articles and how to tutorials. Including jailbreaks, app dev, and security.

Installing Mac OS X 10.6 Snow Leopard (Retail) On Parallels Desktop

Background

Due to agreements with Apple, installation of unsupported OS's is intentionally blocked via the Parallels virtualizer. OS X 10.6 SERVER is supported though. We can trick this check by adding a single .plist file to the installation media.

Tutorial

Download the 10.6 Snow Leopard ISO

https://archive.org/details/mac-os-x-10.6-snow-leopard-retail

Once it's downloaded, mount the ISO with a double click. You should see the mounted volume appear.

Open a Terminal.

nano /Volumes/Mac\ OS\ X\ Install\ DVD/System/Library/CoreServices/ServerVersion.plist

Paste in the following (from OS X Server 10.6)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>ProductBuildVersion</key>
        <string>10A433</string>
        <key>ProductCopyright</key>
        <string>1983-2009 Apple Inc.</string>
        <key>ProductName</key>
        <string>Mac OS X Server</string>
        <key>ProductUserVisibleVersion</key>
        <string>10.6</string>
        <key>ProductVersion</key>
        <string>10.6</string>
</dict>
</plist>

This will create the required ServerVersion.plist; writing it will be on the installation media. There is no need to make a new image to apply these changes. Just Ctrl+X, Y, Enter to write the file.

Note: The installer/setup will say "Mac OS X Server" but you are actually running the retail OS X Snow Leopard installer. It's just the text.

Next, install from that ISO. Parallels Desktop -> New Virtual Machine -> "Install Windows, Linux, or macOS from an image file" -> Choose Manually -> "Mac_OS_X_10.6_Snow_Leopard_Retail.iso" -> Boot and Install

After the installation finishes you have one more thing to do. You need to copy the the ServerVersion.plist over to the boot drive.

Shutdown the VM -> Change the Boot Order to CD/DVD -> Boot Back into the Installer -> Utilities -> Terminal

cp /Volumes/Mac\ OS\ X\ Install\ DVD/System/Library/CoreServices/ServerVersion.plist /Volumes/Macintosh\ HD/System/Library/CoreServices/

Shutdown, Swap the boot order back to HDD first

Once it's finished installing, you're good to go. Boot it up as you would with any other VM and install the Parallels Tools. About This Mac will report that its Server 10.6 but you still get the Stock Retail experience.

Tools for 10.6 from Parallels Desktop 18.0 - https://github.com/downthecrop/misc/blob/main/prl-tools-mac.iso.zip

Note: Written January 29th, 2026, Parallels Desktop 20.4.0, Mac mini i7 Late 2014

How To: Reverse Engineer Any Private API (iOS/Android and Desktop)

Have you ever wanted to access data from an application that doesn't provide a Public API? Well I've got great news. That application is getting its data from somewhere. You just need to find out how to plug into it! This process is called Reverse Engineering (Or hacking if you want to pretend you're really smart) a Private API. I will document some tips and useful tools that will help you reverse any Private API from any application on any platform.

Reverse Engineer any Private API - Watch the YouTube video here! https://youtu.be/RchCi6E2hVs

Tools

There are a handful of tools that can be used to complete this task. Windows 10 was my platform of choice for working with the data so I'll be sharing what I used on here.

Fiddler: Fiddler is an HTTP/HTTPS Proxy that can be used to intercept and decrypt SSL/HTTPS traffic. This application is also useful for replaying requests, creating custom request, and exporting a request as cURL to be converted into Python 3. Fiddler is free to use, just sign in with your Google Account! Make sure you install the certificate and enable HTTPS mode so you don't miss any requests. https://www.telerik.com/fiddler

MitM Proxy: Man in the Middle Proxy is a great way to read data from Smart Phone Applications. This is what I used to get all the data I needed for my API reversal. Simply download the executable from https://mitmproxy.org/ to start up a server (disable your firewall or open port 8080) and then enter your PC's IP address into the Proxy Server settings of your Phones WiFi settings. After that navigate to http://mitm.it/ on your Phone and install the provided certificate. Follow the provided instructions on http://mitm.it/ and start sniffing!

Tips

Create a text document to save all your finding and especially any useful URL endpoints you find. Having your information organized will help to ensure that you don't waste time on the same thing twice or need to proxy your device over and over again to find what a request should look like.

For more information and an example of the API reversed you can watch my YouTube tutorial here.

Jailbreak iOS device with Android Phone – One Tap checkra1n TWRP App

One tap to jailbreak iOS with Android (checkra1n TWRP)
One tap to jailbreak iOS with Android (checkra1n TWRP) - Watch my video guide here!

Download on GitHub: checkra1n TWRP: Jailbreak iOS with Android

Long time no see iOS/Android enthusiasts. I wanted to share a useful app I created to automated the process of running checkra1n for arm64 (Android Phone/Tablet) in TWRP (Team Win Recovery Project). This is a fully open source program (excluding the checkra1n binary) licensed under Zero Clause BSD. View it on GitHub here.

TWRP has a built in functionality to queue commands for the next recovery boot. These commands are located in /cache/recovery/command which is just a text file that TWRP reads. This is the same functionality that allows Over The Air (OTA) updates for custom ROMs to boot and reflash themselves.

Using this queue system the checkra1n TWRP app copies an Open Recovery Script (flashable .zip) to /data/checkra1n/checkra1n.zip and boots to recovery by invoking reboot recovery. The included checkra1n.zip then executes and boots back to system reboot system after the checkra1n log message of [*]: All Done is received.

This will not increase the comparability of checkra1n for Android devices but my 2015 Nexus 5X and 2018 Mi Mix 3 both run this application flawlessly. If you were already using your Android device to run checkra1n this should make things easier for you as you don't need to interact with a shell at all on invoke/remember commands.

To flash the .zip within TWRP without running the app, which is useful if you leave your Android turned off until you need it for a retether, you can find the flashable Open Recovery Script in /data/checkra1n/ and flash it from the Install menu within TWRP.

Happy jailbreaking! (please report bugs on the Github Bug Tracker)

Edit: Removed from Google Play for TOS https://github.com/downthecrop/checkra1n-twrp/issues/3

If you would rather run the binary directly you can follow my old guide here: https://downthecrop.xyz/blog/jailbreak-ios-device-with-android-phone-checkra1n-for-android-tutorial/

Jailbreak iOS device with Android Phone – checkra1n for Android Tutorial

How to run checkra1n on Android to jailbreak iOS - Watch my video guide here!

Edit : 9/9/2020 I've made an app to easily run the required commands! Check out my updated guide here: https://downthecrop.xyz/blog/jailbreak-ios-device-with-android-phone-checkra1n-twrp-app/

Did you know you can use an Android Phone to jailbreak iOS using checkra1n? Here's the step by step guide and tutorial to explain how to run checkra1n on Android.

  • Rooted Android device
  • USB-C to USB-A Adapter
  • Lightning cable
  • TWRP Custom Recovery

When you have gathered the supplies navigate to the official checkra1n website and download the lastest arm64 Linux binary of checkra1n

https://checkra.in/

Note the location you downloaded the file to. You will need to know the absolute path the file is located so you can execute it from a terminal command line.

Once you have the file downloaded boot your Android phone into Custom Recovery. Running the tool from Custom Recovery instead of directly inside Android you don't need to worry about a conflict between different processes fighting over the USB controller. I wasn't able to run checkra1n from a fully booted Android 10 but I was able to run it from Custom Recovery! Your luck may vary but Custom Recovery is the most reliable option.

Open a Terminal in Custom Recovery (TWRP 3.3.1-17 was used in my video) and change directory to where you saved checkra1n

cd /sdcard/Download

Next we need to add the execute flag to the binary so it can be run as a program

chmod +x checkra1n

Finally we can run checkra1n from Android

./checkra1n -c -v

Connect your iOS device using your USB-C to USB-A adapter and your Lightning cable.

Now we need to manually enter DFU mode on our iOS device. This is done differently on different devices so if you are unsure just look up "How to put iPhone X into DFU mode" replacing iPhone X with your model and you should find some button combinations to enter DFU.

If you have successfully put your iOS device into DFU and it is connected to your Android Phone running checkra1n the program should recognize the DFU mode USB device and run the exploit!

For a complete step by step guide of using the new checkra1n for Android you can follow my YouTube guide here

checkra1n Linux Live USB (Minimal Linux)

When it was first announced that the iOS and tvOS jailbreaking tool checkra1n would get an official release I had a new idea for a project. An absolute bare-bones minimal Linux environment that could be used to kick start your device back to a jailbroken state. The original goal of the project was to keep the complete ISO file including Linux 5.4 and the latest checkra1n binary under 50MB. I was unable to squeeze in under my goal but the total required disk size for install is 64MB. Still substantially smaller than any other live environment with a modern Linux Kernel. Read more about my project or download from my GitHub page downthecrop/checkra1n-linux

EDIT: Version 0.9.8.2 has been reduced in size to 44MB and boot times have been reduced! Please update if you are using 0.9.8

Installation Guide

Writing Instrutions:
Download Rufus: https://rufus.ie/
Burn to USB Flash Drive or CD/DVD

When booting please wait for the timeouts of both prompts to ensure correct mounting.

You can run checkra1n again while in Linux with #: ./checkra1n or #: ./checkra1n -c

Write using DD mode instead of ISO mode.

Want to jailbreak iOS using your Android phone? Check out my checkra1n Android TWRP app here: https://downthecrop.xyz/blog/jailbreak-ios-device-with-android-phone-checkra1n-twrp-app/