diff --git a/include/libjailbreak/libjailbreak.h b/include/libjailbreak/libjailbreak.h
index 7c2b02f..6337265 100644
--- a/include/libjailbreak/libjailbreak.h
+++ b/include/libjailbreak/libjailbreak.h
@@ -53,5 +53,6 @@ const char* jailbreak_str_pinfo_flag(uint64_t flag);
 xpc_object_t jailbreak_send_jailbreakd_message_with_reply_sync(xpc_object_t xdict);
 xpc_object_t jailbreak_send_jailbreakd_command_with_reply_sync(uint64_t cmd);
 int jailbreak_send_launchd_message(xpc_object_t xdict, xpc_object_t *xreply);
+int jailbreak_get_bmhash_path(char jbPath[150]);
 
 #endif
diff --git a/src/libjailbreak/prebootpath.c b/src/libjailbreak/prebootpath.c
index e163360..00aed92 100644
--- a/src/libjailbreak/prebootpath.c
+++ b/src/libjailbreak/prebootpath.c
@@ -46,3 +46,14 @@ int jailbreak_get_prebootPath(char jbPath[150]) {
     }
     return KERN_SUCCESS;
 }
+
+int jailbreak_get_bmhash_path(char jbPath[150]) {
+    struct utsname name;
+    int ret = uname(&name);
+    if (ret) return errno;
+    if (atoi(name.release) < 20) return ENOTSUP;
+    char bmhash[97];
+    jailbreak_get_bmhash(bmhash);
+    snprintf(jbPath, 150, "/private/preboot/%s", bmhash);
+    return 0;
+}
diff --git a/src/payload/loader/sysstatuscheck.c b/src/payload/loader/sysstatuscheck.c
index 98ef39f..90dd423 100644
--- a/src/payload/loader/sysstatuscheck.c
+++ b/src/payload/loader/sysstatuscheck.c
@@ -13,6 +13,7 @@
 #include <sys/kern_memorystatus.h>
 #include <sys/snapshot.h>
 #include <sys/mount.h>
+#include <sys/stat.h>
 
 uint32_t dyld_get_active_platform(void);
 
@@ -233,6 +234,22 @@ int sysstatuscheck(uint32_t __unused payload_options, uint64_t pflags) {
     } else {
         remove_bogus_var_jb();
         create_var_jb();
+        char fixupPath[150];
+        if (jailbreak_get_prebootPath(fixupPath) == 0) {
+            chown(fixupPath, 0, 0);
+            chmod(fixupPath, 0755);
+            char fixupPath2[160];
+            snprintf(fixupPath2, 160, "%s/..", fixupPath);
+            chown(fixupPath2, 0, 0);
+            chmod(fixupPath2, 0755);
+        }
+        if (jailbreak_get_bmhash_path(fixupPath) == 0) {
+            chown(fixupPath, 0, 0);
+            chmod(fixupPath, 0755);
+        }
+        chown("/private/preboot", 0, 0);
+        chmod("/private/preboot", 0755);
+        
 #ifdef HAVE_SYSTEMWIDE_IOSEXEC
         if (access("/var/jb", F_OK) == 0) {
             fixup_databases();