Languages: English • 日本語
The term "jailbreak" is the process by which some form of arbitrary code execution (usually by spawning of an SSH shell) is obtained by exploiting the kernel (and other protections, such as AMFI, PAC, PPL, KPP, and KTRR - but these do not apply to every software version) of iOS, iPadOS, watchOS, tvOS, audioOS, or bridgeOS. It used to be done by patching /private/etc/fstab to mount the System partition as 'read-write'. This is entirely different from an unlock. Jailbreaking is the first action that must be taken before things like unofficial activation (hacktivation), and unofficial unlocking can be applied.
Older jailbreaks also included modifying the AFC service (used by iTunes to access the filesystem) to give full filesystem access from root. This was later updated to create a new service (AFC2) that allows access to the full filesystem.
Modern jailbreaks modifies kernel variable memory instead of outright patching the kernel, due to restrictions posed by KPP and KTRR, with the exception of checkm8-based jailbreaks.
Note: The legality of jailbreaking your device varies with each country/region. Wikipedia has a summary of legality for some countries.
Types of Jailbreaks
- Tethered: The device must be booted using a computer every time, otherwise it won't boot at all. This type of jailbreak is uncommon. This is because, starting with the iPod touch 2 (new BR) and iPhone 3GS, Apple has signature checks for its bootchain, which includes LLB, iBoot, and the Kernel, meaning a custom bootchain cannot be loaded unless an exploit is used to patch these checks. Example of tethered jailbreaks are 4039, blackra1n, and orangesn0w.
- Semi-tethered: The device must be jailbroken using a computer every time it's rebooted, otherwise it will boot in unjailbroken state. Examples of semi-tethered jailbreaks are opensn0w, geeksn0w, checkra1n, or palera1n. They are similar to tethered jailbreaks in how they jailbreak iOS, but they don't modify iOS' default bootchain - instead sending their own custom one.
- Untethered: Untethered jailbreaks were originally how almost every jailbreak was - run the jailbreak once, and then you're jailbroken for life. They could be installed via Safari with JailbreakMe, or with a computer, using redsn0w, Absinthe, or Pangu. However, these types of jailbreaks started to die out in iOS 9.
- Semi-untethered: Starting with iOS 9, it was no longer easy to make a fully untethered jailbreak, so devs instead created semi-untethered jailbreaks. These jailbreaks are run using an app which jailbreaks the device, but after a reboot, the app will need to be run again - otherwise the device will be unjailbroken. Examples of these are Home Depot, Meridian, unc0ver, Chimera, Taurine, or Dopamine.
Due to Apple limitations, the app must be resigned every week (or every year with a paid developer account). Tools like ReProvision Reborn were created to automate this process. Additionally, with iOS versions compatible with TrollStore, it is possible to permanently sign the jailbreak app so it will never expire.
Jailbreak Tools
Latest firmware and Jailbreak status
For other devices, firmware versions and jailbreak tools, see the versions list below.
Versions
Untethered or semi-untethered jailbreaks are shown with a green 'yes'. Tethered or semi-tethered jailbreaks will be stated in a yellow box. Beta Firmwares are not listed.
Bootstrap
This type of utility is a method that can be used to run some basic app tweaks, with features as a whole being very limited since the kernel is not read/write (not patched).
The only requirements for this type of utility are a CoreTrust bug and a method to install anything with said CoreTrust bug (such as TrollStore).
The main things that are not supported in this type of utility are:
1. Full Tweak Injection support (tweaks like AppSync Unified, Springboard tweaks, and tweaks that modify daemons - which generally requires kernel r/w and other bypasses - will not work - that's why tweak injection libraries such as ElleKit are not functional)
2. Using external terminals (many terminals use kernel r/w methods to run sessions, so only a limited number of terminals - mostly provided by bootstrap tools - are supported)
3. Executing custom LaunchDaemons (Every daemon/service execution was done via launchd binary provided by Apple and signed by Apple - that binary only allows platform binaries to run with those privileges - if the target binary is not platform binary signed by Apple, it will deny execution - CoreTrust bugs cannot exploit this since the kernel will check and verify executions done by launchd binary. That also means that patching this binary directly without patching the kernel first will result in a kernel panic)
The benefits of bootstraps are:
1. The device is closer to a stock environment, and compatibility with apps shouldn't be any worse than just having TrollStore.
2. For the most part, kernel panics should not happen.
Semi jailbreak
Due to restriction posed by KPP, KTRR, PPL, SPTM, TXM and PAC, having kernel r/w alone cannot achieve a jailbreak on arm64e devices. However, with the CoreTrust bypass, it's possible to implement most baseline functionality of the jailbreak.
The following that's not possible with a standard bootstrap is possible:
1. Significantly improved tweak injection support - by using kernel r/w to overwrite /sbin/launchd, it is possible to remove various checks in launchd to allow most custom binaries to be executed.
2. Using LaunchDaemons (also by removing restrictions in launchd).
3. Tweaking applications without needing to reregister them as a system app. (with xpcproxy hook to spawn an alternative executable)