Jailbreak

From The Apple Wiki

The term "jailbreak" is the process by which some form of arbitrary code execution (usually by spawning of an SSH shell) is obtained by exploiting the kernel (and other protections, such as AMFI, PAC, PPL, KPP, and KTRR - but these do not apply to every software version) of iOS, iPadOS, watchOS, tvOS, audioOS, or bridgeOS. It used to be done by patching /private/etc/fstab to mount the System partition as 'read-write'. This is entirely different from an unlock. Jailbreaking is the first action that must be taken before things like unofficial activation (hacktivation), and unofficial unlocking can be applied.

Older jailbreaks also included modifying the AFC service (used by iTunes to access the filesystem) to give full filesystem access from root. This was later updated to create a new service (AFC2) that allows access to the full filesystem.

Modern jailbreaks modifies kernel variable memory instead of outright patching the kernel, due to restrictions posed by KPP and KTRR, with the exception of checkm8-based jailbreaks.

Note: The legality of jailbreaking your device varies with each country/region. Wikipedia has a summary of legality for some countries.

Types of Jailbreaks

Tethered : The device must be booted using a computer every time, otherwise it won't boot at all. This type of jailbreak is uncommon. This is because, starting with the iPod touch 2 (new BR) and iPhone 3GS, Apple has signature checks for its bootchain, which includes LLB, iBoot, and the Kernel, meaning a custom bootchain cannot be loaded unless an exploit is used to patch these checks. Example of tethered jailbreaks are 4039, blackra1n, and orangesn0w.

Semi-tethered : The device must be jailbroken using a computer every time it's rebooted, otherwise it will boot in unjailbroken state. Examples of semi-tethered jailbreaks are opensn0w, geeksn0w, checkra1n, or palera1n. They are similar to tethered jailbreaks in how they jailbreak iOS, but they don't modify iOS' default bootchain - instead sending their own custom one.

Untethered : Untethered jailbreaks were originally how almost every jailbreak was - run the jailbreak once, and then you're jailbroken for life. They could be installed via Safari with JailbreakMe, or with a computer, using redsn0w, Absinthe, or Pangu. However, these types of jailbreaks started to die out in iOS 9.

Semi-untethered : Starting with iOS 9, it was no longer easy to make a fully untethered jailbreak, so devs instead created semi-untethered jailbreaks. These jailbreaks are run using an app which jailbreaks the device, but after a reboot, the app will need to be run again - otherwise the device will be unjailbroken. Examples of these are Home Depot, Meridian, unc0ver, Chimera, Taurine, or Dopamine. Due to Apple limitations, the app must be resigned every week (or every year with a paid developer account). Tools like ReProvision Reborn were created to automate this process. Additionally, with iOS versions compatible with TrollStore, it is possible to permanently sign the jailbreak app so it will never expire.

Bootstrap

This type of jailbreak is like between untethered and semi-untethered jailbreak in which when the device reboots, it stays jailbroken, but the key differences are that even without patched kernel, jailbreak bootstrap works without PC required and the jailbreak bootstrap features are very limited since the kernel is not RW (not patched). To get access to jailbreak apps, run bootstrap tool and with clicking the bootstrap button it will add all jb installed apps to the screen thanks to uicache command provided by it.

Some bootstrap tools are working on keeping apps on the screen even after reboots so that user don't need to open the app to access to all jb apps.

The only requirements are a CoreTrust bug (such as CoreTrust v2) and a Trollstore installation method (such as MacDirtyCow).

The things that are not supported in this type of jailbreak is:

1. Full Tweak Injection support (tweaks like AppSync Unified and similar that requires kernel rw and other bypasses will not work - that's why ElleKit cannot be used but it can be installed anyway, but it's not useable)

2. Using external terminals (many terminals are using kernel rw method to run session so only limited number of terminals, mostly provided by bootstrap tools are supported)

3. Using real unpatched sudo and su (sudo and su are compiled in the way that they also requires other bypasses and kernel rw to work since root sessions and services are started in kernel rw, not in userspace - that's why most bootstrap tools provides their custom versions of su and sudo that will run root sessions in userspace)

4. Executing custom LaunchDaemons (Every daemon/service execution was done via launchd binary provided by Apple and signed by Apple - that binary only allows platform binaries to run with those privileges - if the target binary are not platform binary signed by Apple, it will deny execution - CoreTrust bug cannot exploit this since kernel are checking and verify executions done by launchd binary. That also means that patching this binary directly without patching the kernel first will result in panic reboot)

The benefits of bootstraps are:

1. Since it doesn't patching the kernel the device is more stock and it's compatibility with apps and security will not be broken

2. No kernel panics can happen, much more safe for beginners

Semi jailbreak

Due to restriction posed by KPP, KTRR, PPL, SPTM, TXM and PAC, having kernel r/w alone cannot achieve a jailbreak on arm64e devices. However, with the CoreTrust bypass, it's possible to implement most parts of the jailbreak.

The following that's not possible in a bootstrap is possible:

1. (Mostly) full tweak injection support - by using kernel r/w to overwrite /sbin/launchd, it is possible to remove various checks in launchd to allow custom binaries to be executed.

2. Using LaunchDaemons - also by removing restrictions in launchd.

3. Kernel panics can happen, though generally rare after initialization.

4. Tweak applications without reregistering them as a system app. (with xpcproxy hook to spawn an alternative executable)

Jailbreak Tools

Latest firmware and Jailbreak status

Devices Latest firmware Last Jailbreakable Firmware Tool
iPhone 15, iPhone 15 Plus, iPhone 15 Pro, iPhone 15 Pro Max 17.4 No Jailbreak tool
iPad mini (6th generation), iPad Pro (11-inch) (4th generation), iPad Pro (12.9-inch) (6th generation), iPhone 13 mini, iPhone 13, iPhone 13 Pro, iPhone 13 Pro Max, iPhone SE (3rd generation), iPhone 14, iPhone 14 Plus, iPhone 14 Pro, iPhone 14 Pro Max 16.5 Dopamine
iPad (8th generation), iPad (9th generation), iPad (10th generation), iPad Air (3rd generation), iPad Air (4th generation), iPad Air (5th generation), iPad mini (5th generation), iPad Pro (11-inch), iPad Pro (12.9-inch) (3rd generation), iPad Pro (11-inch) (2nd generation), iPad Pro (12.9-inch) (4th generation), iPad Pro (11-inch) (3rd generation), iPad Pro (12.9-inch) (5th generation), iPhone XR, iPhone XS, iPhone XS Max, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, iPhone SE (2nd generation), iPhone 12 mini, iPhone 12, iPhone 12 Pro, iPhone 12 Pro Max 16.5.1 Dopamine
iPad (6th generation), iPad (7th generation), iPad Pro (12.9-inch) (2nd generation), iPad Pro (10.5-inch) 17.4 palera1n
iPad (5th generation), iPad Pro (12.9-inch), iPad Pro (9.7-inch), iPhone 8, iPhone 8 Plus, iPhone X 16.7.6 (supported) palera1n
iPad Air 2, iPad mini 4, iPhone SE (1st generation), iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPod touch (7th generation) 15.8.2 (supported) palera1n, Dopamine (A9+) or meowbrek2
iPad Air, iPad mini 2, iPad mini 3, iPhone 5s, iPhone 6, iPhone 6 Plus, iPod touch (6th generation) 12.5.7 (possibly supported) checkra1n or Chimera
iPad (4th generation), iPhone 5, iPhone 5c 10.3.3 or 10.3.4 (obsolete) h3lix or kok3shiX or socket
iPad 2, iPad (3rd generation), iPad mini, iPhone 4S, iPod touch (5th generation) 9.3.5 or 9.3.6 (obsolete) Phœnix or p0laris or kok3shi9 or openpwnage or Blizzard
iPhone 4 7.1.2 (obsolete) Pangu
iPhone 3GS, iPod touch (4th generation) 6.1.6 (obsolete) p0sixspwn
iPad (1st generation), iPod touch (3rd generation) 5.1.1 (obsolete) redsn0w or Absinthe
iPhone 3G, iPod touch (2nd generation) 4.2.1 (obsolete) redsn0w
iPhone (1st generation), iPod touch (1st generation) 3.1.3 (obsolete)

For other devices, firmware versions and jailbreak tools, see the versions list below.

Versions

Untethered or semi-untethered jailbreaks are shown with a green 'yes'. Tethered or semi-tethered jailbreaks will be stated in a yellow box. Beta Firmwares are not listed.

See Also