Untethered Jailbreak | iOS 9.3.5

In late 2017, whispers began on Reddit and Twitter. A developer known as S0rryMyBad (also known as Jacky C) demonstrated a true untethered jailbreak for iOS 9.3.5 running on an iPhone 4s. The community went wild.

The exploit supposedly used a race condition in the XNU kernel combined with a persistent code-signing bypass. For approximately two weeks, the dream was alive.

However, the developer never released the tool publicly. Citing "undisclosed security research" and potential resale value to bounty programs, the untether remained behind closed doors. To this day, no public, one-click untethered jailbreak for iOS 9.3.5 exists.

The hero of this story is Siguza, a German security researcher, who released the Phœnix untethered jailbreak for iOS 9.3.5 in late 2017. The core of Phœnix was not a new zero-day but a masterful exploitation of an older, misunderstood bug: CVE-2017-6979 (the “offsets” bug), combined with an additional kernel vulnerability (v0rtex). However, the key to the untethered nature lay in the persistence mechanism.

Siguza’s approach was a callback to earlier, more hardware-agnostic methods. He exploited a vulnerability in the way iOS handles resource properties (specifically in IOKit), allowing for an arbitrary read/write primitive in the kernel. But to make it untethered, he bypassed KPP not by patching the kernel directly—which KPP would detect on the next reboot—but by patching the kernel’s data structures in memory only and then forcing a specific system daemon (which runs as root) to load a dynamic library. More importantly, the jailbreak embedded a bootstrap script into the filesystem that would be executed by launchd (the init process) early in the boot cycle. This script would then re-trigger the IOKit exploit before KPP had fully armed itself.

The breakthrough was the “off-by-one” in the kernel’s task suspension logic. By carefully corrupting a single byte in a kernel map structure, Siguza could cause the kernel to skip certain security checks during the next boot. This is the hallmark of an untethered jailbreak: a tiny, persistent corruption that allows the full exploit chain to run again automatically.

Note: This does not actually downgrade; it upgrades you to 9.3.6 and patches the kernel.

In the annals of Apple’s mobile operating system history, iOS 9.3.5 occupies a unique and infamous position. Released in August 2016, it was not a feature-rich update but a panicked security patch. The update closed a chain of three zero-day vulnerabilities (collectively known as “Trident”) that had been actively used to deploy the Pegasus spyware against a single human rights activist in the UAE. For most users, iOS 9.3.5 was a mandatory security fortress. Yet, for the jailbreak community, it became a holy grail—a heavily fortified system that seemed impervious to public exploits. The eventual release of an untethered jailbreak for iOS 9.3.5, spearheaded by developer Siguza and the team at Phœnix, represents not just a technical triumph but a watershed moment marking the end of an era in iOS exploitation.

| Type | Boot Requirement | Persistence |
|------|------------------|-------------|
| Untethered | Device boots directly into jailbroken state. No computer or re-application needed. | Survives full power cycles. |
| Semi-Untethered | Boots into stock iOS. Must re-run an app (e.g., Phoenix, kok3shi9) to re-enable jailbreak after each reboot. | Lost after reboot. |
| Tethered | Requires computer to boot every single time. | Device won't boot at all without computer. |

The last untethered jailbreak for any modern-ish iOS was Pangu9 for iOS 9.0-9.1 (released 2015). Since then, Apple has systematically killed the primitives that enable untethered persistence.