Difference between revisions of "Jailbreak"

From The iPhone Wiki
Jump to: navigation, search
m (Exploits which are used in order to jailbreak 6.x)
m (Versions: add 16.x)
 
(733 intermediate revisions by 30 users not shown)
Line 1: Line 1:
 
{{float toc|right}}
 
{{float toc|right}}
This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching [[/private/etc/fstab]] to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.
+
The term "'''jailbreak'''" is the process by which full execute and write access is obtained on all the partitions of iOS, iPadOS, tvOS and watchOS. It used to be done by patching [[/private/etc/fstab]] to mount the System partition as 'read-write'. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial [[unlock]]ing can be applied.
   
The original jailbreak also included modifying the [[AFC]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC]]2) that allows access to the full filesystem.
+
Older jailbreaks also included modifying the [[AFC]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC]]2) that allows access to the full filesystem.
   
Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.
+
Modern jailbreaks now include patching the kernel to get around code signing and other restrictions. These are called [[Kernel Patches]].
   
  +
'''Note''': The legality of jailbreaking your device varies with each country/region. [[wikipedia:iOS jailbreaking#Legality|Wikipedia has a summary of legality for some countries]].
NOTE: Jailbreaking [[iPad]]s is now illegal in the USA. See [http://is.gd/vkAVQK this post] for details.
 
   
  +
== Types of Jailbreaks ==
== Exploits which were used in order to jailbreak 1.x ==
 
  +
When a device is booting, it loads Apple's own [[kernel]] initially, so a jailbroken device must be exploited and have the kernel patched each time it is booted up.
=== 1.0.2 ===
 
* [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem)
 
=== 1.1.1 ===
 
* [[Symlinks]] (an upgrade jailbreak)
 
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]])
 
=== 1.1.2 ===
 
* [[Mknod]] (an upgrade jailbreak)
 
=== 1.1.3 / 1.1.4 / 1.1.5 ===
 
* [[Soft Upgrade]] (an upgrade jailbreak)
 
* [[Ramdisk Hack]]
 
* [[Dual Boot Exploit]] - Works up to [[iOS]] 2.0 beta 3
 
* [[diags]] - Works up to [[iOS]] 2.0 beta 5
 
   
  +
An [[untethered jailbreak|'''untethered''' jailbreak]] uses exploits that are powerful enough to allow the user to turn their device off and back on at will, with the device starting up completely, and the kernel will be patched without the help of a computer – in other words, it will be jailbroken even after each reboot.
== Exploits which are used in order to jailbreak 2.x ==
 
=== 2.0 / 2.0.1 / 2.0.2 / 2.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]]
 
=== 2.1.1 ===
 
* [[ARM7 Go]] ([[tethered jailbreak]])
 
=== 2.2 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
=== 2.2.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] + [[ARM7 Go]] (from iOS 2.1.1) ([[n72ap|iPod touch 2G]])
 
   
  +
However, some jailbreaks are [[tethered jailbreak|'''tethered''']]. A tethered jailbreak is only able to temporarily jailbreak the device during a single boot. If the user turns the device off and then boots it back up without the help of a jailbreak tool, the device will no longer be running a patched kernel, and it may get stuck in a partially started state, such as [[Recovery Mode]]. In order for the device to start completely and with a patched kernel, it must be "re-jailbroken" with a computer (using the "boot tethered" feature of a tool) each time it is turned on. All changes to the files on the device (such as installed package files or edited system files) will persist between reboots, including changes that can only function if the device is jailbroken (such as installed package files).
== Exploits which are used in order to jailbreak 3.x ==
 
=== 3.0 / 3.0.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ( [[n72ap|iPod touch 2G]])
 
* [[Pwnage]] + [[iBoot Environment Variable Overflow]] ([[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] + [[iBoot Environment Variable Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]])
 
=== 3.1 / 3.1.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]])
 
* [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
=== 3.1.2 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], and [[n18ap|iPod touch 3G]])
 
* [[0x24000 Segment Overflow]] + [[usb_control_msg(0x21, 2) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])
 
=== 3.1.3 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together for [[untethered jailbreak]] on [[m68ap|iPhone]], [[n45ap|iPod touch]], and [[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] (for [[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)
 
** + [[Limera1n Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]], used in [[sn0wbreeze]])
 
** + [[usb_control_msg(0xA1, 1) Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]], used in [[sn0wbreeze]])
 
* [[usb_control_msg(0xA1, 1) Exploit]]+ [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[n72ap|iPod touch 2G]] [[Bootrom 240.5.1|new bootrom]], used in [[sn0wbreeze]])
 
* [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[N18ap|iPod touch 3G]] and [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], used in [[sn0wbreeze]])
 
* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])
 
   
  +
In more recent years, two other solutions have been created - '''semi-tethered''' and '''semi-''un''tethered'''.
=== 3.2 ===
 
* [[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (all devices, used in [[Spirit]])
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]])
 
* [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] ([[K48ap|iPad]] used in [[sn0wbreeze]] 2.9.x)
 
=== 3.2.1 ===
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[Star]])
 
* [[Limera1n Exploit]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] ([[k48ap|iPad]], used in [[sn0wbreeze]] 2.9.x)
 
=== 3.2.2 ===
 
* [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[k48ap|iPad]])
 
   
  +
A [[semi-tethered jailbreak|'''semi-tethered''']] solution is one where the device is able to start up on its own, but it will no longer have a patched kernel, and therefore will not be able to run modified code. It will, however, still be usable for normal functions, just like stock iOS. To start with a patched kernel, the user must start the device with the help of the jailbreak tool.
== Exploits which are used in order to jailbreak 4.x ==
 
=== 4.0 / 4.0.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])
 
* [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]] and [[n88ap|iPhone 3GS]] devices with older bootroms)
 
* [[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (all devices, used in [[Star]])
 
* [[Limera1n Exploit]] + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] New bootrom, [[N18ap|iPod touch 3G]], [[n90ap|iPhone 4]])
 
   
  +
A [[semi-untethered jailbreak|'''semi-''un''tethered''']] jailbreak gives the ability to start the device on it's own. On first boot, the device will not be running a patched kernel. However, rather than having to run a tool from a computer to apply the kernel patches, the user is able to re-jailbreak their device with the help of an app (usually sideloaded using [[Cydia Impactor]]) running on their device. In the case of the iOS 9.2-9.3.3 jailbreak, a Safari-based exploit was available, thereby meaning a website could be used to rejailbreak.
=== 4.0.2 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] ([[n82ap|iPhone 3G]])
 
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] ([[n72ap|iPod touch 2G]])
 
* [[0x24000 Segment Overflow]] ([[n88ap|iPhone 3GS]])
 
* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] ([[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])
 
=== 4.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
 
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[n90ap|iPhone 4 GSM model]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]]))
 
* [[usb_control_msg(0xA1, 1) Exploit]] + [[Packet Filter Kernel Exploit]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]])
 
=== 4.2.1 ===
 
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
 
* [[ARM7 Go]] (from iOS 2.1.1) + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]] [[Bootrom 240.4|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])
 
* [[usb_control_msg(0xA1, 1) Exploit]] + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n72ap|iPod touch 2G]])
 
=== 4.2.6 / 4.2.7 / 4.2.8 ===
 
* [[limera1n]]'s bootrom exploit + [[HFS Legacy Volume Name Stack Buffer Overflow]] (together for [[untethered jailbreak]] on [[n92ap|iPhone 4 CDMA model]])
 
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
 
=== 4.3 ===
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], [[n81ap|iPod touch 4G]], and [[k66ap|Apple TV 2G]])
 
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
 
=== 4.3.1 / 4.3.2 / 4.3.3 ===
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit + [[ndrv_setspec() Integer Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])
 
* [[T1 Font Integer Overflow]] (used for [[Saffron]])
 
=== 4.3.4 / 4.3.5 ===
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])
 
   
  +
In more detail: Each iOS device has a [[bootchain]] that tries to make sure only trusted/signed code is loaded. A device with a tethered jailbreak is able to boot up with the help of a jailbreaking tool because the tool executes exploits via USB that bypass parts of that "chain of trust", bootstrapping to a [[pwned]] (no [[Signature Check Patch|signature check]]) [[iBSS]], [[iBEC]], or [[iBoot (Bootloader)|iBoot]] to finish the boot process.
== Exploits which are used in order to jailbreak 5.x ==
 
=== 5.0 ===
 
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])
 
* [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)+[[HFS Heap Overflow]]- [[n94ap|iPhone 4S]] only
 
   
  +
== Jailbreak Tools ==
===5.0.1===
 
  +
Untethered or semi-untethered jailbreaks are shown with a green 'yes'. Tethered or semi-tethered jailbreaks will be stated in a yellow box. [[Beta Firmware]]s are not listed.
   
  +
===Versions===
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
  +
* [[Jailbreak/1.x|1.x]]
* [[limera1n]]'s bootrom exploit + [[Racoon String Format Overflow Exploit]]+[[HFS Heap Overflow]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])
 
  +
* [[Jailbreak/2.x|2.x]]
* [[Racoon String Format Overflow Exploit]] (used both for payload injection and untether)+[[HFS Heap Overflow]] - [[iPad 2]] and [[iPhone 4S]] with [[Absinthe]]
 
  +
* [[Jailbreak/3.x|3.x]]
  +
* [[Jailbreak/4.x|4.x]]
  +
* [[Jailbreak/5.x|5.x]]
  +
* [[Jailbreak/6.x|6.x]]
  +
* [[Jailbreak/7.x|7.x]]
  +
* [[Jailbreak/8.x|8.x]]
  +
* [[Jailbreak/9.x|9.x]]
  +
* [[Jailbreak/10.x|10.x]]
  +
* [[Jailbreak/11.x|11.x]]
  +
* [[Jailbreak/12.x|12.x]]
  +
* [[Jailbreak/13.x|13.x]]
  +
* [[Jailbreak/14.x|14.x]]
  +
* [[Jailbreak/15.x|15.x]]
  +
* [[Jailbreak/16.x|16.x]]
   
===5.1===
+
==See Also==
  +
* [[Failbreak]]
* [[limera1n]]'s bootrom exploit (Tethered jailbreak) on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[n90ap|iPhone 4 GSM model]], and [[n81ap|iPod touch 4G]])
 
  +
* [[Jailbreak Exploits]]
* [[limera1n]]'s bootrom exploit + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
  +
* [[Kernel Patches]]
   
  +
[[Category:Jailbreaking]]
===5.1.1===
 
* [[limera1n Exploit]] + [[0x24000 Segment Overflow]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]])
 
* [[limera1n Exploit]] + [[Rocky Racoon]] (together for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3.2|new bootrom]], [[iPhone 4]], [[n18ap|iPod touch 3G]], and [[n81ap|iPod touch 4G]])
 
 
== Exploits which are used in order to jailbreak 6.x ==
 
=== 6.0 - 6.1.2 ===
 
* [[Symbolic Link Vulnerability]]
 
* [[Malformed PairRequest]]
 
* [[Shebang Trick]]
 
* [[AMFID code signing evasion]]
 
* [[launchd.conf untether]]
 
* [[IOUSBDeviceFamily Vulnerability]]
 
* [[ARM Exception Vector Info Leak]]
 
* [[dynamic memmove() locating]]
 
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
 
* [[kernel memory write via ROP gadget]]
 
 
== Jailbreak Tools ==
 
{{:Jailbreak/Apple TV}}
 
{{:Jailbreak/Deprecated iPads}}
 
{{:Jailbreak/iPad}}
 
{{:Jailbreak/iPad mini}}
 
{{:Jailbreak/Deprecated iPhones}}
 
{{:Jailbreak/iPhone}}
 
{{:Jailbreak/Deprecated iPod touches}}
 
{{:Jailbreak/iPod touch}}
 

Latest revision as of 10:55, 13 February 2023

The term "jailbreak" is the process by which full execute and write access is obtained on all the partitions of iOS, iPadOS, tvOS and watchOS. It used to be done by patching /private/etc/fstab to mount the System partition as 'read-write'. This is entirely different from an unlock. Jailbreaking is the first action that must be taken before things like unofficial activation (hacktivation), and unofficial unlocking can be applied.

Older jailbreaks also included modifying the AFC service (used by iTunes to access the filesystem) to give full filesystem access from root. This was later updated to create a new service (AFC2) that allows access to the full filesystem.

Modern jailbreaks now include patching the kernel to get around code signing and other restrictions. These are called Kernel Patches.

Note: The legality of jailbreaking your device varies with each country/region. Wikipedia has a summary of legality for some countries.

Types of Jailbreaks

When a device is booting, it loads Apple's own kernel initially, so a jailbroken device must be exploited and have the kernel patched each time it is booted up.

An untethered jailbreak uses exploits that are powerful enough to allow the user to turn their device off and back on at will, with the device starting up completely, and the kernel will be patched without the help of a computer – in other words, it will be jailbroken even after each reboot.

However, some jailbreaks are tethered. A tethered jailbreak is only able to temporarily jailbreak the device during a single boot. If the user turns the device off and then boots it back up without the help of a jailbreak tool, the device will no longer be running a patched kernel, and it may get stuck in a partially started state, such as Recovery Mode. In order for the device to start completely and with a patched kernel, it must be "re-jailbroken" with a computer (using the "boot tethered" feature of a tool) each time it is turned on. All changes to the files on the device (such as installed package files or edited system files) will persist between reboots, including changes that can only function if the device is jailbroken (such as installed package files).

In more recent years, two other solutions have been created - semi-tethered and semi-untethered.

A semi-tethered solution is one where the device is able to start up on its own, but it will no longer have a patched kernel, and therefore will not be able to run modified code. It will, however, still be usable for normal functions, just like stock iOS. To start with a patched kernel, the user must start the device with the help of the jailbreak tool.

A semi-untethered jailbreak gives the ability to start the device on it's own. On first boot, the device will not be running a patched kernel. However, rather than having to run a tool from a computer to apply the kernel patches, the user is able to re-jailbreak their device with the help of an app (usually sideloaded using Cydia Impactor) running on their device. In the case of the iOS 9.2-9.3.3 jailbreak, a Safari-based exploit was available, thereby meaning a website could be used to rejailbreak.

In more detail: Each iOS device has a bootchain that tries to make sure only trusted/signed code is loaded. A device with a tethered jailbreak is able to boot up with the help of a jailbreaking tool because the tool executes exploits via USB that bypass parts of that "chain of trust", bootstrapping to a pwned (no signature check) iBSS, iBEC, or iBoot to finish the boot process.

Jailbreak Tools

Untethered or semi-untethered jailbreaks are shown with a green 'yes'. Tethered or semi-tethered jailbreaks will be stated in a yellow box. Beta Firmwares are not listed.

Versions

See Also