The Last of Its Kind: Dissecting the iOS 9.3.5 Untethered Jailbreak
In the history of Apple's mobile operating system, iOS 9.3.5 occupies a unique and infamous position. Released in August 2016, it was not a feature update but an emergency security patch. It closed a chain of three zero-day vulnerabilities, collectively known as "Trident", that had been actively used to deploy NSO Group's Pegasus spyware against a human rights activist in the UAE. For most users, iOS 9.3.5 was simply a mandatory security update. For the jailbreak community it became a holy grail: a heavily patched build that seemed impervious to public exploits, and effectively the end of the line for the iPhone 4s and other A5-era devices (only the minor 9.3.6 GPS fix followed in 2019). The eventual release of the Phœnix jailbreak for iOS 9.3.5 by Siguza and tihmstar, a semi-untethered jailbreak for 32-bit devices, was both a technical triumph and a closing chapter in 32-bit iOS exploitation.
The Solution: The Phœnix Jailbreak
The heroes of this story are Siguza, a security researcher and reverse engineer, and tihmstar, who together released the Phœnix jailbreak for iOS 9.3.5 on 32-bit devices in August 2017. Its core was not a new zero-day but a kernel bug that remained reachable on 9.3.5 even though the Trident bugs themselves had been closed, exploited from a sideloaded app to obtain an arbitrary kernel read/write primitive. Phœnix is semi-untethered rather than untethered: the jailbroken state lives only in kernel memory and does not survive a reboot.
What "semi-untethered" means in practice: the exploit is run from a sideloaded app, the kernel is patched in memory to lift code-signing enforcement and the sandbox restrictions that would otherwise block Cydia and tweaks, and that patched state lasts until the next reboot. On reboot the device comes up with a stock, unmodified kernel, and the user has to open the Phœnix app and re-run the exploit to restore the jailbreak. The app is sideloaded with a free developer certificate that expires after seven days, so it also has to be re-signed periodically. KPP does not enter into it: Kernel Patch Protection exists only on 64-bit devices, and every device Phœnix supports is 32-bit, which is exactly why direct in-memory kernel patching works there.
A true untethered jailbreak needs something more: a persistent component that runs automatically during boot, before the system is fully locked down, and re-exploits the kernel with no user interaction. Historically that required a second vulnerability reachable early in boot (in the bootrom, in iBoot, or in the loading of core userland binaries), and no such component shipped with Phœnix. The practical difference is that a semi-untethered device boots to a working but unjailbroken state, whereas an untethered one boots straight back into the jailbreak.
The Siguza Factor
Enter Siguza, a renowned security researcher and reverse engineer. He looked at the patched exploit and realized Apple hadn't fixed everything: the door was closed, but a window had been left open.
Siguza discovered that while the specific exploit Moonshine used was patched, the underlying vulnerability in the IOHIDFamily kernel extension remained viable. Apple had fixed the "trigger," but not the "gun."
For months, Siguza worked on the problem. The goal was ambitious: a public jailbreak for iOS 9.3.5, the first for that version. He wasn't just building a tool; he was reviving support for devices the community had written off. He collaborated with other well-known researchers, including tihmstar and mbazaliy, to turn the bug into a working exploit chain.
The "Untether" Workaround: Kok3shi
One tool that confuses many users is kok3shi. Developed by staturnz, it supports iOS 9.3.5 on 32-bit devices. Is it untethered? No: kok3shi is also semi-untethered.
However, kok3shi offers a feature called "Untether via Bootloop Protection". The name is a misnomer. It does not make the jailbreak survive a reboot. Instead, it installs a persistent daemon that tries to re-run the jailbreak automatically shortly after the device boots, and backs off when the attempt fails so the device does not end up in a bootloop. Clever as it is, this is automation on top of a semi-untethered jailbreak, not a true untether: the daemon still has to re-exploit the kernel from userland on every boot. The failure mode to watch is the exploit panicking the kernel: the device reboots and the daemon runs again, so unless the guard records the attempt before launching the exploit (not after), a reliably crashing exploit is itself a bootloop.
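The pattern such a guard needs is a write-ahead attempt counter. The POSIX shell script below is an added example written for this page; it is not kok3shi's code or any real jailbreak component. It assumes a writable state directory (STATE_DIR) on a filesystem that persists across reboots and takes the path of an exploit program as its argument; both are placeholders, and any command that exits 0 on success can stand in for the exploit.

```shell
#!/bin/sh
# Boot-time re-jailbreak guard (added illustration, not kok3shi's code).
# Idea: record the attempt *before* running the exploit, clear the record
# only on success, and refuse to try once MAX_FAILURES attempts are on disk.
# If the exploit panics the kernel, the recorded attempt survives the reboot,
# so a repeatedly crashing exploit cannot loop the device forever.
#
# STATE_DIR, MAX_FAILURES and the exploit path are hypothetical placeholders.

STATE_DIR="${STATE_DIR:-/var/db/rejb-guard}"
MAX_FAILURES="${MAX_FAILURES:-3}"

# Number of attempts recorded since the last success (0 if none).
read_failures() {
    if [ -f "$STATE_DIR/failures" ]; then
        cat "$STATE_DIR/failures"
    else
        echo 0
    fi
}

# Write-ahead: bump the counter and flush it to disk before anything risky runs.
record_attempt() {
    n=$(read_failures)
    mkdir -p "$STATE_DIR"
    echo $((n + 1)) > "$STATE_DIR/failures"
    sync
}

# A successful re-jailbreak resets the budget.
clear_failures() {
    rm -f "$STATE_DIR/failures"
}

# True while the failure budget is not yet spent.
should_attempt() {
    [ "$(read_failures)" -lt "$MAX_FAILURES" ]
}

# run_guard EXPLOIT
# Returns 0 on success, 1 if the exploit ran and reported failure, and 2 if
# the guard refused to run it (budget exhausted; boot continues unjailbroken).
run_guard() {
    exploit="$1"
    if ! should_attempt; then
        echo "guard: $(read_failures) failed attempts recorded, giving up" >&2
        return 2
    fi
    record_attempt
    # The exploit may never return if it panics; the counter is already on disk.
    if "$exploit"; then
        clear_failures
        return 0
    fi
    echo "guard: exploit failed (attempt $(read_failures))" >&2
    return 1
}

# Usage from a launchd job or rc script: run_guard /path/to/exploit
```

The counter is incremented and synced before the exploit runs, so a kernel panic mid-exploit still counts against the budget on the next boot; only a clean success clears it, and once the budget is spent the device simply boots unjailbroken instead of looping.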
2. Essential Tweaks for iOS 9
iOS 9 is old; the ecosystem is mature. Here are essential tweaks to modernize the experience:
- AppSync Unified: (Source: https://cydia.akemi.ai/) Required to install unsigned IPAs.
- ClassicBattery: Brings the classic battery percentage icon back.
- Virtual Home: If your Home button is broken (common on iPhone 5/5c), this creates an on-screen home button.
- Palido: Dark mode for older iOS versions.