Skip to content

Jailbreaking

Jailbreaking an iOS Device

Installing Jailbreak Apps

  • Visit this page to create a throw-away Apple ID. BE SURE TO ASSOCIATE THIS ACCOUNT WITH A THROW-AWAY GMAIL ACCOUNT THAT IS NOT TIED TO THE COMPANY.
  • Download/install Cydia Impactor from here.
    • Impactor takes care of properly signing and installing the target application onto the iOS device
  • To install the app:
  1. Start Impactor
  2. Drag the target application IPA file (from GUI application, such as Explorer or Finder) into the Impactor window
  3. Enter the throw-away Apple ID credentials when prompted
  4. Navigate (on the iOS device) to Settings > General > Profiles or Profiles & Device Management and tap the profile listed with the email address associated with your Apple ID
  5. Choose "Trust [APPLE ID]" and tap through warnings
  6. Choose "Verify App" and tap through warnings

Bootloader Jailbreaks

Checkrain (iPhone 5s-iPhone X, iOS 12+)

MAC and Linux:
https://checkra.in/releases/#all-downloads

Note

doesn't work on any device that uses A12 or A13. Including iPhone XS and XS Max, iPhone XR, iPad Mini (5th generation), iPad Air (3rd generation), iPad (8th generation) Apple TV 4K (2nd generation, 2021), iPhone 11, iPhone 11 Pro and 11 Pro Max, iPhone SE (2nd generation), iPad (9th generation), iPad Air (4th generation), iPhone 12 and iPhone 12 Mini, iPhone 12 Pro and iPhone 12 Pro Max, iPhone 13 and iPhone 13 Mini, iPhone 13 Pro and iPhone 13 Pro Max, iPad mini (6th generation)

32-bit Devices

iOS 9 (before 9.3.5)

  1. Download the wall.supplies (Home Depot) jailbreak app from internal data store
  2. Follow the "Installing Jailbreak Apps" instructions
  3. Open the installed app and enable jailbreak (using "provided offsets", if prompted)
  4. This is not a permanent jailbreak. If the device is powered off or rebooted, you'll need to repeat step 3.

iOS 9.3.5

  • Phoenix by tihmstar (TO-DO)

iOS 10

  • h3lix by tihmstar and S1guza (TO-DO)

64-bit Devices

iOS 9.3.2-9.3.3

  1. Download the Pangu jailbreak app from internal data store
  2. Follow the "Installing Jailbreak Apps" instructions
  3. Open the installed app and tap the button to jailbreak
  4. Wait a few seconds and lock the device screen
  5. This is not a permanent jailbreak. If the device is powered off or rebooted, you'll need to repeat steps 3 and 4.

iOS 10 (before 10.2.1)

  1. Download the Yalu jailbreak app from internal data store
  2. Follow the "Installing Jailbreak Apps" instructions
  3. IF YOU'RE USING AN iPAD MINI 4 DEVICE, YOU'LL NEED TO OPEN A LARGE PDF FILE BEFORE ADVANCING TO THE NEXT STEP. An example can be found here. Open this file on the device using Safari.
  4. Open the installed app and tap "go"
    • If the jailbreak fails, the device may crash. In which case, you'll need to reboot and try again. If the device does not crash, simply tap the "retry" button
  5. This is not a permanent jailbreak. If the device is powered off or rebooted, you'll need to repeat steps 3 (if you're using an iPad Mini 4) and 4.

iOS 11 (before 11.4)

Install command line apps in /electra to bypass the Sandbox execution policy

  1. Download the Electra Jailbreak app. https://coolstar.org/electra/
  2. Follow the "Installing Jailbreak Apps" instructions
  3. Open the Installed app and tap "jailbreak"
  4. This is not a permanent jailbreak. If the device is powered off or rebooted, you'll need to repeat step 3-4.
  5. If the jailbreak app doesnt load up that means that the certificate that the app is signed with has expired and has to be resigned using the instructions in Installing Jailbreak Apps

iOS 11.0-13.3

https://unc0ver.dev/

Restoring iOS Versions with SHSH Blobs

How the Nonces work

Download the Devices SHSH Blobs

This is the signed update information that makes the device trust the updater

Getting the information needed to download the shsh2 files:

>>> ideviceinfo | ag "ProductType|UniqueChipID|ProductVersion"                  
ProductType: iPhone9,1
ProductVersion: 12.2
UniqueChipID: 5463035531821094

Downloading the Latest SHSH files with the Erase Ticket:

/opt/iOS/tsschecker/tsschecker/tsschecker -e 5463035531821094 -d iPhone9,1 -l -s --save-path ./erase

Downloading the Latest SHSH files with the Update Ticket:

/opt/iOS/tsschecker/tsschecker/tsschecker -e 5463035531821094 -d iPhone9,1 -l -s -u --save-path ./update

Downloading the Latest SHSH files with the Update Ticket with specifying the ap_nonce:

/opt/iOS/tsschecker/tsschecker/tsschecker -e 5463035531821094 -d "iPhone9,1" -l -s -u --apnonce 5ba82669b625bae6596dea482bb1f44eac501fe1560bc2d69bbb24c13715b9f4

Download the IPSW Update Package

This is the update package for the version of the iphone what would be used to download the Software Update from apple

This file can be downloaded from IPSW Downloads.

Getting the Nonce Information

The Anonce is the NONC that is shown below

#Get Device Information
>>> ideviceinfo | grep Unique  
UniqueChipID: 5463035531821094
UniqueDeviceID: 70a58077f305c2a6e64f5eb74660a8619cfda34e

#Put device into recovery mode
ideviceenterrecovery -d 70a58077f305c2a6e64f5eb74660a8619cfda34e

#Get Nonce Information
>>> sudo irecovery -i 5463035531821094 -q
CPID: 8010
CPRV: 11
BDID: 08
ECID: 5463035531821094
CPFM: 03
SCEP: 01
IBFL: 3d
SRNM: DX4YHJEYHG6W
IMEI: N/A
NONC: 5ba82669b625bae6596dea482bb1f44eac501fe1560bc2d69bbb24c13715b9f4
SNON: 54b098757387e4bc72622869ebbfced21c7cb194
MODE: Recovery

#Reboot the Phone into Regular mode
>>> sudo irecovery -n

Setting the Nonce Information

  1. Open unc0ver. (You may get a popup about an untrusted certificate, go to Settings > General > Device Management and Trust your certificate)
  2. Go to the Settings tab in unc0ver.
  3. Make sure "Overwrite Boot Nonce" is enabled and that "Boot Nonce" is set to 0x1111111111111111 or what ever is in the SHSH file.
  4. Go to the Jailbreak tab and press Jailbreak.
  5. You're done with this part of the tutorial.

Restoring/Upgrading iOS Version

Restoring/Upgrading iOS Version:

./futurestore -t 5463035531821094_iPhone9,1_12.4-16G77_627633ce34dbf0734dbd5e24886feaefdd5e088545a01932582d51e0793c3138.shsh2 --latest-baseband --latest-sep iPhone_5.5_P3_12.4_16G77_Restore.ipsw -d

Backing Up the iPhone

Setting a Backup Password (Optional):

>>> idevicebackup2 -i encryption on
Started "com.apple.mobilebackup2" service on port 49439.
Negotiated Protocol Version 2.1
Enter new backup password: *********
Enter new backup password (repeat): *********
Backup encryption has been enabled successfully.

Backing up the Device:

 idevicebackup2 -u 70a58077f305c2a6e64f5eb74660a8619cfda34e --debug -i backup --full .
Backup directory is "."

Package Managers

Most Jailbreaks use Cydia as the package manager to install programs for the jailbreaked system.
Chimera Jailbreak uses Sileo