Jailbreaking an iOS Device

Installing Jailbreak Apps

  • Visit this page to create a throw-away Apple ID. BE SURE TO ASSOCIATE THIS ACCOUNT WITH A THROW-AWAY GMAIL ACCOUNT THAT IS NOT TIED TO THE COMPANY.
  • Download/install Cydia Impactor from here.
    • Impactor takes care of properly signing and installing the target application onto the iOS device.
  • To install the app:
  1. Start Impactor
  2. Drag the target application IPA file (from a file manager such as Explorer or Finder) into the Impactor window
  3. Enter the throw-away Apple ID credentials when prompted
  4. Navigate (on the iOS device) to Settings > General > Profiles or Profiles & Device Management and tap the profile listed with the email address associated with your Apple ID
  5. Choose “Trust [APPLE ID]” and tap through warnings
  6. Choose “Verify App” and tap through warnings

Bootloader Jailbreaks

checkra1n (iPhone 5s to iPhone X, iOS 12+)

macOS and Linux:
checkra1n download

32-bit Devices

iOS 9 (before 9.3.5)

  1. Download the wall.supplies (Home Depot) jailbreak app from the internal data store
  2. Follow the “Installing Jailbreak Apps” instructions
  3. Open the installed app and enable jailbreak (using “provided offsets”, if prompted)
  4. This is not a permanent jailbreak. If the device is powered off or rebooted, you’ll need to repeat step 3.

iOS 9.3.5

  • Phoenix by tihmstar (TO-DO)

iOS 10

  • h3lix by tihmstar and S1guza (TO-DO)

64-bit Devices

iOS 9.3.2-9.3.3

  1. Download the Pangu jailbreak app from the internal data store
  2. Follow the “Installing Jailbreak Apps” instructions
  3. Open the installed app and tap the button to jailbreak
  4. Wait a few seconds and lock the device screen
  5. This is not a permanent jailbreak. If the device is powered off or rebooted, you’ll need to repeat steps 3 and 4.

iOS 10 (before 10.2.1)

  1. Download the Yalu jailbreak app from the internal data store
  2. Follow the “Installing Jailbreak Apps” instructions
  3. IF YOU’RE USING AN iPAD MINI 4 DEVICE, YOU’LL NEED TO OPEN A LARGE PDF FILE BEFORE ADVANCING TO THE NEXT STEP. An example can be found here. Open this file on the device using Safari.
  4. Open the installed app and tap “go”
    • If the jailbreak fails, the device may crash, in which case you’ll need to reboot and try again. If the device does not crash, simply tap the “retry” button.
  5. This is not a permanent jailbreak. If the device is powered off or rebooted, you’ll need to repeat steps 3 (if you’re using an iPad Mini 4) and 4.

iOS 11 (before 11.4)

Install command-line tools under /electra to bypass the sandbox execution policy.

  1. Download the Electra jailbreak app from https://coolstar.org/electra/
  2. Follow the “Installing Jailbreak Apps” instructions
  3. Open the Installed app and tap “jailbreak”
  4. This is not a permanent jailbreak. If the device is powered off or rebooted, you’ll need to repeat steps 3-4.
  5. If the jailbreak app doesn’t launch, the certificate it was signed with has expired and the app has to be re-signed by following the “Installing Jailbreak Apps” instructions.

iOS 11.0-13.3

unc0ver download

Restoring iOS Versions with SHSH Blobs

How the Nonces work

Download the Device’s SHSH Blobs

These are the signed ticket files that make the device trust the restore/update it is given.

Getting the information needed to download the shsh2 files:

>>> ideviceinfo | ag "ProductType|UniqueChipID|ProductVersion"
ProductType: iPhone9,1
ProductVersion: 12.2
UniqueChipID: 5463035531821094

Downloading the Latest SHSH files with the Erase Ticket:

/opt/iOS/tsschecker/tsschecker/tsschecker -e 5463035531821094 -d iPhone9,1 -l -s --save-path ./erase

Downloading the Latest SHSH files with the Update Ticket:

/opt/iOS/tsschecker/tsschecker/tsschecker -e 5463035531821094 -d iPhone9,1 -l -s -u --save-path ./update

Downloading the Latest SHSH files with the Update Ticket, specifying the ap_nonce:

/opt/iOS/tsschecker/tsschecker/tsschecker -e 5463035531821094 -d "iPhone9,1" -l -s -u --apnonce 5ba82669b625bae6596dea482bb1f44eac501fe1560bc2d69bbb24c13715b9f4

Download the IPSW Update Package

This is the firmware package for the target iOS version, the same file Apple’s Software Update would download for the device.

This file can be downloaded from IPSW Downloads.

Getting the Nonce Information

The ApNonce is the NONC value shown below.

#Get Device Information
>>> ideviceinfo | grep Unique
UniqueChipID: 5463035531821094
UniqueDeviceID: 70a58077f305c2a6e64f5eb74660a8619cfda34e
#Put device into recovery mode
ideviceenterrecovery -d 70a58077f305c2a6e64f5eb74660a8619cfda34e
#Get Nonce Information
>>> sudo irecovery -i 5463035531821094 -q
CPID: 8010
CPRV: 11
BDID: 08
ECID: 5463035531821094
CPFM: 03
SCEP: 01
IBFL: 3d
SRNM: DX4YHJEYHG6W
IMEI: N/A
NONC: 5ba82669b625bae6596dea482bb1f44eac501fe1560bc2d69bbb24c13715b9f4
SNON: 54b098757387e4bc72622869ebbfced21c7cb194
MODE: Recovery
#Reboot the Phone into Regular mode
>>> sudo irecovery -n

Setting the Nonce Information

  1. Open unc0ver. (You may get a popup about an untrusted certificate, go to Settings > General > Device Management and Trust your certificate)
  2. Go to the Settings tab in unc0ver.
  3. Make sure “Overwrite Boot Nonce” is enabled and that “Boot Nonce” is set to 0x1111111111111111 or whatever value is in the SHSH file.
  4. Go to the Jailbreak tab and press Jailbreak.
  5. You’re done with this part of the tutorial.

Restoring/Upgrading iOS Version

Restoring/Upgrading iOS Version:

./futurerestore -t 5463035531821094_iPhone9,1_12.4-16G77_627633ce34dbf0734dbd5e24886feaefdd5e088545a01932582d51e0793c3138.shsh2 --latest-baseband --latest-sep iPhone_5.5_P3_12.4_16G77_Restore.ipsw -d
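A pre-flight check tying the recovery-mode output above to the restore command, added here as an example (not part of the original notes, nor code from tsschecker, irecovery or futurerestore): it parses the `irecovery -q` output, assembles the tsschecker arguments used on this page, and confirms that the blob's ECID and ApNonce (as embedded in the tsschecker filename) match the device before futurerestore is run. The sample output is this page's own values embedded as a constant; `parse_kv`, `tsschecker_args` and `blob_mismatches` are names chosen for this example.

```python
import re

# Constructed sample: the `irecovery -q` output shown on this page, embedded so the check runs offline.
IRECOVERY_Q = """CPID: 8010
CPRV: 11
BDID: 08
ECID: 5463035531821094
CPFM: 03
SCEP: 01
IBFL: 3d
SRNM: DX4YHJEYHG6W
IMEI: N/A
NONC: 5ba82669b625bae6596dea482bb1f44eac501fe1560bc2d69bbb24c13715b9f4
SNON: 54b098757387e4bc72622869ebbfced21c7cb194
MODE: Recovery
"""
# Blob filename as saved on this page: <ECID>_<ProductType>_<version>-<build>_<ApNonce>.shsh2
SHSH2_NAME = re.compile(r"^(?P<ecid>\d+)_(?P<device>[^_]+)_.+_(?P<apnonce>[0-9a-fA-F]+)\.shsh2$")

def parse_kv(output):
    """Parse 'KEY: value' lines; `irecovery -q` and `ideviceinfo` both print this shape."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def tsschecker_args(ecid, product_type, apnonce, update=False, save_path="./update"):
    """Assemble the tsschecker arguments used on this page, pinned to the device's ApNonce."""
    args = ["tsschecker", "-e", ecid, "-d", product_type, "-l", "-s"]
    if update:
        args.append("-u")
    return args + ["--apnonce", apnonce, "--save-path", save_path]

def blob_mismatches(shsh2_filename, device):
    """Pre-flight check before futurerestore: the blob must carry the same ECID and ApNonce
    as the device now in recovery mode. Returns the mismatches; an empty list means OK."""
    m = SHSH2_NAME.match(shsh2_filename)
    if not m:
        raise ValueError("unexpected shsh2 filename: " + shsh2_filename)
    problems = []
    if m["ecid"] != device.get("ECID"):
        problems.append("ecid")
    if m["apnonce"].lower() != device.get("NONC", "").lower():
        problems.append("apnonce")  # set the boot nonce (generator) in unc0ver and re-read NONC
    if device.get("MODE") != "Recovery":
        problems.append("mode")  # NONC must be read while the device is in recovery mode
    return problems
```

Run against the page's own values, `blob_mismatches` reports `["apnonce"]` for the blob named in the futurerestore command, since its embedded ApNonce differs from the NONC in the `irecovery -q` sample; that is the case the "Setting the Nonce Information" step exists for.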

Backing Up the iPhone

Setting a Backup Password (Optional):

>>> idevicebackup2 -i encryption on
Started "com.apple.mobilebackup2" service on port 49439.
Negotiated Protocol Version 2.1
Enter new backup password: *********
Enter new backup password (repeat): *********
Backup encryption has been enabled successfully.

Backing up the Device:

idevicebackup2 -u 70a58077f305c2a6e64f5eb74660a8619cfda34e --debug -i backup --full .
Backup directory is "."

Package Managers

Most jailbreaks use Cydia as the package manager for installing programs on the jailbroken system.
The Chimera jailbreak uses Sileo.