iOS 9.3.5 Untethered Jailbreak
Because iOS 9.3.5 is a 32-bit firmware, the jailbreak landscape is different from modern 64-bit devices. There is no full untethered jailbreak for iOS 9.3.5 on all devices.
However, depending on your specific device model, you have two options that closely mimic an untethered experience:
- iPad 2, iPhone 4s, and iPhone 4: You can upgrade to iOS 9.3.6 and use the "Degrade" tool to convert the installation into a kok3shi9 untether. This is a true untether (the jailbreak persists after a reboot).
- iPhone 5, 5c, iPad 4, and iPad Mini 1: These devices must use the SockPuppet 2.0 (Phoenix) jailbreak, which is "semi-untethered" (requires re-signing via an app every 7 days).
Here is the complete guide for both scenarios.
The Future of the 9.3.5 Untether
Could a true untether ever be released? Technically, yes. There are likely undisclosed kernel vulnerabilities lingering in iOS 9.3.5 that could be chained with a persistent code-signing bypass. However, with Apple deprecating 32-bit support entirely in macOS and iOS, the likelihood of a developer spending dozens of hours to package that exploit is near zero.
The community has moved on. The last great untethered jailbreaks were for iOS 9.1 (Pangu) and iOS 8.4.1 (Etason). For iOS 9.3.5, the "Holy Grail" remains a myth.
For 64-bit devices (iPhone 5 and above)
- kok3shi9 (semi-untethered) – by SakuRα (developer). Supports iOS 9.3-9.3.5. Uses an old Mach portal + OOPS (offset overwrite) technique. Works, but older devices (iPhone 5) may occasionally kernel panic.
The Solution: The Phœnix Jailbreak and the Off-by-One
The hero of this story is Siguza, a German security researcher, who released the Phœnix untethered jailbreak for iOS 9.3.5 in late 2017. The core of Phœnix was not a new zero-day but a masterful exploitation of an older, misunderstood bug: CVE-2017-6979 (the “offsets” bug), combined with an additional kernel vulnerability (v0rtex). However, the key to the untethered nature lay in the persistence mechanism.
Siguza’s approach was a throwback to earlier, more hardware-agnostic methods. He exploited a vulnerability in the way iOS handles resource properties (specifically in IOKit), which yielded an arbitrary kernel read/write primitive. But to make it untethered, he bypassed KPP not by patching the kernel directly—which KPP would detect on the next reboot—but by patching the kernel’s data structures in memory only and then forcing a specific system daemon (which runs as root) to load a dynamic library. More importantly, the jailbreak embedded a bootstrap script into the filesystem that launchd (the init process) would execute early in the boot cycle. This script would then re-trigger the IOKit exploit before KPP had fully armed itself.
The breakthrough was the “off-by-one” in the kernel’s task suspension logic. By carefully corrupting a single byte in a kernel map structure, Siguza could cause the kernel to skip certain security checks during the next boot. This is the hallmark of an untethered jailbreak: a tiny, persistent corruption that allows the full exploit chain to run again automatically.
Post-Jailbreak: What to Do Next
1. Open Cydia
On first launch, Cydia will "Prepare Filesystem." This may take a few minutes. Once it finishes, the device will respring again.