iOS 9.3.5 Untethered Jailbreak Review
The hero of this story is Siguza, a German security researcher, who released the Phœnix untethered jailbreak for iOS 9.3.5 in late 2017. The core of Phœnix was not a new zero-day but a masterful exploitation of an older, misunderstood bug: CVE-2017-6979 (the “offsets” bug), combined with an additional kernel vulnerability (v0rtex). However, the key to the untethered nature lay in the persistence mechanism.
Siguza’s approach was a throwback to earlier, more hardware-agnostic methods. He exploited a vulnerability in the way iOS handles resource properties (specifically in IOKit), allowing for an arbitrary read/write primitive in the kernel. But to make it untethered, he bypassed KPP not by patching the kernel directly—which KPP would detect on the next reboot—but by patching the kernel’s data structures in memory only and then forcing a specific system daemon (which runs as root) to load a dynamic library. More importantly, the jailbreak embedded a bootstrap script into the filesystem that would be executed by launchd (the init process) early in the boot cycle. This script would then re-trigger the IOKit exploit before KPP had fully armed itself.
The breakthrough was the “off-by-one” in the kernel’s task suspension logic. By carefully corrupting a single byte in a kernel map structure, Siguza could cause the kernel to skip certain security checks during the next boot. This is the hallmark of an untethered jailbreak: a tiny, persistent corruption that allows the full exploit chain to run again automatically.
If you are sitting on an iPhone 4s, 5, or 5c running iOS 9.3.5, here is your realistic path:
In the world of iPhone modding, few phrases generate as much nostalgia and technical intrigue as "iOS 9.3.5 untethered jailbreak."
For users clinging to legacy devices like the iPhone 4s, iPhone 5, iPhone 5c, or the original iPad mini, iOS 9.3.5 represents the final, bittersweet chapter. It was the last version of iOS supported by these 32-bit classics. However, it is also infamous for being patched against the powerful Trident exploit chain—making it one of the most secure (and locked-down) versions of iOS ever released for that architecture.
But the question remains for collectors, gamers, and tinkerers: Does a true untethered jailbreak exist for iOS 9.3.5?
The short answer is complicated. The long answer requires a deep dive into exploit types, tool compatibility, and a major evolution in how we define "jailbreak."
Could a true untether ever be released? Technically, yes. There are likely undisclosed kernel vulnerabilities lingering in iOS 9.3.5 that could be chained with a persistent code-signing bypass. However, with Apple deprecating 32-bit support entirely in macOS and iOS, the likelihood of a developer spending dozens of hours to package that exploit is near zero.
The community has moved on. The last great untethered jailbreaks were for iOS 9.1 (Pangu) and iOS 8.4.1 (Etason). For iOS 9.3.5, the "Holy Grail" remains a myth.