iOS 9.3.5 Untethered Jailbreak Site

To understand the legend of 9.3.5, you have to look at what came before. For years, the jailbreak scene was dominated by "untethered" tools. You ran the software once, and your device was free forever. You could reboot, turn it off, and turn it back on, and it would boot up already jailbroken.

But by 2016, the landscape had changed. Apple had hardened the kernel. The "Golden Age" was ending. As iOS 9 gave way to iOS 10, the legendary development teams began to go quiet.

Then a tragedy shifted the tectonic plates of the community. In October 2016, a brilliant hacker known as "Moonshine" passed away. He was a key figure in the community, and his death left a void. But in the world of hacking, data never truly dies.

iOS 9.3.5 was released in August 2016. It is the final version of iOS 9. It supports two distinct device families:

This split is critical because exploit primitives differ drastically between ARMv7s and ARM64.

The hero of this story is Siguza, a German security researcher, who released the Phœnix untethered jailbreak for iOS 9.3.5 in late 2017. The core of Phœnix was not a new zero-day but a masterful exploitation of an older, misunderstood bug: CVE-2017-6979 (the “offsets” bug), combined with an additional kernel vulnerability (v0rtex). However, the key to the untethered nature lay in the persistence mechanism.

Siguza’s approach was a callback to earlier, more hardware-agnostic methods. He exploited a vulnerability in the way iOS handles resource properties (specifically in IOKit), allowing for an arbitrary read/write primitive in the kernel. But to make it untethered, he bypassed KPP not by patching the kernel directly—which KPP would detect on the next reboot—but by patching only the kernel’s data structures in memory and then forcing a specific system daemon (which runs as root) to load a dynamic library. More importantly, the jailbreak embedded a bootstrap script into the filesystem that would be executed by launchd (the init process) early in the boot cycle. This script would then re-trigger the IOKit exploit before KPP had fully armed itself.

The breakthrough was the “off-by-one” in the kernel’s task suspension logic. By carefully corrupting a single byte in a kernel map structure, Siguza could cause the kernel to skip certain security checks during the next boot. This is the hallmark of an untethered jailbreak: a tiny, persistent corruption that allows the full exploit chain to run again automatically.

| Type | Boot Requirement | Persistence |
|------|------------------|-------------|
| Untethered | Device boots directly into jailbroken state. No computer or re-application needed. | Survives full power cycles. |
| Semi-Untethered | Boots into stock iOS. Must re-run an app (e.g., Phoenix, kok3shi9) to re-enable the jailbreak after each reboot. | Lost after reboot. |
| Tethered | Requires a computer to boot every single time. | Device won't boot at all without a computer. |

The last untethered jailbreak for any modern-ish iOS was Pangu9 for iOS 9.0-9.1 (released 2015). Since then, Apple has systematically killed the primitives that enable untethered persistence.