iOS 9.3.x semi-untethered jailbreak tool.

What is this?

This is a tool for the iOS 9.3.x semi-untethered jailbreak.

Supported devices

64-bit devices

iPhone 5s, iPhone 6, iPhone 6 Plus

iPhone 6s, iPhone 6s Plus, iPhone SE

iPad Air, iPad Air 2

iPad Pro 12.9-inch, iPad Pro 9.7-inch

iPad mini 2, iPad mini 3, iPad mini 4

iPod touch 6G

32-bit devices (9.3.5/9.3.6, untested)

iPhone 4s, iPhone 5, iPhone 5c

iPad 2, iPad 3, iPad 4

iPad mini

iPod touch 5G

Warning / Disclaimer

This tool is a proof-of-concept tool. This jailbreak was created to study and demonstrate the old jailbreak used by the Pangu Team in 2016. All of this is provided for educational and learning purposes only; misusing it is never permitted. Absolutely do not do so.

Misusing this tool, or using the source code for malicious purposes, is strictly prohibited. Under no circumstances shall the author or distributors bear any responsibility for these tools. Use of this tool is entirely at your own risk, and from the moment you download these tools, all responsibility is yours. If you do not agree to this, downloading or using the tool is prohibited.

This site strongly recommends updating iOS to the latest version and applying the fix patches.



Download

latest version (stable)

IPA Version

v2.2.1 [2D245a] (Released 2022/05/18)

SHA-256

0605d0f648972c4439ae27424b396bdd516f577e248708f5df3057bdb41fd97e

kok3shidoll_v2.2.1.ipa
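Before sideloading, check the downloaded IPA against the published SHA-256. The script below is an added example and not part of the kok3shi project; the file name and expected digest are the ones listed above, and the comparison uses a constant-time check so a mismatch is reported without leaking digest bytes through timing.

```python
import hashlib
import hmac
import sys

# Digest published on this page for kok3shidoll_v2.2.1.ipa
EXPECTED_SHA256 = "0605d0f648972c4439ae27424b396bdd516f577e248708f5df3057bdb41fd97e"
DEFAULT_IPA = "kok3shidoll_v2.2.1.ipa"


def sha256_of_chunks(chunks):
    """Hash an iterable of byte chunks; lets large IPAs be streamed from disk."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 in 1 MiB pieces instead of reading it whole."""
    with open(path, "rb") as f:
        return sha256_of_chunks(iter(lambda: f.read(chunk_size), b""))


def verify_digest(actual_hex, expected_hex=EXPECTED_SHA256):
    """True only if the digests match; hmac.compare_digest is timing-safe.
    Both sides are lower-cased so a hash copied in upper case still verifies."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_ipa(path, expected_hex=EXPECTED_SHA256):
    """Hash the IPA on disk and compare it with the published digest."""
    return verify_digest(sha256_of_file(path), expected_hex)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_IPA
    ok = verify_ipa(target)
    print(f"{target}: {'OK' if ok else 'MISMATCH, do not sideload'}")
    sys.exit(0 if ok else 1)
```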

Note

!!!!!! All at your own risk / Misuse strictly prohibited !!!!!!

Tested on iPhone 6s [iPhone8,1] with 9.3.4, iPhone 5s [iPhone6,1] with 9.3.1/9.3.3, iPod touch 5G [iPod5,1] with 9.3.5. No other operation is guaranteed.

Use this version if you sign with iOS App Signer: iOS App Signer v1.13.


tested

iPod5,1 [9.3.5]

iPhone4,1 [9.3.6]

iPhone5,2 [9.3.5]

iPhone6,1 [9.3.1]

iPhone6,1 [9.3.3]

iPhone8,1 [9.3.4]

reported: works fine.

iPod2,2 [9.3.5]

iPhone8,1 [9.3.2]

iPhone8,1 [9.3.5]

iPhone8,4 [9.3.2]

Version

2021/03/17 06:00 (JST): initial release [v1.0 beta 1]

2021/03/23 20:15 (JST): Support Cydia install, Enable tfp0 patch, Make pegasus kernel exploit available for some devices. [v1.0 beta 2]

2021/05/05 03:00 (JST): Fixed the behavior of the Install Cydia button, Add kernel patch. [v1.0 beta 3]

2021/12/04 08:45 (JST): Fixed amfi shellcode, Added __got hook style (no KPP race) option. [v2.0 beta 1]

2021/12/06 00:30 (JST): Minor bug fixes. [v2.0 beta 2]

2022/04/30 01:00 (JST): Re-added Cydia installation, Improved loading of JB daemons, Added 32-bit support(init). [v2.1]

2022/04/30 07:30 (JST): Fixed find_allproc for A6 devices. [v2.1.1]

2022/05/02 01:00 (JST): Fixed daemon loading problems. Support for A9 devices (but note that it is forever untested). [v2.1.2]

2022/05/16 03:20 (JST): Fixed for aarch64 9.3.4-9.3.5. [v2.2]

2022/05/86 05:35 (JST): Added additional options (disable legacy patch, disable reload, enable kpp, etc.) [v2.2.1]


Technical notes on aarch64 9.3.4-9.3.5 support

Apple updated KPP silently in 9.3.4 after Pangu 9 was released.

As a result, __got is properly protected by KPP and can no longer be written to. However, KPP has a logic flaw: among other things, on iOS < 11 it is possible to bypass KPP by setting a fake TTBR1_EL1.


This means that KPP devices can be patched as follows:

・ios<9.2: MAC policies are not properly protected. (pangu team's Pangu 9)

・ios<9.3.3: __DATA.__got is still writable. (pangu team's Pangu 9)

・ios<11: fake page tables can be set up by hooking CPACR_EL1 access. (qwertyoruiop's yalu102)

In the case of kok3shi: if aarch64 9.3.4 or later is detected, the __DATA segment of the kexts is remapped to bypass KPP; __got is then patched in the same way as on 9.3.3 and below.


FAQ

Q, After punching holes, the device gets a blue screen (64-bit).

A, Kernel exploit execution sometimes fails. You will need to reboot and try again.

Q, Is there support for 32-bit devices?

A, Yes, but only 9.3.5-9.3.6, and untested. This is generally compatible with the kernel patches for 64-bit.

Q, Is there support for 16k devices?

A, Yes, but untested. It is extremely difficult to prepare test devices. In addition, those devices receive activation errors under iOS 9, so they are virtually unusable.

Q, I would like to know what patches are used in this jailbreak; can I access the source code?

A, Yes. Here it is.


old versions

Here it is.

Credits

Siguza, tihmstar : PhoenixNonce (kernel exploit)

Siguza : cl0ver (kernel exploit)

qwertyoruiopz : KPP bypass, kernel patches

xerub : patchfinder64

FriedApple Team : patchfinder64, KPP bypass

Pangu Team : __DATA.__got method


(c) sakuRdev/dora2ios