iOS 9.3.x semi-untethered jailbreak tool.

What is this?

This is a semi-untethered jailbreak tool for iOS 9.3.x.

Supported devices

64-bit devices

iPhone 5s, iPhone 6, iPhone 6 Plus

iPhone 6s, iPhone 6s Plus, iPhone SE

iPad Air, iPad Air 2

iPad Pro 12.9-inch, iPad Pro 9.7-inch

iPad mini 2, iPad mini 3, iPad mini 4

iPod touch 6G

32-bit devices (9.3.5/9.3.6, untested)

iPhone 4s, iPhone 5, iPhone 5c

iPad 2, iPad 3, iPad 4

iPad mini

iPod touch 5G


This tool is a proof of concept. This jailbreak was created to study and demonstrate the old jailbreak used by the Pangu Team in 2016. All of this is provided for educational and learning purposes only; abusing it is never acceptable. Never do so.




latest version (stable)

IPA Version

v2.2.1 [2D245a] (Released 2022/05/18)





!!!!!! All at your own risk / Misuse strictly prohibited !!!!!!

Tested on iPhone 6s [iPhone8,1] with 9.3.4, iPhone 5s [iPhone6,1] with 9.3.1/9.3.3, and iPod touch 5G [iPod5,1] with 9.3.5. Operation on any other device is not guaranteed.

Use this version if you sign with iOS App Signer: iOS App Signer v1.13.


iPod5,1 [9.3.5]

iPhone4,1 [9.3.6]

iPhone5,2 [9.3.5]

iPhone6,1 [9.3.1]

iPhone6,1 [9.3.3]

iPhone8,1 [9.3.4]

reported: work fine.

iPod2,2 [9.3.5]

iPhone8,1 [9.3.2]

iPhone8,1 [9.3.5]

iPhone8,4 [9.3.2]


2021/03/17 06:00 (JST): initial release [v1.0 beta 1]

2021/03/23 20:15 (JST): Support Cydia install, Enable tfp0 patch, Make pegasus kernel exploit available for some devices. [v1.0 beta 2]

2021/05/05 03:00 (JST): Fixed the behavior of the Install Cydia button, Add kernel patch. [v1.0 beta 3]

2021/12/04 08:45 (JST): Fixed amfi shellcode, Added __got hook style (no KPP race) option. [v2.0 beta 1]

2021/12/06 00:30 (JST): Minor bug fixes. [v2.0 beta 2]

2022/04/30 01:00 (JST): Re-added Cydia installation, Improved loading of JB daemons, Added 32-bit support (init). [v2.1]

2022/04/30 07:30 (JST): Fixed find_allproc for A6 devices. [v2.1.1]

2022/05/02 01:00 (JST): Fixed daemon loading problems. Support for A9 devices (but note that it is forever untested). [v2.1.2]

2022/05/16 03:20 (JST): Fixed for aarch64 9.3.4-9.3.5. [v2.2]

2022/05/86 05:35 (JST): Added additional options (disable legacy patch, disable reload, enable kpp, etc.). [v2.2.1]

Technical notes on aarch64 9.3.4-9.3.5 support

Apple silently updated KPP in 9.3.4 after Pangu 9 was released.

As a result, __got is now properly protected by KPP and can no longer be written to. However, KPP has a logic flaw: among other things, on iOS < 11 it is possible to bypass KPP by setting up a fake TTBR1_EL1.

This means that KPP devices can be patched as follows:

・iOS < 9.2: MAC policies are not properly protected. (Pangu Team's Pangu 9)

・iOS < 9.3.3: __DATA.__got is still writable. (Pangu Team's Pangu 9)

・iOS < 11: fake page tables can be set up by hooking CPACR_EL1 access. (qwertyoruiop's yalu102)

In the case of kok3shi: if aarch64 9.3.4 or later is detected, the __DATA segment of the kexts is remapped to bypass KPP, and then __got is patched in the same way as on 9.3.3 and below.


Q, After punching holes, the device gets a blue screen (64-bit).

A, Kernel exploit execution sometimes fails. You will need to reboot and try again.

Q, Is there support for 32-bit devices?

A, Yes, but only for 9.3.5-9.3.6, and it is untested. It generally shares the kernel patches used for 64-bit devices.

Q, Is there support for 16k devices?

A, Yes, but untested. It is extremely difficult to prepare test devices. In addition, those devices receive activation errors under iOS 9, so they are virtually unusable.

Q, I would like to know which patches are used in this jailbreak. Can I access the source code?

A, Yes. Here it is.

old versions

Here it is.


Siguza, tihmstar : PhoenixNonce (kernel exploit)

Siguza : cl0ver (kernel exploit)

qwertyoruiopz : KPP bypass, kernel patches

xerub : patchfinder64

FriedApple Team : patchfinder64, KPP bypass

Pangu Team : __DATA.__got method

(c) sakuRdev/dora2ios