iOS 9.3.5 Untethered Jailbreak

Because iOS 9.3.5 is a 32-bit firmware, the jailbreak landscape is different from modern 64-bit devices. There is no full untethered jailbreak for iOS 9.3.5 on all devices.

However, depending on your specific device model, you have two options that closely mimic an untethered experience:

  1. iPad 2, iPhone 4s, and iPhone 4: You can upgrade to iOS 9.3.6 and use the "Degrade" tool to convert the installation into a Kok3r9 Untether. This is a true untether (jailbreak persists after reboot).
  2. iPhone 5, 5c, iPad 4, and iPad Mini 1: These devices must use the SockPuppet 2.0 (Phoenix) jailbreak, which is "semi-untethered" (requires re-signing via an app every 7 days).

Here is the complete guide for both scenarios.


Legacy and Significance

The iOS 9.3.5 untethered jailbreak is significant for several reasons. First, it proved that Apple’s most aggressively patched system could still be tamed. Second, it extended the life of 32-bit and older 64-bit devices (iPhone 4s, iPhone 5, iPad 2, iPad 3) that could not upgrade past iOS 9.3.5, allowing them to run modern tweaks and customization years after their official support ended.

More poignantly, the Phœnix jailbreak is considered the last true untethered jailbreak for a shipping version of iOS. After iOS 9.3.5, Apple introduced rootless security, APFS snapshots, and more robust KPP/KTRR (Kernel Text Read-Only Region) protections on the A11 chip and later. Subsequent jailbreaks—for iOS 10 through iOS 16—have been semi-untethered or semi-tethered (e.g., Electra, unc0ver, Taurine, Dopamine). As of 2026, no untethered jailbreak has been publicly released for any iOS version beyond 9.3.5.

Step 2: The "Degrade" Process (If on 9.3.5)

Note: This does not actually downgrade; it upgrades you to 9.3.6 and patches the kernel.

  1. Connect your device to the computer.
  2. Put your device into DFU mode.
  3. Use the specific "Degrade" tool (often built into newer Kok3r9 installers) to flash the modified firmware.
  4. Once completed, your device will boot into iOS 9.3.6 with the jailbreak applied automatically.

For 32-bit devices (iPhone 4s, iPad 2, etc.)

C. The "Why Bother?" Factor

Most users stay on 9.3.5 for legacy app compatibility, not daily driving. An untethered jailbreak requires:

Security researchers sell these chains to Zerodium (paying up to $500k for iOS 9 untethered). No one has donated one to the public community.

Technical Deep Dive: The Boot Chain

To visualize the untethered process on iOS 9.3.5:

  1. Initial Application: The user runs the Phœnix app (side-loaded via Cydia Impactor). The app deploys the v0rtex exploit to gain root and disable KPP for the current session.
  2. Persistence Installation: The jailbreak writes a small plist file and a bootstrap executable to /System/Library/LaunchDaemons (a directory that launchd reads at boot). Crucially, it modifies a low-level kernel flag stored in NVRAM (non-volatile RAM) that tells the kernel to treat a specific memory region as executable during early boot.
  3. Reboot: When the device restarts, iBoot loads the kernel. Launchd starts system daemons.
  4. Auto-Re-exploitation: The modified launch daemon triggers the off-by-one memory corruption before the kernel has completely initialized KPP. This gives the exploit a narrow window to patch the kernel’s security flags. Because the patch is applied before KPP is fully active, KPP never detects the change.
  5. Result: The device boots directly into a jailbroken state. Cydia is fully functional, and all tweaks load automatically.

This contrasts sharply with a semi-tethered jailbreak like Yalu102 for iOS 10.2, which required re-running an app after every reboot. Phœnix’s untethered nature was a regression to the golden age of iOS 4-6, but on far more hostile hardware.

2. What "Untethered" Actually Means

| Type | Boot Requirement | Persistence |
|------|------------------|--------------|
| Untethered | Device boots directly into jailbroken state. No computer or re-application needed. | Survives full power cycles. |
| Semi-Untethered | Boots into stock iOS. Must re-run an app (e.g., Phoenix, kok3shi9) to re-enable jailbreak after each reboot. | Lost after reboot. |
| Tethered | Requires computer to boot every single time. | Device won't boot at all without computer. |

The last untethered jailbreak for any modern-ish iOS was Pangu9 for iOS 9.0-9.1 (released 2015). Since then, Apple has systematically killed the primitives that enable untethered persistence.

The Holy Grail of Legacy Devices: Why iOS 9.3.5 Still Lacks a Public Untethered Jailbreak

TL;DR: There is no public untethered jailbreak for iOS 9.3.5. The only public jailbreaks are semi-untethered (Phoenix for 32-bit, kok3shi9 for 64-bit). This post explains why the untethered dream remains unrealized and what that actually means for end users.

Post-Jailbreak: What to Do Next