Gone are the days of radio silence, followed by the single release of a finished jailbreak tool for all devices. As the scene moves from funded teams working in secrecy, to public exploits being worked on co-operatively by individual developers in an open forum, the workflow has also changed.

We now hear incremental updates, sometimes multiple times a day, which are more technical and reinforce, modify, or even invalidate previous news. That’s why we’ve put together a quick round-up of the current state of affairs, which will bring you up to date.

The exploits

There are two exploits at play here, but they both use the same vulnerability. What this means is that they both capitalise on the same fundamental weakness in iOS, but the methods they use to do so are unrelated. For iOS 10.x (up to and including iOS 10.3.3), we have v0rtex by Siguza. The source code for this exploit has been out for a while, as has a useful write-up for other developers. Interestingly, this exploit can also be adapted for 32-bit devices, and may well be.

For iOS 11.x (up to and including iOS 11.1.2, not higher), we have async_wake by Ian Beer. He is known for finding iOS bugs as part of Google’s Project Zero, and was responsible for the bug behind the extra_recipe tool too.

The problems

Just because we have an exploit doesn’t mean we have a jailbreak tool yet. The raw code of the exploits must be combined with various patches to create what the average user would consider a jailbreak. These include disabling iOS protections (such as amfi, Apple Mobile File Integrity, which enforces code signing), enabling filesystem access (r/w on /), and more.

Various offsets are usually also required to add support for all devices. It must then be wrapped into a foolproof package containing Cydia and Substrate, which may themselves need changes to work with a new jailbreak’s quirks.

Additionally, the iPhone 7 (Plus) and all newer devices have hardware protections which could require an extra workaround to avoid. So even a full jailbreak for older models does not necessarily mean the job is done for the recent flagships.

Having said that, progress is being made.

Current progress

async_wake for <=iOS 11.1.2
The original version consisted of the kernel exploit necessary to get tfp0. To that have been added:

  • A patchfinder
  • Support for all devices (using an offset-less method)
  • Read and write on “/” (the root of the filesystem)
  • Basic patches for amfi

What it needs:

  • A bypass for KPP, or a KPP-less approach. The latter is looking more likely now, though it will require a re-write of Cydia Substrate
  • Cydia and Substrate to be packaged with it. Cydia has been demoed, but is essentially broken at present
  • Further patching of system protections such as amfid
  • A solution to KTRR hardware protection on the iPhone 7 and newer might be needed; older devices would not need this

It seems that every one of the above things is being worked on to some extent currently, which is encouraging. Versions of the exploit which bundle a file browser and SSH are already floating around, though they are far from complete as of yet. I would hold off on trying anything until it’s all come together under one roof. All in all, it’s looking pretty hopeful!

v0rtex
The exploit gets tfp0 and works on all devices from A7 to A10 (iPhone 5s to iPhone 7(+)), i.e. every 64-bit device which ever had iOS 10. It now has read-write access on “/” too.

What it needs:

  • A bypass for KPP, or a KPP-less approach. The latter is looking more likely now, though it will require a re-write of Cydia Substrate
  • Patches to amfi for unsigned code execution
  • Cydia and Substrate to be packaged with it
  • A solution to KTRR hardware protection on the iPhone 7(+) might be needed; older devices would not need this
  • Offsets added to properly support all devices
  • 32-bit support – this might come from tihmstar at some point

It currently looks like the iOS 11 work is slightly ahead of iOS 10, probably due to community enthusiasm, though v0rtex can make use of more already-known techniques. I think it won’t be long before they’re both finished, to some usable extent.

Related news

Apple TV 4 and Apple TV 4K
The exploit present in <=iOS 11.1.2, and used by async_wake, is also present in <=tvOS 11.1! This means that a liberTV jailbreak for both the Apple TV 4 and 4K is possible using the same work. Based on Jonathan Levin’s comments it looks like it will be happening too, though patience is requested.

Jailbreak toolkit
Also from Levin, this developer toolkit aims to make constructing a jailbreak easier on future occasions, by providing certain core functionalities that can simply be combined with new exploits as they become available. Not much more information is available, but it is due to be released soon.

32-bit
A final jailbreak is now possible for legacy devices, meaning they could be jailbroken on the last iOS version they will ever receive. v0rtex has the potential to work on 32-bit, and a port will surely eventually arrive.

Saïgon
The iOS 10.2.1 tool now uses v0rtex to jailbreak, making it more reliable. It’s also good news because it gives v0rtex an already completed tool to piggyback on. This could increase the speed with which v0rtex becomes a full jailbreak, because some of the patches and wrapping up have already been done in Saïgon. We’ll have to see if that turns out to be true.

v0rtexNonce
This tool uses the v0rtex exploit to set a nonce on your device on iOS 10.3.x. This allows A7 devices to futurerestore to iOS 10.x and iOS 11.x, and other devices to futurerestore to iOS 11.x. This will be useful to move to iOS 11.1.2 later, to jailbreak with async_wake. I have used v0rtexNonce and it works well.

futurerestore/Prometheus
A final piece of encouraging news, though it has not been thoroughly tested yet, is that futurerestore may work on iOS 11 after all. With a few minor updates the tool still runs, and an early test seems to have shown that the iOS 11.2 SEP and baseband are compatible with iOS 11.1.2. This means, as I optimistically predicted previously, that people who saved iOS 11.1.2 blobs when it was being signed might be able to jump to iOS 11.1.2 at a later date, after async_wake is finished.

To work, futurerestore requires a SEP and baseband from a currently signed firmware, so if every signed firmware has a SEP incompatible with the version you want to move to, it will fail. This is what killed futurerestores to iOS 10: all the currently signed SEPs (from iOS 11) are incompatible with it. Only A7 devices such as the iPhone 5s can futurerestore to iOS 10 now.

Conclusion

Everything’s coming up Milhouse! Good progress is being made on an iOS 11, an iOS 10, and a tvOS 11 jailbreak, 32-bit devices might get back in on the action one final time, and saved blobs might let currently jailbroken users join the iOS 11 party any time they feel like it.

However, although likely, not all of this is set in stone yet. For that reason, be cautious. Don’t take any risks updating, (future)restoring, or installing half-finished jailbreak tools until they are complete and tested. Do not pester developers about release dates. Save your blobs and block your updates. With luck, we’ll get a jailbreak for Christmas…

  • David Gow

    I still believe

  • Omri Kug

    Keep up the good work idb I love you guys

  • Umut Topuz

    Means you may not see a real jb for 10.3.3 below in 2 months. Don’t expect for iOS 11 in near future like till March or April. Nothing major

    • Joaquim Barbosa

      I’m not so sure. The list of things which have already been added to them (see above) came in the space of less than a week. It’s possible the list of things they still need (see above) could come just as quickly. We’ll just have to wait and see. Thanks for reading!

  • Dao Sasone

    I would say Xmas time for release. Iph x.

  • Joshfei

    Is there a way to buy an iPhone X with 11.1.2 or lower by going directly into a store?

    • Mut

      I would assume most of them don’t have 11.2 as it just came out last week.

      • Joshfei

        cool, I am planning on going Wednesday and keeping my fingers crossed for one.

      • Ian Ellis

        I just picked up one yesterday and it came with 11.1.2

      • Joshfei

        you must be a very happy consumer!

  • Chris Ryan

    Great article. Thorough, clear and concise

  • Andrew

    Very well written. I’ve been away from the community for the past little while due to exam season, and missed a lot. Now I think I’m all caught up, thanks!

    I’m glad futurerestore is still working. I missed the signing window for 11.1.2, but I have the blobs saved.

  • pnh

    What I’m glad about is that iDB is still covering all the latest jailbreaking news in such detail. You have always been my primary source for tutorials, tweak reviews, and general news, and it’s great that you continue to be so.

  • Nigel Murray

    I love Christmas time.

    • Iskren Donev

      Indeed, Merry Christmas!

  • Kevin Ferenczi

    Savinf

  • Max Otten

    I feel kinda sad since I’m on jailbroken iOS 10.0.2 but I really want to go to iOS 11, but iDB suggested not to update to iOS 11.1.2 if you were already jailbroken on iOS 10. But now iOS 11 JB is getting closer, I feel kinda screwed, especially since I never found out how it exactly works with saving blobs and such

    • Joaquim Barbosa

      I stand by that advice, but I did say to save blobs so that you could move later. There have always been guides on how to save them on this site. Anyway, 10.0.2 with a jailbreak is still better than 11.1.2 without a finished one. Let’s just wait and see what happens!

  • Abhinav Chaudhary

    Fearing this would be the future of jailbreaking (waiting in anticipation for a jailbreak) I sold my iPhone 7 to get an S8. While this cat and mouse chase continues over and over in a circle I am happily customising my phone, downloading torrents, playing YouTube in the background, trying out different launchers, custom ROMs. I am so glad I ditched iOS for a greater good.

    • burge

      The cat and mouse game has always been happening with iOS, and it seems you only had an iPhone because it could be jailbroken. Jailbreaking is just a user choice and not a necessity. Android allows this on the simple fact they need sales and what better way to do it than allow customisation. And as for the notch it just breaks the status bar in 2, that’s not really an issue is it. One could argue that the S8 doesn’t utilise the full face of the device. Instead it has a black bar top and bottom of the display face. But you go ahead and download your torrents because you can afford the device but you can’t afford to pay for stuff on the device. No matter how you look at it you’re still a little thief. Jailbreaking is not about what you can steal and get for free. So good riddance to you.

      • Abhinav Chaudhary

        Yes I only had iPhones since 2010 because I was able to jailbreak them. No point paying $1600 (yes, that’s how much it costs here) for a 64GB phone which I can’t even theme but look at the ugly stock iOS icons. Jailbreaking may not be a necessity but I am from a computer science background so it is for me. Notch just breaks the status bar in 2, it’s one way to look at it, for me it’s more of a nonsense. And for your information I don’t pirate digital media, I was using Apple Music and now Google Music with Amazon Prime and a couple of other local streaming apps. I only mentioned downloading torrents because that’s something I can. I’ve got no grudge against you but I personally do not condone the new iPhone, especially without a jailbreak.

      • burge

        I don’t use or look at the battery percentage and I don’t need to as there is a battery icon in the screen that works just fine. Nice try

        So what you’re really saying is you went for the cheaper option. And that’s ok as you think that having a phone is about theming it. Oh, that’s so cute.

      • Abhinav Chaudhary

        Never argue with an idiot, he’ll drag you down to his level and beat you with experience.

      • burge

        Noob, do you know what that even means? I say you don’t.

  • Javier Salinas

    Does anyone know if this will be a semi untethered jailbreak?

    • Joaquim Barbosa

      Yes. Barring a miracle, all future jailbreaks will be semi-untethered. It’s just not worth wasting the exploits needed to make it untethered anymore, and they’re too hard to find. Use Extender: Reloaded to avoid having to re-sign, and avoid rebooting your device; that’s all you can do.

  • David Gow

    I know for a fact I am not receiving anything for Christmas nor am I giving anything. All I would like is a jailbreak for iOS 11.1.2. Thank you for all the work to the people who do this. Merry Christmas