The emergence of a KTRR bypass for arm64e devices has raised a lot more questions than there are answers. If you’re one of many who are confused about what’s happening and whether this will result in a jailbreak anytime soon, then you’ve come to the right place.
At iDB, we strive to break advanced information down to simple language terms, making it so that even the average iPhone and iPad user can understand what something means for them. Today, we’re continuing that tradition with an in-depth Frequently Asked Questions (F.A.Q.) post about the KTRR bypass.
If you find yourself grappling to understand what the latest developments mean for you and the future of iPhone jailbreaking, then perhaps you’ll find your answer here.
KTRR Bypass: Frequently Asked Questions
What is a KTRR Bypass?
To understand what a KTRR bypass is, you must first understand what KTRR is. KTRR is short for Kernel Text Read-only Region.
The name is particularly telling in that it’s a part of the kernel memory that’s supposed to be “read only.” Citing a blog post written by established security researcher Siguza, Apple implemented this mechanism starting with the A10 chip to prevent unauthorized modifications to the iOS kernel at runtime and maintain system integrity – even if the attacker has a kernel exploit up their sleeve.
A KTRR bypass merely bypasses the aforementioned mechanism. Consequently, an attacker can circumvent the “read-only” aspect of this particular region of the kernel memory and charge forward with whatever modifications they like by making it writable, regardless of the security mitigations put in place by Apple.
In short, a KTRR bypass lets an attacker sidestep Apple’s KTRR protections, allowing them to play with the kernel memory however they see fit.
Why am I hearing so much about a KTRR bypass lately?
If you haven’t heard by now, Kaspersky security researchers Boris Larin (@oct0xor), Leonid Bezvershenko (@bzvr_), and Georgy Kucherin (@kucher1n) are aware of and plan to release a KTRR bypass that can be used by jailbreak developers to make a jailbreak tool for certain firmware and device combinations.
The security researchers named above recently unveiled and showed off their research at the 37c3 conference, but no write-ups have been published just yet. That should change in the near future.
What firmware and devices will the KTRR bypass support?
This KTRR bypass in particular will support arm64e devices, namely those with A12-A16 chips inside. M1 and M2 chips are also affected. It’s possible that A17 chips may also be supported, however this isn’t yet confirmed and may remain unconfirmed for some time.
Arm64e devices include the iPhone XS to the iPhone 15 Pro Max. iPhone XS to iPhone 14 Pro Max devices are confirmed to be supported at this time, but we’ll have to wait and see if the iPhone 15 lineup is supported.
In terms of firmware, this is where things get confusing very quickly. Let’s break it down below:
The KTRR bypass will work right out of the box with iOS & iPadOS 16.5.1 and older with simple kernel read/write privileges. To make it work in this situation, any kernel exploit such as the now famous kernel file descriptor (kfd) exploit will suffice.
Worthy of note, kfd only supports up to iOS & iPadOS 16.5, and not 16.5.1, so a separate kernel exploit would be required for the latter. For this reason, a jailbreak for arm64e devices on iOS & iPadOS 16.5 and below seems imminent, but perhaps not for iOS & iPadOS 16.5.1 until another kernel exploit surfaces that supports it.
As for even newer firmware, including iOS & iPadOS 16.6 and later, the KTR bypass must be paired with additional things to achieve a jailbreak. These things may include another kernel exploit, a PPL (Page Protection Layer) bypass, and a PAC (Pointer Authentication Codes) bypass, but other attack chain components may also be required.
Specifically, using the KTRR bypass on iOS & iPadOS 16.6-16.x on any supported arm64e device will require a kernel exploit and a PPL bypass to make a jailbreak. On iOS & iPadOS 17.x, A12-A14 and M1-M2 chip-equipped devices will also require only a kernel exploit and a PPL bypass. Newer A15-A16 (and maybe A17, if supported) chip-equipped devices will require a kernel exploit and something else called a SPTM (Secure Page Table Monitor) bypass to make a jailbreak.
Consequently, a jailbreak on arm64e devices running iOS & iPadOS 16.5.1 and later won’t happen immediately, but a jailbreak on iOS & iPadOS 16.5.1 seems more likely to happen in the short-term than a jailbreak on iOS & iPadOS 16.6 and later due to the PPL bypass requirements for the latter that aren’t associated with the former.
We reiterate that this KTRR bypass is only intended for arm64e devices – A12-A16 (and maybe A17). Older arm64 devices, including the iPhone X and older aren’t affected, and they don’t need to be because those devices already have the unpatchable checkm8 bootrom exploit.
Got it? It’s a little tricky to follow because there are so many device and firmware types and prerequisites for each. But read it over slowly, perhaps one or two more times, and you’ll understand it eventually.
What’s with all the bypasses?
Once upon a time, jailbreak makers only needed to achieve kernel read/write capabilities with a simple kernel exploit. The times of easy hacking are over, as Apple continues to harden iPhone & iPad security with every iteration.
You’re hearing about all these bypasses because Apple continues to put new band-aids over a hemorrhaging problem. While those band-aids make it tougher for attackers to touch what’s underneath, it’s not impossible. Each bypass you read about is a successful circumvention of one of those band-aids.
Is a KTRR bypass the same as a kernel exploit?
This may seem obvious to some, but perhaps not to others. A KTRR bypass is a security vulnerability in Apple’s system, but it is not the same as a kernel exploit. In fact, a KTRR bypass must work alongside a kernel exploit as a part of the larger attack chain to achieve a desired result – generally a jailbreak.
Can the KTRR bypass be patched by Apple?
A KTRR bypass is a hardware-based vulnerability that circumvents security mechanisms in Apple’s SoC (system on a chip) to grant unauthorized access kernel memory.
Since it is hardware-based instead of software based, Apple can’t fix it with a mere software update. All affected devices in circulation today will remain affected by the KTRR bypass for their operational lives, even as they receive major software updates on an annual basis.
Apple can only put software barricades in front of hackers who might try to utilize the KTRR bypass, but a skilled hacker can penetrate even those defenses.
I’ve heard that a KTRR bypass is like checkm8 for newer devices, is that true?
I’ve witnessed a lot of people on Reddit and X claiming that the recent KTRR bypass discovery is tantamount to checkm8 2.0. Let me get something straight here. It’s not.
If you recall, checkm8 was a bootrom exploit. On the contrary, a KTRR bypass is a vulnerability in one of Apple’s kernel memory security mitigations. While both are hardware-based exploits, and neither one can be patched by Apple with a software update, they are not one in the same.
Since checkm8 was a full-blown bootrom exploit, it could be used to jailbreak a device in and of itself. A KTRR bypass can’t be used to jailbreak a device by itself; instead, it needs to be paired with a kernel exploit, and potentially other bypasses as a part of an attack chain to make a jailbreak.
Both are powerful, both are hardware-based, and the KTR bypass likely is the biggest thing to happen in jailbreaking since checkm8. But KTRR bypasses are not the same as bootrom exploits such as checkm8 or limera1n. Understand this distinction and you can easily debunk misinformation online.
When will we get a jailbreak based on the KTRR bypass?
Hold your horses, pal.
The KTRR bypass was only just discussed, and no documentation has been uploaded online for the public to view yet. This means that even jailbreak makers haven’t had the chance to go over the documentation yet.
What does this mean? It means that a jailbreak hasn’t even been started yet. When the documentation is uploaded, jailbreak makers will analyze it to decide their best approach to making a jailbreak, after which they will begin their work.
Creating a jailbreak tool after the documentation gets published can take weeks or even months. Not only does the tool need to be built, but a user interface needs to be made, it needs to be thoroughly tested to ensure it doesn’t throw your iPhone or iPad into a boot loop, and then software dependencies need to be updated to support the newer firmware. All of this must happen before you, the end user, can use it.
Will the jailbreak be semi-tethered, or semi-untethered?
The KTRR bypass really doesn’t have anything to do with the tether status of the jailbreak. We’re likely to get a semi-untethered jailbreak app that we can perma-sign with TrollStore, just like most jailbreak tools today.
To learn more about the differences between tethered, semi-tethered, semi-untethered, and untethered jailbreaks, be sure to read our detailed piece about them.
What should I do?
If you’re awaiting a jailbreak, the best thing to do is to stay on the lowest possible firmware and avoid software updates.
Lots of people just recently updated to iOS & iPadOS 17.0 by using the DelayOTA method to enjoy TrollStore 2.0 on the latest supported version of iOS & iPadOS, but I’m sure many of them are kicking themselves right about now as they could have stayed on a soon-to-be-jailbroken firmware.
I personally advocated against doing this because I have followed the cardinal rule of staying on the lowest possible firmware for years. I also knew that with the kfd exploit lingering about, it was only a matter of time before a bypass of some kind dropped. And now here we are with a KTRR bypass…
Stay where you are and avoid the temptation to update unless you’re sure that you can jailbreak or that you will be able to jailbreak in the near future.
Will iDB tell me when a jailbreak is available?
Yes. Your friends at iDB are always ready to report on the latest jailbreaking news as it happens.
We recently procured an arm64e device on iOS 16.2, so we’re ready to pounce on a jailbreak as soon as one drops. When we do, you’ll get the convenience of illustrated step-by-step tutorials to follow, in-depth jailbreak tweak reviews, and much more.
Wrapping up
There’s a lot to digest when it comes to the KTRR bypass. This is big news, and it has the potential to shape the jailbreaking community to years to come – especially since Apple only just this year killed the iPhone X, the last checkm8-compatible device, with iOS 17.
The KTRR bypass affects devices as new as the iPhone 14 lineup, and if we’re lucky, perhaps even the iPhone 15 lineup. It’ll be a while before Apple kills those devices off…
If you have any further questions about the KTRR bypass, or how it may affect jailbreaking, feel free to drop a comment below.