What is Jailbreak?


Jailbreaking is the process of removing software restrictions imposed by Apple on iPhones and iPads, granting users root access to the operating system.

A jailbreak is the process of obtaining arbitrary code execution on an Apple device by exploiting the kernel and associated security mechanisms, including AMFI, PAC, PPL, KPP, and KTRR. The result is root-level access to the operating system, allowing users to install unapproved software, customise the interface, and modify system behaviour beyond what Apple permits.

Jailbreaking is distinct from carrier unlocking: an unlock allows a device to work on different networks, while a jailbreak grants system-level code execution. A jailbreak is the prerequisite for unofficial activation (hacktivation) and unofficial unlocking.

How it works

Early jailbreaks patched /private/etc/fstab to remount the system partition as read-write, and modified the AFC service used by iTunes to expose the full filesystem. Modern jailbreaks modify kernel variables in memory at runtime rather than patching the kernel directly, working around the hardened protections introduced by KPP and KTRR. Jailbreaks based on the checkm8 bootrom exploit are an exception: the exploit operates at the hardware level and bypasses these restrictions entirely.
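
A defender-side check for the fstab change described above, as an added example that is not part of the original page: it parses an fstab taken from a filesystem extract and flags a system partition that is not mounted read-only. The sample tables, device names and the function names parse_fstab and audit_fstab are constructed for illustration.

```python
# Added example: audit an fstab recovered from a device filesystem extract.
# Both sample tables are constructed for illustration, not taken from a device.
STOCK_FSTAB = """\
/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw,nosuid,nodev 0 2
"""

PATCHED_FSTAB = """\
# constructed example of a modified table
/dev/disk0s1 / hfs rw 0 1
/dev/disk0s2 /private/var hfs rw 0 2
"""


def parse_fstab(text):
    """Yield (device, mount_point, fs_type, options) for each usable entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: too few columns to interpret
        device, mount_point, fs_type, opts = fields[:4]
        yield device, mount_point, fs_type, set(opts.split(","))


def audit_fstab(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root_seen = False
    for device, mount_point, _fs_type, opts in parse_fstab(text):
        if mount_point != "/":
            continue
        root_seen = True
        # The indicator the page describes: system partition no longer read-only.
        if "ro" not in opts:
            shown = ",".join(sorted(opts))
            findings.append(f"{device}: system partition not read-only ({shown})")
    if not root_seen:
        findings.append("no entry for / found; table incomplete or replaced")
    return findings


if __name__ == "__main__":
    for name, table in (("stock", STOCK_FSTAB), ("patched", PATCHED_FSTAB)):
        print(name, audit_fstab(table) or "no findings")
```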

Types

Tethered

The device must be connected to a computer and the jailbreak re-applied every time it boots. Without a computer it will not boot at all. This type is rare today, as Apple introduced signature checks for the bootchain starting with the iPod touch 2G and iPhone 3GS. Examples: blackra1n, 4039, orangesn0w.

Semi-tethered

Similar to tethered, but the device can boot on its own into an unjailbroken state. A computer is only needed to restore jailbreak functionality after a reboot. These tools send a custom bootchain without modifying the default one. Examples: checkra1n, palera1n, opensn0w.

Untethered

The jailbreak is run once and the device remains jailbroken indefinitely, including across reboots. Historically the dominant method, deliverable via Safari (JailbreakMe) or a computer (redsn0w, Absinthe, Pangu). Largely obsolete after iOS 9. Examples: Pangu, Absinthe, JailbreakMe.

Semi-untethered

The device boots into an unjailbroken state; an on-device app re-applies the jailbreak each time. The most common modern approach. Due to Apple signing restrictions, the app must be re-signed every 7 days (or annually with a paid developer account). Tools like ReProvision Reborn automate this; on firmwares compatible with TrollStore, the app can be permanently signed to avoid expiry. Examples: unc0ver, Taurine, Chimera, Dopamine.

Notable tools

checkra1n is a semi-tethered jailbreak based on the checkm8 bootrom exploit, covering iPhone 5s through iPhone X. Because the flaw exists in hardware, Apple cannot patch it through software updates, making it permanently viable for supported devices.

unc0ver, developed by Pwn20wnd, is a semi-untethered jailbreak using software-based tfp0 (task_for_pid(0), the kernel task port) exploits. It supports a wide range of devices from iOS 11 through iOS 14 and beyond, and does not require a computer after the initial installation.

palera1n is the modern successor for checkm8-compatible devices targeting iOS 15 and later. It is semi-tethered and, like checkra1n, requires a computer to restore the jailbreak state after each reboot.

Dopamine and Taurine, both from the Odyssey Team, are semi-untethered jailbreaks targeting iOS 15/16 and iOS 14 respectively. Both use Sileo as their default package manager.

Bootstraps and semi-jailbreaks

Some tools stop short of a full jailbreak. A bootstrap uses a CoreTrust bug to run basic tweaks without kernel read/write access. The device stays close to a stock environment, reducing the risk of kernel panics, but tweak injection (SpringBoard tweaks, AppSync Unified, custom LaunchDaemons) is not supported.

A semi-jailbreak adds kernel read/write on top of the CoreTrust bypass, enabling most jailbreak functionality. This allows patching of launchd to support custom binaries and LaunchDaemons, and improved tweak injection, even on arm64e devices where full jailbreaks remain difficult due to PAC, SPTM, and TXM restrictions.

Legal status

The legality of jailbreaking varies by jurisdiction. In the United States it is permitted under a DMCA exemption for phones, though it voids the manufacturer warranty. Several other countries also allow it; others restrict or prohibit the practice. Wikipedia maintains a country-by-country overview.


© 2026 iOSBuddy. Firmware data provided by ipswdl.com API. Not affiliated with Apple Inc.