Ios 9.3 6 Jailbreak Untethered May 2026
On 64-bit devices, Apple introduced KPP (Kernel Patch Protection). iOS 9 on 32-bit devices does not have KPP, but it does have KASLR (Kernel Address Space Layout Randomization). While 32-bit devices are easier to exploit, untethered requires a bootrom-level exploit or a persistent kernel code injection that survives a reboot.
The last true untethered jailbreak for a 32-bit device was iOS 9.1 (Pangu9). Everything after 9.1 moved to semi-untethered because the exploits required to persist across reboots were burned by Apple or reserved for higher bounties.
There is currently no official fully untethered jailbreak released for iOS 9.3.6. While some community projects like p0laris aimed to develop one, they remain unfinished or abandoned.
Existing methods for iOS 9.3.6 are semi-untethered, meaning you must re-run a "kickstart" app every time your device reboots to reactivate Cydia and your tweaks. Recommended Jailbreak Tools ios 9.3 6 jailbreak untethered
For 32-bit devices (iPhone 4S, iPad 2/3, iPad Mini 1, iPod Touch 5), the following tools are standard:
Phoenix: The most common tool for these versions. It is semi-untethered and requires sideloading an IPA file.
kok3shi9: Often cited as more modern and reliable than Phoenix, with a higher exploit success rate. On 64-bit devices, Apple introduced KPP (Kernel Patch
p0laris: Another semi-untethered option developed specifically for legacy devices. How to Jailbreak (Phoenix Method)
Since certificates for "no computer" methods are often revoked, using a computer is the most reliable way to install the jailbreak.
Here’s a concise, step-by-step guide to jailbreak iOS 9.3.6 on a 6 (iPhone 6) with an untethered approach — covering preparation, the tool to use, and post-jailbreak steps. (Assumes device is iPhone 6 running iOS 9.3.6.) When combined, this allows a true bootROM-level persistence
Warning: Jailbreaking can void warranty, may cause instability, and can expose device to security risks. Back up before proceeding.
The exploit chain uses three core components:
When combined, this allows a true bootROM-level persistence – meaning even a hard reboot retains full root access.