Next-Generation Jailbreak: How to Hack iOS 11, What the Risks Are, and How the New Method Works
At the end of last year, a Google Project Zero specialist published an exploit for a vulnerability present in all versions of iOS 10 and 11 up to 11.1.2. This opened up an enticing opportunity for jailbreaking. But did the expectations of device hacking enthusiasts come true? What risks does this vulnerability (and working jailbreaks) pose to regular users, and how can hackers benefit from it? Let’s break it down.
What Does Google Have to Do With It?
The jailbreak community has had a hard time in recent years. This is not so much because new versions of iOS are especially secure, but because companies pay big money for discovered bugs. New vulnerabilities are extremely hard to find, and when they are found they are usually sold to Apple or to exploit brokers. The temptation to earn $50,000–$100,000 is strong, so few vulnerabilities become public knowledge.
Enter Google—Apple’s “frenemy.” Yes, Apple pays Google huge sums to store iCloud data on Google’s servers (iCloud is an Apple-managed combination of cloud servers owned by Google, Microsoft, Amazon, and AT&T), and yes, Google releases its own software for iOS devices—but that doesn’t stop Google from publishing information about vulnerabilities found by its Project Zero lab.
The latest vulnerability was discovered by Google’s Ian Beer. The exploit, commonly referred to as tfp0 (after task_for_pid(0), the kernel task port it ends up holding), gave the researcher ready-to-use code for privilege escalation to kernel level on all versions of iOS 10, some versions of macOS, and iOS 11.0–11.1.2.
Google reported the vulnerability to Apple, and Apple released iOS 11.2 to patch it. Later, the information and source code were published.
This move by Google was met with mixed reactions from both regular users and the jailbreak community. Some users felt Google went too far—especially since Project Zero staff have published Microsoft OS vulnerabilities before Microsoft could release patches.
Jailbreak developers also had mixed feelings. Some teams released their own jailbreaks using the ready-made code, without even trying to integrate Cydia (available as open source). Jay Freeman (saurik), creator of Cydia, openly criticized both those rushing to release raw jailbreaks and developers criticizing Cydia.
Regardless, jailbreaks are available. Let’s see how to install them and what makes them different. But first—let’s prepare for the jailbreak process.
Preparing for Jailbreak
Preparation is often overlooked, but if something goes wrong, you may have to update your device to the latest iOS version and restore your data.
Here’s what you should do before attempting a jailbreak:
- Create a fresh backup using iTunes. Be sure to set a password for the backup, even if you think you have “nothing to hide.” A password-protected backup can be restored in full, including the saved passwords in the keychain, to your current device or to another iPhone or iPad. If you don’t set a password, the keychain in the backup is encrypted with a device-specific hardware key, and the backup can only be fully restored to the very device it was created from.
- If something goes wrong, you can always restore your phone from the backup to almost the same state as before the jailbreak.
- Unfortunately, you won’t be able to save SHSH2 blobs: at the time of writing Apple has stopped signing every firmware version for which a jailbreak exists. The exception is the old iPhone 5 and 5c, for which iOS 10.3.3 is still being signed.
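Before running any jailbreak it is worth confirming that the backup you just made actually exists and is encrypted, rather than trusting the iTunes checkbox. The script below is an added example, not part of the original article: it walks the folder where iTunes keeps backups, reads each backup’s Manifest.plist and reports whether the backup is encrypted (the IsEncrypted flag together with the BackupKeyBag that protects the per-file keys and thus the keychain), which device it belongs to and which iOS version it was taken from. The two sample backups written by build_sample_root() are constructed for illustration; the UDIDs and dates in them are invented.

```python
"""Pre-jailbreak check of local iTunes backups (added example, not from the article)."""
import os
import plistlib
import tempfile
from datetime import datetime, timedelta, timezone

# Where iTunes stores backups on macOS. On Windows the folder lives under
# %APPDATA%\Apple Computer\MobileSync\Backup and is passed in explicitly.
DEFAULT_BACKUP_ROOT = os.path.expanduser(
    "~/Library/Application Support/MobileSync/Backup")


def _utcnow():
    # Manifest.plist dates are parsed as naive UTC, so compare in kind.
    return datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)


def inspect_backup(backup_dir):
    """Summarise one backup folder, or return None if it is not a backup."""
    manifest_path = os.path.join(backup_dir, "Manifest.plist")
    if not os.path.isfile(manifest_path):
        return None
    with open(manifest_path, "rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    # An encrypted backup has IsEncrypted set *and* carries the keybag that
    # protects the per-file keys (and therefore the keychain).
    encrypted = bool(manifest.get("IsEncrypted")) and "BackupKeyBag" in manifest
    return {
        "path": backup_dir,
        "udid": lockdown.get("UniqueDeviceID", os.path.basename(backup_dir)),
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "date": manifest.get("Date"),
        "encrypted": encrypted,
    }


def list_backups(root=DEFAULT_BACKUP_ROOT):
    """Inspect every backup under root, newest first."""
    if not os.path.isdir(root):
        return []
    found = [inspect_backup(os.path.join(root, n)) for n in sorted(os.listdir(root))]
    found = [b for b in found if b is not None]
    found.sort(key=lambda b: b["date"] or datetime.min, reverse=True)
    return found


def ready_to_jailbreak(backups, max_age_hours=24):
    """True only if the newest backup is encrypted and fresh enough to trust."""
    if not backups:
        return False
    newest = backups[0]
    if not newest["encrypted"] or newest["date"] is None:
        return False
    return _utcnow() - newest["date"] <= timedelta(hours=max_age_hours)


def write_sample_backup(root, udid, encrypted, ios_version, date):
    """Write a minimal constructed Manifest.plist (sample data, not a real backup)."""
    manifest = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "Date": date,
        "Lockdown": {"UniqueDeviceID": udid, "ProductVersion": ios_version},
    }
    if encrypted:
        manifest["BackupKeyBag"] = b"\x00" * 16  # placeholder; a real keybag is binary
    os.makedirs(os.path.join(root, udid), exist_ok=True)
    with open(os.path.join(root, udid, "Manifest.plist"), "wb") as fh:
        plistlib.dump(manifest, fh)


def build_sample_root():
    """Create a temp folder with two constructed backups and return its path."""
    root = tempfile.mkdtemp(prefix="mobilesync-")
    write_sample_backup(root, "00008020-000A1B2C3D4E5F60", True, "11.1.2", _utcnow())
    write_sample_backup(root, "0123456789abcdef0123456789abcdef01234567", False,
                        "10.3.3", _utcnow() - timedelta(days=30))
    return root


if __name__ == "__main__":
    sample_root = build_sample_root()
    for b in list_backups(sample_root):
        state = "encrypted" if b["encrypted"] else "NOT encrypted"
        print(f"{b['udid']}  iOS {b['ios_version']}  {b['date']}  {state}")
    print("ready to jailbreak:", ready_to_jailbreak(list_backups(sample_root)))
```

Run it against the real folder with `list_backups()` (no argument) on a Mac; on Windows pass the MobileSync\Backup path. If the newest entry reports “NOT encrypted”, delete it and take a new backup with a password before going any further.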
Installation
All new jailbreaks based on the Google Project Zero vulnerability are installed the same way. Existing Yalu jailbreaks are installed similarly. Here are the steps:
- Download the jailbreak IPA file (links below) and the Cydia Impactor app.
- Connect your iPhone to your computer and establish trust by confirming the “Trust this computer?” prompt. (Note: For iOS 11, you’ll need to enter your device passcode at this stage; for iOS 10, you won’t.)
- Launch Cydia Impactor and drag the jailbreak IPA file onto it.
- Cydia Impactor will ask for your Apple ID and password. Any active Apple account will do, and a freshly created throwaway account is preferable to your main one, since you are typing the credentials into a third-party tool. If the account has two-factor authentication enabled, generate an app-specific password at appleid.apple.com and enter that instead of the account password.
- The IPA file will be signed (the certificate is valid for only seven days!) and uploaded to your device. You’re not done yet; to launch the file, you’ll need to confirm that you trust the digital signature.
- To confirm trust, go to Settings → General → Profiles & Device Management (on some iOS versions the menu is simply called Profiles or Device Management) and tap Trust for the developer profile. Your phone needs internet access at this point so that it can verify the certificate with Apple’s servers.
- Only after this can you finally launch the jailbreak. If successful, your phone will be jailbroken and you’ll have access to the device’s file system.
What happens next depends on the specific jailbreak. The presence (and functionality) of Cydia, support for Cydia Substrate, code injection, and bypassing unsigned app restrictions may or may not be included in different tools.
All jailbreaks share one limitation: they only work for a limited time (the community calls this semi-untethered). After each device reboot, you’ll need to re-run the jailbreak app on the device, and every seven days you’ll have to repeat the whole sideloading process because the signing certificate expires. The exception is a paid developer or enterprise Apple ID, whose certificates last far longer, but using such accounts to sign jailbreaks puts the account itself at risk.
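The seven-day limit comes from the provisioning profile that Cydia Impactor embeds in the IPA when it re-signs it with a free Apple ID. The script below is an added example, not from the original article nor from Cydia Impactor or any jailbreak project: it opens an IPA (a zip archive), pulls Payload/<App>.app/embedded.mobileprovision and reads the XML plist carried inside its CMS (PKCS#7) wrapper to report when the profile expires, which team signed it and which device UDIDs it is bound to, so you can see exactly when a re-sign is due. The IPA built by make_sample_ipa() and every name and identifier in it are constructed for illustration; the bytes around its plist are padding, not a real signature, and the signature is not verified.

```python
"""Inspect the provisioning profile inside a sideloaded IPA (added example)."""
import io
import plistlib
import zipfile
from datetime import datetime, timedelta, timezone

PROFILE_NAME = "embedded.mobileprovision"
FIXED_NOW = datetime(2018, 1, 1, 12, 0, 0)  # constructed reference time


def extract_profile_plist(provision_bytes):
    """Return the plist dict embedded in a .mobileprovision file.

    The profile is DER-encoded CMS SignedData whose payload is an XML plist,
    so the plist can be cut out between its <?xml and </plist> markers
    without an ASN.1 parser. The CMS signature is not verified here.
    """
    start = provision_bytes.find(b"<?xml")
    end = provision_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(provision_bytes[start:end + len(b"</plist>")])


def inspect_ipa(ipa_bytes, now=None):
    """Summarise the embedded profile: who signed it, for which devices, until when."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/" + PROFILE_NAME)]
        if not names:
            raise ValueError("no embedded.mobileprovision: IPA is not signed")
        profile = extract_profile_plist(zf.read(names[0]))
    expires = profile["ExpirationDate"]
    ents = profile.get("Entitlements", {})
    return {
        "team": profile.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "devices": list(profile.get("ProvisionedDevices", [])),
        "expires": expires,
        "days_left": (expires - now).days,
        "expired": expires <= now,
    }


def make_sample_ipa(now=FIXED_NOW, valid_days=7):
    """Build an in-memory IPA around a constructed free-developer profile."""
    profile = {
        "AppIDName": "Jailbreak",
        "TeamName": "Example Free Developer",          # constructed
        "TeamIdentifier": ["ABCDE12345"],              # constructed
        "CreationDate": now,
        "ExpirationDate": now + timedelta(days=valid_days),
        "ProvisionedDevices": ["00008020-000A1B2C3D4E5F60"],  # constructed UDID
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.jailbreak",
            "get-task-allow": True,
        },
    }
    # Padding on both sides stands in for the DER/CMS wrapper of a real profile.
    provision = b"\x30\x82\x0b\xad" + plistlib.dumps(profile) + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Jailbreak.app/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.jailbreak"}))
        zf.writestr("Payload/Jailbreak.app/" + PROFILE_NAME, provision)
    return buf.getvalue()


if __name__ == "__main__":
    info = inspect_ipa(make_sample_ipa(), now=FIXED_NOW)
    print(f"team: {info['team']}  app id: {info['app_id']}")
    print(f"bound to: {', '.join(info['devices'])}")
    print(f"expires {info['expires']} ({info['days_left']} days left, "
          f"{'EXPIRED' if info['expired'] else 'valid'})")
```

To check a real file, read the signed IPA into bytes and call `inspect_ipa()` on it; the `devices` list should contain only your own UDID, and a `days_left` of 7 right after signing is what a free Apple ID gives you.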
Jailbreak Tools for iOS 10–11.1.2
So, what jailbreaks based on this vulnerability are available? There are quite a few, but only a handful are truly useful. Here are the main ones:
- h3lix (iOS 10.0–10.3.3, 32-bit)
- Meridian (iOS 10.0–10.3.3, 64-bit)
- g0blin (iOS 10.3.x, 64-bit, A7–A9 only)
- LiberIOS (iOS 11.0–11.1.2)
- Electra (iOS 11.0–11.1.2)
h3lix: iOS 10 for 32-bit Devices
h3lix is a typical representative of the new generation of jailbreaks. It supports the 32-bit devices that can run iOS 10 at all (iPhone 5, iPhone 5c and the fourth-generation iPad) on any version of iOS 10. The developers included Cydia, so installing unsigned apps is easy. We found no major issues with this jailbreak and recommend it for any 32-bit device on iOS 10.
Meridian: iOS 10 for 64-bit Devices
Meridian jailbreaks 64-bit devices (iPhone 5s through iPhone 7 Plus and the corresponding iPads; the iPhone 8 and X shipped with iOS 11 and never ran iOS 10) on any iOS 10 version. In our testing this jailbreak was quite finicky, so if your phone is on iOS 10.2.1 or older it’s better to use Yalu or Saigon. Cydia is included; to get the app store working, don’t forget to tap “extract dpkg” right after jailbreaking.
g0blin: iOS 10.3.x, 64-bit, A7–A9 Only
g0blin stands out for supporting only a limited set of device and iOS combinations: iPhone 5s through iPhone 7/Plus and iPads with A7, A8 and A9 processors, on iOS 10.3–10.3.3 only.
Why use this specialized jailbreak when Meridian covers the same devices? g0blin is a bit more stable and better tuned to the combinations it supports. The first release (RC1) includes an SSH server (dropbear); the second (RC2) does not, so you’ll need to install OpenSSH from Cydia.
iOS 11.0–11.1.2: LiberIOS and Electra
For iOS 11, there are at least two jailbreaks: LiberIOS and Electra. Both use the same code, but the developers’ approaches differ.
The LiberIOS developer is strongly against Cydia. Cydia is not included (and won’t be), so this jailbreak is mainly for research purposes.
Electra, on the other hand, includes both SSH and the Cydia app store. This is the jailbreak we recommend.
Features of iOS 11 Jailbreaks
iOS 11 jailbreak tools use a new approach called KPP-less. KPP (Kernel Patch Protection) is a kernel integrity check mechanism that Apple introduced in iOS 9 on 64-bit devices. It verifies the integrity of the kernel’s code and read-only data both at boot and during operation, and the checks run at unpredictable times. If you hack the device and KPP catches a modified kernel, the phone simply panics and reboots. KPP was designed to stop jailbreaks and, in theory, kernel-level malware. (On A10 and later chips the same job is done in hardware by KTRR, so a patched kernel is not an option there either.)
Classic jailbreaks tried to disable KPP (KPP bypass), as seen in Pangu and Yalu jailbreaks. iOS 11 jailbreaks based on the new vulnerability take a different approach: instead of modifying the kernel, they modify other system parts not checked by KPP. Apple could add checks for these areas in future updates, but for now, this works.
The downside? Cydia Substrate relied on the kernel patches that every older jailbreak made, so a KPP-less jailbreak needs substantial changes to Substrate before tweaks work. Currently, Electra is the only jailbreak with Cydia support on iOS 11.
If you’re interested in how KPP works and how hackers bypass it, check out: How Kernel Patch Protection Works and How Hackers Bypass KPP.
Rollback Possibility
Keep in mind: jailbreaking may be irreversible. This doesn’t mean you can’t restore your device via iTunes or reset it to factory settings. Let’s see what happens in each case.
Suppose you jailbroke your phone on iOS 11.1.2. After some time, errors from experiments cause problems. What are your options?
- You can try resetting the phone to factory settings. Your data will be erased, but traces of the jailbreak (and possibly some tweaks) may remain, causing instability and preventing proper OTA updates. So, a factory reset may help, but not if there are serious issues.
- You can always restore the device via iTunes, which downloads and installs the latest iOS version.
But what if you don’t want the latest iOS version, which may not have a jailbreak? If you want to stay on the version you jailbroke:
To update or reinstall iOS, your iPhone must contact Apple’s server for a digital signature, valid only for your device and a specific iOS version. Apple controls this process. If Apple stops signing a version, you can’t install it. For iOS 11, Apple stopped signing 11.1.2 long ago, so you can only restore to the current (or sometimes previous) signed version.
If Apple were still signing iOS 11.1.2, you could save SHSH2 blobs (see instructions on 4PDA or similar guides) and use them to restore your iPhone to that version in the future. But you can only save blobs while Apple is still signing the version.
There’s still a way! Instead of SHSH2 blobs, you can try saving an APFS root file system snapshot right after jailbreaking. With Electra, the necessary APFS snapshot is created during the jailbreak. Restoring the APFS image after jailbreaking lets you roll back to a known good system copy.
How does this work, and what is an “APFS image”?
APFS snapshots aren’t files stored in a folder. The closest analogy is a Windows “System Restore” image. Here’s how Electra works (info from Coolstar, Electra’s developer):
- Before jailbreaking, Electra checks the file system’s state (if another jailbreak or many tweaks are installed, the check fails).
- If the file system is “clean enough” (a stock system, or one carrying only a pre-release Electra build and no tweaks), an APFS snapshot of the root file system is created.
- If another jailbreak or dangerous modifications are detected, Electra asks for confirmation before proceeding.
Great, the snapshot is created! But how do you restore a clean OS from this image and remove jailbreak traces? The required tool (called SemiRestore11) isn’t ready yet, but Coolstar promises to release it soon.
In the future, you’ll be able to use this tool, but note: it restores the snapshot to the state “right after jailbreaking,” so file system changes made during jailbreak installation won’t be restored.
To fully remove jailbreak traces, you’ll also need to reset the device to factory settings (Reset → Erase All Content and Settings). This wipes all user data in /var, leaving you with a clean system on the same iOS version (11.0–11.1.2).
For now, just wait. Using old versions of SemiRestore or unknown tools from untrusted sources is strongly discouraged.
What Are the Risks?
A vulnerability that allows superuser access is serious. But is this iOS vulnerability really dangerous for regular users?
Let’s see. To exploit the vulnerability and hack a device, you need to make a conscious effort, perform several non-trivial steps, and unlock the phone and establish a trusted connection with a computer. For iOS 11, you need to unlock the phone and enter the passcode. If the passcode is known, you can create a backup (including all browser passwords—like social media logins), and if the backup is password-protected, the password can be reset in a few clicks. With the passcode, you can reset or change the iCloud password, lock or erase all devices on the same Apple account, and even unlink the phone from iCloud without knowing the Apple ID password. We’ve covered this in the article “What You Can Do With an iPhone If You Know the Passcode.”
So what extra risk does this vulnerability pose? For regular users, not much. Most will never encounter it: all App Store apps are moderated, and an app exploiting this vulnerability won’t be approved.
Police may use jailbreaks to extract extra information from devices (physical data extraction, e.g., with Elcomsoft iOS Forensic Toolkit). You could do this too, but is it worth it? Compared to what you can get from a password-protected backup, physical extraction gives access to downloaded emails, system logs, and detailed device location history. You can access app sandboxes—like analyzing chats in Telegram, WhatsApp, or Facebook Messenger—and view browser temp files. This is useful for law enforcement, but do you need it? Given that there are few useful tweaks for iOS 11 (and old ones may not work), iOS 11 jailbreaks are mainly for developers, security experts, and police.