
Unc0ver Jailbreak for iOS 11.0 to 13.5 - ValentineC
https://unc0ver.dev/?released
======
WantonQuantum
I absolutely support people's right to jailbreak devices they own and over the
years I've jailbroken my phone or iPad for one reason or another.

Having said that, unless there's something specific you're looking for, it's
not really worth the effort these days and has potential downsides.

The biggest downside is that you might find some existing apps on your phone
can detect that the phone is jailbroken and refuse to start. There are obvious
security reasons for apps like banking apps to do this but also many online
gaming apps won't run if they detect that the device is jailbroken in order to
deter cheating.

There's an ongoing arms-race between app developers and jailbreakers where
jailbreakers try to avoid detection and app developers find new ways to detect
jailbreaks. So a new jailbreak will probably not be detected until a few weeks
or months later when the app is updated.

Source: I used to work for a company that makes phone software that needs to
be secure and so would attempt to detect jailbreaks.

~~~
AnthonyMouse
> There are obvious security reasons for apps like banking apps to do this

This is obviously wrong. It's possible to do the same banking things using the
bank's website both from general purpose PCs and browsers on phones for which
jailbreak detection is not possible in the browser.

Jailbreak detection is done by testing for the presence of common things that
allow the device owner to control the device. The device owner controlling the
device is not a problem for banking. Meanwhile a malicious third party
wouldn't inherently need to make use of any of those and would have strong
incentives to avoid using any that trigger jailbreak detection, so it's no
help there either.

And for the same reason it's basically useless for detecting cheating. Because
if you jailbreak your phone so you can install some apps from outside the
store and then it breaks your games, you might grumble and decide you want to
play the game more. But if you jailbreak your phone because you want to cheat
at games, your next step is to thwart the jailbreak detection, which is not
that hard when you have the game software to inspect to see how it's doing
jailbreak detection. And you can also tell when the app is updated and then
run the new version on a test machine to see how the new version is doing
jailbreak detection.

It's hostile and a waste of time to do this when you're going to lose anyway.
You only inconvenience the people who jailbreak their phones for completely
unrelated reasons.

~~~
spideymans
If banks could secure their web portals to the same degree as their mobile
apps, they absolutely would. “Portal A (web) can’t be as secure as Portal B
(mobile), so don’t bother securing Portal B” isn’t an acceptable security
model. The banks are naturally going to reduce their vectors of attack to the
greatest degree possible, and that naturally means that some access points
will be more secure than others.

~~~
cookiengineer
I am not sure where you come from, but around Europe banks are the worst when
it comes to security audits, and they don’t give a damn about it.

From trying to roll their own crypto, to still using legacy ssl to support
IE6... everything is shitty.

Even when they are forced by law [1] to integrate modern 2FA, they find ways
to implement it in a shitty, proprietary way.

PSD2 is required since September 2019 and every single bank rolled it out in
August and waited until the very last moment.

I mean, a photoTAN device with a 120x120 camera resolution? Seriously, what is
this? 1999? Why not use RFC 4226 or RFC 6238 [2] [3]?

[1] [https://ec.europa.eu/info/law/payment-services-psd-2-directi...](https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en)

[2] [https://tools.ietf.org/html/](https://tools.ietf.org/html/)

[3] [https://tools.ietf.org/html/rfc6238](https://tools.ietf.org/html/rfc6238)

~~~
user5994461
Banks are usually following the currently "supported" versions. At least the
big ones that are all compliance based nowadays.

Windows XP and IE6 have been out of support for quite a while. They've long
been dropped in favor of Windows 7 (LTS support until 2023) and 10 more
recently, which comes with Internet Explorer 10 or 11.

SSL would be quite a bit easier to keep up-to-date if Microsoft actually
upgraded their operating system and applications to support TLS 1.2 by
default, which they don't for retro-compatibility reasons.

For reference, working at JP Morgan, I can tell you that the company has
dropped support for Internet Explorer entirely. Half of the existing internal
apps don't even load on IE. Would be nice of vendors to stop wasting their
time praising IE support as a feature.

~~~
roblabla
> They've long been dropped in favor of windows 7 (LTS support until 2023)

Windows 8.1 has support until 2023. Windows 7 support is over since January
14, 2020. [https://support.microsoft.com/en-au/help/13853/windows-lifec...](https://support.microsoft.com/en-au/help/13853/windows-lifecycle-fact-sheet)

~~~
gruez
There’s extended support to 2023 through a paid support program.

------
Wowfunhappy
There's a Jailbreak app called PermaFlex that I worked with a developer to get
made about a year ago. It hasn't gotten a lot of attention, I suspect because
it's not especially easy to wrap your head around.

But it allows you to do something magical—permanently hide just about any
icon, button, or other UI element in just about any iOS app, all on your phone
and without writing code. There are some caveats you should read about at the
link below, but overall it works well!

I'm an interface minimalist. Mobile apps are so cluttered these days, and it
feels so good to hide all the random crap I don't need.

[https://www.reddit.com/r/jailbreak/comments/bfpso0/release_p...](https://www.reddit.com/r/jailbreak/comments/bfpso0/release_permaflex_permanently_hide_elements_with/elfgay6/)

~~~
chipperyman573
Does anyone know if there's an android version of this?

~~~
jeroenhd
This looks like it shouldn't be too hard to do on Android (in native apps,
you'd have problems with Unity3D and Flutter apps) with Xposed, but I don't
think there's an Xposed module that does specifically this.

It's a nice idea though and I hope someone with experience in it will take an
interest in writing this.

------
aklemm
Remind me what I get for jailbreaking these days? Long ago I wanted to tether,
but can’t think of what I need today.

~~~
Lammy
This turned into way, way too big of a comment, but I'm on jailbroken iOS 13.3
right now and love it. It's not like the Old Days where tweaks often added
huge new pieces of functionality, and that seems to make many people say
jailbreaking is no longer worth it. For me it's more like a bunch of very
small usability improvements that add up to make my phone much much more
pleasant, polishing its usability to perfection. My favorite iOS 13 tweaks
are, in no particular order:

- "powerlogHelperdFix": Listing this first because it's the only workaround I
needed for a bug in the jailbreak, to fix the Battery stats Settings pane.

- "AlarmVolume": Custom (read: very loud) volume for my wake-up alarm,
separate from the normal volume setting that I like to leave low or muted.
Similar to how Android allows separate volume settings for calls / notifs /
alarms: [https://i.imgur.com/dV4URQT.jpg](https://i.imgur.com/dV4URQT.jpg)

- "Mega-Untrusted-Hosts-Blocker IPv4+IPv6": Adblocking hosts file for web
content in all apps that works on mobile data or any random Wi-Fi network
where you don't have an adblocking DNS server.

- "TwitterNoAds" + "AlwaysLatestTimelineTwitter": Blocking promoted tweets
and forcing reverse-chronological feed (as opposed to algorithmically-sorted-
feed) in the Twitter app.

- "AlwaysLow": Make my phone willing to always stay in Low Power Mode instead
of turning LPM off once charged past 80%:
[https://i.imgur.com/wgn7Lj9.jpg](https://i.imgur.com/wgn7Lj9.jpg)

- "A-Font", "Noctis Neo", "ColorBadges", "iPadStatusBar13", "Cuboid": System
UI customization. No real need; just to keep things fresh by changing up every
once in a while.
[https://i.imgur.com/7Iy0gUs.jpg](https://i.imgur.com/7Iy0gUs.jpg)

Currently: [https://i.imgur.com/1lbe3I2.jpg](https://i.imgur.com/1lbe3I2.jpg)

- "Jellyfish": Customizable replacement for the standard lock screen.
[https://i.imgur.com/oQSaSl9.jpg](https://i.imgur.com/oQSaSl9.jpg)

Currently: [https://i.imgur.com/kQ0ITWC.jpg](https://i.imgur.com/kQ0ITWC.jpg)

- "Clean Home Screen" + "FDots": Hide tiny UI annoyances like the blue
Recently-updated-app dots, the text reminding me that I have to unlock my
phone to use it, the text reminding me of what the Notification Center is,
etc: [https://i.imgur.com/x34If3d.jpg](https://i.imgur.com/x34If3d.jpg)

- "StopPlayin12'": Stops the Apple Music app from auto-playing any time a
bluetooth device (like my car) reconnects to my phone. I usually use a third-
party music app, but iOS only ever wants to start the built in player. I still
have to go manually start the app I want, but at least I get to do it in
silence: [https://i.imgur.com/90JPuqa.jpg](https://i.imgur.com/90JPuqa.jpg)

- "System Sound Disabler": Truly disable excessive UI sound effects so I can
leave my volume up and not have to hear them:
[https://i.imgur.com/nTOrgH1.jpg](https://i.imgur.com/nTOrgH1.jpg)

- "AskBeforeCalling Too 13": Prevent accidental pocket-dials by adding a
confirmation dialog to any action that would initiate a call/text/whatever:
[https://i.imgur.com/3vw5fkw.jpg](https://i.imgur.com/3vw5fkw.jpg)

- "NoAutoStraighten", "NoDNDBanner", "NoLowPowerAlert", "NoMoreSuggestions",
"NoMoreSkinToneSuggestions", "NoNCHeaderView", "NoYellowBattery",
"AppStoreUpdatesTab13", "Ultrasound", etc: Lots of small single-purpose UI
tweaks that often don't even need settings panes.

- "NoYTNo" + "Youtube Tools": Automatically dismiss the constant Youtube
Premium upsells when you open the app, re-enable background playback support,
block ads in Youtube videos, etc.

- "NXBoot": Jailbreak my exploitable Nintendo Switch with any boot code using
Apple's USB3 Lightning Camera Adapter:
[https://i.imgur.com/pySTOVO.jpg](https://i.imgur.com/pySTOVO.jpg)

- "RealCC": Reverts the Control Center Wi-Fi/BT toggles to their pre-iOS-11
functionality of fully disabling the associated radios instead of merely
disconnecting your WiFi until 3AM the next morning like it does now.

- "DNDMyRecording": Automatically enables Do Not Disturb mode when taking a
screen recording so unwanted notifications don't end up in your video.

- "GoodWifi": Display saved passwords for known Wi-Fi networks, display base
station MAC, display true signal values, etc:
[https://i.imgur.com/xSVLhFU.jpg](https://i.imgur.com/xSVLhFU.jpg)

- "DLEasy": Video downloader for all social media apps, including Reddit-
style DASH/HLS segmented videos:
[https://i.imgur.com/IU1ZFWf.jpg](https://i.imgur.com/IU1ZFWf.jpg)

- "CopyLyrics" + "YTCopyDescription": Allows you to copy the plain text from
the lyrics pane in Apple Music or the description of a video in the YouTube
app.

- "Keyboard Accio": Makes the 'Globe' button on the keyboard only switch
between the first two keyboards in my list of enabled keyboards, so I can
leave several enabled without making it a tedious process to get through them
all back to QWERTY. The full list is still available via a long press.

- "iKeyWi 4": Total layout customization for the standard keyboard without
having to replace it with a third-party keyboard. I keep the layout pretty
much the same aside from adding a fifth row of keys up top for a permanent
number row: [https://i.imgur.com/OQ0ITve.jpg](https://i.imgur.com/OQ0ITve.jpg)
[https://i.imgur.com/Nj2UMQ7.jpg](https://i.imgur.com/Nj2UMQ7.jpg)

- "Filza" + "Safari Plus": A fully-fledged graphical file manager that makes
a great pairing with a tweak that gives Safari a native download manager:
[https://i.imgur.com/IoWrHKn.jpg](https://i.imgur.com/IoWrHKn.jpg)

I'm sure most (if not all) of these probably sound unnecessary to many people,
but I love feeling in control of my own phone instead of the other way around
:)

~~~
aspenmayer
Thanks for the list. My favorite has to be mikoto by angelxwind. I will have
to test it on 13.5.

[https://cydia.akemi.ai/?page/net.angelxwind.mikoto](https://cydia.akemi.ai/?page/net.angelxwind.mikoto)

Another great one is Flex 3, which allows you to sort of disassemble functions
of installed apps and patch the functionality. It even has a simple community
sharing/cloud aspect to find cool patches for a selected installed app.

[https://www.reddit.com/r/flextweak/comments/17z57c/mod_what_...](https://www.reddit.com/r/flextweak/comments/17z57c/mod_what_are_the_capabilities_of_flex_or_is_this/)

Old repo, but has description:

[http://cydia.saurik.com/package/com.johncoates.flex3/](http://cydia.saurik.com/package/com.johncoates.flex3/)

New repo:

[http://getdelta.co/](http://getdelta.co/)

~~~
Lammy
Karen is great, but I've come to dislike and avoid "kitchen-sink" type bundles
of tweaks like mikoto. I find it way more straightforward to back up and
reinstall a "NoWhateverAnnoyance"-type single-use tweak that needs no
settings, and it lets me avoid situations like when I first jailbroke iOS 11
and half of mikoto's features were broken on it.

~~~
aspenmayer
I understand that. I think mikoto is fully configurable, with sensible
defaults, so any feature can be disabled independently of others. Of course,
there is something to be said for single purpose tools which I also like.
That’s what I like about jailbreaking. It allows people to have a preference.
Stock iOS is just not for power users.

------
0x0
Does anyone have any technical information about the (0day?) exploits used by
this new jailbreak? The source code on github seems to be very out of date.

Will Apple delay the release of macOS 10.15.5, which is expected this week?
(Curious to know if the same exploit applies to macOS).

------
fastball
Remember when Comex released JailbreakMe 2.0, when jailbreaking was only a
webpage + "slide to jailbreak" away?

Those were the days.

------
leoh
Went to do this for extra iPhone X I have. Made me download an app, supply
Apple ID credentials, and provide my system login/password to a dialog. I want
to use it, but I won't touch it without a VM and a six foot stick.

~~~
Lammy
You don't need unc0ver at all to jailbreak your phone! Everything older than
and including the iPhone X has a hardware-level bootloader exploit known as
"checkm8". You can use a jailbreak called "checkra1n" via that hardware-level
exploit with just a USB/Lightning cable and any computer running macOS or
Linux (Windows support Real Soon Now™):
[https://checkra.in/](https://checkra.in/)

unc0ver is necessary for newer phones that need a software entry point to
jailbreak. It should work just the same on your phone too, but the hardware
exploit is way way easier and should automatically* work with any new iOS
updates as they are released.

[*] Any tweaks you have installed may of course be incompatible with a major
OS update

~~~
sp332
Doesn't checkm8 require re-jailbreaking on every boot?

~~~
Lammy
To stay jailbroken, yes. The phone will still boot fine by itself, however,
just in the normal unjailbroken state. Same limitation as unc0ver except
without the conveniently-portable app entry point. I prefer using the hardware
entry point that doesn't depend on Apple's goodwill to let me sideload since I
usually get at least a month or two of uptime anyway. My recent record has
been 66 days, then I rebooted intentionally for something:
[https://i.imgur.com/l9tL9dw.png](https://i.imgur.com/l9tL9dw.png)

------
PieUser
I remember the JB scene during the early days, iOS 3-6. Those were good
times...

~~~
zigzaggy
Yep. I loved rooting droids and jailbreaking iPhones back then. It almost
seems like it ain’t worth it these days. I can’t think of much I can get in JB
that I can’t have anyway

~~~
thakoppno
At one point I had the original iPhone running Android. It was a hot mess
usability-wise but still kinda marvelous in a way.

~~~
aspenmayer
Have you tried any of the Project Sandcastle builds?

[https://projectsandcastle.org](https://projectsandcastle.org)

~~~
zigzaggy
Thanks for sharing this! I just decommissioned an iPhone 7 and I think this is
the perfect project for it.

~~~
aspenmayer
It’s definitely interesting! I think the iPhone hardware is amazing, and
Android is the only alternate OS I would consider running so it’s just a great
match. Fun project.

------
Thorrez
So it sounds like sometimes jailbreaks use known vulnerabilities, but this one
uses a 0day

[https://twitter.com/Pwn20wnd/status/1264258454610259968](https://twitter.com/Pwn20wnd/status/1264258454610259968)

------
AnonC
> Utilizing native system sandbox exceptions, security remains intact while
> enabling access to jailbreak files.

This is not very clear to me. Does this only mean that other security
protections remain for apps that respect the restrictions? After jailbreaking,
any malicious apps (even the ones that get through App Store reviews, not just
the apps from Cydia) can get wider access to resources, right?

------
leoh
Isn't a theoretical large reason for jailbreaking (not your main phone) to be
able to read the contents of all installed apps, say, via SSH? I don't know of
another way to do this.

~~~
judge2020
It technically is, but iOS apps are compiled ARM64 so decompiling them isn't
trivial. It's often easier to find the app's config files and mess around, or
to use an app like Flex that allows you to override return values for an app's
methods.

[https://twitter.com/flextweak](https://twitter.com/flextweak)

~~~
leoh
Super interesting. I suspect Ghidra might support reasonably well.

~~~
_kbh_
Ghidra doesn't do a great job of decompiling Swift and ObjC, which most iOS
apps would be written in nowadays. You are better off with something like
Hopper. Hopper does a better job of decompiling Swift and ObjC but its
decompiler output is nowhere near as good, unfortunately.

------
clairity
Are there any good firewall apps for jailbroken iPhones? Something that works
more holistically than at the DNS level (like IP addresses, stateful packet
inspection, etc.). There used to be "Firewall iP" but that seems long
abandoned now.

That's the one thing I'd love to jailbreak for. And a UI tweak or two can be
nice too.

~~~
sneak
I would so eagerly jailbreak for something like Little Snitch for iOS.

~~~
leoh
You definitely don't need to! Charles Proxy is really impressive on iOS.

~~~
AnonC
How does it compare to Little Snitch, which on the Mac asks the user to check
the connection attempt and allow/disallow each one based on some patterns
(domain, port, etc.)? I don’t think such functionality is possible on
non-jailbroken iOS. Charles Proxy seems to be targeted at just examining
traffic, and not prompting the user for connection attempts and controlling them.

~~~
saagarjha
You can’t ask dynamically, but setting up filtering rules is not out of the
question.

------
rektide
I wish Android had such a hope for it. Getting root to do basic kernel level
tasks like working with networking or uhid is some extreme bizarre exploit
special to most every device. It's so detestable.

This device is my device. It needs to be trusted & manipulable by me. But
these manufacturers, they look on users & what they would do as the enemy, as
power they grant only to themselves. It's sad being in this
post-general-purpose computing age, maligned by my own machines.

------
_eht
I’ve had an iPad that’s been locked for at least a year (forgot pin) and I
don’t have a computer that runs iTunes to plug it in to and unlock it. Would
this get past that?

~~~
ValentineC
> _I’ve had an iPad that’s been locked for at least a year (forgot pin) and I
> don’t have a computer that runs iTunes to plug it in to and unlock it._

If you have the proof of purchase, an Apple Store should be able to unlock it
for you.

~~~
choward
Are you serious? People are okay with this? What's the point of encryption if
Apple can unlock it? If the same thing happens on an encrypted computer you
won't be able to access the data, but at least the device isn't bricked.

~~~
ggreer
You misunderstand. Apple can erase the device and let a new user set it up
from scratch, but they can't read the data off it. The feature is called
Activation Lock and it exists to discourage theft.

~~~
choward
Thanks for clarifying. The only part missing is being able to do this yourself
instead of having to involve a third party.

~~~
ggreer
Activation Lock is only enabled when you have the "Find My" service enabled.
I'm pretty sure the device asks you during setup whether you want it on or
off. You can toggle it in settings whenever you want.

Users only need to get Apple involved if they forget their iCloud credentials.

~~~
_eht
Not true. You can have your iCloud credentials but no device that runs iTunes.
The iTunes requirement is the catch here for me personally.

------
Qahlel
It's 2020 and ppl are still forced to jb their own phones.

~~~
varenc
You're going to hate 2030...

I think by then macOS will need a jailbreak if you want to disable SIP and
have genuine root access.

------
sys_64738
Can you downgrade iOS if you jailbreak?

~~~
Lammy
Downgrades are possible on certain older models, but as far as I know it
requires a bootloader exploit and the boot may be tethered i.e. requires a PC
to poke it before it will boot.

32-bit devices can use coolbooter:
[https://coolbooter.com/](https://coolbooter.com/)

And I've not used this tool but am aware of it:
[https://github.com/MatthewPierson/Vieux](https://github.com/MatthewPierson/Vieux)

------
jmull3n
This doesn't work without a $99 developer certificate when you get to the
Cydia Impactor step

~~~
Lammy
You can use AltStore to sideload it for free:
[https://altstore.io/](https://altstore.io/)

And if you have an iPhone X or older (iPhone 8, 7, etc) you have a hardware
exploit and can jailbreak using checkra1n with just a computer and a USB
Lightning cable: [https://checkra.in/](https://checkra.in/)

~~~
birdiesanders
I tried this, it doesn't seem to work, unless I am missing the obvious
somewhere along the line.

~~~
Lammy
Tried which one, sorry? I haven't used AltStore much myself since I have an
older model with the hardware exploit, but it did work the one time I tried
it. It's just a heck of a lot jankier than the old method of using Cydia
Impactor (Computer-based) or ReProvision (iOS-based) to sign the app for seven
days with your personal free dev account. Apple changed something on their end
and broke those apps.

Here's a video demo (not mine) of how the AltServer method should work for
you:
[https://twitter.com/InvoxiPlayGames/status/12129681066095656...](https://twitter.com/InvoxiPlayGames/status/1212968106609565697)

------
betaby
Can one unlock carrier locked phone with that tool?

~~~
RL_Quine
No. Different chip.

~~~
Nextgrid
I believe the carrier lock is now handled in software. The modem itself is
never carrier locked and the lock is enforced at the activation step by
sending the SIM details to Apple for validation, so I believe once you're
jailbroken you should be able to bypass that behavior.

------
proverbialbunny
Anyone know what the best ad blockers are for iOS?

~~~
jmull3n
I use NextDNS, works pretty well.

~~~
proverbialbunny
Does this block ads in apps?

It looks like I may have not had to jailbreak after all. I assumed it was a
necessary prerequisite.

~~~
ornornor
Yes. I only still see ads in the YouTube app (stopped using YT on my phone for
that reason), and some websites that do some clever ad reinjection after the
page has loaded still have ads too (but that’s really a minority of websites
and they’re not very good anyway, so I’m not using them much).

Otherwise it blocks all ads in every other app (especially free to play games
that are unusable with ads)

NextDNS will also work on your TV and block all ads (hello Samsung) and
telemetry too (there is a smart TV block list you can select at the end of the
choices on NextDNS).

