New Blizzard Jailbreak released by GeoSn0w For iOS 9.0 – 9.3.6, 32-Bit Devices

Ever since I started my YouTube channel, iDevice Central, back in the iOS 9 days, I’ve always dreamt of being able to one day create my own jailbreak tool (as I mentioned on my YouTube channel) for the iPhone 5, iPhone 5C, and the rest of the devices that I’ve started my channel with.

Today, after many years of trial and error, I successfully managed to build my own fully working jailbreak that works on iOS 9.0 all the way up to iOS 9.3.6 on 32-Bit devices. The Blizzard Jailbreak comes with Cydia by default, but you can also install Zebra package manager as it supports iOS 9.

What is Blizzard Jailbreak?

Blizzard Jailbreak is a semi-untethered jailbreak utility developed by GeoSn0w (me) that can jailbreak iOS 9.0 all the way up to iOS 9.3.6 on 32-Bit devices and installs Cydia and Dropbear for SSH by default.

The jailbreak is fully functional and allows tweaks to run on the device. There’s also an option to remove the jailbreak if you want to go back to stock iOS. The Un-jailbreak option had to be created by hand because iOS 9 doesn’t have APFS snapshots like modern iOS versions do, so no ROOT FS restore exists on iOS 9.

In order to un-jailbreak, I had to account for each file by hand. However, the unjailbreak feature seems to work fine and it’s also capable to uninstall other jailbreaks like Home Depot, OpenPwnage, P0laris, and so on.

Blizzard Jailbreak Features

This iOS Jailbreak comes with the following features, making it a fully working modern jailbreak for legacy firmware:

Patches AMFI / Codesign
Patches Sandbox
Patches tfp0 so you can use tools like kloader and kDFU for downgrades.

Remounts the ROOT File System.
Installs Cydia or Zebra as package manager.
Installs Dropbear for SSH and generates the keys automatically.

Runs Tweaks thanks to Substrate. You can install any iOS 9 compatible tweaks.
Jailbreaks your device in a couple of seconds.
Available in IPA format, you can sideload it with any tool you like.

Fully Open-Source on GitHub.

DOWNLOAD Blizzard Jailbreak

The Blizzard Jailbreak is available in IPA format and it can be DOWNLOADED HERE (GitHub Releases).

Blizzard Jailbreak now fully working! My very first COMPLETE non-developer-only jailbreak. Release soon. pic.twitter.com/jDYcESVLwG
— GeoSn0w (@FCE365) July 28, 2022

How to install Blizzard Jailbreak?

To install Blizzard Jailbreak we recommend using Sideloadly as it is compatible with iOS 9. AltStore is not compatible with iOS 9 devices. Follow the steps below in order to install Blizzard Jailbreak on your device:

Download the latest Blizzard Jailbreak IPA file from the official GitHub.

Open the IPA file in Sideloadly with the device plugged-in and unlocked.
In Sideloadly, complete your Apple ID for Signing and press Start.
If it’s the first time you sign something with Sideloadly, you may need to input your Apple ID password. If you want to, you can use a throwaway Apple ID.

Once installed on the device, navigate to Settings -> General -> Profiles and Device Management -> Your Apple ID e-mail -> Trust.
Open Blizzard Jailbreak and press the “Jailbreak” button.

That’s all, you should be jailbroken with Blizzard Jailbreak.

What iOS versions are supported by Blizzard Jailbreak?

Blizzard Jailbreak supports all iOS versions between iOS 9.0 up to iOS 9.3.6 on all 32-Bit devices, those are:

iOS 9.3.6
iOS 9.3.5

iOS 9.3.4
iOS 9.3.3
iOS 9.3.2

iOS 9.3.1
iOS 9.3
iOS 9.2.1

iOS 9.2
iOS 9.1
iOS 9.0.2

iOS 9.0.1
iOS 9.0
All iOS 9 Betas.

The devices supported by Blizzard Jailbreak are the following:

iPhone 5C (all models)
iPhone 5 (all models)

iPhone 4S (all models)
iPod Touch 5th Generation
iPad 2 (WiFi)

iPad 2 (GSM)
iPad 2 (CDMA)
iPad 2 (Mid-2012)

iPad 3 (WiFi)
iPad 3 (GSM)
iPad 3 (CDMA)

iPad Mini (WiFi)
iPad Mini (GSM)
iPad Mini (Global)

iPad 4 (WiFi)
iPad 4 (GSM)
iPad 4 (Global)

How does Blizzard Jailbreak work? (Technical Stuff)

Blizzard jailbreak first runs the Phoenix Kernel Exploit by @siguza in order to get the kernel task port (tfp0). After this is complete, Blizzard Jailbreak starts patching the kernel so that the jailbreak would be able to run tweaks, install Cydia, run its base binaries, etc.

At this stage, Blizzard Jailbreak patches the Kernel PMAP (Page Map), patches the Sandbox permissions, gets root permissions (UID 0 (root), instead of UID 501 (mobile) which grants additional privileges), patches the task_for_pid() function so that tfp0 can be achieved by any tweak such as kloader / kDFU for downgrades, patches AMFI / CodeSign so that unsigned binaries can run, remounts the file system as Read / Write, and finally, drops the Bootstrap binaries including Cydia.

Another important patch that Blizzard Jailbreak applies is mount_common. In the mount_common() function, there is a Mandatory Access Control Framework (MACF) verification called mac_mount_check_remount() which will check whether the remount is allowed. This check is done by the Apple Sandbox kernel extension in the hook_mount_check_remount() function, which checks whether the filesystem to be remounted is the ROOT FS. If it is, this function will stop the filesystem from being remounted which will essentially cause the whole jailbreak to fail.

The Sandbox kext is involved in a lot of restrictions on the system, so Blizzard Jailbreak patches a lot of the MACF policies handled by the Sandbox kext. Here are all the patches for MACF that Blizzard Jailbreak applies:

WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_ioctl), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_access), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_create), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_chroot), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_exchangedata), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_deleteextattr), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_notify_create), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_listextattr), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_open), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setattrlist), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_link), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_exec), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_stat), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_unlink), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_getattrlist), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_getextattr), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_rename), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_file_check_mmap), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_cred_label_update_execve), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_mount_check_stat), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_proc_check_fork), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_readlink), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setextattr), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setflags), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_fsgetpath), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setmode), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setowner), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_truncate), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_vnode_check_getattr), 0);
WriteKernel32(KernelBase + sandbox_sbops + offsetof(struct mac_policy_ops, mpo_iokit_check_get_property), 0);

The WriteKernel32 function is a primitive that uses tfp0 obtained using the kernel exploit in order to directly write bytes to the kernel memory at a specified address/offset. Using it, literally the whole kernel memory can be overwritten, but it must be used with care. A wrong byte at the wrong address and the kernel panics & device reboots. Blizzard Jailbreak also has a ReadKernel32 primitive which is used for reading arbitrary parts of the kernel.

Blizzard jailbreak patches that function first, and then attempt to remount which causes the remount to succeed without the Sandbox kext complaining.

Another important part is patching Springboard to ensure non-default System Applications are shown (Cydia, Filza, and any app installed in /Applications rather than the less-privileged mobile path that AppStore apps use).

The Bootstrap contains normally fake-signed or unsigned binaries. AMFI (Apple Mobile File Integrity) will immediately kill them on a normal device, but Blizzard Jailbreak patches amfi_pe_i_can_has_debugger, cs_enforcement_disable, and amfi_mmap which essentially allows any unsigned binary to run without being checked anymore. This technique has been used to death and beyond on iOS up to about iOS 11 or so, when Apple started hardening AMFI more and more.

After the Bootstrap tar file is extracted and all binaries are in place, including Cydia, Blizzard jailbreak issues an uicache command so that the newly patched Springboard will show up Cydia as an icon on the screen.

After this is done, backboardd daemon is killed so that the device resprings. With this, all LaunchDaemons installed by Blizzard will also start up, this includes Dropbear for SSH. As far as I am aware, Blizzard is currently the only jailbreak to pack Dropbear by default on iOS 9. OpenSSH is more popular on iOS 9 but must be installed manually from Cydia. Still, Dropbear works perfectly.

If you want to check out the jailbreak patches and the code that makes it tick, it’s available on GitHub, mostly in the blizzardJailbreak.m file.