iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak

August 24th, 2017 by Oleg Afonin
Category: «Did you know that...?», «Elcomsoft News», «Industry News», «Tips & Tricks»

If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. Over the last several years, getting news about iOS jailbreaks from reliable sources has become increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG has made us extra careful when trying newly published exploits.

Back to Phoenix. This thing is for real. Phoenix claims support for iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, and iPod 5g running iOS 9.3.5, the last version of iOS 9. We were able to verify these claims by successfully jailbreaking several test devices and using Elcomsoft iOS Forensic Toolkit to perform full physical acquisition (that is, imaging and decrypting the physical data partition).

With the Phoenix jailbreak, iOS Forensic Toolkit can perform physical acquisition of Apple’s 32-bit devices running iOS 9.3.5, which happens to be the last version of iOS 9. Users of iOS Forensic Toolkit can perform physical-level imaging and decryption of the data partition, decrypt and examine keychain items, and enjoy full, unrestricted access to sandboxed app data. This level of access is simply not possible with any other acquisition method. As an example, physical acquisition of jailbroken devices enables forensic access to saved email messages, passwords, and full conversation logs saved by some of the most secure messengers, such as WhatsApp, Telegram, Signal, Skype and Facebook Messenger. Compared to iOS backup analysis, this method adds access to browser cache and temporary files, email messages, extended location history, and data belonging to apps that explicitly disable backups.

You can download the Phoenix jailbreak and instructions from https://phoenixpwn.com/.

The Phoenix jailbreak is “semi-untethered”, or “semi-tethered”. This means that, while the jailbreak survives reboots, you will have to re-run the jailbreak app every time the device restarts. In addition, the signing certificate expires after 7 days, so if you still need the jailbreak after that, you will have to re-sign the IPA file and re-upload it to the device. Alternatively, you can make this jailbreak untethered by following the instructions on installing BetterHomeDepot. This, however, is not required and should be avoided for forensic purposes.
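The 7-day limit comes from the provisioning profile that Cydia Impactor embeds in the signed IPA, so an examiner can read the exact expiry date out of the file instead of counting days. The helper below is an added example, not code from the original post, from Elcomsoft or from the Phoenix project: the function names, the in-memory IPA and the profile contents are constructed for illustration, and the dates in the sample are invented. A real `.mobileprovision` is a CMS (PKCS#7) envelope around an XML plist; the code only locates and reads that plist and does not verify the signature, so it tells you when the profile lapses, not whether it is authentic.

```python
"""Read the provisioning-profile expiry out of a sideloaded IPA.

Hypothetical helper (not part of the original post or of Phoenix). Cydia
Impactor signs the IPA with a short-lived personal-team profile, so the
examiner wants to know when the jailbreak app will stop launching.
"""
import io
import plistlib
import zipfile
from datetime import datetime, timezone

# A .mobileprovision is a CMS (PKCS#7) signature wrapping an XML plist.
# Instead of verifying the CMS layer, locate the embedded XML, which is
# enough to read the dates; it does NOT prove the profile is genuine.
XML_START = b"<?xml"
XML_END = b"</plist>"


def extract_plist(mobileprovision: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob."""
    start = mobileprovision.find(XML_START)
    end = mobileprovision.find(XML_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(XML_END)])


def profile_from_ipa(ipa) -> dict:
    """Locate Payload/<App>.app/embedded.mobileprovision inside an IPA (a zip)."""
    with zipfile.ZipFile(ipa) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app")
                    and parts[2] == "embedded.mobileprovision"):
                return extract_plist(zf.read(name))
    raise FileNotFoundError("IPA contains no embedded.mobileprovision")


def days_until_expiry(profile: dict, now: datetime) -> int:
    """Whole days left before ExpirationDate; negative once the profile has lapsed."""
    exp = profile["ExpirationDate"]
    if exp.tzinfo is None:            # plistlib returns naive UTC datetimes
        exp = exp.replace(tzinfo=timezone.utc)
    return (exp - now).days


# Constructed sample: a profile as Impactor would embed it, signed on
# 2017-08-24 with the usual 7-day validity. The bytes around the plist stand
# in for the CMS envelope that wraps it in a real file; the UDID is a placeholder.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>iOS Team Provisioning Profile: com.example.phoenix</string>
  <key>TeamName</key><string>Example Examiner (Personal Team)</string>
  <key>CreationDate</key><date>2017-08-24T10:00:00Z</date>
  <key>ExpirationDate</key><date>2017-08-31T10:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>UDID-PLACEHOLDER</string></array>
</dict>
</plist>"""
SAMPLE_MOBILEPROVISION = (b"\x30\x82\x05\x00" + SAMPLE_PROFILE_PLIST
                          + b"\x00\x00CMS-SIGNATURE-PLACEHOLDER")


def build_sample_ipa() -> io.BytesIO:
    """Constructed in-memory IPA with the sample profile at the expected path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Phoenix.app/Info.plist",
                    b'<plist version="1.0"><dict/></plist>')
        zf.writestr("Payload/Phoenix.app/embedded.mobileprovision",
                    SAMPLE_MOBILEPROVISION)
    buf.seek(0)
    return buf


def check_sample(now_iso: str) -> int:
    """Days left on the constructed sample IPA at the given UTC instant."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return days_until_expiry(profile_from_ipa(build_sample_ipa()), now)


if __name__ == "__main__":
    # Two days after signing there are 4 full days left before re-signing is needed.
    print(f"{check_sample('2017-08-26T12:00:00Z')} days left before the jailbreak app must be re-signed")
```

To use it on a real download, replace `build_sample_ipa()` with the path to the signed IPA that Impactor produced; `profile_from_ipa` accepts a filename as well as a file object. Recording the `ExpirationDate` alongside the acquisition notes avoids discovering mid-examination that the jailbreak app no longer launches.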

Steps to jailbreak:

  1. Back up data with iTunes (if backup password is empty, specify and record a temporary password)
  2. Obtain and install the Phoenix jailbreak tool using the links below. This involves two files:
    1. The Phoenix jailbreak IPA file, available at https://phoenixpwn.com/
    2. Cydia Impactor, available at http://www.cydiaimpactor.com/
  3. Cydia Impactor (developed by Saurik) is used to sign the IPA file so that the jailbreak tool can be executed on the iOS device. You will need valid Apple ID credentials for signing the IPA. We recommend using a newly created Apple ID for signing.
  4. Connect the iOS device to the computer, trust the computer on the iOS device and launch Cydia Impactor.
  5. Drag the IPA file onto the Cydia Impactor window.
  6. Provide Apple ID and password when prompted. Click OK to allow Cydia Impactor to sign the IPA and upload it onto the iOS device.
  7. On the iOS device, open Settings > General > Device Management. You will see a developer profile under the “Apple ID” heading. Tap the profile to establish trust for this developer. (An Internet connection is required to verify the app developer’s certificate when establishing trust.)
  8. On the iOS device, find the Phoenix jailbreak app and run it.
  9. Tap the “Start” button to jailbreak the device.
  10. After the jailbreak is complete, launch Cydia to install OpenSSH.

REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads