Full Kernel R/W.
Completely Untethered.
Using the new kfd_pointer_leak vulnerability found in the A15 through A19 chipsets, QuantumBreak bypasses PAC (Pointer Authentication Codes) and PPL (Page Protection Layer) to grant persistent root access on iOS 26.
Exploit Methodology
SEP Mirroring Technique
By creating a virtualized mirror of the Secure Enclave Processor (SEP) in the upper RAM partition, we intercept biometric requests before they reach the hardware. This effectively "tricks" the kernel into accepting unsigned code without triggering a kernel panic.
Hypervisor Passthrough
Apple's new hypervisor in iOS 26 attempts to lock down the boot chain. QuantumBreak overloads the Neural Engine's task scheduler, creating a race condition that lets our payload slip through during the userspace_reboot sequence.
Fig 2.1: Heap Spray Alignment Visualization
Kernel Panic Log (PanicString): /private/var/logs/panic.log
Sandbox Escape
Full r/w access to rootfs. Install .deb files, modify SystemVersion.plist, and inject dylibs into any daemon. Note that since iOS 15 the root filesystem is a cryptographically sealed system volume (SSV); writes to it break the seal, so rootfs modifications must be reconciled with the seal or the device will fail boot verification.
Cycle Count Reset
Our exploit grants write access to the battery management unit (BMU), letting you freeze the cycle count in software.
FaceID Spoofer
Inject custom biometrics data into the SEP buffer to unlock apps without physical presence.
"I, the great skadz108, developer of dirtyzero, avarksign, skadzthemer, kfdBootlooper, SparseBootlooper, Omega, poc26, poc19, metalPoC25, and many more, and half of the critically acclaimed jailbreak community development team "jailbreak.party", fully endorse this jailbreak"
Device Compatibility Matrix
- iPhone 13 Plus (A15 Bionic)
- iPhone 14 / 14 Pro / 14 Max
- iPhone 15 Series (USB-C Gen 1)
- iPhone 16 / 16 Ultra
- iPhone 17 Oxy (Supported!)
- iPad Pro M4/M5 (Cellular Only)
* Note: iPhone 17 Oxy models require the battery to be at exactly 15% to trigger the low-power-mode race condition the exploit depends on.
MD5: 8f4a2c91b3e7d5f6 (16 hex digits; a full MD5 digest is 32 hex digits, so this value cannot be checked against a downloaded file) | Exploit Author: @s1guza_fake
Use at your own risk. Manipulating the kernel may void your warranty.