Unlike "Checkm8" (which is bootrom-based but requires a tethered boot on A11 devices), the iOS 9.3.6 bypass is unique because it is a complete filesystem remount.
There is one tool that has stood the test of time for iOS 9.3.6: Sliver 6.2 (or 6.3) by the legendary developer appletech752.
For users who are tech-savvy and have hardware experience, iOS 9.3.6 is vulnerable to the Checkm8 bootrom exploit. This is the only way to achieve a "full" bypass on certain devices (specifically the iPhone 4s and iPad 2/3).
How it works: The iPhone 4s has a hardware vulnerability that cannot be patched by Apple via software updates. This allows tools like Sliver (Mac) or Arduino-based hardware hacks to "jailbreak" the device tethered and remove the setup files. ios 936 icloud bypass best
You will see YouTube videos claiming "iOS 9.3.6 DNS Bypass 2025." Ignore them.
DNS bypasses (using lovemi.app or similar) only hide the activation screen. They do not activate the device's mail, notifications, or iMessage. They break as soon as you connect to a different Wi-Fi network. The "best" method is the kernel-level bypass using Sliver/alloc8.
To understand why the bypass for 9.3.6 is the "best," you have to understand the hardware. iOS 9.3.6 was the final stop for the iPhone 4s and iPad 2. These devices run on the A5 chip, a 32-bit processor. Unlike "Checkm8" (which is bootrom-based but requires a
Modern bypasses (for iOS 12+) use server-side exploits or DNS manipulation, which are often temporary or require activation tickets. However, iOS 9.3.6 has a fatal flaw that Apple never patched: The PurplingBird (or alloc8) exploit.
This exploit allows us to enter kDFU mode (Kernel Debugging File Utility) – a developer backdoor that Apple left open on 32-bit devices. Once in kDFU mode, we can read and write to the NAND chip directly, bypassing the need for Apple's activation servers entirely.
This process takes roughly 15 minutes.
Step 1: Enter PWNDFU Mode
Open Sliver and navigate to "iCloud Bypass" > "iOS 9.3.6 (32-bit)."
Put your device into DFU mode (Power + Home for 10 seconds). Sliver will send the alloc8 exploit. You will know it worked when the screen stays black but the computer recognizes a new device. This is Purple Mode.
Step 2: Relaying the Activation Records
Unlike modern iPhones, the iPhone 4s stores the activation ticket locally. With Sliver, you will click "Relay Device Info." The tool downloads a fake activation ticket from a local server (or from the developer's cache) and injects it into the com.apple.commcenter.device_specific_nobackup.plist file.
Step 3: The "Wi-Fi Fix"
The most common complaint about iOS 9.3.6 bypasses is that "Wi-Fi is grayed out." The best bypass fixes this via a lockdown file fix. Sliver automatically disables the "Setup.app" and restores the CommCenter. You will see YouTube videos claiming "iOS 9
Result: The device reboots. You slide to unlock, and you are on the home screen. You can use iMessage, FaceTime, YouTube, and Safari. Cellular data works (on iPhone 4s GSM models). The App Store works for downloading older versions of apps.
Disclaimer: This article is for educational purposes only. Bypassing an iCloud lock on a device you do not legally own is illegal in most jurisdictions (Computer Fraud and Abuse Act, etc.). This information is intended for users who have purchased a used device with a valid proof of purchase or for security researchers. UnlockUnit, F3arRa1n, and similar tools should only be used on devices you own.
This work is licensed under a Creative Commons Attribution 4.0 International License.
You are free to use the material for any purpose as long as you give appropriate credit to the original author.