Legacy-iOS-Kit/README.md

iOS-OTA-Downgrader

(formerly 32bit-OTA-Downgrader)

Downgrade/restore and jailbreak iOS devices to signed OTA firmwares

• Linux and macOS are supported by this downgrade script/tool
  • Windows users can create a Linux live USB (see Requirements)
• iOS 8.4.1 and 6.1.3 downgrades have the option to jailbreak the install
  • For iOS 10.3.3, use TotallyNotSpyware to jailbreak
• You do NOT need blobs to use this, the script will get them for you
• This script can also restore your device to other iOS versions that you have SHSH blobs for (32-bit devices only, listed under Supported devices)
• Please read the "Other notes" section for frequent questions and troubleshooting

Supported devices:

• You can identify your device here
• iPhone 5C and iPad mini 3 devices are NOT supported (OTA versions are not signed)
• iPhone 5C can still be restored to versions that you have SHSH blobs for

Target Version	Supported Devices
iOS 10.3.3	A7 devices:
	iPhone 5S
	iPad Air 1
	iPad mini 2 (except iPad4,6)
iOS 8.4.1	32-bit devices:
	iPhone 4S
	iPhone 5
	iPad 2, iPad 3, iPad 4
	iPod 5th gen
iOS 6.1.3	iPhone 4S
	iPad 2 (except iPad2,4)

Requirements:

• A supported device in any iOS version (listed above):
  • A 32-bit device (jailbreak needed)
  • An A7 device (jailbreak not needed)
• An IPSW for the version you want to downgrade to
  • Links: iOS 10.3.3, iOS 8.4.1, iOS 6.1.3
  • The script can also download it for you
• A 64-bit Linux install/live USB or a supported macOS version
  • See supported OS versions and Linux distros below
  • A Linux live USB can be easily created with tools like balenaEtcher or Rufus
• Users with 32-bit devices must install OpenSSH
  • Users in iOS 10 (A6/A6X) must also install Dropbear (Cydia repo)

For Pangu 32-bit users:

• For 32-bit users using Pangu, install the latest untether for your iOS version here

How to use:

1. Download iOS-OTA-Downgrader here and extract the zip archive
2. Plug in your iOS device
3. Open a Terminal window
4. cd to where the zip archive is extracted, and run ./restore.sh
   • You can also drag restore.sh to the Terminal window and press ENTER
5. Select option to be used
6. Follow instructions

Supported OS versions/distros:

• Ubuntu 20.04 and 20.10; and Ubuntu-based distros like Linux Mint
• Ubuntu 16.04 and 18.04
  • Use 20.04 and newer as older versions are untested
• Arch Linux and Arch-based distros like EndeavourOS
• Fedora 32 to 33
• openSUSE Tumbleweed, Leap 15.2
• macOS 10.12 to 11

Other notes:

• If something in the process does not work for you, try switching USB ports and/or cables (also try using a USB 2.0 port)
• This script will verify the IPSW SHA1 before restoring
• For users having issues related to missing libraries or tools, re-install dependencies with ./restore.sh Install
  • Alternatively, delete the libimobiledevice or libirecovery folder in resources then run the script again
• For A7 devices:
  • Do not use USB-C to lightning cables as this can prevent a successful restore
  • checkm8 ipwndfu is unfortunately pretty unreliable, you may have to try multiple times (for Linux users, also try in a live USB)
  • If the script can't find your device in pwnREC mode or gets stuck, you may have to start over
  • Use an Intel PC/Mac as entering pwnDFU (checkm8) may be a lot more unreliable on AMD devices
  • Other than the above, unfortunately there's not much else I can do to help regarding entering pwnDFU mode.
• For 32-bit devices:
  • To make sure that SSH is successful, try these steps: Reinstall OpenSSH/Dropbear, reboot and rejailbreak, then reinstall them again
  • To devices with baseband, this script will restore your device with the latest baseband (except when jailbreak is enabled, and on iPhone5,1 as there are reported issues)
  • This script can also be used to just enter kDFU mode for all supported devices
  • As alternatives to kloader/kDFU, checkm8 A5 or ipwndfu can also be used in DFU advanced menu
    • To enter DFU advanced menu, put your iOS device in DFU mode before running the script
  • This script can work on virtual machines, but I won't provide support for them
  • If you want to use manually saved blobs for 6.1.3/8.4.1, create a folder named saved, then within it create another folder named after your ProductType (example: iPad2,1). You can then put your blob inside that folder.
    • The naming should be: (ECID in Decimal)_(ProductType)_(Version)-(BuildVer).shsh(2)
    • Example: 123456789012_iPad2,1_8.4.1_12H321.shsh
• For jailbreak option:
  • If you have problems with Cydia, remove the ultrasn0w repo and close Cydia using the app switcher, then try opening Cydia again
  • If you can't find Cydia in your home screen, try accessing Cydia through Safari with cydia:// and install "Jailbreak App Icons Fix" package (Cydia repo)
• For jailbreak option (on iOS 8.4.1 downgrades only):
  • Stashing is already enabled and nosuid is removed from fstab, so no need to install "Stashing for #etasonJB" package
  • To fix LaunchDaemons not loading on startup, install "Infigo" package (Cydia repo)
  • Warning: On some but not all 8942/8945 devices, your device might take a very long time to boot, possibly 20 minutes or more

Tools and other stuff used by this script:

• cURL
• bspatch
• ipwndfu
• iPwnder32
• irecovery
• libimobiledevice
• imobiledevice-net (macOS)
• idevicerestore
• ipsw tool from OdysseusOTA/2
• python2
• tsschecker
• futurerestore 152 (32-bit)
• futurerestore 251 (Linux) (A7)
• futurerestore 245 (macOS) (A7)
• kloader
• kloader5 for iOS 5
• kloader_hgsp for iOS 10
• partial-zip
• 32-bit iBSS patches are from OdysseusOTA, OdysseusOTA2, alitek12, gjest
• A7 iBSS and iBEC patches are from MatthewPierson