Downgrading iOS 9.3.5 to iOS 6

Contents

1. Introduction
2. Jailbreak with Phoenix
3. OpenSSH
4. Downgrade to iOS 6

Introduction

I may be one of the only people left still rocking an iPad 2. The only purpose it has in my life is to consume video through YouTube, Netflix, and Put.io and for that it mostly works fine but at times it is painfully slow on the latest version of iOS it will run — 9.3.5.

It wasn't always slow though. I remember when I first got it and was amazed at how fast it was. Around iOS 7 when transparency, blurring, and all that crud was added was when slow down started to become apparent. With the help of a jailbreak and a command line tool it is however possible to restore an iPad 2 or iPhone 4 to its former glory.

Jailbreak with Phoenix

If you're already jailbroken then you're safe to skip this step. Otherwise this will assume you're on iOS 9.3.5 and a 32-bit device – that is an iPhone 5, iPad 4 or older (you will however only be able to downgrade iPad 2 and iPhone 4 using the process outlined in this article). You'll also need access to a computer for this step.

Mac or PC is fine but keep in mind that to downgrade to iOS 6 you will need a Mac or Linux machine (Windows users may be able to use the Ubuntu shell available on the store or a virtual machine but I've not confirmed that).

1. Download the Phoenix3.ipa file from phoenixpwn.com.

2. Download Cydia Impactor.

3. Open Impactor, drag the Phoenix3.ipa file into the top field and connect your device.

4. You'll need to enter your Apple credentials that Impactor will use to re-sign the Phoenix3.ipa file so it can be installed on your device.

If you've enabled 2-step authentication on your Apple ID you will need to create an application password at appleid.apple.com to continue.

5. Once Phoenix shows up on your device's home screen you'll need to head to Settings and go to "General > Device Management" to trust the certificate.

6. Run Phoenix and tap "Prepare For Jailbreak". It should re-spring and install Cydia. You're now jailbroken and will just need to run Phoenix again every time you reboot your device.

Phoenix failed a few times for me before jailbreaking successfully. If this happens for you just try again and it should eventually succeed.

Installing OpenSSH

Before you're able to downgrade you'll just need to install one package from Cydia on your device: OpenSSH. This will allow us to install some files to the device from terminal and trigger DFU mode without iTunes.

Once installed you're good to proceed to the next step.

Downgrade to iOS 6

Now your device is jailbroken and OpenSSH is installed it's possible to downgrade to iOS 6. This is only able to be done because Apple are still signing the 6.1.3 OTA update so if they ever decide to stop doing that this process will stop working.

The package used to complete the downgrade is called odysseusOTA and is a collection of command line tools that can be executed from terminal on a Mac or Linux computer.

• You can download odysseusOTA 2.4 here
• You'll also need to download the correct iOS 6.1.3 ISPW of your device.

Note: odysseusOTA currently only includes patched firmware bundles for iPad 2 and iPhone 4.

For the sake of brevity all the steps below are completed on a Mac but will be similar on Linux. You'll just need to use the linux64 directory instead.

1. Unzip odysseusOTA and the IPSW to your desktop. If you wish to copy the commands below you'll also need to rename the IPSW to unpatched.ispw.

2. Open Terminal.app and drag the macos directory within the odysseusOTA folder onto the window.

3. Run the following command to create a patched IPSW that can be flashed.

./ipsw ~/Desktop/unpatched.ipsw custom.ipsw -bbupdate

It's extremely important you do not omit the -bbupdate flag or you will not be able to activate your device with Apple as a baseband will not be included.

If successful a custom.ipsw file will appear in the macos directory.

4. Next, ensure the device you wish to downgrade is connected to your computer and run the following command.

./idevicerestore -t custom.ipsw

This will download the SHSH blobs required for downgrading.

5. Now you'll be able to run the following.

./xpwntool `unzip -j custom.ipsw 'Firmware/dfu/iBSS*' | awk '/inflating/{print $2}'` pwndiBSS

This generates a modified iBSS that will be installed to the device to allow it to be put in a modified DFU state.

6. It's now time to copy files over to your device. Take a note of your IP address from the WiFi settings on your iPhone or iPad.

scp pwndiBSS ../kloader root@YOURIPADDRESS:

If you're requested to accepted an RSA fingerprint type yes and hit enter.

The default password for the OpenSSH packaged is alpine so if you haven't changed it that's what it'll be.

7. With the custom kloader and iBSS on your device you'll now need to SSH in execute the kloader to put it into a DFU state. Use the following to connect to your device.

ssh root@YOURIPADDRESS

And with your device still connected to your computer run the command below.

./kloader pwndiBSS

This should make your device's screen go black while it puts it into DFU mode and the message "Magic happening now. (attempted!)" should appear in your terminal.

8. Open a new tab in Terminal and close the one running SSH to disconnect. Still within the macos folder the following command will start the restore process.

./idevicerestore -w ./custom.ipsw

If a device is found in DFU mode (which it should) then it should start restoring. Leave it connected to your computer as it flashes the firmware, baseband, and sends iOS 6 to your device.

Once Terminal says the following you should be good to disconnect.

Status: Restore Finished
Cleaning up...
DONE

iOS 6 will continue to install and when rebooted it will walk you through the setup process. Be careful not to restore from backup and to dismiss any requests to update to iOS 8.

That's it! You're all downgraded and your old iPad or iPhone should feel faster and restored to its former glory.