Downgrade and jailbreak from iOS 9 to 8.4.1

Downgrading a legacy iOS device can be tricky, but luckily for us there are two different methods we can use. We’ll first explore a method which doesn’t require a computer and can be done directly on the iOS device. Then we’ll see how to downgrade using a script called Legacy-iOS-Kit; I forked the repo to make some changes specifically for macOS, so that it uses the latest bash version from Homebrew.

It’s recommended to make a backup first to avoid losing the data stored on the device. If you are on Windows, you will need iTunes to restore iOS.

Supported devices

32-bit devices are supported by both methods:

  • iPhone 4S
  • iPhone 5
  • iPad 2, iPad 3, iPad 4
  • iPad mini 1
  • iPod touch 5

Why the downgrade?

We’re specifically targeting an older iOS version which received an untethered jailbreak, that is, a persistent jailbreak which doesn’t need to be reapplied after the device reboots. Unfortunately iOS 9.3.5 and 9.3.6 only have a semi-tethered jailbreak (so after each reboot you will have to jailbreak again), but we can still use it to downgrade iOS.

How do I go back if anything goes wrong?

Unfortunately, if your device is stuck in a bootloop or can’t boot into iOS, the only way to fix it is to restore iOS through iTunes. So let’s say you managed to downgrade from iOS 9.3.6 to 8.4.1 but something went wrong while installing the jailbreak: in this case, restoring through iTunes will take you back to iOS 9.3.6. This is because the last two IPSWs still signed by Apple are 9.3.5 and 9.3.6, so it’s not possible to restore to 8.4.1 since that version is no longer signed. If you ever need the IPSW (the file format used to install iOS firmware) of a specific version, you can use IPSW Downloads.

Depending on your device, entering recovery mode might be different; for instance on the iPad (the one with the home button) you just need to keep pressing the home and power buttons at the same time until it tells you to connect the device to iTunes. If in doubt, check the Apple documentation on restoring and entering recovery mode.

As an alternative to iTunes, if you managed to jailbreak your device and have Cydia installed, you can use a tweak called Cydia Eraser which resets iOS to its original pre-jailbreak state without updating iOS. This assumes you are able to boot into your system, of course.

To sideload or not to sideload

Sideloading allows you to install applications on your device without using the App Store. It’s a relatively easy process: you just need Sideloadly and preferably a separate Apple account with a free developer subscription used only for sideloading.

So we need to sideload an application to jailbreak our device, but there’s also another way which doesn’t require Sideloadly. A website named jailbreaks.app has links which install the application you’re interested in directly on your iOS device when they are opened through a browser.

This will come in handy later when we need to fully jailbreak the device with Daibutsu: the IPA you download through the official website needs to be signed first, and if that process is not done correctly you will be stuck in a bootloop. If instead you install Daibutsu through jailbreaks.app, the IPA is already signed, so you won’t run into any issue when jailbreaking.

The semi-tethered and untethered jailbreaks can both be installed through jailbreaks.app, so Sideloadly is not needed since the applications are installed directly on the device.

Is Daibutsu the only untethered jailbreak available?

Technically there are other jailbreaks that can be used:

  • Etasonjb is quite unstable; there’s a tweak that needs to be installed to fix some bugs. For instance, when rebooting your device you will need to jailbreak again unless you install the tweak I mentioned. I also ran into an issue where iOS wasn’t loading the tweaks in the Settings app: Cydia and the other tweaks I had already installed were usable for the most part, but you couldn’t change any of their settings. I was able to fix it, but after rebooting the tweaks were not showing again, so I had to restore the iPad and try Daibutsu. The tweak can be installed by adding this repo to Cydia and looking for Etason untether:

    http://repo.tihmstar.net/
    
  • Although Home Depot is a semi-tethered jailbreak, you can still get an untethered jailbreak by using the Etason untether tweak from the tihmstar repo. You might stumble on Lukezgd’s repo, which contains a tweak named UntetherHomeDepot: avoid installing it! First, it is not made for iOS 8.4.1, and second, as mentioned on the Home Depot wiki, it can bootloop your device, so if you’re afraid of bootloops do not install it!

On the other hand, Daibutsu doesn’t require any extra tweaks to work, unless you decide to take the hard way and sign the IPA manually, which as already mentioned can bootloop your device if not done correctly.

Downgrade first method - update SystemVersion.plist no computer required

For both methods you will have to first jailbreak your device, then downgrade to iOS 8.4.1. It is highly recommended to both disable the passcode and log out of iCloud; otherwise, when you try to jailbreak and the device reboots, it will not be jailbroken and you’ll have to reapply the jailbreak until it works.

So let’s break down the steps we need to do:

  1. Connect your device to a reliable power source; you don’t want the device to be at 10% battery when jailbreaking.
  2. On your device, open Safari and go to jailbreaks.app to pick a semi-tethered jailbreak compatible with iOS 9 like p0laris, Phoenix or HomeDepot.
  3. When opening the application, iOS will ask you to trust the developer; after that you can open it, jailbreak your device and wait for it to reboot. If everything worked correctly, you should see Cydia installed.
  4. Open Cydia and install iFile or Filza File Manager; ignore the updates Cydia is requesting.
  5. Open iFile or Filza File Manager, go to /System/Library/CoreServices and open the SystemVersion.plist file.
  6. We need to update the ProductVersion and ProductBuildVersion; depending on your device, these two values will be different. To find the correct values you can use IPSW.me: for example, I’m using the first-generation iPad mini, so I need to look inside the OTAs tab to find a ProductVersion and ProductBuildVersion which allow me to downgrade to an older version. In my case I picked 6.1.3 for the ProductVersion and 10B329 for the ProductBuildVersion.
  7. Save the SystemVersion.plist file and reboot your device.
  8. After the device has rebooted, open Settings, General, then Software Update. You should get an update for iOS 8.4.1 to install; if not, you did something wrong, and in that case you have to restore and start over.
  9. After the installation is complete, if you go to Settings, General, About you should see the old version 8.4.1.
  10. Go to Settings, General, Reset, then tap Erase All Content and Settings.
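The edit in steps 5 to 7 is done by hand in a file manager, and the post never shows what SystemVersion.plist actually looks like. The script below is an added example, not code from the post or from any of the tools it mentions: it writes a constructed plist with the same layout as Apple’s (one <string> value on the line after each <key>, with placeholder values), rewrites ProductVersion and ProductBuildVersion the way step 6 does, keeps a .bak copy of the original, and refuses to touch a file that does not contain both keys, which is the check you want before saving anything under /System. The key names, the example values 6.1.3 and 10B329 and the file path come from the post; everything else is assumed. Run it with --demo to see it work on a temporary copy.

```shell
#!/bin/sh
# Added example (not from the post): update ProductVersion and ProductBuildVersion
# in a SystemVersion.plist, keeping a backup and verifying the result afterwards.
# Assumes Apple's plist layout: each <string> value sits on the line after its <key>.

# Print the <string> that follows KEY in FILE (empty output if KEY is absent).
plist_get() {   # plist_get FILE KEY
    sed -n "/<key>$2<\/key>/{n;s|.*<string>\(.*\)</string>.*|\1|p;}" "$1"
}

# Replace the <string> that follows KEY in FILE, leaving FILE.bak behind first.
plist_set() {   # plist_set FILE KEY VALUE
    sed -i.bak "/<key>$2<\/key>/{n;s|<string>[^<]*</string>|<string>$3</string>|;}" "$1"
}

# Rewrite both version keys; return 0 only if both keys existed and now read back as requested.
downgrade_version_plist() {   # downgrade_version_plist FILE VERSION BUILD
    f="$1"; ver="$2"; build="$3"
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    # Refuse to edit a file without both keys: wrong file, wrong path or wrong format.
    [ -n "$(plist_get "$f" ProductVersion)" ] && [ -n "$(plist_get "$f" ProductBuildVersion)" ] || {
        echo "ProductVersion/ProductBuildVersion not found in $f" >&2; return 1; }
    plist_set "$f" ProductVersion "$ver"
    plist_set "$f" ProductBuildVersion "$build"
    [ "$(plist_get "$f" ProductVersion)" = "$ver" ] &&
        [ "$(plist_get "$f" ProductBuildVersion)" = "$build" ]
}

# Constructed sample in the shape of /System/Library/CoreServices/SystemVersion.plist.
# The build value is a placeholder; the real one depends on the installed iOS.
write_sample_plist() {   # write_sample_plist FILE
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key>
    <string>BUILD-OF-INSTALLED-IOS</string>
    <key>ProductName</key>
    <string>iPhone OS</string>
    <key>ProductVersion</key>
    <string>9.3.6</string>
</dict>
</plist>
EOF
}

# Demo on a temporary copy, so nothing on the machine running this is modified.
demo() {
    tmp="$(mktemp)"
    write_sample_plist "$tmp"
    if downgrade_version_plist "$tmp" 6.1.3 10B329; then
        echo "updated: ProductVersion=$(plist_get "$tmp" ProductVersion)" \
             "ProductBuildVersion=$(plist_get "$tmp" ProductBuildVersion) (backup in $tmp.bak)"
    else
        echo "edit refused or failed" >&2
    fi
    rm -f "$tmp" "$tmp.bak"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The read-back at the end of downgrade_version_plist is the part worth keeping even if you edit the file in iFile or Filza: a typo in either key name means Software Update will not offer 8.4.1 and you have to restore and start over, as step 8 says.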

As you can see this process is long and tedious, but it doesn’t require a computer, just your device. Luckily for us there’s another way which involves a script, but on the other hand it requires a computer.

Downgrade second method - use the script Legacy-iOS-Kit

As mentioned on the official repo on GitHub, it is not recommended to launch the script on Windows, so you have to choose between macOS or Linux.

On Windows you have to create a bootable USB just for Linux. You could also use a VM to launch the script, but there are some extra steps involved to pass the USB device through to the VM and it may not work.

On macOS you can use the fork I made to use the latest version of bash from Homebrew. The reason I forked the repo is that if you launch the original script, you’ll get an error saying to update bash to a more recent version:

[Error] Your bash version (3) is too old. Install a newer version of bash to continue.
* For macOS users, install bash, libimobiledevice, and libirecovery from Homebrew or MacPorts
* For Homebrew: brew install bash libimobiledevice libirecovery
* For MacPorts: sudo port install bash libimobiledevice libirecovery

You have potentially two options:

  • The original script uses the interpreter found via /usr/bin/env, so technically it should use the first occurrence of bash it finds in the environment’s PATH. When I typed the command:
    $ /usr/bin/env bash
    
    it was still using the old version of bash, not the one from Homebrew. So I added
    export PATH="/opt/homebrew/bin:$PATH"
    
    to my ~/.zshrc and it worked, although it seemed a bit forced since the path was already in the environment, but in a position after the bash version installed in /bin/bash.
  • On the other hand, if you don’t like messing around with the environment that much, you can use my fork of the script, which directly uses the bash version from Homebrew.

Whichever option you choose, before using the script you need to install a couple of packages, as mentioned in the error message above:

$ brew install bash libimobiledevice libirecovery
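Before deciding between the two options above, it helps to see exactly which bash /usr/bin/env is going to pick and why. The script below is an added example, not code from the post or from Legacy-iOS-Kit: it walks a PATH string in order the way env does (earlier entries win, later ones are never consulted), reads the major version out of a bash --version banner, and applies the same kind of "at least bash 4" test that produces the [Error] message quoted above. The Homebrew paths /opt/homebrew/bin and /usr/local/bin and the minimum version of 4 are assumptions; the banner strings in the comments are constructed. Run it with --report on the Mac where you intend to launch the script.

```shell
#!/bin/sh
# Added example (not part of the post or of Legacy-iOS-Kit): find out which bash
# `/usr/bin/env bash` resolves to under the current PATH and whether it is new enough.

# Print the first DIR/NAME that is executable, scanning PATH_STRING left to right.
# This mirrors what /usr/bin/env does: the first match wins, order is everything.
first_in_path() {   # first_in_path NAME PATH_STRING
    name="$1"; rest="$2"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        case "$rest" in *:*) rest="${rest#*:}";; *) rest="";; esac
        [ -x "$dir/$name" ] && { printf '%s\n' "$dir/$name"; return 0; }
    done
    return 1
}

# Extract the major version from the first line of `bash --version`.
# Constructed example: "GNU bash, version 3.2.57(1)-release (arm64-apple-darwin23)" -> 3
bash_major_from_banner() {   # bash_major_from_banner BANNER
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9]*\)\..*/\1/p'
}

# Return 0 when BANNER describes a bash whose major version is at least MIN (default 4).
banner_is_new_enough() {   # banner_is_new_enough BANNER [MIN]
    major="$(bash_major_from_banner "$1")"
    [ -n "$major" ] && [ "$major" -ge "${2:-4}" ]
}

# Report the bash that would actually run, and point at a Homebrew bash if one is installed
# but shadowed by an earlier PATH entry such as /bin.
report() {
    chosen="$(first_in_path bash "$PATH")" || { echo "no executable named bash in PATH"; return 1; }
    banner="$("$chosen" --version | head -n 1)"
    if banner_is_new_enough "$banner"; then
        echo "OK: $chosen ($banner)"
    else
        echo "TOO OLD: $chosen ($banner)"
        for brew in /opt/homebrew/bin/bash /usr/local/bin/bash; do   # assumed Homebrew locations
            [ -x "$brew" ] && echo "hint: $brew is installed; its directory must come before /bin in PATH"
        done
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

On a stock Mac the report shows /bin/bash with a 3.x banner even after brew install bash, because /bin precedes /opt/homebrew/bin in the default PATH; that is the situation the export PATH line above fixes, by moving the Homebrew directory in front rather than merely adding it.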

Let’s break down the steps to run the script:

  1. Make sure your device has enough battery left; we’ll connect it to the computer later.
  2. On your device, open Safari and go to jailbreaks.app to pick a semi-tethered jailbreak compatible with iOS 9 like p0laris, Phoenix or HomeDepot.
  3. When opening the application, iOS will ask you to trust the developer; after that you can open it, jailbreak your device and wait for it to reboot. If everything worked correctly, you should see Cydia installed.
  4. Open Cydia and install OpenSSH.
  5. Add this repo to Cydia:
    https://lukezgd.github.io/repo/
    
  6. Install kDFUApp, which will be used to enter a different recovery mode that is not available just by pressing the power and home buttons.
  7. Optional: depending on your device, it may be necessary to install kDFUApp Bundles, which offers wider device support.
  8. Open kDFUApp and select all the options available; when they’re all selected you’ll be able to tap enter kDFU at the bottom of your screen.
  9. Plug in your device.
  10. Launch the script through the terminal by typing:
    $ ./restore.sh
    
  11. Select Restore Firmware by typing 1.
  12. Select iOS 8.4.1 by typing 1.
  13. If you already have an IPSW file in the same directory where you launched the script, it will be used to downgrade iOS; in that case type 3 to start the restore, otherwise type 2 to download the IPSW.
  14. The script will ask whether to jailbreak your device directly while downgrading; select n, it is recommended to do it manually.
  15. When asked Is your device already in pwned iBSS/kDFU mode? (y/N), select y; your device will now apply the downgrade and reboot.

There are more steps than in the first method, but everything is done automatically and you don’t need to erase everything to fix the instabilities caused by forcing iOS to downgrade.

Jailbreak with Daibutsu

We’re almost there, just a few more steps:

  1. On your device, open Safari, go to jailbreaks.app and select Daibutsu.
  2. When opening the application, iOS will ask you to trust the developer; after that you can open it, jailbreak your device and wait for it to reboot. If everything worked correctly, you should see Cydia installed. There might be a scenario where the device is still not jailbroken; if that’s the case, repeat the jailbreak.
  3. Add this repo to Cydia (it can also be found on dora2ios) to install feature updates of Daibutsu:
    https://kok3shidoll.github.io/repo/
    
  4. Install a modern certificate so you can add repositories to Cydia which use a newer certificate.

Congrats, you’ve successfully downgraded and jailbroken an iDevice from iOS 9 to 8.4.1!

Where to go from there?

There are many tweaks and repositories available, but before installing anything, unless it comes from a reliable source, do some research. Cydia will already flag any suspicious repo you’re trying to add that has been reported several times by other users. Since you’re using a jailbroken device, you’re also more exposed to malware, but if you’re careful it’s not a big deal. I recommend taking a look at the Legacy Jailbreak subreddit; they also have a Discord channel with a couple of repositories you can add to Cydia. The wiki also has some awesome content I haven’t covered in this article!