Legacy iOS Kit

• (formerly iOS-OTA-Downgrader)
• An all-in-one tool to restore/downgrade, save SHSH blobs, jailbreak legacy iOS devices, and more
• Supported on Linux and macOS
• Read the "How to Use" wiki page for instructions
• Read the "Troubleshooting" wiki page for tips, frequent questions, and troubleshooting

Features

• Legacy iOS Kit supports all 32-bit iOS devices, and some 64-bit (A7/A8/A9/A10/A11) devices
  • Devices that received iOS 16 and newer will only have limited functionality (e.g. sideloading) and some features like SSH ramdisk are not supported
  • Legacy iOS Kit defines legacy devices as all iOS devices that are vulnerable to a bootrom exploit (checkm8 and older)
• Restore to signed OTA versions (iOS 8.4.1 and/or 6.1.3) on A5/A6 devices
• Restore to iOS 10.3.3 (signed OTA version) on supported A7 devices
• Restore supported devices to unsigned versions with SHSH blobs
• Restore to unsigned iOS versions with iOS 7 blobs (powdersn0w)
• Restore supported 32-bit devices to unsigned iOS versions "without" blobs
  • Includes downgrading iPhone 2G, 3G, 3GS, iPhone 4 GSM and CDMA, iPod touch 1, 2, 3, iPad 1
  • "without" is in quotes because powdersn0w uses iOS 5/7 blobs for touch 3 and A4 devices, but it is signed for everyone to use
  • Other devices however are true blobless
• Tethered downgrades/restores to supported iOS versions for A5(X)/A6(X) and some other 32-bit devices
• Jailbreak all 32-bit iOS devices on nearly any iOS version
  • Available on iOS versions 3.0 to 9.3.4 with some small exceptions
• Hacktivation for iPhone 2G, 3G, 3GS, 4 GSM (activate without valid SIM card)
• Boot SSH Ramdisk for supported 32-bit and 64-bit devices
• Save Onboard SHSH blobs for supported 32-bit and 64-bit devices
• Sideload IPA files for supported devices on Linux (and macOS)
• Save SHSH blobs from Cydia servers for 32-bit devices
• Enter pwned iBSS/kDFU mode for supported 32-bit devices
• Save onboard SHSH blobs for jailbroken 64-bit devices (deverser)
  • This also saves onboard Cryptex APTicket and seed for iOS 16+ (x8A4)
• Install TrollStore using SSH Ramdisk for supported 64-bit devices on iOS 14/15
• Clear NVRAM for 32-bit devices
• Device activation using ideviceactivation (especially useful for iOS 4 and lower)
• The latest baseband will be flashed for certain A5/A6 devices (for iPhone 4S, 5, 5C, iPad 4, mini 1)
  • For more info on baseband, go to Baseband Update wiki page
• Dumping and stitching baseband to IPSW (requires --disable-bbupdate)
• Dumping and stitching activation records to IPSW (requires --activation-records)
• App Management - Install IPA (AppSync), dump apps as IPA, list installed apps
• Data Management - Backup and restore, mount device, erase all content and settings
• Misc Utilities - Pair device, export data and battery info, shutdown/restart device, and more

Supported devices

• Identify your device here
• iPhone 5C and iPad mini 3 devices are NOT supported by OTA downgrades
  • These devices still support restoring to other iOS versions with SHSH blobs, see below
• See the table below for OTA downgrading support:

Target Version	Supported Devices
iOS 10.3.3	A7 devices:
	iPhone 5S
	iPad Air 1
	iPad mini 2 (except iPad4,6)
iOS 8.4.1	32-bit devices:
	iPhone 4S
	iPhone 5
	iPad 2, iPad 3, iPad 4
	iPad mini 1
	iPod touch 5
iOS 6.1.3	iPhone 4S
	iPad 2 (except iPad2,4)

• Restoring with SHSH blobs, jailbreaking, and using SSH ramdisks are supported on the following devices:
  • iPhone 2G, 3G, iPod touch 1
  • iPhone 3GS, 4, 4S, 5, 5C
  • iPad 1, 2, 3, 4, mini 1
  • iPod touch 2, 3, 4, 5
• Restoring with SHSH blobs and using SSH Ramdisks are also supported on some 64-bit devices:
  • iPhone 5S, 6, 6S, SE 2016, 7 (including Plus variants)
  • iPad Air 1, 2
  • iPad mini 2, 3, 4
  • iPod touch 6, 7
  • Versions that can be restored to depend on SEP/BB compatibility
  • Although SEP/BB compatibility does not matter anymore for A9(X)/A10(X) devices thanks to turdus merula
• Restoring with iOS 14.3-15.x and 16.6+ SHSH blobs using futurerestore is also supported on these devices (SSH ramdisks not supported):
  • iPhone 8, X
  • iPad 5
  • iPad Pro 9.7/12.9 1st gen
• Restoring with powdersn0w is supported on the following devices and target version range:
  • iPhone 4 GSM - iOS 4.0 to 7.1.1
  • iPhone 4 CDMA - iOS 4.2.6 to 7.1.1
  • iPhone 4S, 5, 5C, iPad 2 Rev A, iPad 4, iPod touch 5 - iOS 5.0 to 9.3.5
  • iPad 1 - iOS 3.2 to 5.1
  • iPod touch 3 - iOS 3.1.1 to 5.1
  • Using powdersn0w requires iOS 7.1.x blobs for your device
    • No blob requirement for iPhone 4, iPad 1, iPod touch 3 (7.1.2 and 5.1.1 are signed)
    • For iPhone 5/5C and touch 5, both 7.0.x and 7.1.x blobs can be used
    • For iPad 4, only 7.0.x blobs can be used
• Restoring tethered to any version is supported on the following devices:
  • iPhone 4 (3,2 and 3,3), 4S, 5, 5C
  • iPad 2, 3, 4, mini 1
  • iPod touch 3, 4, 5
• Restoring to other unsigned versions without blobs is supported on the following devices and target version range:
  • iPhone 2G, 3G, 3GS, iPod touch 1, touch 2 - All versions are supported
  • Lowest downgradable version is 2.0. Going to 1.x does not work
  • For jailbreaking support, see below
• Restoring the iPod touch 3rd gen and iPad 1 to iOS 6 (and also iOS 7 for iPad 1) untethered
• Restoring the iPod touch 4th gen to iOS 7 tethered
• Jailbreaking for 32-bit devices and versions support:
  • iPhone 2G and touch 1 - 3.1.3 only
  • iPhone 3G and touch 2 - 4.2.1, 4.1, and 3.1.3
  • iPhone 3GS - All versions are supported (all release versions from 3.0 to 6.1.6)
  • Other devices - All versions from 3.1.3 to 9.3.4 are supported, with some exceptions
  • For more details, go to the "Jailbreaking" wiki page

Supported OS versions/distros

Supported architectures: x86_64, arm64

• macOS 10.11 and newer
  • macOS 12.6 and newer recommended for Apple Silicon Macs
• Ubuntu 22.04 and newer, and Ubuntu-based distros like Linux Mint
• Fedora 40 and newer, Atomic Desktop (Silverblue, Kinoite, Bazzite, etc.) also supported
• Debian 12 Bookworm and newer, Sid, and Debian-based distros
• Arch Linux and Arch-based distros like CachyOS and SteamOS
• Less tested distros: openSUSE Tumbleweed, Gentoo, Void Linux

Tools and other stuff used

• curl
• bspatch
• powdersn0w_pub - dora2ios; LukeZGD fork
  • Most of the exploit ramdisks used are from kok3shidoll's repo
  • iPhone 5C 7.0.x exploit ramdisk is from m1zole
  • Other iPhone 5/5C ramdisks are from Ralph0045's iloader repo
  • iPad 1 exploit ramdisk is from Ralph0045
  • iPad 4 and touch 5 7.0.x exploit ramdisks are from Pingzi610
• ipwndfu - axi0mX; LukeZGD fork
• iPwnder32 libusb - dora2ios; LukeZGD fork
• ipwnder_lite - dora2ios; LukeZGD fork
• gaster - 0x7ff; LukeZGD fork
• primepwn
• a6meowing - dora/kok3shidoll; LukeZGD fork with changes from retr0id for Linux support
• daibutsuCFW - dora2ios; LukeZGD fork
• daibutsu - dora/kok3shidoll, Clarity
• libimobiledevice - libimobiledevice
• libirecovery - libimobiledevice
• libideviceactivation - libimobiledevice
• ideviceinstaller - libimobiledevice
• ifuse - libimobiledevice
• static-cross-openssh - scp and ssh binaries (used on Linux only)
• Motrix - aria2c binaries
• usbmuxd2 - tihmstar; LukeZGD fork (used on Linux only, optional)
• anisette-server from Provision - Dadoum (used for sideloading on Linux)
• AltServer-Linux - NyaMisty (used for sideloading on Linux)
• Sideloader - Dadoum (used for sideloading on Linux and macOS)
• tsschecker - tihmstar; 1Conan fork (v413)
• darkhttpd
• x8A4 - Cryptiiiic (for getting Cryptex seed)
• futurerestore - tihmstar
  • LukeZGD fork used for restoring 32-bit devices (not used in macos arm64)
  • LukeeGD fork used for restoring A7 devices (mostly not used though)
  • futurerestore nightly used for restoring A8/A9/A10/A11 devices
• iBoot32Patcher - Merculous fork
• idevicerestore - libimobiledevice; LukeZGD fork
• kloader from Odysseus
• kloader from axi0mX (used on iOS 4/5 only)
• kloader for iOS 5
• jq
• partialZipBrowser
• zenity; macOS build
• 32-bit bundles from OdysseusOTA, OdysseusOTA2, alitek12, gjest (modified bundles for daibutsuCFW)
• A7 patches from MatthewPierson
• iPad 2 iOS 4.3.x bundles from selfisht, Ralph0045
• datautils0 - comex (used for iPad 2 4.3.x kernel diffs)
• sshpass
• Bootstrap tar from SpiritNET
• Cydia HTTPatch for 3.1.3 downgrades/jailbreaks
• EverPwnage
• Aquila
• Pangu
• p0sixspwn
• evasi0n7
• evasi0n
• g1lbertJB
• UntetherHomeDepot
• greenpois0n
• Some patches from PwnageTool, sn0wbreeze, redsn0w
• Many patches for the 3GS are made using patchers by Merculous (including Bundle-Creation)
• SSH Ramdisk tars from Ralph0045's SSH-Ramdisk-Maker-and-Loader and msftguy's ssh-rd
• 64-bit SSH Ramdisk stuff is based on Nathan's SSHRD_Script (iOS 12+), and exploit3dguy's iram tar from iarchive.app (iOS 8)
  • img4lib - xerub
  • img4tool - tihmstar
• Tools used for dumping IPA - forks by rcky844
  • ipainstaller
  • Clutch
• For iPhone X restore patches:
  • Method by Mineek and Nathan
  • Mineek's restored_external patcher for iPhone X downgrades to 14.3-15.x
  • KPlooshFinder
  • kerneldiff
• iPad 1 and iPod touch 3 unofficial upgrades:
  • SundanceInH2A - NyanSatan
  • ipad-1-ios-7 - amy-and-nicole and pwnerblu, also uses stuff from SundanceInH2A
• kurouta dori (turdus merula A6(X)) - dora/kok3shidoll (used for A6(X) pwning on Linux, and iOS 10 tethered restores)