Tether Downgrade A9/A9X iOS Devices with turdus merula

This guide will instruct you on how to downgrade any A9 or A9X-based iOS device to any version that the device supports. This method does not require SHSH blobs. However, it is tethered, meaning that you will need to plug the device into a computer every time it is rebooted in order to boot it.


How it Works

This tutorial will use a tool called turdus merula. Downgrades are made possible thanks to the checkm8 bootrom exploit, as well as the Blackbird SEP exploit. turdus merula is the first public downgrade tool to use the Blackbird exploit. Downgrades were possible without it, but several functions of the phone did not work if the SEP was bypassed. This tool supports both A9 and A10 devices, but the process is slightly different between the two. If you have an A10 device, follow the separate guide for your device instead.


Caveats

Many A9-based devices will fail to activate on iOS 9, due to a problem with Apple's activation server. If your device is affected by this, you will either need to bypass/hacktivate the device, or just downgrade to iOS 10 or newer instead.


What You Will Need


Instructions

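1. Extract turdus_merula to a folder. Open Terminal, and navigate to the turdus_merula directory. You can do this by typing cd followed by a space into the terminal, then dragging the folder from Finder into the terminal and pressing Enter.

2. Run the following command in Terminal: /usr/bin/xattr -c ./bin/turdusra1n && /usr/bin/xattr -c ./bin/turdus_merula. This clears all extended attributes from the two binaries, including the quarantine flag that macOS sets on downloaded files, so that they are allowed to run.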

3. Place your device into recovery mode by holding the power and home buttons until it displays the Connect to iTunes/Connect to Computer screen. Then, plug your device into the computer.

4. Run the command ./bin/turdusra1n -ED in Terminal. The tool will then instruct you on how to place your device into DFU mode. Once in DFU mode, the tool will put the device into Pwned DFU mode.

5. Run the following command, replacing [ipsw file] with the IPSW file you downloaded (like before, you can just drag and drop it from Finder into Terminal): ./bin/turdus_merula --get-shcblock [ipsw file]. This will generate an shcblock file, which we will use in the next step.

You will be prompted to select from a list of signed firmware versions to use for Baseband/SEP/RestoreSEP. What you select here doesn't matter - just input "1" and press enter.

After the process finishes, the shcblock file will be saved to the blocks folder in the turdus_merula directory.

6. Run ./bin/turdusra1n -ED again to place your device back into Pwned DFU mode.

7. Run the following command, replacing [shcblock] with the shcblock file you just created, and replacing [ipsw file] with your IPSW file: ./bin/turdus_merula -o --get-pteblock --load-shcblock [shcblock] [ipsw file]. Like with the shcblock, you'll have to select a signed version of iOS to get the SEP data from.

This step may fail the first few times you try it. If you get the error "Failed to execute pongo shell", try again until it succeeds. Once done, this will save a pteblock file to the blocks folder.

8. We are now ready to restore the device. First, place the device back into Pwned DFU mode with the ./bin/turdusra1n -ED command. Then, run the following command, replacing [pteblock] with the pteblock file, and [ipsw file] with your target IPSW file: ./bin/turdus_merula -o --load-pteblock [pteblock] [ipsw file]

You'll be prompted again to select a signed iOS version, and then prompted to input YES to confirm you would like to erase and restore the device. After this, your device should be restored to your target version.


Tether Booting the Device

You will need to do this every time you want to boot the device, including after restoring.

1. Run the following command in Terminal, replacing [pteblock] with the pteblock file you created for your device: ./bin/turdusra1n -TP [pteblock]

2. The device should now boot into iOS.