How to downgrade any 32 bit device to almost any iOS (TETHERED AND HARD METHOD)




WARNING

This is for advanced users only and the risk is high. If you ever slide to power off your device you will be forced to restore, because iBoot will refuse to boot the old kernel. You have been warned.
WARNING: Some iPhone 4S and iPod touch 5 models don't support iOS 5 and iOS 6 respectively, due to NAND differences. If you see the 'Still waiting for root device' error, the device most likely does not support iOS 5/6. If you want to downgrade an iPhone 4S/iPod touch 5 to iOS 5/6, check the production date before starting.


WHAT YOU NEED TO KNOW: 

All GitHub repositories are down for the time being. Use pmbonneau.com/cydia and download GPTfdisk, HFS resize, and MKSysBag if you are downgrading to iOS 6. You'll have to extract ASR from the restore ramdisk of any iOS version.
Read the instructions carefully.
Remember that you can go to almost any iOS, except iOS 4.3 on the iPad 2.
First, here are the compatible devices:
iPhone 4S
iPhone 5(C)
iPad 2 (including iPad2,4)
iPad 3
iPad 4
iPod touch 5
iPad mini 1

Requirements

On PC

xpwntool - included in the Odysseus macos or linux folder
dmg - included in the Odysseus macos or linux folder
irecovery - also in the Odysseus macos or linux subfolder
SSH client - built in on macOS or Linux
image3maker - used to pack files into an img3 container. Available here
iBoot32Patcher - tool written by @iH8sn0w. Patches iOS bootloaders out of signature checks and injects boot-args. Available on GitHub

On device

Apple File Conduit '2' - allows full filesystem access over USB
CoolBooter - all-in-one iOS dual booting tool. Available in the repository coolbooter.com
diskdev-cmds - only needed for umount, and only needed on the CoolBooter OS
OpenSSH if the main OS is <=9.3.5, or Dropbear on iOS 10+. The Dropbear deb can be found at http://cydia.ichitaso.com/test/Dropbear.deb
dualbootstuff - only needed on the CoolBooter OS. It contains ASR, gptfdisk, hfs_resize, and kloader. Available on the Cydia repo nyansatan.github.io/apt.


OK; let's start.
  1. Download the firmware of choice and dual boot your device with CoolBooter. Before you start, back up systembag.kb, and also the baseband files if you have an iPhone 4S or newer (not sure about iPad 2); they are located in /usr/local/standalone/firmware/Baseband. On iPhone 5/iPad 4 the baseband folder is called Mav5, and on iPhone 4S it is called Trek (not sure what the iPad 3 baseband is called).
    1. Boot the second OS with CoolBooter. Important: If you have a Lightning device you must first reboot the device; if you are already downgraded you must use kloader to reboot the device, and after you send the kernelcache and type bootx, quickly unplug the device after 1-2 seconds. Important: If you are downgrading a Lightning-adapter device to iOS 6 it must be unplugged during the entire downgrading process. On all other iOS versions and on 30-pin devices it is OK to keep it plugged in.
  2. Decrypt the root filesystem DMG. You also need to convert it to UDZO (compressed) format after decrypting it. First type this in the computer terminal:
    dmg extract XXX-XXXXX-XXX.dmg XXX-XXXXX-XXX_decrypted.dmg -k <insert rootfs key here>
Keys can be found on TheiPhoneWiki. Keys must match the device model and the iOS version. Next type:
hdiutil convert -format UDZO XXX-XXXXX-XXX_decrypted.dmg -o XXX-XXXXX-XXX.dmg
Now you can delete the original encrypted DMG. Finally, use ASR on the computer to add checksums:
asr -imagescan XXX-XXXXX-XXX.dmg
An alternative way to build a read-only (UDZO) DMG is to type:
dmg build XXX-XXXXX-XXX_decrypted.dmg XXX-XXXXX-XXX.dmg
  3. Decrypt the bootchain files, including applelogo, devicetree, and kernelcache. The keys can also be found on TheiPhoneWiki:
xpwntool /path/to/encrypted/file /path/to/decrypted/file -iv <iv-here> -k <key-here> -decrypt
Important: You must add the -decrypt flag, or else the kernelcache will not be decompressed.
Next, decrypt and patch iBEC. You can skip this step if you already have a patched iBEC:
xpwntool /path/to/encrypted/iBEC /path/to/decrypted/iBEC -iv <iv-here> -k <key-here>
Note: Do NOT add the -decrypt flag this time, because we are going to use iBoot32Patcher to patch iBEC.
Important: If you have an iPhone or an iPod you also need to decrypt and patch iBSS. This step is not needed for iPads. Alternatively you can use kDFUApp if you have a supported device.
xpwntool /path/to/original/iBSS /path/to/decrypted/iBSS -iv <iv-here> -k <key-here>
Next, patch iBEC (and iBSS, if you have an iPhone or iPod) out of signature checks and set the boot-args:
iBoot32Patcher /path/to/decrypted/iBSS /path/to/patched/iBSS
iBoot32Patcher /path/to/decrypted/iBEC /path/to/patched/iBEC -b "rd=disk0s1s1 -v"
Note: You do not need any boot-args for iBSS.
Now repack the patched iBEC. You don't need to repack iBSS; in fact you should not repack iBSS, as you may get a black screen:
image3maker -t ibec -f /path/to/patched/iBEC -o /path/to/packed/iBEC
  4. Back on the device, install Apple File Conduit "2", diskdev-cmds (only needed for umount), dualbootstuff, and OpenSSH. dualbootstuff can be found on the repo nyansatan.github.io/apt.
  5. SSH into the device. If it asks you to connect for the first time, type yes. The default password is alpine:
    ssh root@device_ip
  6. Now for the hard part: repartitioning the storage. On the device, type:
    gptfdisk /dev/rdisk0s1
Now type p to print the partition table. Note the logical sector size: it is 8192 on the iPad 2 and 4096 on the iPhone 4S/iPad 3 and newer. Now request info on the first 2 partitions:
i
1
i
2
Note: Write down the Partition unique GUID and the attribute flags of the second partition, which is Data. For me the flags are usually 0003000000000000; they may be different for you. Now delete the first and second partitions. Don't worry, we'll create new (smaller or bigger) partitions:
d
1
d
2
n
1
Leave the first sector default. How to calculate the last sector: first decrypt the restore ramdisk with xpwntool, but without the -decrypt flag. Now open the decrypted ramdisk and go to /usr/local/share/restore. Open options.plist and note the SystemPartitionSize. Now look at SystemPartitionPadding. It has entries keyed 8, 16, 32, 64, and 128, which are the device capacities in GB (16 means a 16GB device, 128 means a 128GB device), and each value is how many MB to add to the SystemPartitionSize. For example, a 1500 MB SystemPartitionSize on a 16GB device would become 1660MB. Now convert that to bytes (1 MB here is 1048576 bytes): 1660MB is 1740636160 bytes. Now divide it by 8192 on iPad 2 or 4096 on iPhone 4S/iPad 3 and newer, and add the result to the first usable sector.
Leave the default Hex code, now type this:
c
1
System
n
2
Leave the first and last sectors default.
c
2
Data
x
a
2
Note: If your attribute flags were 0000000000000000, hit <Enter>. If your attribute flags were 0001000000000000, type:
x
a
2
48
<Enter>
Type i and then 2; it should say Data after "Partition name:". Example: "Partition name: Data" (correct); "Partition name: System" (incorrect).
If your attribute flags were 0003000000000000:
x
a
2
48
49
<Enter>
Now set the unique GUID. It must be the one you wrote down, or else the device nodes for the System and Data partitions will change to /dev/disk0s1s6 and /dev/disk0s1s5 respectively until the next reboot:
c
1
<guid-here>
c
2
<guid-here>
Verify what you have. If something has gone wrong or you want to restart or redo a change type 'q' or press Ctrl+C and start again.
w
Y
This will write the changes.
Type: sync; sync; sync
Do a quick fsck to be safe: fsck_hfs -q /dev/disk0s1s1; fsck_hfs -q /dev/disk0s1s2
  7. Now run newfs_hfs. If you have an iPad 2, type:
    newfs_hfs -s -v System -J -b 8192 -n a=8192,c=8192,e=8192 /dev/disk0s1s1
If you want to erase all data:
newfs_hfs -s -v Data -J -P -b 8192 -n a=8192,c=8192,e=8192 /dev/disk0s1s2
If you have an iPad 3/iPhone 4S or newer, type:
newfs_hfs -s -v System -J -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s1
newfs_hfs -s -v Data -J -P -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s2
THIS WILL ERASE THE SYSTEM AND/OR DATA PARTITIONS!
NOTE: If you want to preserve data, only run newfs_hfs on /dev/disk0s1s1.
  8. Copy the decrypted, read-only DMG to /var of the second iOS using iFunBox.
  9. Run ASR to copy the DMG to /dev/disk0s1s1:
    asr restore -source /var/XXX-XXXXX-XXX.dmg -target /dev/disk0s1s1 -erase
To save time you can add the -noprompt flag to stop it from asking 'Erase contents of /dev/disk0s1s1 [n/y]'.
Now run fsck_hfs:
fsck_hfs -f /dev/disk0s1s1
  10. Make a few changes to the filesystem. You need to move /var to /dev/disk0s1s2. The procedure depends on whether you erased the data partition or preserved it. First, the case where you erased the data partition. Type mkdir /mnt1 and mkdir /mnt2.
Mount the System partition:
mount -t hfs /dev/disk0s1s1 /mnt1
Mount the Data partition:
mount -t hfs /dev/disk0s1s2 /mnt2
Fixup /var:
mv -v /mnt1/private/var/* /mnt2
Now patch fstab to match the partition layout. It should look like this:
/dev/disk0s1s1 / hfs ro 0 1
/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2
Important note: If you are downgrading to iOS 5/6 an additional step is required. You need to generate an older version of the system keybag.
First mount /dev/disk0s1s2 to /private/var:
umount /mnt2; mount -t hfs /dev/disk0s1s2 /var
Run fixkeybag:
fixkeybag
Eject /dev/disk0s1s2:
umount -f /var; mount -t hfs /dev/disk0s1s2 /mnt2
If you are downgrading to iOS 7 or newer just copy systembag.kb from the computer that was saved from before to /mnt2/keybags. Keep in mind that if you restore you need to copy the system key bag to the computer.
  11. Pack the baseband firmware. This is very important if you have an iPhone 4S or newer. Skip this step if you have an iPod or a WiFi-only iPad. If you fail to copy the baseband firmware, your device will fail to activate and after 3 minutes will panic saying "Debugger message: WDT timeout".
First, type this:
mkdir -p /usr/local/standalone/firmware/Baseband/Mav5
Important: On iPhone 5 and iPad 4, it is called Mav5, while on iPhone 4S it is called Trek, not sure about iPad 3.
Then copy the baseband files from the computer to the Mav5/Trek folder. If you are downgrading to iOS 6 or earlier, you need to zip the baseband files and name it Mav5-personalized.zip or Trek-personalized.zip if you have an iPhone 4S.
Now here's how to modify filesystem if you are preserving data:
Mount /dev/disk0s1s1:
mount -t hfs /dev/disk0s1s1 /mnt1
Remove /mnt1/private/var/:
rm -rf /mnt1/private/var/*
Now patch fstab and copy baseband firmware the same way as described earlier.
IMPORTANT: You must erase all data if you are going from iOS 9+ to iOS 8.2 or earlier, even if you first downgrade to iOS 8.4.1, or else you'll get 'mount_hfs: Operation not permitted' when trying to boot the downgraded iOS.
  12. Now we need to make the system partition a little bit smaller. First copy the encrypted kernelcache (as it is in the IPSW; its only purpose is to be counted when calculating the system partition size). Next type df -B1 and note the used space of /dev/disk0s1s1. Now calculate the size in megabytes once again at http://whatsabyte.com/P1/byteconverter.htm. For example, if the df -B1 used space output is 1929379840 bytes, that is 1840 MB. Now add the SystemPartitionPadding size to that value in MB. If, for example, 1840 MB is the output on a 16GB device, the real system partition size is 2000 MB. Next type: hfs_resize /mnt1 <size-in-bytes>
Next run gptfdisk again: gptfdisk /dev/rdisk0s1
Now request info of partitions. (important!):
i
1
i
2
Delete and make new partitions:
d
1
d
2
n
1
Leave the first sector default. Now to calculate the last sector, divide the size in bytes by 4096 if you have an iPhone 4S or later, or by 8192 if you have an iPad 2. Leave the hex code default. Now type:
c
1
System
n
2
Leave first and last sectors default. Now rename data partition and toggle attributes:
c
2
Data
x
a
2
48
49
Now hit enter. If your attributes were 0001000000000000, only type 48; if your attributes were already 0000000000000000, skip this step. Now you must set the unique GUID back to the one you copied. If you get this step wrong, you'll corrupt the partitions and have to start over.
c
1
<guid-here>
c
2
<guid-here>
Now write changes. Check everything before proceeding.
w
Y
Hit enter. Then type: sync; sync; sync. Now run fsck to be safe.
fsck_hfs -f /dev/disk0s1s1
fsck_hfs -f /dev/disk0s1s2
If fsck says that the volume appears to be OK, congratulations, you successfully resized the system partition. If fsck says 'The volume could not be verified completely', that means you did it incorrectly and you need to start over.
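Both size calculations in this guide (the initial System partition size from options.plist, and the hfs_resize size from the df -B1 used-space figure after restoring) use the same arithmetic. The script below is an added example, not part of the original post; the options.plist content it embeds is a constructed sample in which only the 16GB padding value (160 MB) comes from the guide's own example, and rounding the df figure up to whole MB is an assumption.

```python
# Added example (not from the original post): the guide's partition arithmetic
# as functions. SAMPLE_OPTIONS_PLIST is CONSTRUCTED sample data; only the
# 16 GB padding (160 MB) and SystemPartitionSize 1500 follow the guide's example.
import plistlib

MIB = 1024 * 1024  # the guide's "MB" is 1048576 bytes (1660 MB -> 1740636160)

SAMPLE_OPTIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SystemPartitionSize</key><integer>1500</integer>
  <key>SystemPartitionPadding</key>
  <dict><key>16</key><integer>160</integer></dict>
</dict>
</plist>
"""


def padding_mb(options_plist, capacity_gb):
    """SystemPartitionPadding entry for this device capacity (keys are '8', '16', ...)."""
    opts = plistlib.loads(options_plist)
    return opts["SystemPartitionPadding"][str(capacity_gb)]


def system_partition_bytes(options_plist, capacity_gb):
    """Initial System partition: SystemPartitionSize plus padding, converted to bytes."""
    size_mb = plistlib.loads(options_plist)["SystemPartitionSize"]
    return (size_mb + padding_mb(options_plist, capacity_gb)) * MIB


def last_sector(first_usable, size_bytes, sector_size):
    """gptfdisk 'last sector' as the guide computes it: bytes / sector size, added
    to the first usable sector. sector_size is 8192 on iPad 2, 4096 on newer devices."""
    if size_bytes % sector_size:
        raise ValueError("size must be a multiple of the logical sector size")
    return first_usable + size_bytes // sector_size


def resized_system_bytes(df_used_bytes, options_plist, capacity_gb):
    """hfs_resize target: df -B1 used space (rounded up to whole MB, an assumption
    for non-exact figures) plus the padding for this capacity, back in bytes."""
    used_mb = -(-df_used_bytes // MIB)  # ceiling division
    return (used_mb + padding_mb(options_plist, capacity_gb)) * MIB


if __name__ == "__main__":
    size = system_partition_bytes(SAMPLE_OPTIONS_PLIST, 16)
    print("initial System partition:", size, "bytes")
    print("last sector (first usable 34, 4096-byte sectors):", last_sector(34, size, 4096))
    print("hfs_resize size after restore:", resized_system_bytes(1929379840, SAMPLE_OPTIONS_PLIST, 16))
```

Feed it the real options.plist from your restore ramdisk and your own df -B1 figure; the first usable sector comes from gptfdisk's i output.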
  13. The most difficult part of the entire tutorial: delete the CoolBooter partitions and quickly run kloader to boot iBEC or iBSS. Skip this step if you are downgrading to iOS 8.4.1 on the 5C or to iOS 9.1 or newer, or if you are able to extract Cydia.tar from an untethered jailbreak.
First set Auto-lock to Never and close all apps from the app switcher for best chance of success.
Now copy hfs_resize, kloader, and iBSS/iBEC to /mnt1:
cp -a /usr/bin/hfs_resize /mnt1; cp -a /usr/bin/kloader /mnt1
Copy iBEC/iBSS from the computer to /mnt1. Now run /mnt1/hfs_resize and /mnt1/kloader without any args to be safe. Now run gptfdisk again.
gptfdisk /dev/rdisk0s1
Request info of first data partition, (very important!):
i
2
Now delete the second, third, and fourth partitions and make a new second partition. THIS WILL DELETE THE COOLBOOTER PARTITIONS. Don't worry yet, the changes are not saved yet:
d
2
d
3
d
4
n
2
Leave the first and last sectors default. Now rename data partition:
c
2
Data
Now toggle attributes like before:
x
a
2
48
49
Hit enter. Now copy the unique GUID. It must be the one you copied! Very important!
c
2
<guid-here>
Now get info of partition 2:
i
2
Note the Partition size. Get the partition size and multiply the size by 4096 on iPhone 4S/iPad 3 or newer or 8192 on iPad 2 and you'll have your size in bytes.
Double check everything! If you are sure, write changes:
w
y
Now immediately run hfs_resize and kloader to boot iBSS/iBEC. DON'T DO ANYTHING ON THE DEVICE, OR ELSE IT WILL FREEZE AND REBOOT.
/mnt1/hfs_resize /mnt2 <size-in-bytes>
/mnt1/kloader /mnt1/iBSS
Note: If you are downgrading to iOS 8.4.1 on iPhone 5C, or any device to iOS 9.1 or newer, skip the partition removing step: just type kloader /iBSS or use kDFUApp, boot with iRecovery, jailbreak, and use CoolBooter to delete the dual boot partitions.
You can just boot iBEC if you have an iPad; however you must use iBSS if you have an iPhone/iPod, because otherwise you may get the dreaded Dead LCD bug. Now wait for iBSS/iBEC to boot. Once iTunes detects an iPhone in recovery mode, back on the computer, type:
irecovery -f iBEC.*
Now unplug and replug device, wait for backlight to turn on, then type:
irecovery -s
Send applelogo:
/send applelogo*
setpicture
bgcolor 0 0 0
Send DeviceTree:
/send DeviceTree.*
Execute the device tree:
devicetree
Send the kernel and start the boot process:
/send kernelcache.*
Boot the kernel:
bootx
Important: If you have downgraded a Lightning device to iOS 6, quickly unplug it, or else the AppleTristar kernel extension will panic the device.
Now the device should successfully boot the downgraded iOS, simply set it up, and you will have a downgraded device!

Now for some FAQs:


Q: Does this work on 64-bit devices?
A: Yes, but we need an updated kloader64 that supports iOS 10/11
Q: Can I jailbreak the device post downgrade?
A: You can for semi-untethered jailbreaks, but beware that if there is even ONE kernel panic, the device will be forced into a recovery loop that can only be fixed by a restore, because there is no iBoot/bootrom exploit. For untethered jailbreaks, you need to extract Cydia.tar using jtool, because untethered jailbreaks will reboot the device.
Q: Does this work on A5 Rev A devices (iPad mini, iPad2,4)?
A: Yes.
Q: How do I reboot or shut down device?
A: You need to be jailbroken to do this. First ssh into device and copy iBEC/iBSS to the root directory. Type kloader /iBSS if you want to shut down device or you are rebooting an iPhone/iPod. If you are rebooting an iPad, type kloader /iBEC. Then use iRecovery to boot the device.
Q: Do you need any SHSH blobs?
A: No.
Q: Can this be patched by Apple?
A: No, since 32 bit devices are now unsupported anyway. The only way Apple can patch this is to patch the jailbreak.
