iOS passcode hack / passcode cracker

Lost/forgotten your iOS7/8/9/10 iDevice Restrictions Code? Yeah, so had I, on my 32GB iPod Touch A1421. What a PIA, there’s no remote recovery option for that one. Stink. What I needed was an iOS Restrictions Passcode Cracker.

Without an iOS Restrictions Passcode Cracker, I was looking at a full iOS update/restore to rid the pesky forgotten code. The official word from the manufacturer was not good –

If you forget your Restrictions passcode, you need to erase your device, then set it up as a new device to remove the Restrictions passcode. Restoring your device using a backup won’t remove the Restrictions passcode.( source:

I’d lose my jailbreak & be forever pissed that a simple 4-digit code beat me. *shakes fist at sky* You could train a monkey to find the passcode – eventually. Probably end up with monkey spit all over your iDevice too, but that’s another story.

Look, recently Apple has shown that they can apply excellent security to protect their products (iCloud from iOS 7.1.2 on for example). Often though, they leave a hole so wide you can drive a truck through it. (rm /var/db/.applesetupdone anyone?)  One of their repeated shortcomings is to limit passcodes to a maximum of 4 digits – thereby reducing the possible target range to a maximum of 10,000 (0000 – 9999, your answer is somewhere in here.) By itself, this is not secure protection.

Apple obfuscate the Restrictions Passcode with pbkdf2-hmac-sha1 encryption, leaving a string of garbled text that requires decryption to be of any use. So, the process is – find the string, copy it, crack the encryption, pr0fit!!

Let’s Get Cracking!

If you have a Jailbreaked device, and therefore root-level access to the file system, search for, using either iFile from the device or a PC tool like iTools or iFunbox. Open the .plist, copy the RestrictionsPasswordKey data and RestrictionsPasswordSalt data then paste it into the relevant form boxes below.

If your iDevice is not JB’d, then you need to extract the string from an unencrypted iTunes backup. Windows users can find your backup folders here: – %SYSTEMDRIVE%\Users\*Your Username*\Appdata\Roaming\Apple Computer\MobileSync\Backup\Long Random Number\ and on Mac – ~/Library/Application Support/MobileSync/Backup/

Inside the folders there’s a file named 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b – this contains the encrypted data string that we need. Open the file with a simple text editor like Notepad to expose data that reads like this:

RestrictionsPasswordKey M/p4734c8/SOXZnGgZot+BciAW0=
RestrictionsPasswordSalt aSbUXg==

So the required data is:

Key: M/p4734c8/SOXZnGgZot+BciAW0=
Salt: aSbUXg==

The Magic:

Simply copy/paste the two strings into the relevant form boxes below. (Really, copy/paste – it’s too easy to make a mistake transcribing manually) Next, hit the blue Crack It button & wait til it iterates through the possibilities. You can select your preferred range – if you know for sure that your lost passcode didn’t start with 00, for example, then enter 1000 in the Starting box.

Pro Tip:

Use a very analog version of distributed computing to decimate the time required to crack your iOS Restrictions Passcode. Open a bunch of browser tabs with this page loaded in each. Divide 10,000 (total passcode range) by the number of tabs you have open – say 5 tabs – that’s 2000 attempts/window. (I know, math was obviously my strong subject at school)
Set the Starting Passcodes at 0000, 2000, 4000, 6000, 8000, then hit the blue button in each tab. Your time saved is dependent on which tab finds the answer. If it’s the first tab, no time saved, sorry ’bout it. But if it’s the last tab – say 9000, then you’ve only calculated 1000 passcodes to get to an answer that’s revealed after 8999 guesses in a single-iteration system. Quantified, at 4 attempts/sec, your answer is revealed in just over 4 minutes, whereas the single tab approach wont reveal the solution for over half an hour yet.

Either way, soon enough, your Restrictions Passcode will be revealed.  This is not a maybe solution, if you’ve entered the Key & Salt data correctly then this app will find the answer. \0/

NB: This is a private transaction. No data is transmitted from this page. All the work is done in your browser by Crypto.js

iOS Passcode Cracker

This page would not exist without the work of Hashcat and John The Ripper.  You want cracking skills? Go visit them.

Do you like that? Did it work for you? Please leave a comment, tell me about it.

205 thoughts on “iOS passcode hack / passcode cracker

  1. I’ve got an iPhone SE here, I’ll update the iOS & check the passcode recovery today.
    OK Don, I’ve just run a Restrictions Passcode recovery on 10.3.2 – data recovered from backup was:
    Key – lyRr+z1GX1SlnLFrkSQHwHBL2HU=
    Salt – x2TdPg==
    For which the Passcode Cracker returned the correct response – 1024

    I suggest that you might want to read the instructions again, or try copy/paste the Key/Salt data instead of typing it in.

    View Comment
  2. Hi, I’m having trouble cracking the password of my Ipod Touch A1367 with iOS 6.1.6. I can’t find any file named 398bc9c… I placed the restriction on my iPhone 6 and made the back up, then tried again and I did find the file, so I guess the obstacle is iOS 6.1.6. Can you help me retrieve my restriction password or do you know of anyone who can?

    View Comment

talk to us... tell it your way