iOS passcode hack / passcode cracker

Lost/forgotten your iOS7/8/9/10 iDevice Restrictions Code? Yeah, so had I, on my 32GB iPod Touch A1421. What a PIA, there’s no remote recovery option for that one. Stink. What I needed was an iOS Restrictions Passcode Cracker.

Without an iOS Restrictions Passcode Cracker, I was looking at a full iOS update/restore to rid the pesky forgotten code. The official word from the manufacturer was not good –

If you forget your Restrictions passcode, you need to erase your device, then set it up as a new device to remove the Restrictions passcode. Restoring your device using a backup won’t remove the Restrictions passcode. (source: Apple.com)

I’d lose my jailbreak & be forever pissed that a simple 4-digit code beat me. *shakes fist at sky* You could train a monkey to find the passcode – eventually. Probably end up with monkey spit all over your iDevice too, but that’s another story.

Look, recently Apple has shown that they can apply excellent security to protect their products (iCloud from iOS 7.1.2 on for example). Often though, they leave a hole so wide you can drive a truck through it. (rm /var/db/.applesetupdone anyone?)  One of their repeated shortcomings is to limit passcodes to a maximum of 4 digits – thereby reducing the possible target range to a maximum of 10,000 (0000 – 9999, your answer is somewhere in here.) By itself, this is not secure protection.

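Apple obfuscate the Restrictions Passcode with PBKDF2-HMAC-SHA1. Strictly speaking that’s a salted one-way key-derivation function rather than encryption, so the string of garbled text it leaves behind can’t be decrypted; it has to be cracked by running every candidate passcode through the same function with the same salt until the output matches. So, the process is – find the string, copy it, crack it, pr0fit!!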

Let’s Get Cracking!

If you have a jailbroken device, and therefore root-level access to the file system, search for com.apple.restrictionspassword.plist, using either iFile from the device or a PC tool like iTools or iFunbox. Open the .plist, copy the RestrictionsPasswordKey data and RestrictionsPasswordSalt data then paste it into the relevant form boxes below.

If your iDevice is not JB’d, then you need to extract the string from an unencrypted iTunes backup. Windows users can find your backup folders here: – %SYSTEMDRIVE%\Users\*Your Username*\Appdata\Roaming\Apple Computer\MobileSync\Backup\Long Random Number\ and on Mac – ~/Library/Application Support/MobileSync/Backup/

Inside the folders there’s a file named 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b – this contains the Key and Salt strings that we need. Open the file with a simple text editor like Notepad to expose data that reads like this:

RestrictionsPasswordKey M/p4734c8/SOXZnGgZot+BciAW0=
RestrictionsPasswordSalt aSbUXg==

So the required data is:

Key: M/p4734c8/SOXZnGgZot+BciAW0=
Salt: aSbUXg==

The Magic:

Simply copy/paste the two strings into the relevant form boxes below. (Really, copy/paste – it’s too easy to make a mistake transcribing manually) Next, hit the blue Crack It button & wait til it iterates through the possibilities. You can select your preferred range – if you know for sure that your lost passcode didn’t start with 00, for example, then enter 1000 in the Starting box.

Pro Tip:

Use a very analog version of distributed computing to decimate the time required to crack your iOS Restrictions Passcode. Open a bunch of browser tabs with this page loaded in each. Divide 10,000 (total passcode range) by the number of tabs you have open – say 5 tabs – that’s 2000 attempts/window. (I know, math was obviously my strong subject at school)
Set the Starting Passcodes at 0000, 2000, 4000, 6000, 8000, then hit the blue button in each tab. Your time saved is dependent on which tab finds the answer. If it’s the first tab, no time saved, sorry ’bout it. But if it’s the last tab – say 9000, then you’ve only calculated 1000 passcodes to get to an answer that’s revealed after 8999 guesses in a single-iteration system. Quantified, at 4 attempts/sec, your answer is revealed in just over 4 minutes, whereas the single tab approach won’t reveal the solution for over half an hour yet.

Either way, soon enough, your Restrictions Passcode will be revealed.  This is not a maybe solution, if you’ve entered the Key & Salt data correctly then this app will find the answer. \0/

NB: This is a private transaction. No data is transmitted from this page. All the work is done in your browser by Crypto.js
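What the Crack It button and the tab-splitting tip boil down to, as an added example in Node.js (this is not the code behind this page’s form). The 1000-iteration count, the passcode being fed in as four ASCII digits, and the names deriveKey and searchRange are assumptions; the key and salt are constructed here, not taken from a device.

```javascript
const nodeCrypto = require("crypto");

// Assumptions (not stated on the page): 1000 PBKDF2 iterations and the
// passcode fed in as four ASCII digits. The 20-byte output length matches
// the page's sample RestrictionsPasswordKey once base64-decoded.
const ITERATIONS = 1000;
const KEY_LEN = 20;

// Derive the stored value for one candidate passcode.
function deriveKey(pin, salt) {
  return nodeCrypto.pbkdf2Sync(pin, salt, ITERATIONS, KEY_LEN, "sha1");
}

// Hash every passcode in [start, end] with the stored salt and compare with
// the stored key (both base64, as in the plist). Returns the passcode and the
// number of guesses it took, or null if it is not in the range.
function searchRange(keyB64, saltB64, start = 0, end = 9999) {
  const target = Buffer.from(keyB64, "base64");
  const salt = Buffer.from(saltB64, "base64");
  if (target.length !== KEY_LEN) {
    throw new Error("key must decode to 20 bytes; check the copy/paste");
  }
  for (let n = start; n <= end; n++) {
    const pin = String(n).padStart(4, "0");
    if (deriveKey(pin, salt).equals(target)) {
      return { pin, guesses: n - start + 1 };
    }
  }
  return null;
}

// Constructed sample (not from a real device): key and salt for passcode 8421.
const sampleSalt = Buffer.from([0x01, 0x02, 0x03, 0x04]);
const sampleSaltB64 = sampleSalt.toString("base64");
const sampleKey = deriveKey("8421", sampleSalt).toString("base64");

// The "tab" that starts at 8000 finds it in 422 guesses; the one starting at
// 0000 exhausts its 2000 candidates and reports nothing.
console.log(searchRange(sampleKey, sampleSaltB64, 8000, 9999));
console.log(searchRange(sampleKey, sampleSaltB64, 0, 1999));
```

Native PBKDF2 gets through all 10,000 candidates in seconds, so the salt and key stretching add nothing when the secret is only 4 digits.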

iOS Passcode Cracker


This page would not exist without the work of Hashcat and John The Ripper.  You want cracking skills? Go visit them.

Do you like that? Did it work for you? Please leave a comment, tell me about it.

197 thoughts on “iOS passcode hack / passcode cracker”

  1. Probably the simplest way Bill is to do a full wipe/restore process. You could try it first by just doing a standard wipe – Preferences / General / Reset / Erase All Content & Settings then restoring from your local backup. If it chokes on that, put your iPhone into DFU mode first then connect to iTunes which will install a fresh OS & then do your restore from backup.

    PS: What is it with you & iPhone passwords?

  2. How can it be possible that I have a password protected backup to which I remember the password. But when I connect my 5 and try to turn off the password protection it says wrong password, BUT when I backup from this copy using another phone – it takes the password no problem and starts the process! How do I turn off the password protection for my connected 5?

  3. Yeah Bill, because you’ve got your original computer that the iPhone synced with, it should do a local backup without needing the screen to be unlocked.

    Because it’s not an encrypted backup you’ll be taking, it won’t bring your security options with the backup – no passwords, no keychain etc.

    Then, after it’s backed up to your computer (check the backup folder for size to be sure), you can go through the process of saving your shsh blobs & re-installing your existing iOS (I think that’s available to you) – if you want to be bothered with such an effort to get a well-outdated OS back on board.

    Look at ih8sn0w’s excellent tools iReb, iFaith & Sn0wbreeze to achieve that work, on ih8sn0w.com. You can trust his products too, the man is an iOS guru.

  4. So you don’t know your Restrictions passcode or your Encrypted Backup passcode? You need to use a computer that has already had iTunes contact with your iPhone, a computer that “knows” your iDevice. I’m pretty sure you’ll be able to switch the Encryption option off without passcode then. If you haven’t got that, then I’d say you’re staring down the barrel of a full wipe & reset. If you’ve been using iCloud to backup, most of your data will return.

  5. Excuse me. I find encrypt iphone backup and it’s selected so I try to unselect and it asks me passcode of backup. Which passcode I’ve to write, iCloud, iPhone unlocking passcode? Idk, I try both of them but passcode is wrong. Can you help me?

  6. If your file is written in plain English, it’s not encrypted. If, however, it’s garbled – full of odd characters & utterly unreadable then it’s encrypted. The easy way to tell is the window pane in iTunes where you define Local or iCloud backup. There’s an Encrypt Backup option there. If it’s selected, then you need to unselect it and re-run your backup.

  7. Hello, I want to hack restriction passcode and followed your instructions and I’m opening the file with notepad and I can’t understand what is written in there. I can’t find any word smth like RestrictionsPasswordKey M/p4734c8/SOXZnGgZot+BciAW0=
    RestrictionsPasswordSalt aSbUXg== Please help me asap. Btw I don’t understand what is encrypted and unencrypted, explain me that also please.

  8. It worked!
    I’m pretty excited. My dad forgot the restrictions passcode, and now that I’m 17 I convinced him to take it off my iPod. He had forgotten it, and I thought I would be stuck with a restricted device, or have to completely reset it. The passcode ended up being something so random that I’m not surprised he couldn’t remember it.

  9. Try connecting your iDevice to your computer, fire up iTunes & back your device up locally, not to iCloud. (Make sure the Encrypt Backup option is NOT checked.)

    That’ll create the MobileSync folder & all its contents.

  10. There’s a way through this, somehow. I haven’t had an iDevice for over a year now so I need to find some time to think it through. I’ll get back to you. The old iOS helps though.

  11. Restrictions lockout Dave? Or screen lock? If it’s anything other than a forgotten restrictions passcode, I can’t help you.

  12. Yes, read this page & follow the instructions. That’ll have you sorted in no time. (It doesn’t matter who set the password, the iDevice has no knowledge of that. The important thing is that the password is lost & needs to be recovered.)

  13. Wow, 5.0.1, really? from back in the golden days of jailbreaking. Ok, what’s your iDevice again Bill? iPhone 4?

  14. Uuuh, unfortunately it did not work for me (iPhone 6, iOS 10.3.1)…it ran through from 0 to 9999 without matching the key. Any suggestions?

  15. no, not that time. But I have the computer that was synced with the phone. So I need the way to get my screen passcode using my restrictions code which I remember.

  16. Well Bill, you can just put your iPhone into Recovery or DFU mode & reinstall iOS through iTunes. Choose a new screen security code & try your hardest not to forget it.

  17. Sorry Bill, that’s a whole other implementation. The screen code isn’t, as far as I’m aware, available in such a manner.

    You’ve got me thinking though…

  18. I remember my restrictions code but I can’t remember my screen lock passcode. Can I use it somehow to remind me a screen lock one?

  19. Hello again, I originally typed it in but made a mistake. After I copied and pasted the info, it worked perfectly. THANK YOU very much for your help!

  20. Did you copy/paste the Key & Salt? Or type it in? Because there’s not room for failed results, input correct Key & Salt, iterate through the possibilities, ka-ching.

    Anyway, see my reply to msoulz above for the alternative solution.

  21. Hi, great tool but it didn’t work for me. My key is ruIBezCrx1PA11Su0rtccFPX2RU= and the salt is 1yFP/w==

  22. I emailed msoulz with the alternative workaround for this issue – replacing his Key & Salt data in his backup with the demo data in this post, saving the file then restoring the iPhone from backup & using 0001 as the passcode. It works.

  23. Sorry, I forgot to say thanks!! Didn’t work for me but I appreciate that you put this out there.

  24. Interesting – it gave me the passcode that I thought it was, and have been entering all along, and it still didn’t work. Must be a phone issue.

  25. I look after a bunch of iPads and the restrictions code on a number was unknown (lost in history and staff change). Took a while to locate the right file but when I did the cracker sorted the problem. Saved me a heap of rebuilds…. big thanks!
