iOS Restrictions Passcode Cracker

iOS Restrictions Passcode Cracker works on all iDevices running iOS 7 – 11.

NB: With iOS 12, Apple moved the Restrictions Passcode into the Keychain, meaning this service is no longer effective against iDevices on iOS 12 and higher. I know, sad isn’t it?
 
Nothing for you to worry about, your new solution is Pinfinder, a small, downloadable freeware cross-platform utility that will recover your Restrictions Passcode from an iOS 12+ backup. Easy & effective.
 
Forgotten your iOS Restrictions Passcode? Yeah, so had I, on my 32GB iPod Touch A1421. What a PIA, there’s no remote recovery option for that one. Stink. What I needed was an iOS Restrictions Passcode Cracker to remove the Restrictions Passcode.
 
Without an iOS Restrictions Passcode Cracker, I was looking at a full iOS update/restore to rid the pesky forgotten code. The official word from Apple was not good –
 
If you forget your Restrictions passcode, you need to erase your device, then set it up as a new device to remove the Restrictions passcode. Restoring your device using a backup won’t remove the Restrictions passcode. (source: Apple.com)
 
I’d lose my jailbreak & be forever pissed that a simple 4-digit code beat me. shakes fist at sky You could train a monkey to find the passcode – eventually. End up with monkey spit all over your iDevice too, but that’s another story.
 
Look, recently Apple has shown that they can apply excellent security to protect their products (iCloud from iOS 7.1.2 on for example). Often though, they leave a hole so wide you can drive a truck through it. (rm /var/db/.applesetupdone anyone? Or resetpassword even?)
 
One of the repeated shortcomings of technology in general is to limit PIN passcodes to 4 digits – thereby reducing the possible target range to a maximum of 10,000 (0000 – 9999, your answer is somewhere in here.) This shortcoming affects your bank PIN, Android device, TV lock code, and Apple too. By itself, this is not secure protection.
 
Apple have no record of Restrictions Passcodes via the Apple ID mechanism, therefore the passcode data is on your device, right? Well obviously it is. Let’s find it. Where should you look? In an unencrypted iTunes backup, that’s what backups are for – storing data from a device.
 
It’s public knowledge that Apple obfuscate data with PBKDF2-HMAC-SHA1 (strictly a salted key-derivation hash, not encryption), leaving a string of garbled text that has to be cracked to be of any use. So, the process is – find the string, copy it, crack it, pr0fit!!
 
Let’s Get Cracking!
 
If you have a jailbroken device, and thus root-level access to the file system, search for com.apple.restrictionspassword.plist, using either iFile from the device or a PC tool like iTools or iFunbox. Open the .plist, copy the RestrictionsPasswordKey data and RestrictionsPasswordSalt data, then paste them into the relevant form boxes of the iOS Restrictions Passcode Cracker below.
 
If your iDevice is not JB’d, then you need to extract the string from an unencrypted iTunes backup. Windows users can find their backup folders at %SYSTEMDRIVE%/Users/*Your Username*/Appdata/Roaming/Apple Computer/MobileSync/Backup/Long Random Number/ and Mac users at ~/Library/Application Support/MobileSync/Backup/
 
Inside the folders there’s a file named 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b – this contains the encrypted data string that we need. Copy that file name & use your OS Search function.
 
Found it? Good. Now open the file with a simple text editor (e.g. Notepad) to expose data that reads like this:

RestrictionsPasswordKey      M/p4734c8/SOXZnGgZot+BciAW0=
RestrictionsPasswordSalt     aSbUXg==

So the required data is:

Key: M/p4734c8/SOXZnGgZot+BciAW0=
Salt: aSbUXg==

The Magic:

Simply copy/paste the two strings into the relevant iOS Restrictions Passcode Cracker form boxes below. (Really, copy/paste – it’s too easy to make a mistake transcribing manually.) Next, hit the blue Crack It button & wait till it iterates through the possibilities.

You can select your preferred range – if you know for sure that your lost passcode didn’t start with 00, for example, then enter 1000 in the Starting box.

NB: This is a private transaction. No data is transmitted from this page. All the work is done in your browser by Crypto.js
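Why the search always finishes: once the key and salt can be read from the backup, only 10,000 PBKDF2-HMAC-SHA1 derivations stand between the file and the PIN. The Python below is an added example, not this page's Crypto.js code; the 1000-round count and 20-byte output are assumptions based on how public tools handle this plist, and the sample plist is constructed.

```python
import base64
import hashlib
import hmac
import plistlib

# Assumption (not stated on the page): 1000 PBKDF2 rounds, the figure
# public recovery tools use for this plist format.
ROUNDS = 1000

def derive(pin, salt, length=20):
    """PBKDF2-HMAC-SHA1 of the PIN's ASCII digits."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode("ascii"), salt, ROUNDS, length)

def load_key_salt(plist_bytes):
    """Read both <data> fields from a restrictionspassword plist."""
    doc = plistlib.loads(plist_bytes)
    return doc["RestrictionsPasswordKey"], doc["RestrictionsPasswordSalt"]

def recover_pin(key, salt, start=0, stop=10000):
    """Try each PIN in [start, stop); return (pin or None, attempts made)."""
    attempts = 0
    for n in range(start, stop):
        attempts += 1
        pin = f"{n:04d}"
        if hmac.compare_digest(derive(pin, salt, len(key)), key):
            return pin, attempts
    return None, attempts

def make_sample_plist(pin, salt):
    """Constructed test input: a plist holding the key for a known PIN."""
    return plistlib.dumps({
        "RestrictionsPasswordKey": derive(pin, salt),
        "RestrictionsPasswordSalt": salt,
    })

if __name__ == "__main__":
    # Constructed sample, not data from a real device.
    key, salt = load_key_salt(make_sample_plist("7302", bytes.fromhex("0badc0de")))
    print(recover_pin(key, salt))               # whole range
    print(recover_pin(key, salt, start=6000))   # the page's Starting box
    # Demo pair quoted on the page, as pasted base64 text.
    k = base64.b64decode("M/p4734c8/SOXZnGgZot+BciAW0=")
    s = base64.b64decode("aSbUXg==")
    print(recover_pin(k, s))
```

The salt and the round count add nothing when the input space is this small, which is why moving the value into the Keychain on iOS 12 was the effective fix.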

iOS Passcode Cracker

Pro Tip:

Use a very analog version of distributed computing to decimate the time required to crack your iOS Restrictions Passcode. Open 5 browser tabs with the iOS Restrictions Passcode Cracker loaded in each.  Set the Starting Passcodes at 0000 (default), 2000, 4000, 6000, 8000, then hit the blue button in each tab.

Your time saved is dependent on which tab finds the answer. If it’s the first tab, no time saved, sorry ’bout it. But if it’s the last tab & the answer is 9000, then you’ve only calculated 1000 passcodes to get to an answer that’s revealed after 9000 guesses in a single-iteration system. Quantified, at 4 attempts/sec, your answer is revealed in just over 4 minutes, whereas the single tab approach won’t reveal the solution for well over half an hour yet.

Either way, soon enough, your iOS Restrictions Passcode will be revealed. This is not a maybe solution: if you’ve entered the Key & Salt data correctly then this app will find the answer.

This page would not exist without the work of Hashcat and John The Ripper.  You want cracking skills? Go visit them.

Did you like that? It worked for you? Please leave a comment, tell me about it.

249 thoughts on “iOS Restrictions Passcode Cracker”

  1. Hi,
    I have the same issue, there is not a file named 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b.
    The iOS version of my iPhone6 is 10.3.3. iTunes version is 12.9.1.4.

  2. FYI this technique will no longer work for iOS 12 – Apple migrated the passcode (now called a “screen time” code) into the keychain – This is only stored in an encrypted backup, and needs a bit more effort to decrypt that keychain and then extract.

    I’ve updated my free (and open source) program pinfinder to extract it for iOS 12; hopefully it helps some people: https://pinfinder.net/

    1. I suggest you try copy & paste the required data, the algorithm is correct, it does work. The only error possible is incorrect input.

      Failing that, you can copy paste the demo key & salt on this page to your iTunes backup then restore. Now your passcode is 0001

  3. hey! just wanted to thank you! worked on my old iPhone 5s! you my friend are a genius! much appreciated!

    Now … please tell me you have something like this for the lock screen passcode?
    I forgot my unlock code on my iPhone 6splus!

    I’ve held onto my old phones all these years just so I can get all the photos off the devices but have only just seen this and got into my 5s now I need to get into my 6splus

    it has a whole year of photos of my son when he was born up until he turned 1 and I don’t want to lose all those gorgeous photos and I have been looking for a year now on how to crack the passcode but have been unsuccessful with my hunt

    thank you again

    1. Were you using iCloud to backup Sarah? If so, your pix are available @ iCloud.com.

      If you weren’t using iCloud then I hope you backed up locally through iTunes on your computer, because there is no publicly-accessible way through an iDevice screen lock code.

      You’re not going to save the actual photos on the phone. If you’ve backed up through either iCloud or iTunes, you can DFU wipe the phone then restore it from backup – which will return copies of all your baby snaps & everything else.

      If you didn’t backup your data at all, then this is your expensive lesson that many of us learn, hopefully just once.

      Backup all your data all the time. Storage is cheap, data loss is expensive. Backup, backup, backup.

  4. legend! it worked on my old 5s! you are a genius!
    now … got something like this that will work to crack my unlock passcode on my 6sPlus? I forgot my passcode to get into the phone 🙁 not happy jan! please help meeeee

    1. You’ve forgotten the screen lock code on your 6S Plus? There’s no published method for cracking that, & the existing commercial applications (GrayKey) are expensive ($US15k) & limited to law enforcement purchasers. All of which is no help to you.

      Do you have an existing back up for that phone? Like, did you connect it to iTunes & tell it to backup locally?

    1. That’s because you’ve already created an encrypted backup on that computer. Apple assume that you’re only going to want to continue with encrypted backups so they lock the option.

      I’m not certain of the way to change this in iTunes. It could be as simple as moving your encrypted backup folder out of the iTunes storage folder. Another workaround is to download my favourite iTunes substitute, iTools, & backup with that. 3uTools or iMazing are two other apparently capable iTunes replacements although I haven’t tried them personally.

      Let me know how you get on!

  5. Amazing, works well, thanks go out to you and the people who helped you, you really saved me from formatting and manually putting 120gig worth of data back manually, pheeeewwww.

  6. Hey, will it still work with other devices such as iPads or iPods? My brother somehow locked himself out of many things with restrictions so I wasn’t hoping to see if it could crack the code for his iPod.

    1. I miss just wondering because I felt bad when he told me and I feel bad now for searching online and getting nothing 😓

  7. I have Iphone 6 plus with iOS 11.4, not JB’d. In the folder you mentioned above I can not find the file named “398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b”
    Any help please?
    Thank you in advance!

    1. Have you actually backed the iPhone up locally? Is there a MobileSync\Backup folder full of other stuff? I suspect that’s the reason for no 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40 file.

      1. Of course i backed up the iPhone using iTunes and i have locally MobileSync\Backup folder full of other stuff, but I do not have file 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40 ?

        1. Hmm, ok, I’d like to have a look at this. A basic way would be for you to screenshot that folder & email me the image.

          The more effective way would be through an AnyDesk remote desktop connection – AnyDesk is free, secure & real easy to use.

          You’re about 10 hours behind my clock here, so your 8pm is 10am for me. I’m good for connecting around then.

  8. Hi,
    I lost my access people of my spare 4S (iOS9.3.5) for two years already, reached to your page is such a encouragement and hope to me,

    However, when I finally put in the correct commands,
    It showed as 0001 was my access pw n which is not…another 5mins lock…

    I tested with my 5S (11.4), the password cracker just skipped my correct access pw…

    Is there anyway to solve this out?

    1. If you copy/paste the Key & Salt data correctly, then this utility will give you the correct answer. Apple use 1 algorithm to encrypt the Restrictions Passcode on all iDevices, every single one. Yours is no different.

      If this cracker works on one iDevice (it obviously does) then it works on all of them.

  9. It got the wrong passcode for me. However it seems reliable. It said my restrictions passcode was 4921, but when I put it in it doesn’t work 🙁

    1. There’s an error in your input then Adam, check your data & try again. You see, the thing is that it can’t work for some & not for others. It’ll work.

  10. Awesome! Worked great for my wife’s iPhone running 10.3.3 when she somehow enabled restrictions but didn’t remember the restrictions pin. Thanks a ton!!!

    1. I’ve got an iPhone SE here, I’ll update the iOS & check the passcode recovery today.
      (edit)
      OK Don, I’ve just run a Restrictions Passcode recovery on 10.3.2 – data recovered from backup was:
      Key – lyRr+z1GX1SlnLFrkSQHwHBL2HU=
      Salt – x2TdPg==
      For which the Passcode Cracker returned the correct response – 1024

      I suggest that you might want to read the instructions again, or try copy/paste the Key/Salt data instead of typing it in.

      1. it’s not working, my iPhone is iOS 10.3.2
        key:fFbM5Es6tdxoploS4hnjdPZErAs=
        salt:HQhVKg==
        can you check for me please?

        1. Is the data you’ve entered copy/paste Joni? I’m running a check myself now, but by far the most recurrent cause of failure is that the Key or Salt has been transcribed incorrectly. Lower L for upper i, zero for upper o, that type of thing. If the input isn’t true, no calculation will reveal the correct answer.

          You can however cheat. Take the example Key / Salt data I provide in the instructions, paste that over your existing Key / Salt pair in your backup, then save that file. Now wipe & restore your I device. Unlock your Restrictions Passcode with 0001.

  11. Hi, I’m having trouble cracking the password of my Ipod Touch A1367 with iOS 6.1.6. I can’t find any file named 398bc9c… I placed the restriction on my iPhone 6 and made the back up, then tried again and I did find the file, so I guess the obstacle is iOS 6.1.6. Can you help me retrieve my restriction password or do you know of anyone who can?

  12. It worked for me! Iphone 4 ios 7–I had 10 failed attempts, one more and the phone would have been wiped clean! Thank you!!!

    1. Hi James – I’ve just successfully completed a passcode recovery on an iPhone 6S running 10.2.1. Maybe try it again & if you still can’t make it work then post another comment detailing the steps & we’ll see what can be done to help.
      (PS: You can always replace your existing key with M/p4734c8/SOXZnGgZot+BciAW0= & salt with aSbUXg== and then restore to your iDevice. Use 0001 to unlock)

  13. How can it be possible that I have a password protected backup to which I remember the password. But when I connect my 5 and try to turn off the password protection it says wrong password, BUT when I backup from this copy using another phone – it takes the password no problem and starts the process! How do I turn off the password protection for my connected 5?

    1. Probably the simplest way Bill is to do a full wipe/restore process. You could try it first by just doing a standard wipe – Preferences / General / Reset / Erase All Content & Settings then restoring from your local backup. If it chokes on that, put your iPhone into DFU mode first then connect to iTunes which will install a fresh OS & then do your restore from backup.

      PS: What is it with you & iPhone passwords?

  14. Excuse me . I find encrypt iphone backup and its selected so i try to unselect and it ask me passcode of backup which passcode I’ve to write iCloud, iPhone unlocking passcode. Idk I try both of them but passcode is wrong can you help me

    1. So you don’t know your Restrictions passcode or your Encrypted Backup passcode? You need to use a computer that has already had iTunes contact with your iPhone, a computer that “knows” your iDevice. I’m pretty sure you’ll be able to switch the Encryption option off without passcode then. If you haven’t got that, then I’d say you’re staring down the barrel of a full wipe & reset. If you’ve been using iCloud to backup, most of your data will return.

  15. Hello i want to hack restriction passcode and followed your instructions and I’m opening the file with notepad and I can’t understand what is written in there I can’t find any word smth like RestrictionsPasswordKey M/p4734c8/SOXZnGgZot+BciAW0=
    RestrictionsPasswordSalt aSbUXg== please help me asap. Btw I don’t understand what is encrypted and unencrypted explain me that also please

    1. If your file is written in plain English, it’s not encrypted. If, however, it’s garbled – full of odd characters & utterly unreadable then it’s encrypted. The easy way to tell is the window pane in iTunes where you define Local or iCloud backup. There’s an Encrypt Backup option there. If it’s selected, then you need to unselect it and re-run your backup.
