
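Passcode-related

■ How to check the passcode from a device backup file

If a backup can be taken, a way to unlock already exists in the first place, so please treat the following purely as technical reference information. (In English)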

 

Recover your forgotten iOS 7 or iOS 8 restrictions PIN code

2014/04/05

 

nbalkota  Apple, Code, iOS, UNIX  39 Comments 

 

My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…

Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).

Some commercial software claims to help you recover the restrictions PIN code, but I would rather try to learn something new and share my findings, since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.

 

Sources of information:

Read the iTunes Backup wiki on the iPhone wiki.

Read the Wikipedia article on SHA-1.

Read the Wikipedia article on PBKDF2.

Read this good introduction to openssl by Steven Gordon.

Read the Wikipedia article on Base64.

Read this forum thread, in particular the posts from magnum and philsmd for his ios7.pl perl script (dependency on the Crypt::PBKDF2 perl library).

Read this commit to JohnTheRipper.

 

Steps to recover the iOS 7 restrictions PIN code:

 

1. Backup device

 

I used iTunes to back up her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer.

 

Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.

 

Use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.

 

2. Get the restrictions password property list file

 

2.1 Slow, but easy way

 

Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.

 

The file you need is at iOS Files/Library/Preferences/com.apple.restrictionspassword.plist

 

This method is slow because you need to extract many files, even though you actually need only one: the restrictions password plist file.

 

Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.

 

2.2 Fast, but less easy way

 

Instead of the slow but easy way, you could use the following command in the Terminal:

 

echo -n "HomeDomain-Library/Preferences/com.apple.restrictionspassword.plist" | openssl sha1

 

You could substitute openssl sha1 with shasum since both would return the hashed file name you need:

 

398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

 

The full path to the file in the iTunes backup is:

 

 ~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

 

This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.

 

3. Get restrictions hash and salt

 

The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:

1. RestrictionsPasswordKey (a.k.a. hash)

2. RestrictionsPasswordSalt

 

Sample contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>RestrictionsPasswordKey</key>
    <data>
    base64string_hash_value (28 characters long)
    </data>
    <key>RestrictionsPasswordSalt</key>
    <data>
    base64string_salt_value (8 characters long)
    </data>
</dict>
</plist>

 

The data values are Base64-encoded, and there are many ways to decode them:

If you have Xcode installed, you could use its plist editor to decode the values (hex dump)

Use command defaults read file.plist in the Terminal (hex dump)

Use command plutil -p file.plist in the Terminal (hex dump)

Use command /usr/libexec/PlistBuddy -c Print file.plist in the Terminal (text dump, pipe to command xxd to convert hex)

My favourite, use command echo -n base64string_from_plist | base64 -D | xxd -p in the Terminal (hex dump)

 

The hex value for the hash should be 40 characters long and the hex value for the salt should be 8 characters long.

 

4. Get the restrictions PIN code

 

Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):

 

sudo cpan install Crypt::PBKDF2

 

Use the previously decoded hex values of hash and salt as arguments to the perl script ios7.pl from philsmd:

#!/usr/bin/env perl
use Crypt::PBKDF2;

if (@ARGV < 2) {
   print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
   exit (1);
}

# Convert the hex arguments back to raw bytes
my $match=pack ("H*", $ARGV[0]); # TODO: check if it is of length 40
my $salt =pack ("H*", $ARGV[1]); # of length 8?
my $iter =1000;
my $pbkdf2=Crypt::PBKDF2->new (hash_class=> 'HMACSHA1', iterations=> $iter);
my $num;

# Try every 4-digit PIN from 0000 to 9999
for ($num=0; $num < 10000; $num++) {
   my $pass=sprintf ("%04d", $num);
   my $hash=$pbkdf2->PBKDF2 ($salt, $pass);
   if ($match eq $hash) {
      # Output format: hash:salt:iterations:PIN
      printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
      exit (0);
   }
}

# No PIN matched
exit (1);

 

Use command:

 

time perl ios7.pl hex_hash hex_salt

 

Command time is added just to measure how long the command takes to run.

 

The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):

hex_hash:hex_salt:1000:XXXX

 

real 0m39.239s

user 0m39.130s

sys 0m0.055s
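
Steps 2.2 to 4 in one script, as an added example that is not the post's or philsmd's own code: Python's standard library computes the backup file name, reads the two plist values, applies the length checks that ios7.pl leaves as TODO, and runs the same PBKDF2-HMAC-SHA1 search. The function names are made up for this example, and the sample plist, PIN and salt are constructed rather than taken from a real backup.

```python
import hashlib
import plistlib

ITERATIONS = 1000  # same iteration count as $iter in ios7.pl

def backup_file_name(domain, relative_path):
    """Name of a file inside the backup folder: SHA-1 of "<domain>-<path>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def read_hash_and_salt(plist_bytes):
    """Return (key, salt) as raw bytes; plistlib Base64-decodes <data> values."""
    plist = plistlib.loads(plist_bytes)
    key = plist["RestrictionsPasswordKey"]
    salt = plist["RestrictionsPasswordSalt"]
    # Length checks: 40 hex characters = 20 bytes, 8 hex characters = 4 bytes.
    if len(key) != 20 or len(salt) != 4:
        raise ValueError(f"unexpected lengths: key={len(key)} salt={len(salt)}")
    return key, salt

def recover_pin(key, salt):
    """Test every 4-digit PIN with PBKDF2-HMAC-SHA1; return the match or None."""
    for num in range(10000):
        pin = f"{num:04d}"
        if hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, ITERATIONS) == key:
            return pin
    return None

def make_sample_plist(pin, salt):
    """Constructed test input shaped like the sample plist in step 3."""
    key = hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, ITERATIONS)
    return plistlib.dumps({"RestrictionsPasswordKey": key,
                           "RestrictionsPasswordSalt": salt})

if __name__ == "__main__":
    print(backup_file_name(
        "HomeDomain", "Library/Preferences/com.apple.restrictionspassword.plist"))
    # Constructed PIN and salt, not values from a real device.
    sample = make_sample_plist("0429", bytes.fromhex("a1b2c3d4"))
    key, salt = read_hash_and_salt(sample)
    print(key.hex(), salt.hex(), recover_pin(key, salt))
```

To use it on a real backup, pass the bytes of the file named by `backup_file_name` to `read_hash_and_salt` instead of the constructed sample.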

 

Disclaimer: you should only use the above tip for legitimate iOS 7 restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!

 

22Dec2014 update: thanks to the WordPress commenters, the above instructions are proven to work from iOS 7 up to iOS 8.1.2
