Here is a guide for automatically bruteforcing 4-digit passcodes on an iPhone 5 using only a computer and a USB cable (without an MFC Dongle). My device is an iPhone5,2 (iPhone 5 Global) on iOS 9.2 (Find My iPhone off). The steps below may work on other 32-bit devices or other iOS versions (see below for tested working devices and iOS versions), but will not work on any 64-bit device.
See https://www.reddit.com/r/setupapp/comments/1ha2arg/bruteforce_4digit_passcode_on_iphone_5_ios_9_via/ for discussions.
Updated 10 Jan. 2025:
A more powerful guide for bruteforcing 32-bit devices was released by a reddit user: https://www.reddit.com/r/setupapp/comments/1hw5bfa/bruteforcing_32bit_iphones_ondevice_4_digit_pin/ I think everyone should try that guide; it seems more reliable and supports passcodes of 4+ digits. Good luck!
Tested working devices and iOS versions:

- iPhone 5 Global (iPhone5,2), iOS 9.2 (tested by myself).
- iPhone 5 A1429, iOS 10.3.3 (tested by GitHub user ServePeak).
- iPhone 4S, iOS 9.3.6, use `bruteforce` without `-u` (tested by reddit user u/iPh0ne4s).
Here are the steps I did to bruteforce my passcode.
1. Download the Legacy-iOS-Kit release from https://github.com/LukeZGD/Legacy-iOS-Kit/releases/tag/latest.
2. Execute `./restore.sh` in a terminal from the root directory of Legacy-iOS-Kit and follow its instructions to boot an SSH ramdisk. For iOS 9, enter ramdisk version number 13A452 as it recommends.
3. SSH into your device and run `mount.sh` to mount `/mnt1` and `/mnt2`.
4. Download the `bruteforce` binary executable from https://gist.github.com/bmwalters/8f3cb4bc212231c4a7474938cae4fbd6.
5. Use SCP or a tool like Cyberduck to send the `bruteforce` file to your device's `/mnt2/tmp/` directory.
6. SSH into your device, run `/mnt2/tmp/bruteforce -u`, and wait for the magic!
   - If you get `permission denied` or something similar, run `chmod +x /mnt2/tmp/bruteforce` to add executable permission to the binary.
   - If `bruteforce -u` does not run properly, your kernel needs to be patched to speed up the process. You can either simply use `bruteforce` without `-u` (but the process will be very slow, about 20 s per passcode), or use bmwalters's patched kernel to boot your ramdisk (see https://gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#toolchain).
7. Your passcode should be printed into the SSH session and displayed in your computer's terminal. Reboot your device and unlock!
If your device is disabled after 10+ failed passcode attempts, do this after Step 3 and before Step 4:

- Delete `/mnt2/mobile/Library/SpringBoard/LockoutStateJournal.plist`.
- Download `/mnt2/mobile/Library/Preferences/com.apple.springboard.plist`, change the value of `SBDeviceLockFailedAttempts` to `-9999`, delete all other keys starting with `SBDevice`, then overwrite the original `com.apple.springboard.plist` with the edited copy.

With these steps your device should be enabled again and you should have unlimited passcode attempts.
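The plist edit above is easy to get wrong by hand, because the file on the device is normally a binary plist and the `SBDevice*` keys are scattered among unrelated SpringBoard preferences. The script below is an added example, not part of this guide, of Legacy-iOS-Kit, or of bmwalters's tools: it reads a downloaded copy of `com.apple.springboard.plist` (binary or XML), sets `SBDeviceLockFailedAttempts` to `-9999`, drops every other key whose name starts with `SBDevice`, and writes the result back in the same format. Only the key `SBDeviceLockFailedAttempts` and the `SBDevice` prefix come from the guide; all other key names in the built-in sample are constructed for illustration, and the script does not touch `LockoutStateJournal.plist`, which you still delete by hand.

```python
"""Automate the "device disabled" fix: reset SpringBoard's failed-attempt counter.

Added example (not from the guide or any project it links). Only the key
SBDeviceLockFailedAttempts and the "SBDevice" prefix are taken from the guide;
every other key name in the sample plist below is constructed for illustration.
"""
import plistlib
import sys
from typing import Dict, List, Tuple

TARGET_KEY = "SBDeviceLockFailedAttempts"
RESET_VALUE = -9999           # the value the guide says to set
LOCK_KEY_PREFIX = "SBDevice"  # every other key with this prefix is removed


def plist_format(data: bytes) -> int:
    """Binary plists start with the magic 'bplist00'; anything else is treated as XML."""
    return plistlib.FMT_BINARY if data.startswith(b"bplist00") else plistlib.FMT_XML


def reset_failed_attempts(data: bytes) -> Tuple[bytes, List[str]]:
    """Return (rewritten plist bytes, sorted names of the removed SBDevice* keys).

    The output is serialized in the same format (binary or XML) as the input,
    so it can be copied straight back over the original file on /mnt2.
    """
    fmt = plist_format(data)
    prefs = plistlib.loads(data)
    if not isinstance(prefs, dict):
        raise ValueError("top-level plist object is not a dictionary")
    removed = sorted(k for k in prefs if k.startswith(LOCK_KEY_PREFIX) and k != TARGET_KEY)
    for key in removed:
        del prefs[key]
    prefs[TARGET_KEY] = RESET_VALUE
    return plistlib.dumps(prefs, fmt=fmt), removed


def load_prefs(data: bytes) -> Dict:
    """Parse plist bytes back into a dict, for checking the result."""
    return plistlib.loads(data)


def sample_springboard_plist(binary: bool = True) -> bytes:
    """Constructed stand-in for a disabled device's com.apple.springboard.plist.

    Key names other than SBDeviceLockFailedAttempts are invented for the
    example; a real file has different and many more keys.
    """
    return plistlib.dumps(
        {
            "SBDeviceLockFailedAttempts": 10,     # the counter that disabled the device
            "SBDeviceLockExampleTimer": 3600,     # constructed SBDevice* key: must be removed
            "SBDeviceLockExampleBlocked": True,   # constructed SBDevice* key: must be removed
            "SBExampleUnrelatedSetting": "keep",  # constructed non-lock key: must survive
        },
        fmt=plistlib.FMT_BINARY if binary else plistlib.FMT_XML,
    )


def main(argv: List[str]) -> int:
    """Usage: reset_attempts.py <in.plist> <out.plist>  (no arguments: run on the sample)."""
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = sample_springboard_plist()
    out, removed = reset_failed_attempts(data)
    if len(argv) == 3:
        with open(argv[2], "wb") as f:
            f.write(out)
    print("removed keys:", ", ".join(removed) or "(none)")
    print("result:", load_prefs(out))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the copy you pulled with SCP (`python3 reset_attempts.py com.apple.springboard.plist fixed.plist`), check the printed result, then copy `fixed.plist` back to `/mnt2/mobile/Library/Preferences/com.apple.springboard.plist`. Keeping the original serialization format matters: SpringBoard reads the binary file fine either way, but a format change is one more difference to rule out if the device does not come back as expected.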
u/iPh0ne4s found that `bruteforce -u` does not work properly on an iPhone 4S running iOS 9.3.6, but `bruteforce` without `-u` does work, although very slowly.
u/Stormzinn says that his iPhone 5 on 10.3.1 did not work with `-u` either, but when he later tried bmwalters's patched kernel, `-u` started working.
The `-u` option uses the IOAESAccelerator kernel extension to accelerate the bruteforce process. By default this is not usable for our purpose (each passcode takes ~20 s to try without acceleration), so, as bmwalters says, the kernel has to be patched before the `-u` option can be used.
There is indeed a chance that `-u` works without patching the kernel (it did in my case and in ServePeak's), but if `-u` does not work with Legacy-iOS-Kit's stock ramdisk, only bmwalters's patch will get `-u` working.
See https://gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#toolchain.
I have been through a lot of tutorials about this; many say it is impossible to do without buying an MFC Dongle, and even appletech752's Silver app in 2022 said passcode bruteforce was only supported on iOS 6~8.
By chance I saw this post: https://gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#toolchain, which gives a kernel patch for iOS 9's IOCryptoAcceleratorFamily.kext that makes bruteforcing passcodes on iOS 9 possible.
However, when I applied this patch to the ramdisk's kernelcache, the ramdisk refused to boot,
so I gave it a last try on Legacy-iOS-Kit's unpatched iOS 9 ramdisk and ran the bruteforce executable
(thanks to bmwalters for compiling iOS-dataprotection's source code for armv7 iOS with minimum iOS version 7.0).
Then THE MAGIC HAPPENED! The bruteforce binary worked and my passcode was cracked, which showed that bruteforce can work without bmwalters's iOS 9 ramdisk kernelcache patch.
So the conclusion is: the posts saying that bruteforcing passcodes on iOS 9~10 is impossible were based on the fact that,
4~5 years ago, there were no usable ramdisks that could mount iOS 9's /var partition.
Now, thanks to Legacy-iOS-Kit and the creators of the iOS 9 ramdisks, bruteforcing passcodes on 32-bit iOS 9+ devices is possible and just as simple as in the old days!
```
-sh-4.0# mount.sh
/bin/mount.sh: line 26: cannot create temp file for here-document: Read-only file system
Waiting for disks...
Mounting /dev/disk0s1s1 on /mnt1
mount_hfs: Could not create property for re-key environment check: No such file or directory
Mounting /dev/disk0s1s2 on /mnt2
mount_hfs: Could not create property for re-key environment check: No such file or directory
-sh-4.0#
```
=======================================================================
take a look at the full commands below
=======================================================================
*** Legacy iOS Kit ***
Version: v25.09.06 (77c25ce)
Platform: macos (Monterey 12.7.6 - x86_64)
Device: iPhone 4S (iPhone4,1 - n94ap) in Normal mode
Activated A5(X) device detected. Activation record stitching enabled.
iOS Version: 9.1 (13B143)
ECID: 4247623107371
[Log] Device is on iOS 9+, using 9.0.2 (13A452) ramdisk
[Log] Checking firmware keys in ../saved/firmware/iPhone4,1/13A452
[Log] Checking URL in ../saved/firmware/iPhone4,1/13A452/url
[Log] iBSS
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 604ca9a4aca0dc1fb90b851a72b1724318b71387353ee95594858693eaa1cc8578f8b1e2ef631fd6699bf904d9e7c14e
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 604ca9a4aca0dc1fb90b851a72b1724318b71387353ee95594858693eaa1cc8578f8b1e2ef631fd6699bf904d9e7c14e
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 604ca9a4aca0dc1fb90b851a72b1724318b71387353ee95594858693eaa1cc8578f8b1e2ef631fd6699bf904d9e7c14e
[Log] iBEC
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 48d818c42d6af34f6df17b632be74731847aaf45a4f8ca24168a52f2fc4273884e3e486101703ae742d6d6f0559eaef9
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 48d818c42d6af34f6df17b632be74731847aaf45a4f8ca24168a52f2fc4273884e3e486101703ae742d6d6f0559eaef9
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 48d818c42d6af34f6df17b632be74731847aaf45a4f8ca24168a52f2fc4273884e3e486101703ae742d6d6f0559eaef9
[Log] DeviceTree
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8396a6238977905748e9954b46c89583d80884cf88055e36010aab932d07f858f1504dd789eefa3d1c87bf1dd0443e6c
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8396a6238977905748e9954b46c89583d80884cf88055e36010aab932d07f858f1504dd789eefa3d1c87bf1dd0443e6c
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8396a6238977905748e9954b46c89583d80884cf88055e36010aab932d07f858f1504dd789eefa3d1c87bf1dd0443e6c
[Log] Kernelcache
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 2c0e2bbeb2bec3bcdde1ecfb7012a81342d41d2412acbea5b5881e9ee718bbdaca40d265412230652b58b513085f8b2a
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 2c0e2bbeb2bec3bcdde1ecfb7012a81342d41d2412acbea5b5881e9ee718bbdaca40d265412230652b58b513085f8b2a
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 2c0e2bbeb2bec3bcdde1ecfb7012a81342d41d2412acbea5b5881e9ee718bbdaca40d265412230652b58b513085f8b2a
[Log] RestoreRamdisk
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: d5346d366f6c80d8b1b8fc452074b81b03df1cc3a7c149544eb663d9cb043544bdab91275f98e908bbf0eb52dbb15885
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: d5346d366f6c80d8b1b8fc452074b81b03df1cc3a7c149544eb663d9cb043544bdab91275f98e908bbf0eb52dbb15885
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: d5346d366f6c80d8b1b8fc452074b81b03df1cc3a7c149544eb663d9cb043544bdab91275f98e908bbf0eb52dbb15885
[Log] Patch RestoreRamdisk
grew volume: 30000000
file: com.apple.springboard.plist (0644), size = 333
ignoring usr, type = 5
ignoring usr/bin, type = 5
file: usr/bin/gptfdisk (0755), size = 164368
file: usr/bin/du (0755), size = 178736
file: usr/bin/df (0755), size = 143296
file: usr/bin/nano (0755), size = 209008
file: usr/bin/date (0755), size = 140704
file: usr/bin/device_infos (0755), size = 75936
file: usr/bin/ibsspatch (0755), size = 51840
file: usr/bin/scp (0755), size = 49008
file: usr/bin/hfs_resize (0755), size = 12960
symlink: usr/bin/rnano (0777) -> nano
ignoring usr/libexec, type = 5
file: usr/libexec/sftp-server (0755), size = 44240
ignoring usr/lib, type = 5
symlink: usr/lib/libncursesw.dylib (0755) -> libncursesw.5.dylib
symlink: usr/lib/libncurses.5.dylib (0755) -> libncurses.5.4.dylib
file: usr/lib/libiconv.2.dylib (0755), size = 1022528
file: usr/lib/libncurses.5.4.dylib (0755), size = 335968
file: usr/lib/libhistory.6.0.dylib (0755), size = 54752
file: usr/lib/libreadline.6.0.dylib (0755), size = 198112
file: usr/lib/libcrypto.0.9.8.dylib (0755), size = 1604336
file: usr/lib/libncursesw.5.dylib (0755), size = 390032
ignoring bin, type = 5
file: bin/mount.sh (0755), size = 1366
file: bin/bash (0755), size = 546768
symlink: bin/sh (0777) -> bash
file: bin/dd (0755), size = 124896
file: bin/ls (0755), size = 152096
file: bin/cp (0755), size = 162560
file: bin/chown (0755), size = 125616
file: bin/chmod (0755), size = 125168
file: bin/tar (0755), size = 430304
ignoring sbin, type = 5
file: sbin/sshd (0755), size = 722848
file: sbin/umount (4755), size = 22784
ignoring private, type = 5
ignoring private/etc, type = 5
file: private/etc/rc.boot (0755), size = 369
directory: private/etc/ssh (0700)
file: private/etc/ssh/ssh_host_rsa_key (0600), size = 1675
file: private/etc/ssh/ssh_host_dsa_key.pub (0644), size = 590
file: private/etc/ssh/sshd_config (0644), size = 3227
file: private/etc/ssh/ssh_host_key.pub (0644), size = 627
file: private/etc/ssh/ssh_config (0644), size = 1526
file: private/etc/ssh/ssh_host_dsa_key (0600), size = 668
file: private/etc/ssh/ssh_host_rsa_key.pub (0644), size = 382
file: private/etc/ssh/moduli (0644), size = 125811
file: private/etc/ssh/ssh_host_key (0600), size = 963
ignoring private/var, type = 5
directory: private/var/root (0700)
file: private/var/root/.profile (0644), size = 391
[Log] Patch iBSS
main: Starting...
main: iBoot-2817 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x6066
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x6392
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x6392...
patch_rsa_check: Leaving...
main: Writing out patched file to iBSS.patched...
main: Quitting...
[Log] Patch iBEC
main: Starting...
main: iBoot-2817 inputted.
patch_boot_args: Entering...
patch_boot_args: Default boot-args string is at 0x3cf48
patch_boot_args: boot-args xref is at 0x1990c
patch_boot_args: Relocating boot-args string...
patch_boot_args: "Reliance on this certificate" string found at 0x41a04
patch_boot_args: Pointing default boot-args xref to 0x9ff41a04...
patch_boot_args: Applying custom boot-args "rd=md0 -v amfi=0xff amfi_get_out_of_my_way=1 cs_enforcement_disable=1 pio-error=0"
patch_boot_args: Found LDR R1, =boot_args at 0x1969a
patch_boot_args: Found IT instruction at 0x196ba
patch_boot_args: Found CMP Rx, #0 at 0x196b8
patch_boot_args: Found MOV R6, R1 at 0x196bc
patch_boot_args: Found LDR R6, =null_str at 0x196b6
patch_boot_args: Pointing LDR R6, =null_str to boot-args xref...
patch_boot_args: Leaving...
patch_debug_enabled: Entering...
find_dtre_get_value_bl_insn: Entering...
find_dtre_get_value_bl_insn: debug-enabled string is at 0x3c955
find_dtre_get_value_bl_insn: "debug-enabled" xref is at 0x1871c
find_dtre_get_value_bl_insn: Found LDR R0, ="debug-enabled" at 0x18700
find_dtre_get_value_bl_insn: Found BL instruction at 0x18722
find_dtre_get_value_bl_insn: Leaving...
patch_debug_enabled: Patching BL insn at 0x18722...
patch_debug_enabled: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x17492
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x17bc4
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x17bc4...
patch_rsa_check: Leaving...
main: Writing out patched file to iBEC.patched...
main: Quitting...
[Input] pwnDFU/kDFU Mode Option
This device needs to be in pwnDFU/kDFU mode before proceeding.
Selecting kDFU is recommended. Your device must be jailbroken and have OpenSSH installed for this option.
Selecting pwnDFU is only for those that have the option to use checkm8-a5 (needs Arduino+USB Host Shield or Pi Pico).
[WARNING] Selecting pwnDFU will require usage of checkm8-a5.
For more info about checkm8-a5, go here: https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/checkm8-a5
[Input] Select your option:
kDFU
-> pwnDFU
The device needs to be in Recovery/DFU mode before proceeding.
[Input] Send device to recovery mode? (Y/n):
-> Yes
No
[Log] Entering recovery mode...
If the device does not enter recovery mode automatically, try putting the device in Recovery/DFU mode manually. You may also press Ctrl+C to cancel
[Log] Finding device in Recovery mode...
[Log] Found device in Recovery mode.
DFU Mode Helper - Get ready to enter DFU mode.
If you already know how to enter DFU mode, you may do so right now before continuing.
[Input] Select Y to continue, N to exit recovery mode (Y/n):
-> Yes
No
Get ready...
3 2 1
Hold TOP and HOME buttons.
8 7 6 5 4 3 2 1
Release TOP button and keep holding HOME button.
8 7 6 5 4 3 2 1
[Log] Finding device in DFU mode...
[Log] Found device in DFU mode.
[Log] Device is now in DFU mode. Now put your device in PWNED DFU mode using checkm8-a5.
DFU mode for A5(X) device - Make sure that your device is in PWNED DFU mode.
You need to have an Arduino and USB Host Shield for checkm8-a5.
Use my fork of checkm8-a5: https://github.com/LukeZGD/checkm8-a5
You may also use checkm8-a5 for the Pi Pico: https://www.reddit.com/r/LegacyJailbreak/comments/1djuprf/working_checkm8a5_on_the_raspberry_pi_pico/
Also make sure that you have NOT sent a pwned iBSS yet.
For more details, go to: https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/checkm8-a5
As much as possible, RESTART YOUR DEVICE IN NORMAL MODE AND USE THE JAILBREAK/KDFU METHOD INSTEAD.
[Log] After putting your device in PWNED DFU, plug it back in your PC/Mac before pressing Enter/Return.
[Input] Press Enter/Return to continue (or press Ctrl+C to cancel)
[Log] Checking for device
[Log] Found device in pwned DFU mode.
Pwned: checkm8
[Log] Checking URL in ../saved/firmware/iPhone4,1/12H321/url
[Log] Checking firmware keys in ../saved/firmware/iPhone4,1/12H321
[Log] Decrypting iBSS...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ca0b54a96b22a813f562eb257cb02afb9518b73701007b43c5e8712146a3eb75482800d2ac9cecc643aac17f9132ff2f
[Log] Patching iBSS...
main: Starting...
main: iBoot-2261 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x60ac
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x6452
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x6452...
patch_rsa_check: Leaving...
main: Writing out patched file to pwnediBSS...
main: Quitting...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ca0b54a96b22a813f562eb257cb02afb9518b73701007b43c5e8712146a3eb75482800d2ac9cecc643aac17f9132ff2f
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ca0b54a96b22a813f562eb257cb02afb9518b73701007b43c5e8712146a3eb75482800d2ac9cecc643aac17f9132ff2f
[Log] Pwned iBSS saved at: saved/iPhone4,1/pwnediBSS
[Log] Pwned iBSS img3 saved at: saved/iPhone4,1/pwnediBSS.dfu
[Log] Sending unpacked iBSS...
Acquiring device handle.
iBSS file found: pwnediBSS
Sending 0x10 bytes of data to device.
Sending 0x13000 bytes of data to device.
Releasing device handle.
[Log] Checking for device
[Log] Device should now be in pwned iBSS mode.
[Log] Sending iBEC...
[==================================================] 100.0%
[Log] Finding device in Recovery mode...
[Log] Found device in Recovery mode.
[Log] Sending ramdisk...
[==================================================] 100.0%
[Log] Running ramdisk
[Log] Sending DeviceTree...
[==================================================] 100.0%
[Log] Running devicetree
[Log] Sending KernelCache...
[==================================================] 100.0%
[Log] Booting, please wait...
[Log] Running iproxy for SSH...
[Log] iproxy PID: 1661
[Log] Waiting for device...
You may need to unplug and replug your device.
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts.
[Log] Device should now boot to SSH ramdisk mode.
Mount filesystems with this command:
mount.sh
For more details, go to: https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/SSH-Ramdisk
For accessing data, note the following:
Host: sftp://127.0.0.1 | User: root | Password: alpine | Port: 6414
Other Useful SSH Ramdisk commands:
Clear NVRAM with this command:
nvram -c
Erase All Content and Settings with this command (iOS 9+ only):
nvram oblit-inprogress=5
To reboot, use this command:
reboot_bak
SSH Ramdisk Menu
[Input] Select an option:
-> Connect to SSH
Dump Blobs
Dump Baseband/Activation
Erase All (iOS 7 and 8)
Erase All (iOS 9+)
Disable/Enable Exploit
Clear NVRAM
Get iOS Version
Update DateTime
Reboot Device
Exit
[Log] Use the "exit" command to go back to SSH Ramdisk Menu
Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts.
Use mount.sh script to mount the partitions
Use reboot_bak to reboot
Use 'device_infos' to dump EMF keys (when imaging user volume)
```
-sh-4.0# mount.sh
/bin/mount.sh: line 26: cannot create temp file for here-document: Read-only file system
Waiting for disks...
Mounting /dev/disk0s1s1 on /mnt1
mount_hfs: Could not create property for re-key environment check: No such file or directory
Mounting /dev/disk0s1s2 on /mnt2
mount_hfs: Could not create property for re-key environment check: No such file or directory
-sh-4.0#
```