@MDX-Tom
Last active November 2, 2025 18:56
Bruteforce 4-digit passcode on iPhone 5 iOS 9~10 via SSH Ramdisk

Here is a guide for automatically bruteforcing 4-digit passcodes on an iPhone 5 using only a computer and a USB cable (no MFC Dongle needed). My device is an iPhone5,2 (iPhone 5 Global) on iOS 9.2 with FMI off. The steps below may work on other 32-bit devices or other iOS versions (see the list of tested devices and iOS versions below), but they will not work on any 64-bit device.

See https://www.reddit.com/r/setupapp/comments/1ha2arg/bruteforce_4digit_passcode_on_iphone_5_ios_9_via/ for discussions.

Updated 10 Jan. 2025:

A more powerful guide for bruteforcing 32-bit devices was released by a reddit user: https://www.reddit.com/r/setupapp/comments/1hw5bfa/bruteforcing_32bit_iphones_ondevice_4_digit_pin/ I think everyone should try that guide first; it seems more reliable and supports passcodes longer than 4 digits. Good luck!

Tested working on:

  • iPhone 5 Global (iPhone5,2), iOS 9.2 (tested by myself).
  • iPhone 5 A1429, iOS 10.3.3 (tested by GitHub user ServePeak).
  • iPhone 4S, iOS 9.3.6, using bruteforce without -u (tested by reddit user u/iPh0ne4s).

Very Easy Guide

Here are the steps I did to bruteforce my passcode.

  1. Download the Legacy-iOS-Kit release from https://github.com/LukeZGD/Legacy-iOS-Kit/releases/tag/latest.
  2. Run ./restore.sh in a terminal from the root directory of Legacy-iOS-Kit and follow its instructions to boot an SSH Ramdisk. For iOS 9, enter ramdisk version number 13A452 as it recommends.
  3. SSH into your device and run mount.sh to mount /mnt1 and /mnt2.
  4. Download the bruteforce binary from https://gist.github.com/bmwalters/8f3cb4bc212231c4a7474938cae4fbd6.
  5. Use SCP or a tool like Cyberduck to copy the bruteforce file to the /mnt2/tmp/ directory on your device.
  6. SSH into your device, run /mnt2/tmp/bruteforce -u, and wait for the magic!
    • If you get "permission denied" or something similar, run chmod +x /mnt2/tmp/bruteforce to make the binary executable.
    • If bruteforce -u does not run properly, your kernel needs to be patched to speed up the process. You could either simply use bruteforce without -u (but the process will be very slow, about 20s per passcode), or use bmwalters's patched kernel to boot your ramdisk (see https://gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#toolchain).
  7. Your passcode should be printed in the SSH session and shown in your computer's terminal. Then reboot your device and unlock it!
  • If your device is disabled after 10+ failed passcode attempts, do this after Step 3 and before Step 4:
    1. Delete /mnt2/mobile/Library/SpringBoard/LockoutStateJournal.plist.
    2. Download /mnt2/mobile/Library/Preferences/com.apple.springboard.plist, change the value of SBDeviceLockFailedAttempts to -9999, delete all other keys whose names start with SBDevice, then overwrite the original com.apple.springboard.plist with the edited copy. After these steps your device should be enabled again with unlimited passcode attempts.
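The lockout reset in the step above leaves a recognisable footprint in the two files it touches. The following Python snippet is an added example (not part of this gist or of any of the tools it links) showing how a forensic examiner triaging a device image could flag that footprint: a negative SBDeviceLockFailedAttempts counter, a com.apple.springboard.plist with no other SBDevice* keys, and a missing LockoutStateJournal.plist. The two plists are constructed inline; SBDeviceLockExampleKey and SBSomeUnrelatedSetting are placeholder key names, not real iOS preference keys.

```python
import plistlib

# Constructed sample of what com.apple.springboard.plist looks like after the
# reset described in the gist: counter forced negative, sibling SBDevice* keys gone.
TAMPERED_SPRINGBOARD = plistlib.dumps({
    "SBDeviceLockFailedAttempts": -9999,
    "SBSomeUnrelatedSetting": True,   # placeholder key, not a real iOS key
})

# Constructed sample of a plausible untouched file: small non-negative counter and
# at least one sibling SBDevice* key still present (placeholder name).
CLEAN_SPRINGBOARD = plistlib.dumps({
    "SBDeviceLockFailedAttempts": 2,
    "SBDeviceLockExampleKey": 0,      # placeholder key, not a real iOS key
    "SBSomeUnrelatedSetting": True,
})


def check_lockout_tamper(springboard_plist: bytes, journal_present: bool) -> list:
    """Return human-readable findings that suggest the lockout state was reset by hand.

    springboard_plist: raw bytes of com.apple.springboard.plist (XML or binary).
    journal_present:   whether LockoutStateJournal.plist exists in the image.
    These are heuristics; confirm them against a known-good image of the same iOS build.
    """
    findings = []
    prefs = plistlib.loads(springboard_plist)

    # A failed-attempt counter can never legitimately be negative.
    attempts = prefs.get("SBDeviceLockFailedAttempts")
    if attempts is not None and (not isinstance(attempts, int) or attempts < 0):
        findings.append(f"SBDeviceLockFailedAttempts has implausible value {attempts!r}")

    # The gist's procedure deletes every other SBDevice* key in bulk.
    siblings = [k for k in prefs
                if k.startswith("SBDevice") and k != "SBDeviceLockFailedAttempts"]
    if not siblings:
        findings.append("no other SBDevice* keys present (consistent with bulk deletion)")

    # The journal is removed outright in the same procedure.
    if not journal_present:
        findings.append("LockoutStateJournal.plist absent")

    return findings


if __name__ == "__main__":
    for label, data, journal in (("tampered", TAMPERED_SPRINGBOARD, False),
                                 ("clean", CLEAN_SPRINGBOARD, True)):
        print(label, check_lockout_tamper(data, journal) or "no findings")
```

On a real image you would read the two paths from the mounted data partition instead of the constructed samples; the checks themselves are unchanged.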

Discussions on the -u option

u/iPh0ne4s finds that bruteforce -u does not work properly on an iPhone 4S running iOS 9.3.6, but bruteforce without -u at least works, although very slowly. u/Stormzinn says that his iPhone 5 on 10.3.1 did not work with -u either, but he later tried bmwalters' patched kernel, which made -u work.

The -u option uses the IOAESAccelerator kernel extension to accelerate the bruteforce process. By default, however, this is not usable for our purpose (without acceleration each passcode takes about 20s to try), so as bmwalters says the kernel has to be patched before the -u option can be used. There is some chance that -u works without patching the kernel (as in my case and ServePeak's), but if -u does not work with Legacy-iOS-Kit's stock ramdisk, only bmwalters's patch will get -u working. See https://gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#toolchain.

How could it be this simple?

I've been through a lot of tutorials about this; many say it is impossible without buying an MFC Dongle, and even appletech752's Silver app in 2022 said passcode bruteforce was only supported on iOS 6~8.

Then I came across this post: https://gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#toolchain, which gives a kernel patch for iOS 9's IOCryptoAcceleratorFamily.kext that makes bruteforcing passcodes on iOS 9 possible.

However, when I applied this patch to the ramdisk's kernelcache, the ramdisk refused to boot, so I wanted to give it a last try on Legacy-iOS-Kit's unpatched iOS 9 ramdisk and ran the bruteforce executable (thanks to bmwalters for compiling iOS-dataprotection's source code for armv7 iOS with a minimum iOS version of 7.0). Then THE MAGIC HAPPENED! The bruteforce binary worked and my passcode was cracked, which showed that bruteforce can work without bmwalters's iOS 9 ramdisk kernelcache patch.

So the conclusion is: the posts saying that bruteforcing passcodes on iOS 9~10 is impossible were based on the fact that, 4~5 years ago, there were no usable ramdisks that could mount the iOS 9 /var partition. Now, thanks to Legacy-iOS-Kit and the creators of the iOS 9 ramdisks, bruteforcing passcodes on 32-bit iOS 9+ devices is possible and just as simple as in the old days!


checks82 commented Oct 15, 2025

I'm stuck here and nothing helps; tell me what's wrong. iPhone 5, iOS 10.3.3
/bin/mount.sh: line 26: cannot create temp file for here-document: Read-only file system
Waiting for disks...
Mounting /dev/disk0s1s1 on /mnt1
mount_hfs: Could not create property for re-key environment check: No such file or directory
mount_hfs: error on mount(): error = -1.
mount_hfs: Resource busy
Mounting /dev/disk0s1s2 on /mnt2
mount_hfs: Could not create property for re-key environment check: No such file or directory
mount_hfs: error on mount(): error = -1.
mount_hfs: Resource busy
P.S. If anyone else encounters this, here's the solution: after the mounting error, enter "mount -o remount,rw" and you're done.


eivelice commented Nov 2, 2025

Help, I am stuck here:

70d2ea55), port 22
-sh-4.0# /mnt2/tmp/bruteforce -u
-sh-4.0# chmod 777 /mnt2/tmp/bruteforce
-sh-4.0# /mnt2/tmp/bruteforce -u
-sh-4.0# chmod +x /mnt2/tmp/bruteforce
-sh-4.0# /mnt2/tmp/bruteforce -u
-sh-4.0# mount.sh
Waiting for disks...
/dev/disk0s1s1 already mounted on /mnt1
Mounting /dev/disk0s1s2 on /mnt2
mount_hfs: Operation not permitted
-sh-4.0# /mnt2/tmp/bruteforce -u
-sh-4.0#

nothing is happening.

what do i do?
