@bmwalters
Last active April 22, 2025 04:05
binaries for A6 bruteforce

binaries for 4-digit passcode bruteforce

includes kernel binaries with aes accelerator uid patch applied:

  • iPhone4,1 6.1.0 (10B142)
  • iPhone5,1 7.1.2 (11D257)
  • iPhone5,1 9.0.2 (13A452)
  • iPhone5,2 9.0.2 (13A452)
  • iPod5,1 9.0.2 (13A452)

see the linked gist for a guide to offline kernel patching

includes userspace binaries built for armv7 ios w/ minimum ios version 6.0


use the appropriate patched kernel instead of the stock kernel when booting your device. for example, hardcode this line in legacy ios kit to point to where you downloaded this kernel instead of the file in the ramdisk dir.

once the ramdisk is booted, scp these binaries to your device (to e.g. /mnt2/tmp) then add executable flag (chmod +x)

try executing /mnt2/tmp/hello to ensure the toolchain works

then try running /mnt2/tmp/bruteforce -u

the -u flag is important (at least for A5 iOS 9)

if it outputs any errors before starting to print numbers, it will not work. kill with ctrl+c and share the output with me.

if it runs successfully, nice.

@tuanidf117

Can you help me patch the 3 kernels?
iphone 5,2 ios 6
iphone 4,1 ios 9
ipod 5.1 ios 6

@bmwalters
Author

@tuanidf117

I don't really understand how to determine offset and use hopper to patch. If you are free, can you go back to the patching process?

@tuanidf117

@tuanidf117 try modifying these scripts to create patches for those devices and versions.

https://Gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#ios-9-ioaesaccelerator-unprivileged-patch

Here are the patch values for iOS 6 through iOS 8:

https://github.com/nabla-c0d3/iphone-dataprotection/blob/572dd5cd8c07f5f14f7ea9488041031dd22a26bb/ramdisk_tools/ttbthingy.c#L802

Let me know where you get stuck.

If you can help, that's good
