@bmwalters
Last active March 7, 2026 08:22
binaries for A6 bruteforce

binaries for 4-digit passcode bruteforce

includes kernel binaries with aes accelerator uid patch applied:

  • iPhone4,1 6.1.0 (10B142)
  • iPhone5,1 7.1.2 (11D257)
  • iPhone5,1 9.0.2 (13A452)
  • iPhone5,2 9.0.2 (13A452)
  • iPod5,1 9.0.2 (13A452)

see the linked gist for a guide to offline kernel patching

includes userspace binaries built for armv7 ios w/ minimum ios version 6.0


use the appropriate patched kernel instead of the stock kernel when booting your device. for example, hardcode this line in legacy ios kit so it points at the kernel you downloaded from here instead of the file in the ramdisk dir.

once the ramdisk is booted, scp these binaries to your device (to e.g. /mnt2/tmp), then add the executable flag (chmod +x)

try executing /mnt2/tmp/hello to ensure the toolchain works

then try running /mnt2/tmp/bruteforce -u

the -u flag is important (at least for A5 iOS 9)

if it outputs any errors before it starts printing numbers, it will not work. kill it with ctrl+c and share the output with me.

if it runs successfully, nice.


@tuanidf117

Can you help me patch the 3 kernels?
iphone 5,2 ios 6
iphone 4,1 ios 9
ipod 5.1 ios 6

@bmwalters
Author

@tuanidf117

I don't really understand how to determine offset and use hopper to patch. If you are free, can you go back to the patching process?

@tuanidf117

@tuanidf117 try modifying these scripts to create patches for those devices and versions.

https://Gist.github.com/bmwalters/aff476d87dc750f4a7e49357e3c4596b#ios-9-ioaesaccelerator-unprivileged-patch

Below are the patch values for iOS 6 through iOS 8:

https://github.com/nabla-c0d3/iphone-dataprotection/blob/572dd5cd8c07f5f14f7ea9488041031dd22a26bb/ramdisk_tools/ttbthingy.c#L802

Let me know where you get stuck.

If you can help, that's good

@Praxxxer

@bmwalters incredible work. Your reverse engineering was really fun to read.

I plan to try this on an iPad 2,4 (k93aap) running iOS 9.3.5 (13G36). I used checkm8-a5 with an Arduino, and opened an SSH ramdisk and now I would like to brute the pin.

I'm still trying to conceptualize exactly how you arrived at your offsets for the patched kernel. In your README you write:

"I ran the systemkb-bruteforce tool on a stock kernel to find out at what point it would fail. The utility logged error code 0xe00002c1 (kIOReturnNotPrivileged) and after reading the source I understood that a patch to IOAESAccelerator was needed.

I used xpwntool to decrypt and unpack my Kernelcache, then I used joker to look inside the Kernelcache to find kexts that could contain this class."

Could you provide documentation on this systemkb-bruteforce tool? I cannot seem to find anything on it. Any help would be greatly appreciated.
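The error code quoted from the README, 0xe00002c1, is an IOKit IOReturn value, and its meaning (kIOReturnNotPrivileged) is readable directly from how Mach error codes are laid out: a 6-bit system field, a 12-bit subsystem field and a 14-bit code. The decoder below is an added example for readers following the diagnosis in this thread; it is not code from the gist or from any of the linked tools. The field layout follows <mach/error.h> and the small name table is a subset copied from <IOKit/IOReturn.h>; the sample values it decodes are constructed for illustration.

```python
# Added example (not part of the gist): decode an IOKit IOReturn value such as
# 0xe00002c1 into the Mach error fields it is composed from.
#
# Layout from <mach/error.h>: system in bits 31..26, subsystem in bits 25..14,
# code in bits 13..0. IOKit uses system 0x38 (sys_iokit); the generic kIOReturn*
# codes live in subsystem 0 (sub_iokit_common). The table below is a subset of
# <IOKit/IOReturn.h>, enough to name the codes a privilege or lookup failure
# would normally produce.

SYS_IOKIT = 0x38
SUB_IOKIT_COMMON = 0

IOKIT_COMMON_CODES = {
    0x2bc: "kIOReturnError",
    0x2bd: "kIOReturnNoMemory",
    0x2c0: "kIOReturnNoDevice",
    0x2c1: "kIOReturnNotPrivileged",
    0x2c2: "kIOReturnBadArgument",
    0x2c7: "kIOReturnUnsupported",
    0x2d5: "kIOReturnBusy",
    0x2d6: "kIOReturnTimeout",
    0x2e2: "kIOReturnNotPermitted",
    0x2f0: "kIOReturnNotFound",
}


def err_system(err):
    """err_get_system(): top 6 bits."""
    return (err >> 26) & 0x3f


def err_sub(err):
    """err_get_sub(): middle 12 bits."""
    return (err >> 14) & 0xfff


def err_code(err):
    """err_get_code(): low 14 bits."""
    return err & 0x3fff


def decode_ioreturn(err):
    """Return (system, subsystem, code, name) for a 32-bit IOReturn value."""
    err &= 0xffffffff
    if err == 0:
        return (0, 0, 0, "kIOReturnSuccess")
    system, sub, code = err_system(err), err_sub(err), err_code(err)
    if system != SYS_IOKIT:
        name = "not an IOKit error (system 0x%x)" % system
    elif sub != SUB_IOKIT_COMMON:
        # Driver families (USB, Bluetooth, ...) define their own subsystems.
        name = "IOKit family-specific error (sub 0x%x)" % sub
    else:
        name = IOKIT_COMMON_CODES.get(code, "unknown common IOKit code")
    return (system, sub, code, name)


def build_ioreturn(code, sub=SUB_IOKIT_COMMON):
    """Inverse of decode_ioreturn: iokit_common_err(code) as the header composes it."""
    return (SYS_IOKIT << 26) | ((sub & 0xfff) << 14) | (code & 0x3fff)


if __name__ == "__main__":
    # Constructed sample values: the code from the README, an unsupported-call
    # code, and a bare Mach kern_return that is not an IOKit error at all.
    for raw in (0xe00002c1, 0xe00002c7, 0x1):
        system, sub, code, name = decode_ioreturn(raw)
        print("0x%08x -> sys=0x%02x sub=0x%03x code=0x%03x %s"
              % (raw, system, sub, code, name))
```

Running the script prints one line per sample value; the first decodes to system 0x38, subsystem 0, code 0x2c1, i.e. kIOReturnNotPrivileged, which is exactly the evidence the README describes using to conclude that the unprivileged-access check in the AES accelerator driver was what stopped the tool.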
