dayt0n · April 23, 2025 22:10 · jenneodiugekdse · Jan 28, 2023 · Anu-Pri25 · Oct 7, 2024
diff --git a/bfrestrict.py b/bfrestrict.py
 # bfrestrict.py - bruteforce iOS restrictions passcode
 #
 # if you don't have an unencrypted backup folder ready, just plug in the device and run this program
 #
 # Note: make sure you have libimobiledevice installed (we need idevicebackup2) if you plan to plug-and-play
 #
 # made by Dayton Hasty (c)2018
 import os
 import sys
 import hashlib
 import binascii
 import time
 import subprocess
 import shutil
 from multiprocessing import Process

 def backup():
 	subprocess.call(['idevicebackup2','backup','.'])

 restrictionsPasscodeFile = "398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b"

 if len(sys.argv) >= 2 and sys.argv[1] == "-h":
 	print("usage: %s [backup directory]" % sys.argv[0])
 	sys.exit(-1)
 if len(sys.argv) < 2:
 	print("Getting files from device...")
 	# we need to make a backup
 	# also make sure encryption is off 
 	subprocess.call(['idevicebackup2','encryption','off','.'])
 	firstDirList = os.listdir(".")
 	p = Process(target=backup,args=())
 	p.daemon = True
 	p.start()
 	time.sleep(10)
 	nowDirList = os.listdir(".")
 	newFiles = list(set(nowDirList) - set(firstDirList))
 	backupDir = str(newFiles[0])
 	print("backup dir is " + backupDir)
 	while True:
 		print("Waiting for restrictions settings file...")
 		time.sleep(10)
 		if os.path.isfile(backupDir + "/Snapshot/39/" + restrictionsPasscodeFile):
 			print("\n[DONE] Restrictions file found, stopping backup service...")
 			time.sleep(2)
 			subprocess.call(['pkill','idevicebackup2'])
 			p.terminate()
 			time.sleep(0.1)
 			p.join()
 			passcodeFileLoc = backupDir + "/Snapshot/39/" + restrictionsPasscodeFile
 			break
 else:
 	backupDir = sys.argv[1]
 	passcodeFileLoc = backupDir + "/" + restrictionsPasscodeFile
 print("Attempting to bruteforce restrictions passcode (this could take a minute)...")
 if not os.path.isfile(passcodeFileLoc):
 	print("There is no restrictions passcode set on this device.")
 	sys.exit(-1)

 with open(passcodeFileLoc,'r') as encFile:
 	data = encFile.read().replace('\n','')
 	data = data.replace('\t','') # remove tabs and newlines in plist

 bytes64 = (data.split("<key>RestrictionsPasswordKey</key><data>"))[1].split("</data>")[0]
 salt64 = (data.split("<key>RestrictionsPasswordSalt</key><data>"))[1].split("</data>")[0]

 encodedBytes = binascii.a2b_base64(bytes64.encode())
 encodedSalt = binascii.a2b_base64(salt64.encode())

 startTime = time.time()
 for i in range(10000):
 	encodedTry = binascii.a2b_base64(binascii.b2a_base64((str(i).zfill(4)).encode()))
 	tried = hashlib.pbkdf2_hmac('sha1',encodedTry,encodedSalt,1000)
 	if tried == encodedBytes:
 		elapsedTime = (time.time()) - startTime;
 		print("[FOUND] Retrieved passcode in %d seconds" % elapsedTime)
 		print("Restrictions passcode is: " + str(i).zfill(4))
 		break

 if len(sys.argv) < 2:
 	# cleanup
 	print("Cleaning up...")
 	shutil.rmtree(backupDir)
	# bfrestrict.py - bruteforce iOS restrictions passcode
	#
	# if you don't have an unencrypted backup folder ready, just plug in the device and run this program
	#
	# Note: make sure you have libimobiledevice installed (we need idevicebackup2) if you plan to plug-and-play
	#
	# made by Dayton Hasty (c)2018
	import os
	import sys
	import hashlib
	import binascii
	import time
	import subprocess
	import shutil
	from multiprocessing import Process

	def backup():
	subprocess.call(['idevicebackup2','backup','.'])

	restrictionsPasscodeFile = "398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b"

	if len(sys.argv) >= 2 and sys.argv[1] == "-h":
	print("usage: %s [backup directory]" % sys.argv[0])
	sys.exit(-1)
	if len(sys.argv) < 2:
	print("Getting files from device...")
	# we need to make a backup
	# also make sure encryption is off
	subprocess.call(['idevicebackup2','encryption','off','.'])
	firstDirList = os.listdir(".")
	p = Process(target=backup,args=())
	p.daemon = True
	p.start()
	time.sleep(10)
	nowDirList = os.listdir(".")
	newFiles = list(set(nowDirList) - set(firstDirList))
	backupDir = str(newFiles[0])
	print("backup dir is " + backupDir)
	while True:
	print("Waiting for restrictions settings file...")
	time.sleep(10)
	if os.path.isfile(backupDir + "/Snapshot/39/" + restrictionsPasscodeFile):
	print("\n[DONE] Restrictions file found, stopping backup service...")
	time.sleep(2)
	subprocess.call(['pkill','idevicebackup2'])
	p.terminate()
	time.sleep(0.1)
	p.join()
	passcodeFileLoc = backupDir + "/Snapshot/39/" + restrictionsPasscodeFile
	break
	else:
	backupDir = sys.argv[1]
	passcodeFileLoc = backupDir + "/" + restrictionsPasscodeFile
	print("Attempting to bruteforce restrictions passcode (this could take a minute)...")
	if not os.path.isfile(passcodeFileLoc):
	print("There is no restrictions passcode set on this device.")
	sys.exit(-1)

	with open(passcodeFileLoc,'r') as encFile:
	data = encFile.read().replace('\n','')
	data = data.replace('\t','') # remove tabs and newlines in plist

	bytes64 = (data.split("<key>RestrictionsPasswordKey</key><data>"))[1].split("</data>")[0]
	salt64 = (data.split("<key>RestrictionsPasswordSalt</key><data>"))[1].split("</data>")[0]

	encodedBytes = binascii.a2b_base64(bytes64.encode())
	encodedSalt = binascii.a2b_base64(salt64.encode())

	startTime = time.time()
	for i in range(10000):
	encodedTry = binascii.a2b_base64(binascii.b2a_base64((str(i).zfill(4)).encode()))
	tried = hashlib.pbkdf2_hmac('sha1',encodedTry,encodedSalt,1000)
	if tried == encodedBytes:
	elapsedTime = (time.time()) - startTime;
	print("[FOUND] Retrieved passcode in %d seconds" % elapsedTime)
	print("Restrictions passcode is: " + str(i).zfill(4))
	break

	if len(sys.argv) < 2:
	# cleanup
	print("Cleaning up...")
	shutil.rmtree(backupDir)