dayt0n/bfrestrict.py

## bfrestrict.py
# bfrestrict.py - bruteforce iOS restrictions passcode
#
# if you don't have an unencrypted backup folder ready, just plug in the device and run this program
#
# Note: make sure you have libimobiledevice installed (we need idevicebackup2) if you plan to plug-and-play
#
# made by Dayton Hasty (c)2018
import os
import sys
import hashlib
import binascii
import time
import subprocess
import shutil
from multiprocessing import Process

def backup():
	subprocess.call(['idevicebackup2','backup','.'])

restrictionsPasscodeFile = "398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b"

if len(sys.argv) >= 2 and sys.argv[1] == "-h":
	print("usage: %s [backup directory]" % sys.argv[0])
	sys.exit(-1)
if len(sys.argv) < 2:
	print("Getting files from device...")
	# we need to make a backup
	# also make sure encryption is off
	subprocess.call(['idevicebackup2','encryption','off','.'])
	firstDirList = os.listdir(".")
	p = Process(target=backup,args=())
	p.daemon = True
	p.start()
	time.sleep(10)
	nowDirList = os.listdir(".")
	newFiles = list(set(nowDirList) - set(firstDirList))
	backupDir = str(newFiles[0])
	print("backup dir is " + backupDir)
	while True:
		print("Waiting for restrictions settings file...")
		time.sleep(10)
		if os.path.isfile(backupDir + "/Snapshot/39/" + restrictionsPasscodeFile):
			print("\n[DONE] Restrictions file found, stopping backup service...")
			time.sleep(2)
			subprocess.call(['pkill','idevicebackup2'])
			p.terminate()
			time.sleep(0.1)
			p.join()
			passcodeFileLoc = backupDir + "/Snapshot/39/" + restrictionsPasscodeFile
			break
else:
	backupDir = sys.argv[1]
	passcodeFileLoc = backupDir + "/" + restrictionsPasscodeFile
print("Attempting to bruteforce restrictions passcode (this could take a minute)...")
if not os.path.isfile(passcodeFileLoc):
	print("There is no restrictions passcode set on this device.")
	sys.exit(-1)

with open(passcodeFileLoc,'r') as encFile:
	data = encFile.read().replace('\n','')
	data = data.replace('\t','') # remove tabs and newlines in plist

bytes64 = (data.split("<key>RestrictionsPasswordKey</key><data>"))[1].split("</data>")[0]
salt64 = (data.split("<key>RestrictionsPasswordSalt</key><data>"))[1].split("</data>")[0]

encodedBytes = binascii.a2b_base64(bytes64.encode())
encodedSalt = binascii.a2b_base64(salt64.encode())

startTime = time.time()
for i in range(10000):
	encodedTry = binascii.a2b_base64(binascii.b2a_base64((str(i).zfill(4)).encode()))
	tried = hashlib.pbkdf2_hmac('sha1',encodedTry,encodedSalt,1000)
	if tried == encodedBytes:
		elapsedTime = (time.time()) - startTime;
		print("[FOUND] Retrieved passcode in %d seconds" % elapsedTime)
		print("Restrictions passcode is: " + str(i).zfill(4))
		break

if len(sys.argv) < 2:
	# cleanup
	print("Cleaning up...")
	shutil.rmtree(backupDir)
	# bfrestrict.py - bruteforce iOS restrictions passcode
	#
	# if you don't have an unencrypted backup folder ready, just plug in the device and run this program
	#
	# Note: make sure you have libimobiledevice installed (we need idevicebackup2) if you plan to plug-and-play
	#
	# made by Dayton Hasty (c)2018
	import os
	import sys
	import hashlib
	import binascii
	import time
	import subprocess
	import shutil
	from multiprocessing import Process

	def backup():
	subprocess.call(['idevicebackup2','backup','.'])

	restrictionsPasscodeFile = "398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b"

	if len(sys.argv) >= 2 and sys.argv[1] == "-h":
	print("usage: %s [backup directory]" % sys.argv[0])
	sys.exit(-1)
	if len(sys.argv) < 2:
	print("Getting files from device...")
	# we need to make a backup
	# also make sure encryption is off
	subprocess.call(['idevicebackup2','encryption','off','.'])
	firstDirList = os.listdir(".")
	p = Process(target=backup,args=())
	p.daemon = True
	p.start()
	time.sleep(10)
	nowDirList = os.listdir(".")
	newFiles = list(set(nowDirList) - set(firstDirList))
	backupDir = str(newFiles[0])
	print("backup dir is " + backupDir)
	while True:
	print("Waiting for restrictions settings file...")
	time.sleep(10)
	if os.path.isfile(backupDir + "/Snapshot/39/" + restrictionsPasscodeFile):
	print("\n[DONE] Restrictions file found, stopping backup service...")
	time.sleep(2)
	subprocess.call(['pkill','idevicebackup2'])
	p.terminate()
	time.sleep(0.1)
	p.join()
	passcodeFileLoc = backupDir + "/Snapshot/39/" + restrictionsPasscodeFile
	break
	else:
	backupDir = sys.argv[1]
	passcodeFileLoc = backupDir + "/" + restrictionsPasscodeFile
	print("Attempting to bruteforce restrictions passcode (this could take a minute)...")
	if not os.path.isfile(passcodeFileLoc):
	print("There is no restrictions passcode set on this device.")
	sys.exit(-1)

	with open(passcodeFileLoc,'r') as encFile:
	data = encFile.read().replace('\n','')
	data = data.replace('\t','') # remove tabs and newlines in plist

	bytes64 = (data.split("<key>RestrictionsPasswordKey</key><data>"))[1].split("</data>")[0]
	salt64 = (data.split("<key>RestrictionsPasswordSalt</key><data>"))[1].split("</data>")[0]

	encodedBytes = binascii.a2b_base64(bytes64.encode())
	encodedSalt = binascii.a2b_base64(salt64.encode())

	startTime = time.time()
	for i in range(10000):
	encodedTry = binascii.a2b_base64(binascii.b2a_base64((str(i).zfill(4)).encode()))
	tried = hashlib.pbkdf2_hmac('sha1',encodedTry,encodedSalt,1000)
	if tried == encodedBytes:
	elapsedTime = (time.time()) - startTime;
	print("[FOUND] Retrieved passcode in %d seconds" % elapsedTime)
	print("Restrictions passcode is: " + str(i).zfill(4))
	break

	if len(sys.argv) < 2:
	# cleanup
	print("Cleaning up...")
	shutil.rmtree(backupDir)