Skip to content

Instantly share code, notes, and snippets.

@dayt0n dayt0n/bfrestrict.py
Last active Oct 19, 2018

Embed
What would you like to do?
quickly bruteforce iOS restrictions passcode
# bfrestrict.py - bruteforce iOS restrictions passcode
#
# if you don't have an unencrypted backup folder ready, just plug in the device and run this program
#
# Note: make sure you have libimobiledevice installed (we need idevicebackup2) if you plan to plug-and-play
#
# made by Dayton Hasty (c)2018
import os
import sys
import hashlib
import binascii
import time
import subprocess
import shutil
from multiprocessing import Process
def backup():
subprocess.call(['idevicebackup2','backup','.'])
restrictionsPasscodeFile = "398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b"
if len(sys.argv) >= 2 and sys.argv[1] == "-h":
print("usage: %s [backup directory]" % sys.argv[0])
sys.exit(-1)
if len(sys.argv) < 2:
print("Getting files from device...")
# we need to make a backup
# also make sure encryption is off
subprocess.call(['idevicebackup2','encryption','off','.'])
firstDirList = os.listdir(".")
p = Process(target=backup,args=())
p.daemon = True
p.start()
time.sleep(10)
nowDirList = os.listdir(".")
newFiles = list(set(nowDirList) - set(firstDirList))
backupDir = str(newFiles[0])
print("backup dir is " + backupDir)
while True:
print("Waiting for restrictions settings file...")
time.sleep(10)
if os.path.isfile(backupDir + "/Snapshot/39/" + restrictionsPasscodeFile):
print("\n[DONE] Restrictions file found, stopping backup service...")
time.sleep(2)
subprocess.call(['pkill','idevicebackup2'])
p.terminate()
time.sleep(0.1)
p.join()
passcodeFileLoc = backupDir + "/Snapshot/39/" + restrictionsPasscodeFile
break
else:
backupDir = sys.argv[1]
passcodeFileLoc = backupDir + "/" + restrictionsPasscodeFile
print("Attempting to bruteforce restrictions passcode (this could take a minute)...")
if not os.path.isfile(passcodeFileLoc):
print("There is no restrictions passcode set on this device.")
sys.exit(-1)
with open(passcodeFileLoc,'r') as encFile:
data = encFile.read().replace('\n','')
data = data.replace('\t','') # remove tabs and newlines in plist
bytes64 = (data.split("<key>RestrictionsPasswordKey</key><data>"))[1].split("</data>")[0]
salt64 = (data.split("<key>RestrictionsPasswordSalt</key><data>"))[1].split("</data>")[0]
encodedBytes = binascii.a2b_base64(bytes64.encode())
encodedSalt = binascii.a2b_base64(salt64.encode())
startTime = time.time()
for i in range(10000):
encodedTry = binascii.a2b_base64(binascii.b2a_base64((str(i).zfill(4)).encode()))
tried = hashlib.pbkdf2_hmac('sha1',encodedTry,encodedSalt,1000)
if tried == encodedBytes:
elapsedTime = (time.time()) - startTime;
print("[FOUND] Retrieved passcode in %d seconds" % elapsedTime)
print("Restrictions passcode is: " + str(i).zfill(4))
break
if len(sys.argv) < 2:
# cleanup
print("Cleaning up...")
shutil.rmtree(backupDir)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.