@MDX-Tom
MDX-Tom / Readme.md
Last active April 22, 2025 03:34
Bruteforce 4-digit passcode on iPhone 5 iOS 9~10 via SSH Ramdisk

Here is a guide for automatically bruteforcing 4-digit passcodes on iPhone 5 using only a computer and a USB cable (without an MFC Dongle). My device is an iPhone5,2 (iPhone 5 Global) on iOS 9.2 (FMI OFF). The steps below may work on other 32-bit devices or other iOS versions (see below for tested working devices and iOS versions), but will not work on any 64-bit devices.

See https://www.reddit.com/r/setupapp/comments/1ha2arg/bruteforce_4digit_passcode_on_iphone_5_ios_9_via/ for discussions.

Updated 10 Jan. 2025:

A more powerful guide for bruteforcing 32-bit devices was released by a Reddit user: https://www.reddit.com/r/setupapp/comments/1hw5bfa/bruteforcing_32bit_iphones_ondevice_4_digit_pin/

@dhinakg
dhinakg / details.md
Last active May 7, 2025 13:45
tools.lancely.tech archive

Please link to this page instead of linking to the direct download links.

Direct download links

Warning

If this gets maliciously high traffic (i.e. abusing multiple connections), I will have to shut this down. This is hosted on Azure Block Storage; it's not free, so be kind.

@LukeZGD
LukeZGD / Home Depot Offsets iOS 8.x.txt
Last active January 9, 2024 14:58
Home Depot Offsets iOS 8.x
Home Depot Offsets iOS 8.x.
Found with the help of https://github.com/Merculous/OF32
bufattr_cpx and bx_lr offsets: first result of searching hex 00687047
A5 offsets should work. Tested working: 8.0, 8.3, 8.4.1
A6 does not seem to work at all on Home Depot, possibly because of something to do with the Trident exploit.
A5 8.0-8.0.2
0x2c5308
0x2c73e8
0x1ba80

@MTACS
MTACS / hosted.md
Last active November 30, 2023 22:16
Hosted Preference bundle

Hosted Preference Bundles

Create a "hosted" view of a preference bundle outside of Preferences.app, and in a dedicated application.

For application

  • Create new tweak using "iphone/application_modern" template
  • In the app's delegate file add the following to the -(void)applicationDidFinishLaunching:(UIApplication *)application; method:

@m1stadev
m1stadev / generator-apnonce.md
Last active January 19, 2025 10:30
Short guide on how to get a generator-apnonce pair for A12+ iOS devices (both jailbroken and non-jailbroken).

What's nonce entanglement?

Beginning with devices using an A12 SoC or higher, Apple introduced nonce entangling.

  • This meant that, when saving SHSH blobs, a nonce generator would generate a different ApNonce for each device.
  • When saving SHSH blobs for an A12+ device, you now must find a generator-ApNonce pair for your device, then use that generator-ApNonce pair when saving SHSH blobs.
  • After you have found a generator-ApNonce pair for your device, you can save it and re-use it whenever you save SHSH blobs again.

Getting a generator-ApNonce pair (jailbroken)

  1. (iOS 14+ only) Install an iOS kernel r/w library.
    • On Taurine, install libkernrw.
    • On unc0ver, install libkrw.

@LukeZGD
LukeZGD / com.atwiiks.controlcenterx5.plist
Last active January 9, 2024 15:09
Horseshoe plist. To be placed in: /var/mobile/Library/Preferences
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SectionsEnabledIdentifiers</key>
<array>
<string>com.apple.controlcenter.settings</string>
<string>com.apple.controlcenter.brightness</string>
<string>com.atwiiks.controlcenterx.volume-slider</string>
<string>com.atwiiks.controlcenterx.air-night</string>

@Siguza
Siguza / phoenix.c
Last active September 2, 2024 15:49
Phœnix exploit / iOS 9.3.5
// Bugs by NSO Group / Ian Beer.
// Exploit by Siguza & tihmstar.
// Thanks also to Max Bazaliy.
#include <stdint.h> // uint32_t, uint64_t
#include <stdio.h> // fprintf, stderr
#include <string.h> // memcpy, memset, strncmp
#include <unistd.h> // getpid
#include <mach/mach.h>
#include <stdlib.h>

@LukeZGD
LukeZGD / untether-patch.md
Last active January 9, 2024 15:09
Disable EtasonJB's "bootloop protection"

@tihmstar
tihmstar / Odyssey14_leak.cpp
Last active April 27, 2021 17:13
Stable internal kernelRW primitives #odyssey14 #leak
extern "C"
void initKernRw(mach_port_t dstTask, uint64_t dstTaskAddr, uint64_t (*kread64)(uint64_t addr), void (*write_20)(uint64_t addr, const void *buf)){
KernelRW *newKrw = new KernelRW;
auto p = newKrw->getPrimitivepatches(kread64,dstTaskAddr);
{
uint8_t buf[20];
for (int i=0; i<sizeof(buf); i+=8) {
*((uint64_t*)&buf[i]) = kread64(p.where-20+8+4+i);

@LukeZGD
LukeZGD / ios-downgrade-dualboot.md
Last active May 23, 2025 23:53
Downgrade and dualboot status of almost all iOS devices

UPDATED: 2025-04-04