Recover your forgotten iOS 7 to 11 restrictions PIN code iOS 12 Screen Time passcode

Sun 14 Apr 2019 update: thanks to all commenters giving feedback, the instructions below are proven to work from iOS 7 up to iOS 12.2. Thanks to Gareth Watts, pinfinder version 1.7.0 released on Fri 19 Oct 2018 works with iTunes encrypted backups (decryption password must be known) for an iOS 12 device.

My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…
Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).
Some commercial software claim to help you with recovering the restrictions PIN code, but I would rather try to learn something new and share my findings since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.

Sources of information:

• iTunes Backup wiki on the iPhone wiki
• Wikipedia article on SHA-1
• Wikipedia article on PBKDF2
• A good introduction to openssl by Steven Gordon
• Wikipedia article on Base64
• An interesting forum thread, in particular the posts from magnum and philsmd for his ios7.pl perl script (dependency on the Crypt::PBKDF2 perl library)
• Corresponding commit to JohnTheRipper
• Web based javascript implementation at http://ios7hash.derson.us
• Ultimate implementation written in Go: pinfinder by Gareth Watts (releases) with simple instructions.

Steps to recover your iOS restrictions PIN code:

1. Backup device

I used iTunes to Backup her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer. If your iOS device is older than iOS 12, then your iTunes backup does not have to be encrypted unless you can use pinfinder version 1.6.0 or more. Since iOS 12, you must make an encrypted iTunes backup and use pinfinder version 1.7.0 or more. Note that in this instance, there is no point to backup to iCloud, since pinfinder needs to be able to read backup files stored locally. Once you are done with the instructions below, you can revert your iTunes backup settings to what they were.

Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.

You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.

2. Use pinfinder to get your restrictions PIN

This excellent program written in Go was kindly developed by a commenter, Gareth Watts, who first released it on Sun 11 Oct 2015.

2.1 Download latest version of pinfinder

The source code is available for the greater good of humanity, but for those in a hurry, Gareth was kind enough to release binaries for Mac, Windows and Linux.

Gareth Watts released pinfinder version 1.6.0 on Wed 27 Dec 2017. This version is the first one able to deal with iTunes encrypted backups (decryption password must be known). Version 1.7.0 released on Fri 19 Oct 2018 added support for iOS 12 devices.

2.2 Follow instructions in pinfinder‘s ReadMe

Simply refer to the instructions website referenced in the ReadMe, let the digital magic happen and consider supporting Gareth Watts’ excellent work!

To all users of recent versions of Mac OS X (since Max OS X Lion 10.7.5), you can safely download Gareth’s binary for Mac (double click the *.tar.gz file to uncompress pinfinder), but make sure to run it by doing a right click > Open on pinfinder.
In effect, a simple double click on pinfinder will trigger a Gatekeeper dialog with the only option to cancel execution, but using the contextual menu triggers a Gatekeeper dialog with the option to open (run) the binary anyway (i.e. I trust the developer of this program…).

In the unlikely case where pinfinder runs but fails to return your code, then you may have a corrupt restrictions PIN code and your best chance would be to reset it using the instructions by J-dizzle in the comments for this post, comment dated 28 Apr 2015.

The following steps (3 onwards) below are now redundant and only kept for reference since they have been automated in pinfinder.

Disclaimer: you should only use pinfinder for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!

################################################################################

3. Get the restrictions password property list file

3.1 Slow, but easy way

Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.

The file you need is at iOS Files/Library/Preferences/com.apple.restrictionspassword.plist

This method is slow because you need to extract many files, even if actually you only need one: the restrictions password plist file.

Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.

3.2 Fast, but less easy way

Instead of the slow but easy way, you could use the following command in the Terminal:

echo -n "HomeDomain-Library/Preferences/com.apple.restrictionspassword.plist" | openssl sha1

You could substitute openssl sha1 with shasum since both would return the hashed file name you need:

398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

The full path to the file in the iTunes backup is:

~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.

4. Get restrictions hash and salt

The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:

1. RestrictionPasswordKey (a.k.a hash)
2. RestrictionsPasswordSalt

Sample contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>RestrictionsPasswordKey</key>
    <data>
    base64string_hash_value (28 character long)
    </data>
    <key>RestrictionsPasswordSalt</key>
    <data>
    base64string_salt_value (8 character long)
    </data>
</dict>
</plist>

The data values are encoded in base 64 with many ways to decode them:

• If you have Xcode installed, you could use its plist editor to decode the values (hex dump)
• Use command defaults read file.plist in the Terminal (hex dump)
• Use command plutil -p file.plist in the Terminal (hex dump)
• Use command /usr/libexec/PlistBuddy -c Print file.plist in the Terminal (text dump, pipe to command xxd to convert hex)
• My favourite, use command echo -n base64string_from_plist | base64 -D | xxd -p in the Terminal (hex dump)

The hex value for the hash should be 40 character long and the hex value for the salt should be 8 character long.

5. Get the restrictions PIN code

Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):

sudo cpan install Crypt::PBKDF2

Use the previously decoded hex values of hash and salt as arguments to the perl script ios7.pl from philsmd:

#!/usr/bin/env perl
use Crypt::PBKDF2;

if (@ARGV < 2) {   
   print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
   exit (1); 
} 
my $match = pack ("H*", $ARGV[0]); # TODO: check if it is of length 40 
my $salt  = pack ("H*", $ARGV[1]); # of length 8? 
my $iter  = 1000; 
my $pbkdf2 = Crypt::PBKDF2->new (hash_class => 'HMACSHA1', iterations => $iter);
my $num;
for ($num = 0; $num < 10000; $num++) {
   my $pass = sprintf ("%04d", $num);
   my $hash = $pbkdf2->PBKDF2 ($salt, $pass);
   if ($match eq $hash) {
      printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
      exit (0);
   }
}
exit (1);

Use command:

time ios7.pl hex_hash hex_salt

Command time is added just to measure how long the command takes to run.

The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):

hex_hash:hex_salt:1000:XXXX

real	0m39.239s
user	0m39.130s
sys	0m0.055s

Disclaimer: you should only use the above tip for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!

Advertisement

Finding your public IP address

Finding your public IP address is handy when you want to run a server at home to share with people on the internet (website hosting, file sharing, remote control, etc…).

There are many ways to get it, but most of the time, they rely on reading information from a website such as What Is My IP, even a google search will return your address.

However, if you need to get it programmatically, the easiest way on Mac OS X is probably to use a UNIX command in the Terminal. The concept of public IP address becomes useless if you are not connected to the internet. Hence for this trick to work you will need:

• To be connected to the internet (with no proxy)
• To know a hostname or IP address on the web that you know would always be live online (you cannot use a local address or host)

The command to use in the Terminal is:
ping -R -c 1 nbalkota.wordpress.com

Refer to man ping for more details, but -R triggers the routing trace option and -c 1 makes ping use only 1 packet so the command returns as quickly as possible.

This returns something like:

PING e3191.dscc.akamaiedge.net (2.18.125.15): 56 data bytes
64 bytes from 2.18.125.15: icmp_seq=0 ttl=58 time=61.766 ms
RR: host-78-150-157-159.as13285.net (78.150.157.159)
host-78-150-144-1.as13285.net (78.150.144.1)
10.160.1.3
loop0-rt001.man.as13285.net (62.24.240.248)
talktalk-ic.lon2.uk.atrato.net (80.94.66.14)
eth1-1.r1.lon2.uk.atrato.net (78.152.44.163)
eth1-3.core1.lon1.uk.atrato.net (78.152.44.102)
78.152.40.32
a92-122-210-1.deploy.akamaitechnologies.com (92.122.210.1)

--- e3191.dscc.akamaiedge.net ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 61.766/61.766/61.766/0.000 ms

The first IP address returned is the IP address of the hostname you used. Your public IP is the second IP address listed or the first one on the line starting with “RR: “. In the above example, that is 78.150.157.159

Alternatively, you could subscribe to a Dynamic DNS service and install a software that updates your IP address as it changes. That way, your server becomes accessible from the internet using a static hostname.

Recovering a non-readable disk on Mac OS X

Today, as I intended to perform my regular Time Machine backup, I got welcomed by a very scary message when I connected my external hard disk to my MacBook.

The disk you inserted you inserted was not readable by this computer.

Now, I take pride in having never ever lost any data on my Macs since 1998, so I was concerned this might be the end of my record…

In Disk Utility the drive device was listed, but no volume could be mounted due to a corrupted partition map. Don’t ask me how it got corrupted in the first place. I would guess the disk did not like being unplugged without using the eject command…

Anyway, salvation can come at no cost by using the Terminal in Mac OS X (assuming you have administrative rights):

1. Connect your external disk
2. Start terminal and use the 3 commands in bold red below (make sure to change the disk number to match your setup based on the first command)
3. If the last command was successful, disconnect and reconnect your disk, which should now be OK

IronMan:~ nbalkota$ diskutil list
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *250.1 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_HFS IronMan 249.2 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *1.0 TB disk1
1: 0xEE 1.0 TB disk1s1
IronMan:~ nbalkota$ sudo gpt recover /dev/disk1

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
gpt recover: /dev/disk1: recovered primary GPT table from secondary
gpt recover: /dev/disk1: recovered primary GPT header from secondary
IronMan:~ nbalkota$ diskutil eject /dev/disk1
Disk /dev/disk1 ejected

An alternative to the second command (gpt) would be diskutil repairDisk /dev/disk1

Note than the manpage for gpt does not cover the recover option whereas the manpage for diskutil does cover the repairDisk option.

Create a Mac OS X application from a Java jar

Apple’s developer tools come with a neat utility for bundling Java jar file into a Mac OS X application: Jar Bundler.

It can be found at /usr/share/java/Tools on Lion.

First add your Jar file to the “Additional Files and Resources” panel. It should contain a Main Class (i.e. be a Java Application).

Specify the Java Main Class name and other Mac OS X specific options (e.g. Application icon, whether Java Swing’s JMenuBar should use the Mac OS X menu bar…).

Finally, specify other Application specific properties (e.g. version). You can also specify the JVM heap memory size (in MB) and other JVM options from here.

There you go, here is the Package Contents of the resulting Mac OS X application!

The resulting application is now well integrated into Mac OS X as shown in this Finder Get Info dialog.

The Java app used in the above example is PageSucker. The latest version is 3.2 but only exists for Windows, Mac OS 9 (Classic) and Mac OS X, but for PowerPC only. Using the instructions in this post will allow you to create an Intel compatible application for Mac OS X (including Lion…).

If you are lazy, you can get the version I did for Mac OS X 10.7 Lion: PageSucker.app.zip (not a real PDF, but a zip file…).

Set the visibility of files and folders on Mac OS X

This is a bit of legacy from Apple’s Pre-Mac OS X systems: files or folders could be set invisible (via software like FileBuddy) or locked (via the Finder)…

In Mac OS X, if you have installed Apple’s free developer tools, these contain a command line utility to manipulate HFS+ attributes:

which setfile ; setfile -h
/usr/bin/setfile
Usage: SetFile [option...] file...
-a attributes # attributes (lowercase = 0, uppercase = 1)*
-c creator # file creator
-d date # creation date (mm/dd/[yy]yy [hh:mm[:ss] [AM | PM]])*
-m date # modification date (mm/dd/[yy]yy [hh:mm[:ss] [AM | PM]])*
-P # perform action on symlink instead of following it
-t type # file type

Note: The following attributes may be used with the -a option:
A Alias file
B Bundle
C Custom icon*
D Desktop*
E Hidden extension*
I Inited*
M Shared (can run multiple times)
N No INIT resources
L Locked
S System (name locked)
T Stationery
V Invisible*
Z Busy*

Note: Items marked with an asterisk (*) are allowed with folders
Note: Period (.) represents the current date and time.
Note: [yy]yy < 100 assumes 21st century, e.g. 20yy

See also man SetFile…

File sharing with Mac OS X 10.7 Lion

Before Mac OS X Lion, in System Preferences > Sharing > File Sharing > Options… you had the option to use FTP to share your files. Note that this did not enable the FTP anonymous user, which needed some Terminal wizardry. Instead, you could use PureFTPd Manager to have a nice GUI to configure FTP with anonymous user access, but Lion is not supported (yet?).

Since Mac OS X Lion, Apple removed the GUI to enable FTP file sharing. FTP protocol has probably been deemed too unsecure (your password string and any data would travel the ether without any encryption).

Only AFP or SMB (CIFS) remain in Lion’s File Sharing Preference Pane. The FTP checkbox is gone…

What if I simply want a quick and easy way to share files with others without the need for an account or password?

This is the whole point of setting up a FTP server with an anonymous user!

So what’s the alternative for Lion’s users?

You can still enable FTP in Lion, but now only via the Terminal with administrative permissions:

1. Add the FTP service to the launchd database (the FTP daemon will be started at the same time and restarted on demand):
sudo launchctl load -w /System/Library/LaunchDaemons/ftp.plist
2. Stop (temporarily) the FTP daemon: 
sudo launchctl stop com.apple.ftpd
3. Start (after a stop) the FTP daemon: 
sudo launchctl start com.apple.ftpd
4. Remove the FTP service from the launchd database:
sudo launchctl unload /System/Library/LaunchDaemons/ftp.plist

Easy for the Terminal addicts, but like before via the GUI, FTP in Mac OS X still lacks an anonymous user (see man ftpd for more info).

Luckily, for the rest of Mac users, there is a more secure protocol and it can be easily configured using only the System Preferences GUI.

Simply create a standard user in the Users & Groups System Preference Pane. You can decide to set it with a password that you will share with others (e.g. the same as its userid).

In the absence of a pre-configured anonymous FTP user in Mac OS X, the next best thing is to create a dummy user with permissions restricted to only upload / download files…

You can further limit what this user could do (particularly locally) by enabling Parental Controls (i.e. degrade it from standard to managed user).

If you go for a no password dummy user account, remember to enable Parental Controls to restrict what this user can do (e.g. disable changing the password, Time Limits…)

Finally, enable Remote Login in the Sharing Preference Pane. This will enable ssh remote login, but implicitly and more importantly for us: sftp.

Enabling Remote Login will also enable the SecureFTP service. Also consider limiting access only to the dummy user if you created one…

Others can now access the files held by user with the address sftp://user@<ip or hostname> or by using the equivalent command in a Terminal: sftp user@<ip or hostname>.

If you do not want to have to share an IP address, consider using a free dynamic DNS service…

Mac OS X Lion – opendirectoryd bug?

Symptoms since using Mac OS X Lion (still relevant in the latest version of Lion: 10.7.5 released on 19 September 2012):

• Your Mac starts feeling sluggish with some unexplained CPU usage
• Your are unable to start any Application (even logout or restart as this needs to spawn a new process under the hood… your only chance is to switch user)
• You are unable to open the Terminal or use certain commands in it:
  • id
  • sudo
  • whoami
• You are no longer you (reported as User ‘????’ in Activity Monitor)
• Your console is filled with message similar to this:

  • xpchelper[123]: getpwuid_r() failed for UID: 501, ret: 0, errno: 0

If you search the web for the above, you will see that you are not alone having this problem…

Activity Monitor showing higher than usual CPU usage. Note that the sum of highest % CPU Processes is less than the reported % User and % System combined.

Oh my God!!! Terminal won’t even start!

No wonder your Mac is slow… Look at the rate of logging in the Console application! One pid gets created every 20 ms on my MacBook…

So, what is the way to deal with this until Apple issues a fix in a future update (this bug seems to have been fixed since Mac OS X Mountain Lion 10.8)?

Well, if you had Activity Monitor or a Terminal running before the problem occurred, you can simply quit the process named opendirectoryd (it will be automatically restarted by launchd) and then magically, your Mac will behave normally again.

Alternatively, switch user to kill opendirectoryd from the new session with administrative rights.

Quit / Force Quit opendirectoryd from the list to get back to normal…

There you go, %CPU back to normal, opendirectoryd automatically restarted, your Mac is now back to normal.

To all MobileMe users…

… It is now time to backup before moving to alternative online hosting solutions…

If you are looking for a replacement for iWeb, look no further than here: WordPress.com has matured into a convenient website creation tool. Sure, it is not an App as it is web based, but it allows to work your site on any Apple iDevices (iWeb was never release for iPad, iPhone or iPod touch). Sure, it might not be as WYSIWYG as iWeb or other App, but the template are nice and flexible enough for most users. Contrary to iWeb, you will also find that a WordPress.com website is much lighter and hence faster to load and dynamic (i.e. presentation changes based on which device is used to access it, like an iPhone…).

The MobileMe galleries were well integrated with iPhoto, but creating one in WordPress.com is as easy as drag and drop. Alternatively, for galleries, consider ZangZing (Edit 2012-08-05: ZangZing will be shutting down on 2012-08-31).

I will miss the iDisk: its integration in MacOS X and how easy it was to share files hosted on it… However, by then, people must already know DropBox. It is an excellent alternative (and didn’t you find the rate of transfer of the iDisk appalling? Slower than old good FTP/SSH…).

For the Mails, Contacts, Calendars, look no further than Apple’s own iCloud. The first 5 GB come free with every account you create…

Forgotten dotMac, farewell MobileMe, long live iCloud!

Swatch watch batteries

Here is some information about the various batteries used in Swatch® watches I have around me.

• Irony Medium (e.g. Black Flower): 
  • Reference: 177 / 376 / 377 / SR66 / AG4 / SR626SW
  • Size: 6.8 x 2.6 mm
• Mini (e.g. Red Cherry):
  • Reference: 329 / SR731SW
  • Size: 7.9 x 3.1 mm
• Skin (e.g. Flower Delight):
  • Reference: SR516 / 317
  • Size: 5.8 x 1.6 mm
• Original / Lumi:
  • Reference: SR54 / AG10 / 189 / 387 / 389 / 390
  • Size: 11.6 x 3.1 mm
• Chrono Standard (Iron/Alu):
  • Reference: SR45 / AG9 / 194 / 394
  • Size: 9.5 x 3.6 mm

The alternative… solar powered watches like the Citizen Eco-Drive. These require no maintenance that might compromise their water resistance!

Step 1 – Pick a theme…

I cannot make up my mind for my first online memento…

WordPress offers so many themes! I am looking for something that is comfortable to read and not over stylish.

After playing a bit with the live previews, I am tempted by (in alphabetical order):

• Elegant Grunge (a bit too monochromatic)
• Notepad (very iOS Notes inspired)
• Twenty Eleven (if I switch to a dark theme, I think I would go with this one…)

I will get started with Notepad as it ticks all my boxes in terms of functionality and it has a very clear layout.

Make sense to use a notepad as an aide-mémoire anyway…