10 Mar 2017 update: thanks to the commenters, the instructions below are proven to work from iOS 7 up to iOS 10.2.1

My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…
Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).
Some commercial software claim to help you with recovering the restrictions PIN code, but I would rather try to learn something new and share my findings since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.

Sources of information:

Steps to recover your iOS restrictions PIN code:

1. Backup device

I used iTunes to Backup her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer. Make sure your backup is NOT encrypted, so untick the relevant checkbox in iTunes. Finally, in this instance, there is no point to backup to iCloud, since we need to be able to read unencrypted files stored locally. Once you are done with the instructions below, you can revert your iTunes backup settings to what they were.

Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.

You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.

2. Use pinfinder to get your restrictions PIN

This excellent program written in Go was kindly developed by a commenter, Gareth Watts, who first released it on Sun 11 Oct 2015.

2.1 Download latest version of pinfinder

The source code is available for the greater good of humanity, but for those in a hurry, Gareth was kind enough to release binaries for Mac, Windows (32 and 64 bit, from XP to 10) and Linux.

2.2 Follow instructions in pinfinder‘s ReadMe

Simply refer to the Usage notes in the ReadMe and let the digital magic happen!

To all users of recent versions of Mac OS X (since Max OS X Lion 10.7.5), you can safely download Gareth’s binary for Mac (double click the *.tar.gz file to uncompress pinfinder), but make sure to run it by doing a right click > Open on pinfinder.
In effect, a simple double click on pinfinder will trigger a Gatekeeper dialog with the only option to cancel execution, but using the contextual menu triggers a Gatekeeper dialog with the option to open (run) the binary anyway (i.e. I trust the developer of this program…).

In the unlikely case where pinfinder runs but fails to return your code, then you may have a corrupt restrictions PIN code and your best chance would be to reset it using the instructions by J-dizzle in the comments for this post, comment dated 28 Apr 2015.

The following steps (3 onwards) below are now redundant and only kept for reference since they have been automated in pinfinder.

3. Get the restrictions password property list file

3.1 Slow, but easy way

Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.

The file you need is at iOS Files/Library/Preferences/com.apple.restrictionspassword.plist

This method is slow because you need to extract many files, even if actually you only need one: the restrictions password plist file.

Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.

3.2 Fast, but less easy way

Instead of the slow but easy way, you could use the following command in the Terminal:

echo -n "HomeDomain-Library/Preferences/com.apple.restrictionspassword.plist" | openssl sha1

You could substitute openssl sha1 with shasum since both would return the hashed file name you need:

398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

The full path to the file in the iTunes backup is:

~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.

4. Get restrictions hash and salt

The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:

  1. RestrictionPasswordKey (a.k.a hash)
  2. RestrictionsPasswordSalt

Sample contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>RestrictionsPasswordKey</key>
    <data>
    base64string_hash_value (28 character long)
    </data>
    <key>RestrictionsPasswordSalt</key>
    <data>
    base64string_salt_value (8 character long)
    </data>
</dict>
</plist>

The data values are encoded in base 64 with many ways to decode them:

  • If you have Xcode installed, you could use its plist editor to decode the values (hex dump)
  • Use command defaults read file.plist in the Terminal (hex dump)
  • Use command plutil -p file.plist in the Terminal (hex dump)
  • Use command /usr/libexec/PlistBuddy -c Print file.plist in the Terminal (text dump, pipe to command xxd to convert hex)
  • My favourite, use command echo -n base64string_from_plist | base64 -D | xxd -p in the Terminal (hex dump)

The hex value for the hash should be 40 character long and the hex value for the salt should be 8 character long.

5. Get the restrictions PIN code

Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):

sudo cpan install Crypt::PBKDF2

Use the previously decoded hex values of hash and salt as arguments to the perl script ios7.pl from philsmd:

#!/usr/bin/env perl
use Crypt::PBKDF2;

if (@ARGV < 2) {   
   print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
   exit (1); 
} 
my $match = pack ("H*", $ARGV[0]); # TODO: check if it is of length 40 
my $salt  = pack ("H*", $ARGV[1]); # of length 8? 
my $iter  = 1000; 
my $pbkdf2 = Crypt::PBKDF2->new (hash_class => 'HMACSHA1', iterations => $iter);
my $num;
for ($num = 0; $num < 10000; $num++) {
   my $pass = sprintf ("%04d", $num);
   my $hash = $pbkdf2->PBKDF2 ($salt, $pass);
   if ($match eq $hash) {
      printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
      exit (0);
   }
}
exit (1);

Use command:

time ios7.pl hex_hash hex_salt

Command time is added just to measure how long the command takes to run.

The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):

hex_hash:hex_salt:1000:XXXX

real	0m39.239s
user	0m39.130s
sys	0m0.055s

Disclaimer: you should only use the above tip for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!