Sun 14 Apr 2019 update: thanks to all commenters giving feedback, the instructions below are proven to work from iOS 7 up to iOS 12.2. Thanks to Gareth Watts, pinfinder version 1.7.0 released on Fri 19 Oct 2018 works with iTunes encrypted backups (decryption password must be known) for an iOS 12 device.
My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…
Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).
Some commercial software claims to help you recover the restrictions PIN code, but I would rather try to learn something new and share my findings, since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.
Sources of information:
- iTunes Backup wiki on the iPhone wiki
- Wikipedia article on SHA-1
- Wikipedia article on PBKDF2
- A good introduction to openssl by Steven Gordon
- Wikipedia article on Base64
- An interesting forum thread, in particular the posts from magnum and philsmd for his ios7.pl perl script (dependency on the Crypt::PBKDF2 perl library)
- Corresponding commit to JohnTheRipper
- Web based javascript implementation at http://ios7hash.derson.us
- Ultimate implementation written in Go: pinfinder by Gareth Watts (releases) with simple instructions.
Steps to recover your iOS restrictions PIN code:
1. Backup device
I used iTunes to back up her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer. If your device runs a version older than iOS 12, then your iTunes backup does not have to be encrypted; an encrypted backup only works if you can use pinfinder version 1.6.0 or later. Since iOS 12, you must make an encrypted iTunes backup and use pinfinder version 1.7.0 or later. Note that in this instance, there is no point in backing up to iCloud, since pinfinder needs to be able to read backup files stored locally. Once you are done with the instructions below, you can revert your iTunes backup settings to what they were.
Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.
You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.
2. Use pinfinder to get your restrictions PIN
This excellent program written in Go was kindly developed by a commenter, Gareth Watts, who first released it on Sun 11 Oct 2015.
2.1 Download latest version of pinfinder
The source code is available for the greater good of humanity, but for those in a hurry, Gareth was kind enough to release binaries for Mac, Windows and Linux.
Gareth Watts released pinfinder version 1.6.0 on Wed 27 Dec 2017. This version is the first one able to deal with iTunes encrypted backups (decryption password must be known). Version 1.7.0 released on Fri 19 Oct 2018 added support for iOS 12 devices.
2.2 Follow instructions in pinfinder’s ReadMe
Simply refer to the instructions website referenced in the ReadMe, let the digital magic happen and consider supporting Gareth Watts’ excellent work!
To all users of recent versions of Mac OS X (since Mac OS X Lion 10.7.5), you can safely download Gareth’s binary for Mac (double click the *.tar.gz file to uncompress pinfinder), but make sure to run it by doing a right click > Open on pinfinder.
Indeed, a simple double click on pinfinder will trigger a Gatekeeper dialog with the only option to cancel execution, but using the contextual menu triggers a Gatekeeper dialog with the option to open (run) the binary anyway (i.e. I trust the developer of this program…).
In the unlikely case where pinfinder runs but fails to return your code, then you may have a corrupt restrictions PIN code and your best chance would be to reset it using the instructions by J-dizzle in the comments for this post, comment dated 28 Apr 2015.
The steps below (3 onwards) are now redundant and only kept for reference, since they have been automated in pinfinder.
Disclaimer: you should only use pinfinder for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!
################################################################################
3. Get the restrictions password property list file
3.1 Slow, but easy way
Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.
The file you need is at iOS Files/Library/Preferences/com.apple.restrictionspassword.plist
This method is slow because you need to extract many files, even if actually you only need one: the restrictions password plist file.
Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.
3.2 Fast, but less easy way
Instead of the slow but easy way, you could use the following command in the Terminal:
echo -n "HomeDomain-Library/Preferences/com.apple.restrictionspassword.plist" | openssl sha1
You could substitute openssl sha1 with shasum since both would return the hashed file name you need:
398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b
The full path to the file in the iTunes backup is:
~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b
This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.
4. Get restrictions hash and salt
The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:
- RestrictionsPasswordKey (a.k.a. hash)
- RestrictionsPasswordSalt
Sample contents:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>RestrictionsPasswordKey</key>
        <data>
        base64string_hash_value (28 characters long)
        </data>
        <key>RestrictionsPasswordSalt</key>
        <data>
        base64string_salt_value (8 characters long)
        </data>
    </dict>
    </plist>
The data values are base64-encoded, and there are many ways to decode them:
- If you have Xcode installed, you could use its plist editor to decode the values (hex dump)
- Use command
  defaults read file.plist
  in the Terminal (hex dump)
- Use command
  plutil -p file.plist
  in the Terminal (hex dump)
- Use command
  /usr/libexec/PlistBuddy -c Print file.plist
  in the Terminal (text dump, pipe to command xxd to convert to hex)
- My favourite, use command
  echo -n base64string_from_plist | base64 -D | xxd -p
  in the Terminal (hex dump)
The hex value for the hash should be 40 characters long and the hex value for the salt should be 8 characters long.
5. Get the restrictions PIN code
Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):
sudo cpan install Crypt::PBKDF2
Use the previously decoded hex values of hash and salt as arguments to the perl script ios7.pl from philsmd:
    #!/usr/bin/env perl
    use Crypt::PBKDF2;

    if (@ARGV < 2)
    {
      print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
      exit (1);
    }

    # Convert the hex arguments to raw bytes
    my $match = pack ("H*", $ARGV[0]); # TODO: check if it is of length 40
    my $salt  = pack ("H*", $ARGV[1]); # of length 8?

    my $iter = 1000;

    my $pbkdf2 = Crypt::PBKDF2->new (hash_class => 'HMACSHA1', iterations => $iter);

    my $num;

    # Try every 4 digit PIN code from 0000 to 9999
    for ($num = 0; $num < 10000; $num++)
    {
      my $pass = sprintf ("%04d", $num);
      my $hash = $pbkdf2->PBKDF2 ($salt, $pass);

      # A match prints hash:salt:iterations:PIN and stops
      if ($match eq $hash)
      {
        printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
        exit (0);
      }
    }

    # No PIN code matched
    exit (1);
Use command:
time ios7.pl hex_hash hex_salt
Command time is added just to measure how long the command takes to run.
The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):
    hex_hash:hex_salt:1000:XXXX

    real 0m39.239s
    user 0m39.130s
    sys 0m0.055s
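Steps 3.2 to 5 combined in one self-contained script, added here as an example (it is not code from philsmd or pinfinder). It assumes Python 3, and it runs against a constructed sample plist with a made-up salt and PIN rather than a real backup file; all function names are illustrative.

```python
import hashlib
import hmac
import plistlib

ITERATIONS = 1000  # same iteration count as ios7.pl above
PLIST_PATH = "Library/Preferences/com.apple.restrictionspassword.plist"

def backup_file_name(domain, relative_path):
    """Step 3.2: a backup stores each file under SHA-1("<domain>-<path>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def derive(pin, salt):
    """PBKDF2-HMAC-SHA1 of the PIN, 20-byte output (40 hex characters)."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, ITERATIONS, dklen=20)

def read_restrictions_plist(raw):
    """Step 4: plistlib base64-decodes the <data> values to bytes."""
    plist = plistlib.loads(raw)
    key = plist["RestrictionsPasswordKey"]
    salt = plist["RestrictionsPasswordSalt"]
    if len(key) != 20 or len(salt) != 4:
        raise ValueError("expected a 20-byte hash and a 4-byte salt")
    return key, salt

def recover_pin(key, salt):
    """Step 5: try all 10,000 four-digit PINs; None if nothing matches."""
    for n in range(10000):
        pin = f"{n:04d}"
        if hmac.compare_digest(derive(pin, salt), key):
            return pin
    return None

def build_sample_plist(pin, salt):
    """Constructed test input: an XML plist shaped like the sample above."""
    return plistlib.dumps({"RestrictionsPasswordKey": derive(pin, salt),
                           "RestrictionsPasswordSalt": salt},
                          fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    print(backup_file_name("HomeDomain", PLIST_PATH))
    # Made-up PIN and salt, not taken from any device
    sample = build_sample_plist("0427", bytes.fromhex("a1b2c3d4"))
    key, salt = read_restrictions_plist(sample)
    print(key.hex(), salt.hex(), ITERATIONS, recover_pin(key, salt), sep=":")
```

The search space is only 10,000 candidates, so the 1000 PBKDF2 iterations add up to at most ten million HMAC rounds, which is why the salt and iteration count do not protect a 4 digit code once the plist is readable.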
Disclaimer: you should only use the above tip for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!