Sun 14 Apr 2019 update: thanks to all commenters giving feedback, the instructions below are proven to work from iOS 7 up to iOS 12.2. Thanks to Gareth Watts, pinfinder version 1.7.0 released on Fri 19 Oct 2018 works with iTunes encrypted backups (decryption password must be known) for an iOS 12 device.
My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…
Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).
Some commercial software claim to help you with recovering the restrictions PIN code, but I would rather try to learn something new and share my findings since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.
Sources of information:
- iTunes Backup wiki on the iPhone wiki
- Wikipedia article on SHA-1
- Wikipedia article on PBKDF2
- A good introduction to openssl by Steven Gordon
- Wikipedia article on Base64
- An interesting forum thread, in particular the posts from magnum and philsmd for his ios7.pl perl script (dependency on the Crypt::PBKDF2 perl library)
- Corresponding commit to JohnTheRipper
- Web based javascript implementation at http://ios7hash.derson.us
- Ultimate implementation written in Go: pinfinder by Gareth Watts (releases) with simple instructions.
Steps to recover your iOS restrictions PIN code:
1. Backup device
I used iTunes to Backup her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer. If your iOS device is older than iOS 12, then your iTunes backup does not have to be encrypted unless you can use pinfinder version 1.6.0 or more. Since iOS 12, you must make an encrypted iTunes backup and use pinfinder version 1.7.0 or more. Note that in this instance, there is no point to backup to iCloud, since pinfinder needs to be able to read backup files stored locally. Once you are done with the instructions below, you can revert your iTunes backup settings to what they were.
Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.
You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.
2. Use pinfinder to get your restrictions PIN
This excellent program written in Go was kindly developed by a commenter, Gareth Watts, who first released it on Sun 11 Oct 2015.
2.1 Download latest version of pinfinder
The source code is available for the greater good of humanity, but for those in a hurry, Gareth was kind enough to release binaries for Mac, Windows and Linux.
Gareth Watts released pinfinder version 1.6.0 on Wed 27 Dec 2017. This version is the first one able to deal with iTunes encrypted backups (decryption password must be known). Version 1.7.0 released on Fri 19 Oct 2018 added support for iOS 12 devices.
2.2 Follow instructions in pinfinder‘s ReadMe
Simply refer to the instructions website referenced in the ReadMe, let the digital magic happen and consider supporting Gareth Watts’ excellent work!
To all users of recent versions of Mac OS X (since Max OS X Lion 10.7.5), you can safely download Gareth’s binary for Mac (double click the *.tar.gz file to uncompress pinfinder), but make sure to run it by doing a right click > Open on pinfinder.
In effect, a simple double click on pinfinder will trigger a Gatekeeper dialog with the only option to cancel execution, but using the contextual menu triggers a Gatekeeper dialog with the option to open (run) the binary anyway (i.e. I trust the developer of this program…).
In the unlikely case where pinfinder runs but fails to return your code, then you may have a corrupt restrictions PIN code and your best chance would be to reset it using the instructions by J-dizzle in the comments for this post, comment dated 28 Apr 2015.
The following steps (3 onwards) below are now redundant and only kept for reference since they have been automated in pinfinder.
Disclaimer: you should only use pinfinder for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!
################################################################################
3. Get the restrictions password property list file
3.1 Slow, but easy way
Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.
The file you need is at iOS Files/Library/Preferences/com.apple.restrictionspassword.plist
This method is slow because you need to extract many files, even if actually you only need one: the restrictions password plist file.
Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.
3.2 Fast, but less easy way
Instead of the slow but easy way, you could use the following command in the Terminal:
echo -n "HomeDomain-Library/Preferences/com.apple.restrictionspassword.plist" | openssl sha1
You could substitute openssl sha1 with shasum since both would return the hashed file name you need:
398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b
The full path to the file in the iTunes backup is:
~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b
This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.
4. Get restrictions hash and salt
The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:
- RestrictionPasswordKey (a.k.a hash)
- RestrictionsPasswordSalt
Sample contents:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>RestrictionsPasswordKey</key> <data> base64string_hash_value (28 character long) </data> <key>RestrictionsPasswordSalt</key> <data> base64string_salt_value (8 character long) </data> </dict> </plist>
The data values are encoded in base 64 with many ways to decode them:
- If you have Xcode installed, you could use its plist editor to decode the values (hex dump)
- Use command
defaults read file.plistin the Terminal (hex dump) - Use command
plutil -p file.plistin the Terminal (hex dump) - Use command
/usr/libexec/PlistBuddy -c Print file.plistin the Terminal (text dump, pipe to commandxxdto convert hex) - My favourite, use command
echo -n base64string_from_plist | base64 -D | xxd -pin the Terminal (hex dump)
The hex value for the hash should be 40 character long and the hex value for the salt should be 8 character long.
5. Get the restrictions PIN code
Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):
sudo cpan install Crypt::PBKDF2
Use the previously decoded hex values of hash and salt as arguments to the perl script ios7.pl from philsmd:
#!/usr/bin/env perl
use Crypt::PBKDF2;
if (@ARGV < 2) {
print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
exit (1);
}
my $match = pack ("H*", $ARGV[0]); # TODO: check if it is of length 40
my $salt = pack ("H*", $ARGV[1]); # of length 8?
my $iter = 1000;
my $pbkdf2 = Crypt::PBKDF2->new (hash_class => 'HMACSHA1', iterations => $iter);
my $num;
for ($num = 0; $num < 10000; $num++) {
my $pass = sprintf ("%04d", $num);
my $hash = $pbkdf2->PBKDF2 ($salt, $pass);
if ($match eq $hash) {
printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
exit (0);
}
}
exit (1);
Use command:
time ios7.pl hex_hash hex_salt
Command time is added just to measure how long the command takes to run.
The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):
hex_hash:hex_salt:1000:XXXX real 0m39.239s user 0m39.130s sys 0m0.055s
Disclaimer: you should only use the above tip for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!
Cloudy Aide-Mémoire 
Jan 30, 2016 @ 18:49:09
it works
Feb 09, 2016 @ 07:37:01
This blog is excellent. Very much appreciated! Not only saved me from having to factory reboot my phone, but was a whole lot of fun along the way. #GeekOut
Feb 15, 2016 @ 07:27:18
Pinfinder worked like a dream! Thank you for the information.
Feb 17, 2016 @ 13:33:10
I used Gareth Watts PINFinder. This worked perfectly!! Thank you!!
Feb 21, 2016 @ 13:21:15
PINfinder was so easy, I almost couldn’t believe it. I had tried iPhone Backup Extractor with no luck–but I only downloaded the free version. It seems a bit more complicated than PINfinder. Thanks for this! I have got to disable the App store or my kid will never stop pestering me for new games!
Feb 25, 2016 @ 01:51:14
I am so glad I found this blog, I ran pinfinder and could not believe the pass code was found so quickly. I tried numerous jailbreak steps and free apps and none of them would find it. Thanks for taking your time and creating this program for us dumb asses who couldn’t remember what we originally put in.
Feb 25, 2016 @ 12:43:50
why the search do not stop?? im waiting for many minutes and the search dosnt find the code?
Mar 01, 2016 @ 09:12:50
I don’t know where do you even start this page or the other because my brain hurts from complex computer stuff and having to search and search all afternoon. please reply because I’m not able to go anywhere and my chances of even knowing where to start is another big problem. can you please make another video or better instructions because I still don’t understand. I got up to the restrictions thing where I have to add key something and salt I have got up to what the text looks like but my text looks a bit more different it doesn’t have the M/p444c etc. I don’t know what the hint 0001 is. what do I copy and do i paste. do I do the test code generator or follow this page. please answer I would be really REALLY happy.
Mar 01, 2016 @ 17:49:57
You do not need hash / salt anymore. Just use pinfinder as instructed above. You only need to go through steps 1 and 2. The other steps are for information only and you do not need to read all the linked articles unless you have an interest in cryptography.
Mar 01, 2016 @ 18:54:12
Hello,
I just did it with iOS 9.2 and Windows 10 so…
Here is a working guide (with obvious steps too) to decrypt your restrictions code using your computer :
1. Download and install the appropriate iTunes version for your computer (here http://www.apple.com/fr/itunes/download/) and install it with default setting, if not already done
(if you have troubles with the next steps, you should uninstall iTunes and reinstall it using a new user account, so you’ll be sure that it’ll work)
2. Start iTunes and connect your device to your computer with USB cable (if your device then asks you by a pop-up on device screen to authorize the pc first, authorize it) (if your computer asks you to authorize the device, authorize it and connect to your Apple ID)
3. Go to the “device” tab on iTunes by clicking on iPad/iPod/iPhone icon in the top left corner of iTunes
4. In the “Backup” section, click on the radio button “This computer”
5. IMPORTANT : UNCKECK THE “Encrypt backup” checkbox (or backup will not be read-able)… It may ask you the password you set on your iDevice when you configured encryption before Enabling Safari password save, for example
5. Click on “Back Up Now” on the right… Then wait, don’t disconnect your device, progress is showed on top center of iTunes window
NOW, LESS OBVIOUS THINGS
6. Now, close iTunes. You’ll use pinfinder. It should find the key in less than one minute if your backups are in the default folder location for iTunes in your computer
7. Download the appropriate archive of pinfinder for your computer here
https://github.com/gwatts/pinfinder/releases/tag/1.3.1
8. Extract the pinfinder file to somewhere like your Desktop, then you’ll have to run pinfinder file in a command prompt (Windows 7 you’ll find it by opening start menu, typing “cmd” and pressing return. Windows 8/10: Right-click on the start button, and select Command Prompt
Drag the pinfinder file from the Desktop to the command prompt window, and press return to run it. Other system, read the readme.md text on github page)
9. The program should run for every iTunes backup on your computer, you’ll see restriction code in the RESTRICTIONS PASSCODE colum, facing your device name on left, once it’ll be calculated. So wait one minute or more
10. Now you normally have your 4-digit code, type it on your iOS device in Settings > Restrictions. Now disable
Jul 02, 2016 @ 23:08:39
Thank you for the clarification! needed it!
Oct 28, 2016 @ 16:10:13
Thanks a lot
Mar 08, 2016 @ 08:38:05
you are awsomeeeeee ,
done thank you
Mar 19, 2016 @ 02:40:04
Why isn’t this the most upvoted site on the topic? No other site provides a free and easy way to recover our restriction passcodes. Plus, Pinfinder is incredible!
Mar 23, 2016 @ 09:46:52
Does pinfinder work with iOS 9.2.1?
Mar 23, 2016 @ 20:56:17
It should work with 9.2.1 but please confirm here.
Mar 23, 2016 @ 21:01:56
Yes, I can confirm
Just give it a try! 😉
Mar 25, 2016 @ 07:31:37
How do you back up the iphone on itunes if it requires the passcode? I have one backup but it is from a year ago when my passcode was only 4 digits instead of 6…would this method still work?
Mar 25, 2016 @ 07:38:35
Tina, do not confuse the screen lock with the parental restrictions passcode. Pinfinder only works for the restrictions passcode. If you have lost your screen lock passcode then you will need to ask the FBI for help. You have nothing to lose trying pinfinder on your old backup, so give it a try.
Mar 25, 2016 @ 07:51:17
Just tried the pinfinder on my backups from a year ago, no passcodes were found 😦 please help
Mar 25, 2016 @ 07:54:16
This only means that a year ago you did not have activated the parental restrictions. Please confirm which passcode you are after: lock screen or parental restrictions?
Mar 25, 2016 @ 07:52:36
Sorry just read your comment above. Looks like they only way to fix it is a factory reset I’m presuming?
Mar 25, 2016 @ 07:58:44
Or someone who can hack an iPhone such as the company helping the FBI on the terrorist cases 😉
Apr 01, 2016 @ 07:10:36
Factory restriction code ?
Apr 01, 2016 @ 07:25:03
No, pinfinder will work for the Settings > General > Restrictions’ code.
Apr 12, 2016 @ 16:47:14
Does it work with 9.3.1? I made the backup, the restriction is on and i always fail the pin. But the the pinfinder returns “No passcode found”
Apr 13, 2016 @ 04:43:01
It works with 9.3.1 for me (I just changed my restrictions code and re-synced to double check).. are the other details (device name and backup time) it lists about the backup correct?
Apr 13, 2016 @ 09:05:52
They are correct. Both name and backup time. Just gave a try with another backup and same issue.
Apr 15, 2016 @ 05:28:10
Odd – Is the “encrypt iPhone backup” option disabled for your device in iTunes? It will not work with it turned on.
Apr 15, 2016 @ 05:52:42
Gareth, could pinfinder detect when a backup is encrypted and advise the user accordingly?
Apr 15, 2016 @ 17:53:21
Yeah that’s on my todo list (which never seems to get any shorter); perhaps a task for the weekend
Apr 20, 2016 @ 05:25:50
Version 1.4.0 of pinfinder is up now which can detect encrypted backups and warn accordingly!
Apr 20, 2016 @ 05:31:49
Thank you so much Gareth!
Apr 13, 2016 @ 02:39:10
i used the pinfinder program by gwatts and had my passcode in a matter of minutes, after weeks of not being able to successfully guess the code i had forgotten. i can now reset my phone without having to update it. thanks for the info!
Apr 23, 2016 @ 22:28:30
Awesome awesome awesome
May 07, 2016 @ 07:25:15
life saver……hats offffffffffff…..thanks a ton
May 08, 2016 @ 08:34:57
Very thankful for the pin finder app and advice on this blog. Wish I had found sooner.
May 10, 2016 @ 09:01:37
where can i get pinfinder app?
May 10, 2016 @ 11:54:56
Please read the post carefully. There are links to the pinfinder website in the section about it.
May 14, 2016 @ 19:17:23
Thank you so much! This totally worked for me. I’m on an iPhone 6 with iOS 9.3.1. You are a lifesaver!
May 20, 2016 @ 22:30:17
Thank you so much!!!! You saved my life!!
Jun 05, 2016 @ 03:55:59
I forgot my iphone restriction password
Jun 06, 2016 @ 13:42:56
Pin finder is weird af it’s just code
Jun 17, 2016 @ 07:03:46
Total legends, thank you so much for being you! (Both nbalkota and Gareth!) I would never in a million years have guessed the pin it came back with so very very much appreciated
Jun 25, 2016 @ 05:47:23
Hi
I used your method for recovering my restriction code and yes it did work, giving me the number I thought it was..I have entered this number numerous times and it still won’t open the restrictions area..is there a reason why this could be happening..maybe a keyboard error..?
MJK
Jul 02, 2016 @ 21:17:46
Works great! Thanks
Jul 07, 2016 @ 21:51:33
I tried this on an iPod touch and it works. Can you use the same method on the lock screen passcode? For example, when a user creates a passcode to lock an iPad or you want to find out someone’s passcode to there ipod or iPhone.
Jul 08, 2016 @ 05:51:16
No, this method cannot recover a lock screen passcode. For obvious privacy protection / security reasons Apple made this virtually impossible.
Jul 16, 2016 @ 15:40:46
Oh my god, thank you so much! You are a lifesaver! Pinfinder is an amazing tool. I fucking love the developer. ❤
Aug 01, 2016 @ 16:48:41
Thank you, thank you, thank you!!!!!! Pinfinder is amazing!!!!! It worked on the first try, and I am skeptical. PERFECT. God bless!
Aug 21, 2016 @ 23:49:38
works on ios 10 beta 6
Sep 24, 2016 @ 18:33:44
Just to add that I’ve released pinfinder 1.5.0 – This version supports recovering passcodes from iOS 10 devices: https://github.com/gwatts/pinfinder
Oct 18, 2016 @ 15:42:58
Pinfinder works with IOS 10.0.2 – I just tried it! Thanks Gareth. I had been stuck for over a year wanting to upgrade my iPhone, but being unwilling either to set up the new phone from a backup and replicate a lost restrictions code, or to set up without using the backup and lose all my data and settings. Problem solved.
Oct 19, 2016 @ 05:24:14
Many thanks for this. Saved me tons of work and effort.
Oct 30, 2016 @ 07:15:47
I can not open PinFinder on my Mac computer. It said that “pinfinder” is damaged and can’t be opened.
Oct 30, 2016 @ 08:14:59
Which version of pinfinder did you download? Which version of macOS is your Mac running?
Oct 30, 2016 @ 23:26:19
Hi nbalkota, thanks for your reply!
My macOS is El Capitan (10.11.6), and I downloaded most recent versions of pinfinder (from 1.3.1 to 1.5.0), but none of them were able to be opened.
Oct 30, 2016 @ 23:48:20
I also still run El Capitan 10.11.6 and manage to run pinfinder OK. I used version 1.5.0 of pinfinder.
Are you able to uncompress it without any error message?
Could you clarify if the “damaged” error message is about the archive (*.tar.gz) or the actual pinfinder executable file extracted from the archive?
Oct 30, 2016 @ 23:51:12
Hi nbalkota,
Yes I can uncompress it succefully (I used the default app “Archive Utility” to uncompress it). The error is about the executable file: “”pinfinder” is damaged and can’t be opened. You should move it to the Trash.” I don’t know why. 😦
Oct 31, 2016 @ 00:06:48
What happens if you try to uncompress and execute using the Terminal app?
cd ~/Downloads
tar -xzvf pinfinder-mac-1.5.0.tar.gz
./pinfinder
Oct 31, 2016 @ 00:10:21
Wow, it works! Thank you very much nbalkota!!! Wonderful!
Oct 31, 2016 @ 00:13:06
So, because I can’t open it directly but through Terminal, there could be a bug in pinfinder code huh?
Oct 31, 2016 @ 00:18:31
No bug to be expected from pinfinder 😉
My gut feel is the Archive Utility is more to blame… Do you let Safari expand archives automatically? I would recommend to disable this option.
Oct 31, 2016 @ 00:22:24
Oh yeah, it could be the Archive Utility the culprit of my issue. Which uncompressing app are you using?
Nov 06, 2016 @ 20:56:24
John, The Unarchiver never failed me and so did the standard UNIX command line compression utilities. Your issue is really odd though, because I could not reproduce it using the same OS version and hence Archive Utility.
Nov 14, 2016 @ 20:14:52
Thank you, nbalkota, for your information.
Nov 08, 2016 @ 05:55:57
Maybe i should switch to .dmg for the next release; never occurred to me that they’d be any issues with .tar.gz on OS X.
Nov 03, 2016 @ 04:39:02
Thank you! Thank you! Thank you!
Don’t know why the pin finder couldn’t come up in the first 500 searches I did to learn how to unlock. Very grateful that I did not need to reset to factory settings!!!
Pin finder was super easy!
Nov 12, 2016 @ 10:02:12
Thank u so much. I got my iPhone 4S code
Nov 19, 2016 @ 01:55:40
amazing! wow, so easy and no issues with it.
Nov 21, 2016 @ 22:11:44
THANK YOU. Just thank you
Nov 22, 2016 @ 02:00:20
Recovered my restrictions code (IOS 10.1.1) literally within seconds of launching pinfinder. Thanks to Gareth Watts and you for this post. Google should place your post at the very top for people searching for help with the restrictions code.
Nov 26, 2016 @ 06:31:17
very informative knowledge about iphone development. Thanks for sharing this valuable information.
Nov 30, 2016 @ 14:49:39
Hello. Pinfinder and Hash + Salt found the same passcode…but it doesn´t work!
Dec 02, 2016 @ 01:16:31
please i need for ios 10.1.1
Dec 02, 2016 @ 14:21:41
Try pinfinder, it is likely to work.
Dec 05, 2016 @ 18:33:25
THANK YOU!!!!!!!! It worked! For free!!!
Dec 06, 2016 @ 18:03:38
hey i dont have a backup of my device. nor can i remember the passcode. my phone is jailbroken and i have ifunbox and plenty of other downloads that are telling me to delete the keycain.db file (which keeps re-appearing after every reboot) Will this pinfinder be able to help me?
Dec 06, 2016 @ 21:25:19
No. An unencrypted backup is needed and pinfinder only deals with restrictions pin, not the passcode to unlock the phone.
Dec 06, 2016 @ 21:37:18
aw ok, thanks
Dec 09, 2016 @ 10:43:48
I was looking at some of your posts on this site and I believe this web site is really informative! Keep posting.
Cara Reset Restrictions Passcode di Perangkat iOS - iTunes Gift Card Indonesia
Dec 29, 2016 @ 16:10:31