Sun 14 Apr 2019 update: thanks to all commenters giving feedback, the instructions below are proven to work from iOS 7 up to iOS 12.2. Thanks to Gareth Watts, pinfinder version 1.7.0 released on Fri 19 Oct 2018 works with iTunes encrypted backups (decryption password must be known) for an iOS 12 device.
My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…
Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).
Some commercial software claim to help you with recovering the restrictions PIN code, but I would rather try to learn something new and share my findings since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.
Sources of information:
- iTunes Backup wiki on the iPhone wiki
- Wikipedia article on SHA-1
- Wikipedia article on PBKDF2
- A good introduction to openssl by Steven Gordon
- Wikipedia article on Base64
- An interesting forum thread, in particular the posts from magnum and philsmd for his ios7.pl perl script (dependency on the Crypt::PBKDF2 perl library)
- Corresponding commit to JohnTheRipper
- Web based javascript implementation at http://ios7hash.derson.us
- Ultimate implementation written in Go: pinfinder by Gareth Watts (releases) with simple instructions.
Steps to recover your iOS restrictions PIN code:
1. Backup device
I used iTunes to Backup her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer. If your iOS device is older than iOS 12, then your iTunes backup does not have to be encrypted unless you can use pinfinder version 1.6.0 or more. Since iOS 12, you must make an encrypted iTunes backup and use pinfinder version 1.7.0 or more. Note that in this instance, there is no point to backup to iCloud, since pinfinder needs to be able to read backup files stored locally. Once you are done with the instructions below, you can revert your iTunes backup settings to what they were.
Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.
You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.
2. Use pinfinder to get your restrictions PIN
This excellent program written in Go was kindly developed by a commenter, Gareth Watts, who first released it on Sun 11 Oct 2015.
2.1 Download latest version of pinfinder
The source code is available for the greater good of humanity, but for those in a hurry, Gareth was kind enough to release binaries for Mac, Windows and Linux.
Gareth Watts released pinfinder version 1.6.0 on Wed 27 Dec 2017. This version is the first one able to deal with iTunes encrypted backups (decryption password must be known). Version 1.7.0 released on Fri 19 Oct 2018 added support for iOS 12 devices.
2.2 Follow instructions in pinfinder‘s ReadMe
Simply refer to the instructions website referenced in the ReadMe, let the digital magic happen and consider supporting Gareth Watts’ excellent work!
To all users of recent versions of Mac OS X (since Max OS X Lion 10.7.5), you can safely download Gareth’s binary for Mac (double click the *.tar.gz file to uncompress pinfinder), but make sure to run it by doing a right click > Open on pinfinder.
In effect, a simple double click on pinfinder will trigger a Gatekeeper dialog with the only option to cancel execution, but using the contextual menu triggers a Gatekeeper dialog with the option to open (run) the binary anyway (i.e. I trust the developer of this program…).
In the unlikely case where pinfinder runs but fails to return your code, then you may have a corrupt restrictions PIN code and your best chance would be to reset it using the instructions by J-dizzle in the comments for this post, comment dated 28 Apr 2015.
The following steps (3 onwards) below are now redundant and only kept for reference since they have been automated in pinfinder.
Disclaimer: you should only use pinfinder for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!
################################################################################
3. Get the restrictions password property list file
3.1 Slow, but easy way
Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.
The file you need is at iOS Files/Library/Preferences/com.apple.restrictionspassword.plist
This method is slow because you need to extract many files, even if actually you only need one: the restrictions password plist file.
Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.
3.2 Fast, but less easy way
Instead of the slow but easy way, you could use the following command in the Terminal:
echo -n "HomeDomain-Library/Preferences/com.apple.restrictionspassword.plist" | openssl sha1
You could substitute openssl sha1 with shasum since both would return the hashed file name you need:
398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b
The full path to the file in the iTunes backup is:
~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b
This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.
4. Get restrictions hash and salt
The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:
- RestrictionPasswordKey (a.k.a hash)
- RestrictionsPasswordSalt
Sample contents:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>RestrictionsPasswordKey</key> <data> base64string_hash_value (28 character long) </data> <key>RestrictionsPasswordSalt</key> <data> base64string_salt_value (8 character long) </data> </dict> </plist>
The data values are encoded in base 64 with many ways to decode them:
- If you have Xcode installed, you could use its plist editor to decode the values (hex dump)
- Use command
defaults read file.plistin the Terminal (hex dump) - Use command
plutil -p file.plistin the Terminal (hex dump) - Use command
/usr/libexec/PlistBuddy -c Print file.plistin the Terminal (text dump, pipe to commandxxdto convert hex) - My favourite, use command
echo -n base64string_from_plist | base64 -D | xxd -pin the Terminal (hex dump)
The hex value for the hash should be 40 character long and the hex value for the salt should be 8 character long.
5. Get the restrictions PIN code
Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):
sudo cpan install Crypt::PBKDF2
Use the previously decoded hex values of hash and salt as arguments to the perl script ios7.pl from philsmd:
#!/usr/bin/env perl
use Crypt::PBKDF2;
if (@ARGV < 2) {
print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
exit (1);
}
my $match = pack ("H*", $ARGV[0]); # TODO: check if it is of length 40
my $salt = pack ("H*", $ARGV[1]); # of length 8?
my $iter = 1000;
my $pbkdf2 = Crypt::PBKDF2->new (hash_class => 'HMACSHA1', iterations => $iter);
my $num;
for ($num = 0; $num < 10000; $num++) {
my $pass = sprintf ("%04d", $num);
my $hash = $pbkdf2->PBKDF2 ($salt, $pass);
if ($match eq $hash) {
printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
exit (0);
}
}
exit (1);
Use command:
time ios7.pl hex_hash hex_salt
Command time is added just to measure how long the command takes to run.
The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):
hex_hash:hex_salt:1000:XXXX real 0m39.239s user 0m39.130s sys 0m0.055s
Disclaimer: you should only use the above tip for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!
Cloudy Aide-Mémoire 
Dec 31, 2016 @ 18:00:38
Thank you for the well-researched “paper”. Based on your Perl-script, I wrote a C-program, which needs only OpenSSL to compile. Posting the link here for all: http://aldan.algebra.com/~mi/ipin/
Jan 01, 2017 @ 09:32:47
Note that I am not the original author of the perl script. I am merely an information gatherer.
Thank you for coding a program in C. Your copyright statements made me smile. Your program could be improved in usability by matching the features in Gareth Watts’ pinfinder such as iOS backup discovery. However, maybe your code will have the edge in raw decoding speed, but this first version is intended for expert users able to compile and get the hash/salt the hard way.
Jan 02, 2017 @ 03:20:14
Unless you can use a pre-compiled pinfinder-binary (and I could not), compiling my program is much easier, than dealing with Go and pinfinder’s dependencies. And my program takes the BASE64-encoded strings, which can be copied/pasted from the backup easily — no need to decode them and then turn into hex as you describe (Xcode, plutil, …).
That said, maybe, I’ll simply reimplement the functionality in JavaScript, which anyone would be able to run in their browser…
Feb 16, 2017 @ 08:24:52
how do I do this on an iphone 6?
Feb 16, 2017 @ 08:28:17
Simply follow instructions to use pinfinder. Your backup must NOT be encrypted so make sure to select the relevant option in iTunes.
Feb 16, 2017 @ 08:26:03
also my iphone syncs automaticaly. how do I stop this please?
Feb 16, 2017 @ 08:30:18
Automatic sync is an option in the iTunes summary page when you connect the phone. Simply uncheck the option.
Feb 18, 2017 @ 23:10:02
Thank you kindly. Only had to do Step 1 and 2. This worked a treat 🙂
Feb 19, 2017 @ 08:36:48
I am no longer positive the place you are getting your info, but good topic. I must spend some time studying much more or figuring out more. Thank you for magnificent info I was searching for this info for my mission.
Feb 19, 2017 @ 08:41:20
You are welcome and please let me know if any of my links are dead.
Feb 20, 2017 @ 14:07:42
It seems i can’t do a backup because iTunes wants me to unlock the device first. I guess that’s not just me, but by design?
I won’t ask how to circumvent this, but i would like to know, why your guide doesn’t mention this happening, is it different on a Mac?
Iam on Windows..
Feb 20, 2017 @ 17:06:26
You are probably confusing the simple restrictions PIN code with the unlock code. This post is about the restrictions PIN not the screen unlock one. For obvious security reasons the screen unlock code / touch ID is incredibly more difficult to hack.
Ask the FBI (or rather Cellebrite) for help, they are getting better at cracking iPhones 😉
Mar 04, 2017 @ 13:01:14
i have gone through all the step the search ended without findings of my restriction code..help please
Mar 09, 2017 @ 23:48:54
Thank you very much. It worked on my Iphone 5 with ios 10.2.1
Apr 05, 2017 @ 16:46:32
It Worked! Sending love to all programmers, developers and hackers!
Apr 10, 2017 @ 11:41:38
the application pinfinder was great and solved my issue in a click
Thank you very much
May 18, 2017 @ 14:02:26
It worked like a charm! Thank you so much
May 20, 2017 @ 07:23:42
Hi! I tried using iBackupBot to recover forgotten restrictions passcode, it did not work. I have an iphone6 (iOS 10.2) backed-up on Mac (OS X El Capitan 10.11.6). Any assistance for a laymen would be greatly appreciated.
May 20, 2017 @ 09:55:35
Simply follow instructions, no need for a backup extrator software when you use pinfinder. Simply create a local unencrypted backup with iTunes and pinfinder will find it.
How to Reset Forgotten Restrictions Password on iPhone, iPad | iPhone iPad Apps Reviews
May 30, 2017 @ 14:54:08
Jun 14, 2017 @ 22:33:45
Used this on 6/14/17…simple clicked the link to pinfinder after doing a backup to iTunes on my laptop. Boom – – instantly returned my restriction code, was able to unlock no problem. THANK YOU!!!!!
Jun 25, 2017 @ 23:14:25
That’s amazing!!! The pin finder app works!!! This should be more popular took me so long to find this result.
Jun 25, 2017 @ 23:14:42
THANK YOU!!!
Jul 06, 2017 @ 02:54:54
holy crap! pinfinder worked when nothing else did. thank you 6 million times!
Jul 22, 2017 @ 06:24:01
This is is awesome. It works both on iPhone 7, iPhone 6S. I used a Win64 machine. First backup your phone using iTunes then use the Pinfinder. Its a command line utility and finds your pins in fraction of seconds.
Thanks for sharing this it saved me a lot of trouble.
Aug 04, 2017 @ 02:43:55
Is any way to get the pin code from an encrypted backup file? It is iOS 10.3
Aug 04, 2017 @ 06:26:09
As stated, you need an unencrypted backup in order to use pinfinder. Simply create a new local backup in iTunes and make sure it is not encrypted.
Aug 04, 2017 @ 13:38:51
I can’t make the backup file again for some reason. Only the encrypted file is available… hopefully there are certain way to solve the problem.
Aug 05, 2017 @ 07:28:24
Strange. When you say you can’t backup unencrypted, then what is the error message from iTunes?
Dec 27, 2017 @ 01:19:39
For anyone reading along, I just released version 1.6.0 which can now recover passcodes from encrypted backups, so that should make life a bit easier 🙂
Dec 27, 2017 @ 10:36:25
Many thanks Gareth! Nice Christmas present! I revised the post accordingly 😉
Aug 07, 2017 @ 02:29:51
If I clear the check box to make an encrypted backup, the passwords don’t get backed up. I’m on iOS 10.3.2 so maybe it’s a new thing, but the only way I could get the restrictions passcode plist file was to make an encrypted backup, and then use the Free “Lite” version of the software from reincubate.com to grab the plist file. I am on Windows 10, and the sotware worked fine. The derson.us web site that brute forces all possible codes using the password key and salt took about 10 minutes to run but worked fine. I’m sure pinfinder would have been faster, but I found your site last. 🙂
Aug 07, 2017 @ 04:54:47
The paid version from reincubate claims to have built-in feature to recover the restrictions pin code.
Thanks for the tip for dealing with encrypted backups (for which you must know the password).
Aug 10, 2017 @ 10:44:04
A massive thanks to Gareth Watts for writing this app!
Sep 21, 2017 @ 19:40:00
Worked like a charm with iOS 11.0 and iPhone 7. Troubled me for years…
Oct 12, 2017 @ 18:23:27
Hi, I recently backed up my iPhone 6s with iOS 11.0.2 as not encrypted on my computer. This iPhone has had a forgotten restrictions code on it for two years now, but when I ran pinfinder on my last backup, it says that there is no passcode stored. I have a screenshot of the command prompt after it ran and was hoping you could assist me in identifying why pinfinder is not returning my restrictions code. Thank you for this post!
Oct 12, 2017 @ 19:59:44
Andrew, I doubt I could beat pinfinder. Unless iOS 11.0.2 introduced a change that breaks it… Maybe worth contacting its developer.
Oct 16, 2017 @ 17:21:20
I will have a new release of pinfinder (1.6.0) ready within the next week, all being well – i’ll be interested to know if that helps
Oct 17, 2017 @ 12:44:16
I’ll certainly try again with that new release!
Dec 12, 2017 @ 00:00:37
I’m having same issue, Andrew. Did you ever solve it? It keeps telling me no passcode stored.
Dec 13, 2017 @ 15:21:25
Jon, no, I did not. I tried it again after the new release, and I receive the same message you’re receiving. I wish this worked as well for me as it does for others!
Oct 18, 2017 @ 10:12:42
Absolutely awesome!!! Pinfinder is working. Thanks a lot.
Oct 21, 2017 @ 00:39:14
I got the hexadecimal hash and salt, but I can’t understand what to do next. How do I decode the hash and salt? Where do I run the code given in step 5?
Oct 21, 2017 @ 11:11:55
You should not bother with the tricky steps anymore. Just use pinfinder and let it do the hard work for you!
Nov 25, 2017 @ 20:25:33
its not worked with me. Getting message: mismatch: tried to decode string into value ….. { key [juint8 “plist:\”restrictionsPasswordKey\””;salt [juint8 “plist:\”restrictionsPasswordSalt\””}
when i do back up, by mistake its encrypted. i noticed it after 5 minutes and aborted the process. Again i do the back up without encryption.
Thanks in advance
Nov 28, 2017 @ 16:09:44
Thank you Mr Watts and all other before you! Excellent work!
Dec 10, 2017 @ 04:27:52
Thank you for making this so easy with pincode. I can now begin gluing my hair back on…is there a terminal command for that? 🙂
Dec 10, 2017 @ 10:01:20
Still working on a capillary glue command…
Dec 12, 2017 @ 00:02:30
I’ve spent countless hours on this with an iphone 6s and it keeps telling me no passcode stored. I’m out of options to try. I’ve got latest versions of all software, and I’m guessing Apple has hidden the restrictions passcode under another file name. HELP!
Dec 30, 2017 @ 16:43:03
Thanks! It worked for me…
Jan 05, 2018 @ 02:21:20
i cant get it to work with ios 11
Jan 05, 2018 @ 02:31:44
and i cant get pinfinder to work it says that pinfinder is damaged and cant be opened
Feb 24, 2018 @ 10:31:31
i followed all steps but not see the code although it searched all code from 0001 to 9999. it shows the stopping situation. why?
Apr 01, 2018 @ 09:35:44
what if I accidentally deleted the RestrictionPasswordSalt, how can I recover it?
Apr 01, 2018 @ 11:26:48
You could recover it from a local backup you did using iTunes.
Apr 02, 2018 @ 21:07:27
Thank you Gareth Watts!!!! You saved me!
Apr 06, 2018 @ 04:04:08
I’m completely ecstatic, thankful and very grateful to finally have my Restrictions Passcode back! Many, many thanks to Gareth Watts for creating and nbalkota for writing about pinfinder. Have spent countless hours over the last 18 months trying to remember the code or find a way around it without starting over. Not having access to some web sites for school (in medicine) had become a major impediment to my learning. You truly are a lifesaver!
May 10, 2018 @ 14:56:54
Thanks for sharing the Pinfinder, worked a treat for an encrypted backup from an iOS 11 iPad which has all sorts of works stuff on it and wiping and restoring would be a major pain. Can restore all toddler game in-app purchases for a second child now!
Jun 26, 2018 @ 22:51:59
I put a restriction on my daughter’s phone and she can’t get the app store and when I get to step com.apple.re There is no restriction web that pops up only com.apple.reminders. PLEASE help!
Jun 26, 2018 @ 23:15:40
Carol,
Please clarity your problem. Have you forgotten the restrictions PIN on your daughter ‘s iPhone? If yes, then just download and run pinfinder.
Jul 09, 2018 @ 22:25:52
I think this doesn’t work with 11.4
Jul 10, 2018 @ 07:23:10
What message do you get from running pinfinder in Terminal?
Aug 20, 2018 @ 12:11:47
The code it gave me isn’t working and the numbers does not look like one I would use, I always use birthdays.
Aug 22, 2018 @ 07:32:45
Did you use pinfinder to get the code? Which version of iOS is on your device?
Aug 23, 2018 @ 10:34:14
Just did the latest update iOS 11.4.1
Aug 23, 2018 @ 17:56:42
Based on users comments the current version of pinfinder 1.6.0 was able to work up to iOS 11.2.1
It is quite possible that Apple changed something in more recent iOS versions that prevents pinfinder from working.
Please raise an issue on the pinfinder website or git repository.
Aug 25, 2018 @ 00:51:03
Thanks, i realised i was typing o instead of 0 in one of the codes. managed to retrieve my pass word. wasn’t a birthday but a zip code.
Aug 27, 2018 @ 12:29:38
Glad pinfinder worked for you. Consider a donation to Gareth Watts who developed it.
Aug 21, 2018 @ 12:15:18
Acquired codes but am not able to copy and paste to search so had to write down. Having difficulty deciphering the number one with small letter “l” and zero with small letter “o”. Tried 3 times with 3 different combos and it searched all the way thru with no end result other than inserting 9999 in the “start search” box, replacing the 0000. Any suggestions on how I can insert this code without doing it manually? Copy,paste isn’t an option for me for some reason. BTW… it worked fine for a different phone. Does the phone need to be connected to computer while searching?
Aug 22, 2018 @ 07:35:40
No need to keep the iPhone connected to the computer. An iTunes backup of your iPhone is all that is needed.
Please read instructions carefully and make sure to use pinfinder. It is fast and easy to use.
Aug 22, 2018 @ 13:45:42
Still didn’t work with pinfinder. Its finding code for the earlier phone( that I tested with a code I already knew) I backed up 2 days prior
Aug 23, 2018 @ 17:46:39
If your earlier phone is working with pinfinder, then so should your new one provided:
– local backup is used in iTunes, not iCloud
– iOS version is the same for both phones
What version of iOS is on your current newer phone?
Aug 26, 2018 @ 03:02:33
hello good evening I have been on this for hours, trying to find a way to restore from factory an IPhone6 Plus that I purchased. I have tried as much as possible this being the last 6 place I tried. After waiting a long while this did not work. What am I doing wrong? I purchased a phone not in a store and it has a restriction passcode on it and all I want to do is restore it from factory. So that I may use it.. Please Help!!!
Aug 26, 2018 @ 07:48:01
Did you buy your iPhone 6 plus second hand? Could you contact the previous owner to check if they properly prepared the phone to change ownership to you?
Aug 27, 2018 @ 11:57:30
Additionally, I followed the updated instructions above:
You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.
There was no option to “Show in Finder”…so backup is there
Aug 27, 2018 @ 12:27:15
The updated instructions only mention the use of pinfinder. If pinfinder cannot find the backup or the restrictions code then I guarantee you the other complicated manual method won’t work either: pinfinder is automating the complex manual steps.
Sep 20, 2018 @ 15:19:34
when do you think you can have an update solution for IOS 12?
i updated my phone to IOS 12 yesterday and didn’t backup IOS11. now I can’t find my passcode for screen time. when I look into my IOS 12 backup files, there is no long a file call 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b.
Do you know where and what is the new file that contain the passcode info?
thanks in advance!
Sep 20, 2018 @ 20:17:33
This post is only to retrieve restrictions pin code, simply using pinfinder, not the lock screen passcode!
Sep 20, 2018 @ 20:13:36
Is this meant to work on ios 12? I have followed instructions but cannot locate the filename 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b. I believe I am looking in the correct folder but this particular file doesn’t exist there. Thanks.
Sep 20, 2018 @ 20:19:09
Please ignore my old complicated instructions and just try using pinfinder instead. It is much simpler!
Oct 25, 2018 @ 04:53:37
THE BEST! Thank you so much, this worked a treat.
Oct 29, 2018 @ 16:04:52
For anyone who tried pinfinder and had problems with iOS 12 – The new version (1.7.0) I released recently now fully supports the latest iOS 12. Full details at https://pinfinder.net/
Note: Apple only includes the data pinfinder needs if you enable “encrypted backups” in iTunes, so make sure you check that “Encrypt iPhone backup” checkbox
Nov 29, 2018 @ 09:20:25
Thank you so much. it worked
Apr 13, 2019 @ 05:30:17
I’m using using ios12.2 how can i get the restriction pass code
Apr 13, 2019 @ 16:19:10
Follow instructions on pinfinder website: https://pinfinder.net/
You need to use an encrypted backup in iTunes since iOS 12 otherwise the pin won’t be included in the backup!
Apr 12, 2020 @ 15:04:26
Thanks for doing the research and documenting your findings…. and to Gareth for Pinfinder…. made a small donation….
Как сбросить забытый пароль ограничений на iPhone, iPad - btip.ru
Jan 22, 2021 @ 05:13:52