Recover your forgotten iOS 7 to 11 restrictions PIN code iOS 12 Screen Time passcode


Sun 14 Apr 2019 update: thanks to all commenters giving feedback, the instructions below are proven to work from iOS 7 up to iOS 12.2. Thanks to Gareth Watts, pinfinder version 1.7.0 released on Fri 19 Oct 2018 works with iTunes encrypted backups (decryption password must be known) for an iOS 12 device.

My aunt recently updated her iPhone to iOS 7 and in doing so discovered she was no longer able to make FaceTime calls. After investigation, we found out it was due to iOS restrictions that disabled FaceTime. Unfortunately, she could not remember her restrictions PIN code to lift the restrictions…
Searching for a solution, I realised restoring to a previous backup would not help, since a backup preserves the restrictions PIN code. The thought of having to restore her iPhone to factory default was daunting (lose nearly everything, spend hours reconfiguring just for a forgotten 4 digit PIN code, really?).
Some commercial software claim to help you with recovering the restrictions PIN code, but I would rather try to learn something new and share my findings since I managed to recover my aunt’s restrictions PIN code for free using only knowledge shared on the internet.

Sources of information:

Steps to recover your iOS restrictions PIN code:

1. Backup device

I used iTunes to Backup her iPhone onto my Mac. Do NOT use Sync! Sync may prompt you to delete data because this device is synchronized with another computer. If your iOS device is older than iOS 12, then your iTunes backup does not have to be encrypted unless you can use pinfinder version 1.6.0 or more. Since iOS 12, you must make an encrypted iTunes backup and use pinfinder version 1.7.0 or more. Note that in this instance, there is no point to backup to iCloud, since pinfinder needs to be able to read backup files stored locally. Once you are done with the instructions below, you can revert your iTunes backup settings to what they were.

Rationale: her iPhone was on iOS 7.0.6 and was not jailbroken. The restrictions PIN code is contained in one of the backup files at ~/Library/Application Support/MobileSync/Backup/{UDID}.

You can use iTunes to reveal this location in the Finder: iTunes > Preferences… > Devices > right click on relevant backup > Show in Finder.

2. Use pinfinder to get your restrictions PIN

This excellent program written in Go was kindly developed by a commenter, Gareth Watts, who first released it on Sun 11 Oct 2015.

2.1 Download latest version of pinfinder

The source code is available for the greater good of humanity, but for those in a hurry, Gareth was kind enough to release binaries for Mac, Windows and Linux.

Gareth Watts released pinfinder version 1.6.0 on Wed 27 Dec 2017. This version is the first one able to deal with iTunes encrypted backups (decryption password must be known). Version 1.7.0 released on Fri 19 Oct 2018 added support for iOS 12 devices.

2.2 Follow instructions in pinfinder‘s ReadMe

Simply refer to the instructions website referenced in the ReadMe, let the digital magic happen and consider supporting Gareth Watts’ excellent work!

To all users of recent versions of Mac OS X (since Max OS X Lion 10.7.5), you can safely download Gareth’s binary for Mac (double click the *.tar.gz file to uncompress pinfinder), but make sure to run it by doing a right click > Open on pinfinder.
In effect, a simple double click on pinfinder will trigger a Gatekeeper dialog with the only option to cancel execution, but using the contextual menu triggers a Gatekeeper dialog with the option to open (run) the binary anyway (i.e. I trust the developer of this program…).

In the unlikely case where pinfinder runs but fails to return your code, then you may have a corrupt restrictions PIN code and your best chance would be to reset it using the instructions by J-dizzle in the comments for this post, comment dated 28 Apr 2015.

The following steps (3 onwards) below are now redundant and only kept for reference since they have been automated in pinfinder.

Disclaimer: you should only use pinfinder for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!


3. Get the restrictions password property list file

3.1 Slow, but easy way

Use iPhone Backup Extractor (not the one from Reincubate: the free edition does NOT allow you to recover your restrictions PIN code and is a terribly ugly Mac application) to extract the iOS Files from the backup.

The file you need is at iOS Files/Library/Preferences/

This method is slow because you need to extract many files, even if actually you only need one: the restrictions password plist file.

Improved method: use JuicePhone to mirror your iTunes backup or extract only the Home Folder to reveal the restrictions password plist file a bit faster.

3.2 Fast, but less easy way

Instead of the slow but easy way, you could use the following command in the Terminal:

echo -n "HomeDomain-Library/Preferences/" | openssl sha1

You could substitute openssl sha1 with shasum since both would return the hashed file name you need:


The full path to the file in the iTunes backup is:

~/Library/Application Support/MobileSync/Backup/{UDID}/398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

This method is more cryptic, but gets you the restrictions password plist file without any backup extraction software.

4. Get restrictions hash and salt

The restrictions password property list (plist) file should be 335 bytes in size. It is an XML file containing 2 keys:

  1. RestrictionPasswordKey (a.k.a hash)
  2. RestrictionsPasswordSalt

Sample contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
    base64string_hash_value (28 character long)
    base64string_salt_value (8 character long)

The data values are encoded in base 64 with many ways to decode them:

  • If you have Xcode installed, you could use its plist editor to decode the values (hex dump)
  • Use command defaults read file.plist in the Terminal (hex dump)
  • Use command plutil -p file.plist in the Terminal (hex dump)
  • Use command /usr/libexec/PlistBuddy -c Print file.plist in the Terminal (text dump, pipe to command xxd to convert hex)
  • My favourite, use command echo -n base64string_from_plist | base64 -D | xxd -p in the Terminal (hex dump)

The hex value for the hash should be 40 character long and the hex value for the salt should be 8 character long.

5. Get the restrictions PIN code

Install the perl library Crypt::PBKDF2 with command (requires an internet connection and an admin account):

sudo cpan install Crypt::PBKDF2

Use the previously decoded hex values of hash and salt as arguments to the perl script from philsmd:

#!/usr/bin/env perl
use Crypt::PBKDF2;

if (@ARGV < 2) {   
   print "[!] Error: please specify hash (first argument) and salt (second argument)\n";
   exit (1); 
my $match = pack ("H*", $ARGV[0]); # TODO: check if it is of length 40 
my $salt  = pack ("H*", $ARGV[1]); # of length 8? 
my $iter  = 1000; 
my $pbkdf2 = Crypt::PBKDF2->new (hash_class => 'HMACSHA1', iterations => $iter);
my $num;
for ($num = 0; $num < 10000; $num++) {
   my $pass = sprintf ("%04d", $num);
   my $hash = $pbkdf2->PBKDF2 ($salt, $pass);
   if ($match eq $hash) {
      printf ("%s:%s:%s:%s\n", unpack ("H*", $hash), unpack ("H*", $salt), $iter, $pass);
      exit (0);
exit (1);

Use command:

time hex_hash hex_salt

Command time is added just to measure how long the command takes to run.

The restrictions PIN code should be returned in less than a minute (depending on how fast your computer is):


real	0m39.239s
user	0m39.130s
sys	0m0.055s

Disclaimer: you should only use the above tip for legitimate iOS restrictions PIN code retrieval to save you, a friend or a family member a factory restore. Any other use is probably forbidden and likely to be illegal!


Finding your public IP address

Leave a comment

Finding your public IP address is handy when you want to run a server at home to share with people on the internet (website hosting, file sharing, remote control, etc…).

There are many ways to get it, but most of the time, they rely on reading information from a website such as What Is My IP, even a google search will return your address.

However, if you need to get it programmatically, the easiest way on Mac OS X is probably to use a UNIX command in the Terminal. The concept of public IP address becomes useless if you are not connected to the internet. Hence for this trick to work you will need:

  • To be connected to the internet (with no proxy)
  • To know a hostname or IP address on the web that you know would always be live online (you cannot use a local address or host)

The command to use in the Terminal is:
ping -R -c 1

Refer to man ping for more details, but -R triggers the routing trace option and -c 1 makes ping use only 1 packet so the command returns as quickly as possible.

This returns something like:

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=58 time=61.766 ms
RR: ( ( ( ( ( ( (

--- ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 61.766/61.766/61.766/0.000 ms

The first IP address returned is the IP address of the hostname you used. Your public IP is the second IP address listed or the first one on the line starting with “RR: “. In the above example, that is

Alternatively, you could subscribe to a Dynamic DNS service and install a software that updates your IP address as it changes. That way, your server becomes accessible from the internet using a static hostname.

Create a Mac OS X application from a Java jar

Leave a comment

Apple’s developer tools come with a neat utility for bundling Java jar file into a Mac OS X application: Jar Bundler.

It can be found at /usr/share/java/Tools on Lion.

First add your Jar file to the “Additional Files and Resources” panel. It should contain a Main Class (i.e. be a Java Application).

Specify the Java Main Class name and other Mac OS X specific options (e.g. Application icon, whether Java Swing’s JMenuBar should use the Mac OS X menu bar…).

Finally, specify other Application specific properties (e.g. version). You can also specify the JVM heap memory size (in MB) and other JVM options from here.

There you go, here is the Package Contents of the resulting Mac OS X application!

The resulting application is now well integrated into Mac OS X as shown in this Finder Get Info dialog.

The Java app used in the above example is PageSucker. The latest version is 3.2 but only exists for Windows, Mac OS 9 (Classic) and Mac OS X, but for PowerPC only. Using the instructions in this post will allow you to create an Intel compatible application for Mac OS X (including Lion…).

If you are lazy, you can get the version I did for Mac OS X 10.7 Lion: (not a real PDF, but a zip file…).