Security  
 

May 17, 2008: iPhone Passcode Easily Defeated

I had a request come in tonight from an agency in NZ, looking to perform forensics on a drug dealer's iPhone. The iPhone happened to be passcode protected which, to my surprise, actually presented a problem for iLiberty+. I quickly hacked together a simple solution, and am simply posting this as a warning to anyone who thinks their data is safe because they have a passcode. The iPhone's passcode is quite simple to circumvent, and the latest versions of my forensic toolkit and manual now cover a simple three-step process to do it. While I'm not about to make the files themselves publicly available, this method can be easily adapted to crack the passcode by simply deleting a property list file. What a shame, that Apple went to the trouble of storing the passcode in the keychain, and yet the switch to turn it on and off is sitting in a little property list you can delete.

  • Step 1: Prepare a custom iPhone RAM disk. There are numerous How-To's out there to do this. I hex-edited the one that came with iLiberty+ and added my own shell intructions where the credits used to be. Your custom RAM disk should mount /dev/rdisk0s2 (say, /mnt) and simply delete the file /mnt/mobile/Library/Preferences/com.apple.springboard.plist. This is the config file that tells springboard "passcode: on". In one case, I had to move the entire preferences folder out of the way - this was on an iPhone that had been "permanently" disabled by several failed passcode attempts. Opened it up like a charm.

  • Step 2: The iPhone must be placed into recovery mode, but with a clean shutdown. You can either use the iPhone Utility Client to place the device into recovery mode, or "Slide to Power off", then force it into recovery on next boot... then boot the RAM disk using something like: 
    (iPHUC Recovery) #: filecopytophone Bypass_Passcode.bin
(iPHUC Recovery) #: cmd setenv\ boot-args\ rd=md0\ -x\ -s\ pmd0=0x9340000.0xA00000
(iPHUC Recovery) #: cmd saveenv
(iPHUC Recovery) #: cmd bootx
  • Step 3: After your custom RAM disk blows away the springboard config, reboot the phone and the passcode will be circumvented, because SpringBoard's default is "no passcode".

 All Website Content © Jonathan A. Zdziarski. All Rights Reserved.
Reproduction prohibited without permission