ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Breaking Into iCloud: No Password Required

June 17th, 2014 by Vladimir Katalov
  • 4

With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One of the alternatives to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators accessing cloud backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups.

Update 25.07.2019: things have changed! The most up to date information on this topic is now available at:

But don’t get overly excited: this feature is mostly intended for our law enforcement and forensic customers, as using a password-free entry into iCloud requires a binary authentication token that must be extracted from the suspect’s computer. Don’t get me wrong: over-the-air acquisition from Apple iCloud without requiring the user’s Apple ID or password is great news, and no other company in the world can do it. But you’ll still need the suspect’s PC with iCloud Control Panel installed.

Acquiring iCloud Authentication Tokens

You’ll need the original Windows or Mac computer that was used to log into iCloud, and the Forensic edition of Elcomsoft Phone Password Breaker ($399 for North American customers) in order to extract iCloud authentication tokens. Of course, just any random PC won’t do the trick. You’ll need a computer which has iCloud Control Panel installed, and the user must’ve been logged in to iCloud Control Panel on that PC at the time the computer is seized. If the user logged out of the Panel, the authentication tokens are then deleted. You may be able to carve them; this is something we’ll look into in future versions of Phone Password Breaker.

What is iCloud Control Panel? It’s an integral part of iTunes, but requires a separate installation on Windows PCs. Mac OS systems have it pre-installed. Most users will stay logged in to their iCloud Control Panel for syncing contacts, passwords (iCloud Keychain), notes, photo stream and other types of data between their iOS devices and their computer. In other words, you have a high chance of obtaining authentication tokens from a computer that has iCloud Control Panel installed.

Below are the screenshots of iCloud Control Panel. As you can see, while the backups are “available” in the Control Panel, the only thing you can do with them is viewing the list of available files and deleting selected backups (and even then, you can only view the date, time and size of the latest backup out of the three versions stored, and can only delete all three versions at once).

Opening iCloud Control Panel in Windows:


Opening iCloud Control Panel in Mac:


And here is the iCloud Control Panel itself (Win/Mac):




These are the actual backups as listed by iCloud Control Panel (Win/Mac):



If you are not familiar with iCloud, you can get more information from Apple’s official Web site:

How It Works

So now you have the right PC, and are pretty sure it has iCloud authentication tokens. What next?

You’ll need to use command-line tools supplied with Elcomsoft Phone Password Breaker to search for and to extract authentication tokens. Note that you can extract tokens that belong to all users on that system, including domain users (if you have their system login and password).

After extracting the authentication tokens, just save them somewhere (e.g. on a USB flash drive), launch Elcomsoft Phone Password Breaker and start iCloud acquisition. You will be prompted for authentication credentials. Instead of entering login and password, you’ll need to paste the authentication token files you’ve just extracted. Done! Phone Password Breaker will now use the extracted authentication tokens to access iCloud – no login and no password needed.

The tool for extracting authentication tokens is called ATEX (Apple Token Extractor). The file is saved into the same folder where Elcomsoft Phone Password Breaker is installed under the following name:

  • atex.exe (Windows)
  • atex.dmg (MacOS X)

Most likely, you wouldn’t want to run the token extraction tool from the folder where it is installed. In Windows this is simply impossible, as the token file cannot be saved into the Program Files folder (unless you have administrative privileges; even if you do have them but UAC is enabled, the token might not be saved). The tool is fully portable and works on any computer without requiring installation. We recommend saving the relevant tool (atex.exe for Windows, or mounting atex.dmg on a Mac by double-clicking the file) onto a USB flash drive, and running them from that USB drive plugged to the computer you are acquiring.


Assuming you already put the tool onto a USB drive, open command prompt (cmd.exe) and launch the tool:

>atex.exe <parameters>
-h // Shows help message
-l // Shows system users with iCloud tokens
-t [username] [password] // Get auth token for specified user

In order to extract the token for currently logged in Windows user, you may simply launch atex.exe with no parameters. Normally, you will see the following output:

Authentication Token is successfully saved to \\?\C:\TOKENS\icloud_token_20140611_145234.txt
Press any key to exit...


In order to list users with authentication tokens, launch ATEX with “-l” option:

>atex -l
iCloud users:
Press any key to exit...

In order to retrieve the token for a different Windows user, specify that user’s password (in our example the user is a domain user):

>atex -t v.katalov@ELCOMSOFT password
Authorization Token is successfully saved to \\?\C:\TOKENS\icloud_token_20140611_151109.txt
Press any key to exit...

You will need administrative privileges to retrieve another user’s token, even with the correct password. ATEX will automatically request elevated privileges, so you may see a UAC prompt as well.

This is how a token file looks in Windows:



In MacOS X, ATEX comes as a .DMG (disk image) with ‘atex’ (Mac executable) only. We did it on purpose in order to preserve rights to execute on that file (Windows does not support that). In order to extract the executable file (atex with no extension), simply double-click on the DMG file to mount it (on MacOS X). You can then copy the executable file onto a USB flash drive; if you want to preserve execution rights, make sure the flash drive is formatted with HFS+. Alternatively, you can use it from any folder on that Mac computer.

Using ATEX on Mac systems is similar to Windows usage. The differences are slim. In Windows, if you want to extract a token from a different user, you’ll be specifying the password in the command line. On a Mac, the password is prompted by the system in interactive mode. In addition, in Mac environments, you’ll be using the “-u” option before the user name. The final difference is in the output format. In Windows, you’re getting a plain text file. On a Mac, you’ll receive a .plist (XML) file.

The correct way of launching ATEX on a Mac is launching the console, changing the current folder (‘cd’) to one where ‘atex’ is stored, and then launching APEX.


In order to list users with authorization tokens, and in order to extract tokens for users other than the currently logged in user, you’ll need root privileges. As a result, you’ll need to use sudo to launch ATEX (you’ll be prompted for root password):

sudo atex -l
sudo atex --iCloudUserList

To extract a token for a certain user:

sudo atex --getToken -u <username>

Finally, when you first launch ATEX on a Mac, the system will prompt you to allow access to keychain. Naturally, you’ll have to allow access.

Using the Token

So now you have extracted one or more tokens. How do you actually use them? Let’s start from what’s inside the token file. On Mac, you’ll see a .plist file with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

In this file, the following line is a token. You’ll need to enter the entire line into EPPB:


The second part of the line is the actual token; the first part is the user’s Apple ID in Apple’s internal notation.




Everything else in that .plist file (such as the user’s actual Apple ID) is stored for your information only, and is not used for the acquisition process.

The rest is simple, and has no differences from acquiring iCloud backups using the Apple ID and password. There are several notes to take:

  • There is no way to recover the original password from the token.
  • If the user logs out of iCloud Control Panel, the system deletes the token, and Elcomsoft Phone Password Breaker cannot obtain it. However, you can try carving the disk.
  • A new token is created every time the user logs in to iCloud Control Panel with their login and password. Interestingly, existing tokens are not invalidated, and can be used to retrieve iCloud backups just like the latest token.
  • If the user logs in to iCloud Control Panel on different computers (but using a single Apple ID), the tokens will be different, but any of them will work with EPPB.
  • While the tokens may expire after awhile, we don’t know their exact expiration.
  • If the user changes their password, old tokens will no longer work.
  • You can use ATEX from a USB flash drive with no installation. The tokens will be stored onto the same flash drive.

What Else Is New

Did I just say the new Phone Password Breaker is all about iCloud access? While password-free access is major news, we have many new improvements made to the latest Phone Password Breaker. In particular, we added GPU acceleration support for the latest generation of NVIDIA Maxwell video cards and updated our Open SSL code to a new version non susceptible to the Heart Bleed bug. There are other additions and enhancements. The full list includes:

Added GPU acceleration support for NVIDIA Maxwell video cards. The new Maxwell architecture is fantastic! At this time, only one board based on this architecture is available. This is the entry-level GTX 750. However, we expect new high-performance cards (the 800-series) to come soon. I think they are going to beat top AMD cards which, at the time, are power-hungry beasts.

Open SSL has been updated to a version not vulnerable to HeartBleed. You probably heard about HeartBleed. If not, you can get more information here. EPPB uses OpenSSL to download iCloud and Windows Phone backups. The latest release uses an updated version of OpenSSL having no HeartBleed bug.

The current password and the number of remaining passwords are displayed during the attack. This progress data can come handy during the attack.

More reliable iCloud acquisition over slow connections. iCloud is not the fastest cloud on the market. Combined with a slow, unreliable connection it could become a true headache. We have much improved our algorithms to make acquisition over slow, unreliable connections much more reliable.

Improved reliability on multi-GPU configurations. Fixed intermediate crashes when two or more GPUs were used.

Multiple GUI improvements. We gold-plated the bells and whistles, coloring some UI controls to make them more readable.

Keychain data loaded and decrypted much faster. The beta version had a delay opening the keychain in the “Keychain explorer”. We fixed the bottlenecks to eliminate the delay.

No authentication is required when re-downloading iCloud backups. While no substitute for true multi-user acquisition (please stay tuned!), we implemented a mechanism allowing you to re-download information from iCloud (e.g. with different options applied, such as categories) without having to enter the password again.

More information in the Journal. We expanded information stored in the Journal, in particular adding snapshots processing data.

Bug fixes. We fixed a few annoying bugs here and there, for example, fixing the crash when displaying the keychain in full screen.

  • 4

Tags: , , , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

54 Responses to “Breaking Into iCloud: No Password Required”

  1. Oscar Molina says:

    Hello Vladimir! I,ve been downloading Icloud backups for sometime with Elcomsoft, but since like 10 days ago, I can,t. And it always leaves a message saying something like “There was a network problem performing the task. Peer certificate cannot be authenticated with given CA certidicates” Error code 60. Last http response:0

    Can you help me with this?

    Thank you very much.

  2. Oscar,

    What version of EPPB do you use, and what the iOS version (for the devices with iCloud backups)?

    Best of all, please create the ticket in our online support system (we may need to request more information from you).

  3. Thaddeus says:

    Same error code 60 message here.
    Please post answer when solved.

  4. Thaddeus,

    The same question — what is your version of EPPB, and what version of iOS your backups have been created from?

  5. Thaddeus says:

    1.90/1432 Prof / 7.1.1

  6. bazhef says:

    Sorry to bump this again but i’m having the same problem.
    My version of EPPB is 1.92
    Not sure what the iOS is though but its an iPhone 5 so i’d imagine its the latest version of iOS.

  7. Thaddeus, Bazhef,

    Please update your EPPB to the latest version (3.0). Apple make some changes to the iCloud protocol from time to time, as well as to iCloud backup data format — so old versions of EPPB cannot work with modern backups.

  8. Kala says:


    I’ve got a question. Is there any chance of adding a possibility to download the backups of the apps that are separate from device backups? Is that even possible?

    Thank you

  9. Kala,

    Yes, it is possible — we are working on that and almost done. The next version of EPPB (to be released later this month) will be able to browse and download all files from the iCloud, not just device backups.

  10. Kala says:

    Thank you very much for the information.

  11. Joe says:

    Hi Vladimir,

    I’d like to chat to you in confidence about this tool – is there an email address I can use?


  12. james says:

    icloud control panel is installed on pc, is functional, has cloud access, and remains open.
    user then changes the apple id password, using the device itself.
    the current tokens on the pc are now useless to access the cloud.

  13. Bill says:

    Can someone please contact me I have submitted 3 request for reseller status and you fine folks don’t seem to have the ability to respond. I want to purchase the product but if this indicative of the support it concerns me!!!!

  14. Bill,

    I am really sorry for the inconvenience. Please contact me at v.katalov@elcomsoft.com, and I will take care.

  15. shall kstorin says:

    I already have the apple id and password but regular icloud.com didn’t show me anything but basic contact and keynote, etc. I downloaded it on pc a wile back but didnt see all the data and storage option or a control panel, but i think it wasnt set to backup and that was not hooked up correctly. I just redownloaded iclousd for windows and it looks different, but havent explored what i can access yet.
    I wanted to know if i have the id and password is authentication token and encomsoft download required or am i already have what i need now with windows download and bakups enable right?

    • Shall,

      If you have a normal account (without two-step verification) and know the password for the Apple ID, you can use EPPB to download complete device backups. If, of course, your device is set to create them (instead of loical iTunes backups). Your Windows (COntrol Panel) settings does not matter at all.

  16. Мурадым says:

    как открыть Apple ID и пороль у меня iphone 4S gjvjubnt я его купи с рук

  17. Мурадым,

    Способа обойти Activation Lock не существует. Разлочить Ваш телефон может только сам Apple (если вы предоставите доказательства того, что приобрели его легальным путём). Либо обратитесь к продавцу, чтобы он удалил устройство из своего аккаунта.

  18. Mohit says:

    Is their any possibility to recover my iPhone cos I forgot my icloud password and my iPhone 5s stuck on icloud Password,
    Is their any hope please tell me
    I’ll be waiting for your response

  19. nancy says:

    hi , i already succeeded to get the apple ID and password(of someone else of course), and i need to access these backups through the pc without the notifying the real owner of the icloud, please assist me

  20. Mohit,

    Sorry, no way (technically). You can start from iCloud password reset, there are several options there:


    If it does not work you can only ask Apple to unlock the device, if you have proof of purchase.

  21. Nancy,

    Once iCloud backup is being downloaded, the owner of the account now receives a notification (by email), and there is no workaround.

  22. Nancy says:

    Hi Vladimir
    Can u tell me how to read someone’s imessage?

  23. Nancy,

    Well, you need to know (at least) Apple ID and password of that person.

  24. amir says:

    hi with this service is possible remove icloud activation lock ?

  25. aria says:

    haloo vladimir… i have found ipad mini.. and the position is icloud lock..from old owner…

    how i break the icloud and i can use the ipad like ussual. and use my id thank you vladimir

  26. Arpit Jain says:

    Hello Vladimir,

    Am using Iphone 4 before a day i reset my device and now my device asked Apple ID & Password for Activate iPhone but i don’t know ID & Password. Actually some of my uncle gifted me this phone and he bought this from his one friend in Canada but unfortunately my uncle is no more.
    So can u help me in this??


  27. Arpit Jain,

    Sorry, if the device uses ‘Activation lock’ but password is not know, only Apple itself can unlock it (you will have to provide proof of purchase, though).

  28. Lucky says:

    Hello sir I buy second hand mobile this I cloud lock can you hell me

  29. Karne Ajay says:

    Hi Vladimir katalov.
    By this can we make “find my iPhone” OFF.
    and use it with another Apple ID.
    If the above thing is not possible can i find my Apple ID and password which was lost before two days by using my mobile number or by extracting token.

  30. krishna dahal says:

    Dear sir
    my I phone 4s
    forgot may i cloud id and password how to solv this probelms

  31. krishna dahal says:

    how to break icloud id

  32. krishna dahal form nepal says:

    when i phone switch on first of display i cloud id and password

  33. BOB says:

    Can I just get the Icloud Email, so I can email the original owner of the Icloud locked device with this software/

  34. Dicky says:

    Vlad, i got a locked 6S. How do i unlocked the icloud?
    Currently locked by passcode.

  35. Dicky says:

    currently works on 9.3.1. Locked with passcode.

    Recently saw alot phone posted but locked with i-cloud.

  36. Vladimir Katalov says:


    Sorry, unlocking from the iCloud is only possible with the original password (to Apple ID this device is connected with) — or by Apple themselves (once you get the purchase receipt). There is no other way.

  37. Dicky says:

    Thanks man, is that any way to break the passcode? Once i getting in, i reset the apple id.

  38. sazam says:

    Forget icloud ID & Pass word for iphone 4s, pls let me know how I can creak it?

  39. louiebose@yahoo.com says:

    thanks man

  40. Shah Md. Enamul Hoque says:

    i bought a iphone. but it was icloud lock. what can i do?

  41. prithivi says:

    HELLO sir i have got a i phone 6 from someone as a gift past 6/7 moth. he is from US as per he says . i was unable to cheak that phone at the time because i was in remot area so that was not any network and electricity fo charging battary. now i am trying use from some days but it display in put apple id and password previews owner i have not his contact how can i get his contact mail can you sages me please ?

  42. aprithivi says:

    Thank you for Response sir
    i have got a i phone 6 from some one as a gift before 6/7 month.i could not check that time because of i was in remote area that time no battery charging no network .now
    day i am in city in kathmandu Nepal i am trying to use from some month but it has been displaying put the Apple id and password rite owner .He is from America as per his say but i have no his contact if may get his mail address i will contact him asked about the matter .this phone IMEI no is 359238069628272 if you help me this matter i will very great full to you