Dealing with a Locked iPhone

April 15th, 2016 by Oleg Afonin

So you’ve got an iPhone, and it’s locked, and you don’t know the passcode. This situation is so common, and the market has so many solutions and “solutions” that we felt a short walkthrough is necessary.

What exactly can be done to the device depends on the following factors:

Hardware Generation


From the point of view of mobile forensics, there are three distinct generations:

  1. iPhone 4 and older (acquisition is trivial, even when locked)
  2. iPhone 4S, 5 and 5C (32-bit devices, no Secure Enclave; a jailbreak is required; installing one needs an unlocked device, but an already jailbroken device can be acquired while locked)
  3. iPhone 5S, 6/6S, 6/6S Plus and newer (64-bit devices with Secure Enclave; a jailbreak is required, and the passcode must be known and removed in Settings)

Jailbreak Status

If the iPhone is already jailbroken, a 32-bit device can be acquired even if locked. If you have a 64-bit device, it must be unlocked, and the screen lock passcode must be removed in Settings.

Passcode Protection

If the device is locked with an unknown passcode and is newer than the iPhone 4, you will need to unlock it before acquisition (the one exception is a 32-bit device that is already jailbroken). Depending on the iOS version installed, a commercial passcode recovery box (e.g. IP-BOX) may help. Treat any solution advertising compatibility with all versions of iOS with suspicion: so far we have found none that works with iOS 9 and later.

Cloud Acquisition

If you know the user’s Apple ID and password, or if you have a binary authentication token acquired from the user’s computer, you may be able to download backups from iCloud (iOS 5.x through 8.x) or iCloud Drive (iOS 9.x).

Now let’s talk about these cases in more detail.

Acquiring iPhone 4 and Older

For these legacy devices, acquisition is trivial regardless of lock status. All you need is Elcomsoft iOS Forensic Toolkit. Launch EIFT, connect the phone to the computer, boot into DFU mode, and follow the prompts to recover the passcode, image the device, extract decryption keys and decrypt the keychain. No obstacles here.

Note, however, that you still need to recover the passcode to decrypt all data on the iPhone 4 (older models have no such protection). Without the passcode the following remains encrypted: mail, the keychain and some protected app data. Breaking a 4-digit passcode on these devices is straightforward and reasonably fast (4-5 passcodes per second on the iPhone 4); longer and alphanumeric passcodes come with no guarantee.

Acquiring iPhone 4S, 5 and 5C

These phones can only be acquired if jailbroken. For the iPhone 4S, 5 and 5C the acquisition process is different and does not use DFU mode. It looks like this:

Is jailbreak installed?

Yes: proceed to the next step.

No: you’ll have to jailbreak the device, subject to jailbreak availability for its iOS version. If the device is locked and you don’t know the passcode, you will not be able to jailbreak it. Jailbreaking may require removing the lock screen passcode and disabling Find My iPhone, which in turn requires the correct Apple ID password. If a jailbreak cannot be installed, stop right here and consider other acquisition options.

Install OpenSSH

OpenSSH is required. Install it on the iPhone from the Cydia repository.

Use Elcomsoft iOS Forensic Toolkit

Once you launch Elcomsoft iOS Forensic Toolkit, you’ll see a list of available options. Run the following commands in this order: Get keys, Decrypt keychain, Image disk, Decrypt disk. This extracts and decrypts the keychain, then images the user partition and decrypts it.

As with older devices, without the passcode you can decrypt most but not all of the information extracted from the device: mail, the keychain and some app data remain encrypted until you have the correct passcode. Brute-forcing a 4-digit passcode on jailbroken 32-bit devices is possible within reasonable time at 20 to 25 passcodes per second; longer and alphanumeric passcodes come with no guarantee.

Acquiring iPhone 5S, 6/6S/Plus

These 64-bit devices are equipped with Secure Enclave, and require a different process for physical acquisition. There is no way to acquire a 64-bit iOS device if it is locked with a passcode and the passcode is not known, even if the device is already jailbroken. You will need to unlock the device and disable passcode in Settings (which requires entering the original passcode) before you can perform physical acquisition.

For 64-bit devices, the acquisition process looks like this:

Is the device locked with an unknown passcode?

Yes: if it’s locked and you don’t know the passcode, stop right here. Consider other acquisition options.

No: unlock the device. Go to Settings -> Touch ID & Passcode and turn the passcode off (you’ll have to enter the passcode to do that).

Is jailbreak installed?

Yes: proceed to the next step.

No: you’ll have to jailbreak the device, subject to jailbreak availability for its iOS version. Jailbreaking may require disabling Find My iPhone, which in turn requires the correct Apple ID password. If a jailbreak cannot be installed, stop right here and consider other acquisition options.

Install OpenSSH

OpenSSH is required. Install it on the iPhone from the Cydia repository.

Use Elcomsoft iOS Forensic Toolkit

Once you launch Elcomsoft iOS Forensic Toolkit, you’ll see a list of available options. For 64-bit devices, the only acquisition option available is the “TAR FILES” command. Use it to image the device. The image comes out decrypted automatically, because the files are read through the running, unlocked device rather than from a raw partition. Note that the keychain database is extracted but NOT decrypted: the Secure Enclave holds the keychain class keys and does not release them, so they cannot be extracted even from a jailbroken device.

A Word on Physical Acquisition

Physical acquisition is the most comprehensive acquisition method available. We have two articles explaining the benefits of physical compared to other acquisition methods:

Unknown Passcode: Can It Be Recovered?

You only need to recover the passcode before acquisition if you are dealing with a recent (iPhone 4S and newer) iPhone. Older devices can be broken into with Elcomsoft iOS Forensic Toolkit via DFU mode, which recovers the passcode as part of the process.

In certain cases, an unknown passcode can be recovered. Whether this is possible depends on the hardware generation, the iOS version and whether the iPhone is configured to erase itself after 10 unsuccessful unlock attempts (an optional setting).

Generally speaking, passcode recovery with a dedicated box (e.g. IP-BOX or similar) is available if all of the following is true:

  • The phone is protected with a 4-digit numeric passcode
  • You’re trying to unlock a 32-bit device without Secure Enclave *
  • The device is running iOS 8 or older **
  • You’re certain that an option to erase the device after 10 unsuccessful attempts is not enabled

* The Secure Enclave (iPhone 5S and newer) enforces progressively increasing delays between failed passcode attempts. Some products claim to work around that protection by inserting an artificial delay of several seconds between attempts. Needless to say, this makes recovery extremely slow, but depending on your circumstances it may still be worth the wait.

** Compatibility with different versions of iOS varies between vendors. At this time, we know of no solution that recovers passcodes on iPhones running iOS 9 and newer.

Note, however, that some vendors (e.g. the MFC Dongle, http://www.cellcorner.com/xshp/unlock-phone-codes/mfc-dongle-full-set-with-cable-set-and-ipower-adapter.html) claim to recover passcodes on jailbroken iOS devices running iOS 8 through 8.4 (support for non-jailbroken devices ends at iOS 8.1).

We know of the following popular solutions employing a combination of custom hardware and software to crack iPhone passcodes:

  • IP-BOX (up to iOS 8.1.1)
  • MFC Dongle (up to iOS 8.1; up to iOS 8.4 for jailbroken devices)
  • HDB Box (up to iOS 8.1)
  • ViTool (up to iOS 7.x)
  • svStrike
  • XPIN CLIP (up to iOS 8.1)

A quick comparison table for these devices is available at http://www.cellcorner.com/xshp/unlock-phone-codes/xpin-clip-bruteforce-pincode-patter-lock-unlocker.html

While these combined hardware/software solutions are advertised as breaking device passcodes, they have too many limitations to be practical. Most are limited to certain iPhone models and iOS versions, and even on compatible models they are far from 100% effective. For example, passcode recovery is not available for iPhones that are already disabled after multiple wrong entries. They cannot bypass the “Erase data after 10 failed passcode attempts” option. Many boxes cannot deal with the increasing delay between attempts (hardware-enforced since the iPhone 5S), and even those that do are extremely slow (think of one passcode every several seconds). Try them at your own risk.

Other Acquisition Options

If a jailbreak cannot be installed, you are limited to logical and over-the-air acquisition. In this context, logical acquisition simply means creating an iTunes backup of the device; no commercial mobile forensic tool does anything special here, it is always a backup produced through the same backup service iTunes uses. Subsequent analysis options may vary.

If physical acquisition is not available for a given device, you still have options: locate a lockdown record and make a local backup; look for existing offline backups; look for iCloud authentication tokens on the user’s computer to attempt cloud acquisition; or use the Apple ID and password (if known) to do the same.

Lockdown Records

The first option is to locate a lockdown record on a computer (PC or Mac) the iPhone was paired with. If the iPhone has been unlocked at least once since its last cold boot, the lockdown record lets that computer talk to the iPhone while it is still locked. Once that works, you can use iTunes to make the phone produce a local (offline) backup.
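
As an added illustration (example code written for this post, not part of Elcomsoft iOS Forensic Toolkit or of any Apple tool), the script below locates pairing records on a computer and reports whether a record carries the escrow bag that lockdownd needs before it will talk to a locked phone. The directory locations are the standard ones used by iTunes on Windows and macOS and by libimobiledevice on Linux; the record keys (HostID, SystemBUID, EscrowBag, the certificates) are the ones found in such records. The two records it parses are constructed inside the script, not taken from a device.

```python
"""Offline inspection of iOS lockdown (pairing) records.

Added example for this post; not Elcomsoft or Apple code. The sample records
below are constructed, not copied from a real device.
"""
import os
import plistlib
import sys
from typing import Dict, List, Tuple

# One <UDID>.plist per paired device lives here (assumption: the standard
# locations for iTunes on macOS/Windows and libimobiledevice on Linux).
LOCKDOWN_DIRS = {
    "darwin": "/var/db/lockdown",
    "win32": os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"),
                          "Apple", "Lockdown"),
    "linux": "/var/lib/lockdown",
}


def default_lockdown_dir(platform: str = sys.platform) -> str:
    """Pick the lockdown directory for the host this script runs on."""
    for prefix, path in LOCKDOWN_DIRS.items():
        if platform.startswith(prefix):
            return path
    return LOCKDOWN_DIRS["linux"]


def find_pairing_records(directory: str) -> List[Tuple[str, str]]:
    """Return (udid, path) for every per-device record in `directory`.

    SystemConfiguration.plist only holds the host's own SystemBUID and is
    skipped; every other .plist is named after the paired device's UDID.
    """
    if not os.path.isdir(directory):
        return []
    records = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist") and name != "SystemConfiguration.plist":
            records.append((name[:-len(".plist")], os.path.join(directory, name)))
    return records


def summarize_record(raw: bytes) -> Dict[str, object]:
    """Parse one pairing record and report what it can be used for."""
    rec = plistlib.loads(raw)
    escrow = rec.get("EscrowBag")
    return {
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        # The escrow bag is what lets lockdownd accept this host while the
        # screen is locked (after the phone was unlocked once since boot).
        "has_escrow_bag": isinstance(escrow, bytes) and len(escrow) > 0,
        # Records written on macOS and by libimobiledevice also keep the
        # host's private key, which the TLS handshake with the device needs.
        "has_host_private_key": "HostPrivateKey" in rec,
        "certificates": sorted(k for k in ("HostCertificate", "DeviceCertificate",
                                           "RootCertificate") if k in rec),
    }


def can_attempt_locked_backup(summary: Dict[str, object]) -> bool:
    """True if the record carries an escrow bag, i.e. it is worth trying on a
    *locked* phone. Necessary, not sufficient: the phone must also have been
    unlocked once since its last boot, which no offline check can see."""
    return bool(summary["has_escrow_bag"])


def _fake_pem(label: str) -> bytes:
    # Constructed placeholder; a real record holds the actual certificates.
    return ("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-%s\n"
            "-----END CERTIFICATE-----\n" % label).encode()


# Constructed sample: a complete record, including an escrow bag.
SAMPLE_WITH_ESCROW = plistlib.dumps({
    "DeviceCertificate": _fake_pem("DEVICE"),
    "HostCertificate": _fake_pem("HOST"),
    "RootCertificate": _fake_pem("ROOT"),
    "HostPrivateKey": b"CONSTRUCTED-HOST-KEY",
    "HostID": "2C1B3F8E-5D8A-4E0B-9C7F-1A2B3C4D5E6F",
    "SystemBUID": "7E3D9A10-4C2B-4F6E-8A1D-0B9C8D7E6F5A",
    "WiFiMACAddress": "02:00:5e:11:22:33",
    "EscrowBag": bytes(range(64)),
})
# Constructed sample: a record that carries no escrow bag.
SAMPLE_WITHOUT_ESCROW = plistlib.dumps({
    "DeviceCertificate": _fake_pem("DEVICE"),
    "HostCertificate": _fake_pem("HOST"),
    "RootCertificate": _fake_pem("ROOT"),
    "HostID": "9A7F1E20-3B4C-4D5E-6F70-8192A3B4C5D6",
    "SystemBUID": "7E3D9A10-4C2B-4F6E-8A1D-0B9C8D7E6F5A",
})

if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else default_lockdown_dir()
    for udid, path in find_pairing_records(directory):
        with open(path, "rb") as fh:
            info = summarize_record(fh.read())
        print(udid, "escrow bag:", info["has_escrow_bag"], "host:", info["host_id"])
```

Run it on the suspect's computer (or point it at a copied lockdown folder) to see which devices that computer has paired with and which records are worth trying against a locked phone. A record without an escrow bag still identifies the device and the host, but it will not get you past the lock screen.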

There are several things to note when going this route.

  1. Unlocking with a lockdown record only works if the iPhone was unlocked with a passcode at least once after the last reboot.
  2. When making a local backup with iTunes, you may find that it is password-protected. There is no way to remove, reset or replace that password without first entering the original one. Password-protected backups are encrypted. You can use Elcomsoft Phone Breaker to attack the backup password and decrypt the backup once the password is found. Depending on how long and complex the password is, recovery may or may not succeed. The attack itself is fast and runs offline on your computer with full hardware acceleration.
  3. On the other hand, if device backups are NOT password-protected, the keychain in the backup stays encrypted with a device-specific hardware key that cannot be broken off the device. To access information stored in the keychain, set a backup password of your own before making the backup, then use Elcomsoft Phone Breaker to decrypt the backup (nothing to break in that case, just enter the password you set).

To sum it up, if you’re able to unlock the device and produce a local backup, set your own known backup password instead of producing an unencrypted backup (you’ll get more data this way).

Why is an unknown backup password a problem? The backup password is a property of the device itself, not just a setting in iTunes. Once it is set, all backups of that device created on any computer are encrypted with the same password, and it cannot be changed until the original one is entered. Elcomsoft Phone Breaker can be used to break the backup password, although long and complex passwords may take forever. Sometimes, however, you may be able to extract the backup password from the computer the device was connected to.
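
Points 2 and 3 above are both decided by the keybag stored in the backup's Manifest.plist. The following added example (written for this post, not Elcomsoft code) reads a Manifest.plist offline, tells you whether the backup is encrypted, shows the PBKDF2 iteration count and salt a password attack would have to work through, and lists which protection-class keys are wrapped with the device's hardware key and therefore cannot be unwrapped anywhere but on that device. The TLV layout and the meaning of the WRAP bits follow the convention documented by the iphone-dataprotection project (WRAP & 1: wrapped with the device UID key; WRAP & 2: wrapped with the key derived from the backup password); the two manifests it inspects are constructed in the script, with made-up key bytes, and are not taken from a real backup.

```python
"""Offline inspection of an iTunes backup's Manifest.plist and BackupKeyBag.

Added example for this post, not Elcomsoft code. WRAP bit meanings follow
the iphone-dataprotection convention; the sample manifests are constructed.
"""
import plistlib
import struct

WRAP_DEVICE = 1    # only the originating device can unwrap this class key
WRAP_PASSCODE = 2  # the backup password can unwrap this class key

PROTECTION_CLASSES = {
    1: "NSFileProtectionComplete",
    2: "NSFileProtectionCompleteUnlessOpen",
    3: "NSFileProtectionCompleteUntilFirstUserAuthentication",
    4: "NSFileProtectionNone",
    6: "kSecAttrAccessibleWhenUnlocked",
    7: "kSecAttrAccessibleAfterFirstUnlock",
    8: "kSecAttrAccessibleAlways",
    9: "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    10: "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    11: "kSecAttrAccessibleAlwaysThisDeviceOnly",
}


def iter_tlv(blob: bytes):
    """Yield (tag, value) from 4-byte-tag / uint32-big-endian-length TLVs."""
    off = 0
    while off + 8 <= len(blob):
        tag = blob[off:off + 4].decode("ascii")
        (length,) = struct.unpack(">I", blob[off + 4:off + 8])
        value = blob[off + 8:off + 8 + length]
        if len(value) != length:
            raise ValueError("truncated TLV %r" % tag)
        yield tag, value
        off += 8 + length
    if off != len(blob):
        raise ValueError("trailing bytes after last TLV")


def parse_keybag(blob: bytes) -> dict:
    """Split a keybag into its header and its class-key entries.

    The first UUID is the keybag's own; each later UUID opens a class entry
    (CLAS, WRAP, KTYP, WPKY). Four-byte values are big-endian integers.
    """
    header, classes, current = {}, [], None
    for tag, value in iter_tlv(blob):
        if tag == "DATA":            # DATA/SIGN container form: read the inside
            inner = parse_keybag(value)
            header.update(inner["header"])
            classes.extend(inner["classes"])
            continue
        if tag == "SIGN":            # HMAC over DATA; not needed just to read
            continue
        parsed = struct.unpack(">I", value)[0] if len(value) == 4 else value
        if tag == "UUID":
            if "UUID" not in header:
                header["UUID"] = value.hex()
                continue
            if current is not None:
                classes.append(current)
            current = {"UUID": value.hex()}
        elif current is None:
            header[tag] = parsed
        else:
            current[tag] = parsed
    if current is not None:
        classes.append(current)
    return {"header": header, "classes": classes}


def describe_class(entry: dict) -> dict:
    """Say who can unwrap this class key: the device, the password, or both."""
    wrap, clas = int(entry.get("WRAP", 0)), entry.get("CLAS")
    return {"class": clas, "name": PROTECTION_CLASSES.get(clas, "unknown"),
            "needs_device_key": bool(wrap & WRAP_DEVICE),
            "needs_backup_password": bool(wrap & WRAP_PASSCODE)}


def inspect_manifest(manifest_plist: bytes) -> dict:
    """Is the backup encrypted, how costly is a password attack, and which
    class keys never leave the device?"""
    manifest = plistlib.loads(manifest_plist)
    keybag = parse_keybag(manifest["BackupKeyBag"])
    classes = [describe_class(c) for c in keybag["classes"]]
    return {
        "is_encrypted": bool(manifest.get("IsEncrypted", False)),
        "ios_version": manifest.get("Lockdown", {}).get("ProductVersion"),
        "pbkdf2_iterations": keybag["header"].get("ITER"),
        "salt_len": len(keybag["header"].get("SALT", b"")),
        "classes": classes,
        "device_bound_classes": [c["class"] for c in classes if c["needs_device_key"]],
        "password_bound_classes": [c["class"] for c in classes if c["needs_backup_password"]],
    }


def _tlv(tag: str, value) -> bytes:
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value


def build_sample_manifest(encrypted: bool) -> bytes:
    """Constructed Manifest.plist: real keybag shape, made-up key bytes."""
    blob = (_tlv("VERS", 3) + _tlv("TYPE", 1) + _tlv("UUID", b"\x11" * 16)
            + _tlv("HMCK", b"\x22" * 40) + _tlv("WRAP", WRAP_PASSCODE if encrypted else WRAP_DEVICE)
            + _tlv("SALT", b"\x33" * 20) + _tlv("ITER", 10000))
    for clas in sorted(PROTECTION_CLASSES):
        if encrypted:   # ThisDeviceOnly classes are device-wrapped on top of the password
            wrap = WRAP_PASSCODE | (WRAP_DEVICE if clas in (9, 10, 11) else 0)
        else:           # no password set: every class key stays bound to the device
            wrap = WRAP_DEVICE
        blob += (_tlv("UUID", bytes([clas]) * 16) + _tlv("CLAS", clas) + _tlv("WRAP", wrap)
                 + _tlv("KTYP", 0) + _tlv("WPKY", bytes([0x40 + clas]) * 40))
    return plistlib.dumps({"Version": "9.1", "IsEncrypted": encrypted, "BackupKeyBag": blob,
                           "Lockdown": {"ProductVersion": "9.3.1", "UniqueDeviceID": "0" * 40}})
```

To use it on a real backup, read Manifest.plist from the backup folder and pass its bytes to inspect_manifest(). A backup whose class keys all report needs_device_key is the "unencrypted backup" case of point 3: nothing you can do on the computer will open its keychain. A backup whose keys report needs_backup_password is the point 2 case, and pbkdf2_iterations with salt_len tells you what one password guess costs.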

We’ll briefly mention advanced logical acquisition as yet another method, one that existed before iOS 8 (so it applies to older devices running iOS 7 and earlier). It extracts more information than a backup contains; however, Apple closed the door on it in iOS 8. If you have a lockdown record and the device runs iOS 7 or earlier, you can try this method.

Cloud Acquisition

Since iOS 5, Apple has provided a convenient way to back up information to the cloud. iOS devices can be configured to back up automatically to iCloud (up to iOS 8) or iCloud Drive (since iOS 9). These cloud backups contain as much information as unencrypted local backups. Cloud backups are encrypted; however, Apple holds the decryption keys, and those keys are stored alongside the data.

These backups can be downloaded and decrypted with Elcomsoft Phone Breaker if either of the following is true:

  • You know the user’s Apple ID and password. If two-step verification or two-factor authentication is enabled, you have access to the secondary authentication factor. If you don’t know the user’s Apple ID password, you may be able to extract it (http://blog.elcomsoft.com/2015/03/acquiring-and-utilizing-apple-id-passwords-mitigating-the-risks-and-protecting-personal-information/).
  • You possess a non-expired authentication token extracted from the user’s PC or Mac. iCloud authentication tokens (iOS 5 through 8) expire within an hour, while iCloud Drive tokens (iOS 9) have a much longer lifespan. Two-step verification and two-factor authentication are automatically bypassed if you are using the token.

Note that existing cloud backups may be very old (which, by the way, can be used to your advantage as you may obtain information that was deleted from the device a long time ago). You may be able to force a locked iOS device to produce a fresh cloud backup if all of the following conditions are met:

  • The iPhone has been unlocked at least once since the last cold boot (otherwise, the Wi-Fi password remains encrypted)
  • The iPhone is connected to a known Wi-Fi network (you can set up your own Wi-Fi network with the same SSID and password as the user’s)
  • The iPhone is connected to a charger
  • The iPhone is locked

Any of the following can prevent cloud acquisition:

  • The Apple ID password was changed. If this is the case, the iPhone will not be able to connect to the cloud.
  • “Find My iPhone” was used to remotely lock or erase the device. If remote erase was activated, the iPhone will wipe the evidence immediately after getting online.
  • If two-factor authentication is enabled and the device you’re trying to acquire is the only trusted device, you may not be able to receive the secondary authentication code. You can try requesting the code as a text message/SMS to the phone number, and move the SIM card to another phone to receive it. (The SIM card may have its own PIN protection enabled, which is not very likely these days.)


28 Comments on "Dealing with a Locked iPhone"

Aud
My iPhone 4 is not locked but my backup is encrypted and I have tried every password I can think of to no avail. I tried the password breaker wizard and got zero results. Is this because it’s a trial copy? I would buy the software if I thought it would actually work! I want to transfer my voicemails off my phone to my computer but I can’t get around the encrypted backup! I’m no longer using the iPhone having transported my number to a Nexus 5x. I like Apple products but it sure is difficult! I’m starting to think…
Invalid

Hi

Just commenting here since it’s the latest blog post. I haven’t been able to download my iCloud for at least a week. I keep getting the message “invalid data”. I have version 5.30 build 9935 but it’s weird because when I check for updates it takes me to the updating since, but I have the newest one.

Anyways hope you can fix the error.

Thanks

Vladimir Katalov

Invalid,

Please create a support ticket describing your problem in detail; of course we will help.

Vladimir Katalov

Aud,

Recovery of backup password is not always possible — if it is long and well selected. Do you have an idea what the password could be? You can try using larger wordlists and maximum mutations settings.

Brett

I have an iPhone 5S from my old company. I did a reset on it, but for me to access it, it says it needs to be configured by the company. How do I bypass/remove the configuration profile since I cannot access it without it first being configured?

Vladimir Katalov

Brett,

Sorry, no way.

Lindy

Hello,

please help!

I forgot my passcode on my iPhone 6 right after I set it. After around 10 attempts it has disabled my iPhone. I have never synced or backed up my iPhone. I’ve only “trusted” my computer a few times when I charge my phone (with my old passcode). Is there any way to break the passcode? Or give me a few more attempts to try the passcode?
Is it possible to have some one “decrypt” my 4 digit passcode?

thanks a lot!!!

Vladimir Katalov

Lindy,

The only way to break the passcode on iPhone 6 is using the hardware solution like IP-BOX (no warranties of any kind though).

srujal patel

I have an iPhone 6s Plus. I got an app, can’t remember the user ID or email anymore, and accidentally created a new ID, deleted the app, reinstalled it. Is there a way I can extract the username on my iPhone from the hx stored somewhere on the iPhone for that app?

Vladimir Katalov

Srujal,

The Apple ID is stored in many places in the keychain. To find it, create a password-protected iTunes backup of your device, and then use Phone Password Breaker (in particular, the “Explore keychain” feature).

Claire

The new iPhone 7 has poor call quality. The quality gets better when the phone volume is decreased. Any idea how to solve this issue?

ashraf

My iPhone 6 is running iOS 10. I forgot the passcode of my phone, and I also don’t remember my Apple ID or the email I used for it. Is there any way to unlock it?

Vladimir Katalov

Ashraf,

There is no way to break the passcode on iPhone 6 running iOS 10, sorry. As for Apple ID password, you can reset it here:

https://iforgot.apple.com/password/verify/appleid

BluHeaven

Hi, my iPhone 6 (iOS 8.4) has been disabled because of too many passcode tries. Is it possible to enable it with your product?

Vladimir Katalov

Unfortunately, no, sorry.

BluHeaven

Thanks for answering!

Is it possible if the device is jailbroken?

Vladimir Katalov

Sorry, hard to say — we have not tried it in such a situation. In fact the jailbreak alone is not enough; one also needs to have OpenSSH installed on the device. The question is whether it is accessible when the device is disabled (if yes, then at least you should be able to get a copy of the device).

chris

iPhone 4s, iOS 8.1.1. Disabled, “connect to iTunes”. Someone thought they were being funny. I know the passcode. Is there anything I can do? Please help! IP-BOX says it works up to 8.1.1, but I don’t know if it’ll work for me. Any help is appreciated.

Vladimir Katalov

It’s better to contact IP-BOX developers, because I’m not sure. I’ve definitely seen a similar device (or was that IP-BOX itself?) that works with disabled iPhones as well. But there is a big risk, unfortunately.

Guest
I have an iPhone 4s that still has the old iOS version 6. I forgot my new passcode and it went to the disabled screen that says “connect to iTunes” because I tried too many times to unlock it. Is there anything at all I can do, or someone I could send it to, who would be able to unlock it or at least get the photos off? I am not that tech savvy, so some of the stuff talked about in this article is over my head and I would not feel comfortable doing that myself for fear of…
Vladimir Katalov

Until you have the jailbreak installed on your iPhone, there is definitely no software-only solution, but devices like IP-BOX *may* help.

jud

How’s the best way of getting rid of a 33 million year lock on a 4s?

Vladimir Katalov

No way, sorry.

¤¤¤¤¤¤¤

what about cellebrite?

Vladimir Katalov

You mean the Cellebrite UFED product, or their unlocking service? They do have an “in-house” service to unlock some specific iPhone models (with particular iOS versions), but better contact them directly.

jud

My 4s has a 33 million year lock. How’s the easiest way to get rid of it?

arianna

Hi, how do I find the amount of storage on an iOS-locked iPhone 6? I bought a lost phone from some scammer on Craigslist and now am stuck with it. Expensive lesson learnt. I want to sell it for parts to recover some of my money. Please help.

Vladimir Katalov

There are some free online services that show the memory size by IMEI (which can be found on the SIM tray); also, there is a software method, e.g. using iMobileDevice:

http://quamotion.mobi/iMobileDevice/Download
