iOS Restrictions Passcode Cracker
A JavaScript implementation using CryptoJS

Special thanks to these folks: Hashcat and John the Ripper
who figured out the encryption scheme & a way to break it VERY FAST!
This is a much slower way, but accessible by all through a simple webpage!

Directions in many languanges available on YouTube: https://www.youtube.com/results?search_query=ios7hash

iOS7+ encrypts the Restrictions Passcode using pbkdf2-hmac-sha1, which is very strong!
However the keyspace (0000 to 9999) is very small, so it is fast to try every code!

NOTE: I hate downloading unknown software that might contain malware, so I built this webpage!
Nothing is transmitted to the server, Javascript does all the work within your browser.
To speed up the search, you can open multiple windows and stagger the start & end codes.

RestrictionsPasswordKey:
RestrictionsPasswordSalt:
Starting Passcode: Last Search Code:

Notes:

I love hearing when the site has helped others! ios7hash (at) derson.us
A few generous people have said thanks through: Paypal or Venmo

You need access to unecrypted iOS backup files or a jailbroken device to find the keys.
From a jailbroken device, you need this file: com.apple.restrictionspassword.plist

On Windows or a Mac, the file can be found in an unencrypted iTunes backup:
On Windows, the file is located here: "%AppData%\Apple Computer\MobileSync\Backup\" xxxRandomxxx\ 39\
Mac: ~/Library/Application Support/MobileSync/Backup/ where the "~" represents your Home folder.
-- note, if you don't see Library in your Home folder, hold Option and click the Go menu.

The file you need has this crazy name: 398bc9c2aeeab4cb0c12ada0f52eea12cf14f40b

If the backup is not encrypted, within that file, you should see text like this: <dict> <key>RestrictionsPasswordKey</key> <data> FklNcq4P3mJYSNjDFWvv2ei2+uE= </data> <key>RestrictionsPasswordSalt</key> <data> aSbUXg== </data> </dict> The key is: FklNcq4P3mJYSNjDFWvv2ei2+uE= and the salt is: aSbUXg==

You can copy & paste the key and salt above to watch the webpage work. (hint: 0020)
The webpage will automatically stop & a pop-up will appear with your restrictions code when finished.

If you have questions or need additional directions, check out a great blog by nbalkota.

I host this site on GitHub so you can read the code yourself.


To create an unecrypted backup through iTunes, uncheck Encrypt local backup


You must know the backup password to create an unencrypted backup or decrypt an existing backup.
There are tools you can download to directly read the encrypted files, but you always need the backup password!
PinFinder is a free and fast recovery solution.

There are many other tools available to read/decrypt iTunes backups, search Google.
My favorite is iBackupBot because it has a built in viewer & can decrypt backups.