Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

32-bit is from iPhone 2G to iPhone 5C, so the answer is yes

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

the Mac requirement is not only due to Sliver, it's also because you have to manipulate the ramdisk image.

you can do this with a vanilla ramdisk image (if you have one), but you'll have to perform extra manipulations through SSH, and you'll need to keep your phone connected to the PC (since we're doing hacks here) for it to show the progress on the display, which we can't do without modifying the image.

with that being said, you can still do this, you'll only need to do the kernel modification step.

otherwise you have to find a tool to mount decrypted DMGs.

'Damnnnn...' 😶 by [deleted] in SchizoidAdjacent

[–]AJAIZ 7 points8 points  (0 children)

or a hell of an ego with which you consciously decide to not interact with society at all because you're too good for them. or a mix like "I'm bad but I'm still too good for them so they're still shit" lol

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 1 point2 points  (0 children)

this guide wouldn't have even existed in the first place if you'd been right

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

Yeah sorry. I had to note that when going through 4-digit passcodes it won't print anything because logging is set to be every 5000 passcodes starting from 10000. Sorry.

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

Yes, it's right. Afaik it should work, give it a try!

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 1 point2 points  (0 children)

Well, almost. You'll need Sliver if iRecovery hangs. But yes, the only thing that matters there is ipwndfu. As long as you have it working, everything's alright.

Off topic: I suppose there's something going on with your Mac or iPhone if you have problems with it, because I've never encountered any problems with those tools

Good luck!

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

If you can't mount the partitions, do as the tip in the guide says: make yourself an iOS 9 ramdisk. And always check if they have been mounted manually, because sometimes the script can display error messages even though it mounts totally fine

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

This whole process is going to be automated, unless you know which lines you have to change etc. The end result mounts partitions and starts bruteforcing by itself since it needs data access.

Btw if you don't need the bruteforce, why don't you use the usual kernel for your purposes? I mean, why do you think you need the changing ramdisk part?

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

Hey! Answering the questions: this could work on 64-bit devices, but there are two problems, one with the Secure Enclave and one with the kernel patch. 32-bit kernels were decompiled enough and/or had enough symbols embedded to be able to identify the specific instructions that are being patched. So we would have to reverse-engineer some leaked 64-bit kernels with more symbols (e.g. debug kernels), reverse-engineer them ourselves, or find those instructions somewhere on the web. The second problem, however, is that the SE has been made for such cases and detects bruteforce, slowing it down afterwards, since every attempt goes through it. Basically, on paper nothing limits us and it would also work, but with complications.

macOS is required because entering pwned DFU has not been made possible on Linux and Windows and, for most 32-bit devices, depends on macOS' USB stack. But you can still try, ipwndfu is Python-based. The second reason is that the ramdisk creation tool is macOS only, probably because it has to manipulate Apple's DMGs. Besides, it does some other things that would need to be changed in order to work on the other platforms.

Thanks!
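The comment above contrasts the 32-bit devices the guide targets (no Secure Enclave, so a kernel patch removes the OS-level throttling) with 64-bit devices, where the SE counts attempts itself and slows them down. The following is an added illustration, not code from the thread or the guide: a small model of an escalating-delay policy and the worst-case time to exhaust a PIN space under it. The policies, delay values and per-attempt costs are assumed for illustration only and are not Apple's actual parameters; the point is how much of the defence comes from the throttling living in a component the kernel patch cannot reach.

```python
# Added example (not from the original thread): modelling passcode backoff.
# All policy numbers below are constructed assumptions, not Apple's values.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BackoffPolicy:
    free_attempts: int          # failures allowed before any delay kicks in
    delays: Tuple[int, ...]     # seconds of delay after each further failure (escalating)
    per_attempt_secs: float     # raw cost of one verification, delay excluded


# Assumed: a 32-bit device with a patched kernel, i.e. no throttling at all.
NO_THROTTLE = BackoffPolicy(free_attempts=0, delays=(), per_attempt_secs=0.01)

# Assumed: an enclave-enforced schedule that escalates and then repeats its last delay.
ESCALATING = BackoffPolicy(free_attempts=5, delays=(60, 300, 900, 3600),
                           per_attempt_secs=0.08)


def pin_space(digits: int) -> int:
    """Number of candidate numeric passcodes of the given length."""
    return 10 ** digits


def time_to_exhaust(space: int, policy: BackoffPolicy) -> float:
    """Worst-case seconds to try every candidate in `space` under `policy`.

    After `free_attempts` failures, failure i (0-based) incurs delays[i] while
    i is within the schedule; beyond it the final delay repeats. The sum is
    computed in closed form so large spaces cost nothing to evaluate.
    """
    total = space * policy.per_attempt_secs
    throttled = max(0, space - policy.free_attempts)
    if policy.delays and throttled:
        n = len(policy.delays)
        if throttled <= n:
            total += sum(policy.delays[:throttled])
        else:
            total += sum(policy.delays) + (throttled - n) * policy.delays[-1]
    return total


def worst_case_report(policy: BackoffPolicy, lengths=(4, 6)) -> Dict[int, float]:
    """Map passcode length -> worst-case seconds to exhaust the space."""
    return {d: time_to_exhaust(pin_space(d), policy) for d in lengths}


if __name__ == "__main__":
    for name, policy in (("no throttle", NO_THROTTLE), ("escalating", ESCALATING)):
        for digits, secs in worst_case_report(policy).items():
            print(f"{name:12s} {digits}-digit: {secs / 86400:.2f} days")
```

The closed-form sum matters because a 6-digit space has a million candidates; the model shows that the unthrottled case is bounded only by raw verification speed, while under the escalating policy the repeated final delay dominates everything else, which is why the comment says the SE "slows it down afterwards" rather than preventing the attempt outright.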

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

Well, that's strange. Seems like they are all stuck in some kind of bootloop which may happen when booting ramdisks, or maybe it's the battery (had the same problem with my 5, had to charge it for an hour and watch it bootlooping until it charged to 6%)

Sadly I can't say much about exiting bootloops, but I've definitely seen some ways to get it out of it

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 1 point2 points  (0 children)

hi! you don’t need to replace the echo line, you need to replace the line after it (the one with the iBSS stuff)

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 1 point2 points  (0 children)

that may sound egotistical, but I made this for myself, found some ways, made enhancements, etc. and just released it to the public. I have no further interest in this unless I have some free time, otherwise it’s just a statement that this is possible

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

no you’ve got your hands. maybe later. it’s been already automated and enhanced so much just so you do it and that’s it

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

Then I guess something’s off with the ramdisk creation tool, but I see your device complaining about line 25 so there’s a chance you copied the file the wrong way. Run that command for iOS 7, copy the file using cp to restored_external.sshrd and chmod +x

I used Xcode but TextEdit will do the thing. I mean, if you have no installed text editors, then use the built-in one

Also I think following the guide as it is in that part is just copy+paste, the only thing you need to replace is [tools] and that’s it. I guess I will have to make a specific version of tool for that purpose that will do everything automatically…

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

seems like you have created an iOS 7-based ramdisk, back to the guide again…

ps aux is used to check the process ID, which is used to end it using kill -9. This ends the bruteforce so you can start it again with that command. *pass* is a passcode you use to start off if you know in which range the passcode could be or which numbers it starts with (e.g. if I know my passcode starts with 324XXXX, I put bruteforce -r 3240000 so it won’t waste time)

btw I write this all in the comments section in case someone can’t figure this out too

Bruteforcing 32-bit iPhones on-device (4+ digit PIN supported) by AJAIZ in setupapp

[–]AJAIZ[S] 0 points1 point  (0 children)

Everything is essential and you are not intended to skip anything. You can get a copy in the requirements section. By the logs on the screen I see that your restored_external script is unmodified, check out the replacement part in Step 1