Tag Archives: jailbreak

Regaining access to a passcode-disabled iOS device

Update 2016-03-16: This 2012 post discussed iOS 5 on iPhone 3GS. Both the iOS hardware and software are more secure these days. I don’t use iOS much these days either. I’m keeping the post up for archival, but chances that I can help you are very low.

You have a passcode-disabled iOS device? You get a message similar to “iPhone disabled for XYZ minutes”? Especially if the message mentions millions of minutes, this may be a problem. Or does the iPhone instruct you to plug it into iTunes, and then iTunes says that you need to unlock the passcode, without a way for you to enter it?

One way is to restore the device. Unacceptable if you have important info on the device.

Let’s instead destroy the passwords and Springboard settings. You’ll still need to enter your passcode, but at least you’ll be able to unlock the device. If you forgot the passcode, you’ll at least have SSH installed and a way to connect to the device. If you find the instructions on how to remove the passcode completely, leave a comment below.

Instructions for OS X. Tested on iPhone 3GS with 5.0.1. You’re expected to have at least a brain, some experience with jailbreaking, and understanding of UNIX systems.

1. Grab the latest redsn0w. (At the time of writing, redsn0w 0.9.11b4.)

2. Grab “SSH_bundle.tgz”.

3. Run redsn0w and click “Jailbreak”.

4. Follow the instructions and choose “Install custom bundle”.

5. Wait until device reboots.

6. Grab “usbmuxd”. Tested with “usbmuxd-1.0.7.tar.gz”.

7. Unpack it, open Terminal, and go into the newly created “usbmuxd-1.0.7” folder.

8. Go to “python-client” subfolder. Type “python tcprelay.py 22:2023”. This allows you to connect to the device via the USB cable.

9. In a new Terminal window or tab, type “ssh root@localhost -p 2023”. This’ll work about 30 seconds after the device boots successfully.

10. Try typing “alpine” as the password. If it works, congratulations! Let’s move on.

11. In the terminal that is connected via SSH to your iPhone, type “rm /var/mobile/Library/Preferences/com.apple.springboard.plist”.

12. In the terminal that is connected via SSH to your iPhone, type “rm /var/Keychains/keychain-2.db”.

13. Just to be sure, let’s check your date. In your local Mac terminal, type “date”. Copy the result to the clipboard. In the terminal that is connected via SSH to your iPhone, type “date”. If the dates aren’t reasonably close (a couple of hours of difference max), type “date -s PASTETHEDATEFROMYOURMAC” into the iPhone terminal. Now type “date” in the iPhone terminal again just to be sure.

14. Reboot the device. Enter the passcode.


Information source: this post, research


Again, if you are able to remove the passcode completely, tell me. The thread containing the post I linked to has some info, but I haven’t been able to verify it. (I don’t plan on locking a customer’s iPhone again just to check, thank you very much ;))

Figuring out software version of a passcode-disabled iPhone

If you have an iPhone that’s passcode-locked, especially with a message that the iPhone needs to be connected to iTunes, you may want to try to unlock it by jailbreaking, installing SSH and messing with the filesystem. (tcprelay.py from usbmuxd is very helpful for SSHing if the iPhone doesn’t connect to a known wireless network.) There’s this tutorial on installing SSH on a disabled iPod, which doesn’t use tcprelay.py and is targeted at Windows users, but it should nonetheless give you the starting info.

Before you start you may want to discover which software version is installed on the iPhone.

The current redsn0w, 0.9.11b4, displays the device name, ECID, and software build when you use the “Fetch SHSH” functionality. There’s also the “Identify” functionality, which should do the same thing, but it won’t collect the SHSH blob (collecting it is a good idea if you want to downgrade in the future). The build name is a string similar to iPhone2,1_5.0.1_9A405 and can be used to obtain the correct .IPSW for your device, enabling you to jailbreak the device and to install the contents of “SSH Bundle.tgz”. Most importantly, fetching SHSH blobs is a non-destructive operation.
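A small parser for the build string format quoted above, which also checks that an IPSW file name matches the identified device before it is used. This is an added example, not part of the original post or of redsn0w; the function names and the `<build string>_Restore.ipsw` file naming are assumptions.

```python
import os
import re
from typing import NamedTuple, Tuple

# <model identifier>_<iOS version>_<build>, e.g. iPhone2,1_5.0.1_9A405
FIRMWARE_RE = re.compile(
    r"^(?P<model>[A-Za-z]+\d+,\d+)"
    r"_(?P<version>\d+(?:\.\d+){1,2})"
    r"_(?P<build>\d+[A-Z]\d+[a-z]?)$"
)
IPSW_SUFFIX = "_Restore.ipsw"  # assumed file naming convention


class FirmwareId(NamedTuple):
    model: str                 # hardware identifier, e.g. "iPhone2,1"
    version: Tuple[int, ...]   # e.g. (5, 0, 1), comparable as a tuple
    build: str                 # e.g. "9A405"


def parse_firmware_id(text: str) -> FirmwareId:
    """Split a build string into model, version and build; reject anything else."""
    m = FIRMWARE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a model_version_build string: {text!r}")
    version = tuple(int(part) for part in m["version"].split("."))
    return FirmwareId(m["model"], version, m["build"])


def matches_ipsw(identified: FirmwareId, ipsw_path: str) -> bool:
    """True only if the IPSW file name encodes exactly the identified firmware."""
    name = os.path.basename(ipsw_path)
    if not name.endswith(IPSW_SUFFIX):
        return False
    try:
        return parse_firmware_id(name[: -len(IPSW_SUFFIX)]) == identified
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the build string quoted in the post.
    device = parse_firmware_id("iPhone2,1_5.0.1_9A405")
    print(device)
    for candidate in ("iPhone2,1_5.0.1_9A405_Restore.ipsw",
                      "iPhone3,1_5.0.1_9A405_Restore.ipsw"):  # constructed names
        print(candidate, matches_ipsw(device, candidate))
```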

You’re welcome.

(All files mentioned are googleable.)