Locked iPhone & BadUSB

Hello everyone,

I am having trouble with a locked iPhone that uses an alphanumeric password. Could anyone recommend a script to help solve this issue?

Have you already tried

265_4_Digit_Pin_BF.txt

Android_top65_4digit_pin_bf.txt Android PIN attack (thanks rf-bandit!)

?

To understand the topic, we need to make clear that BadUSB is nothing more than a keyboard. If you attach a keyboard to your iPhone and type random sequences, you will have nearly the same success as with the Flipper.
Of course you could move away from random sequences to more structured ones and at least keep a list of already tried sequences. A Flipper with BadUSB could enter the list faster and for longer than a human could.

The next part to understand is that DuckyScript 1.0 only supports a sequence of key presses that are sent to the device. There is no program logic like a loop. This results in a very long .txt file and no real 'brute force'.

'A script to bypass the login' does not exist. And as long as the iPhone's iOS does not have a known bug, it never will. BadUSB does not sneak around the login screen.

Any accessory plugged into a modern iOS device prompts whether or not you wish to "Trust" the device that is connected to your phone. To enable that, you have to unlock it first.

And - there is no reasonable way to unlock an iPhone using a brute-forcing Flipper. After each attempt, the delay to the next attempt is increased.

Apart from that - if set - the data will be deleted after the tenth failed attempt.

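The lockout argument made in the two posts above, worked through as an added example (this is not code from the thread, from the Flipper project, or from Apple): the model types each entry of a guess list the way a BadUSB payload would, applies an escalating "disabled" timer after repeated wrong codes, and stops at the tenth failure, where the device either erases itself (Erase Data on) or stays disabled until it is connected to a computer. The timer schedule, the two-second typing time and the ordering of the guess list are assumptions chosen for illustration; Apple's exact values differ between iOS versions.

```python
"""Added example: how far a keyboard-style (BadUSB) guess list gets against
the iOS passcode lockout. Not code from the thread; the numbers below are
assumptions for illustration, not measured from any specific iOS version."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# ASSUMPTION: minutes the device stays disabled after the n-th wrong passcode.
# Apple's "iPhone is disabled, try again in N minutes" escalation has roughly
# this shape; exact values vary by iOS version.
LOCKOUT_MINUTES: Dict[int, int] = {5: 1, 6: 5, 7: 15, 8: 15, 9: 60}

# After this many failures the device either erases itself ("Erase Data" on)
# or stays disabled until connected to a computer. Either way the keyboard
# can make no further progress.
MAX_FAILURES = 10

TYPING_SECONDS = 2.0  # ASSUMPTION: time for BadUSB to type one code plus ENTER


@dataclass
class Outcome:
    attempts_made: int
    found: bool
    seconds_elapsed: float
    stopped_by: Optional[str]  # None, "wiped" or "disabled"


def simulate(guesses: Sequence[str], secret: str, erase_data: bool = True,
             schedule: Dict[int, int] = LOCKOUT_MINUTES,
             max_failures: int = MAX_FAILURES,
             typing_seconds: float = TYPING_SECONDS) -> Outcome:
    """Type guesses in order until the secret is hit or the device locks out.

    `secret` is here only so the model knows when a guess would have worked;
    a real BadUSB script gets no such feedback and just keeps typing, which
    is exactly the limitation the thread describes.
    """
    elapsed = 0.0
    failures = 0
    for n, guess in enumerate(guesses, start=1):
        elapsed += typing_seconds
        if guess == secret:
            return Outcome(n, True, elapsed, None)
        failures += 1
        if failures >= max_failures:
            return Outcome(n, False, elapsed, "wiped" if erase_data else "disabled")
        # Escalating disable timer before the next code can even be typed.
        elapsed += schedule.get(failures, 0) * 60
    return Outcome(len(guesses), False, elapsed, None)


def guesses_before_lockout(guesses: Sequence[str],
                           max_failures: int = MAX_FAILURES) -> int:
    """How many entries of a list are ever typed, however long the list is."""
    return min(len(guesses), max_failures)


# Constructed guess list: a handful of commonly cited PINs first, then the
# rest of the 4-digit space in numeric order (ordering chosen for the demo).
TOP_PINS: List[str] = ["1234", "1111", "0000", "1212", "7777",
                       "1004", "2000", "4444", "2222", "6969"]
_TOP = set(TOP_PINS)
ALL_4DIGIT: List[str] = TOP_PINS + [f"{n:04d}" for n in range(10_000)
                                    if f"{n:04d}" not in _TOP]


if __name__ == "__main__":
    lucky = simulate(ALL_4DIGIT, "7777")     # secret is among the first ten guesses
    typical = simulate(ALL_4DIGIT, "2580")   # secret is anywhere else in the 10,000
    print(f"{len(ALL_4DIGIT)} codes in the list, "
          f"{guesses_before_lockout(ALL_4DIGIT)} will ever be typed")
    print(f"lucky:   {lucky}")
    print(f"typical: {typical}  (~{typical.seconds_elapsed / 3600:.1f} h)")
    # An alphanumeric passcode only makes the list longer; the lockout cap is the same.
    alnum = simulate(["password", "letmein", "qwerty"] + ALL_4DIGIT, "Tr0ub4dor")
    print(f"alnum:   {alnum}")
```

The point the numbers make is the one in the posts: the size of the keyspace (4 digits, 6 digits, alphanumeric) barely matters, because the device stops accepting input after a fixed handful of failures, and the escalating timers mean even those few guesses take well over an hour of wall time.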

Sir_Fap_A_Lot solved the script for you. Maybe you need to solve the delay for the model you have. You can unlock the iPhone with iTunes… if that doesn't work, you have checkra1n.


Hi LupusE,

According to the message, it is not possible to use a script to try to crack the password of a device such as an iPhone using BadUSB. BadUSB acts similarly to an external keyboard, and even though it automates key sequence entry through something like DuckyScript 1.0, this is still limited to predetermined sequences and does not include complex programmable logic, such as loops, that would be required for an effective attempt at "brute force".

Furthermore, as long as there are no known vulnerabilities in iOS that allow you to bypass the login screen, any attempt to "bypass login" through methods like BadUSB will not be successful. BadUSB cannot interact in an unauthorized manner with the login screen; it acts only as a keyboard and relies on predefined inputs, without the ability to adapt or modify these inputs in response to target system conditions.

Tks.

Hi hightechlappen,

Thanks for the valuable information. It's really important to understand how the security mechanisms in iOS devices are designed to prevent unauthorized access.

I started using it, but I haven't made progress. Are these scripts only for four-digit passwords, or can I adapt this script to also test alphanumeric passwords?

Tks.


Thank you for the iPhone/iOS specific additional information. I am not really an iPhone expert. It is my company phone and I do nothing with it other than update it when an email telling me I have to appears.
So I just wanted to make clear, again, that the Flipper as a "hacking toy" is not able to get magically behind the lock screen.

I assume you are talking about the default settings of iOS, maybe this is even different in a MDM (Mobile Device Management) setup.

Depending on the model, fingerprint scanner and display specs, there are some other ways of unlocking it, but it will involve fuzzing the fingerprint chip. Also, depending on the board/BGA types, there are some other unlocking features available, changing hardware IDs etc., but from here it depends on what you want to accomplish. Actually brute the pincode? Get data from the phone? Or remove the hardware lock to reuse it as a new device? Those could involve removing chips and placing them back after flashing, and reballing a BGA at home with cheap tools can take some time and anger to get right, so it depends on what is most important for you to accomplish.

(My first reballing trials were BGA153 with laptops that had cheap SSDs soldered to the mainboard. Eventually you will get the feeling after a gallon of flux, but it will be a long, annoying weekend for the first trials. Trust me, those videos on YT of those Indian guys doing this in 5 minutes will be a proper de-motivational video, because IRL you will do it at least 3 times before you get a working reball for the first time, and you will be cleaning the BGA for the first time a lot more often than they show in the videos.)

Depending on the model, some are easier to break into than others. My last iPhone issue was a couple of years ago, so I am not fully up to date on the most recent models, but I expect the known vendors of sockets and flashers still have some rebuilt images to start from, depending on what you want to spend on tools, software, or time.

If it is purely about BadUSB, yeah, you could go for 6-digit PINs, but this way the warranty of the phone will run out before it is unlocked, so let's say it is not the most efficient way of going at a 6-digit PIN, especially with the delays that make it pretty unrealistic this way.

Also, depending on the camera, you could even attack it with pictures if it has face recognition and things like that, but still… it really depends on what your goal is. Do you need data from it? Do you want to unlock it this way to show you can? Or do you want to change the UID so you can flash it like it is a new phone?