Elcomsoft iOS Forensic Toolkit 6.40: iPhone 5 and 5c passcode unlock

Elcomsoft iOS Forensic Toolkit 6.40 adds major functionality, enabling passcode unlock for iPhone 5 and iPhone 5c devices. The software-based unlock brute-forces 4-digit and 6-digit screen lock PINs. No soldering, disassembly or extra hardware required.

In Elcomsoft iOS Forensic Toolkit 6.40, we are introducing the ability to unlock encrypted iPhones protected with an unknown screen lock passcode. Our method supports two legacy iPhone models, the iPhone 5 and 5c, and requires no additional hardware except a Mac computer. Our unlock method is decidedly software-only; it does not require soldering, disassembling, or buying extra hardware. All you need is iOS Forensic Toolkit, a Mac computer, and a USB-A to Lightning cable. In this guide, we’ll demonstrate how to unlock and image the iPhone 5 and 5c devices.

Unlocking the iPhone 5 and iPhone 5c at maximum speed

Apple implements strong protection to defend its devices against brute force attacks. While newer devices (the iPhone 5s and subsequent models) rely on a hardware coprocessor to slow down attacks, 32-bit devices such as the iPhone 5 and 5c are not equipped with Secure Enclave. On these devices, both the escalating time delays after the entry of an invalid passcode at the Lock screen and the optional setting to wipe the device after 10 unsuccessful attempts are enforced in software by iOS.

Our solution disables both of these mechanisms, removes the risk of losing the data, and turns off the escalating time delay, enabling the attack to work at a full speed of exactly 13.6 passcodes per second, which is the maximum speed on these devices.

Elcomsoft iOS Forensic Toolkit 6.40 can try all possible 4-digit combinations in less than 12 minutes, while 6-digit PIN codes take up to 21 hours to complete. For this reason, we’ve developed a smart attack on 6-digit passcodes, trying the list of the most common passwords first. There are only 2910 entries in this list, and it only takes about 4 minutes to test them all. Examples on this list include the world hit 123456, repeated digits, as well as the digital passcodes representing certain combinations (e.g. 131313 or 287287). Following this list are the 6-digit PINs based on the user’s date of birth. After trying all of those combinations, which takes about 1.5 hours, the tool starts the full brute-force attack.

Release notes:

  • Breaking iPhone 5/5c passcode (macOS version only; experimental)
  • Improved Agent installation with Apple IDs that are connected to multiple developer accounts
  • Minor improvements and bug fixes

See also