Hackint0sh.org - iOS 4.x (iPhone OS 4.x) forum
Bypass Passcode on jailbroken devices
Hi,
with FW 3.1.x it was possible to bypass a passcode by deleting the keychain-2.db (or the entry in genp with acct="DeviceLockPassword") and com.apple.springboard.plist on the device.
As far as I can see this is no longer working with iOS 4. If you delete keychain-2.db it is created automatically after a reboot and the passcode is still active. genp no longer has an entry acct="DeviceLockPassword". There are two entries (passwords) in the automatically created keychain-2.db. One for the service "EnhancedVoicemail" and one for "PortableStorage".
Does anyone have more, or more detailed, information about the changes with iOS 4?
GrisoMG
-
-
Any update on this?
I have the same issue on a jailbroken iPhone 4 (4.0.1).
I have access to the file system. I'm able to reset the passcode retry count, but removing keychain-2.db does not reset the password; it looks like they store it in a different place now.
-
-
Super Moderator
Originally Posted by timmo4ka:
Any update on this?
I have the same issue on a jailbroken iPhone 4 (4.0.1).
I have access to the file system. I'm able to reset the passcode retry count, but removing keychain-2.db does not reset the password; it looks like they store it in a different place now.
Yes, they do. I haven't yet had the time to dig and find out where they store it now.
Please read the stickies & search forum before posting!
How to report an iTunes restore/update fail in a useful manner
-
iPad 3G 64GB (4.3.3, Redsn0w) oldest SHSH 3.2.2
iPhone 4 32GB (4.2.1, Redsn0w JB-monte) oldest SHSH 4.1
iPhone 3GS 32GB (4.3.3; Pwnagetool) factory unlocked oldest SHSH 3.1
iPhone 8GB (3.1.3; Pwnagetool) AT&T Locked - Unlocked with bootneuter
-
There's a flaw on 4.1:
"An iPhone glitch spotted by 9to5Mac lets users access locked iPhone 4 devices running iOS 4.1 by pressing a series of buttons. If a user taps "Emergency Call," on an iPhone 4, dials a non-emergency number, and then clicks "Send," the user will then be able to access the main Phone application, which includes the dial pad, contacts (send an email or SMS), voicemails, favorites, and recent calls. Engadget said that if you hold down the menu button to access voice controls, you'll be able to access the iPhone's music, too."
-
-
Super Moderator
Originally Posted by aneagle:
There's a flaw on 4.1:
"An iPhone glitch spotted by 9to5Mac lets users access locked iPhone 4 devices running iOS 4.1 by pressing a series of buttons. If a user taps "Emergency Call," on an iPhone 4, dials a non-emergency number, and then clicks "Send," the user will then be able to access the main Phone application, which includes the dial pad, contacts (send an email or SMS), voicemails, favorites, and recent calls. Engadget said that if you hold down the menu button to access voice controls, you'll be able to access the iPhone's music, too."
This is not what the original poster was after. The glitch you speak about only allows access to the phone and music functions, not to settings or other apps.
Anethema (one of the key people behind Push Doctor / Push Donor) has figured out how to disable this passcode on 4.x. I will ask him next time I find the time.
-
Bump - I have found the same thing. Deleting the DeviceLockPassword row from keychain-2.db table 'genp' worked fine on 3.1.3 but that value no longer exists in 4.1. Deleting the springboard file doesn't clear it either. The info doesn't seem to be out there...
Has anyone figured it out or do I need to do a DD image before and after enabling it? :p
-
-
Try to delete both "com.apple.springboard.plist" AND "keychain-2.db", then reboot.
in /var/mobile/Library/Preferences/
and /var/Keychains/
-
Super Moderator
Originally Posted by Pygmalion:
Try to delete both "com.apple.springboard.plist" AND "keychain-2.db", then reboot.
in /var/mobile/Library/Preferences/
and /var/Keychains/
Did you read the whole thread? This is about iOS 4.x where the technique you described no longer works. Don't give bad/incorrect advice!
-
-
Sorry about that. I did read the whole thread and I understand that the 3.1.3 method doesn't work on iOS 4 anymore, but I thought I read somewhere that deleting both files at the same time and rebooting was the solution. Although I hadn't tested it before my post, I just tried it and it doesn't work. I will not post untested "steps" anymore.
Anyway, going back to the problem, the key to finding how to bypass the passcode is to understand how it works and where it stores its data on iOS 4.
Maybe a way to do that is by watching what files have been changed after a passcode change/removal.
SSH: / # find . -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort | tail -n 25
This will list the last 25 files changed ...
I'd like to help...
-
It looks like these two files are working together:
//private/var/Keychains/keychain-2.db
//private/var/keybags/systembag.kb
What does systembag.kb do?
Things to try:
Change passcode to 1234
Backup keychain-2.db and systembag.kb
Change passcode to whatever
Restore keychain-2.db and systembag.kb
Reboot and check if passcode came back to 1234
I can't work on this now, but be careful and make sure to back up everything; you may get locked out playing with these files.
Also it would be nice to see if these two files were working together back in iOS 3.1.3. If not, then it's a good sign.
Last edited by Pygmalion; 03-04-2011 at 09:11 PM.