How to Hack an iPhone: Step-by-Step Guide to Accessing iOS Device Data
In this article, we’ll take a detailed look at what happens to an iPhone in a forensic lab. We’ll find out how realistic it is to bypass iOS security on different versions and what tools are needed in each case. We’ve covered parts of this process before, but today we’ll break it down completely and try to cover all possible scenarios.
Background: Can You Really Hack an iPhone in Nine Minutes?
On August 13, 2018, BBC Russian Service reported that the Russian Investigative Committee had purchased equipment to hack iPhones, claiming it could unlock the latest iPhone in just nine minutes. This statement, attributed to expert Dmitry Saturchenko, compared the Israeli Cellebrite system (which can take over a day and requires serious data analysis) to the MagiCube, which supposedly processes the same iPhone in nine minutes and is optimized for extracting sensitive data from messengers.
This might give the impression that anyone can simply extract messenger data from any iPhone, but that’s not the case for many reasons. For one, MagiCube is a hard drive duplicator, not a mobile device analyzer. It only works with iPhones running iOS 10.0–11.1.2 (never updated after December 2, 2017). You also need to know or crack the device’s passcode (using tools like GrayKey or Cellebrite). Only after unlocking the phone can you connect it to the system and extract information.
Despite this, the news spread widely, with some sources incorrectly stating that the MagiCube could unlock the latest iPhones in about ten minutes. So, what’s really possible? Can you hack an iPhone 7 or 8 in nine minutes? Is the iDC-4501 (not MagiCube) really better than Cellebrite and Grayshift? Let’s break down what was actually purchased, how and when it works, and what to do in the 99% of cases where the system fails.
It Depends on the Device and Situation
Before trying to access an iPhone, you need to understand what’s possible under different conditions. The device model and iOS version matter a lot (and sometimes you won’t even know which version is installed). Even with a known model and iOS version, the phone could be in various states, affecting which methods and tools are available.
For this guide, we’ll focus on iPhones with 64-bit processors: iPhone 5S, all iPhone 6/6s/7/8/Plus models, and the iPhone X. These devices are similar in terms of hacking, except for older models if you have access to Cellebrite services.
Is There a Passcode Set?
Apple uses strong encryption and multi-layered security, but if there’s no passcode, extracting data is trivial. You can start the process in those famous nine minutes, though copying 100GB of data can take about two hours. Here’s what you need to do:
- Connect the phone to a computer, establish a trusted relationship, and create a backup. You can use iTunes (make sure to disable two-way sync), but professionals prefer specialized software.
- If there’s no backup password, set one and make another backup. This ensures all data, including the keychain (passwords saved in Safari and apps), is encrypted with your chosen password.
If you don’t know the backup password, brute-forcing is possible on older iOS versions (8.x–10.x), but for iOS 10.2 and later, brute-force is extremely slow. You might try using passwords saved in Chrome or other browsers to build a dictionary for the attack—this works surprisingly often.
On iOS 11 and 12, you can reset the backup password directly from the iPhone settings (if you know the device passcode). This resets some settings but keeps all apps and data intact.
Without jailbreaking, you can extract the following from an unlocked iPhone:
- Full device information
- User info, Apple accounts, phone number (even without a SIM card)
- List of installed apps
- Media files: photos and videos
- App files (e.g., iBooks documents)
- System crash logs (which may include info about deleted apps)
- An iTunes backup containing data from many apps and user passwords
Jailbreak and Physical Data Extraction
If the backup doesn’t have what you need or you can’t crack the backup password, jailbreaking is the next step. Jailbreaks exist for all iOS 8.x, 9.x, 10.0–11.2.1 versions, and Electra works for iOS 11.3.x. Jailbreaking requires public tools (like Meridian, Electra, and Cydia Impactor) and a trusted computer connection. Alternatively, you can exploit known vulnerabilities for privilege escalation without a public jailbreak.
After jailbreaking, you can extract a full file system image via SSH or specialized tools. For iOS 11.4 and newer, jailbreaking isn’t currently possible, so you’re limited to backups and accessible files.
Note: Not all data is included in backups (e.g., Telegram chats, email messages, and detailed location history are missing), but backups still provide a lot of information.
What If the Device Has a Passcode?
Most users set a passcode, especially if required by work policies or to use Apple Pay. If you know the passcode, you can do almost anything: unlock the device, change Apple ID passwords, disable iCloud lock, extract keychain passwords, and more. On iOS 11+, the passcode is also needed to establish trust with a computer for backups or jailbreaking.
If you don’t know the passcode, your chances of extracting data drop, but it depends on the device’s state and iOS version.
Is the Device Locked or Unlocked?
Police often ask suspects to unlock their phones on the spot. If the device is unlocked, you should:
- Disable auto-lock in settings (if possible; corporate policies may prevent this)
- Connect to a computer and establish trust (iOS 11+ requires the passcode)
- Create a backup if trust is established
- If trust can’t be established, try to find the lockdown file on the user’s computer
Lockdown files store cryptographic keys for trusted computers and can be used to access data without unlocking the phone, as long as the file is still valid. Their location varies by OS:
- Windows Vista/7/8/8.1/10: %ProgramData%\Apple\Lockdown
- Windows XP: %AllUsersProfile%\Application Data\Apple\Lockdown
- macOS: /var/db/lockdown
Lockdown files expire after a while (about two months of inactivity on iOS 11+), so old files may not work.
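The flip side of the lockdown files described above is that they are a standing liability on any computer the phone was ever trusted with. The following script is an added example, not code from the original article: it walks the pairing-record directories listed above, reports the age of each record and flags the ones that have outlived the roughly two-month validity window so they can be reviewed and deleted. The 60-day threshold, the assumption that records are stored as *.plist files, and the sample timestamps used in testing are assumptions made here for illustration.

```python
"""Audit lockdown (pairing) records left on a host by trusted iPhones.

Added example, not from the original article. Lists every pairing record
in the article's lockdown directories, reports its age and flags records
older than a configurable threshold (default 60 days, approximating the
article's "about two months" figure for iOS 11+) as candidates for removal.
"""
import os
import platform
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Pairing record directories from the article, keyed by platform.system() value.
LOCKDOWN_DIRS = {
    "Windows": [
        Path(os.path.expandvars(r"%ProgramData%\Apple\Lockdown")),
        Path(os.path.expandvars(r"%AllUsersProfile%\Application Data\Apple\Lockdown")),
    ],
    "Darwin": [Path("/var/db/lockdown")],
}

STALE_AFTER = timedelta(days=60)  # assumption: ~two months, per the article


def candidate_dirs(system=None):
    """Return the lockdown directories that actually exist on this platform."""
    system = system or platform.system()
    return [d for d in LOCKDOWN_DIRS.get(system, []) if d.is_dir()]


def classify_record(name, mtime, now, stale_after=STALE_AFTER):
    """Return (name, age_in_days, is_stale) for one record.

    Age is measured from the record's last modification time; anything older
    than stale_after is flagged as stale (likely expired on the device side,
    so the host copy is pure exposure with no remaining use).
    """
    age = now - mtime
    return (name, age.days, age > stale_after)


def audit_records(directory, now=None, stale_after=STALE_AFTER):
    """Classify every pairing record (assumed to be *.plist) in directory."""
    now = now or datetime.now(timezone.utc)
    report = []
    for record in sorted(Path(directory).glob("*.plist")):
        mtime = datetime.fromtimestamp(record.stat().st_mtime, tz=timezone.utc)
        report.append(classify_record(record.name, mtime, now, stale_after))
    return report


def stale_records(directory, now=None, stale_after=STALE_AFTER):
    """Names of records that should be reviewed for deletion."""
    return [name for name, _, stale in audit_records(directory, now, stale_after) if stale]


def main():
    dirs = candidate_dirs()
    if not dirs:
        print("no lockdown directory found on this host")
        return
    for d in dirs:
        print(f"== {d}")
        for name, days, stale in audit_records(d):
            print(f"{'STALE' if stale else 'ok':5} {days:4}d  {name}")


if __name__ == "__main__":
    main()
```

Run it on the machine that was used to sync or back up the phone; records it flags as stale can be deleted outright, and the remaining ones are the computers the device still trusts. Deleting a record only revokes the host side of the pairing, so the phone will ask to trust the computer again on the next connection.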
If you have access to the user’s biometrics (fingerprint or face), you can view passwords stored in the local keychain.
Is the iPhone On or Off?
This is crucial. If the iPhone is on and has been unlocked at least once since boot, you can access the encrypted user partition, apps, logs, and more. Services like AFC and backup are available, and you can extract photos and other data using a valid lockdown file. If the phone is off, you’ll need the passcode to access any data, as the user partition is encrypted and the key is derived from the passcode and hardware key.
On iOS 11.4.1 and newer, if the device is locked and more than an hour has passed since the last unlock or accessory connection, USB data transfer is blocked (USB Restricted Mode). In this case, you can’t even get device info or iOS version without unlocking the phone.
When Can You Hack the Passcode?
Now for the big question: Can you hack an iPhone in nine minutes? It depends on the device’s state:
- Old iOS (pre-11.4), unlocked at least once since boot: You can use GrayKey or Cellebrite (if you’re law enforcement). Four-digit codes can be cracked in under an hour; six-digit codes are fast for the first 300,000 attempts, then slow down due to Secure Enclave protections.
- Old iOS (pre-11.4), never unlocked since boot, or iOS 11.4/11.4.1+ (USB Restricted Mode not active): Brute-force is very slow—four-digit codes may take a week, six-digit codes up to two years.
- iOS 11.4.1+ with USB Restricted Mode active: Only biometric unlock or the correct passcode will work. Automated brute-force is impossible, and data wipe after ten failed attempts (if enabled) can’t be bypassed.
How Passcode Hacking Works
For iOS 10 and 11, there are two main solutions: Cellebrite (a service for law enforcement) and GrayKey (a device for law enforcement and select organizations). GrayKey doesn’t use DFU mode but loads an agent in system mode. Brute-force speed is much faster if the device has been unlocked since boot; otherwise, it’s extremely slow (one attempt every ten minutes). After 300,000 attempts, the speed drops further.
However, fast brute-force is only possible on iOS up to 11.3.1. On iOS 11.4 and newer, GrayKey is limited to one attempt every ten minutes, making six-digit codes nearly impossible to crack.
USB Restricted Mode
Starting with iOS 11.4.1, iPhones and iPads block USB data transfer one hour after the last unlock or accessory connection. This was introduced to counteract GrayKey and Cellebrite. If the device enters this mode, you can’t connect it to hacking systems, and brute-force attacks won’t work. The only way around is to unlock the phone with biometrics or the passcode, or to connect it to a compatible accessory within an hour of the last unlock.
Apple is working on making USB data transfer block instantly after locking the device in future iOS versions.
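To make the one-hour rule concrete, here is an added example (not from the original article) that replays a constructed timeline of device events and answers whether the USB data channel would still be open at a given moment. It follows the article's rule that data transfer is blocked one hour after the last unlock or accessory connection; the event names, the timeline and the handling of a device with no unlock on record are assumptions made for illustration, and the window length is a parameter so the instant-block behaviour the article says Apple is planning can be modelled as well.

```python
"""Timer model of USB Restricted Mode as described in the article.

Added example, not from the original article. Given a list of
(timestamp, event) tuples, decides whether USB data transfer is still
permitted at a query time: an "unlock" or "accessory_connected" event
restarts the window, and the channel closes once the window (default one
hour) has elapsed. Event names are assumptions chosen for this example.
"""
from datetime import datetime, timedelta

# Events that restart the window, per the article.
RESET_EVENTS = {"unlock", "accessory_connected"}


def last_reset(events, at=None):
    """Most recent window-restarting event at or before `at` (None if none)."""
    resets = [t for t, name in events if name in RESET_EVENTS and (at is None or t <= at)]
    return max(resets) if resets else None


def usb_data_allowed(events, at, window=timedelta(hours=1)):
    """True if USB data is permitted at `at`, False if the window has closed.

    Returns None when no unlock or accessory event is on record: the
    article's rule only describes what happens after such an event, so
    the model makes no claim about that state.
    """
    reset = last_reset(events, at)
    if reset is None:
        return None
    return at - reset < window


def blocked_at(events, window=timedelta(hours=1)):
    """Moment the device enters USB Restricted Mode, given the events so far."""
    reset = last_reset(events)
    return reset + window if reset is not None else None


# Constructed timeline: the accessory connection at 09:50 restarts the window
# that the 09:05 unlock started, so the channel stays open until 10:50.
TIMELINE = [
    (datetime(2018, 8, 13, 9, 0), "boot"),
    (datetime(2018, 8, 13, 9, 5), "unlock"),
    (datetime(2018, 8, 13, 9, 50), "accessory_connected"),
]

if __name__ == "__main__":
    for hh, mm in [(10, 0), (10, 30), (10, 50), (11, 0)]:
        at = datetime(2018, 8, 13, hh, mm)
        print(at.time(), "allowed" if usb_data_allowed(TIMELINE, at) else "blocked")
    print("restricted mode from", blocked_at(TIMELINE).time())
    print("instant-block variant:", usb_data_allowed(TIMELINE, datetime(2018, 8, 13, 10, 0), window=timedelta(0)))
```

The point the model makes visible is that the accessory connection at 09:50 moves the cut-off from 10:05 to 10:50, which is exactly why a phone that is kept connected to an accessory never reaches the restricted state, and why setting the window to zero closes the channel the moment the device locks.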
What If the Phone Is Locked, Broken, or Missing?
If you can’t access the device, you can try extracting data from iCloud. Law enforcement can request all user data from Apple with a warrant, including cloud backups. Others can try logging in with the Apple ID and password, which might be found using password recovery tools or by resetting via email. Two-factor authentication can sometimes be bypassed if you have the SIM card. You can also look for an authentication token on the user’s computer to access iCloud without a password or 2FA.
With the right credentials or token, specialized software (like Elcomsoft Phone Breaker) can download:
- Cloud backups (up to two per device)
- Synchronized data: Safari history, calendars, notes, contacts, call logs, text messages (including iMessage, with the right credentials), files synced from a Mac, and even FileVault 2 decryption keys
- Photos (if iCloud Photo Library is enabled)
- Passwords (if iCloud Keychain is enabled and you have a trusted device’s passcode)
Conclusion
If you’ve read this far, you know that hacking an iPhone in nine minutes with a “magic cube” or similar device is only possible if the phone is running iOS 10–11.2.1 (never updated after December 2, 2017) and is unlocked or the passcode is known. If the device has been updated or is locked with an unknown passcode, you’ll need GrayKey or Cellebrite (which will extract all data if successful). If the phone is running iOS 11.4.1 or newer and more than an hour has passed since the last unlock or accessory connection, even these tools won’t help.
As of August 2018, about 57% of devices were running iOS 11.4.1, making them impossible to hack with technical means alone unless the user unlocks the device or provides the passcode. With iOS 12, which is faster and more secure, most users will upgrade, spreading USB Restricted Mode even further.
For iOS 11.4, a jailbreak vulnerability has been found and a jailbreak is expected soon. For iOS 11.4.1 and iOS 12, no critical vulnerabilities have been found yet, but it’s likely only a matter of time.