MOBILedit Forensic Express is able to connect to iPhones protected by passcodes. Many iPhone users use iTunes, especially for managing music and almost everyone has connected their iPhone to iTunes at least once. To get through the passcode, you need to access the computer that the locked iPhone was connected to and obtain the 'lockdown file' that iTunes creates automatically for any iPhone that connects to that PC.

You will find the lockdown files located in the iTunes folder along with one of these file paths, depending on your operating system. 

  • Windows Vista, 7, 8, 10

C:\ProgramData\Apple\Lockdown

  • Windows 2000/XP

C:\Documents and Settings\All Users\Application Data\Apple\Lockdown

  • Mac OS X

/var/db/lockdown

After finding these files, move them to a different location on the disk or transfer them to the computer with MOBILedit Forensic Express installed if needed. Once you have the file, click on the "Upload lockdown file".

Then select your lockdown file.

Click on Open and your iPhone will reconnect and will be unlocked.

If your device is running iOS 9, or higher, the device will not connect if it was rebooted after it was locked. If the phone is still running you can use this method without any issue.

The lockdown files method works in different ways for certain iOS versions.

  • for iOS 8 and lower, it works basically without any limitations (even factory reset is not an issue)

  • for iOS 9 - 11, it does work without any significant limitations (rebooting still does not reset the lockdown file)

  • for iOS 11 - 11.3  an additional protection mechanism was added, now requiring a passcode to establish the trust feature.  (The reboot still does not corrupt the file though)

  • for iOS 11.3 and above the expiration date for the lockdown file added, meaning that you have to enter the passcode at least once a week. 

  • for iOS versions 11.4 and above the "restricted mode" was introduced, which means if the device is disconnected from the PC for more than an hour, the user is forced to insert the passcode (or touch/face id) again.

This feature is turned on by default, however, the user can disable it in the settings.