The iphone-dataprotection project (GiHub mirror) includes a tool to determine an iOS device's 4-digit passcode using a brute force technique. That project only claims support for devices <= iOS 8 and < A5. It turns out the code also supports A5 devices on iOS 9.
However the brute force utility also requires a companion kernel patch to enable access to keys such as 0x835 in calls to the AES accelerator from userland. This doc confirms the value of said patches for 32-bit iOS 9.
This writeup also describes the various st