Rethinking BFU support – A Lesson from the Show Floor

Techno East 2025, Wilmington – Where I Realized Everyone Misunderstands BFU support (Including Me)

Christoffer Kraft – Professional Services Consultant at MSAB. Add me on LinkedIn Christoffer Kraft | LinkedIn

Earlier this month I had the pleasure of presenting at Techno East in Wilmington while also helping out at the XRY Pro stand. Between coffee-fueled chats and showing people how to identify test points, I spent a lot of time showing off what XRY Pro can do – especially our BFU support.

Now, BFU (Before First Unlock) support is something I’ve proudly talked about for years. It’s something we’ve been doing confidently for a very long time – getting into locked, rebooted phones. I just assumed that was common knowledge.

Spoiler: It wasn’t.

“So… what do you think BFU support means?”

That was the question I started asking booth visitors. And the answers were… consistent.

Every time, I got something like:

“It’s a bare-bones extraction – mostly just the DE partition”

Which is technically correct – for some tools.

But here’s the problem: when we say “BFU support”, we mean something totally different.

At MSAB, when we say BFU, we’re talking about the state the device is in – locked and rebooted – not the limitations of the extraction. It’s the state we’re able to attack. BFU support means we can brute-force the PIN and unlock close to everything: user data, messages, apps, photos – the full file system. But unless I spell out that we’re actually brute-forcing the device in that state, most people assume it’s just a partial or limited extraction.

That’s when I realized: maybe we’ve been underselling ourselves.

The “You gotta prove it” moment

One particularly skeptical visitor said more or less:

“Sounds cool, but I’ll believe it when I see it.”

Challenge accepted.

So I pulled out my own phone – locked, restarted, and up-to-date, and ran a live demo using XRY Pro.

As the extraction progressed, I explained that the brute-force process happens at the decoding stage, not during acquisition. He stuck around.

I chose a PIN length and watched XRY Pro go to work.

A few moments later – boom – it cracked my actual PIN (which, yes, I changed immediately after).“Userdata decrypted. Full access achieved. This is what real BFU support looks like.”

He was visibly impressed, and later I found out – he placed an order for XRY Pro a week or so later.

So what did I learn?

Even though I’ve been confidently talking about our BFU support for years, it turns out that phrase doesn’t always land the way we think it does. For many, it still means “limited system data.”

But what we’re actually offering is BFU Brute Forcing – a completely different level of access.

It was a great reminder that in this industry, language matters almost as much as technology. We can build the most powerful tools in the world, but if we don’t clearly explain what they actually do, we risk being misunderstood.