Cracking PIN and Password Locks on Android

As you may know, it is possible to get around the PIN and password lock on an Android smartphone. In this post we describe the following two ways to do it:

  • on a rooted smartphone
  • with the help of the JTAG interface

Some Background Information

Since version 2.2 Android offers a numeric PIN or an alphanumeric password as an alternative to the pattern screen lock. Both are required to be between 4 and 16 digits or characters in length.


Android stores this passphrase in a special file called password.key in /data/system/. Storing the passphrase in plain text would not be very safe, so this time Android stores a salted SHA-1 hash and MD5 hash of the PIN or password. The numeric PIN and the alphanumeric password are processed in the same way (see the following code snippet).

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    // Framework code. getSalt() returns the stored salt string and toHex() encodes
    // bytes as upper-case hexadecimal; both are helper methods of the same class.
    public byte[] passwordToHash(String password) {
        if (password == null) {
            return null;
        }
        String algo = null;
        byte[] hashed = null;
        try {
            // The salt is appended to the password; the result is hashed with SHA-1 and MD5
            byte[] saltedPassword = (password + getSalt()).getBytes();
            byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
            byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
            // Stored as 72 ASCII bytes: 40 hex characters of SHA-1 followed by 32 of MD5
            hashed = (toHex(sha1) + toHex(md5)).getBytes();
        } catch (NoSuchAlgorithmException e) {
            Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
        }
        return hashed;
    }

Because the hash is salted this time, a dictionary attack with precomputed hashes is not feasible. To crack the password you need the salt and enough time for a brute force attack. The salt is the hexadecimal representation of a random 64-bit integer. There are two ways to obtain this salt, from which you can choose.

On a Rooted Smartphone:

If you deal with a rooted smartphone and USB debugging is enabled, recovering the PIN or password is quite simple. You just have to dump the file /data/system/password.key and the salt, which is stored in an SQLite database under the key lockscreen.password_salt. The corresponding database is called settings.db and can be found in /data/data/com.android.providers.settings/databases (see the figure below). Once you have both pieces of information, you can start brute forcing the password.

With the Help of the JTAG Interface:

If you deal with a stock, or at least unrooted, smartphone the whole process is a bit more complicated. First of all, you need special hardware like a Riff-Box and a JIG adapter, or some soldering skills. After you have obtained a physical dump of the complete memory chip, the hunt for the password hashes can start. To find the hash sums of the passphrase you need to keep the following points in mind:

  • The dump of the memory is broken into chunks of 2048 bytes
  • The password.key file contains two hashes as hex strings, together 72 bytes long:
    • a SHA-1 hash (20 bytes, stored as 40 hex characters)
    • an MD5 hash (16 bytes, stored as 32 hex characters)
  • These hex strings only contain the characters 0-9 and A-F
  • The following 1960 bytes of the chunk are zeros
  • The remaining 16 bytes of the chunk are random

Finding the SQLite database and the salt in it is much harder than finding the hashes. Since SQLite stores its data unencrypted, we have a first reference point: the string lockscreen.password_salt. When we find this string in our dump, we should be very close to the actual salt. At this point it is important to understand the SQLite file format.

Using this information we can define two rulesets, one to find the position of the salt and one to extract the actual salt (refer to the figure below for a better understanding):

  • Search for the string “lockscreen.password_salt”.
  • The byte directly in front of it has to be between 0x0F and 0x35. This byte encodes the length of our salt; we call it byteA for the rest of this article.
  • In front of byteA there has to be a byte with the value 0x3D (a serial type representing a string with a length of 24, i.e. the length of the string we searched for).
  • In front of that byte there has to be a zero byte.

If the first ruleset applies, we have found the right position in our dump and can start to extract the salt:

  • Decoding byteA as an SQLite serial type (length = (byteA - 13) / 2) gives the length of the salt, which has to be between 1 and 20 bytes.
  • Now extract exactly that many bytes directly after the string “lockscreen.password_salt”.
  • These bytes are the salt!

Once we have both pieces of information (hashes and salt) we can again start our brute force attack! In our test we could crack PINs (with up to 10 digits) and simple passwords (with up to 5 characters) within one hour.
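As an added, self-contained example (not code from the original post or from its authors' tools), the following Python reproduces the Java passwordToHash() snippet above and then applies both the 2048-byte chunk layout and the SQLite ruleset to a constructed memory dump. The PIN, the salt, the filler bytes and the decoy string are all constructed for this example; the record header bytes follow the ruleset exactly (header length, a NULL _id column, 0x3D for the 24-character key, then byteA for the salt). The final check is the same comparison Android performs when validating an entered PIN, so it confirms that the carved hash and salt belong together.

```python
import hashlib
import re

# Constructed sample values (not taken from the original post): a 4-digit PIN
# and a salt in the form the post describes, the hex representation of a
# random 64-bit integer.
SAMPLE_PIN = "1234"
SAMPLE_SALT = "6d3c2f8a1b4e9c07"

CHUNK_SIZE = 2048      # the memory dump is split into 2048-byte chunks
HASH_LEN = 72          # 40 hex chars of SHA-1 + 32 hex chars of MD5
ZERO_RUN = 1960        # zero bytes that follow the hashes inside the chunk
UPPER_HEX = re.compile(rb"[0-9A-F]{72}")
SALT_KEY = b"lockscreen.password_salt"


def android_password_hash(password: str, salt: str) -> bytes:
    """Reproduce passwordToHash(): upper-case hex(SHA-1) + hex(MD5) of password+salt."""
    salted = (password + salt).encode()
    sha1 = hashlib.sha1(salted).hexdigest().upper()
    md5 = hashlib.md5(salted).hexdigest().upper()
    return (sha1 + md5).encode()


def split_password_key(data: bytes) -> tuple:
    """Split the 72-byte payload of password.key into its SHA-1 and MD5 hex parts."""
    if len(data) != HASH_LEN or not UPPER_HEX.fullmatch(data):
        raise ValueError("not a password.key payload")
    return data[:40].decode(), data[40:].decode()


def find_password_key_chunks(dump: bytes) -> list:
    """Offsets of 2048-byte chunks laid out like password.key:
    72 upper-case hex chars, then 1960 zero bytes, then 16 arbitrary bytes."""
    hits = []
    for off in range(0, len(dump) - CHUNK_SIZE + 1, CHUNK_SIZE):
        chunk = dump[off:off + CHUNK_SIZE]
        if (UPPER_HEX.fullmatch(chunk[:HASH_LEN])
                and chunk[HASH_LEN:HASH_LEN + ZERO_RUN] == bytes(ZERO_RUN)):
            hits.append(off)
    return hits


def sqlite_text_length(serial_type: int) -> int:
    """SQLite record format: an odd serial type N >= 13 is TEXT of (N - 13) / 2 bytes."""
    return (serial_type - 13) // 2


def carve_salt(dump: bytes) -> list:
    """Apply the post's ruleset to every occurrence of the key string: the three
    bytes before it must be 0x00, 0x3D (TEXT of length 24) and byteA in 0x0F..0x35;
    the salt is the decoded number of bytes directly after the key string."""
    found = []
    pos = dump.find(SALT_KEY)
    while pos >= 0:
        if pos >= 3:
            byte_a, type_name, type_id = dump[pos - 1], dump[pos - 2], dump[pos - 3]
            if 0x0F <= byte_a <= 0x35 and type_name == 0x3D and type_id == 0x00:
                n = sqlite_text_length(byte_a)          # 1..20 bytes
                start = pos + len(SALT_KEY)
                found.append((pos, dump[start:start + n].decode("ascii", "replace")))
        pos = dump.find(SALT_KEY, pos + 1)
    return found


def matches_password_key(password_key: bytes, salt: str, candidate: str) -> bool:
    """The check Android itself performs: hash the candidate with the salt and compare."""
    return android_password_hash(candidate, salt) == password_key


# Constructed decoy: the key string in plain prose, which the 0x3D/0x00 checks must reject.
DECOY = b"text mentioning lockscreen.password_salt outside a record"


def build_sample_dump(pin: str = SAMPLE_PIN, salt: str = SAMPLE_SALT) -> bytes:
    """Constructed dump: filler, a password.key chunk, filler, the decoy, filler,
    a real settings record (header: length 4, NULL _id, TEXT(24) name, TEXT(n) value)."""
    filler = bytes(range(256)) * (CHUNK_SIZE // 256)      # 2048 non-matching bytes
    key_chunk = android_password_hash(pin, salt) + bytes(ZERO_RUN) + bytes(range(16))
    salt_b = salt.encode()
    record = bytes([0x04, 0x00, 0x3D, 13 + 2 * len(salt_b)]) + SALT_KEY + salt_b
    return filler + key_chunk + filler + DECOY + filler + record + filler


def recover(dump: bytes) -> dict:
    """Locate the hash chunk and the salt in a dump and return both."""
    chunk_off = find_password_key_chunks(dump)[0]
    sha1_hex, md5_hex = split_password_key(dump[chunk_off:chunk_off + HASH_LEN])
    return {"chunk_offset": chunk_off, "sha1": sha1_hex, "md5": md5_hex,
            "salts": carve_salt(dump)}


if __name__ == "__main__":
    print(recover(build_sample_dump()))
```

Running the script reports the chunk at offset 2048 and exactly one salt, because the decoy occurrence of the key string is preceded by prose characters rather than the 0x00 0x3D byteA header and is therefore rejected.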

Update:

Have a look at the update to this post for more recent information and automated scripts!

54 Replies to “Cracking PIN and Password Locks on Android”

  1. I just hope Google doesn’t allow the FBI to mock the us constitution which was set forth by our forefathers. it’s more than them trying to unlock a pimp’s smart phone riding on this. there are laws that govern this kinda stuff. what about due-process? due-diligence? right to privacy? search and seizure? i’ve read many of articles and the actual search warrant regarding this matter, it’s all he say-she say, or mere assumptions from this man’s past-life. nothing factual.

    if Google provides entry into this man’s phone; where does our society go from here? who’s rights are violated next? o yea, it will continue, think about it…. IT MAY BE YOU! are we a democracy? or, are we becoming a communist society? hnmmmmm!

  2. Pingback: Anonymous
  3. Didn’t you mean:

    If you deal with a rooted smartphone OR USB debugging is enabled

    Because USB debugging allows easy access to all files with adb shell. Rooted phones often have options to make entire file system backups to the SD card (just boot into backup mode). I’m referring to: “just have to dump the file”. How?

  4. Hi floyd,

    no, in this case I really mean AND.

    when you have a rooted device with enabled USB debugging you can run the following commands on your PC (with installed android sdk):
    $ adb pull /data/system/password.key .
    $ adb pull /data/data/com.android.providers.settings/databases/settings.db .

    if your device is not rooted and USB debugging is enabled these commands won’t work because you have insufficient access rights for these two folders

    if you have a rooted device with disabled USB debugging you can try to enable USB debugging remotely or boot into recovery mode, create an Android backup and restore the files from this backup on your local PC.

    I hope this answers your question.

    Best Regards,
    Michael

  5. @mspreitz

    If the phone is rooted, debugging disabled, encrypted using ICS, does that change anything?

  6. @Whatevs

    unfortunately, I haven’t had the chance to get my hands on an ICS running device yet.

  7. For a newbie but interested in learning this. Can you tell me how to bruteforce ?

    Some automatic way to bruteforce using the information acquired?

    My phone is a Nexus S, rooted and running Ice Cream Sandwich

  8. Hi PsyRead,

    I’m not sure how it is working in ICS, as far as I have seen the Android source code right now, there were some modifications in this area (e.g. no md5 hashes anymore) and our own scripts inside ADEL are not working with Android 4.0.3 at present. But we are working on a solution!

    Best regards,
    Michael

  9. Hi Michael,

    In your comments, you’re talking about enable USB debugging remotely. How is it possible? Do you have some example?

    Thanks a lot
    Geo

  10. It depends on the phone type. On some phones you can use a modified recovery image with enabled adb and root shell, on other phones you can extract this data with the help of a JTAG box.

  11. How do you perform the brute force operation?

    I tried writing a script calling GetBytes(20) against the .NET library Security.Cryptography.PasswordDeriveBytes, but I’m not sure how many iterations to use in the constructor.

  12. Is there any way to take the dump, overwrite the password and the salt with your own generated password and salt, then upload it back into the phone?

  13. I got the device rooted through a custom Odin download and can access a rooted adb shell from stock recovery. However, it seems that I still can’t access /data/system or /data/data. It appears like they’re not there. USB debugging isn’t enabled and that’s the entire reason why I’m attempting to access it via recovery adb shell. Have any ideas before I whip out the JTAG interface?

  14. Hi Anthony,

    have you tried to mount these partitions manually?

    Best regards,
    Michael

  15. Dear Is there anyone who can help me ….
    My Phone Model is “Micromax Canvas A114 2.2 HD”

    The condition is
    a) The Phone is password protected.
    b) USB Debugging not enabled
    c) The phone is not rooted.
    d) Gmail ID & Password is altered.
    e) The connection with PC is in “Charge Mode Only”.

    Is there any way that I can get the access to
    1) take the complete backup of Phone Memory.
    2) or, to remotely enable USB Debugging through some secret codes or something.
    3) or, to root the device in the above mentioned conditions.
    4) or, to unlock the device without memory erasing or hard reset.

    Please help….

    Rajeev Singh

  16. Yes,
    Switch off the Mobile and while Switching on the mobile again
    we need to press Volume- & Power button for some time and it will give us three options
    > Recovery Mode
    > Fastboot Mode
    > Normal Mode

  17. Dear Is there anyone who can help me ….
    My Phone Model is “samsung galaxy star advance”

    The condition is
    a) The Phone is password protected.
    b) USB Debugging not enabled
    c) The phone is not rooted.
    d) Gmail ID & Password is altered.
    e) The connection with PC is in “Charge Mode Only”.

    Is there any way that I can get the access to
    1) take the complete backup of Phone Memory.
    2) or, to remotely enable USB Debugging through some secret codes or something.
    3) or, to root the device in the above mentioned conditions.
    4) or, to unlock the device without memory erasing or hard reset.

    Please help….razu

  18. please check if the data partition is mounted through the recovery image. In most cases the partitions are not mounted by default.

  19. try to reboot into ODIN-mode and flash a custom recovery through odin on your desktop PC. Then boot into recovery, from there you can gain access to your data partition and do a full backup of the device if it wasn’t encrypted before.

  20. Hello Michael

    Does this also work with the new Android version 4.4.2 (Samsung Galaxy S5)???
    The phone is rooted, but I don’t know if debugging is on.
    What should I install on my PC (Windows 7 64-bit) for connecting the phone and accessing the phone databases/files?
    I need to find out the Screenlock PIN (not change the PIN, not disable the PIN, not factory reset)
    Do I need to install some SQL program on my Windows computer?

    Many thanks in advance.

  21. Hi everybody
    Do I have chance to find the PIN if the Samsung Galaxy S5 is rooted but USB debugging not enabled?

    Many thanks in advance.
    Lili
    Which method can I use?

  22. Hi Mary, you have to install the Android SDK and then check whether debugging is enabled by executing the following command: adb devices.

  23. Hi Lili, try to reboot into ODIN-mode and flash a custom recovery (e.g., Clockworkmod Recovery) through odin on your desktop PC. Then boot into recovery, from there you can gain access to your data partition and the mentioned databases if the phone wasn’t encrypted before.

  24. Thank you very much.
    What does …”if the phone wasn’t encrypted before” mean?
    The phone was rooted with G900F_NG2_Ker_W0lfDroid.tar.md5 and G900F_ROOT_Ker_W0lfDroid.tar.md5
    Then SU was installed, and then some software which got SU rights and then hid SU, with a message that if SU is hidden, no other software can get superuser rights.
    So I have no idea if it was encrypted or not. But USB debugging is definitely off.
    I need to remove or bypass or find out the PIN of this phone.
    If I start in recovery mode (Volume up, home, power) I see some options: apply update from ADB, apply update from external storage, wipe data, wipe cache, apply update from cache.
    I have tried aroma file manager, but no success. An error comes with a message, something about wrong signature.

    What is Clockworkmod Recovery? Can I maybe brick the phone or delete all data with this?
    Does it work specifically for the Samsung Galaxy S5?

    Many thanks for your answer in advance.

    Lili

  25. if you have root access. you simply just need to move the password.key file or the gesture.key file from the location above. My instance was a 2nd user on my tablet. once the files were removed access was granted.

  26. Hi everybody, my situation is pretty similar to one above

    – stock android 4.1.2 non rooted
    – no USB debugging
    – password protected lockscreen
    – No Gmail ID or Pass

    • Access to recovery fastboot Factory Wipe menu through Volume up + PWR Button
    • Allows me to install packages (zip) via ADB Sideload, Memory Card or Cache (tried a few but it displays an error and reboots in a microsecond).
    • Allows to full backup the phone and restore from backup

    I did a full phone backup and outputs a *.backup file

    is there a way that I can get into that backup to retrieve data including “password.key”

    Cannot find anything about android’s *.backup files (open with/reader/extractor/browser)

    Thanks

    A.

  27. Isn’t it possible just to delete password.key file and just bypass the lockscreen
