Android hash to gesture

Отказ от ответсвенности: этот мануал предоставлен только для ознакомительных целей, вы не должны использовать эту возможность на чужих телефонах без разрешения владельца ни при каких обстоятельствах. Ни автор, ни переводчик не отвечают за различные случаи применения этого хака.

От переводчика (автора темы): не знаю, может эти способы уже обсуждались на форуме, но поиском ничего не нашел, поэтому решил выложить, так как часто встречаются проблемы с экраном блокировки.

Не так давно я у меня была проблема с девайсом на андроиде, который был заблокирован с помощью графического ключа и мне удалось разблокировать его через adb. Это мануал по тому, как вам справиться с этим, если когда-нибудь и вы столкнетесь с этой проблемой.

На устройстве необходимо чтобы было включен usb debugging, если он не включен, но у вас имеется cwm, вы можете выполнить теже инструкции через cwm, рут не обязателен (хотя лучше если устройство будет рутовано).

Этот методы был протестирован на Gingerbread, Ice Cream Sandwich и Jelly Bean.

Обо способа работают через adb.

Вы можете попробовать оба способа, вот пример того, как я действовал, чтобы удалить блокировку:

Воспользовался способом 1.
Перезагрузился.
Воспользовался способом 2.
Перезагрузился.

Если после второй перезагрузки изменений не произошло, тогда попробуйте:

И снова перезагрузиться.

Примечания:

В первом способе каждая строка это различная команда, так что нажимайте Enter после набора каждой строки.
Во втором способе наберите полностью команду, затем нажмите Enter.
После применения обох способов и перезагрузки вы можете увидеть экран блокировки, но это не значит, что он работает, просто попробуйте ввести любой ключ и он разблокируется, затем удалите экран блокировки в настройках.
Эти спобобы могут работать, а могут не работать на различных устройствах, так что все что вы можете это попытаться, но я не гарантирую работу.

P.S. я (автор темы), не являюсь автором мануала, я просто привел на 4pda вольный перевод этой инструкции: http://forum.xda-developers.com/showthread.php?t=1800799

Сообщение отредактировал vaalf — 16.01.17, 19:37

Источник

Android hash to gesture

Этот методы был протестирован на Gingerbread, Ice Cream Sandwich и Jelly Bean.

Обо способа работают через adb.

Вы можете попробовать оба способа, вот пример того, как я действовал, чтобы удалить блокировку:

Воспользовался способом 1.
Перезагрузился.
Воспользовался способом 2.
Перезагрузился.

Если после второй перезагрузки изменений не произошло, тогда попробуйте:

И снова перезагрузиться.

Примечания:

В первом способе каждая строка это различная команда, так что нажимайте Enter после набора каждой строки.
Во втором способе наберите полностью команду, затем нажмите Enter.
После применения обох способов и перезагрузки вы можете увидеть экран блокировки, но это не значит, что он работает, просто попробуйте ввести любой ключ и он разблокируется, затем удалите экран блокировки в настройках.
Эти спобобы могут работать, а могут не работать на различных устройствах, так что все что вы можете это попытаться, но я не гарантирую работу.

Сообщение отредактировал vaalf — 16.01.17, 19:37

Источник

Anthony’s Musings

How to crack android lockscreen passwords

So, you want to crack an android lockscreen password? Perhaps you locked yourself out and just want your password reset or maybe you’re trying to snoop. Whatever the case may be, the methods I’m listing are for educational purposes only! So don’t blame me if you do something dumb, break the device, or get in trouble. Anyways, you’ll need physical access to the device. I’m not going over network-related methods because (1) that would take forever and (2) I don’t trust you with such occult knowledge.

Alright, so some of these methods require sqlite3. Many devices have this program already, but some do not. If you need it, then you can download an installer app from the market or you can pull it from the android emulator via adb pull /system/xbin/sqlite3 , mount the system partition on the device as read/write via mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system , and then push sqlite3 onto the device via adb push sqlite3 /system/xbin/ . Alternatively, database files can be pulled and then inspected with SQLite Database Browser or a hex editor.

Hash Crack Method (Pins and Passwords)

The file password.key contains SHA1 (20 bytes) and MD5 (16 bytes) salted hashsums of the password concatenated together in their hexadecimal representation. The salt is a 64-bit integer obtained from the settings.db SQL database file. With these pieces of information, the password can be attacked with a dictionary or brute forced.

Alternatively, this data can be accessed via the JTAG interface inside your phone (you have to physically open the phone through the battery compartment). If you do this, there are a few key things to remember:

The dump of the memory is broken into chunks of 2048 bytes.
The password.key file is 36 bytes long.
- SHA1 is 20 bytes.
- MD5 is 16 bytes.
The following 1960 bytes of the chunk are zero.
The remaining 16 bytes are random.

The salt can be fonud via the JTAG interface by looking for the string lockscreen.password_salt. There are a few key points to keep in mind here also:

The byte in front of the string must be between 0x0F and 0x35. This represents the length of the salt, which will be between 1 and 20 bytes.
In front of this byte, there must be 0x3D. This indicates a serial type representing a string with a length of 24. (this is the lockscreen.password_salt we searched).
In front of this byte must be a null byte.
The salt is directly after the string and ends according to its length.

Information on password handling obtained from LockPatternUtils.java at line 771.

Gesture Hash Crack Method (Patterns only)

In the LockPatternUtils.java class, we can see on line 624 that the pattern is stored as a SHA-1 hashsum of the pattern according to the following 3 by 3 matrix:

The hashsum is stored in the /data/system/gesture.key file. Since no two points can be used twice, the minimum number of points is 4, and the max is 9; we can generate a dictionary from 0123 to 876543210 and then match the key in our dictionary. If we had an SQL dictionary, then we might run the query: select * from RainbowTable where hash=»*hash*» . Where hash is the hashsum found in gesture.key. Additionally, we can generate our own SHA-1 and use our own pattern.

Slide Switch Method

This vulnerability was found in ChooseGenericLock.java and has been fixed in Android 4.4 (KitKat). This class allows the user to change the lock mechanism. By setting the defaults of confirm_credentials to false, we control the flow to updatePreferencesOrFinish() and IF a password type is specified, the code continues to updateUnlockMethodAndFinish() and IF the password is of type PASSWORD_QUALITY_UNSPECIFIED, the method gets executed.

Key Removal Method

Now reboot and unlock the device using any arbitrary pattern, pin, or password.

Key Removal via Recovery Method

Download Pattern-Password-disable.zip (may need to rename to update.zip).
Put the zip file onto your SD card and put the SD card into your phone.
Boot into recovery mode and flash the zip file.
Reboot, done.

The structure of the zip file is as follows:

The busybox binary and source can be found at busybox.net. It provides several stripped down Unix tools in a single binary file. The update-binary file is created when we sign our archive (as are the certificate files), it parses the updater-script (which is written in Edify script). Let’s have a look at the two remaining files which are scripts:

Once you create these scripts and compile or download busybox then place them in their appropriate directories, create the update zip package and sign it. Essentially, this method is the same as the key removal method when you can’t access an adb shell. Similar techniques can be applied to other methods.

Key Removal via Aroma File Manager

Download Aroma File Manager and put it in your SD card.
Boot into recovery and mount everything.
Apply update from the Aroma File Manager zip package.

Once the file manager has been opened, go into Menu > Settings and select “mount all partition in startup” located at the bottom. Exit the file manager, reflash it, and delete any .key files in /data/system. Exit the file manager, reboot, and use an arbitrary password.

SQL Method

Patterns :

Pins :

Passwords :

Now reboot and unlock device using an arbitrary pattern, pin, or password.

Google It Method

This enables WiFi so you can enter your credentials via Google. Not much of a crack, but useful if you only know your Google password. Note that you must have a WiFi profile already on the device. If there is no such profile, you will not connect.

SMS Bypass Method

This method requires that your phone is rooted and you’ve set this up beforehand. This will not work for a phone that is currently locked out. Download the SMS bypass application and then set your secret code.

If your secret code is “1234” (which is the default), then you’d change your password by sending an SMS (from another phone or an email via an SMS gateway) to your phone that says “reset 1234”. Your phone will reboot and you can use an arbitrary password.

Smudge Attack

This is a method to discern password patterns on touchscreen devices by relying on the oily smudges left behind by the user’s fingers. It was developed at the University of Pennsylvania by Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. Using the proper camera, lighting conditions, and image processing software, the researchers broke passwords 68% of the time.

Face Attack

For users that use facial recognition, this can be unlocked simply by downloading a clear picture of the users face from social media like Facebook or by capturing a picture of the user by means of social engineering. Additionally, you could simply crack the PIN fallback when the face isn’t recognized.

Firmware Update

If, for whatever reason, none of the above methods work for you, simply update the firmware of the device. This can be done via recovery or JTAG. But if you’re going to interface via JTAG, then you could probably come up with something more clever than a firmware update. Usually, the manufacturer has a proprietary tool, which works through recovery mode, and firmware images which are used to update the device to the stock ROM. Note that your data may be erased depending on the nature of the update (usually it is).

Источник

danzek / bruteforcegesture.py

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters

#!/usr/bin/env python

«»»Cracks a gesture.key file (Android pattern lock), reverse-engineers the Android method of creating an unsalted SHA1

hash value from the 3-9 digit pattern code (each digit consisting of 9 possible values: 0-8).

Note that Android > v2.33 requires minimum of four values, but three makes this work for old ones too.

The original Android source code for pattern locks:

* Generate an SHA-1 hash for the pattern. Not the most secure, but it is

* at least a second level of protection. First level is that the file

* is in a location only readable by the system process.

* @param pattern the gesture pattern.

* @return the hash of the pattern in a byte array.

private static byte[] patternToHash(List pattern) <

if (pattern == null) <

return null;

final int patternSize = pattern.size();

byte[] res = new byte[patternSize];

for (int i = 0; i

LockPatternView.Cell cell = pattern.get(i);

res[i] = (byte) (cell.getRow() * 3 + cell.getColumn());

try <

MessageDigest md = MessageDigest.getInstance(«SHA-1»);

byte[] hash = md.digest(res);

return hash;

> catch (NoSuchAlgorithmException nsa) <

return res;

Credit must be given to Michael Spreitzenbarth’s helpful blog post:

http://forensics.spreitzenbarth.de/2012/02/28/cracking-the-pattern-lock-on-android/

THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE

WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR

OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

«»»

import binascii

import hashlib

import itertools

import os

import sys

__author__ = «Dan O’Day»

__credits__ = [ «Michael Spreitzenbarth» , «Chema Garcia» , «Kieron Craggs» ]

__version__ = «0.1»

__maintainer__ = «Dan O’Day»

__email__ = «d@4n68r.com»

__status__ = «Prototype»

def brute_force_gesture_key_file ( gestureSHA1 ):

«»»

Brute forces possible permutations of gesture.key file until one of them matches the supplied SHA1 hash sum.

:param sha1sum: SHA1 hash sum value from gesture.key file

:return: numeric permutation that matches the supplied SHA1 hash sum or null value (None) if not found

«»»

for i in range ( 3 , 10 ): # pattern length between 3-9 digits

print ‘checking patterns with length %d. ‘ % i

perms = itertools . permutations ([ 0 , 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 ], i )

for combo in perms :

pattern = » . join ( str ( v ) for v in combo )

key = binascii . unhexlify ( » . join ( ‘%02x’ % int ( c ) for c in pattern ))

sha1 = hashlib . sha1 ( key ). hexdigest ()

if sha1 == gestureSHA1 : # eureka! we found it!

return pattern

return None # fail

def main ():

fn = sys . argv [ 1 ]

if not fn and not os . path . isfile ( fn ):

print ‘usage: bruteforcegesture.py gesture.key [more gesture.key files]’

sys . exit ( 1 )

with open ( fn , ‘rb’ ) as f :

gestureSHA1 = f . read ( hashlib . sha1 (). digest_size ). encode ( ‘hex’ )

if len ( gestureSHA1 ) / 2 != hashlib . sha1 (). digest_size :

print ‘invalid gesture.key file’

sys . exit ( 1 )

cracked_pattern = brute_force_gesture_key_file ( gestureSHA1 )

if cracked_pattern :

print ‘pattern found:’ , cracked_pattern

else :

print ‘pattern not found’

if __name__ == ‘__main__’ :

main ()

You can’t perform that action at this time.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.

Источник