
10/6/2017 How to Bypass PIN and Password Locks in Android?

- InfoSec Addicts


How to Bypass PIN and Password Locks in Android?
By hsamanoudy - July 26, 2017

What do I need to know?

Santoku Linux:

https://infosecaddicts.com/bypass-pin-password-locks-android/ 1/7

First, let’s go into more detail about Santoku Linux. It is an open source platform used for mobile forensics. Santoku Linux can also be used for analyzing and securing mobile devices.

It is built on a bootable Linux environment in which it is easy to work with various tools. Software development kits (SDKs) are configured in this environment. Drivers and utilities are also pre-installed in the operating system. In addition, the operating system supports graphical user interfaces (GUIs) to give the user a friendly experience. Any newly connected mobile devices are automatically recognized and set up.

Data can be collected and analyzed through several methods. Santoku Linux includes firmware flashing tools for multiple manufacturers. Free versions of some commercial forensics tools are offered as well. Plenty of valuable scripts and utilities designed for mobile forensics are also included.

Mobile malware can be examined through mobile device emulators. Moreover, dynamic analysis can be achieved by simulating network services with several utilities provided for this purpose. Databases of such malware can be accessed through Santoku’s different utilities.

Mobile applications can be tested and assessed for their security with tools that perform disassembly or decompilation. Common issues in a mobile application can be discovered by certain scripts. Different scripts are able to decrypt binaries, deploy apps, and enumerate app details.

Types of screen locks:

There are several screen lock types available on an Android device. Five main categories exist:


1. None: there is no screen lock on the device.
2. Slide: the device is unlocked simply by moving the slider.
3. Pattern: the device is unlocked by connecting the dots to form the right pattern.
4. PIN: the device is unlocked by entering the correct number.
5. Password: the device is unlocked by entering the correct characters forming the password.

How to set up a PIN/Password lock?

The following are the steps for setting up a PIN on an Android emulator. For a password, the steps are pretty similar.


1. On the created Android emulator, open “Settings” first. From there go into “Security”, where the option of “screen lock” has to be chosen.
2. A PIN is created by choosing “PIN” instead of “Pattern”.
3. Choose the new PIN and type it.
4. Confirm the PIN by entering the same PIN again.
5. Press “OK” and leave the wizard using the back button on the emulator.
6. Press the power key of the emulator to lock the device.

How to get a password/PIN lock bypassed using adb?


1. Log in to the emulator as root.
2. Make sure that USB debugging is enabled on a real device before starting the process.
3. We need to get two files named “password.key” and “locksettings.db” and work with them in order to crack the password or the PIN code.
4. The hashed password is located in “/data/system”, and the file in which the hash is stored is called “password.key”.
5. In the same location, “/data/system”, there is another file named “locksettings.db”, where a randomly generated salt is stored. Both the hash and the salt have to be used when attempting the brute-force cracking method against the PIN code.
6. First, we need to pull the two files onto the local machine. This takes three main steps:
a. Change the working directory to /data/system on the emulator, where the two files are located:

/data/system/password.key

/data/system/locksettings.db

b. Copy the two files onto the SD card using the following commands:

# cp /data/system/password.key /mnt/sdcard/

# cp /data/system/locksettings.db /mnt/sdcard/

c. Pull the files from the SD card onto the local machine using the following commands:

$ adb pull /mnt/sdcard/password.key

$ adb pull /mnt/sdcard/locksettings.db

7. Let’s have a look at the hash stored in the file “password.key”. This is done with the following command:

“cat password.key”

8. The file “locksettings.db” can be opened as well, but with another command, since it is in SQLite database format. The command for this is as follows:


“sqlite3 locksettings.db”

The salt is obtained this way.

9. “locksettings” is the table that contains the salt. This table is queried from the database with the following command:

“select * from locksettings;”

10. Inside this table, the entry named “lockscreen.password_salt” is the one that holds the salt.

12|lockscreen.password_salt|0|6305598215633793568

11. Now that we have the hash and the salt, we can make use of a Santoku tool. It is called “recover-android-pin.zip”.

12. This compressed folder can be found in the following location:

“~/Desktop/files/screenlock bypass/Password&Pin/”

13. Now change the current directory to that directory and uncompress the folder with the “unzip” utility available in Santoku.

ls -l recover-android-pin.zip

14. Inside it, there is a Python script which cracks the password using the brute-force method. The following command runs it:

“python BruteForceAndroidPin.py”

After that, type the hash, then the salt which we extracted, and finally the maximum length of a user PIN.

15. The PIN should now be displayed on the screen.
16. One last note is that this process may take some time depending on how complex the used PIN actually is.
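
Steps 8 to 10 read the salt by hand in the sqlite3 shell; the same lookup can be scripted so an examiner records it the same way for every user profile on the device. This is an added example, not code from the article or from Santoku: the sample database is constructed in memory (its salt row is the one shown in step 10), and the `_id`/`name`/`user`/`value` column names, the `lockscreen.password_type` row and its quality constants are taken from the Android source rather than from this page.

```python
import sqlite3

# DevicePolicyManager password-quality constants as stored in
# lockscreen.password_type (from the Android SDK, not from the article).
# Only the common values are listed; anything else is reported as "unknown".
QUALITY = {0x10000: "pattern", 0x20000: "PIN",
           0x40000: "password", 0x50000: "password"}

def build_sample_db():
    """Constructed stand-in for a pulled locksettings.db (in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE locksettings (_id INTEGER PRIMARY KEY,"
               " name TEXT, user INTEGER, value TEXT)")
    db.executemany("INSERT INTO locksettings VALUES (?,?,?,?)", [
        (11, "lockscreen.password_type", 0, "131072"),               # constructed
        (12, "lockscreen.password_salt", 0, "6305598215633793568"),  # row from step 10
        (13, "lockscreen.password_salt", 10, "-1"),                  # constructed: second user
    ])
    return db

def salt_to_hex(salt):
    """Render a signed 64-bit salt as unsigned hex (two's complement)."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")

def read_lock_settings(db, user=0):
    """Return the lock type and salt recorded for one Android user."""
    has_table = db.execute("SELECT 1 FROM sqlite_master WHERE type='table'"
                           " AND name='locksettings'").fetchone()
    if not has_table:
        raise ValueError("not a locksettings database")
    rows = dict(db.execute("SELECT name, value FROM locksettings"
                           " WHERE user = ? AND name LIKE 'lockscreen.%'",
                           (user,)))
    if "lockscreen.password_salt" not in rows:
        raise LookupError(f"no salt stored for user {user}")
    salt = int(rows["lockscreen.password_salt"])
    quality = int(rows.get("lockscreen.password_type", 0))
    return {"user": user, "salt": salt, "salt_hex": salt_to_hex(salt),
            "lock_type": QUALITY.get(quality, "unknown")}

if __name__ == "__main__":
    sample = build_sample_db()
    for uid in (0, 10):
        print(read_lock_settings(sample, uid))
```

For a real pulled file, replace `build_sample_db()` with `sqlite3.connect("file:locksettings.db?mode=ro", uri=True)` so the evidence copy is opened read-only.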
