+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Huawei Safebox (/thread-9885.html)
Pages:
1
2
Huawei Safebox - dekao - 02-17-2021
Hello guys, does anyone know what hash type are used in the Huawei Safebox function on Android Huawei devices?
Is it the 4711 (Huawei sha1(md5($pass).$salt)) can anyione tell?
The datebase msb.db holds the hash safe.
Best
RE: Huawei Safebox - buka - 09-20-2024
(02-17-2021, 08:12 AM)dekao Wrote: Hello guys, does anyone know what hash type are used in the Huawei Safebox function on Android Huawei devices?
Is it the 4711 (Huawei sha1(md5($pass).$salt)) can anyione tell?
The datebase msb.db holds the hash safe.
Best
They rolled up their own encryption scheme for this. I recently recovered two passwords from two "Safes" from an old Huawei Honor 6X after much reverse engineering.
RE: Huawei Safebox - Bielecki - 07-28-2025
(09-20-2024, 04:57 PM)buka Wrote: I recently recovered two passwords from two "Safes" from an old Huawei Honor 6X after much reverse engineering.
Hi, would you mind sharing your experience?
I have a backup of the safe with a lost password from a Huawei P10 Lite. I still have the device, but it has been already factory reset - still recognises the safe though. I've pulled the apk, decompiled it and found some clues about db structure and encryption methods, but as I'm more of a sysadmin than a programmer, I've got pretty stuck while applying that knowledge to hashcat.
Thanks in advance
RE: Huawei Safebox - buka - 08-23-2025
(07-28-2025, 06:52 PM)Bielecki Wrote:It has nothing to do with hashcat. Hashcat doesn't support this. What's your DB structure? Did you get msb.db at all?(09-20-2024, 04:57 PM)buka Wrote: I recently recovered two passwords from two "Safes" from an old Huawei Honor 6X after much reverse engineering.
Hi, would you mind sharing your experience?
I have a backup of the safe with a lost password from a Huawei P10 Lite. I still have the device, but it has been already factory reset - still recognises the safe though. I've pulled the apk, decompiled it and found some clues about db structure and encryption methods, but as I'm more of a sysadmin than a programmer, I've got pretty stuck while applying that knowledge to hashcat.
Thanks in advance
RE: Huawei Safebox - Bielecki - 08-25-2025
(08-23-2025, 09:39 AM)buka Wrote:(07-28-2025, 06:52 PM)Bielecki Wrote:It has nothing to do with hashcat. Hashcat doesn't support this. What's your DB structure? Did you get msb.db at all?(09-20-2024, 04:57 PM)buka Wrote: I recently recovered two passwords from two "Safes" from an old Huawei Honor 6X after much reverse engineering.
Hi, would you mind sharing your experience?
I have a backup of the safe with a lost password from a Huawei P10 Lite. I still have the device, but it has been already factory reset - still recognises the safe though. I've pulled the apk, decompiled it and found some clues about db structure and encryption methods, but as I'm more of a sysadmin than a programmer, I've got pretty stuck while applying that knowledge to hashcat.
Thanks in advance
Yes, I have a full safebox, including files and msb.db. DB structure goes like this (column,comment (mine)):
Code:
_id,MyInfo
wt,workType
wf1,workInfo1
wf2,workInfo2
wf3,workInfo3
qd,qtId First question ID (100 if custom)
st,salt (?)
ct,createTime
cp,createrType
cd,createrId
op,originPos (?)
al,Safe name (alias)
ut,userId
cq,First question in cleartext (null if not custom)
awt,?
es1,encryptSalt1
es2,encryptSalt2
qd2,qtId2 Second question ID (100 if custom)
cq2,Second question in cleartext (null if not custom)
qt,qt (?)RE: Huawei Safebox - buka - 08-26-2025
Okay. So, I found that only these four fields participated in hashing the password: workInfo1, workInfo2, salt, and encryptSalt1.
SELECT wf1, wf2, st, es1 FROM mf;
Do you know whether your password was human-generated or random?
RE: Huawei Safebox - buka - 08-26-2025
If you create a new safe with a known password and give me those values, I'll be able to verify whether my method works for your phone or not.
RE: Huawei Safebox - Bielecki - 09-04-2025
(08-26-2025, 02:23 AM)buka Wrote: Okay. So, I found that only these four fields participated in hashing the password: workInfo1, workInfo2, salt, and encryptSalt1.
SELECT wf1, wf2, st, es1 FROM mf;
Do you know whether your password was human-generated or random?
Unfortunately I don't remember.
I have created a safe, the password is "hashcat1", this is my DB:
Code:
wf1|0874e1b1508ee50b30e0a0ca2b8a1c70665d9a6248790cc6
wf2|7924e4c2a0637af4d8269f15d096f0b32d16c33be14dae67afaaae5ede71809d28aa6df5f4912ddd5c710e5c1857bf2d
st|9b13ae95829b2b6832177ee55deba59737ecc51bdfc44392ae35281b401468fe
es1|a92c2d93815090e60cd83c1c9ff54f4b2fb44f363cb00a3efd61789b16f6a754aeb0989c9e8b468c4ad6dd1ba74bc4f184dcdb2b9e5281b314bebc063fbe8d80a3f0f12ce91839c7b1762df1404e6794RE: Huawei Safebox - buka - 09-05-2025
(09-04-2025, 11:43 PM)Bielecki Wrote: I have created a safe, the password is "hashcat1", this is my DB:
Code:wf1|0874e1b1508ee50b30e0a0ca2b8a1c70665d9a6248790cc6
wf2|7924e4c2a0637af4d8269f15d096f0b32d16c33be14dae67afaaae5ede71809d28aa6df5f4912ddd5c710e5c1857bf2d
st|9b13ae95829b2b6832177ee55deba59737ecc51bdfc44392ae35281b401468fe
es1|a92c2d93815090e60cd83c1c9ff54f4b2fb44f363cb00a3efd61789b16f6a754aeb0989c9e8b468c4ad6dd1ba74bc4f184dcdb2b9e5281b314bebc063fbe8d80a3f0f12ce91839c7b1762df1404e6794
Okay, it works. I'll prepare and post a Hashcat plugin soon, so you'll be able to try any attacks Hashcat supports.
RE: Huawei Safebox - buka - 09-05-2025
You can download the plugin here: https://mega.nz/file/dhtSXCCT#ak33hjPPBySLmOqKPCwasOA7ne6BysbrvM0I8XbKa9Q
The generic mode (-m 74000) is new, so you also need a beta version of Hashcat. Download it here:
https://hashcat.net/beta/
Prepare your hash like this: join the wf1, wf2, st, es1 values (in this order) using '*' as a separator:
Code:
0874e1b1508ee50b30e0a0ca2b8a1c70665d9a6248790cc6*7924e4c2a0637af4d8269f15d096f0b32d16c33be14dae67afaaae5ede71809d28aa6df5f4912ddd5c710e5c1857bf2d*9b13ae95829b2b6832177ee55deba59737ecc51bdfc44392ae35281b401468fe*a92c2d93815090e60cd83c1c9ff54f4b2fb44f363cb00a3efd61789b16f6a754aeb0989c9e8b468c4ad6dd1ba74bc4f184dcdb2b9e5281b314bebc063fbe8d80a3f0f12ce91839c7b1762df1404e6794An example attack (use safebox.dll instead of safebox.so if you're on Windows):
Code:
$ ./hashcat -m 74000 safebox.hash --bridge-parameter1 /path/to/safebox.so -a 3 hash?l?l?l?d
hashcat (v7.1.2-73-gb2d231a2c) starting
Assimilation Bridge
===================
* Unit #01 -> #04: Rust [safebox.so]
CUDA API (CUDA 12.9)
====================
* Device #01 -> #04: NVIDIA GeForce RTX 3050, 7336/7831 MB, 20MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 513 MB (22419 MB free)
0874e1b1508ee50b30e0a0ca2b8a1c70665d9a6248790cc6*7924e4c2a0637af4d8269f15d096f0b32d16c33be14dae67afaaae5ede71809d28aa6df5f4912ddd5c710e5c1857bf2d*9b13ae95829b2b6832177ee55deba59737ecc51bdfc44392ae35281b401468fe*a92c2d93815090e60cd83c1c9ff54f4b2fb44f363cb00a3efd61789b16f6a754aeb0989c9e8b468c4ad6dd1ba74bc4f184dcdb2b9e5281b314bebc063fbe8d80a3f0f12ce91839c7b1762df1404e6794:hashcat1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 74000 (Generic Hash [Bridged: Rust])