Breaking Samsung Android Passwords/PIN
Try again with salt converted to lower-case hex.
(04-04-2013, 12:28 PM)blazer Wrote:
(04-04-2013, 12:22 PM)gat3way Wrote: Hm, how do you practically extract that? I am trying to extract it from Samsung Galaxy S3. Of course /data/data and /data/system are not readable by the adb user and it would require to root the phone. But then we have one problem: even if USB debugging is enabled, you can't connect to the phone while locked to upload the new image. Another problem is that you might be required to unlock the bootloader (haven't done that so not 100% sure) which according to what I read will erase user data including the hashes.

Please correct me if I am wrong.

It is possible to root without unlocking boot loader therefore you won't lose any data, works on unpatched samsung devices see the Exynos Kernel Exploit linked below

another method Smartphone

You could possibly craft an APK which obviously will require root privileges allowing you to grab the data. Won't exactly be 'undetected' if the user already has a rooted phone, if the phone can be exploited then you could probably make it undetectable.
I think that might work in the event that you have the telephone opened (in the feeling of PIN effectively entered and not identified with bootloader). Still on the off chance that it is bolted, you shouldn't have the capacity to transfer anything by means of adb. I figure one probability might be to introduce a pin open applications (which don't oblige root) regardless reboot, that might oblige the google play record and the telephone being joined with the web around then. In any case yes, that bodes well for PIN recuperation - then you can root the telephone and move ahead.
how to covert easily password salt to lowercase hex
i want to convert -5526519674132311473
There are many ways to do it. Using your shell:
$ printf "%016x\n" -5526519674132311473
Very insightful stuff, thanks.

Just to clarify, is this algorithm only applied for samsung phones (as the subject would imply)?

or does it apply to all android phones?

thanks for the manual, but it didn't work for me. I tried to crack


which turned out to be "kingkalle". I used the mask ?l?l?l?l?l?l?l?l?l knowing that the pw has 9 lower case letters. I used hash 5800 (android pin) as 10 and Sha 1 and Sha 512. None of them worked.

Any ideas?
All formats (also -m 5800) are explained here:

For -m 5800 for instance it is important that the hash (and most importantly the salt) is in lower-case (yes, it is currently case-sensitive, but could possibly be changed for -m 5800).

so hashConfusedalt (everything in lowercase) should be used instead of HASH:SALT
Thanks a lot! Solved the problem. Sorry for being so foolish :-)
Hi. I have a problem decoding my phone's pin.

The pin is: 4870
My device is LG G2 (D802) and Android version is Stock 5.0.2.

As being said in the topic:
Location of password.key is: /data/system/password.key
The file contained this hash: 7baad69b719fe341bfb23b500abd1bf6730702453556ba277abc4b98422e97b18b3f34b1

Location of SQLite database containing Hash salt is: data/system/locksettings.db -> locksettings/lockscreen.password_salt
The salt was: -1615050273476347751

So, using first 40 bytes of hash (the sha1 part): 7baad69b719fe341bfb23b500abd1bf673070245

and Hexing the signed salt integer gives me: e99630554b0b7899

so hashConfusedalt is: 7baad69b719fe341bfb23b500abd1bf673070245:e99630554b0b7899

I saved above in a text file called "sha1-salt.txt".

Also /data/system/device_policies.xml indicated:
<active-password quality="196608" length="4" uppercase="0" lowercase="0" letters="0" numeric="4" symbols="0" nonletter="4" />

Using Hashcat Win v0.49, i executed:
hashcat-cli64.exe -a 3 -m 5800 sha1-salt.txt ?d?d?d?d

and it couldnt decrypt it.

Am I doing anything wrong?
AFAIK Android 5.x uses a different scheme, therefore it will not work