[Hack] remove a lockscreen pin via adb with sqlite3 - Android Software/Hacking General [Developers Only]

There are a couple of other ways posted for folks who have forgotten their lockscreen password or pattern, but this method REMOVES the PIN. For pattern and password, follow other methods.
This method requires root access and debugging enabled.
*if debugging is not enabled it can be done from any custom recovery
-reboot recovery and follow code
PIN
Code:
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=65536 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot
step one
Code:
adb shell
make sure you have # in the command prompt/terminal (if not type su)
step two
Code:
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
you will now see sqlite> in command prompt/terminal
step 4
Code:
update secure set value=65536 where name='lockscreen.password_type';
still sqlite>
step 5
Code:
.exit
you will see the # again
step 6
Code:
exit
you will now be in the path/to/adb command prompt/terminal again
step 7
Code:
adb reboot
Enjoy full access to the device
Now lets say you think your wife is cheating on you (which she probably is) and you want to check her sext messages but return the PIN back when you are done.
Code:
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=131072 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot

I find this a bit scary, how would you normally prevent ADB or Recovery hacking like this if your device gets stolen?

BrotherG said:
I find this a bit scary, how would you normally prevent ADB or Recovery hacking like this if your device gets stolen?
I recommend Avast Anti Theft.
When your device gets stolen, the new owner will take the sim card out and put his in huh?
Well, anti theft sends a pre-entered number a warning that an other SIM is in it. Via sms commands, you can turn GPS on, send the location, block root and stuff.
It wont be deleted as it is a system app
I use it.
Thanks for the job, needed this for hacking my bros phone xD
Greets!

hahaha. .... these Feds could have used this method. They couldn't get past the lockscreen. Great read here.
How a Pimp’s Android Pattern Lock Foiled the Feds
http://gizmodo.com/5893410/how-a-pimps-android-pattern-lock-foiled-the-feds

Looks like CyanogenMod is working on securing ADB
Security and You
March 16th, 2012
jeagoss
Many of you may not give it a second glance, but among all the furor and concern about permissions requested by market apps and privacy, all Custom ROMs (CyanogenMod included) ship with one major security risk — root!
We have been struggling with how to handle this for quite a bit, and took a first step with the first public CyanogenMod 9 alpha builds, by disabling the previously-default root access over USB. You can still get adb root access by running “adb root” in terminal, should you ever need it.
We recently merged 3 patches into CyanogenMod 9, to further address this: http://goo.gl/eCjDV http://goo.gl/oWAFI and http://goo.gl/34vai.
What follows is an explanation of the changes, how they affect you and our reasoning behind them.
What do the patches do?
They disable root selectively and in a configurable way. Users will be able to configure their exposure to root as:
Disabled
Enabled for ADB only
Enabled for Apps only
Enabled for both
How does this change affect the usage of your device, and root apps you have installed?
On a default CyanogenMod installation, root usage will have to be explicitly enabled by the user. This means that the user is fully aware that any application that uses root may perform actions that could compromise security, stability and data integrity. Once enabled, the process mirrors that of the current process, apps that request root will be flagged by the SuperUser.apk and the user will have to grant selective access.
Why the change?
At CyanogenMod, security has always been one of our primary concerns, however, we were hesitant to make a change that might disrupt the current root ecosystem. With CyanogenMod 9 we have the opportunity to do things better, whether it's the code in the OS, UI/UX, or security – we are taking this time to do things with a fresh approach.
Shipping root enabled by default to 1,000,000+ devices was a gaping hole. With these changes we believe we have reached a compromise that allows enthusiasts to keep using root if they so desire but also provide a good level of security to the majority of users.
What concerns remain?
Many of you reading this are savvy enough to note a remaining hole in this approach – recovery and unlocked bootloaders. The bootloaders are out of our hands, there is little to nothing we can do on that front.
Regarding recovery – with unlocked bootloaders, a malicious user could just flash a new recovery image (without any potential security we could apply) or just dump the data partition. This however, requires physical access to the device. As such, the security standards for this are highly reliant on you, the device owner. Data encryption is available in ICS to safeguard your data. (Warning for emmc only users – encrypted /data means recovery will be non-functional.)
The onus is on you to secure your device; take care of your possessions, and this risk is minimal. Always make sure you take devices out of your car before you go into the mall and remove them from pockets before washing laundry. Common sense is a basic security tool.
But Why?
We honestl
Source: http://www.cyanogenmod.com/blog/security-and-you

mDroidd said:
I recommend Avast Anti Theft.
When your device gets stolen, the new owner will take the sim card out and put his in huh?
Well, anti theft sends a pre-entered number a warning that an other SIM is in it. Via sms commands, you can turn GPS on, send the location, block root and stuff.
It wont be deleted as it is a system app
I use it.
Thanks for the job, needed this for hacking my bros phone xD
Greets!
All true, if speaking of a casual thief- maybe you left the phone on the bar and someone couldn't resist the temptation. A couple of months ago my wife's phone was recovered in such an occasion- got an sms from Avast Theft Aware with the new number, contacted the rather surprised "honest finder" and he decided to return it back to us.
Anyway, two weeks ago went scubadiving and when returning to the car found the window broken and sure, among other stuff (wallets, scuba gear etc) also both our phones were stolen. However, this time it looks like the thieves were not quick to put their own sim card. Actually, it looks like they've removed the batteries, thrown the sim cards away (they're useless anyway as the carrier blocks the sim).
Since then, no signs whatsoever that the phones have been turned on, sims replaced or that someone has tried to type wrong security pin or whatever- no sms notifications, no emails, no webtracking, nothing.
My guess- the thieves sell them for a small fee (20% of street price?) to some lab or someone who knows "how to deal with it"- do a good wipe (not just factory reset) and remove whatever stuff was installed- system app or not- then put them on market for sale as second hand. Or maybe they just wait with patience a few weeks until you stop looking for it?
So, sometimes these apps like Avast, Cerberus and the such work, sometimes not. Better to keep the phone safe and not rely on it being stolen by a stup!d thief...
On the bright side, one can consider it as an opportunity for upgrade

First I typed in:
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
However, in spite of what he stated, sqlite>in command prompt doesn't appear.
Instead, I get
/system/bin/sh: sqlite3: not found
how do i set sqlite working?
I'm unable to launch sqlite3 from adb shell
I can manually launch sqlite from the folder but not in cmd

You have to install sqlite3 - https://play.google.com/store/apps/details?id=ptSoft.util.sqlite3forroot&hl=en

Is there a tutorial for a password locked screen too?

Is there another way to bypass the pin code lockscreen? 'Cause I'm always getting stuck on:
" /sbin/sh: sqlite3: not found "
I have installed sqlite from market

any idea?

whoa, you guys are amazing, this worked like a charm on a password locked tablet
polaroid pmid70c

This is a scary concept. If you value your Android device, consider installing a paid service like dyndns, install the paid version of real vnc onto the device, and have ssh set up as well. This would help to recover your phone in the event it becomes stolen: you could ssh into it, launch apps, view and control the phone remotely via vnc, hell, even take pictures, turn on gps, all sorts of cool things.

holm94 said:
Is there another way to bypass the pin code lockscreen? 'Cause I'm always getting stuck on: " /sbin/sh: sqlite3: not found " I have installed sqlite from market
your phone is root enabled? Superuser or SuperSU app installed? Connect USB and run "adb root" and that works?
Try this installer app again https://play.google.com/store/apps/details?id=ptSoft.util.sqlite3forroot&hl=en
I flashed the root feature with SuperSU update zip file in recovery mode, and rebooted.
I grabbed a 'sqlite3' binary made for ARM cpu from the 'net and manually pushed it to my phone's /system/xbin/ directory.
1. unzip this sqlite3 file
2. power on device in custom recovery mode, ('factory mode' also may work, such as in some Chinese phones, including my Jiayu)
3. connect USB cable, and in recovery mode, mount the /system directory and any other directories you will use (see screenshot)
4. open a command prompt (terminal) on computer and run these commands
Code:
adb root
adb remount
adb push sqlite3 /system/xbin/sqlite3
adb shell
chmod 755 /system/xbin/sqlite3
sqlite3 -h
...
exit
adb reboot
* alternate method: if #4 'adb root' does not work, then turn on phone to normal running mode and do:
Code:
adb push sqlite3 /data/local/tmp/sqlite3
adb shell
su
mount -o rw,remount /system
cp /data/local/tmp/sqlite3 /system/xbin/
rm /data/local/tmp/sqlite3
chmod 755 /system/xbin/sqlite3
sqlite3 -h
...
exit
exit
adb reboot
"exit" twice for alternate method.
All this can be done over Wifi instead of USB via a SSH server app.
^_^
I can run all the commands fine, but the PIN lock is still there on my phone after reboot. Android 4.2.1, Jiayu Chinese ROM. So method does not work.

help me, I'm stuck at " error: device unauthorized. Please check the confirmation dialog on your device."

I know this is super old thread but I used this method and combination with other commands I found on internet to bypass my lockscreen on att samsung galaxy s7 phone I had forgotten pin code on.
I was using fingerprint for a couple of months and rebooted phone for an update and it requires pin code first time before using fingerprint again and I had flat out forgot it. When it got to 1 hour wait between input retries I searched and found this and other methods. I read no methods work unless rooted.
Luckily and thank God I'm rooted and usb debugging turned on and I have adb installed configured and have used with phone before....thank God. Because pretty much every and anything else on the phone is turned off on phone so I keep off the grid.
I know I'm dragging this out but I want to document and reiterate the value of xda. I will try and remember exactly what I did and may just redo it to be sure and list my exact steps.
One thing, I don't have sqlite3 cursor when connecting with adb....I have hero2qltatt or something like that .....I'll get corrected with an edit when I go thru again to make sure.
Also, once I got past lockscreen, when I went into setting/lockscreen&security/ on the phone it still showed pin,fingerprint as security but somehow which still baffles me there was a pick for 'swipe' available....but I still don't know how that happened or how it appeared but I kept trying different pin codes to try to reset that which now there were no limits or time delays but still couldn't remember and then I saw a pick for 'swipe' and that solved it all. I rebooted again to be sure and perfect. Then I went in to recovery and wiped cache and now my phone is back exactly as before.
I wrote down the pin code this time.
Eventually soon I will rerun my steps and document exactly and maybe there is already a more recent account but I found this one first and it pretty much worked....thanks.
OK this is what I used:
adb shell
cd data/system
su
rm *.key

reboot

Related

Bloatware and beyond (removal)

Hello so I'm just making this post to inform some people who are scared to disable certain things that a lot more can be done with the disable feature than just alleviating bloatware.
So far I've disabled sense launcher and I'm currently only using launcher pro. I've also disabled everything with the word twitter in it lol.
One of my pet peeves is redundant data so I was able to disable htc sense's facebook and just download the facebook app which kicks its asssss anyway.
I've disabled the lock screen however it did not actually disable the lockscreen, no idea what that lockscreen.apk is doing but i still have it disabled.
Here is a list of my disabled packages.
package:com.htc.fm
package:com.android.browser
package:com.htc.rosiewidgets.datastrip
package:com.htc.widget3d.watch
package:com.htc.lockscreen
package:com.htc.appsharing
package:com.htc.idlescreen.stock
package:com.logmein.rescue
package:com.htc.Sync3DWidget
package:com.telenav.app.android.telenav
package:com.htc.connectedMedia
package:com.htc.streamplayer
package:com.htc.clock3dwidget
package:com.mobitv.client.tmobiletvhd
package:com.htc.android.htcsetupwizard
package:com.htc.wdm
package:com.htc.FMRadioWidget
package:com.htc.htccompressviewer
package:com.htc.widget3d.weather
package:com.omnifone.android.app.htclistenstore
package:com.htc.htcsettingwidgets
package:com.android.setupwizard
package:com.htc.android.Stock
package:com.htc.rosiewidgets.photogridwidget3d
package:com.htc.rosiewidgets.powerstrip
package:com.android.protips
package:com.htc.friendstream
package:com.htc.rosiewidgets.tip
package:com.htc.MusicWidget3D
package:com.voxmobili.sync.MobileBackup2
package:com.htc.rosiewidgets.screenbrightness
package:com.muvee.video.trimer
package:com.qiktmobile.android
package:com.tmobile.vvm.application
package:com.htc.ereader.widget3d
package:com.htc.htcmailwidgets
package:com.htc.htctwitter
package:com.westtek.jcp
package:com.sdgtl.watch.pyramid
package:com.htc.feedback
package:com.htc.android.fusion.StockWidget
package:com.htc.mysketcher
package:com.android.magicsmoke
package:com.htc.idlescreen.socialnetwork
package:com.htc.launcher
package:com.htc.cs
package:com.htc.android.teeter
package:com.slacker.radio
package:com.htc.FriendStream3DWidget
package:com.htc.recommend
package:com.nuance.nmc.sihome
package:com.htc.Trends3DWidget
package:com.htc.photowidget3d
package:com.htc.Twitter3DWidget
package:com.logmein.rescuesecurity
package:com.htc.socialnetwork.facebook
package:com.htc.socialnetwork.flickr
package:com.gameloft.android.GAND.GloftNOHP
package:com.htc.fusion.htcbookmarkwidget
package:com.htc.htccontactwidgets_3d_fusion
package:com.tmobile.apppack
moral of my story, you got a lot of room to play around with. My phone runs incredible fast now and the battery life has increased but I also just bought a 1900mAh battery and popped that in.
Let me know if anyone else can add to this list. I plan on disabling the SMS client and solely using a third party in the very near future. Any words about this? Thanks!
Noob question, how exactly do you disable that? I see some other post saying they can disable it but never really get into how they go around doing it. I'm also new to android T_T.
I had trouble at first too.
first google this: setting up android SDK for windows
Then since they probably won't tell you this, at the step where they tell you to download google usb drivers, do it anyway (can't hurt) but immediately after that- download HTC sync, and install just to get all the drivers you need for your HTC phone onto windows. At that point you want to then close HTC sync from your running applications to avoid a server out of date error in command prompt (this will get a lot easier to understand once you have the sdk tutorial infront of your face)
Once sdk is all set up and you can access your device (you will try to run adb shell in command prompt in windows and you will get a $) You can go to the dev section and look at the fre3vo post.
From here you can drop the fre3vo file into C:/ and the first command in command prompt will be
adb push C:/fre3vo /data/local/tmp
- the C:\fre3vo is where the file is located on your computer and the /data/local/tmp is where you're moving it onto the android device.
Next command is
adb shell chmod 777 /data/local/tmp/fre3vo - to my understanding this is just changing permissions so you can run the file thru our terminal set up.
Last command just runs the binary and is adb shell /data/local/tmp/fre3vo
After that you should be able to run the fre3vo exploit and it will kick you back to your original command prompt something like C:\users\your name
Now comes the easy part: at this point type in adb shell and you will get a # sign which means you achieved temp root. The following commands will help and should only be ran after you see the # symbol because these are commands for android on your phone, not the ADB program we used to just place the fre3vo file onto the phone.
pm list packages - this shows all packages installed
pm disable (package name) use the package name from the list above where the brackets are but exclude the brackets
pm enable (package name) will enable the package in case your phone starts to bug
pm list packages -d -this will show you which packages are disabled and yes keep the minus sign infront of the d.
PM me if you have trouble.
alright i'll try to do this right now =) thanks a lot! c how it goes~
ignore post

[ROOT][HOWTO] WIP: Root the Verizon GSIII without flashing a ROM

UPDATE: I created a tool based on this method. Head over to the new thread.
---
WARNING: This is WIP for now. Don't run it if you aren't comfortable with the possibility of having something go wrong and having to re-Odin back to stock or worse. I was already rooted and had Busybox installed, so even though I temp-unrooted first, I don't know for certain if this will work on a stock device. If anyone wants to flash back to pure stock and give it a shot, I'd appreciate it. If it works, I'll try and make it easier to use.
NOTE: This may give you the custom unlock screen! I'm not 100% certain it was this root method that did it, though, as I had installed BusyBox and frozen several system apps with TiBu before my most recent reboot. I need someone willing to test. I don't have time to backup, flash to stock, and retry at the moment.
Background: Since some people seem to have mysterious issues after flashing the root66 image, I've been looking at existing ICS root methods which don't require flashing ROMs to see if any work on the GSIII. I think I've found one.
This is an adaptation of miloj's root method for the Asus TF300T. All credit goes to him and anyone else he mentioned in his post.
Instructions:
Install the USB drivers if you don't have them already: Verizon_Wireless_I535_GSIII_Samsung_USB_Driver_v1_4_6_0.exe
Download the attached binary package and extract them somewhere
Set up adb and make sure you can see your phone
Run the following commands in a shell. A leading $, # or debugfs: is a prompt you will see on the screen, everything else is something you type, and lines wrapped in "..." are comments.
Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.bak
$ ln -s /dev/block/mmcblk0p14 tmp
$ exit
adb reboot
... wait for phone to reboot ...
adb shell
$ cd /data/local
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.bak /data/local/tmp
$ exit
adb reboot
... wait for phone to reboot ...
adb shell
$ /system/xbin/su
# id
... You should see: uid=0(root) gid=0(root) ....
# exit
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit
This is using miloj's insecure su, so you should install the superuser app and immediately use its binary update feature to install a proper binary. Otherwise, you're just asking to get malware.
I very much like this root method. Would be interested to see if anyone else is able to get this successfully done on their stock devices.
Worst case, I'll be getting a replacement phone on Wednesday due to some minor screen issues, so I'll be forced to try it then.
Let US know if it works...I have slow connection that times out at 80% because of these huge Rom files
Thanks for working on this Ninja, and thanks for sharing with us. :good:
Sounds like it will be the cleanest root method yet.
$ mv /data/local/tmp.back /data/local/tmp
should be
$mv /data/local/tmp.bak /data/local/tmp
---------- Post added at 05:46 PM ---------- Previous post was at 05:38 PM ----------
This is CONFIRMED working on my VIRGIN SGS3 I got today. had to fix the one typo above. No problems yet. just don't break things freezing too many apps. Someone script up a one click root. If you don't, I will tonight. (In about 3 or four hours or so.)
FlyingPoo said:
$ mv /data/local/tmp.back /data/local/tmp
should be
$mv /data/local/tmp.bak /data/local/tmp
The perils of copy/pasting half from the original post and half from my local shell.
FlyingPoo said:
This is CONFIRMED working on my VIRGIN SGS3 I got today. had to fix the one typo above. No problems yet. just don't break things freezing too many apps. Someone script up a one click root. If you don't, I will tonight. (In about 3 or four hours or so.)
I'm working on one now. It's about 2/3 done. I have to go run a couple errands before I can finish it, though.
alrighty, cool beans!
FlyingPoo, did you get the "custom unlock" boot screen after adding the su binary?
May have to try this one out! Thanks
Tool here: http://forum.xda-developers.com/showthread.php?t=1792342
Did not want to post in the tool thread to confuse people so maybe this can be used as basic research to make this method as seamless as possible? Let us know what you prefer Ninja.
Wanted to give some more details on the "custom unlock" boot screen. There were some new findings from Lee (aka ralekdev) who is working on unlocking the bootloader.
Ralekdev said:
In other news, I found what keeps resetting the 16 byte encrypted romtype in param.img. It's libcordon.so, which is from /system/app/SysScope.apk (it'll also be copied to /system/lib/libcordon.so). It's using quite a few checks to see if you've modified your system.
There's an adb scanner, checking to see if you've changed the ro.secure or ro.debuggable props.
The root process scanner checks running processes and returns true if any are found running as root that are not one of:
"debuggerd", "init", "installd", "servicemanager", "vold", "zygote", "netd", "ueventd", "dock_kbd_attach", "pppd", "pppd_runner", "mpdecision", "thermald", "hdmid", "sec_keyboard", "seccmmond", "mfsc", "mfdp"
There's also a partition check, kernel checker, su scanner, and a file scanning mechanism using data from a sqlite db
So to completely remove the Samsung custom screen on bootup and 5 second delay you'd need to disable the SysScope.apk, then encrypt and write the 16 bytes yourself using 0xFF000000 as the first int to mark yourself as official
If I understand correctly, there is a SysScope.apk that does various checks detailed in that post so I'm assuming if that apk is disabled on a "virgin" system after doing this process would ensure that the custom flag never gets touched. There is also mention of a system dynamic library that does some checks but not sure impact of disabling that as well, maybe makes more sense to see what would other process would be using it besides SysScope.apk.
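The two checks named in the quoted post (the ro.secure / ro.debuggable property check and the root-process allowlist) can be reproduced offline against saved `adb shell getprop` and `adb shell ps` output. This is an added example, not part of the thread and not SysScope's code: the function names, the toolbox-style `ps` column layout, the sample data and the rule of skipping kernel threads (VSIZE 0) are assumptions of the example. The same property check shows whether a device is open to the adb-as-root lock-screen edits discussed earlier in the thread.

```python
"""Offline audit of saved getprop / ps output (added example)."""
import re
from pathlib import PurePosixPath

# Root-owned process names the quoted post lists as expected.
ALLOWED_ROOT = frozenset({
    "debuggerd", "init", "installd", "servicemanager", "vold", "zygote",
    "netd", "ueventd", "dock_kbd_attach", "pppd", "pppd_runner",
    "mpdecision", "thermald", "hdmid", "sec_keyboard", "seccmmond",
    "mfsc", "mfdp",
})

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_props(props):
    """Flag the two properties the post says the adb scanner looks at."""
    findings = []
    if props.get("ro.secure") != "1":
        findings.append("ro.secure is not 1: adbd keeps root by default")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable is 1: 'adb root' is permitted")
    return findings


def unexpected_root_processes(ps_text):
    """Return (pid, name) for root processes outside the allowlist.

    Assumed columns: USER PID PPID VSIZE RSS WCHAN PC [STATE] NAME.
    Kernel threads (VSIZE 0) are skipped; the page does not say how the
    real scanner treats them, so that rule is this example's own.
    """
    hits = []
    for line in ps_text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] != "root" or not cols[1].isdigit():
            continue  # header, short line, or a non-root process
        if cols[3] == "0":
            continue  # kernel thread
        name = PurePosixPath(cols[-1]).name  # /system/bin/vold -> vold
        if name not in ALLOWED_ROOT:
            hits.append((int(cols[1]), name))
    return hits


def audit(getprop_text, ps_text):
    """Combine both checks into one list of human-readable findings."""
    findings = check_props(parse_getprop(getprop_text))
    for pid, name in unexpected_root_processes(ps_text):
        findings.append(f"unexpected root process: {name} (pid {pid})")
    return findings


# Constructed sample data, not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.type]: [userdebug]
[ro.secure]: [0]
[ro.debuggable]: [1]
"""

SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     540    380   c00d4b28 0000d5cc S /init
root      2     0     0      0     c006b1a0 00000000 S kthreadd
root      120   1     1200   600   ffffffff 00000000 S /system/bin/vold
root      131   1     450000 40000 ffffffff 00000000 S zygote
system    310   131   500000 60000 ffffffff 00000000 S system_server
root      412   1     4500   300   ffffffff 00000000 S /sbin/adbd
root      977   412   780    420   c0044a6c 00000000 S /system/bin/sh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETPROP, SAMPLE_PS):
        print(finding)
```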
Interesting stuff. Sounds like just freezing/removing them will still give custom unlock, but it might be possible to write replacements which don't actually do the checks.
Unfortunately, I won't have a huge amount of time to spend on research for the next two weeks, but I'll see what I can do, and see what the other devs have done with reversing SysScope and libcordon.
This root method reminds me of Motorola's infamous "zergRush" root exploit. A great way to root the device without even touching the ROM.
Noxious Ninja said:
Interesting stuff. Sounds like just freezing/removing them will still give custom unlock, but it might be possible to write replacements which don't actually do the checks.
Unfortunately, I won't have a huge amount of time to spend on research for the next two weeks, but I'll see what I can do, and see what the other devs have done with reversing SysScope and libcordon.
Sounds good.
I could be wrong but I'd imagine that since that by default the flag is not set so we should be good by just disabling them. I might just be the guinea pig and immediately rename SysScope and the libcordon after rooting to see if flag gets tripped.
Based on Lee's analysis what doesn't add up is why people who flash the full rooted "stock image" have not reported this flag being tripped yet...
lowg said:
Sounds good.
I could be wrong but I'd imagine that since that by default the flag is not set so we should be good by just disabling them. I might just be the guinea pig and immediately rename SysScope and the libcordon after rooting to see if flag gets tripped.
Based on Lee's analysis what doesn't add up is why people who flash the full rooted "stock image" have not reported this flag being tripped yet...
It might be that if you disable them while you don't have custom unlock, it works, but if you already have custom unlock you would have to reset it somehow.
If you decide to try it, see if you can still bring up the Settings -> About device -> Status menu to see Device status, or if that crashes.
Noxious Ninja said:
It might be that if you disable them while you don't have custom unlock, it works, but if you already have custom unlock you would have to reset it somehow.
If you decide to try it, see if you can still bring up the Settings -> About device -> Status menu to see Device status, or if that crashes.
Ok, after rooting, I immediately disabled only SysScope.apk by renaming it, installed Superuser from market and updated binary, rebooted no unlock screen. Settings -> About device -> Status works fine. Device status section shows "Scanning..." for about two minutes after rebooting then simply "Modified".
After this tried soft reboot, hard reboot numerous times and still no "custom unlock" boot screen.
lowg said:
FlyingPoo, did you get the "custom unlock" boot screen after adding the su binary?
hmm. actually i do. Altho my Device status says normal.
FlyingPoo said:
hmm. actually i do.
hmmm, maybe it does have something to do with that apk then. originally that's all I renamed but since then froze a lot of apps and still no unlock, only showing modified status
FlyingPoo can you post more about what you did after rooting?
Did you immediately install the ChainsDD version of su (via the binary updater in the Superuser market app) or did you stick with the version of su that came with the script for a while?
Did you ever enter "Odin/Download" mode of your device?
Just trying to figure out how our devices could have a different status if we both started from "virgin" GS3s.. Don't want to assume it's just SysScope either since I never disabled the libcordon.so and maybe it's used in other places in the system...

[GUIDE][HOW-TO]Crack android pattern lock!

Disclaimer: this is for educational purposes only. You shall not use this on other people's phones without permission under any circumstances, and I am not responsible for any misuse of this hack.
OK, so not long ago I had a problem with a locked Android device with a pattern and I managed to unlock it using adb, so here's how, in case you are stuck one day with a locked device.
The device needs to have USB debugging enabled. In case USB debugging isn't enabled and you have CWM, you can run the same instructions from CWM. Root is not required (though it will be better if the device is rooted).
This was tested on: Gingerbread, Ice Cream Sandwich and Jelly Bean.
Both methods are through adb.
method 1:
Code:
adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
.quit
-AND/OR-
method 2:
Code:
adb shell rm /data/system/gesture.key
and that's a video showing how method 2 is done (thanks to melvinchng) : http://www.youtube.com/watch?v=tVJ7T2oC_Zs&feature=player_embedded
you can try both of them,here is how i managed to remove the lock:
1- run the first method.
2-reboot
3-run the second method
4-reboot
NOTES:
-in the first method each line is a separate command so click enter after typing each line.
-in the second method type all the command and then press enter.
-after running both methods and rebooting you may see the pattern lock,that doesn't necessarily mean it doesn't work,just try any random pattern and it may unlock then remove the pattern from settings.
-this may and may not work,it may work on some devices and don't on others,so all you can do is trying it but i can't assure it will work.
a small donation would be much appreciated thank (check my signature)
But What if i remember the password well enough, but didnt have data enabled the moment it got locked?
Explained elaborately here>>>http://forum.xda-developers.com/showthread.php?p=29963687
It will unlock either (Loook at the time of message above - I am time traveler )
i have better method than both the above ones
look for smudges on the phone
Do the files need to be restored or are they just the user data for the pattern locks?
This is really great...
i wonder how do you discover this
you must be a hacker
Or you could boot into recovery backup data
wipe factory reset and reboot
Could try restoring data but most likely restore pattern lock
Or simply enter your gmail address as requested
2nd option...
if you have Custom recovery
use AROMA File Explorer and you can do the same thing through the recovery
or adb through the recovery
FWIW, on CM10 neither method works as non-root. Yay CyanogenMod.
Method #1 FAIL:
1|[email protected]:/data/data/com.android.providers.settings/databases $ ll
opendir failed, Permission denied
255|[email protected]:/data/data/com.android.providers.settings/databases $ sqlite3 settings.db
Error: unable to open database "settings.db": unable to open database file
Method #2 FAIL:
[email protected]:/data $ ll /data/system/gesture.key
-rw------- system system 20 2012-08-11 04:51 gesture.key
[email protected]:/data $ rm /data/system/gesture.key
rm failed for /data/system/gesture.key, Permission denied
(I use faceunlock + pattern (mostly to keep my kid outta my phone), but if I actually cared more about security I'd encrypt my phone and use a passphrase instead)
This is a useful guide, thanks, I will try it :good:
So I guess if Debugging wasn't previously enabled, you have no chance to unlock it...
I've noticed a locked Archos tablet in a shop (probably some stupid shopper locked it) and when I saw this thread announced on the first page I was thinking of helping the shop owner. But I guess I cannot.
Have a nice day!
I don't know whether this method can use on neither:
Rooted
Installed Busybox
Rom Version Older or Newer than CM7
This method require ADB Debugging On & A PC & A tool Provided
I found this trick a long time ago
I come for sharing
Download the By-pass security Hack.7z
http://www.mediafire.com/download.php?li2686c3jenmen6
Primary Step for all method:
Extract it to anywhere using 7-zip.
Open SQLite Database Browser 2.0.exe in SQLite Database Browser.
Run pull settings.db.cmd inside By-pass security Hacks folder to pull out the setting file out of your phone.
Drag settings.db and drop to SQLite Database Browser 2.0.exe program.
Navigate to the Browse data tab. At Table there, click to list down the selection & select secure
Instruction To Remove Pattern Lock:
Now, find lock_pattern_autolock, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove PIN Lock:
Now, Find Or Create lockscreen.password_type, double-click & change its value to 65536, Apply changes!
Now, find lock_pattern_autolock, Delete Record, If doesn't exist, Ignore
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove Password Lock:
Now, find lockscreen.password_salt, Delete Record
Now, find lockscreen.password_type, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
hmmm I hope those thieves don't find this thread lol
zmore said:
FWIW, on CM10 neither method works as non-root. Yay CyanogenMod.
Nor does either method work on unrooted Galaxy Nexus with stock Jelly Bean. Yay stock Android.
mixtapes08 said:
hmmm I hope those thieves don't find this thread lol
don't leave usb debugging checked on then.
I advise you guys to also post your Android version. My opinion is that the security hole that permits this hack has been removed in JellyBean, maybe even in an earlier version.
I will try it too a little later, just for the fun's sake.
aussiebum said:
don't leave usb debugging checked on then.
If you have forgotten to leave USB debugging enabled, reboot your phone into recovery and do the same. No USB debugging required.
You may however need to mount the partition being accessed by this method, and you can do that only if you have a custom recovery installed (which you more-than-likely have, since you're here on XDA). Just go to 'Mounts and Storage' and mount /data. Then use the method just the normal way. Cheers!
Useful guide for sure. Will keep this as reference!
Does this only work for the pattern unlock or will it also work on the password or the PIN unlock screen?
I can confirm that it is working on a CM7.2 Motorola Defy.
Thanks m.sabra!

[Q] Bypassing lock screen, various devices

Hi,
I know this topic has been beaten into the ground but I have been looking around and have found no solutions for this issue relating to my position.
Why do I need a solution?
I work in a business which deals with a lot of phones which are mostly faulty/cracked screen/need data retrieved while they have a lock screen;
I see mainly Samsung phones come in with these issues;
Factory reset is not always an option for data recovery reasons, etc etc.
The situation?
Rooting the devices is not an option.
Touch screen may not work or lock code may have been forgotten.
USB debugging probably isn't enabled.
What do I need to know?
How do I enable USB debugging without going to settings; and
How can I remove the lock without inputting the code?
What I have tried:
adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
.quit
Why it didn't work?
sqlite3: not found
adb shell rm /data/system/gesture.key
Why it didn't work?
Permission denied
And all the other threads I found pretty much all lead to the same two results.
Any help that leads to a solution for me would be greatly appreciated!!
You can't use sqlite3 or rm if the adb doesn't have root access.
It has to show a # instead of a $ sign. So just root the device and unroot it later if you want
And some phones give root access on adb even if you don't root them. So on adb shell type "su". If it showed a # sign then everything will work fine.
If it gave an error that su wasn't found then you need to root it.
Or you can try using adb pull commands to pull files from sdcard
You cannot enable USB debugging without going to settings. But there are some custom recoveries that give full adb access. So just flash a custom recovery.
Sent from my One X+ using XDA Premium 4 mobile app

GUIDE: How to avoid the Captive Portal Checkin to Google

Dear XDA community,
this is my first own thread and guide, so please bear with me.
And I hope I chose the right section.
As the thread title says, this is about the Captive Portal Checkin done by Android.
So first some general info about this.
1. What is the Captive Portal Checkin?
Every time your android phone connects to the internet via mobile connection or wlan it sends a request to the following url:
http://connectivitycheck.gstatic.com (Google URL).
After that your device gets an HTTP 204 answer from the mentioned URL, and at that point the x-symbol at your network icon in the status bar disappears.
The reason for that behavior is that Android wants to be sure that your connection has internet access.
If you block that request, via AFWall for example, DNS fails in some cases and you can't get onto the Internet.
Silly.
2. Why is this problematic?
That's a good question, because this answer from Google doesn't hold much data. But every time this connection is made Google gets the following information:
- IP address
- Time of the internet access
- the browser which you use
In my case I use custom ROMs and no GApps to avoid Google as much as I can. So I don't want that "ping" to Google.
That's the reason why I searched for possibilities to get rid of this ping. And thanks to a German security and privacy specialist I found a possibility to avoid the ping to Google and have working Internet, too.
3. What did that guy do?
Very simple. He just started his own Captive Portal Checkin Service. So no need for Google anymore
WHAT YOU NEED:
- Computer with installed ADB
- Active USB Debugging at your phone
- At least Android 7
TESTED ON:
I tested his instructions on my old Xperia Z3 phone (CarbonROM 7.0 based on Android 9, Custom Rom).
IMPORTANT:
You need to execute the commands with a booted system (valid for both posts where i write the instructions). It DOESN'T work in the terminal of recoveries (e.g. twrp).
Thanks @jaysir for the information.
INSTRUCTIONS:
Android 7:
1. Connect the phone with your computer
2. Activate ADB and test the connection with the "adb devices" command. If your phone shows up go to step 3.
3. Execute these commands in your terminal:
=> adb shell 'settings put global captive_portal_http_url "http://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_https_url "https://captiveportal.kuketz.de" '
Android 8 and 9:
1. Connect the phone with your computer
2. Activate ADB and test the connection with the "adb devices" command. If your phone shows up go to step 3.
3. Execute these commands in your terminal:
=> adb shell 'settings put global captive_portal_http_url "http://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_https_url "https://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_fallback_url "http://captiveportal.kuketz.de" '
=> adb shell 'settings put global captive_portal_other_fallback_urls "http://captiveportal.kuketz.de" '
Well that's it. When you want to revert back just execute the commands again with this url:
http command: http://connectivitycheck.gstatic.com/generate_204
https command: https://connectivitycheck.gstatic.com/generate_204
Link to the source:
https://www.kuketz-blog.de/android-...204-http-antwort-von-captiveportal-kuketz-de/
If i make any typos tell me
Thanks again to the German security researcher and his community, there is a way to deactivate the captive portal checkin completely.
It works on Android 7 and Android 8.1/9. But in comparison to the method in my first post this needs root access on your phone.
For all new users:
I recommend Magisk to gain root.
So now the instructions:
For Android 8/9:
1. Open a terminal on your phone (via terminal apps).
2. Type the following command:
- su
- su
- pm disable com.android.captiveportallogin
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global captive_portal_mode 0
3. Then reboot your phone (via hardware buttons, system or terminal app).
For Android 7:
1. Open a terminal on your phone (via terminal apps).
2. Type the following commands:
- su
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global captive_portal_mode 0
3. Then reboot your phone (via hardware buttons, system or terminal app).
Link to Source
https://www.kuketz-blog.de/empfehlungsecke/#captive-portal
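Added example (not from the thread or the linked blog): a shell helper that reads the output of `adb shell settings list global` and reports whether the captive-portal keys from the two posts above are set consistently for a given Android version. The function names and the sample dump are constructed for illustration; it assumes `settings list global` prints `key=value` lines on the booted device.

```shell
#!/bin/sh
# Classify a device's captive-portal configuration from key=value settings
# text on stdin, e.g.:  adb shell settings list global | classify_captive_portal 9

# Print the value of key $2 found in the key=value text $1 (empty if unset).
get_setting() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Print the host of a URL; for a comma-separated list, the first entry's host.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[/:,].*$||'
}

# usage: classify_captive_portal <android_major_version> < settings_dump
# prints: disabled | default | redirected:<host> | partial:<first bad key>
classify_captive_portal() {
    version=${1:-0}
    dump=$(cat)

    # Second post (root method): mode 0 / detection_enabled 0 switch the check off.
    if [ "$(get_setting "$dump" captive_portal_mode)" = "0" ] ||
       [ "$(get_setting "$dump" captive_portal_detection_enabled)" = "0" ]; then
        echo "disabled"; return 0
    fi

    http_url=$(get_setting "$dump" captive_portal_http_url)
    if [ -z "$http_url" ]; then
        echo "default"; return 0    # nothing overridden, platform default applies
    fi
    want=$(url_host "$http_url")

    keys="captive_portal_https_url"
    # First post: Android 8 and 9 additionally need the two fallback keys.
    if [ "$version" -ge 8 ]; then
        keys="$keys captive_portal_fallback_url captive_portal_other_fallback_urls"
    fi
    for key in $keys; do
        value=$(get_setting "$dump" "$key")
        # An unset key or a different host means probes can still reach the default.
        if [ -z "$value" ] || [ "$(url_host "$value")" != "$want" ]; then
            echo "partial:$key"; return 0
        fi
    done
    echo "redirected:$want"
}

# Constructed sample: only the two Android 7 keys were set.
SAMPLE_DUMP='adb_enabled=1
captive_portal_http_url=http://captiveportal.kuketz.de
captive_portal_https_url=https://captiveportal.kuketz.de'

printf '%s\n' "$SAMPLE_DUMP" | classify_captive_portal 9
```

It reports stored settings only; a later reply in this thread describes a device that kept probing with these values set, so compare the result with what the firewall actually sees.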
Very nice and very important tutorial!
Just for completeness; and I don't claim and definitely don't have a copyright. I reported these procedures already here end of April in the thread "Enhanced Privacy, Security and Battery Duration! My Measures...". I mentioned it also once here in the AFWall+ thread.
I'm very glad that these procedures get repeated and repeated again. From my personal point of view it's so important to develop the stance to not allow Google to collect our data. I've subscribed to Mike Kuketz and am very grateful for his job and dedication.
Oswald Boelcke said:
Very nice and very important tutorial!
Just for completeness; and I don't claim and definitely don't have a copyright. I reported these procedures already here end of April in the thread "Enhanced Privacy, Security and Battery Duration! My Measures...". I mentioned it also once here in the AFWall+ thread.
I'm very glad that these procedures get repeated and repeated again. From my personal point of view it's so important to develop the stance to not allow Google to collect our data. I've subscribed to Mike Kuketz and am very grateful for his job and dedication.
I agree with you. It's a pity that so many people don't care about it.
I must admit I forgot to search the forum for whether the instructions were already posted, but as you said every mention helps.
Thanks, however, not working on pixel experience rom.
Update:
Seems no settings command under ADB shell, worked when turning on Usb debugging.
jaysir said:
Thanks, however, not working on pixel experience rom.
seems no settings command under ADB shell
Thx for your info. And i will try it on my old z3 with the custom rom which you mentioned.
I know there is a Android 9 based Pixel Experience for the z3.
Will report then.
dhacke said:
Thx for your info. And i will try it on my old z3 with the custom rom which you mentioned.
I know there is a Android 9 based Pixel Experience for the z3.
Will report then.
Sorry, I did not make myself clear.
It just not working under recovery mode.
After booting to the system and opening the USB debugging, it is working.
jaysir said:
Sorry, I did not make myself clear.
It just not working under recovery mode.
After booting to the system and opening the USB debugging, it is working.
Good to know (and i'm happy that now everything works)
I will edit the guide and add your information to it.
Thanks.
Thanks dhacke for all this information.
I got here from a link on an XDA forum for the Huawei Watch 2 LTE smartwatch. Do you know if this can be done to the watch as well?
ajlajluk said:
Thanks dhacke for all this information.
I got here from a link on an XDA forum for the Huawei Watch 2 LTE smartwatch. Do you know if this can be done to the watch as well?
As far as I see it the adb method (post 1) could work, because according to the Internet the device runs Wear OS, which is basically an Android version for smartwatches.
So in theory you can activate USB debugging and redirect the captive portal to Mike Kuketz's service as long as the commands are accepted.
Regarding method 2 I can't say anything, because I don't own a smartwatch and have zero knowledge of whether root is possible/how it is done on those smartwatches (which is needed for that method).
dhacke said:
As far as I see it the adb method (post 1) could work, because according to the Internet the device runs Wear OS, which is basically an Android version for smartwatches.
So in theory you can activate USB debugging and redirect the captive portal to Mike Kuketz's service as long as the commands are accepted.
Regarding method 2 I can't say anything, because I don't own a smartwatch and have zero knowledge of whether root is possible/how it is done on those smartwatches (which is needed for that method).
Just as you said, I enabled adb debugging, opened a terminal session from my mac to the watch and sent the commands from version 1 and they were both accepted. I should be able to check if it has worked tomorrow so will keep everyone updated when I've tested it.
OK. My watch appeared to connect to wifi but then said "No Internet".
I've now done the same mod to my phone, deleted the supermarket wifi I'm trying to connect my watch to from both the watch and the phone and will try again. I'm also wondering whether having BT on at the same time is causing a problem so I'll try with it on and then off and see if it makes any difference.
Thanks again for giving me hope I'll be able to connect WearOS 2 to a captive portal wifi network.
Further to above, unfortunately still no joy. Watch says "Connected" for the briefest moment then "No Internet" and won't go any further.
Never mind.
Thanks again for your work for the Android community.
Is it safe?
We are sending data to completely unknown server, that's why asking.
Datta258 said:
Is it safe?
We are sending data to completely unknown server, that's why asking.
In my opinion yes. The mentioned security expert has a good reputation afaik and he hasn't done anything in the past which gives me a reason to distrust him.
And in the near future he will work for the German commissioner for data protection and freedom of information. So I think he is a trustworthy person.
In the privacy policy on his site for the captive portal check service he writes that no information at all will be logged.
Of course you can ask him directly via e-mail if my words don't soothe you; I can only share my opinion about that guy
Thanks.
dhacke said:
For Android 8/9:
1. Open a terminal on your phone (via terminal apps).
2. Type the following command:
- su
- su
- pm disable com.android.captiveportallogin
- settings put global captive_portal_detection_enabled 0
- settings put global captive_portal_server localhost
- settings put global_portal_mode 0
3. Then reboot your phone (via hardware buttons, system or terminal app).
Does this still work on Pie?
On my rooted Galaxy Note 10 (Pie, 1st Sept. Patch) it does not.
Btw. there is a typo, should it be "settings put global captive_portal_mode 0"? This is what I tried. If I then check the values by "settings get..." I get
1: 0
2: localhost
3: 0
So the values were taken, but it still tries to connect to captiveportal.kuketz.de or google (whatever I have set). If I block it, I will get the exclamation next to the wifi symbol.
ZXR said:
Does this still work on Pie?
On my rooted Galaxy Note 10 (Pie, 1st Sept. Patch) it does not.
Btw. there is a typo, should it be "settings put global captive_portal_mode 0"? This is what I tried. If I then check the values by "settings get..." I get
1: 0
2: localhost
3: 0
So the values were taken, but it still tries to connect to captiveportal.kuketz.de or google (whatever I have set). If I block it, I will get the exclamation next to the wifi symbol.
Oh yes you are right. There was a typo. It must be 'settings put global captive_portal_mode 0'.
Now it's corrected. Thanks.
Did you reboot after executing the commands?
On my side it works on Pie too. I have a z3 with Lineage 16 and my device doesn't make the check.
If it still doesn't work after the reboot and the commands are typed in right (=> no issue notification in the terminal comes up) the Samsung stock ROM could be the problem.
In that case I would recommend using the kuketz server.
dhacke said:
Did you reboot after executing the commands?
Yes and even after several reboots I get:
adb shell settings get global captive_portal_detection_enabled
0
adb shell settings get global captive_portal_server
localhost
adb shell settings get global captive_portal_mode
0
But, if not opened via script, I can see 185.163.119.132 (kuketz) being blocked by AFWall and the exclamation mark. So I open it with
$IPTABLES -A "afwall" -d 185.163.119.132 -m owner --uid-owner 1000 -p tcp -j ACCEPT
This works but I would prefer no C-P check.
One off-topic question:
Do you have an idea how to open the IP 0.1.0.1:0 in AFWall? It is used for VoLTE, but even if I use the script line above (with 0.1.0.1) it still gets blocked. I have to open UID 1000 completely...
ZXR said:
Yes and even after several reboots I get:
adb shell settings get global captive_portal_detection_enabled
0
adb shell settings get global captive_portal_server
localhost
adb shell settings get global captive_portal_mode
0
But, if not opened via script, I can see 185.163.119.132 (kuketz) being blocked by AFWall and the exclamation mark. So I open it with
$IPTABLES -A "afwall" -d 185.163.119.132 -m owner --uid-owner 1000 -p tcp -j ACCEPT
This works but I would prefer no C-P check.
You wrote 'adb'. Does it mean that you tried the commands in the adb shell from your computer with the phone connected?
That could explain why it isn't working. The commands must be typed in directly on the phone for deactivation.
I use the app 'Terminal Emulator' from F-Droid for this.
Link: https://f-droid.org/app/jackpal.androidterm
You could try it with that app once more. Apart from that I'm running out of ideas atm.
ZXR said:
One off-topic question:
Do you have an idea how to open the IP 0.1.0.1:0 in AFWall? It is used for VoLTE, but even if I use the script line above (with 0.1.0.1) it still gets blocked. I have to open UID 1000 completely...
Sorry, but no. I don't use VoLTE or Scripts in AfWall+.
