Dislcaimer: this is for educational purposes only,you shall not use this on other people phones without permission under any circumstances,and am not responsable to any misuse of this hack
Click to expand...
Click to collapse
ok so not long ago i had a problem with a locked android device with a pattern and i managed to unlock it using adb,so here's how in case you were stuck one day with a locked device.
the device needs to have usb debugging enabled in case usb debugging isn't enabled and you have cwm you can run the same instructions from cwm,root is not required (though it will be so better if the device was rooted)
this was tested on:gingerbread,ice cream sandwich and jelly bean.
both method are through adb.
method 1:
Code:
adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
.quit
-AND/OR-
method 2:
Code:
adb shell rm /data/system/gesture.key
and that's a video showing how method 2 is done (thanks to melvinchng) : http://www.youtube.com/watch?v=tVJ7T2oC_Zs&feature=player_embedded
you can try both of them,here is how i managed to remove the lock:
1- run the first method.
2-reboot
3-run the second method
4-reboot
NOTES:
-in the first method each line is a seperate command so click enter after typing each line.
-in the second method type all the command and then press enter.
-after running both methods and rebooting you may see the pattern lock,that doesn't necessarily mean it doesn't work,just try any random pattern and it may unlock then remove the pattern from settings.
-this may and may not work,it may work on some devices and don't on others,so all you can do is trying it but i can't assure it will work.
a small donation would be much appreciated thank (check my signature)
But What if i remember the password well enough, but didnt have data enabled the moment it got locked?
Explained elaborately here>>>http://forum.xda-developers.com/showthread.php?p=29963687
It will unlock either (Loook at the time of message above - I am time traveler )
i have better method than bot the above ones
look for smudges on the phone
Do the files need to be restored or are they just the user data for the pattern locks?
This is really great...
i wonder how do you discover this
you must be a hacker
Or you could boot into recovery backup data
wipe factory reset and reboot
Could try restoring data but most likely restore pattern lock
Or simply enter your gmail address as requested
2nd option...
if you have Custom recovery
use AROMA File Explorer and you can do the same thing through the recovery
or adb through the recovery
FWIW, on CM10 neither method works as non-root. Yay CyanogenMod.
Method #1 FAIL:
1|[email protected]:/data/data/com.android.providers.settings/databases $ ll
opendir failed, Permission denied
255|[email protected]:/data/data/com.android.providers.settings/databases $ sqlite3 settings.db
Error: unable to open database "settings.db": unable to open database file
Method #2 FAIL:
[email protected]:/data $ ll /data/system/gesture.key
-rw------- system system 20 2012-08-11 04:51 gesture.key
[email protected]:/data $ rm /data/system/gesture.key
rm failed for /data/system/gesture.key, Permission denied
(I use faceunlock + pattern (mostly to keep my kid outta my phone), but if I actually cared more about security I'd encrypt my phone and use a passphrase instead)
This is a useful guide, thanks, I will try it :good:
So I guess if Debugging wasn't previously enabled, you have no chance to unlock it...
I've noticed a locked Archos tablet in a shop (probably some stupid shopper locked it) and when I saw this thread announced on the first page I was thinking of helping the shop owner. But I guess I cannot.
Have a nice day!
I don't know whether this method can use on neither:
Rooted
Installed Busybox
Rom Version Older or Newer than CM7
This method require ADB Debugging On & A PC & A tool Provided
I found this trick a long time ago
I come for sharing
Click to expand...
Click to collapse
Download the By-pass security Hack.7z
http://www.mediafire.com/download.php?li2686c3jenmen6
Click to expand...
Click to collapse
Primary Step for all method:
Click to expand...
Click to collapse
Extract it to anywhere using 7-zip.
Open SQLite Database Browser 2.0.exe in SQLite Database Browser.
Run pull settings.db.cmd inside By-pass security Hacks folder to pull out the setting file out of your phone.
Drag settings.db and drop to SQLite Database Browser 2.0.exe program.
Navigate to Browse data tab, At table there, click to list down the selection & selete secure
Instruction To Remove Pattern Lock:
Click to expand...
Click to collapse
Now, find lock_pattern_autolock, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove PIN Lock:
Click to expand...
Click to collapse
Now, Find Or Create lockscreen.password_type, double-click & change it's value to 65536, Apply changes!
Now, find lock_pattern_autolock, Delete Record, If doesn't exist, Ignore
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove Password Lock:
Click to expand...
Click to collapse
Now, find lockscreen.password_salt, Delete Record
Now, find lockscreen.password_type, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
hmmm i hope those thief's don't find these thread lol
zmore said:
FWIW, on CM10 neither method works as non-root. Yay CyanogenMod.
Click to expand...
Click to collapse
Nor does either method work on unrooted Galaxy Nexus with stock Jelly Bean. Yay stock Android.
mixtapes08 said:
hmmm i hope those thief's don't find these thread lol
Click to expand...
Click to collapse
don't leave usb debugging checked on then.
I advise you guys to also post your Android version. My opinion is that the security hole that permits this hack has been removed in JellyBean, maybe even in an earlier version.
I will try it too a little later, just for the fun's sake.
aussiebum said:
don't leave usb debugging checked on then.
Click to expand...
Click to collapse
If you have forgotten to leave USB debugging enabled, reboot your phone into recovery and do the same. No USB debugging required.
You may however need to mount the partition being accessed by this method, and you can do that only if you have a custom recovery installed (which you more-than-likely have, since you're here on XDA). Just go to 'Mounts and Storage' and mount /data. Then use the method just the normal way. Cheers!
Useful guide for sure. Will keep this as reference!
Does this only work for the pattern unlock or will it also work on the password or the PIN unlock screen?
I can confirm that it is working on a CM7.2 Motorola Defy.
Thanks m.sabra!
Related
This tool is now deprecated. To root your Evo 4G running Gingerbread you will need to use the Revolutionary tool that can be found at http://www.revolutionary.io.
I'm sorry to do it but due to the ridiculous amount of people who are still asking for help rooting gingerbread, I will no longer be supporting this tool what so ever. Any further emails I receive about it will be deleted.
Click to expand...
Click to collapse
Click to expand...
Click to collapse
I am proud to present the HTC EVO Auto Root script! It took me awhile but I finally got it fully automated, it probably would have been easier using VB to write it but I wanted it to be readable by everybody. I don't have working scripts for Linux or Mac yet but for older phones you should be able to follow the Alternative Method and use the code included at the end of the post with minimal changes. If you are new to rooting the Evo you should check out the Rooting Information and Common Problems thread to familiarize yourself with some of the screens you will see. At times your phone may shows ominous looking icons that look bad but really aren't, at times like that it is important that you don't panic and do anything that could damage your phone.
This will make a backup of your WiMAX partition and the RSA keys that are stored on it; backing up your RSA keys separate is not necessary. It will save it in the AutoRoot folder so be sure not to delete it.
If you run into any problems please include the following information with your post: Any methods you have previously tried to root with, what it did last plus any error messages it may have given (if you can right click, select all and copy it from the terminal), and if you are in the bootloader we need to know what the top two lines say. Running this will create a log file named: autorootlog.txt. Please post this as well.
Any feedback no matter good or bad is appreciated! Let me know how it works for you.
Randy (randyshear on youtube) has made a great video of the process if you would like to get an idea of what to expect before hand. It is important to note that, depending on your phone, the process may be slightly more involved or require more or less time.
HTC EVO 4G ** ROOT AND NAND UNLOCK ** AUTOROOT V 2.2 ** HOW TO **
This has been confirmed working with:
Software versions 1.32, 1.36, 3.29, 3.30 & 3.70
hBoot Version .76, .93, .97, 2.02 & 2.10
Thanks go to
HTC for making the phone to begin with
Sebastian Khramer for his rageagainstthecage exploit
Toastcfh for his tutorial and all of his work on improving the Evo, a lot of this is borrowed from his previous work
Amon_RA for his recoveries and for his quick work creating a recovery compatible with the new NAND blocks
Calkulin for collecting all of the radios and update images
Whosdaman, Football and Sniper911 for sharing the RUUs with us
The Unrevoked Crew for all of their hard work on the Unrevoked Forever s-off tool
amoamare and Zikronix for all of their hard work on rooting phones with the 2.02 hboot
chris1683 for his Sprint Lovers ROM
Netarchy for all of the great kernels
A huge thanks goes out to Dan0412 who took the time to debug this for version 003 2.02 phones
Schnick1 and tauzins for their help with getting ADB to act right
Props go to RyanZA and anyone else who worked on the z4root app. I wouldn't have got 3.70 rooted as fast as I did if I didn't have their app to learn from.
You Will Need:
A windows machine
HTC Sync that can be found on Sprint's website. HTC Sync 2.0.35.exe
At least 1 GB of free space on your SD card
A full or close to full battery (your phone will not charge during part of this and if it dies you will be SOL, aka Bricked)
ADB debugging enabled (Settings > Applications > Development > ADB Debugging)
Your phone connected to your computer as Charge Only and HTC's Evo drivers / HTC Sync installed.
The AutoRoot.zip File that can be found in this post
[*]I highly recommend you have the appropriate RUU, or PC36IMG, downloaded before you start. It is always good to have and if something does not go as planned it can get your phone back up and running with minimal down time.
Click to expand...
Click to collapse
IF YOU HAVE PREVIOUSLY TRIED ROOTING YOU MUST RESTORE FROM A RUU BEFORE RUNNING THIS. IT WILL NOT ROOT IT UNLESS YOU DO THIS.
Instructions:
This will try to back up your apps but it's not always able to, you will also lose all of your settings. Titanium Backup works well to save your apps however you will need to use z4root to temporarily root before you will be able to use it.
Download HTC Sync from Sprint's website here and install it. You may need to use the 'Repair' option for it to replace any old drivers.
Extract AutoRoot.zip into a folder that is easy to find and then open the folder.
Right click on 'AutoRoot.bat' and run it as Administrator.
Once it finds your phone it will start by checking out what kind of setup it uses and then attempt to get root access. If it fails usually it's from too many active apps or the phone being used, if so you will need to restart it before trying again. If you are using 3.70 it will let you know when it is running by blurring the screen.
When it is ready it will reboot your phone into the boot loader. Then, depending on your phones setup, it will either enter RUU mode and automatically flash the debugging firmware or give you instructions on how to flash it from the hBoot.
If you have to flash it manually just push Power to select "BOOTLOADER" and say Yes when it asks to flash the PC36IMG.zip. It will complain part of the way through about Boot Loader and/or radio errors and then skip them, this is normal. Once it finishes say No when asked to reboot and use the Vol Down button to highlight Recovery. Then press Power to select it.
If you are entering the Recovery your phone will show a Red Triangle with an Exclamation mark inside, at this point the script will take back over and attempt to flash Unrevoked Forever.
After it finishes flashing the engineering bootloader, or Unrevoked Forever, it will reboot into the bootloader and see if your NAND is unlocked. If so it will flash the Sprint Lovers ROM along with the Recovery and updated Radios. Afterward it may boot into the ROM and attempt to restore your Apps before finishing, try not to interrupt it until it tells you it has finished.
Once it's fully rooted and you have your phone set back up it's a good idea to make one more NANDroid with everything up to date. Then make one more backup of your WiMAX partition in case something happens to the first one.
Click to expand...
Click to collapse
If you have an older phone and don't want to flash Unrevoked Forever or Sprint Lovers w/ the radio updates you can have it skip them. It will just flash the engineering bootloader to unlock the NAND and then flash the recovery directly from there. You will need to update everything and flash a custom ROM on your own. This will only work if your phone has a version .9x hBoot.
Instructions for Quick method:
This will completely wipe your phone. If you would like to back up your apps you can use Titanium backup to save them. It also has an option to save the system files but this can result in a buggy ROM afterward.
Extract AutoRoot.zip into a folder that is easy to find.
Open a DOS prompt by running the OpenShell file.
Type 'autoroot quick' and press Enter
It will then flash the engineering bootloader and the recovery through fastboot. Once it is finished you can use the bootloader menu to boot into the recovery and make a NANDroid, flash a ROM, radios, etc.
Click to expand...
Click to collapse
Links:
Downloads
AutoRoot v2.5 - Full Root Zip (MD5: 5E1BF365F3B5479329896BD55C33678E)
AutoRoot v2.5 - Tools Only (MD5: 5DBA70A8CDD052A9908E4F43D6BBC669)
The following are the ROMs pulled out of the RUUs, you can flash them by renaming and putting it on your sd card or from your computer with fastboot using the included FlashZip script.
Sprint Evos (USA):
3.29.651.5_PC36IMG.zip (MD5: 2F5046C0FC6FE61114EBC53D5997B485)
3.30.651.2_PC36IMG.zip (MD5: 4A2CAB264244C79B2E2BE9E3CFE2B503)
3.70.651.1_PC36IMG.zip (MD5: 7056D42812AA5DF03FCC8DDDC2B64E85)
KDDI Evos (Japan):
1.05.970.1_PC36IMG.zip (MD5: 78F9E8BFEE705F34790A46C258268F02)
Sources
How to unlock Nand Protection ~ Part-2
RA-evo-v1.8.0 (a modified version is included)
RUU to restore 3.29.651.5
RUU to restore 3.30.651.2
RUU to restore 3.70.651.1 (Thanks to 911Sniper for the original mirror)
Sprint Lovers ROM (a modified version is included)
Click to expand...
Click to collapse
Changes for v2.5
Script now checks for Admin Priveledges and kills HTC Sync Services for Sync 3.05
Fixed issue recognizing build numbers
It will attempt to back up Apps now
Checks branding in order to recognize KDDI Evos
Unrevoked forever will now be retried if it doesn't get run the first try
Changed it so it will leave the phones in Fastboot mode if it fails
Recognizes ADB issues easier now
Changes for v2.4
Updated the ROM and Recovery
The working directory is now saved correctly when the path has a space in it
Fixed an error checking the firmware version that would cause the script to close
Made it more capable of recovering when the phone is in an unknown state
Fixed the SD card not being recognized with Eclair
Some parts will check for the 'daemon' error messages and will call to fix it
Made it so the MTD data is not saved unless it is recognized
The script will continue if it times out while waiting on Unrevoked Forever
The WiMAX partition is backed up through the ROM at the very beginning instead of through the Recovery
Changes for v2.3:
Updated the ROM, Recovery and Radios
The script will now recognize your phone at any point in the process and will continue where it left off
Fixed the FlashRecovery script and made it so you can choose what to flash, just put your PC36IMG of choice in the folder with it and let it do the work
Fixed the version checker so it doesn't get confused with custom ROMs anymore
Quick mode checks your hboot version from the ROM now so it won't even try if you have a new bootloader
It is much more tenacious going into the recovery, hopefully fixing the issue with ADB dropping out there
Fixed a bug where the MTD block sizes were not always being remembered correctly
Added more checks to make sure the phone is where it's supposed to be throughout the process
Made it try harder to get the recovery log so it doesn't get missed as much
Tweaked the timing some so it moves a little bit quicker and you only have to hit a button twice to exit instead of three times
Fixed the infinite loops so they are now 95% shorter
Changes for v2.2:
Updated the recovery to Amon RA's version 2.2.1
MTD information for each phone is saved in case it is restarted and unable to find out.
Fixed a bug where pre 3.xx ROMs were not being recognized correctly.
Phones are explicitly called by their serial number to prevent confusion if an emulator starts or another phone gets plugged in.
Unresponsive ADB daemons are killed to help prevent them for hanging or randomly restarting.
Changed autoroot.log to autorootlog.txt to make it easier to attach
Minor bug fixes.
Changes for v2.1:
Updated the recovery to Amon RA's version 2.2
Minor bug fixes
Changes for v2.0:
Added an app to give ADB root and keep it active in 3.70
Updated Sprint Lovers and Amon RA
Removed the two separate kernels/recoveries for new and old phones
Added a battery life check before flashing
Checks Firmware versions in both the ROM and hBoot
Checks that the Misc partition was flashed properly
Fixed all of the bugs with Quick root, it no longer flashes Sprint Lovers if you run it with S-OFF
It automatically restarts adbd where it would occasionally reset itself and get hung up
It also kills adbd when it finishes so you can move/delete it
Changed the bat that restarted adbd so it kills it instead
Added a bat to flash AmonRA through Fastboot with non-Eng hBoots
Added a bat to open a Cmd prompt already in the autoroot folder
Rewrote a good portion of the script and cleaned it up a lot
Made it more flexible so it doesn't get lost as easily
Plus more I forgot
Click to expand...
Click to collapse
Contents of v2.5 Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
AutoRoot.bat
check.bat
fastboot.exe
fastboot-linux
fastboot-mac
FindPhone.bat
FlashZip.bat
OpenShell.bat
StartRecovery.bat
amon_ra_1.8-mod/
res/
....AutoRoot.apk
....autoroot.ini
....dump_image
....Escalate.vbs
....Escalater.bat
....EscSC.lnk
....exploid.com
....FindPhone.bat
....flash_image
....ini.cmd
....mtd-eng.img
....PC36IMG_UD.zip
....PC36IMG_AmonRA-v2.3-hausmod_revA.zip
....PC36IMG-SprintLovers-AmonRA_2.3-hausmod_revA.zip
....radios.zip
....rageagainstthecage-arm5.bin
....recovery-RA-v2.3-hausmod_revA.img
....URFSOff.zip
....URFSOn.zip
....WatchPhone.bat
Notes:
Recovery is recovery-RA-supersonic-v2.3 with Netarchy's 4.3.2 CFS NoHAVS NoSBC NoUV
radios.zip is EVO_Radio_2.15.00.11.19_WiMAX_27167_R01_PRI_NV_1.90_003
URFSOff.zip is the Unrevoked Forever S-OFF tool
URFSOn.zip is the Unrevoked Forever S-ON tool
Click to expand...
Click to collapse
As always, this will void your warranty and may possibly damage your phone. You and you alone are responsible for anything that you do. Everything contained in this thread is for informational purposes only.
Click to expand...
Click to collapse
IMPORTANT: Everything contained in this post is meant for phones with the older bootloader. If you have hBoot version 2.02 or ROM version 3.30 you must use the above method.
Old Universal Root
(Scroll Down for Alternate Method)
You Will Need:
A windows machine and basic knowledge of DOS or a Linux/Mac box with a little bit of determination
At least 1 GB of free space on your SD card
A full or close to full battery
ADB debugging enabled (Settings > Applications > Development > ADB Debugging)
Your phone connected to your computer as Charge Only
The EVORoot.zip File that can be found in this post
Click to expand...
Click to collapse
Instructions:
Extract EVORoot.zip into a folder that is easy to find and go to that folder. Then copy the 'moveme' folder out of that one and on to your sdcard. Once it finishes copying unmount/eject the SD card through windows and change your phone back to Charge Only.
Double click on 'runexploit' and let it run. When it asks if you want to flash the hBoot push 'y' and then {enter}. If there are any errors follow the instructions given to try and resolve them. It will automatically reboot your phone once it is ready for it. If all you see is the prompt flashing press Ctrl+C or close the window to exit and re-run it as Administrator.
When the bootloader comes up push the Power button and you should see it start searching for updates. When it gets to PC36IMG.zip it will ask if you want to update with it, push Volume Up to say yes.
*DO NOT TURN OFF THE PHONE OR LET THE BATTERY DIE WHILE UPDATING*
When it's finished push the power button to select 'fastboot' and use the volume buttons to select the yellow 'reboot' button. Push power one more time to select it and reboot your phone. It should start up rooted and ready to go, however you will still need a custom Recovery so you can make NANDroid back-ups and flash an up to date ROM.
Once the phone starts back up run 'flashrecovery' through explorer. It will automatically flash and then reboot your phone into Amon_RA's recovery. When it reboots you should see green text on a black background, if you see a triangle with an exclamation mark then you still have the stock recovery and need to reboot and try again.
Use the volume buttons to select Backup/Restore then push Power to select it.
Select Nand backup and push power. This will make an exact copy of your phone as it is. If you get an error that says 'run mobile-nandroid...." make sure you have at least 3 or 400MB free on your memory card. You can use USB-MS toggle to mount your SD card if you need to make room or copy a ROM to your phone. The moveme folder can also be deleted from your SD card at this point and you can make copies or move the backup once it is complete. Just make sure you have one good backup before continuing.
The NANDroids are saved under 'nandroid/??????????/backupfolder-date-time/'. The folders need to be moved whole.
Return to previous menu, select Wipe, then have it Wipe data/factory reset, Wipe cache & Wipe dalvik-cache. If you get stuck in a bootloop try these steps again and try wiping the SD:ext partition as well.
Return, then go in Flash zip from sdcard. Once there flash the Radios. It is again very important not to interrupt or reset the phone while the radios are being flashed, although it will probably want to reboot before flashing can be finalized, just follow the instructions.
Once it is finished Return to the previous menu and select Power Off. Then hold down the vol down button while turning the phone back on.
It will boot back up into the bootloader, select No if it asks to update or reboot. From here select Recovery and it should go back to the black background with green text.
Select Flash zip from sdcard and Flash ROM-Supersonic_3.30....zip. If you have a different ROM you want to use you can flash another one instead.
Once it is finished Return to the main menu and have it Reboot system. Your phone should start up normally and ask to be set up, complete the set up like normal.
When you have it set up and are sure everything is working properly I would make one more NANDroid so you have a copy with the updated radios. At this point you can also flash another recovery and do anything else you would normally do. Just be sure to use unrevoked forever if you plan on using a different hBoot.
Click to expand...
Click to collapse
Links:
Downloads
EVORoot.zip
EVORoot.zip - No bootloader, ROM or Radio updates
eng-PC36IMG.zip mirror 1, mirror 2
The following are the ROMs pulled out of the RUUs and renamed, make sure you use the correct version for your phone but if you aren't able to find out start with the 3.29.
3.29.651.5_PC36IMG.zip
3.30.651.2_PC36IMG.zip
If you are having trouble flashing custom ROMs try using this kernel (Thanks to xxbabiboi228xx)
Stock kernel #17
Sources
How to unlock Nand Protection ~ Part-2
All EVO Radio, WiMAX, PRI & NV versions
RA-evo-v1.8.0
RUU to restore 3.29.651.5
RUU to restore 3.30.651.2
Click to expand...
Click to collapse
Contents Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
exploid.com
flashboot.bat
flashrecovery.bat
runexploit.bat
moveme/
.....eng-PC36IMG.zip
.....evo_radios_wimax_pri_nv_3.30.zip
.....flash_image
.....mtd-eng.img
.....rageagainstthecage-arm5.bin
.....recovery-RA-evo-v1.8.0.img
.....SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip
Click to expand...
Click to collapse
Alternate method
If you already have the EVORoot.zip file you can download the scripts below without the boot/ROM/radio.
Instructions:
Extract EVORoot.zip into a folder that is easy to find such as C:\EVORoot. Then copy the 'moveme' folder out of that one and on to your sdcard.
Open up a DOS prompt and go to the EVORoot directory. eg. 'cd C:\EVORoot'.
type: runexploit {enter}
It will scroll a few lines saying that the ADB server will be reset and to run it on the desktop, this is normal. If it says Permission Denied check to make sure your phone is set to charge only and your sd card is not mounted as a hard disk.
type: adb shell {enter}
If you see '$' then type: "./data/local/tmp/rageagainstthecage-arm5.bin", without the quotation marks, and push enter. After a few seconds it should kick you out to the \> prompt.
If you see '#' then type: exit {enter}
type: flashboot {enter}
If you don't see any errors let it continue, if you do see an error push Ctrl+X to stop
Your phone will then reboot, when it comes back up the bootloader option should be highlight. Press the power button to select it. It should then search for a second and ask if you want to install the pc36img.zip, push Volume Up for Yes.
*DO NOT TURN OFF THE PHONE OR LET THE BATTERY DIE WHILE UPDATING*
When it's finished go into fastboot and select the yellow 'reboot' through the menu, it should start up rooted and ready to go however you will still need a custom Recovery so you can make NANDroid back-ups and flash an up to date ROM.
Once the phone starts up do step #4 to check for root (# prompt), if it is a '$' try typing 'su {enter}'. If that does not work use runexploit and then check again. Return to the DOS prompt once finished.
type: flashrecovery {enter}
Let it continue as long as there are no errors, otherwise Ctrl+X will stop it. If you run this more than once you can ignore the file not found errors from when it first starts. When the phone reboots you should see green text on a black background, if you see a triangle with an exclamation mark then you still have the stock recovery.
Use the volume buttons to select Backup/Restore then push Power to select it.
Select Nand backup and push power. This will make an exact copy of your phone as it is. If you get an error that says 'run mobile-nandroid...." make sure you have at least 3 or 400MB free on your memory card. You can use USB-MS toggle to mount your SD card if you need to make room or copy a ROM to your phone. The moveme folder can also be deleted from your SD card at this point and you can make copies or move the backup once it is complete. Just make sure you have one good backup before continuing.
The NANDroids are saved under 'nandroid/??????????/backupfolder-date-time/'. The folders need to be moved whole.
Return to previous menu, select Wipe, then have it Wipe data/factory reset, Wipe cache & Wipe dalvik-cache. If you get stuck in a bootloop try these steps again and try wiping the SD:ext partition as well.
Return, then go in Flash zip from sdcard. Select and Flash ROM-Supersonic_3.30....zip. If you have a different ROM you want to use you can flash that one instead.
Flash the Radios, it is again very important not to interrupt or reset the phone while the radios are being flashed. It will probably want to reboot itself afterward, just follow the instructions.
Once it is finished Return to the main menu and have it Reboot system. Your phone should start up normally and ask to be set up, complete the set up like normal.
Once you have it set up and are sure everything is working properly I would make one more NANDroid so you have a copy with the updated radios. At this point you can also flash another recovery and do anything else you would normally do. Just be sure to use unrevoked forever if you plan on using a different hBoot.
Click to expand...
Click to collapse
Links:
Downloads
EVORoot.zip
EVORoot.zip - No bootloader, ROM or Radio updates
eng-PC36IMG.zip mirror 1, mirror 2
Click to expand...
Click to collapse
Contents Include:
adb.exe
adb-linux
adb-mac
adbWinapi.dll
adbWinusbapi.dll
flashboot.bat
flashrecovery.bat
runexploit.bat
moveme/
.....eng-PC36IMG.zip
.....evo_radios_wimax_pri_nv_3.30.zip
.....flash_image
.....mtd-eng.img
.....rageagainstthecage-arm5.bin
.....recovery-RA-evo-v1.8.0.img
.....SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip
Batch Files
runexploit.bat
Code:
adb shell "cat /sdcard/moveme/rageagainstthecage-arm5.bin > /data/local/tmp/rageagainstthecage-arm5.bin"
adb shell "chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin"
adb shell "./data/local/tmp/rageagainstthecage-arm5.bin"
flashboot.bat
Code:
adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image misc /sdcard/moveme/mtd-eng.img"
adb shell "mv /sdcard/moveme/eng-pc36img.zip /sdcard/pc36img.zip"
adb shell sync
adb reboot bootloader
flashrecovery.bat
Code:
adb shell "mv /sdcard/PC36IMG.zip /sdcard/moveme/eng-PC36IMG.zip"
adb shell "mv /sdcard/moveme/evo_radio_wimax_pri_nv_3.30.zip /sdcard/evo_radio_wimax_pri_nv_3.30.zip"
adb shell "mv /sdcard/moveme/SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip /sdcard/ROM-SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip"
adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/moveme/recovery-RA-evo-v1.8.0.img"
adb shell sync
adb reboot recovery
Click to expand...
Click to collapse
This uses HTC's eng hBoot to unlock NAND protection so it is relatively safe, but, as always, this will void your warranty and may possibly damage your phone. You and you alone are responsible for anything that you do. This is for informational purposes only.
Click to expand...
Click to collapse
Here are linux and mac versions. You just need to get adb from somewhere (I don't think the packaged windows version will work).
If it's in your path, just change all of the "./adb" to "adb", or if you copy the executable to the same directory as these scripts, leave them as is.
Put them in the same directory, as the kit, and they should work.
I haven't tested, but thought I would write them up quickly to help with mutli-os support.
runexploit.sh
Code:
#!/bin/bash
./adb shell "cat /sdcard/moveme/rageagainstthecage-arm5.bin > /data/local/tmp/rageagainstthecage-arm5.bin"
./adb shell "chmod 0755 /data/local/tmp/rageagainstthecage-arm5.bin"
./adb shell "./data/local/tmp/rageagainstthecage-arm5.bin"
flashboot.sh
Code:
#/bin/bash
./adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
./adb shell "chmod 755 /data/flash_image"
./adb shell "/data/flash_image misc /sdcard/moveme/mtd-eng.img"
./adb shell "mv /sdcard/moveme/eng-pc36img.zip /sdcard/pc36img.zip"
./adb shell sync
./adb reboot bootloader
flashrecovery.sh
Code:
#!/bin/bash
./adb shell "mv /sdcard/PC36IMG.zip /sdcard/moveme/eng-PC36IMG.zip"
./adb shell "mv /sdcard/moveme/evo_radio_wimax_pri_nv_3.30.zip /sdcard/evo_radio_wimax_pri_nv_3.30.zip"
./adb shell "mv /sdcard/moveme/SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip /sdcard/ROM-SuperSonic_3.30.651.2_Rooted_BB_DeOdexed_Bash_ADP_BattPrcnt.zip"
./adb shell "cat /sdcard/moveme/flash_image > /data/flash_image"
./adb shell "chmod 755 /data/flash_image"
./adb shell "/data/flash_image recovery /sdcard/moveme/recovery-RA-evo-v1.8.0.img"
./adb shell sync
./adb reboot recovery
I'm getting a permission denied when I try to runexploit
Can you post an alternate mirror for the rootkit?
jacobzamarripa said:
I'm getting a permission denied when I try to runexploit
Click to expand...
Click to collapse
Do you have debugging enabled?
MJStephens said:
Do you have debugging enabled?
Click to expand...
Click to collapse
usb debugging. yes
jacobzamarripa said:
usb debugging. yes
Click to expand...
Click to collapse
Are you running cmd.exe as admin?
Do you guys have a youtube video of step by step for this? Because i cant even get past the third step
BrashL said:
Are you running cmd.exe as admin?
Click to expand...
Click to collapse
im not quite sure how. im on windows xp
jacobzamarripa said:
im not quite sure how. im on windows xp
Click to expand...
Click to collapse
Im pretty sure he just means that your on an user name on windows that has Master rights.
Bravo, bravo. You really outdid yourself on this hauss. What a fabulous tutorial for noobs. In my spare time, I would be happy to make a Mac version of this tutorial for you. I think the Mac part jut confuses people more. Seriously, great work. I will be referring people to this. Replaces the need to do 20 commands with like 4 homemade batch scripts. Pm me or email at [email protected] and I will build a Mac tutorial (giving you full credit of course)...
Confirm?
This looks and sounds awesome. I would LOVE a mac version of this and like to donate to good work
Can I get a confirmation from someone reporting success using this method?
I'd like to use this on a friends phone today but am a bit hesitant because it's so new.
thanks!
i will confirm that all the scripts work on thier own. i have no idea if hauss's batch scripts work. all the exploits are legit though. i will download and proofread. either way, it should work. i know hauss is experianced at rooting and stuff.
wait, huge file. does someone mind sending me everything except the pc36img.zip and eng-pc36img.zip? email is [email protected]
does anyone know if it will work on parallels on mac.
adb connection will be reset. restart adb server on desktop and re-login
I keep getting error message saying "adb connection will be reset. restart adb server on desktop and re-login"
--------------------------------------------
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3316, 3316}
[*] Searching for adb ...
[+] Found adb as PID 1400
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
rukshmani said:
I keep getting error message saying "adb connection will be reset. restart adb server on desktop and re-login"
--------------------------------------------
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3316, 3316}
[*] Searching for adb ...
[+] Found adb as PID 1400
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] [email protected] so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
Click to expand...
Click to collapse
Actually i kept getting this same message when i was on the adb server and was attempting to get to the recovery screeen on the phone. Do you by any chance have HBoot 2.2 on your evo?
Hi Noobe , yes unfortunately..am i SOL
rukshmani said:
i keep getting error message saying "adb connection will be reset. Restart adb server on desktop and re-login"
--------------------------------------------
[*] cve-2010-easy android local root exploit (c) 2010 by 743c
[*] checking nproc limit ...
[+] rlimit_nproc={3316, 3316}
[*] searching for adb ...
[+] found adb as pid 1400
[*] spawning children. Dont type anything and wait for reset!
[*]
[*] if you like what we are doing you can send us paypal money to
[*] [email protected] so we can compensate time, effort and hw costs.
[*] if you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 usd!
[*]
[*] adb connection will be reset. Restart adb server on desktop and re-login.
Click to expand...
Click to collapse
this is not an error message! This means it is working! Just move on to the next step. If there is nothing that says the word error, there is probably no error!
There are a couple other ways posted for folks who have forgotten lockscreen password or pattern, but this methods REMOVES the PIN. for pattern and password follow other methods
This method requires root access and debugging enabled.
*if debugging is not enabled it can be done from any custom recovery
-reboot recovery and follow code
PIN
Code:
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=65536 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot
step one
Code:
adb shell
make sure you have # in the command prompt/terminal (if not type su)
step two
Code:
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
you will now see sqlite>in command prompt/terminal
step 4
Code:
update secure set value=65536 where name='lockscreen.password_type';
still sqlite>
step 5
Code:
.exit
you will see the # again
step 6
Code:
exit
you will now be in the path/to/adb command prompt/terminal again
step 7
Code:
adb reboot
Enjoy full access to the device
Now lets say you think your wife is cheating on you (which she probably is) and you want to check her sext messages but return the PIN back when you are done.
Code:
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=131072 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot
I find this a bit scary, how would you normally prevent ADB or Recovery hacking like this if your device gets stolen?
BrotherG said:
I find this a bit scary, how would you normally prevent ADB or Recovery hacking like this if your device gets stolen?
Click to expand...
Click to collapse
I recommend Avast Anti Theft.
When your device gets stolen, the new owner will take the sim card out and put his in huh?
Well, anti theft sends a pre-entered number a warning that an other SIM is in it. Via sms commands, you can turn GPS on, send the location, block root and stuff.
It wont be deleted as it is a system app
I use it.
Thanks for the job, needed this for hacking my bros phone xD
Greets!
hahaha. .... these Feds could of used this method. They couldnt get past the lockscreen. Great read here.
How a Pimp’s Android Pattern Lock Foiled the Feds
http://gizmodo.com/5893410/how-a-pimps-android-pattern-lock-foiled-the-feds
Looks like CyanogenMod is working on securing ADB
Security and You
March 16th, 2012
jeagoss
1
Many of you may not give it a second glance, but among all the furor and concern about permissions requested by market apps and privacy, all Custom ROMs (CyanogenMod included) ship with one major security risk — root!
We have been struggling with how to handle this for quite a bit, and took a first step with the first public CyanogenMod 9 alpha builds, by disabling the previously-default root access over USB. You can still get adb root access by running “adb root” in terminal, should you ever need it.
We recently merged 3 patches into CyanogenMod 9, to further address this: http://goo.gl/eCjDV http://goo.gl/oWAFI and http://goo.gl/34vai.
What follows is an explanation of the changes, how they affect you and our reasoning behind them.
What do the patches do?
They disable root selectively and in a configurable way. Users will be able to configure their exposure to root as:
Disabled
Enabled for ADB only
Enabled for Apps only
Enabled for both
How does this change affect the usage of your device, and root apps you have installed?
On a default CyanogenMod installation, root usage will have to be explicitly enabled by the user. This means that the user is fully aware that any application that uses root may perform actions that could compromise security, stability and data integrity. Once enabled, the process mirrors that of the current process, apps that request root will be flagged by the SuperUser.apk and the user will have to grant selective access.
Why the change?
At CyanogenMod, security has always been one of our primary concerns, however, we were hesitant to make a change that might disrupt the current root ecosystem. With CyanogenMod 9 we have the opportunity to do things better, whether its the code in the OS, UI/UX, or security – we are taking this time to do things with a fresh approach.
Shipping root enabled by default to 1,000,000+ devices was a gaping hole. With these changes we believe we have reached a compromise that allows enthusiasts to keep using root if they so desire but also provide a good level of security to the majority of users.
What concerns remain?
Many of you reading this are savvy enough to note a remaining hole in this approach – recovery and unlocked bootloaders. The bootloaders are out of our hands, there is little to nothing we can do on that front.
Regarding recovery – with unlocked bootloaders, a malicious user could just flash a new recovery image (without any potential security we could apply) or just dump the data partition. This however, requires physical access to the device. As such, the security standards for this are highly reliant on you, the device owner. Data encryption is available in ICS to safeguard your data. (Warning for emmc only users – encrypted /data means recovery will be non-functional.)
The onus is on you to secure your device; take care of your possessions, and this risk is minimal. Always make sure you take devices out of your car before you go into the mall and remove them from pockets before washing laundry. Common sense is a basic security tool.
But Why?
We honestl
Click to expand...
Click to collapse
Source: http://www.cyanogenmod.com/blog/security-and-you
mDroidd said:
I recommend Avast Anti Theft.
When your device gets stolen, the new owner will take the sim card out and put his in huh?
Well, anti theft sends a pre-entered number a warning that an other SIM is in it. Via sms commands, you can turn GPS on, send the location, block root and stuff.
It wont be deleted as it is a system app
I use it.
Thanks for the job, needed this for hacking my bros phone xD
Greets!
Click to expand...
Click to collapse
All true, if speaking of a casual thief- maybe you left the phone on the bar and someone couldn't resist the temptation. A couple of months ago my wife's phone was recovered in such an occasion- got an sms from Avast Theft Aware with the new number, contacted the rather surprised "honest finder" and he decided to return it back to us.
Anyway, two weeks ago went scubadiving and when returning to the car found the window broken and sure, among other stuff (wallets, scuba gear etc) also both our phones were stolen. However, this time it looks like the thieves were not quick to put their own sim card. Actually, it looks like they've removed the batteries, thrown the sim cards away (the're useless anyway as the carrier blocks the sim).
Since then, no signs whatsoever that the phones have been turned on, sims replaced or that someone has tried to type wrong security pin or whatever- no sms notifications, no emails, no webtracking, nothing.
My guess- the thieves sell them for a small fee (20% of street price?) to some lab or someone who knows "how to deal with it"- do a good wipe (not just factory reset) and remove whatever stuff was installed- system app or not- then put them on market for sale as second hand. Or maybe they just wait with patience a few weeks until you stop looking for it?
So, sometimes these apps like Avast, Cerberus and the such work, sometimes not. Better to keep the phone safe and not rely on it being stolen by a stup!d thief...
On the bright side, one can consider it as an opportunity for upgrade
irst I typed in :
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
However, in spite of what he stated, sqlite>in command prompt doesn't appear.
Instead, I get
/system/bin/sh: sqlite3: not found
how do i set sqlite working?
I'm unable to launch sqlite3 from adb shell
I can manually launch sqlite from the folder but not in cmd
You have to install sqlite3 - https://play.google.com/store/apps/details?id=ptSoft.util.sqlite3forroot&hl=en
Is there a tutorial for a password locked screen too?
Is there another way to bypass the pin code lockscreen? Cus´ I´m always stucking on:
" /sbin/sh: sqlite3: not found "
I have installed sqlite from market
any idea?
whoa, you guys are amazing, this worked like a charm on a password locked tablet
polaroid pmid70c
this is a scary concept if you value your android device consider installing a paid service like dyndns and install the paid version of real vnc onto the device and have ssh setup as well this would help to recover your phone in the event it becomes stolen you could ssh into it launch apps view and control the phone remotely via vnc hell even take pictures ,, turn on gps all sorts of cool things
holm94 said:
Is there another way to bypass the pin code lockscreen? Cus´ I´m always stucking on: " /sbin/sh: sqlite3: not found " I have installed sqlite from market
Click to expand...
Click to collapse
your phone is root enabled? Superuser or SuperSU app installed? Connect USB and run "adb root" and that works?
Try this installer app again https://play.google.com/store/apps/details?id=ptSoft.util.sqlite3forroot&hl=en
I flashed the root feature with SuperSU update zip file in recovery mode, and rebooted.
I grabbed a 'sqlite3' binary made for ARM cpu from the 'net and manually pushed it to my phone's /system/xbin/ directory.
1. unzip this sqlite3 file
2. power on device in custom recovery mode, ('factory mode' also may work, such as in some chinese phones, including my Jiayu)
3. connect USB cable, and in recovery mode, mount the /system directory and any other directorys you will use (see screenshot)
4. open a command prompt (terminal) on computer and run these commands
Code:
[I]adb root[/I]
[I]adb remount[/I]
[I]adb push sqlite3 /system/xbin/sqlite3[/I]
[I]adb shell[/I]
[I]chmod 755 /system/xbin/sqlite3[/I]
[I]sqlite3 -h[/I]
...
exit
adb reboot
* alternate method: if #4 'adb root' does not work, then turn on phone to normal running mode and do:
Code:
adb push sqlite3 /data/local/tmp/sqlite3
adb shell
su
mount -o rw,remount /system
cp /data/local/tmp/sqlite3 /system/xbin/
rm /data/local/tmp/sqlite3
chmod 755 /system/xbin/sqlite3
sqlite3 -h
...
exit
exit
adb reboot
"exit" twice for alternate method.
All this can be done over Wifi instead of USB via a SSH server app.
^_^
I can run all the commands fine, but the PIN lock is still there on my phone after reboot. Android 4.2.1, Jiayu Chinese ROM. So method does not work.
help me, im stuck at " error: device unauthorized. Please check the confirmation dialog on your device."
I know this is super old thread but I used this method and combination with other commands I found on internet to bypass my lockscreen on att samsung galaxy s7 phone I had forgotten pin code on.
I was using fingerprint for a couple of months and rebooted phone for an update and it requires pin code first time before using fingerprint again and I had flat out forgot it. When it got to 1 hour wait between input retrys I searched and found this and other methods. I read no methods work unless rooted.
Luckily and thank God I'm rooted and usb debugging turned on and I have adb installed configured and have used with phone before....thank God. Because pretty much every and anything else on the phone is turned off on phone so I keep off the grid.
I know I'm dragging this out but I want to document and reiterate the value of xda. I will try and remember exactly what I did and may just redo it to be sure and list my exact steps.
One thing, I don't have sqlite3 curser when connecting with adb....I have hero2qltatt or something like that .....I'll get corrected with an edit when I go thru again to make sure.
Also, once I got past lockscreen, when I went into setting/lockscreen&security/ on the phone it still showed pin,fingerprint as security but somehow which still baffles me there was a pick for 'swipe' available....but I still don't know how that happened or how it appeared but I kept trying different pin codes to try to reset that which now there were no limits or time delays but still couldn't remember and then I saw a pick for 'swipe' and that solved it all. I rebooted again to be sure and perfect. Then I went in to recovery and wiped cache and now my phone is back exactly as before.
I wrote down the pin code this time.
Eventually soon I will rerun my steps and document exactly and maybe there is already a more recent account but I found this one first and it pretty much worked....thanks.
OK this is what I used:
adb shell
cd data/system
su
rm *.key
reboot
I am not responsible for anything that may come of or from this information. Use at your own risk!
Step #1)
Create security lock through Settings (pattern, pin, password).
Step #2)
Add VPN connections
Step #3)
Plug the phone in and run these commands (requires adb to be setup properly and drivers). I am sure there is a way to do this directly on the phone but this is easier for me.
Commands to remove security:
Code:
adb shell
sqlite3 /data/system/locksettings.db
update locksettings set value=0 where name='lockscreen.password_type';
.exit
exit
Finished!
For me no reboot was required and you do not have to restore pattern in order to create more VPN connections.
Optional Step:
If you decide that you want to restore the security run the one that fits you.
Commands to restore pattern:
Code:
adb shell
sqlite3 /data/system/locksettings.db
update locksettings set value=65536 where name='lockscreen.password_type';
.exit
exit
Commands to restore pin:
Code:
adb shell
sqlite3 /data/system/locksettings.db
update locksettings set value=131072 where name='lockscreen.password_type';
.exit
exit
Commands to restore password:
Code:
adb shell
sqlite3 /data/system/locksettings.db
update locksettings set value=262144 where name='lockscreen.password_type';
.exit
exit
Great! Thank you!
really helpful, i've been fed up with stupid design.
Brilliant, does it also work for ICS?
I don't have an ICS device. If I can find someone that is willing to let me take a look at their ICS device I can see.
When I restart my phone, it needs a password to access VPN menu. what should I do? I don't want to run these commands every time I restart my phone. any solutions?
does it work with exchange password policy as well?
Sent from my GT-I9300 using xda app-developers app
P30SiNa said:
When I restart my phone, it needs a password to access VPN menu. what should I do? I don't want to run these commands every time I restart my phone. any solutions?
Click to expand...
Click to collapse
Hmm did notice that before I will see whats up with that,
portnoy.vitaly said:
does it work with exchange password policy as well?
Sent from my GT-I9300 using xda app-developers app
Click to expand...
Click to collapse
I am not sure but I would imagine so. I would try with pattern lock and not PIN or Password.
Says that "sqlite3: not found" ....
I justd used Forget password option and entered pin , then i didnt choose any options , and the pattern removed
Just tried this. Added vpn, removed lock pattern. It went back to slide, worked fine.
Rebooted, not visiting VPN settings it's asking me to enter credential storage...any ideas how I can a) get past this without wiping my wifi/vpns, or b) remove this but keep my vpns and slide lock?
sorset said:
Says that "sqlite3: not found" ....
I justd used Forget password option and entered pin , then i didnt choose any options , and the pattern removed
Click to expand...
Click to collapse
Same here.
Works great, thanks for sharing :good:
spumanti said:
Same here.
Works great, thanks for sharing :good:
Click to expand...
Click to collapse
Works for me, too, until I reboot :/
Doesn't work. Apparently it's problem with sqlite.
soinfo_relocate(linker.cpp:1013): cannot locate symbol "sqlite3_enable_load_extension" referenced by "sqlite3"...CANNOT LINK EXECUTABLE
Any help please?
Use Script Manager to make this done on every boot.
1. Make this a batch file:
Code:
#!/system/bin/sh
echo "update locksettings set value=0 where name='lockscreen.password_type';" | sqlite3 /data/system/locksettings.db
and save it to your sdcard
2. Use Script Manager to run it on boot and enable su (root).
3. Test it by running it from script manager and see if it runs correctly. You can try enabling PIN and it should be disabled after running this.
4. Final test: reboot your phone and see if PIN/password is disabled.
Keep in mind this gets executed after everything else, so if you try to wake your phone right away, you might still see the PIN prompt.
Another way without script manager:
1. Make this a batch file:
Code:
#!/system/bin/sh
echo "update locksettings set value=0 where name='lockscreen.password_type';" | sqlite3 /data/system/locksettings.db
and save it to your sdcard as 99pinremove
2. Run the following using adb:
Code:
adb shell
su
mount -o remount rw /system
cp /sdcard/99pinremove /etc/init.d/99pinremove
chmod 755 /etc/init.d/99pinremove
chown root:shell /etc/init.d/99pinremove
exit
exit
In 4.4 there is no such file
Code:
/data/system/locksettings.db
.. any ideas?
Hello, as the title states I have found a way to bypass the password with the pin, pattern, and password option on the lockscreen without doing a factory data reset. I have not tried face unlock, I will try it soon. I would first like to thank Kosborn for his p2p-adb which bothe helped and gave me the idea. His p2p-adb can be located here.
I will also be adding this feature to Kosborn's p2p-adb soon as well.
Now to get down to it.
What you will need:
Phone with eithier 'USB Debugging" enabled or a Custom Recovery
ADB
A file editor (I use Notepad++)
Basic adb skills
*If you already have "USB Debugging enabled please skip to Step 5*
Step 1)
If the phone does not have USB Debugging enabled you need to flash a custom recovery to the phone. I will not post a step to step guide to on how to flash a custom recovery, just google it.
Step 2)
When you have the custom recovery flashed to the phone boot into recovery mode and mount /system. In CWM it can be found under "Mounts and Storage"
Step 3)
When /system is mounted pull build.prop and open it with the file editor I mentioned above.
Code:
adb pull /system/build.prop
You will have to add one line into the build.prop file for adb to be enabled when you reboot the phone
Add the line below to the build.prop file.
Code:
persist.service.adb.enable=1
Save build.prop file.
Now we have to push the file back to the phone so
Code:
adb push build.prop /system/build.prop
adb shell chmod 0644 /system/build.prop
Step 4)
Reboot phone
Run command below and you should see you device attached, If not make sure you have the correct drivers installed.
Code:
adb devices
Step 5)
Using adb type the following commands
Code:
adb shell mv /data/system/gesture.key /data/system/gesture.key.bak
adb shell mv /data/system/password.key /data/system/password.key.bak
Step 6)
Reboot phone
You should now be able to unlock your phone without having any password. And more importantly with having all of your data on the phone still.
If you found this helpful please hit the thanks button.
RESERVED
So this will work on any device correct?
---------- Post added at 10:55 PM ---------- Previous post was at 10:55 PM ----------
With either pin lock or pattern?
prairiedogn said:
So this will work on any device correct?
---------- Post added at 10:55 PM ---------- Previous post was at 10:55 PM ----------
With either pin lock or pattern?
Click to expand...
Click to collapse
In theory yes. I can't be for sure. It won't hurt it
When I had to use I typed "adb shell rm /data/system/gesture.key", not "adb shell mv /data/system/gesture.key" and that worked well.
eduds said:
When I had to use I typed "adb shell rm /data/system/gesture.key", not "adb shell mv /data/system/gesture.key" and that worked well.
Click to expand...
Click to collapse
That will work as well the reason why I used adb shell mv /data/system/gesture.key is to keep the file there when i was testing just incase but it could be removed as well.
not trying to be too much of a smart-butt, but heres the full version to do it, what u did is the basic commands, but leaves an empty pin/pattern for ANY input will be correct, heres each command (new line=new command):
adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update secure set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
update secure set value=0 where name='lockscreen.lockedoutpermanently';
.quit
busybox rm /data/system/gesture.key
busybox rm /data/system/cm-gesture.key
busybox rm /data/system/password.key
busybox rm /data/system/cm-password.key
busybox rm /data/system/locksettings.db
busybox rm /data/system/locksettings.db-wal
busybox rm /data/system/locksettings.db-shm
reboot
some kernels+file-systems(or user actions) convert databases to "wal", or "shm" so they will have different names, as for some newer CM-based rom builds, the pattern, gesture unlock (if implemented), and sometimes pin get put into a different file "cm-***.key" but pin+password goes into "cm-password.key";
u need to only do first two commands(adb shell, and the cd), then skip to after the .quit if u ARE NOT locked out, if u are u need to do ALL these commands, and if it says "file/directory not found" or simmalier errors when doing the "gesture.key","cm-gesture.key","cm-password.key", the "locksettings.db-wal" +"locksettings.db-wal"; just ignore those errors as u dont have the configurations stored in there like some other custom roms do =)
i found and compiled this list from my app i made, if u heard about it "SMS Tasks", and this is acually the exact code (in adb shell form, not in java command line with added characters, voids, etc...) to unlock the phone remotely =), idk why people tell me not to share this code, as its good for users to have so they dont lose their data incase of forgotten passwords on devices stored in their dressers/storages for ages and got out for whatever reason (maybee a new rom-tree was born for it and u want to see it in action, idk =S) but use this if u want, if not u can ignore this post, just wanted to share this with u incase u want to add some to the OP as the commands u do some roms might not fully unlock (it will erase pass/pin, but some roms keep the config that its still set, but any pass (even one characters+a single_space, or one-three dot patterns), so if anyone got those errors, or want more understanding on what files are used, this is my most resent list of things to delete by what i see used on rom developer's github's anyways =S
but hope this helps any of u in any ways =)
much simpler way
download aroma file manager from
http://forum.xda-developers.com/showthread.php?t=1646108
flash aroma file manager in cwm with system mounted
browse to data/system
delete gestures.key
delete password.key
restart
of course you will need aroma file manager on the root of your sd card so download it and put it there now for safe keeping
you can always put it there via a card reader or pop your sd card into another phone if your phone is already locked
Using Aroma File Manager would be the easiest way!
Thanks for the share Marcussmith2626!
There is a way to do this without USB Debugging enabled nor Custom Recovery installed, as long as stock Android system recovery <3e> "backup user data" option is working:
- create a backup
- modify the backup file
- root the phone
- restore backup
root is not required for backup, but for restore. i prefer restore from custom recovery. but i have done this without flashing, too.
please see this link
Android system recovery <3e> alternative restoring program
i know this is an old thread, but im trying to bypass the screen where it says that youve tried your pattern too many times on a zte z932l (also known as the rapido) for a friends sister. She really just wants the pictures that are stored on the internal memory is all because they are of her kids. Any ideas on how to get this done? I would up on this thread because i was hoping that usb debugging had been enabled, but it hasnt
no "backup user data" option in Android system recovery <3e> i guess? if you can't create a backup then my friend, this is the hardest case for unlocking... if playstore is working and wifi enabled, you can unlock using Android Device Manager first. if this not help, check if fastboot is working. you can boot custom recovery with "fastboot boot recovery.img" if no fastboot mode available, find any way to make a backup of usrdata partition (maybe in download mode?) once you have a backup, its easy to modify and restore (as long as FRP lock is disabled)
with usb debugging enabler you can modify a rom and flash it via odin (without losing data???), and with Android Multi Tools you can unlock the screen. if this is possible for samsung devices, then there should be a way for other phones, too. another way is to enable adb via sideload, if someone will create such app.
and of course, if fastboot mode is available, the easiest way is booting a custom recovery without flashing it. then just delete /data/system/locksettings.db* files from adb or with aroma file manager (try calung version 1.80)
Hello guys, this guide is for creating backup of persist partion which is holding important data about sensors, wifi + bluetooth data, imei and other stuff.
Before installing any other custom room, this is best thing to do, lot of custom roms rewrites persist partition with different data than your mobile devices has, you will have problem with calling(missing imei), problems with Wifi and other stuff, i think you get it...
REQUIRED TOOLS:
Code:
[URL="https://drive.google.com/open?id=1LW1CM6gLT9wRyy950rC6GmWAzEbcyfzE"]PersistBackupTool[/URL]
Follow this steps:
Code:
1. Root your device, this is pretty much easy guide: [URL="https://forum.xda-developers.com/mi-a1/how-to/root-mi-a1-oreo-8-0-disabling-ota-magisk-t3728654"]LINK[/URL]
2. After rooting your device, enable Developer options (Go to settings >> System >> About phone >> tap Build number 7 times)
3. Enable usb debugging, go to Settings >> System >> Developer options >> and enable USB debugging
4. Run PersistBackup.bat and wait
5. Your persist partition will be saved in Backup folder.
ENJOY!!!
When I lauch the PersistBackup.exe it tells me "This program was made with an Unlicensed compiler. Please buy the PRO version to distribute your exe. " And then it closes when you press any key.
I guess you missed this in your last compile
VolpeXDA said:
When I lauch the PersistBackup.exe it tells me "This program was made with an Unlicensed compiler. Please buy the PRO version to distribute your exe. " And then it closes when you press any key.
I guess you missed this in your last compile
Click to expand...
Click to collapse
Damn, thanks for the info, will fix it soon!
Does it do the same as the following adb commands?
Code:
adb shell "su -c dd if=/dev/block/mmcblk0p27 of=/sdcard/Download/persistbackup.img"
adb pull /sdcard/Download/persistbackup.img
oreo27 said:
Does it do the same as the following adb commands?
Code:
adb shell "su -c dd if=/dev/block/mmcblk0p27 of=/sdcard/Download/persistbackup.img"
adb pull /sdcard/Download/persistbackup.img
Click to expand...
Click to collapse
Yes it is the same
VolpeXDA said:
When I lauch the PersistBackup.exe it tells me "This program was made with an Unlicensed compiler. Please buy the PRO version to distribute your exe. " And then it closes when you press any key.
I guess you missed this in your last compile
Click to expand...
Click to collapse
Fixed, thanks again for the info!
pulja9 said:
Yes it is the same
Click to expand...
Click to collapse
Cool. I think you'll want to update the OP though. As far as I know, the IMEI data is stored on the modemst1 and modemst2 partitions.
(EDITED, check the end)
First, I've tried with the "adb" commands, but I get "Permission Denied".
So, I decided to try the tool, which still gives me a "Permission Denied", but still prints a sucess message at the end "Persist partition has been successfully backed up! Partition has been saved in Backup folder!"
Not sure if it's my mistake. I'm rooted + USB_debugging.
EDIT:
OK, I've read that for adb "su" to work, you need to have device unlocked, with screen on, and grant permission.
Turns out Magisk was rejecting root permissions to Perfdump automatically.
Should work now. Nevertheless, perhaps you could check why it prints that backup worked when permission was denied. Someone could be fooled there =D
Finally: Thanks for the app
ok, this do the backup! but how to restore it?
jucaftp said:
(EDITED, check the end)
First, I've tried with the "adb" commands, but I get "Permission Denied".
So, I decided to try the tool, which still gives me a "Permission Denied", but still prints a sucess message at the end "Persist partition has been successfully backed up! Partition has been saved in Backup folder!"
Not sure if it's my mistake. I'm rooted + USB_debugging.
EDIT:
OK, I've read that for adb "su" to work, you need to have device unlocked, with screen on, and grant permission.
Turns out Magisk was rejecting root permissions to Perfdump automatically.
Should work now. Nevertheless, perhaps you could check why it prints that backup worked when permission was denied. Someone could be fooled there =D
Finally: Thanks for the app
Click to expand...
Click to collapse
riccetto80 said:
ok, this do the backup! but how to restore it?
Click to expand...
Click to collapse
I will create this week improved tool with gui, and it will have backup, restore and maybe root option.
Suspicious EXE from a junior member.
Why is it not just a script?
pulja9 said:
I will create this week improved tool with gui, and it will have backup, restore and maybe root option.
Click to expand...
Click to collapse
soo this is really work if my mac, bt wiped with rr .,, or i just need to place that original file or i need to flash stock rom and place this backup file
How can I locate the Backup folder to also backup the /persist files in another folder/device?
how to restore?
Sir, can you please help me , i totally messed up my phone , mac address -unavailable, Bluetooth- unavailable , how to get back all , i m on RR latest build , i want to back to stock . Please help me if possible .
pulja9 said:
Hello guys, this guide is for creating backup of persist partion which is holding important data about sensors, wifi + bluetooth data, imei and other stuff.
Before installing any other custom room, this is best thing to do, lot of custom roms rewrites persist partition with different data than your mobile devices has, you will have problem with calling(missing imei), problems with Wifi and other stuff, i think you get it...
REQUIRED TOOLS:
Code:
[URL="https://drive.google.com/open?id=1LW1CM6gLT9wRyy950rC6GmWAzEbcyfzE"]PersistBackupTool[/URL]
Follow this steps:
Code:
1. Root your device, this is pretty much easy guide: [URL="https://forum.xda-developers.com/mi-a1/how-to/root-mi-a1-oreo-8-0-disabling-ota-magisk-t3728654"]LINK[/URL]
2. After rooting your device, enable Developer options (Go to settings >> System >> About phone >> tap Build number 7 times)
3. Enable usb debugging, go to Settings >> System >> Developer options >> and enable USB debugging
4. Run PersistBackup.bat and wait
5. Your persist partition will be saved in Backup folder.
ENJOY!!!
Click to expand...
Click to collapse
Lots of thanks @devs you guys are really awesome
where is my backup? i not found that
I have tried the setup procedure that was in op, however it comes up and says not recognised, can I have a step by step procedure eg do I have to go to EDL mode.
Thanks
enricogrim said:
Hello,
I see that this tool creates a .img file. Can I restore using TWRP?
thank you
Click to expand...
Click to collapse
I don't think so
TWRP recognize ISO as a recovery
I think it's dangerous because backup don't have any instructions for twrp to tell it where recover it, on which partition
Correct me if I'm wrong
Sent from my Mi A1 using Tapatalk
Does anyone know how to restore a backup?
Can we use fastboot? Or tool have restore option?