Tuesday, August 4, 2015

How To Bypass The Android Phone Pattern Lock

9:27 PM    No comments

Introduction

Android is an open source operating system based on the Linux kernel, initially developed by Android Inc., which Google bought in 2005. Initially, Android was developed to support touch screen devices like smartphones. These devices support different types of screen locks, like swipe lock, PIN lock, pattern lock, gesture lock, facial lock, etc.

Swipe lock unlocks the screen just by swiping a defined area on the screen with your fingertips. PIN lock is when you enter a correct pin, the screen will be unlocked. Pattern lock unlocks the screen when the user creates a pattern by joining nine circles on the screen, which is already saved on your system. This article is only based on the pattern locking system and does not cover biometric locking systems available on the phones.
Understanding Android Pattern Locks

                                  

                                       Figure 1: Android Pattern lock with numbering

Patterns are nothing but the path traced by the fingers on the nine circles with the number starting from 1 to 9 from top-left corner to the right bottom corner as shown in the figure above. If we select
 a pattern 1478, the pattern would look as shown in Figure 2.

                                    

                                                           Figure 2: Pattern for 1478

This pattern is saved with a 20-byte SHA-1 Hash. So the SHA-1 hash for 1478 will be “06CF96F30A7283FF7258FCEF5CF587ED51156C37” which is stored in a file named gesture.key in /data/system folder in Android’s internal memory.
The Catch

The catch to change the pattern is replace this file with a known pattern gesture.key file.
Prerequisite
Debugging mode should be enabled.
Android adb (Android Debugger Bridge) tool.
AVD (Android Virtual Device) Manager Tool.
Device USB Cable
Device whose password needed to be changed
Methodology

Step 1

Start an AVD (Android Virtual Device), and create a pattern in the AVD. Open a command prompt. Execute the following command to check whether the AVD has been connected to the debugger or not.1. adb devices


The output of the command should look as shown in Figure 3. If you see the name of your emulator on the screen, then your device is perfectly connected.
                                      

                                                         Figure 3: Output of adb devices

Step 2

Now pull out the gesture.key file from the AVD. For this execute the command that is mentioned below. This file is located in /data/system.1. adb pull /data/system/gesture.key gesture.key


The gesture.key file will be pulled to your current working directory. Here the syntax of command is adb pull . Here my current working directory is my home folder. So the gesture.key file will be pulled out in my local file system in my home directory.

The output of the command is as shown n Figure 4.

                           

                                                Figure 4: Pulling out gesture.key file

Step 3

Now connect the other device, whose password is to be changed and close the AVD. For my example I will be using the same AVD. So now my password in my AVD is 1478 according to the pattern cell numbers. Figure 5 illustrates the pattern.

                                     

                                              Figure 5: Current pattern of the Device

In next step, it will be shown how to change the pattern of new device to a known pattern from the previous AVD which was 1236. Figure 6 illustrates the new pattern.

                                     

                                        Figure 6: The new pattern which is not stored in the AVD

Step 4

Now to change the password with a known pattern, we will push our known pattern file to the new device. The command for pushing a file into an android system is shown below. This file has to be pushed into /data/system of the new device.adb push gesture.key /data/system/gesture.key


The gesture.key file will be pushed into the Android’s file system replacing the previous file. So now android will be having a new gesture file which contains a known password, and when we use this pattern to unlock the screen, the screen will be unlocked. The syntax for pushing a file into an Android system is adb push .

The output of the command is shown in Figure 7.

                                

                                   Figure 7: Pushing the known pattern file into the android system

Now this changes the pattern of the new device with a known pattern. Figure 8 illustrates the known pattern unlock.

                                 

                                     Figure 8: Pattern replaced with a known pattern


Limitations
The device should be rooted
The device should have USB debugging mode enabled
Reference

You can also look for the SHA-1 Hash values of the gesture key and match it with the database to find out the pattern lock combination. For this you can use my python script (https://github.com/c0d3sh3lf/Android_Forensics) to automate the decoding process.

You can download the dictionary file from http://www.android-forensics.com/tools/AndroidGestureSHA1.rar (25 MB)

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)