Unlock an Android phone (or device) by bruteforcing the lockscreen PIN.

Overview

🔓📱 Android-PIN-Bruteforce

Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices!

📱 How it works

It uses a USB OTG cable to connect the locked phone to the Nethunter device. It emulates a keyboard, automatically tries PINs, and waits after trying too many wrong guesses.

How to Connect Phones

[Nethunter phone] <--> [USB cable] <--> [USB OTG adaptor] <--> [Locked Android phone]

The USB HID Gadget driver provides emulation of USB Human Interface Devices (HID). This enables an Android Nethunter device to emulate keyboard input to the locked phone. It's just like plugging a keyboard into the locked phone and pressing keys.

⏱ This takes just over 16.6 hours with a Samsung S5 to try all possible 4 digit PINs, but with the optimised PIN list it should take you much less time.

You will need

  • A locked Android phone
  • A Nethunter phone (or any rooted Android with HID kernel support)
  • USB OTG (On The Go) cable/adapter (USB male Micro-B to female USB A), and a standard charging cable (USB male Micro-B to male A).
  • That's all!

🌟 Benefits

  • Turn your NetHunter phone into an Android PIN cracking machine
  • Unlike other methods, you do not need ADB or USB debugging enabled on the locked phone
  • The locked Android phone does not need to be rooted
  • You don't need to buy special hardware, e.g. Rubber Ducky, Teensy, Cellebrite, XPIN Clip, etc.
  • You can easily modify the backoff time to crack other types of devices
  • It works!

⭐ Features

  • Crack PINs of any length from 1 to 10 digits
  • Use config files to support different phones
  • Optimised PIN lists for 3,4,5, and 6 digit PINs
  • Bypasses phone pop-ups including the Low Power warning
  • Detects when the phone is unplugged or powered off, and waits while retrying every 5 seconds
  • Configurable delays of N seconds after every X PIN attempts
  • Log file

Installation

TBC

Executing the script

If you installed the script to /sdcard/, you can execute it with the following command.

bash ./android-pin-bruteforce

Note that Android mounts /sdcard with the noexec flag, which is why the script is run through bash rather than executed directly. You can verify this with mount.

Usage


Android-PIN-Bruteforce (0.1) is used to unlock an Android phone (or device) by bruteforcing the lockscreen PIN.
  Find more information at: https://github.com/urbanadventurer/Android-PIN-Bruteforce

Commands:
  crack                Begin cracking PINs
  resume               Resume from a chosen PIN
  rewind               Crack PINs in reverse from a chosen PIN
  diag                 Display diagnostic information
  version              Display version information and exit

Options:
  -f, --from PIN       Resume from this PIN
  -a, --attempts       Starting from NUM incorrect attempts
  -m, --mask REGEX     Use a mask for known digits in the PIN
  -t, --type TYPE      Select PIN or PATTERN cracking
  -l, --length NUM     Crack PINs of NUM length
  -c, --config FILE    Specify configuration file to load
  -p, --pinlist FILE   Specify a custom PIN list
  -d, --dry-run        Dry run for testing. Doesn't send any keys.
  -v, --verbose        Output verbose logs

Usage:
  android-pin-bruteforce  [options]

Supported Android Phones/Devices

This has been successfully tested with various phones including the Samsung S5, S7, Motorola G4 Plus and G5 Plus.

It can unlock Android versions 6.0.1 through to 10.0. The ability to perform a bruteforce attack doesn't depend on the Android version in use. It depends on how the device vendor developed their own lockscreen.

Check the Phone Database for more details https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database

🎳 PIN Lists

Optimised PIN lists are used by default unless the user selects a custom PIN list.

Cracking PINs of different lengths

Use the --length commandline option.

Use this command to crack a 3 digit PIN:

./android-pin-bruteforce crack --length 3

Use this command to crack a 6 digit PIN:

./android-pin-bruteforce crack --length 6

Where did the optimised PIN lists come from?

The optimised PIN lists were generated by extracting numeric passwords from database leaks then sorting by frequency. All PINs that did not appear in the password leaks were appended to the list.

The optimised PIN lists were generated from Ga$$Pacc DB Leak (21GB decompressed, 688M Accounts, 243 Databases, 138920 numeric passwords).

The 4 digit PIN list

The 4 digit PIN list comes from a different source because it gives better results than the list generated from the Ga$$Pacc DB Leak.

optimised-pin-length-4.txt is an optimised list of all possible 4 digit PINs, sorted by order of likelihood. It can be found with the filename pinlist.txt at https://github.com/mandatoryprogrammer/droidbrute

This list is used with permission from Justin Engler & Paul Vines from Senior Security Engineer, iSEC Partners, and was used in their Defcon talk, Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)

Cracking with Masks

Masks use regular expressions with the standard grep extended format.

./android-pin-bruteforce crack --mask "...[45]" --dry-run

  • To try all years from 1900 to 1999, use a mask of 19..
  • To try PINs that have a 1 in the first digit, and a 1 in the last digit, use a mask of 1..1
  • To try PINs that end in 4 or 5, use ...[45]

📱 Configuration for different phones

Device manufacturers create their own lock screens that are different to the default or stock Android. To find out what keys your phone needs, plug a keyboard into the phone and try out different combinations.

Load a different configuration file, with the --config FILE commandline parameter.

Example: ./android-pin-bruteforce --config ./config.samsung.s5 crack

You can also edit the config file by customising the timing and keys sent.

The following configuration variables can be used to support a different phone's lockscreen.

# Timing
## DELAY_BETWEEN_KEYS is the period of time in seconds to wait after each key is sent
DELAY_BETWEEN_KEYS=0.25

## The PROGRESSIVE_COOLDOWN_ARRAY variables act as multi-dimensional array to customise the progressive cooldown
## PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________ is the attempt number
## PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN is how many attempts to try before cooling down
## PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____ is the cooldown in seconds

PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1  11 41)
PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN=(5   1  1)
PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____=(30 30 60)

## SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END defines how many seconds before the end of the cooldown period, keys will be sent
# set to 0 to disable
SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END=5
## SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END configures the keys that are sent to dismiss messages and popups before the end of the cooldown period
SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END="enter enter enter"

## KEYS_BEFORE_EACH_PIN configures the keys that are sent to prompt the lock screen to appear. This is sent before each PIN.
## By default it sends "escape enter", but some phones will respond to other keys.

# Examples:
# KEYS_BEFORE_EACH_PIN="ctrl_escape enter"
# KEYS_BEFORE_EACH_PIN="escape space"
KEYS_BEFORE_EACH_PIN="escape enter"

## KEYS_STAY_AWAKE_DURING_COOLDOWN the keys that are sent during the cooldown period to keep the phone awake
KEYS_STAY_AWAKE_DURING_COOLDOWN="enter"

## SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS how often the keys are sent, in seconds
SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS=5

## DELAY_BEFORE_STARTING is the period of time in seconds to wait before the bruteforce begins
DELAY_BEFORE_STARTING=2
## KEYS_BEFORE_STARTING configures the keys that are sent before the bruteforce begins
KEYS_BEFORE_STARTING="enter"

Popups

We send keys before the end of the cooldown period, or optionally during the cooldown period. This is to keep the lockscreen app active and to dismiss any popups about the number of incorrect PIN attempts or a low battery warning.

Test sending keys from the NetHunter phone

Test sending keys from the terminal

Use ssh from your laptop to the NetHunter phone, and use this command to test sending keys:

In this example, the enter key is sent.

echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard

In this example, ctrl-escape is sent.

echo "left-ctrl escape" | /system/xbin/hid-keyboard /dev/hidg0 keyboard

Note: Sending combinations of keys in config file variables is different. Currently only ctrl_escape is supported.

In this example, keys a, b, c are sent.

echo a b c | /system/xbin/hid-keyboard /dev/hidg0 keyboard

Test sending keys from an app

This Android app is a virtual USB Keyboard that you can use to test sending keys.

https://store.nethunter.com/en/packages/remote.hid.keyboard.client/

How to send special keys

Use this list for the following variables:

  • KEYS_BEFORE_EACH_PIN
  • KEYS_STAY_AWAKE_DURING_COOLDOWN
  • KEYS_BEFORE_STARTING

To send special keys use the following labels. This list can be found in the hid_gadget_test source code.

Key label Key label
left-ctrl f6
right-ctrl f7
left-shift f8
right-shift f9
left-alt f10
right-alt f11
left-meta f12
right-meta insert
return home
esc pageup
bckspc del
tab end
spacebar pagedown
caps-lock right
f1 left
f2 down
f3 kp-enter
f4 up
f5 num-lock

To send more than one key at the same time, use the following list:

  • ctrl_escape (This sends left-ctrl and escape)

If you need more key combinations please open a new issue in the GitHub issues list.

Customising the Progressive Cooldown

The following section of the config file controls the progressive cooldown.

## The PROGRESSIVE_COOLDOWN_ARRAY variables act as multi-dimensional array to customise the progressive cooldown
## PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________ is the attempt number
## PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN is how many attempts to try before cooling down
## PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____ is the cooldown in seconds

PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1  11 41)
PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN=(5   1  1)
PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____=(30 30 60)

The array is the same as this table.

attempt number    attempts until cooldown    cooldown (seconds)
1                 5                          30
11                1                          30
41                1                          60
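
How a cooldown schedule like this translates into the time needed to exhaust a PIN space, as an added example (not part of the project): the model below sums only the cooldown waits. It assumes each row applies from its attempt number onward and that the attempt counter restarts when a new row takes effect; the flat schedule is a constructed comparison that matches the 16.6 hour figure quoted earlier.

```python
# Added example: a timing model for lockscreen throttling policies.
# Only cooldown waits are counted unless per_attempt_seconds is given.
# The row semantics are an assumption, not taken from the project's code.

# (attempt number, attempts until cooldown, cooldown in seconds), from the table above
PROGRESSIVE = [(1, 5, 30), (11, 1, 30), (41, 1, 60)]

# Constructed comparison: a lockscreen that never escalates its cooldown
FLAT = [(1, 5, 30)]


def exhaustion_seconds(total_attempts, schedule, per_attempt_seconds=0.0):
    """Return the seconds spent trying total_attempts PINs under a schedule.

    schedule is a list of (first_attempt, attempts_until_cooldown,
    cooldown_seconds) rows sorted by first_attempt.
    """
    if not schedule:
        raise ValueError("schedule needs at least one row")
    total = 0.0
    since_cooldown = 0  # attempts made since the last cooldown
    row = 0             # index of the schedule row currently in force
    for attempt in range(1, total_attempts + 1):
        # Move to the next row once its starting attempt number is reached.
        while row + 1 < len(schedule) and attempt >= schedule[row + 1][0]:
            row += 1
            since_cooldown = 0
        _, until_cooldown, cooldown = schedule[row]
        total += per_attempt_seconds
        since_cooldown += 1
        if since_cooldown >= until_cooldown:
            total += cooldown
            since_cooldown = 0
    return total


def exhaustion_hours(pin_lengths=(4, 6)):
    """Worst-case hours per PIN length for the flat and progressive policies."""
    result = {}
    for length in pin_lengths:
        space = 10 ** length  # number of possible PINs of this length
        result[length] = {
            "flat": exhaustion_seconds(space, FLAT) / 3600,
            "progressive": exhaustion_seconds(space, PROGRESSIVE) / 3600,
        }
    return result


if __name__ == "__main__":
    for length, hours in exhaustion_hours().items():
        print(f"{length} digits: flat {hours['flat']:.1f} h, "
              f"progressive {hours['progressive']:.1f} h")
```

Under these assumptions the escalating schedule lengthens a full pass over 4 digit PINs roughly tenfold, and moving to a 6 digit PIN multiplies either figure by about 100.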

Why can't you use a laptop?

This works from an Android phone because the USB ports are not bidirectional, unlike the ports on a laptop.

How Android emulates a keyboard

Keys are sent using /system/xbin/hid-keyboard. To test this and send the key 1 you can use:

echo 1 | /system/xbin/hid-keyboard /dev/hidg0 keyboard

In Kali Nethunter, /system/xbin/hid-keyboard is a compiled copy of hid_gadget_test.c. This is a small program for testing the HID gadget driver that is included in the Linux Kernel. The source code for this file can be found at https://www.kernel.org/doc/html/latest/usb/gadget_hid.html and https://github.com/aagallag/hid_gadget_test.

🔧 Troubleshooting

If it is not bruteforcing PINs

Check the orientation of the cables

The Nethunter phone should have a regular USB cable attached, while the locked phone should have an OTG adaptor attached.

The OTG cable should be connected to the locked Android phone. The regular USB cable should be connected to the Nethunter phone.

Refer to the graphic on how to connect the phones.

Check it is emulating a keyboard

You can verify that the NetHunter phone is successfully emulating a keyboard by connecting it to a computer using a regular charging/data USB cable. Open a text editor like Notepad while it is cracking and you should see it entering PIN numbers into the text editor.

Note that you will not need an OTG cable for this.

Try restarting the phones

Try powering off the phones and even taking out the batteries if that is possible.

Try new cables

Try using new cables/adaptors as you may have a faulty cable/adaptor.

If it doesn't unlock the phone with a correct PIN

You might be sending keys too fast for the phone to process. Increase the DELAY_BETWEEN_KEYS variable in the config file. 💡 If you don't see 4 dots come up on the phone's screen then maybe it is not receiving 4 keys.

🔋 Managing Power Consumption

If your phone runs out of power too soon, follow these steps:

  • Make sure both phones are fully charged to 100% before you begin
  • Reduce the screen brightness on both the victim phone and NetHunter phone if possible
  • Place both phones into Airplane mode, however you may want to enable WiFi to access the NetHunter phone via SSH.
  • The locked phone will power the NetHunter phone, because it appears as a keyboard accessory
  • Use a USB OTG cable with a Y splitter for an external power supply, to allow charging of the NetHunter phone while cracking
  • Take breaks to charge your devices. Pause the script with CTRL-Z and resume with the fg shell command.
  • Avoid the SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS configuration option. This will cause the locked phone to use more battery to keep the screen powered. Instead use the SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END option (Default).

Check the Diagnostics Report

Use the diag command to display diagnostic information.

bash ./android-pin-bruteforce diag

If you receive this message when the USB cable is plugged in then try taking the battery out of the locked Android phone and power cycling it.

[FAIL] HID USB device not ready. Return code from /system/xbin/hid-keyboard was 5.

How the usb-devices command works

The diagnostics command uses the usb-devices script but it is only necessary as part of determining whether the USB cables are incorrectly connected. This can be downloaded from https://github.com/gregkh/usbutils/blob/master/usb-devices

Use verbose output

Use the --verbose option to check the configuration is as expected. This is especially useful when you are modifying the configuration.

Use the dry-run

Use the --dry-run option to check how it operates without sending any keys to a device. This is especially useful when you are modifying the configuration or during development.

Dry run will:

  • Not send any keys
  • Continue instead of aborting if the KEYBOARD_DEVICE or HID_KEYBOARD is missing.

HID USB Mode

Try this command in a shell on the NetHunter phone: /system/bin/setprop sys.usb.config hid

💣 Known Issues

  • This cannot detect when the correct PIN is guessed and the phone unlocks.
  • Your phones may run out of 🔋 battery before the correct PIN is found.
  • Don't trust phone configuration files from unknown sources without reviewing them first. The configuration files are shell scripts and could include malicious commands.
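
One way to review a phone configuration file before the script loads it, as an added example (not part of the project): the checker below reads the file as text, never executes it, and flags every line that is not a plain literal assignment. The allowlist holds only the variables documented on this page, and the sample config, including its suspicious lines, is constructed.

```python
import re

# Variable names documented on this page. A real config may define others,
# so this allowlist is an assumption to extend after manual review.
KNOWN_VARS = {
    "DELAY_BETWEEN_KEYS",
    "PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________",
    "PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN",
    "PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____",
    "SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END",
    "SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END",
    "KEYS_BEFORE_EACH_PIN",
    "KEYS_STAY_AWAKE_DURING_COOLDOWN",
    "SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS",
    "DELAY_BEFORE_STARTING",
    "KEYS_BEFORE_STARTING",
}

NUMBER = r"\d+(?:\.\d+)?"
# Accepted value shapes: a number, a quoted list of key labels, or an array
# of numbers. Anything else (substitutions, separators, pipes) is rejected.
VALUE_RE = re.compile(
    rf'^(?:{NUMBER}'
    rf'|"[A-Za-z0-9_ -]*"'
    rf'|\(\s*{NUMBER}(?:\s+{NUMBER})*\s*\)'
    rf')$'
)
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def audit_config(text):
    """Return (line number, reason, line) for every line needing review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are inert
        match = ASSIGN_RE.match(line)
        if not match:
            findings.append((lineno, "not a plain assignment", raw))
            continue
        name, value = match.groups()
        if name not in KNOWN_VARS:
            findings.append((lineno, "unknown variable", raw))
        elif not VALUE_RE.match(value):
            findings.append((lineno, "value is not a literal", raw))
    return findings


# Constructed sample: lines 1-4 follow the format shown on this page,
# lines 5-8 are the kind of content a reviewer should stop on.
SAMPLE_CONFIG = """\
# Timing
DELAY_BETWEEN_KEYS=0.25
PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1  11 41)
KEYS_BEFORE_EACH_PIN="escape enter"
KEYS_BEFORE_STARTING="$(id)"
DELAY_BEFORE_STARTING=2; touch /tmp/marker
PATH=/data/local/tmp
source ./other.conf
"""

if __name__ == "__main__":
    for lineno, reason, raw in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}: {raw}")
```

A clean result only means every line has an expected shape; values such as delays and key labels still deserve a read before use.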

🚀 Roadmap

  • [DONE] Works
  • [DONE] Detects USB HID failures
  • [DONE] Improve Usage and commandline options/config files
  • [DONE] Add bruteforce for n digit PINs
  • [DONE] Mask for known digits
  • [DONE] Crack PIN list in reverse (to find which recent PIN unlocked the device)
  • [DONE] Implement configurable lockscreen prompt
  • [DONE] Implement cooldown change after 10 attempts
  • [WORKING] Find/test more devices to bruteforce
  • Add progress bar
  • Add ETA
  • ASCII art
  • Nicer GUI for NetHunter
  • Implement for iPhone
  • Detect when a phone is unlocked (Use Nethunter camera as a sensor?)
  • Crack Android Patterns (try common patterns first)

🙋 Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

😎 Authors and acknowledgment

Developed by Andrew Horton (@urbanadventurer).

👏 The following people have been very helpful:

  • Vlad Filatov (@v1adf): Testing many phones for the Wiki Phone Database

Motivation

My original motivation to develop this was to unlock a Samsung S5 Android phone. It had belonged to someone who had passed away, and their family needed access to the data on it. As I didn't have a USB Rubber Ducky or any other hardware handy, I tried using a variety of methods, and eventually realised I had to develop something new.

Credit

The optimised PIN list is from Justin Engler (@justinengler) & Paul Vines from Senior Security Engineer, iSEC Partners and was used in their Defcon talk, Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO).

Graphics

Designed by Andrew Horton and gratefully using these free vector packs:

🗿 Comparison with other projects and methods to unlock a locked Android phone

What makes this project unique?

I've been asked what makes this project unique when there are other open-source Android PIN cracking projects.

Android-PIN-Bruteforce is unique because it cracks the PIN on Android phones from a NetHunter phone and it doesn't need the locked phone to be pre-hacked.

It works:

  • Without having to buy special hardware, such as a Rubber Ducky, Cellebrite, or XPIN Clip.
  • Without ADB or root access (the phone doesn't have to be pre-hacked).

Project | ADB/USB Debugging | Requires root | Requires $ hardware | Commercial
⭐ Android-PIN-Bruteforce | No | No | Nethunter phone | No
github.com/PentesterES/AndroidPINCrack | Yes | Yes | No | No
github.com/ByteRockstar1996/Cracking-Android-Pin-Lock | Yes | Yes | No | No
github.com/sch3m4/androidpatternlock | Yes | Yes | No | No
github.com/georgenicolaou/androidlockcracker | Yes | Yes | No | No
github.com/MGF15/P-Decode | Yes | Yes | No | No
github.com/BitesFor/ABL | Yes | Yes | No | No
github.com/wuseman/WBRUTER | Yes | No | No | No
github.com/Gh005t/Android-BruteForce | Yes | No | No | No
github.com/mandatoryprogrammer/droidbrute | No | No | Rubber Ducky $ | No
github.com/hak5darren/USB-Rubber-Ducky | No | No | Rubber Ducky $ | Yes
github.com/bbrother/stm32f4androidbruteforce | No | No | STM32F4 dev board $ | No
hdb-team.com/product/hdbox/ | No | No | HDBOX $$ | Yes
xpinclip.com | No | No | XPINClip $$ | Yes
cellebrite.com/en/ufed/ | No | No | Cellebrite UFED $$$ | Yes

Some of these projects/products are really awesome but they achieve a different goal to Android-PIN-Bruteforce.

If a project requires a gestures.key or password.key, I've listed it as requiring root. If a project requires a custom bootloader, I've listed that as requiring both ADB and root. If you would like your project listed in this table then please open a new issue. There are links to each of these projects in the 📚 Related Projects & Further Reading section.

😭 Regular phone users

  • Try the top 20 PINs from the DataGenetics PIN analysis that apparently unlock 26.83% of phones.
  • Use an SMS lock-screen bypass app (requires app install before phone is locked)
  • Use Samsung Find My Mobile (requires you set it up before phone is locked)
  • Crash the Lock Screen UI (Android 5.0 and 5.1)
  • Use the Google Forgot pattern, Forgot PIN, or Forgot password (Android 4.4 KitKat and earlier)
  • Factory Reset (you lose all your data 😭 )

🤖 Users who have already replaced their Android ROM

If the phone has already been rooted, has USB debugging enabled, or has adb enabled.

  • Flash the Pattern Password Disable ZIP using a custom recovery (Requires TWRP, CWM, Xrec, etc.)
  • Delete /data/system/gesture.key or password.key (requires root and adb on locked device)
  • Crack /data/system/gesture.key and password.key (requires root and adb on locked device)
  • Update sqlite3 database settings.db (requires root and adb on locked device)

🔬 Forensic Investigators

These methods can be expensive and are usually only used by specialised phone forensic investigators.

In order of difficulty and expense:

  • Taking advantage of USB debugging being enabled (Oxygen Forensic Suite)
  • Bruteforce with keyboard emulation ( ⭐ Android-PIN-Bruteforce, RubberDucky attack, XPIN Clip, HDBox)
  • JTAG (Interface with TAPs (Test Access Ports) on the device board)
  • In-System Programming (ISP) (Involves directly connecting to pins on flash memory chips on the device board)
  • Chip Off (Desolder and remove flash memory chips from the device)
  • Clock Glitching / Voltage Fault Injection (Hardware CPU timing attacks to bypass PIN restrictions)
  • Bootloader exploits (Zero-day exploits that attack the bootloader. GrayKey from Grayshift and Cellebrite)

JTAG, ISP, and Chip Off techniques are less useful now because most devices are encrypted. I don't know of any practical attacks on phone PINs that use clock glitching. If you know of a product that uses this technique, please let me know so I can include it.

🕵 Security Professionals and Technical Phone Users

Use the USB HID Keyboard Bruteforce with some dedicated hardware.

  • A RubberDucky and Darren Kitchen's Hak5 brute-force script
  • Write a script for a USB Teensy
  • Buy expensive forensic hardware
  • Or you can use Android-PIN-Bruteforce with your NetHunter phone!

Attempts to use the otherwise awesome Duck Hunter project to emulate a RubberDucky payload for Android PIN cracking did not work. It crashed the phone, probably because of the payload length.

📚 Related Projects & Further Reading

USB HID Hardware without NetHunter

hak5 12x17: Hack Any 4-digit Android PIN in 16 hours with a USB Rubber Ducky https://archive.org/details/hak5_12x17

Hak5: USB Rubber Ducky https://shop.hak5.org/products/usb-rubber-ducky-deluxe

USB-Rubber-Ducky Payloads https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Teensy https://www.pjrc.com/teensy/

Brute Forcing An Android Phone with a STM32F4Discovery Development Board https://github.com/bbrother/stm32f4androidbruteforce https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/

Automated brute force attack against the Mac EFI PIN (Using a Teensy) https://orvtech.com/atacar-efi-pin-macbook-pro-en.html https://hackaday.io/project/2196-efi-bruteforcer

Droidbrute: An Android PIN cracking USB rubber ducky payload made efficient with a statistically generated wordlist. https://github.com/mandatoryprogrammer/droidbrute

Discussion forum about the hak5 episode, and Android Brute Force 4-digit pin https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/

NetHunter HID keyboard attacks

NetHunter HID Keyboard Attacks https://www.kali.org/docs/nethunter/nethunter-hid-attacks/

Linux Kernel HID support

Human Interface Devices (HID) https://www.kernel.org/doc/html/latest/hid/index.html#

Linux USB HID gadget driver and hid-keyboard program https://www.kernel.org/doc/html/latest/usb/gadget_hid.html https://github.com/aagallag/hid_gadget_test

The usb-devices script https://github.com/gregkh/usbutils/blob/master/usb-devices

Cracking Android PIN and Pattern files

AndroidPINCrack - bruteforce the Android Passcode given the hash and salt (requires root on the phone) https://github.com/PentesterES/AndroidPINCrack

Android Pattern Lock Cracker - bruteforce the Android Pattern given an SHA1 hash (requires root on the phone) https://github.com/sch3m4/androidpatternlock

General Recovery Methods

[Android][Guide]Hacking And Bypassing Android Password/Pattern/Face/PI https://forum.xda-developers.com/showthread.php?t=2620456

Android BruteForce using ADB & Shell Scripting https://github.com/Gh005t/Android-BruteForce

Forensic Methods and Hardware

PATCtech Digital Forensics: Getting Past the Android Passcode http://patc.com/online/a/Portals/965/Android%20Passcode.pdf

XPIN Clip https://xpinclip.com/

HDBox from HDB Team https://hdb-team.com/product/hdbox/

Cellebrite UFED https://www.cellebrite.com/en/ufed/

GrayKey from Grayshift https://www.grayshift.com/graykey/

PIN Analysis

Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO) https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler

DataGenetics PIN analysis https://datagenetics.com/blog/september32012/index.html

Comments
  • hid-keyboard works with computer but not with phone (HID USB device not ready)

    I went through a couple of issues listed here and my initial issues are sorted out. Now when I connect to a computer with Notepad open and execute bash ./android-pin-bruteforce crack, I can see PIN numbers being printed in Notepad. However, when I connect the locked phone (motog 1st gen (falcon)) and try, I get the error HID USB device not ready. I connected the OTG cable to the locked phone and the normal cable to the nethunter phone (redmi note 3 (kenzo)). Any tips?

    opened by simtcrom 6
  • Locked phone: Xiaomi, Nethunter phone: nexus 6 - Bug description

    I launched the application, but my Xiaomi phone requires pressing the 'windows' key (winkey, GUI) to display the pin screen - I did not find another key combination. Is it possible to send the 'windows' key to my phone?

    opened by k05tuni0 2
  • [FAIL] HID device (/dev/hidg0) not found

    ┌──(kali㉿kali)-[~/Downloads/Android-PIN-Bruteforce-master]
    └─$ ./android-pin-bruteforce crack -p optimised-pin-length-4.txt                    1 ⨯
    Android PIN brute-force :: version 0.1
    [INFO] Loading user specified PIN list optimised-pin-length-4.txt for 4 digits
    [INFO] PIN list contains 10000 PINs
    [INFO] Checking environment
    [FAIL] HID device (/dev/hidg0) not found

    mobile model - xiaomi redmi k20 pro

    opened by atom7890 2
  • ./android-pin-bruteforce: config.default: line 24: syntax error: unexpected

    ./android-pin-bruteforce: config.default: line 24: syntax error: unexpected "("

    I get this error when trying to run the script. I double checked and my config files were not modified and match this github exactly.

    opened by bluegizmo83 2
  • Google Pixel 2 XL, Restart slight workaround

    Android 10 I think. I've been fiddling with a 2xl manually, it increases the cooldown by 30 seconds for about each 25 tries. So after a 100 tries the cooldown is 120 seconds. It remembers the number of tries after a restart but the cooldown will be 0 seconds. Restarting takes 20-30 seconds and ~1% battery charge.

    I don't have a nethunter set up yet, should I even bother? Can it restart through OTG? Is it going to take too long anyway? It may even burn the charge too fast but as long as it's automated I may be okay with that. Btw there are no other real ways to approach this besides bruteforcing, right?

    opened by cherno-bill-ampill 2
  • How can i fix this?

    Hello! Can you help me to fix this please? It writes:

    Android PIN brute-force :: version 0.1
    [INFO] Loading optimised PIN list for 6 digits (optimised-pin-length-6.txt)
    [INFO] PIN list contains 1000000 PINs
    [INFO] Checking environment
    [FAIL] HID device (/dev/hidg0) not found
    $ android-pin-bruteforce diag
    android-pin-bruteforce: command not found
    $ bash ./android-pin-bruteforce diag
    Android PIN brute-force :: version 0.1
    [INFO] # Diagnostic info
    [FAIL] HID device (/dev/hidg0) not found
    [FAIL] hid-keyboard executable (/system/xbin/hid-keyboard) not found
    [FAIL] usb-devices executable (/usr/bin/usb-devices) not found
    [INFO] ## Executing Command: /usr/bin/usb-devices
    ./android-pin-bruteforce: line 151: /usr/bin/usb-devices: No such file or directory
    [FAIL] usb-devices script failed. Return code 127.
    [INFO] ## Finding Android Phone USB Device
    ./android-pin-bruteforce: line 161: /usr/bin/usb-devices: No such file or directory
    [INFO] Expected result, no device found.
    [INFO] ## Sending Enter Key
    ./android-pin-bruteforce: line 170: /system/xbin/hid-keyboard: Permission denied
    [FAIL] Key failed to send. Return code 126.
    [INFO] ## Executing Command: /system/bin/getprop |grep usb
    [init.svc.usbd]: [stopped]
    [miui.usb.dialog]: [1]
    [persist.data.df.dev_name]: [rmnet_usb0]
    [persist.sys.usb.config]: [none]
    [persist.sys.usb.qmmi.func]: [none]
    [ro.boot.usbcontroller]: [a600000.dwc3]
    [ro.vendor.audio.soundfx.usb]: [true]
    [sys.usb.config]: [mtp]
    [sys.usb.configfs]: [1]
    [sys.usb.controller]: [a600000.dwc3]
    [sys.usb.mtp.device_type]: [3]
    [sys.usb.state]: [mtp]
    [vendor.audio.feature.usb_offload.enable]: [true]
    [vendor.audio.feature.usb_offload_burst_mode.enable]: [true]
    [vendor.audio.feature.usb_offload_sidetone_volume.enable]: [false]
    [vendor.audio.usb.disable.sidetone]: [true]

    [INFO] ## Executing Command: dmesg | grep -i usb | tail

    [INFO] # Troubleshooting tips

    • Check the NetHunter phone is succesfully emulating a keyboard by connecting it to a computer with a regular charging/data USB cable. Open a text editor like Notepad and you should see it sending PINs. Note that you do not need an OTG cable for this.
    • Check the Nethunter phone has a regular USB cable attached, and the locked phone has an OTG adaptor attached.
    • Try using different cables/adaptors. You may have a faulty cable/adaptor.
    • Perform a hard reset of both phones by holding down the power button for 20 seconds.
    • Try this command: /system/bin/setprop sys.usb.config hid

    Everything is failed

    opened by Muskaaaa 1
  • Script is not sending PIN to connected Samsung Phone

    Hi,

    Please see the below screenshot - I do not see PIN entering on the Samsung Phone.

    I have connected a USB Keyboard to the phone which is working! Please help!

    Thanks,

    opened by rmnrgb 1
  • Can use this code for pixel 3A(android 11)

    I forgot my pixel 3A password, I have lots of files in my mobile,

    I have kali nethunter mobile with hid support

    Can I pin brute force my pixel 3A using kali nethunter phone?

    I tried it's not working

    Pls help me on this.

    opened by vignesh8458 1
  • Does Not Work Xiaomi Note 5A

    I have Error Message :

    $ bash ./android-pin-bruteforce --length 4
    Android PIN brute-force :: version 0.1
    [INFO] Loading optimised PIN list for 4 digits (optimised-pin-length-4.txt)
    [INFO] PIN list contains 10001 PINs
    [INFO] Checking environment
    [FAIL] HID device (/dev/hidg0) not found

    opened by ibnudev7 1
  • Crashes on start with line 10: $'\r': command not found (User converted files to have Windows newlines and Bash complains)

    Hi there,

    New install of NetHunter and your script and config files in the downloads folder of a Galaxy S8. Attempting to run any commands results in ten lines of error messages such as:

    line 10: $'\r': command not found
    line 12: config.default: No such file or directory
    line 15: $'\r': command not found
    line 16: $'\r': command not found
    line 18: $'\r': command not found
    line 21: $'\r': command not found
    line 29: $'\r': command not found
    line 30: $'\r': syntax error near unexpected token '$'{\r''

    Any idea what I'm doing wrong please?

    opened by Ikoth 1
  • Does this bypass the phone autolocking after a certain number of attempts?

    Pretty much any modern phone will auto lock or delete all data after having a certain amount of wrong attempts, so I'm wondering if and how this would bypass that?

    opened by Shahzeb-K 1
  • Locked phone: XXX, Nethunter phone: XXX - Bug description

    Describe the bug

    A clear and concise description of what the bug is.

    To Reproduce Steps to reproduce the behavior:

    1. Go to '...'
    2. Click on '....'
    3. Scroll down to '....'
    4. See error

    Expected behavior A clear and concise description of what you expected to happen.

    Screenshots If applicable, add screenshots to help explain your problem.

    My phones

    • The make and model of my NetHunter Android phone :
    • The make and model of my locked Android phone :

    Can I send any keys

    • Are your cables correctly connected?
    • Is your NetHunter Android phone capable of emulating a keyboard?
    • Does your OTG cable work?
    • Does the script correctly send keys to a text editor in Windows/Linux/MacOS?
    • Can you send keys to Windows/Linux/Macos from the command line?
    • Can you send keys to the locked phone from the command line?
    • Does the phone accept keyboard input when it is locked?
    • Did you try a different locked phone?

    Sending the correct keys

    • What keys will bring up the PIN prompt?
    • What keys should be sent after the PIN is entered?

    Troubleshooting

    • Did you try rebooting both phones?

    • Did you try unplugging and replugging the cables?

    • Did you try new cables including the OTG cable?

    • The output of the diag command

    <paste output here
    

    Troubleshooting Instructions Section

    Can I send any keys?

    Are your cables correctly connected?

    The Nethunter phone should have a regular USB cable attached. The OTG cable should be connected to the locked Android phone.

    Refer to the graphic in the README on how to connect the phones.

    Is your NetHunter Android phone capable of emulating a keyboard?

    • Check that the /dev/hidg0 device is present
    • Check that the /system/xbin/hid-keyboard binary is present

    The diag command will check that these files are present.

        bash ./android-pin-bruteforce diag

    If these files are present but the script doesn't work, try using another Android app to emulate a keyboard such as https://store.nethunter.com/en/packages/remote.hid.keyboard.client/

    Does your OTG cable work?

    Connect a keyboard or mouse to any phone using the OTG cable. Confirm that the cable works with a different phone and any device. Try using a different OTG cable. Even if it works, perhaps it does not fit well with your locked phone.

    Does the script correctly send keys to a text editor in Windows/Linux/MacOS?

    • Connect your NetHunter phone to your laptop.
    • Open a text editor such as Notepad
    • Run the script
    • Confirm that keys are sent to your laptop

    Can you send keys to Windows/Linux/Macos from the command line?

    Try testing sending keys from the NetHunter command line.

        echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
        echo "a b c" | /system/xbin/hid-keyboard /dev/hidg0 keyboard

    Can you send keys to the locked phone from the command line?

    Same as above.

    Does the phone accept keyboard input when it is locked?

    Connect a USB keyboard through the OTG cable to the locked phone. This technique requires emulating a keyboard, so if the phone does not accept USB keyboard input while it is locked, this attack will not work.

    Note that some devices will not permit you to use a new or unknown USB device while it is locked.

    Did you try a different locked phone?

    Same as above but with a different locked phone.

    Sending the correct keys

    What keys will bring up the PIN prompt?

    Using a keyboard, try keys and combinations of keys including:

    • CTRL + ESCAPE
    • ESCAPE
    • SPACE

    What keys should be sent after the PIN is entered?

    Usually this is enter but you might need to send other keys.

    Troubleshooting

    • Reboot the phones.
    • Unplug and replug the cables.
    • Try new cables including the OTG cable
    • Paste the output of the diag command, bash ./android-pin-bruteforce diagTBC1#37690
    opened by Bae35 0
  • [FAIL] HID USB device not ready. ../ returned 126

    Apparently the attack attempt was not successful as per screenshot.

    Screenshot_20220628-150740

    Tried to debug using bash ./android-pin-bruteforce diag and noted 2 failed entries as per the screenshot. I'm unable to understand Return code 1 though. Additionally, the /system/bin/getprop directory exists, in contrast to the non-existence shown in the screenshot.

    Screenshot_20220628-150528

    Screenshot_20220628-153648

    Tried sending test keys with echo "a b c" | /sdcard/hid-keyboard.c /dev/hidg0 keyboard but it returned permission denied on the keyboard though. My initial thought was the permission set. I tried chmod 755, chmod -v 755, chmod a+x etc. but it seems that the permission cannot be updated though.

    I'm using USB gadget tool along with USB arsenal for the keyboard/mouse though. Any input is appreciated.

    opened by matr3p 2
  • [FAIL] HID USB device not ready. /data/local/nhsystem/kali-arm64/files/hid-keyboard returned 126 or 127

    When I downloaded the Android-pin-bruteforce files on Kali NetHunter and modified the config file, this error appeared:

        ./android-pin-bruteforce crack --length 4
        Android PIN brute-force :: version 0.1
        [INFO] Loading optimised PIN list for 4 digits (optimised-pin-length-4.txt)
        [INFO] PIN list contains 10000 PINs
        [INFO] Checking environment
        [PASS] HID device (/dev/hidg0) found
        [PASS] hid-keyboard executable (/files/hid-keyboard) found
        [FAIL] HID USB device not ready. /files/hid-keyboard returned 127.
        [FAIL] HID USB device not ready. /files/hid-keyboard returned 127.
        [FAIL] HID USB device not ready. /files/hid-keyboard returned 127.
        ^C

    Then I tried it on Termux but I found the same problem:

        ./android-pin-bruteforce crack --length 4
        Android PIN brute-force :: version 0.1
        [INFO] Loading optimised PIN list for 4 digits (optimised-pin-length-4.txt)
        [INFO] PIN list contains 10000 PINs
        [INFO] Checking environment
        [PASS] HID device (/dev/hidg0) found
        [PASS] hid-keyboard executable (/data/local/nhsystem/kali-arm64/files/hid-keyboard) found
        [FAIL] HID USB device not ready. /data/local/nhsystem/kali-arm64/files/hid-keyboard returned 126.
        [FAIL] HID USB device not ready. /data/local/nhsystem/kali-arm64/files/hid-keyboard returned 126.
        [FAIL] HID USB device not ready. /data/local/nhsystem/kali-arm64/files/hid-keyboard returned 126.
        ^C

    I'm using a Redmi Note 10 Pro as the NH device (with a kernel which ducky HID works on) and as the Termux device. The target phone was a Redmi Note 10 S, and I tried it on a Samsung Tab A 2016 (I don't think that it supports OTG).

    opened by Engineer156 1
Owner
Andrew Horton