Finding PIN from NAND dump using Python script

[cracker_jack]

I was hoping some clever programmer out there could assist me in finding a pin code from a NAND dump using a Python 3 script.

I came across this blog Bypassing a locked HTC Wildfire S using the JTAG process « copgeek018 and I am somewhat a newbie. I have successfully made my dump but do not know how to execute the script.

If you can help I would greatly appreciate it.

BR

[Gecko_UK]

If you've got the NAND dump already, you've done the difficult part


to recovr the pin- install python 3.2.3 with default settings. copy the RecoverAndroidPin.py & BruteForceAndroidPin.py to c:\Python32 . rename your NAND dump "dump.bin" and copy that to this folder as well,

now open up cmd prompt and run the following commands

Code:

cd c:\python32
python.exe RecoverAndroidPin.py -l 5 dump.bin

-l switch is the max number of characters in lock pin to search.

[cracker_jack]

Hi Gecko UK. Firstly I just want to express my huge thanks for your assistance. Your instructions were dead on and easy. Okay now for my results. It wasn't quite what I thought the outcome would be but I am not discouraged as likely I did missed something and will try an correct it. I entered your command line and this is my screenshot.



The strange thing is I could try using the brute force script but although I have the salt address I still need the hash address which I did not get. Is there something I missed along the way?

Thanks again Gecko for your help.

[dest]

Try changing the number 5 to something higher like 6, 7 or 8. I think this means the pin code is not <=5

[cracker_jack]

Yeah I tried 1 through 16 and nothing changed but thanks for the advice.

[Gecko_UK]

you sure it's a pin not pattern?

if it's pattern copy both Android_GestureFinder.py and GenerateAndroidGestureRainbowTable.py to c:\Python32 then run

Code:

cd c:\python32
python.exe GenerateAndroidGestureRainbowTable.py
(wait some time for rainbow table to be generated)
python.exe Android_GestureFinder.py dump.bin

if it's a pin and you are sure you've dumped the nand correctly you can try extracting /data/system/password.key from dump and then using bruteforce to crack it since you already got the salt. like below

Code:

cd c:\python32
python.exe BruteForceAndroidPin.py [HASH] [SALT] [MAX PIN LENGTH]

[cracker_jack]

Yes, I am pretty confident it's a PIN. When I turn on the phone it just ask for PIN no pattern. I did try your recommendation anyway and tried to recover a pattern unlock with your python commands but it came back with no find.

Sorry to ask for more help with this but how to extract /data/system/password.key hash from my dumped file.

Thanks Gecko

[Gecko_UK]

Quote:

Yes, I am pretty confident it's a PIN. When I turn on the phone it just ask for PIN no pattern. I did try your recommendation anyway and tried to recover a pattern unlock with your python commands but it came back with no find.

Sorry to ask for more help with this but how to extract /data/system/password.key hash from my dumped file.

Thanks Gecko

parseafphysical.py -n dump.bin..

https://viaforensics.com/?fid=parseAFPhysical.py

[cracker_jack]

Okay so I downloaded the parseafphysical.py script and copied it to C:
Python32 folder. I ran the script exactly as you typed it but nothing happens. It just goes back to C:\Python32>

I'm certain my dump is good (528MB) and can view in a hex editor. What did I do wrong?

[incendiu]

Quote:

Originally Posted by cracker_jack

Okay so I downloaded the parseafphysical.py script and copied it to C:
Python32 folder. I ran the script exactly as you typed it but nothing happens. It just goes back to C:\Python32>

I'm certain my dump is good (528MB) and can view in a hex editor. What did I do wrong?

Remove those .. ( dots ) and leave only

Quote:

parseafphysical.py -n dump.bin

[cracker_jack]

Yeah I tried that it didn't change anything.