
Firstly, I need to state my specific problem so that this question won't be marked as a duplicate.

I have an Android phone that already has root access and an unlocked bootloader. Recently I dropped it, and its screen (LCD panel) blacked out and gives no feedback. But the touch panel was still working on about 90% of the screen, because when someone calls me I can answer or reject the call by swiping at the original screen coordinates.

However, I connected to it with the Vysor app to see the screen, and that worked, but I couldn't make a backup at that point because of time constraints in my life. A day later, I tried again but it did not work. After this I reset it, but now it asks me to enter the password manually the first time and the fingerprint doesn't work. At this step I forced a power-off (by holding the phone's power button) to start it from the bootloader. I started it from the bootloader and booted my previously used twrp.img version, which is able to decrypt with the password and had been confirmed to work before this happened. After this step it decrypted successfully, and I deleted /data/system/gatekeeper.pattern.key after backing up the 58-byte file. Now I have a backup of the .key file. After that I rebooted the phone to start normally, but it doesn't ask for the password and also doesn't decrypt the userdata partition. It is stuck on the "Phone is starting..." screen.

Now I realise that I set the password again, with the same value, while the system was running, so my partition was encrypted again before it was successfully decrypted. So even if my password is right, the TWRP security checks (which verify whether it was successfully decrypted) fail, even when I use the correct password. So I need to find the decryption algorithm, and I will apply the algorithm twice.

In short, I need something like this, but which won't check whether the password is correct or not:

twrp decrypt $PASS ; twrp decrypt $PASS.

Otherwise it will fail the first time, and so the second time, and so on; it will repeat.

makgun
  • 101
  • Sadly NO. Because in my situation it remains encrypted even if I use the RIGHT pattern, because it was encrypted a second time before it wasn't actually decrypted. – makgun Jan 10 '20 at 14:07
  • @alecxs I know the actual key that I used because I have never changed the password in the last 1 year. So I didn't wait 10 seconds after an attempt, because the var $PASS is always the same in my situation. But when you do a brute-force attack you must change $PASS to find out the actual key. – makgun Jan 10 '20 at 14:23
  • Also, I mean that it was encrypted twice, like when you type this command in a shell: echo $PASS|md5sum|md5sum . The md5 algorithm is applied cumulatively to the first encryption algorithm's output, like in my situation the data partition table was encrypted twice cumulatively. – makgun Jan 10 '20 at 14:28
  • @alecxs Here is my recovery.log https://pastebin.pl/view/823ba5bc – makgun Jan 10 '20 at 20:23
  • does not look encrypted twice to me, instead decryption fails on the first try, see line 79, line 90, line 761. are you sure you placed the key backup at the right location?

    try unofficial TWRP from codeworkx

    – alecxs Jan 10 '20 at 23:27
  • make a full dump: adb pull /dev/block/sda13 ~ 113981 MB / ~ 4 hours (before mess up), then restore: cat /tmp/gatekeeper.pattern.key > /data/system/gatekeeper.pattern.key furthermore wait for an answer on this question https://android.stackexchange.com/q/216155 – alecxs Jan 11 '20 at 01:14
  • @alecxs I set the password as a lockscreen pattern, not directly as a password, so it is true that it uses gatekeeper.pattern.key. Also, I did a full dump of my userdata partition as you suggested. (It takes 70 minutes with a USB cable and SSD, not 4 hours.) However, at this time I don't have the key in the /tmp/ folder; also, my old key file was backed up as a 58-byte binary, but when only removing this file and booting the device normally, it gets stuck on the "Phone is starting..." screen. And again, keeping the old file with the same name and location (restored key), it now asks for the pattern but does not accept it. I think it uses more files to decrypt it. – makgun Jan 11 '20 at 08:47
  • @alecxs After some time I bought a new phone, because the repair cost is so expensive compared to a new one. Anyway, now I wonder: if I do brute force to decrypt it, is there any possibility of decrypting it? With only my one file backed up and no other files backed up, and I keep them as the original files in the key location. (Also, I am sure I typed the password correctly, but maybe because of the file it decrypts with a different key.) Is it worth waiting for? Is there any possibility of decrypting it? – makgun Jan 13 '20 at 18:41
  • On the other hand, on my new phone, I encrypted with the same key, but the contents of /data/system/gatekeeper.pattern.key are completely different from my backed-up file. Why is such a different key generated with the same pattern? Also, I decrypted it on the new phone and encrypted again, and the key changed again. – makgun Jan 13 '20 at 18:45
  • i am sorry, i am no expert. i believe there is a random generated part which is combined with your screenlock pattern. bruteforcing makes only sense for pattern, not for the missing random part. but i believe it is possible to decrypt – alecxs Jan 13 '20 at 18:50
