Introduction
Android is an open source operating system based on the Linux kernel. It was initially developed by Android Inc., which Google bought in 2005, and was designed from the start for touch screen devices such as smartphones. These devices support several types of screen lock, such as swipe lock, PIN lock, pattern lock, gesture lock, facial lock, etc.
A swipe lock unlocks the screen simply by swiping a defined area of the screen with a fingertip. A PIN lock unlocks the screen when the correct PIN is entered. A pattern lock unlocks the screen when the user traces a path across a grid of nine circles that matches the pattern already saved on the device. This article covers only the pattern locking system and does not cover the biometric locking systems available on phones.
Understanding Android Pattern Locks
A pattern is nothing but the path traced by the finger across the nine circles, which are numbered 1 to 9 from the top-left corner to the bottom-right corner as shown in the figure above. If we select the pattern 1478, it looks as shown in Figure 2.
The pattern is not stored in the clear; it is saved as a 20-byte SHA-1 hash. The SHA-1 hash for 1478 is “06CF96F30A7283FF7258FCEF5CF587ED51156C37”, and it is stored in a file named gesture.key in the /data/system folder of the device's internal storage.
The Catch
The trick to changing the pattern is to replace this file with a gesture.key file whose pattern is already known.
Prerequisite
- Debugging mode should be enabled.
- Android adb (Android Debugger Bridge) tool.
- AVD (Android Virtual Device) Manager Tool.
- Device USB Cable
- Device whose password needs to be changed
Methodology
Step 1
Start an AVD (Android Virtual Device) and set a pattern lock in it. Open a command prompt and execute the following command to check whether the AVD is visible to the debugger.
adb devices
The output of the command should look as shown in Figure 3. If you see the name of your emulator on the screen, then your device is perfectly connected.
Step 2
Now pull the gesture.key file out of the AVD. This file is located in /data/system. To pull it, execute the command below.
adb pull /data/system/gesture.key gesture.key
The gesture.key file is pulled into your current working directory. The syntax of the command is adb pull <remote-path> <local-path>. In my case the current working directory is my home folder, so gesture.key ends up in my home directory on the local file system.
The output of the command is shown in Figure 4.
Step 3
Now connect the other device, whose password is to be changed, and close the AVD. For this example I will use the same AVD. The pattern currently set on my AVD is 1478, numbered by pattern cell. Figure 5 illustrates the pattern.
The next step shows how to change the pattern of the new device to the known pattern from the previous AVD, which was 1236. Figure 6 illustrates the new pattern.
Step 4
To change the password to a known pattern, we push our known-pattern file to the new device. The command for pushing a file onto an Android device is shown below; the file has to be pushed into /data/system on the new device.
adb push gesture.key /data/system/gesture.key
The gesture.key file is pushed into the Android file system, replacing the previous one. The device now has a gesture file containing a known pattern, and drawing that pattern unlocks the screen. The syntax for pushing a file onto an Android device is adb push <local-path> <remote-path>.
The output of the command is shown in Figure 7.
This changes the pattern of the new device to a known pattern. Figure 8 illustrates unlocking with the known pattern.
Limitations
- The device should be rooted
- The device should have USB debugging mode enabled
Reference
You can also look up the SHA-1 hash value stored in the gesture key and match it against a database to find the pattern lock combination. For this you can use my Python script (https://github.com/c0d3sh3lf/Android_Forensics) to automate the decoding process.
You can download the dictionary file from http://www.android-forensics.com/tools/AndroidGestureSHA1.rar (25 MB)
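The two facts above, that gesture.key is an unsalted 20-byte SHA-1 over the traced cells and that the hash can be matched against a precomputed table, are easiest to see in code. The following is an added example, not the article's script or any Android code: it encodes a pattern in the article's 1-9 numbering into the byte sequence Android hashes (each cell as its zero-based index, so cell 1 is 0x00 and cell 9 is 0x08), produces the gesture.key digest, checks a pulled gesture.key against a candidate, and looks a key up in a small constructed candidate list standing in for the full dictionary. The sample gesture.key blob and the candidate list are constructed here rather than read from a device.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Assumption: the pre-Lollipop gesture.key format, i.e. SHA-1 over the
# zero-based cell indices (row * 3 + column) with no salt.

def pattern_to_bytes(pattern: str) -> bytes:
    """Encode a pattern written in the article's 1-9 cell numbering into the
    byte sequence that gets hashed: cell 1 -> 0x00, ..., cell 9 -> 0x08."""
    if not pattern or any(c not in "123456789" for c in pattern):
        raise ValueError("pattern must be a non-empty string of digits 1-9")
    if len(set(pattern)) != len(pattern):
        raise ValueError("a cell cannot be visited twice in one pattern")
    return bytes(int(c) - 1 for c in pattern)


def gesture_key_hash(pattern: str) -> bytes:
    """Return the 20-byte unsalted SHA-1 that gesture.key stores for a pattern."""
    return hashlib.sha1(pattern_to_bytes(pattern)).digest()


def read_gesture_key(path: str) -> bytes:
    """Load a gesture.key pulled with adb and check it has the expected size."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if len(blob) != 20:
        raise ValueError(f"gesture.key should be 20 bytes, got {len(blob)}")
    return blob


def verify_gesture_key(gesture_key: bytes, candidate: str) -> bool:
    """True if the candidate pattern hashes to the given gesture.key contents."""
    if len(gesture_key) != 20:
        raise ValueError("gesture.key should be exactly 20 bytes")
    return hmac.compare_digest(gesture_key, gesture_key_hash(candidate))


def lookup_pattern(gesture_key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary match: return the first candidate whose hash equals the key.
    Because the hash is unsalted, one table serves every device."""
    for cand in candidates:
        if verify_gesture_key(gesture_key, cand):
            return cand
    return None


# Constructed sample: a gesture.key blob as it would come off a device,
# produced locally from the pattern 1236 used in the article.
SAMPLE_GESTURE_KEY = gesture_key_hash("1236")

# Constructed toy dictionary standing in for the full SHA-1 table the
# article links to.
SAMPLE_DICTIONARY = ["1478", "1236", "14789", "123456789"]


if __name__ == "__main__":
    # Digest for the article's example pattern, for comparison with the
    # value quoted in the text.
    print("1478 ->", gesture_key_hash("1478").hex().upper())
    print("sample key matches:", lookup_pattern(SAMPLE_GESTURE_KEY, SAMPLE_DICTIONARY))
```

The takeaway for a defender is in `lookup_pattern`: with no salt and a keyspace bounded by the nine cells, the digest itself offers no confidentiality once the file is readable, so the protections that matter are on the access path (the root requirement and the debugging authorization listed under Limitations), not on the hash.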
Volunteer
Good stuff. So this is basically like SAM file replacement in Windows OS.
ramen
How do I unlock my Android phone pattern?
Florian
There seems to be some issues in this article.
First the debug mode must be enabled on the phone prior to it being unlocked, then you need to pull the file containing the pattern to replace it with your own. So if you can remove and add files to the phone, why couldn’t you do a physical dump instead? It seems pointless to me, but maybe I’m missing something?
I don’t mean to undermine you by the comment, as the skills you demonstrate are impressive though.
Sumit Shrivastava
@Florian
I appreciate your response. In this binary world, there are thousands of ways of doing a single thing. This is just one way of changing the pattern lock without unlocking the device. From the physical dump you cannot change the device lock, but surely you can extract the password. In the reference section I have also mentioned your point in a different manner. It is also mentioned in the limitations that the device should be rooted and should have USB debugging mode enabled.
Pulling the gesture file is just a one-time process. Once you have a known gesture file on your system you can replace it on ‘n’ number of Android devices. So you just need to push that file onto other devices.
TL
It is also possible to crack the SHA-1 hash in no time and reveal the original pattern.
Search for “android gesture.key rainbow table”.
Sumit Shrivastava
Yes. You can do a single thing in many ways. It’s just a matter of perspective. You can find the dictionary at http://www.android-forensics.com/tools/AndroidGestureSHA1.rar.
Nets3c
This doesn’t work on Android 4.3+; it has been patched.
Sumit Shrivastava
Yes. It has been patched since Jelly Bean.
Dave
Another note here. I’m not sure if this is Samsung specific, but when I plug my phone with debugging enabled into a new PC, I have to allow the PC to connect to the debugger.
The screen must be unlocked to answer the dialog.
Sumit Shrivastava
This is for new devices which have Android 4.1+ and I guess it’s not Samsung specific. It is also there in other devices.
Marylou
This piece of writing is truly a good one; it assists new web visitors who are wishing in favor of blogging.
Here is my weblog; SEO (Marylou)
a
Great blog here! Also your website loads up very fast! What web host are you using? Can I get your affiliate link to your host? I wish my website loaded up as quickly as yours lol
reza
It doesn’t work for me; it says an error:
adb failed: permission denied.
Can you help me? Please contact me by mail.
Nishant
Good stuff. Since this doesn’t work anymore, I guess the best workaround is to deploy a reverse shell on the phone and then overwrite the file? (It has to be somewhere, right?)
Dusty
What’s up to everyone, the contents present at this web page are truly awesome for people’s experience, well, keep up the good work fellows.
Review my website – bing.com (Dusty)
Muhammad Shahzad
Awesome method, and it works like a charm.
Amit kumar
What will happen if I delete the gesture.key file instead of replacing it?
Sumit Shrivastava
Hi Amit,
This is a very good question. If you delete the gesture file there can be two possibilities:
Logically speaking, the result should always be that your pattern is removed, but because manufacturers customize the Android OS, there is a possibility of your phone being permanently locked. But on devices sold by Micromax, Lava, and other such companies which do not tweak the OS, you will obviously be able to remove the pattern after deleting the gesture.key file.
pepsi ipl 2015
Nice tricks, keep it up bro.
Bill Krithinithis
On Android 5.0+, you can turn & leave on Bluetooth too. :- )
avinash
password cracker
Ahish - BeQuench
AppLock is not at all 100% secure. Yes! You can bypass the no. 1 privacy locking software by just using the simple tricks given below. These tricks will work even if Advanced Protection is enabled.
#Android #AppLock #BeQuench #TipsAndTricks
http://www.bequench.com/bypass-applock-in-android/
Ankur agrawal
Please give me guidance on how I can crack all Android phone pattern locks without losing data.
ramen
It does not work on Micromax A28.
prudhvi
Great one bro, but here is another latest way of hacking or bypassing Android pattern or PIN in 2015:
https://www.youtube.com/watch?v=z7MFhM9tIhw
Sumit Shrivastava
Thanks for sharing Prudhvi!
raj
Hi sir,
adb pull /data/system/gesture.key gesture.key
The message is: cannot create ‘gesture.key’ : read-only file system
Please give a solution.
Sumit Shrivastava
Hello Raj,
Make sure the system folder you are pulling the file into has write permissions for your user.
Jehoshua
How do I breach the pattern lock on an unrooted Xperia ZR? Even deletion of data is not an issue. The forgot-pattern and mail thing didn’t work. Please do respond ASAP. Thanks :)
techikon
I really love this post. Thanks for sharing. I hope that I can read more and more useful articles like this.