Android is an open source operating system based on the Linux kernel, initially developed by Android Inc., which Google bought in 2005. Initially, Android was developed to support touch screen devices like smartphones. These devices support different types of screen locks, like swipe lock, PIN lock, pattern lock, gesture lock, facial lock, etc.
Swipe lock unlocks the screen just by swiping a defined area on the screen with your fingertips. PIN lock is when you enter a correct pin, the screen will be unlocked. Pattern lock unlocks the screen when the user creates a pattern by joining nine circles on the screen, which is already saved on your system. This article is only based on the pattern locking system and does not cover biometric locking systems available on the phones.
Understanding Android Pattern Locks
Patterns are nothing but the path traced by the fingers on the nine circles with the number starting from 1 to 9 from top-left corner to the right bottom corner as shown in the figure above. If we select a pattern 1478, the pattern would look as shown in Figure 2.
This pattern is saved with a 20-byte SHA-1 Hash. So the SHA-1 hash for 1478 will be “06CF96F30A7283FF7258FCEF5CF587ED51156C37” which is stored in a file named gesture.key in /data/system folder in Android’s internal memory.
The catch to change the pattern is replace this file with a known pattern gesture.key file.
- Debugging mode should be enabled.
- Android adb (Android Debugger Bridge) tool.
- AVD (Android Virtual Device) Manager Tool.
- Device USB Cable
- Device whose password needed to be changed
Start an AVD (Android Virtual Device), and create a pattern in the AVD. Open a command prompt. Execute the following command to check whether the AVD has been connected to the debugger or not.
1. adb devices
The output of the command should look as shown in Figure 3. If you see the name of your emulator on the screen, then your device is perfectly connected.
Now pull out the gesture.key file from the AVD. For this execute the command that is mentioned below. This file is located in /data/system.
1. adb pull /data/system/gesture.key gesture.key
The gesture.key file will be pulled to your current working directory. Here the syntax of command is adb pull . Here my current working directory is my home folder. So the gesture.key file will be pulled out in my local file system in my home directory.
The output of the command is as shown n Figure 4.
Now connect the other device, whose password is to be changed and close the AVD. For my example I will be using the same AVD. So now my password in my AVD is 1478 according to the pattern cell numbers. Figure 5 illustrates the pattern.
In next step, it will be shown how to change the pattern of new device to a known pattern from the previous AVD which was 1236. Figure 6 illustrates the new pattern.
Now to change the password with a known pattern, we will push our known pattern file to the new device. The command for pushing a file into an android system is shown below. This file has to be pushed into /data/system of the new device.
adb push gesture.key /data/system/gesture.key
The gesture.key file will be pushed into the Android’s file system replacing the previous file. So now android will be having a new gesture file which contains a known password, and when we use this pattern to unlock the screen, the screen will be unlocked. The syntax for pushing a file into an Android system is adb push .
The output of the command is shown in Figure 7.
Now this changes the pattern of the new device with a known pattern. Figure 8 illustrates the known pattern unlock.
- The device should be rooted
- The device should have USB debugging mode enabled
You can also look for the SHA-1 Hash values of the gesture key and match it with the database to find out the pattern lock combination. For this you can use my python script (https://github.com/c0d3sh3lf/Android_Forensics) to automate the decoding process.
You can download the dictionary file from http://www.android-forensics.com/tools/AndroidGestureSHA1.rar (25 MB)
A CISC, CHFIv8 certified forensic investigator. Sumit Shrivastava has started his career as a Security Analyst Intern in Network Intelligence (I) Pvt. Ltd., Mumbai. Also working on on-going projects with the company for more than over a year with the professional tools for investigation, audit and VAPT.