Hello every colleagues,
the case
We have a Nokia lumia 820 to investigation,when boot the phone it's protected by a password say xxxminuts to retry,see picture,
so we had to try cellebrite to extract the physial bin file and succeeded got it.but after that we still don't know the protected password is .
So every experts we have a question,is there any way to find the password or paring the key word in the image .
Any idea thought will be appreciate.Thanks
Cheers
wonder
A bit of help from my friend google has found some useful links for you.
Assuming its this handset model running win8
http//
Info on Win 8
http//
Some free scripts to run, look at the one third from bottom. https://
http//
Also, make sure time on the device is correct. Sometimes time and date gets shifted back and then next attempt counter is insanely high. Usually, powering on such phone with active sim card fixes it as it'll get time from GSM network, but not sure if it's an option in your case.
A bit of help from my friend google has found some useful links for you.
Assuming its this handset model running win8
http//www.gsmarena.com/nokia_lumia_820-4968.php Some free scripts to run, look at the one third from bottom. https://
github.com/cheeky4n6monkey/4n6-scripts
hello,friend,my lumia is 8.0.10517,
and after i read the links ,I find that it need SOFTWARE hive to run the python,to find the hive,
we search the web, and we find that
these 3 article is very useful,It point out where the "SOFTWARE hive's is (\Microsoft\Comms\Security\DeviceLock\ )in Partition27 Main OS,or Object21 (SOFTWARE\Microsoft\Comms\Security\DeviceLock\Object21).
But I am confuse about the what the SOFTWARE hive is,
and can't find the hive in any place. (
So can someone help me, I can give you the bin file.Now i am uplaod it…
Cheers.
http//
blog.digital-forensics.it/2015/07/windows-phone-pin-cracking.html - this might be usefull as well. Also, make sure time on the device is correct. Sometimes time and date gets shifted back and then next attempt counter is insanely high. Usually, powering on such phone with active sim card fixes it as it'll get time from GSM network, but not sure if it's an option in your case.
hi,I have read the link you hint,and we find another 2 D .But now we can't find SOFTWARE hive registry key in"\Microsoft\Comms\Security\DeviceLock\Object21.Can someone help me.Thank you.
Please PM me.
It's the registry file. SOFTWARE hive file is on MainOS partiton in "Windows\System32\config\", a file simply called SOFTWARE (no extension).
You can view the file with AccessData Registry Viewer to verify wheter the ObjectXX entry is there and extract hex data with it. Currently i only have an HTC 8s dump, that, from what i remember was password locked. In my case CredentialHash is in Object116.
For my HTC 8s, this script is able to find the pin code.
Hello,Arcaine2
Thank you for you reply for the help.I have 2 question.
Finally we got HIVE and CredentialHash,
Credential in Object1693",see picture
And now we have 2 question.
1.We don't know which the SALT value is and which the HASH value is,can you point me out that place.
2.We don't know how to put the SOFTWARE file it in python script like this
in
Anyone can teach me ( how to run this python script?
Thank you very much.
Wonder
in
this linkit sayswinphonepincrk.py –software=SOFTWARE,BUT how to run that? Anyone can teach me ( how to run this python script?
Thank you very much.
Wonder
You need to have python working in your OS.
The line
winphonepincrk.py –software=SOFTWARE
means - more or less - use the filename "SOFTWARE" (in path or in current directory) as "target", i.e. if you rename your file to "myNiceHive.hiv", you provide that name like
winphonepincrk.py –software=myNiceHive.hiv
Normally (Windows) you have python.exe associated to .py file extension, but to be sure, run it like
python.exe winphonepincrk.py –software=myNiceHive.hiv
See also
http//
BUT, the given script
https://
is "hardcoded" to "Object21"PIN_KEY = 'Microsoft\\Comms\\Security\\DeviceLock\\Object21'
you will need to edit it to reflect your key, Object1693.
Or you could try extracting the salt, hash and length hex and use the mentioned other little python script
https://
jaclaz
@Dr.wonder, it would be easier to analyze if you either pasted a hex code out of that entry or upload whole SOFTWARE hive somewhere, but from what i see, SALT should start with 98 14 79 1E (1st row) and end with B7 73 82 15 (9-th row). HASH would start with 11 E0 62 DD (10-th row) till the end with 4E 04 96 29. Length is 4.
You need to have python working in your OS.
The line
winphonepincrk.py –software=SOFTWARE
means - more or less - use the filename "SOFTWARE" (in path or in current directory) as "target", i.e. if you rename your file to "myNiceHive.hiv", you provide that name like
winphonepincrk.py –software=myNiceHive.hivNormally (Windows) you have python.exe associated to .py file extension, but to be sure, run it like
python.exe winphonepincrk.py –software=myNiceHive.hiv
See also
http//stackoverflow.com/questions/1934675/how-to-execute-python-scripts-in-windows BUT, the given script
https://github.com/RealityNet/hotoloti/blob/master/sas/winphonepincrk.py
is "hardcoded" to "Object21"PIN_KEY = 'Microsoft\\Comms\\Security\\DeviceLock\\Object21'
you will need to edit it to reflect your key, Object1693.Or you could try extracting the salt, hash and length hex and use the mentioned other little python script
https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/wp8-sha256-pin-finder.py jaclaz
hi jaclaz ,because i am use kalilinux something like Ubuntu ,
when i run the script it says
It say file winphonepincrk.py line 26 in <module>
ImportError No module name Registry..
So ,what can i to do next and how to solve this problems?
wonder