Lumia 820 Password ...
 
Notifications
Clear all

Lumia 820 Password needed issue

21 Posts
6 Users
0 Likes
1,045 Views
(@dr-wonder)
Posts: 49
Eminent Member
Topic starter
 

Hello every colleagues,

the case
We have a Nokia lumia 820 to investigation,when boot the phone it's protected by a password say xxxminuts to retry,see picture,

so we had to try cellebrite to extract the physial bin file and succeeded got it.but after that we still don't know the protected password is .

So every experts we have a question,is there any way to find the password or paring the key word in the image .

Any idea thought will be appreciate.Thanks

Cheers
wonder

 
Posted : 27/07/2016 10:04 am
(@dandaman_24)
Posts: 172
Estimable Member
 

A bit of help from my friend google has found some useful links for you.

Assuming its this handset model running win8
http//www.gsmarena.com/nokia_lumia_820-4968.php

Info on Win 8
http//cheeky4n6monkey.blogspot.co.uk/2014/10/awesome-windows-phone-8-stuff.html

Some free scripts to run, look at the one third from bottom. https://github.com/cheeky4n6monkey/4n6-scripts

 
Posted : 27/07/2016 1:09 pm
(@arcaine2)
Posts: 235
Estimable Member
 

http//blog.digital-forensics.it/2015/07/windows-phone-pin-cracking.html - this might be usefull as well.

Also, make sure time on the device is correct. Sometimes time and date gets shifted back and then next attempt counter is insanely high. Usually, powering on such phone with active sim card fixes it as it'll get time from GSM network, but not sure if it's an option in your case.

 
Posted : 28/07/2016 12:16 am
(@dr-wonder)
Posts: 49
Eminent Member
Topic starter
 

A bit of help from my friend google has found some useful links for you.

Assuming its this handset model running win8
http//www.gsmarena.com/nokia_lumia_820-4968.php

Some free scripts to run, look at the one third from bottom. https://github.com/cheeky4n6monkey/4n6-scripts

hello,friend,my lumia is 8.0.10517,
and after i read the links ,I find that it need SOFTWARE hive to run the python,to find the hive,
we search the web, and we find that
1.Discovering Windows Phone 8 artifacts
2.Python script determines a salted SHA256 hashed Windows Phone
3.Windows-phone-pin-cracking
these 3 article is very useful,It point out where the "SOFTWARE hive's is (\Microsoft\Comms\Security\DeviceLock\ )in Partition27 Main OS,or Object21 (SOFTWARE\Microsoft\Comms\Security\DeviceLock\Object21).
But I am confuse about the what the SOFTWARE hive is,
and can't find the hive in any place. (
So can someone help me, I can give you the bin file.Now i am uplaod it…

Cheers.

 
Posted : 28/07/2016 9:42 am
(@dr-wonder)
Posts: 49
Eminent Member
Topic starter
 

http//blog.digital-forensics.it/2015/07/windows-phone-pin-cracking.html - this might be usefull as well.

Also, make sure time on the device is correct. Sometimes time and date gets shifted back and then next attempt counter is insanely high. Usually, powering on such phone with active sim card fixes it as it'll get time from GSM network, but not sure if it's an option in your case.

hi,I have read the link you hint,and we find another 2 D .But now we can't find SOFTWARE hive registry key in"\Microsoft\Comms\Security\DeviceLock\Object21.Can someone help me.Thank you.
Please PM me.

 
Posted : 28/07/2016 9:52 am
(@arcaine2)
Posts: 235
Estimable Member
 

It's the registry file. SOFTWARE hive file is on MainOS partiton in "Windows\System32\config\", a file simply called SOFTWARE (no extension).

You can view the file with AccessData Registry Viewer to verify wheter the ObjectXX entry is there and extract hex data with it. Currently i only have an HTC 8s dump, that, from what i remember was password locked. In my case CredentialHash is in Object116.

This script might be easier to use. Less dependancies, but you have to manually extract HASH and SALT from that registry entry. For this, look at website from my previous post. SALT should be everything from the red stuff up to green one, so based on that example it should start at 87A6 and end with 38B7. HASH is the red part at the end, from 3CDA to 2585. Apply the same to what you'll see and it should work.

For my HTC 8s, this script is able to find the pin code.

 
Posted : 29/07/2016 12:23 am
(@dr-wonder)
Posts: 49
Eminent Member
Topic starter
 

Hello,Arcaine2
Thank you for you reply for the help.I have 2 question.
Finally we got HIVE and CredentialHash,
Credential in Object1693",see picture

And now we have 2 question.

1.We don't know which the SALT value is and which the HASH value is,can you point me out that place.

2.We don't know how to put the SOFTWARE file it in python script like this

in this linkit sayswinphonepincrk.py –software=SOFTWARE,BUT how to run that?

Anyone can teach me ( how to run this python script?

Thank you very much.

Wonder

 
Posted : 29/07/2016 10:19 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

in this linkit sayswinphonepincrk.py –software=SOFTWARE,BUT how to run that?

Anyone can teach me ( how to run this python script?

Thank you very much.

Wonder

You need to have python working in your OS.
The line
winphonepincrk.py –software=SOFTWARE
means - more or less - use the filename "SOFTWARE" (in path or in current directory) as "target", i.e. if you rename your file to "myNiceHive.hiv", you provide that name like
winphonepincrk.py –software=myNiceHive.hiv

Normally (Windows) you have python.exe associated to .py file extension, but to be sure, run it like
python.exe winphonepincrk.py –software=myNiceHive.hiv
See also
http//stackoverflow.com/questions/1934675/how-to-execute-python-scripts-in-windows

BUT, the given script
https://github.com/RealityNet/hotoloti/blob/master/sas/winphonepincrk.py
is "hardcoded" to "Object21"
PIN_KEY = 'Microsoft\\Comms\\Security\\DeviceLock\\Object21'you will need to edit it to reflect your key, Object1693.

Or you could try extracting the salt, hash and length hex and use the mentioned other little python script
https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/wp8-sha256-pin-finder.py

jaclaz

 
Posted : 29/07/2016 1:11 pm
(@arcaine2)
Posts: 235
Estimable Member
 

@Dr.wonder, it would be easier to analyze if you either pasted a hex code out of that entry or upload whole SOFTWARE hive somewhere, but from what i see, SALT should start with 98 14 79 1E (1st row) and end with B7 73 82 15 (9-th row). HASH would start with 11 E0 62 DD (10-th row) till the end with 4E 04 96 29. Length is 4.

 
Posted : 29/07/2016 2:38 pm
(@dr-wonder)
Posts: 49
Eminent Member
Topic starter
 

You need to have python working in your OS.
The line
winphonepincrk.py –software=SOFTWARE
means - more or less - use the filename "SOFTWARE" (in path or in current directory) as "target", i.e. if you rename your file to "myNiceHive.hiv", you provide that name like
winphonepincrk.py –software=myNiceHive.hiv

Normally (Windows) you have python.exe associated to .py file extension, but to be sure, run it like
python.exe winphonepincrk.py –software=myNiceHive.hiv
See also
http//stackoverflow.com/questions/1934675/how-to-execute-python-scripts-in-windows

BUT, the given script
https://github.com/RealityNet/hotoloti/blob/master/sas/winphonepincrk.py
is "hardcoded" to "Object21"
PIN_KEY = 'Microsoft\\Comms\\Security\\DeviceLock\\Object21'you will need to edit it to reflect your key, Object1693.

Or you could try extracting the salt, hash and length hex and use the mentioned other little python script
https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/wp8-sha256-pin-finder.py

jaclaz

hi jaclaz ,because i am use kalilinux something like Ubuntu ,

when i run the script it says

It say file winphonepincrk.py line 26 in <module>
ImportError No module name Registry..

So ,what can i to do next and how to solve this problems?

wonder

 
Posted : 29/07/2016 3:21 pm
Page 1 / 3
Share: