urbanadventurer / Android-PIN-Bruteforce

Unlock an Android phone (or device) by bruteforcing the lockscreen PIN. Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices! (no root, no adb)

Locked phone: HTC One X, Nethunter phone: Nexus 5 - Error sending keys #27

Closed ante1377 closed 1 year ago

ante1377 commented 3 years ago

Hello, I have the following issue:

```
bash ./android-pin-bruteforce crack -v
Android PIN brute-force :: version 0.1
[INFO] Loading optimised PIN list for 4 digits (optimised-pin-length-4.txt)
[INFO] PIN list contains 10000 PINs
[INFO] # Current Configuration
[CONF] Configuration file:
[CONF] ## PINs
[CONF] PIN list: optimised-pin-length-4.txt
[CONF] Mask:
[CONF] Resume from:
[CONF] PIN Type (PIN or Pattern): PIN
[CONF] PIN Length: 4
[CONF] Direction (normal or rewind): 1
[CONF]
[CONF] ## Timing:
[CONF] Delay before starting: 2
[CONF] Delay between keys: 0.25
[CONF] Cooldown time: 30
[CONF] Cooldown after N attempts: 5
[CONF] Send keys to stay awake during cooldown every N seconds: 5
[CONF] Progessive Cooldown: 0
[CONF] - Attempt count : 1 11 41
[CONF] - Attempts until cooldown: 5 1 1
[CONF] - Cooldown in seconds : 30 30 60
[CONF]
[CONF] ## Keys:
[CONF] Keys to send before starting: enter
[CONF] Keys to bring up the lock screen: escape enter
[CONF] Keys to stay awake during cooldown: enter
[CONF]
[CONF] ## Exiting
[CONF] Exit after fail count: 15
[CONF]
[CONF] ## File paths
[CONF] Log file: bruter.log
[CONF] HID Keyboard device: /dev/hidg0
[CONF] Path to hid-keyboard: /system/xbin/hid-keyboard
[CONF] Path to usb-devices: /usr/bin/usb-devices
[CONF]
[CONF] ## Configuration
[CONF] Dry Run: 0
[CONF] Verbose: 1
[INFO] Checking environment
[PASS] HID device (/dev/hidg0) found
[PASS] hid-keyboard executable (/system/xbin/hid-keyboard) found
[DEBUG] Sending key: enter
recv report: 00
[DEBUG] Sending key: escape
[DEBUG] Sending key: enter
[FAIL] HID USB device not ready. /system/xbin/hid-keyboard returned 5.
```

Source | Nexus 5 running Linux kali 3.4.0-8.14-Re4son-3.5 #1 SMP PREEMPT Tue Apr 14 22:10:45 AEST 2020 armv7l GNU/Linux
Target | HTC One S
OTG Cables tried | IMG_20210426_175614

- Working USB keyboard on all above OTG cables
- Working with USB cable to Computer Windows 10 using the application, does send keys
- Tried swapping from MTP to Charge and back in Dev options (no change)
- Tried rebooting victim phone (no change)

ADB logcat shows this:

```
04-27 07:47:00.078 1621 1621 I Binder_A: type=1400 audit(0.0:1876): avc: denied { ioctl } for path="socket:[418058]" dev="sockfs" ino=418058 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=1
04-27 07:47:00.078 1621 1621 I Binder_A: type=1400 audit(0.0:1877): avc: denied { ioctl } for path="socket:[418058]" dev="sockfs" ino=418058 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=1
```

```
setenforce 0
setenforce: SELinux is disabled
```

Any ideas?

urbanadventurer commented 3 years ago

Not really, just try unplugging and replugging the cables. Maybe also try rebooting the devices.

ante1377 commented 3 years ago

So just drop it and move on in life I guess :D

urbanadventurer commented 3 years ago

@ante1377 you could help me improve the troubleshooting section of the README. Perhaps while you do this, you will find the solution for your phone.

I think it would be useful to have a series of questions with yes/no answers. Can you do a trial run of answering these questions, and help me edit this to make it clear for other people?

I noted in the diag output that it looks like your NetHunter phone sent the enter key correctly at first, but failed on a later attempt. Maybe the keys are sent too quickly or the cables are faulty?

Answer Section

My phones

Can I send any keys

Sending the correct keys

Troubleshooting

Troubleshooting Instructions Section

Can I send any keys?

Are your cables correctly connected?

The Nethunter phone should have a regular USB cable attached. The OTG cable should be connected to the locked Android phone.

Refer to the graphic in the README on how to connect the phones.

Is your NetHunter Android phone capable of emulating a keyboard?

The diag command will check that these files are present.

```
bash ./android-pin-bruteforce diag
```

If these files are present but the script doesn't work, try using another Android app to emulate a keyboard such as https://store.nethunter.com/en/packages/remote.hid.keyboard.client/

Does your OTG cable work?

Connect a keyboard or mouse to any phone using the OTG cable. Confirm that the cable works with a different phone and any device. Try using a different OTG cable. Even if it works, perhaps it does not fit well with your locked phone.

Does the script correctly send keys to a text editor in Windows/Linux/MacOS?

Can you send keys to Windows/Linux/MacOS from the command line?

Try testing sending keys from the NetHunter command line.

```
echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
echo "a b c" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
```

Can you send keys to the locked phone from the command line?

Same as above.

Does the phone accept keyboard input when it is locked?

Connect a USB keyboard through the OTG cable to the locked phone. This technique requires emulating a keyboard, so if the phone does not accept USB keyboard input while it is locked, this attack will not work.

Note that some devices will not permit you to use a new or unknown USB device while it is locked.

Did you try a different locked phone?

Same as above but with a different locked phone.

Sending the correct keys

What keys will bring up the PIN prompt?

Using a keyboard, try keys and combinations of keys including:

What keys should be sent after the PIN is entered?

Usually this is enter but you might need to send other keys.

Troubleshooting

ante1377 commented 3 years ago

I would love to help you write a good troubleshooting guide. While reading through this guide I found something to have at the top of the troubleshooting!

_Does the phone accept keyboard input when it is locked? Connect a USB keyboard through the OTG cable to the locked phone. This technique requires emulating a keyboard, so if the phone does not accept USB keyboard input while it is locked, this attack will not work.

Note that some devices will not permit you to use a new or unknown USB device while it is locked._

I saw this above, and it should be the very first thing to try on the locked phone since it brings you to a dead stop if it's not working. I tried the above on both trial phones (HTC) and neither of these accepts the USB keyboard: the first is running a CM kernel and opens up a navigation app; the other HTC, which has an O2 provider image, actually hangs and reboots once you unplug the keyboard, and does not take any input at all though. Verified the cabling and keyboard with the NetHunter phone (Nexus 5) and an Android tablet (Lenovo TB-8504X). So I guess I'm out of luck with this. The application works fine with the Nexus 5 and the tablet.

urbanadventurer commented 3 years ago

What are the exact make and model of the phones that won't accept input from a keyboard? I will add that information to the wiki https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database

ante1377 commented 3 years ago

> What are the exact make and model of the phones that won't accept input from a keyboard? I will add that information to the wiki https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database

That link is empty. Just got another OTG cable and, lo and behold, this one seems to work. Not that the buttons in the script seem to be suitable, but I am able to use the keyboard now, and if I manually open the "enter pin" it does put pins in there :) just need to figure out the key-combo now.

urbanadventurer commented 3 years ago

@ante1377 that's great news. So you just needed a new OTG cable!

ante1377 commented 3 years ago

> @ante1377 that's great news. So you just needed a new OTG cable!

Any ideas how to set up a new keyset? Can't see how to "swipe up" somehow. Also not sure why the other cables worked with other phones but not with the HTC One X. Would probably need someone else with an HTC One X to confirm properly in case there is a pin issue on the actual phone itself.

urbanadventurer commented 3 years ago

If swiping up with keyboard input is not possible then we will need to look at options to emulate mouse input.

Have you tried combinations of keys with CTRL, ALT, SHIFT, etc?

ante1377 commented 3 years ago

> If swiping up with keyboard input is not possible then we will need to look at options to emulate mouse input.
>
> Have you tried combinations of keys with CTRL, ALT, SHIFT, etc?

Have not been able to find any other way than using the mouse left click and dragging it north!

urbanadventurer commented 3 years ago

Hi @ante1377 Mouse emulation is on the roadmap.

ante1377 commented 1 year ago

Pulled the latest android-pin-bruteforce v.02 and it seems to have done something, so now the keys get sent and it's also working with an edit of my htc.config file. :)

HTC ONE X