Closed odorisiogallo closed 3 years ago
Hi @odorisiogallo,
Please show a screenshot and provide steps to reproduce the issue. I'll try to help.
On Sun, 17 Jan 2021 at 07:47, odorisiogallo notifications@github.com wrote:
It does not keep focus on the PIN code mask. Tried the first code, all the others fail
-- Kind regards, Andrew Horton
Video
You just typed the word video.
I'm sorry! I attach a photo. On the left is the phone, which remains on the lock screen, preventing the entry of passwords.
It is working as expected with a mask of 1236. It tries only one combination and then it is complete. If you only want to try the numbers 1,2,3, and 6 then use a mask of "[1236][1236][1236][1236]"
1236 unlocks the device! I've shortened the list just for convenience. No PIN passes if the screen is in this state.
OK that's interesting. Let's see if we can make it work.
First, please tell me the make, model, and year of the phone.
Second, connect a real USB keyboard instead of the Nethunter phone. Press different keys to see if any key will get the phone into a state where it accepts a PIN.
The phone is a Moto G5 Plus, but there is the same problem on a Cubot phone from a few years ago. They are all my test phones.
If you can find a combination of keyboard keys that will get the phones to receive a PIN then I can modify the tool.
Hi, the CTRL+ESC key allows you to access the PIN entry mask and launch the attack correctly. Fix it please. Thank you.
Can you please use your keyboard to test that this series of key presses will work for your Moto G5 Plus?
CTRL+ESC 1001 ENTER 1002 ENTER 1003 ENTER 1004 ENTER 1005 ENTER (WAIT for 30 seconds) 1006 ENTER 1007 ENTER 1008 ENTER 1009 ENTER 1010 ENTER (WAIT for 30 seconds) 1011 ENTER
Hi, from my tests the CTRL + ESC combination must be performed after each wait. After five unsuccessful attempts, a warning appears which disappears when the enter key is pressed. So it should be CTRL + ESC (5 attempts) - ENTER - wait 30 seconds + CTRL + ESC (5 attempts) etc. The number of attempts decreases over time.
Can you tell me more about "The number of attempts decreases over time"?
After ten attempts, only one attempt every 30 seconds.
I also tried with a Samsung SM-A505FN / DS and after ten failed attempts (5 every thirty seconds) the attack is reduced to only one attempt every 30 seconds.
So would this pattern of keys work?
(Repeat this exactly 10 times) CTRL+ESC 1001 ENTER 1002 ENTER 1003 ENTER 1004 ENTER 1005 ENTER (WAIT for 30 seconds)
CTRL+ESC 1051 ENTER (WAIT for 30 seconds)
CTRL+ESC 1052 ENTER (WAIT for 30 seconds)
The right sequence on Moto G5 Plus is:
CTRL+ESC 1001 ENTER 1002 ENTER 1003 ENTER 1004 ENTER 1005 ENTER ENTER (for warning screen) (WAIT for 30 seconds)
CTRL+ESC 1001 ENTER 1002 ENTER 1003 ENTER 1004 ENTER 1005 ENTER ENTER (for warning screen) (WAIT for 30 seconds)
CTRL+ESC 1051 ENTER ENTER (for warning screen) (WAIT for 30 seconds) ...
On some newer devices such a brute force attack can cause all data to be deleted!
Hi @odorisiogallo, what happens if you reboot the device after 9 attempts and after 10 attempts?
After the reboot does it still only allow 1 attempt per 30 seconds, or does it go back to allowing 5 per 30 seconds?
I also discovered that the amount of allowed unsuccessful attempts before you have to wait for 30 secs decreases after 10 unsuccessful attempts (Samsung Galaxy S10, Android 10).
This would increase the amount of time needed to crack a PIN from 17 hours to 3.5 days.
@odorisiogallo ⚡ try it now with the following configuration settings in the config file:
HID device (/dev/hidg0) found
hid-keyboard executable (system/xbin/hid-keyboard) found
HID USB device non ready... ...
What happened? How to solve?
Try it again with the latest version from today, and show me the logs.
If it doesn't work please also show the output of the android-pin-bruteforce diag command.
I'm sorry, by mistake I connected the OTG cable to the Nethunter phone and not the locked phone. I'll do some tests and let you know.
Hi, and compliments on the excellent work. However, the situation is this on the Moto: the first five attacks succeed, the sixth fails because the display tends to go off every ten seconds. Attacks 7, 8 and 9 are then launched correctly and then it stops for 30 seconds, but in reality there is another attack to be performed before the break, the sixth, which did not hit. I hope I was clear.
You should keep the locked phone's display always on, or launch a command that keeps it awake every x seconds of your choice.
Can you figure out which key will keep the phone awake?
Currently it will send an ENTER key every 5 seconds during the cooldown period to keep the phone awake, but if this doesn't work for you I can make an option to change it.
Every 10 seconds. It would be desirable to be able to customize this value.
I've updated the code so you can configure it with PROMPT_STAY_AWAKE_DURING_COOLDOWN.
The default is PROMPT_STAY_AWAKE_DURING_COOLDOWN="enter".
You can select multiple keys, for example PROMPT_STAY_AWAKE_DURING_COOLDOWN="escape enter".
On a Samsung the enter is necessary to dismiss any popups that might appear, for example a popup about battery levels.
What you have done is good, but you need to be able to configure the recovery period as well. The Moto screen turns off every 10 seconds; I think this can be resolved by setting a value other than 5. The attack failed again this time :-(
Can you show me the series of key presses that work when you have a keyboard plugged in?
I recorded a small video...
As you can see, the code 1236 is not sent because the device is not ready yet!
The default that is good for most phones is PROMPT_STAY_AWAKE_DURING_COOLDOWN="enter"
Try changing the config file to these values:
PROMPT_STAY_AWAKE_DURING_COOLDOWN="escape enter"
PROMPT_STAY_AWAKE_DURING_COOLDOWN="ctrl-escape"
PROMPT_STAY_AWAKE_DURING_COOLDOWN="ctrl-escape enter"
Please let me know if any of these work on this phone.
Perhaps also try COOLDOWN_TIME=31
Hello and congratulations for the excellent work! On my test device the procedure worked with the following configuration:
COOLDOWN_TIME=35
PROMPT_STAY_AWAKE_DURING_COOLDOWN="enter"
However, after attempt no. 40 the cooldown time of my test device increases to 60 seconds, so subsequent attacks fail. So attacks 1 to 40 are OK; the next ones fail as the cooldown time goes up to 60 seconds.
I've made a config file called config.motorola.motog5plus.
Can you try using --config config.motorola.motog5plus to see if it works for you, all except the cooldown period changing.
Can you verify this is the correct configuration for how the lockscreen on the Motorola Moto G5 Plus works?
attempt number | attempts until cooldown | cooldown |
---|---|---|
0 | 5 | 30 |
11 | 1 | 30 |
41 | 1 | 60 |
Hi, using the --config parameter the attack does not start! The phone stays on the lock screen mask.
Could you try changing the variables in config.motorola.motog5plus to see if you can make it work?
Hi, the config.motorola.motog5plus file is not working! While if I use the appropriately modified config file, it works perfectly. There remains the problem of 60 seconds from attack 41 onwards
Can you verify this is the correct configuration for how the lockscreen on the Motorola Moto G5 Plus works?
attempt number | attempts until cooldown | cooldown |
---|---|---|
0 | 5 | 30 |
11 | 1 | 30 |
41 | 1 | 60 |
Yes, that's right
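As an added example (not part of the thread and not the project's code), the Python model below shows how much the progressive cooldown confirmed in the table above slows an exhaustive run over the 10,000 four-digit PINs, which is the protection the lockscreen throttle provides. It goes beyond the Moto G5 Plus table by comparing three schedules; it assumes zero typing time, no screen-timeout delay, and that the last tier continues indefinitely, and all names in it are hypothetical.

```python
# Added example: model of lockscreen attempt throttling (not the tool's code).
# Each tier is (first_attempt_number, attempts_until_cooldown, cooldown_seconds),
# the same three columns as the table in the thread.

SCHEDULES = {
    "flat 5 per 30 s": [(0, 5, 30)],
    "1 per 30 s after 10": [(0, 5, 30), (11, 1, 30)],
    "Moto G5 Plus table": [(0, 5, 30), (11, 1, 30), (41, 1, 60)],
}

PIN_SPACE = 10_000  # all four-digit PINs


def worst_case_seconds(schedule, total_attempts=PIN_SPACE):
    """Seconds of enforced cooldown before the final attempt can be entered.

    Assumptions (not from the thread): typing time is zero, the screen
    timeout adds nothing, and the last tier applies to all later attempts.
    """
    tiers = sorted(schedule)
    waited = 0
    since_cooldown = 0
    for attempt in range(1, total_attempts + 1):
        # Active tier: the one with the highest starting attempt <= attempt.
        _, batch, cooldown = max(t for t in tiers if t[0] <= attempt)
        since_cooldown += 1
        # No wait is counted after the very last attempt.
        if since_cooldown >= batch and attempt < total_attempts:
            waited += cooldown
            since_cooldown = 0
    return waited


def summarize():
    """Return {schedule name: (seconds, days rounded to 2 places)}."""
    result = {}
    for name, schedule in SCHEDULES.items():
        seconds = worst_case_seconds(schedule)
        result[name] = (seconds, round(seconds / 86400, 2))
    return result


if __name__ == "__main__":
    for name, (seconds, days) in summarize().items():
        print(f"{name:22s} {seconds:7d} s  = {days:5.2f} days")
```

The first two rows reproduce the "17 hours to 3.5 days" estimate given earlier in the thread; the 60-second tier roughly doubles the second figure.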
Can you please copy/paste your config that works perfectly so I can update config.motorola.motog5plus?
If I use --config config.motorola.motog5plus it doesn't work; if I use --config config it works by changing ctrl_escape enter in PROMP_BEFORE_EACH_PIN. I still have the problem of 60 seconds.
I've changed the behaviour of CHANGE_AFTER_10_ATTEMPTS so that after 40 attempts the COOLDOWN period is 60 seconds. I also renamed CHANGE_AFTER_10_ATTEMPTS to PROGRESSIVE_COOLDOWN.
Can you try testing it again with config.motorola.motog5plus?
The config.motorola.motog5plus file does not work; it seems that the parameter is not passed ... if I set a delay of 35 seconds, the value is ignored and the attack does not even start.
There was a bug that caused the config file to not be loaded. I've fixed it so try again now with config.motorola.motog5plus
config.motorola.motog5plus now works; however, after the fortieth attack the wait continues to be 30 seconds, and the screen shutdown time should also be considered, so that after the fortieth attack the correct delay would be 65 seconds.
There is also a considerable battery drain on the locked phone, but it could be my problem. Could you recommend an OTG cable with charging capability? Thank you.
I haven't tested any OTG cables with charging capability but this article looks useful https://gadgetstouse.com/blog/2016/04/07/usb-otg-cables-that-support-charging/
Do the keys to keep the phone awake during the cool down period work?
Do your logs include the following lines?
[SEND] 1993. Attempt 40 (0%) at Feb28 12:36:53 am
[DEBUG] Sending key: 1
[DEBUG] Sending key: 9
[DEBUG] Sending key: 9
[DEBUG] Sending key: 3
[DEBUG] Sending key: enter
[DEBUG] Countdown for 30 <-- I only just added this line
[INFO] Forty attempts have been reached! Now cooldown for 60 seconds after every PIN attempt.
[DEBUG] Sending key: left-ctrl escape
[DEBUG] Sending key: enter
[SEND] 1985. Attempt 41 (0%) at Feb28 12:36:56 am
[DEBUG] Sending key: 1
[DEBUG] Sending key: 9
[DEBUG] Sending key: 8
[DEBUG] Sending key: 5
[DEBUG] Sending key: enter
[DEBUG] Countdown for 60 <-- you should see 60 seconds