README

1. Android PIN Bruteforce
2. Unlock an Android phone or device
3. by brute-forcing the lock screen PIN.
4. Turn any Kali Nethunter phone into
5. bruteforce PIN cracker of Android!
6.  
7. To learn about the commands and other usage details
8.  
9. It uses a USB OTG cable to connect the locked phone to the Nethunter device.
10. It emulates a keyboard, automatically tries PINs, and waits after trying too many wrong guesses.
11.  
12. [Nethunter phone] ⇌ [USB cable] ⇌ [USB OTG adaptor] ⇌ [Locked Android phone]
13.  
14. The USB HID Gadget driver provides emulation of USB Human Interface Devices (HID).
15. This enables an Android Nethunter device to emulate keyboard input to the locked phone.
16. It's just like plugging a keyboard into a locked phone and pressing keys.
17.  
18. ⏳ This takes a bit over 16.6 hours to try all possible 4-digit PINs,
19. but with the optimised PIN list it should take you much less time.
20.  
21. ✅ You will need
22. - A locked Android phone
23. - A Nethunter phone (or any rooted Android with HID kernel support)
24. - USB OTG (On The Go) cable/adapter (USB male Micro-B to female USB A) and a standard charging cable (USB male Micro-B to male A).
25.  
26. ✨ Benefits
27. Turn your NetHunter phone into an Android PIN-cracking machine
28. Unlike other methods, you do not need ADB or USB debugging enabled on the locked phone
29. You don't need to buy special hardware, e.g. Rubber Ducky, Teensy, Cellebrite, XPIN Clip, etc.
30. You can easily modify the backoff time to crack other types of devices
31. It works!
32.  
33. 👉🏻 Features
34. - Optimized PIN list
35. - Bypasses phone pop-ups including the Low Power Warning
36. - Detects when the phone is unplugged or powered off, and waits while retrying every 5 seconds
37. - Configurable delays of N seconds after every X PIN attempt
38. - A log file gets created for further debugging
39.  
40. ⚙ Installation & Usage
41. Android-PIN-Bruteforce is used to unlock an Android phone (or device) by brute forcing the lock screen PIN.
42.  
43.   Find more information at: https://github.com/utsanjan/Android-Pin-Bruteforce
44.  
45. Commands:
46.  crack             Begin cracking PINs
47.  resume            Resume from a chosen PIN
48.  rewind            Crack PINs in reverse from a chosen PIN
49.  diag              Display diagnostic information
50.  
51. Options:
52.  -f, --from PIN    Resume from this PIN
53.  -m, --mask REGEX  Use a mask for known digits in the PIN
54.  -t, --type TYPE   Select PIN or PATTERN cracking
55.  -l, --length NUM  Crack PINs of NUM length
56.  -d, --dry-run     Dry run for testing. Doesn't send any keys.
57.  -v, --verbose     Output verbose logs.
58.  
59. Usage:
60.  android-pin-bruteforce <command> [options]
61. 📌 PIN Lists
62. Optimized PIN list
63. pinlist.txt is an optimized list of all possible 4-digit PINs,
64. sorted by order of likelihood. pinlist.txt is from the following:
65. https://github.com/mandatoryprogrammer/droidbrute
66.  
67. This list is used with permission from Justin Engler & Paul Vines from Senior Security Engineer, iSEC Partners, and was used in their Defcon talk, Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)
68.  
69. 🎭 Cracking with Masks
70. Masks use regular expressions with the standard grep extended format.
71.  
72. ./android-pin-bruteforce crack --mask "...[45]" --dry-run
73.  
74. To try all years from 1900 to 1999, use a mask of 19..
75. To try PINs that have a 1 in the first digit, and a 1 in the last digit, use a mask of 1..1
76. To try PINs that end in 4 or 5, use ...[45]
77. 🙁 Troubleshooting
78. Executing the script
79. If you installed the script to /sdcard/, you can
80. execute it with the following command.
81.  
82. bash ./android-pin-bruteforce
83.  
84. Note that Android mounts /sdcard with the noexec flag. You can verify this with mount.
85.  
86. Check the cables
87. The OTG cable should be connected to the locked Android phone.
88. The regular USB cable should be connected to the Nethunter phone.
89.  
90. Diagnostics
91. Use the diagnostic command.
92.  
93. bash ./android-pin-bruteforce diag
94.  
95. Note that Nethunter USB HID support was inconsistent during testing and development.
96. However, after it starts working, it should continue working until you crack the PIN.
97.  
98. If you receive this message when the USB cable is plugged in then try taking
99. the battery out of the locked Android phone and power cycling it.
100.  
101. [FAIL] HID USB device not ready. The return code from /system/xbin/hid-keyboard was 5.
102.  
103. Known Issues
104. This cannot detect when it unlocks
105. Tips & Tricks
106. Try powering off the phone and taking out the battery
107. Try sending keys to your PC or laptop
108. Note that the Device Not Found messages
109. are not as important as sending keys successfully.
110.  
111. 🧑🏻‍💻 Technical Details
112. This works from an Android phone because the USB ports
113. are not bidirectional, unlike the ports on a laptop.
114.  
115. Keys are sent using /system/xbin/hid-keyboard.
116. To test this and send the key 1 you can use the following:
117. echo 1 | /system/xbin/hid-keyboard dev/hidg0 keyboard
118.  
119. Before each PIN, we send the escape and enter keys. This is to keep the Android responsive and dismiss any popups about the number of incorrect PIN attempts or a low battery warning. My original motivation to develop this was to unlock a Samsung S5 Android phone. It had belonged to someone who had passed away, and their family needed access to the data on it. As I didn't have a USB Rubber Ducky or any other hardware handy, I tried using a variety of methods and eventually realized I had to develop something new.