Well, I was uber stupid and forgot my lock code. >.< Reflashed and I was at least able to get back into the device. But I could not get my code back (the mtd1 hack was of no use here: the code is now encrypted...).

But the libraries in charge of device locking have an interesting trait: write **** to the lock code area of where it is stored and it will be reset to 12345.

Attached is a program that will do just that. Warning: It is writing to a very critical part of the N900. I will take no responsibility whatsoever if it messes up your N900. It worked for me (i.e. I was able to reboot fine and change the code fine. Multiple times, actually. I tested quite a few times.) but I cannot ensure it will do the same for you. Use at your own risk.

It disables the autolock upon bootup, writes **** to the lock code area, brings up the control panel applet from which you MUST change it from 12345.

Run as root, prefixing it with run-standalone.sh.

Updated. Now uses a safer method.

Cheers qwerty - useful post - would be a shame to have it lost in the forums - almost needs to be in a tecky FAQ page under "I have forgotten my PIN, what do i do?"

Well figured out

So you can actually bypass the code by typing actual asterisk ?

The old grep -A 13 lock_code /dev/mtd1 still gives 12345 but a 2nd result show up and looks as you said encrypted...
it's 13 char long so my guess is that it's simple DES.
It's also preceded by 7 bytes ... not sure what they are.

Though it must have been padded with some value as i can't seem to crack it fast for a 5 char code... Any idea what is used ? :-)

EDIT: uhm, interestingly, changing the code back to 12345 and then back to mine i get different hash.
Would the previous 7 bytes (actually it varied in size, but i'm just judging from visual chars on my terminal) just be the salt?

Uhm, never mind, actually running the hash through john the ripper gave me my password after 7 minutes (Single core at 2.4Ghz).

So to get your password back, don't risk editing the mtd1 directly, just do this:

then put this in a file and crack it with any DES cracker... wait and enjoy :-)

As a side note (reference), this works with 1.2009.42-11.002 ... we'll see how it changes with time.

Thank you!

I thought I was going to spend the rest of my time with the n900 dreading the day I or a friend accidentally hit the secure device button.

john ripped through that in no time!

This thread...........

Is soooo not comforting.

How so? Not comforting in the sense that so many people have already managed to lock themselves out of their phones or that it is reasonably easy to retrieve the device password?

If your worried about the latter, let me remind you that I had to reflash the phone and blasted all of the files I had on here along with all my settings and applications. So yes, someone could pinch a n900, reflash, retrieve pw, and use it... but the data would have been safely nuked into the ether.

The fact that the encryption is so bad it takes mere minutes to crack it...

Don't get me wrong.. locking yourself out of a device sucks......... the ability to hack the device this easily... not comforting.

Well it is DES apparently. I think that has been kind of trivial to crack for a few years. Would you rather we all ship our n900s to the Authorized Nokia Repair Center and take it in the rear in shipping and "repair" charges? Because despite being under warranty and what that sweet old lady told me on the phone I'm pretty certain they were going to end up charging me if I sent it in. I don't believe this would be covered under the warranty.

If someone has physical access to a computer the information stored on it is no longer safe, short of being in a truecrypt vault. The thief could just reformat the whole thing and sell it, start using it, or pop the hard drive in a ide/usb adapter and sift through all the precious data. At least the phone makes you jump through some slightly more challenging hoops.