Reply
Thread Tools
qwerty12's Avatar
Posts: 4,274 | Thanked: 5,358 times | Joined on Sep 2007 @ Looking at y'all and sighing
#1
Well, I was uber stupid and forgot my lock code. >.< Reflashed and I was at least able to get back into the device. But I could not get my code back (the mtd1 hack was of no use here: the code is now encrypted...).

But the libraries in charge of device locking have an interesting trait: write **** to the lock code area of where it is stored and it will be reset to 12345.

Attached is a program that will do just that. Warning: It is writing to a very critical part of the N900. I will take no responsibility whatsoever if it messes up your N900. It worked for me (i.e. I was able to reboot fine and change the code fine. Multiple times, actually. I tested quite a few times.) but I cannot ensure it will do the same for you. Use at your own risk.

It disables the autolock upon bootup, writes **** to the lock code area, brings up the control panel applet from which you MUST change it from 12345.

Run as root, prefixing it with run-standalone.sh.
Attached Files
File Type: gz a.out.gz (2.2 KB, 10089 views)

Last edited by qwerty12; 2009-12-20 at 16:18.
 

The Following 59 Users Say Thank You to qwerty12 For This Useful Post:
qwerty12's Avatar
Posts: 4,274 | Thanked: 5,358 times | Joined on Sep 2007 @ Looking at y'all and sighing
#2
Updated. Now uses a safer method.
 

The Following 10 Users Say Thank You to qwerty12 For This Useful Post:
noobmonkey's Avatar
Posts: 3,203 | Thanked: 1,391 times | Joined on Nov 2009 @ Worthing, England
#3
Originally Posted by qwerty12 View Post
Updated. Now uses a safer method.
Cheers qwerty - useful post - would be a shame to have it lost in the forums - almost needs to be in a tecky FAQ page under "I have forgotten my PIN, what do i do?"

Well figured out
 

The Following 2 Users Say Thank You to noobmonkey For This Useful Post:
R-R's Avatar
Posts: 739 | Thanked: 242 times | Joined on Sep 2007 @ Montreal
#4
So you can actually bypass the code by typing actual asterisk ?

The old grep -A 13 lock_code /dev/mtd1 still gives 12345 but a 2nd result show up and looks as you said encrypted...
it's 13 char long so my guess is that it's simple DES.
It's also preceded by 7 bytes ... not sure what they are.

Though it must have been padded with some value as i can't seem to crack it fast for a 5 char code... Any idea what is used ? :-)

EDIT: uhm, interestingly, changing the code back to 12345 and then back to mine i get different hash.
Would the previous 7 bytes (actually it varied in size, but i'm just judging from visual chars on my terminal) just be the salt?

Last edited by R-R; 2009-12-20 at 16:54.
 

The Following 2 Users Say Thank You to R-R For This Useful Post:
R-R's Avatar
Posts: 739 | Thanked: 242 times | Joined on Sep 2007 @ Montreal
#5
Uhm, never mind, actually running the hash through john the ripper gave me my password after 7 minutes (Single core at 2.4Ghz).

So to get your password back, don't risk editing the mtd1 directly, just do this:

Code:
echo root:$(grep -A 13 lock_code /dev/mtd1|tail -1):
then put this in a file and crack it with any DES cracker... wait and enjoy :-)

As a side note (reference), this works with 1.2009.42-11.002 ... we'll see how it changes with time.

Last edited by R-R; 2009-12-20 at 17:31.
 

The Following 37 Users Say Thank You to R-R For This Useful Post:
Posts: 90 | Thanked: 11 times | Joined on Oct 2009
#6
Originally Posted by R-R View Post
Uhm, never mind, actually running the hash through john the ripper gave me my password after 7 minutes (Single core at 2.4Ghz).

So to get your password back, don't risk editing the mtd1 directly, just do this:

Code:
echo root:$(grep -A 13 lock_code /dev/mtd1|tail -1):
then put this in a file and crack it with any DES cracker... wait and enjoy :-)

As a side note (reference), this works with 1.2009.42-11.002 ... we'll see how it changes with time.
Thank you!

I thought I was going to spend the rest of my time with the n900 dreading the day I or a friend accidentally hit the secure device button.

john ripped through that in no time!
 

The Following User Says Thank You to arpwatch For This Useful Post:
Posts: 3,428 | Thanked: 2,856 times | Joined on Jul 2008
#7
This thread...........

Is soooo not comforting.
__________________
If I've helped you or you use any of my packages feel free to help me out.
-----------------------------------------------------------------------------------
Maintaining:
pyRadio - Pandora Radio on your N900, N810 or N800!
 

The Following 3 Users Say Thank You to fatalsaint For This Useful Post:
Posts: 90 | Thanked: 11 times | Joined on Oct 2009
#8
Originally Posted by fatalsaint View Post
This thread...........

Is soooo not comforting.
How so? Not comforting in the sense that so many people have already managed to lock themselves out of their phones or that it is reasonably easy to retrieve the device password?

If your worried about the latter, let me remind you that I had to reflash the phone and blasted all of the files I had on here along with all my settings and applications. So yes, someone could pinch a n900, reflash, retrieve pw, and use it... but the data would have been safely nuked into the ether.

Last edited by arpwatch; 2009-12-22 at 06:06.
 

The Following User Says Thank You to arpwatch For This Useful Post:
Posts: 3,428 | Thanked: 2,856 times | Joined on Jul 2008
#9
The fact that the encryption is so bad it takes mere minutes to crack it...

Don't get me wrong.. locking yourself out of a device sucks......... the ability to hack the device this easily... not comforting.
__________________
If I've helped you or you use any of my packages feel free to help me out.
-----------------------------------------------------------------------------------
Maintaining:
pyRadio - Pandora Radio on your N900, N810 or N800!
 

The Following User Says Thank You to fatalsaint For This Useful Post:
Posts: 90 | Thanked: 11 times | Joined on Oct 2009
#10
Well it is DES apparently. I think that has been kind of trivial to crack for a few years. Would you rather we all ship our n900s to the Authorized Nokia Repair Center and take it in the rear in shipping and "repair" charges? Because despite being under warranty and what that sweet old lady told me on the phone I'm pretty certain they were going to end up charging me if I sent it in. I don't believe this would be covered under the warranty.

If someone has physical access to a computer the information stored on it is no longer safe, short of being in a truecrypt vault. The thief could just reformat the whole thing and sell it, start using it, or pop the hard drive in a ide/usb adapter and sift through all the precious data. At least the phone makes you jump through some slightly more challenging hoops.
 

The Following User Says Thank You to arpwatch For This Useful Post:
Reply

Tags
devicelock, nokia n900


 
Forum Jump


All times are GMT. The time now is 21:15.