Locked phone: Nexus 5, Nethunter phone: Xiaomi Redmi Note 3 - hid-keyboard works, usb-devices detected, but its not cracking (even when correct pin in the list) #20

Open
simtcrom opened this issue Apr 14, 2021 · 22 comments

@simtcrom

simtcrom commented Apr 14, 2021

To test if it's working, I modified optimised-pin-length-4.txt to have only 9 in the list, with one of them being my correct PIN.
I have a working NetHunter phone (Redmi Note 3) and a working locked phone (Nexus 5).
I connected the OTG cable to the locked phone and a normal micro USB cable to the NetHunter phone.
I ran the command bash ./android-pin-bruteforce crack
I can see the NetHunter phone tried the PINs in optimised-pin-length-4.txt one by one; it even tried the actual PIN and went further. But the locked phone did not unlock.

When I observed the locked phone's PIN screen, I did not see PINs being entered there by the NetHunter phone. Is that normal behavior?

To test that hid-keyboard actually works, I opened a notepad on the locked phone and ran the command again on the NetHunter phone; I could see PINs being printed there.


@urbanadventurer
Owner

urbanadventurer commented Apr 14, 2021

If you can't see PINs being entered then that is not normal behaviour.

What config are you using, and have you tried the config files I made for the Motorola G4 and G5?

If those config files do not work then you may need to experiment using a keyboard to find out what keys must be pressed before entering a PIN, such as ESCAPE, ENTER, SPACE, CTRL-ESCAPE and so on. With that information you could make a new config file.

@simtcrom
Author

> If you can't see PINs being entered then that is not normal behaviour.

Attached config and config.default (please note that on the phone I kept the file names as config and config.default; just for uploading here I renamed them to .txt).

config.default.txt
config.txt

@simtcrom
Author

> If those config files do not work then you may need to experiment using a keyboard to find out what keys must be pressed before entering a PIN, such as ESCAPE, ENTER, SPACE, CTRL-ESCAPE and so on. With that information you could make a new config file.

Ah, got it. I will give it a try.

@urbanadventurer
Owner

This variable might need to change: KEYS_BEFORE_EACH_PIN="escape enter"

By the way, you can use it like this.

bash ./android-pin-bruteforce -c ./config.motorola.moto-g4-plus crack

@simtcrom
Author

> This variable might need to change: KEYS_BEFORE_EACH_PIN="escape enter"
>
> By the way, you can use it like this.
>
> bash ./android-pin-bruteforce -c ./config.motorola.moto-g4-plus crack

Guess I am making progress now. When I tried config.motorola.moto-g4-plus I could see the first PIN in the list being printed on the locked phone and saw Wrong PIN.
But then it did not print anything.

@urbanadventurer
Owner

Any tips on how to make the README easier to understand would be helpful. Let me know how your journey goes.

@simtcrom
Author

> Any tips on how to make the README easier to understand would be helpful. Let me know how your journey goes.

Sure. I am trying by connecting an actual keyboard and recording what keystrokes will get to the PIN screen.

space + enter goes to the PIN screen
then typing numbers gets the PIN inputted
enter attempts that PIN.

But after that, if I type another PIN it is not being inputted (even though I am on the PIN screen); it looks like the cursor went out somewhere.
I am trying to find the keystroke to get the cursor back.

@simtcrom
Author

I connected a physical keyboard to my locked phone and
pressed space + enter,
which took me to the PIN screen, and I could enter a PIN there. After entering a wrong PIN and hitting enter, the cursor goes out from where the PIN is entered.
I had to hit the tab key 4 times to get the cursor back in position.

In short, I have to hit the tab key 4 times after every incorrect PIN. How can I put this into the config?

@urbanadventurer
Owner

urbanadventurer commented Apr 14, 2021

I have just added the space_enter key combination. You will need to download the latest version of the source code for this feature.

The part of the config to change is this:
KEYS_BEFORE_EACH_PIN="space_enter tab tab tab tab"

Hopefully this works. Let me know how you go. If not, do any other keys other than space + enter work to bring up the PIN screen?

I added this to this part of the script:

function send_keys() {
  prompt="$1"
  delay="$2"

  for key in $prompt; do

    case $key in 
      "ctrl_escape")
        send_key "left-ctrl escape"
        ;;
      "ctrl-escape")
        send_key "left-ctrl escape"
        ;;
      "space_enter")
        send_key "spacebar return"
        ;;
      "space-enter")
        send_key "spacebar return"
        ;;

@simtcrom
Author

simtcrom commented Apr 15, 2021

> I have just added the space_enter key combination. You will need to download the latest version of the source code for this feature.
>
> The part of the config to change is this:
> KEYS_BEFORE_EACH_PIN="space_enter tab tab tab tab"
>
> Hopefully this works. Let me know how you go. If not, do any other keys other than space + enter work to bring up the PIN screen?
>
> I added this to this part of the script:
>
> function send_keys() {
>   prompt="$1"
>   delay="$2"
>
>   for key in $prompt; do
>
>     case $key in
>       "ctrl_escape")
>         send_key "left-ctrl escape"
>         ;;
>       "ctrl-escape")
>         send_key "left-ctrl escape"
>         ;;
>       "space_enter")
>         send_key "spacebar return"
>         ;;
>       "space-enter")
>         send_key "spacebar return"
>         ;;

I downloaded the latest android-pin-bruteforce and added KEYS_BEFORE_EACH_PIN="space_enter tab tab tab tab" to config.motorola.moto-g4-plus. When I try, it's not going to the PIN screen any more.

With KEYS_BEFORE_EACH_PIN="ctrl_escape enter" in config.motorola.moto-g4-plus and the latest android-pin-bruteforce, at least it's going to the PIN screen, inputting the first PIN in the list and trying it. It's from the next PIN onwards that it's not able to input.

I will find out if any key other than space + enter takes me to the PIN screen.

Note: The locked phone I am trying is Nexus 5

@simtcrom
Author

I set
KEYS_BEFORE_STARTING="space enter"

and tried setting the below to
KEYS_BEFORE_EACH_PIN="tab tab tab tab"

and it's going to the PIN screen, but not selecting the PIN field.

Then I tried setting the below to
KEYS_BEFORE_EACH_PIN="ctrl_escape enter"

Now it's going to the PIN screen, the PIN field gets selected and the first PIN gets inputted correctly. But after the 1st PIN is inputted, the PIN field selection is gone. I know that tab tab tab tab (4 times tab key) will bring back the selection. But somehow I am not able to make the script do that.

@urbanadventurer
Owner

urbanadventurer commented Apr 17, 2021

Can you combine those?

KEYS_BEFORE_EACH_PIN="ctrl_escape enter tab tab tab tab"

Above you wrote: KEYS_BEFORE_STARTING="space enter"
This sends space, a short delay, then sends enter.

That is different to: KEYS_BEFORE_EACH_PIN="space_enter"
This sends space and enter at the same time.

@simtcrom
Author

simtcrom commented Apr 17, 2021

> Can you combine those?
>
> KEYS_BEFORE_EACH_PIN="ctrl_escape enter tab tab tab tab"
>
> Above you wrote: KEYS_BEFORE_STARTING="space enter"
> This sends space, a short delay, then sends enter.
>
> That is different to: KEYS_BEFORE_EACH_PIN="space_enter"
> This sends space and enter at the same time.

I tried KEYS_BEFORE_EACH_PIN="ctrl_escape enter tab tab tab tab" and also set KEYS_BEFORE_EACH_PIN="space_enter"; still it's not doing it. I also noticed that during the cool-off period it's also trying PINs in the script.
I made a video of trying different combinations. I am hoping once you see it you will get the different behaviors, and you will be able to suggest correct settings to me.

https://youtu.be/tNc6RuflGgs

@urbanadventurer
Owner

I have added KEYS_AFTER_EACH_PIN. By default it is "enter", but you could try changing it to "enter tab tab tab tab".

@simtcrom
Author

simtcrom commented Apr 18, 2021

> I have added KEYS_AFTER_EACH_PIN. By default it is "enter", but you could try changing it to "enter tab tab tab tab".

That did not help either.

I was thinking of sending keystrokes using hid-keyboard to get the working pattern.
If I want to write a couple of the below commands as part of a shell script, how should I do it?
I tried putting them as is, and got the error "/dev/hidg0: No such file or directory".
When I try the command individually in the shell it works.

echo left-ctrl escape enter | hid-keyboard /dev/hidg0 keyboard

Also, is spacebar an allowed keystroke or is it space?

@urbanadventurer
Owner

spacebar should work, but if it isn't working try space.

The following command should work in a shell script:

echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard

The /system/xbin/hid-keyboard will combine some keys, but combined keys can only be used in this script when an underscore joins them, for example with ctrl_escape.

@urbanadventurer
Owner

@simtcrom were you successful in making a config file for your Nexus 5?

@urbanadventurer changed the title from "hid-keyboard works, usb-devices detected, but its not cracking (even when correct pin in the list)" to "hid-keyboard works, usb-devices detected, but its not cracking (even when correct pin in the list) Locked phone: Nexus 5, Nethunter phone: Xiaomi Redmi Note 3" on Apr 30, 2021

@urbanadventurer changed the title from "hid-keyboard works, usb-devices detected, but its not cracking (even when correct pin in the list) Locked phone: Nexus 5, Nethunter phone: Xiaomi Redmi Note 3" to "Locked phone: Nexus 5, Nethunter phone: Xiaomi Redmi Note 3 - hid-keyboard works, usb-devices detected, but its not cracking (even when correct pin in the list)" on Apr 30, 2021

@urbanadventurer
Owner

Try making a script like this for testing:

echo "left-ctrl escape" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
echo "spacebar" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
echo "1 2 3 4" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard

@simtcrom
Author

> Try making a script like this for testing:
>
> echo "left-ctrl escape" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
> echo "spacebar" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
> echo "1 2 3 4" | /system/xbin/hid-keyboard /dev/hidg0 keyboard
> echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard

I got busy with work.
But I definitely plan to come back and try this.
I will be sure to post my results.

@urbanadventurer
Owner

Have you had a chance to look at this again?

@simtcrom
Author

simtcrom commented Jul 8, 2021

> Have you had a chance to look at this again?

Sorry, I could not. Busy at my workplace.
Also the touch of the Nexus stopped working. So I will have to spend a considerable amount of time to try this out again.

@pathanrajik

locked out unlock
