[Howto] Different PIN on lockscreen than for device encryption

robberknight

Member
May 22, 2012
22
13
Hi,

Android 4 / ICS has a good security feature: full device encryption. But its implementation has a big usability problem: you have to use the same password for device encryption as on the lockscreen. Meaning you have to enter the complicated encryption password every time you want to access your phone :mad:

Choosing an easy password would make encryption worthless and Android limits the lowest complexity allowed for encryption.

Technically these passwords are two completely separate things. It's just the Android UI that mingles this. So it's time to hack and separate what should be separate!

Here is how to do it, rooted phone needed:

  1. Make a backup
  2. Enable USB debugging so that you have a backdoor if something goes wrong
  3. Install the prerequisites: SL4A including Python4Android
  4. Switch your SuperSU or superuser to grant su by default. You will have to accept lots of commands otherwise, and I had problems with the dialog of my SuperSU doing this
  5. Install my pin_change.py program in the sl4a/scripts directory on your phone, it is attached to this post. Maybe you have to rename the extension to .py (had to rename it due to forum restrictions)
  6. Start pin_change.py through SL4A
  7. It will make a backup of your current password and allow you to set a new numeric pin
  8. Reboot your phone, the lockscreen caches the old settings otherwise
  9. Disable USB debugging and switch your superuser settings back

That's it, you can now use an easy pin on your lockscreen.

Maybe you are missing the sqlite3 command. pin_change.py will check for it and notify you if it is not there. The easiest way to get it is the "Sqlite installer for root" app on the market.

pin_change.py allows you to restore the backup or to set a new pin. You should restore the backed-up password before you change your encryption password through the Android GUI.

I tested this on a Samsung Galaxy SII and a HTC Sensation, both EU models running a 4.0.3 from the manufacturer. I just rooted them, no custom roms.
The only thing I could find was that the vpn account data is encrypted too and you now can't enter the password anymore. So you have to redo your vpn setup, no big deal.

Just to make it clear: this allows you to use a numeric pin for unlocking where e.g. the Samsung Galaxy S2 requires an alphanumeric password. This tool does not (yet?) allow you to use a pattern to unlock.

You do this at your own risk, no warranty, this script may brick your phone, drink all your beer or eat little children. So be careful.
 

Attachments

  • pin_change.py.txt
    8.8 KB · Views: 2,028

robberknight

Member
May 22, 2012
22
13
When you use a numeric pin on your lockscreen, someone could use fingerprint locations to guess your pin code. So you should make sure that no one can make enough tries till he finds the correct pin.

Here is how to limit the number of failed pins:

  • Install Tasker
  • Install Secure Settings
  • Open Tasker and Create a new Profile
  • Context based on state - Plugin - Secure Settings
  • You can configure it to the desired number of failed login attempts
  • New Task - Misc - Reboot - Shutdown

I have set the failed login attempts to two. After that the phone instantly switches off. When switching it on again, everything is encrypted and you have to enter the long and complex encryption password. Voila, we are secure!
 
Reactions: lolo250612
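
The trade-off described in the post above, worked through as an added example that is not part of the original thread: if smudges reveal which digits occur in the PIN, how many candidate PINs remain, and what chance a guesser has before the failed-attempt limit shuts the phone down. The function names and the guessing model are assumptions made for this illustration.

```python
# Added example (not from the thread). Assumed model: the smudges reveal
# exactly which digits occur in the PIN, but not their order or how often
# each one repeats. The guesser tries distinct candidates, and the phone
# powers off after `attempts` wrong entries (the Tasker profile in the post).
from fractions import Fraction
from itertools import product
from math import comb


def candidate_count(distinct_digits, length):
    """Number of PINs of `length` digits that use each of the
    `distinct_digits` smudged keys at least once and no other key.
    Computed by inclusion-exclusion over the keys left unused."""
    k = distinct_digits
    if k < 1 or k > length:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** length
               for j in range(k + 1))


def enumerate_candidates(smudged, length):
    """Brute-force listing of the same set, used to cross-check the formula."""
    digits = sorted(set(smudged))
    return ["".join(p) for p in product(digits, repeat=length)
            if set(p) == set(digits)]


def success_chance(distinct_digits, length, attempts):
    """Chance that one of `attempts` distinct guesses hits the PIN."""
    n = candidate_count(distinct_digits, length)
    if n == 0:
        return Fraction(0)
    return Fraction(min(attempts, n), n)


def min_length_for_risk(distinct_digits, attempts, max_risk, max_length=16):
    """Shortest PIN length that keeps the guesser's chance at or below
    `max_risk`. The 4..16 range mirrors the length check that the
    pin_change.py listing in this thread applies to new PINs."""
    for length in range(max(4, distinct_digits), max_length + 1):
        if success_chance(distinct_digits, length, attempts) <= max_risk:
            return length
    return None


if __name__ == "__main__":
    attempts = 2  # the limit the poster chose
    print("no smudge information, 4 digits:", Fraction(attempts, 10 ** 4))
    for k in (1, 2, 3, 4):
        for length in (4, 5, 6):
            n = candidate_count(k, length)
            print("digits seen=%d length=%d candidates=%d chance=%s"
                  % (k, length, n, success_chance(k, length, attempts)))
```
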

robberknight

Member
May 22, 2012
22
13
While I'm at it - one more hint about device encryption:

When I first tried to encrypt my Samsung Galaxy S2, it started and showed a green robot. After about a minute it rebooted and that was it - no encryption.

I activated adb logcat to see what was going on. Lots of other stuff and finally this:
Code:
E/Cryptfs (   73): unmounting /data failed
E/Cryptfs (   73): Error enabling encryption after framework is shutdown, no data changed, restarting system

I thought a bit about it and had the idea that maybe the external sdcard is still mounted and that mountpoint creates this problem. I was right - removing the external sd solved it.
 

szakeetm

Member
Jun 5, 2012
6
0
I need a little noob help here, using Samsung Galaxy SII on ICS 4.0.3. I don't have much experience with Python, only installed it to make this script work.

Running pin_change.py I get the "sqlite3 command not found" error. Now I guess I have to install the thirdparty.tar.gz from the Python for Android (Google Code) website, but I have no idea what to do with the downloaded file. Could you please help?
 

robberknight

Member
May 22, 2012
22
13
szakeetm said:
Running pin_change.py I get the "sqlite3 command not found" error. Now I guess I have to install the thirdparty.tar.gz from the Python for Android (Google Code) website, but I have no idea what to do with the downloaded file. Could you please help?

Just do as I wrote, you don't need no thirdparty.tgz:

robberknight said:
Maybe you are missing the sqlite3 command. pin_change.py will check for it and notify you if it is not there. The easiest way to get it is the "Sqlite installer for root" app on the market.
 

szakeetm

Member
Jun 5, 2012
6
0
Yes, the problem is the missing sqlite. I will do as you told once I re-encrypted my phone. Will keep you posted once I have the results.
 

porgybess

Member
Apr 15, 2012
47
6
Hi robberknight,

Thanks for this very interesting work. Will this work on Honeycomb as well, or just ICS?
 

robberknight

Member
May 22, 2012
22
13
I don't have a Honeycomb device to test so I don't know.

You can just try it though. The script tests the password before changing anything. The test will fail if encoding is done differently on Honeycomb. And the script also creates a backup before overwriting anything.

I consider the chance that the script breaks anything quite low. But it can very well be that the script aborts with an error because something is done differently on Honeycomb.
 

xdascrat

New member
Jul 24, 2012
4
0
sqlite3 binary

Some hints:
I failed to install "Sqlite installer for root".
So I grabbed sqlite3 from SuperOneClickv2.3.3-ShortFuse.zip.
Somehow it won't start within the python script. It throws "cannot locate register_android_functions" in def sqliteFound(self) which ends up with the error "sqlite3 command not found". Executing sqlite3 -version in the shell caused no problem.

I managed to get sqlite3 working by installing again from "Sqlite installer for root" after proper remount of /system in read-write mode
"mount -o remount,rw /dev/block/mmcblk0p15 /system"

The PIN-Lock works now!

Using S3 with DarkyROM III v2.0 (Android 4.0.4)
 

salatiel

Senior Member
Aug 15, 2012
104
22
I am getting "can not read salt" when executing. Ideas?

---------- Post added at 03:11 PM ---------- Previous post was at 03:04 PM ----------

Using Jelly Bean by the way
 

88%

Member
Aug 14, 2012
21
2
salatiel said:
I am getting "can not read salt" when executing. Ideas?

---------- Post added at 03:11 PM ---------- Previous post was at 03:04 PM ----------

Using Jelly Bean by the way

I'm not in JB, but when I got a "can't read salt" error recently, I got through it by changing SU back to "prompt" and then clicking through the prompts. I have no idea if this might work for you though.
 

morpheus4you

Member
Aug 13, 2011
6
1
Thank you for sharing this information. This is exactly what I was looking for :)

I think it is logical to have a complex password for booting your encrypted android, but using a simple pin for unlocking your screen. Who wants to enter their complex password every time the lockscreen pops up?

I'm running cyanogenmod 9 on SGS2 and I will report back here if it doesn't work somehow.
 

salatiel

Senior Member
Aug 15, 2012
104
22
The easiest way to accomplish this is to set the password for the boot using vdc cryptfs changepw PASSWORD.


Sent from my Galaxy Nexus using xda app-developers app

---------- Post added at 04:07 PM ---------- Previous post was at 04:04 PM ----------

That will change the password for the encrypted volume while keeping your PIN whatever you initially set up

Sent from my Galaxy Nexus using xda app-developers app
 

srynoname

Member
Sep 20, 2012
43
1
salatiel said:
The easiest way to accomplish this is to set the password for the boot using vdc cryptfs changepw PASSWORD.
That will change the password for the encrypted volume while keeping your PIN whatever you initially set up
Sent from my Galaxy Nexus using xda app-developers app

Can you please elaborate on this? I assume the steps would then be
1) encrypt android phone using normal GUI way from the settings
2) Change PIN to some easy to enter PIN for the lock screen
3) Use vdc cryptfs changepw PASSWORD to set a strong password for the authentication during boot?

Update: Yes, that is how it works. See http://blog.joelj.org/2012/08/02/st...setting-a-different-bootlock-screen-password/
 

azoom1

Member
Jun 21, 2012
10
4
RDU
Script method is better than "vdc cryptfs changepw" on Galaxy S2 Epic Touch

This script is the way to go for the Galaxy S2 Epic Touch for at least 2 reasons:

1) Using the "vdc cryptfs changepw" method doesn't seem to work. I tried Cryptfs Password and EncPassChanger both of which fail with the error that the current password is incorrect. My presumption is that the EpicTouch stores the password differently than a Nexus. (I tried to use it command-line as well, but I'm not really versed in that method so I'm not sure I was doing it correctly.)

2) The EpicTouch also requires an alpha-numeric password in order to encrypt. It will not accept a PIN. You must choose a password with at least 6 characters, including one alpha and one numeric. Again, this is different than the Nexus which appears to accept a simpler numeric PIN for encryption.

Thus, using the "vdc cryptfs changepw" method would not be optimal because you'd still be stuck with the alpha-numeric PIN that you used to initially encrypt the device. Thus, this script method that changes the GUI PIN is much better.

A hint for those who are trying this and have never used SL4A/Python (as I was):

1) Load SL4A
2) Menu-View-Interpreters
3) Menu-Add
4) Select Python 2.6.2 - the SL4A app will go get Python and install it with the correct linking
5) Exit SL4A, then start Python and select Install, and when finished, exit Python
6) Put the pin_change.py file in the SL4A "scripts" directory
7) Start SL4A

After that, when SL4A is run you should see the script in the pick list. Upon selection SL4A will pop-up an icon select-list. Pick the gear, which will run the script.

Thanks to the original poster for sharing this.
 
Reactions: TNAR and respider

iamus

New member
Oct 26, 2012
2
0
This is awesome! Thanks goes to the OP!



I have one question though, Is there a way I can modify the python script to use the pattern instead of the pin ?
 

azoom1

Member
Jun 21, 2012
10
4
RDU
S3 with JB 4.1.1 - "can't read salt"

salatiel said:
I am getting "can not read salt" when executing. Ideas?

---------- Post added at 03:11 PM ---------- Previous post was at 03:04 PM ----------

Using Jelly Bean by the way


Although this worked great on my Sprint S2, I've just upgraded to the S3, (running JB 4.1.1) and I'm getting stuck at "can't read salt". I did what I could and I looked through the script and confirmed the database is at the same location in the S2 and S3. However, although I can find the salt in the S2 database, it does not appear in the S3 database. Obviously, that's why it's getting the error. Unfortunately, I can't find any information as to where the salt is stored in JB. My thought was to make a small modification to the script and point it to the correct database.

This script made using encryption on the S2 very pleasant. Any assistance you can give in helping to get it working on JB/S3 would be greatly appreciated.

Thanks.
 

creiss

New member
Nov 13, 2012
1
0
Awesome... but

Hey there!

Awesome little script that just works.
I am running on my Galaxy S3 here, feeling a lot more secure.

However, I just upgraded to Android 4.1.1 (Build JRO03C.I9300XXDLIH) and the script does change the password to a pin, leaving the encryption password intact, but it won't switch the device to pin input screen. I rather have the text box field, which is kinda annoying to use.

Would that be easy to fix for you?

Cheers,
and thanks for all the hard work,
much appreciated!

-Christian.
 

Top Liked Posts

    Using PIN for lockscreen and Password for Encryption

    Figured out how to get the Galaxy S3 from Sprint to use the PIN numeric entry screen for my lockscreen, and a password and full-keyboard prompt for encryption.

    The issue is that on stock ROMs for Sprint Galaxy S3 (and I believe this is true for many other S3 ROMs), you must use a full keyboard/password for the lockscreen and encryption. Using the EncPassChanger and other scripts based on cryptfs changepw won't switch the lockscreen entry method from keyboard to numeric keypad if your password contains only numbers. The following script keeps encryption password entry method (full keyboard) independent of lockscreen entry method (e.g., PIN).

    The key is that you can enable encryption independent of your lockscreen via the following command syntax
    su vdc cryptfs enablecrypto <wipe|inplace> <passwd>

    The process for having a PIN lockscreen and a long password for system encryption is
    1) Set a PIN for your lockscreen as normal

    2) From a terminal on a rooted system (tested on rooted stock Sprint G3), type
    > su
    > vdc cryptfs enablecrypto inplace <LongSecurePassword>

    Then wait...after about 30 seconds your android will reboot and the encryption process will begin. After encryption completes (about 1 hour) your system will reboot and eventually prompt for the <LongSecurePassword> to gain access to your system. You will only need to enter that password once for each reboot / power-on. The lockscreen will continue to use the original PIN input method and PIN code.

    It might be possible to use this technique to even have a lockscreen with pattern or no security, while the device remains encrypted. That possibility has not been tested.

    Use the above technique at your own risk. "Bad people" will still have easy access to your data (based on the lockscreen method chosen) until they reboot or power-cycle your android (when they will then be greeted by the request for your LongSecurePassword).

    Also, I have not tried changing the PIN or lockscreen method after applying the above change. The unknown is how vendors have modified Android's lockscreen code - don't know how or when in the process they force the two to be kept in-sync.

    -- TJ

    BTW> more info on vdc command is via:
    android.googlesource.com/platform/system/vold/+/b1596afa59c7108cc6ce23bab54a1bc41961806a/CommandListener.cpp
    3
    azoom1 said:
    Although this worked great on my Sprint S2, I've just upgraded to the S3, (running JB 4.1.1) and I'm getting stuck at "can't read salt". I did what I could and I looked through the script and confirmed the database is at the same location in the S2 and S3. However, although I can find the salt in the S2 database, it does not appear in the S3 database. Obviously, that's why it's getting the error. Unfortunately, I can't find any information as to where the salt is stored in JB. My thought was to make a small modification to the script and point it to the correct database.

    This script made using encryption on the S2 very pleasant. Any assistance you can give in helping to get it working on JB/S3 would be greatly appreciated.

    Thanks.

    I've modified the script to work on the Galaxy Note II (N7100) on JB (4.1.1), as Samsung stores their settings elsewhere. It should be the same on the S3 as well :) Just expand to see it and copy/paste...


    Code:
    #
    # Android pin change
    # change the pin without Android UI restrictions bothering you
    # allows to use a different pin on the lockscreen than the password
    # for device encryption
    #
    # Version 1.0 / 2012-05-29
    # by robberknight
    #
    # modified by Pulser_G2 (pulser_at_xda-developers.com) to work with
    # Samsung devices (tested on Galaxy Note II N7100 JB 4.1.1)
    # No Warranty!
    
    import android
    import subprocess
    import sys
    import hashlib
    import struct
    import binascii
    
    class PinChange(object):
    
    	def __init__(self):
    		self.droid = android.Android()
    	
    	def askNewPin(self):
    		pin1 = self.droid.dialogGetInput('New PIN (numeric)').result
    		if not pin1:
    			return False
    		
    		if not pin1.isdigit() or len(pin1) < 4 or len(pin1) > 16:
    			self.droid.dialogCreateAlert("Error", "Invalid PIN")
    			self.droid.dialogSetNeutralButtonText('Abort')
    			self.droid.dialogShow()
    			return False
    
    		pin2 = self.droid.dialogGetInput('Confirm PIN').result 
    		if not pin2:
    			return False
    
    		if pin1 != pin2:
    			self.droid.dialogCreateAlert("Error", "PINs don't match")
    			self.droid.dialogSetNeutralButtonText('Abort')
    			self.droid.dialogShow()
    			return False
    	
    		return pin1
    
    	def getFileContent(self,filename):
    		try:
    			catpipe = subprocess.Popen(["su", "-c", "cat \""+filename+"\" 2>/dev/null"], stdout = subprocess.PIPE)
    			catoutput = catpipe.communicate()[0]
    			if catpipe.returncode == 0:
    				return catoutput
    			else:
    				return None
    		except:
    			self.droid.dialogCreateAlert("Error", "Can't execute su call (not rooted?)")
    			self.droid.dialogSetNeutralButtonText('Abort')
    			self.droid.dialogShow()
    			sys.exit(1)
    		
    	def sqliteFound(self):
    		try:
    			statpipe = subprocess.Popen(["sqlite3", "-version"], stdout = subprocess.PIPE)
    			statoutput = statpipe.communicate()[0]
    			if statpipe.returncode == 0 and statoutput[0] >= '3':
    				return True
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't find sqlite3 command")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def createBackup(self):
    		if self.getFileContent("/data/system/password.sav") == None or \
    			len(self.getFileContent("/data/system/password.sav")) == 0:
    			try:
    				statpipe = subprocess.Popen(["su", "-c", "cat /data/system/password.key >/data/system/password.sav"], stdout = subprocess.PIPE)
    				statoutput = statpipe.communicate()[0]
    				if statpipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't create password backup")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    				chmodpipe = subprocess.Popen(["su", "-c", "chmod 600 /data/system/password.sav"], stdout = subprocess.PIPE)
    				chmodpipe.communicate()[0]
    				if chmodpipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't secure password backup")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    				sqlitepipe = subprocess.Popen(["su", "-c", "sqlite3 -batch \
    					/data/system/locksettings.db \"SELECT value FROM locksettings WHERE name = 'lockscreen.password_type'\" >/data/system/password_type.sav"], 
    					stdout = subprocess.PIPE)
    				sqlitepipe.communicate()[0]
    				if sqlitepipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't backup password type")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    			except:
    				self.droid.dialogCreateAlert("Error", "Can't execute su call (not rooted?)")
    				self.droid.dialogSetNeutralButtonText('Abort')
    				self.droid.dialogShow()
    				sys.exit(1)
    		
    	def restoreBackup(self):
    		if self.getFileContent("/data/system/password.sav") != None and \
    			len(self.getFileContent("/data/system/password.sav")) > 0 and \
    			self.getFileContent("/data/system/password_type.sav") != None and \
    			len(self.getFileContent("/data/system/password_type.sav")) > 0:
    			try:
    				statpipe = subprocess.Popen(["su", "-c", "cat /data/system/password.sav >/data/system/password.key"], stdout = subprocess.PIPE)
    				statoutput = statpipe.communicate()[0]
    				if statpipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't restore password backup")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    			except:
    				self.droid.dialogCreateAlert("Error", "Can't execute su call (not rooted?)")
    				self.droid.dialogSetNeutralButtonText('Abort')
    				self.droid.dialogShow()
    				sys.exit(1)
    			pwdtype=self.getFileContent("/data/system/password_type.sav")
    			pwdtype=pwdtype.splitlines()[0].strip()
    			self.writePasswordType(pwdtype)
    			self.droid.dialogCreateAlert("Success", "Backup restored")
    			self.droid.dialogSetPositiveButtonText('Ok')
    			self.droid.dialogShow()
    				
    	def writePasswordType(self,typeno):
    		try:
    			sqlitepipe = subprocess.Popen(["su", "-c", "sqlite3 -batch \
    				/data/system/locksettings.db \"UPDATE locksettings SET value='"+str(typeno)+"' WHERE name = 'lockscreen.password_type'\""], 
    				stdout = subprocess.PIPE)
    			sqlitepipe.communicate()
    			if sqlitepipe.returncode == 0:
    				return
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't write pwd type")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def writePassword(self,pwdhash):
    		try:
    			catpipe = subprocess.Popen(["su", "-c", "cat >/data/system/password.key"], 
    				stdout = subprocess.PIPE, stdin = subprocess.PIPE)
    			catoutput = catpipe.communicate(pwdhash)[0]
    			if catpipe.returncode == 0:
    				return
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't write password")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def readSalt(self):
    		try:
    			sqlitepipe = subprocess.Popen(["su", "-c", "sqlite3 -batch \
    				/data/system/locksettings.db \"SELECT value FROM locksettings WHERE name = 'lockscreen.password_salt'\""], 
    				stdout = subprocess.PIPE)
    			sqliteoutput = sqlitepipe.communicate()[0].splitlines()[0].strip()
    			salt=long(sqliteoutput)
    			if sqlitepipe.returncode == 0 and sqliteoutput == str(salt):
    				return salt
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't read salt")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def saltToHex(self,saltlong):
    		blob=struct.pack(">q",saltlong)
    		longagain=struct.unpack(">Q",blob)[0]
    		hexstr=hex(longagain).lstrip("0x").rstrip("L")
    		return hexstr.lower()
    		
    	def hashPinOriginal(self,pin,salt):
    		# this is what google is doing in stock android
    		salted=str(pin)+self.saltToHex(salt)
    		md5str=hashlib.md5(salted).hexdigest()
    		sha1str=hashlib.sha1(salted).hexdigest()
    		return (sha1str+md5str).upper()
    
    	def hashPinSamsung(self,pin,salt):
    		# samsung has modified the code, at least on the GT-I9100
    		salted=str(pin)+self.saltToHex(salt)
    		hashbuf=str()
    		i=0
    		while i < 1024:
    			hashbuf=hashlib.sha1(hashbuf+str(i)+salted).digest()
    			i=i+1
    		return binascii.hexlify(hashbuf).upper()	
    
    	def checkCurrentPassword(self,salt):
    		pwd = self.droid.dialogGetInput('Enter current Password').result
    		if not pwd:
    			return False
    		
    		pwdfile=self.getFileContent("/data/system/password.key")
    		pwdhash=self.hashPinOriginal(pwd,salt)
    		
    		if pwdhash == pwdfile:
    			return "original"
    		else:
    			pwdhash=self.hashPinSamsung(pwd,salt)
    			if pwdhash == pwdfile:
    				return "samsung"
    			else:
    				self.droid.dialogCreateAlert("Error", "Password hash compare mismatch")
    				self.droid.dialogSetNeutralButtonText('Abort')
    				self.droid.dialogShow()
    				return False
    		
    	def setNewPin(self):
    		salt=self.readSalt()
    		curpwdtype=self.checkCurrentPassword(salt)
    		if not curpwdtype:
    			return False
    		newpin = self.askNewPin()
    		if not newpin:
    			return False
    		if curpwdtype == "original":
    			newhash=self.hashPinOriginal(newpin,salt)
    		elif curpwdtype == "samsung":
    			newhash=self.hashPinSamsung(newpin,salt)
    		else:
    			return
    		self.createBackup()
    		self.writePassword(newhash)
    		# pwd types:
    		# 65536 = no protection
    		# 131072 = numeric pin
    		# 262144 = alphanumeric password
    		self.writePasswordType(131072)
    		self.droid.dialogCreateAlert("Success", "New Password written")
    		self.droid.dialogSetPositiveButtonText('Ok')
    		self.droid.dialogShow()
    	
    	def run(self):
    		self.sqliteFound()
    		if self.getFileContent("/data/system/password.sav") != None:
    			self.droid.dialogCreateAlert("Backup found", "Restore from backup or set new PIN?")
    			self.droid.dialogSetPositiveButtonText('Restore')
    			self.droid.dialogSetNegativeButtonText('Set PIN')
    			self.droid.dialogShow()
    			if self.droid.dialogGetResponse().result['which'] == 'positive':
    				self.restoreBackup()
    			if self.droid.dialogGetResponse().result['which'] == 'negative':
    				self.setNewPin()
    		else:
    			self.setNewPin()
    			
    pinchange = PinChange()
    pinchange.run()