• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

Brother Passed Away - In Need of Help Bypassing PIN/Encrypted Partition

Search This thread

Lonoshea

New member
Aug 16, 2011
4
0
Hello dev's! Unfortunately, in January, my brother passed away, and I have been tasked with trying to get into his phone and recover any important images really to pass along to his wife and daughter. Needless to say, I don't know his PIN code - and I am down to 2 guesses before the phone is wiped. So here I am.

Pardon my lack of technical language here but my brother did install Team Win Recovery Project 3.1.1-0 so I have been able to get to "recovery mode". Unfortunately, his partition is encrypted and I have been unable to guess that password either.

Because his drive is encrypted, I can't get into /data to remove any .key files. I have successfully been able to figure out how to sideload zip files via ADB that are supposed to bypass the PIN screen but I have had no luck. The google "find my phone" method is not working probably because the phone isn't connecting to a network.

I have read through an alpha security post about a malicious charger hack but I don't see where to download that tool.

So - does anyone know of any possible application or ZIP file I can sideload that will either help remove the decryption password or completely and successfully bypass the PIN?

Can I update TWRP to a newer version in hopes that the encryption is removed?

Any help is appreciated!
 

cpt.macp

Senior Member
Aug 2, 2013
554
313
Under Your Bed
Any old version of twrp might do the trick and then in /data/system folder delete these files ( if they are there )
password.key
pattern.key
locksettings.db
locksettings.db-shm
locksettings.db-wal
 
  • Like
Reactions: Lonoshea

ZVNexus

Recognized Developer
Feb 23, 2016
1,032
1,606
Rocky Hill
You said any important photos correct?

https://support.google.com/accounts/troubleshooter/6357590?hl=en

I assume that your brother used Google Photos and any photos he took were most likely backed up to that. You can talk to Google about retrieving said data, you will need to prove things of course though. You will need to get a court order issued, that is if it is even approved, and everything else required should be on that page. Best of luck! Sorry to say but if the /data is encrypted you are pretty much screwed, although TWRP should decrypt in when it enters recovery so idk. That webpage is your best shot imo.
 
  • Like
Reactions: Lonoshea

Lonoshea

New member
Aug 16, 2011
4
0
thanks @ZVNexus for the tip. I do have access to his Google account but because my brother was a super sleuth, he didn't have his images automatically upload to his photo drive. the photos that are there are few and from 2015 :(

With access to his account, I do see his "activity", which I am not even sure he knew was being tracked (oh Google!) and I see that he used things like
Code:
Used com.android.gallery3d
and
Code:
Used org.cyanogenmod.snap
both of which look like photo apps.

you mentioned that TWRP should decrypt when I enter recovery.. what do you mean by that? if it is encrypted then it should always ask for a password right?

I wonder if this app is available anywhere for download and use.
HTML:
https://alephsecurity.com/2017/03/26/oneplus3t-adb-charger/
 

ZVNexus

Recognized Developer
Feb 23, 2016
1,032
1,606
Rocky Hill
thanks @ZVNexus for the tip. I do have access to his Google account but because my brother was a super sleuth, he didn't have his images automatically upload to his photo drive. the photos that are there are few and from 2015 :(

With access to his account, I do see his "activity", which I am not even sure he knew was being tracked (oh Google!) and I see that he used things like
Code:
Used com.android.gallery3d
and
Code:
Used org.cyanogenmod.snap
both of which look like photo apps.

you mentioned that TWRP should decrypt when I enter recovery.. what do you mean by that? if it is encrypted then it should always ask for a password right?

I wonder if this app is available anywhere for download and use.
HTML:
https://alephsecurity.com/2017/03/26/oneplus3t-adb-charger/

I meant that even if the chip was encrypted TWRP should have let you touch the data partition. My phone is also encrypted but TWRP allows me to touch those partitions. Strange. Hopefully others can help.
 
  • Like
Reactions: Lonoshea

Curunir

Senior Member
Hello dev's! Unfortunately, in January, my brother passed away, and I have been tasked with trying to get into his phone and recover any important images really to pass along to his wife and daughter. Needless to say, I don't know his PIN code - and I am down to 2 guesses before the phone is wiped. So here I am.

Pardon my lack of technical language here but my brother did install Team Win Recovery Project 3.1.1-0 so I have been able to get to "recovery mode". Unfortunately, his partition is encrypted and I have been unable to guess that password either.

Because his drive is encrypted, I can't get into /data to remove any .key files. I have successfully been able to figure out how to sideload zip files via ADB that are supposed to bypass the PIN screen but I have had no luck. The google "find my phone" method is not working probably because the phone isn't connecting to a network.

I have read through an alpha security post about a malicious charger hack but I don't see where to download that tool.

So - does anyone know of any possible application or ZIP file I can sideload that will either help remove the decryption password or completely and successfully bypass the PIN?

Can I update TWRP to a newer version in hopes that the encryption is removed?

Any help is appreciated!

I'm confused: if the partition is encrypted, you will generally be asked for a password during the boot process. If you're unable to enter the correct password (which AFAIK has unlimited tries), the phone simply won't boot. So you will never arrive at the lockscreen where you're supposed to enter the PIN (which offers a number of tries before wiping). With an encrypted partition, entering the recovery will prompt you for the same password you're supposed to enter during the boot process. Again, unlimited tries. As long as you're unable to do that the partitions will be 'invisible'. You can still wipe/partition them and that will remove the encryption as well as all of your data. But it seems the device you're working on works differently?

Either way: in order to gain access, you will need to either know the PIN directly (if the phone boots without a boot password) or gain access to the encrypted partition through TWRP, allowing you to remove the files responsible for the PIN lock. I'm sorry for your loss, but if it would work in any other way it simply wouldn't be secure for any Android user out there who is using encryption. Even google shouldn't be able to decrypt the phone, though it's theoretically possible they do have some kind of backdoor.

At this point, your best bet is probably trying to brute force the partition password. That would probably take a very long time, but I'm sure there's tools and organizations specializing in that sort of work.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    There's no efficient way of breaking the data partition if it's encrypted, sorry.
    1
    Any old version of twrp might do the trick and then in /data/system folder delete these files ( if they are there )
    password.key
    pattern.key
    locksettings.db
    locksettings.db-shm
    locksettings.db-wal
    1
    You said any important photos correct?

    https://support.google.com/accounts/troubleshooter/6357590?hl=en

    I assume that your brother used Google Photos and any photos he took were most likely backed up to that. You can talk to Google about retrieving said data, you will need to prove things of course though. You will need to get a court order issued, that is if it is even approved, and everything else required should be on that page. Best of luck! Sorry to say but if the /data is encrypted you are pretty much screwed, although TWRP should decrypt in when it enters recovery so idk. That webpage is your best shot imo.
    1
    thanks @ZVNexus for the tip. I do have access to his Google account but because my brother was a super sleuth, he didn't have his images automatically upload to his photo drive. the photos that are there are few and from 2015 :(

    With access to his account, I do see his "activity", which I am not even sure he knew was being tracked (oh Google!) and I see that he used things like
    Code:
    Used com.android.gallery3d
    and
    Code:
    Used org.cyanogenmod.snap
    both of which look like photo apps.

    you mentioned that TWRP should decrypt when I enter recovery.. what do you mean by that? if it is encrypted then it should always ask for a password right?

    I wonder if this app is available anywhere for download and use.
    HTML:
    https://alephsecurity.com/2017/03/26/oneplus3t-adb-charger/

    I meant that even if the chip was encrypted TWRP should have let you touch the data partition. My phone is also encrypted but TWRP allows me to touch those partitions. Strange. Hopefully others can help.