[Howto] Different PIN on lockscreen than for device encryption

Search This thread

robberknight

Member
May 22, 2012
22
13
Hi,

Android 4 / ICS has a good security feature: full device encryption. But it's implementation has a big usability problem: you have to use the same password for device encryption as on the lockscreen. Meaning you have to enter the complicated encryption password every time you want to access your phone :mad:

Chosing an easy password would make encryption worthless and Android limits the lowest complexity allowed for encryption.

Technically these passwords are two completely separate things. It's just the Android UI that mingles this. So it's time to hack and separate what should be separate!

Here is how to do it, rooted phone needed:

  1. Make a backup
  2. Enable USB debugging that you have a backdoor if something goes wrong
  3. Install the prerequisites: SL4A including Python4Android
  4. Switch your SuperSU or superuser to grant su by default. You will have to accept lots of commands otherwise, and I had problems with the dialog of my SuperSU doing this
  5. Install my pin_change.py program in the sl4a/scripts directory on your phone, it is attached to this post. Maybe you have to rename the extension to .py (had to rename it due to forum restrictions)
  6. Start pin_change.py through SL4A
  7. It will make a backup of your current password and allow you to set a new numeric pin
  8. Reboot your phone, the lockscreen caches the old settings otherwise
  9. Disable USB debugging and switch your superuser settings back

That's it, you can now use an easy pin on your lockscreen.

Maybe you are missing the sqlite3 command. pin_change.py will check for it and notify you if it is not there. The easiest way to get it is the "Sqlite installer for root" app on the market.

pin_change.py allows to restore the backup or to set a new pin. You should restore the backuped password before you change your encryption password through the Android GUI.

I tested this on a Samsung Galaxy SII and a HTC Sensation, both EU models running a 4.0.3 from the manufacturer. I just rooted them, no custom roms.
The only thing I could find was that the vpn account data is encrypted too and you now can't enter the password anymore. So you have to redo you vpn setup, no big deal.

Just to make it clear: this allows you to use a numeric pin for unlocking where e.g. the Samsung Galaxy S2 requires a alphanumeric password. This tool does not (yet?) allow to use a pattern to unlock.

You do this on your own risk, no warranty, this script may brick your phone, drink all your beer or eat little children. So be careful.
 

Attachments

  • pin_change.py.txt
    8.8 KB · Views: 2,022
Last edited:

robberknight

Member
May 22, 2012
22
13
When you use a numeric pin on your lockscreen, someone could use fingerprint locations to guess your pin code. So you should make sure that noone can make enough tries till he finds the correct pin.

Here is how to limit the number of failed pins:

  • Install Tasker
  • Install Secure Settings
  • Open Tasker and Create a new Profile
  • Context based on state - Plugin - Secure Settings
  • You can configure it to the desired number of failed login attemts
  • New Task - Misc - Reboot - Shutdown

I have set the failed login attempts to two. After that the phone instantly switches off. When switching it on again, everything is encrypted and you have to enter the long and complex encryption password. Voila, we are secure!
 
Last edited:
  • Like
Reactions: lolo250612

robberknight

Member
May 22, 2012
22
13
While I'm at it - one more hint about device encryption:

When I first tried to encrypt my Samsung Galaxy S2, it started and showed a green robot. After about a minute it rebooted and that was it - no encryption.

I activated adb logcat to see what was going on. Lots of other stuff and finally this:
Code:
E/Cryptfs (   73): unmounting /data failed
E/Cryptfs (   73): Error enabling encryption after framework is shutdown, no data changed, restarting system

I thought a bit about it and had the idea that maybe the external sdcard is still mounted and that mountpoint creates this problem. I was right - removing the external sd solved it.
 
Last edited:

szakeetm

Member
Jun 5, 2012
6
0
Hi,

Android 4 / ICS has a good security feature: full device encryption. But it's implementation has a big usability problem: you have to use the same password for device encryption as on the lockscreen. Meaning you have to enter the complicated encryption password every time you want to access your phone :mad:

Chosing an easy password would make encryption worthless and Android limits the lowest complexity allowed for encryption.

Technically these passwords are two completely separate things. It's just the Android UI that mingles this. So it's time to hack and separate what should be separate!

Here is how to do it, rooted phone needed:

  1. Make a backup
  2. Enable USB debugging that you have a backdoor if something goes wrong
  3. Install the prerequisites: SL4A including Python4Android (Sorry, I was not allowed to link it, not enough rights in the forum - so search for it)
  4. Switch your SuperSU or superuser to grant su by default. You will have to accept lots of commands otherwise, and I had problems with the dialog of my SuperSU doing this
  5. Install my pin_change.py program in the sl4a/scripts directory on your phone, it is attached to this post. Maybe you have to rename the extension to .py (had to rename it due to forum restrictions)
  6. Start pin_change.py through SL4A
  7. It will make a backup of your current password and allow you to set a new numeric pin
  8. Reboot your phone, the lockscreen caches the old settings otherwise
  9. Disable USB debugging and switch your superuser settings back

That's it, you can now use an easy pin on your lockscreen.

Maybe you are missing the sqlite3 command. pin_change.py will check for it and notify you if it is not there. The easiest way to get it is the "Sqlite installer for root" app on the market.

pin_change.py allows to restore the backup or to set a new pin. You should restore the backuped password before you change your encryption password through the Android GUI.

I tested this on a Samsung Galaxy SII and a HTC Sensation, both EU models running a 4.0.3 from the manufacturer. I just rooted them, no custom roms.
The only thing I could find was that the vpn account data is encrypted too and you now can't enter the password anymore. So you have to redo you vpn setup, no big deal.

Just to make it clear: this allows you to use a numeric pin for unlocking where e.g. the Samsung Galaxy S2 requires a alphanumeric password. This tool does not (yet?) allow to use a pattern to unlock.

You do this on your own risk, no warranty, this script may brick your phone, drink all your beer or eat little children. So be careful.

I need a little noob help here, using Samsung Galaxy SII on ICS 4.0.3. I don't have much experience with Python, only installed it to make this script work.

Running pin_change.py I get the "sqlite3 command not found" error. Now I guess I have to install the thirdparty.tar.gz from the Python for Android (Google Code) website, but I have no idea what to do with the downloaded file. Could you please help?
 

robberknight

Member
May 22, 2012
22
13
Running pin_change.py I get the "sqlite3 command not found" error. Now I guess I have to install the thirdparty.tar.gz from the Python for Android (Google Code) website, but I have no idea what to do with the downloaded file. Could you please help?

Just do as I wrote, you don't need no thirdparty.tgz:

robberknight said:
Maybe you are missing the sqlite3 command. pin_change.py will check for it and notify you if it is not there. The easiest way to get it is the "Sqlite installer for root" app on the market.
 

robberknight

Member
May 22, 2012
22
13
I don't have a Honeycomb device to test so I don't know.

You can just try it though. The script tests the password before changing anything. The test will fail if encoding is done different on Honeycomb. And the script also creates a backup before overwriting anything.

I consider the chance that the script breaks anything quite low. But it can very well be that the script aborts with an error because something is done different on Honeycomb.
 

xdascrat

New member
Jul 24, 2012
4
0
sqlite3 binary

Some hints:
I failed to install "Sqlite installer for root".
So I grabbed sqlite3 from SuperOneClickv2.3.3-ShortFuse.zip.
Somehow it won't start within the python script. It throws "cannot locate register_android_functions" in def sqliteFound(self) which ends up with the error "sqlite3 command not found". Executing sqlite3 -version in the shell caused no problem.

I managed to get sqlite3 working by installing again from "Sqlite installer for root" after proper remount of /system in read-write mode
"mount -o remount,rw /dev/block/mmcblk0p15 /system"

The PIN-Lock works now!

Using S3 with DarkyROM III v2.0 (Android 4.0.4)
 

robberknight

Member
May 22, 2012
22
13
I managed to get sqlite3 working by installing again from "Sqlite installer for root" after proper remount of /system in read-write mode
"mount -o remount,rw /dev/block/mmcblk0p15 /system"
Thanks for reporting this. Seems they either changed it in 4.0.4 or just Samsung on the S3.

The PIN-Lock works now!
That's nice to hear, seems like the encryption & pin stuff didn't change.
 

salatiel

Senior Member
Aug 15, 2012
104
22
i am getting can not read salt when executing. ideas ?

---------- Post added at 03:11 PM ---------- Previous post was at 03:04 PM ----------

using jelly bean by the way
 

88%

Member
Aug 14, 2012
21
2
i am getting can not read salt when executing. ideas ?

---------- Post added at 03:11 PM ---------- Previous post was at 03:04 PM ----------

using jelly bean by the way

I'm not in JB, but when I got a "can't read salt" error recently, I got through it by changing SU back to "prompt" and then clicking through the prompts. I have no idea if this might work for you though.
 

morpheus4you

Member
Aug 13, 2011
6
1
Thank you for sharing this information. This is exactly what I was looking for :)

I think it is logical to have a complex password for booting your encrypted android, but using a simple pin for unlocking your screen. Who wants to enter their complex password every time the lockscreen pops up?

Im running cyanogenmod 9 on SGS2 and I will report back here if it doesn't work somehow.
 

salatiel

Senior Member
Aug 15, 2012
104
22
The easiest way to accomplish this is to set the password for the boot using vdc cryptfs changepw PASSWORD.


Sent from my Galaxy Nexus using xda app-developers app

---------- Post added at 04:07 PM ---------- Previous post was at 04:04 PM ----------

that will change the password for the encrypted volume while keeping you pin whatever you initially set up

Sent from my Galaxy Nexus using xda app-developers app
 

srynoname

Member
Sep 20, 2012
43
1
The easiest way to accomplish this is to set the password for the boot using vdc cryptfs changepw PASSWORD.
that will change the password for the encrypted volume while keeping you pin whatever you initially set up
Sent from my Galaxy Nexus using xda app-developers app
can you please elaborte on this? I assume the steps would then be
1) encrypt android phone using normal GUI way from the settings
2) Change PIN to some easy to enter PIN for the lock screen
3) Use vdc cryptfs changepw PASSWORD to set a strong password for the authentication during boot?

Update: Yes, that is how it works. See http://blog.joelj.org/2012/08/02/st...setting-a-different-bootlock-screen-password/
 
Last edited:

azoom1

Member
Jun 21, 2012
10
4
RDU
Script method is better than "vdc cryptfs changepw" on Galaxy S2 Epic Touch

This script is the way to go for the Galaxy S2 Epic Touch for at least 2 reasons:

1) Using the "vdc cryptfs changepw" method doesn't seem to work. I tried Cryptfs Password and EncPassChanger both of which fail with the error that the current password is incorrect. My presumption is that the EpicTouch stores the password differently than a Nexus. (I tried to use it command-line as well, but I'm not really versed in that method so I'm not sure I was doing it correctly.)

2) The EpicTouch also requires an alpha-numeric password in order to encrypt. It will not accept a PIN. You must choose a password with at least 6 characters, including one alpha and one numeric. Again, this is different than the Nexus which appears to accept a simpler numeric PIN for encryption.

Thus, using the "vdc cryptfs changepw" method would not be optimal because you'd still be stuck with the alpha-numeric PIN that you used to initially encrypt the device. Thus, this script method that changes the GUI PIN is much better.

A hint for those who are trying this and have never used SLA4/Python (as I was):

1) Load SLA4
2) Menu-View-Interpreters
3) Menu-Add
4) Select Python 2.6.2 - the SLA4 app will go get Python and intall it with the correct linking
5) Exit SLA4, then start Python and select Install, and when finished, exit Python
6) Put the pin_change.py file in the SLA4 "scripts" directory
7) Start SLA4

After that, when SLA4 is run you should see the script in the pick list. Upon selection SLA4 will pop-up an icon select-list. Pick the gear, which will run the script.

Thanks to the original poster for sharing this.
 
Last edited:
  • Like
Reactions: TNAR and respider

iamus

New member
Oct 26, 2012
2
0
This is awesome! Thanks goes to the OP!



I have one question though, Is there a way I can modify the python script to use the pattern instead of the pin ?
 

azoom1

Member
Jun 21, 2012
10
4
RDU
S3 with JB 4.1.1 - "can't read salt"

i am getting can not read salt when executing. ideas ?

---------- Post added at 03:11 PM ---------- Previous post was at 03:04 PM ----------

using jelly bean by the way


Although this worked great on my Sprint S2, I've just upgraded to the S3, (running JB 4.1.1) and I'm getting stuck at "can't read salt". I did what I could and I looked through the script and confirmed the database is at the same location in the S2 and S3. However, although I can find the salt in the S2 database, it does not appear in the S3 database. Obviously, that's why it's getting the error. Unfortunately, I can't find any information as to where the salt in stored in JB. My thought was to make a small modification to the script and point it to the correct database.

This script made using encryption on the S2 very pleasant. Any assistance you can give in helping to get it working on JB/S3 would be greatly appreciated.

Thanks.
 
Last edited:

creiss

New member
Nov 13, 2012
1
0
Awesome... but

Hey there!

Awesome little script that just works.
I am running on my Galaxy S3 here, feeling a lot more secure.

However, I just upgrades to Android 4.1.1 (Build JRO03C.I9300XXDLIH) and the script does change the password to a pin, leaving the encrpytion password intact, but it wont switch the device to pin input screen. I rather have the text box field, which is kinda annoying to use.

Would that be easily to fix for you?

Cheers,
and thanks for all the hard work,
much appreciated!

-Christian.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 7
    Hi,

    Android 4 / ICS has a good security feature: full device encryption. But it's implementation has a big usability problem: you have to use the same password for device encryption as on the lockscreen. Meaning you have to enter the complicated encryption password every time you want to access your phone :mad:

    Chosing an easy password would make encryption worthless and Android limits the lowest complexity allowed for encryption.

    Technically these passwords are two completely separate things. It's just the Android UI that mingles this. So it's time to hack and separate what should be separate!

    Here is how to do it, rooted phone needed:

    1. Make a backup
    2. Enable USB debugging that you have a backdoor if something goes wrong
    3. Install the prerequisites: SL4A including Python4Android
    4. Switch your SuperSU or superuser to grant su by default. You will have to accept lots of commands otherwise, and I had problems with the dialog of my SuperSU doing this
    5. Install my pin_change.py program in the sl4a/scripts directory on your phone, it is attached to this post. Maybe you have to rename the extension to .py (had to rename it due to forum restrictions)
    6. Start pin_change.py through SL4A
    7. It will make a backup of your current password and allow you to set a new numeric pin
    8. Reboot your phone, the lockscreen caches the old settings otherwise
    9. Disable USB debugging and switch your superuser settings back

    That's it, you can now use an easy pin on your lockscreen.

    Maybe you are missing the sqlite3 command. pin_change.py will check for it and notify you if it is not there. The easiest way to get it is the "Sqlite installer for root" app on the market.

    pin_change.py allows to restore the backup or to set a new pin. You should restore the backuped password before you change your encryption password through the Android GUI.

    I tested this on a Samsung Galaxy SII and a HTC Sensation, both EU models running a 4.0.3 from the manufacturer. I just rooted them, no custom roms.
    The only thing I could find was that the vpn account data is encrypted too and you now can't enter the password anymore. So you have to redo you vpn setup, no big deal.

    Just to make it clear: this allows you to use a numeric pin for unlocking where e.g. the Samsung Galaxy S2 requires a alphanumeric password. This tool does not (yet?) allow to use a pattern to unlock.

    You do this on your own risk, no warranty, this script may brick your phone, drink all your beer or eat little children. So be careful.
    6
    Using PIN for lockscreen and Password for Encryption

    Figure out how to get the Galaxy S3 from Sprint to use the PIN numeric entry screen for my lockscreen, and a password and full-keyboard prompt for encryption.

    The issue is that on stock ROMs for Sprint Galaxy S3 (and I believe this is true for many other S3 ROMs), you must use a full keyboard/password for the lockscreen and encryption. Using the EncPassChanger and other scripts based on cryptfs changepw won't switch the lockscreen entry method from keyboard to numeric keypad if your password contains only numbers. The following script keeps encryption password entry method (full keyboard) independent of lockscreen entry method (e.g., PIN).

    The key is that you can enable encryption independent of your lockscreen via the following command syntax
    su vdc cryptfs enablecrypto <wipe|inplace> <passwd>

    The process for having a PIN lockscreen and a long password for system encyrption is
    1) Set a PIN for your lockscreen as normal

    2) From a terminal on a rooted system (tested on rooted stock Sprint G3), type
    > su
    > vdc cryptfs enablecrypto inplace <LongSecurePassword>

    Then wait...after about 30 seconds your android will reboot and the encryption process will begin. After encryption completes (about 1 hour) your system will reboot and eventually prompt for the <LongSecurePassword> to gain access to your system. You will only need to enter that password once for each reboot / power-on. The lockscreen will continue to use the original PIN input method and PIN code.

    It might be possible to use this technique to even have a lockscreen with pattern or no security, while the device remains encrypted. That possibility has not been tested.

    Use the above technique at your own risk. "Bad people" will still have easy access to your data (based on the lockscreen method chosen) until they reboot or power-cycle your android (when they will then be greeted by the request for your LongSecurePassword.

    Also, I have not tried changing the PIN or lockscreen method after applying the above change. The unknown is how vendors have modified Android's lockscreen code - don't know how or when in the process they force the two to be kept in-sync.

    -- TJ

    BTW> more info on vdc command is via:
    android.googlesource.com/platform/system/vold/+/b1596afa59c7108cc6ce23bab54a1bc41961806a/CommandListener.cpp​
    3
    Although this worked great on my Sprint S2, I've just upgraded to the S3, (running JB 4.1.1) and I'm getting stuck at "can't read salt". I did what I could and I looked through the script and confirmed the database is at the same location in the S2 and S3. However, although I can find the salt in the S2 database, it does not appear in the S3 database. Obviously, that's why it's getting the error. Unfortunately, I can't find any information as to where the salt in stored in JB. My thought was to make a small modification to the script and point it to the correct database.

    This script made using encryption on the S2 very pleasant. Any assistance you can give in helping to get it working on JB/S3 would be greatly appreciated.

    Thanks.

    I've modified the script to work on the Galaxy Note II (N7100) on JB (4.1.1), as Samsung stores their settings elsewhere. It should be the same on the S3 as well :) Just expand to see it and copy/paste,,,


    Code:
    #
    # Android pin change
    # change the pin without Android UI restrictions bothering you
    # allows to use a different pin on the lockscreen than the password
    # for device encryption
    #
    # Version 1.0 / 2012-05-29
    # by robberknight
    #
    # modified by Pulser_G2 (pulser_at_xda-developers.com) to work with
    # Samsung devices (tested on Galaxy Note II N7100 JB 4.1.1)
    # No Warranty!
    
    import android
    import subprocess
    import sys
    import hashlib
    import struct
    import binascii
    
    class PinChange(object):
    
    	def __init__(self):
    		self.droid = android.Android()
    	
    	def askNewPin(self):
    		pin1 = self.droid.dialogGetInput('New PIN (numeric)').result
    		if not pin1:
    			return False
    		
    		if not pin1.isdigit() or len(pin1) < 4 or len(pin1) > 16:
    			self.droid.dialogCreateAlert("Error", "Invalid PIN")
    			self.droid.dialogSetNeutralButtonText('Abort')
    			self.droid.dialogShow()
    			return False
    
    		pin2 = self.droid.dialogGetInput('Confirm PIN').result 
    		if not pin2:
    			return False
    
    		if pin1 != pin2:
    			self.droid.dialogCreateAlert("Error", "PINs don't match")
    			self.droid.dialogSetNeutralButtonText('Abort')
    			self.droid.dialogShow()
    			return False
    	
    		return pin1
    
    	def getFileContent(self,filename):
    		try:
    			catpipe = subprocess.Popen(["su", "-c", "cat \""+filename+"\" 2>/dev/null"], stdout = subprocess.PIPE)
    			catoutput = catpipe.communicate()[0]
    			if catpipe.returncode == 0:
    				return catoutput
    			else:
    				return None
    		except:
    			self.droid.dialogCreateAlert("Error", "Can't execute su call (not rooted?)")
    			self.droid.dialogSetNeutralButtonText('Abort')
    			self.droid.dialogShow()
    			sys.exit(1)
    		
    	def sqliteFound(self):
    		try:
    			statpipe = subprocess.Popen(["sqlite3", "-version"], stdout = subprocess.PIPE)
    			statoutput = statpipe.communicate()[0]
    			if statpipe.returncode == 0 and statoutput[0] >= '3':
    				return True
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't find sqlite3 command")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def createBackup(self):
    		if self.getFileContent("/data/system/password.sav") == None or \
    			len(self.getFileContent("/data/system/password.sav")) == 0:
    			try:
    				statpipe = subprocess.Popen(["su", "-c", "cat /data/system/password.key >/data/system/password.sav"], stdout = subprocess.PIPE)
    				statoutput = statpipe.communicate()[0]
    				if statpipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't create password backup")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    				chmodpipe = subprocess.Popen(["su", "-c", "chmod 600 /data/system/password.sav"], stdout = subprocess.PIPE)
    				chmodpipe.communicate()[0]
    				if chmodpipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't secure password backup")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    				sqlitepipe = subprocess.Popen(["su", "-c", "sqlite3 -batch \
    					/data/system/locksettings.db \"SELECT value FROM locksettings WHERE name = 'lockscreen.password_type'\" >/data/system/password_type.sav"], 
    					stdout = subprocess.PIPE)
    				sqlitepipe.communicate()[0]
    				if sqlitepipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't backup password type")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    			except:
    				self.droid.dialogCreateAlert("Error", "Can't execute su call (not rooted?)")
    				self.droid.dialogSetNeutralButtonText('Abort')
    				self.droid.dialogShow()
    				sys.exit(1)
    		
    	def restoreBackup(self):
    		if self.getFileContent("/data/system/password.sav") != None and \
    			len(self.getFileContent("/data/system/password.sav")) > 0 and \
    			self.getFileContent("/data/system/password_type.sav") != None and \
    			len(self.getFileContent("/data/system/password_type.sav")) > 0:
    			try:
    				statpipe = subprocess.Popen(["su", "-c", "cat /data/system/password.sav >/data/system/password.key"], stdout = subprocess.PIPE)
    				statoutput = statpipe.communicate()[0]
    				if statpipe.returncode != 0:
    					self.droid.dialogCreateAlert("Error", "Can't restore password backup")
    					self.droid.dialogSetNeutralButtonText('Abort')
    					self.droid.dialogShow()
    					sys.exit(1)
    			except:
    				self.droid.dialogCreateAlert("Error", "Can't execute su call (not rooted?)")
    				self.droid.dialogSetNeutralButtonText('Abort')
    				self.droid.dialogShow()
    				sys.exit(1)
    			pwdtype=self.getFileContent("/data/system/password_type.sav")
    			pwdtype=pwdtype.splitlines()[0].strip()
    			self.writePasswordType(pwdtype)
    			self.droid.dialogCreateAlert("Success", "Backup restored")
    			self.droid.dialogSetPositiveButtonText('Ok')
    			self.droid.dialogShow()
    				
    	def writePasswordType(self,typeno):
    		try:
    			sqlitepipe = subprocess.Popen(["su", "-c", "sqlite3 -batch \
    				/data/system/locksettings.db \"UPDATE locksettings SET value='"+str(typeno)+"' WHERE name = 'lockscreen.password_type'\""], 
    				stdout = subprocess.PIPE)
    			sqlitepipe.communicate()
    			if sqlitepipe.returncode == 0:
    				return
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't write pwd type")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def writePassword(self,pwdhash):
    		try:
    			catpipe = subprocess.Popen(["su", "-c", "cat >/data/system/password.key"], 
    				stdout = subprocess.PIPE, stdin = subprocess.PIPE)
    			catoutput = catpipe.communicate(pwdhash)[0]
    			if catpipe.returncode == 0:
    				return
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't write password")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def readSalt(self):
    		try:
    			sqlitepipe = subprocess.Popen(["su", "-c", "sqlite3 -batch \
    				/data/system/locksettings.db \"SELECT value FROM locksettings WHERE name = 'lockscreen.password_salt'\""], 
    				stdout = subprocess.PIPE)
    			sqliteoutput = sqlitepipe.communicate()[0].splitlines()[0].strip()
    			salt=long(sqliteoutput)
    			if sqlitepipe.returncode == 0 and sqliteoutput == str(salt):
    				return salt
    		except:
    			pass
    		self.droid.dialogCreateAlert("Error", "Can't read salt")
    		self.droid.dialogSetNeutralButtonText('Abort')
    		self.droid.dialogShow()
    		sys.exit(1)
    
    	def saltToHex(self,saltlong):
    		blob=struct.pack(">q",saltlong)
    		longagain=struct.unpack(">Q",blob)[0]
    		hexstr=hex(longagain).lstrip("0x").rstrip("L")
    		return hexstr.lower()
    		
    	def hashPinOriginal(self,pin,salt):
    		# this is what google is doing in stock android
    		salted=str(pin)+self.saltToHex(salt)
    		md5str=hashlib.md5(salted).hexdigest()
    		sha1str=hashlib.sha1(salted).hexdigest()
    		return (sha1str+md5str).upper()
    
    	def hashPinSamsung(self,pin,salt):
    		# samsung has modified the code, at least on the GT-I9100
    		salted=str(pin)+self.saltToHex(salt)
    		hashbuf=str()
    		i=0
    		while i < 1024:
    			hashbuf=hashlib.sha1(hashbuf+str(i)+salted).digest()
    			i=i+1
    		return binascii.hexlify(hashbuf).upper()	
    
    	def checkCurrentPassword(self,salt):
    		pwd = self.droid.dialogGetInput('Enter current Password').result
    		if not pwd:
    			return False
    		
    		pwdfile=self.getFileContent("/data/system/password.key")
    		pwdhash=self.hashPinOriginal(pwd,salt)
    		
    		if pwdhash == pwdfile:
    			return "original"
    		else:
    			pwdhash=self.hashPinSamsung(pwd,salt)
    			if pwdhash == pwdfile:
    				return "samsung"
    			else:
    				self.droid.dialogCreateAlert("Error", "Password hash compare mismatch")
    				self.droid.dialogSetNeutralButtonText('Abort')
    				self.droid.dialogShow()
    				return False
    		
    	def setNewPin(self):
    		salt=self.readSalt()
    		curpwdtype=self.checkCurrentPassword(salt)
    		if not curpwdtype:
    			return False
    		newpin = self.askNewPin()
    		if not newpin:
    			return False
    		if curpwdtype == "original":
    			newhash=self.hashPinOriginal(newpin,salt)
    		elif curpwdtype == "samsung":
    			newhash=self.hashPinSamsung(newpin,salt)
    		else:
    			return
    		self.createBackup()
    		self.writePassword(newhash)
    		# pwd types:
    		# 65536 = no protection
    		# 131072 = numeric pin
    		# 262144 = alphanumeric password
    		self.writePasswordType(131072)
    		self.droid.dialogCreateAlert("Success", "New Password written")
    		self.droid.dialogSetPositiveButtonText('Ok')
    		self.droid.dialogShow()
    	
    	def run(self):
    		self.sqliteFound()
    		if self.getFileContent("/data/system/password.sav") != None:
    			self.droid.dialogCreateAlert("Backup found", "Restore from backup or set new PIN?")
    			self.droid.dialogSetPositiveButtonText('Restore')
    			self.droid.dialogSetNegativeButtonText('Set PIN')
    			self.droid.dialogShow()
    			if self.droid.dialogGetResponse().result['which'] == 'positive':
    				self.restoreBackup()
    			if self.droid.dialogGetResponse().result['which'] == 'negative':
    				self.setNewPin()
    		else:
    			self.setNewPin()
    			
    pinchange = PinChange()
    pinchange.run()
    2
    The easiest way to accomplish this is to set the password for the boot using vdc cryptfs changepw PASSWORD.


    Sent from my Galaxy Nexus using xda app-developers app

    ---------- Post added at 04:07 PM ---------- Previous post was at 04:04 PM ----------

    that will change the password for the encrypted volume while keeping you pin whatever you initially set up

    Sent from my Galaxy Nexus using xda app-developers app
    2
    Script method is better than "vdc cryptfs changepw" on Galaxy S2 Epic Touch

    This script is the way to go for the Galaxy S2 Epic Touch for at least 2 reasons:

    1) Using the "vdc cryptfs changepw" method doesn't seem to work. I tried Cryptfs Password and EncPassChanger both of which fail with the error that the current password is incorrect. My presumption is that the EpicTouch stores the password differently than a Nexus. (I tried to use it command-line as well, but I'm not really versed in that method so I'm not sure I was doing it correctly.)

    2) The EpicTouch also requires an alpha-numeric password in order to encrypt. It will not accept a PIN. You must choose a password with at least 6 characters, including one alpha and one numeric. Again, this is different than the Nexus which appears to accept a simpler numeric PIN for encryption.

    Thus, using the "vdc cryptfs changepw" method would not be optimal because you'd still be stuck with the alpha-numeric PIN that you used to initially encrypt the device. Thus, this script method that changes the GUI PIN is much better.

    A hint for those who are trying this and have never used SLA4/Python (as I was):

    1) Load SLA4
    2) Menu-View-Interpreters
    3) Menu-Add
    4) Select Python 2.6.2 - the SLA4 app will go get Python and intall it with the correct linking
    5) Exit SLA4, then start Python and select Install, and when finished, exit Python
    6) Put the pin_change.py file in the SLA4 "scripts" directory
    7) Start SLA4

    After that, when SLA4 is run you should see the script in the pick list. Upon selection SLA4 will pop-up an icon select-list. Pick the gear, which will run the script.

    Thanks to the original poster for sharing this.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone