I’m not sure if this is the proper category since there isn’t category for guides and howtos, but I’m sure the admins will move this if there is better category for this.
- I’m trusting you are using this only to only save data or fix software with permission from the owner of the device and not to do anything illegal!
- I don’t know much about cryptography or cryptanalysis by any means and I don’t hack things in my everyday life. Unless I really really have to and even then I suck at it.
- I’m writing this down so you don’t have to go through all the same pain I had to go through to figure all of this out (and save a ton of your time on the side).
- I’m also sure more skilled people will point out all the errors and possible shortcuts in this so remember check out the comments below for better practises.
- If you know your lock code, but managed to use all your unlock attempts to permanently lock your phone, use this trick instead of going through the rest of this guide: https://jolla.zendesk.com/hc/en-us/articles/360002996893#32
I had to learn all of this because of failed SFOS upgrade and I didn’t want to use the Factory Reset. I’m using Xperia 10 and it has had the encryption enabled since the day I flashed it with SFOS. The only thing was, I skipped the setting of the lock code and never set it later either. So when I had to get access to the /home
to fix the failed upgrade, I had no idea what to use to unlock the encryption (just pressing Enter
for empty password didn’t work).
To crack the encryption, I used software called hashcat
(https://hashcat.net/hashcat/). On the hashcat website there are listed GPU Driver requirements, but you really don’t have to worry about downloading those, this will be fast even without those (assuming you didn’t go with maximum lenght lock code).
Because you are looking into bruteforcing the encryption, I assume your phone is in the state where you need to get your phone into Recovery Mode (How to: https://jolla.zendesk.com/hc/en-us/articles/360002996893) to be able to do anything.
From the Recovery Mode menu, choose either option 3) Shell
or 5) Run sshd
. If you choose option 3) you need SD-Card to move the file from the phone to the computer, but with option 5) you can use programs that can transfer files over SSH. If you chose option 5), SSH into the phone using any SSH client using the information shown in the telnet
window.
In the recovery shell you need to take a snippet from the beginning of the encrypted partition containing the LUKS header information for hashcat
to chew on. Using cryptsetup luksDump
to dump just the header information might be enough, but I took more, because someone on the Internet said it works better if there is little bit more than just the header (and because it is in the Internet, it must be true !):
dd if=/dev/sailfish/home of=extended-luks-header bs=1M count=5
This takes 5 MB piece from the start which is more than enough for our needs and is manageable size so you don’t run into any diskspace issues. I used the 5) Run sshd
-option so I could use program called FileZilla
to transfer the files off from the phone, but you can also for example mount SD-Card to the shell and use it to transfer the file.
I copied the extended-luks-header
-file to the same directory with hashcat
to save myself from having to play around with paths pointing to the header file. Next I created a Batch-file (hence the line with pause
), but you can ommit this step and just use commandline of your choise (the example.dict
-file was part of the hashcat
download):
hashcat --hash-type 14600 --attack-mode 0 --outfile recovered_passphrase extended-luks-header example.dict
pause
And now wait for the hashcat
to do the job (unless you had long lock code you probably won’t even have time to go get a coffee). The length of the lock code and the computing power of your GPU and CPU are the key factors on how long it takes to crack the encryption. If you know you have used long lock code, using proper GPU API like CUDA API will help a lot.
For me, in around 38 seconds with my not so powerful PC and without any CUDA API magic used, the program had ended and I opened the recovered_passphrase
-file to find a single line:
extended-luks-header:00000
Congratulations, you now have your lock code!
And how to use it? Start your phone and unlock it of course. Or if you can’t boot your phone normally, for example like this (lock code is asked on the cryptsetup open
-command):
cryptsetup open /dev/sailfish/home myHome
mount /dev/mapper/myHome /rootfs/home
chroot /rootfs
In hindsight using the dictionary attack isn’t the optimal way to crack this case, but it worked really fast anyway for lock code of this lenght.There are also options to limit what kind of and what lenght passwords hashcat
tries to find and the lock code is all numbers and can be any length between 5 and 42, but I chose these (pretty generic) parameters because I hadn’t setup the lock code myself at all so I didn’t have any idea if it would follow these rules.
Hope this short guide saves someones phone from unneeded Factory Reset or reflash!