Unlock Android despite forgotten Pattern or Password

The Problem

A family member forgot the pattern setup in its android device.

  • The “forgot password” button would not appear to enter the password
  • The android device manager was setup but would show “lock already set the password you entered is not required”

Now usually all hope is lost and you need to factory reset your device (and lose all data). This however was not an option in my case.

The Situation

The situation for my case can be summarized like this:

  • Android 5.1.1 (others might work)
  • A second user without or with known Pattern/Password.
  • Sony Xperia Z Ultra (C6833), Version 14.6.A.0.368 (others probably work)

    • NO Sony bootloader unlock (otherwise there is probably a simpler way)
    • NO root
    • FACTORY Stock
    • NO Previous Backup via the Companion App (Otherwise you can just extract the data you need from the backup file!)
    • NO USB Debugging enabled
    • NO Developer Unlock

Because of this situation none of the methods posted on XDA are usable here and the internet is suggesting a factory reset. However as I was willing to dissassemble the device nothing is lost if I first try to dig deeper and try to get into the phone via software!

After some hours of trying to find a zero day exploit (as the version was already outdated at the time of writing), I came up with a simpler solution. I knew that there are a lot of attack vectors as I still had access to the guest user…

The Solution

So here are the steps to unlock the phone:

  • Install http://kingroot.net/ as the second user. The good part is the second user can even enable untrusted sources in options! Root the phone by clicking the button on the app.
  • Install a terminal app, for example https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en (Open the link with the “Play Store” App on the phone and login with your google account)
  • Open the terminal and type “su” followed by ‘Enter’</li>
  • If you get a notification that an app tries to get root you can accept the message and now have a root shell (= full access to the phone)
  • Now you can easily remove your pattern or password (reference):

    • Pattern: Type “rm /data/system/gesture.key”
    • Password: Type “rm /data/system/password.key”
  • Now restart the phone and if asked for a pattern or password just enter anything ;)

I think this is basically a bug/security issue in the android operating system, because guest users should not be able to select ‘Allow untrusted sources’ in the device options. On the other side I think android device manger should allow us to reset the pattern/password… Of course now its simple the backup the data and factory reset the phone (if you don’t trust the installed tools). Note however that factory reset might not delete everything in this case (as the phone was rooted), the safe choice would be to install a new firmware file.


Some things are done now:

Most of these projects can be used as normal libraries and are not specific to the XMPP server implementation. Especially Yaaf.AdvancedBuilding helps me to keep my build scripts clean on all these (and more) projects. The next step is to implement server dialback and replace the current prosody server on yaaf.de. After this I need to look into adding clients and notifications.

While releasing Yaaf.Xmpp as open-source I fixed various bugs and added new features to open source tools to make everything work flawlessly:

As a result F# Formatting does now support C# (currently with some minor limitations / bugs).

Additionally I started to maintain RazorEngine, which apparently almost died a slow death. The main reason I decided to maintain it was that the awesome F# Formatting decided to switch away to another template library when Razor seemed to be a perfect fit (I used and modified some templates already). Additionally if you look around there is no better Razor library available than RazorEngine. Now that is even more true as I have added

  • Travis and AppVeyor CI to execute the huge number of unit tests
  • complete mono compatibility
  • Documentation with F# Formatting (And for integration testing)
  • bugfixes for all open bugs/issues
  • a Razor-2/net40 (initially for F# Formatting compatibility, now they switched to net45) and a Razor-4 build
  • roslyn compiler support

Once roslyn is released RazorEngine will get an huge performance boost for first time compilations.

Finally, while cleanup up my project folder, I found an old project named IrcDotNet For which I had some open bugfixes used for an older project. So I decided to use the project to test the new F# Formatting changes and build a documentation for it. Because I was already on the build script and used a ProjectScaffold template adding AppVeyor and travis were basically free so I added them as well. At this occasion I contributed my outstanding patches and the author switched to github :).

New Website

The first step is done!

Finally I found some time to convert the outdated PHP website (once again thank you Simon) to F#. At first I planned to use ASP.net MVC but after some testing it was really easy to get Nancy running on mono. Because of experience of making ASP.net working on mono in the past I decided to stick with the “light” but (for now) very stable and good working solution.

With this first step done, and most of the release steps automated I will try to Introduce a lot of new features to this website in the future:

  • Add Registration into the site.
  • Add Chat History (and allow edit).
  • Manage some advanced chat settings.
  • Request re-sync of your IMAP History.
  • Blog?
  • Simple “Safe-Picture” service (protect pictures with capture)
  • Muact?
  • Add JavaScript-Chat client to the site (via Yaaf.Xmpp, test for JavaScript library)
  • Admin page for server management?

The time will tell if I find enough time to do all those features. The beta and automatically updated version (on every “working” commit) of this site can be found here. The Version numbers on the bottom right will tell you if there is an actuall difference between those two.