Android Forensics – Bypassing Passcodes by Flashing Recovery Partitions

Jun 03, 2016




This practical was conducted on a Samsung Galaxy Exhibit T599n MetroPCS phone. Although this method works on this particular Android phone, it is not guaranteed to work on all Android phones.


Ensure the following are downloaded and saved to the computer where the phone will be acquired:


·         Android SDK Platform Tools

·         Odin v3.04 custom firmware flashing utility

·         Latest TWRP recovery ROM

· app

Ensure a micro SD Card is available to store and install the app.


To begin using a flash utility in order to install a custom recovery partition, remove a passcode, and obtain root privileges on a phone, perform the following actions:



The phone contains a PIN Code and USB Debugging is “off”.

Pic 1




Boot the phone into Download mode by holding volume down + the home key + the power key all at once.  Then plug the phone into the PC via USB.

Pic 2Pic 3





Start Odin V 3.04 and notice that the device is detected as indicated by the blue highlighted box labeled “0:[COM8]”.

Select the box named PDA (AP in newer Odin versions).

Pic 4

You should see the device listed due to a COM port connection. If not, make sure that the phone drivers are properly installed on the PC for the specific make and model phone. Disconnect and reconnect the phone to the PC until a COM connection is established.




Browse to the location where you saved your version of the TWRP recovery ROM.

Click Open.

Pic 5



Within Odin, the TWRP recovery ROM file will be listed in the PDA box (AP box in newer Odin versions). Keep the “auto reboot” and “F. Reset Time” boxes checked. Click Start.

Pic 6




Odin will automatically flash the TWRP image file to the phone and then finally finish with a green colored box with the word “PASS” inside.  The phone will reboot and you will be prompted to remove the phone from the PC.  If the process seems to hang, leave it alone and let it finish until you are prompted with a green “PASS” or a red “FAIL”.

Pic 7

If the process fails, then attempt it once more. If it still fails, then try another TWRP recovery ROM and/or another version of Odin. This is where research and trial and error come in!

NOTE – Newer phones require the “Auto Reboot” option to be unchecked. Many devices will replace your custom recovery with the stock recovery automatically during first reboot. To prevent this, use Google to find the proper key combo to enter recovery. During manual reboot, hold the key combo and boot to TWRP. Once TWRP is booted, TWRP will patch the stock ROM to prevent the stock ROM from replacing TWRP. If you don’t follow this step, you will have to repeat the install.


Disconnect phone and turn it off.  Then restart the phone into Recovery mode by holding the volume up key + the home key + the power key all at the same time.  When you notice the phone vibrate release the power key while still holding the volume up and the home key.  The phone will now be booted into the TWRP Recovery Operating System.

Pic 8





Under the “Advanced” tab in TWRP select “File Manager” and browse to the /data/system folder of the file system. In the /data/system area of the phone, scroll down until you locate the password.key file and select it.

Pic 9


Note – Depending on the make/model phone, this file may be called something else, but it usually a derivative of password (i.e. passcode). A pattern lock would have a gesture.key file. This should be researched before attempting this process as to not delete the wrong file.




Select Delete on the option screen.

Pic 10



Swipe to confirm the deletion of the password.key file.

Pic 11

You have now successfully removed the phone’s passcode!




Prepare the Micro SD card by copying the file to it.  Remove it from your computer and insert it into the phone’s micro SD card slot.  While still in TWRP, navigate back to the Home menu and then select the Install tab.  Then select the Micro SD Card in the storage tab.  Select

Pic 12

Note – If you do not see your zip file listed under the /external_sd card list, then the SD card is not mounted. Return to the Home menu in TWRP, select Mount, and select SD Card. Repeat this step again.




Swipe to confirm flashing the zip file and thus installing the SuperSU app to the phone.

Reboot the phone as normal into the normal operating system.

Pic 13





Notice the start-up screen. There is no longer a prompt to enter the passcode.

If a passcode or pattern grid still display, then enter any number or swipe any pattern to unlock the phone.

Pic 14



Enable Super User (Root) privileges by going to Menu>SuperSU and launching the app.

Pic 15




Select Grant. This will give Super User (Root) privileges to the ADB Shell.

Go into Settings and select Grant as the Default Access.

Pic 16




Enable USB Debugging by going to Menu>Settings and then select “About Phone”.  Tap on the build number 7 times to enable Developer Options.  Once Developer options are enabled turn them on and check the boxes “USB Debugging” and “Stay Awake”.

Pic 17





Plug the phone into the PC to verify that the phone has been rooted.  At this point ADB commands can be issued via the Android SDK running in a Windows command terminal.

Open a command terminal from the folder containing the adb.exe program by holding Shift+right-click in the window where adb.exe is saved. Select Open command window here.

Pic 17

The resulting command terminal will open:

Pic 18



Type the command adb devices and press Enter to ensure that your device is properly recognized.

If not, make sure USB Debugging is enabled. Disconnect and reconnect the phone to the PC and run adb devices again.

Pic 19



Type adb shell. Press Enter. Make sure you have root privileges denoted by the # sign. You may also have to run the su command to elevate your privileges as well.

Pic 20


The “#” sign is now displayed. You have root privileges and the ability to go anywhere in the phone’s file system and run any command you wish. This includes imaging the phone’s memory.


The phone is now unlocked, rooted, and ready to be imaged using the dd command utility or forensic software of your choice.


Post by Pete McGovern

Comments are closed.