User Manual

Lockscreens Decoding

Andriller has the means of decoding pattern locks, and cracking PIN codes and Passwords.

Pattern, PIN and Password Cracking These features require a little more processing power, so are best to be performed locally on your own machine. The methods are explained below.

Get Salt from... Salt is an integer value, which is required for cracking the passwords. Salt can be positive as well as negative integers. The salt value can be obtained by parsing setting.db or locksettings.db files; when successfully fetched, the Salt value will be printed into the main terminal window.

Gesture Pattern Decoding

To decode a Pattern lock, click [Browse] and select the gesture.key file located at /data/system/gesture.key on your Android device.

Else, just submit the gesture pattern hash (hexadecimal string of the gesture.key file), and click [Decode].

When decoded, the pattern will be shown as a sequence list. When Pattern is filled, click [Draw] and the pattern displayed in a visualised form.

Right-click on the drawn pattern to save is as a PostScrip file.

Tip: if you wish to draw a pattern but don't have a gesture hash key or value, you can double-click on the disabled Pattern field, this will re-enable the field for editing. Enter the pattern in a form of a list, and click [Draw]. The pattern will be drawn, which can be saved as a file.

Lockscreen PIN code cracking

  1. Select start and max value of the PIN code. By default, the max value is set to 9999, increase if required
  2. Enter the value of password.key file
  3. Enter the salt value as an integer
  4. Press Start for cracking to begin

Once Start is clicked, a percentage progress will be displayed.

You can pause and resume cracking at any time. Last tried PIN will be shown just to let you know how far you've gone.

Also includes Samsung cracking, which uses different type of password hashing than other Android vendors.

Lockscreen Password cracking

  1. Click Browse and select a word list file (recommended word list files to download from crackstation.net)
  2. Enter the value of password.key file
  3. Enter the salt value and an integer
  4. Press Start for cracking to begin

Once Start is clicked, tried password will be displayed while cracking.

You can pause and resume cracking at any time, just like with PIN cracking.

Also includes Samsung cracking, which uses different type of password hashing than other Android vendors.

Lockscreen Password brute force

  1. Select the maximum length of a password
  2. Select characters believed to have been used in the password. Select combinations of lower/upper case characters, digits, or custom characters
  3. Enter the value of password.key file
  4. Enter the salt value and an integer
  5. Press Start for cracking to begin

This cracking method cannot be paused/resumed like with other methods.

Decrypt Encrypted Databases

Andriller supports decryption of encrypted WhatsApp databases:

  1. msgstore.db.crypt
  2. msgstore.db.crypt5
  3. msgstore.db.crypt7
  4. msgstore.db.crypt8
  5. msgstore.db.crypt9
  6. msgstore.db.crypt10
  7. msgstore.db.crypt12

Plain Crypt (msgstore.db.crypt) The encrypted database is automatically decrypted into an SQLite3 database. Browse and select the encrypted file, Andriller will decode to a new file in the same directory.

msgstore.db.crypt ==> msgstore.db

Crypt5 (msgstore.db.crypt5) To successfully decrypt this type of database, an email address is required, which is synchronised with the Android device. Browse and select the encrypted file, you will be prompted to enter the email address. Once successful, it will decode to a new file in the same directory.

msgstore.db.crypt5 ==> msgstore.db

Crypt7-12 (msgstore.db.crypt7-12) To successfully decrypt this type of database, an encryption key file is required for the following location: '/data/data/com.whatsapp/files/key' <-- absolute path 'apps/com.whatsapp/f/key' <-- from Android backup This file should be automatically extracted during normal Andriller extraction (root and AB), and saved in the 'db' folder of the extraction

Browse and select the encrypted file, you will be prompted to browse and select the key file next. Once successful, it will decode to a new file in the same directory.

msgstore.db.crypt7 ==> msgstore.db

Decode & Merge Multiple Database

Facebook This utility will decode multiple Facebook databases and produce combined messages on one report (without duplicates). This is useful if attempting to combine "threads_db2" databases from com.facebook.katana and com.facebook.orca applications directories.

WhatsApp This utility will decode multiple WhatsApp databases and produce combined messages on one report (without duplicates). Use recovered (from /data/data/com.whatsapp) and decrypted backup databases (such as decrypted msgstore.db.crypt8 from /sdcard/WhatsApp/Databases).

Tools

Andriller has a feature to unpack Android backup files from Android versions 4.x and above.

AB to TAR Converts backup.ab file to Tarball.

backup.ab ==> backup.ab.tar

AB to folder Converts and extracts backup.ab to a folder.

backup.ab ==> backup.ab_extracted/

Screen Capture

New Feature for Andriller - take screen captures.

Supports Android devices version 4.x and above. Screen captures are saved at same resolution that the device display supports. Generate a report from taken screen captures. Add notes to taken captures.

Configurations (Preferences)

Configation preferences is located at File > Configurations

  • Default Output path - this is the location where Andriller defaults its OUTPUT location for extractions and database decoding.
  • Cracking update rate - for Lockscreen cracking, every this amount of passwords tried the Andriller window will update the progress. The lower the number, slower cracking performance will be.
  • Samsung type cracking will be lower by factor of 1000 due to more complex password encoding used.
  • Offline mode - for every time Andriller starts it checks for the latest version. This step can be skipped by setting Andriller offline. This may speed up application's startup.
  • Window size - this set Andriller log window to "Small" (12 lines) or "Regular" (20 lines). Smaller window size are better fit on Netbooks and smaller resolution monitors.
  • Auto save log - when an extraction is complete, the items in the log will be automatically saved in the output folder under name "andriller.log".

Cookies disclaimer

I agree Our site saves small pieces of text information (cookies) on your device in order to deliver better content and for statistical purposes. You can disable the usage of cookies by changing the settings of your browser. By browsing our website without changing the browser settings you grant us permission to store that information on your device.