Monday, December 07, 2015

Recover a Locked Android without data loss

Since I had to recover a Samsung Note 3, all the steps mostly lean towards Samsung phones.

Scenario

  • Password forgotten! (you may think that this cannot happen to you, but it surely can! :-) )
  • Android Device Manager password reset doesn't work (and it didn't, BTW! At least I could give this a try, as WiFi was on)
  • Phone not registered with Samsung Recovery (good that they have an alternative to ADM! Unlike ADM, you need to explicitly register your device; the one I was handling wasn't registered)
  • Un-rooted phone, with stock Android recovery
  • USB debugging disabled!

For the impatient

TL;DR summary
  • Install Samsung CDC drivers
  • Get the right device code (this one is ha3g)
  • Get the right custom recovery image (TWRP or CWM)
  • Use a firmware flashing utility which works for you (Odin or Heimdall)
  • Flash the recovery image.
  • Boot into recovery mode, and delete the password files.
That's it!

Details

But,... the devil is in the details!

USB drivers

Get the Samsung CDC drivers and make sure your OS detects the phone. (If you are on Windows 10 and want to connect with ADB: Samsung doesn't have ADB drivers for Windows 10!)

Device Code Name

Now, this is one confusing thing! All the custom ROMs refer to/name their images by the phone's code name.
The Samsung Note 3, for e.g., has multiple versions: the Sprint, Verizon and International ones. At first glance it might seem like "Ah! I bought it in India, and it's not tied to any carrier, it must be International"... sorry! Not that simple: you should know the correct CPU and model (in this case the version is ha3g and the CPU is called Exynos, though it's not mentioned anywhere on the box or manuals! The model is N900; this one is easy, it shows up when the phone starts up).

Firmware Flash utility

2 choices here:
  • Heimdall (FOSS, available on GitHub. Binary packages for both Windows and Linux available)
  • Odin (Leaked [from Samsung] Windows application)

Tryst with Heimdall

Since I have a love for FOSS, I was hell-bent on getting Heimdall to work, and it has a cool command line! I downloaded and built the latest version from source (on Ubuntu 14.04). But it didn't work! I could not figure out what the problem was. Tried the Windows binaries too, and both USB 2.0 and 3.0 ports (with the 3.0 port it wouldn't even detect the phone!)
(The good part of trying Heimdall: I got to know a little bit about partitions and the PIT [Partition Information Table].)
A note on USB versions, if you do not know how to recognize the ports: peep into the USB socket; BLUE means 3.0 and YELLOW is 2.0.

Odin, finally

Odin is supposedly very picky: picky about the port, the cable etc. From what I read, if the phone is not detected on one port, try changing to another port and try a different cable (in my case I had the original USB cable that came with the phone, and it was a USB 3.0 one; it got recognized instantly).
Odin's messages and the UI aren't too friendly either!

Custom recovery image

Here, again there are quite a few choices:
  • ClockWorkMod (CWM) - Development Ceased
  • Team Win Recovery Project (TWRP) New and cool
  • CyanogenMod Recovery (CR)
I could not find a CWM image for ha3g (though I could not find one for hltexx - not Exynos!). CR is still new! Initially I tried with whichever version of the TWRP image I could get, but Odin wouldn't flash it! It would give this error message:
NAND Write Start!! 
FAIL!
At first I thought it had something to do with the NAND flash storage! But after a lot more research I found that it could be due to the type of image being written. I had to do 2 things to be able to flash successfully:
  1. Get the latest TWRP (2.8.6.0 recovery image, bundled as a .tar)
  2. Extract the .img from the .tar and convert it to a .tar.md5 (I found a script on XDA forums which did this)
And, finally, Odin could flash the image to the phone!
You must put the phone into Download Mode to write to flash; on Samsung that is achieved by pressing the Volume-Down, Home and Power keys together.
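The .tar.md5 conversion in step 2 is just the packaging convention Odin expects: a plain ustar archive holding recovery.img, with the output of `md5sum` on that archive appended after the archive's last block, which Odin checks before it writes anything. The Python below is added here as an illustration; it is not the XDA script the post refers to. It builds such a package in memory from a constructed 2 KB dummy image and verifies one, so a corrupted or truncated download is rejected before it ever reaches the flash step. The function names and the sample image are my own.

```python
import hashlib
import io
import re
import tarfile

TAR_BLOCK = 512  # a tar archive is always a whole number of 512-byte blocks


def build_tar_md5(img_bytes: bytes, member_name: str, archive_name: str) -> bytes:
    """Package a raw image the way Odin wants it: a ustar archive whose member
    is the image (e.g. recovery.img), followed by the text that
    `md5sum -t <archive_name>` would print for that archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(img_bytes)
        tar.addfile(info, io.BytesIO(img_bytes))
    archive = buf.getvalue()
    digest = hashlib.md5(archive).hexdigest()
    # md5sum's text format: 32 hex chars, two spaces, the file name, newline.
    trailer = f"{digest}  {archive_name}\n".encode()
    return archive + trailer


def split_tar_md5(data: bytes):
    """Return (archive_bytes, trailer_bytes). Because the archive ends on a
    512-byte boundary, everything past the last full block is the md5 line
    (this assumes the trailer itself is shorter than one block)."""
    archive_len = (len(data) // TAR_BLOCK) * TAR_BLOCK
    return data[:archive_len], data[archive_len:]


def verify_tar_md5(data: bytes) -> dict:
    """Check the appended digest against the archive and list its members."""
    archive, trailer = split_tar_md5(data)
    m = re.fullmatch(rb"([0-9a-f]{32})  (.+)\n", trailer)
    if not m:
        return {"ok": False, "reason": "no md5sum trailer after archive"}
    expected = m.group(1).decode()
    actual = hashlib.md5(archive).hexdigest()
    if expected != actual:
        return {"ok": False, "reason": "md5 mismatch",
                "expected": expected, "actual": actual}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getnames()
    return {"ok": True, "name": m.group(2).decode(), "members": members}


if __name__ == "__main__":
    # Constructed stand-in for recovery.img: 2 KB of a repeating byte pattern.
    sample_img = bytes(range(256)) * 8
    package = build_tar_md5(sample_img, "recovery.img", "recovery.tar")
    print("built package:", verify_tar_md5(package))

    # Flip one byte inside the image content: the digest no longer matches.
    damaged = bytearray(package)
    damaged[600] ^= 0xFF
    print("damaged package:", verify_tar_md5(bytes(damaged)))
```

The member name inside the archive (recovery.img) is what Odin uses to pick the target partition, so keep it exactly as extracted from the TWRP .tar; the name after the two spaces in the trailer is only informational.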

Recovery mode

You need to know how to get to recovery mode first: press down Volume-Up + Home + Power and hold till the logo flashes (do not confuse this with Download Mode!)
The catch here is: though we flashed the TWRP recovery, the phone tries to be smart and replaces it with the stock recovery if you let it reboot by itself! The remedy is to boot into TWRP immediately after the flash, i.e., once flashed, do not let it restart normally (un-check Auto-Reboot in Odin).

Ah, TWRP!

Now, this is cool! If you have ever seen the default Android recovery and then compare it with TWRP, it's like comparing age-old feature phones to the modern-day touch phone! TWRP has a touch interface and neat buttons; you can pretty much get by without reading any manuals, thanks to the neat, simplified UI.
Play safe
The first thing I did after I could get to TWRP was to insert a microSD card and take a backup of the data, so that I could continue my R&D (it takes a NANDroid backup, which it can restore).
Recover/Remove?
I tried to pull out locksettings.db and run some SQLite queries to get the MD5-encoded password and salt. At this stage, I didn't want to go any further. So I came back to TWRP and deleted the 2 key files /data/system/password.key and /data/system/gesture.key (though I knew it was password-locked and not gesture-locked). On reboot: no password! :) Nothing lost; all contacts and data intact.

Thanks

  • To this post for motivation! (so many Samsung service centers told me that it's not possible, and that a factory reset [with data loss] is the only option!)
  • To this guy for the script
  • For many other detailed posts, step-wise procedures and YouTube videos which Android lovers have patiently put together.
  • And, of course to TWRP! I donated $15 towards the development (~1K/-)

1 comment:

BK said...

Very useful info. Thanks for sharing.