Related
Follow these steps to dump all of your phone's memory. What use is this? It can be used to locate your MSL code if other methods fail. This method should work even if your phone is "bricked". This could potentially be used to retrieve lost information. At the very least it contains all your texts.
I am also currently exploring a possible security fail on the part of android/google. My phone dump contains my google account password in plain text....not just once. It has my password in plain text over 120 times. I am investigating how this could be. My google password is unique to that one account, and it is paired with my google login in the phone dump. I have not input the password in any other place outside of when I first setup my phone. I have not input that password in any app or browser. You may want to check if your login credentials are also being mishandled and possibly logged.
Phone Dump: (portions of this were taken from the PRL guide)
Connect your phone to your computer using a USB cable.
Open Device Manager.
Ports > LGE Android Platform USB Serial Port > Properties > Port Settings > Advanced > COM port number
Make a note of your COM port number.
Download and install QPST v2.7.
Open "QPST Configuration".
In the "Ports" tab, if your com port isn't listed, select "Add New Port" and write in your com port as "COM#" (# being the number you noted in step 4). Verify that your com port is listed.
Make sure your phone appears in the the "Active Phones" tab.
Run the "Memory Debug" program from QPST.
With your phone connected via USB and selected via the "Browse" button, press "Get Regions".
This will reboot your phone into "Download mode". You will most likely lose the connection to your phone because download mode uses different drivers and possible a different port. Go into device manager -> Ports (COM & LPT) and find your phone's new COM port.
Go into the QPST configuration and setup the new port.
Go back to the "Memory Debug" program, browse for your phone again, and select "Get Regions" again.
This time it will show you a bunch of options. Leave them all checked and select "SaveTo" and pick an empty folder to dump your phone memory to. This will take up a little over 500 megs.
It will take a good amount of time to finish (possibly 30 min to an hour).
When you are done, you will have the following files:
Code:
adsp_rama.bin, adsp_ramb.bin, adsp_ramc.bin, adsp_rami.bin, mdsp_rama.bin, mdsp_ramb.bin, mdsp_ramc.bin, mdsp_regs.bin, load.cmm, ebi_cs0.bin, and ebi_cs1.bin
If you want your MSL code, open ebi_cs0.bin with a hex editor. Look at the following HEX addresses:
Code:
0162ABCE
01BA6BDC
Both should contain your 6 digit MSL code in plain text.
If you want to find your ESN:
Code:
0104B5C2
What is more interesting is when you search in both ASCII and Unicode for your google account password in ebi_cs0.bin and ebi_cs1.bin. This is a raw dump of your phone memory. It will contain your contact list and other person information, but I see no reason for your account password to be logged in plain text. Another user has already reported finding his password using this technique. Please search for yourself and report back what you find. My guess is that this is not unique to the Optimus V.
Update:
I changed my account password. My phone then prompted for my new password. I entered it in. I then synced my contacts, rebooted, and then dumped the contents of my phone. My new password was in there in plain text twice. The old password was still there too. Something is logging my internet traffic or my keyboard inputs.
I can confirm my email address and password are together in plain text in multiple locations. I don't know much about mem dumps, but it appears to indicate it is google's sync service:
ebi_cs1.bin
0D565490 .... 8 NOOP..TCH 48(
0D5654A0 .... UID FLAGS)...."p
0D5654B0 .... assword"........
All other instances were preceded by imap or smtp.
JerryScript said:
I can confirm my email address and password are together in plain text in multiple locations. I don't know much about mem dumps, but it appears to indicate it is google's sync service:
ebi_cs1.bin
0D565490 .... 8 NOOP..TCH 48(
0D5654A0 .... UID FLAGS)...."p
0D5654B0 .... assword"........
All other instances were preceded by imap or smtp.
Click to expand...
Click to collapse
Thanks! With you that makes 3 of us to experience this. The address for the password(s) are different for me which is expected. Where as the MSL code would be located in a certain unchanged portion of the phone, this mysterious log would constantly be changing and could even be fragmented over the flash drive. I don't have (UID FLAGS) anywhere in either file.
What I also have is many Groove IP references with my Groove IP related google login and password. This looks like it is capturing it as internet traffic. I don't see why Google or Groove IP would log a password they both have encrypted access to.
mmarz said:
Something is logging my internet traffic or my keyboard inputs.
Click to expand...
Click to collapse
It's the keyboard. The OS isn't logging your passwords, at least as far as I can tell. If you select a different keyboard than the default, you will see a security warning popup which says that the keyboard can log everything, including your passwords. Well, this is normal, because softkeyboards need to be able to store words you enter into their dictionary/history to enhance their spelling and prediction. This is why your old password is still there after you changed it, and why they are stored in plaintext (because dictionaries are never thought to be encrypted).
Whether or not the softkeyboard is storing "words" that your entered in password fields in plaintext is not an Android security hole, it's the keyboard's, so complaints and/or advisories should be directed to them. They should at least give us the option of marking password fields as something not to store, and if we do want them remembered, for jimminey cricket's sake store them in a separate encrypted dictionary.
obijohn said:
It's the keyboard. The OS isn't logging your passwords, at least as far as I can tell. If you select a different keyboard than the default, you will see a security warning popup which says that the keyboard can log everything, including your passwords. Well, this is normal, because softkeyboards need to be able to store words you enter into their dictionary/history to enhance their spelling and prediction. This is why your old password is still there after you changed it, and why they are stored in plaintext (because dictionaries are never thought to be encrypted).
Whether or not the softkeyboard is storing "words" that your entered in password fields in plaintext is not an Android security hole, it's the keyboard's, so complaints and/or advisories should be directed to them. They should at least give us the option of marking password fields as something not to store, and if we do want them remembered, for jimminey cricket's sake store them in a separate encrypted dictionary.
Click to expand...
Click to collapse
There are a few reasons I don't buy this as being the cause.
Where would this unencrypted keyboard log be? I have data2ext going. My password was found on my internal phone partition. Whatever is doing this has permission to modify files outside of the data folder.
My password was present repeatedly. Even when I changed my password, it appeared twice even though I had only entered it once.
You have to manually select when you want to add words to the dictionary, otherwise all your misspelled tweets would be added. In password fields, this is not possible because only a single letter is inputted at any given time. No word is ever developed.
My other passwords are not in this log file. For example, my titanium backup password that I have to constantly use when I restore backups is not in here. Also my internet search phrases and other relevant items that I have typed in.
Update:
I just got this from KSmithInNY:
http://androidcentral.com/android-passwords-rooted-clear-text
Any app with root access has the ability to get your google credentials because android stores them in plain text. Wonderful!
mmarz said:
I just got this from KSmithInNY:
http://androidcentral.com/android-passwords-rooted-clear-text
Any app with root access has the ability to get your google credentials because android stores them in plain text. Wonderful!
Click to expand...
Click to collapse
Use the 2-step verification for your Gmail account and also set up an application specific password for your android device.
http://www.youtube.com/watch?v=zMabEyrtPRg
csrow said:
Use the 2-step verification for your Gmail account and also set up an application specific password for your android device.
http://www.youtube.com/watch?v=zMabEyrtPRg
Click to expand...
Click to collapse
Wouldn't this mean that you have to enter a verification code when entering your normal password, but if malware were to steal your application specific password that you created just for your phone, they could access your account using it and bypass the verification process?
Application specific password will only work on that phone. If you lose your phone, you can revoke that password for that phone which will block the access.
csrow said:
Application specific password will only work on that phone. If you lose your phone, you can revoke that password for that phone which will block the access.
Click to expand...
Click to collapse
No, they work on any device. There is no way for google to know what device is using it. You personally assign them for that phone, but if the password were to be stolen, then it can be used on any device. Also, if your account were to be compromised, you wouldn't know which password was stolen. With each application password you create, you are allowing another passcode that can be used to access your account. This seems very unsafe.
Update: I just tested this and I am right. I can use the same application specific password on all my apps and phones. So if this password were to be stolen, anyone could use it to login to my account. This is a major fail on the part of google....again.
Update2: Application specific passwords can be used to create login tokens. That means you can use a program like trillian to log into your gtalk using it, and then use the login token it produces to get access to your main google account through a web interface.
Well, that completely defeats the purpose of 2-part authentication. Oh well.
I hope you've reported this security hole... because obviously the intent is to be more secure than it actually is.
Which hole are you referring to? How google's two step verification is worthless because of one step passwords they force you handout to automated login apps? How Android's own password storage system keeps passwords in plain text and protects it by setting the file permissions to "please don't read this"? Or are you taking about how putting all these issues aside, I can still see my password in plain text in some sort of data capturing log that I found in a data dump of my phone's internal memory?
If you are talking about the last one, I'm still trying to find out exactly where the password is being stored in the dump and by what process. I've been searching through my phone's internal memory while it is on, but I can't seem to find it. I also want to rule out malware or something stupid that I might be doing before I start yelling about the sky falling. If more of you guys try this out, maybe we can rule out malware since all of us can't have the same bug. It really can't hurt your phone to dump it. It only takes 40 mins of your time.
(The more I learn about this stuff, the angrier I get.)
so after 3 tries i was able to dump the memory and after hours of searching i cant find my mn_aaa or mn_ha shared secrets,does anyone know the location of these? i have tried qxdm and after sending the spc i send
requestnvitemread ds_mip_ss_user_prof
and i get
22:53:26.203DIAG RX item:
22:53:26.203requestnvitemread - Error response received from target.
or is there another way to find them?
ummkiper said:
so after 3 tries i was able to dump the memory and after hours of searching i cant find my mn_aaa or mn_ha shared secrets,does anyone know the location of these? i have tried qxdm and after sending the spc i send
requestnvitemread ds_mip_ss_user_prof
and i get
22:53:26.203DIAG RX item:
22:53:26.203requestnvitemread - Error response received from target.
or is there another way to find them?
Click to expand...
Click to collapse
Any luck? I have the same issue with the Optimus V, e.g. I used another phone and reading the NV item was no issue. Seems to be specific to the LG.
srmuc69 said:
Any luck? I have the same issue with the Optimus V, e.g. I used another phone and reading the NV item was no issue. Seems to be specific to the LG.
Click to expand...
Click to collapse
well i think ive gotten further with qpst i opened service programming and put in my spc read the phone then saved to file. i double clicked the file and a viewer opened and i viewed it in text format i seen alot of nv items there but have yet to figure out which ones they are.
ummkiper said:
well i think ive gotten further with qpst i opened service programming and put in my spc read the phone then saved to file. i double clicked the file and a viewer opened and i viewed it in text format i seen alot of nv items there but have yet to figure out which ones they are.
Click to expand...
Click to collapse
Any luck? I did the same thing but as I have read in many other blogs the LG Optimus V times out in qpst, so did mine too.
I still have information in the file and I found the NV_ITEM_ARRARY in the file. What I do not know is how that array is built, e.g. is there a developer guide for CDMA phone where they detail the information. I was looking for the 1192 nv item and it should start wit the length like 0A for 10 digits of the AA Password. No luck so far without knowing what the bytes are and from just locking for 0A you get tons of hits.
What are you guys trying to accomplish? What is that code used for?
The dump should contain everything that is in the phone's memory. If the code is not encrypted or compressed in any way, it should be in there. The problem is that if you don't know the code, then you can't look up its location. Kind of a catch 22.
mmarz said:
What are you guys trying to accomplish? What is that code used for?
The dump should contain everything that is in the phone's memory. If the code is not encrypted or compressed in any way, it should be in there. The problem is that if you don't know the code, then you can't look up its location. Kind of a catch 22.
Click to expand...
Click to collapse
I'm trying to get the NV_ITEM 1192 and 466 from the LG Optimus V which is on Virgin Mobile. When I do that with CDMA Workshop it says access denied once you save the file. Now I'm tyring to find what these values are on my LG Optimus V. Do you think the dump will have this and how would I go to find the NV ITEMs, e.g. in which file are they and at what hex position?
srmuc69 said:
I'm trying to get the NV_ITEM 1192 and 466 from the LG Optimus V which is on Virgin Mobile. When I do that with CDMA Workshop it says access denied once you save the file. Now I'm tyring to find what these values are on my LG Optimus V. Do you think the dump will have this and how would I go to find the NV ITEMs, e.g. in which file are they and at what hex position?
Click to expand...
Click to collapse
yeah the dump should have all nv items.the hard part is figuring which ones are which.
mmarz said:
What are you guys trying to accomplish? What is that code used for?
The dump should contain everything that is in the phone's memory. If the code is not encrypted or compressed in any way, it should be in there. The problem is that if you don't know the code, then you can't look up its location. Kind of a catch 22.
Click to expand...
Click to collapse
well the mnha and mn aa are paswords needed to get your data working when you want to use a different phone ie the Samsung Epic on virgin mobile.you can clone all info from the optimus v to the epic but with out those password data will not work.i may not be inclined to do this anymore since the motorola triumph is coming out.meaning i wont need to find a better phone and clone this one.
There's quite a significant security flaw in Google wallet at the moment.
Going into application settings and then clearing data for wallet is the same as resetting wallet from within the application, without having to enter a pin. Know what that means? You're able to set up a new password and have access to your prepaid card.
That's right. If a tech-savvy thief has your phone and you don't have a passcode on the lockscreen (possibly because Google's implementation of passcode stuff sucks) or the screen hasn't timed out yet, the thief will have access to whatever funds remain on your Google prepaid card, regardless of the pin you set in the application.
This is yet another reason why Google needs to add the ability to lock out INDIVIDUAL applications with a code or face recognition, not just the friggin' lockscreen. If someone gets your phone after you've entered your lockscreen code/pattern, they have free reign over the device as long as the screen is on. Third party software for this purpose just doesn't work very well at this stage. This functionality needs to be integrated into the OS. Sorry for going off on a tangent.
Basically:
1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.
That's a good point I don't know if Google wallet is supposed to more secure than a credit card.
If some one steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google wallet.
Or I'd just remotely wipe the phone , so they have none of your information on your phone .
Sent from my Galaxy Nexus using XDA App
bigmike2424 said:
That's a good point I don't know if Google wallet is supposed to more secure than a credit card.
If some one steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google wallet.
Or I'd just remotely wipe the phone , so they have none of your information on your phone .
Sent from my Galaxy Nexus using XDA App
Click to expand...
Click to collapse
Any actual cards that you add to Wallet will of course be removed, but the Prepaid card will still work. How easy would it be to suspend transactions with Google?
Ouch... report it!
Greets
____________
mDroid - Tapatalk
Phone: LG-P500
ROM: Nitrogen - Beta-V1b
Kernel: custom .35
Theme: ICS (Z25 - paid. ported by me )
Tweaks: ALL
Wishlist: Galaxy Nexus
You have to have a passcode to use the wallet feature. I am not following this at all seriously.
To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/Passcode before swyping.
The only way for a thief to get access is to take your phone while its in your hand and the screen is open but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.
Try it.
Ronin09 said:
You have to have a passcode to use the wallet feature. I am not following this at all seriously.
To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/Passcode before swyping.
The only way for a thief to get access is to take your phone while its in your hand and the screen is open but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.
Try it.
Click to expand...
Click to collapse
You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.
Ronin09 said:
You have to have a passcode to use the wallet feature. I am not following this at all seriously.
To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/Passcode before swyping.
The only way for a thief to get access is to take your phone while its in your hand and the screen is open but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.
Try it.
Click to expand...
Click to collapse
try this:
open clear google wallet data, run google wallet again.
it will prompt you for new passcode and link it to the google account on your device.
of course, all the credit card info is wiped, but your google prepaid card can still be added without passcode, so whatever remaining balance you have on it will be usable by whoever activate it
Ronin09 said:
You have to have a passcode to use the wallet feature. I am not following this at all seriously.
Click to expand...
Click to collapse
The OP explains it perfectly.
Evangelion01 said:
1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.
Click to expand...
Click to collapse
That means anyone who gets your phone, even while it's turned off, can follow these steps to remove whatever pin you have set. They can then set up Google Wallet with their own pin and add your prepaid card with all its funds back onto the app and start using it.
To be safe, you'll need to set your lockscreen to use one of the other security types such as pin, pattern, or password, and then hope nobody gets ahold of your phone while the phone itself is unlocked. I don't find face unlock to be very safe at all so I won't even recommend it for protecting Google Wallet funds.
to add some other failure of google wallet...somehow ur wallet gets registered w/ ur device...or that's how it looks like...i had a nexus s w/ wallet fully functional and about $12 left on the prepaid card...bought the GN and gave the NS to my wife...fully wiped the device, reinstalled the wallet and activated w/ my wife's account...guess what she got my remaining balance and when i activated mine on the GN i only got the $10...but to be 100% fair it could be something related with the fact that we're not really supposed to have this running on our phone...so might be something related to that, since my NS was on t-mobile and not sprint...hence i was running a "not approved" app...
Evangelion01 said:
You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.
Click to expand...
Click to collapse
I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.
did you submit this issue to google?
Elganja said:
I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.
did you submit this issue to google?
Click to expand...
Click to collapse
Nope. How would I go about doing that? Knowing Google, even if we were to inform them today there wouldn't be a fix for at least a month.
Still can't believe that after three years they haven't got a solution allowing you to passcode protect individual applications in the OS. Dumbphones could do that back in 2004!
Evangelion01 said:
Nope. How would I go about doing that? Knowing Google, even if we were to inform them today there wouldn't be a fix for at least a month.
Still can't believe that after three years they haven't got a solution allowing you to passcode protect individual applications in the OS. Dumbphones could do that back in 2004!
Click to expand...
Click to collapse
should be here: http://support.google.com/wallet/bin/static.py?hl=en&page=known_issues.cs (click on "let us know") but it isn't working for me atm
Elganja said:
should be here: http://support.google.com/wallet/bin/static.py?hl=en&page=known_issues.cs (click on "let us know") but it isn't working for me atm
Click to expand...
Click to collapse
No surprise there, then. Thanks for the link. Hopefully they'll fix it by Q2.
MIUI had a sweet security app based on individual apps. I would lock down my games cause my boy liked to get in there and press buttons aka delete my saves.
I don't know what process it would involve to port this over. But it would be a welcome one.
Galaxy Nexus - 4.0.3 CM9
Asus Transformer - 3.2 Revolver
I went ahead and emailed the relevant Google deparment about the issue. I'll keep you all updated if I get a response, but bear in mind that this is Google's rubbish customer service that we're talking about... I'm not getting my hopes up.
If you lose your phone just log into your Gmail and change the password. Problem solved.
bp328i said:
If you lose your phone just log into your Gmail and change the password. Problem solved.
Click to expand...
Click to collapse
Yes, problem solved if you can get access to an internet-connected device quickly enough.
Evangelion01 said:
Yes, problem solved if you can get access to an internet-connected device quickly enough.
Click to expand...
Click to collapse
I guess I just don't see it as big of an issue as you do.
I mean if you lose your real wallet you have to track down the phone numbers to your credit card companies and call then all one by one. It would be easier and quicker in this day and age to find an internet-connected device.
All my friends and family have internet-connected devices (smart phones) so I could change my Gmail password faster than I could call one credit card company, get through their phone system, get a live person on the phone and cancel the card.
When it comes to money, credit cards or any thing being use as either of the two there will always be flaws that someone will try to exploit. And with this flaw it can be correct/stopped by the end user within 5 - 10 minutes.
But seriously good find on this!
bp328i said:
I guess I just don't see it as big of an issue as you do.
I mean if you lose your real wallet you have to track down the phone numbers to your credit card companies and call then all one by one. It would be easier and quicker in this day and age to find an internet-connected device.
All my friends and family have internet-connected devices (smart phones) so I could change my Gmail password faster than I could call one credit card company, get through their phone system, get a live person on the phone and cancel the card.
When it comes to money, credit cards or any thing being use as either of the two there will always be flaws that someone will try to exploit. And with this flaw it can be correct/stopped by the end user within 5 - 10 minutes.
But seriously good find on this!
Click to expand...
Click to collapse
That's true, I was trying to look at the worst case scenario. The flaw itself is pretty serious, but the consequences wouldn't be that great yet. I've only heard of one person who had over $100 on their prepaid card, and I think there are extra measures in place when purchasing larger items? Not sure.
But something as simple as this certainly needs to be fixed before NFC payments go mainstream.
Evangelion01 said:
That's true, I was trying to look at the worst case scenario. The flaw itself is pretty serious, but the consequences wouldn't be that great yet. I've only heard of one person who had over $100 on their prepaid card, and I think there are extra measures in place when purchasing larger items? Not sure.
But something as simple as this certainly needs to be fixed before NFC payments go mainstream.
Click to expand...
Click to collapse
I agree it is simple and does need to be fixed. They could make a quick fix by having each app that is based off our Gmail accounts require the Gmail password re-entered when an app is setup and not just ask permission.
I used to be able to log in with my username moshiachnow. Today I tried to do that, but it kept prompting me to link my log in with a Google log in. It also had me pick a different user name. So now I have this extra log in, geulanow, and no idea how I can log into my previous account. I tried resetting the password, got a new password, but keep getting logged into geulanow instead.
What am I missing here?
Thanks.
When logging in, you must have pressed the red Google button next to the sign in area. You should instead press the > arrow next to the username/password entry. This will log you in after entering your details.
I've deleted your new account, and you still have your old @moshiachnow account.
Could you please make the design a bit more intuitive?! For example make two buttons, and label one "sign in" and the other "sign in with google".
When you are the designer of the site and therefore know how it's supposed to work, then it's easy. But if you are a user who sees this for the first time then there is absolutely no clue to figure this out, other than by luck / randomly pressing somewhere (which usually isn't a smart idea). I didn't even get, that this little arrow is supposed to be a butten. Thought it to be just a design element without any function.
Because of privacy issue I din't want to sign in with google and therefore started experimenting and searching to figure out an alternate way to log in without google. Took me about 15 Minutes to find this thread. Was near on giving up on xda an searching for an alternate forum.
Hello, as I am now aware after the fact, I did a lock boot loader 'factory' reset thinking that wiped he phone, I sold it, and now I guess it needs my login to proceed. Question 1 is, is there any bypass for this? 2. Is there a safe way to temporarily give him a temp password or something? Appreciate your help
I do have 2 step verify turned on
GHII said:
Hello, as I am now aware after the fact, I did a lock boot loader 'factory' reset thinking that wiped he phone, I sold it, and now I guess it needs my login to proceed. Question 1 is, is there any bypass for this? 2. Is there a safe way to temporarily give him a temp password or something? Appreciate your help
Click to expand...
Click to collapse
If you change you password now, he will have to wait 72 hours. So you could do that and you could give it to him over the phone, give him about two seconds to enter it and then you change it on your end.
Or you could do it with your current password, but you probably used it elsewhere.
But that is risky. He could just log in via computer and change it and own your account.
Can you meet him in person?
Or he sends it back to you.
Those are the only options I know of.
GHII said:
Hello, as I am now aware after the fact, I did a lock boot loader 'factory' reset thinking that wiped he phone, I sold it, and now I guess it needs my login to proceed. Question 1 is, is there any bypass for this? 2. Is there a safe way to temporarily give him a temp password or something? Appreciate your help
---------- Post added at 07:19 PM ---------- Previous post was at 06:53 PM ----------
[/COLOR]
TonikJDK said:
If you change you password now, he will have to wait 72 hours. So you could do that and you could give it to him over the phone, give him about two seconds to enter it and then you change it on your end.
Or you could do it with your current password, but you probably used it elsewhere.
But that is risky. He could just log in via computer and change it and own your account.
Can you meet him in person?
Or he sends it back to you.
Those are the only options I know of.
Click to expand...
Click to collapse
It's 24 hours now, instead of 72.
Click to expand...
Click to collapse
I've been in the same situation with previous my phone. My way around it was to enable 2-Step Authentication and give him my password and approve the login on my end immediately after that, I changed my password and didn't have to worry about him accessing anything from there.?
Sent from my Pixel XL
There is a workaround out there for marshmallow that may work on Nougat. I won't link it though, sorry. But if you search hard enough...
It's a security thing.
Rydah805 said:
I've been in the same situation with previous my phone. My way around it was to enable 2-Step Authentication and give him my password and approve the login on my end immediately after that, I changed my password and didn't have to worry about him accessing anything from there.?
Click to expand...
Click to collapse
Pure genius.
TonikJDK said:
Pure genius.
Click to expand...
Click to collapse
My daughter tapped my screen at the end adding the question mark lol but yeah, worked great. And once I changed the password, it logs the phone out. I of course had the password change ready at a click while reading him my old password.
Sent from my Pixel XL
Cant he just log in to his google account and go to his list of devices and remove that device from his google account ? If he removed it from his google account should not someone else be able to add their google account to it ? I"am curious on this to as I will be selling my one pixel xl as I got a 128 to replace it.
On Htc devices normally you can do a RUU and it will put it back to 100% stock removing your google account, but yeah this is no Htc unfortunately it is but its not lol.
M9guy said:
Cant he just log in to his google account and go to his list of devices and remove that device from his google account ? If he removed it from his google account should not someone else be able to add their google account to it ? I"am curious on this to as I will be selling my one pixel xl as I got a 128 to replace it.
On Htc devices normally you can do a RUU and it will put it back to 100% stock removing your google account, but yeah this is no Htc unfortunately it is but its not lol.
Click to expand...
Click to collapse
None of that will work.
It's called FRP. Factory Reset Protection. It is to stop exactly what you describe if someone steals it. Can't reset it and use it. You have to manually remove the Google account before you reset it and sell it.
TonikJDK said:
None of that will work.
It's called FRP. Factory Reset Protection. It is to stop exactly what you describe if someone steals it. Can't reset it and use it. You have to manually remove the Google account before you reset it and sell it.
Click to expand...
Click to collapse
Well yeah that is a given I figured besides removing your account from the device you had to log in to google.com and remove the device id from your google account on line.
TonikJDK said:
None of that will work.
It's called FRP. Factory Reset Protection. It is to stop exactly what you describe if someone steals it. Can't reset it and use it. You have to manually remove the Google account before you reset it and sell it.
Click to expand...
Click to collapse
I believe it will work. If he logs in to his google account on his computer he can find the devices attached to his account and remove that device id from his google account then the guy that bought the phone can remove his google account from the phone and put his own google account on the phone. The guy just needs to remove the device id off of his google account on line then the purchaser can add his own google account.
There's not a single response from original poster. I would give this one a wide berth with respect to suggestions by community dogooders.
Thanks for all the suggestions! I guess no bypass exists for the latest version of Nougat, I offered to pay shipping both ways so that I can properly wipe the phone, but he doesn't trust I will send it back?..hmmm..
Under devices in my Google Account I can "Remove account access", what will this do, this almost sounds like it will solve the problem but Im not sure exactly what this means. Will it not allow that phone to access my account any more or will it un-attach my account from the phone so that He can use it? Thanks again for all your help, lots of good suggestions
Edit: Im going to try Rydah's method...2 step verify, give pword, authorize from my phone, then change password back
GHII said:
Thanks for all the suggestions! I guess no bypass exists for the latest version of Nougat, I offered to pay shipping both ways so that I can properly wipe the phone, but he doesn't trust I will send it back?..hmmm..
Under devices in my Google Account I can "Remove account access", what will this do, this almost sounds like it will solve the problem but Im not sure exactly what this means. Will it not allow that phone to access my account any more or will it un-attach my account from the phone so that He can use it? Thanks again for all your help, lots of good suggestions
Click to expand...
Click to collapse
I"am not sure what that is, but didnt you have a sec tion that listed attached devices ? I have had that option on my google account and I did physically remove a phone that I was selling. I believe it was like a year ago. If you cant find it maybe you can get support from google such as online support. Honestly I think the option to remove the device is in your account settings when logged in to your google account through a browser such as google chrome or firefox.
Next time, remove any screen lock security on the phone, reboot, then do your factory reset. This will allow anyone to setup the used phone under their credentials.
tyea said:
Next time, remove any screen lock security on the phone, reboot, then do your factory reset. This will allow anyone to setup the used phone under their credentials.
Click to expand...
Click to collapse
That alone will NOT bypass FRP. He has to remove his Google Account under Settings > Accounts before doing a factory reset. After that, I always go back and make sure I can set the phone up while skipping the Google Account login.
Mr. Orange 645 said:
That alone will NOT bypass FRP. He has to remove his Google Account under Settings > Accounts before doing a factory reset. After that, I always go back and make sure I can set the phone up while skipping the Google Account login.
Click to expand...
Click to collapse
^^^^
You would think they would implement a feature that allows you to remove the lock remotely. For example with icloud's find my iPhone you can go to iCloud.com and remove a device if you want to.
Flash-all.bat before you sell the phone and all will be well. Hopefully you do this going forward for anew new sales, lol.
Can't you just remote wipe the phone from the android device manager webpage?
So as the title says, I have a family member who recently passed away over the weekend. The family is trying to access his phone for any pictures and videos of him with everyone. As of right now, we don't have any info about his Google account info. We're afraid to keep trying passwords in case it ends up wiping the data after a certain number of tries. I tried using Dr. Fone but the unlock software doesn't support this phone. Not sure what to do from here but I thought you guys might be able to help. Thanks, guys.
perhaps contact the local police to inquire if they have the capability to unlock the phone? They will probably require that you prove your relationship to the deceased which I don't think anyone on this forum could do. It's not that I don't believe you, but any creeper/theif/etc could say the same thing.
GL and sorry for your loss.
Sorry for your loss. If he had 2 step verification where you can send a text message to his cell phone #, you could do a Sim swap, pop the Sim in a phone that you have access to. Trigger the 2 step verification for forgot password and it might work.
Sent from my Pixel 2 XL using Tapatalk
I'm so sorry for your loss, and Hope you'd recover the content without much of a hassle.
Good Luck!
You can force a factory reset...that will delete apps and texts and any unsaved pics from texts will be deleted....BUT....it will not delete any pics taken by the cam and saved to the phone.
Good luck and sorry for your lost.
Was he logged into Gmail on a computer? Could possibly go to Google Photos and check for backed up photos and videos.
Sent from my Pixel 2 XL using Tapatalk
sorry for your loss, I hope you can recover the photos.
1st: was already mentioned. sim swap
2nd: Try to sign into their google account. If you know their gmail (you should be able to figure this out pretty easily) and know them pretty well you can probably guess their password especially if you can remember an "old" password they've used because people are creatures of habit and reuse the same or variations of the same passwords for years. Or you can do the "forgot password" option
3rd have the legal rep ask google.
Google lets third parties request the content from a deceased user's account, but this must be requested by the deceased person's legal representative. The legal representative must upload a copy of their government-issued ID and a copy of the death certificate. Even then, there's no guarantee the legal representative will gain access.
If this works, the legal representative would be able to access data from the deceased user's Drive, Gmail, Blogger, Google+, Google Photos, YouTube and other services. But again, if the deceased user didn't back up any photos in the first place, getting into the cloud backup won't do any good.
https://support.google.com/accounts/troubleshooter/6357590?hl=en#ts=6357650
4th: okay, this one is a little macabre and you said password but I have 2 methods to get into mine so I figure I'd say it......sigh.............somehow before the funeral 1) find a way to be alone with your relative and see if either of their index fingerprints will work to unlock the phone OR 2) I GUESS you COULD ask the funeral director to unlock their phone using their fingerprints but I'm not sure how agreeable they'd be on that one.. Look, I know it's creepy but if the photos/vids are important then......sigh.....damn it sounds even more eff'd up reading it than it did in my head. Okay, sorry, I'll stop now....
good luck
First of all, I'm sorry for your loss...
I have some inquiries, and then a suggestion...
First, do you know if the former owner had "unlocked" or "rooted" the phone/device? When you turn the device on, is there a warning in the powering up process that "warns" about having an "unlocked bootloader"?
If it is unlocked and/or rooted, there are more/further options that can be done, but only if it is in this "state"...
And as for my suggestion...
You might be aware of how Apple and iPhones/iPads have a sort of "find my iphone" or "find my device" type of connection and protocol on their devices... I've personally used the "Android"/Google version (called Android Device Manager [or ADM for short]) of this to find the last location of my phone and to also ring it. But I have also noticed that they (Google) are constantly evolving it and later added a "lock" option. So, taking it a step further, I checked if there was possibly an "unlock" option; and there is! Again, I personally have never used it and do not know much about it. After some cursory reading, there are certain criteria that has to have been met while the original owner was using the phone; but if, by some amazing circumstance or miracle, things have been set up properly (and you know the deceased google account information/login), there's a good chance you might be able to get the phone unlocked. You can find the information all about this here: https://one.comodo.com/blog/itsm/unlock-your-android-device-using-android-device-manager.php
One additional thought I just thought of while writing this, along the lines of talking to Google and explaining the situation, even if you don't have the google account information/login, you might be able to obtain that information from them if the situation is explained and they have protocols for this type of situation.
Again, I'm sorry for your loss, and I hope this helps. Good luck to you...