Android Keystore Recovery

A tool to recover your lost Android keystore password


Project maintained by rsertelon Hosted on GitHub Pages — Theme by mattgraham

Build Status

Android Keystore Recovery

This project aims to solve the "password forgotten" problem for (Android) developers who happen to manage java keystore(s).

Usage

This bruteforce tool is very simple, yet efficient. It will try all password combinations matching [A-Za-z0-9]+ by default, from the shortest password, up to the solution.

  1. Download the project jar
  2. Launch the bruteforce: java -jar android-keystore-recovery-1.4.0-bundle.jar <keystore> [opts]

Options

These are the available options for AKR:

Generic options

You can use --from and --to to parallelize the brute force on several computers.

Note: If you want to resume a stopped brute force, I suggest that you take the second last tried password that was stored in $HOME/AndroidKeystoreRecovery.log. Indeed, as actor computation is asynchronous, there is no guarantee that every password before the last one were really tried by the software.

 Character set options — since 1.1

Time needed to retrieve password

Bruteforce algorithms are not optimized at all, AKR is faster than other bruteforce tools but it will still try all password possibilities.

In our case, we try all the characters like so: A, B, ..., Z, a, b, ..., z, 0, ..., 9. This is 62 possibilites for one character of the password.

Depending on your hardware, AKR will try more or less passwords per second, this is a sample calculation with my own computer:

- AKR velocity: v = 120 000 passwords/seconds
- Number of combinations for a password of length n: 62^n
- Number of combinations for a 6 characters password: 56 800 235 584
- Time needed to try all these combinations: 56 800 235 584 / v = 5.5 days!
- Time needed for 7 character passwords: 5.5 * 62 = 339 days!

As you can see, brute force with a single computer can take a very long time...

You can use the -f (--from) and -t (--to) options to run AKR on different computers, to parallelize computation and try to shorten the discovery of the password.

Technical Information

This software runs on the Java Virtual Machine (JVM), so you need to have a Java Runtime Environnement (JRE) installed on your computer. If you don't have one, get it at http://java.com.

To benefit from multi-core computers, this software uses the awesome Akka actor library.

Development

Licence

Copyright Romain Sertelon 2013

This software is licenced under the GNU Public Licence v3 (GPLv3), you can find it in the LICENCE file.