EPPB: Now Recovering BlackBerry Device Passwords

September 29th, 2011 by Andrey Belenko

Less than a month ago, we updated our Elcomsoft Phone Password Breaker tool with the ability to recover master passwords for BlackBerry Password Keeper and BlackBerry Wallet. I have blogged about that and promised the “next big thing” for BlackBerry forensics to be coming soon. The day has arrived.

Today we are releasing a new version of Phone Password Breaker, this time adding the ability to recover security passwords protecting BlackBerry handsets. Yes, that is the very password used to lock and unlock the device. And yes, no one has done that before (well, at least not publicly).

Media Card Encryption Settings in BlackBerry OS 6

Before you get too excited, there is a catch. The new feature requires Media Card encryption to be switched on and set to either “Security Password” or “Device Password” mode. If this condition is met, EPPB will be able to run password recovery against the device security password. What is also important and rather exciting is that you don’t need the BlackBerry device itself. All that is needed is a media card that was used in that device. Actually, we only need one specific file from that media card, so yes, the recovery can be off-loaded and the password can be recovered offline.

So how does this feature work? It’s pretty straightforward: launch Elcomsoft Phone Password Breaker, click Open and specify that you want to recover a BlackBerry security password. After that, you’ll need to navigate to the info.mkf file from the encrypted media card. It is located in the BlackBerry/system directory on the media card, and is marked as hidden. Once you open the file (and only if the file comes from a card encrypted using the “Security Password” or “Device Password” option) you will be able to start the recovery as usual. The good news is that the recovery rate is amazingly fast by today’s standards: it tries several million passwords per second on a modern multi-core CPU equipped with AES-NI instructions. With an Intel i7-970, I am getting 1.8 million passwords per second in wordlist mode, and about 5.9 million passwords per second in brute-force mode. Compare that to the iPhone passcode recovery rate of less than six passcodes per second for iPhone 4, and try to think hard about BlackBerry having better security.
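The following is an added example, not code from the original post or from EPPB. It models why a card in “Security Password” mode can be tested against candidate passwords offline, while the “password and device key” mode (described in the author's replies in the comments as XORing the PBKDF2 password key with a device key) cannot be tested without that key. The hash (SHA-256), iteration count, salt size, check value and all function names are assumptions; the page does not describe the real info.mkf layout.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumed value; the page does not give the real count
KEY_LEN = 32       # assumed key length in bytes


def password_key(password: str, salt: bytes) -> bytes:
    """Password-derived key. PBKDF2 is named on the page; SHA-256 is assumed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


def card_key(mode: str, password: str, salt: bytes, device_key: bytes) -> bytes:
    """Media card key for the two password-based modes."""
    pk = password_key(password, salt)
    if mode == "password":
        return pk
    if mode == "password+device":
        return bytes(a ^ b for a, b in zip(pk, device_key))
    raise ValueError(f"unknown mode: {mode}")


def check_value(key: bytes) -> bytes:
    """Constructed stand-in for whatever lets software confirm a key is right."""
    return hmac.new(key, b"media-card-check", hashlib.sha256).digest()


def make_card(mode: str, password: str, device_key: bytes) -> dict:
    """What the model card stores: mode, salt and check value. No key, no password."""
    salt = os.urandom(16)
    return {"mode": mode, "salt": salt,
            "check": check_value(card_key(mode, password, salt, device_key))}


def guess_matches(card: dict, guess: str, device_key: bytes = bytes(KEY_LEN)) -> bool:
    """Test one candidate password using the card plus an optional device key."""
    key = card_key(card["mode"], guess, card["salt"], device_key)
    return hmac.compare_digest(check_value(key), card["check"])


if __name__ == "__main__":
    dev = os.urandom(KEY_LEN)  # constructed sample; lives only in the handset
    for mode in ("password", "password+device"):
        card = make_card(mode, "s3cret", dev)
        print(mode, "card only:", guess_matches(card, "s3cret"),
              "| with device key:", guess_matches(card, "s3cret", dev))
```

In the password-only mode the card alone confirms the right password; in the combined mode even the correct password fails the check unless the device key is supplied as well.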

Recovering BlackBerry Device Password in EPPB

Among other changes in this version is preliminary support for iOS 5 backups. As Apple readies its newest and most advanced mobile OS yet, we have updated EPPB to make it compatible with backups produced by the latest beta of iOS 5. All the usual features (password recovery, backup decryption, and Keychain explorer) are available for iOS 5 backups.

Speaking of iOS backup decryption, we added another option demanded by our customers. EPPB can now recover original file names when decrypting a backup. That means you will get a directory structure and meaningful file names, making it easier to explore and analyze backup contents.

I really hope you will enjoy the new features.



38 Responses to “EPPB: Now Recovering BlackBerry Device Passwords”

  1. Masu says:

    You mentioned “Media Card encryption to be switched on and set to either “Security Password” or “Device Password” mode”, however, that doesn't seem to be true.
    Can you clarify the statement made? Perhaps only “Media Card encryption must be switched on and set to “Security Password””. Was the first statement tested positive? There seems to be a lot of confusion.

  2. Media card encryption must be switched on and set to “Security Password”, or media card encryption must be switched on and set to “Device Password”. This is the same option really, it just got different names in different versions of the BlackBerry OS. Hope this resolves your concerns.

  3. Sentenza says:

    Hi there,
    will this feature also work, if the option “Encrypt to User Password” is activated? If yes, I would assume it will recover the user password.
    Best Regards

  4. Florian says:

    Hi,

    in case the media card is protected by “User Password and Device Key” (or as stated in the screenshot “Security Password & Device”) would you also break both parts of the encryption keys? AFAIK, the media card's encryption key is either encrypted using only the password (PBKDF2), or only a device-specific key or both. In case the password is not used, the device PIN could not be recovered that way, correct? If both keys are used, can you distinguish which part was PIN and which was the device key? Thanks a lot!

  5. Douglas Gerhardt says:

    You mentioned “Security Password” OR “Device Password” modes. Would that mean that the “Security Password and Device Password” mode is not affected?

    Thanks.

  6. Hi,

    There is no such option. There is “Security password and device key” or “Device password and device key“. In case of those methods EPPB will not be able to recover the password yet.

  7. Hi,

    If “Security password and device key” option is selected then media card encryption key is computed by XORing password-derived key (PBKDF2) and device key. Currently we can not separate and recover them. However, if one manages to get device key (i.e. by reading flash memory directly) it will be possible to run password recovery against media card encrypted with this option.

  8. Hi,

    I am not sure what option you are referring to. In the OS versions we’ve seen, the option is called either “Device password” or “Security password”. But assuming from the context, if “Encrypt to User Password” relates to media card encryption then yes, EPPB should be able to recover those passwords, too. Please note that this is just a guess since it’s not quite clear where you’ve seen that option.

  9. Reddy says:

    Is it true that alphanumeric “device password” can not be cracked?

    Thanks.

  10. No, it is not true. Alphanumeric passwords can be recovered. It may take longer, though, because search space is larger.

  11. George says:

    I get error message “This media card is encrypted with device key and cannot be opened.” when I try to open .mkf file. What am I doing wrong?

  12. The file (info.mkf) you are trying to open is from a media card that is encrypted with either the “Device Key” or the “Device Password & Device Key” option. EPPB can only recover the password if the media card is encrypted with the “Device Password” option.

  13. Ricardo says:

    How do you know if it's switched to “device password” or “security password”?

    Also, if it's not, how do you switch it on a BlackBerry Curve 9300?

    Thanks!

  14. Claire says:

    Once the media card has been loaded and the relevant file extracted do you have to leave the media card in the pc or can you replace it in the phone and leave the program running ?

  15. You only need to copy one file from the media card to the PC; after that you can replace it in the phone.

  16. John says:

    Hi, Is it simply a matter of connecting the BB (Bold) via USB in order to obtain the info.mkf file? In other words, is the media card mounted as a USB drive using the Mass Storage Protocol?

    Or, does one physically need to remove the media card from the phone in order to mount it? Thanks…

  17. John says:

    Also, do you have any idea as to the default setting on a BB in terms of the Media Card security settings? Is encryption turned ‘on’ by default, and is encryption set to “security password” or “device password” by default?

  18. You need to physically remove the media card from the phone and read the info.mkf file from it using any compatible card reader.

    I don’t know what the default setting is; in many cases this setting is controlled and set by corporate policy.

  19. iwan tanaka says:

    Pls help,
    I can’t find “info.mkf” in my media card???
    I never backed up my device and now I forgot my device password….
    What should I do???

  20. beejay says:

    Please how do I recover my password from my stolen blackberry curve 9830. How do I also recover contacts, and files saved on the phone?

  21. clarence says:

    I would like to retrieve my BlackBerry ID

  22. Merrick says:

    Hi,

    I have a Blackberry 8820. I haven’t used it for months and I finally am getting to migrating the last of my data off. I thought I remembered my PasswordKeeper password but apparently do not. I did not have a media card in the device. I just installed one, turned encryption on, and set encryption to “Security Password.” I then removed the media card, placed in my computer, and navigated to the BlackBerry/system directory (which was hidden) and it is empty. At this point the entire card is empty (five empty folders: music, pictures, ringtones, and videos which are not hidden and system which is). What do I need to do to get the Blackberry to write the info.mkf file? If I can confirm I have that file I’d like to purchase your software and recover my PasswordKeeper password.

    Thanks.

  23. Merrick says:

    I also tried “Device” encryption as well. Same thing.

    Thanks.

  24. Merrick says:

    Hi. Figured out another solution. Thanks!

  25. Detective Louis Frank says:

    I need a bit of help with a case I am working on. One of the phones I’m examining is a Blackberry 8530 Curve II. The phone is PW locked and is on a Cricket CDMA network. I’m using Cellebrite UFED with Physical Analyzer and have tried everything but am unable to get into the phone. I contacted Cricket tech support about generating a PUK but they insist the PUK will wipe all user data from the phone. They offered no other options. Will EPPB be able to break the password to allow access to this phone? The handset has a 2GB uSD card installed for storage – it did not appear encrypted.

  26. javier says:

    I am using your trial version but when I enter the info.mkf in the software, this appears: Unsopported: container is encrypted. I could see the PIN, date and product type. But no other information. Any solution for this??

  27. Pandero says:

    I’d like to know if there is a way to determine if an info.mkf is useful to obtain the device password prior to buying the professional version.

  28. Marwan says:

    Hi, I did exactly what you mentioned above by enabling the Encrypt in the media card and choosing device password, but your software is still not able to find the password. Would you please advise?

  29. justin says:

    I’d like my BlackBerry ID password reset please

  30. Justin,

    Sorry, it cannot be done with the software. Please use the following link:

    https://blackberryid.blackberry.com/bbid/recoverpassword/

  31. qiniso mthunzie says:

    Pls help me I forgot my device password on my 9300 I can even download music pls I need the help

  32. Qiniso,

    Have you read the blog post above? The BB device password can be recovered only if specific card encryption settings are set. If that’s the case, just use our product; if not, the only option is to perform the (destructive) “chip-off” method to extract the data from your device.

  33. Hardik says:

    Error – The Media card is encrypted with a device key and cannot be opened. Please help Plzzz………………………

  34. Hardik,

    Sorry, but if the card is encrypted using device key (or password AND key), there is nothing we can do — neither break the password nor decrypt the card, until you have the complete physical dump of your device (which can be performed using the chip-off process).

  35. jonny says:

    If the card is encrypted using device password, but there is no card inserted. Can the data still be recovered by inserting another card?

  36. Jonny,

    No. You need the original card (in fact, the single “info.mkf” file from there) to recover the device password.

  37. jonny says:

    I ran a test using your software. Enabled card encryption and set to “device password” with no card inserted. Put in a new card while locked. It encrypted the new card and created the “info.mkf” file. Proceeded to crack the file and recovered the password successfully.

  38. Jonny,

    Wow, that’s interesting, thanks! Do you mean that the device has encrypted the card without any actions from your side, right when you inserted it?
