EPPB: Now Recovering BlackBerry Device Passwords

September 29th, 2011 by Andrey Belenko

Less than a month ago, we updated our Elcomsoft Phone Password Breaker tool with the ability to recover master passwords for BlackBerry Password Keeper and BlackBerry Wallet. I have blogged about that and promised the “next big thing” for BlackBerry forensics to be coming soon. The day arrived.

Today we are releasing a new version of Phone Password Breaker, this time adding the ability to recover security passwords protecting BlackBerry handsets. Yes, that is the very password used to lock and unlock the device. And yes, no one has done that before (well, at least not publicly).

Media Card Encryption Settings in BlackBerry OS 6

Before you get too excited, there is a catch. The new feature requires Media Card encryption to be switched on and set to either “Security Password” or “Device Password” mode. If this condition is met, EPPB will be able to run password recovery against device security password. What is also important and rather exciting is that you don’t need the BlackBerry device itself. All that is needed is a media card that was used in that device. Actually, we only need one specific file from that media card, so yes, the recovery can be off-loaded and the password can be recovered offline.

So how does this feature work? It’s pretty straightforward: launch Elcomsoft Phone Password Breaker, click Open and specify that you want to recover a BlackBerry security password. After that, you’ll need to navigate to the info.mkf file from the encrypted media card. It is located in BlackBerry/system directory on the media card, and is marked as hidden. Once you open the file (and only if the file comes from the card encrypted using the “Security Password” or “Device Password” option) you will be able to start the recovery as usual. The good news is that recovery rate is amazingly fast by today’s standards: it tries several million passwords per second on a modern multi-core CPU equipped with AES-NI instructions. With Intel i7-970, I am getting 1.8 million passwords per second in wordlist mode, and about 5.9 million passwords per second in bruteforce mode. Compare that to iPhone passcode recovery rate of less than six passcodes per second for iPhone 4, and try to think hard about BlackBerry having better security.

Recovering BlackBerry Device Password in EPPB

Among other changes in this version is preliminary support for iOS 5 backups. As Apple readies its newest and most advanced mobile OS yet, we have updated EPPB to make it compatible with backups produced by the latest beta of iOS 5. All the usual features (password recovery, backup decryption, and Keychain explorer) are available for iOS 5 backups.

Speaking of iOS backup decryption, we added another option demanded by our customers. EPPB can now recover original file names when decrypting a backup. That means you will get a directory structure and meaningful file names, making it easier to explore and analyze backup contents.

I really hope you will enjoy the new features.

Tags: , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

Leave a Reply

54 Comments on "EPPB: Now Recovering BlackBerry Device Passwords"

Notify of
avatar

Masu
Guest
Masu
4 years 10 months ago

You mentioned “Media Card encryption to be switched on and set to either “Security Password” or “Device Password” mode”, however doesnt seem to be true.
Can you clarify the statement made? Perhaps only “Media Card encryption must be switched on and set to “Security Password”. Was the first statement tested positive? Seems to be a lot of confusion.

Sentenza
Guest
Sentenza
4 years 10 months ago

Hi there,
will this feature also work, if the option “Encrypt to User Password” is activated? If yes, I would assume it will recover the user password.
Best Regards

Florian
Guest
Florian
4 years 10 months ago

Hi,

in case the media card is protected by “User Password and Device Key” (or as stated in the scrrenshot “Security Password & Device” would you also break both parts of the encryption keys? AFAIK, the media cards encryption key is either encrypted using only the password (PBKDF2), or only a device-specific key or both. In case the password is not used, the device PIN could not be recovered that way, correct? If both keys are used, can you distinguish which part was PIN and which was the device key? Thanks a lot!

Douglas Gerhardt
Guest
Douglas Gerhardt
4 years 10 months ago

You mentioned “Security Password” OR “Device Password” modes. Would that mean that the “Security Password and Device Password” mode is not affected?

Thanks.

Reddy
Guest
Reddy
4 years 10 months ago

Is it true that alphanumeric “device password” can not be cracked?

Thanks.

George
Guest
George
4 years 10 months ago

I get error message “This media card is encrypted with device key and cannot be opened.” when I try to open .mkf file. What am I doing wrong?

Ricardo
Guest
Ricardo
4 years 6 months ago

How do you know if its switched to “device password” or “security password”?

Also, if its not, how do you switch it on a blackberry curve 9300?

Thanks!

Claire
Guest
Claire
4 years 5 months ago

Once the media card has been loaded and the relevant file extracted do you have to leave the media card in the pc or can you replace it in the phone and leave the program running ?

John
Guest
John
4 years 4 months ago

Hi, Is it simply a matter of connecting the BB (Bold) via USB in order to obtain the info.mkf file? In other words, is the media card mounted as a USB drive using the Mass Storage Protocol?

Or, does one physically need to remove the media card from the phone in order to mount it? Thanks…

John
Guest
John
4 years 4 months ago

Also, do you have any idea as to the default setting on a BB in terms of the Media Card security settings? Is encryption turned ‘on’ by default, and is encryption set to “security password” or “device password” by default?

iwan tanaka
Guest
iwan tanaka
3 years 9 months ago

pls help,
i can’t find “info.mkf ‘ in my media card???
i never backup my device and now i forgot my device password….
what should i do???

beejay
Guest
beejay
3 years 8 months ago

Please how do I recover my password from my stolen blackberry curve 9830. How do I also recover contacts, and files saved on the phone?

clarence
Guest
clarence
3 years 8 months ago

I would like to retreive my black berry Id

Merrick
Guest
Merrick
3 years 8 months ago
Hi, I have a Blackberry 8820. I haven’t used it for months and I finally am getting to migrating the last of my data off. I thought I remembered my PasswordKeeper password but apparently do not. I did not have a media card in the device. I just installed one, turned encryption on, and set encryption to “Security Password.” I then removed the media card, placed in my computer, and navigated to the BlackBerry/system directory (which was hidden) and it is empty. At this point the entire card is empty (five empty folders: music, pictures, ringtones, and videos which are… Read more »
Merrick
Guest
Merrick
3 years 8 months ago

I also tried “Device” encryption as well. Same thing.

Thanks.

Merrick
Guest
Merrick
3 years 8 months ago

Hi. Figurd out another solution. Thanks!

Detective Louis Frank
Guest
Detective Louis Frank
3 years 6 months ago
I need a bit of help with a case I am working on. One of the phones I’m examining is a Blackberry 8530 Curve II. The phone is PW locked and is on a Cricket CDMA network. I’m using Cellebrite UFED with Physical Analyzer and have tried everything but am unable to get into the phone. I contacted Cricket tech support about generating a PUK but they insist the PUK will wipe all user data from the phone. They offered no other options. Will EPPB be able to break the password to allow access this phone? The handset has a… Read more »
javier
Guest
javier
3 years 6 months ago

I am using your trial version but when i enter the info.mkf on the software, appears: Unsopported: container is encrypted. I could see the PIN, date and product type. But no other information. Any solution for this??

Pandero
Guest
Pandero
3 years 2 months ago

I’d like to know if there is a way to determine if a info.mkf is useful to obtain device password prior to buy the professional version.

Marwan
Guest
Marwan
3 years 2 months ago

Hi, I did exactly what you mentioned above by enabling the Encrypt in the media card and choosing device password, your software still not able to find the password. would you please advise?

justin
Guest
justin
2 years 9 months ago

i’d like my blackberryid password reseted please

Vladimir Katalov
Admin
2 years 9 months ago

Justin,

Sorry, it cannot be done with the software. Please use the following link:

https://blackberryid.blackberry.com/bbid/recoverpassword/

qiniso mthunzie
Guest
qiniso mthunzie
2 years 9 months ago

Pls help me I forgot my device password on my 9300 I can even download music pls I need the help

Vladimir Katalov
Admin
2 years 9 months ago

Qiniso,

Have you read the blog post above? The BB device password can be recovered only if specific card encryption settings are set. If that’s the case, just use our product; if not, the only option is to perform the (destructive) “chip-off” method to extract the data from your device.

Hardik
Guest
Hardik
2 years 4 months ago

Error – The Media card is encrypted with a device key and cannot be opened. Please help Plzzz………………………

Vladimir Katalov
Admin
2 years 3 months ago

Hardik,

Sorry, but if the card is encrypted using device key (or password AND key), there is nothing we can do — neither break the password nor decrypt the card. Until you have the complete physical dump of your device (which can be performed using chip-off process).

jonny
Guest
jonny
2 years 29 days ago

If the card is encrypted using device password, but there is no card inserted. Can the data still be recovered by inserting another card?

Vladimir Katalov
Admin
2 years 25 days ago

Jonny,

No. You need the original card (in fact, the single “info.mkf” file from there) to recover the device password.

jonny
Guest
jonny
1 year 11 months ago

I ran a test using your software. enabled card encryption and set to “device password” with no card inserted. put in a new card while locked. it encerypted the new card and created the ïnfo.mkf” file. proceeded to crack the file and recover password succesfully.

Vladimir Katalov
Admin
1 year 11 months ago

Jonny,

Wow, that’s interestingf, thanks! Do you mean that device has encrypted the card without any actions from your side, right when you inserted it?

Wessam Alia
Guest
Wessam Alia
1 year 10 months ago

The software is giving me a message that it can not read info.mkf file. Please help.

Vladimir Katalov
Admin
1 year 10 months ago

Wessam, what is the particular BlackBerry device you got this media card from?

jPeter
Guest
jPeter
1 year 8 months ago

If I have a dump from a Chipoff, do I need to decrypt anything after that? Or is de dump decrypted already? I have the UFED Physical Analyser to view dumps for many phonetypes but have not used it in combination with a chipoff and a blackberry dump..

Vladimir Katalov
Admin
1 year 8 months ago

jPeter,

BlackBerry dump created with chip-off method is not encrypted.

Molon
Guest
Molon
7 months 22 days ago

One more thing about cracking passwordkeeper. I have the program BBSAK and there exists a feature called “DUMP PHONE”. I would LIKE to include a screenshot if possible. WHAT DOES PHONE DUMP MEAN AND CAN IT BE USED TO EXTRACT THE FILE CONTAINING THE KEEPER PASSWORD and view the password?

Vladimir Katalov
Admin
7 months 4 days ago

Molon,

About BBSAK: sorry, we are not familian with that program, please contact the appropriate vendor.

Molon
Guest
Molon
7 months 3 days ago

I’ve reinstalled EPPB 5.14 on my XP 32-bit machine several times without success. I get the splash screen that says “…IS LOADING”, but it never loads. Running Dependency Walker shows two files missing are WER.dll and IESHIMS.dll. Does it matter that my machine is unconnected to the internet? Does the software run only with internet connection? Also I have upgraded browser from IE7 to IE8.

Vladimir Katalov
Admin
7 months 2 days ago

Sorry, but Windows XP is not supported. In theory we can make EPB compatible with XP, but that system itself is not supported by Microsoft itself amymore. It is 15 years old, btw…

Molon
Guest
Molon
7 months 1 day ago

Ok, that’s good to know. I will test the software on Win7 x64 bit machine and let you know the result.

Molon
Guest
Molon
6 months 16 days ago

After I load blackberry folder into EPB from the sdhc in the card reader, it asks to insert the blackberry password. I think I remember the password but if I insert wrong password, will it wipe the data from password keeper if it is final attempt, even though blackberry phone is not hooked up?

Vladimir Katalov
Admin
6 months 14 days ago

Molon,

What is the BleckBerry device model and BB OS version number?

Also, please note that Keep database is stored in the internal device memory, not SD card.

Molon
Guest
Molon
6 months 13 days ago

I am running OS 6.0.3.5.8 on a 9700 bold. I dropped the .ipd back up file into the decrypt folder and it returned the file being unencrypted. When I dump the blackberry folder from the sd card for decryption, it offers to enter the blackberry password. I refused to enter it because I didn’t know the result if it’s wrong.

Vladimir Katalov
Guest
Vladimir Katalov
6 months 13 days ago

Molon,

First, EPB does not modify the original data at all, so you can safely use it.

Second, do you need to break the password to the device itself, or to Keeper data?

Molon
Guest
Molon
6 months 12 days ago

There is no password assigned to device-only keeper has password. So when I try to drop blackberry folder into EPB for decryption, it shows a red x icon. What can I do to make it work?

Vladimir Katalov
Guest
Vladimir Katalov
6 months 12 days ago

Molon,

You should select “Choose source…” | “Password Keeper” on the main EPB screen, then browse for IPD backup file — that should work!

Molon
Guest
Molon
6 months 9 days ago

When I drag the .ipd file into EPB window, it says file is unencrypted. I suppose that means I have to turn back the number of allowed trials in keeper to 1 so that I can continue trying possible passwords. It’s set up for 1-10.

wpDiscuz