The testdisa Method for Intel Nextbooks Running Android 02-23-2018, 04:27 PM
#1
One fateful afternoon after purchasing an Intel Nextbook Ares 10a from a certain multinational corporation currently using a point-of-sales-activation PIN system I was inspired to see what I could do to get past the activation screen despite already having my six digit activation code on my receipt. This was all supposed to be in good fun as a decryption exercise. The end result of my research led me to find, already on the machine, an encrypted hash that matched my receipt PIN exactly.
I started out in my search for a crack by using an OTG (on-the-go) cable to hook a USB keyboard to the Ares 10a. I pressed the Windows key to bring up a Google search bar and Alt to pull up the emoji onscreen keyboard, which allowed me to switch to the standard keyboard layout with a simple tap. I searched the tablet itself for "settings" and entered the tablet's settings from that search. I then activated Developer Options by tapping the build number 7 times.
I went into the dev options menu and turned on USB debugging as well as turning on File Transfer as the USB's initial action upon being plugged in. I plugged the tablet into my computer and went searching around for any files that wouldn't normally be there on any other Android device I've ever purchased. In the system directory I found a file called testdisa.c - DiSa being the company responsible for the point-of-sales lock, I opened it in notepad and found what looked to be a load of gibberish.
Upon further inspection I realized there was a 32-byte character string that repeated itself throughout the file. There was, of course, more gibberish after the 32nd character which was different every iteration, but the first 32 remained the same. So I decided to run the string through the brute force mode in a program called hashcat (very useful for decryption purposes, totally free, look it up, download it, install it, love it.). In a short amount of time I was blessed to have the program crack the hash and show me the exact same six number PIN printed on my purchase receipt.
So basically with very little work and a semi-keen eye I noticed a pattern in what appeared to be a log of PIN entries and failures to input said PIN correctly.
This testdisa.c file is unencrypted and easily opened in any text editor you might have access to. After cracking the 32 byte refrain I was given the correct input and was able to unlock the tablet completely without relying on their PoSA system.
I've tried this method on five different tablets "protected" by DiSa USA's PoSA system and came up with the correct code every single time and was able to crack the tablets in under 5 minutes.
Just to be clear, I contacted the company about this error a fair number of times and was greeted with nothing but a single sarcastic message about the username of the email I was originating from. I have made every attempt to let them know about the problem so that they might fix it using something as simple as encrypting testdisa.c with 7z but to no avail.
I am merely posting this as a topic of interest and in no way support any illegalities pursued using this method of obtaining an activation PIN. This is merely for educational purposes.
The entire reason I decided to try and crack their security was because the company brags an insane amount about how ingenious their point-of-sale activation is and how hard it is to break into. Unless you've done absolutely everything possible to break your own security software you should not brag about how unbreakable it is.
If you follow every step I took in getting passed the lock screen, activating dev mode, and accessing the tablet's file tree you will 100% be able to find a hash containing the activation PIN.
I hope you enjoyed this tour through shitty encryption and how sometimes it isn't good to brag about something you haven't thoroughly tested. I'd feel bad for this multinational corporation if it weren't for the fact that they didn't think about people like me poking around in places they think someone won't find.
Enjoy testing this one out! Remember, if you paid for your tablet you own everything on it including any files left behind by a company's encryption. These files are yours to look at!
Happy trails, folks!
I started out in my search for a crack by using an OTG (on-the-go) cable to hook a USB keyboard to the Ares 10a. I pressed the Windows key to bring up a Google search bar and Alt to pull up the emoji onscreen keyboard, which allowed me to switch to the standard keyboard layout with a simple tap. I searched the tablet itself for "settings" and entered the tablet's settings from that search. I then activated Developer Options by tapping the build number 7 times.
I went into the dev options menu and turned on USB debugging as well as turning on File Transfer as the USB's initial action upon being plugged in. I plugged the tablet into my computer and went searching around for any files that wouldn't normally be there on any other Android device I've ever purchased. In the system directory I found a file called testdisa.c - DiSa being the company responsible for the point-of-sales lock, I opened it in notepad and found what looked to be a load of gibberish.
Upon further inspection I realized there was a 32-byte character string that repeated itself throughout the file. There was, of course, more gibberish after the 32nd character which was different every iteration, but the first 32 remained the same. So I decided to run the string through the brute force mode in a program called hashcat (very useful for decryption purposes, totally free, look it up, download it, install it, love it.). In a short amount of time I was blessed to have the program crack the hash and show me the exact same six number PIN printed on my purchase receipt.
So basically with very little work and a semi-keen eye I noticed a pattern in what appeared to be a log of PIN entries and failures to input said PIN correctly.
This testdisa.c file is unencrypted and easily opened in any text editor you might have access to. After cracking the 32 byte refrain I was given the correct input and was able to unlock the tablet completely without relying on their PoSA system.
I've tried this method on five different tablets "protected" by DiSa USA's PoSA system and came up with the correct code every single time and was able to crack the tablets in under 5 minutes.
Just to be clear, I contacted the company about this error a fair number of times and was greeted with nothing but a single sarcastic message about the username of the email I was originating from. I have made every attempt to let them know about the problem so that they might fix it using something as simple as encrypting testdisa.c with 7z but to no avail.
I am merely posting this as a topic of interest and in no way support any illegalities pursued using this method of obtaining an activation PIN. This is merely for educational purposes.
The entire reason I decided to try and crack their security was because the company brags an insane amount about how ingenious their point-of-sale activation is and how hard it is to break into. Unless you've done absolutely everything possible to break your own security software you should not brag about how unbreakable it is.
If you follow every step I took in getting passed the lock screen, activating dev mode, and accessing the tablet's file tree you will 100% be able to find a hash containing the activation PIN.
I hope you enjoyed this tour through shitty encryption and how sometimes it isn't good to brag about something you haven't thoroughly tested. I'd feel bad for this multinational corporation if it weren't for the fact that they didn't think about people like me poking around in places they think someone won't find.
Enjoy testing this one out! Remember, if you paid for your tablet you own everything on it including any files left behind by a company's encryption. These files are yours to look at!
Happy trails, folks!
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
