Purpose of this project is to demonstrate the use of the Android Open Accessory Protocol (AOA) to mimic key presses on an Android device. The script goes and try to type each PIN in the Android device in the list of pins located here

The only requirements to use this project, are the following:

• Android device with the accessory mode capability
• USB Cable
• Linux OS with Go 1.22.0 installed

If you are running this project for the first time on Linux, then you should install libusb as well, if you have not already. You can install it as follows:

$ make install-libusb

or, alternatively:

# apt-get install libusb-1.0-0-dev

To run the script, first build the project if you haven't yet:

$ make build

Then run it with sudo privileges:

$ make run

I have used a Sony Xperia Z1 Compact as the Android phone, which I am still trying to bruteforce the PIN.

This script registers itself as an accessory with the Android phone, which allows me to interact with HID Events over USB. The Android OAO Protocol only sets up the initial part of registering the script as an accessory. This setup includes a HID report descriptor, which is sent to the Android phone to configure it. What this report descriptor does is it configures a mouse pointer and a stylus on the Android phone. For my case it made it easier for me to have both of them as the mouse pointer allowed me to use absolute values to position the pointer and then convert it to the stylus to emulate a touch to press any of the 10 digits (0-9)

For each HID event sent to the Android phone you need to send 5 bytes (depends on the report descriptor) Format for each action performed on the phone is described below:

There are a few problems with this script. Not due to bugs, I think, but due to the protocol being asynchronous. There is no feedback or error handling that can be implemented when send a HID event.

Through testing the script I have found that when sending the HID event, it does not always mean the action (described above) is executed 100% reliably everytime.

This means that you will need to 'babysit' the phone to see if every PIN combination is entered correctly.

It will vary between devices due to the backoff period between many PIN entries. On my Sony you have to wait for 30 seconds after you have entered 5 PINs.

For the Sony it takes on average about 8 seconds to enter 5 pins. Then 30 second of backoff time to wait before you can enter another 5 pins.

• Thanks to Tryanks for posting this repository
• Thanks to urbanadventurer for posting a list of optimized PIN combinations

• USB Descriptor and Request Parser
• HID Report descriptor converter
• HID Report descriptor parser

• USB in a nutshell
• HID Usage Table
• https://wiki.osdev.org/USB_Human_Interface_Devices
• AOA HID Bug
• https://events.static.linuxfound.org/images/stories/slides/abs2013_bisson.pdf
• https://github.com/torvalds/linux/blob/master/samples/uhid/uhid-example.c

• http://ak.aos.sk/images/repozitar/sam/sam_1_2022/sam_1_2022_4.pdf
• https://arxiv.org/pdf/2003.04868.pdf