Some time ago, I got a device that was locked with a password. As I needed to access the device using ActiveSync, I did some research and found the registry values responsible for the device password:
HKLM\Security\SIM\6fb7
HKCU\ControlPanel\Owner\PowrPass
So I wrote a small application which resets the device password.
You can use the code in your application to remove the password protection of your device.
But how can you start the app if you cannot unlock the device? If your device supports a memory card, you can use the OS feature that starts an app called AutoRun.exe from a special directory on the memory card. The special directory for ARM processor based devices is 2577. If you place PassReset.exe as AutoRun.exe in \2577 on the memory card, insert the card into the device and reboot, the OS will automatically start the app. So you can start PassReset without having access to File Explorer, etc. (This only works where the device's security configuration allows AutoRun from the memory card and lets the app write to these registry keys.)
#include "stdafx.h"
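/**
 * Clears the two registry values this page identifies as holding the device
 * lock password:
 *   - HKLM\Security\SIM\6fb7 is overwritten with zero-length REG_BINARY data
 *   - HKCU\ControlPanel\Owner\PowrPass is overwritten with a single 0x00 byte
 *
 * NOTE(review): the lock can be cleared by two plain registry writes, so it
 * only protects the device while untrusted code cannot run with write access
 * to these keys. Whether that holds depends on the device's security
 * configuration (application signing, storage-card AutoRun) -- confirm per
 * device when assessing how much the password lock is worth.
 *
 * @return  0 on success
 *         -1 if Security\SIM could not be opened
 *         -2 if writing 6fb7 failed
 *         -3 if ControlPanel\Owner could not be opened
 *         -4 if writing PowrPass failed
 */
int resetPassworkLock(){
    HKEY hKey;
    HRESULT hRes;
    // One zero byte on the stack is all that is written to PowrPass; no heap
    // buffer is needed, so there is nothing to leak.
    byte emptyPass = 0x00;

    hRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"Security\\SIM", 0, 0, &hKey);
    if(hRes != ERROR_SUCCESS)
        return -1;

    // Zero-length binary value: NULL data pointer with a byte count of 0.
    hRes = RegSetValueEx(hKey, L"6fb7", 0, REG_BINARY, NULL, 0);
    // Close exactly once, whether or not the write succeeded, before hKey is
    // reused for the second key.
    RegCloseKey(hKey);
    if(hRes != ERROR_SUCCESS)
        return -2;

    hRes = RegOpenKeyEx(HKEY_CURRENT_USER, L"ControlPanel\\Owner", 0, 0, &hKey);
    if(hRes != ERROR_SUCCESS)
        return -3;  // hKey holds no open handle here, so nothing to close

    hRes = RegSetValueEx(hKey, L"PowrPass", 0, REG_BINARY, &emptyPass, 1);
    RegCloseKey(hKey);
    if(hRes != ERROR_SUCCESS)
        return -4;

    return 0;
}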
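/**
 * Program entry point: runs resetPassworkLock() once, shows the outcome in a
 * message box titled "PassReset", and returns the same code as the process
 * exit value (0 on success, -1..-4 on failure).
 *
 * The command-line and show-state arguments are not used.
 */
int WINAPI WinMain( HINSTANCE hInstance,
                    HINSTANCE hPrevInstance,
                    LPTSTR lpCmdLine,
                    int nCmdShow)
{
    // Messages indexed by the negated return code of resetPassworkLock().
    // A static table of literals replaces the per-entry `new TCHAR[] = ...`
    // assignments, which are not valid C++.
    static const TCHAR *errStr[] = {
        L"No error",
        L"error in openKey for Security/SIM",
        L"error in setValue for 6fb7",
        L"error in OpenKey for ControlPanel/Owner",
        L"error in setValue for PowrPass"
    };
    const int errCount = sizeof(errStr) / sizeof(errStr[0]);

    int iRet = resetPassworkLock();

    // Bounds-check the index so an unexpected return code cannot read past
    // the end of the table.
    int idx = -iRet;
    const TCHAR *msg = (idx >= 0 && idx < errCount) ? errStr[idx]
                                                    : L"unknown error";

    MessageBox(GetDesktopWindow(), msg, L"PassReset", MB_OK);
    return iRet;
}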