The following story is just me being proud of myself, and if you ever get stuck in the same way - might come in handy.
I was playing with my Palm, and since the power button has become kind of stuck, I decided to set the "romantic stroke" (drawing a line from graffiti to screen) to do a power off. Except silly me, I forgot I had a password set. Long story short - my palm is locked. Of course, I don't remember the password.
I read online, looking for "password" and "palm"... Nothing useful. I suddenly remember that my Palm Desktop also allows me to read private records - so it must have my password!
I finally reach http://www.notsofaqs.com/users_dat.php which lets me know that the password is stored in "users.dat " in my Palm Desktop directory. Yay! I can now read the file and find the password. Almost. It's encoded. Hmm... Meanwhile I run across "Win32::Palm::Install::UsersDat" a Perl module for reading users.dat - still no luck. All it can do is display the same encoded password.
Relevant Data from http://www.notsofaqs.com/users_dat.php:
| Field Name | Type | Size | Comments |
|---|---|---|---|
| User Count | Short | 2*Byte | The count of users |
| Class Flag | Short | 2*Byte | 0xFFFF value to indicate a class entry follows |
| Class entry | Class-Entry | CUser class name | |
| User entry | User-Entry | occurs user count number of times |
| Field Name | Type | Size | Comments |
|---|---|---|---|
| Hotsync ID | Long | 4*Byte | Unique hotsync id for this user. Values less than 256 are reserved and indicate a user profile record |
| NLength | Char | 1*Byte | Length of user Long Name |
| Long Name | Char | String | User Long Name of NLength |
| Dlength | Char | 1*Byte | Length of user directory name |
| Dir Name | Char | String | User directory name of DLength |
| Active | Short | 2*Byte | value 0x0001 indicates an active user that has hotsynced with this PC before. |
| PWLength | Short | 2*Byte | Length of user password, if any. |
| Unknown | Short | 2*Byte | Unknown purpose. If you discover its purpose, please let me know. |
| Password | Char | String | A 32 character encoded string that represents the user password. Important: This field is present only if the PWLength is non-zero. |
| Unknown | Short | 2*Byte | Unknown purpose. If you discover its purpose, please let me know. |
| Variable Data Flag | Short | 2*Byte | 0xFFFF value to indicate a class entry follows. If one does, it will be immediately followed by Conduit Entries for the Permanent Sync settings. 0x8001 value to indicate no more data for this user. 0x8003 value to indicate Conduit Entries follow for this users Temporary Sync settings. Note: Any other value is an unknown value, you should continue to read shorts from the record until you encounter one of the above values or EOF to indicate the end of record for this user. |
| Variable-Data | Variable-Data | See Variable Data Flag field for an explanation. |
More reading. More dead ends. Finally I get to http://www.lusars.net/maillists/coldsync-hackers/msg01117.html which tells me that the password field on the Desktop is just an MD5 hash of my actual password. Which is totally awsome! I mean, my password couldn't be more than 10 characters (since I know me - I'm too lazy.) - so I'll just generate the 26^10 passwords, hash them, and run the remaining ones thru a dictionary.
I was about to do that when I got to http://gdataonline.com/seekhash.php -- given an MD5 hash, it'll display some dictionary-words that match it.
Bottom line: it worked! I got my password back. But I guess it was too easy - the password was "grep"... But since I never use that as a password, I guess I'm lucky I found it... :-)
Last updated on 2007-01-29 14:00:00 -0700, by Shalom CraimerBack to Tech Journal