Note: work in progress! Trying to figure out the key and salt to encrypt passwords.

With the release of LunaSysMgr into webOS CE, I got a chance to see how the screen lock system really works. With that I have the answer to a question that I have been thinking about since I wrote the guide on how to disable the lock screen through SSH: How would you disable the lock screen if Developer Mode isn't on? A bit of digging through the source revealed the answer, and now I present you with a guide on how to disable the lock screen if you've accidentally locked yourself out and don't have Developer Mode enabled.

If you do have Developer Mode enabled, please use this guide instead to unlock. It's much easier.

Warning: You will be dealing with raw partitions on your TP. Be careful of what you're doing and follow the instructions exactly.

  1. You will need webOS Doctor and WOSQI. Be sure to download webOS Doctor as the .jar file (look here if you're having troubles). After downloading both, open WOSQI to install the Novacom drivers.
  2. Put your TP in USB Update Mode. Shut down the TP, then hold the Power button and Volume Up rocker until the USB symbol appears on the TP's screen.
  3. You will now need to extract the boot image from webOS Doctor. Open the downloaded .jar in an archiver (such as 7-Zip), navigate to the "resources" folder, and extract "webOS.tar". Open that up, and extract "./nova-installer-image-topaz.uImage" to somewhere you will remember.
  4. Boot the TP by memboot. Open up a command prompt, "cd" to the directory you extracted the boot image to, and type
    novacom boot mem:// < nova-installer-image-topaz.uImage
    (See here for information on memboot.) After you hit enter, novacom will block and upload the image on to the TP. Wait until the HP logo is displayed on the TP's screen and novacom returns. (The logo will not be glowing.)
  5. Open webOS Quick Install and open up a device command line. Click on the "Tools" menu, and select "Linux Commandline".
  6. Mount /var. Type
    mount /dev/mapper/store-var /var
  7. Type
    cd /var/luna/data
  8. Rename the passcode file. We'll need it later. Type in
    mv .passcode passcode.bak
  9. Important! Unmount the file system. Type in
    cd / && sync && umount /var
  10. Reboot. Type
  11. Enable Developer Mode. After the TP reboots, go to the Device Info app, open the menu, and tap "Custom Application...", and type "##devmode#" in the box. Move the slider to the ON position.
  12. Remove password from Key Manager. Open up the command line again, and open up the passcode file. Type:
    cat /var/luna/data/passcode.bak
    You will see something like
    { "pin": "crypted pin" }
    { "password": "crypted password" }
    Record the encrypted pin/password somewhere.
  13. Decrypt the password. I'm still trying to figure this out, but it uses Blowfish. (CE has password encryption/decryption code stripped, along with the encryption keys and salt and whatnot. Note you may have problems with Key Manager if you decide to install the CE LunaSysMgr on your TP.)
  14. Change Key Manager password. Type
    luna-send -f -n 1 palm://com.palm.keymanager/changePassword '{"oldPassword":"old password here", "newPassword":""}'
    Replace "old password here" with the old password.
  15. Reboot. Type

And you're done. There should no longer be a passcode required and all of your accounts should still sign themselves in. If your accounts require you to reenter all the passwords, keep Developer Mode on, rename "passcode.bak" back to ".passcode" (follow steps 7 and 8, reversing the two arguments in step 8), and follow the instructions in the thread linked above for TPs with Developer Mode enabled.

Screenshots to come soon, once I figure out what the Blowfish key and salt is.