iphone-dataprotection

Decrypting keychain (iOS 11)

Open kristian opened this issue 8 years ago • 9 comments

Just decrypted an (encrypted) iOS11 backup using backup_tool without a problem. Unfortunately decrypting the keychain afterwards using keychain_tool failed. The following error is shown on console:

Cannot decrypt backup keybag. Wrong password ?

I checked the Manifest.plist file and the "password" denoted in the file matches my backup password. Any idea why this happens? I don't own the key835 for my device and so far I haven't gotten any idea how I should get it. Would the key835 be required to decrypt an encrypted keychain from a backup file?

Thanks & regards, Kristian

kristian avatar Jul 28 '17 23:07 kristian

Have you used this utility before? I essentially did the same thing as you and ran into the same problem. I was decrypting an (encrypted) iOS 10 backup. I used the command:

python keychain_tool.py -d "/Users/dev/Desktop/extracted/KeychainDomain/keychain-backup.plist" "/Users/dev/Desktop/extracted/Manifest.plist"

However, the response to that command is:

If you have key835 for device _______ enter it (in hex)

My understanding was that the key835 wasn't required for decrypting (encrypted) backups. Did I misunderstand something?

AppleTechy avatar Aug 07 '17 02:08 AppleTechy

I'm having the same issue, already tried to hex my iTunes password with no luck.

pedropapa avatar Aug 17 '17 18:08 pedropapa

Same issue here.

kennym avatar Nov 29 '17 18:11 kennym

Anyone found a work around yet? Would be much appreciated!

Sent with GitHawk

AppleTechy avatar Dec 04 '17 02:12 AppleTechy

Same here.. trying to find some but nothing yet.. =/

guikeese avatar Jan 11 '18 19:01 guikeese

It looks like you'd have to jailbreak your iPhone and get the 0x835 key for YOUR device. http://www.securitylearn.net/2012/04/22/extracting-aes-keys-from-iphone/

mohrt avatar Jan 19 '18 15:01 mohrt

Key835 is required to unwrap the following security keys: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, kSecAttrAccessibleAlwaysThisDeviceOnly, kSecAttrAccessibleWhenUnlockedThisDeviceOnly

So any material in the keychain that is encrypted using those keys will not be decrypted.

Commodore1024 avatar Jun 06 '18 22:06 Commodore1024
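
The point made in the comment above, as an added example that is not part of the thread or of the iphone-dataprotection code: it walks the class key entries of a keybag and reports which ones carry the device-key wrap flag and therefore cannot be unwrapped with the backup password alone. The TLV layout (4-byte tag, 4-byte big-endian length), the WRAP bit value, the class numbers and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Assumptions (not stated in this thread): WRAP bit values and class numbers.
WRAP_DEVICE = 1  # class key wrapped with the device key (key835); bit 2 = password key
CLASS_NAMES = {
    6: "kSecAttrAccessibleWhenUnlocked",
    7: "kSecAttrAccessibleAfterFirstUnlock",
    8: "kSecAttrAccessibleAlways",
    9: "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    10: "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    11: "kSecAttrAccessibleAlwaysThisDeviceOnly",
}

def tlv_blocks(blob):
    """Yield (tag, value) from an assumed 4-byte tag + 4-byte big-endian length stream."""
    i = 0
    while i < len(blob):
        if i + 8 > len(blob):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag = blob[i:i + 4].decode("ascii", "replace")
        (length,) = struct.unpack(">L", blob[i + 4:i + 8])
        if i + 8 + length > len(blob):
            raise ValueError("truncated TLV value for %s at offset %d" % (tag, i))
        yield tag, blob[i + 8:i + 8 + length]
        i += 8 + length

def class_key_requirements(blob):
    """Return {class id: (name, needs_key835)} for every class key entry."""
    out, current = {}, None
    for tag, value in tlv_blocks(blob):
        if tag == "CLAS":
            current = struct.unpack(">L", value)[0]
            out[current] = (CLASS_NAMES.get(current, "class %d" % current), False)
        elif tag == "WRAP" and current in out:  # header-level WRAP is skipped
            wrap = struct.unpack(">L", value)[0]
            out[current] = (out[current][0], bool(wrap & WRAP_DEVICE))
    return out

def _tlv(tag, value):
    return tag.encode("ascii") + struct.pack(">L", len(value)) + value

def _entry(clas, wrap):  # constructed class key entry with a dummy wrapped key
    u32 = lambda n: struct.pack(">L", n)
    return (_tlv("UUID", bytes(16)) + _tlv("CLAS", u32(clas))
            + _tlv("WRAP", u32(wrap)) + _tlv("WPKY", bytes(40)))

# Constructed sample keybag, not taken from a real backup.
SAMPLE = _tlv("VERS", struct.pack(">L", 3)) + b"".join(
    _entry(c, w) for c, w in [(6, 2), (7, 2), (10, 3), (11, 3)])
```

Calling `class_key_requirements(SAMPLE)` marks classes 10 and 11 as needing key835 and classes 6 and 7 as recoverable with the password-derived key only.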

Help,

I have a backup that was partially corrupted. I have the password; however, the Manifest.DB file is not encrypted.

How can I extract the data that is encrypted?

AdolfoPD avatar Jul 14 '18 17:07 AdolfoPD

Wondering if the resident experts know how iOS12 changes things.

Does the ManifestKey/BackupKeybag change completely with each incremental differential backup? I tested this a few times and sometimes it doesn't change at all and sometimes some of the contents of the Keybag change, but it's not clear to me how and when.

Once Manifest.DB is decrypted, does each encrypted file have its own unique key that needs to be generated from Manifest.DB's Files table?

Finally, when entries are removed from the Files table, are they removed completely from the SQLite database or is it just hidden by a delete flag?

I am trying to decrypt encrypted files from one backup ago where a newer Manifest.DB/.plist has overwritten the old ones.

Thanks

lgrimani avatar Feb 21 '19 07:02 lgrimani