iphone-dataprotection icon indicating copy to clipboard operation
iphone-dataprotection copied to clipboard
verified publisher icon dinosec

Where is the instructions on how to use this?

Open AppleTechy opened this issue 8 years ago • 7 comments

I am looking for a list of needed (updated) dependencies and eligible commands.

AppleTechy avatar Aug 05 '17 16:08 AppleTechy

Well, I found this guide Here. It gave a pretty good explaination on how to use the software, even though the guide is most definitely outdated. Though I am now stuck on using the keychain tool to decrypt everything due to the fact that it keeps asking me for Key 0x835, which I don't have access, nor did I think it was required for itunes encrypted backups..

AppleTechy avatar Aug 07 '17 05:08 AppleTechy

If it asks for Key0x835 just press enter and wait. If everything else is correct, it will eventually spit out the decrypted keychain.

TheDauntless avatar Sep 18 '17 12:09 TheDauntless

@TheDauntless Below is the outputted terminal text, and I am absolutely positive I used the correct password to decrypt the itunes backp. Is it an issue when using the backup_tool that the IMEI number, iTunes version and serial number show up as missing? I mean its able to successfully extract it, I believe.

Mac:python_scripts dev$ python keychain_tool.py -d 

"/Users/dev/Desktop/extracted/KeychainDomain/keychain-backup.plist" 

"/Users/dev/Desktop/extracted/Manifest.plist"

If you have key835 for device 37 enter it (in hex)

Cannot decrypt backup keybag. Wrong password ?

AppleTechy avatar Sep 21 '17 20:09 AppleTechy

Are you doing this on a 10.3.x archive? Because I'm having the same issue for 10.3; it looks as if Apple also made a modification to the keychain decryption algorithm.

The tool works fine for 10.1 and lower for me.

TheDauntless avatar Oct 01 '17 14:10 TheDauntless

10.3 + I believe doesn't work

Mradr avatar Oct 13 '17 21:10 Mradr

I have partially succeeded with 10.3 keychain by forcing the third parameter of createWithBackupManifest to True:

--- keychain_tool.py    2018-03-08 11:46:16.545684810 +0100
+++ keychain_tool.py.orig 2018-03-07 20:54:43.305195582 +0100
@@ -19,8 +19,6 @@
                   help="Extract certificates and keys")
     parser.add_option("-o", "--old", dest="oldpass", action="store_true", default=False,
                   help="Bruteforce old passcodes")
-    parser.add_option("-n", "--newer", dest="forceios102", action="store_true", default=False,
-                  help="Force iOS 10.2+ keybag format")
     
     (options, args) = parser.parse_args()
     if len(args) < 2:
@@ -43,10 +41,7 @@
                 deviceKey = d.decode("hex")
                 plistlib.writePlist(p, args[1])
         
-        if options.forceios102:
-            kb = Keybag.createWithBackupManifest(p, p.get("password",""), deviceKey, True)
-        else:
-            kb = Keybag.createWithBackupManifest(p, p.get("password",""), deviceKey)
+        kb = Keybag.createWithBackupManifest(p, p.get("password",""), deviceKey)
         if not kb:
             return
         k = Keychain4(args[0], kb)

After that the script keychain_tool.py outputs some data from keychain, but not all, especially not passwords :-(

pbdname avatar Mar 08 '18 13:03 pbdname

@pbdname See #21. Also, there is no need to force the third argument to True. That flag is set to True if ManifestKey exists. Without the ManifestKey, you wont be able to decrypt anything for 10.2+.

Commodore1024 avatar Jun 06 '18 22:06 Commodore1024