unable to identify Apple Notes hash
After updating to iOS 17.5.1, Notes cannot be unlocked using FaceID, and the previously correct password is no longer valid. I used DB Browser to view the notestore.sqlite file and extracted the following data. The first entry was created after I updated the system, and the password is 000000.
| Z_PK | ZCRYPTOITERATIONCOUNT | ZCRYPTOSALT | ZCRYPTOWRAPPEDKEY | ZCRYPTOINITIALIZATIONVECTOR | ZCRYPTOVERIFIER | ZCRYPTOTAG |
|---|---|---|---|---|---|---|
| 2 | 20000 | ba22f9cac03eab04ecec940f52c4d32e | NULL | NULL | 510550b86555bd460c61e9bfe8de1adb7dd9d0acaa69eeeb | NULL |
| 278 | 0 | 55789bfd2e0622993734917aa123db0b | 1abe731602eb79a2c58dbe14652e9dfd | d6ffe178d2d102b33b7e798f7ed7db4c | NULL | b09d5a47de763b3fddfc2dc6e4440c21 |
| 281 | 0 | 6ed2d9331a174b6e6b980bc0983356b0 | 146caeb4e8db685ac91e3b0804f70ea4 | ac803a1af9a5e54bf052c8c090a2a5ac | NULL | e99d6f25c012d2ab5e04bd1bf2420674 |
I checked the applenotes2john.py script and found that ZCRYPTOWRAPPEDKEY and ZCRYPTOVERIFIER can be used interchangeably. However, the ZCRYPTOVERIFIER field is empty for the latter two entries, and the ZCRYPTOWRAPPEDKEY is 16 bytes long instead of 24 bytes.
I attempted to use `$ASN$*281*0*6ed2d9331a174b6e6b980bc0983356b0*146caeb4e8db685ac91e3b0804f70ea4` as the hash, but it cannot be recognized.
Can anyone help me with this? Many thanks.
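The field mismatch described in the post above can be checked per row before a `$ASN$` line is built. This is an added example, not code from the post or from the John the Ripper project; the expected sizes (non-zero iteration count, 16-byte salt, 24-byte key blob) are assumptions taken from the post's own observations, and `triage` is a hypothetical helper name.

```python
# Added example: sanity-check Apple Notes crypto rows before building a $ASN$ line.
# Assumption taken from the post, not from John's source: a usable row has a
# non-zero iteration count, a 16-byte salt and a 24-byte wrapped key or verifier.
SALT_LEN, BLOB_LEN = 16, 24

# (Z_PK, iterations, salt, wrapped key, IV, verifier, tag); NULL becomes None.
# Values copied from the table in the post.
ROWS = [
    (2, 20000, "ba22f9cac03eab04ecec940f52c4d32e", None, None,
     "510550b86555bd460c61e9bfe8de1adb7dd9d0acaa69eeeb", None),
    (278, 0, "55789bfd2e0622993734917aa123db0b", "1abe731602eb79a2c58dbe14652e9dfd",
     "d6ffe178d2d102b33b7e798f7ed7db4c", None, "b09d5a47de763b3fddfc2dc6e4440c21"),
    (281, 0, "6ed2d9331a174b6e6b980bc0983356b0", "146caeb4e8db685ac91e3b0804f70ea4",
     "ac803a1af9a5e54bf052c8c090a2a5ac", None, "e99d6f25c012d2ab5e04bd1bf2420674"),
]

def byte_len(hex_value):
    """Length in bytes of a hex column value; 0 for NULL."""
    return len(bytes.fromhex(hex_value)) if hex_value else 0

def triage(row):
    """Return (asn_line, problems); asn_line is None when the row does not fit."""
    pk, iterations, salt, wrapped, iv, verifier, tag = row
    blob = wrapped or verifier  # the post notes either column can fill this slot
    problems = []
    if iterations <= 0:
        problems.append("iteration count is 0")
    if byte_len(salt) != SALT_LEN:
        problems.append(f"salt is {byte_len(salt)} bytes, expected {SALT_LEN}")
    if byte_len(blob) != BLOB_LEN:
        problems.append(f"key blob is {byte_len(blob)} bytes, expected {BLOB_LEN}")
    if iv or tag:
        problems.append("IV/tag columns are populated (NULL in the older row)")
    if problems:
        return None, problems
    return f"$ASN$*{pk}*{iterations}*{salt}*{blob}", []

if __name__ == "__main__":
    for row in ROWS:
        line, problems = triage(row)
        print(row[0], line if line else "does not fit: " + "; ".join(problems))
```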
Thank you for including so much detail. I guess this makes you the most qualified person to figure it out and contribute an enhancement to our project. Would you try? As far as I'm aware, no one in here has seriously looked into this functionality since it was first contributed by @kholia in 2017, who is inactive with the project lately. I'm sorry we do not have a better answer for you.