![]() The same file also appears to contain asymmetric keys "RootPrivateKey" and "HostPrivateKey" (my reading suggests these might be PKCS #7-enveloped). The "\programdata\apple\Lockdown\ist" contains a PList with "DeviceCertificate", "HostCertificate", and "RootCertificate", all of which appear to be valid X509 certs. ![]() The "\appdata\Roaming\Apple Computer\iTunes\itunesprefs.xml" contains a PList with a "Keychain" dict entry in it. I've listed paths below from a Windows machine but it's much of a muchness whichever OS we use. One can restore an encrypted backup to a different device, which suggests all information relevant to the decryption is present in the backup and iTunes configuration, and that anything solely on the device is irrelevant and replacable in this context. Perhaps it's one of the keys hard-coded into iTunes, or into the devices themselves.Īlthough Apple's comment above suggests the key is present on the device's keychain, I think this isn't that important. The IV is another matter, and it could be a few things. ( AES and the iTunes encrypt/decrypt process is symmetric.) However, given the reference to the iPhone keychain, I wonder whether the "backup password" might not be used as a password on an X509 certificate or symmetric private key, and that the certificate or private key itself might be used as the key. One might assume that the key is a manipulation of the "backup password" that users are prompted to enter by iTunes and passed to " AppleMobileBackup.exe", padded in a fashion dictated by CBC. That's a pretty good clue, and there's some good info here on Stackoverflow on iPhone AES/Rijndael interoperability suggesting a keysize of 128 and CBC mode may be used.Īside from any other obfuscation, a key and initialisation vector (IV)/salt are required. The key is stored securely in the iPhone keychain." Files are encrypted using AES128 with a 256-bit key. The Apple "iPhone OS Enterprise Deployment Guide" states that "Device backups can be stored in encrypted format by selecting the Encrypt iPhoneīackup option in the device summary pane of iTunes. (If you're able to help, I don't care which language you use. I have no problems reading these files otherwise, and have built some robust C# libraries for doing so. This is easy when they are unencrypted, but not when they are encrypted, whether or not the password is known.Īs such, I'm trying to figure out the encryption scheme used on mddata and mdinfo files when encrypted. The project contributors and Richard Infante will not be held responsible in the event any criminal charges be brought against any individuals misusing this tool and/or the information contained within, to break the law.I've been asked by a number of unfortunate iPhone users to help them restore data from their iTunes backups. Do not use this tool for illegal purposes, ever. The tool is for testing purposes and should ONLY be used on iPhone backups where the owner's consent has been given. ContributingĭISCLAIMER: This tool enables the extraction of personal information from iPhone backups located on a computer drive. You should make a backup of the backups you look at using this tool, even though they are opened as read-only, you should still do that do you don't accidentally do something to lose data. Ibackuptool -b $UDID -r backup.files -extract ~/Desktop/Photos -filter DCIM -regex-filter '\.(jpg|JPG|jpeg|JPEG)$ ' Running Tests # Export all JPEG photos onto "~/Desktop/Photos" The full report list is available on the wiki Installing (as a module) ![]() Some reports, will output an error message if files that are required are not present in the backup. ![]() When a report type is not supported, an error message is outputted to the terminal. IOS Support depends on the individual reporting types and which files are specifically present inside of the backup. Please read the wiki for more up-to-date and in-depth examples, and examples of how to make and use reports. This readme is intended to be an overview of features. This tool is also still fairly experimental, so use at your own risk! Even though the tool opens the backup files as read-only, you should still make a copy of your backups before using this if they are important.Ĭurrently works on macOS, not tested extensively on windows but should function properly. Are you storing unencrypted iPhone backups on your personal computer? With very little effort, we can dump all the saved messages from the backup, as well as notes, photo locations, and other data.Ĭheck out my recently updated post about my work on backups here: Reverse Engineering the iOS Backup
0 Comments
Leave a Reply. |