Closed YannikBe closed 1 month ago
hi, would you mind sending the DB file to t.me/eldavo ?
In case it matters: the media files are mcrypt1 encrypted but I have not even attempted decrypting them yet.
You need additional metadata to decrypt those files, you can download them with the master branch version of whapa.
Thank you @ElDavoo for your quick reply! Unfortunately, I have to admit that I would not feel comfortable sending so much private information about my family, friends and myself to anyone online. I hope you understand. Thank you for your offer though!
That's understandable. Are you able to try and decrypt other DB files, like avatar_backup, stickers, etc etc?
Thank you for understanding and still trying to help!
Unfortunately, decrypting other files results in the exact same error message. Even though details like the WhatsApp version number or the last two digits of my phone number are correct, the decryption fails.
❯ wadecrypt --force -v 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab 4915738962092/files/Backups/stickers.db.crypt15 stickers.db
keyfactory.py:31 : [D] Reading keyfile...
keyfactory.py:46 : [I] The keyfile could not be opened.
key15.py:47 : [D] Root key: 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab
key15.py:51 : [I] Crypt15 / Raw key loaded
wadecrypt.py:235 : [D] Key15(key: 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab)
dbfactory.py:41 : [D] Parsing database header...
dbfactory.py:59 : [D] No feature table found (not a msgstore DB or very old)
dbfactory.py:75 : [D] WhatsApp version: 2.24.8.85
dbfactory.py:78 : [D] Your phone number ends with 92
dbfactory.py:128 : [D] Crypt15 info:
Header information in your crypt15 file:
IV: c084f456209d726bddec3d6ec253d7a8
Key type: 1
WhatsApp version: 2.24.8.85
The last two numbers of the user's Jid: 92
Backup version: 0
No feature table found (not a msgstore DB or very old)
db15.py:155 : [E] Authentication tag mismatch: MAC check failed.
This probably means your backup is corrupted.
wadecrypt.py:260 : [E] I can't recognize decrypted data. Decryption not successful.
The key probably does not match with the encrypted file.
Or the backup is simply empty. (check with --force)
wadecrypt.py:271 : [I] Done
Could I maybe have made a mistake while downloading my backup from Google Drive? I used whapa (https://github.com/B16f00t/whapa) to download the files. Whapa's author actually linked to your repo in an issue and that is how I found this project. In the whapa settings I entered my Android Device ID but I never gave it to wa-crypt-tools.
Or is there a way to get a backup directly from my unrooted Samsung phone to circumvent Google's decryption? Or would it help if I uploaded a new WhatsApp backup from my phone into Google Drive without end-to-end encrypting it? In the end I only want to have all my messages and media on my computer to keep them safe there.
would it help if I uploaded a new WhatsApp backup from my phone into Google Drive without end-to-end encrypting it? I
You would then need to extract the key with some other projects.
Anyway, I can reproduce the issue, it looks like the actual key is different from what wacreatekey generates
You would then need to extract the key with some other projects.
Okay I see.
Anyway, I can reproduce the issue, it looks like the actual key is different from what wacreatekey generates
Thank you for taking the time and giving it a shot as well! Is there anything I can do to find the correct key or help improving wacreatekey without sending my entire WhatsApp history across the internet?
No, let me see how to fix it
Any update on the issue above @ElDavoo, having the same issue myself.
So the solution is to use the util hex_string_to_encrypted_backup_key.py included in the repo, and then use the generated file in the decrypt command.
Example usage:
hex_string_to_encrypted_backup_key.py 8d692080deea0a624125b787618c269a5dd29d8cfbbfd7a00cd57efd739eb8b9 ouput_key
So the solution is to use the util hex_string_to_encrypted_backup_key.py included in the repo, and then use the generated file in the decrypt command. Example usage: hex_string_to_encrypted_backup_key.py 8d692080deea0a624125b787618c269a5dd29d8cfbbfd7a00cd57efd739eb8b9 ouput_key
Thank you @asabeeh18 for sharing that solution, I am however using the rooted - key, the 128-bit converted 64-bit and used with hex_string_to_encrypted_backup_key.py renders the same error.
So the solution is to use the util hex_string_to_encrypted_backup_key.py included in the repo, and then use the generated file in the decrypt command. Example usage: hex_string_to_encrypted_backup_key.py 8d692080deea0a624125b787618c269a5dd29d8cfbbfd7a00cd57efd739eb8b9 ouput_key
wacreatekey does the same, and both that and the old script generate the same encrypted_backup.key that's in my phone, but I've been unable to decrypt my db.
but I've been unable to decrypt my db. I tried with a fresh backup and it worked.
Sorry everyone, but I've been shallow and I've deleted the old test files, so I can't test anymore if there is / was a problem.
Can you just.... try again?
As a last resort, you might try using waguess.
I will close this issue since I got no news on this
Sorry ElDavoo, I don't have the old phone anymore because I had to return it when the contract ran out. So there is nothing left I could test it on at this point. Either way, thank you very much for your support!
Hexdump of your key file
Without the "line numbers":
edac050072750200425bf3acf8170806e05400027800007000006e2008428e68bd7d9d1ac6181b9a5de25642ff34d5cf7ca870465f79487e288a00ab
Created with: wacreatekey --hex 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab
Hexdump of the encrypted DB
Again just the pure hex string in case that is easier:
Screenshots
If applicable, add screenshots to help explain your problem. Not sure what to upload here... Just in case that is my screenshot of the key I took:
Program output using -v and -f
Additional context
I am getting the same error output when using the keyfile instead of the raw key. In case it matters: the media files are mcrypt1 encrypted but I have not even attempted decrypting them yet. The backup is 16G in size which is why I waited for the past 12 hours for it to upload to then download it. I am certain that the screenshotted key matches the backup I am trying to decrypt.
I would appreciate any help a lot!! Thank you!
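The key-file hexdump in the issue body above can be checked offline against the raw key it was created from. The script below is an added example, not part of the thread or of wa-crypt-tools; it assumes the dump came from hexdump's default 16-bit word display on a little-endian machine and that the key file is a Java-serialized byte[] (function names are hypothetical).

```python
import struct

# Copied from the issue body: key-file hexdump (offsets removed) and the root key.
KEYFILE_HEXDUMP = ("edac050072750200425bf3acf8170806e05400027800007000006e2008428e68bd7d"
                   "9d1ac6181b9a5de25642ff34d5cf7ca870465f79487e288a00ab")
ROOT_KEY_HEX = "6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab"

# Java serialization constants (java.io.ObjectStreamConstants).
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_CLASSDESC, TC_ARRAY, TC_ENDBLOCKDATA = 0x70, 0x72, 0x75, 0x78
HEADER_LEN = 27  # fixed header size for a stream holding a single byte[]


def unswap_hexdump_words(hex_words: str) -> bytes:
    """Undo the byte swap of hexdump's little-endian 16-bit word display."""
    raw = bytes.fromhex(hex_words)
    if len(raw) % 2:
        raise ValueError("word-oriented hexdump output has an even byte count")
    return bytes(b for i in range(0, len(raw), 2) for b in (raw[i + 1], raw[i]))


def parse_java_byte_array(blob: bytes) -> bytes:
    """Return the payload of a stream that holds one serialized Java byte[]."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a serialized byte[]")
    magic, version, tc_obj, tc_desc, name_len = struct.unpack_from(">HHBBH", blob, 0)
    if (magic, version) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("not a Java serialization stream")
    if (tc_obj, tc_desc) != (TC_ARRAY, TC_CLASSDESC) or blob[8:8 + name_len] != b"[B":
        raise ValueError("stream does not hold a byte[]")
    pos = 8 + name_len + 8  # skip class name and serialVersionUID
    _flags, fields, end_block, super_desc = struct.unpack_from(">BHBB", blob, pos)
    if fields != 0 or end_block != TC_ENDBLOCKDATA or super_desc != TC_NULL:
        raise ValueError("unexpected class descriptor")
    (length,) = struct.unpack_from(">I", blob, pos + 5)
    payload = blob[pos + 9:pos + 9 + length]
    if len(payload) != length:
        raise ValueError("array is truncated")
    return payload  # any trailing hexdump padding byte is ignored


def keyfile_matches_root_key() -> bool:
    """True if the posted key file wraps exactly the posted 32-byte root key."""
    blob = unswap_hexdump_words(KEYFILE_HEXDUMP)
    return parse_java_byte_array(blob) == bytes.fromhex(ROOT_KEY_HEX)


if __name__ == "__main__":
    print("key file contains the root key:", keyfile_matches_root_key())
```

A match only shows that the key file faithfully wraps the hex string it was created from; it says nothing about whether that string is the key the backup was encrypted with.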