decrypt incremental backup done in laetst version of whatsapp

[cleanerspam]

Hello ,

In Android/media/com.whatsapp/Whatsapp/Databases there were two files msgstore.db.crypt14 and msgstore-increment-1.db.crypt14 . Where the msgstore.db.crypt14 is 15 days older and is bigger in size 30mb and the msgstore-increment-1.db.crypt14 has been created 3 days earlier only and is of 30kb .

By using wadecrypt command I was able to get msgtore.db file which on replacing in Root/data/data/com.whatsapp/databases I got back my old messages but last 15 days messages have not restored . I tried to rerun your wadecrypt command individually on msgstore-increment-1.db.crypt14 but it failed to run giving errors :-

WhatsApp version: 2.24.10.85
Traceback (most recent call last):
  File "/home/user/wadecrypt.py", line 205, in <module>
    main()
  File "/home/user/wadecrypt.py", line 201, in main
    decrypt14(t1, key, args.encrypted, args.decrypted)
  File "/home/user/wadecrypt.py", line 169, in decrypt14
    offset = find_offset(heade, iv_offset, key)
  File "/home/user/wadecrypt.py", line 134, in find_offset
    if zobj[:15].decode('ascii') != 'SQLite format 3':
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd4 in position 12: ordinal not in range(128)

So is there any way to decrypt in such a way that both msgstore.db.crypt14 and msgstore-increment-1.db.crypt14 are combined and then restored ?

[ElDavoo]

Last time I checked, decryption of incremental was working, it probably broke with recent updates, but as far as i know nobody knows the format of the increment and how to merge it to main.

[cleanerspam]

After you release on PyPi , I am willing to check again

[ncatanchin]

The msgstore-increment-n.db.crypt14 files are decryptable, the same as msgstore.db. However, the resulting file is not an SQLite database, but a zip file:

msgstore-increment-1.db: Zip archive data, at least v2.0 to extract, compression method=deflate

Within the zip file are numerous json files, describing changes to key WhatsApp database tables

unzip msgstore-increment-4.db
Archive:  msgstore-increment-4.db
  inflating: sequences.json          
  inflating: messages.bin            
  inflating: deletedMessages_1.json  
  inflating: jid_modified_1.json     
  inflating: media_refs_modified_1.json  
  inflating: primary_device_version_modified_1.json  
  inflating: chat_modified_1.json    
  inflating: user_device_deleted_1.json  
  inflating: user_device_modified_1.json  
  inflating: user_device_info_deleted_1.json  
  inflating: user_device_info_modified_1.json  
  inflating: receipt_user_deleted_1.json  
  inflating: receipt_user_modified_1.json  
  inflating: receipt_device_deleted_1.json  
  inflating: receipt_device_modified_1.json  
  inflating: message_add_on_receipt_device_modified_1.json  
  inflating: group_participant_device_deleted_1.json  
  inflating: group_participant_device_modified_1.json  
  inflating: frequent_deleted_1.json  
  inflating: frequent_modified_1.json  
  inflating: props_modified_1.json   
  inflating: header.json

An example being new media_refs records:

cat media_refs_modified_1.json 

{
    "media_refs": [
        {
            "path": "\/storage\/emulated\/0\/Android\/media\/com.whatsapp\/WhatsApp\/Media\/WhatsApp Images\/IMG-20240719-WA0026.jpg",
            "_id": 6124,
            "ref_count": 2
        }
    ]
}

The odd one out is the messages.bin file. This contains message table records (new messages) in protobuf format.

See:

• https://github.com/ndunks/whatsapp-protobuf
• https://github.com/sigalor/whatsapp-web-reveng

I tried to use the tools and knowledge from those repos as I'm sure that's the key to decoding the messages.bin, but I was not able to get that working.

[ElDavoo]

I've tried decrypting increments using current version and everything works fine.
About the error in the issue, it shouldn't crash the program, but only report the error, so I fixed it.

[vb0]

For what is worth if you hit "Backup" manually in Whatsapp it seems to create just a regular msgstore.db.crypt15, which contains the very last message.