KnugiHK / WhatsApp-Chat-Exporter

A customizable Android and iOS/iPadOS WhatsApp database parser that will give you the history of your WhatsApp conversations in HTML and JSON. Android Backup Crypt12, Crypt14, Crypt15, and new schema supported.
https://wts.knugi.dev/
MIT License
625 stars 88 forks source link

[FEATURE] E2E encrypted iCloud backup support #84

Open FiloSottile opened 9 months ago

FiloSottile commented 9 months ago

If an iOS client enables end-to-end encrypted backups, the chats are not stored in device backups anymore, but only in iCloud.

From a Mac it's very convenient to access the encrypted iCloud backup at

/Users/filippo/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/Accounts/XXXXXXXXXXXXX/backup/ChatStorage.sqlite.enc

I imagine this can be decrypted with the 64 character E2E key. It would be nice to add support to WhatsApp-Chat-Exporter.

KnugiHK commented 9 months ago

You mean iCloud Advanced Data Protection or the WhatsApp built-in E2E encryption?

FiloSottile commented 9 months ago

ADP is transparent from a macOS client. ChatStorage.sqlite.enc is encrypted by WhatsApp's built-in E2E encryption.

KnugiHK commented 9 months ago

Thanks! Will look into it when I have access to Mac.

laky commented 1 month ago

I'd love this as well!

@FiloSottile, did you find some solution here? And how can you find the WhatsApp encryption key to use to read this file?

ivoidcat commented 1 week ago

+1

nnathan commented 1 week ago

did you find some solution here? And how can you find the WhatsApp encryption key to use to read this file?

The WhatsApp encryption key is derived from the password or the generated key they provide you.

It's unclear the format of the encrypted data, I don't think it is specified anywhere. Might need to reverse engineer WhatsApp or hook it with Frida to see exactly what it is doing.

ivoidcat commented 1 week ago

did you find some solution here? And how can you find the WhatsApp encryption key to use to read this file?

The WhatsApp encryption key is derived from the password or the generated key they provide you.

It's unclear the format of the encrypted data, I don't think it is specified anywhere. Might need to reverse engineer WhatsApp or hook it with Frida to see exactly what it is doing.

I have already tried it, it's not a 64 bit key

nnathan commented 1 week ago

I have already tried it, it's not a 64 bit key

First, 64 byte key, and I did say derive. That is there's an algorithm (which we don't know what it is), that transforms the secret (password or generated key) into a decryption key.

ivoidcat commented 1 week ago

I have already tried it, it's not a 64 bit key

First, 64 byte key, and I did say derive. That is there's an algorithm (which we don't know what it is), that transforms the secret (password or generated key) into a decryption key.

Regrettably, the key problem is that if icloud backup is turned on, the original files will not be obtained

nnathan commented 1 week ago

Regrettably, the key problem is that if icloud backup is turned on, the original files will not be obtained

I'm not sure I understand. As OP stated you can access and copy (download) the encrypted backups. It's just a matter of deriving the decryption key from password/generated key and performing the decryption. But unfortunately at the moment these are two unknowns. I do recall that the E2EE backups also involving an OPRF, so it might be that the decryption key is stored on WhatsApp servers.

ivoidcat commented 1 week ago

Regrettably, the key problem is that if icloud backup is turned on, the original files will not be obtained

I'm not sure I understand. As OP stated you can access and copy (download) the encrypted backups. It's just a matter of deriving the decryption key from password/generated key and performing the decryption. But unfortunately at the moment these are two unknowns. I do recall that the E2EE backups also involving an OPRF, so it might be that the decryption key is stored on WhatsApp servers.

Thanks

KnugiHK commented 6 days ago

I couldn't get the backup to appear in /Users/<user>/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/. I followed the steps outlined in this Apple discussion thread, but still no luck. Any ideas?

nnathan commented 6 days ago

Three thoughts:

  1. Make sure you have iCloud Drive sync enabled.
  2. Try navigate manually to that path rather than cd /Users/...~Whatsapp, I think certain directory has to incrementally load/sync the directory and file list.
  3. Make sure you've given your terminal or whatever permissions to access iCloud Drive/directory hierarchy.
ivoidcat commented 5 days ago

I couldn't get the backup to appear in /Users/<user>/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/. I followed the steps outlined in this Apple discussion thread, but still no luck. Any ideas?我无法让备份出现在 /Users/<user>/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/ 。我按照Apple 讨论线程中概述的步骤进行操作,但仍然没有成功。有什么想法吗?

Back up through your phone and view from it

ivoidcat commented 5 days ago

I couldn't get the backup to appear in /Users/<user>/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/. I followed the steps outlined in this Apple discussion thread, but still no luck. Any ideas?我无法让备份出现在 /Users/<user>/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/ 。我按照Apple 讨论线程中概述的步骤进行操作,但仍然没有成功。有什么想法吗?

Back up through your phone and view from it通过手机备份并查看

Just that's how I did it