Magpol / HowTo-decrypt-Signal.sqlite-for-IOS

Decrypt signal.sqlite IOS

Correct private key format #3

Open seb3point0 opened 3 years ago

seb3point0 commented 3 years ago

I managed to extract the private key using keychain_dumper:

Generic Password
----------------
Service: GRDBKeyChainService
Account: GRDBDatabaseCipherKeySpec
Entitlement Group: U68MSDN6DR.org.whispersystems.signal
Label: (null)
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, protection level 4
Description: (null)
Comment: (null)
Synchronizable: 0
Generic Field: (null)
Keychain Data (Hex): 0xfbbe15a2bc59d7cc7fbb21ee74a13a6e2f097d38fc6ee3b9b879b82325ae4542d46c339ae3c092e3e00aa2a74ec5cdcb

Then ran sqlcipher.

$ sqlcipher signal.sqlite
SQLCipher version 3.15.2 2016-11-28 19:13:37
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> PRAGMA key="x'fbbe15a2bc59d7cc7fbb21ee74a13a6e2f097d38fc6ee3b9b879b82325ae4542d46c339ae3c092e3e00aa2a74ec5cdcb'";
sqlite> PRAGMA cipher_plaintext_header_size = 32;
sqlite> .tables
Error: file is encrypted or is not a database
sqlite> PRAGMA cipher_plaintext_header_size=32;
sqlite> PRAGMA cipher_page_size = 1024;
sqlite> PRAGMA cipher_hmac_algorithm = HMAC_SHA1;
sqlite> PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;
sqlite> .tables
Error: file is encrypted or is not a database

However, this doesn't work. Note that I removed the 0x from the beginning of the key – I also tried leaving it in. I also attempted opening the file with DB Browser for SQLite for Mac, with which I was able to decrypt a Signal for Mac backup previously, but that didn't work either.

I wonder if this is an issue with the sqlcipher version or perhaps the key format. Any help would be appreciated.

Magpol commented 3 years ago

I had issues when using the version of SQLCipher that was included in my distribution. I solved it by building SQLCipher from source. When looking at the source code for Signal I can't find any other changes.

Try with a more recent build of sqlcipher.

seb3point0 commented 3 years ago

Thank you!

SQLite version 3.33.0 2020-08-14 13:23:32 (SQLCipher 4.4.2 community)
Enter ".help" for usage hints.
sqlite> PRAGMA key="x'fbbe15a2bc59d7cc7fbb21ee74a13a6e2f097d38fc6ee3b9b879b82325ae4542d46c339ae3c092e3e00aa2a74ec5cdcb'";
ok
sqlite> PRAGMA cipher_plaintext_header_size = 32;
sqlite> .tables
grdb_migrations
indexable_text
indexable_text_fts
indexable_text_fts_config
indexable_text_fts_data
indexable_text_fts_docsize
indexable_text_fts_idx
keyvalue
media_gallery_items
model_ExperienceUpgrade
model_IncomingGroupsV2MessageJob
model_InstalledSticker
model_KnownStickerPack
model_OWSDevice
model_OWSDisappearingMessagesConfiguration
model_OWSMessageContentJob
model_OWSReaction
model_OWSRecipientIdentity
model_OWSUserProfile
model_SSKJobRecord
model_SignalAccount
model_SignalRecipient
model_StickerPack
model_TSAttachment
model_TSInteraction
model_TSMention
model_TSThread
model_TestModel
pending_read_receipts

Previously I was using the version of sqlcipher which comes in Ubuntu. I compiled from source and it worked. Getting here was a long journey, but I'm happy my messages and my data are finally free. I will write a blog post about this process.

seb3point0 commented 3 years ago

For anyone looking for a detailed explanation on how to jailbreak iOS and extract Signal's encrypted database, I wrote this post.

Exporting messages from Signal for iOS: a journey
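
A pre-flight check for the key format discussed in this thread, as an added example that is not code from the repository or from either commenter: it strips the 0x prefix from a keychain_dumper value, validates the length, and builds the PRAGMA lines used above. It relies on SQLCipher's raw key format (64 hex characters for a key alone, 96 for a 32-byte key followed by a 16-byte salt); the function names and the sample values are hypothetical and constructed.

```python
from typing import List, Optional, Tuple

# Visible at offset 0 only when the header is stored in plaintext.
SQLITE_MAGIC = b"SQLite format 3\x00"

def parse_keychain_hex(value: str) -> Tuple[bytes, Optional[bytes]]:
    """Split a 'Keychain Data (Hex)' value into (32-byte key, 16-byte salt or None)."""
    text = value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]              # the x'...' literal takes bare hex digits
    raw = bytes.fromhex(text)        # raises ValueError on non-hex or odd length
    if len(raw) == 32:
        return raw, None
    if len(raw) == 48:
        return raw[:32], raw[32:]
    raise ValueError(f"expected 32 or 48 bytes of key material, got {len(raw)}")

def pragma_key(value: str) -> str:
    """Build the raw-key PRAGMA in the form typed at the sqlite> prompt."""
    key, salt = parse_keychain_hex(value)
    return "PRAGMA key=\"x'" + (key + (salt or b"")).hex() + "'\";"

def has_plaintext_header(first_bytes: bytes) -> bool:
    """True when the file starts with the SQLite magic instead of a random salt."""
    return first_bytes[:16] == SQLITE_MAGIC

def session_commands(value: str, first_bytes: bytes) -> List[str]:
    """Commands for the sqlcipher shell, given the key and the file's first 16 bytes."""
    _, salt = parse_keychain_hex(value)
    cmds = [pragma_key(value)]
    if has_plaintext_header(first_bytes):
        if salt is None:
            # In this mode the salt is not stored in the file, so the key must carry it.
            raise ValueError("plaintext-header database needs a 96-hex-character key")
        # 32 is the header size used in this thread (assumed here, not detected).
        cmds.append("PRAGMA cipher_plaintext_header_size = 32;")
    cmds.append(".tables")
    return cmds

if __name__ == "__main__":
    sample_key = "0x" + "11" * 32 + "22" * 16   # constructed value, not a real key
    sample_head = SQLITE_MAGIC                   # constructed header bytes
    print("\n".join(session_commands(sample_key, sample_head)))
```

If the key parses cleanly and the file still reports "file is encrypted or is not a database", the key format is not the problem; in this thread the cause was the distribution's older sqlcipher build.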