R1NZLR / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

EMF undelete fails to read systembag.kb #62

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run a 'dd if=/dev/rdisk0s1s2 bs=8192' on an iphone.
2. Run the scripts bruteforce, device_infos, kernelpatcher to get the plist. I 
used the scripts from here 
http://securitylearn.wordpress.com/2012/04/22/extracting-aes-keys-from-iphone/
3. Run emf_decrypter on the image
4. Run emf_undelete on the image

What is the expected output? What do you see instead?
Apparently it fails to read the 'keybags/systembag.kb', I have checked the 
systembag string in the bruteforce.py script and it seems it's still encrypted. 
I get ")♫P╨g" as output instead of "bplist":

    if not systembag or not systembag.startswith("bplist"):
        print "FAIL: could not read /keybags/systembag.kb from data partition"
        return False

Also this is the output when I run the script emf_undelete:

    Using plist file C:\Users\rvonkan\Downloads\d6d38aaf8985f0723f4ad1cc51962a30c7f887e7\23ed7b6e615a77fc.plist
    Keybag unlocked with passcode key
    cprotect version : 4 (iOS 5)
    FAIL: could not read /keybags/systembag.kb from data partition
    Journal size : 8MB
    Collecting existing file ids
    27160 file IDs
    Found deleted file record 1480988 temp1480988
    Found deleted file record 1482509 Info.plist
    Found deleted file record 1482505 KeywordIndex.plist
    Found deleted file record 1482506 Manifest.sqlitedb
    Found deleted file record 1482504 express.psa
    Found deleted file record 1482897 UIApplicationAutomaticSnapshotDefault-Portrait@2x.png
    Found deleted file record 1481626 backup_keys_cache.db
    Found deleted file record 1481514 data_ark.plist
    Found deleted file record 1482910 com.apple.AutoWake.plist
    Traceback (most recent call last):
      File "C:\Python27\Scripts\iphone-dataprotection\python_scripts\emf_undelete.py", line 25, in <module>
        do_emf_carving(volume, carveokdir, carvenokdir)
      File "C:\Python27\Scripts\iphone-dataprotection\python_scripts\hfs\journal.py", line 128, in do_emf_carving
        deletedFiles, filekeys = carveEMFVolumeJournal(volume)
      File "C:\Python27\Scripts\iphone-dataprotection\python_scripts\hfs\journal.py", line 105, in carveEMFVolumeJournal
        filekey = volume.keybag.unwrapKeyForClass(cprotect.persistent_class, cprotect.persistent_key)
    AttributeError: 'bool' object has no attribute 'unwrapKeyForClass'

What version of the product are you using? On what operating system?
Most recent iphone-dataprotection source downloaded from google code.
iPhone 4S and iOS 5.1.1
Windows 7 64bit

Please provide any additional information below.
I have successfully run photorec recovering data from the image after using the 
emf_decrypter script. So everything works except emf_undelete. The image is 
decrypted but it seems that the systembag is still encrypted.

Original issue reported on code.google.com by ill...@gmail.com on 8 Jul 2012 at 10:50
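
The traceback in this report shows `volume.keybag` holding a `bool` after the systembag read failed, so the error only surfaces later as an `AttributeError` during carving. The following added example (Python 3, not the project's code and not the fix from the closing revision) classifies a systembag blob and raises at load time instead; `classify_systembag`, `require_systembag`, `KeybagError` and the 7.0 bits/byte entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BPLIST_MAGIC = b"bplist"  # header the check quoted in the report expects
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off for "looks like ciphertext"


class KeybagError(Exception):
    """The system keybag blob is missing or not a binary plist."""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for structured data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_systembag(blob) -> str:
    """Return 'missing', 'bplist', 'likely-encrypted' or 'unknown'."""
    if not blob:  # None, b"" or the False a failed read may hand back
        return "missing"
    if blob.startswith(BPLIST_MAGIC):
        return "bplist"
    high = shannon_entropy(blob) > ENTROPY_THRESHOLD
    return "likely-encrypted" if high else "unknown"


def require_systembag(blob) -> bytes:
    """Fail at load time so no caller ever receives a bool in place of a keybag."""
    state = classify_systembag(blob)
    if state != "bplist":
        raise KeybagError("systembag.kb unusable (%s); stop before carving" % state)
    return blob


# Constructed sample inputs (not data from the report).
SAMPLE_PLAIN = b"bplist00" + b"\x00" * 64
SAMPLE_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("opaque", SAMPLE_OPAQUE), ("failed", False)):
        print(name, classify_systembag(blob))
```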

GoogleCodeExporter commented 8 years ago
This issue was closed by revision 357a90456937.

Original comment by jean.sig...@gmail.com on 10 Jul 2012 at 5:13

GoogleCodeExporter commented 8 years ago
I just pushed a fix, thanks for reporting this issue.

Original comment by jean.sig...@gmail.com on 10 Jul 2012 at 5:14

GoogleCodeExporter commented 8 years ago
Just turn off iCloud and it will fix the problem.

Original comment by 12mariss...@gmail.com on 15 Aug 2012 at 2:05