dunhamsteve / ios

Utility to extract files and keychain information from iOS backups

Won't dump keychain #4

Open AppleTechy opened 6 years ago

AppleTechy commented 6 years ago

Figured I would move this over here since it's now specific. I run the dumpkeys command and specify an output directory. It generates a Manifest key and has the output with a bunch of numbers inline with a keychainDomain. However, after that it says No keys for class 11 genp [ 0 0 0 0 0 0 0 0 0 n] and then proceeds to dump nothing from the keychain. I then proceeded to run restore, and when I went into the directory the keychain-backup.plist is still encrypted and the trustStore.sqllite seems to be pretty much empty. I can post the terminal output, I am just not exactly sure what is confidential and needs to be removed.

dunhamsteve commented 6 years ago

So, the command will be like:

irestore UUID dumpkeys outfile.json

(You can leave the last bit off and it will dump to the screen.) The keychain from a restore will still be the encrypted version, which is why the separate dumpkeys command exists. If you're specifying the name of an existing directory, it's probably decoding everything and getting an error at the end when it tries to open the directory as a file to write. If you leave the name off, it should be dumping json to the screen.

There will be some errors on the screen that look like:

No key for class 10 genp [0 0 0 0 0 0 144 75]
No key for class 9 genp [0 0 0 0 0 0 144 97]
No key for class 11 genp [0 0 0 0 0 0 144 98]

These correspond to entries that we can't extract. They're marked "this device only" by the applications that saved them and need a key buried in the phone's hardware, the 0x835 key, to extract. I've never managed to get that key out of my phone. You should, however, get the decryptable subset of the keys in the json file you name on the command line.

One caveat is that internally the data for the keys is binary - a lot of them are plain text strings, but not all. Currently I base64 all the binary data, so it may look a little cryptic, but you'll usually get plain text if you decode the base64. The good stuff is in v_Data. Anything that starts with MII is asn.1 encoded binary data (X.509 keys and the like).

(It also writes a kcb.plist - this is the raw keychain data with encrypted entries, a debugging thing I forgot to take out of the program.)

Oh and I should add, that while the program can extract backups with no password (unencrypted backups), they don't include enough information to decrypt the keychain.

AppleTechy commented 6 years ago

Thanks, I got it to display in the terminal. How would I get the kcb.plist? It appears it was able to extract everything; I don't see the No key error. So specifically, one of the v_Data values I was wanting to view in plaintext starts with QV and ends with ==; any ideas on what it's encoded in? I tried just using base64 but it shows up as what are normally encrypted characters in UTF-8. I was under the impression that I could dump wifi passwords from the keychain as well, but I don't see any listed in the output? Any advice would be helpful! Thanks

dunhamsteve commented 6 years ago

I see wifi passwords in my keychain. They're under "General" and have svce equal to AirPort. If you have jq installed you could do:

jq '.General[]|select(.svce=="AirPort")|.acct+" "+.v_Data' -r < out.json

to list all of them. (You'll still have to decode the base64 yourself until the next version of jq comes out, at which point you could do (.v_Data|@base64d).)

Example entry (with ssid / password changed):

    {
      "acct": "SomeWifiId",
      "agrp": "apple",
      "cdat": "2017-12-28T22:31:53.127788Z",
      "desc": "AirPort network password",
      "labl": "SomeWifiId",
      "mdat": "2017-12-28T22:31:53.127788Z",
      "musr": "",
      "pdmn": "ck",
      "persistref": "",
      "svce": "AirPort",
      "sync": 1,
      "tomb": 0,
      "v_Data": "Z2l0aHVi"
    }
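The jq filter above only lists the entries; the base64 still has to be undone by hand, and as the comment notes not every v_Data decodes to a printable string. The script below is an added example, not part of the irestore project or this thread: it reads a dumpkeys-style JSON file (the `General` array, `svce`, `acct` and `v_Data` keys are taken from the sample entry above), applies the same "starts with MII means ASN.1" rule of thumb, and reports each secret as text, hex for bytes that are not valid UTF-8, or a DER flag. The sample dump embedded in the script is constructed for the example (the "Z2l0aHVi" value is the one from the entry above); the file name `kcdump.py` and the helper names are the example's own.

```python
import base64
import json

# Constructed sample in the shape of irestore's `dumpkeys` JSON output.
# Not real backup data: one text AirPort password, one AirPort entry whose
# secret is raw bytes that are not valid UTF-8, and one entry whose v_Data
# is a DER-looking blob (its base64 begins with "MII"). Only the keys the
# script reads are included.
SAMPLE_DUMP = json.dumps({
    "General": [
        {"acct": "SomeWifiId", "svce": "AirPort", "agrp": "apple",
         "pdmn": "ck", "v_Data": "Z2l0aHVi"},
        {"acct": "OtherNetwork", "svce": "AirPort", "agrp": "apple",
         "pdmn": "ck",
         "v_Data": base64.b64encode(b"\x00\xff\x10").decode("ascii")},
        {"acct": "SomeCert", "svce": "NotWifi", "agrp": "apple",
         "pdmn": "ck",
         "v_Data": base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 4).decode("ascii")},
    ]
})


def decode_v_data(b64: str) -> bytes:
    """Undo the base64 wrapping irestore applies to every v_Data value."""
    return base64.b64decode(b64, validate=True)


def classify(b64: str, raw: bytes) -> str:
    """Rule of thumb from the thread: base64 starting with "MII" is a DER
    SEQUENCE with a long-form length (0x30 0x82 ...), i.e. X.509-style
    material. Otherwise report whether the bytes are valid UTF-8 text."""
    if b64.startswith("MII"):
        return "asn1"
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def wifi_passwords(dump: str) -> list[tuple[str, str]]:
    """Same selection as the jq filter: General entries with svce == "AirPort",
    returned as (acct, secret). Text secrets come back decoded; anything that
    is not valid UTF-8 comes back as hex so no bytes are silently dropped."""
    doc = json.loads(dump)
    found = []
    for entry in doc.get("General", []):
        if entry.get("svce") != "AirPort":
            continue
        b64 = entry.get("v_Data", "")
        raw = decode_v_data(b64)
        if classify(b64, raw) == "text":
            found.append((entry.get("acct", ""), raw.decode("utf-8")))
        else:
            found.append((entry.get("acct", ""), raw.hex()))
    return found


def summarize(dump: str) -> list[tuple[str, str, str]]:
    """(acct, svce, kind) for every General entry, to see at a glance which
    v_Data values are text, opaque binary, or ASN.1."""
    doc = json.loads(dump)
    rows = []
    for entry in doc.get("General", []):
        b64 = entry.get("v_Data", "")
        rows.append((entry.get("acct", ""), entry.get("svce", ""),
                     classify(b64, decode_v_data(b64))))
    return rows


if __name__ == "__main__":
    import sys
    # Usage: python3 kcdump.py out.json   (falls back to the constructed sample)
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for acct, svce, kind in summarize(dump):
        print(f"{acct:20} {svce:12} {kind}")
    print()
    for acct, secret in wifi_passwords(dump):
        print(f"{acct}: {secret}")
```

The "MII" check is a heuristic, not a parser: it only says the first bytes look like a DER SEQUENCE with a two-byte length, which is what certificates and PKCS#8 keys start with. A value that decodes cleanly but is still unreadable is most likely genuinely binary (for instance a raw key or a serialized structure), which is why the script shows it as hex instead of guessing at an encoding.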
AppleTechy commented 6 years ago

Ah ok. I figured out why I wasn't seeing it. It wasn't being output in the terminal. Once I told it an output file the data was there. Is there any way to pull a profile that was installed on the device? In the decrypted backup there is a folder named SYSContainerDomain... and inside it has a folder named Configuration Profiles. Inside I see manifest.plist as well as profile stubs. When I open those stubs, it tells me payload identifiers, but I don't know where those payloads are stored.