jibeee / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection
0 stars 0 forks source link

FAIL: could not read /keybags/systembag.kb from data partition #76

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Reported by h2spice ;

When I try to run python python_scripts/emf_decrypter.py,

I get,

r3d4l3rtui-MacBook?-Pro:python_scripts h2spice$ python emf_decrypter.py 
../../../../rdisk0r1r2.dmg

Using plist file ../../../../Encription.plist

Keybag unlocked with passcode key

cprotect version : 4 (iOS 5)

FAIL: could not read /keybags/systembag.kb from data partition

Traceback (most recent call last):

File "emf_decrypter.py", line 34, in <module>

main()

File "emf_decrypter.py", line 19, in main

if not v.keybag.unlocked:

AttributeError?: 'bool' object has no attribute 'unlocked'

r3d4l3rtui-MacBook?-Pro:python_scripts h2spice$

Can you advise why the error might be causing this?

Thanks.

Original issue reported on code.google.com by jean.sig...@gmail.com on 2 Oct 2012 at 7:23

GoogleCodeExporter commented 8 years ago
Can you try to add this line to the file python_scripts/util/bruteforce.py at 
line 25 :
print "systembag is None :", (systembag ==None)

and then run the command again and post this new line from the output.

Also, can you post the commands you used to get the Encription.plist and 
rdisk0r1r2.dmg.
I assume you used the latest revision of the tools from the repository ?
Thanks

Original comment by jean.sig...@gmail.com on 2 Oct 2012 at 7:28

GoogleCodeExporter commented 8 years ago
ok, 

first, try to add this line to the file python_scripts/util/bruteforce.py at 
line 25: 
print "systembag is None :", (systembag ==None)

def loadKeybagFromVolume(volume, device_infos):
    systembag = volume.readFile("/keybags/systembag.kb", returnString=True)
    print "systembag is None :", (systembag ==None)           <-------------------line 25
    if not systembag or not systembag.startswith("bplist"):
        print "FAIL: could not read /keybags/systembag.kb from data partition"
        return False

and then run the command again 

r3d4l3rtui-MacBook-Pro:python_scripts h2spice$ python ./emf_decrypter.py 
./rdisk0s1s2.dmg 
Using plist file Encription.plist
Keybag unlocked with passcode key
cprotect version : 4 (iOS 5)
systembag is None : False     <----------------------- print "systembag is None 
:" , (systembag ==None)
FAIL: could not read /keybags/systembag.kb from data partition
Traceback (most recent call last):
  File "./emf_decrypter.py", line 34, in <module>
    main()
  File "./emf_decrypter.py", line 19, in main
    if not v.keybag.unlocked:
AttributeError: 'bool' object has no attribute 'unlocked'
r3d4l3rtui-MacBook-Pro:python_scripts h2spice$ 

command i used to get the rdisk0r1r2.dmg
./redsn0w -r /Users/h2spice/Desktop/RawTheft.dmg 

command i used to get the Encription.plist 
./redsn0w -i 
/Users/h2spice/tmp/iOS_Hacking/test5/iPhone2,1_5.1.1_9B206_Restore.ipsw -k 
/Users/h2spice/tmp/iOS_Hacking/test5/kernelcache.release.n88.patched \
> -r /Users/h2spice/Desktop/KeyTheft.dmg 

and i downloaded iphone-dataprotection by using command (hg colne 
https://code.google.com/p/iphone-dataprotection/ )

Original comment by h2sp...@gmail.com on 3 Oct 2012 at 7:42

GoogleCodeExporter commented 8 years ago
ok, what is the value of the dataVolumeOffset field in the plist file ?

Original comment by jean.sig...@gmail.com on 4 Oct 2012 at 9:49

GoogleCodeExporter commented 8 years ago
dataVolumeOffset is 307200 : )

Original comment by h2sp...@gmail.com on 4 Oct 2012 at 10:52

GoogleCodeExporter commented 8 years ago
OK, can you try to open the disk image with the modified HFSExplorer 
(http://code.google.com/p/iphone-dataprotection/downloads/detail?name=hfsexplore
r_iphoneEMF_d4ea02bd3fc3.zip&can=2&q=)

And open a random file in the image, for instance /logs/lockdownd.log, the file 
should contain text.

Original comment by jean.sig...@gmail.com on 5 Oct 2012 at 8:44

GoogleCodeExporter commented 8 years ago
yes ,

after download HFSexplorer, i did open the image rdisk0s1s2.dmg.

 as you said, i did open the tile /logs/lockdownd.log, this file contain text

PS. attach file : lockdownd.log

Original comment by h2sp...@gmail.com on 6 Oct 2012 at 7:56

Attachments:

GoogleCodeExporter commented 8 years ago
ahahahahahah...

i saw HFSExplorer debug console

this ::

Trying to detect CEncryptedEncoding structure...
CEncryptedEncoding structure not found. Proceeding...
Trying to detect UDIF structure...
UDIF structure not found. Proceeding...
pos=0
Volume cprotect major version : 4 => iOS 5
Volume Unique ID : aa56aa017bb856f4
Using plist file Z:\tmp\iOS_Hacking\test5\aa56aa017bb856f4.plist
EMF key : de90a9aba54e8a831e628dc87ded1204205504a9be6f73f4832b07427d706cdb
file id 7563 cprotect 
040000000c00000004000000280000000000000000000000000000000000000000000000e651e623
f8103c702d209cac8313fb0e9384381b1cabc57b6c5c34a31606402eff9b731bcb6a07b3
file key = 97f4cdbd12fa03cfaf69c77df5dcf081caeb3891f110fa2ce8b6190d10a1b416
IV key = b929b2e2a72083fa7ca1f834edca588f
file id 7107 cprotect 
040000000c0000000400000028000000000000000000000000000000000000000000000087982f24
fc33bb5f5e8a4ea924c35e7a9e5c3334ed0c6b4b99446af04350f2b8c3af204cba1d4a55
file key = 8382427dfb5a7ed1e623a245a0135b3f246d185752337f34f4190ef2a8ed9d0e
IV key = 6efc3c38fc6f4d3249f03f643ac2daef
file id 7089 cprotect 
040000000c00000004000000280000000000000000000000000000000000000000000000016a1593
84f0213d0c1aab1f2a533b4d60a03d905a2a03560e698ed139e4c7ca1e5b5a911f0272d0
file key = 30aedc144d5028eb1d1c0af5fa37ac29a0cb63b70694b7fec8456bca3813bcd8
IV key = ef1cb50ad92719da89c23f0e5f792abe
file id 62582 cprotect 
040000000c00000004000000280000000000000000000000000000000000000000000000801851d3
a023641b1e08e885f80948bc82e31dfc34622f130963e2f2e11dbea50e917465dabe20df
file key = 4baa1ccba762ed6068a65e1cf8ad5c8e7f6fbd212a1d9f957a30f6ef0c65b750
IV key = 3eed1aff862c9e24da9d6d92003fd94b
file id 7113 cprotect 
040000000c000000040000002800000000000000000000000000000000000000000000003d9818cb
6f1c48d07c3a3e2e997314d76ce6fe0597188e6c74797faf2a76d8457553db54dd7d5c8b
file key = 3b5ecce24cc2ba91bbd662fe73c9e3a65450ae3874830c6596bc10cf4f857ac2
IV key = 483c79faf8d5fc5a41d7ca81f311183f
MemoryStatisticsPanel thread aborted.
file id 7260 cprotect 
040000000c00000004000000280000000000000000000000000000000000000000000000cc9e8e99
8d1da4bfa8ffdc65fecb8ba53a4b5801e9b91771f74000c306e00407913e2e2c4cb5672a
file key = 259690872bb54ffe0bdace18fa1dfc135827cf591d7745cdb2b1fee4fe81cdfc
IV key = ddeb0e39b6f83e71e7a88cc28242824b

but, when i extract file sms.db , this file was locked password ......

um........ what i do it now ???

Original comment by h2sp...@gmail.com on 6 Oct 2012 at 8:03

GoogleCodeExporter commented 8 years ago
tested program is SQLiteSpy

Original comment by h2sp...@gmail.com on 6 Oct 2012 at 8:03

GoogleCodeExporter commented 8 years ago
ok, it seems the dataVolumeOffset field is wrong, lockdownd.log is decrypted 
incorrecty, it should contain ascii text. You can try running the attached 
python script (find_dataVolumeOffset.py) on the disk image, it will try all 
possible values for this parameter and display the correct one.
If the script finds the right value, you can replace it in the plist file and 
then emf_decrypter should work OK.

Also, if you can post the correct value, and dump just the first 4k of 
/dev/rdisk0 and post it here, it would help figure out why the value was wrong 
in the first place . Thanks

Original comment by jean.sig...@gmail.com on 6 Oct 2012 at 1:25

Attachments:

GoogleCodeExporter commented 8 years ago
i try to run the attached script on the disk image

but, occured error

r3d4l3rtui-MacBook-Pro:python_scripts h2spice$ python find_dataVolumeOffset.py 
../../../diskimage/rdisk0s1s2.dmg 
Using plist file ../../../diskimage/aa56aa017bb856f4.plist
Keybag unlocked with passcode key
cprotect version : 4 (iOS 5)
FAIL: could not read /keybags/systembag.kb from data partition
Traceback (most recent call last):
  File "find_dataVolumeOffset.py", line 45, in <module>
    main()
  File "find_dataVolumeOffset.py", line 18, in main
    systembag = volume.readFile("/keybags/systembag.kb", returnString=True)
  File "/Users/h2spice/tmp/iOS_Hacking/test5/tool/iphone-dataprotection/python_scripts/hfs/emf.py", line 156, in readFile
    filekey = self.getFileKeyForCprotect(cprotect)
  File "/Users/h2spice/tmp/iOS_Hacking/test5/tool/iphone-dataprotection/python_scripts/hfs/emf.py", line 138, in getFileKeyForCprotect
    return self.keybag.unwrapKeyForClass(cprotect.persistent_class, cprotect.persistent_key)
AttributeError: 'bool' object has no attribute 'unwrapKeyForClass'

Original comment by h2sp...@gmail.com on 7 Oct 2012 at 9:01

GoogleCodeExporter commented 8 years ago
ha yes sorry, you need to comment line 120 in hfs/emf.py
self.keybag = loadKeybagFromVolume(self, device_infos)
=>
#self.keybag = loadKeybagFromVolume(self, device_infos)

Original comment by jean.sig...@gmail.com on 7 Oct 2012 at 10:10

GoogleCodeExporter commented 8 years ago
@h2spice any luck ?

Original comment by jean.sig...@gmail.com on 21 Oct 2012 at 12:23

GoogleCodeExporter commented 8 years ago
Sorry for my late reply,

luckily, i solve this problem,
thank you, 

as soon as, report about this problem.

Original comment by h2sp...@gmail.com on 24 Oct 2012 at 4:45

GoogleCodeExporter commented 8 years ago
ok, what was the correct value for dataVolumeOffset then ?
Also, if you can dump just the first 4k of /dev/rdisk0 and post it here, it 
would help figure out why the value was wrong in the first place . Thanks

Original comment by jean.sig...@gmail.com on 24 Oct 2012 at 8:36

GoogleCodeExporter commented 8 years ago
@h2spice Can you describe how you solve this problem? I have the same problem 
and I can't solve it yet. Thanks!

Original comment by jcruz...@gmail.com on 12 Nov 2012 at 7:34

GoogleCodeExporter commented 8 years ago
@jcruzq78 you can try running the script attached in comment 9 (place it in the 
python_scripts folder, also make sure to comment line 120 in 
python_scripts/hfs/emf.py). If it works then you can edit the plist file you 
got when running the tools and replace the dataVolumeOffset value with the one 
given by the find_dataVolumeOffset script.

Original comment by jean.sig...@gmail.com on 13 Nov 2012 at 10:19

GoogleCodeExporter commented 8 years ago
ok, thanks

when i tried to execute python module(find_dataVolumeOffset.py), got 
dataVolumeOffset.

after replace the dataVolumeOffset, you can execute python 
module(emf_decrypter.py).

: )

Original comment by sh...@nshc.net on 20 Nov 2012 at 8:06

GoogleCodeExporter commented 8 years ago
@shahn@nshc.net
Could you post the before/after value for dataVolumeOffset ? Thanks.

Original comment by jean.sig...@gmail.com on 20 Nov 2012 at 9:10

GoogleCodeExporter commented 8 years ago
This issue was updated by revision a829f9fe7a77.

clear bitflip count in nand dump to give comparable images
update issue 93
Makefile cleanup, use clang

Original comment by jean.sig...@gmail.com on 16 Feb 2013 at 3:52