mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

No column ZLIVEUSAGE.ZWIFIIN in datausage #531

Open besendorf opened 2 months ago

besendorf commented 2 months ago
ERROR    - Error in running extraction from module Datausage: no such column: ZLIVEUSAGE.ZWIFIIN
║ Traceback (most recent call last):
║   File "/usr/local/lib/python3.11/site-packages/mvt/common/module.py", line 167, in run_module
║     exec_or_profile("module.run()", globals(), locals())
║   File "/usr/local/lib/python3.11/site-packages/mvt/common/utils.py", line 262, in exec_or_profile
║     exec(module, globals, locals)
║   File "<string>", line 1, in <module>
║   File "/usr/local/lib/python3.11/site-packages/mvt/ios/modules/mixed/net_datausage.py", line 50, in run
║     self._extract_net_data()
║   File "/usr/local/lib/python3.11/site-packages/mvt/ios/modules/net_base.py", line 42, in _extract_net_data
║     cur.execute(
║ sqlite3.OperationalError: no such column: ZLIVEUSAGE.ZWIFIIN
Te-k commented 1 month ago

Thanks for reporting it @besendorf ! Could you please share with us the iOS version and the ZLIVEUSAGE table format? (you can get it with sqlite .schema command) (here or in private).

Thanks!

soreore commented 1 month ago

> Thanks for reporting it @besendorf ! Could you please share with us the iOS version and the ZLIVEUSAGE table format? (you can get it with sqlite .schema command) (here or in private).
>
> Thanks!

is it a virus?

nupulu commented 1 month ago

This is iOS 18.0.

CREATE TABLE ZCHECKUPEVENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP TIMESTAMP, ZSYNDROMEID VARCHAR );
CREATE TABLE ZDEMOLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINCARNATION INTEGER, ZWIFIIN INTEGER, ZWIFIOUT INTEGER, ZWWANIN INTEGER, ZWWANOUT INTEGER, ZTIMESTAMP TIMESTAMP );
CREATE TABLE ZEVENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZHAPPENEDONNET INTEGER, ZHASPEER INTEGER, ZHASSCENE INTEGER, ZRFU1 FLOAT, ZRFU2 FLOAT, ZRFU3 FLOAT, ZRFU4 FLOAT, ZRFU5 FLOAT, ZTIMESTAMP TIMESTAMP, ZFAILUREIMPACT VARCHAR, ZFAILURESTRING VARCHAR, ZSYNDROMEID VARCHAR );
CREATE TABLE ZEVENTSCENE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLINKQUALITY INTEGER, ZRSSI INTEGER, ZWITHEVENT INTEGER, ZCOURSE FLOAT, ZLATITUDE FLOAT, ZLOCACCURACY FLOAT, ZLONGITUDE FLOAT, ZRFU1 FLOAT, ZRFU3 FLOAT, ZSPEED FLOAT );
CREATE TABLE ZPEER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESS INTEGER, ZDSTPORT INTEGER, ZWITHEVENT INTEGER, ZRFU1 FLOAT, ZRFU2 FLOAT, ZRFU3 FLOAT, ZRFU4 FLOAT, ZRFU5 FLOAT, ZTIMESTAMP TIMESTAMP, ZFQDN VARCHAR );
CREATE TABLE ZTSHOOTINGDATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZWITHCHECKUPEVENT INTEGER, ZWITHEVENT INTEGER, ZTIMESTAMP TIMESTAMP, ZPROVIDERS BLOB );
CREATE TABLE ZWIFIDATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZISADHOC INTEGER, ZISCAPTIVE INTEGER, ZISLINKLOCALADDR INTEGER, ZLINKQUALITY INTEGER, ZSTATE INTEGER, ZSTATSTCPCNTACTUAL INTEGER, ZSTATSTCPCNTBASE INTEGER, ZTIMEAT INTEGER, ZDHCPLEASETIME FLOAT, ZLATITUDE FLOAT, ZLOCACCURACY FLOAT, ZLONGITUDE FLOAT, ZRFU1 FLOAT, ZRFU2 FLOAT, ZRFU3 FLOAT, ZRSSI FLOAT, ZSTATSINBYTESACTUAL FLOAT, ZSTATSINBYTESBASE FLOAT, ZSTATSOUTBYTESACTUAL FLOAT, ZSTATSOUTBYTESBASE FLOAT, ZTIMESTAMP TIMESTAMP, ZBSSID VARCHAR, ZSSID VARCHAR );
CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER);
CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB);
CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB);
CREATE TABLE ZPROCESS ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFIRSTTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBUNDLENAME VARCHAR, ZEXTENSIONNAME VARCHAR, ZPROCNAME VARCHAR );
CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, ZBILLCYCLEEND TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZWWANIN FLOAT, ZWWANOUT FLOAT, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR );
CREATE INDEX ZEVENT_ZHAPPENEDONNET_INDEX ON ZEVENT (ZHAPPENEDONNET);
CREATE INDEX ZEVENT_ZHASPEER_INDEX ON ZEVENT (ZHASPEER);
CREATE INDEX ZEVENT_ZHASSCENE_INDEX ON ZEVENT (ZHASSCENE);
CREATE INDEX ZEVENTSCENE_ZWITHEVENT_INDEX ON ZEVENTSCENE (ZWITHEVENT);
CREATE INDEX ZPEER_ZWITHEVENT_INDEX ON ZPEER (ZWITHEVENT);
CREATE INDEX ZTSHOOTINGDATA_ZWITHCHECKUPEVENT_INDEX ON ZTSHOOTINGDATA (ZWITHCHECKUPEVENT);
CREATE INDEX ZTSHOOTINGDATA_ZWITHEVENT_INDEX ON ZTSHOOTINGDATA (ZWITHEVENT);
CREATE INDEX ZLIVEUSAGE_ZHASPROCESS_INDEX ON ZLIVEUSAGE (ZHASPROCESS);
besendorf commented 1 month ago

> Thanks for reporting it @besendorf ! Could you please share with us the iOS version and the ZLIVEUSAGE table format? (you can get it with sqlite .schema command) (here or in private).
>
> Thanks!

Here is the schema for the table:

CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, ZHASPROCESS INTEGER, ZBILLCYCLEEND TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZWWANIN FLOAT, ZWWANOUT FLOAT, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR );
CREATE INDEX ZLIVEUSAGE_ZHASPROCESS_INDEX ON ZLIVEUSAGE (ZHASPROCESS);
voltagex commented 1 month ago

Also hit this, happy to help if I can - although I've currently installed the version via pipx.

swiss-JF commented 1 week ago

I got a similar message with a product with iOS Product Version: 18.0.1. I did not have the PIN passcode input while doing the acquisition, which makes me lean toward an issue with the acquisition (cf. my comment on issue #537) as the reason for the error, but I am not sure about that.
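
An added example, not part of the thread and not MVT's code: a schema-tolerant read of ZLIVEUSAGE that checks which columns exist with `PRAGMA table_info` and selects NULL for the ones missing from the iOS 18.0 schema posted above, so a parser can report the gap instead of aborting. The function names, the wanted-column list and the sample row are assumptions constructed for illustration.

```python
import sqlite3

# Columns a data-usage parser would like to read. ZWIFIIN and ZWIFIOUT are
# absent from the iOS 18.0 ZLIVEUSAGE schema posted in this thread.
WANTED = ["ZTIMESTAMP", "ZWIFIIN", "ZWIFIOUT", "ZWWANIN", "ZWWANOUT",
          "ZBUNDLENAME", "ZPROCNAME"]

# ZLIVEUSAGE definition copied from the thread (iOS 18.0).
IOS18_ZLIVEUSAGE = (
    "CREATE TABLE ZLIVEUSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, "
    "Z_OPT INTEGER, ZKIND INTEGER, ZMETADATA INTEGER, ZTAG INTEGER, "
    "ZHASPROCESS INTEGER, ZBILLCYCLEEND TIMESTAMP, ZTIMESTAMP TIMESTAMP, "
    "ZWWANIN FLOAT, ZWWANOUT FLOAT, ZBUNDLENAME VARCHAR, ZPROCNAME VARCHAR )"
)


def table_columns(conn, table):
    """Column names SQLite reports for a table (empty set if it is absent)."""
    # PRAGMA arguments cannot be bound: pass only constant, trusted names.
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def read_live_usage(conn):
    """Return (rows as dicts, missing column names) for ZLIVEUSAGE."""
    present = table_columns(conn, "ZLIVEUSAGE")
    if not present:
        raise ValueError("ZLIVEUSAGE table not found")
    missing = [c for c in WANTED if c not in present]
    # Select NULL for absent columns so every record keeps the same shape.
    select = ", ".join(
        f"ZLIVEUSAGE.{c} AS {c}" if c in present else f"NULL AS {c}"
        for c in WANTED
    )
    cur = conn.execute(f"SELECT {select} FROM ZLIVEUSAGE ORDER BY Z_PK")
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur], missing


def demo_database():
    """Constructed in-memory database with one made-up usage row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(IOS18_ZLIVEUSAGE)
    conn.execute(
        "INSERT INTO ZLIVEUSAGE (ZTIMESTAMP, ZWWANIN, ZWWANOUT, ZBUNDLENAME,"
        " ZPROCNAME) VALUES (750000000.0, 1024.0, 2048.0,"
        " 'com.example.app', 'exampled')"
    )
    return conn
```

Calling `read_live_usage(demo_database())` returns the row with `ZWIFIIN` and `ZWIFIOUT` set to `None` and lists both names as missing, which an analyst can log alongside the extraction results.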