nabla-c0d3 / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

iOS7 bruteforce support? #113

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

I have an iPhone 4 with iOS7 beta 3 installed.

I did the jailbreak using redsnow and booted up with the patched iOS5 firmware so I can do the bruteforce.

I am able to access the device, copy everything over to my laptop.

However the bruteforce does not work.

I get stuck on the 

passcodeKeyboardComplexity : {'rangeMinimum': 0, 'value': 0, 'rangeMaximum': 2}
Trying all 4-digits passcodes...

and nothing happens.

On the iPhone log I can see
booted from secure root: give device keybag access to everyone
IOConnectCallMethod on AppleKeyStore selector 6 returned e00002c9
IOConnectCallMethod on AppleKeyStore selector 5 returned e00002bc

Original issue reported on code.google.com by pfister....@gmail.com on 10 Jul 2013 at 5:34

GoogleCodeExporter commented 9 years ago
Here is the complete log for iOS on my laptop

Connecting to device : edaa4fbd219282feed0d0a2e52514af65fbdd565
Keybag: SIGN check FAIL
Keybag UUID : f119e74945084635b5ab78d6fce2311e
Enter passcode or leave blank for bruteforce:

passcodeKeyboardComplexity : {'rangeMinimum': 0, 'value': 0, 'rangeMaximum': 2}
Trying all 4-digits passcodes...

Original comment by pfister....@gmail.com on 10 Jul 2013 at 5:35

GoogleCodeExporter commented 9 years ago
this patch should help, you'll need to rebuild the ramdisk.

Original comment by jean.sig...@gmail.com on 15 Jul 2013 at 8:29

Attachments:

GoogleCodeExporter commented 9 years ago
The patch works :) Thanks so much,

I am able to bruteforce and recover the pin.

However the keychain-2.db seems empty now.

So when I try to decrypt it I get the following error

python python_scripts/keychain_tool.py -d edaa4fbd219282feed0d0a2e52514af65fbdd565/keychain-2.db edaa4fbd219282feed0d0a2e52514af65fbdd565/99454e865a15cba0.plist
Keybag: SIGN check FAIL
Keybag unlocked with passcode key
Traceback (most recent call last):
  File "python_scripts/keychain_tool.py", line 72, in <module>
    main()
  File "python_scripts/keychain_tool.py", line 49, in main
    k = keychain_load(args[0], kb, p["key835"].decode("hex"))
  File "/Users/loic/Documents/hack/iphone/ios6/iphone-dataprotection/python_scripts/keychain/__init__.py", line 6, in keychain_load
    version = sqlite3.connect(filename).execute("SELECT version FROM tversion").fetchone()[0]
sqlite3.OperationalError: no such table: tversion

Original comment by pfister....@gmail.com on 16 Jul 2013 at 3:30

GoogleCodeExporter commented 9 years ago
Should I create a new issue for that problem, as it is different?

Original comment by pfister....@gmail.com on 24 Jul 2013 at 11:37

GoogleCodeExporter commented 9 years ago
The error you have is caused by the SQLite WAL format, where the database is stored in 3 files instead of one. After that there is another error: the keychain format changed, the encrypted data is now encoded in ASN1 instead of binary plist.
I created issue 115 to keep track of this. I currently cannot work on it but it will eventually be fixed.

Original comment by jean.sig...@gmail.com on 24 Jul 2013 at 8:38
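
The WAL failure described in the comment above, reproduced as an added example that is not part of the original thread or the project's code. `wal_status`, `demo` and the sample database are constructed for illustration: the check reads the SQLite header and the `-wal` sidecar directly, so it can be run on an acquired copy before any tool opens it.

```python
import os, shutil, sqlite3, struct, tempfile

WAL_MAGIC = (0x377F0682, 0x377F0683)  # SQLite -wal header magic (two checksum byte orders)

def wal_status(db_path):
    """Inspect an acquired SQLite file from its raw bytes, without opening it via SQLite."""
    with open(db_path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    info = {"wal_mode": hdr[18] == 2 and hdr[19] == 2,  # write/read version 2 = WAL
            "shm_present": os.path.exists(db_path + "-shm"),
            "wal_present": False, "wal_frames": 0}
    wal = db_path + "-wal"
    if os.path.exists(wal) and os.path.getsize(wal) >= 32:
        with open(wal, "rb") as f:
            magic, _version, page_size = struct.unpack(">III", f.read(12))
        if magic in WAL_MAGIC:
            info["wal_present"] = True  # each frame = 24-byte header + one page
            info["wal_frames"] = (os.path.getsize(wal) - 32) // (24 + page_size)
    # A cleanly closed database also has no -wal, so treat this as a warning.
    info["wal_missing"] = info["wal_mode"] and not info["wal_present"]
    return info

def demo():
    """Constructed stand-in for keychain-2.db: returns (full copy, partial copy, error)."""
    root = tempfile.mkdtemp()
    src, full, part = (os.path.join(root, n) for n in ("keychain-2.db", "full.db", "part.db"))
    con = sqlite3.connect(src, isolation_level=None)
    con.execute("CREATE TABLE genp (data BLOB)")            # written to the main file
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE tversion (version INTEGER)")  # so far only in -wal
    con.execute("INSERT INTO tversion VALUES (5)")
    for suffix in ("", "-wal", "-shm"):                     # writer still open: no checkpoint
        shutil.copy(src + suffix, full + suffix)
    shutil.copy(src, part)                                  # the main file alone
    full_info, part_info = wal_status(full), wal_status(part)
    probe = sqlite3.connect(part)
    try:
        probe.execute("SELECT version FROM tversion").fetchone()
        err = None
    except sqlite3.OperationalError as e:
        err = str(e)
    probe.close(); con.close()
    shutil.rmtree(root)
    return full_info, part_info, err

if __name__ == "__main__":
    print(demo())
```
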

GoogleCodeExporter commented 9 years ago
i want to ios7 custom ramdisk tools please share me or how to bruteforce ios7 
passcode key i will do ios 5 and 6 ios 6 these error "IOConnectCallMethod on 
AppleKeyStore selector 6 returned e00002c9
IOConnectCallMethod on AppleKeyStore selector 5 returned e00002bc"

please let me share thanks you so much 

Original comment by fridayth...@gmail.com on 3 Jan 2014 at 7:41

GoogleCodeExporter commented 9 years ago
@fridaythirteen77 just pushed the fix for this error, update to the latest 
revision and rebuild the ramdisk.

Original comment by jean.sig...@gmail.com on 4 Jan 2014 at 3:34

GoogleCodeExporter commented 9 years ago
Thanks, how to rebuild the ramdisk for iOS 7? Please teach me the details, thank you so much sir .... :) I can make this command " python python_scripts/kernel_patcher.py iPhone3,1_7.0.4_11B554a_Restore.ipsw "

I have this error, how can I do bro?

"Traceback (most recent call last):
  File "python_scripts/kernel_patcher.py", line 8, in <module>
    from Crypto.Cipher import AES
  File "build/bdist.macosx-10.9-intel/egg/Crypto/Cipher/AES.py", line 50, in <module>
  File "build/bdist.macosx-10.9-intel/egg/Crypto/Cipher/_AES.py", line 7, in <module>
  File "build/bdist.macosx-10.9-intel/egg/Crypto/Cipher/_AES.py", line 3, in __bootstrap__
ImportError: No module named pkg_resources"

Original comment by fridayth...@gmail.com on 5 Jan 2014 at 2:07

GoogleCodeExporter commented 9 years ago
@fridaythirteen77 use the ios 5 ipsw, even if the device runs ios 7.0.4.
http://appldnld.apple.com/iPhone4/041-8358.20111012.FFc34/iPhone3,1_5.0_9A334_Restore.ipsw
also for the python error you need pycrypto
sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
(see https://code.google.com/p/iphone-dataprotection/wiki/README)

Original comment by jean.sig...@gmail.com on 5 Jan 2014 at 7:08

GoogleCodeExporter commented 9 years ago
@fridaythirteen77 never mind about pycrypto, how did you install it?

Original comment by jean.sig...@gmail.com on 5 Jan 2014 at 7:10

GoogleCodeExporter commented 9 years ago
Bro, can you upload a modified ramdisk that works with iOS 7? Thank you

Original comment by iphone5a...@gmail.com on 19 Feb 2014 at 6:28

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
Please help us to understand how things are going on, make a tutorial for us please ...

Original comment by camillew...@gmail.com on 12 Jul 2014 at 10:26