iOS 14.2 - IOS 14.5

[SupaYoshi]

I’ve been successfully dumping some keychain data in iOS 13 but in iOS 14 I’ve been unable to dump the data unfortunately with option -g it did not get me any data. From The same specific application. Any advice on how I can make keychain dumper work on IOS 14?

kind regards

[utkanos]

For folks getting no output using this tool, make sure you've updated the entitlements using the provided script on the device. If you are still getting just the hint about unlocking your device and finding no items, the problem is that your entitlements list is too long. I am still investigating why that's the case, but my current guess is that you are restricted in how many queries you can run against the SEP. I am seeing SEP operation failures if the entitlement list is too long.

So that said, the magic number seems to be 36. If you examine your entitlements.xml and you have MORE than 36 attributes corresponding to keychain entitlements, the program will bail without providing any output. While I continue to track down whether it's a hard limit of entitlements (doubtful) or the program trying too many requests (current hunch), the way to use this on iOS 14.x is to ensure your entitlements list is less than 36. Don't forget to use ldid to update the binary entitlement after you edit the file.

tl;dr if you use the -e flag to create entitlements, it's likely that your list is now too long and you need to remove items from it in order to get output. If time permits I'll dig more into this problem, but for my purposes the tool is functional. Entitlements will be a personal thing anyway, so hacking around this seems not that crucial to me.

[raulsiles]

I can confirm keychain_dumper is impacted by rate limiting capabilities on the Secure Enclave Processor (SEP) when accessing the KeyChain, as described above by @utkanos in comment "https://github.com/ptoomey3/Keychain-Dumper/issues/68#issuecomment-894400287".

In a jailbroken iOS 14.x device keychain_dumper works if you clean-up the "ent.xml" file for your target app (reducing the number of entries), and re-apply the entitlements to the binary: 1) Modify the "./updateEntitlements.sh" script not to remove the "/usr/bin/ent.xml" output file. 2) Copy and edit the "/usr/bin/ent.xml" for your target, reducing the number of entries (<36, see comment above). 3) Copy the new "ent.xml" file back and re-apply it to the binary:

# cp ent.xml /usr/bin
# cd /usr/bin
# ldid -Sent.xml keychain_dumper

[ptoomey3]

@raulsiles - The instructions you listed above..should they either land in the top-level readme and/or get added to some updated script in the repo?

[raulsiles]

I suggest generating a warning related to the number of entries in the "ent.xml" file inside the "updateEntitlements.sh", once the file is created in "/usr/bin" and before applying it to the binary via "ldid". Also, a warning could be added to the README for users to be aware of that limitation in case they do not get any results.

Unfortunately, manual modification of "ent.xml" is required by now... A future option could be generating a generic "ent.xml" file only including Apple related entitlements, and another "ent.xml" file specific for a target app.

[gamal999]

can you please make it simple with steps, becouse I face this issue and try a lot to resolve it but it really did not solve it, I have ios 14.X and still this issue exists.

[bensh]

can you please make it simple with steps, becouse I face this issue and try a lot to resolve it but it really did not solve it, I have ios 14.X and still this issue exists.

The below will remove all rubbish Apple strings and resign the binary with the new ent2.xml entitlements file.

keychain_dumper -e > ent.xml
grep -v -e '<string>com.apple.PassbookUIService</string>' -e '<string>com.apple.ProtectedCloudStorage</string>' -e '<string>com.apple.ProtectedCloudStorage.KTAccountKey</string>' -e '<string>com.apple.Spotlight</string>' -e '<string>com.apple.TextInput</string>' -e '<string>com.apple.applesse</string>' -e '<string>com.apple.apsd</string>' -e '<string>com.apple.assistant</string>' -e '<string>com.apple.bluetooth</string>' -e '<string>com.apple.certificates</string>' -e '<string>com.apple.cfnetwork</string>' -e '<string>com.apple.cloudd</string>' -e '<string>com.apple.continuity.unlock</string>' -e '<string>com.apple.hap.pairing</string>' -e '<string>com.apple.healthrecordsd</string>' -e '<string>com.apple.icloud.searchpartyd</string>' -e '<string>com.apple.identityservicesd</string>' -e '<string>com.apple.ind</string>' -e '<string>com.apple.internal.seserviced.keysync.recoveryblobs</string>' -e '<string>com.apple.ndoagent</string>' -e '<string>com.apple.networkserviceproxy</string>' -e '<string>com.apple.passd</string>' -e '<string>com.apple.rapport</string>' -e '<string>com.apple.sbd</string>' -e '<string>com.apple.security.ckks</string>' -e '<string>com.apple.security.egoIdentities</string>' -e '<string>com.apple.security.octagon</string>' -e '<string>com.apple.security.sos</string>' -e '<string>com.apple.security.sos-usercredential</string>' -e '<string>com.apple.sharing.appleidauthentication</string>' -e '<string>com.apple.telephonyutilities.callservicesd</string>' -e '<string>com.apple.transparencyd</string>' -e '<string>group.com.apple.notes</string>' -e '<string>ichat</string>' -e '<string>lockdown-identities</string>' -e '<string>online-auth-agent</string>' -e '<string>searchpartyd-baa-fmna-group</string>' -e '<string>wifianalyticsd</string>' -e '<string>apple</string>' -e '<string>apple account</string>' "ent.xml" > "ent2.xml"
ldid -Sent2.xml /usr/bin/keychain_dumper