Open GoogleCodeExporter opened 8 years ago
Can you try to add this line to the file python_scripts/util/bruteforce.py at
line 25:
print "systembag is None :", (systembag ==None)
and then run the command again and post this new line from the output.
Also, can you post the commands you used to get the Encription.plist and
rdisk0r1r2.dmg?
I assume you used the latest revision of the tools from the repository?
Thanks
Original comment by jean.sig...@gmail.com
on 2 Oct 2012 at 7:28
ok,
first, try to add this line to the file python_scripts/util/bruteforce.py at
line 25:
print "systembag is None :", (systembag ==None)

def loadKeybagFromVolume(volume, device_infos):
    systembag = volume.readFile("/keybags/systembag.kb", returnString=True)
    print "systembag is None :", (systembag ==None)  # <------------------- line 25
    if not systembag or not systembag.startswith("bplist"):
        print "FAIL: could not read /keybags/systembag.kb from data partition"
        return False
and then run the command again:
r3d4l3rtui-MacBook-Pro:python_scripts h2spice$ python ./emf_decrypter.py ./rdisk0s1s2.dmg
Using plist file Encription.plist
Keybag unlocked with passcode key
cprotect version : 4 (iOS 5)
systembag is None : False <----------------------- print "systembag is None :", (systembag ==None)
FAIL: could not read /keybags/systembag.kb from data partition
Traceback (most recent call last):
  File "./emf_decrypter.py", line 34, in <module>
    main()
  File "./emf_decrypter.py", line 19, in main
    if not v.keybag.unlocked:
AttributeError: 'bool' object has no attribute 'unlocked'
r3d4l3rtui-MacBook-Pro:python_scripts h2spice$
Command I used to get the rdisk0r1r2.dmg:
./redsn0w -r /Users/h2spice/Desktop/RawTheft.dmg
Command I used to get the Encription.plist:
./redsn0w -i /Users/h2spice/tmp/iOS_Hacking/test5/iPhone2,1_5.1.1_9B206_Restore.ipsw -k /Users/h2spice/tmp/iOS_Hacking/test5/kernelcache.release.n88.patched -r /Users/h2spice/Desktop/KeyTheft.dmg
And I downloaded iphone-dataprotection using the command (hg clone
https://code.google.com/p/iphone-dataprotection/ ).
Original comment by h2sp...@gmail.com
on 3 Oct 2012 at 7:42
ok, what is the value of the dataVolumeOffset field in the plist file?
Original comment by jean.sig...@gmail.com
on 4 Oct 2012 at 9:49
dataVolumeOffset is 307200 : )
Original comment by h2sp...@gmail.com
on 4 Oct 2012 at 10:52
OK, can you try to open the disk image with the modified HFSExplorer
(http://code.google.com/p/iphone-dataprotection/downloads/detail?name=hfsexplorer_iphoneEMF_d4ea02bd3fc3.zip&can=2&q=)
and open a random file in the image, for instance /logs/lockdownd.log; the file
should contain text.
Original comment by jean.sig...@gmail.com
on 5 Oct 2012 at 8:44
Yes,
after downloading HFSExplorer, I opened the image rdisk0s1s2.dmg.
As you said, I opened the file /logs/lockdownd.log; this file contains text.
PS. attached file: lockdownd.log
Original comment by h2sp...@gmail.com
on 6 Oct 2012 at 7:56
ahahahahahah...
I saw this in the HFSExplorer debug console:
Trying to detect CEncryptedEncoding structure...
CEncryptedEncoding structure not found. Proceeding...
Trying to detect UDIF structure...
UDIF structure not found. Proceeding...
pos=0
Volume cprotect major version : 4 => iOS 5
Volume Unique ID : aa56aa017bb856f4
Using plist file Z:\tmp\iOS_Hacking\test5\aa56aa017bb856f4.plist
EMF key : de90a9aba54e8a831e628dc87ded1204205504a9be6f73f4832b07427d706cdb
But when I extracted the file sms.db, this file was password locked......
Um........ what do I do now???
Original comment by h2sp...@gmail.com
on 6 Oct 2012 at 8:03
The program I tested with is SQLiteSpy.
Original comment by h2sp...@gmail.com
on 6 Oct 2012 at 8:03
ok, it seems the dataVolumeOffset field is wrong, lockdownd.log is decrypted
incorrectly, it should contain ascii text. You can try running the attached
python script (find_dataVolumeOffset.py) on the disk image, it will try all
possible values for this parameter and display the correct one.
If the script finds the right value, you can replace it in the plist file and
then emf_decrypter should work OK.
Also, if you can post the correct value, and dump just the first 4k of
/dev/rdisk0 and post it here, it would help figure out why the value was wrong
in the first place. Thanks
Original comment by jean.sig...@gmail.com
on 6 Oct 2012 at 1:25
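As an added illustration (not code from iphone-dataprotection or from the attached find_dataVolumeOffset.py) of why a wrong dataVolumeOffset turns lockdownd.log into noise and how an exhaustive search can recognise the right value: this toy model binds each block's keystream to its LBA, which is dataVolumeOffset plus the block number, encrypts a constructed log line, and then rejects every candidate offset under which the decryption is not mostly printable text. The key derivation, block size, block number and offsets below are constructed assumptions; the real iOS scheme is AES with an LBA-derived IV, not this keystream.

```python
import hashlib
import string

BLOCK = 16  # constructed toy block size, not the real HFS/EMF block size
PRINTABLE = frozenset(string.printable.encode())


def keystream(key: bytes, lba: int) -> bytes:
    """Per-block keystream bound to the block's LBA (toy stand-in for the
    LBA-derived IV of the real scheme; constructed, not iOS's derivation)."""
    return hashlib.sha256(key + lba.to_bytes(8, "little")).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crypt_file(key: bytes, data: bytes, data_volume_offset: int, first_block: int) -> bytes:
    """Encrypt or decrypt (XOR is symmetric). The LBA of block i is
    data_volume_offset + first_block + i, so a wrong dataVolumeOffset
    shifts every LBA and every block comes out as noise."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK].ljust(BLOCK, b"\x00")
        out += xor_bytes(chunk, keystream(key, data_volume_offset + first_block + i // BLOCK))
    return bytes(out)


def looks_like_text(blob: bytes, threshold: float = 0.95) -> bool:
    """Plausibility check standing in for 'lockdownd.log should contain text'."""
    body = blob.rstrip(b"\x00")  # ignore zero padding of the final block
    return bool(body) and sum(b in PRINTABLE for b in body) >= threshold * len(body)


def find_data_volume_offset(key: bytes, cipher: bytes, first_block: int, candidates) -> list:
    """Exhaustive search: keep every candidate offset under which the decrypted
    file passes the text check. More than one hit means the reference file is
    too short to be decisive; use a longer one."""
    return [off for off in candidates if looks_like_text(crypt_file(key, cipher, off, first_block))]


# Constructed sample: a log-like file at volume block 1234, encrypted with the
# correct offset 204800 (nothing here comes from a real device).
KEY = hashlib.sha256(b"constructed file key").digest()
SAMPLE_LOG = b"Oct  6 07:56:01 lockdownd[43]: constructed sample log line\n"
FIRST_BLOCK = 1234
TRUE_OFFSET = 204800
SAMPLE_CIPHER = crypt_file(KEY, SAMPLE_LOG, TRUE_OFFSET, FIRST_BLOCK)

if __name__ == "__main__":
    print("candidate dataVolumeOffset values:",
          find_data_volume_offset(KEY, SAMPLE_CIPHER, FIRST_BLOCK, range(0, 1 << 20, 512)))
```

The search over 512-byte-aligned offsets returns only the constructed true value; the user's 307200 decrypts to noise and is rejected, which is the same symptom seen with the garbled lockdownd.log above.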
I tried to run the attached script on the disk image,
but an error occurred:
r3d4l3rtui-MacBook-Pro:python_scripts h2spice$ python find_dataVolumeOffset.py ../../../diskimage/rdisk0s1s2.dmg
Using plist file ../../../diskimage/aa56aa017bb856f4.plist
Keybag unlocked with passcode key
cprotect version : 4 (iOS 5)
FAIL: could not read /keybags/systembag.kb from data partition
Traceback (most recent call last):
  File "find_dataVolumeOffset.py", line 45, in <module>
    main()
  File "find_dataVolumeOffset.py", line 18, in main
    systembag = volume.readFile("/keybags/systembag.kb", returnString=True)
  File "/Users/h2spice/tmp/iOS_Hacking/test5/tool/iphone-dataprotection/python_scripts/hfs/emf.py", line 156, in readFile
    filekey = self.getFileKeyForCprotect(cprotect)
  File "/Users/h2spice/tmp/iOS_Hacking/test5/tool/iphone-dataprotection/python_scripts/hfs/emf.py", line 138, in getFileKeyForCprotect
    return self.keybag.unwrapKeyForClass(cprotect.persistent_class, cprotect.persistent_key)
AttributeError: 'bool' object has no attribute 'unwrapKeyForClass'
Original comment by h2sp...@gmail.com
on 7 Oct 2012 at 9:01
Ha, yes, sorry: you need to comment out line 120 in hfs/emf.py
self.keybag = loadKeybagFromVolume(self, device_infos)
=>
#self.keybag = loadKeybagFromVolume(self, device_infos)
Original comment by jean.sig...@gmail.com
on 7 Oct 2012 at 10:10
@h2spice any luck?
Original comment by jean.sig...@gmail.com
on 21 Oct 2012 at 12:23
Sorry for my late reply.
Luckily, I solved this problem,
thank you.
I will report about this problem as soon as I can.
Original comment by h2sp...@gmail.com
on 24 Oct 2012 at 4:45
ok, what was the correct value for dataVolumeOffset then?
Also, if you can dump just the first 4k of /dev/rdisk0 and post it here, it
would help figure out why the value was wrong in the first place. Thanks
Original comment by jean.sig...@gmail.com
on 24 Oct 2012 at 8:36
@h2spice Can you describe how you solved this problem? I have the same problem
and I can't solve it yet. Thanks!
Original comment by jcruz...@gmail.com
on 12 Nov 2012 at 7:34
@jcruzq78 you can try running the script attached in comment 9 (place it in the
python_scripts folder, also make sure to comment line 120 in
python_scripts/hfs/emf.py). If it works then you can edit the plist file you
got when running the tools and replace the dataVolumeOffset value with the one
given by the find_dataVolumeOffset script.
Original comment by jean.sig...@gmail.com
on 13 Nov 2012 at 10:19
ok, thanks.
When I executed the Python module (find_dataVolumeOffset.py), I got the
dataVolumeOffset.
After replacing the dataVolumeOffset, you can execute the Python
module (emf_decrypter.py).
: )
Original comment by sh...@nshc.net
on 20 Nov 2012 at 8:06
@shahn@nshc.net
Could you post the before/after value for dataVolumeOffset? Thanks.
Original comment by jean.sig...@gmail.com
on 20 Nov 2012 at 9:10
This issue was updated by revision a829f9fe7a77.
clear bitflip count in nand dump to give comparable images
update issue 93
Makefile cleanup, use clang
Original comment by jean.sig...@gmail.com
on 16 Feb 2013 at 3:52
Original issue reported on code.google.com by
jean.sig...@gmail.com
on 2 Oct 2012 at 7:23