
Extracting AES keys from iPhone

April 22
The iPhone application processor comes with two built-in encryption keys, UID and GID. The OS running on the device cannot read these hardcoded keys, but it can use them to derive the other encryption keys used for data protection, media encryption and keychain encryption. The hardcoded keys can only be used from the bootloader and from kernel mode.

UID – A hardware encryption key, unique per device. It is used to generate key 0x835 and key 0x89B. The key is only accessible from kernel mode and is not available to user-land processes. However, the restriction can be bypassed by patching the IOAESAccelerator kernel service.

GID – A hardware encryption key, shared by every device of the same iPhone model. It is used to generate key 0x837.

Key 0x835 – Computed at boot time by the kernel. The key is generated by encrypting the hex value 01010101010101010101010101010101 with the UID key. It is used as the device key and protects the class keys. The key is also used to encrypt the backup keychain database.

Key 0x837 – Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the GID key. The key is used to decrypt iOS files during a firmware update.

Key 0x89B – Computed at boot time by the kernel. The key is generated by encrypting the hex value 183E99676BB03C546FA468F51C0CBD49 with the UID key.
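The key hierarchy described above, as an added Go example (not code from the article or from the iphone-dataprotection toolkit): each derived key is a single AES-128 block encryption of the article's constant under the hardware key, so 0x835 and 0x89B are bound to one device and 0x837 to one model. The UID and GID values are constructed placeholders, since the real ones are never readable by software.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Plaintext constants from the article. Each derived key is one AES-128
// block encryption of one of these values under a hardware key.
const (
	Plain0x835 = "01010101010101010101010101010101" // UID -> key 0x835 (device key)
	Plain0x89B = "183E99676BB03C546FA468F51C0CBD49" // UID -> key 0x89B
	Plain0x837 = "345A2D6C5050D058780DA431F0710E15" // GID -> key 0x837 (firmware files)
)

// DerivedKeys holds the three keys the kernel computes at boot.
type DerivedKeys struct {
	Key0x835 []byte
	Key0x89B []byte
	Key0x837 []byte
}

// EncryptBlock is one AES-128 ECB block operation, the primitive that the
// IOAESAccelerator service applies with the selected hardware key.
func EncryptBlock(key, plaintext []byte) ([]byte, error) {
	if len(plaintext) != aes.BlockSize {
		return nil, fmt.Errorf("plaintext must be %d bytes, got %d", aes.BlockSize, len(plaintext))
	}
	c, err := aes.NewCipher(key) // fails for any key that is not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, plaintext)
	return out, nil
}

// DeriveKeys reproduces the hierarchy: UID yields 0x835 and 0x89B, GID yields 0x837.
func DeriveKeys(uid, gid []byte) (DerivedKeys, error) {
	var k DerivedKeys
	var err error
	if k.Key0x835, err = EncryptBlock(uid, mustHex(Plain0x835)); err != nil {
		return k, err
	}
	if k.Key0x89B, err = EncryptBlock(uid, mustHex(Plain0x89B)); err != nil {
		return k, err
	}
	if k.Key0x837, err = EncryptBlock(gid, mustHex(Plain0x837)); err != nil {
		return k, err
	}
	return k, nil
}

// RecoverConstant decrypts a derived key under a hardware key. Only the key that
// produced it maps it back to the constant: the derived keys exist only on the
// device and cannot be computed from a backup or from the firmware image.
func RecoverConstant(hwKey, derived []byte) ([]byte, error) {
	c, err := aes.NewCipher(hwKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, derived)
	return out, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// CONSTRUCTED placeholder hardware keys. Real UID/GID values are burned into
	// the application processor and are not readable by any software.
	uid := mustHex("000102030405060708090a0b0c0d0e0f")
	gid := mustHex("f0e1d2c3b4a5968778695a4b3c2d1e0f")

	k, err := DeriveKeys(uid, gid)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key 0x835: %x\n", k.Key0x835)
	fmt.Printf("key 0x89B: %x\n", k.Key0x89B)
	fmt.Printf("key 0x837: %x\n", k.Key0x837)

	// Round trip: the UID that produced 0x835 maps it back to the constant.
	got, _ := RecoverConstant(uid, k.Key0x835)
	fmt.Println("0x835 round-trips under UID:", bytes.Equal(got, mustHex(Plain0x835)))
}
```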

Jean Sigwald from Sogeti has released an open source forensic toolkit including scripts to extract keys, decrypt keybags, bruteforce the iPhone passcode, etc.

I’ve compiled the code and prepared executables which can be run directly on the iPhone. The executable files work for all iOS 5 devices including the iPhone 4s and iPad 2.

Extract Keys on iPhone:
1. Jailbreak your iPhone.
2. Install OpenSSH from Cydia. This allows you to SSH into the device.
3. On the Windows workstation, download the AESTools, WinSCP & PuTTY tools.
4. Connect the iPhone and the workstation to the same Wi-Fi network.
5. Run WinSCP and connect to the iPhone by typing the iPhone IP address, root as username and alpine as password.
6. Copy the device_infos, bruteforce and kernel_patcher executables to the iPhone root directory.
7. Run PuTTY and connect to the iPhone by typing the iPhone IP, root as username and alpine as password.
8. On the PuTTY terminal, type the commands below to change the permissions of the executable files loaded onto the device.

chmod 777 kernel_patcher
chmod 777 device_infos
chmod 777 bruteforce

9. Hardware keys can only be accessed from the kernel. In order to use them from user land, the IOAESAccelerator kernel service has to be patched first. The kernel_patcher executable modifies the kernel and patches IOAESAccelerator.

./kernel_patcher

10. Running device_infos extracts the keys and stores them in a plist file.

./device_infos

11. The data protection class keys stored in the system keybag can be extracted by running the bruteforce executable. Class keys are protected with the passcode key and key 0x835. The executable bruteforces the passcode and obtains the passcode key, then extracts the class keys from the keybag and stores the result in a plist file.

./bruteforce

References:
http://code.google.com/p/iphone-dataprotection/

Note: The scripts work only on iOS 5.x devices.

Alternative links:

http://www.4shared.com/file/zJKBZ1Pi/bruteforce.html
http://www.4shared.com/file/gTl0I_FK/device_infos.html
http://www.4shared.com/file/2ADXfWmT/kernel_patcher.html


Posted on April 22, 2012 in iPhone


91 responses to “Extracting AES keys from iPhone”

  1. Anonymous

    April 29, 2012 at 9:37 pm

    This is brilliant. My sister had changed the passcode on her iPod Touch 4G (running iOS 5) and couldn’t remember it. I followed this tutorial and was able to recover it in about four minutes.

     
  2. nevrax

    May 13, 2012 at 5:25 am

    nevrax-iPhone:~ root# ./kernel_patcher
    Kernel patching failed

    nevrax-iPhone:~ root# uname -a
    Darwin nevrax-iPhone 11.0.0 Darwin Kernel Version 11.0.0: Wed Mar 30 18:44:45 PDT 2011; root:xnu-1735.46~10/RELEASE_ARM_S5L8920X iPhone2,1 arm N88AP Darwin

    iOS 4.3.3 (8J2)
    baseband 05.13.04

     
    • Satish B

      May 13, 2012 at 4:22 pm

      The kernel might be already patched.

       
      • cetin

        June 4, 2013 at 4:46 am

        SatishB... I can't seem to do step 6, I don't understand what you mean by copy device_infos, bruteforce and kernel_patcher...!
        Can you give more explanation please

         
        • satishb3

          June 4, 2013 at 9:02 am

          You need to connect to the iPhone using the WinSCP tool. Later you can copy those device_infos,… onto the iPhone by dragging them.

           
  3. XXXXXX

    May 16, 2012 at 7:03 am

    Help?

    XXXXXX:~ root# ./kernel_patcher
    Kernel patching failed
    XXXXXX:~ root# ./device_infos
    IOAESAccelerator returned: e00002c1
    IOAESAccelerator returned: e00002c1
    Writing results to 588ebc64bede2bd2.plist
    XXXXXX:~ root# ./bruteforce
    IOAESAccelerator returned: e00002c1
    FAIL: missing UID kernel patch
    XXXXXX:~ root#

     
    • Satish B

      May 18, 2012 at 5:32 pm

      The scripts only work for iOS 5. Which version are you using?

       
      • nevrax

        May 18, 2012 at 5:53 pm

        Is there any possibility to have this script running on 4.x? At this moment an iPhone 3GS updated to iOS 5.0 can have a jailbreak but it could not be unlocked (carrier).

         
        • Satish B

          May 18, 2012 at 6:37 pm

          I am working on the scripts to make them work for 4.x and it will take some more time. Meanwhile try to follow the iPhone forensics article, that works for iOS 4 too.
          You can unlock an iPhone 3GS running iOS 5 if you preserve the baseband. Anyhow, only a tethered jailbreak is available for the 3GS.

           
          • lg

            December 21, 2012 at 10:59 pm

            I am also looking for something for IOS4 but can’t find the forensic article you mention (only articles about IOS5). Can you post a link?

             
          • satishb3

            December 22, 2012 at 6:24 am

            Techniques explained in this article also work for iOS 4. You have to use the iOS 4 ipsw file.

             
  4. nick

    September 5, 2012 at 2:33 pm

    Using an iPad 2, what does it mean when on step 10
    ./device_infos I receive “Unable to find baseband error”?

    step 11 – continues on to over 1,000 lines as well. until I exit out of putty.

     
    • satishb3

      September 5, 2012 at 6:52 pm

      Strange. I have never come across such an error. Which version of iOS?

       
  5. Vivek

    September 14, 2012 at 3:13 pm

    Hi,

    Great article! The download links of the software are not working. Please update.

     
    • satishb3

      September 14, 2012 at 7:36 pm

      Fixed the download links

       
  6. Jerry xiao

    October 9, 2012 at 2:47 pm

    Help me, please!
    xxxx-iPhone:/ root# uname -a
    Darwin xxxx-iPhone 11.0.0 Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
    xxxx-iPhone:/ root# ls -l kernel_patcher
    -rwxrwxrwx 1 root admin 13470 Oct 9 16:23 kernel_patcher
    xxxx-iPhone:/ root# ./kernel_patcher
    Illegal instruction: 4

    ios 5.1.1(9b206)

    Thank you.

     
    • satishb3

      October 11, 2012 at 6:37 am

      Maybe it’s already patched.

       
      • Kevin_j

        October 20, 2012 at 1:10 am

        Same issue here..

        Illegal Instruction: 4

        IOs 5.1.1

        device_info gets the same error.

         
        • satishb3

          October 20, 2012 at 7:36 am

          I have updated the scripts just now. Download the scripts again and try once.

           
          • lpf

            October 25, 2012 at 3:48 pm

            I have just tried your current scripts (as of 10/25/2012) with the same iPhone version as Jerry Xiao, but still no luck :-(

            iPhone:~ root# uname -a
            Darwin iPhone 11.0.0 Darwin Kernel Version 11.0.0: Sun Apr 8 21:51:26 PDT 2012; root:xnu-1878.11.10~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
            iPhone:~ root# ./kernel_patcher
            Illegal instruction: 4
            iPhone:~ root# ./device_infos
            Illegal instruction: 4

            iOS 5.1.1 (9B206)
            Absinthe jailbreak

             
          • satishb3

            October 25, 2012 at 4:50 pm

            Seems my website is changing the file during upload. I will email the scripts in a couple of hours. Try with them and let me know whether they work or not.

             
          • satishb3

            October 25, 2012 at 9:55 pm

            Have you tried downloading the alternative links?

             
  7. dan

    October 24, 2012 at 6:06 am

    Is it possible to add an option to seed the bruteforce script with a series of digits to start with? For instance, I have an 8 digit passcode and know the first 4 but I forgot what I set the last 4 to (I always use the same first 4 and just change up the last).

     
    • satishb3

      October 25, 2012 at 8:12 pm

      I will create it when I get time. Meanwhile you can try yourself.
      Source code is here – http://code.google.com/p/iphone-dataprotection/source/browse/ramdisk_tools/systemkb_bruteforce.c
      Modify the bruteforceuserland function and recompile it.

       
      • dan

        October 26, 2012 at 4:11 am

        Thanks. I will have to clear the cob webs off my C knowledge. Hopefully I will be successful.

        Thanks again

         
      • dan

        October 26, 2012 at 4:58 am

        Well, looks like my C skills weren’t all that rusty after all, once you told me which file you used to create your tools, I was able to modify the source and crack my 8 digit passcode in about 4 minutes :-) So no need to update your version.

        Thanks

         
  8. Patrick

    November 22, 2012 at 4:56 am

    Has anyone compiled an iOS 4 version of these files?

    I’m receiving ‘illegal operation’ for the first 2 files, and “Malformed Mach-o file” with bruteforce.

     
  9. Billybob

    December 4, 2012 at 11:22 am

    I was able to run kernel_patcher just fine but when I try to do the other two, I get “unable to find baseband service”. I am running 5.1.1 on an iPod touch 4th gen. I deleted some launch daemons, might that have something to do with it?

     
    • satishb3

      December 4, 2012 at 8:40 pm

      Might be, yes. Missing IO libraries could be the reason for such an error.

       
  10. Lochy

    December 18, 2012 at 7:05 am

    Found a working version of the files.
    I still get an unable to find baseband service on the device_infos file tho.

    http://www.4shared.com/folder/RciVix9U/Extract_AES_Keys.html

     
    • satishb3

      December 18, 2012 at 7:54 am

      That is my 4shared repo

       
      • Lochy

        December 18, 2012 at 8:02 am

        Haha, ah ok. Oh, those were the alternative links too.
        I totally thought I tried them and it didn't work.. wow, silly me.
        Hah, thanks man.

        Anyways I still got the baseband error but I'm assuming that's because I was on an iPod not an iPhone.
        Also when I entered the commands in terminal nothing happened.
        Now when I run the command for keychaintool.py nothing happens. But I did manage to use keychain viewer to look at all the keys and that worked well.
        Had to take a screenshot of the keys tho because there's no way to store them (that I could see)

         
      • Stormulus

        December 29, 2012 at 3:48 pm

        Thanks for a great tool, once I grabbed the files from your 4shared repo they worked perfectly!

        It would be helpful if you zipped all three files and uploaded them to your website. The files hosted there right now just lead to confusion until you read the comments.

        Thanks again,
        Another happy customer.

         
        • satishb3

          December 29, 2012 at 5:25 pm

          Thx. I will do that.

           
          • MikeF

            January 28, 2013 at 6:58 am

            Satish, great write up. I do have a question, so after obtaining the keys what is the next step in using them to decrypt a dd image of my iphone 4?

            Is there another tool I have to use to decrypt it? My ultimate goal is to run Photorec on my dd image to recover some deleted photos in an accidental factory reset. Appreciate any help.

            Thanks.

             
          • satishb3

            January 28, 2013 at 7:56 am

            Take a look at my old article “iPhone forensics on iOS 5” step 4.

             
  11. MikeF

    January 28, 2013 at 10:36 am

    Thanks for your quick reply Satish. I took a look at your older post on iPhone forensics on ios 5 which really has some great background information.

    My current progress so far is I jailbroke my iPhone using RedSn0w, ssh'd into the iPhone and executed ‘dd’ to dump rdisk0 as iphone.img to my PC. Since it's from an iPhone 4, the img is encrypted and Photorec will not work. I need to decrypt the img dump using the AES keys and HFSExplorer.
    I have a few questions that will really help me out (I’ll try to be concise) –

    1) I only have Windows, but with Kernel Patcher (link in this post) Mac OS is not needed? Is the Custom Ramdisk script also not needed with current method?

    2) After running Bruteforce script, keys taken from keybag downloads to plist file, how can I apply them to HFSExplorer? I have HFSExplorer .021 GUI on PC and there is no option to read in keys.

    3) Also, when trying to “Load filesystem from file” by pointing it to the saved rdisk0 img, it's throwing the error message “Invalid HFS type” even though it's reading a raw disk image created by dd. Do I have to dump my image a different way?

    Really appreciate your help on this, I’ve been racking my brain on this for some time.

     
    • satishb3

      January 28, 2013 at 11:14 am

      You don’t need to grab the image and extract the keys again.

      Try this: from the iPhone copy the keys plist to Windows using SSH with WinSCP. Place your image file and keys plist in the same folder, then run HFSExplorer.

       
      • MikeF

        January 31, 2013 at 10:43 am

        satish,

        I tried putting the raw dd img dump into the same folder as HFSExplorer along with the plist file but when trying to open the dd img file I still get the error message:

        Invalid HFS type
        Program Supports:
        HFS_Plus
        HFSX
        HFS_WRAPPED_HFS_PLUS
        HFS
        Detected Type is (Unknown)

        I saw in your old article, you talked about using a modified HFSExplorer, do you have that version available anywhere? I didn’t see a link for it in there.

         
  12. Jake

    February 4, 2013 at 12:42 pm

    Is it possible to do this with IOS 6.1?

    I tried it and it said Kernel Patching failed and it says missing UID kernel patch if I run bruteforce.

     
    • satishb3

      February 4, 2013 at 6:27 pm

      It does not work with ios 6. iOS 6 kernel uses ASLR so it is difficult to break.

       
      • Jake

        February 5, 2013 at 6:55 am

        Since my iPhone started out with iOS 5, does that mean that it was re-encrypted with ASLR when I upgraded to iOS 6? If I try to downgrade it back to 5 will that allow me to decrypt the resulting disk image? My goal is to recover pictures. It's an iPhone 4. I appreciate your expertise.

         
        • satishb3

          February 5, 2013 at 7:05 am

          You can recover photos without downgrading. Follow my article iPhone forensics on iOS 5.

           
          • rathore

            February 6, 2013 at 5:47 pm

            Hi Satish, Thanks for the excellent article.

            I have an iPhone 4S and lost my photos during the 6.1 upgrade and I had to restore but didn't have any backup.
            I am trying to find a way to undelete the files.
            I have got the dump of the user partition from the phone but I need to decrypt it and I cannot run the kernel patcher on the device. It comes back saying kernel patching failed.

            I have read your article about iPhone forensics on iOS 5 but I cannot find the keys for the iOS 6.1 firmware.

            Can you point me in the direction of how I can do it, or is it not possible for now?

             
          • satishb3

            February 6, 2013 at 7:12 pm

            For now there is no way to extract keys from ios 6 devices.

             
          • Isabelle

            February 11, 2013 at 4:37 pm

            Very good post; thanks for sharing

            I was interested in recovering lost pictures on my iPhone.
            It’s an iPhone 5, running jailbroken iOS 6.1 .

            If I understand correctly, actually there is no solution to recover them.
            Several questions :
            1. If a way to extract keys is discovered on iOS 6, will it work for every iPhone model or can it depend on the model of the iPhone?
            2. I have dumped the iPhone memory with the “dd” command; so now I can use my iPhone again normally as the next step will only be needed through the image created, right?
            The only thing that I don't have to do is to reinstall the iOS on this iPhone as the keys will change and will not be the same as the ones used on the dumped image.

            Am I correct ?
            And so, no other way to recover those lost pictures on my iPhone 5 …. :-(

             
          • satishb3

            February 14, 2013 at 5:24 pm

            For now there is no way to recover them.
            1. It works for every model.
            2. Right. You can use your phone normally. Later you can recover the images from dd image. Yes, updating or restoring the phone will change the keys.

             
          • Greg

            February 21, 2013 at 11:45 am

            Hello and thanks for making your expertise available here. I am in the same boat as Jake. You mentioned a downgrade is not necessary to recover photos and I am following the “iPhone forensics on iOS 5” article. This process is going smoothly so far, though I have reached the instruction to download the iOS 5.1.1 ipsw file from http://www.getios.com. Since I have an iPhone 4, now running iOS 6.1, do I still choose the 5.1.1 9B208 ipsw file or the file for iOS 6.1?

             
          • satishb3

            February 21, 2013 at 2:44 pm

            Yes. You have to use 5.1.1.

             
  13. Best Houston DWI Law Firms

    April 6, 2013 at 11:29 pm

    Nice information and facts about this subject, thanks
    so much for posting.

     
  14. Satish is the HERO

    May 1, 2013 at 4:53 pm

    Hi,
    there is a bug in iOS 5 that keeps deleting Contacts, check this:
    https://discussions.apple.com/thread/3373793?start=150&tstart=0

    I was wondering if with my iOS 5.01 jailbroken iPhone I can dd the image without using a RAM disk. I can access the iPhone via SSH and I also have an SSH server on my PC in the same LAN. I read on your topic that iOS 5 encrypts the file system.

    I tried this command from the iphone terminal

    ssh root@SSHSERVERIP dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img

    but got this error:

    dd: opening `ios-root.img': Operation not supported

    I would like to know if it is possible to dd the image (my iPhone does not have a lock code) and
    which steps I have to follow after I dd my iPhone image on a Windows machine. I have downloaded the modified hfsexplorer but I can’t download the AES TOOLS (link broken).

    After that can you show me how to look for deleted contacts (AddressBook.sqlitedb files) as simple as possible.

    Good 1st MAY

     
    • Satish is the HERO

      May 2, 2013 at 3:15 am

      Hi Satish
      I succeeded in dd'ing my image using this tool:
      cygwin sshserver (other SSH servers for Windows didn't work correctly)
      I also had to launch these commands on cygwin:
      mkgroup -l > /etc/mkgroup
      mkpasswd -l > /etc/passwd
      ssh-host-config -y
      net start sshd

      after that I SSH'd into my iPhone (jailbroken iOS 5.01) and then launched this command: dd if=/dev/rdisk0 bs=1M | ssh cyg_server@"IP PC SSHD SERVER" 'dd of=iphone-rdisk.img'

      and finally I have the full image:

      15357+1 records in
      15357+1 records out
      16103374848 bytes (16 GB) copied, 6528.5 s, 2.5 MB/s
      31451904+0 records in
      31451904+0 records out
      16103374848 bytes (16 GB) copied, 6514.59 s, 2.5 MB/s

      after that I used the OSFmount tool to mount the image and tried to use photorec_win.exe to recover the AddressBook.sqlitedb
      without success
      then I read this post again and did this:

      iPhone4ios5:/ root# chmod 777 kernel_patcher
      iPhone4ios5:/ root# chmod 777 device_infos
      iPhone4ios5:/ root# chmod 777 bruteforce
      iPhone4ios5:/ root# ./kernel_patcher
      Found IOAESAccelerator UID ptr at 805d9a24
      vm_write into kernel_task OK
      iPhone4ios5:/ root# ./device_infos
      Writing results to d5a9ab078c53d97b.plist
      iPhone4ios5:/ root# ./bruteforce
      Writing results to d5a9ab078c53d97b.plist
      keybag id=1
      No passcode set
      Keybag version : 3
      Keybag keys : 10
      Class Wrap Key
      11 0 2fb02bae82af02d584c3a1595647aef286efc709d68d2eeea022a5323a9fb98e
      10 0 8b1902a44b0414106fb9ea24b2c9a1e6f58067b694f39eea694becfd4f3cd16b
      9 0 b5c9658175a197251c683c8626a4ac59929d85f3a51fae15d31cf9959ddc8771
      8 0 1cf9bedef4ac1724313c2bdf08ee0dcf293185adf948311cbedee60d6dc1f04f
      7 0 b2d3e4460a0bb1138a5e03f3a1868350dca85df63233f7b98b19b30c4badc9cc
      6 0 d9e50247fe606bd2ada5b07f8bb0134e21b2b13be00efbe2338c8e38965291b1
      5 0 b37000616dd7ee7f0449a189a3a82045f6cfdf7c19a22e0e999b89f901c2c292
      3 0 a05a81f6225386d6a34503f230d88530efed0a9f589054e8040be0054f90e543
      2 0 2dc30111c6814c7ba57d601625f42e6aaa1ac578201be687a98afecf7af38230
      1 0 bf113829659a931bed28c1ed708f8344e39852237fd3c63d615020092b5ff717

      Passcode key : c88750ab4cd1e43d8bd86fe5ad71b287759bfdb4f4f858931578352350755f8c
      Key 0x835 : e61481190b480fa486dc0ba16b69a55d
      Writing results to d5a9ab078c53d97b.plist

      Now I am stuck like the user “MikeF”
      when I load the modified hfsexplorer downloaded from your suggested link it shows this error,
      I copied the generated .plist file into the same image folder.

      Invalid HFS type
      Program Supports:
      HFS_Plus
      HFSX
      HFS_WRAPPED_HFS_PLUS
      HFS
      Detected Type is (Unknown)

      I don’t know how to use:
      keychain_dump and keychainviewer0.3.deb
      are they necessary to permit hfsexplorer to read my image?

      Thanks again for your effort in helping me.

       
      • Satish is the HERO

        May 2, 2013 at 4:03 am

        I am still here, I read your other topic:
        and I launched
        ./keychain_dumper >test.txt
        it created a txt full of passwords and other private stuff.

        But as you suggested to Mike I went to your other topic
        “iPhone forensics iOS 5” part 4

        it seems that the way you establish the communication with the iPhone is totally different: you load a custom firmware, use a USB cable and redirect a session. I would like to use another method since I have a jailbroken iPhone and I can directly SSH into it without using a USB cable and ramdisk, but the way you generate the .plist is different, you are also launching a python script.
        And the image is in .dmg format, not the .img format I generated with the dd command.
        Now with all the files I have (see my previous post) and this keychain output (.txt) can I load my dd image in hfsexplorer without using ramdisk and python without getting that error (user mike)?

        Sorry for troubling you :)

         
        • satishb3

          May 2, 2013 at 6:06 am

          Did you try this modified HFS explorer – https://code.google.com/p/iphone-dataprotection/downloads/detail?name=hfsexplorer_iphoneEMF_d4ea02bd3fc3.zip&can=2&q=

          If it does not work, you can still decrypt the image using emf_decrypter.py. Follow the iPhone forensics on iOS 5 article and install all the python tools. Then place your plist and image file in one directory and run emf_decrypter.py.

          If your goal is to recover data from the address book you don’t need to do all these steps. You can copy the AddressBook sqlite file to the desktop using SSH and run sqlite forensic tools on it (opening the sqlite file using SqliteSpy might also show some deleted data).

           
          • Satish is the HERO

            May 2, 2013 at 10:56 pm

            Thanks for your quick reply!
            Yes, I tried the modified HFS explorer without success.
            Do I have to convert the img to dmg?
            I used a virtual Mac OS X Lion but since it did not have Xcode installed, the sudo ARCHFLAGS=’-arch i386 -arch x86_64′ easy_install pycrypto
            failed, so I had to update my OSX in order to download the latest version of Xcode from the Apple Market (the update was mandatory); my virtual machine of Mac OSX did not have a gcc compiler.
            Now 30 minutes have passed and I don’t know if it is stuck or slowly updating to the new OS version. Tomorrow I will let you know, but I have some questions related to where I have to put the img and the plist (python_scripts directory?).
            Where can I get the UDID to use? I looked in my plist file and it should be at the end. I have to use this string:
            d29fcc1a77033acd92df077c89227a1665f8d03
            haven’t I?

            udid
            cd29fcc1a77033acd92df077c89227a1665f8d03
            uuid
            725ab1b604c14600b3db275cf1449765

            Meanwhile I followed the other suggestion with SqliteSpy (since Sqlite forensic tools seem not to be free, can you confirm that?)
            but I forgot to tell you, when for the first time I noticed that all my contacts disappeared, I went to the Apple community and some users suggested to recreate some contacts with the same name, but that didn’t fix my case. Now my contact list is just 2 contacts I created; I looked for other AddressBook.sqlitedb with WinSCP but they have the same weight, just two contacts weigh 224kb (seems to me a bit large). I also used the Sqlitebrowser plugin with Firefox, but it also seems to have just the 2 new contacts I added.
            In Sqlite Spy I clicked on every tree Show Data but just noticed the two contacts I created.

            Thanks again!

             
          • satishb3

            May 3, 2013 at 4:26 pm

            Maybe running the strings command on the sqlite file might help

             
          • Satish is the HERO

            May 3, 2013 at 3:32 pm

            I solved it in another way: since I am using lots of social network apps that access my mobile contacts list, I wondered what if one of them copied my contact list into their app folder, so I SSH'd into my phone and grepped a unique mobile number, ex.
            grep -r "399366123" /var/mobile/Applications/

            and then:

            Binary file /var/mobile/Applications/6AC63303-2BD1-48C8-A698-75BC082B335A/Documents/Contacts.data matches

            BINGO !! VIBER APP KEPT A COPY OF MY CONTACT LIST:p SINCE AFTER THE DELETE I DID NOT OPEN THE VIBER APP IT HAD NOT THE OCCASION TO REFRESH A UPDATE WITH MY DELETED CONTACTS :)

            SQLITE CAN READ THE FILE Contacts.data

            :)

            Thanks for your support :P

             
          • satishb3

            May 3, 2013 at 4:27 pm

            Hmmm very clever

             
  15. Travis T

    May 5, 2013 at 10:13 pm

    Hi Satish, wonderful write-up. I just have one question. I read your comment about iOS 6 being difficult to break because of ASLR. Does the evasi0n jailbreak help with this issue at all?

     
    • satishb3

      May 6, 2013 at 8:45 pm

      Yes, it is difficult to break iOS 6 because of kernel ASLR and DEP. That might help. But my technical skills are not enough to understand their work :(

       
  16. AK

    July 13, 2013 at 9:30 pm

    Can you extract it from backup files?

     
    • satishb3

      July 14, 2013 at 6:03 am

      No. Keys are only stored on phone.

       
      • Josh C

        September 25, 2013 at 3:57 pm

        Hi Satish, thank you so much for your hard work to help people! I had an iPhone 4 and back in Summer 2011 iTunes wiped all my data which included treasured pictures and videos from my honeymoon, my son swimming for the first time etc. At the time I managed to extract an .img file of the phone which is 32GB in size but I learnt that it's encrypted (I think it was iOS 4.2.1 or thereabouts). It looks like you’ve cracked a way of decrypting but it's a little difficult for me to understand. I’m on a Mac 10.8.3 but also have access to a Windows 8 PC. Is there a way of extracting these precious images from this img file? Many thanks in advance!

         
        • satishb3

          September 25, 2013 at 7:14 pm

          Do you still have the phone with you? What do you mean by wipe… did you update the phone? In case of an update, new keys will be generated and there is less chance of recovering data.

           
  17. Mika

    November 8, 2013 at 8:07 pm

    Hi,
    I’ve an iPhone 4. The phone had 7.0.2 installed. I tried to install 7.0.3 but the update failed! I had to restore the phone via iTunes and now all my photos are gone. I have jailbroken it using opensn0w and dumped the disk image, but now I’m facing the encryption problem.
    Is there a chance to get the data back using your tools?
    Mika

     
    • satishb3

      November 8, 2013 at 8:22 pm

      No, it is not possible to recover the photos. When the phone is restored, a fresh set of encryption keys gets generated. So even if you get those keys, that will not work.

       
      • Mika

        November 8, 2013 at 8:27 pm

        Could you shortly explain why?

         
        • satishb3

          November 9, 2013 at 7:23 pm

          When you restore the phone a new set of encryption keys are generated. Photos on the disk image are encrypted with old encryption keys.

           
          • Mika

            November 11, 2013 at 2:32 pm

            There is no chance of a brute force approach to decrypt the data?

             
          • satishb3

            November 11, 2013 at 9:37 pm

            The key is more than 20 characters in length, so bruteforce might be difficult. Elcomsoft developed a commercial tool that can perform the bruteforce attack. I didn’t use that tool. Maybe you can drop an email to their support team to learn more details about it.

             
          • Mika

            November 11, 2013 at 9:47 pm

            Unfortunately I did not get all the details of your description above. What is the key that I need in the end to decrypt the phone image/filesystem?
            Btw. thanks for your tip, I’ll try to contact Elcomsoft.

             
          • satishb3

            November 11, 2013 at 9:58 pm

            1. Before the restore, the iPhone hard disk is encrypted with an EMF key (say x). So your pics are encrypted with x.
            2. After the restore all data is erased and the hard disk is encrypted with a newly generated EMF key (say y).

            With this complicated encryption stuff, there is no way to get your pics.

             
  18. leo

    April 13, 2014 at 8:24 pm

    Hi Satish,
    thanks for the tutorial. I’ve one question about these keys:
    how can I encrypt or decrypt a word with these keys?
    thanks

     
  19. InNeedOfKey

    May 17, 2014 at 9:02 am

    Will this work on iOS 7.1.1 on a jailbroken iphone 4 ?

    ./kernel_patcher reboots the phone.

    My mother updated her iPhone because it was superslow (it was full to the brim). But restoring the data from the unencrypted backup from the previous version 4.3.1 failed because of insufficient space on the device!? Now all her passwords are gone. I said no problem, I’m sure we can get them from the backup somehow ;). Now it seems the keychain in the backup is nonetheless encrypted with the device-specific key 0x835 :(

    Can I extract this key in my situation or am I fucked ?

    Thanks a lot !

     
  20. Robert Murray

    June 26, 2014 at 4:34 am

    Hi. Is there any way of extracting keys from an iPhone 5s with iOS 7.1, which is jailbroken? The stupid thing deleted all my videos when I was trying to copy them. I have a dd image of /dev/rdisk0.

    If not, is there any chance in the future if I keep the image?

     
    • satishb3

      June 26, 2014 at 8:46 pm

      There is no way for now. There is less chance in the future.

       
  21. Alex

    June 26, 2014 at 2:47 pm

    I have an iPhone 5S, 7.1.1, jailbroken with Pangu. I managed to install Keychain Viewer on the device itself and use Keychain Dumper to save all the files: generic and internet passwords, certificates and keys. However, I noticed that the password I am looking for (email account – found in Generic Passwords) is encrypted. I suppose it is an AES key, which means I need the string I get from the keychain dumper generic passwords file and the AES key to decrypt it. Correct me if I’m mistaken, I just started reading about this. Is there any way I can get the AES key needed to decrypt and show the password in plain text?

     
    • satishb3

      June 26, 2014 at 8:48 pm

      Did you notice all other passwords in the keychain in plaintext? If not, keychain dumper might be broken and needs to be fixed for 7.1.

       
      • Alex

        June 27, 2014 at 12:14 am

        The internet passwords are in plain text, the rest of them are encrypted. I also tried Keychain Viewer, with the same result. I am using a beta version of the tweak, updated for 7.1.1

         
        • satishb3

          June 27, 2014 at 7:58 am

          Then probably the email client is storing the encrypted pwd in the keychain.

           
  22. jimbob

    July 18, 2014 at 7:35 pm

    Satish, great write up! I have a question about the 835 key

    I have an iPhone 4 and 4S that I want to get the 835 key from to decrypt my backups. I have the keys.plist file from the key_dumper program but I do not know how to get the 835 key from it. Elcomsoft has a program that can analyze it and do it but it's like $1400 for it! Do you know of a way to get it?

    By the way, I’m on iOS 7.1.2 JB

     
  23. woo

    August 30, 2014 at 7:21 am

    so, how to extract AES keys for IOS7.x? tks

     
    • satishb3

      September 1, 2014 at 12:27 pm

      Currently there are no free tools available to extract iOS 7 keys. Elcomsoft iOS toolkit is the only tool capable of extracting AES keys from iOS 7 devices.

       
      • woo

        September 1, 2014 at 3:00 pm

        Thank you for your reply!!!

         
