Decrypting Signal Conversation Database

[KnugiHK]

If you have any thought on Decrypting Signal Conversation Database, feel free to leave a comment below!

[palebeki]

it's a very interesting way of approach you have. you stated that with luck that you can find "pref_database_unencrypted_secret" key. are there any ways to enforce this kind of key to come out on the shared prefs ?

p.s. still waiting on you source code of the app that mimics keystore generation function

[KnugiHK]

Hi. The source code will be available soon at KnugiHK/ExtractSignalKey once I have review all the code. Be sure to check back later!

For the unencrypted key, perhaps we can found a way to enforce it in the Signal's source code. I will look into it if I have time.

[palebeki]

i've found by reading the source code that android 6 and below (SDK <= 23) you'll get the unencrypted secret.

[KnugiHK]

I have make the source code available now. Check it out in the mentioned link.

[palebeki]

in your blog post, the app you've been working on could generate the database secret by duplicating the keystore file on "/data/misc/keystore/user_0/" directory. i'm having trouble finding that directory and how keystore works actually on Android 12. All that is found was a file name "persistend.sqlite". it Would be great if someone has knowledge about this

Android 12 Keystore file Structure

emulator64_x86_64_arm64:/data/misc/keystore # ls -la
total 156
drwx------  2 keystore keystore   4096 2022-02-14 14:57 .
drwxrwx--t 64 system   misc       4096 2021-12-11 11:35 ..
-rw-------  1 keystore keystore 126976 2022-02-14 14:57 persistent.sqlite
-rw-------  1 keystore keystore      0 2021-12-11 11:37 timestamp
-rw-------  1 keystore keystore  16384 2021-12-11 11:36 vpnprofilestore.sqlite

Android 11 Keystore file Structure

generic_x86:/data/misc/keystore/user_0 # ls -la
total 88
drwx------ 2 keystore keystore 4096 2022-02-13 21:59 .
drwx------ 3 keystore keystore 4096 2022-02-13 21:59 ..
.
.
.
-rw------- 1 keystore keystore  190 2022-02-13 21:50 1010_USRPKEY_MacRandSecret
-rw------- 1 keystore keystore  190 2022-02-13 21:59 10121_USRPKEY_SignalSecret

[KnugiHK]

@joshuahickman1 May I know what your phone model is?

[joshuahickman1]

@joshuahickman1 May I know what your phone model is?

Pixel 5a. Also observed the same on a Pixel 3.

[KnugiHK]

@joshuahickman1 May I know what your phone model is?

Pixel 5a. Also observed the same on a Pixel 3.

I see. Both phones are protected by Titan M chip.

[joshuahickman1]

@joshuahickman1 May I know what your phone model is?

Pixel 5a. Also observed the same on a Pixel 3.

I see. Both phones are protected by Titan M chip.

Correct.

Were you able to determine the issues regarding attachments? I am testing a separate phone that does not have hw-backed keystore. I have been able to obtain the modernKey and data_random values but when I use the resulting HMAC256 output as a key for AES-CTR attachments are not decrypted.

[palebeki]

Try checking on the algorithms and format used. Remember that hmac256 will always give output based on the input ( no input checks ), so check again the values. Here is a code snippet that I use to get the modern key

basetohex(json.loads(cipher.decrypt_and_verify(binascii.unhexlify(data), binascii.unhexlify(tag)))['modernKey'] + '==')

[palebeki]

i'm still having issues on understanding the usage of attachment_encrypted_secret to decrypt mms messages, maybe anyone could help ? i found a hint on using the "part" table from the db but still no clues

[KnugiHK]

Finally have some time to look into the encryption deployed for media. By examining the source code I have observed several things for decrypting the media files:

• media file are encrypted with AES-CTR
• the decryption of attachment_encrypted_secret is similar to database_encrypted_secret
• the key to decrypt media is an HMACSHA256
• the key for the HMACSHA256 is stored in the plaintext of attachment_encrypted_secret
• the message for the HMACSHA256 is 32 random bytes stored in the "part" table
• the counter of the cipher seems to be 0 or the file size (stored in the "part" table) with some calculation?

However, I am not able to decrypt it yet. Will keep trying. Below is some code that I used to attempt the decryption:

from Crypto.Cipher import AES
import hmac
from hashlib import sha256

file = open("partXXXXXXXXXXXXXX.mms", "rb").read()
mac_key = modernKey_in_decypted_attachment_encrypted_secret
mac = hmac.new(mac_key, digestmod=sha256)
mac.update(random_from_part_table)
key = mac.digest()
IV = b"\x00" * 16
cipher = AES.new(key, AES.MODE_CTR, initial_value=IV, nonce=b"")
print(cipher.decrypt(file)[:64]) # suppose an JPEG file

Some source files that may helpful for research

• https://github.com/signalapp/Signal-Android/blob/ad0482fb5bc794e815a1397a9dfbd41b4117e832/app/src/main/java/org/thoughtcrime/securesms/backup/FullBackupExporter.java
• https://github.com/signalapp/Signal-Android/blob/ad0482fb5bc794e815a1397a9dfbd41b4117e832/app/src/main/java/org/thoughtcrime/securesms/crypto/ModernDecryptingPartInputStream.java
• https://github.com/signalapp/Signal-Android/blob/ad0482fb5bc794e815a1397a9dfbd41b4117e832/core-util/src/main/java/org/signal/core/util/Conversions.java

[Botspot]

Does this still work?
I am stuck at the step where you install the old signal version.

$ adb shell pm uninstall -k org.thoughtcrime.securesms
Success
$ adb install -r /home/pi/Downloads/org.thoughtcrime.securesms-2.28.1-156-minAPI9.apk
Performing Streamed Install
adb: failed to install /home/pi/Downloads/org.thoughtcrime.securesms-2.28.1-156-minAPI9.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE]
$

[palebeki]

Reinstalling the app should work, but you can pass -d flag on adb install command to allow version downgrade installation

[Botspot]

That worked. $ adb install -d -r /home/pi/Downloads/org.thoughtcrime.securesms-2.28.1-156-minAPI9.apk
@KnugiHK Please update Decrypting-Signal-Conversation-Database.md to include the -d flag on this step.

[KnugiHK]

Done! Thanks.