New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Decrypting keychain (iOS 11) #21

Open
kristian opened this Issue Jul 28, 2017 · 8 comments

Comments

Projects
None yet
8 participants
@kristian

kristian commented Jul 28, 2017

Just decrypted an (encrypted) iOS11 backup using backup_tool without a problem. Unfortunately decrypting the keychain afterwards using keychain_tool failed. The following error is shown on console:

Cannot decrypt backup keybag. Wrong password ?

I checked the Manifest.plist file and the "password" denoted in the file, matches my backup password. Any idea why this happens? I don't own the key835 for my device and so far I havn't gotten any idea how I should get it. Would the key835 be required to decrypt an encrypted keychain from a backup file?

Thanks & regards, Kristian

@AppleTechy

This comment has been minimized.

Show comment
Hide comment
@AppleTechy

AppleTechy Aug 7, 2017

Have you use this utility before? I essentially did the samething as you and ran into the same problem. I was decrypting an (encrypted) ios 10 backup. I used the command, python keychain_tool.py -d "/Users/dev/Desktop/extracted/KeychainDomain/keychain-backup.plist" "/Users/dev/Desktop/extracted/Manifest.plist" However the response to that command is,If you have key835 for device _______ enter it (in hex). My understanding was that the key835 wasn't required for decrypted (encrypted) backups, did I misunderstand something?

AppleTechy commented Aug 7, 2017

Have you use this utility before? I essentially did the samething as you and ran into the same problem. I was decrypting an (encrypted) ios 10 backup. I used the command, python keychain_tool.py -d "/Users/dev/Desktop/extracted/KeychainDomain/keychain-backup.plist" "/Users/dev/Desktop/extracted/Manifest.plist" However the response to that command is,If you have key835 for device _______ enter it (in hex). My understanding was that the key835 wasn't required for decrypted (encrypted) backups, did I misunderstand something?

@pedropapa

This comment has been minimized.

Show comment
Hide comment
@pedropapa

pedropapa Aug 17, 2017

I'm having the same issue, already tried to hex my iTunes password with no luck.

pedropapa commented Aug 17, 2017

I'm having the same issue, already tried to hex my iTunes password with no luck.

@kennym

This comment has been minimized.

Show comment
Hide comment
@kennym

kennym Nov 29, 2017

Same issue here.

kennym commented Nov 29, 2017

Same issue here.

@AppleTechy

This comment has been minimized.

Show comment
Hide comment
@AppleTechy

AppleTechy Dec 4, 2017

Anyone found a work around yet? Would be much appreciated!

Sent with GitHawk

AppleTechy commented Dec 4, 2017

Anyone found a work around yet? Would be much appreciated!

Sent with GitHawk

@guikeese

This comment has been minimized.

Show comment
Hide comment
@guikeese

guikeese Jan 11, 2018

Same here.. trying to find some but nothing yet.. =/

guikeese commented Jan 11, 2018

Same here.. trying to find some but nothing yet.. =/

@mohrt

This comment has been minimized.

Show comment
Hide comment
@mohrt

mohrt Jan 19, 2018

It looks like you'd have to jailbreak your iPhone and get the 0x835 key for YOUR device. http://www.securitylearn.net/2012/04/22/extracting-aes-keys-from-iphone/

mohrt commented Jan 19, 2018

It looks like you'd have to jailbreak your iPhone and get the 0x835 key for YOUR device. http://www.securitylearn.net/2012/04/22/extracting-aes-keys-from-iphone/

@Commodore1024

This comment has been minimized.

Show comment
Hide comment
@Commodore1024

Commodore1024 Jun 6, 2018

Key835 is required to unwrap the following security keys:
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
kSecAttrAccessibleAlwaysThisDeviceOnly
kSecAttrAccessibleWhenUnlockedThisDeviceOnly

So any material in the keychain that is encrypted using those keys will not be decrypted.

Commodore1024 commented Jun 6, 2018

Key835 is required to unwrap the following security keys:
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
kSecAttrAccessibleAlwaysThisDeviceOnly
kSecAttrAccessibleWhenUnlockedThisDeviceOnly

So any material in the keychain that is encrypted using those keys will not be decrypted.

@AdolfoPD

This comment has been minimized.

Show comment
Hide comment
@AdolfoPD

AdolfoPD Jul 14, 2018

Help,

I have a backup that was partially corrupted, I have the password, however the Meanifest.DB file is not cryptographed.

How to extract the data, which are cryptographed.

AdolfoPD commented Jul 14, 2018

Help,

I have a backup that was partially corrupted, I have the password, however the Meanifest.DB file is not cryptographed.

How to extract the data, which are cryptographed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment