Comments (25)
This is on an iPad 3G BTW.
Original comment by [email protected]
on 7 Jan 2012 at 7:44
from iphone-dataprotection.
i just pushed a fix. can you update (hg pull && hg update) and retry ?
However you mentioned that the EMF and DKey were all zeroes and this is another
problem (the decryption will fail without these keys). A few questions :
- did you use the ramdisk or did you dump from a running ios ?
- did the kernel_patcher.py script find all the kernel patches ?
- did you get any errors when the plist file was created ?
Original comment by [email protected]
on 7 Jan 2012 at 8:13
- Changed state: Accepted
from iphone-dataprotection.
(scratch the first question)
Original comment by [email protected]
on 7 Jan 2012 at 8:15
from iphone-dataprotection.
This is a protocol of creating the ramdisk with the current commit from the hg
repo:
g3-power:iphone-dataprotection g3$ python python_scripts/kernel_patcher.py
/Volumes/Voodoo/Downloads/2012-01-07/iPad1,1_5.0.1_9A405_Restore.ipsw
Decrypting kernelcache.release.k48
Unpacking ...
Doing CSED patch
Doing getxattr system patch
Doing _PE_i_can_has_debugger patch
Doing IOAESAccelerator enable UID patch
Doing AMFI patch
Patched kernel written to kernelcache.release.k48.patched
Created script make_ramdisk_k48ap.sh, you can use it to (re)build the ramdisk
g3-power:iphone-dataprotection g3$ sudo ./make_ramdisk_k48ap.sh
g3-power:iphone-dataprotection g3$ chmod 755 make_ramdisk_k48ap.sh
g3-power:iphone-dataprotection g3$ sudo ./make_ramdisk_k48ap.sh
Found iOS SDK 5.0
ln -s /System/Library/Frameworks/IOKit.framework/Versions/Current/Headers IOKit
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-llvm
-gcc-4.2 -Wall -isysroot
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/
-framework IOKit -framework CoreFoundation -framework Security -O3 -I. -o
device_infos device_infos.c device_info.c IOAESAccelerator.c
AppleEffaceableStorage.c AppleKeyStore.c bsdcrypto/pbkdf2.c bsdcrypto/sha1.c
bsdcrypto/key_wrap.c bsdcrypto/rijndael.c util.c IOKit.c registry.c
device_infos.c: In function ‘main’:
device_infos.c:9: warning: initialization discards qualifiers from pointer
target type
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -S device_infos
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-llvm
-gcc-4.2 -Wall -isysroot
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/
-framework IOKit -framework CoreFoundation -framework Security -O3 -I. -o
restored_external restored_external.c device_info.c remote_functions.c
plist_server.c AppleKeyStore.c AppleEffaceableStorage.c IOKit.c
IOAESAccelerator.c util.c registry.c AppleKeyStore_kdf.c bsdcrypto/pbkdf2.c
bsdcrypto/sha1.c bsdcrypto/rijndael.c bsdcrypto/key_wrap.c
restored_external.c: In function ‘init_usb’:
restored_external.c:34: warning: implicit declaration of function
‘IOUSBDeviceDescriptionCopyInterfaces’
restored_external.c:34: warning: initialization makes pointer from integer
without a cast
restored_external.c:89: warning: value computed is not used
restored_external.c:91: warning: value computed is not used
restored_external.c:93: warning: value computed is not used
restored_external.c:95: warning: value computed is not used
restored_external.c:97: warning: value computed is not used
remote_functions.c: In function ‘keybag_get_passcode_key’:
remote_functions.c:140: warning: pointer targets in passing argument 2 of
‘AppleKeyStore_getPasscodeKey’ differ in signedness
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
AppleKeyStore_kdf.c: In function ‘AppleKeyStore_getPasscodeKey’:
AppleKeyStore_kdf.c:31: warning: pointer targets in passing argument 3 of
‘pkcs5_pbkdf2’ differ in signedness
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -Skeystore_device.xml restored_external
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-llvm
-gcc-4.2 -Wall -isysroot
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/
-framework IOKit -framework CoreFoundation -framework Security -O3 -I. -o
bruteforce systemkb_bruteforce.c AppleKeyStore.c AppleEffaceableStorage.c
IOKit.c IOAESAccelerator.c util.c registry.c AppleKeyStore_kdf.c
bsdcrypto/pbkdf2.c bsdcrypto/sha1.c bsdcrypto/rijndael.c bsdcrypto/key_wrap.c
device_info.c
systemkb_bruteforce.c: In function ‘saveKeybagInfos’:
systemkb_bruteforce.c:27: warning: implicit declaration of function
‘device_info’
systemkb_bruteforce.c:27: warning: initialization makes pointer from integer
without a cast
systemkb_bruteforce.c: In function ‘main’:
systemkb_bruteforce.c:202: warning: implicit declaration of function
‘AppleKeyStore_getClassKeys’
systemkb_bruteforce.c:202: warning: initialization makes pointer from integer
without a cast
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
AppleKeyStore_kdf.c: In function ‘AppleKeyStore_getPasscodeKey’:
AppleKeyStore_kdf.c:31: warning: pointer targets in passing argument 3 of
‘pkcs5_pbkdf2’ differ in signedness
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -Skeystore_device.xml bruteforce
Downloading ssh.tar.gz from googlecode
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3022k 100 3022k 0 0 863k 0 0:00:03 0:00:03 --:--:-- 1698k
Archive: /Volumes/Voodoo/Downloads/2012-01-07/iPad1,1_5.0.1_9A405_Restore.ipsw
inflating: 038-3715-001.dmg
TAG: TYPE OFFSET 14 data_length:4
TAG: DATA OFFSET 34 data_length:1041000
TAG: SEPO OFFSET 1041040 data_length:4
TAG: KBAG OFFSET 104105c data_length:38
KBAG cryptState=1 aesType=100
TAG: KBAG OFFSET 10410a8 data_length:38
TAG: SHSH OFFSET 104110c data_length:80
TAG: CERT OFFSET 1041198 data_length:794
Decrypting DATA section
Decrypted data seems OK : ramdisk
/dev/disk2 /Volumes/ramdisk
"disk2" unmounted.
"disk2" ejected.
myramdisk.dmg created
You can boot the ramdisk using the following command (fix paths)
redsn0w -i
/Volumes/Voodoo/Downloads/2012-01-07/iPad1,1_5.0.1_9A405_Restore.ipsw -r
myramdisk.dmg -k kernelcache.release.k48.patched
Original comment by [email protected]
on 8 Jan 2012 at 10:18
from iphone-dataprotection.
I can’t find any errors in the above.
Original comment by [email protected]
on 8 Jan 2012 at 10:19
from iphone-dataprotection.
ok, in the plist file, are the values key835, key89B and lockers present and
do they contain meaningful data (i.e. not 0s) ?
also when you ran ./dump_data_partition.sh were there any errors displayed ?
thanks
Original comment by [email protected]
on 8 Jan 2012 at 10:54
from iphone-dataprotection.
The values for key835 and key89B are both present and contain 32 hex-digits.
I looked out for them, but I don’t remember seeing any errors when running
./dump_data_partition.sh.
Original comment by [email protected]
on 8 Jan 2012 at 11:49
from iphone-dataprotection.
I have created a backup of the data partition at /mnt2 via scp. It appears to
be complete.
I need to restore the iPad for use as soon as possible.
Is there anything I can do or prepare now to help untangle this issue further
or will restoring destroy any chances of getting at the correct values for EMF
and DKey?
Can they be calculated from other values that are available?
Original comment by [email protected]
on 8 Jan 2012 at 12:01
from iphone-dataprotection.
ok, so there is no "lockers" in the plist file ?
can you ssh into the ramdisk, run ./device_infos and look for errors ?
if you restore then the EMF and DKey will be wiped, they are calculated using
the missing lockers data and the two keys (835 & 89b).
also i see you used the 5.0.1 ipsw, this is probably not the issue but maybe
you can retry the whole process (except the data partition dump) using the 5.0
one.
Original comment by [email protected]
on 8 Jan 2012 at 1:14
from iphone-dataprotection.
Ok. ./device_infos does not produce any errors. The resulting plist file is
similar to the one next to the encrypted dd image by the same name. It lacks
the top level key-value pairs for KeyBagKeys, classKeys, keybags, passcode and
passcodeKey.
Original comment by [email protected]
on 8 Jan 2012 at 10:41
from iphone-dataprotection.
I recreated the ramdisk with 5.0 as requested.
python python_scripts/demo_bruteforce.py
Results in the exact same files being generated.
Original comment by [email protected]
on 8 Jan 2012 at 11:26
from iphone-dataprotection.
BTW: There is a lockers key in the plist. It contains 1920 hex characters, only
the first 136 of which are non 0.
Original comment by [email protected]
on 9 Jan 2012 at 10:35
from iphone-dataprotection.
ok so no lockers in any case ? this is weird, does the device boot normally
(you mentioned you need to restore) ?
Original comment by [email protected]
on 9 Jan 2012 at 10:35
from iphone-dataprotection.
No. That is why I needed a backup. ;)
Original comment by [email protected]
on 9 Jan 2012 at 10:39
from iphone-dataprotection.
I will retry after the restore. If it works then, we will know that something
was hosed that your code depended upon, right?
Original comment by [email protected]
on 9 Jan 2012 at 10:45
from iphone-dataprotection.
you have non empty lockers, key835 and key89B, but EMF and DKey are zeroes
right ?
if so, can you send me the plist file by email ? that would help understand the
issue. thanks
Original comment by [email protected]
on 9 Jan 2012 at 10:53
from iphone-dataprotection.
Sure. I tried to find your non-truncated email address, but have so far been
unsuccessful.
Original comment by [email protected]
on 9 Jan 2012 at 1:44
from iphone-dataprotection.
Apparently the EMF and DKey lockers were erased when updating from iOS 4 to iOS
5 (!). Without those keys emf_decrypter cannot work.
Original comment by [email protected]
on 21 Jan 2012 at 4:49
- Changed state: WontFix
from iphone-dataprotection.
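The check the maintainer walks through in this thread (are key835, key89B, lockers, EMF and DKey present and non-zero?) can be scripted before any decryption attempt. This is an added example, not part of the thread or of the project's code; it assumes the plist stores these values as hex strings under the key names quoted above, and the sample values are constructed.

```python
import plistlib

# Key names as quoted in this thread. Hex-string values are an assumption based
# on the reporter's description ("32 hex-digits", "1920 hex characters").
REQUIRED = ("key835", "key89B", "lockers", "EMF", "DKey")


def classify(value):
    """Return 'missing', 'malformed', 'all-zero' or 'ok' for one plist value."""
    if value is None:
        return "missing"
    if isinstance(value, bytes):
        value = value.hex()
    if not isinstance(value, str) or not value or len(value) % 2:
        return "malformed"
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return "malformed"
    return "ok" if any(raw) else "all-zero"


def populated_hex_chars(value):
    """Number of hex characters up to the last non-zero byte (0 if none)."""
    return 2 * len(bytes.fromhex(value).rstrip(b"\x00"))


def audit(plist_bytes):
    """Map each required key to its status for a device-info plist."""
    info = plistlib.loads(plist_bytes)
    return {name: classify(info.get(name)) for name in REQUIRED}


def decryptable(report):
    """Per the thread, emf_decrypter cannot work without EMF and DKey."""
    return report["EMF"] == "ok" and report["DKey"] == "ok"


# Constructed sample mirroring the symptoms reported above (values are made up).
SAMPLE = plistlib.dumps({
    "key835": "11" * 16,
    "key89B": "22" * 16,
    "lockers": "ab" * 68 + "00" * 892,  # 1920 hex chars, first 136 non-zero
    "EMF": "00" * 32,
    "DKey": "00" * 32,
})

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, status in report.items():
        print(f"{name:8} {status}")
    print("decryptable:", decryptable(report))
```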
hey all, trying to recover images for a friend... i've got the data partition
successfully. getting this:
Keybag: SIGN check OK
Keybag unlocked with passcode key
cprotect version : 2
WARNING ! This tool will modify the hfs image and possibly wreck it if
something goes wrong !
Make sure to backup the image before proceeding
You can use the --nowrite option to do a dry run instead
Press a key to continue or CTRL-C to abort
and it's been running for almost 24 hours now... does this make sense? i've
already backed up the dmg... the docs say it updates it in place, but the file
mod date hasn't changed, nor has the size... should i keep waiting? cut it?
anyone know how i can know if it is really doing anything or just 'stuck'?
much appreciated!
Original comment by [email protected]
on 17 Feb 2012 at 4:14
from iphone-dataprotection.
sorry to ask but did you "press a key to continue" (in fact i think you need to
press the enter key) ? it should display "decrypting" for each file it
processes in the image.
Original comment by [email protected]
on 18 Feb 2012 at 11:40
from iphone-dataprotection.
yes - the obvious first... i did.. many times.. but also expected something to
happen, some output and nothing.. it just froze, with the cursor blinking and
so i wasn't sure. that it *does* spit out stuff for each file is good news, so
now i know it wasn't working properly.. question is why, and why no error output
gonna copy the backup image i have and try again. i wonder if a path is
screwy, will check the script itself.
thanks...
Original comment by [email protected]
on 18 Feb 2012 at 7:11
from iphone-dataprotection.
weird. before doing that, i wanted to see if i can mount the dmg. double
clicking it mounted it, opening it and i see what looks like an iphone phone
structure. see attached. i'm able to browse around, but when i try to open files
in the /mobile/media/DCIM folder it's getting errors.. "file may be damaged or
in a file format Preview doesnt recognize."
If I am at this step, this is successfully decrypted, right? At this point,
this is a data issue, which I should check over at PhoneRec forums?
Original comment by [email protected]
on 18 Feb 2012 at 7:54
Attachments:
- [Screen shot 2012-02-18 at 2.49.02 PM.png](https://storage.googleapis.com/google-code-attachments/iphone-dataprotection/issue-38/comment-22/Screen shot 2012-02-18 at 2.49.02 PM.png)
from iphone-dataprotection.
The dmg can be mounted even if the image is not decrypted (because only the
"file contents" are encrypted). The error messages when opening files mean that
emf_decrypter.py did nothing (which is consistent if you said the file
modification time did not change).
There is probably a bug in emf_decrypter.py if it runs forever without
displaying "Decrypting". Can you try again and then interrupt the script
(CTRL+C) and post the python traceback here ? Thanks
Original comment by [email protected]
on 19 Feb 2012 at 3:49
from iphone-dataprotection.
ahh.. that makes sense. thanks for clarifying. still hope i guess... will get
back to you soon.
Original comment by [email protected]
on 20 Feb 2012 at 1:52
from iphone-dataprotection.
it worked! and PhotoRec is finding images of the unallocated portion of the
disk. Whoo hoo!
Thanks for spending so much time and effort making these tools, and most
importantly, opening them up to the world for free.
This is one of those things that really has an effect on people, you've helped
save precious memories!
Cheers
- SD
Original comment by [email protected]
on 20 Feb 2012 at 3:01
from iphone-dataprotection.