
Comments (17)

horrorho commented on August 10, 2024 3

Ok. I've figured it out, well mostly. It's an issue with XTS-AES encryption that is tied to the type of device used to create the backup, not to iOS 9.3 per se. I'm currently finishing off XTS-AES code and I'll start testing over the next day or two. I still need to figure out the detection routines for when to use the conventional AES-CBC decryption or the XTS decryption.

from inflatabledonkey.

horrorho commented on August 10, 2024

Thank you for your feedback.

I'm aware of the broken file issue with certain domains and I have been working on it. I reversed the file checksum algorithms earlier today and I'm halfway through coding them. This should tell us if our file decryption is faulty or if applications are using their own additional encryption. If it's the latter then it's currently outside the scope of this project.

I'll report back once I have more information.

As for the WhatsApp file issue, it's a trivial matter to find, cut/copy and paste them into a single folder using Windows Explorer search box. It's just as simple on most Linux distros. There's no need to work through individual folders.

horrorho commented on August 10, 2024

Ok, it's a decryption issue which I'll need to look into. Certain protection classes are not being decrypted properly.

kokozaurz commented on August 10, 2024

Thanks. I'm on OS X - what practice would you recommend to move the files?

horrorho commented on August 10, 2024

I don't have any OSX or iOS devices, so I'll leave it up to others to suggest the best approach.

Either way the core of this concept tool is to retrieve backups, not to manipulate backups post retrieval.

horrorho commented on August 10, 2024

Ok! I spent all night on this and I've pushed a new build. My current retrieval has no WhatsApp file corruption issues whereas it did on previous builds.

As for the cause, I managed to break the protection class key bag/ file decryption code somehow. Obviously I have no idea what I'm doing at times.

If you would kindly try out the new build and let me know if the issue persists. Thank you.

kokozaurz commented on August 10, 2024

@horrorho Just tried it, still unreadable. Can upload a random unreadable file from the bunch if that helps?

horrorho commented on August 10, 2024

Which iOS version are you using?
Are you able to view files in the media or other domains?

I don't think the random files will help. There is another checksum that I've not reversed yet, which should give us a post protection class decryption status. I'll try and work on that as it may give us additional clues.

I may have imagined it, but I vaguely remember newer versions of WhatsApp using disk encryption hence why I'm interested to know if you can view files in other domains.

kokozaurz commented on August 10, 2024

Yes I can. In addition to the one mentioned above I also have iPhone6,2 N53AP. It decrypts all files correctly and everything is viewable.

iOS is 9.3

Theoretically speaking (I'm no crypto expert), wouldn't the encrypted file help to test out various decryption methods locally?

horrorho commented on August 10, 2024

Unfortunately no. Without the decryption key it will appear as random data. To brute force the key would take time magnitudes longer than the age of the universe.

Though I suspect it's an additional security layer that WhatsApp have introduced I will endeavour to reverse the aforementioned other checksum. I have a checksum for data prior to protection class decryption, but not for data post decryption. There is still the chance that the decryption algorithms are buggy.

Again thank you for the feedback. I'll continue to work on this issue.

colincowie10 commented on August 10, 2024

Hi,
Great work! I too (iOS 9.3) cannot open any media files excluding CameraRollDomain. Currently on the newest build.

Thank you for all your hard work.

horrorho commented on August 10, 2024

@colincowie10 Thank you for the feedback. It appears that the protection class decryption has issues with certain backups. The reason for this is unclear to me at the moment but I am looking into it as a priority.

colincowie10 commented on August 10, 2024

Thank you!

horrorho commented on August 10, 2024

Ok! I've spent some time on the issue and it appears iOS 9.3 has additional steps for data protection class decryption. So whilst the current code is not obviously buggy, it is incomplete.

This additional encryption layer doesn't typically appear in the CameraRollDomain but features prominently in other domains such as AppDomain-net.whatsapp.WhatsApp. So iOS 9.3 camera roll files will decrypt but WhatsApp ones will not.

This involves more reversing work for me, which I can't stand. There is an additional issue that might be very tricky to solve, but I'll expand on this later if it does indeed become problematic.

colincowie10 commented on August 10, 2024

Gotcha, keep up the hard work! Much appreciated.

t3zuka commented on August 10, 2024

Would you mind pushing a new branch with the changes so far if you get the chance? I'd like to see how it fits together.

horrorho commented on August 10, 2024

Sorry for the wait! I've pushed the new code. Please refer to the main page for caveats.
