By Andrew Hoog | June 19, 2018
HOWTO decrypt iOS 10+ backups with iphone-dataprotecion
This is the third installment in our series HOWTO decrypt iOS 10 backups with open source tools that explores open source tools capable of decrypting iOS 10+ backups with a step-by-step HOWTO approach.
In this post, we’ll examine the venerable iphone-dataprotection toolset that was developed by Jean-Baptiste Bedrune and Jean Sigwald of Sogeti / ESEC in 2011, the early days of the “iOS Crypto Wars”.
Please checked out other posts in this series:
- HOWTO decrypt iOS 10+ backups with irestore
- HOWTO decrypt iOS 10+ backups with iphone-dataprotection [this post]
These tools were setup and run on macOS however should work on Linux with minor modifications.
Note: you must know the backup password…these tools do not implement password cracking techniques
At Hack In The Box Amsterdam 2011 (HITB), researchers Jean-Baptiste Bedrune and Jean Sigwald presented their excellent research on iPhone data protections in a talk entitled, “iPhone Data Protection in Depth” which included accompanying tools and source code.
The tools were updated into 2014 (supporting the iPhone 5) however after that point has not received additional updates.
The great thing about open source tools, though, is the community can pitch in and keep a project going. A number of folks made copies of the code (from Google Code to GitHub) and at least one of those repos (from DinoSec) has received updates enabling the decryption of backups from iOS 10 devices.
Fetch source code
First, let’s clone the updated source code repo from DinoSec:
$ cd git $ git clone email@example.com:dinosec/iphone-dataprotection.git Cloning into 'iphone-dataprotection'... remote: Counting objects: 294, done. remote: Total 294 (delta 0), reused 0 (delta 0), pack-reused 294 Receiving objects: 100% (294/294), 3.38 MiB | 5.22 MiB/s, done. Resolving deltas: 100% (68/68), done.
Next we’ll leverage virtualenv to isolate our python dependencies:
$ cd iphone-dataprotection $ python -m virtualenv --python=`which python2.7` env Running virtualenv with interpreter /usr/bin/python2.7 New python executable in /Users/hiro/Downloads/iphone-dataprotection/env/bin/python Installing setuptools, pip, wheel...done.
And then activate virtualenv and install the tools dependencies:
$ source env/bin/activate $ pip install pycrypto $ pip install construct
Now we’re ready to try it out. The script takes two inputs:
$ python python_scripts/backup_tool.py Usage: python_scripts/backup_tool.py <backup path> [output path]
so to try it out on a iOS 10.3.3 encrypted backup, I ran the following:
$ python python_scripts/backup_tool.py ~/Library/Application\ Support/MobileSync/Backup/<UDID> /tmp Device Name : iphone-me Display Name : iphone-me Last Backup Date : 2018-03-12 07:03:57 IMEI : NNNNNNNNNNNNNNN Serial Number : FFAABBCCDDEE Product Type : iPhone7,2 Product Version : 10.3.3 iTunes Version : 22.214.171.124 Extract backup to /tmp ? (y/n)
The decrypted files were all extracted to
/tmp/ so you might consider creating a separate directory for the files and providing that as the output path.