iOS 10.2 beta new manifest encryption about inflatabledonkey HOT 46 OPEN

As you might expect, particularly in retrospect, Apple simply introduced a new step. It appears to be a double application of PBKDF2 (with the introduction of SHA256):

byte[] kek = PBKDF2.generate(new SHA256Digest(), passcode, dpsl, dpic, KEK_BITLENGTH);
byte[] kek2 = PBKDF2.generate(new SHA1Digest(), kek, salt, iter, KEK_BITLENGTH);
Optional<byte[]> key = RFC3394Wrap.unwrapAES(kek2, wpky);

int KEK_BITLENGTH = 256

I've only tested it on a single key.

from inflatabledonkey.

As you can see in the first python script this is a really hide and seek game, but I did not try like I should :'(

from inflatabledonkey.

@Louti is working on decrypting an iTunes local backup made with iOS 10.2 beta 1, 2, or 3. I'm fairly sure the structure hasn't been reflected in the iCloud keybags sadly!

Did you get anywhere with the new key derivation algorithm @Louti ?

from inflatabledonkey.

Thanks a thousand times!

from inflatabledonkey.

@Louti You're welcome (a thousand times 😺)! I'm just glad I was able to help. I'll examine your updated script after work in more detail. I'll also update InflatableDonkey's key bag code.

@jirmi Educated guesses and not reversed (thankfully).

from inflatabledonkey.

Yes

There's a new entry in manifest.plist called manifestkey. With the help of the keybag you can then decipher the manifest.db

from inflatabledonkey.

@jirmi I tested carefull iOS 10.2 beta 4 (only MobileBackup, not iCloud yet) and I can assure you it's using the same system.

What's the error?

from inflatabledonkey.

Thank you, you had already described what i needed, it was me that was in disbelief on how simple the change. To decrypt the manifest db i have one device that uses class 4 and one that uses class 3, so i am looping over all the classes until i find tge right key

from inflatabledonkey.

Thank you for your detailed thoughts. Unfortunately I've largely stopped working on this project due to time constraints. I still don't own an iPhone so it's a bit tricky for me to test with iOS 10.

I'll try and take some time out to go over your script in more detail over the weekend. It may ultimately require us to reverse engineer binaries to see exactly what's going on under the hood, something I hate doing.

from inflatabledonkey.

Thanks for the quick update ! I ll try to snap the binaries with Xcode as the JB is not out yet. But maybe iCloud for windows already supports it.

I can give you the two manifests files if you need them

from inflatabledonkey.

I should have some time over the following week to examine this issue in more detail. Whether it's a trivial fix or a not remains to be seen.

I've had a look at your script but I would like more information. If you would kindly replace the following two files with their gist equivalents.

InflatableDonkey-master/src/main/java/com/github/horrorho/inflatabledonkey/cloud/clients/KeyBagClient.java
https://gist.github.com/horrorho/0e94c0cee40e8ef9773233dba6423b50

InflatableDonkey-master/src/main/java/com/github/horrorho/inflatabledonkey/data/backup/KeyBagFactory.java
https://gist.github.com/horrorho/4867ceaf71690ea98576a8910715f329

Recompile and run. It may dump out up to three error statements for each key bag it attempts to acquire. The first will contain the raw server response with encrypted fields. The second/ third will contain the decrypted key bag data/ secret which is passed to our key bag decoder. I need to see this data in it's entirety. In isolation this data cannot be used to retrieve iCloud contents but feel free to email me the results at [email protected] if you are uncomfortable about posting the results here.

from inflatabledonkey.

Hello,

I do not really use Inflatable Donkey, but I've seen it's a pretty active project regarding backups. My program is in C++, just ask me the files you need exactly (do you need Manifest.plist & Manifest.db?) I can upload them and send them to you!

from inflatabledonkey.

The InflatableDonkey modifications above should largely isolate the unadulterated key bag data and allow me to examine it. If instead you want to provide the raw protobuf key bag server response and the decrypted 'keybagData' and 'secret' field data then that's fine.

The manifest issue is more involved and I don't think I have the time to devote to it at present. However it may benefit from the elucidation of the key bag problem as both involve an unidentified key unwrap mechanism.

from inflatabledonkey.

Hello,

Can you tell me if this is good : http://pastebin.com/Ya9fEn2T (there are some of my debug code first so don't bother it)

By the way how where you able to debug backup with Windows binaries, does iCloud for windows downloads backups ? How could you run the code ?

Thanks :)

from inflatabledonkey.

Thank you.

It appears that InflatableDonkey has failed to handle the protected key bag record properly. The fields "Keybag" and "secret" have not been successfully decrypted. Let's try and fix this first. I've just pushed a new build that should solve this, assuming it's the same issue as #36.

If I could kindly ask you to grab the latest version of InflatableDonkey, re-apply the above steps and let me know the result.

If this doesn't work I'll need to further clarify the information present in the keybag and also the secret code.

Unless it's changed in the latest Windows build, there is no code to download backups directly or handle iOS data protection. The older data protection code is unchanged from iOS 8 and was a straight port. The newer AES-XTS algorithms I managed to elucidate without resorting to reversing iOS binaries.

from inflatabledonkey.

Hello,

I write you here since I'll communicate you the account details for
testing.
I tested but I'm not sure of the results, so here is an account for testing
with an iOS 10.2 beta 3 password :

Horrorho edit: details removed.

You can use it like you want since there's nothing personal in there

Tell me if I can be of any help !

On Tue, Nov 15, 2016 at 7:13 AM, horrorho [email protected] wrote:

Thank you.

It appears that InflatableDonkey has failed to handle the protected key
bag record properly. The fields "Keybag" and "secret" have not been
successfully decrypted. Let's try and fix this first. I've just pushed a
new build that should solve this, assuming it's the same issue as #36
#36.

If I could kindly ask you to grab the latest version of InflatableDonkey,
re-apply the above steps
#41 (comment)
and let me know the result.

If this doesn't work I'll need to further clarify the information present
in the keybag and also the secret code.

Unless it's changed in the latest Windows build, there is no code to
download backups directly or handle iOS data protection. The older data
protection code is unchanged from iOS 8 and was a straight port. The newer
AES-XTS algorithms I managed to reverse without resorting to reversing iOS
binaries.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#41 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ALYr1nXcKzcfEIIydinlovRUBRfPtBmtks5q-U2FgaJpZM4KsrIC
.

from inflatabledonkey.

Thank you. In future you can email more sensitive information at [email protected]. I've taken the liberty of editing your response.

I'll certainly take a look at the backup most probably after work.

from inflatabledonkey.

Ok. I've managed to download your iPad backup. There was a minor issue that I've patched #44. However the device itself is iOS 9.1 and not 10.2 beta so I cannot replicate the issues you describe.

You can either try the earlier steps with the new build that I've just pushed. However this may fail again as the issue may be rooted further up the chain.

As an alternative I need more details regarding the key bag data. More specifically:

• The "secret" field/ passcode.
• The "keybagData" or all of the header data and one full set of protection class data.

As it stands I only have a partial and idiosyncratically described set of .bin files. Ideally they should be named as they appear in the key bag for me to grab a semantic handle on them e.g: wpky.bin, pbky.bin etc.

Please feel free to ask for further clarification. Also understand that I'm not an iOS security expert so I can't give you any promises as to what I can manage.

N.B. I've deleted your backup data from my Linux box. If you would kindly change the password to the iCloud account.

from inflatabledonkey.

Hello,

This is really weird. I made the account this morning and only used it onto
an iOS 10.2 beta device.

I think that the device still sends old backup to CK, since it's maybe not
compatible with newer backups.

Here you go with the keybag file (taken from our backup program, CTS) : https://we.tl/ca8l7RDwZF

On Tue, Nov 15, 2016 at 12:39 PM, horrorho [email protected] wrote:

Ok. I've managed to download your iPad backup. There was a minor issue
that I've patched #44
#44. However the
device itself is iOS 9.1 and not 10.2 beta so I cannot replicate the issues
you describe.

You can either try the earlier steps
#41 (comment)
with the new build that I've just pushed. However this may fail again as
the issue may be rooted further up the chain.

As an alternative I need more details regarding the key bag data. More
specifically:

• The "secret" field/ passcode.
• The "keybagData" or all of the header data and one full set of
  protection class data.

As it stands I only have a partial and idiosyncratically described set of
.bin files. Ideally they should be named as they appear in the key bag for
me to grab a semantic handle on them e.g: wpky.bin, pbky.bin etc.

Please feel free to ask for further clarification. Also understand that
I'm not an iOS security expert so I can't give you any promises as to what
I can manage.

N.B. I've deleted your backup data from my Linux box. If you would kindly
change the password to the iCloud account.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#41 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ALYr1o8Qxv6leTTqxnFAf2B624PiiBARks5q-ZoEgaJpZM4KsrIC
.

from inflatabledonkey.

Oh the password is 1234

On Tue, Nov 15, 2016 at 12:43 PM, Louka Outrebon [email protected]
wrote:

Hello,

This is really weird. I made the account this morning and only used it
onto an iOS 10.2 beta device.

I think that the device still sends old backup to CK, since it's maybe not
compatible with newer backups.

Here you go with the keybag file (taken from our backup program, CTS)

On Tue, Nov 15, 2016 at 12:39 PM, horrorho [email protected]
wrote:

Ok. I've managed to download your iPad backup. There was a minor issue
that I've patched #44
#44. However the
device itself is iOS 9.1 and not 10.2 beta so I cannot replicate the issues
you describe.

You can either try the earlier steps
#41 (comment)
with the new build that I've just pushed. However this may fail again as
the issue may be rooted further up the chain.

As an alternative I need more details regarding the key bag data. More
specifically:

• The "secret" field/ passcode.
• The "keybagData" or all of the header data and one full set of
  protection class data.

As it stands I only have a partial and idiosyncratically described set of
.bin files. Ideally they should be named as they appear in the key bag for
me to grab a semantic handle on them e.g: wpky.bin, pbky.bin etc.

Please feel free to ask for further clarification. Also understand that
I'm not an iOS security expert so I can't give you any promises as to what
I can manage.

N.B. I've deleted your backup data from my Linux box. If you would kindly
change the password to the iCloud account.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#41 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ALYr1o8Qxv6leTTqxnFAf2B624PiiBARks5q-ZoEgaJpZM4KsrIC
.

from inflatabledonkey.

Thank you. However there should also be a "secret" passcode key.

To clarify further, if we examine your data from http://pastebin.com/Ya9fEn2T:

The "keybagData" here should correspond to the key bag data, i.e. https://we.tl/ca8l7RDwZF.
Line 391.

   recordField {
    identifier {
      name: "keybagData"
    }
    value {
      type: 20
      bytesValue: "\003\244Q\000;F\354\220j\317\...

However there should also be a "secret" passcode.
Line 400.

  recordField {
    identifier {
      name: "secret"
    }
    value {
      type: 20
      bytesValue: "\003\244Q\000|\273\337\227\...

Do you have this "secret" passcode available? This is what we would normally plug into the key derivation function in some manner. As it stands we use it as a password for PBKDF2.

from inflatabledonkey.

As it looks, it was indeed not reflected in the iCloud key bags.

I could not find the new derivation algorithm yet. Guys at http://www.iphonebackupextractor.com/ were able to find it since they have a working program with iOS 10.2 betas.

What's odd is that they added a new salt and an iteration counter of 10'000'000. This can't be PBKFD2 since it takes at least 3mins to derivate a key with a really good processor (http://www.iphonebackupextractor.com/fr/blog/2016/nov/10/ios-102-encryption-fully-supported/).

Any input / ideas would be interesting

from inflatabledonkey.

@Louti What language are you using to process these 10 million rounds of PBKDF2?

from inflatabledonkey.

I tried in python, and C++.
C++ will take at best rates 30 seconds.

from inflatabledonkey.

@Louti I still wouldn't discount PBKDF2 entirely. In fact it sounds like this is Apple's intention. The reason for the high iteration count is to limit brute forcing attempts. The Python time is incomparable to a hardware optimised solution. Apple hardware accelerates numerous cryptographic functions as indeed does modern Intel hardware.

Unfortunately I can't offer too much assistance. I tend to just 'cheat' and pull apart binaries to see what's going on. I often feel that InflatableDonkey was largely an exercise in reverse engineering binaries.

from inflatabledonkey.

@codegoddesskh @Louti
I think I've figured it out based on the new information that you've provided. Up till now I've been trying to replicate the issue in iCloud key bags rather than approach it from an iTunes perspective. I'll test it further and detail the algorithm/ push a gist after work.

Based on @Louti's key bag data.
Header:

VERS:00000003
TYPE:00000001
UUID:af540c6691e840458d820ef4ab89edd8
HMCK:00000000000000000000000000000000000000000000000000000000000000000000000000000000

WRAP:00000000
SALT:bdedebcad0579e8bbdf320d5e5870abc06a9c114
ITER:00002710

DPWT:00000001
DPIC:00989680
DPSL:848e0847540b0de58f1bfcb9e2f651bff3c3b4bc

Class 1. Wrapped key:

UUID:2ded92900a3b4d15b573ad10e2073938
CLAS:00000001
WRAP:00000002
KTYP:00000000
WPKY:f74fd78cefe0816f93f4ee7ea738ff08bc4c029c8a33700f00788ea6c8569ce34fc99f2a1f6f9573

Class 1. KEK/ unwrapped key:

KEK: 7322191fe5075d67265dc3233f4e63f8c9b75c787aa8041632482bb9e02135db
KEY: 5651b31b24a32ce61fa00a1b667c1c9faf50876a292384246da49f8412d1a2a9

from inflatabledonkey.

I'm gonna test right know thanks for looking into it.

Could you just point me on how you got those ? (No need for code can be some very rough pseudo code)

from inflatabledonkey.

Ahhhhhhhhhhhhhhhhh it worked.

Tell me it's not like :
key1 = pbkdf2(password, dpsalt, dpic)
kek = pbkdf2(key1, salt, iter)

from inflatabledonkey.

AHHHHHHHHHHHHHHHHHHHHH.

I did not try the combination of the two.

from inflatabledonkey.

@horrorho @Louti
Thanks! I can also confirm it works. Btw did you just guess it or reverse engineer it from iTunes binaries?

from inflatabledonkey.

http://pastebin.com/3hP7SZ5E here if you want to take a look.

from inflatabledonkey.

@Louti have you managed to decrypt the manifest.db file now?

from inflatabledonkey.

When open-source GitHub projects help commercial developers to get their business back on track... Maybe a bit scary... ^^

Disclaimer: also working for a commercial software, but we managed to do that specific reverse by ourselves some weeks ago.

Don't know @horrorho's point of view, and all of this can be OK, but maybe it would have been fair to acknowledge who you're working for... At least by respect... : )

That being said, peace and love, and keep on the good stuff! ^^

from inflatabledonkey.

@macmade Hi there. Interesting discussion points.

I was aware of the commercial interests but not the specific details. My impression was that this was an issue that would directly impact InflatableDonkey in the near future and was worthy of attention. I don't own any iOS devices at present so @Louti offering logs/ data might seem trivial but was pretty useful for me.

I don't work in IT and I'm not any sort of iOS expert. I'm not really in with the crowd so I'm probably lacking in judgement as to how things are done as if it were.

from inflatabledonkey.

Yeah. Maybe I should have pointed it at the beginning, but I think it was pretty clear. Typing my name (or nick) on Google directly points to my company. I did the same with Kelly to find it was one of our competitor, but that's just fine, part of the game. In the end we exchanged information, solved together a problem and it's a win-win.

We think that when iOS 10.2 will be released the changes will be reflected (possibly beginning of december).

@horrorho you would sure have a really great career in IT with the skills you crafted, you would be a beast.

@macmade Congrats for finding it weeks ago ;)

from inflatabledonkey.

@Louti No worries, since there's no issue with @horrorho, everything's cool, as you say.
I'm sometimes a bit pesky when it comes to Commercial Software interacting with OpenSource, but I really think we should try our best to have some good "opensource karma".

That being said @Louti, I'll be happy to continue this discussion around a beer one day, as I think we're in the same city. My point was not about being simply rude. : )

from inflatabledonkey.

Hi @Louti,
I've just tested beta 4 and it doesn't seem to be working again. Could you pls tell me if it still works for you? Maybe it is just me :-)

from inflatabledonkey.

Thanks for quick reply! It was just stupid beginner's mistake - left in my code some fixed value for the kek while testing, sorry for the false alarm. It still works fine.

from inflatabledonkey.

haaaaarrrggg!!!!

The curiosity is killing me, so what is the final algorythm????

from inflatabledonkey.

@jorgeleo Hi there. I'm somewhat confused by your question. Did you mean the iOS10.2 algorithm alteration which is stated above? Or did you mean the entire key bag decryption process?

from inflatabledonkey.

@jorgeleo I think the right class should be specified by first 4 bytes of the ManifestKey, so it shouldn't be necessary to loop over all of them ...

from inflatabledonkey.

Trying to repeat this #41 (comment) with Obj-C for this project: https://github.com/k06a/iBackupMounter

from inflatabledonkey.

Hey guys, I'm a little bit late to the party. I am trying to implement @horrorho algorithm and I am having trouble finding the "wpky", any help finding this value would be greatly appreciated:

byte[] kek = PBKDF2.generate(new SHA256Digest(), passcode, dpsl, dpic, KEK_BITLENGTH);
byte[] kek2 = PBKDF2.generate(new SHA1Digest(), kek, salt, iter, KEK_BITLENGTH);
Optional<byte[]> key = RFC3394Wrap.unwrapAES(kek2, wpky);

from inflatabledonkey.

por favor no puedo sacar la contrasña de backup ios 10.2.1 con ningun programa comprados ya 3 y tampoco ayuda por fava

from inflatabledonkey.

Please can not remove backup password ios 10.2.1 with any program already purchased 3 and no help by fava

from inflatabledonkey.

Please can not remove backup password ios 10.2.1 with any program already purchased 3 and no help please

from inflatabledonkey.