def do_undelete(self, p):
     if not self.data.keybag.unlocked:
         print "Warning, keybag is not unlocked, some files will be inaccessible"
     if not self.carver:
         self.carver = NANDCarver(self.data, self.image)
     if False:  #len(p):
         z = self.volume.catalogTree.getLBAsHax()
         v = self.volume.getFileRecordForPath(self.curdir)
         folderId = v.folderID
         f = lambda k, v: k.parentID == folderId
     else:
         z = None
         f = None
     self.carver.carveDeletedFiles_fast(z, f)
 def do_undelete(self, p):
     if not self.data.keybag.unlocked:
         print "Warning, keybag is not unlocked, some files will be inaccessible"
     if not self.carver:
         if self.image.ppn:
             self.carver = PPNCarver(self.data, self.image)
         else:
             self.carver = NANDCarver(self.data, self.image)
     if False:#len(p):
         z =  self.volume.catalogTree.getLBAsHax()
         v = self.volume.getFileRecordForPath(self.curdir)
         folderId = v.folderID
         f = lambda k,v: k.parentID == folderId
     else:
         z = None
         f = None
     self.carver.carveDeletedFiles_fast(z, f)
Example #3
0
class ExaminerShell(Cmd):
    def __init__(self, image, completekey='tab', stdin=None, stdout=None):
        Cmd.__init__(self, completekey=completekey, stdin=stdin, stdout=stdout)
        self.curdir = "/"
        self.rdisk = None
        if image.filename == "remote":
            self.rdisk = RamdiskToolClient.get()
        self.device_infos = image.device_infos
        self.complete_open = self._complete
        self.complete_xattr = self._complete
        self.complete_cprotect = self._complete
        self.complete_ls = self._complete
        self.complete_cd = self._complete
        self.complete_plist = self._complete
        self.complete_xxd = self._complete
        self.image = image
        if image.ppn and image.filename == "remote":
            self.savepath = "."
            print "Remote PPN device, use nand_dump + save, other commands will fail"
            return
        self.system = image.getPartitionVolume(0)
        self.data = image.getPartitionVolume(1)
        self.volume = None
        self.volname = ""
        grab_system_version(self.system, self.device_infos)
        print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) * "un")
        self.deviceName = get_device_name(self.data)
        self.do_data("")
        self.savepath = os.path.join(os.path.dirname(image.filename), "%s.plist" % self.device_infos.udid[:10])
        #if image.iosVersion > 3 and not image.device_infos.has_key("passcode"):
        #    print "No passcode found in plist file, bruteforce required to access protected data"
        
        self.carver = None
    
    def set_partition(self, name, vol):
        self.volume = vol
        self.do_cd("/")
        self.volname = name
        self.prompt = "(%s-%s) %s " % (self.deviceName, self.volname, self.curdir)
    
    def do_info(self, p):
        pprint(self.device_infos)
        
    def do_save(self, p):
        print "Save device information plist to [%s]:" % self.savepath,
        path2 = raw_input()
        if path2: self.savepath = path2
        if os.path.exists(self.savepath):
            print "File already exists, overwrite ? [y/n]:",
            if raw_input() != "y":
                return
        plistlib.writePlist(self.device_infos, self.savepath)
        
    def do_system(self, p):
        self.set_partition("system", self.system)
    
    def do_data(self, p):
        self.set_partition("data", self.data)
    
    def do_pix(self, p):
        self.do_data("")
        self.do_cd("/mobile/Media/DCIM/100APPLE")
        
    def do_keychain(self, p):
        #self.data.readFile("/Keychains/keychain-2.db")
        self._pull__and_open_sqlitedb("/Keychains/keychain-2.db")
        keychain = keychain_load("keychain-2.db", self.data.keybag, self.image.device_infos["key835"].decode("hex"))
        keychain.print_all(False)
    
    def do_keychain_cert(self, p):
        t = p.split()
        id = int(t[0])
        if len(t) == 2: filename = t[1]
        else: filename = ""
        keychain = keychain_load("keychain-2.db", self.data.keybag, self.image.device_infos["key835"].decode("hex"))
        keychain.cert(id, filename)
    
    def do_keychain_key(self, p):
        t = p.split()
        id = int(t[0])
        if len(t) == 2: filename = t[1]
        else: filename = ""
        keychain = keychain_load("keychain-2.db", self.data.keybag, self.image.device_infos["key835"].decode("hex"))
        keychain.key(id, filename)
    
    def do_exit(self, p):
        return True
    
    def do_quit(self, p):
        return self.do_exit(p)

    def do_reboot(self, p):
        if not self.rdisk:
            self.rdisk = RamdiskToolClient.get()
        self.rdisk.reboot()
        return self.do_exit(p)
    
    def do_pwd(self, p):
        print self.curdir
            
    def do_cd(self, p):
        if len(p) == 0: p = "/"
        if not p.startswith("/"):
            new = self.curdir + p
        else:
            new = p
        if not p.endswith("/"): new = new + "/"
        d = self.volume.ls(new)
        if d != None:
            self.curdir = new
            self.prompt = "(%s-%s) %s " % (self.deviceName, self.volname, new)
        else:
            print "%s not found/is not a directory" % new
            
    def get_path(self, p):
        path = p
        if not path.startswith("/"):
            path = self.curdir + path
        return path
   
    def _complete(self, text, line, begidx, endidx):
        filename = text.split("/")[-1]
        dirname = "/".join(text.split("/")[:-1])
        if text.startswith("/"):
            contents = self.volume.ls(dirname)
        else:
            contents = self.volume.ls(self.curdir + dirname)
        if not contents:
            return []
        if dirname != "" and not dirname.endswith("/"):
            dirname += "/"
        res = [dirname + x for x in contents.keys() if x.startswith(filename)]
        return res
    
    #TODO if size==0 check if compressed
    def do_ls(self, p):
        dirDict = self.volume.ls((self.curdir + "/" + p).replace("//","/")) 
        if not dirDict:
            return
        for name in sorted(dirDict.keys()):
            size = ""
            protection_class = ""
            record = dirDict[name]
            if hasattr(record, "fileID"):
                size = sizeof_fmt(record.dataFork.logicalSize)
                cprotect = self.volume.getXattr(record.fileID, "com.apple.system.cprotect")
                if cprotect:
                    protection_class = PROTECTION_CLASSES[struct.unpack("<L", cprotect[8:12])[0]]
            print "%s\t%s\t%s\t%s" % (name[:30].ljust(30), size.ljust(10), hfs_date(record.createDate), protection_class)
    
    def do_undelete(self, p):
        if not self.data.keybag.unlocked:
            print "Warning, keybag is not unlocked, some files will be inaccessible"
        if not self.carver:
            if self.image.ppn:
                self.carver = PPNCarver(self.data, self.image)
            else:
                self.carver = NANDCarver(self.data, self.image)
        if False:#len(p):
            z =  self.volume.catalogTree.getLBAsHax()
            v = self.volume.getFileRecordForPath(self.curdir)
            folderId = v.folderID
            f = lambda k,v: k.parentID == folderId
        else:
            z = None
            f = None
        self.carver.carveDeletedFiles_fast(z, f)
        #self.carver.carveDeleteFiles_slow(z, f)
    
    def do_xattr(self, p):
        xattr = self.volume.listXattrs(self.get_path(p))
        if not xattr:
            return
        for name, value in xattr.items():
            print name, value.encode("hex")

    def do_protected_files(self, p):
        self.data.list_protected_files()
        
    def do_cprotect(self, p):
        id = self.volume.getFileIDByPath(self.get_path(p))
        if not id:
            return
        
        cprotect = self.volume.getXattr(id, "com.apple.system.cprotect")
        if not cprotect:
            return
        cp = cprotect_xattr.parse(cprotect)
        print cp
        print "Protection class %d => %s" % (cp.persistent_class, PROTECTION_CLASSES.get(cp.persistent_class))
        if not cp.persistent_key:
            return
        fk = self.volume.getFileKeyForCprotect(cprotect)
        if fk:
            print "Unwrapped file key : %s" % fk.encode("hex")
        else:
            print "Cannot decrypt file key"


    def do_open(self, p):
        path = self.get_path(p)
        if self.volume.readFile(path):
            os.startfile(os.path.basename(path))

    def do_xxd(self, p):
        t = p.split()
        path = self.get_path(t[0])
        data = self.volume.readFile(path, returnString=True)
        if not data:
            return
        if len(t) > 1:
            hexdump(data[:int(t[1])])
        else:
            hexdump(data[:0x200])
            if len(data) > 0x200:
                print "Output truncated to %d bytes" % 0x200
    
    def do_effaceable(self, p):
        print "Effaceable Lockers"
        for k,v in self.image.lockers.lockers.items():
            print "%s: %s" % (k, v.encode("hex"))
    
    def do_BAG1(self, p):
        print "BAG1 locker from effaceable storage"
        bag1 = self.image.lockers.get("BAG1")
        hexdump(bag1)
        print "IV:", bag1[4:20].encode("hex")
        print "Key:", bag1[20:].encode("hex")
    
    def do_keybag(self, p):
        self.data.keybag.printClassKeys()
        
    def do_plist(self, p):
        d = None
        data = self.volume.readFile(self.get_path(p), returnString=True)
        if data:
            d = parsePlist(data)
            pprint(d)
        else:
            try:
                d = readPlist(p)
                if d: pprint(d)
            except:
                pass
        if d and d.has_key("_MKBIV"):
            print "=>System keybag file"
            print "_MKBPAYLOAD: encrypted"
            print "_MKBIV: %s" % d["_MKBIV"].data.encode("hex")
            print "_MKBWIPEID: 0x%x (%s)" % (d["_MKBWIPEID"], ("%x"%(d["_MKBWIPEID"])).decode("hex"))
    
    def do_bruteforce(self, p):
        if bruteforcePasscode(self.image.device_infos, self.data):
            print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) * "un")
            self.do_save("")
    
    def do_ptable(self, p):
        pt = self.image.getPartitionTable()
        print "Block device partition table"
        print "".join(map(lambda x:x.ljust(12), ["Index", "Name", "Start LBA", "End LBA", "Size"]))
        for i in xrange(len(pt)):
            p = pt[i]
            print "".join(map(lambda x:str(x).ljust(12), [i, p.name, p.first_lba, p.last_lba, sizeof_fmt((p.last_lba - p.first_lba)*self.image.pageSize)])) 

    def do_nand_dump(self, p):
        if len(p)==0:
            print "Usage: nand_dump my_nand.bin"
            return
        self.image.dump(p)

    def do_dd(self, p):
        if len(p)==0:
            print "Usage: dd output_file.dmg"
            return
        self.volume.bdev.dumpToFile(p.split()[0])
        
    def do_img3(self, p):
        self.image.extract_img3s("./")
    
    def do_shsh(self, p):
        self.image.extract_shsh()

    def _pull__and_open_sqlitedb(self, path):
        outdir = "/tmp/"
        self.volume.readFile(path, outdir)
        self.volume.readFile(path + "-shm", outdir)
        if self.volume.readFile(path + "-wal", outdir):
            if sqlite3.sqlite_version < "3.7":
                print "Python sqlite3 version %s < 3.7" % (sqlite3.sqlite_version)
                print "Please update python sqlite dll to use this feature on iOS 6+ images (WAL)"
                return
        dbpath = os.path.join(outdir, os.path.basename(path))
        print dbpath
        return sqlite3.connect(dbpath)

    def do_sms(self, p):
        conn = self._pull__and_open_sqlitedb("/mobile/Library/SMS/sms.db")
        if not conn: return
        #http://linuxsleuthing.blogspot.fr/2012/10/whos-texting-ios6-smsdb.html
        z = conn.execute("""SELECT
            DATETIME(date + 978307200, 'unixepoch', 'localtime') as Date,
              h.id as "Phone Number",
                CASE is_from_me
                WHEN 0 THEN "Received"
                WHEN 1 THEN "Sent"
                ELSE "Unknown"
                  END as Type,
              text as Text
              FROM message m, handle h
              WHERE h.rowid = m.handle_id
              ORDER BY Date ASC;""")

        print " ".join(["Date".ljust(20), "To/From".ljust(12), "Text"])
        for row in z.fetchall():
            print row[0].ljust(21) + row[1].ljust(13) + row[3][:80]

    def do_contacts(self, p):
        conn = self._pull__and_open_sqlitedb("/mobile/Library/AddressBook/AddressBook.sqlitedb")
        if not conn: return
        #https://gist.github.com/laacz/1180765
        conn = sqlite3.connect("AddressBook.sqlitedb")
        z = conn.execute("""select ABPerson.first,
                                 ABPerson.last,
                                 ABPerson.Organization as organization,
                                 (select value from ABMultiValue where property = 4 and record_id = ABPerson.ROWID LIMIT 1) as email
                                 from ABPerson
                                order by ABPerson.ROWID;""")

        print "".join(["First name".ljust(15), "Last name".ljust(15), "Organization".ljust(15), "Email"])
        for row in z.fetchall():
            row = map(str, row)
            print row[0].ljust(15) + row[1].ljust(15) + row[2].ljust(15) + row[3]

    def do_email(self, p):
        conn = self._pull__and_open_sqlitedb("/mobile/Library/Mail/Protected Index")
        #conn = self._pull__and_open_sqlitedb("/mobile/Library/Mail/Envelope Index")
        z = conn.execute("SELECT message_id, sender, _to, subject from messages")
        print "  ".join(map(lambda x:x.ljust(40), ["From", "To", "Subject"]))
        for row in z.fetchall():
            print "  ".join(map(lambda x:x.ljust(40)[:40], row[1:]))

    def do_debug(self,p):
        from IPython.Shell import IPShellEmbed
        ipshell = IPShellEmbed()
        ipshell(local_ns=locals())
class ExaminerShell(Cmd):
    def __init__(self, image, completekey='tab', stdin=None, stdout=None):
        Cmd.__init__(self, completekey=completekey, stdin=stdin, stdout=stdout)
        self.curdir = "/"
        self.rdisk = None
        if image.filename == "remote":
            self.rdisk = RamdiskToolClient.get()
        self.device_infos = image.device_infos
        self.complete_open = self._complete
        self.complete_xattr = self._complete
        self.complete_cprotect = self._complete
        self.complete_ls = self._complete
        self.complete_cd = self._complete
        self.complete_plist = self._complete
        self.complete_xxd = self._complete
        self.image = image
        self.system = image.getPartitionVolume(0)
        self.data = image.getPartitionVolume(1)
        self.volume = None
        self.volname = ""
        grab_system_version(self.system, self.device_infos)
        print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) * "un")
        self.deviceName = get_device_name(self.data)
        self.do_data("")
        self.savepath = os.path.join(os.path.dirname(image.filename), "%s.plist" % self.device_infos.udid[:10])
        #if image.iosVersion > 3 and not image.device_infos.has_key("passcode"):
        #    print "No passcode found in plist file, bruteforce required to access protected data"
        
        self.carver = None
    
    def set_partition(self, name, vol):
        self.volume = vol
        self.do_cd("/")
        self.volname = name
        self.prompt = "(%s-%s) %s " % (self.deviceName, self.volname, self.curdir)
    
    def do_info(self, p):
        pprint(self.device_infos)
        
    def do_save(self, p):
        print "Save device information plist to [%s]:" % self.savepath,
        path2 = raw_input()
        if path2: self.savepath = path2
        if os.path.exists(self.savepath):
            print "File already exists, overwrite ? [y/n]:",
            if raw_input() != "y":
                return
        plistlib.writePlist(self.device_infos, self.savepath)
        
    def do_system(self, p):
        self.set_partition("system", self.system)
    
    def do_data(self, p):
        self.set_partition("data", self.data)
    
    def do_pix(self, p):
        self.do_data("")
        self.do_cd("/mobile/Media/DCIM/100APPLE")
        
    def do_keychain(self, p):
        self.data.readFile("/Keychains/keychain-2.db")
        keychain = keychain_load("keychain-2.db", self.data.keybag, self.image.device_infos["key835"].decode("hex"))
        keychain.print_all(False)
    
    def do_keychain_cert(self, p):
        t = p.split()
        id = int(t[0])
        if len(t) == 2: filename = t[1]
        else: filename = ""
        keychain = keychain_load("keychain-2.db", self.data.keybag, self.image.device_infos["key835"].decode("hex"))
        keychain.cert(id, filename)
    
    def do_keychain_key(self, p):
        t = p.split()
        id = int(t[0])
        if len(t) == 2: filename = t[1]
        else: filename = ""
        keychain = keychain_load("keychain-2.db", self.data.keybag, self.image.device_infos["key835"].decode("hex"))
        keychain.key(id, filename)
    
    def do_exit(self, p):
        return True
    
    def do_quit(self, p):
        return self.do_exit(p)

    def do_reboot(self, p):
        if not self.rdisk:
            self.rdisk = RamdiskToolClient.get()
        self.rdisk.reboot()
        return self.do_exit(p)
    
    def do_pwd(self, p):
        print self.curdir
            
    def do_cd(self, p):
        if len(p) == 0: p = "/"
        if not p.startswith("/"):
            new = self.curdir + p
        else:
            new = p
        if not p.endswith("/"): new = new + "/"
        d = self.volume.ls(new)
        if d != None:
            self.curdir = new
            self.prompt = "(%s-%s) %s " % (self.deviceName, self.volname, new)
        else:
            print "%s not found/is not a directory" % new
            
    def get_path(self, p):
        path = p
        if not path.startswith("/"):
            path = self.curdir + path
        return path
   
    def _complete(self, text, line, begidx, endidx):
        filename = text.split("/")[-1]
        dirname = "/".join(text.split("/")[:-1])
        if text.startswith("/"):
            contents = self.volume.ls(dirname)
        else:
            contents = self.volume.ls(self.curdir + dirname)
        if not contents:
            return []
        if dirname != "" and not dirname.endswith("/"):
            dirname += "/"
        res = [dirname + x for x in contents.keys() if x.startswith(filename)]
        return res
    
    #TODO if size==0 check if compressed
    def do_ls(self, p):
        dirDict = self.volume.ls((self.curdir + "/" + p).replace("//","/")) 
        if not dirDict:
            return
        for name in sorted(dirDict.keys()):
            size = ""
            protection_class = ""
            record = dirDict[name]
            if hasattr(record, "fileID"):
                size = sizeof_fmt(record.dataFork.logicalSize)
                cprotect = self.volume.getXattr(record.fileID, "com.apple.system.cprotect")
                if cprotect:
                    protection_class = PROTECTION_CLASSES[struct.unpack("<L", cprotect[8:12])[0]]
            print "%s\t%s\t%s\t%s" % (name[:30].ljust(30), size.ljust(10), hfs_date(record.createDate), protection_class)
    
    def do_undelete(self, p):
        if not self.data.keybag.unlocked:
            print "Warning, keybag is not unlocked, some files will be inaccessible"
        if not self.carver:
            self.carver = NANDCarver(self.data, self.image)
        if False:#len(p):
            z =  self.volume.catalogTree.getLBAsHax()
            v = self.volume.getFileRecordForPath(self.curdir)
            folderId = v.folderID
            f = lambda k,v: k.parentID == folderId
        else:
            z = None
            f = None
        self.carver.carveDeletedFiles_fast(z, f)
        #self.carver.carveDeleteFiles_slow(z, f)
    
    def do_xattr(self, p):
        xattr = self.volume.listXattrs(self.get_path(p))
        if not xattr:
            return
        for name, value in xattr.items():
            print name, value.encode("hex")

    def do_protected_files(self, p):
        self.data.list_protected_files()
        
    def do_cprotect(self, p):
        id = self.volume.getFileIDByPath(self.get_path(p))
        if not id:
            return
        
        cprotect = self.volume.getXattr(id, "com.apple.system.cprotect")
        if not cprotect:
            return
        cp = cprotect_xattr.parse(cprotect)
        print cp
        print "Protection class %d => %s" % (cp.persistent_class, PROTECTION_CLASSES.get(cp.persistent_class))
        if not cp.persistent_key:
            return
        fk = self.volume.getFileKeyForCprotect(cprotect)
        if fk:
            print "Unwrapped file key : %s" % fk.encode("hex")
        else:
            print "Cannot decrypt file key"


    def do_open(self, p):
        path = self.get_path(p)
        if self.volume.readFile(path):
            os.startfile(os.path.basename(path))

    def do_xxd(self, p):
        t = p.split()
        path = self.get_path(t[0])
        data = self.volume.readFile(path, returnString=True)
        if not data:
            return
        if len(t) > 1:
            hexdump(data[:int(t[1])])
        else:
            hexdump(data)
    
    def do_effaceable(self, p):
        print "Effaceable Lockers"
        for k,v in self.image.lockers.lockers.items():
            print "%s: %s" % (k, v.encode("hex"))
    
    def do_BAG1(self, p):
        print "BAG1 locker from effaceable storage"
        bag1 = self.image.lockers.get("BAG1")
        hexdump(bag1)
        print "IV:", bag1[4:20].encode("hex")
        print "Key:", bag1[20:].encode("hex")
    
    def do_keybag(self, p):
        self.data.keybag.printClassKeys()
        
    def do_plist(self, p):
        d = None
        data = self.volume.readFile(self.get_path(p), returnString=True)
        if data:
            d = parsePlist(data)
            pprint(d)
        else:
            try:
                d = readPlist(p)
                if d: pprint(d)
            except:
                pass
        if d and d.has_key("_MKBIV"):
            print "=>System keybag file"
            print "_MKBPAYLOAD: encrypted"
            print "_MKBIV: %s" % d["_MKBIV"].data.encode("hex")
            print "_MKBWIPEID: 0x%x (%s)" % (d["_MKBWIPEID"], ("%x"%(d["_MKBWIPEID"])).decode("hex"))
    
    def do_bruteforce(self, p):
        if bruteforcePasscode(self.image.device_infos, self.data):
            print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) * "un")
            self.do_save("")
    
    def do_ptable(self, p):
        pt = self.image.getPartitionTable()
        print "Block device partition table"
        print "".join(map(lambda x:x.ljust(12), ["Index", "Name", "Start LBA", "End LBA", "Size"]))
        for i in xrange(len(pt)):
            p = pt[i]
            print "".join(map(lambda x:str(x).ljust(12), [i, p.name, p.first_lba, p.last_lba, sizeof_fmt((p.last_lba - p.first_lba)*self.image.pageSize)])) 

    def do_nand_dump(self, p):
        if len(p)==0:
            print "Usage: nand_dump my_nand.bin"
            return
        self.image.dump(p)

    def do_dd(self, p):
        if len(p)==0:
            print "Usage: dd output_file.dmg"
            return
        self.volume.bdev.dumpToFile(p.split()[0])
        
    def do_img3(self, p):
        self.image.extract_img3s()
    
    def do_shsh(self, p):
        self.image.extract_shsh()

    def do_debug(self,p):
        from IPython.Shell import IPShellEmbed
        ipshell = IPShellEmbed()
        ipshell(local_ns=locals())
class ExaminerShell(Cmd):
    def __init__(self, image, completekey='tab', stdin=None, stdout=None):
        Cmd.__init__(self, completekey=completekey, stdin=stdin, stdout=stdout)
        self.curdir = "/"
        self.rdisk = None
        if image.filename == "remote":
            self.rdisk = RamdiskToolClient.get()
        self.device_infos = image.device_infos
        self.complete_open = self._complete
        self.complete_xattr = self._complete
        self.complete_cprotect = self._complete
        self.complete_ls = self._complete
        self.complete_cd = self._complete
        self.complete_plist = self._complete
        self.complete_xxd = self._complete
        self.image = image
        self.system = image.getPartitionVolume(0)
        self.data = image.getPartitionVolume(1)
        self.volume = None
        self.volname = ""
        grab_system_version(self.system, self.device_infos)
        print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) *
                                          "un")
        self.deviceName = get_device_name(self.data)
        self.do_data("")
        self.savepath = os.path.join(os.path.dirname(image.filename),
                                     "%s.plist" % self.device_infos.udid[:10])
        #if image.iosVersion > 3 and not image.device_infos.has_key("passcode"):
        #    print "No passcode found in plist file, bruteforce required to access protected data"

        self.carver = None

    def set_partition(self, name, vol):
        self.volume = vol
        self.do_cd("/")
        self.volname = name
        self.prompt = "(%s-%s) %s " % (self.deviceName, self.volname,
                                       self.curdir)

    def do_info(self, p):
        pprint(self.device_infos)

    def do_save(self, p):
        print "Save device information plist to [%s]:" % self.savepath,
        path2 = raw_input()
        if path2: self.savepath = path2
        if os.path.exists(self.savepath):
            print "File already exists, overwrite ? [y/n]:",
            if raw_input() != "y":
                return
        plistlib.writePlist(self.device_infos, self.savepath)

    def do_system(self, p):
        self.set_partition("system", self.system)

    def do_data(self, p):
        self.set_partition("data", self.data)

    def do_pix(self, p):
        self.do_data("")
        self.do_cd("/mobile/Media/DCIM/100APPLE")

    def do_keychain(self, p):
        self.data.readFile("/Keychains/keychain-2.db")
        keychain = keychain_load(
            "keychain-2.db", self.data.keybag,
            self.image.device_infos["key835"].decode("hex"))
        keychain.print_all(False)

    def do_keychain_cert(self, p):
        t = p.split()
        id = int(t[0])
        if len(t) == 2: filename = t[1]
        else: filename = ""
        keychain = keychain_load(
            "keychain-2.db", self.data.keybag,
            self.image.device_infos["key835"].decode("hex"))
        keychain.cert(id, filename)

    def do_keychain_key(self, p):
        t = p.split()
        id = int(t[0])
        if len(t) == 2: filename = t[1]
        else: filename = ""
        keychain = keychain_load(
            "keychain-2.db", self.data.keybag,
            self.image.device_infos["key835"].decode("hex"))
        keychain.key(id, filename)

    def do_exit(self, p):
        return True

    def do_quit(self, p):
        return self.do_exit(p)

    def do_reboot(self, p):
        if not self.rdisk:
            self.rdisk = RamdiskToolClient.get()
        self.rdisk.reboot()
        return self.do_exit(p)

    def do_pwd(self, p):
        print self.curdir

    def do_cd(self, p):
        if len(p) == 0: p = "/"
        if not p.startswith("/"):
            new = self.curdir + p
        else:
            new = p
        if not p.endswith("/"): new = new + "/"
        d = self.volume.ls(new)
        if d != None:
            self.curdir = new
            self.prompt = "(%s-%s) %s " % (self.deviceName, self.volname, new)
        else:
            print "%s not found/is not a directory" % new

    def get_path(self, p):
        path = p
        if not path.startswith("/"):
            path = self.curdir + path
        return path

    def _complete(self, text, line, begidx, endidx):
        filename = text.split("/")[-1]
        dirname = "/".join(text.split("/")[:-1])
        if text.startswith("/"):
            contents = self.volume.ls(dirname)
        else:
            contents = self.volume.ls(self.curdir + dirname)
        if not contents:
            return []
        if dirname != "" and not dirname.endswith("/"):
            dirname += "/"
        res = [dirname + x for x in contents.keys() if x.startswith(filename)]
        return res

    #TODO if size==0 check if compressed
    def do_ls(self, p):
        dirDict = self.volume.ls((self.curdir + "/" + p).replace("//", "/"))
        if not dirDict:
            return
        for name in sorted(dirDict.keys()):
            size = ""
            protection_class = ""
            record = dirDict[name]
            if hasattr(record, "fileID"):
                size = sizeof_fmt(record.dataFork.logicalSize)
                cprotect = self.volume.getXattr(record.fileID,
                                                "com.apple.system.cprotect")
                if cprotect:
                    protection_class = PROTECTION_CLASSES[struct.unpack(
                        "<L", cprotect[8:12])[0]]
            print "%s\t%s\t%s\t%s" % (name[:30].ljust(30), size.ljust(10),
                                      hfs_date(
                                          record.createDate), protection_class)

    def do_undelete(self, p):
        if not self.data.keybag.unlocked:
            print "Warning, keybag is not unlocked, some files will be inaccessible"
        if not self.carver:
            self.carver = NANDCarver(self.data, self.image)
        if False:  #len(p):
            z = self.volume.catalogTree.getLBAsHax()
            v = self.volume.getFileRecordForPath(self.curdir)
            folderId = v.folderID
            f = lambda k, v: k.parentID == folderId
        else:
            z = None
            f = None
        self.carver.carveDeletedFiles_fast(z, f)
        #self.carver.carveDeleteFiles_slow(z, f)

    def do_xattr(self, p):
        xattr = self.volume.listXattrs(self.get_path(p))
        if not xattr:
            return
        for name, value in xattr.items():
            print name, value.encode("hex")

    def do_protected_files(self, p):
        self.data.list_protected_files()

    def do_cprotect(self, p):
        id = self.volume.getFileIDByPath(self.get_path(p))
        if not id:
            return

        cprotect = self.volume.getXattr(id, "com.apple.system.cprotect")
        if not cprotect:
            return
        cp = cprotect_xattr.parse(cprotect)
        print cp
        print "Protection class %d => %s" % (
            cp.persistent_class, PROTECTION_CLASSES.get(cp.persistent_class))
        if not cp.persistent_key:
            return
        fk = self.volume.getFileKeyForCprotect(cprotect)
        if fk:
            print "Unwrapped file key : %s" % fk.encode("hex")
        else:
            print "Cannot decrypt file key"

    def do_open(self, p):
        path = self.get_path(p)
        if self.volume.readFile(path):
            os.startfile(os.path.basename(path))

    def do_xxd(self, p):
        t = p.split()
        path = self.get_path(t[0])
        data = self.volume.readFile(path, returnString=True)
        if not data:
            return
        if len(t) > 1:
            hexdump(data[:int(t[1])])
        else:
            hexdump(data)

    def do_effaceable(self, p):
        print "Effaceable Lockers"
        for k, v in self.image.lockers.lockers.items():
            print "%s: %s" % (k, v.encode("hex"))

    def do_BAG1(self, p):
        print "BAG1 locker from effaceable storage"
        bag1 = self.image.lockers.get("BAG1")
        hexdump(bag1)
        print "IV:", bag1[4:20].encode("hex")
        print "Key:", bag1[20:].encode("hex")

    def do_keybag(self, p):
        self.data.keybag.printClassKeys()

    def do_plist(self, p):
        d = None
        data = self.volume.readFile(self.get_path(p), returnString=True)
        if data:
            d = parsePlist(data)
            pprint(d)
        else:
            try:
                d = readPlist(p)
                if d: pprint(d)
            except:
                pass
        if d and d.has_key("_MKBIV"):
            print "=>System keybag file"
            print "_MKBPAYLOAD: encrypted"
            print "_MKBIV: %s" % d["_MKBIV"].data.encode("hex")
            print "_MKBWIPEID: 0x%x (%s)" % (d["_MKBWIPEID"],
                                             ("%x" %
                                              (d["_MKBWIPEID"])).decode("hex"))

    def do_bruteforce(self, p):
        if bruteforcePasscode(self.image.device_infos, self.data):
            print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) *
                                              "un")
            self.do_save("")

    def do_ptable(self, p):
        pt = self.image.getPartitionTable()
        print "Block device partition table"
        print "".join(
            map(lambda x: x.ljust(12),
                ["Index", "Name", "Start LBA", "End LBA", "Size"]))
        for i in xrange(len(pt)):
            p = pt[i]
            print "".join(
                map(lambda x: str(x).ljust(12), [
                    i, p.name, p.first_lba, p.last_lba,
                    sizeof_fmt(
                        (p.last_lba - p.first_lba) * self.image.pageSize)
                ]))

    def do_nand_dump(self, p):
        if len(p) == 0:
            print "Usage: nand_dump my_nand.bin"
            return
        self.image.dump(p)

    def do_dd(self, p):
        if len(p) == 0:
            print "Usage: dd output_file.dmg"
            return
        self.volume.bdev.dumpToFile(p.split()[0])

    def do_img3(self, p):
        self.image.extract_img3s()

    def do_shsh(self, p):
        self.image.extract_shsh()

    def do_debug(self, p):
        from IPython.Shell import IPShellEmbed
        ipshell = IPShellEmbed()
        ipshell(local_ns=locals())