Extracted iPhone backup files
Decrypting the keychain
For unencrypted backups, all the backup files are stored unencrypted except the keychain. The keychain file contents are encrypted with a set of class keys in the Backup keybag. The Backup keybag itself is protected with a key (0x835) derived from the iPhone hardware key (UID key). So, in order to decrypt the keychain, you need to extract the key 0x835 from the device using the demo_bruteforce.py techniques explained in

The iPhone Data Protection tools also contain Python scripts to decrypt the keychain file from the backup. To decrypt the keychain, run the following command in a terminal window and enter your device key 0x835 when prompted:
$ sudo python keychain_tool.py -d \
  "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/KeychainDomain/keychain-backup.plist" \
  "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/Manifest.plist"
This backup is not encrypted, without key 835 nothing in the keychain can be decrypted
If you have key835 for device 6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898 enter it (in hex)
33403aec43adea127459485bf5969502
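
The Manifest.plist passed to the tool carries the Backup keybag described above. The following added example (not code from the book or from the iPhone Data Protection tools) reads the manifest's IsEncrypted flag and lists the class keys in its BackupKeyBag without decrypting anything. It assumes the tag/length/value keybag layout and the WRAP flag bits used by the open-source keybag parsers; the helper names and the sample data are constructed for illustration.

```python
import plistlib
import struct

# Assumed WRAP flag bits: 1 = wrapped with a device key, 2 = wrapped with a passcode-derived key.
WRAP_DEVICE, WRAP_PASSCODE = 1, 2
HEADER_TAGS = {"VERS", "TYPE", "UUID", "HMCK", "WRAP", "SALT", "ITER"}

def iter_tlv(blob):
    """Yield (tag, value): 4-byte ASCII tag, 4-byte big-endian length, then the value."""
    pos = 0
    while pos + 8 <= len(blob):
        tag = blob[pos:pos + 4].decode("ascii")
        (length,) = struct.unpack(">L", blob[pos + 4:pos + 8])
        value = blob[pos + 8:pos + 8 + length]
        if len(value) != length:
            raise ValueError(f"truncated {tag} record at offset {pos}")
        yield tag, value
        pos += 8 + length

def parse_keybag(blob):
    """Split a keybag into header attributes and per-class key records."""
    header, classes, current = {}, [], None
    for tag, value in iter_tlv(blob):
        value = struct.unpack(">L", value)[0] if len(value) == 4 else value
        if tag == "UUID" and "UUID" in header:  # a later UUID opens a class-key record
            current = {"UUID": value}
            classes.append(current)
        elif current is None and tag in HEADER_TAGS:
            header[tag] = value
        elif current is not None:
            current[tag] = value
    return header, classes

def summarize_manifest(manifest_bytes):
    """Return the encryption flag, keybag type and (class, device-wrapped, passcode-wrapped) rows."""
    manifest = plistlib.loads(manifest_bytes)
    header, classes = parse_keybag(manifest["BackupKeyBag"])
    rows = [(c.get("CLAS"), bool(c.get("WRAP", 0) & WRAP_DEVICE),
             bool(c.get("WRAP", 0) & WRAP_PASSCODE)) for c in classes]
    return {"encrypted": bool(manifest.get("IsEncrypted")),
            "keybag_type": header.get("TYPE"), "classes": rows}

def tlv(tag, value):  # builds one record for the constructed sample below
    data = struct.pack(">L", value) if isinstance(value, int) else value
    return tag.encode("ascii") + struct.pack(">L", len(data)) + data

# Constructed sample, not from a real device: a header and two class-key records.
SAMPLE_KEYBAG = b"".join(tlv(t, v) for t, v in [
    ("VERS", 3), ("TYPE", 1), ("UUID", b"\x11" * 16), ("WRAP", 0),
    ("UUID", b"\x22" * 16), ("CLAS", 6), ("WRAP", 3), ("WPKY", b"\xaa" * 40),
    ("UUID", b"\x33" * 16), ("CLAS", 11), ("WRAP", 2), ("WPKY", b"\xbb" * 40)])
SAMPLE_MANIFEST = plistlib.dumps({"IsEncrypted": False, "BackupKeyBag": SAMPLE_KEYBAG})
print(summarize_manifest(SAMPLE_MANIFEST))
```

To inspect a real backup, pass the bytes of its Manifest.plist to summarize_manifest in place of SAMPLE_MANIFEST.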