iOS on irq5 test

Cracking iTunes Backup Passwords with Hashcat

Tue, 07 Mar 2017 01:00:00 +0000

Following the recent announcement of LUKS support in hashcat, I noticed that there have been some commits to support iTunes Backup passwords as well.

[tweet https://twitter.com/hashcat/status/824713111118684160]

This is only useful if the backup was encrypted by setting a backup password on the iOS device. If the backup is not encrypted then all the files are in clear and there is nothing to bruteforce.

The keys used to encrypt the backup are stored in the BackupKeyBag, which can be found in the Manifest.plist file. This keybag is a binary blob, the format of which has already been documented by researchers from Sogeti ESEC Lab.

I have written a simplified script which dumps the BackupKeyBag. You will need the Python bindings from libplist for the script to work. If you cannot get it to work, you can try the Perl script from philsmd instead.

Speeding up iOS Backups

iOS device backups usually take a while, depending on how much storage has been used on your device.

The iOS backup process is driven by the device itself, through the BackupAgent process. This process treats the host PC like a dumb disk store, by sending it commands
like DLMessageCreateDirectory, DLMessageUploadFiles, DLMessageRemoveFiles, DLMessageGetFreeDiskSpace, etc. so that it can determine what has been backed up previously and what to send/update for incremental backups.

For password cracking, we don’t need the entire 64 GB (or God forbid, 128 GB) of data on the iOS device. We just need the Manifest.plist, which is typically less than 50 KB. But because the backup process is controlled by the device and not the PC, we can’t simply ask it to send over that single file. Sometimes when we setup a VM with libimobiledevice, we might also not have allocated such a large virtual disk. Of course when I say “we”, I really mean “I”.

Enable iOS 5 Multitasking Gestures on iPad 1

Sun, 16 Oct 2011 22:29:00 +0000

Now that iOS 5 has been released, it’s easy to enable multitasking gestures on the iPad 1, using the same trick as before for display mirroring. Edit the /System/Library/CoreServices/Springboard.app/K48AP.plist file and add a boolean key multitasking-gestures in the capabilities dict, and set its value to true. You can add both display mirroring and multitasking gestures to the iPad 1 using this method. That’s it! Alternatively you can use Cydia or redsn0w to do this for you.

Python bindings for iTunesMobileDevice.dll

Mon, 12 Sep 2011 01:24:00 +0000

Oddly enough I can’t seem to find a Python wrapper for iTunesMobileDevice.dll. I did manage to find a C# equivalent called Manzana though, which is quite widely used. Anyhow, I bit the bullet and read through the ctypes documentation and wrote AMDevice.py which exposes some simple classes to handle connecting to an iPhone. I only implemented the minimal set of functions required to download and upload files to the iPhone, as I wrote this primarily for my iPhone SMS import script.

Stop iPhone Backup Encryption

Mon, 22 Aug 2011 12:45:00 +0000

Before the days when you could easily opt to use a “complex” passcode from the iPhone Settings, you had to manually use the iPhone Configuration Utility (iPCU). When I created a profile to use a complex passcode, I inadvertently forced my iPhone backups to be encrypted and now that the “Encrypt iPhone backup” checkbox is grayed out, I can’t stop encrypting my backups. But after I jailbroke my phone (because the baseband died), I had the option of mucking around with the system files to see if it could be undone.

Importing SMSes into the iPhone

Sat, 18 Jun 2011 17:15:00 +0000

Since my iPhone 3GS died, I have been using my dad’s Samsung Jet as a temporary replacement phone. I really can’t stand the resistive touch screen - tapping backspace will at times hit the T9 button when I’m composing an SMS. Also, I miss the display of SMSes as a conversation with both sent and received messages in a single place. I obsess over keeping chat history, so naturally I want to find a way to preserve these messages on the phone.

5 iOS Features I'd Love

Tue, 07 Jun 2011 23:18:00 +0000

WWDC 2011 kicked off yesterday with Steve Jobs taking the stage as usual. Sadly, there wasn’t a new iPhone announced (because I’m waiting to replace mine). Nevertheless, I’m still looking forward to iOS 5. Here’s some of the features I thought were great: 1. Notification Center I think this has been on everyone’s wishlist for a really long time. If you have no time to respond to the missed calls or SMSes, notifications are now shown on the lock screen so you can see what you’ve missed at a glance.

Solving the Facebook "No Internet Connection" Problem

Sun, 24 Apr 2011 22:15:00 +0000

Update 15-Aug-2011: This fix only applied to the new version of the iPhone Facebook app back in April 2011. Any problems after April 2011 is probably not the same as the one described here. I recently upgraded to the latest version of the Facebook iPhone app, but I’m not sure if that caused the problem. When you attempt to open your News Feed, it shows “Loading” for a while before showing “No Internet Connection”.

Display Mirroring on the iPad 1

Wed, 06 Apr 2011 15:58:00 +0000

This is interesting, but I don’t have any video out accessories to test it on. You just need to add a boolean that says display-mirroring: YES to the model plist (K48AP.plist for first-gen iPad) under /System/Library/CoreServices/Springboard.app/ and reboot the device. Obviously this requires a jailbroken iPad for you to access the file. It also seems to work with devices that use the A4 chip. I guess this is how Apple did their presentations all along, at all of these iOS device unveiling events.

iOS Profiles & Encrypted Backups

Fri, 14 Jan 2011 11:59:00 +0000

When I got my iPhone, it uses a 4-digit passcode to protect its contents. Unsatisfied with this, I found the iPhone Configuration Utility (iPCU), which was the only way at that time to enable complex passcodes (passwords) on the phone. After creating a profile and uploading it to the phone using the iPCU, my backups were all forced to be encrypted. Encrypted backups are not good for tinkering because you need to decrypt the files before you can edit them, and you need to re-encrypt them for it to be restored to the phone.

"Personal [WiFi] Hotspot" comes to iPhone 4 CDMA

Wed, 12 Jan 2011 02:12:00 +0000

Apple has just announced a new iPhone 4 hardware revision that allows it to be used on CDMA networks. iPhone Personal Hotspot Pref [photo stolen from Ars Technica] Interestingly, the new iPhone comes with a Personal Hotspot preference that allows it to share its 3G connection over WiFi. Ars Technica has photos of the new preference menus. I must stress the photos shown here were not taken by me. Of course the Android people have had this for a while (provided their phones could be updated to Froyo).