Problem with demo_bruteforce.py on iOS 7.1.1

[GoogleCodeExporter]

This worked on my test device with iOS version 7.0.x, but the same command 
failed once updating to iOS 7.1.1.

What steps will reproduce the problem?
1. I did all the steps down to the demo_bruteforce.py step

What is the expected output?
Seeing the brute force action taking place.

What do you see instead?

$ python python_scripts/demo_bruteforce.py

Connecting to device : xxxxxx
Keybag UUID : xxxxxxx
Enter passcode or leave blank for bruteforce:

Trying all 4-digits passcodes...
Traceback (most recent call last):
  File "python_scripts/demo_bruteforce.py", line 88, in <module>
    bf_system()
  File "python_scripts/demo_bruteforce.py", line 55, in bf_system
    di.update(bf)
ValueError: dictionary update sequence element #0 has length 1; 2 is required

What version of the product are you using? On what operating system?
OS X version: 10.9.3
XCode version: 5.1.1
Tools revision: 3cdc9a532c6b tip

Please provide any additional information below.
If I enter the correct passcode manually, I get passcode OK.

Enter passcode or leave blank for bruteforce:
XXXX
Passcode "XXXX" OK
Downloaded keychain database, use keychain_tool.py to decrypt secrets

Original issue reported on code.google.com by [email protected] on 23 May 2014 at 10:38

[GoogleCodeExporter]

By the way, I have been using an iPhone 4.

Original comment by [email protected] on 23 May 2014 at 12:56

[GoogleCodeExporter]

can you add the following code just before line 55 in demo_bruteforce.py
print bf
then re-run it and post the output. also is the correct passcode 4 digit or 
complex ?
thanks

Original comment by [email protected] on 29 May 2014 at 12:35

• Changed state: Accepted

[GoogleCodeExporter]

Ok. It's a 4 digit simple passcode.
I've edited the code like this:
            bf = client.bruteforceKeyBag(systembag["KeyBagKeys"].data)
            if bf:
                print bf
                di.update(bf)

This gives the following output:
$ python python_scripts/demo_bruteforce.py 
Connecting to device : xxxxxxxxxxx
Keybag UUID : xxxxxxxxxxx
Enter passcode or leave blank for bruteforce:

Trying all 4-digits passcodes...
Request did not return any result
Traceback (most recent call last):
  File "python_scripts/demo_bruteforce.py", line 90, in <module>
    bf_system()
  File "python_scripts/demo_bruteforce.py", line 57, in bf_system
    di.update(bf)
ValueError: dictionary update sequence element #0 has length 1; 2 is required

Original comment by [email protected] on 29 May 2014 at 2:34

[GoogleCodeExporter]

thanks, one more thing, can you run the ./bruteforce binary on the ramdisk 
through ssh and post the output. i suppose the keybag format changed in ios 7.1 
and it cannot be loaded on the older kernel we use for booting the ramdisk.

Original comment by [email protected] on 29 May 2014 at 2:38

[GoogleCodeExporter]

OK. 
-sh-4.0# ./bruteforce 
Trying to mount data partition
Writing results to 45cfa5ecc1f68ab4.plist
IOConnectCallMethod on AppleKeyStore selector 6 returned e00002c9
Patching iOS 7 keybag VERS 4 signature for older kernels
IOConnectCallMethod on AppleKeyStore selector 6 returned e00002c9
AppleKeyStoreKeyBagCreateWithData ret=e00002c9

Original comment by [email protected] on 29 May 2014 at 2:48

[GoogleCodeExporter]

thanks a lot, will fix this in the next few weeks when i have access to a 7.1 
device.

Original comment by [email protected] on 29 May 2014 at 3:02

[GoogleCodeExporter]

Any news? I have the same issue. Thanks!

Original comment by [email protected] on 1 Jul 2014 at 3:54

[GoogleCodeExporter]

@jean

looking forword for this fix. If you need any help on this just mail me. I`ve 
got an iOS 7.1 device for testing purposes.

Original comment by [email protected] on 9 Jul 2014 at 8:38

[GoogleCodeExporter]

I am getting this same error running demo_bruteforce.py on an iPad 1

Original comment by [email protected] on 9 Jul 2014 at 5:39

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

@Peter.lurchi2 can you run ./device_infos on the ramdisk (through ssh) and send 
me the KeyBagKeys section of the plist output ? i'm having trouble reproducing 
the issue on a 7.1.2 device. thanks.

Original comment by [email protected] on 13 Jul 2014 at 3:39

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

sorry i meant the ./bruteforce command. if there is still no KeyBagKeys section 
you can post the file /mnt2/keybags/systembag.kb. thanks a lot.

Original comment by [email protected] on 13 Jul 2014 at 5:45

[GoogleCodeExporter]

-sh-4.0# ./bruteforce
Trying to mount data partition
Writing results to 65aed7e3d4fdb93e.plist
patching keybag signature
IOConnectCallMethod on AppleKeyStore selector 6 returned e00002c9
Patching iOS 7 keybag VERS 4 signature for older kernels
IOConnectCallMethod on AppleKeyStore selector 6 returned e00002c9
AppleKeyStoreKeyBagCreateWithData ret=e00002c9

and

Device UDID : d7653c784952c4b6aef9ea3c1a5ca02502089834
Keybag: SIGN check FAIL
Keybag UUID : 04f2af5a61dc4821afa42ad24d87569b
Saving 
D:\IOS\A\tools\bruteforce\d7653c784952c4b6aef9ea3c1a5ca02502089834/65aed7e3d4fdb
93e.plist
passcodeKeyboardComplexity : {'rangeMinimum': 0, 'value': 0, 'rangeMaximum': 2}
Trying all 4-digits passcodes...

here is systembag i attached using sshrd

Original comment by [email protected] on 13 Jul 2014 at 6:18

Attachments:

• systembag.kb

[GoogleCodeExporter]

any updates sir?

Original comment by [email protected] on 14 Jul 2014 at 3:49

[GoogleCodeExporter]

This issue was updated by revision dc51928c6053.

Remove unknown iOS 7 keybag tags (GRCE and others) when keybag loading fails 
under iOS 5/6 kernels

Original comment by [email protected] on 16 Jul 2014 at 5:24

[GoogleCodeExporter]

The last commit should fix the issue after rebuilding the ramdisk. Thanks a lot 
!

Original comment by [email protected] on 16 Jul 2014 at 5:25

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

please let me know if you has been finished rebuilding the ramdisk
cause i will be the one to test it first
thank you very much

Original comment by [email protected] on 16 Jul 2014 at 10:42

[GoogleCodeExporter]

Thank you for the update. The script now finds the passcode with no problems. 
However,  I am getting the following error after the key is found:

$ python python_scripts/demo_bruteforce.py
Connecting to device : XXXXX
Keybag UUID : XXXXX
Enter passcode or leave blank for bruteforce:

Trying all 4-digits passcodes...
0 of 10000 ETA:  --:--:--
10000 of 10000 Time: 0:00:00                         |
100% |############################################|
BruteforceSystemKeyBag : 0:00:00.360563
{'passcode': '0001', 'passcodeKey': 'XXXXX'}
True
Keybag type : System keybag (0)
Keybag version : 4
Keybag UUID : XXXXX
--------------------------------------------------------------------------------
------------------------------------------------
Class                                                WRAP Type       Key        
                                                      Public key
--------------------------------------------------------------------------------
------------------------------------------------
Traceback (most recent call last):
  File "python_scripts/demo_bruteforce.py", line 88, in <module>
    bf_system()
  File "python_scripts/demo_bruteforce.py", line 59, in bf_system
    kb.printClassKeys()
  File "/Users/henry/iphone-dataprotection/python_scripts/keystore/keybag.py", line 253, in printClassKeys
    print "".join([PROTECTION_CLASSES.get(k).ljust(53),
AttributeError: 'NoneType' object has no attribute 'ljust'

Original comment by [email protected] on 20 Jul 2014 at 2:15

[GoogleCodeExporter]

@fated.dreams
can you post or email me the KeyBagKeys section of the plist file (run 
./bruteforce on the device if the python script didnt create a plist) ? thanks.

Original comment by [email protected] on 20 Jul 2014 at 4:43

[GoogleCodeExporter]

Here is the result of running ./bruteforce on the device:

-sh-4.0# ./bruteforce
Trying to mount data partition
Writing results to b8bc987ada7c0547.plist
IOConnectCallMethod on AppleKeyStore selector 6 returned e00002c9
Trying to remove iOS 7 keybag tags before loading into AppleKeyStore
Unwrapped HMCK key
Removing unknown keybag tag GNRT
Fixing SIGN HMAC
keybag id=1
0000
0001
Found passcode : 0001
Keybag version : 4
Keybag keys : 10
Class   Wrap    Key
43  0   156d86a0635fd4cca55d205b1b4a7ff8a8cd0c075c581758a31e7edb292f4bfd
42  0   4481c7ed674e44014d5c44b8ac728885f87e19da9d6decb0d80441a7c6fa6402
41  0   06a89fdc98af44f04810121e9661b809761ccacf4a7db42e43bf61f95ef373f7
40  0   9cfb23d6d76aa3dcece59d96a7da742d167a038b568ddbe9c59446f9bd98d1ba
39  0   7d85fcad35e07ab864b36c0b829fe4b17b58ae568867d2af5a4ada46f23e888f
38  0   d72d3d1727e892d43572581b58f346b1547d7c1df3e080c7a15da96e1d80c79e
37  0   1315e9ec7603254593272edf66c54ce380aa7e614d8f8aa0393aa44c1b9c7a8d
35  0   d656c06b5935d6e3cb6c0200be8b0a7cc2f11d3517f1e379c09d15c9a07e5f7c
34  0   27971a098b0c8600e4344540fb8674ab4db4c9aecbda5041d3aa0991b1318184
33  0   9d889700401b6b19965061893c36195b76119a785ff191bcf995d7b304548e3a

Passcode key : 741eb9b23c60454ea930f3231fcd872fb95cba5be84d7ce69d19a0cffbb96383
Key 0x835 : 62c5dd40c1eac27c4c866afe0cf3b50f
Writing results to b8bc987ada7c0547.plist

Original comment by [email protected] on 21 Jul 2014 at 2:35

[GoogleCodeExporter]

@fated.dreams do you managed to rebuild the ramdisk?
or still using the dainius?
cause i always get this error

C:\Python27>python python_scripts/demo_bruteforce.py
Traceback (most recent call last):
  File "python_scripts/demo_bruteforce.py", line 3, in <module>
    from keystore.keybag import Keybag
  File "C:\Python27\python_scripts\keystore\keybag.py", line 9, in <module>
    import hmac
  File "C:\Python27\lib\hmac.py", line 8, in <module>
    from operator import _compare_digest as compare_digest
ImportError: cannot import name _compare_digest

Original comment by [email protected] on 21 Jul 2014 at 3:22

[GoogleCodeExporter]

@fated.dreams: Could you provide me with a link to a copy of the Ramdisk please 
?

Very much appreciated thanks

[email protected]

Original comment by abitofbinary on 21 Jul 2014 at 6:04

[GoogleCodeExporter]

@fated.dreams
can you post the KeyBagKeys section from b8bc987ada7c0547.plist ? thanks

Original comment by [email protected] on 21 Jul 2014 at 7:42

[GoogleCodeExporter]

        <key>KeyBagKeys</key>
    <data>
    REFUQQAABPBWRVJTAAAABAAAAARUWVBFAAAABAAAAABVVUlEAAAAEO4LcRvW90adlFdR
    1/k/eRFITUNLAAAAKNdSFR2nSW6SkWHYXQtvTRP9/6qvCCd2qWcZPpoBhF9SMNSK/QFI
    1D9XUkFQAAAABAAAAAFTQUxUAAAAFDtNTLaz88RSGM1Ca502DWqptLdmSVRFUgAAAAQA
    AMNQR05SVAAAAAQAAAABVVVJRAAAABDhSC7ASM9JZabARa7/K5eCQ0xBUwAAAAQAAAAr
    V1JBUAAAAAQAAAABS1RZUAAAAAQAAAAAV1BLWQAAACDAjO2ZnF0dwkmwkLf+mqBE3j/V
    xYGR2sXDonKlHMjUtlVVSUQAAAAQo9aiSWtRQL2UQN4CtQNyr0NMQVMAAAAEAAAAKldS
    QVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoobY8Klx0ETdJR48LmlS/KXMgj/b0
    e+gYTiZJOYbu8Y1JOE0LIx4rlVVVSUQAAAAQVZLNLhuESJ6ZAysYWgvT6kNMQVMAAAAE
    AAAAKVdSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoXbUXP3ubVkzN7ROX0rGI
    3TZ1wk3ZwkkU9ChquLSBVN4eHcrtW4/az1VVSUQAAAAQrlidkVNzRleUnYE2Xsk6QUNM
    QVMAAAAEAAAAKFdSQVAAAAAEAAAAAUtUWVAAAAAEAAAAAFdQS1kAAAAghVAFSvehAIKP
    BzF5e5Y01x9PmbG9tdPJWAoJGwtIVzNVVUlEAAAAEKfejUyr1UpWoHeRq9r2jOVDTEFT
    AAAABAAAACdXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKOJteewlxoxLqPKN
    yAXKZw7yneiiIQ/PORN0o3TlkNLjkDU0fp4UkH5VVUlEAAAAEKlFrZGHKEPcvibdgKTr
    8gFDTEFTAAAABAAAACZXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKEaOl8Bs
    ApW+zLv17Gb/UildfI0ABg2VvgMcSHj2S0iE/9dj11L+1S5VVUlEAAAAEJUHB9ceAkBW
    r/xyUB2iE2pDTEFTAAAABAAAACVXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAA
    KDDOtS5GqQs0U1pCODrFMzzSetkFdKNjupgkA7UKtfbQCR0k0ZQkHhZVVUlEAAAAEFBU
    E8hV6U7Fpli+VEiJ8UFDTEFTAAAABAAAACNXUkFQAAAABAAAAANLVFlQAAAABAAAAABX
    UEtZAAAAKOIbm37Gip+zJdOyl3K5j6s3TDkgoaAqk7peQtcUZqQexyqQTVhxuGhVVUlE
    AAAAECiZ1RLGlEfnteH0kv9PHrZDTEFTAAAABAAAACJXUkFQAAAABAAAAANLVFlQAAAA
    BAAAAAFXUEtZAAAAKC2GIvad1vrkjS+QNr8ESHLX2N6nkQpXV2HRk0KqSSUiUmNqR+Kt
    k4xQQktZAAAAIAD1qjFBhw2B6UoxRD5ZNzCyp1HjhFU1zrtQVAJEbW4iVVVJRAAAABAw
    LHVXNgNBKoEWPBjYlmgaQ0xBUwAAAAQAAAAhV1JBUAAAAAQAAAADS1RZUAAAAAQAAAAA
    V1BLWQAAACh14cLVgZk+JmJaHbgJ1iiQd1Lq+x2LUv+KIw95VnJdj1+WPiOVdvqfU0lH
    TgAAABRb0PStHGgXslIqZBetMWpMp9c+Ag==
    </data>

Original comment by [email protected] on 22 Jul 2014 at 5:12

Attachments:

• b8bc987ada7c0547.plist

[GoogleCodeExporter]

This issue was updated by revision 83b5dc3ae9a5.

Mask CLAS tags in iOS 7 keybags

Original comment by [email protected] on 22 Jul 2014 at 5:38

[GoogleCodeExporter]

@fated.dreams
should be fixed in the latest revision. thanks again !

Original comment by [email protected] on 22 Jul 2014 at 5:38

[GoogleCodeExporter]

Thanks! Running the demo_bruteforce.py script completes without errors now. It 
also generates keychain-2.db and the DATAVOLUMEID.plist.

I did encountered another error, though. But I will open another issue for it. 
Thanks again for the update. 

Original comment by [email protected] on 23 Jul 2014 at 2:40

[GoogleCodeExporter]

@jean
Do we need to rebuild the ramdisk using the latest revision?

@fated.dreams
Could you provide me the link of ramdisk you were using
Or would you mail me and attached the ramdisk?
I'm windows user so its imposibble for me to rebuild the
Ramdisk. My mail is [email protected]

Thank you

Original comment by [email protected] on 23 Jul 2014 at 5:08

[GoogleCodeExporter]

Ditto!

@fated.dreams: Could you also provide me with a link to a copy of the Ramdisk 
please to -> [email protected]

Very much appreciated thanks

Original comment by abitofbinary on 23 Jul 2014 at 11:37