ios_backup_extractor 1.1.0

data/exe/ios

@@ -0,0 +1,107 @@
+#!/usr/bin/env ruby
+
+require 'ios_backup_extractor'
+require 'optparse'
+
+NauktisUtils::Logging.logger.level = Logger::WARN
+retreiver = IosBackupExtractor::BackupRetriever.new
+
+options = {}
+backup_options = {}
+OptionParser.new do |opts|
+  opts.banner = 'Usage: ios [options] [location]'
+  opts.separator 'If location is not provided, the default backup location will be searched'
+
+  opts.separator ''
+  opts.separator 'Operations:'
+
+  opts.on('-l', '--list', 'Prints a list of backups') do
+    options[:operation] = :list
+  end
+
+  opts.on('-d', '--detail', 'Prints a detailed list of backups') do
+    options[:operation] = :details
+  end
+
+  opts.on('--archive DESTINATION', 'Archives (tar) backups to specified destination') do |q|
+    options[:operation] = :archive
+    dest = File.expand_path(q)
+    raise "#{dest} does not exist" unless File.directory?(dest)
+    options[:destination] = dest
+  end
+
+  opts.on('--extract DESTINATION', 'Extracts backups to specified destination') do |q|
+    options[:operation] = :extract
+    dest = File.expand_path(q)
+    raise "#{dest} does not exist" unless File.directory?(dest)
+    options[:destination] = dest
+  end
+
+  # Options
+  opts.separator 'Flags:'
+
+  opts.on('--raw', 'Creates a raw archive instead of renaming files', 'Use with --archive') do
+    options[:backup_type] = :raw
+  end
+
+  opts.on('--home', 'Only save the HomeDomain') do
+    backup_options[:name] = 'home'
+    backup_options[:domain_filter] = /HomeDomain/i
+  end
+
+  opts.on('--media', 'Only saves well know media locations') do
+    backup_options[:name] = 'media'
+    backup_options[:domain_filter] = /CameraRollDomain|MediaDomain|AppDomain-net\.whatsapp\.WhatsApp/i
+  end
+
+  opts.on('--password PASSWORD', 'Password for encrypted backups') do |q|
+    backup_options[:password] = q.to_s
+  end
+
+  opts.on('--serial SERIAL', 'Target a specific device by its serial number') do |q|
+    options[:serial_number] = q.to_s.strip
+  end
+
+  opts.on('-v', '--verbose', 'Verbose logging') do
+    NauktisUtils::Logging.logger.level = Logger::INFO
+  end
+
+  opts.on('--veryverbose', 'Very verbose logging') do
+    NauktisUtils::Logging.logger.level = Logger::DEBUG
+  end
+
+  opts.on('-h', '--help', 'Prints this help') do
+    puts opts
+    exit
+  end
+end.parse!
+
+if ARGV.size > 0
+  retreiver.search_in(ARGV[0])
+else
+  retreiver.search
+end
+
+backups = retreiver.backups.sort_by! { |b| b.info_plist.last_backup_date }
+# Only perform the action for the selected backup (or all)
+if options[:serial_number]
+  backups.select! { |b| b.info_plist.serial_number == options[:serial_number] }
+end
+
+backups.each do |backup|
+  case options[:operation]
+    when :list
+      puts backup
+    when :details
+      backup.info_plist.details
+      puts '-' * 40
+    when :extract
+      backup.extract_to(options[:destination], backup_options)
+    when :archive
+      if options[:backup_type] == 'raw'
+        backup.archive_raw(options[:destination], backup_options)
+      else
+        backup.archive_to(options[:destination], backup_options)
+      end
+  end
+end

data/ios_backup_extractor.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ios_backup_extractor/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'ios_backup_extractor'
+  spec.version       = IosBackupExtractor::VERSION
+  spec.authors       = ['Nauktis']
+  spec.email         = ['nauktis@users.noreply.github.com']
+
+  spec.summary       = %q{Ruby script to extract iOS backups.}
+  spec.description   = %q{Ruby script to extract iOS backups.}
+  spec.homepage      = 'https://github.com/Nauktis/ios_backup_extractor'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'nauktis_utils'
+  spec.add_dependency 'activesupport'
+  spec.add_dependency 'aes_key_wrap'
+  spec.add_dependency 'CFPropertyList'
+  spec.add_dependency 'sqlite3'
+  spec.add_development_dependency 'bundler', '~> 1.10'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec'
+end

data/lib/ios_backup_extractor.rb

@@ -0,0 +1,42 @@
+require 'digest/sha1'
+require 'fileutils'
+
+require 'active_support'
+require 'active_support/core_ext/numeric'
+require 'aes_key_wrap'
+require 'cfpropertylist'
+require 'nauktis_utils'
+require 'sqlite3'
+
+require 'ios_backup_extractor/version'
+require 'ios_backup_extractor/info_plist'
+require 'ios_backup_extractor/mbdb'
+require 'ios_backup_extractor/keybag'
+require 'ios_backup_extractor/raw_backup'
+require 'ios_backup_extractor/raw_backup4'
+require 'ios_backup_extractor/raw_backup10'
+require 'ios_backup_extractor/backup_retriever'
+
+module IosBackupExtractor
+
+  ##
+  # Returns the number of files contained in +directory+
+
+  def self.file_count(directory)
+    count = 0
+    Find.find(File.expand_path(directory)) do |path|
+      count += 1 unless FileTest.directory?(path)
+    end
+    count
+  end
+
+  # TODO Move helpers somewhere else.
+  def self.plist_data_to_hash(data)
+    CFPropertyList.native_types(CFPropertyList::List.new(data: data).value)
+  end
+
+  def self.plist_file_to_hash(file)
+    file = NauktisUtils::FileBrowser.ensure_valid_file(file)
+    CFPropertyList.native_types(CFPropertyList::List.new(:file => file).value)
+  end
+end

data/lib/ios_backup_extractor/backup_retriever.rb

@@ -0,0 +1,40 @@
+module IosBackupExtractor
+  class BackupRetriever
+    include NauktisUtils::Logging
+    attr_reader :backups
+
+    def search
+      search_in(mobilesync)
+    end
+
+    def search_in(directory)
+      @backups = []
+      directory = NauktisUtils::FileBrowser.ensure_valid_directory(directory)
+      logger.debug('Retriever') {"Retrieving iDevice backup files in #{directory}."}
+      NauktisUtils::FileBrowser.each_file(directory) do |path|
+        if File.basename(path) == 'Info.plist'
+          infos = InfoPlist.new(path)
+          continue unless infos.has? InfoPlist::PRODUCT_VERSION
+          major = infos.versions.first
+          if major <= 3
+            raise 'iOS 3 backups are not supported'
+          elsif major < 10
+            @backups << RawBackup4.new(File.dirname(path))
+          else
+            @backups << RawBackup10.new(File.dirname(path))
+          end
+        end
+      end
+      self
+    end
+
+    private
+    def mobilesync
+      if RUBY_PLATFORM =~ /darwin/
+        "#{ENV['HOME']}/Library/Application Support/MobileSync/Backup"
+      else
+        "#{ENV['APPDATA']}/Apple Computer/MobileSync/Backup/"
+      end
+    end
+  end
+end

data/lib/ios_backup_extractor/info_plist.rb

@@ -0,0 +1,41 @@
+class InfoPlist
+  DEVICE_NAME = 'Device Name'
+  DISPLAY_NAME = 'Display Name'
+  IMEI = 'IMEI'
+  ITUNES_VERSION = 'iTunes Version'
+  LAST_BACKUP_DATE = 'Last Backup Date'
+  PRODUCT_TYPE = 'Product Type'
+  PRODUCT_VERSION = 'Product Version'
+  SERIAL_NUMBER = 'Serial Number'
+
+  TAGS = [DEVICE_NAME, DISPLAY_NAME, IMEI, ITUNES_VERSION, LAST_BACKUP_DATE, PRODUCT_TYPE, PRODUCT_VERSION, SERIAL_NUMBER]
+
+  def initialize(file)
+    raise 'Info.plist does not exist' unless File.exist?(file)
+    @infos = IosBackupExtractor.plist_file_to_hash(file)
+  end
+
+  TAGS.each do |tag|
+    define_method(tag.gsub(/\s+/, '_').downcase.to_sym) do
+      @infos.fetch(tag)
+    end
+  end
+
+  def versions
+    product_version.scan(/\d+/).map {|i| i.to_i}
+  end
+
+  def has?(key)
+    @infos.has_key?(key)
+  end
+
+  def details
+    TAGS.each do |tag|
+      puts "#{tag}: #{@infos.fetch(tag)}"
+    end
+  end
+
+  def to_s
+    "#{last_backup_date} - #{device_name} - #{serial_number} (#{product_type} iOS #{product_version})"
+  end
+end

data/lib/ios_backup_extractor/keybag.rb

@@ -0,0 +1,108 @@
+module IosBackupExtractor
+  class Keybag
+    include NauktisUtils::Logging
+    KEYBAG_TYPES = ['System', 'Backup', 'Escrow', 'OTA (icloud)']
+    CLASSKEY_TAGS = %w(UUID CLAS WRAP WPKY KTYP PBKY)
+    WRAP_DEVICE = 1
+    WRAP_PASSCODE = 2
+
+    def initialize(data, version_major, version_minor)
+      @version_major = version_major
+      @version_minor = version_minor
+      parse_binary_blob(data)
+    end
+
+    def parse_binary_blob(data)
+      @class_keys = {}
+      @attributes = {}
+      current_class = {}
+      loop_tlv_blocks(data) do |tag, value|
+        if value.size == 4
+          value = value.unpack('L>')[0]
+        end
+        if tag == 'TYPE'
+          @type = value & 0x3FFFFFFF # Ignore the flags
+          raise "Error: Keybag type #{@type} > 3" if @type > 3
+          logger.debug(self.class){"Keybag of type #{KEYBAG_TYPES[@type]}"}
+        end
+        @uuid = value if tag == 'UUID' and @uuid.nil?
+        @wrap = value if tag == 'WRAP' and @wrap.nil?
+        current_class = {} if tag == 'UUID' # New class starts by the UUID tag.
+        current_class[tag] = value if CLASSKEY_TAGS.include?(tag)
+        @class_keys[current_class['CLAS'] & 0xF] = current_class if current_class.has_key?('CLAS')
+        @attributes[tag] = value
+      end
+    end
+
+    def unlock_backup_keybag_with_passcode(password)
+      raise 'This is not a backup keybag' unless @type == 1 or @type == 2
+      unwrap_class_keys(get_passcode_key_from_passcode(password))
+    end
+
+    def unwrap_class_keys(passcodekey)
+      @class_keys.each_value do |classkey|
+        k = classkey['WPKY']
+        if classkey['WRAP'] & WRAP_PASSCODE > 0
+          k = AESKeyWrap.unwrap!(classkey['WPKY'].to_s, passcodekey)
+          classkey['KEY'] = k
+        end
+      end
+    end
+
+    def unwrap_key_for_class(protection_class, persistent_key)
+      raise "Keybag key #{protection_class} missing or locked" unless @class_keys.has_key?(protection_class) and @class_keys[protection_class].has_key?('KEY')
+      raise 'Invalid key length' unless persistent_key.length == 0x28
+      AESKeyWrap.unwrap!(persistent_key, @class_keys[protection_class]['KEY'])
+    end
+
+    def get_passcode_key_from_passcode(password)
+      raise 'This is not a backup/icloud keybag' unless @type == 1 or @type == 3
+
+      if @version_major == 10 && @version_minor < 2
+        return OpenSSL::PKCS5.pbkdf2_hmac_sha1(password, @attributes['SALT'], @attributes['ITER'], 32)
+      end
+
+      # Version >= 10.2
+      digest = OpenSSL::Digest::SHA256.new
+      len = digest.digest_length
+      kek = OpenSSL::PKCS5.pbkdf2_hmac(password, @attributes['DPSL'], @attributes['DPIC'], len, digest)
+      OpenSSL::PKCS5.pbkdf2_hmac_sha1(kek, @attributes['SALT'], @attributes['ITER'], 32)
+    end
+
+    ##
+    # Creates a new Keybag
+
+    def self.create_with_backup_manifest(manifest, password, version_major, version_minor)
+      kb = Keybag.new(manifest['BackupKeyBag'], version_major, version_minor)
+      kb.unlock_backup_keybag_with_passcode(password)
+      kb
+    end
+
+    ##
+    # Prints information about the Keybag
+
+    def print_info
+      puts '== Keybag'
+      puts "Keybag type: #{KEYBAG_TYPES[@type]} keybag (#{@type})"
+      puts "Keybag version: #{@attributes['VERS']}"
+      puts "Keybag iterations: #{@attributes['ITER']}, iv=#{@attributes['SALT'].unpack('H*')[0]}"
+      puts "Keybag UUID: #{@uuid.unpack('H*')[0]}"
+    end
+
+    private
+
+    ##
+    # Parses a binary blob and extracts the tags and data.
+
+    def loop_tlv_blocks(data)
+      i = 0
+      while i + 8 <= data.size do
+        tag = data[i...(i+4)].to_s
+        length = data[(i+4)...(i+8)].unpack('L>')[0]
+        value = data[(i+8)...(i+8+length)]
+        yield(tag, value)
+        i += 8 + length
+      end
+    end
+  end
+end

data/lib/ios_backup_extractor/mbdb.rb

@@ -0,0 +1,88 @@
+module IosBackupExtractor
+  class MBDB
+    include NauktisUtils::Logging
+
+    def initialize(manifest_location)
+      parse(NauktisUtils::FileBrowser.ensure_valid_file(manifest_location))
+    end
+
+    def files
+      @files
+    end
+
+    private
+    # Retreive an integer (big-endian) from the current offset in the data.
+    # Adjust the offset after.
+    def get_integer(size)
+      value = 0
+      size.times do
+        value = (value << 8) + @data[@offset].ord
+        @offset += 1
+      end
+      value
+    end
+
+    # Retreive a string from the current offset in the data.
+    # Adjust the offset after.
+    def get_string
+      if @data[@offset] == 0xFF.chr and @data[@offset + 1] == 0xFF.chr
+        @offset += 2
+        ''
+      else
+        length = get_integer(2)
+        value = @data[@offset...(@offset + length)]
+        @offset += length
+        value
+      end
+    end
+
+    # Parse the manifest file
+    def parse(filename)
+      # Set-up
+      @files = Array.new
+      @total_size = 0
+      @data = File.open(filename, 'rb') { |f| f.read }
+      @offset = 0
+      raise 'This does not look like an MBDB file' if @data[0...4] != 'mbdb'
+      @offset = 6 # We skip the header mbdb\5\0
+      # Actual parsing
+      while @offset < @data.size
+        info = Hash.new
+        info[:start_offset] = @offset
+        info[:domain] = get_string # Domain name
+        info[:file_path] = get_string # File path
+        info[:link_target] = get_string # Absolute path for Symbolic Links
+        info[:data_hash] = get_string
+        info[:encryption_key] = get_string
+        info[:mode] = get_integer(2)
+        info[:type] = '?'
+        info[:type] = 'l' if (info[:mode] & 0xE000) == 0xA000 # Symlink
+        info[:type] = '-' if (info[:mode] & 0xE000) == 0x8000 # File
+        info[:type] = 'd' if (info[:mode] & 0xE000) == 0x4000 # Directory
+        @offset += 8 # We skip the inode numbers (uint64).
+        info[:user_id] = get_integer(4)
+        info[:group_id] = get_integer(4)
+        info[:mtime] = get_integer(4) # File last modified time in Epoch format
+        info[:atime] = get_integer(4) # File last accessed time in Epoch format
+        info[:ctime] = get_integer(4) # File created time in Epoch format
+        info[:file_size] = get_integer(8)
+        info[:protection_class] = get_integer(1)
+        info[:properties_number] = get_integer(1)
+        info[:properties] = Hash.new
+        info[:properties_number].times do
+          propname = get_string
+          propvalue = get_string
+          info[:properties][propname] = propvalue
+        end
+        # Compute the ID of the file.
+        fullpath = info[:domain] + '-' + info[:file_path]
+        info[:file_id] = Digest::SHA1.hexdigest(fullpath)
+        # We add the file to the list of files.
+        @files << info
+        # We accumulate the total size
+        @total_size += info[:file_size]
+      end
+      logger.debug('Manifest Parser') {"#{@files.size.to_s(:delimited)} entries in the Manifest. Total size: #{@total_size.to_s(:human_size)}."}
+    end  
+  end
+end