emf_decrypter segmentation fault about iphone-dataprotection HOT 17 CLOSED

Yes, this is probably the same bug as issue 15 
(http://code.google.com/p/iphone-dataprotection/issues/detail?id=15). As a 
workaround you can use the python version.

Also, if you could run the following and post the output it could help fix the 
bug :
gdb ./emf_decrypter
set environment DYLD_INSERT_LIBRARIES /usr/lib/libgmalloc.dylib
run iphone_image.dmg

Thanks

That is exactly the post i was just reading. :)

i will most certainly try the python one and keep you posted with results.

just the time to copy these 30G and i'll post the gdb result.

ps. as soon as im done with all of this , hopefully with success , (as i need 
to undelete some stuff afterwards.
for which i was gonna use photorec as i've used it b4, but can i give a try to 
the python emf_undelete? is it stable?)
if you want to i can contribute throwing together some user-level walkthrough.
i think this is an amazing breakthrough and should be more accessible, say to 
ppl like me. I'm a programmer and sysadmin but low-level c is just not my thing 
and i deeply admire your work :)

Thanks, we will update the tools soon and try to add a helpfull walkthrough, 
but you're welcome to contribute as well.
I don't think photorec will work, because the unallocated space is encrypted. 
emf_undelete can recover a few files (or sometimes nothing at all), you can 
give it a try. Thanks for your feedback.

Oh i see. So the decrypter only decrypts allocated space? not bit per bit ?
damn, that i didn't know. i'm gonna give it a shot but you just gave me some 
sad news :/

but anyway, thank you again for everything so far.

I gdb as per your request. I post the output as follows:


SidMac:emf sid$ gdb ./emf_decrypter
GNU gdb 6.3.50-20050815 (Apple version gdb-1472) (Wed Jul 21 10:53:12 UTC 2010)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared 
libraries ..... done

(gdb) set environment DYLD_INSERT_LIBRARIES /usr/lib/libgmalloc.dylib
(gdb) run ../../iphonebackup.img 
Starting program: /Users/sid/Desktop/IphoneDataProtection/emf/emf_decrypter 
../../iphonebackup.img
GuardMalloc: Allocations will be placed on 16 byte boundaries.
GuardMalloc:  - Some buffer overruns may not be noticed.
GuardMalloc:  - Applications using vector instructions (e.g., SSE or Altivec) 
should work.
GuardMalloc: GuardMalloc version 23
GuardMalloc: Allocations will be placed on 16 byte boundaries.
GuardMalloc:  - Some buffer overruns may not be noticed.
GuardMalloc:  - Applications using vector instructions (e.g., SSE or Altivec) 
should work.
GuardMalloc: GuardMalloc version 23
Reading symbols for shared libraries .++++..... done
Reading symbols for shared libraries . done
GuardMalloc: Allocations will be placed on 16 byte boundaries.
GuardMalloc:  - Some buffer overruns may not be noticed.
GuardMalloc:  - Applications using vector instructions (e.g., SSE or Altivec) 
should work.
GuardMalloc: GuardMalloc version 23
WARNING ! This tool will modify the hfs image and possibly wreck it if 
something goes wrong !
Make sure to backup the image before proceeding
Press a key to continue or CTRL-C to abort

Volume identifier : fe2ae574d6dd94a7
Searching for ../../fe2ae574d6dd94a7.plist
Data partition offset = 1ce04
Reading class keys, NSProtectionComplete files should be decrypted OK
Decrypting iNode1012708
Decrypting iNode1012711
Decrypting iNode7159
Decrypting iNode7162
Decrypting iNode7169
Decrypting iNode7207
Decrypting iNode7211
Decrypting iNode7212
Decrypting iNode7217
Decrypting iNode7218
Decrypting iNode7221
Decrypting iNode7222
Decrypting iNode7224
Decrypting iNode7233
Decrypting iNode7254
Decrypting iNode7266
Decrypting iNode7267
Decrypting iNode7269
Decrypting iNode7272
Decrypting iNode7273
Decrypting iNode7280
Decrypting iNode7284
Decrypting iNode7285
Decrypting iNode7290
Decrypting iNode7300
Decrypting iNode7305
Decrypting iNode7311
Decrypting iNode7316
Decrypting iNode7321
Decrypting iNode7326
Decrypting iNode7334
Decrypting iNode7337
Decrypting iNode7345
Decrypting iNode7348
Decrypting iNode7354
Decrypting iNode7361
Decrypting iNode7363
Decrypting iNode7368
Decrypting iNode7371
Decrypting iNode7379
Decrypting iNode7381
Decrypting iNode7384
Decrypting iNode7385
Decrypting iNode7394
Decrypting iNode7402
Decrypting iNode7410
Decrypting iNode7420
Decrypting iNode7422
Decrypting iNode7426
Decrypting iNode7435
Decrypting iNode7436
Decrypting iNode7439
Decrypting iNode7442
Decrypting iNode7447
Decrypting iNode7456
Decrypting iNode7460
Decrypting iNode7463
Decrypting iNode7475
Decrypting iNode7476
Decrypting iNode7477
Decrypting iNode7482
Decrypting iNode7483
Decrypting iNode7484
Decrypting iNode7485
Decrypting iNode7488
Decrypting iNode7491
Decrypting iNode7494
Decrypting iNode7497
Decrypting iNode7511
Decrypting iNode7517
Decrypting iNode7522
Decrypting iNode7523
Decrypting iNode7524
Decrypting iNode7525
Decrypting iNode7529
Decrypting iNode7531
Decrypting iNode7532
Decrypting iNode7536
Decrypting iNode7540
Decrypting iNode7585
Decrypting iNode7593
Decrypting iNode7595
Decrypting iNode7627
Decrypting iNode7628
Decrypting iNode7636
Decrypting iNode7637
Decrypting iNode7639
Decrypting iNode7643
Decrypting iNode7650
Decrypting iNode7657
Decrypting iNode7668
Decrypting iNode7677
Decrypting iNode7696
Decrypting iNode7732
Decrypting iNode7751
Decrypting iNode7752
Decrypting iNode7763
Decrypting iNode7775
Decrypting iNode7788
Decrypting iNode7791
Decrypting temp1025131
Decrypting temp1025132
Decrypting TrustStore.sqlite3
Decrypting keychain-2.db
Decrypting ocspcache.sqlite3
Decrypting aircrack-ng
Decrypting airdecap-ng
Decrypting airmon-ng
Decrypting AUTHORS
Decrypting CHANGELOG
Decrypting LICENSE
Decrypting README
Decrypting README_AIROPDATE
Decrypting airopdate.sh
Decrypting airopdate.sh~(0).tmp
Decrypting airoscript.sh
Decrypting airoscript.sh~(0).tmp
Decrypting ivstools
Decrypting kstats
Decrypting makeivs
Decrypting aircrack-ng.1
Decrypting airdecap-ng.1
Decrypting aireplay-ng.1
Decrypting airmon-ng.1
Decrypting airodump-ng.1
Decrypting airtun-ng.1
Decrypting ivstools.1
Decrypting kstats.1
Decrypting makeivs.1
Decrypting packetforge-ng.1
Decrypting PKGBUILD
Decrypting aircrack-ng.spec
Decrypting slack-desc
Decrypting packetforge-ng
Decrypting acx-20070101.patch
Decrypting bcm43xx-injection-linux-2.6.20.patch
Decrypting hostap-driver-0.4.7.patch
Decrypting hostap-kernel-2.6.18.patch
Decrypting ieee80211_inject.patch
Decrypting ipw2200-1.1.4-inject.patch
Decrypting linux-wlanng-0.2.8.patch
Decrypting madwifi-ng-r2277.patch
Decrypting madwifi-old-r1417.patch
Decrypting hostap-driver-0.3.9.patch
Decrypting hostap-driver-0.4.5.patch
Decrypting hostap-kernel-2.6.16.patch
Decrypting ipw2200-1.1.3-inject.patch
Decrypting linux-wlan-0.2.3.packet.injection.patch
Decrypting linux-wlan-0.2.5.packet.injection.patch
Decrypting madwifi-cvs-20050707.patch
Decrypting madwifi-cvs-20050814.patch
Decrypting madwifi-cvs-20051025.patch
Decrypting madwifi-ng-r1457-1473_disable_retry_raw.patch
Decrypting madwifi-ng-r1475_disable_retry_raw.patch
Decrypting madwifi-ng-r1486.patch
Decrypting madwifi-ng-r1520.patch
Decrypting madwifi-ng-r1526.patch
Decrypting madwifi-ng-r1545.patch
Decrypting madwifi-ng-r1679.patch
Decrypting madwifi-ng-r1713.patch
Decrypting madwifi-ng-r1730.patch
Decrypting madwifi-ng-r1886.patch
Decrypting madwifi-ng-r1983.patch
Decrypting rt2500-cvs-20050724.patch
Decrypting rt2500-cvs-20051008-prismheader.patch
Decrypting rt2500-cvs-2005112305.patch
Decrypting rt2570-cvs-20050824.patch
Decrypting rt2570-cvs-20051008-prismheader.patch
Decrypting rt2570-cvs-2005112305.patch
Decrypting rtl8180-0.21.patch
Decrypting rtl8187_1010.0622.patch
Decrypting rtl8187_1010.0622v2.patch
Decrypting rtl8187_1025v2.patch
Decrypting rtl8187_2.6.20.patch
Decrypting rtl8187_2.6.20v2.patch
Decrypting rtl8187_2.6.20v3.patch
Decrypting rtl8187_2.6.20v4.patch
Decrypting rtl8187_2.6.21v2.patch
Decrypting wlanng-0.2.1-pre26.patch
Decrypting zd1211rw_malformed.patch
Decrypting prism54-svn-20050724.patch
Decrypting rtl8180-0.21v2.patch
Decrypting rtl8187_2.6.21v3.patch
Decrypting zd1211rw_inject_2.6.17.patch
Decrypting zd1211rw_inject_2.6.20.patch
Decrypting zd1211rw_inject_2.6.21-gentoo.patch
Decrypting aircrack-ng.c
Decrypting aircrack-ng.h
Decrypting aircrack-ptw-lib.c
Decrypting aircrack-ptw-lib.h
Decrypting airdecap-ng.c
Decrypting aireplay-ng.c
Decrypting airodump-ng.c
Decrypting airtun-ng.c
Decrypting common.c
Decrypting crc.c
Decrypting crctable.h
Decrypting crypto.c
Decrypting crypto.h
Decrypting ivstools.c
Decrypting kstats.c
Decrypting packetforge-ng.c
Decrypting pcap.h
Decrypting sha1-mmx.S
Decrypting uniqueiv.c
Decrypting version.h
Decrypting makeivs.c
Decrypting password.lst
Decrypting wep.open.system.authentication.cap
Decrypting wep.shared.key.authentication.cap
Decrypting wpa.cap
Decrypting wpa2.eapol.cap
Decrypting touch.ivs
Decrypting com.hackyouriphone.synchronicity_2.0_iphoneos-arm.deb
Decrypting lock
Decrypting pkgcache.bin
Decrypting srcpkgcache.bin
Decrypting DUID_IA.plist
Decrypting en0-1,7c:c5:37:81:62:fa
Decrypting dhcpd_leases
Decrypting overrides.plist
Decrypting systembag.kb
Decrypting extended_states
Decrypting apt.modmyi.com_dists_stable_Release
Decrypting apt.modmyi.com_dists_stable_Release.gpg
Decrypting apt.modmyi.com_dists_stable_main_binary-iphoneos-arm_Packages
Decrypting 
apt.modmyi.com_dists_stable_main_binary-iphoneos-arm_Packages.IndexDiff
Decrypting apt.modmyi.com_dists_stable_main_binary-iphoneos-arm_Packages.ed
Decrypting apt.saurik.com_dists_ios_550.58_Release
Decrypting apt.saurik.com_dists_ios_550.58_Release.gpg
Decrypting apt.saurik.com_dists_ios_550.58_main_binary-iphoneos-arm_Packages
Decrypting apt.thebigboss.org_repofiles_cydia_dists_stable_Release
Decrypting apt.thebigboss.org_repofiles_cydia_dists_stable_Release.gpg
Decrypting 
apt.thebigboss.org_repofiles_cydia_dists_stable_main_binary-iphoneos-arm_Package
s
Decrypting 
apt.thebigboss.org_repofiles_cydia_dists_stable_main_binary-iphoneos-arm_Package
s.IndexDiff
Decrypting 
apt.thebigboss.org_repofiles_cydia_dists_stable_main_binary-iphoneos-arm_Package
s.ed
Decrypting cydia.guizmovpn.com_._Packages
Decrypting cydia.hackulo.us_._Packages
Decrypting cydia.hackulo.us_._Release
Decrypting cydia.myrepospace.com_otosan_._Packages
Decrypting cydia.myrepospace.com_otosan_._Release
Decrypting cydia.touch-mania.com_._Packages
Decrypting cydia.touch-mania.com_._Release
Decrypting cydia.winterboarder.com_._Packages
Decrypting cydia.winterboarder.com_._Release
Decrypting cydia.xsellize.com_._Packages
Decrypting cydia.xsellize.com_._Release
Decrypting cydia.zodttd.com_repo_cydia_dists_stable_Release
Decrypting cydia.zodttd.com_repo_cydia_dists_stable_Release.gpg
Decrypting 
cydia.zodttd.com_repo_cydia_dists_stable_main_binary-iphoneos-arm_Packages
Decrypting 
cydia.zodttd.com_repo_cydia_dists_stable_main_binary-iphoneos-arm_Packages.FAILE
D
Decrypting 
cydia.zodttd.com_repo_cydia_dists_stable_main_binary-iphoneos-arm_Packages.Index
Diff
Decrypting 
cydia.zodttd.com_repo_cydia_dists_stable_main_binary-iphoneos-arm_Packages.ed
Decrypting i.danstaface.net_deb_._Packages
Decrypting i.danstaface.net_deb_._Packages.IndexDiff
Decrypting i.danstaface.net_deb_._Release
Decrypting iphone.org.hk_apt_._Packages
Decrypting lock
fread: Bad address
error: READ
error: Bad address

Program exited with code 01.
(gdb) Quit


--

I am off to making another copy of the img and trying the python version.
I will keep you posted.

[deleted comment]

here's the current output of the python emf_decrypter:

SidMac:python_scripts sid$ sudo python ./emf_decrypter.py 
/Users/sid/Desktop/iphonebackup.img 
Password:
Traceback (most recent call last):
  File "./emf_decrypter.py", line 8, in <module>
    v = EMFVolume(sys.argv[1], write=True)
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/hfs/emf.py", line 74, in __init__
    self.keystore = Keybag.createWithPlist(pldict)
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/keystore/keybag.py", line 46, in createWithPlist
    keystore = Keybag.createWithDataSignBlob(data, k835)
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/keystore/keybag.py", line 69, in createWithDataSignBlob
    kb = Keybag(keybag["DATA"])
KeyError: 'DATA'

Does the plist need to be named a certain way this time? as in not with the 
volume hash name anymore? does it require any other files to be in the same 
folder or something?

Pycrypto and construct have already been installed.

Ha yes sorry its a bug in the output format of the python script. You can fix 
it by running the following python script:

import plistlib

filename="fe2ae574d6dd94a7.plist"
pl = plistlib.readPlist(filename)

if pl.has_key("keybags"):
    pl.update(pl["keybags"].values()[0])

plistlib.writePlist(pl, filename)

worked like a charm.
script is now working.
we'll see where we get :D

The script finished. Decrypted over 5K files. Browsable and extractable by hfs 
explorer.
So i think your work is superb.
Now trying photorec and then emf_undelete. Let's see wether i get what i needed 
in the first place or this was simply a very educational journey :)

Running photorec. So far claims it has recovered over 22K files. 5K jpgs that i 
can actually browse. But i'm gonna have to wait it out for it to finish then to 
see what it has recovered.

Don't want to get my hopes too high up, but, This is looking pretty good.

[deleted comment]

While all the statements in my above comment remain true, those were actuall 
not-deleted file. As to why photorec would behave that way idk. But i just 
wrote to the author of it.

I will now try the python emf_undele. Let's see there.

Your comment above about unallocated space remaining encrypted made me think.
Though i certainly believe the decryption process would take much longer 
depending on how much space is actually allocated, would it be possible to 
modify emd_decrypter to also treat unallocated memory?
If anything would give it a huge ++ as a forensic tool and the only one of it's 
kind.

UPDATE: emf_undelete recovered almost 50 files. Mostly plists, logs, temps and 
other system files.
Now i've hit a wall.

Each file on the data partition is encrypted using a different encryption key. 
Thus, it is not possible to recover deleted files unless you know the 
encryption key. emf_undelete does that by carving the journal file. Due to the 
way the journal works and its limited size, it can only recover a few files, as 
you mentionned, mostly system files that are created and then deleted in a 
short period of time (so the encryption key is still present in the journal 
file). 

I see. That makes sense, and of course pardon my questions as the come from my 
lack of knowledge in the topic. 
Would that mean such encryption key is dynamic?
Meaning even hfs itself mounted on the iphone would be unable to carve its own 
deleted files (if ever anyone got around to do that)?
Bc if not, then treating (this is a very theoretical assumption) the 
unallocated space with the same encryption key as the decrypter does for 
existing files, then trying to recover with the usual tools, would produce 
something?
I flew too far off the handle didn't i?

Damn, if i was able to modify the decrypter source id be happy to try that on 
my img, as im bloody desperate to recover those files. 

Yes, multiple encryption keys are used, one for each file. Even if the 
filesystem is mounted on the device it cannot carve its own delete files.