Updated iPhone Keychain Dumper

By Patrick Toomey

So, apparently when I released the initial version of Keychain Dumper I failed to account for the fact that the keychain stores protected data in a few different tables within the keychain-2.db SQLite database. Someone left a comment on the initial release letting me know they were not seeing mail accounts, etc. being dumped. A quick look at my code and the Apple development docs and I noticed that sure enough, I was only decrypting items with the “kSecClassGenericPassword” security class. I quickly updated the code to also decrypt the “kSecClassInternetPassword” security class as well. There are additional security classes, but they don’t appear all that interesting to the average user (let me know if this isn’t correct). So, I’ve updated the code on GitHub here. I performed a 30 second check, and it appears to now dump all of the same items as before, as well as items from the Internet passwords table. Let me know if anyone has any issues with the update.

On a final note, the README.md on GitHub mentions creating a symbolic link to build the project. The link in the readme refers to the iOS 4.2 SDK.  However, when I updated the tool I noticed that my SDK was now set to 4.3, and I had to update the symbolic link accordingly.  So, either just download the binary release on GitHub, or make sure you take note of your SDK version.
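
As an added illustration (not code from Keychain Dumper), the sketch below inventories a constructed stand-in for keychain-2.db one security class at a time, which shows why a tool that queries only kSecClassGenericPassword never sees the Internet password rows; it also flags items whose protection class does not depend on the passcode. The class-to-table mapping, the `agrp` and `pdmn` column names and the `pdmn` values are assumptions about the database schema that the post does not state, and the sample rows are constructed.

```python
import sqlite3

# Assumed mapping of keychain security class -> table in keychain-2.db.
CLASS_TABLES = {
    "kSecClassGenericPassword": "genp",
    "kSecClassInternetPassword": "inet",
    "kSecClassCertificate": "cert",
    "kSecClassKey": "keys",
}
# Assumed pdmn values for kSecAttrAccessibleAlways and its ThisDeviceOnly
# variant: items readable without the passcode-derived key.
ALWAYS_ACCESSIBLE = {"dk", "dku"}


def build_sample_db():
    """Constructed stand-in for keychain-2.db with only the columns used here."""
    db = sqlite3.connect(":memory:")
    for table in CLASS_TABLES.values():
        db.execute(f"CREATE TABLE {table} (agrp TEXT, pdmn TEXT, data BLOB)")
    db.executemany("INSERT INTO genp VALUES (?, ?, ?)", [
        ("apple", "ak", b"\x00"),
        ("com.example.app", "dk", b"\x00"),
        ("com.example.app", "ak", b"\x00")])
    db.executemany("INSERT INTO inet VALUES (?, ?, ?)", [
        ("apple", "ck", b"\x00"),
        ("com.example.mail", "dku", b"\x00")])
    db.execute("INSERT INTO keys VALUES ('com.example.vpn', 'ak', x'00')")
    return db


def inventory(db):
    """Return {security class: {"total": n, "always": [(agrp, count), ...]}}."""
    report = {}
    for sec_class, table in CLASS_TABLES.items():
        # Metadata only: the encrypted data column is never read.
        rows = db.execute(
            f"SELECT agrp, pdmn, COUNT(*) FROM {table} "
            "GROUP BY agrp, pdmn ORDER BY agrp").fetchall()
        report[sec_class] = {
            "total": sum(n for _, _, n in rows),
            "always": [(agrp, n) for agrp, pdmn, n in rows
                       if pdmn in ALWAYS_ACCESSIBLE],
        }
    return report


if __name__ == "__main__":
    for sec_class, info in inventory(build_sample_db()).items():
        print(f"{sec_class}: {info['total']} item(s), "
              f"always-accessible: {info['always'] or 'none'}")
```

Run against a copy of a real database, the same per-class counts give a quick check that a dump covered every table that actually holds rows.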

15 thoughts on “Updated iPhone Keychain Dumper”

  1. Hi, I compiled the project successfully, creating the symbolic links etc. and copied keychain_dumper to my iPod touch iOS 4.2.1

    However when I execute the first command to dump the entitlements, I get “Permission Denied”.

    I checked /var/tmp/entitlements.xml and it is a zero-length file.

    I have checked the genp table in keychain-2.db and it is populated with 21 rows of data and the “argp” column is populated in each.

    Do you have a way around this? Maybe if you know the structure that entitlements.xml should be I could create it with the data in the genp table?

    Sorry if I’m asking stupid questions, but I’m a bit new at this!

    Thanks,

    Ryan

    • Hey,
      I’m not altogether sure what the issue might be, as I haven’t seen that error myself. What are the permissions on /private/var/Keychains/keychain-2.db? It should be readable by any user. What user are you running keychain_dumper under (is it the “mobile” account)? I have never tested this on an iPod touch before, but I wouldn’t think the filesystem permissions and/or the user applications run under would be different. Lastly, I have the app copied to /private/var. Again, that shouldn’t make any difference, but I thought I’d throw out everything just in case it helps you figure out the issue. If you do get things figured out I’d definitely be interested to hear what the issue was. Oh, and in terms of the entitlements format, you can take a look at the source code and it should be pretty obvious how you would create the entitlement manually.

  2. Hi Patrick,

    I moved the app to /private/var and set permissions on keychain_dumper and keychain-2.db to 0777.

    Magically everything worked after I did this. I guess maybe put a note in the readme to make sure the permissions are rwx.

    Thanks,

    Ryan

    • Great. I am glad you figured it out. I’ll update some of the documentation to ensure keychain-2.db is readable and that keychain_dumper itself is executable. Edit: I just updated the GitHub readme file.

  3. Is it possible to edit the data in Keychain ??

    • I haven’t looked into/tried this, but I don’t see any immediate reason why you shouldn’t be able to add/edit items in the keychain with a few small additions to the code.

    • The pin isn’t actually stored anywhere on the device. Instead, the pin is combined with a per-device key to derive an encryption key that is used to decrypt values in the keychain that are set with the appropriate security attributes. There is a tool that allows for you to brute force this pin, but I can’t seem to find a link to it right now. If I run across it again I’ll post it here.

  4. Oh this is a brilliant tool and works flawlessly.
    How about the device lock code? Isn’t that meant to be stored on the keychain?

  5. Need a little bit of help to complete the process.

    I have a jailbroken ipad v2

    Have installed ldid and keychain_dumper and done chmod as instructed.

    keychain_dumper creates an entitlements.xml of 354 bytes in length.

    then the error

    I run ldid as instructed and it gives the following error

    util/ldid.cpp(576): _assert(2:false)
    util/ldid.cpp(582): _assert(0:WEXITSTATUS(status) == 0)

    Even after having this error I did run keychain_dumper and gives the response

    No Generic Password Keychain items found. Please see the README.md to get started
    No Internet Password Keychain items found. Please see the README.md to get started

    Any help gratefully accepted

  6. Hi Patrick,
    I am trying to use the program to dump my Yahoo passwords from my iPhone keychain. Looks like it’s dumping them, but they are encrypted. I tried it after my phone is unlocked. I also tried after disabling the iPhone pin. Any idea how to solve this problem? I am using iOS 5.0.1 version.

  7. Hey Patrick,
    I have seen another table for keys in keychain-2.db. I tried modifying your code but looks like it doesn’t dump anything from that table. Do you know how can we dump data from that table as well ??

    Thanks

  8. Hey thanks for replying I was able to dump the data from other tables. I was thinking if we can take the certificates out of keychain along with private key. Would it be possible from cert table ??

    • I have also been attempting to get access to the cert and key tables with no success, would it be possible to update the application to fully decrypt these tables as well so that certificates and keys could be extracted?

  9. Nice tool. It would be better if it could provide the key of the row where the password is stored in. That would make it easier for us to remove unused keychain entries for the sake of security.
