everyone who changes mobile phones often like me, probably faced the issue that not really all settings are being migrated to a new phone. even using encrypted iTunes backups, some data will be missing on the new device.
this is the case for the Google Authenticator app for example. i personally keep a backup of the keys, so i just can scan them again when i install the app on a different device, but for one account i forgot to do that and i noticed it only after i installed the new phone.
i didn’t wipe the old device and still had access to the google authenticator app, but this particular account doesn’t allow self provisioning and i didn’t want to get in contact with the owner, just because i got a new phone.
for other reasons i recently played with the iOS keychain and i learned, that some items only can be read when having the hardware AES keys. you can read about those over here on theiphonewiki or here.
the following articles have some good information about how to decrypt iTunes backups and get the keychain content, but sadly i was not able to get those methods to work with iOS 13.5 and macOS Mojave. i also didn’t find a way to extract the hardware keys on newer iPhones (in my case iPhone X and XS).
http://www.securitylearn.net/tag/decrypting-iphone-keychain-from-backups-on-windows/
https://dpron.com/recovering-google-authenticator-keys-from-ios-backups/
the second article even states, that this method doesn’t work anymore on newer iOS versions, but it reveals how to reconstruct the QR code from the keychain data.
i remembered some older tools, which were able to dump the keychain on the device itself and i eventually found keychain_dumper on github. but this didn’t work on iOS 13.5 and i noticed that this is an issue due changes from Apple. in this issue someone mentions also a tool called keychain_editor and the newest build is linked there too. with this i finally managed to read the keychain on my iPhone. later i found out that there is even a newer version on the repo (see below).
this was all i needed to know – now i just had to find the correct entry and do some encoding/decoding to create the QR code for the Google Authenticator app!
here is how you can do it yourself:
- jailbreak your phone (unc0ver, checkra1n)
- install OpenSSH from cydia
- install SQLite 3.x from cydia
- install keychaineditor from this repo https://miro92.com/repo/ (for iPhone X i had to use this version: https://shorturl.at/eoOW5)
- connect to your iPhone with SSH
- unlock your phone (important, kSecAttrAccessibleWhenUnlockedThisDeviceOnly protection is set)
- run “keychaineditor -f com.google.otp.authentication” (or the account name from the Authenticator app)
- check your phone, it might ask for the unlock code
it will now list all the accounts that you have in the Google Authenticator app, just like on the following screenshot (those are dummy accounts, which i scanned from google image search) :
since i had quite some of them, i decided to code a simple python script to parse this output and generate scannable QR codes from it. just copy the output from the above screenshot starting with [ and ending with ] into a file and use it with my script.
you can find the script on my github and run it with python3 just by supplying the keychain output in json format as a command line argument. it will automatically create the QR codes as png files in the same directory.
and now you can find scannable QR codes to setup those accounts on another device!
additional notes: the output might be different on lower iOS versions. i didn’t really invest time, but a quick check showed sightly different results. all this was done on iOS 13.5 – don’t know if this still works on iOS 14. most likely it will not on the iPhone X with checkra1n, because SEP is not available.
Enjoy!
Leave a Reply
You must be logged in to post a comment.