{"id":755,"date":"2020-11-16T17:31:47","date_gmt":"2020-11-16T16:31:47","guid":{"rendered":"https:\/\/kolbi.cz\/blog\/?p=755"},"modified":"2020-11-18T08:54:27","modified_gmt":"2020-11-18T07:54:27","slug":"extract-backup-and-restore-google-authenticator-keys-on-ios-migrate-accounts-jailbreak-required","status":"publish","type":"post","link":"https:\/\/kolbi.cz\/blog\/2020\/11\/16\/extract-backup-and-restore-google-authenticator-keys-on-ios-migrate-accounts-jailbreak-required\/","title":{"rendered":"Extract, Backup and Restore Google Authenticator Keys on iOS (Migrate Accounts) &#8211; Jailbreak required"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">everyone who changes mobile phones often like me, probably faced the issue that not really all settings are being migrated to a new phone. even using encrypted iTunes backups, some data will be missing on the new device. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">this is the case for the Google Authenticator app for example. i personally keep a backup of the keys, so i just can scan them again when i install the app on a different device, but for one account i forgot to do that and i noticed it only after i installed the new phone.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">i didn&#8217;t wipe the old device and still had access to the google authenticator app, but this particular account doesn&#8217;t allow self provisioning and i didn&#8217;t want to get in contact with the owner, just because i got a new phone.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">for other reasons i recently played with the iOS keychain and i learned, that some items only can be read when having the hardware AES keys. you can read about those over here on <a rel=\"noreferrer noopener\" href=\"https:\/\/www.theiphonewiki.com\/wiki\/AES_Keys\" target=\"_blank\">theiphonewiki<\/a> or <a href=\"http:\/\/cipherbox.blogspot.com\/2015\/10\/on-ios-firmware-and-key-decryption.html\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">the following articles have some good information about how to decrypt iTunes backups and get the keychain content, but sadly i was not able to get those methods to work with iOS 13.5 and macOS Mojave. i also didn&#8217;t find a way to extract the hardware keys on newer iPhones (in my case iPhone X and XS). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/www.securitylearn.net\/tag\/decrypting-iphone-keychain-from-backups-on-windows\/\">http:\/\/www.securitylearn.net\/tag\/decrypting-iphone-keychain-from-backups-on-windows\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/dpron.com\/recovering-google-authenticator-keys-from-ios-backups\/\">https:\/\/dpron.com\/recovering-google-authenticator-keys-from-ios-backups\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">the second article even states, that this method doesn&#8217;t work anymore on newer iOS versions, but it reveals how to reconstruct the QR code from the keychain data. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">i remembered some older tools, which were able to dump the keychain on the device itself and i eventually found <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/ptoomey3\/Keychain-Dumper\" target=\"_blank\">keychain_dumper <\/a>on github. but this didn&#8217;t work on iOS 13.5 and i noticed that this is an <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/ptoomey3\/Keychain-Dumper\/issues\/52\" target=\"_blank\">issue <\/a>due changes from Apple. in this issue someone mentions also a tool called <a rel=\"noreferrer noopener\" href=\"http:\/\/shorturl.at\/eoOW5\" target=\"_blank\">keychain_editor <\/a>and the newest build is linked there too. with this i finally managed to read the keychain on my iPhone. later i found out that there is even a newer version on the repo (see below).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">this was all i needed to know &#8211; now i just had to find the correct entry and do some encoding\/decoding to create the QR code for the Google Authenticator app!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">here is how you can do it yourself:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>jailbreak your phone (<a rel=\"noreferrer noopener\" href=\"https:\/\/unc0ver.dev\/\" target=\"_blank\">unc0ver<\/a>, <a rel=\"noreferrer noopener\" href=\"https:\/\/checkra.in\/\" target=\"_blank\">checkra1n<\/a>)<\/li><li>install OpenSSH from cydia<\/li><li>install SQLite 3.x from cydia<\/li><li>install keychaineditor from this repo <a rel=\"noreferrer noopener\" href=\"https:\/\/shorturl.at\/eoOW5\" target=\"_blank\"><\/a><a rel=\"noreferrer noopener\" href=\"https:\/\/miro92.com\/repo\/\" target=\"_blank\">https:\/\/miro92.com\/repo\/<\/a> (for iPhone X i had to use this version: <a href=\"https:\/\/shorturl.at\/eoOW5\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/shorturl.at\/eoOW5<\/a>)<\/li><li>connect to your iPhone with SSH<\/li><li>unlock your phone (important, kSecAttrAccessibleWhenUnlockedThisDeviceOnly protection is set)<\/li><li>run &#8220;keychaineditor -f com.google.otp.authentication&#8221; (or the account name from the Authenticator app)<\/li><li>check your phone, it might ask for the unlock code <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">it will now list all the accounts that you have in the Google Authenticator app, just like on the following screenshot (those are dummy accounts, which i scanned from google image search) :<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"554\" height=\"590\" src=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image.png\" alt=\"\" class=\"wp-image-759\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image.png 554w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-282x300.png 282w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">since i had quite some of them, i decided to code a simple python script to parse this output and generate scannable QR codes from it. just copy the output from the above screenshot starting with [ and ending with ] into a file and use it with my script.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">you can find the script on <a href=\"https:\/\/github.com\/kolbicz\/google_authenticator\" target=\"_blank\" rel=\"noreferrer noopener\">my github<\/a> and run it with python3 just by supplying the keychain output in json format as a command line argument. it will automatically create the QR codes as png files in the same directory. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"714\" height=\"139\" src=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-1.png\" alt=\"\" class=\"wp-image-760\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-1.png 714w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-1-300x58.png 300w\" sizes=\"auto, (max-width: 714px) 100vw, 714px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">and now you can find scannable QR codes to setup those accounts on another device!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"248\" src=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-3.png\" alt=\"\" class=\"wp-image-762\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-3.png 618w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2020\/11\/image-3-300x120.png 300w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">additional notes: the output might be different on lower iOS versions. i didn&#8217;t really invest time, but a quick check showed sightly different results. all this was done on iOS 13.5 &#8211; don&#8217;t know if this still works on iOS 14. most likely it will not on the iPhone X with checkra1n, because SEP is not available.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>everyone who changes mobile phones often like me, probably faced the issue that not really all settings are being migrated to a new phone. even <a class=\"mh-excerpt-more\" href=\"https:\/\/kolbi.cz\/blog\/2020\/11\/16\/extract-backup-and-restore-google-authenticator-keys-on-ios-migrate-accounts-jailbreak-required\/\" title=\"Extract, Backup and Restore Google Authenticator Keys on iOS (Migrate Accounts) &#8211; Jailbreak required\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":766,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[31,32,30],"class_list":["post-755","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-ios","tag-jailbreak","tag-security"],"_links":{"self":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/comments?post=755"}],"version-history":[{"count":11,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/755\/revisions"}],"predecessor-version":[{"id":771,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/755\/revisions\/771"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media\/766"}],"wp:attachment":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media?parent=755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/categories?post=755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/tags?post=755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}