11-21-2019, 12:36 PM
Hi, I found:
https://www.researchgate.net/publication...martphones
and
https://github.com/RealityNet/kobackupdec
and I wonder if anyone here could implement a method similar to -m 10900 that would crack the password for the algorithm described in the above article and then implemented in the kobackupdec tool.
Basically, there is an info.xml file for a Huawei backup that has some hashes inside, which are then parsed by kobackupdec (a Python script).
KEY_SALT in kobackupdec is the first 16 bytes of the pwkey_salt hash from info.xml.
KEY NONCE in kobackupdec is the last 16 bytes of the pwkey_salt hash from info.xml.
There is also an e_perbackupkey hash in info.xml, used to get _bkey, which is needed to calculate KEY check expected, which should be equal to the first 32 bytes of the checkMsg hash from info.xml.
SALT in kobackupdec is the last 32 bytes of the checkMsg hash from info.xml.
Here is the essential part of the kobackupdec script, slightly modified:
import binascii
import logging
import pdb

from Crypto.Cipher import AES
from Crypto.Hash import HMAC, SHA256
from Crypto.Protocol.KDF import PBKDF2

class Decryptor:
    # Excerpt: dklen, count and the _upwd, _pwkey_salt, _e_perbackupkey and
    # _checkMsg attributes are defined elsewhere in kobackupdec.

    @staticmethod
    def prf(p, s):
        pdb.set_trace()  # debugger breakpoint on every PRF call
        return HMAC.new(p, s, SHA256).digest()

    def crypto_init(self):
        # Stage 1: derive the AES key from the user password.
        key_salt = self._pwkey_salt[:16]
        logging.debug('KEY_SALT[%s] = %s', len(key_salt), binascii.hexlify(key_salt))
        key = PBKDF2(self._upwd, key_salt, Decryptor.dklen, Decryptor.count, Decryptor.prf)
        logging.debug('KEY[%s] = %s', len(key), binascii.hexlify(key))
        nonce = self._pwkey_salt[16:]
        logging.debug('KEY NONCE[%s] = %s', len(nonce), binascii.hexlify(nonce))
        # Stage 2: decrypt the per-backup key (the GCM tag is not verified here).
        cipher = AES.new(key, mode=AES.MODE_GCM, nonce=nonce)
        self._bkey = cipher.decrypt(self._e_perbackupkey)[:32]
        logging.debug('self._e_perbackupkey[%s] = %s', len(self._e_perbackupkey), binascii.hexlify(self._e_perbackupkey))
        logging.debug('[%s] = %s', len(self._bkey), binascii.hexlify(self._bkey))
        # Stage 3: run PBKDF2 over the backup key and compare with checkMsg[:32].
        salt = self._checkMsg[32:]
        logging.debug('SALT[%s] = %s', len(salt), binascii.hexlify(salt))
        res = PBKDF2(self._bkey, salt, Decryptor.dklen, Decryptor.count, Decryptor.prf, hmac_hash_module=None)
        logging.debug('KEY check expected = %s', binascii.hexlify(self._checkMsg[:32]))
        logging.debug('RESULT = %s', binascii.hexlify(res))
        if res == self._checkMsg[:32]:
            logging.info('OK, backup key is correct %s' % self._upwd)
            self._good = True
        else:
            logging.error('KO, backup key is wrong %s' % self._upwd)
            self._good = False
The script is covered by license:
# Huawei KoBackup backups decryptor.
#
# Version History
# - 20190729: first public release
#
# Released under MIT License
#
# Copyright (c) 2019 Francesco "dfirfpi" Picasso, Reality Net System Solutions
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
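The field layout described in the post, as an added example that is not part of the original post or of kobackupdec: it splits pwkey_salt and checkMsg and runs only the final checkMsg comparison for an already-known backup key, using the standard library's PBKDF2-HMAC-SHA256 in place of pycryptodome. Assumptions: the info.xml values are hex strings, COUNT and DKLEN are stand-ins for Decryptor.count and Decryptor.dklen (not shown in the post), and all sample values are constructed.

```python
import hashlib
import hmac
from typing import NamedTuple

# Assumptions: Decryptor.count and Decryptor.dklen are not shown in the post,
# so these are stand-in values; info.xml values are taken to be hex strings.
COUNT = 1000
DKLEN = 32

class CheckFields(NamedTuple):
    key_salt: bytes        # first 16 bytes of pwkey_salt
    key_nonce: bytes       # last 16 bytes of pwkey_salt
    check_expected: bytes  # first 32 bytes of checkMsg
    check_salt: bytes      # last 32 bytes of checkMsg

def split_fields(pwkey_salt_hex: str, checkmsg_hex: str) -> CheckFields:
    """Split the two info.xml values as the post describes, checking sizes."""
    pwkey_salt = bytes.fromhex(pwkey_salt_hex)
    check_msg = bytes.fromhex(checkmsg_hex)
    if len(pwkey_salt) != 32:
        raise ValueError(f"pwkey_salt: expected 32 bytes, got {len(pwkey_salt)}")
    if len(check_msg) != 64:
        raise ValueError(f"checkMsg: expected 64 bytes, got {len(check_msg)}")
    return CheckFields(pwkey_salt[:16], pwkey_salt[16:],
                       check_msg[:32], check_msg[32:])

def backup_key_matches(bkey: bytes, fields: CheckFields) -> bool:
    """Final stage only: PBKDF2-HMAC-SHA256(bkey, SALT) against checkMsg[:32]."""
    res = hashlib.pbkdf2_hmac("sha256", bkey, fields.check_salt, COUNT, DKLEN)
    return hmac.compare_digest(res, fields.check_expected)

def demo_fields():
    """Constructed sample values, not taken from a real backup."""
    bkey = bytes(range(32))
    salt = bytes([0xA5]) * 32
    expected = hashlib.pbkdf2_hmac("sha256", bkey, salt, COUNT, DKLEN)
    pwkey_salt_hex = bytes(range(0x40, 0x60)).hex()
    return bkey, split_fields(pwkey_salt_hex, (expected + salt).hex())

if __name__ == "__main__":
    bkey, fields = demo_fields()
    print("KEY_SALT  =", fields.key_salt.hex())
    print("KEY NONCE =", fields.key_nonce.hex())
    print("correct backup key:", backup_key_matches(bkey, fields))
    print("wrong backup key:  ", backup_key_matches(bytes(32), fields))
```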