Extract and decrypt files from encrypted iOS 4.x iTunes backups.
Supports iOS 4.0 – 4.3.x backups created by iTunes on Windows or macOS. Decrypts photos, videos, voicemails, iMessages, contacts, and audio using the backup password — no jailbreak or iTunes access required.
iOS 4.x backups use a keybag stored in Manifest.plist with per-class AES-256 keys protected by PBKDF2-HMAC-SHA1 key derivation. Each file's encryption key is embedded in the Manifest.mbdb binary manifest as the 5th string field (4 bytes LE protection class + 40 bytes RFC 3394 wrapped key). This tool implements the full decryption chain including key derivation, key unwrapping, and AES-256-CBC file decryption.
Note: iOS 5+ changed the manifest format (keybag structure and property encoding differ). This tool targets iOS 4.x exclusively.
| Category | File types |
|---|---|
| Photos | .jpg, .jpeg, .png, .gif, .heic, .bmp, .tiff, .webp |
| Videos | .mp4, .mov, .m4v, .avi, .3gp, .m4r |
| Voicemail | .amr, .m4a, .caf |
| Messages | sms.db, chat.db |
| Contacts | AddressBook.sqlitedb |
| Audio | .mp3, .m4a, .aac, .wav, .ogg |
- Python 3.8+
- pycryptodome
pip install pycryptodome
| Platform | Path |
|---|---|
| Windows | C:\Users\<user>\AppData\Roaming\Apple Computer\MobileSync\Backup\<hash> |
| macOS | ~/Library/Application Support/MobileSync/Backup/<hash> |
The <hash> folder is the backup directory to pass to --backup.
# Dry run — shows what would be extracted
python ios4_backup_extractor.py -p "YourBackupPassword" --backup /path/to/backup/hash
# Actually extract
python ios4_backup_extractor.py -p "YourBackupPassword" --backup /path/to/backup/hash --executeOutput is written to <backup>_readable/ next to the backup directory, organized into category subfolders.
- Key derivation — reads the keybag from
Manifest.plist, derives a passcode key via PBKDF2-HMAC-SHA1 (or SHA256 with DPSL salt for newer iOS 4.x devices) - Class key unwrap — uses RFC 3394 AES unwrap to recover per-protection-class AES keys
- Manifest parsing — reads
Manifest.mbdb, extracts domain, path, size, protection class, and wrapped file key for each file - File decryption — for each file: unwrap the file key with the class key, decrypt with AES-256-CBC (null IV), strip PKCS7 padding
- Output — categorized and written to
<backup>_readable/<Category>/
- Your backup password is passed on the command line. On shared systems consider clearing shell history afterward.
- Decrypted output contains personal data. Handle accordingly.
- The script does not modify or delete the original backup.
Apache License 2.0 — see LICENSE.