Skip to content

techtrialsajm-tech/ios4-backup-extractor

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ios4-backup-extractor

Extract and decrypt files from encrypted iOS 4.x iTunes backups.

Supports iOS 4.0 – 4.3.x backups created by iTunes on Windows or macOS. Decrypts photos, videos, voicemails, iMessages, contacts, and audio using the backup password — no jailbreak or iTunes access required.

Background

iOS 4.x backups use a keybag stored in Manifest.plist with per-class AES-256 keys protected by PBKDF2-HMAC-SHA1 key derivation. Each file's encryption key is embedded in the Manifest.mbdb binary manifest as the 5th string field (4 bytes LE protection class + 40 bytes RFC 3394 wrapped key). This tool implements the full decryption chain including key derivation, key unwrapping, and AES-256-CBC file decryption.

Note: iOS 5+ changed the manifest format (keybag structure and property encoding differ). This tool targets iOS 4.x exclusively.

What it extracts

Category File types
Photos .jpg, .jpeg, .png, .gif, .heic, .bmp, .tiff, .webp
Videos .mp4, .mov, .m4v, .avi, .3gp, .m4r
Voicemail .amr, .m4a, .caf
Messages sms.db, chat.db
Contacts AddressBook.sqlitedb
Audio .mp3, .m4a, .aac, .wav, .ogg

Requirements

pip install pycryptodome

Where is my backup?

Platform Path
Windows C:\Users\<user>\AppData\Roaming\Apple Computer\MobileSync\Backup\<hash>
macOS ~/Library/Application Support/MobileSync/Backup/<hash>

The <hash> folder is the backup directory to pass to --backup.

Usage

# Dry run — shows what would be extracted
python ios4_backup_extractor.py -p "YourBackupPassword" --backup /path/to/backup/hash

# Actually extract
python ios4_backup_extractor.py -p "YourBackupPassword" --backup /path/to/backup/hash --execute

Output is written to <backup>_readable/ next to the backup directory, organized into category subfolders.

How it works

  1. Key derivation — reads the keybag from Manifest.plist, derives a passcode key via PBKDF2-HMAC-SHA1 (or SHA256 with DPSL salt for newer iOS 4.x devices)
  2. Class key unwrap — uses RFC 3394 AES unwrap to recover per-protection-class AES keys
  3. Manifest parsing — reads Manifest.mbdb, extracts domain, path, size, protection class, and wrapped file key for each file
  4. File decryption — for each file: unwrap the file key with the class key, decrypt with AES-256-CBC (null IV), strip PKCS7 padding
  5. Output — categorized and written to <backup>_readable/<Category>/

Security notes

  • Your backup password is passed on the command line. On shared systems consider clearing shell history afterward.
  • Decrypted output contains personal data. Handle accordingly.
  • The script does not modify or delete the original backup.

License

Apache License 2.0 — see LICENSE.

About

Decrypt and extract files from encrypted iOS 4.x iTunes backups (photos, videos, voicemail, contacts)

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages