iOS 14.2 - IOS 14.5 about keychain-dumper HOT 6 OPEN

I can confirm keychain_dumper is impacted by rate limiting capabilities on the Secure Enclave Processor (SEP) when accessing the KeyChain, as described above by @utkanos in comment "#68 (comment)".

In a jailbroken iOS 14.x device keychain_dumper works if you clean-up the "ent.xml" file for your target app (reducing the number of entries), and re-apply the entitlements to the binary:

1. Modify the "./updateEntitlements.sh" script not to remove the "/usr/bin/ent.xml" output file.
2. Copy and edit the "/usr/bin/ent.xml" for your target, reducing the number of entries (<36, see comment above).
3. Copy the new "ent.xml" file back and re-apply it to the binary:

# cp ent.xml /usr/bin
# cd /usr/bin
# ldid -Sent.xml keychain_dumper

from keychain-dumper.

I suggest generating a warning related to the number of entries in the "ent.xml" file inside the "updateEntitlements.sh", once the file is created in "/usr/bin" and before applying it to the binary via "ldid". Also, a warning could be added to the README for users to be aware of that limitation in case they do not get any results.

Unfortunately, manual modification of "ent.xml" is required by now... A future option could be generating a generic "ent.xml" file only including Apple related entitlements, and another "ent.xml" file specific for a target app.

from keychain-dumper.

For folks getting no output using this tool, make sure you've updated the entitlements using the provided script on the device. If you are still getting just the hint about unlocking your device and finding no items, the problem is that your entitlements list is too long. I am still investigating why that's the case, but my current guess is that you are restricted in how many queries you can run against the SEP. I am seeing SEP operation failures if the entitlement list is too long.

So that said, the magic number seems to be 36. If you examine your entitlements.xml and you have MORE than 36 attributes corresponding to keychain entitlements, the program will bail without providing any output. While I continue to track down whether it's a hard limit of entitlements (doubtful) or the program trying too many requests (current hunch), the way to use this on iOS 14.x is to ensure your entitlements list is less than 36. Don't forget to use ldid to update the binary entitlement after you edit the file.

tl;dr if you use the -e flag to create entitlements, it's likely that your list is now too long and you need to remove items from it in order to get output. If time permits I'll dig more into this problem, but for my purposes the tool is functional. Entitlements will be a personal thing anyway, so hacking around this seems not that crucial to me.

from keychain-dumper.

@raulsiles - The instructions you listed above..should they either land in the top-level readme and/or get added to some updated script in the repo?

from keychain-dumper.

can you please make it simple with steps, becouse I face this issue and try a lot to resolve it but it really did not solve it, I have ios 14.X and still this issue exists.

from keychain-dumper.

can you please make it simple with steps, becouse I face this issue and try a lot to resolve it but it really did not solve it, I have ios 14.X and still this issue exists.

The below will remove all rubbish Apple strings and resign the binary with the new ent2.xml entitlements file.

keychain_dumper -e > ent.xml
grep -v -e '<string>com.apple.PassbookUIService</string>' -e '<string>com.apple.ProtectedCloudStorage</string>' -e '<string>com.apple.ProtectedCloudStorage.KTAccountKey</string>' -e '<string>com.apple.Spotlight</string>' -e '<string>com.apple.TextInput</string>' -e '<string>com.apple.applesse</string>' -e '<string>com.apple.apsd</string>' -e '<string>com.apple.assistant</string>' -e '<string>com.apple.bluetooth</string>' -e '<string>com.apple.certificates</string>' -e '<string>com.apple.cfnetwork</string>' -e '<string>com.apple.cloudd</string>' -e '<string>com.apple.continuity.unlock</string>' -e '<string>com.apple.hap.pairing</string>' -e '<string>com.apple.healthrecordsd</string>' -e '<string>com.apple.icloud.searchpartyd</string>' -e '<string>com.apple.identityservicesd</string>' -e '<string>com.apple.ind</string>' -e '<string>com.apple.internal.seserviced.keysync.recoveryblobs</string>' -e '<string>com.apple.ndoagent</string>' -e '<string>com.apple.networkserviceproxy</string>' -e '<string>com.apple.passd</string>' -e '<string>com.apple.rapport</string>' -e '<string>com.apple.sbd</string>' -e '<string>com.apple.security.ckks</string>' -e '<string>com.apple.security.egoIdentities</string>' -e '<string>com.apple.security.octagon</string>' -e '<string>com.apple.security.sos</string>' -e '<string>com.apple.security.sos-usercredential</string>' -e '<string>com.apple.sharing.appleidauthentication</string>' -e '<string>com.apple.telephonyutilities.callservicesd</string>' -e '<string>com.apple.transparencyd</string>' -e '<string>group.com.apple.notes</string>' -e '<string>ichat</string>' -e '<string>lockdown-identities</string>' -e '<string>online-auth-agent</string>' -e '<string>searchpartyd-baa-fmna-group</string>' -e '<string>wifianalyticsd</string>' -e '<string>apple</string>' -e '<string>apple account</string>' "ent.xml" > "ent2.xml"
ldid -Sent2.xml /usr/bin/keychain_dumper

from keychain-dumper.