Decrypt an encrypted iOS 13+ backup created by iTunes on Windows
- Users starred: 17
- Users forked: 4
- Users watching: 3
- Updated at: 2020-03-12 23:47:16
Requires Python 3.4 or higher.
The code requires a cryptographic library providing the
pycryptodome (but note that this clashes with
pycrypto, if that is already installed).
The backup decryption keys are protected using 10 million rounds of PBKDF2 with SHA256, then 10 thousand further iterations of PBKDF2 with SHA-1.
To speed up decryption,
fastpbkdf2 is desirable; otherwise the code will fall back to using standard library functions.
The fallback is much slower, but does not require the complicated build and install of
pip install biplist pycryptodome fastpbkdf2
Minimal required dependencies (automatically installed):
pip install biplist pycryptodome
Install directly from GitHub via
pip install git+https://github.com/jsharkey13/iphone_backup_decrypt # Optionally: pip install fastpbkdf2
This code decrypts the backup using the passphrase chosen when encrypted backups were enabled in iTunes.
relativePath of the file(s) to be decrypted also needs to be known.
Very common files, like those for the call history or text message databases, can be found in the
RelativePath class: e.g. use
RelativePath.CALL_HISTORY instead of the full
If the relative path is not known, you can manually open the
Manifest.db SQLite database and explore the
Files table to find those of interest.
After creating the class, use the
EncryptedBackup.save_manifest_file(...) method to store a decrypted version.
A minimal example to decrypt and extract some files might look like:
from iphone_backup_decrypt import EncryptedBackup, RelativePath, RelativePathsLike passphrase = "..." # Or load passphrase more securely from stdin, or a file, etc. backup_path = "%AppData%\\Apple Computer\\MobileSync\\Backup\\[device-specific-hash]" backup = EncryptedBackup(backup_directory=backup_path, passphrase=passphrase) # Extract the call history SQLite database: backup.extract_file(relative_path=RelativePath.CALL_HISTORY, output_filename="./output/call_history.sqlite") # Extract all photos from the camera roll: backup.extract_files(relative_paths_like=RelativePathsLike.CAMERA_ROLL, output_folder="./output/camera_roll")