Create a gist now

Instantly share code, notes, and snippets.

@geekman /parse_keybag.py
Created Mar 3, 2017

What would you like to do?
Download ZIP
extract & parse the BackupKeyBag from an iTunes Backup
Raw
parse_keybag.py
#!/usr/bin/env python
#
# extracts and parse BackupKeyBag
#
# 2017.02.04 darell tan
#
from plist import *
import struct
import sys
from binascii import hexlify
from collections import OrderedDict
try:
from cStringIO import StringIO
except:
from StringIO import StringIO
def getKeybagFile(manifest_file):
"""
Retrieves the BackupKeyBag embedded within the Manifest.plist.
"""
with open(manifest_file, 'rb') as f:
data = f.read()
pl = Structure.from_bin(data) if data.startswith('bplist') \
else Structure.from_xml(data)
assert 'Version' in pl
return StringIO(pl['BackupKeyBag'].get_value())
class Keybag:
def __init__(self, f):
self.hdr = OrderedDict()
self.keys = []
self.f = f if hasattr(f, 'read') else open(f, 'rb')
self._parse()
def _parse(self):
keys = []
currKey = OrderedDict()
while True:
hdr = self.f.read(4+4)
if hdr == '':
break
typ, sz = struct.unpack('>4sI', hdr)
data = self.f.read(sz)
if sz == 4:
data, = struct.unpack('>I', data)
# UUID usually first item of each entry
if typ == 'UUID':
if 'UUID' in currKey:
keys.append(currKey)
else:
self.hdr = currKey
currKey = OrderedDict()
currKey[typ] = data
if currKey:
keys.append(currKey)
self.keys = keys
def dump(self):
for k, v in self.hdr.iteritems():
print k, v
print '-' * 10
def decode(typ, val):
if typ == 'UUID':
v = hexlify(val)
return '%s...%s' % (v[:6], v[-4:])
elif not isinstance(val, (int, long)):
return hexlify(val)
else:
return repr(val)
for key in self.keys:
print ', '.join('%s: %s' % (k, decode(k, v)) \
for k, v in key.iteritems())
def __repr__(self):
return repr(self.keys)
def main():
stream = getKeybagFile(sys.argv[1])
k = Keybag(stream)
k.dump()
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment