How to decrypt an encrypted Apple i. Tunes i. Phone backup Ive been asked by a number of unfortunate i. Phone users to help them restore data from their i. Bose Wave Cd Changer Update Disc For Navigation. Tunes backups. This is easy when they are unencrypted, but not when they are encrypted, whether or not the password is known. As such, Im trying to figure out the encryption scheme used on mddata and mdinfo files when encrypted. I have no problems reading these files otherwise, and have built some robust C libraries for doing so. If youre able to help, I dont care which language you use. Its the principle Im after hereThe Apple i. Phone OS Enterprise Deployment Guide states that Device backups can be stored in encrypted format by selecting the Encrypt i. Phone. Backup option in the device summary pane of i. Tunes. Files are encrypted using AES1. The key is stored securely in the i. Phone keychain. Thats a pretty good clue, and theres some good info here on Stackoverflow on i. Phone AESRijndael interoperability suggesting a keysize of 1. CBC mode may be used. Continuity All your devices. One seamless experience. Your Mac works with your other Apple devices in ways no other computer can. If you get a call on your iPhone. A communitybuilt site of hints and tips on using Apples new Mac OS X operating system. Ive been asked by a number of unfortunate iPhone users to help them restore data from their iTunes backups. This is easy when they are unencrypted, but not when they. Aside from any other obfuscation, a key and initialisation vector IVsalt are required. One might assume that the key is a manipulation of the backup password that users are prompted to enter by i. Tunes and passed to Apple. Mobile. Backup. exe, padded in a fashion dictated by CBC. However, given the reference to the i. Phone keychain, I wonder whether the backup password might not be used as a password on an X5. AES and the i. Tunes encryptdecrypt process is symmetric. The IV is another matter, and it could be a few things. Perhaps its one of the keys hard coded into i. Tunes, or into the devices themselves. Although Apples comment above suggests the key is present on the devices keychain, I think this isnt that important. One can restore an encrypted backup to a different device, which suggests all information relevant to the decryption is present in the backup and i. Tunes configuration, and that anything solely on the device is irrelevant and replacable in this context. So where might be the key beIve listed paths below from a Windows machine but its much of a muchness whichever OS we use. The appdataRoamingApple Computeri. Tunesitunesprefs. PList with a Keychain dict entry in it. The programdataappleLockdown0. PList with Device. Certificate, Host. Certificate, and Root. Certificate, all of which appear to be valid X5. The same file also appears to contain asymmetric keys Root. Iphone Keychain Access Script Download Files' title='Iphone Keychain Access Script Download Files' />Private. Key and Host. Private. Key my reading suggests these might be PKCS 7 enveloped. Also, within each backup there are Auth. Signature and Auth. Data values in the Manifest. Theres a lot of misleading stuff out there suggesting getting data from encrypted backups is easy. Its not, and to my knowledge it hasnt been done. Bypassing or disabling the backup encryption is another matter entirely, and is not what Im looking to do. This isnt about hacking apart the i. In iTunes backup, the iPhone Keychain sqlite database is stored as a Plist file. The Keychain file gets stored with 51a4616e576dd33cd2abadfea874eb8ff246bf0e file name. Iphone Keychain Access Script Download Files' title='Iphone Keychain Access Script Download Files' />Phone or anything like that. All Im after here is a means to extract data photos, contacts, etc. Tunes backups as I can unencrypted ones. Ive tried all sorts of permutations with the information Ive put down above but got nowhere. Id appreciate any thoughts or techniques I might have missed.