Hi,

I am wondering if it's only me (maybe a package I have installed that is causing this), but keychain_dumper is not finding items on iOS 13.5. It does not even prompt for a passcode when I run the tool.

# ./keychain_dumper -a
[INFO] No Generic Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Internet Password Keychain items found.
[HINT] You should unlock your device!
[INFO] No Identity Keychain items found.
[HINT] You should unlock your device!
[INFO] No Certificate Keychain items found.
[HINT] You should unlock your device!
[INFO] No Key Keychain items found.
[HINT] You should unlock your device!

# ls -l /private/var/Keychains/keychain-2.db
-rw-r--r-- 1 _securityd wheel 1732608 Jun  3 01:13 /private/var/Keychains/keychain-2.db

Tried it with:

• iPhone X and iPad Pro Gen 2
• both with iOS version 13.5
• both jailbroken with checkra1n 0.10.2
• Used the latest-greatest binary from this repo (~12h old ATM)

Can someone please confirm/refute this?

Thanks!

• Adapted Key/Cert dumping
• Fixed errors
• Added accessible attribute dumping
• Added ability to dump all Keychain Items of a certain entitlement group
• Added some colors

Tested on iOS 12.1 arm64 device.

I just upload "keychain_dumper" via SSH to my iPad 2(it's iPad 2,1) which is running iOS 5.1.1. But once I try to run ./keychain_dumper, It said that "Killed: 9" Then I tried "ldid -S keychain_dumper" and then "./keychain_dumper", I still received a "Killed: 9". I don't have a Mac, so it could be a diffcult thing for me to compile it by myself. So If there is anyway to solve this problem?

The tool seems to work great, I was able to dump keychain on a iphone 5S / 7.1.2. However, when dumping identities, the actual private key does not seem to be dumped.

Example:

Key

---
Entitlement Group: com.apple.apsd
Label: APSClientIdentity
Application Label: <20byte identifier>
Key Class: Private
Permanent Key: True
Key Size: 1024
Effective Key Size: 1024
For Encryption: False
For Decryption: True
For Key Derivation: True
For Signatures: True
For Signature Verification: False
For Key Wrapping: False
For Key Unwrapping: True

Is it possible to extract the actual 128byte private key DATA also, or am I missing something?

It would be great to be able to script this, but at the moment -s requires user input. Is it possible to change a few of the user args to changes behaviour e.g

-l : list all entitlements (same as -s but don't ask for 'Select Entitlement Group by Number') -g : dump all entitlements for the group from the numbered list above/ entitlement group ID/name

Complete process:

root# keychain_dumper -l
Entitlement Group [0]: 243LU875E5.com.example.Me
Entitlement Group [1]: 37CJY58B6M.org.Foo.Bar
Entitlement Group [2]: 3N5VQ668Y7.com.MyApp

root# keychain_dumper -g 2
[INFO] 5QRQZ3BQNM.com.MyApp selected.

I would attempt to have a go myself, but make doesn't work for me, separate issue raised.

I received an email from someone asking if I knew how to dump credentials from Google Authenticator, as the user was trying to move to a new phone and had a ton of TOTP codes stored. They noticed that the elements in Google Authenticator weren't accessible. They also mentioned that it appeared these elements had the "ThisDevice" protection class. The full list can be found on https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values. It wasn't clear to me, but I'm guessing Google is using either kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly or kSecAttrAccessibleWhenUnlockedThisDeviceOnly. I don't see why this would prevent access on the current device, but I'm also not at all familiar with the "ThisDevice" option. It has been a number of years, but I don't recall that being available however many years back when this tool was first written (it very well could have been and I've forgotten though).

I no longer have a jailbroken phone to test/debug this with. So, I was hoping some recent contributors might have more up to date info about this protection class and whether it is something that we an support or not. /cc @mechanico @0xln @vocaeq

Keychain-Dumper is an awesome tool for jailbreaked iOS devices. I made some changes to build on Yosemite and run on iOS 8.

1. changed Makefile to build more easily
2. fixed #7
3. add a build and run gif demo in Readme, for new users.

Thank you @ptoomey3

Hi Patrick Toomey,

I have to say that your code was very helpful to me. I downloaded your binary and ran it on IOS 6 on an iPad 3 where I needed to inspect some of my passwords.

Worked like a charm, although it was written for IOS 5!

I would like to send you my warmest thanks - I'm really grateful. Keep up the good work.

cheers - chris

Trying to get a binary that works on iOS 11/12 , so followed the build steps, but it fails on 'make'

macOS 10.14.6

$ make
xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -arch armv7 -arch armv7s -arch arm64 -c main.m
main.m:67:10: error: 'launchPath' is unavailable: not available on iOS
    task.launchPath = executablePath;
         ^

   note: 
         'launchPath' has been explicitly marked unavailable here
   @property (nullable, copy) NSString *launchPath 
   API_DEPRECATED_WITH_REPLACEMENT("executableU...
                                    ^
   main.m:71:11: error: 'launch' is unavailable: not available on iOS
       [task launch];
             ^```
```/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Foundation.framework/Versions/C/Headers/NSTask.h:78:1: note: 
         'launch' has been explicitly marked unavailable here
   - (void)launch API_DEPRECATED_WITH_REPLACEMENT("launchAndReturnError:", macos(10.0, API_TO_B...
   ^
   2 errors generated.
   make: *** [main.o] Error 1```

This may be a problem with the unc0ver jailbreak (v3.0.0-b46) on iPhone 5s and not a bug in Keychain-Dumper, however trying to run a binary I compiled myself on iOS 12 I'm getting:

# ./keychain_dumper
Killed: 9

dmesg output:

Sandbox: bash(1243) System Policy: deny(1) process-exec* /private/var/root/keychain_dumperSandbox: hook..execve() killing keychain_dumper[pid=1243, uid=0]: (err=1) process-exec denied while updating labe

#cd /private/var/Keychains/
#chmod 777 /bin/keychain_dumper
#/bin/keychain_dumper > keychain-export.txt

dyld: Symbol not found: _objc_opt_new Referenced from: /bin/keychain_dumper (which was built for iOS 13.5) Expected in: /usr/lib/libobjc.A.dylib in /bin/keychain_dumper Abort trap: 6

The device info : iOS 12.4 iPhone6

Is there a specific version of the iPhone SDK this needs to be built with?

dyld: symbol '_objc_release_x19' not found, expected in '/usr/lib/libobjc.A.dylib', needed by '/private/var/tmp/./keychain_dumper'

Getting that error when attempting to to run after building using the latest xcode beta (with ios 16 sdk only). Will attempt using the 14.0.1 sdk, but thought it was worth an ask.

I’ve been successfully dumping some keychain data in iOS 13 but in iOS 14 I’ve been unable to dump the data unfortunately with option -g it did not get me any data. From The same specific application. Any advice on how I can make keychain dumper work on IOS 14?

kind regards

I used checkra1n to jailbreak the device (iphone 6), after that I ssh into the phone and when trying to execute the executable it spits out this error

dyld: Symbol not found: _objc_opt_new Referenced from: /private/var/tmp/./keychain_dumper (which was built for iOS 14.4) Expected in: dyld shared cache in /private/var/tmp/./keychain_dumper Abort trap: 6

Also am I supposed to transfer only the executable or the whole directory?

What do i when an app is presenting this?

Label: (null)
Accessible Attribute: kSecAttrAccessibleWhenUnlocked, protection level 2 (default)
Application Label: <>
Application Tag: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Key Class: Public
Key Size: 0
Effective Key Size: 0
[INFO] Malformed key data detected. Check/Cleanup KeyChain manually.

keychain_dumper does not work anymore on my iPhoneSE with iOS 14. Following happened:

iPhone-von-MartinSE:/private/var/Keychains root# ./keychain_dumper -a [INFO] No Generic Password Keychain items found. [HINT] You should unlock your device! [INFO] No Internet Password Keychain items found. [HINT] You should unlock your device! [INFO] No Identity Keychain items found. [HINT] You should unlock your device! [INFO] No Certificate Keychain items found. [HINT] You should unlock your device! [INFO] No Key Keychain items found. [HINT] You should unlock your device! iPhone-von-MartinSE:/private/var/Keychains root#

Although the device is unlocked, jailbroken (by checkra1n), and the keychain_dumper is executable. The command 'keychain_dumper -e' does work, but 'keychain_dumper -s' and entering a number causes the same result as above.