File decryption mode detection failure
There are two types of Data Protection encryption that may be present on files, namely AES-CBC and AES-XTS. The AUTO switch, which is enabled by default, is only accurate about 95% of the time. As far as I'm aware, the same mode is used throughout the backup.
If you experience file corruption, please try switching between the modes manually with either --mode CBC or --mode XTS. The logger output should tell you which mode you're currently in, so try the other one.
Hopefully someone out there who knows how it works will let us know... Failing that, there is a workaround I'll implement at some point.
According to the iOS Security Guide, AES-XTS is used on devices with an A8 processor. We could also assume it is used on devices with an A9 processor. This list of devices includes:
- iPhone 6
- iPhone 6 Plus
- iPhone 6s
- iPhone 6s Plus
- iPhone SE
- iPod Touch 6th Gen
- iPad mini 4
Maybe you could enable AES-XTS when the model number (A number, variant, or identifier) in the iCloud backup matches the model number of one of the devices listed above.
Unfortunately it isn't as simple as that. All of my personal backups on an iPhone 6 are AES-CBC despite the fact that the backups have never touched a pre-A8 processor device, and Apple's own documentation says it should be AES-XTS. They are all cleanly generated with each new phone and OS build. Both of my iOS 9 and iOS 10 backups use AES-CBC. I've seen this on other backups I have access to. Now, almost universally I have seen that the 6s does use AES-XTS, but that is anecdotal.
Thanks for the feedback. Unfortunately, as @mattandersen has also mentioned, the hardware model isn't an accurate gauge of the encryption mode.
If all else fails, I'll have to code in a routine to download a plist or similar, test decrypt it and then move on to the rest of the backup. It's just not an elegant or correct solution.
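The trial-decryption workaround described in the last comment, as an added sketch that is not part of the thread or the project's code: decrypt one known plist under each candidate mode and keep the single mode whose output parses. The names `detect_mode`, `looks_like_plist` and `DECRYPTORS` are hypothetical, and the two decryptors are constructed hash-based stand-ins for the real AES-CBC and AES-XTS routines so the block runs with the standard library only.

```python
import hashlib
import plistlib

def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Constructed keystream; stands in for a real AES mode so this runs offline."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_stand_in(data: bytes, key: bytes, label: bytes) -> bytes:
    """Reversible toy transform (same call encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))

# Hypothetical stand-ins for the tool's real AES-CBC / AES-XTS file decryptors.
DECRYPTORS = {
    "CBC": lambda ct, key: xor_stand_in(ct, key, b"cbc"),
    "XTS": lambda ct, key: xor_stand_in(ct, key, b"xts"),
}

def looks_like_plist(data: bytes) -> bool:
    """Wrong-mode output is noise: it fails the magic check or the full parse."""
    if not data.startswith((b"bplist00", b"<?xml")):
        return False
    try:
        plistlib.loads(data)
        return True
    except Exception:
        return False

def detect_mode(ciphertext: bytes, key: bytes, decryptors=DECRYPTORS) -> str:
    """Return the one mode whose output parses as a plist; refuse to guess otherwise."""
    hits = [name for name, dec in decryptors.items()
            if looks_like_plist(dec(ciphertext, key))]
    if len(hits) != 1:
        raise ValueError(f"mode undetermined, candidates: {hits}")
    return hits[0]

# Constructed sample: a small binary plist "encrypted" with the XTS stand-in.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PLAIN = plistlib.dumps({"ProductType": "example"}, fmt=plistlib.FMT_BINARY)
SAMPLE_CT = xor_stand_in(SAMPLE_PLAIN, SAMPLE_KEY, b"xts")

if __name__ == "__main__":
    print(detect_mode(SAMPLE_CT, SAMPLE_KEY))
```

Raising when zero or both modes match keeps a bad key or a non-plist test file from silently selecting a mode for the rest of the backup.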