apple_cloud_notes_parser

Caught KDFError trying to generate PBKDF2 key

Open macsecur opened this issue 9 months ago • 2 comments

Added 3 passwords to the AppleDecrypter from /data/pwd.txt
Created a new AppleBackup from single file: /data/NoteStore.sqlite
Guessed Notes Version: 18
Caught KDFError trying to generate PBKDF2 key
Caught KDFError trying to generate PBKDF2 key
Caught KDFError trying to generate PBKDF2 key
Updated AppleNoteStore object with 2 AppleNotes in 2 folders belonging to 1 accounts.
Adding the ZICNOTEDATA.ZPLAINTEXT and ZICNOTEDATA.ZDECOMPRESSEDDATA columns, this takes a few seconds

Mac - Macbook Air M3
macOS Version - 15

I am trying to decrypt the test Locked Apple Notes from Mac, where I know the password 100%. In the wordlist, I wrote 3 passwords, one of which is correct. But I fail. I suspect that this is because in their updates Apple partially stopped writing salt, wrappedkey, iv, iterations (randomly). Most likely, the program simply cannot get the necessary data to create a key from the table. P.S. Not encrypted notes were decoded successfully.

macsecur, Apr 21 '25 04:04

I believe this is related to a change in how iOS / Mac OS stores passwords. If you encrypt the note with a device passcode, it is not just a PBKDF2 derivation of the password. Now it involves material from the keystore. I have done some preliminary work in how to break that out IF the keystore is available from an iTunes backup, but hit a bug in the Ruby OpenSSL gem that kept me from getting the right key for Notes. I will revisit the bug and see if any newer releases solve it.

threeplanetssoftware, Apr 21 '25 09:04

> I believe this is related to a change in how iOS / Mac OS stores passwords. If you encrypt the note with a device passcode, it is not just a PBKDF2 derivation of the password. Now it involves material from the keystore. I have done some preliminary work in how to break that out IF the keystore is available from an iTunes backup, but hit a bug in the Ruby OpenSSL gem that kept me from getting the right key for Notes. I will revisit the bug and see if any newer releases solve it.

Can you tell me roughly where this is stored? Under what name in Keychain? In login.keychain-db or iCloud Keychain? Maybe I could help. Also, can you tell me if it is possible to decrypt notes that are encrypted with the system password instead of a custom one?

I have an idea that it is unlikely to be related to Keychain (AT LEAST WITH NOTES THAT ARE ENCRYPTED WITH A CUSTOM PASSWORD). I take NoteStore.sqlite from one Mac, move it to another (in ~/Library/Group Containers/group.com.apple.notes), open the Notes app and I can still decrypt notes that were encrypted with their password. But this does not apply to those notes that were encrypted with a system password. There it asks to sign in to iCloud Sync.

macsecur, Apr 21 '25 22:04
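A diagnostic for the two failure causes raised in this thread, as an added example (not code from apple_cloud_notes_parser or from either participant): it reports whether a locked-note row lacks the salt, iteration count or wrapped key before any key derivation is attempted, and otherwise whether a known password unwraps the stored key. Assumptions: the row hash keys are hypothetical names, and the scheme is the custom-password case only, taken here to be PBKDF2-HMAC-SHA256 to a 16-byte key followed by RFC 3394 key unwrap; notes locked with the device passcode are out of scope.

```ruby
require 'openssl'

# Hypothetical row keys; the thread names these values but not their columns.
REQUIRED = %i[salt iterations wrapped_key].freeze

# RFC 3394 AES key unwrap. Returns the key, or nil when the integrity
# check fails (wrong key-encryption key or damaged blob).
def aes_unwrap(kek, wrapped)
  return nil if wrapped.bytesize < 24 || wrapped.bytesize % 8 != 0

  a, *r = wrapped.unpack('Q>*')
  n = r.length
  aes = OpenSSL::Cipher.new("aes-#{kek.bytesize * 8}-ecb")
  aes.decrypt
  aes.key = kek
  aes.padding = 0
  5.downto(0) do |j|
    n.downto(1) do |i|
      block = [a ^ (n * j + i), r[i - 1]].pack('Q>2')
      a, r[i - 1] = aes.update(block).unpack('Q>2')
    end
  end
  a == 0xA6A6A6A6A6A6A6A6 ? r.pack('Q>*') : nil
end

# Classify one locked-note row: absent parameters, wrong password, or ok.
def diagnose(row, password)
  missing = REQUIRED.select { |k| k == :iterations ? row[k].to_i < 1 : row[k].to_s.empty? }
  return [:missing_params, missing] unless missing.empty?

  # Assumption: PBKDF2-HMAC-SHA256 producing a 16-byte key-encryption key.
  kek = OpenSSL::KDF.pbkdf2_hmac(password, salt: row[:salt],
                                 iterations: row[:iterations].to_i,
                                 length: 16, hash: 'sha256')
  aes_unwrap(kek, row[:wrapped_key]) ? [:ok, []] : [:wrong_password, []]
end

# Constructed rows. The blob is the RFC 3394 section 4.1 test ciphertext,
# which the example password cannot unwrap.
blob = ['1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5'].pack('H*')
rows = {
  'row without parameters' => { salt: nil, iterations: 0, wrapped_key: nil },
  'complete row' => { salt: 'constructed-salt', iterations: 1000, wrapped_key: blob }
}
rows.each { |name, row| puts "#{name}: #{diagnose(row, 'example').inspect}" }
```

A `:missing_params` result means no wordlist entry can succeed for that row, which is a different finding from `:wrong_password`.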