ICLOUD.md

iCloud

Since iCloud is going to be the hardest to do, I'm including a separate readme for it.

Look here for in-depth info on how iCloud is decrypted

Decryption Process

| Step # | Method | URL | Headers | Response | Comments |
|---|---|---|---|---|---|
| 1 | GET | `https://setup.icloud.com/setup/authenticate/<iCloudUserName>` | Authorization: `"basic " + base64(iCloudUserName + ":" + iCloudPassword)` | DsPrsID and mmeAuthToken | These values will be used for authentication in the next step. |
| 2 | GET | `https://setup.icloud.com/setup/get_account_settings` | Authorization: `"basic " + base64(DsPrsID + ":" + mmeAuthToken)` | Info about the user | This will return a NEW AND DIFFERENT MMEAUTHTOKEN. Use this new one instead of the one from /authenticate. It will also tell you what number should come after the "p" (partition #?) in the next URLs. |
| 3 | GET | `https://p##-mobilebackup.icloud.com/mbs/<DsPrsID>/` | Authorization: `"X-MobileMe-AuthToken " + base64(DsPrsID + ":" + mmeAuthToken)` | A list of BackupUDIDS | Each "BackupUDID" represents a device linked with the account. Parse with "DeviceUDIDs" class. |
| 4 | GET | `https://p##-mobilebackup.icloud.com/mbs/<DsPrsID>/<UDID>` | Authorization: `"X-MobileMe-AuthToken " + base64(DsPrsID + ":" + mmeAuthToken)` | Device info<br>List of backups | Use the "Device" class to parse out the info (name, color, etc) and backups.<br>Choose a backup to download based on backup date and get its "snapshotID". |
| 5 | GET | `https://p##-mobilebackup.icloud.com/mbs/<DsPrsID>/getKeys` | Authorization: `"X-MobileMe-AuthToken " + base64(DsPrsID + ":" + mmeAuthToken)` | Decryption Keys | Parse these with "Keys." I have no clue how to use these yet. They are probably for decrypting the chunks. |
| 6 | GET | `https://p##-mobilebackup.icloud.com/mbs/<DsPrsID>/<UDID>/<SnapshotID>` | Authorization: `"X-MobileMe-AuthToken " + base64(DsPrsID + ":" + mmeAuthToken)` | File List | Returns a list of chunks (files) and info about each one. These are a little tricky to parse. |
| 7 | POST | `https://p##-mobilebackup.icloud.com/mbs/<DsPrsID>/<UDID>/<SnapshotID>/getFiles` | This is where I'm stuck. I have no idea how to get any of this without restoring. | File Auth tokens (fileAuthToken) | If anybody is willing to restore a jailbreakable A4 device, let me know ASAP! This part of the project is stopping me from continuing on. |
| 8 | POST | `https://p##-content.icloud.com/<dsPrsID>/authorizeGet` | x-apple-mmcs-auth: The fileAuthToken from the previous URL<br>x-apple-mmcs-dataclass: com.apple.Dataclass.Backup<br>x-apple-mmcs-proto-version: 3.3<br>x-apple-mme-dsid: DsPrsID<br>x-apple-request-uuid: 4EFFF273-5611-479B-A945-04DA0A0F2C3A<br>x-mme-client-info: Same as before | File URL | Once you download the file using that URL, just decrypt it with getKeys and rename it with the info from listFiles. |

getFiles Process

  • The getFiles output can't be decrypted as it is.
  • It uses something called a "varint".
  • The varint tells the program how many bytes to read to get the next protobuf.
  • The stream goes varint1, protobuf1, varint2, protobuf2.
  • The length of protobuf1 is the value of varint1, and so on.
  • If the varint handling seems too intimidating to write, don't worry. The protobuf library does this automatically.
  • I don't know how to decode this in other languages, but here is what I am doing in Java:
```java
import com.google.protobuf.CodedInputStream;
import java.util.ArrayList;
import java.util.List;

// Wrap the output of "listFiles" in a CodedInputStream (that class comes with the protobuf library)
CodedInputStream chunkParser = CodedInputStream.newInstance(fileList);
// This list will contain all the chunks; their number is not known up front
List<Protobuf.Chunk> files = new ArrayList<>();
while (!chunkParser.isAtEnd()) {                         // Keep going until the end of the data
    int len = chunkParser.readRawVarint32();             // Read a varint directly from the stream
    byte[] rawProtobuf = chunkParser.readRawBytes(len);  // Read len bytes, where len is the previous varint
    files.add(Protobuf.Chunk.parseFrom(rawProtobuf));    // Interpret those bytes as a protobuf and store it
}
// Now you can run "getFiles" and "authorizeGet" on each member of "files" to get the URLs
```
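For readers not working in Java, the varint1, protobuf1, varint2, protobuf2 framing described above can be split without the protobuf library. This is an added example, not the project's code; `MAX_MESSAGE_LEN`, `FramingError` and the sample bytes are assumptions constructed for illustration, and the bounds checks reject truncated or oversized input instead of reading past the buffer.

```python
from __future__ import annotations

MAX_MESSAGE_LEN = 16 * 1024 * 1024  # assumed cap; tune to the data you expect


class FramingError(ValueError):
    """Raised when the stream is truncated or a length prefix is not sane."""


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint at buf[pos:]; return (value, next_pos)."""
    value = 0
    for i in range(5):  # a 32-bit varint occupies at most 5 bytes
        if pos + i >= len(buf):
            raise FramingError("truncated varint at offset %d" % pos)
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)  # low 7 bits carry data, lowest group first
        if not byte & 0x80:                # high bit clear: last byte of this varint
            return value, pos + i + 1
    raise FramingError("varint longer than 5 bytes at offset %d" % pos)


def split_messages(buf: bytes, max_len: int = MAX_MESSAGE_LEN) -> list[bytes]:
    """Return each length-prefixed message body, in stream order."""
    messages, pos = [], 0
    while pos < len(buf):
        length, pos = read_varint(buf, pos)
        if length > max_len:
            raise FramingError("length %d exceeds cap" % length)
        if pos + length > len(buf):
            raise FramingError("message runs past end of stream")
        messages.append(buf[pos:pos + length])
        pos += length
    return messages


# Constructed sample: a 3-byte message, then a 300-byte message whose length
# needs a two-byte varint (300 encodes as 0xAC 0x02).
SAMPLE = b"\x03abc" + b"\xac\x02" + b"x" * 300

if __name__ == "__main__":
    for n, body in enumerate(split_messages(SAMPLE), 1):
        print("message %d: %d bytes" % (n, len(body)))
```

Each returned body is still a serialized protobuf; turning it into fields requires the message schema (the `Protobuf.Chunk` type in the Java snippet).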

Relation to iTunes backups

  • After comparing the data to iTunes' way of backing up, it seems the two aren't that different.
  • The "Manifest.mbdb" seems to be very similar, if not identical, to the output of "getFiles" in iCloud.
  • The "getKeys" URL also seems to be related to iTunes in some way.
  • Perhaps an already-existing iTunes decrypter (possibly iPhone Data Protection) could be ported to Java?

Useful links