
crass/seedvault_backup_parser

 
 


SeedVault Backup Parser

This is a tool to decrypt and re-encrypt the Android backups made by Seedvault. Both version 0 and version 1 backups are supported for decryption. Only version 0 is supported for encryption, though adding encryption support should be fairly straightforward (do the reverse of the decryption).

Requirements

For the AES decryption, the Python dependency pycryptodome is needed. For V1 format backups, Google's Tink crypto library is also needed. The pybip39 package can optionally be installed to enhance password validation.

Script only tested on Linux.

Usage

To decrypt a backup stored in the folder 1601080173780 into decrypted, run

./parse.py decrypt 1601080173780 decrypted

The script will ask for your 12-word mnemonic key at runtime, or you may supply it via the -p option. It has to be lowercase, with words separated by a single space. Example:

fish test thing gift mercy siren erode acoustic mango veteran soup bus

For V0 backups, the files created in the full directory are tar files; their contents can be listed with tar -tvf (use tar -xvf to extract them).

For V1 backups, files in the root of the decrypted directory are either tar files or sqlite3 database files, as noted in their file extensions. Subdirectories have names of the form datetime.number and contain the decrypted files from storage.

Wifi Key Import

You can create a backup, modify it, and restore it back to the device. This allows bulk-adding wifi passwords without root access.

WARNING: I have tested this only for wifi passwords and do not entirely understand why the @pm@ metadata needs to be present. Google's documentation states: "This action stops your app and wipes its data before performing the restore operation." This does not happen for wifi passwords. The new ones simply get added to the store; no old ones are deleted. But things might go wrong!

# create a 'fake' plaintext backup
mkdir -p toencrypt/kv/com.android.providers.settings
mkdir -p toencrypt/kv/@pm@

# copy package manager metadata from decrypted backup, required for restoring backups
cp decrypted/kv/@pm@/meta_QG1ldGFA toencrypt/kv/@pm@/meta.QG1ldGFA

# wifi passwords live in com.android.providers.settings
# copy metadata and old passwords
cp decrypted/kv/@pm@/com.android.providers.settings.Y29tLmFuZHJvaWQucHJvdmlkZXJzLnNldHRpbmdz \
   toencrypt/kv/@pm@/com.android.providers.settings.Y29tLmFuZHJvaWQucHJvdmlkZXJzLnNldHRpbmdz
cp decrypted/kv/com.android.providers.settings/wifinewconfig.d2lmaV9uZXdfY29uZmln \
   toencrypt/kv/com.android.providers.settings/wifinewconfig.d2lmaV9uZXdfY29uZmln

# modify the old passwords file

# create a fake .backup.metadata file (based on real one?), change token to 1234
# example file shown below

# you should now have the following directory structure:
#   toencrypt/.backup.metadata
#   toencrypt/kv/com.android.providers.settings/wifinewconfig.d2lmaV9uZXdfY29uZmln
#   toencrypt/kv/@pm@/com.android.providers.settings.Y29tLmFuZHJvaWQucHJvdmlkZXJzLnNldHRpbmdz
#   toencrypt/kv/@pm@/meta.QG1ldGFA

# encrypt the fake backup with the same key the device uses. Output folder has to be numeric only and match the token
./parse.py encrypt toencrypt 1234

# copy the encrypted folder to somewhere Seedvault detects it (usb/internal storage `.SeedVaultAndroidBackup`).
adb push 1234 /storage/emulated/0/.SeedVaultAndroidBackup/

# start the restore process with
adb shell bmgr restore 4d2 com.android.providers.settings
# note that 0x4d2 == 1234

# you might need to reboot if you get error -1000.
# somewhat detailed logs can be seen with
adb logcat

Example metadata file:

{
    "@meta@": {
        "version": 0,
        "token": 1234,
        "time": 1601750759994,
        "sdk_int": 29,
        "incremental": "2020.09.11.14",
        "name": "Custom Wifi Restore"
    }
}

You can also import an old wpa_supplicant config by saving it in toencrypt/kv/com.android.providers.settings//WIFI.77-tV0lGSQ== (the filename is taken from the Android source and is generated by base64.urlsafe_b64encode("\uffedWIFI".encode("utf-8"))).
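A pre-encryption check for the procedure above, as an added example that is not part of this repository's code: it verifies that the output folder name is numeric and matches the metadata token, decodes the base64 suffix of each kv file name, and returns the hexadecimal token that bmgr expects. The function names `decode_key` and `preflight` are hypothetical.

```python
import base64
import json
from pathlib import Path


def decode_key(filename: str) -> str:
    """Decode the URL-safe base64 suffix that follows the last '.' in a kv file name."""
    suffix = filename.rpartition(".")[2]
    try:
        return base64.urlsafe_b64decode(suffix).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError(f"{filename}: suffix is not base64 of a UTF-8 key") from exc


def preflight(src: Path, out_name: str) -> dict:
    """Check a plaintext backup directory before './parse.py encrypt <src> <out_name>'."""
    if not (out_name.isascii() and out_name.isdigit()):
        raise ValueError("output folder name must be numeric only")
    meta = json.loads((src / ".backup.metadata").read_text())["@meta@"]
    if meta["version"] != 0:
        raise ValueError("only version 0 is supported for encryption")
    if meta["token"] != int(out_name):
        raise ValueError(f"metadata token {meta['token']} != folder name {out_name}")
    # Map every file under kv/ to the key name encoded in its suffix.
    keys = {p.relative_to(src).as_posix(): decode_key(p.name)
            for p in sorted((src / "kv").rglob("*")) if p.is_file()}
    # bmgr takes the token in hexadecimal (the README notes 0x4d2 == 1234).
    return {"bmgr_token": format(int(out_name), "x"), "keys": keys}
```

Reviewing the decoded key names before encrypting shows exactly which settings keys the restore will write to the device.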

Backup Format V0

Each file starts with a single byte specifying the format version. After that, a list of segments follows. Each segment is laid out as:

2 Bytes Segment Length x | 12 Bytes Encryption IV | x Bytes Encrypted Segment Content

For Key-Value backups, the first segment contains a VersionHeader, which specifies the app and key.

The file .backup.metadata in the root of a backup contains information about which app was backed up when.
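The V0 framing described above, as an added example that is not taken from parse.py: it splits a file into its version byte and still-encrypted segments, rejects truncated input, and flags IVs that repeat within a file. Big-endian byte order for the length field is an assumption, and the names `parse_v0`, `repeated_ivs` and `frame` are hypothetical; the sample bytes are constructed.

```python
import struct
from typing import List, NamedTuple, Tuple

LEN_FIELD = 2   # "2 Bytes Segment Length x"
IV_LEN = 12     # "12 Bytes Encryption IV"

class Segment(NamedTuple):
    offset: int        # file offset of this segment's length field
    iv: bytes
    ciphertext: bytes  # x bytes, still encrypted

def parse_v0(data: bytes) -> Tuple[int, List[Segment]]:
    """Split a V0 file into its version byte and its encrypted segments."""
    if not data:
        raise ValueError("empty file: no version byte")
    version, pos, segments = data[0], 1, []
    if version != 0:
        raise ValueError(f"version byte is {version}, expected 0")
    while pos < len(data):
        body = pos + LEN_FIELD + IV_LEN
        if body > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        # ASSUMPTION: unsigned big-endian length; the README gives no byte order.
        (length,) = struct.unpack_from(">H", data, pos)
        if body + length > len(data):
            raise ValueError(f"segment at offset {pos} declares {length} bytes, "
                             f"{len(data) - body} remain")
        segments.append(Segment(pos, data[pos + LEN_FIELD:body], data[body:body + length]))
        pos = body + length
    return version, segments

def repeated_ivs(segments: List[Segment]) -> List[bytes]:
    """IVs that occur more than once; reuse under one key weakens any IV-based mode."""
    seen, dupes = set(), []
    for seg in segments:
        if seg.iv in seen and seg.iv not in dupes:
            dupes.append(seg.iv)
        seen.add(seg.iv)
    return dupes

def frame(iv: bytes, ciphertext: bytes) -> bytes:
    """Build one segment (used only to construct the sample below)."""
    return struct.pack(">H", len(ciphertext)) + iv + ciphertext

# Constructed sample: version byte 0, then two segments with placeholder bytes.
SAMPLE = b"\x00" + frame(b"\x01" * 12, b"A" * 40) + frame(b"\x02" * 12, b"B" * 7)
```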

Backup Format V1

TODO: See source for now

Other tools

License

This application is available as open source under the terms of the Apache-2.0 License.
