[BOUNTY] Where is the decrypted wallet kept on Blockchain.info's iOS app ?

adamsd5

newbie

Activity: 2

Merit: 0

This chain might be totally dead by now, but I needed my own answer today to recover once again once my old phone died. Partially with the thought that I might need this again one day, I'm putting in more details. It would be a bonus if someone else was able to recover their BTC based on these instructions.

Here's more information. I did the following on my Mac:

cd /Users/Darryl/Library/Application Support/MobileSync/Backup/b24f78d91322ec7b4f32a60884b63d097ef8613f-20130920-232753
(Your exact backup location is probably different)

for file in *; do echo "==== $file ===="; strings $file; done > ~/a
(What this does is run the 'strings' command on each file, and put a header of the filename inside ====.)

Then I did:
less ~/a
(This is a command-line viewer of the data)

Then I found the content below (marked with ***) ... you can type the / key, then paste in some of the text here, perhaps WebKitLocalStorageDatabasePathPreferenceKeyYsharedKey will do it. That jumped to the following text. Possibly the backup filename is always 6efc668a42109f1e4e1da7ab631d8720761a175a... who knows. This is what worked for me. If you know your wallet identifier from https://blockchain.info/wallet/, you should search for the wallet id. The line after I found my Wallet ID, I saw my password in plaintext. I used it today on the website to once again decrypt my password. I'm upgrading it now and will try out the backup features.

This is "the content below (marked with ***):

==== 6efc668a42109f1e4e1da7ab631d8720761a175a ====
bplist00
+WebKitLocalStorageDatabasePathPreferenceKeyYsharedKey_
'WebKitOfflineWebApplicationCacheEnabledTguid_
ATDatabaseLastUpdateXpassword_
'WebKitDiskImageCacheSavedCacheDirectory_
WebDatabaseDirectoryZregistered^checksum_cache_
"WebKitShrinksStandaloneImagesToFit_
L/var/mobile/Applications/F131A0E7-72C2-4B03-A039-EFFD0BD6A56B/Library/Caches_
$52153CED-87D1-4A4D-A58C-F9499F3DA6BE

Followed immediately by $ and on the next line /

adamsd5

newbie

Activity: 2

Merit: 0

I had the same problem and found this forum post that gave me a hint to check the application data files. I was able to recover my plaintext password from an old iPhone backup file (From September 2013). I did not have to jailbreak the phone. I used the 'strings' command on my Mac on all of the files in the backup directory and sifted through the results until I found what I was looking for. I mention it here in case someone else stumbles upon this page and would like assistance getting to their BTC. I expect the latest blockchain app doesn't save the password in plaintext anymore, so perhaps this technique will work for others as well.

In the future, I'll be using one of these to hold my BTC: http://bitstash.com/

RoxxR

full member

Activity: 208

Merit: 148

Quote from: LIY2012 on January 30, 2014, 06:24:09 AM

Hello,

I was able to recover my password off my ipad. I used iTools 2013 to browse the Blockchain.info Application files. I exported the /Library/Preferences/com.rainydayapps.Blockchain.plistx file to my PC and was able to find the password in clear text inside the file. The best part is I didn't even have to jailbreak it.

Let me know if it works for you.

BTC - 14Hgz6bSrVS8rBhAg2CzHXVk2s5NUMbBm5

Please don't mention itools, it's a shady closed-source tool and i wouldn't trust it

TheButterZone

legendary

Activity: 3010

Merit: 1031

RIP Mommy

Eek, so you just have to steal a bitcoiner's iOS device and it's that easy to get access to whatever they have in bc.i?

LIY2012

newbie

Activity: 2

Merit: 0

Hello,

I was able to recover my password off my ipad. I used iTools 2013 to browse the Blockchain.info Application files. I exported the /Library/Preferences/com.rainydayapps.Blockchain.plistx file to my PC and was able to find the password in clear text inside the file. The best part is I didn't even have to jailbreak it.

Let me know if it works for you.

BTC - 14Hgz6bSrVS8rBhAg2CzHXVk2s5NUMbBm5

kaito

full member

Activity: 168

Merit: 100

Quote from: integrity42 on December 17, 2013, 06:03:37 AM

There are no warnings that forgetting your password renders your coins lost and that there is no 'recovery' option when you sign up with the iOS app.
[...]
Terrible security.

I can't vouch for the security of that app but password recovery options are not a mark of security. If you can recover it, so can someone else.

If you have any password hints or enough coins in that wallet someone might be willing to try to crack it.

stick

sr. member

Activity: 441

Merit: 266

Quote from: integrity42 on December 17, 2013, 06:02:06 AM

Yes I found this wallet file a while ago. It's encoded. There's no plaintext anywhere. ;(

Do you remember at least something about your password?

integrity42

full member

Activity: 476

Merit: 100

Quote from: hashman on December 13, 2013, 08:13:03 AM

Sorry I can't help you, but I can confirm you are not alone here and you can expect a lot of these posts coming up. I have had a couple requests for help on this issue already and I have been unable to resolve them (I don't know much about iCuffs).

A lot of people installed the blockchain.info app on their iphones (poor souls), loaded it with some coin, and are looking at a positive number in a green button now. When it comes time to spend it, they will find "Getting Unspent Outputs" frozen on the screen. Unspendable. After poking around on the website for a while if they are lucky they might be able to get an "AES encrypted wallet" emailed to them. I guess you got this far as well. Useless of course. Next step is to contact support or piuk directly:

https://bitcointalk.org/index.php?action=pm;sa=send;u=17928

good luck.

There are no warnings that forgetting your password renders your coins lost and that there is no 'recovery' option when you sign up with the iOS app.

It also doesn't ask for any passwords when you open the app later and lets you spend the coins without entering any passwords.

This is probably why apple is banning bitcoin apps. Terrible security.

integrity42

full member

Activity: 476

Merit: 100

Quote from: flatfly on December 13, 2013, 01:51:51 PM

OK, it seems that earlier versions of the iOS app save the wallet file there:
/private/var/mobile/Documents

The file should be named "wallet.aes.json" or similar. Inside the file, look for the "priv" values.
If they are encoded in an exotic format, let me know and I should be able to help with the decoding.

EDIT: if you find nothing in the above path, the following commands are also worth a shot:

find /var/mobile | grep -i wallet

or

find /var/mobile -iname \*wallet\*

Yes I found this wallet file a while ago. It's encoded. There's no plaintext anywhere. ;(

RoxxR

full member

Activity: 208

Merit: 148

Is this still ongoing? OP, please post an update.
Some users have pointed out the probable location of your keys.

flatfly

legendary

Activity: 1078

Merit: 1016

760930

OK, it seems that earlier versions of the iOS app save the wallet file there:
/private/var/mobile/Documents

The file should be named "wallet.aes.json" or similar. Inside the file, look for the "priv" values.
If they are encoded in an exotic format, let me know and I should be able to help with the decoding.

EDIT: if you find nothing in the above path, the following commands are also worth a shot:

find /var/mobile | grep -i wallet

or

find /var/mobile -iname \*wallet\*

hashman

legendary

Activity: 1264

Merit: 1008

Sorry I can't help you, but I can confirm you are not alone here and you can expect a lot of these posts coming up. I have had a couple requests for help on this issue already and I have been unable to resolve them (I don't know much about iCuffs).

A lot of people installed the blockchain.info app on their iphones (poor souls), loaded it with some coin, and are looking at a positive number in a green button now. When it comes time to spend it, they will find "Getting Unspent Outputs" frozen on the screen. Unspendable. After poking around on the website for a while if they are lucky they might be able to get an "AES encrypted wallet" emailed to them. I guess you got this far as well. Useless of course. Next step is to contact support or piuk directly:

https://bitcointalk.org/index.php?action=pm;sa=send;u=17928

good luck.

flatfly

legendary

Activity: 1078

Merit: 1016

760930

The older versions of the app did store the password in plaintext on the device.
I don't have an iOS device at hand, but here is the path for Android: /data/data/piuk.blockchain.android/shared_prefs/piuk.blockchain.android_preferences.xml

Perhaps the iOS version used a similar scheme. Try looking for a blockchain preferences file on your device.

integrity42

full member

Activity: 476

Merit: 100

To the people who PM'ed me, thanks for the tips. I already have a backup of the wallet file, but it is encrypted.

I'm wondering how the decrypted wallet is kept on the actual filesystem, since it stays decrypted unless you logout.

integrity42

full member

Activity: 476

Merit: 100

Quote from: kaito on December 12, 2013, 11:00:02 AM

Quote from: integrity42 on December 11, 2013, 04:49:05 AM

Since I was able to turn my phone on/off and still have access to my decrypted wallet whenever i used the app, (without entering a password), I know the decrypted wallet/keys had to be kept on the filesystem and NOT in memory.

Your conclusion does not necessarily follow your observation. It could've been caching your password.
Does turning off mean shutting down and powering down?

Yes, fully shutting and powering down the iPhone. Upon turning it on again, the app opens the decrypted wallet without requiring a password at all. This means that the decrypted wallet must be stored on the filesystem somewhere.

You have to manually log out of the Blockchain app if you want it to ask for a password next time you open it.
I think this is a bad design from a security standpoint. It should require the password every time you open the app, or at minimum, when you want to spend.

kaito

full member

Activity: 168

Merit: 100

Quote from: integrity42 on December 11, 2013, 04:49:05 AM

Since I was able to turn my phone on/off and still have access to my decrypted wallet whenever i used the app, (without entering a password), I know the decrypted wallet/keys had to be kept on the filesystem and NOT in memory.

Your conclusion does not necessarily follow your observation. It could've been caching your password.
Does turning off mean shutting down and powering down?

reCrypto

newbie

Activity: 14

Merit: 0

Hello integrity42, I've sent you a PM. Please check it. Thanks.

Martijnvdc

sr. member

Activity: 322

Merit: 250

Blockchain.info emails the wallet.json file to you as a backup.

I can look at the source code for you to find out if/where any keys are stored, but it will take me some time. I'll be home in about 4 hours from now.

EDIT: I have sent you a PM

integrity42

full member

Activity: 476

Merit: 100

Increasing the bounty to 2.1 BTC.

2.1BTC to Anyone who can tell me where the decrypted keys are kept on the blockchain iOS app, and help me recover my coins.

integrity42

full member

Activity: 476

Merit: 100

Quote from: MrBr1ghtSide on December 11, 2013, 04:54:49 AM

Install iFile (search it on Google - cydia)

Go to Home first(the house-icon) and you should see a list of directories.
One of them is called Applications if I'm not mistaken(else try /var/mobile/applications), and you should see a list of folders with names like b465621-kr-45986 and so on, open them all until you've found the blockchain one.

That should contain your wallet info somewhere.

*donate to the IMineCoin app - project development forum*

Yes, I've done this already... not sure which file, and not sure how to extract the keys.

Topic: [BOUNTY] Where is the decrypted wallet kept on Blockchain.info's iOS app ? (Read 3309 times)