Raspberry Pi Zero Wireless

On the 5th birthday of the Raspberry Pi last week, the foundation announced a new addition to the family — the Raspberry Pi Zero W. The W stands for Wireless.

I got my hands on one, from the fine folks at Pimoroni. (And no they didn’t pay me to say this.)

The Pi Zero W board

It has the same specs as the Raspberry Pi Zero, namely the 1GHz single-core CPU and 512 MB of RAM. It still has the two micro USB port — one for power and another for OTG, which means you can get it to behave like USB devices when plugged into a PC. The big difference is that they have added WiFi and Bluetooth capability to this small board by squeezing some space out from between the processor and the power circuitry. The size of the board and the placement of connectors remain the same, even the test points on the back.

I’m excited for anything that has processing power, HDMI connectivity and WiFi.

WiFi + Bluetooth

BCM43438 wireless chipset

The 802.11n WiFi and Bluetooth 4.1 functionality comes from the Broadcom BCM43438 (now known as the Cypress CYW43438). This is the same chipset that was used in the Pi 3. The wireless chipset connects via SDIO, so your network traffic does not have to contend for the USB bus bandwidth.

Continue reading

Cracking iTunes Backup Passwords with hashcat

Following the recent announcement of LUKS support in hashcat, I noticed that there have been some commits to support iTunes Backup passwords as well.

This is only useful if the backup was encrypted by setting a backup password on the iOS device. If the backup is not encrypted then all the files are in clear and there is nothing to bruteforce.

The keys used to encrypt the backup are stored in the BackupKeyBag, which can be found in the Manifest.plist file. This keybag is a binary blob, the format of which has already been documented by researchers from Sogeti ESEC Lab.

I have written a simplified script which dumps the BackupKeyBag.

Speeding up iOS Backups

iOS device backups usually take a while, depending on how much storage has been used on your device.

The iOS backup process is driven by the device itself, through the BackupAgent process. This process treats the host PC like a dumb disk store, by sending it commands like DLMessageCreateDirectory, DLMessageUploadFiles, DLMessageRemoveFiles, DLMessageGetFreeDiskSpace, etc. so that it can determine what has been backed up previously and what to send/update for incremental backups.

For password cracking, we don’t need the entire 64 GB (or God forbid, 128 GB) of data on the iOS device. We just need the Manifest.plist, which is typically less than 50 KB. But because the backup process is controlled by the device and not the PC, we can’t simply ask it to send over that single file. Sometimes when we setup a VM with libimobiledevice, we might also not have allocated such a large virtual disk. Of course when I say “we”, I really mean “I”.

Continue reading