Awesome
SeedVault Backup Parser
This is a tool to decrypt and (partially) re-encrypt the android backups make by Seedvault.
Requirements
For the AES decryption, the python dependency pycryptodome
is needed.
Script only tested on Linux.
Usage
To decrypt a backup stored in the folder 1601080173780
into decrypted
, run
./parse.py decrypt 1601080173780 decrypted
The script will ask for your 12 word mnemonic key at runtime. It has to be lowercase, words separated by a single space. Example:
fish test thing gift mercy siren erode acoustic mango veteran soup bus
The files created in the full
directory are tar files and can be extracted with tar -tvf
.
Re-encryption is currently only implemented for the key-value part of backups, not for the full app backups.
Wifi Key Import
You can create a backup, modify it, and restore it back to the device. This allows to bulk-add wifi passwords without root access.
WARNING: I have tested this only for wifi passwords and do not entierely understand why the @pm@
metadata needs to be present. Googles Documentation states This action stops your app and wipes its data before performing the restore operation
. This does not happen for wifi passwords. The new ones simply get added to the store, no old ones are deleted. But things might go wrong!
# create a 'fake' plaintext backup
mkdir -p toencrypt/kv/com.android.providers.settings
mkdir -p toencrypt/kv/@pm@
# copy package manager metadata from decrypted backup, required for restoring backups
cp decrypted/kv/@pm@/meta_QG1ldGFA toencrypt/kv/@pm@/meta_QG1ldGFA
# wifi passwords live in com.android.providers.settings
# copy metadata and old passwords
cp decrypted/kv/@pm@/com.android.providers.settings_Y29tLmFuZHJvaWQucHJvdmlkZXJzLnNldHRpbmdz \
toencrypt/kv/@pm@/com.android.providers.settings_Y29tLmFuZHJvaWQucHJvdmlkZXJzLnNldHRpbmdz
cp decrypted/kv/com.android.providers.settings/wifinewconfig_d2lmaV9uZXdfY29uZmln \
toencrypt/kv/com.android.providers.settings/wifinewconfig_d2lmaV9uZXdfY29uZmln
# modify the old passwords file
# create a fake .backup.metadata file (based on real one?), change token to 1234
# example file shown below
# you know should have the following directory sturcture:
# toencrypt/.backup.metadata
# toencrypt/kv/com.android.providers.settings/wifinewconfig_d2lmaV9uZXdfY29uZmln
# toencrypt/kv/@pm@/com.android.providers.settings_Y29tLmFuZHJvaWQucHJvdmlkZXJzLnNldHRpbmdz
# toencrypt/kv/@pm@/meta_QG1ldGFA
# encrypt the fake backup with the same key the device uses. Output folder has to be numeric only and match the token
./parse.py encrypt toencrypt 1234
# copy the encrypted folder to somewhere seedvault detects it (usb/internal storage `.SeedVaultAndroidBackup`).
adb push 1234 /storage/emulated/0/.SeedVaultAndroidBackup/
# start the restore process with
adb shell bmgr restore 4d2 com.android.providers.settings
# note that 0x4d2 == 1234
# you might need to reboot if you get error -1000.
# somewhat detailed logs can be seen with
adb logcat
Example metadata file:
{
"@meta@": {
"version": 0,
"token": 1234,
"time": 1601750759994,
"sdk_int": 29,
"incremental": "2020.09.11.14",
"name": "Custom Wifi Restore"
}
}
You can also import an old wpa_supplicant
config, by saving it in toencrypt/kv/com.android.providers.settings//WIFI.77-tV0lGSQ==
(filename taken from android source and generated by base64.urlsafe_b64encode("\uffedWIFI".encode("utf-8"))
)
Backup Format
The current backup format (as of 2020/10/04) is Version 0. Each file starts with a single byte specifying the used version. After that, a list of segments follows. Each is:
2 Bytes Segment Length x | 12 Bytes Encryption IV | x Bytes Encryted Segment Content
For Key-Value backups, the first segment contains a VersionHeader, which specifies the app and key.
The file .backup.metadata
in the root of a backup contains information about which app was backed up when.
License
This application is available as open source under the terms of the Apache-2.0 License.