ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Phone Password Breaker with all-new UI, BlackBerry 10 support, and downloading Windows Phone 8 data from the cloud

May 8th, 2014 by Vladimir Katalov

This time, we are updating our bread-and-butter mobile forensic tool, Elcomsoft Phone Password Breaker, to version 3.0 (beta). This new version has many things that are new or have changed. Let’s see what’s new, and why.

Cross-Platform Compatibility

No, we haven’t released a Mac OS version yet, but we’ve taken the last step needed to make it happen. EPPB 3.0 features an all-new user interface based on the cross-platform Qt library. This was the last obstacle stopping us from porting the code to different platforms. We expect to see a Mac OS version in the next few months.


However, the new GUI is not all about cross-platform compatibility. With Qt, we brought in full drag-and-drop support, new controls, and overall better and slicker looks.


BlackBerry 10 Support

When BlackBerry 10 was released, the security model was changed. Unlike before, local backups produced by BlackBerry Link are always encrypted with a highly secure encryption key. This key depends on the BlackBerry ID, and is stored deep in the device. Technically speaking, extracting this key from the device is impossible, yet after a lot of research we were able to get it by using a BlackBerry service request.

So what happens when the user creates a backup with BlackBerry 10? At the time a new BlackBerry device is initialized with the user’s BlackBerry ID and password, the device connects to a BlackBerry server and receives a binary encryption key dependent on the BB ID. This key is then written to a secure area in the device. This area is not accessible from the outside; only BlackBerry OS can access information stored in that area.

This key is highly secure. Apparently, it’s tied to the user’s BlackBerry ID, and is stored on the server, allowing the user to initialize a new device with the same data. We don’t know the way it’s generated (and if we did know, we wouldn’t tell). Most probably, the key is some form of hash based on the BlackBerry ID. The key is not changed when the user changes the BB ID password, and remains the same with new BB hardware.

So, when the user creates a backup with BlackBerry Link (earlier versions used the less secure BlackBerry Desktop Software), the tool simply passes the command to the BlackBerry device. The device core encrypts information on the fly, and passes it to BlackBerry Link already encrypted. In a way, BlackBerry Link does not make backups at all; it simply receives an encrypted data stream and saves it into a file.

What happens when the user restores a BB device? The device is first initialized with a BB ID via the BlackBerry server. The encryption key is transmitted from the server, and securely stored in the device. Now, when the device receives the encrypted data stream from BlackBerry Link, it can decrypt it and restore the data. The decryption occurs in the core; decrypted data never leaves the device, let alone the encryption key itself.

So what did we do, exactly?

We reverse-engineered the initialization request, emulating a fresh BlackBerry device being activated with a certain BB ID (which is stored in the backup file in plain text). Just like with Apple iCloud, you must supply the correct password to that BB ID. If you do, our software will acquire the encryption key from the BlackBerry server, and use it to instantly decrypt local backups. Sounds simple? Believe us, it was a nightmare of a job! However, we did it, and so far we are the only company that can do anything with BB 10 backups.

So what do you get after entering the user’s BB ID and password? Our tool decrypts backup data, producing three archives with the following content:

  • Application data
  • Media files (pictures and videos)
  • Settings

Interestingly, BlackBerry also backs up applications. While we receive the apps, we don’t save them to a file due to copyright reasons.

Most information in these archives is available in plain text or SQLite format. They can be analyzed with commonly available mobile forensic software such as Oxygen Forensic Suite.

Cloud Acquisition of Windows Phone 8

Windows Phone 8 can store data in a cloud service called My Windows Phone. Unlike Apple, Microsoft does not create a full cloud backup. Instead, information is stored in separate pieces in an obscure format. As a result, manually analyzing this data is a nightmare, even if you know the user’s Live ID and password.


In order to acquire data from My Windows Phone cloud, we download information one chunk after another, creating an artificial “backup”. The data in this backup file is stored predominantly in SQLite format, allowing investigators to use readily available forensic tools to analyze its content. In addition, we extract and save the list of devices registered on a certain My Windows Phone account.
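Both the decrypted BlackBerry 10 archives and the assembled My Windows Phone “backup” are described above as mostly plain text and SQLite, so a first triage pass can sort extracted files by content and list each database's tables without modifying the evidence. The Python script below is an added example, not ElcomSoft's code; the helper names (`classify`, `table_counts`, `inventory`, `build_sample`), the file names and the `msgs` table are hypothetical, constructed for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def classify(path):
    """Label a file 'sqlite', 'text' or 'binary' by content, not by name."""
    with path.open("rb") as fh:
        head = fh.read(8000)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    return "binary" if b"\x00" in head else "text"  # NUL byte means not text

def table_counts(db):
    """Return {table: row count}; the URI opens the file read-only, unlocked."""
    con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro&immutable=1", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""'))
                .fetchone()[0] for (n,) in rows.fetchall()}
    finally:
        con.close()

def inventory(root):
    """Map each file under root (relative path) to its kind or table counts."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        report[rel] = classify(path)
        if report[rel] == "sqlite":
            try:
                report[rel] = table_counts(path)
            except sqlite3.DatabaseError as exc:  # right magic, damaged body
                report[rel] = "sqlite (unreadable: %s)" % exc
    return report

def build_sample(root):
    """Constructed sample files standing in for one extracted archive."""
    (root / "settings.txt").write_text("locale=en_US\n")
    (root / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    (root / "cut.db").write_bytes(SQLITE_MAGIC + b"garbage" * 8)
    con = sqlite3.connect(root / "messages.db")
    con.executescript("CREATE TABLE msgs (t TEXT); INSERT INTO msgs VALUES ('a'), ('b');")
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(inventory(Path(tmp)))
```

Run it against a working copy of the extracted archives, and hash the files before and after if the results need to stand up as evidence.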

Apple Tells You to Make Backups

Always having a fresh backup of your mobile device is a must. We assembled a list of articles from Apple Knowledge Base explaining why to make backups, and how to configure your iOS device to make them.

iCloud: Back up your iOS device to iCloud

iCloud: Restore your iOS device from iCloud

iCloud: Troubleshooting restoring an iCloud backup

iCloud: iCloud storage and backup overview

iOS: Unable to restore from backup of a newer device

iOS: Back up and restore your iOS device with iCloud or iTunes

iTunes: About iOS backups

Choosing an iOS backup method (Should I use iTunes or iCloud to back up my iOS device?)

Recovering iCloud contacts, calendars, and bookmarks from an iTunes backup of an iOS device

iOS: If you can’t back up or restore from a backup in iTunes

iCloud: iCloud security and privacy overview



11 Responses to “Phone Password Breaker with all-new UI, BlackBerry 10 support, and downloading Windows Phone 8 data from the cloud”

  1. Pedro Ferreira says:

    Hello, can you tell me if I choose to download only the WhatsApp messages, I can read the file, chatstorage.sqlite, because some weeks ago, they changed the file to an encrypted one that is not possible to read, because it's encrypted.

    • Pedro,

      Yes, you can. In fact the additional encryption has been implemented not by the vendor, but by Apple (in iOS 7.1), but the current version of EPPB (3.0 beta) successfully decrypts all the data.

  2. dixi ignorans says:

    If the mobile device is in use, so unlocked and connected to a network (wifi or phone), can the device be entered by malicious users, and secrets recovered?

  3. Dixi,

    Well, some iPhone services can be accessed over WiFi, but only if the attacker has the “pairing” record from the “trusted” computer. Otherwise, there are no [known] risks.

  4. cleerox says:

    This is solely based on having the BBID password for BlackBerry 10, but have you attempted getting that password without knowing it?

    As far as I read in part of the iCloud hack, the attackers used a brute force attack which cracked the iCloud password along with resetting the pw fairly easily.

    Of course once you have the password for something it’s not a stretch to think you can access the data.

    • cleerox,

      I do not think that iCloud accounts have been created using a brute-force attack on Apple ID, it is too slow and not effective. Most probably, “phishing” emails have been used (to collect the password).

      For BlackBerry IDs, the account is protected from brute-forcing anyway — it just locks after a few unsuccessful attempts.

  5. uttamsingh says:


  6. mongo says:


    Any chance you could add a feature to the new version? For someone with a large iCloud it takes a lot of time to download it all again. If I could choose to download camera roll from a certain date it would be much easier. That way I wouldn’t have to download the same pictures once again. I have the old version of EPPB and if you add this feature I will buy the new one as well.


  7. mongo,

    Selecting the “time range” (for photos or any other information) will be troublesome. The program spends quite a lot of time receiving the complete list of all files (well, in fact the “chunks” the files are further compiled from), and then we will need additional time for analysis and selective download.

    On the other hand, iCloud backups are incremental, and in fact EPPB downloads only those files that have been changed or added (until you delete the “.chunks” folder created by EPPB). The first download always takes a lot of time, but further downloads complete much faster.

    What particular version of EPPB are you using now? Best of all, create a ticket in our support system, and we will see what we can do.

  8. David says:

    Hi, may I ask if the trial version of the Elcomsoft Phone Password Breaker allows cracking of BlackBerry 10 device backups encryption key? If it does not, what about the home edition of the software?

  9. David,

    Unfortunately no — it is not technically possible; to decrypt a BB 10 backup (created with BlackBerry Link), you need the password to the BB ID. That feature is available in the Forensic edition of Phone Breaker only.