ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Supporting Apple iCloud Drive and Decrypting Keychains from iCloud

March 12th, 2015 by Vladimir Katalov

As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!

Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud.

Apple iCloud

Back in 2011, Apple introduced a cloud storage system they called iCloud. The primary purpose of the cloud-based system was allowing users to automatically back up the content of their iOS devices over a Wi-Fi connection, and to restore those backups wirelessly onto a new device should the user lose or replace their old device. iOS 5 or later was required to use iCloud.

In addition to device backups, iCloud offered a platform for Apple and third-party application developers enabling to store and sync application data. Users could store documents, bookmarks, music, camera roll, calendar events, notes, e-books and other types of data.

However, there were major differences and severe limitations compared to “real” cloud storage services such as Dropbox, Box.com, Google Drive or Microsoft OneDrive. There was no way to access device backups stored in iCloud accounts other than restoring the backup onto a newly activated (or factory-reset) iOS device. There was no universal access to application data such as documents and music, too. One could only access these files from an iOS device via the application that originally saved the data.

iCloud Drive

This was changed in 2014 with the release of iCloud Drive. With the release of iOS 8, Apple introduced the ability to store just about any type of data in the cloud. Clients for iOS 8, Windows 7 and later, and OS X Yosemite (10.10) were released, finally enabling access to cloud data from other platforms. In a way, iCloud Drive has become similar to other cloud storage providers… only it’s different.

It’s Different

With typical Apple’s attention to detail, using iCloud Drive is a joy. A client application simply adds a new drive letter that the user can simply copy all types of files to. That’s it, the sync is completely automatic.


While users can store just about anything in iCloud Drive and use their Windows 7 or Mac OS X computers to access those files, some key areas still remain inaccessible via standard means. iOS backups and stored iOS app data are still stored separately, and Apple still provides no access to that data via any method other than restoring the backup to a new iOS device. There is still no direct access to iCloud files from iOS devices; only an API exists for app developers. This is a key difference between iCloud Drive and other cloud storage services that allow unconditional access to everything uploaded by the user.

As a result, a third-party tool is still needed if you want to download an iOS backup from an iCloud Drive account – just like it used to be with the classic iCloud.

Apple iCloud and iCloud Drive may look similar from the outside, but use different protocols under the hood. For this reason, upgrade to iCloud Drive is not automatic for those migrating to iOS 8. Instead, iOS users are offered to upgrade their iCloud accounts to iCloud Drive when activating a new iOS 8 device or upgrading to the latest version of iOS. Since there is no backward compatibility between iCloud Drive and iOS 7 and earlier, users with a mix of Apple hardware may wish to stay on classic iCloud until all of their iOS devices are running iOS 8.

The Solution

Finally we arrived to the point. Starting with this release, Elcomsoft Phone Breaker gains the ability to retrieve application data and user-loaded from user accounts upgraded to iCloud Drive – all that in addition to accessing iOS backups! While this is a short line of news, we spent nearly half a year reverse-engineering the new communication protocols and building code to communicate with iCloud Drive servers. We’ve finally succeeded, and it’s just in time.

Decrypting Keychain from iCloud Backups

It may sound confusing, but we are NOT decrypting iCloud Keychain. So what exactly DO we decrypt in this update? Before we go on to that, let’s have a look at these keychains first.

Keychain is a highly protected system database in iOS that keeps the most sensitive information stored in the device. Both system and third-party apps can use keychain to store protected data such as account passwords, payment information, Wi-Fi and VPN passwords, as well as various tokens and security certificates.

While stored in the device itself, the keychain is encrypted to the highest level available to the combination of hardware and software (iOS version) being used. However, once the keychain is extracted from the device and saved into a backup file, it may use a different protection level and encryption method altogether depending on the type of backup.

If the user creates a password-protected local backup with iTunes, the keychain is encrypted with a key dependent on the user-specified backup password. If you know the original backup password, you can decrypt MOST items stored in the keychain (by using the corresponding “Keychain Explorer” feature in Elcomsoft Phone Breaker).

If, however, a local backup is created without a password, the keychain will be extracted as-is (that is, encrypted with a hardware-dependent key that is unique to a particular device and does not change throughout the life of it). Now, these keychains can only be restored to the same physical device, and decrypted with the same hardware-dependent decryption key. However, if you do have that key (e.g. extracted via physical acquisition with Elcomsoft iOS Forensic Toolkit), you can decrypt ALL items from that keychain. Do note that there are numerous limitations as to which devices can or cannot be acquired via physical imaging.

Finally, if you have a cloud backup (iCloud), that backup will store the keychain protected with device password (similar to non-password-protected iTunes backups). While the encryption is mostly similar to that used in non-password-protected iTunes backups, some details are different. Therefore, decrypting the keychain extracted from an iCloud backup requires a slightly different approach.

Now when we know the theory, we can go on to the big news: Elcomsoft Phone Breaker can now decrypt all three types of keychains (provided that you have the hardware-dependent key, that is). If you want to decrypt the keychain extracted from an iCloud backup, you will need to extract the ‘securityd’ (0x835) key from the device via physical acquisition. You can just do it once, and the key can be used for decrypting all future iTunes and iCloud backups made from that device, even if the device will be factory-reset.

This is the Future

According to Apple, more than 72% of its users have already migrated to iOS 8, gaining the possibility to upgrade their iCloud service to iCloud Drive. However, there is no data available about how many users have actually switched their iCloud service to iCloud Drive. Still, since this is a one-way process (Apple provides no way of downgrading an iCloud Drive account to classic iCloud), we expect more users migrate to the new cloud storage.

Make sure to update your copy of Elcomsoft Phone Breaker to the latest release to be able to access the growing number of iCloud Drive accounts. Existing customers can download an update on its product page https://www.elcomsoft.com/epb.html .


Tags: , , , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

65 Responses to “Supporting Apple iCloud Drive and Decrypting Keychains from iCloud”

  1. Tom says:

    Help please
    I just ordered eppb pro. I downloaded the backups. And Its very difficult to view.
    For example I cannot view sms folder. And there’s no program on the web to open it.
    Also for photos here’s hundreds if not thousands of folders I have to try and go through just to see one photo.
    Could you please help me by making this process simpler? Or how to make it simpler?
    Thank you.

  2. Van Thuong says:

    is no way be icloud on iphone unlocking 5….

  3. Tom says:

    So basically for eppb to work. I would of needed to purchase two programs?

    • Tom,

      Not exactly. EPPB is a product to download backups, but it is not intended for viewing. To view the data, you can use any of the programs listed in our blog article (there are free ones, too).

  4. tungkick says:

    Can find password icloud Iphone 6 8.2 right?
    pls help me

  5. ku says:

    “” No, our software cannot help to break/recover password to Apple ID. “”
    if you can , Engineer of Apple will retired forever

  6. Selfish says:

    After the update i keep getting an “Invalid update_account_ui response format” , why am i getting that? i cant access my backup!!

  7. sqbily says:

    Do I understand this correctly?…..if I have an encrypted itunes or icloud backup, I dont need physical access to the phone in order to extract the passwords from the keychain backup?

    • sqbily,

      If you have encrypted iTunes backup (and its password), the device is not needed — with Elcomsoft Phone Breaker, most keychain records can be extracted and decrypted.

      With iCloud backups, the things are a bit more complex. You will need the device-unique “security key”, which can be obtained with physical acquisition of the device only (and limited to 32-bit devices that can be jailbroken).

  8. black says:

    I cant see /download any ios9 Icloud backup.Why?
    Tnanks !

    • iOS 9 iCloud backups are not supported yet. They are stored at the different location, authentication is different, as well as the network protocol, storage format and encryption. We have already completed the research and now implementing it in the software — that will take 3-4 weeks.

  9. Fortunata says:

    Is there a target date, when a new version of EPB will be available?

  10. Fortunata,

    Almost done, sorry for the delay! ETA is the end of October.

  11. Fortunata says:

    Thanks for the quick response.

  12. Help says:

    Homepage says ios9 is now supported but there’s no new release available for download. Am I missing something?

  13. We’re sorry for incorrect description (will fix it immediately). This feature will be available in next version (in the beginning of November).

  14. jamjame says:

    I had the old version of eppb, and I just within the last couple weeks purchased the newest one also (thinking i needed it for ios9). will I have to buy the new version once ios9 is supported?

  15. Vladimir Katalov says:


    Of course no – the license is valid for a year after purchase, so you will get iOS 9 support at no additional cost. The new version is on the way, testing the release candidate now – so hopefully we will get it on next week.

  16. Steve Jobs says:

    Hey Vladimir,

    When I try to run the newest version of EPPB I get the error: “Could not start Elcomsoft Phone Password Breaker. There is no access to C:\Program Files (x86)\Elcomsoft Password Recovery\Elcomsoft Phone Password Breaker\EPBMain.exe” http://i.imgur.com/dXXaxTj.png

    Version 3.21 works fine though. I’m running Windows 8.1.

  17. Christina says:

    Can you provide expected date , when new version will be available ?

  18. Vladimir Katalov says:

    Steve Jobs,

    The error is about missing Visual Studio runtime. Just download and install the following package:


    In next version, we will take these dependencies out 🙂

  19. Vladimir Katalov says:


    New version is scheduled on this Thursday (Oct 29th).

  20. black says:

    great news!

  21. Christina says:


  22. Christina says:


    As you confirmed that new version will release on Oct 29th , so please update is this release or not ? As still the old version is available on your website . Waiting for your response 🙂


  23. Vladimir Katalov says:


    Version 5.0 with iOS 9 support has been released just about a half an hour ago 🙂

  24. Christina says:

    Great!!! thanks 🙂

  25. John says:

    Downloaded new version but it says I require icloud 4.0 or higher, which I have. Icloud can see that there are updated backups but EPPB still cannot. Is there something I am doing wrong?

  26. Cory says:

    When will IOS 9 for Mac be supported?

  27. Lou says:

    so the latest version with iOS9 support is only available for windows currently? Thats a bummer, I was looking forward to this update.

  28. Don says:

    John, I was getting the same message when I had control pane 4.01 installed. So I went and downloaded the newest icloud panel (5.0) , rebooted and tried again. Still getting the same message, and backups are not showing up even though I know they are there. Help us Master Vladimir!

  29. Vladimir Katalov says:

    John, Don – we will double-check that, it seems that it’s just a problem in our version verification code.

    As on Mac version – sorry for the delay, it is related to serious changes in El Capitan. There is no ETA yet, but hopefully we will complete it 2-3 weeks.

  30. Vladimir Katalov says:

    Those who have problems with “iCloud for Windows” version – please contact me directly at v.katalov@elcomsoft.com with the following information:

    1. You operating system version (Windows 7/8/8.1/10 or Windows Server), and whether it is 32-bit or 64-bit.

    2. The version of the following file:

    C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloud.exe

    Browse for it in Explorer, right-click, select [Properties], switch to [Details] tab, and look for the following fields:

    – File version
    – Product version

    Thanks beforehand, and sorry for the inconvenience!

  31. Don says:

    Is there any update on when the control panel 4.0 error might be fixed?

  32. Don,

    Working on that. That would really help if you can provide us with debug-level log file.

  33. Don says:

    Are there quite a few people still having the “icloud 4.0 or higher required” error or is it just a select few of us?

  34. Vladimir Katalov says:


    We have received 4-5 complains so far. The problem seems to be related to one of the Windows system functions that may return an incorrect path (on 64-bit systems only) to the folder where iCloud for Windows is located. An updated will be released on Monday or Tuesday, sorry for the inconvenience!

  35. Don says:

    Curse you 64 bit!! I figured it was not something widespread or there would have been more people talking about it. I will wait for the update. Thank you for the follow up.

  36. John says:

    The update didn’t fix the problem for me but hopefully did for other people.

    • John,

      I am really sorry for that! Could you please send the log file (with the maximum level) to me (vkatalov@elcomsoft.com)? We have extended the logs for that specific situation.

  37. Don says:

    Unfortunately did not work for me as well. I will send the new log too

  38. anthony says:

    did not work for me either

  39. Don says:

    Vladamir I know the registration limits us to one PC, but for those of us still having the issue would it cause a problem to uninstall and then reinstall on a different PC that is running 32 bit?

  40. Vladimir Katalov says:

    Sorry guys — yes, the fix does not seem to be complete — many users still experiencing the same problem. Working hard to resolve this issue.

    Don, there is no problem using EPB on the different (second) computer. You do not even have to uninstall it from the old one; in fact, the license allows you to use the product on as many computers as you have (assuming that you are the only user).

  41. Don says:

    Just if anyone else was thinking about trying to upgrade to windows 10 to correct, don’t bother. Was getting frustrated waiting for this to be fixed and updated to 10 to see if it would fix, but still gives the same error. Fortunately did a full backup so can go back to windows 7, but wanted to let everyone else know if someone else was considering trying it.

  42. tom says:

    Is there any update to fix this issue with 64bit windows 10? Its been almost a month and its still not working

  43. Cory says:

    Any idea when the update for Mac will be released?

  44. Vladimir Katalov says:

    We have finally located (and fixed) the problem, sorry again. EPB 5.10 (for both Windows and OS X) will be released later this week, sorry again for the delay!

  45. xpert104 says:

    How do you find the “Security Key” for your iphone?

  46. Ehsan Khan says:

    Hi, I tried inputing my username and pass. But i get the error:

    Invalid account setting urls

    what should i do with this?

  47. Shah says:

    I am getting error “Error occured during keychain decrypting: Unable to open file” while trying to explore keychain

  48. Alex says:

    Am i right assuming that there is no way to decrypt the keychain if the suspect has an encrypted itunes backup with FIPS-181 compliant password?