This repository describes the process and provides the tools that allow extracting the key Apple's FindMy uses to encrypt its files.
Extracting this key only needs to be done once; afterwards it can be used to decrypt the FindMy cache files again and again.
Warning
This procedure requires temporarily disabling some of macOS' security features! Use at your own risk.
This repo and the description below are derived from seemoolab's airdrop-keychain-extractor.
Warning
These steps disable some of macOS' security features! Use at your own risk. Please continue through Step 4 to re-enable them!
The FMIPDataManager key can only be queried from the keychain by binaries that have the correct keychain-access-group entitlement.
Since this is an Apple-internal entitlement, we have to disable amfid, which checks binary signatures and enforces the system's policies.
To do this, we first need to disable SIP via macOS' recovery mode. Start up your computer in recovery mode; the procedure is described in the Apple docs.
In recovery mode, open the Terminal and enter
csrutil enable --without nvram
and reboot the Mac. Then add the following boot argument via the Terminal
sudo nvram boot-args="amfi_get_out_of_my_way=1"
and reboot again.
Note: If running the extractor fails on your machine, you might need to disable SIP entirely by rebooting into recovery mode and running
csrutil disable
To restore full SIP later, reboot into macOS' recovery mode and run
nvram -d boot-args
csrutil enable
We build and run the extraction utility (note that you need a developer certificate for this):
git clone https://github.com/pajowu/beaconstorekey-extractor.git
cd beaconstorekey-extractor
make run
The program will output the extracted key, which you can use to decrypt the FindMy cache files.
Note: After re-enabling SIP you will have to go through all the steps again to extract the key, so better save it somewhere now!
To restore full SIP, reboot into macOS' recovery mode and run
nvram -d boot-args
csrutil enable
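Because a machine left in the weakened state keeps accepting unsigned binaries after the extraction is done, it is worth verifying that the restore step actually took effect. The script below is an added example and not part of this repository; it assumes the `csrutil status` line "System Integrity Protection status: enabled." and the `nvram boot-args` output format, and it only parses text so that the checks can also be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not from the beaconstorekey-extractor repo): confirm that SIP is
# back on and the amfi_get_out_of_my_way boot-arg is gone after the restore step.

# Classify the first line of `csrutil status`.
# Assumed formats: "System Integrity Protection status: enabled." /
# "...: disabled." / "...: unknown (Custom Configuration)." (e.g. after --without nvram)
sip_state() {
  case "$1" in
    *"System Integrity Protection status: enabled."*)  echo enabled ;;
    *"System Integrity Protection status: disabled."*) echo disabled ;;
    *) echo partial ;;
  esac
}

# Succeeds when the given `nvram boot-args` output still carries the AMFI bypass.
amfi_bypass_set() {
  case "$1" in
    *amfi_get_out_of_my_way=1*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds only when SIP reports fully enabled AND the boot-arg has been deleted;
# a partial (custom) SIP configuration is treated as not restored.
restored() {
  [ "$(sip_state "$1")" = enabled ] && ! amfi_bypass_set "$2"
}

# On a Mac, run the real commands; elsewhere only the parsers above are available.
if command -v csrutil >/dev/null 2>&1; then
  if restored "$(csrutil status 2>&1)" "$(nvram boot-args 2>/dev/null)"; then
    echo "SIP enabled and amfi_get_out_of_my_way cleared: restore step complete"
  else
    echo "WARNING: SIP or boot-args not restored; reboot into recovery and run" \
         "'nvram -d boot-args' and 'csrutil enable'" >&2
  fi
fi
```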
You can use this key to decrypt the FindMy cache files using
make decrypt
This will ask you for the key you extracted in step 2.