crypt15 decryption not working anymore? #123

Open
YannikBe opened this issue Apr 30, 2024 · 16 comments

@YannikBe

Hexdump of your key file

❯ hexdump encrypted_backup.key
0000000 edac 0500 7275 0200 425b f3ac f817 0806
0000010 e054 0002 7800 0070 0000 6e20 0842 8e68
0000020 bd7d 9d1a c618 1b9a 5de2 5642 ff34 d5cf
0000030 7ca8 7046 5f79 487e 288a 00ab
000003b

Without the "line numbers": edac050072750200425bf3acf8170806e05400027800007000006e2008428e68bd7d9d1ac6181b9a5de25642ff34d5cf7ca870465f79487e288a00ab
Created with: wacreatekey --hex 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab

Hexdump of the encrypted DB

❯ hexdump -n 512 msgstore.db.crypt15

Again just the pure hex string in case that is easier:

Screenshots
If applicable, add screenshots to help explain your problem.
Not sure what to upload here... Just in case that is my screenshot of the key I took:
image

Program output using -v and -f

❯ wadecrypt --force -v 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab files/Databases/msgstore.db.crypt15 msgstore.db
keyfactory.py:31        : [D] Reading keyfile...
keyfactory.py:46        : [I] The keyfile could not be opened.
key15.py:47     : [D] Root key: 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab
key15.py:51     : [I] Crypt15 / Raw key loaded
wadecrypt.py:235        : [D] Key15(key: 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab)
dbfactory.py:41         : [D] Parsing database header...
dbfactory.py:75         : [D] WhatsApp version: 2.24.8.85
dbfactory.py:78         : [D] Your phone number ends with 92
dbfactory.py:128        : [D] Crypt15 info:
Header information in your crypt15 file:IV: 746499af7b952fa28f58c7522587948d
Key type: 1
WhatsApp version: 2.24.8.85
The last two numbers of the user's Jid: 92
Backup version: 1
Features: [5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 39]
Max feature number: 39

db15.py:132     : [D] Checksum OK (d06d42d90d93bcc0f59633017a447c94). Decrypting...
db15.py:155     : [E] Authentication tag mismatch: MAC check failed.
    This probably means your backup is corrupted.
wadecrypt.py:260        : [E] I can't recognize decrypted data. Decryption not successful.
    The key probably does not match with the encrypted file.
    Or the backup is simply empty. (check with --force)
wadecrypt.py:271        : [I] Done

Additional context
I am getting the same error output when using the keyfile instead of the raw key. In case it matters: the media files are mcrypt1 encrypted but I have not even attempted decrypting them yet.
The backup is 16G in size which is why I waited for the past 12 hours for it to upload to then download it. I am certain that the screenshotted key matches the backup I am trying to decrypt.

I would appreciate any help a lot!! Thank you!
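
An added example, not part of the original post and not code from wa-crypt-tools: default `hexdump` prints 16-bit little-endian words, so the bytes in the key file dump above appear pairwise swapped. The sketch below undoes the swap, checks for the Java-serialized `byte[]` wrapper, and confirms the file holds the same 32-byte root key that was passed to `wadecrypt`. The function names are hypothetical and the dump is copied from the post.

```python
# Constructed from the `hexdump encrypted_backup.key` output quoted in the post.
HEXDUMP = """\
0000000 edac 0500 7275 0200 425b f3ac f817 0806
0000010 e054 0002 7800 0070 0000 6e20 0842 8e68
0000020 bd7d 9d1a c618 1b9a 5de2 5642 ff34 d5cf
0000030 7ca8 7046 5f79 487e 288a 00ab
000003b
"""
ROOT_KEY_HEX = "6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab"

# Java object-stream prefix for a serialized byte[]: magic ACED, version 5,
# class descriptor for "[B"; a 4-byte big-endian array length follows it.
JAVA_BYTE_ARRAY_PREFIX = bytes.fromhex(
    "aced0005757200025b42acf317f8060854e00200007870")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild file bytes from default `hexdump` output (16-bit LE words)."""
    out, size = bytearray(), None
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) == 1:            # last line holds only the file size
            size = int(fields[0], 16)
        for word in fields[1:]:
            out += bytes.fromhex(word)[::-1]   # undo the per-word byte swap
    # An odd-sized file is padded with a zero byte in the last word; trim it.
    return bytes(out if size is None else out[:size])


def extract_root_key(key_file: bytes) -> bytes:
    """Return the 32-byte key wrapped in a Java-serialized byte[] key file."""
    n = len(JAVA_BYTE_ARRAY_PREFIX)
    if key_file[:n] != JAVA_BYTE_ARRAY_PREFIX:
        raise ValueError("not a Java-serialized byte[]")
    length = int.from_bytes(key_file[n:n + 4], "big")
    key = key_file[n + 4:]
    if length != 32 or len(key) != length:
        raise ValueError(f"unexpected key length {length}, got {len(key)} bytes")
    return key


def key_file_matches(dump: str, root_key_hex: str) -> bool:
    return extract_root_key(hexdump_to_bytes(dump)).hex() == root_key_hex.lower()


if __name__ == "__main__":
    print("key file wraps the supplied root key:",
          key_file_matches(HEXDUMP, ROOT_KEY_HEX))
```

A match only shows that the key file and the raw hex key are the same input; it says nothing about whether that key belongs to the backup.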

ElDavoo added the "bug" (Something isn't working) label on May 1, 2024
@ElDavoo
Owner

ElDavoo commented May 1, 2024

hi, would you mind sending the DB file to t.me/eldavo ?

@ElDavoo
Owner

ElDavoo commented May 1, 2024

> In case it matters: the media files are mcrypt1 encrypted but I have not even attempted decrypting them yet.

You need additional metadata to decrypt those files, you can download them with the master branch version of whapa.

@YannikBe
Author

YannikBe commented May 3, 2024

Thank you @ElDavoo for your quick reply! Unfortunately, I have to admit that I would not feel comfortable sending so much private information about my family, friends and myself to anyone online. I hope you understand. Thank you for your offer though!

@ElDavoo
Owner

ElDavoo commented May 3, 2024

That's understandable. Are you able to try and decrypt other DB files, like avatar_backup, stickers, etc etc?

@YannikBe
Author

YannikBe commented May 3, 2024

Thank you for understanding and still trying to help!

Unfortunately, decrypting other files results in the exact same error message. Even though details like the WhatsApp version number or the last two digits of my phone number are correct, the decryption fails.

❯ wadecrypt --force -v 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab 4915738962092/files/Backups/stickers.db.crypt15 stickers.db
keyfactory.py:31        : [D] Reading keyfile...
keyfactory.py:46        : [I] The keyfile could not be opened.
key15.py:47     : [D] Root key: 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab
key15.py:51     : [I] Crypt15 / Raw key loaded
wadecrypt.py:235        : [D] Key15(key: 6e4208688e7dbd1a9d18c69a1be25d425634ffcfd5a87c4670795f7e488a28ab)
dbfactory.py:41         : [D] Parsing database header...
dbfactory.py:59         : [D] No feature table found (not a msgstore DB or very old)
dbfactory.py:75         : [D] WhatsApp version: 2.24.8.85
dbfactory.py:78         : [D] Your phone number ends with 92
dbfactory.py:128        : [D] Crypt15 info:
Header information in your crypt15 file:IV: c084f456209d726bddec3d6ec253d7a8
Key type: 1
WhatsApp version: 2.24.8.85
The last two numbers of the user's Jid: 92
Backup version: 0
No feature table found (not a msgstore DB or very old)

db15.py:155     : [E] Authentication tag mismatch: MAC check failed.
    This probably means your backup is corrupted.
wadecrypt.py:260        : [E] I can't recognize decrypted data. Decryption not successful.
    The key probably does not match with the encrypted file.
    Or the backup is simply empty. (check with --force)
wadecrypt.py:271        : [I] Done

Could I maybe have made a mistake while downloading my backup from Google Drive? I used whapa (https://github.com/B16f00t/whapa) to download the files. Whapa's author actually linked to your repo in an issue and that is how I found this project. In the whapa settings I entered my Android Device ID but I never gave it to wa-crypt-tools.

Or is there a way to get a backup directly from my unrooted Samsung phone to circumvent Google's decryption? Or would it help if I uploaded a new WhatsApp backup from my phone into Google Drive without end-to-end encrypting it? In the end I only want to have all my messages and media on my computer to keep them safe there.

@ElDavoo
Owner

ElDavoo commented May 3, 2024

> would it help if I uploaded a new WhatsApp backup from my phone into Google Drive without end-to-end encrypting it?

You would then need to extract the key with some other projects.

Anyway, I can reproduce the issue, it looks like the actual key is different from what wacreatekey generates

@YannikBe
Author

YannikBe commented May 3, 2024

> You would then need to extract the key with some other projects.

Okay I see.

> Anyway, I can reproduce the issue, it looks like the actual key is different from what wacreatekey generates

Thank you for taking the time and giving it a shot as well! Is there anything I can do to find the correct key or help improving wacreatekey without sending my entire WhatsApp history across the internet?

@ElDavoo
Owner

ElDavoo commented May 3, 2024

No, let me see how to fix it

@diyathrajapakshe

Any update on the issue above, @ElDavoo? Having the same issue myself.

@asabeeh18

So the solution is to use the util hex_string_to_encrypted_backup_key.py included in the repo, and then use the generated file in the decrypt command.
Example usage:
hex_string_to_encrypted_backup_key.py 8d692080deea0a624125b787618c269a5dd29d8cfbbfd7a00cd57efd739eb8b9 ouput_key

@diyathrajapakshe

> So the solution is to use the util hex_string_to_encrypted_backup_key.py included in the repo, and then use the generated file in the decrypt command.
> Example usage:
> hex_string_to_encrypted_backup_key.py 8d692080deea0a624125b787618c269a5dd29d8cfbbfd7a00cd57efd739eb8b9 ouput_key

Thank you @asabeeh18 for sharing that solution, I am however using the rooted - key, the 128-bit converted 64-bit and used with hex_string_to_encrypted_backup_key.py renders the same error.

@ElDavoo
Owner

ElDavoo commented May 24, 2024

> So the solution is to use the util hex_string_to_encrypted_backup_key.py included in the repo, and then use the generated file in the decrypt command.
> Example usage:
> hex_string_to_encrypted_backup_key.py 8d692080deea0a624125b787618c269a5dd29d8cfbbfd7a00cd57efd739eb8b9 ouput_key

wacreatekey does the same, and both that and the old script generate the same encrypted_backup.key that's in my phone, but I've been unable to decrypt my db.

ElDavoo changed the title from "Please help with decryption" to "crypt15 decryption not working anymore?" on May 24, 2024
@ElDavoo
Owner

ElDavoo commented May 24, 2024

> but I've been unable to decrypt my db.

I tried with a fresh backup and it worked.

Sorry everyone, but I've been shallow and I've deleted the old test files, so I can't test anymore if there is / was a problem.
Can you just.... try again?

@ElDavoo
Owner

ElDavoo commented May 24, 2024

As a last resort, you might try using waguess.

@ElDavoo
Owner

ElDavoo commented Jun 24, 2024

I will close this issue since I got no news on this

@YannikBe
Author

Sorry ElDavoo, I don't have the old phone anymore because I had to return it when the contract ran out. So there is nothing left I could test it on at this point.
Either way, thank you very much for your support!
