Extracting backups with Android backup extractor
Following on from last week's post, this post is going to look at extracting backup files using dd and Android backup extractor.
Using dd for unencrypted backups
If the file is not encrypted, dd can be used to extract the data. You can
quickly verify whether the file is encrypted by checking the header. The header of
unencrypted files will look similar to the following:
ANDROID BACKUP
1
1
none
The first line indicates the file is an Android backup, the second line is the
backup format version, the third line indicates if the backup is compressed,
and finally the last line is the type of encryption used. As long as the last
line is none and not AES-256, the following steps should work:
- Extract the data from the backup using dd:
  dd if=backup.ab bs=1 skip=24 of=data
- If the file was compressed use openssl to decompress the data:
  openssl zlib -d -in data -out data.tar
  Note: if you don't have openssl installed, or if it was not compiled with zlib support, gzip can be used instead:
  printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" | cat - data | gzip -dc > data.tar
  Alternatively you can use the zlib module in Python:
  python -c "import zlib;open('data.tar','wb').write(zlib.decompress(open('data', 'rb').read()))"
- Finally the files in the backup can be extracted using tar:
  tar xvf data.tar
The steps above can be run in one go with a command similar to the following:
dd if=backup.ab bs=1 skip=24 | openssl zlib -d | tar xvf -
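The header check and the dd/zlib steps above can also be done in one pass. The following Python is an added example, not code from the original post or from Android backup extractor: it reads the four header lines, computes the payload offset from them instead of assuming 24 bytes, and refuses encrypted backups. The function names and the sample backup are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_header(blob):
    """Return (version, compressed, encryption, payload_offset) for a backup."""
    fields, pos = [], 0
    for _ in range(4):  # magic, version, compression flag, encryption type
        end = blob.find(b"\n", pos, pos + 64)
        if end < 0:
            raise ValueError("truncated or malformed header")
        fields.append(blob[pos:end])
        pos = end + 1
    magic, version, compressed, encryption = fields
    if magic != MAGIC or not version.isdigit() or compressed not in (b"0", b"1"):
        raise ValueError("not a recognisable Android backup header")
    return int(version), compressed == b"1", encryption.decode("ascii"), pos


def extract_tar(blob):
    """Return the tar archive bytes from an unencrypted backup."""
    _version, compressed, encryption, offset = parse_header(blob)
    if encryption != "none":
        # Encrypted payloads cannot be recovered with dd and zlib alone.
        raise ValueError("backup is encrypted (%s)" % encryption)
    payload = blob[offset:]
    return zlib.decompress(payload) if compressed else payload


def make_sample_backup():
    """Constructed sample: a one-file tar, zlib-compressed, behind the header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello"
        info = tarfile.TarInfo("apps/com.example/f/note.txt")  # made-up path
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    backup = make_sample_backup()
    print(parse_header(backup))
    print(tarfile.open(fileobj=io.BytesIO(extract_tar(backup))).getnames())
```

For a real file, pass the bytes of backup.ab to extract_tar and write the result to data.tar.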
Android backup extractor
More recent versions of Android use encryption when creating backups. As a
result the method above using dd doesn't work. There is however a tool called
Android backup extractor which can be used to unpack encrypted backups.
Installation
Android backup extractor can be installed with the following steps:
- Install java, ant and git. On CentOS this can be done with yum:
  sudo yum install -y java ant git
- Clone the source from GitHub:
  git clone https://github.com/nelenkov/android-backup-extractor.git
- Switch to the android-backup-extractor directory:
  cd android-backup-extractor
- Download the latest version of the Bouncy Castle library:
  curl -L https://www.bouncycastle.org/download/bcprov-jdk15on-158.jar -o lib/bcprov-jdk15on-158.jar
- Update build.xml to use the correct version of the Bouncy Castle library:
  sed -i 's/bcprov-jdk15on-150.jar/bcprov-jdk15on-158.jar/' build.xml
- Run ant to build the source code:
  ant
If everything went well the output of ant should look similar to the following:
$ ant
Buildfile: /home/user/android-backup-extractor/build.xml

build:
    [javac] Compiling 2 source files to /home/user/android-backup-extractor/build
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.7
    [javac] 1 warning

jar:
      [jar] Building jar: /home/hmm/android-backup-extractor/abe.jar

all:

BUILD SUCCESSFUL
Total time: 3 seconds
Unpacking files
Once Android backup extractor is installed, backup files can be unpacked with the following command:
abe unpack <backup.ab> <backup.tar> [password]
This will write the data to a tar file and produce output similar to the following:
$ ./abe unpack backup.ab output.tar secret_password
Calculated MK checksum (use UTF-8: true): E612441F07EABF08AA761C3EC0C75EB102E3D36B8CC1ED54CC7F5E56A049C838
0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 21% 22% 23% 24% 25% 26% 27% 28% 29% 30% 31% 32% 33% 34% 35% 36% 37% 38% 39% 40% 41% 42% 43% 44% 45% 46% 47% 48% 49% 50% 51% 52% 53% 54% 55% 56% 57% 58% 59% 60% 61% 62% 63% 64% 65% 66% 67% 68% 69% 70% 71% 72% 73% 74% 75% 76% 77% 78% 79% 80% 81% 82% 83% 84% 85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96% 97% 98% 99% 100%
1730560 bytes written to output.tar.
Note: you can also run abe indirectly using java and the -jar option:
java -jar abe.jar unpack backup.ab output.tar secret_password