Extracting backups with Android backup extractor
Following on from last week's post, this post looks at extracting backup files using dd and Android backup extractor.
Using dd for unencrypted backups
If the file is not encrypted, dd can be used to extract the data. You can
quickly verify if the file is encrypted by checking the header. The header of
unencrypted files will look similar to the following:
ANDROID BACKUP
1
1
none
The first line indicates the file is an Android backup, the second line is the
backup format version, the third line indicates if the backup is compressed,
and finally the last line is the type of encryption used. As long as the last
line is none and not AES-256 the following steps should work:
- Extract the data from the backup using dd:
    dd if=backup.ab bs=1 skip=24 of=data
- If the file was compressed, use openssl to decompress the data:
    openssl zlib -d -in data -out data.tar
  Note: if you don't have openssl installed, or if it was not compiled with zlib support, gzip can be used instead:
    printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" | cat - data | gzip -dc > data.tar
  Alternatively you can use the zlib module in Python:
    python -c "import zlib;open('data.tar','wb').write(zlib.decompress(open('data', 'rb').read()))"
- Finally the files in the backup can be extracted using tar:
    tar xvf data.tar
The steps above can be run in one go with a command similar to the following:
dd if=backup.ab bs=1 skip=24 | openssl zlib -d | tar xvf -
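The header check and the dd/zlib steps above can also be done in one script that reads the four header lines, so the payload offset is computed rather than assumed to be 24 and an encrypted file is rejected before decompression. This is an added example, not part of the original post; the function names and the in-memory sample backup are constructed for illustration.

```python
import io
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_header(blob):
    """Return (version, compressed, encryption, offset after the 4th header line)."""
    fields, pos = [], 0
    for _ in range(4):
        end = blob.find(b"\n", pos, pos + 64)  # header lines are short
        if end == -1:
            raise ValueError("truncated or malformed header")
        fields.append(blob[pos:end])
        pos = end + 1
    if fields[0] != MAGIC:
        raise ValueError("not an Android backup")
    if not fields[1].isdigit() or fields[2] not in (b"0", b"1"):
        raise ValueError("malformed version or compression field")
    return int(fields[1]), fields[2] == b"1", fields[3].decode("ascii"), pos

def extract_tar(blob):
    """Return the tar bytes of an unencrypted backup, decompressing if flagged."""
    _version, compressed, encryption, offset = parse_header(blob)
    if encryption != "none":
        # Encrypted backups carry further header lines; the offset is not the payload.
        raise ValueError(f"backup is encrypted ({encryption})")
    payload = blob[offset:]
    return zlib.decompress(payload) if compressed else payload

def list_members(tar_bytes):
    """List archive member names without writing anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return tar.getnames()

def build_sample():
    """Constructed sample: a compressed, unencrypted backup holding one file."""
    buf, body = io.BytesIO(), b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("apps/com.example/_manifest")  # made-up path
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_header(blob))
    print(list_members(extract_tar(blob)))
```

Run with a backup file as the only argument to inspect a real backup; with no argument it uses the constructed sample.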
Android backup extractor
More recent versions of Android use encryption when creating backups. As a
result the method above using dd doesn't work. There is however a tool called
Android backup extractor which can be used
to unpack encrypted backups.
Installation
Android backup extractor can be installed with the following steps:
- Install java, ant and git; on CentOS this can be done with yum:
    sudo yum install -y java ant git
- Clone the source from GitHub:
    git clone https://github.com/nelenkov/android-backup-extractor.git
- Switch to the android-backup-extractor directory:
    cd android-backup-extractor
- Download the latest version of the Bouncy Castle library:
    curl -L https://www.bouncycastle.org/download/bcprov-jdk15on-158.jar \
      -o lib/bcprov-jdk15on-158.jar
- Update build.xml to use the correct version of the Bouncy Castle library:
    sed -i 's/bcprov-jdk15on-150.jar/bcprov-jdk15on-158.jar/' build.xml
- Run ant to build the source code:
    ant
  If everything went well the output of ant should look similar to the following:
    $ ant
    Buildfile: /home/user/android-backup-extractor/build.xml

    build:
        [javac] Compiling 2 source files to /home/user/android-backup-extractor/build
        [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.7
        [javac] 1 warning

    jar:
          [jar] Building jar: /home/hmm/android-backup-extractor/abe.jar

    all:

    BUILD SUCCESSFUL
    Total time: 3 seconds
Unpacking files
Once Android backup extractor is installed, backup files can be unpacked with the following command:
abe unpack <backup.ab> <backup.tar> [password]
This will write the data to a tar file and produce output similar to the following:
$ ./abe unpack backup.ab output.tar secret_password
Calculated MK checksum (use UTF-8: true): E612441F07EABF08AA761C3EC0C75EB102E3D36B8CC1ED54CC7F5E56A049C838
0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 21% 22% 23% 24% 25% 26% 27% 28% 29% 30% 31% 32% 33% 34% 35% 36% 37% 38% 39% 40% 41% 42% 43% 44% 45% 46% 47% 48% 49% 50% 51% 52% 53% 54% 55% 56% 57% 58% 59% 60% 61% 62% 63% 64% 65% 66% 67% 68% 69% 70% 71% 72% 73% 74% 75% 76% 77% 78% 79% 80% 81% 82% 83% 84% 85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96% 97% 98% 99% 100%
1730560 bytes written to output.tar.
Note: you can also run abe indirectly using java and the -jar option:
java -jar abe.jar unpack backup.ab output.tar secret_password