Ok... at home now.
Don't know if you run unix variant or something else... That doesn't really but all these scripts have been run under Linux.
idevicebackup2 backup
Reading the backup
git clone https://github.com/PicciMario/iPhone-Backup-Analyzer-2
make build
then modify main.py on line 1449
-database = sqlite3.connect(':memory:') # Create a database file in memory
+database = sqlite3.connect('/tmp/md.db') # Create a database file in memory
then just start program and let it parse Manifest.mbdb of the iphone backup
python2.7 main.py
parse /tmp/md.db and extract names of whatsapp files and media
sqlite3 /tmp/md.db
SQLite version 3.8.10.2 2015-05-20 18:17:19
Enter ".help" for usage hints.
sqlite> .mode csv
sqlite> .separator | \n
sqlite> .output files2.csv
sqlite> .headers on
sqlite> select fileid,domain_type,domain,file_path,file_name from indice
where domain = "net.whatsapp.WhatsApp" AND domain_type = "AppDomain";
sqlite> .out stdout
sqlite> .quit
copy files and correct their names (just replace with your UUID):
foreach i (cat files2.csv | grep Library/Media/ | grep '""' | sed "s/|\"\".\+$//g" | cut -d "|" -f 2- | sed "s/|/\//g"
);
do;mkdir -p /tmp/extracted/$i;done
foreach i (cat files2.csv | grep Library/Media/ | grep -v '""' | sed "s/|/\//g" | sed "s/\/AppDomain/|AppDomain/"
);
do;src=echo $i | cut -d "|" -f 1
;dst=echo $i | cut -d "|" -f 2 | sed "s/.$//g"
; cp -v /Path/to/iphone/backup/UUID/0ef862e6faede9b72c75b948f8b5c9663921e796/$src /tmp/extracted/$dst;done
cp 0ef862e6faede9b72c75b948f8b5c9663921e796/ec50dd986a0f35953e40f6ca9602ad78173e254f /tmp/extracted/Contacts.sqlite
cp 0ef862e6faede9b72c75b948f8b5c9663921e796/7c7fba66680ef796b916b067077cc246adacf01d /tmp/extracted/ChatStorage.sqlite
Now you have your whatsapp media and ChatStorage.sqlite
On android install WhatsApp, become debugger and enable usb debugging. Setup WhatsApp and send at least one message and click backup in whatsapp. Download Legacy whatsapp and possibly also current one:
links https://github.com/AbinashBishoyi/WhatsApp-Key-DB-Extractor-UnOfficial/
wget 'http://www.whatsapp.com/android/current/WhatsApp.apk'
adb install -r -d LegacyWhatsApp.apk
This is the only phase the legacy version needs to be installed:
adb backup -f whatsapp.ab -noapk com.whatsapp
dd if=whatsapp.ab bs=4096 skip=24 iflag=skip_bytes | openssl zlib -d > whatsapp.tar
tar xvf whatsapp.tar apps/com.whatsapp/db/msgstore.db apps/com.whatsapp/f/key
k=$(hexdump -ve '2/1 "%02x"' apps/com.whatsapp/f/key | cut -b 253-316)
Pull whatsapp message backup
adb pull /sdcard/WhatsApp/Database/msgstore.db.crypt8 msgstore.db.crypt8
decrypt:
iv=$(hexdump -n 67 -ve '2/1 "%02x"' msgstore.db.crypt8 | cut -b 103-134);
dd if=msgstore.db.crypt8 bs=4096 skip=67 iflag=skip_bytes | openssl enc -aes-256-cbc -d -nosalt -bufsize 16384 -K $k -iv $iv | gunzip > msgstore.db
merge databases (https://gist.github.com/paracycle/6107205). The script provided here is not complete and trou reading multiple forensicsites I now know how to modify, to get your media also... but that is work in progress
Anyways:
sqlite3 -init ../convert.sql ../merged.db
encrypt:
dd if=msgstore.db.crypt8 iflag=count_bytes count=67 of=msgstore.db.crypt8; cat merged.db | gzip -5 |openssl enc -aes-256-cbc -e -nosalt -bufsize 16384 -K $k -iv $iv | dd of=msgstore.db.crypt8 bs=4096 seek=67 oflag=seek_bytes conv=notrunc
Push new backup:
adb push msgstore.db.crypt8 /sdcard/WhatsApp/Databases/
Push current version back to android and start whatsapp to read the backup:
adb install -r -d WhatsApp.apk