A couple of weeks back, WhatsApp introduced a new way of encrypting the backup messages saved on the SD card. The article that I wrote last month on decrypting the WhatsApp messages will no longer work on the new crypt5 files.
This time round, more work needs to be done to decrypt the msgstore.db.crypt5 file. If you do not have a copy of the new encrypted file, pull a copy from your Android mobile at the below mentioned location.
|
1 |
/sdcard/WhatsApp/Databases/msgstore.db.crypt5 |
First, we need the primary Google e-mail account used in the mobile phone. We will then need to generate a MD5 hash of the e-mail account. For example, if the primary e-mail account is abcd@gmail.com, the MD5 value will be 46040c38d1cbe8ffcd3df6c8ba787951.
|
1 2 |
$ echo -n abcd@gmail.com | md5sum 46040c38d1cbe8ffcd3df6c8ba787951 *- |
The MD5 hash will be a 32-digit hexadecimal value and we will need to convert it to a 48-digit value by appending the first 16 digits to the end of the original hash. So, 46040c38d1cbe8ffcd3df6c8ba787951 will become 46040c38d1cbe8ffcd3df6c8ba78795146040c38d1cbe8ff.
Next, we will need to perform an XOR operation on the 48-digit hash with a 48-digit key: 8d4b155cc9ff81e5cbf6fa7819366a3ec621a656416cd793. The end result will provide us with the decryption key. Note that a 32-digit IV (initialisation vector) value is also required together with the key for decryption. The IV value is 1e39f369e90db33aa73b442bbbb6b0b9.
We now have all the required parameters to decrypt the files using openssl. Open a terminal window and run openssl as shown below to decrypt the file.
|
1 |
$ openssl enc -aes-192-cbc -d -nosalt -in msgstore.db.crypt5 -out msgstore.db -K [key] -iv [iv] |
Replace the [key] and [iv] accordingly with the actual values.
To make it a little easier, I have written a small shell script to automate the whole process.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
#!/bin/bash function xor24 () { x24=$1 y24=$2 z24="" for ((i=0;i<48;i=i+2)) do x=${x24:$i:2} y=${y24:$i:2} z=`printf "%02x" $((16#$x^16#$y))` z24="${z24}${z}" done echo $z24 } if [ "$#" -ne 2 ] ; then echo "Usage: $0 <primary-android-email-account> <whatsapp-inputfile> > outputfile" exit 1 fi key=8d4b155cc9ff81e5cbf6fa7819366a3ec621a656416cd793 iv=1e39f369e90db33aa73b442bbbb6b0b9 emailacct="$1" infile="$2" md5_16=`echo -n $emailacct | md5sum | cut -c -32` md5_24=`echo -n $md5_16 ; echo $md5_16 | cut -c -16` aeskey=`xor24 $key $md5_24` #openssl enc -aes-192-cbc -d -nosalt -in $infile -K $aeskey -iv $iv openssl enc -aes-192-cbc -d -nosalt -nopad -bufsize 16384 -in $infile -K $aeskey -iv $iv |
Save the script as wacrypt5.sh and run the script like this:
wacrypt5.sh abcd@gmail.com msgstore.db.crypt5 > msgstore.db
Update (27-Apr-2014): Modified openssl command to include -nopad -bufsize 16384 options
Related: How to Decrypt WhatsApp crypt7 Database Messages
Related: How to Decrypt WhatsApp crypt8 Database Messages
Mohamed Ibrahim
ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react); plays_on(xbox, ps4); linux_desktop_user(true); }
