


Francesco Picasso
1789684162
EOL
Added EOL
2020-12-28 23:42:16 +01:00
Francesco Picasso
7055a7c78c
Merge pull request #46 from holgus103/master
Fixed ._ files problem on OS X. Credits to @holgus103
2020-12-28 23:18:10 +01:00
Suchan Jakub
7a59614b7e Fixed ._ files problem on OS X 2020-12-05 21:43:24 +01:00
dfirfpi
662574bb45
fixed decrypt_large_package
Signed-off-by: dfirfpi <francesco.picasso@gmail.com>
2020-07-05 11:27:39 +02:00
2 changed files with 15 additions and 7 deletions


@ -5,6 +5,10 @@ _This script is introduced by the blog post at https://blog.digital-forensics.it
The `kobackupdec` is a Python3 script aimed to decrypt Huawei *HiSuite* or *KoBackup* (the Android app) backups. When decrypting and uncompressing the archives, it will re-organize the output folders structure trying to _mimic_ the typical Android one. The script will work both on Windows and Linux hosts, provided the PyCryptoDome dependency. Starting from **20100107** the script was rewritten to handle v9 and v10 kobackup backups structures.
## _EOL_
On 1.1.2021 the script will get its _end of life_ status. It was needed two years ago to overcome issues for some Huawei devices' forensics acquisitions. Now commercial forensics solutions include the very same capabilities, and much more: there are no more reasons to maintain it. We've got messages from guys using this script to manage theirs backups: we do not recommend it, and we did not write it for this reason. Anyhow we're happy some of you did find it useful, and we thank you for the feedback. We shared it to the community, trying to give back something: if someone has any interest in maintaining it, please let us know so we can include a link to the project.
## Usage
The script *assumes* that backups are encrypted with a user-provided password. Actually it does not support the HiSuite _self_ generated password, when the user does not provide its own.

18
kobackupdec.py Normal file → Executable file

@ -4,6 +4,7 @@
# Huawei KoBackup backups decryptor.
#
# Version History
# - 20200705: fixed decrypt_large_package to read input's chunks
# - 20200611: added 'expandtar' option, to avoid automatic expansion of TARs
# added 'writable' option, to allow user RW on decrypted files
# large TAR files are not managed in chunk but not expanded
@ -60,7 +61,7 @@ from Crypto.Hash import HMAC
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util import Counter
VERSION = '20200611'
VERSION = '20200705'
# Disabling check on doc strings and naming convention.
# pylint: disable=C0111,C0103
@ -316,7 +317,7 @@ class Decryptor:
decryptor = AES.new(key, mode=AES.MODE_CTR, counter=counter_obj)
return decryptor.decrypt(data)
def decrypt_large_package(self, dec_material, data):
def decrypt_large_package(self, dec_material, entry):
if not self._good:
logging.warning('well, it is hard to decrypt with a wrong key.')
@ -334,9 +335,12 @@ class Decryptor:
counter_iv, byteorder='big'), little_endian=False)
decryptor = AES.new(key, mode=AES.MODE_CTR, counter=counter_obj)
data_view = memoryview(data)
for x in range(0, len(data), self.chunk_size):
yield decryptor.decrypt(data_view[x:x+self.chunk_size])
data_len = entry.stat().st_size
with open(entry, 'rb') as entry_fd:
for x in range(0, data_len, self.chunk_size):
logging.debug('decrypting chunk %d of %s', x, entry)
data = entry_fd.read(self.chunk_size)
yield decryptor.decrypt(data)
def decrypt_file(self, dec_material, data):
if not self._good:
@ -696,7 +700,7 @@ def decrypt_large_entry(decrypt_info, entry, type_info, search=False):
search)
if decrypt_material:
for x in decrypt_info.decryptor.decrypt_large_package(
decrypt_material, entry.read_bytes()):
decrypt_material, entry):
yield x
else:
logging.warning('entry %s has no decrypt material!', skey)
@ -873,7 +877,7 @@ def decrypt_backup(password, path_in, path_out, expandtar):
xml_files = path_in.glob('*.xml')
for entry in xml_files:
if entry.name != 'info.xml':
if entry.name != 'info.xml' and not entry.name.startswith('._'):
parse_generic_xml(entry, decrypt_info)
logging.debug(decrypt_info.dump())
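Review bot: In the rewritten chunk loop of `decrypt_large_package` (hunk `@ -334,9 +335,12`), the number of iterations is fixed by `entry.stat().st_size` taken before the file is opened, but nothing checks that `entry_fd.read(self.chunk_size)` actually returned data; if the entry is truncated or shrinks between the `stat()` and the reads, the remaining iterations yield `decryptor.decrypt(b'')` and the caller silently receives short output with no sign that the backup entry was incomplete. I would stop on an empty read and make the shortfall visible: after the `read`, add `if not data:` / `    logging.warning('entry %s ended after %d of %d bytes', entry, x, data_len)` / `    break`. Since the data is decrypted with AES-CTR, which carries no integrity protection of its own, nothing downstream in this hunk would notice such a truncation, so it deserves a warning rather than only the debug-level chunk log. The function's signature and key-derivation prologue sit in the previous hunk, and any remainder of its body lies outside this one.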