# kobackupdec

Huawei backup decryptor

_This script is introduced by the blog post at https://blog.digital-forensics.it/2019/07/huawei-backup-decryptor.html._

The `kobackupdec` script is a Python3 script that decrypts Huawei *HiSuite* or *KoBackup* (the Android app) backups. When decrypting and uncompressing the archives, it reorganizes the output folder structure to _mimic_ the typical Android layout. The script works on both Windows and Linux hosts, provided the PyCryptoDome dependency is installed.

## Usage

The script *assumes* that backups are encrypted with a user-provided password. It does not support the HiSuite _self_-generated password, which is used when the user does not provide their own.

```
usage: kobackupdec.py [-h] [-v] password backup_path dest_path

Huawei KoBackup decryptor version 20190729

positional arguments:
  password       user password for the backup
  backup_path    backup folder
  dest_path      decrypted backup folder

optional arguments:
  -h, --help     show this help message and exit
  -v, --verbose  verbose level, -v to -vvv
```

- `password` is the user-provided password.
- `backup_path` is the folder containing the Huawei backup; relative or absolute paths can be used. **Be careful** to provide the narrowest path to the data, because the script enumerates all files and folders starting from the provided path, parsing the file types it expects to find and copying out all the others. If by chance you wrongly provide `c:\` as the backup path, expect to get a full volume copy in the destination folder (ignoring errors).
- `dest_path` is the folder to be created at the specified path, absolute or relative. The script will complain if the provided folder already exists.
- `[-v]` (from `-v` to `-vvv`) is the verbosity level, written to *stderr*. It is suggested to use `-vvv` with a redirect to get a log of the process.
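A pre-flight check for the `backup_path` and `dest_path` caveats above, as an added example that is not part of `kobackupdec` itself. It assumes a backup folder contains an `info.xml` file somewhere in its tree (inferred from the sample log on this page); the `preflight` function and the `MAX_FILES` ceiling are hypothetical names and values.

```python
import os
from pathlib import Path

MARKER = "info.xml"   # assumption: taken from the sample log, used as a backup marker
MAX_FILES = 50_000    # hypothetical ceiling; a real backup should be far below a full volume


def preflight(backup_path, dest_path, max_files=MAX_FILES):
    """Return a list of problems; an empty list means the paths look sane."""
    src = Path(backup_path).resolve()
    dst = Path(dest_path).resolve()
    if not src.is_dir():
        return [f"backup_path is not a directory: {src}"]

    problems = []
    # A drive or filesystem root would make the script copy the whole volume.
    if src == Path(src.anchor):
        problems.append(f"backup_path is a filesystem root: {src}")
    # The script refuses an existing destination; catch it before starting.
    if dst.exists():
        problems.append(f"dest_path already exists: {dst}")
    # Writing into the backup folder would modify the evidence being read.
    if dst == src or src in dst.parents:
        problems.append(f"dest_path is inside backup_path: {dst}")

    # Walk once; stop early when the tree is clearly larger than a backup.
    count, marker_found, too_big = 0, False, False
    for _root, _dirs, files in os.walk(src):
        count += len(files)
        if any(name.lower() == MARKER for name in files):
            marker_found = True
        if count > max_files:
            too_big = True
            problems.append(f"more than {max_files} files under {src}")
            break
    if not marker_found and not too_big:
        problems.append(f"no {MARKER} found under {src}")
    return problems


if __name__ == "__main__":
    import sys
    issues = preflight(sys.argv[1], sys.argv[2])
    for issue in issues:
        print("REFUSING:", issue, file=sys.stderr)
    sys.exit(1 if issues else 0)
```
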
### Example

```
Z:\> py -3 kobackupdec.py -vvv 123456 "Z:\HUAWEI P30 Pro_2019-06-28 22.56.31" Z:\HiSuiteBackup
INFO:root:getting files and folder from Z:\HUAWEI P30 Pro_2019-06-28 22.56.31
INFO:root:parsing XML files...
INFO:root:parsing xml audio.xml
DEBUG:root:parsing xml file audio.xml
INFO:root:parsing xml document.xml
DEBUG:root:parsing xml file document.xml
INFO:root:parsing xml info.xml
DEBUG:root:ignoring entry HeaderInfo
DEBUG:root:ignoring entry BackupFilePhoneInfo
DEBUG:root:ignoring entry BackupFileVersionInfo
INFO:root:parsing xml picture.xml
DEBUG:root:parsing xml file picture.xml
INFO:root:parsing xml soundrecorder.xml
DEBUG:root:parsing xml file soundrecorder.xml
INFO:root:parsing xml video.xml
DEBUG:root:parsing xml file video.xml
DEBUG:root:crypto_init: using version 3.
DEBUG:root:SHA256(BKEY)[16] = b'8d969eef6ecad3c29a3a629280e686cf'
...
```

The **output** folder structure will be similar to the following one: *data/data* applications will be unpacked into their proper paths, and the APKs will be *restored* too (though not their icons). Note that the **db** folder will contain the *special* databases as created by the Huawei backups.

```
HiSuiteBackup
|-- data
|   |-- app
|   |   |-- de.sec.mobile.apk-1
|   |   |   [...]
|   |   `-- org.telegram.messenger.apk-1
|   `-- data
|       |-- de.sec.mobile
|       |   [...]
|       `-- org.telegram.messenger
|-- db
|   |-- HWlanucher.db
|   |-- Memo.db
|   |-- alarm.db
|   |-- calendar.db
|   |-- calllog.db
|   |-- camera.db
|   |-- clock.db
|   |-- contact.db
|   |-- harassment.db
|   |-- phoneManager.db
|   |-- setting.db
|   |-- sms.db
|   |-- soundrecorder.db
|   |-- systemUI.db
|   |-- weather.db
|   `-- wifiConfig.db
`-- storage
    |-- DCIM
    |-- Download
    |-- Huawei
    |-- MagazineUnlock
    |-- Notifications
    |-- Pictures
    |-- WhatsApp
    |-- mp3
    |-- parallel_intl
    `-- s8-wallpapers-9011.PNG
```