David Veksler

How to Extract a Crypto Wallet Seed from an iPhone

1: Jailbreak the iPhone

A “jailbreak” (or “root” for Android devices) means gaining super-user permissions on your iPhone. These permissions allow apps to escape the “sandbox” that limits what apps can normally do on iOS. There have been dozens of different jailbreaks, but they all work the same way: a jailbreak finds a vulnerability (“exploit”) in iOS that allows it to remove software restrictions. Once the jailbreak is complete, it is possible to install software that has full access to the device.

The most recent jailbreak is unc0ver, but you must check for the best jailbreak available for your iPhone version. It’s normal to wait several years for an exploit to be available for the current iPhone device and iOS version. Each jailbreak has its own process, so read the instructions carefully.

2: Install SSH server

Jailbreaks will typically install the Cydia alternative app store. Cydia can be used to install the apps actually needed to perform the exploit. The first app you will need provides remote access to the iPhone via SSH: OpenSSH.

3: Install File Browser

The Filza File Manager can be used to browse, download, and upload files to the iPhone. Don’t bother looking for keys in the filesystem, as they are only found in the Keychain database. However, this is a convenient way to upload the exploit app and download the dumped keychain.

4: Dump The Keychain

The Keychain is a database that iOS provides for apps to store confidential information. Crypto wallets use the Keychain to store secure information.

The Keychain Dumper app used to work for exporting the keychain on a jailbroken iPhone. However, I could not get it to work on iOS 14.7. You can copy keychain_dumper using Filza, then run it over SSH.

The Elcomsoft iOS Forensic Toolkit uses a modified version of Keychain Dumper to dump iOS credentials. The toolkit basically wraps a script around this tool, but again, running the toolkit directly did not work for me. However, by looking at the error output of this toolkit and manually copying the binaries, I was able to successfully dump the keychain into a text file, then copy it to my computer.

5: Locate the Seed in the Keychain Dump

Search the keychain dump for the word “mnemonic”. I have noticed several wallets using this key to indicate the seed phrase, but of course, there may be others. It will look like this:

Internet Password

-----------------

Server: 

Account: 71DB0E2D-A6D6-4F29-8FA4-9E3D9AFB525wallets

Entitlement Group: 8LPM495FY.com.defi.wallet

Label: (null)

Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock, protection level 1

Keychain Data: {"uuid":"A1C923E4-3818-44BD-8BC7-2E48507AB90C","isActive":true,"name":"CODENAME","mnemonic":"[SEED]"}

Now you can load the seed in a new wallet.
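For a wallet developer checking their own app on a test device, the record in step 5 shows two things worth auditing: the seed is stored as plaintext JSON, and the item's accessibility class keeps it decryptable while the phone is locked. The Python below is an added example (not code from this post or from Keychain Dumper) that parses the dump layout shown above and reports such items without ever returning the secret values; the function names, the field names other than "mnemonic", and the sample dump are assumptions constructed for illustration.

```python
import json

# Classes that keep an item decryptable while the device is locked (prefix match).
LOCKED_READABLE = ("kSecAttrAccessibleAfterFirstUnlock", "kSecAttrAccessibleAlways")
# "mnemonic" comes from the page; the other field names are assumptions.
SECRET_FIELDS = {"mnemonic", "seed", "privatekey"}
# Constructed sample in the layout shown in step 5; all values are placeholders.
SAMPLE = """\
Internet Password
-----------------
Entitlement Group: TEAMID0000.com.example.wallet
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock, protection level 1
Keychain Data: {"name":"test","mnemonic":"PLACEHOLDER"}
Internet Password
-----------------
Entitlement Group: TEAMID0000.com.example.notes
Accessible Attribute: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Keychain Data: opaque-token
"""

def parse_records(dump_text):
    """Split dump text into one dict per keychain item."""
    records, current, prev = [], None, ""
    for line in map(str.strip, dump_text.splitlines()):
        if not line:
            continue  # tolerate blank lines between fields
        if set(line) == {"-"}:  # underline: the previous line names the item type
            current = {"Type": prev}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        prev = line
    return records

def audit(dump_text, secret_fields=SECRET_FIELDS):
    """Report items storing secret fields as plaintext JSON; values are never returned."""
    findings = []
    for rec in parse_records(dump_text):
        try:
            data = json.loads(rec.get("Keychain Data", ""))
        except ValueError:
            continue  # not JSON (opaque or binary data): out of scope here
        hits = sorted(k for k in data if k.lower() in secret_fields) if isinstance(data, dict) else []
        access = rec.get("Accessible Attribute", "").split(",")[0]
        if hits:
            findings.append({"group": rec.get("Entitlement Group", ""), "fields": hits, "accessible": access,
                             "readable_while_locked": access.startswith(LOCKED_READABLE)})
    return findings
```

A finding with `readable_while_locked` set to true means the item stays decryptable after the first unlock until the device reboots, which is the condition the dump in step 5 relies on.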
