Crypt14 cannot be decrypted (again) #120

Closed
ymmij321 opened this issue May 29, 2021 · 27 comments
@ymmij321

ymmij321 commented May 29, 2021

I am trying to decrypt a recent (26.05.21) crypt14 DB. Keyfile is available.
Result: Decryption failed. Error during unzipping.
To make sure it is not another problem I created on the same device a new backup and extracted the key again. Result is the same. Did maybe something change in the DB format again recently?

@hogiebaer

hogiebaer commented May 29, 2021

Same problem here. Seems to be the actual WhatsApp Version changed something in the decrypted file.
The first bytes (header) seem to change in the decrypted file. I think we have to wait for Andreas.

Thx for the very good work

@markdrayton

Perhaps @torsade has suggestions?

@ElDavoo
Contributor

ElDavoo commented May 30, 2021

Same. A few things I noticed:

  1. Everything is off by one byte, because the "62" value, which is the first byte, changed to BD 01.
  2. Because of 1), WHATSAPP_DBFILE_SERVERSALT_OFFSET = 15 and not 14.
  3. The version number is 2.21.20.16, so it's one byte more: everything after version number is going to be shifted by one more byte.
  4. After the version number, there is this... strange sparse structure?
    EDIT: privacy. go see it yourself. issue is closed anyway. lol

What is this? Does anybody have a clue? It is the same across two backups, so it's either unencrypted information or encrypted without salt, iv (?) Since it is right after version information, I guess it's some other version date build id? Or maybe it's a header that describes how to encrypt the following data? (???)
Maybe this is related to the upcoming E2E encrypted Google Drive backups. When I read that news I knew the backup format was going to change. I saw it coming.

  5. This structure ends at byte 191, after which everything is different from backup to backup, just like it used to be from byte 62 onwards in the "old" crypt14 format

I will try to code a "bruteforcer" that tries all possible offsets. I know it's ugly but this is my skill level, lol

@ElDavoo
Contributor

ElDavoo commented May 30, 2021

yay!

WHATSAPP_DBFILE_SERVERSALT_OFFSET = 15
WHATSAPP_DBFILE_IV_OFFSET = 67
WHATSAPP_DBFILE_CT_OFFSET = 191
WHATSAPP_DBFILE_FOOTER_SIZE = 0

Some questions arise from what's going on, though:

  1. Should we give the user the ability to decrypt both "old" crypt14 and "new" crypt14 ?
  2. If so, are we just going to copy classes and voice menus again?
  3. What about trying a pre-made list of offsets?
  4. What if the offsets keep changing in the future? What about giving the user the choice to input offsets manually?

@ElDavoo ElDavoo mentioned this issue May 30, 2021
@HuibGroenewegen

Hello, I'm here just because I need to read a crypt14 file because of accidentally erasing my Whatsapp and could not restore the local database with reinstalling whatsapp. I have the key and the crypt14 file I want to convert to readable text. But my files are from the period around 24-05-21 and don't work with the whatsappviewer; I get an error message. I saw that ElDavoo made a change with the offsets in a program, but this is (not) included in the program I download again? I'm not a pro programmer, just like to figure out how to fix this issue. I read the encrypted db in hex and understand more or less the problem with the versions. But how do you know where an offset starts? How many versions exist since they started with crypt14? Because what I understand is that at the beginning the whatsapp viewer did work?

@ymmij321
Author

ymmij321 commented May 30, 2021

> Hello, I'm here just because I need to read a crypt14 file because of accidentally erasing my Whatsapp and could not restore the local database with reinstalling whatsapp. I have the key and the crypt14 file I want to convert to readable text. But my files are from the period around 24-05-21 and don't work with the whatsappviewer; I get an error message. I saw that ElDavoo made a change with the offsets in a program, but this is (not) included in the program I download again? I'm not a pro programmer, just like to figure out how to fix this issue. I read the encrypted db in hex and understand more or less the problem with the versions. But how do you know where an offset starts? How many versions exist since they started with crypt14? Because what I understand is that at the beginning the whatsapp viewer did work?

Actually, that was the scenario why I tried to use whatsapp-viewer, too. My phone died irreversibly but I have recent local backups which are not recognised by a new WA installation on another phone. Is it possible that WA's backup restore function is at the moment broken or glitchy? Maybe the WA developers confused themselves by changing the offset again?
Can someone else confirm this behaviour of WA?

@IvanRus1

IvanRus1 commented Jun 2, 2021

Actually I can't decrypt the latest database either. I'd deleted my WhatsApp app, then I reinstalled it and made a backup base. I copied the base and the new key to PC and couldn't decrypt it either. The WhatsApp developers did something new with saving the database or code in the key or DB. I really don't know what to do. @andreas-mausch, help us by fixing this error please.

@ymmij321
Author

ymmij321 commented Jun 7, 2021

Update: I was able to restore the backup on my new Smartphone. I was writing a bit back and forth with WA Support and my takeaway was that the connection between WA and Google Drive must also exist for local backups. My guess is that WA is saving something there in the app-dedicated storage area although the "real" Google Drive Backup is disabled. (How crappy would that be?)
Unfortunately I tested this on my new unrooted used-for-real-life smartphone, so I cannot say if there are some files (or backup keys) added to the inaccessible data folder(s) where one also finds the other key. Maybe someone can check this with an experimental phone and account? I will also try to do so as soon as I have some spare time.
Reproducing the steps to restore is a bit difficult since I was doing this in a stressful situation, but it went roughly like this:

  • make sure there is a connection between WA & your google account (you can find how to do this somewhere else)
  • delete WA data in smartphone preferences or reinstall or install - you need a fresh WA
  • allow ONLY (!) storage access directly in smartphone preferences
  • copy the backup to your smartphone (if not done so already). Check for the right folder structure and names. It is WhatsApp not Whatsapp ;)
  • start WA
  • enter phone number
  • after entering or receiving the registration code switch to airplane mode
  • do not allow access to contacts when WA asks
  • you should see that a local backup was found but another window is on top and you cannot tap restore
  • when asked to choose a google account to search for backup via this window on top, confirm and you should only see "add new account"
  • tap abort and repeat to choose a google account for about 3 times. MEANWHILE: When tapping on these in-front-windows they very shortly disappear. During this time try to tap on the restore button of the local backup.
  • after having done this a few times abort the search for a backup on google drive. WA then continues to entering of your screen name.
  • an error message occurs that WA is unable to complete registration due to network problems. Confirm a few times.
  • disable airplane mode
  • messages restored
  • allow contact access in smartphone's preferences
  • all done

I do not know if there is an easier way. This is how it worked for me, though. I don't know what would be worse: If it is a bug or even intention to almost render local backups useless.
I know all this is a bit OT but probably it helps understanding some new approaches in WA's backup "strategy".
Another takeaway: Use Signal if possible ;)

@ElDavoo
Contributor

ElDavoo commented Jun 7, 2021

wtf

@ymmij321
Author

ymmij321 commented Jun 9, 2021

Update: WA support finally admitted it is a "known problem" and "will be fixed in one of the upcoming versions". Doesn't seem to be a priority...

@crxed9

crxed9 commented Jun 9, 2021

Hello

I can decrypt a database from May 11th, but I cannot decrypt a database from June.

Is this because of the changed offsets?

Edit: restoring from a local backup (that WhatsApp states is 2.7 GB) always hangs at 39% :(
Edit 2: Force Closing WhatsApp at that 39% gave me all the messages of the backup back!

@unknowen700

any new update to solve new 14 crypt?

@silentguy256

I guess I have this offset problem as well. I don't have a visual studio handy to compile a version with modified offsets so I'm replying here in the hope that this will remind me if this is fixed.
Personally for cases where it's just offsets that make problems I would go with just a list and then using the one that actually works. Maybe even an optional brute force that tries "sensible" values until it finds one that works.
Sadly I don't have the option to try to reload the backups into a new installation. Although... Maybe just in an emulator... Hmmm

@gnaomo

gnaomo commented Aug 3, 2021

any news?

@ElDavoo
Contributor

ElDavoo commented Aug 3, 2021

I've been decrypting with a python script for a while (stable version of wa). Some people had issues, but I don't know, it works for me

@gnaomo

gnaomo commented Aug 3, 2021

thank you, my db is from the latest beta so it's not working, how do you "brute force" to find the offsets?

@ElDavoo
Contributor

ElDavoo commented Aug 3, 2021

Use for loops and see if zlib can decode or there is an error.
I didn't save my bruteforcer.
Values might just be off by one. Try opening a working and not working encrypted backup in a hex editor and see if you can spot the differences.
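
The loop ElDavoo describes, sketched as an added example (not the script linked in this thread and not WhatsApp Viewer's code): it tries candidate IV and ciphertext offsets and keeps the pair whose output inflates with zlib to a SQLite header. Assumptions: a 16-byte IV, a `decrypt(key, iv, data)` callable that can decrypt a prefix, and a constructed SHA-256 keystream standing in for the real cipher so the block runs on the standard library alone; the sample file and key are constructed, and all function names are hypothetical.

```python
import hashlib
import zlib

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any SQLite database file

def standin_cipher(key, iv, data):
    """Constructed stand-in for the real backup cipher: XOR with a SHA-256 keystream."""
    out = bytearray()
    for pos in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + pos.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[pos:pos + 32], pad))
    return bytes(out)

def looks_like_database(plain):
    """True if the bytes start a zlib stream that inflates to a SQLite header."""
    try:
        head = zlib.decompressobj().decompress(plain, len(SQLITE_MAGIC))
    except zlib.error:
        return False  # wrong offsets almost always fail here
    return head == SQLITE_MAGIC  # rejects garbage that happens to inflate

def find_offsets(blob, key, decrypt, iv_range, ct_range, iv_len=16, probe=256):
    """Return every (iv_offset, ct_offset) pair whose plaintext passes the check."""
    hits = []
    for iv_off in iv_range:
        iv = blob[iv_off:iv_off + iv_len]
        for ct_off in ct_range:
            if ct_off < iv_off + iv_len:
                continue  # ciphertext cannot begin inside the IV
            if looks_like_database(decrypt(key, iv, blob[ct_off:ct_off + probe])):
                hits.append((iv_off, ct_off))
    return hits

def build_sample(key, iv_off=67, ct_off=191):
    """Constructed test file laid out with the offsets posted in this thread."""
    iv = bytes(range(16))
    header = bytearray((hashlib.sha256(b"filler").digest() * 8)[:ct_off])
    header[iv_off:iv_off + len(iv)] = iv
    body = zlib.compress(SQLITE_MAGIC + b"\x00" * 4096)
    return bytes(header) + standin_cipher(key, iv, body)

if __name__ == "__main__":
    key = b"k" * 32  # constructed key, not taken from a real key file
    blob = build_sample(key)
    print(find_offsets(blob, key, standin_cipher, range(60, 75), range(185, 197)))
```

Checking for the SQLite header after inflating, rather than only for the absence of a zlib error, filters out the rare wrong offset whose output happens to start with a valid zlib header.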

@djedu28

djedu28 commented Aug 16, 2021

Any news?
My WhatsApp 2.21.14.25 has corrupted messages.db, and I can't restore backups

And neither decrypt in WV.
I don't know how to find the values

@djedu28

djedu28 commented Aug 16, 2021

> I've been decrypting with a python script for a while (stable version of wa). Some people had issues, but I don't know, it works for me

Thank you!
With this script everything worked perfectly, I didn't even need to modify anything

@andreas-mausch
Owner

New offsets are used in v1.15

Note: If you have a backup with the old offsets, you need to install v1.14. I don't have plans to support both.

@andreas-mausch andreas-mausch added this to the v1.15 milestone Aug 24, 2021
@tg5hKVHPyX

i just downloaded this software v1.15 (first time using it) and i'm getting the same decryption failed error because of the key and i have no idea why. the local backup file was made an hour ago, it's not an older crypt14.

@andreas-mausch
Owner

Uh. What is your WhatsApp version?

@tg5hKVHPyX

2.21.15.20

@ElDavoo
Contributor

ElDavoo commented Aug 27, 2021

I just tested and it works for me, version 2.21.16.20. Maybe some people are having different offsets or formats.

@HoooooR

HoooooR commented Aug 30, 2021

> 2.21.15.20

As ElDavoo said, just update to 2.21.16.20, then try to decrypt a fresh data backup (you can do the installation offline). Worked perfect with me finally!

@codechecking786

> > I've been decrypting with a python script for a while (stable version of wa). Some people had issues, but I don't know, it works for me
>
> Thank you! With this script everything worked perfectly, I didn't even need to modify anything

can you please help me with this code?

@codechecking786

> I just tested and it works for me, version 2.21.16.20. Maybe some people are having different offsets or formats.

i need some help, how can i contact you?
