Find My data is encrypted on disk after macOS 14.4... any known workarounds?

[varenc]

I love this project! Sadly Apple has broken it.

After macOS 14.4 if you try to use this you get:

➜ python3 main.py
Traceback (most recent call last):
  File "main.py", line 101, in <module>
    log_devices()
  File "main.py", line 77, in log_devices
    log_manager.refresh_log()
  File "FindMyHistory/lib/log_manager.py", line 85, in refresh_log
    items_dict = self._get_items_dict()
  File "FindMyHistory/lib/log_manager.py", line 62, in _get_items_dict
    raise RuntimeError(f'No devices found. Please check if Full Disk '
RuntimeError: No devices found. Please check if Full Disk Access has been granted to Terminal.

This error message is wrong though. What's really happening is that on this line it attempts to JSON decode the various Find My data files. These files used to be simple JSON but now they're binary plists. The JSON decoding fails but due the the except: pass this is obscured.

The plist just contains two top level keys though:

➜ plutil -p ~/Library/Caches/com.apple.findmy.fmipcore/Items.data
{
  "encryptedData" => {length = 61896, bytes = 0xb50493ba 7e054275 1fa896df 9cded496 ... c08ecb8f d5c2ae14 }
  "signature" => {length = 64, bytes = 0xed484943 9543a6dd 6625eff6 35e5ce75 ... dc120970 a073a7b6 }
}

So the data is now encrypted on disk. I search around in Keychain for possible decryption keys but couldn't find anything obvious. I should have looked specifically for key Keychain entries created after the upgrade.

I imagine that if we can get this data decrypted we'll this project will still be pretty useful. Anyone have leads on decrypting this? Hopefully there's just some Keychain key somewhere we can use.

[varenc]

Some possible leads:

From logging messages I can tell that the Find My app seems to be accessing these keychain items:

com.apple.account.AppleAccount.cloudkit-token.<my_email>
com.apple.account.AppleAccount.find-my-friends-app-token.<my_email>
com.apple.account.AppleAccount.find-my-iphone-app-token.<my_email>
com.apple.account.AppleAccount.find-my-iphone-siri-token.<my_email>
com.apple.account.AppleAccount.find-my-iphone-token.<my_email>
com.apple.account.AppleAccount.key-transparency-token.<my_email>
com.apple.account.AppleAccount.maps-token.<my_email>
com.apple.account.AppleAccount.search-party-token.<my_email>
com.apple.account.AppleAccount.token.<my_email>
com.apple.account.DeviceLocator.find-my-iphone-app-token.<my_email>
com.apple.account.DeviceLocator.find-my-iphone-siri-token.<my_email>
com.apple.account.DeviceLocator.token.<my_email>
com.apple.account.FindMyFriends.find-my-friends-app-token.<my_email>

So now I'm cautiously optimistic the decryption key is one of those. Though how exactly to use that key to decrypt the plist I don't yet know. Would welcome any insights.

[Pnut-GGG]

I found "FMIPDataManager" and "FMFDataManager" in the keychain

They should correspond to Find my iPhone and Find my Friend

By using the method mentioned in this project (https://github.com/pajowu/beaconstorekey-extractor) I obtained the keys inside

It is a binary plist file

By opening this plist file I got two 32-bit keys (possibly AES-256?)

The names of the keys are privateKey and symmetricKey respectively

These two keychains have been created for over a year (very close to the release of macOS 14.4)

When I try to delete these two keychains and reopen Find My

These two keychains are recreated and privateKey and symmetricKey are changed

So I suspect that these two keychains are the encryption keys for handling Find my iPhone and Find my Friend

[Pnut-GGG]

I successfully decrypted the findmy data. Check my project for more information.
https://github.com/Pnut-GGG/findmy-cache-decryptor