
Unable to Decrypt Notes in NoteStore.sqlite with Known Password #117

Open
MessaAlberto opened this issue Dec 22, 2024 · 5 comments

@MessaAlberto

Hello,

I have the NoteStore.sqlite file containing encrypted Apple Notes data, and I know the password used for encryption. However, I am unable to decrypt the notes using the tools or instructions in this repository.

So far, I have not used any of the code provided in this repository, as I am unsure how to proceed with decrypting the data. I see in the README that the program mentions decrypting notes if the password is known, but I am unsure if this applies to my situation or if I am missing a specific step or script.

Could you help clarify the following?

  1. Is there a specific method or script in this repository to decrypt notes in NoteStore.sqlite when the password is known?
  2. Are there any particular requirements or steps that I need to follow to decrypt the data (e.g., handling device passcodes or other encryption mechanisms)?
  3. Is the decryption process supported for encrypted Apple Notes in NoteStore.sqlite files?

I would appreciate any guidance or instructions on how to use the code to decrypt my notes.

Thank you!

@threeplanetssoftware
Owner

Hello! If you haven't yet run this program, I'd recommend reading the Password (-w | --password-file FILE option) portion of the README. That will explain how to feed in the known password. If you have run it and provided the password, I'd ask if this is from a recent version of notes using the device passcode, instead of a straight password.

I hope this helps!

@MessaAlberto
Author

Thank you for your reply. I have a follow-up question regarding the use of the decryption command.

I would like to know if the command ruby notes_cloud_ripper.rb -m /Users/Logitech/Library/Group Containers/group.com.apple.notes/ -w passwords.txt works for backups that were retrieved and decrypted using the command ruby notes_cloud_ripper.rb -i /home/user/phone_rips/iphone/[deviceid]/ for iTunes backups made on Windows.

Does the decryption process apply to both types of backups, or is it limited to those created on Mac?

I appreciate your help and look forward to your response!

@threeplanetssoftware
Owner

Thanks for asking. The -w switch works for any of the backup types. The decryption here is just for the contents of the notes; if you are making encrypted iTunes backups, that is not yet supported (i.e. you'd need to use another program to decrypt the encrypted iTunes backup). Just make sure your iTunes backup doesn't have a password specified (or, if you are uncomfortable with that, take the backup off your Mac).

@MessaAlberto
Author

MessaAlberto commented Dec 28, 2024

Okay, great—thank you for the clarification. Then I’m not sure if I might be doing something wrong because these are the steps I’m following, and they seem correct to me:

  1. I create backups using iTunes on Windows 11, ensuring that I don’t encrypt them.
  2. I use the command notes_cloud_ripper.rb -i, and it works properly, allowing me to retrieve the notes. However, the encrypted notes aren’t decrypted.
  3. To handle this, I tried using the command notes_cloud_ripper.rb -m with the password I retrieved using Hashcat (and which I already remembered was correct). Despite this, I get the following error in the debug_log:
    D, [2024-12-28T15:10:04.688932 #7372] DEBUG -- : User asserted this is a MAC_BACKUP
    After that, the process stops without providing any new output or results.

I’m unsure if I’m missing something or if there’s another issue. Could you let me know if these steps are correct or if I’m making a mistake somewhere?

But at this point it's only out of curiosity that I want to make it work, because I already retrieved the decrypted notes from the old broken phone. I would just like to help you make it work, or assist in finding new bugs or clarifications on its usage. :)

@threeplanetssoftware
Owner

Thanks for the follow-up. To answer your questions:

  1. Sounds about right, although I don't have a Windows 11 VM to duplicate.
  2. This should be correct. But what version of iOS is this from? That would be behavior I'd expect (ish) if it was iOS 16 or newer and used the device passcode, vice a password, or if the password was wrong (which doesn't sound like it is the case based on your next point).

One way to tell that is if the ZCRYPTOITERATIONCOUNT column for the note is set to 0. This sqlite command would help you confirm whether notes are using the device passcode; is your particular note listed here?

SELECT ZICCLOUDSYNCINGOBJECT.Z_PK, 
  ZICCLOUDSYNCINGOBJECT.ZCRYPTOSALT, 
  ZICCLOUDSYNCINGOBJECT.ZCRYPTOITERATIONCOUNT 
FROM ZICCLOUDSYNCINGOBJECT 
WHERE ZICCLOUDSYNCINGOBJECT.ZISPASSWORDPROTECTED=1 AND ZICCLOUDSYNCINGOBJECT.ZCRYPTOITERATIONCOUNT=0;
  3. -m was the wrong switch to use here; it should still be -i. An iTunes backup won't validate as a Mac backup because all the files are hashed.

As a side note, you can now use an encrypted iTunes backup using the same -i if you don't want to have the data sitting around unencrypted. Check out version 0.22.
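The ZCRYPTOITERATIONCOUNT triage from the comment above, as an added example that is not code from this repository: it builds a constructed in-memory table with only the ZICCLOUDSYNCINGOBJECT columns the check needs (the rows and their values are made up for illustration) and labels each protected note as device-passcode-protected (iteration count 0, so a -w password file cannot unlock it) or password-protected.

```python
import sqlite3

# Constructed sample rows mimicking ZICCLOUDSYNCINGOBJECT in NoteStore.sqlite.
# Only the columns used by the triage are modelled; values are illustrative.
SAMPLE_ROWS = [
    # Z_PK, ZISPASSWORDPROTECTED, ZCRYPTOSALT, ZCRYPTOITERATIONCOUNT
    (1, 0, None, None),            # ordinary, unprotected note
    (2, 1, b"\x01" * 16, 20000),   # locked with a user-chosen notes password
    (3, 1, b"\x02" * 16, 0),       # locked with the device passcode (iOS 16+ behaviour)
    (4, 1, None, None),            # protected flag set but no crypto parameters stored
]


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZICCLOUDSYNCINGOBJECT ("
        "Z_PK INTEGER PRIMARY KEY, ZISPASSWORDPROTECTED INTEGER, "
        "ZCRYPTOSALT BLOB, ZCRYPTOITERATIONCOUNT INTEGER)"
    )
    conn.executemany("INSERT INTO ZICCLOUDSYNCINGOBJECT VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def classify_protected_notes(conn):
    """Return {Z_PK: label} for every note flagged ZISPASSWORDPROTECTED = 1.

    An iteration count of 0 is the thread's indicator that the note is
    protected by the device passcode rather than a notes password, which is
    why a known password supplied with -w does not decrypt it.
    """
    rows = conn.execute(
        "SELECT Z_PK, ZCRYPTOSALT, ZCRYPTOITERATIONCOUNT "
        "FROM ZICCLOUDSYNCINGOBJECT WHERE ZISPASSWORDPROTECTED = 1"
    ).fetchall()
    labels = {}
    for pk, salt, iterations in rows:
        if iterations is None or salt is None:
            labels[pk] = "protected flag set but no crypto parameters recorded"
        elif iterations == 0:
            labels[pk] = "device passcode (ZCRYPTOITERATIONCOUNT = 0); -w password cannot apply"
        else:
            labels[pk] = f"notes password, {iterations} key-derivation iterations"
    return labels


if __name__ == "__main__":
    for pk, label in sorted(classify_protected_notes(build_sample_db()).items()):
        print(f"Z_PK {pk}: {label}")
```

Point the same query at a real NoteStore.sqlite (opened read-only) to see which of your notes fall into the iteration-count-0 group.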
