unable to identify Apple Notes hash #5510

Open
Niceninety opened this issue Jul 11, 2024 · 1 comment
Niceninety commented Jul 11, 2024

After updating to iOS 17.5.1, Notes cannot be unlocked using FaceID, and the previously correct password is no longer valid. I used DB Browser to view the notestore.sqlite file and extracted the following data. The first entry was created after I updated the system, and the password is 000000.

| Z_PK | ZCRYPTOITERATIONCOUNT | ZCRYPTOSALT | ZCRYPTOWRAPPEDKEY | ZCRYPTOINITIALIZATIONVECTOR | ZCRYPTOVERIFIER | ZCRYPTOTAG |
| --- | --- | --- | --- | --- | --- | --- |
| 2 | 20000 | ba22f9cac03eab04ecec940f52c4d32e | NULL | NULL | 510550b86555bd460c61e9bfe8de1adb7dd9d0acaa69eeeb | NULL |
| 278 | 0 | 55789bfd2e0622993734917aa123db0b | 1abe731602eb79a2c58dbe14652e9dfd | d6ffe178d2d102b33b7e798f7ed7db4c | NULL | b09d5a47de763b3fddfc2dc6e4440c21 |
| 281 | 0 | 6ed2d9331a174b6e6b980bc0983356b0 | 146caeb4e8db685ac91e3b0804f70ea4 | ac803a1af9a5e54bf052c8c090a2a5ac | NULL | e99d6f25c012d2ab5e04bd1bf2420674 |

I checked the applenotes2john.py script and found that ZCRYPTOWRAPPEDKEY and ZCRYPTOVERIFIER can be used interchangeably. However, the ZCRYPTOVERIFIER field is empty for the latter two entries, and the ZCRYPTOWRAPPEDKEY is 16 bytes long instead of 24 bytes.

I attempted to use `$ASN$*281*0*6ed2d9331a174b6e6b980bc0983356b0*146caeb4e8db685ac91e3b0804f70ea4` as the hash, but it cannot be recognized.

Can anyone help me with this? Many thanks.
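The field mismatch described in the post above can be checked per row before building a `$ASN$` line. This is an added example, not part of the original post and not code from applenotes2john.py; the function names are hypothetical, the 24-byte length and the `$ASN$*id*iterations*salt*blob` layout are taken from the post, and treating a zero iteration count as unusable is an assumption.

```python
# Added example. ROWS is copied from the table in the issue above.
COLS = ("Z_PK", "ZCRYPTOITERATIONCOUNT", "ZCRYPTOSALT", "ZCRYPTOWRAPPEDKEY",
        "ZCRYPTOINITIALIZATIONVECTOR", "ZCRYPTOVERIFIER", "ZCRYPTOTAG")
ROWS = [dict(zip(COLS, r)) for r in (
    (2, 20000, "ba22f9cac03eab04ecec940f52c4d32e", None, None,
     "510550b86555bd460c61e9bfe8de1adb7dd9d0acaa69eeeb", None),
    (278, 0, "55789bfd2e0622993734917aa123db0b", "1abe731602eb79a2c58dbe14652e9dfd",
     "d6ffe178d2d102b33b7e798f7ed7db4c", None, "b09d5a47de763b3fddfc2dc6e4440c21"),
    (281, 0, "6ed2d9331a174b6e6b980bc0983356b0", "146caeb4e8db685ac91e3b0804f70ea4",
     "ac803a1af9a5e54bf052c8c090a2a5ac", None, "e99d6f25c012d2ab5e04bd1bf2420674"),
)]

EXPECTED_BLOB_LEN = 24  # bytes; the length the post contrasts with the 16-byte keys


def blob(row):
    """Wrapped key if present, else verifier (the post notes they are interchangeable)."""
    return row["ZCRYPTOWRAPPEDKEY"] or row["ZCRYPTOVERIFIER"]


def triage(row):
    """Return the reasons a row does not fit the 24-byte, nonzero-iteration shape."""
    reasons = []
    if row["ZCRYPTOITERATIONCOUNT"] <= 0:  # assumption: zero iterations is unusable
        reasons.append("iteration count is 0")
    b = blob(row)
    if b is None:
        reasons.append("no wrapped key or verifier")
    elif len(bytes.fromhex(b)) != EXPECTED_BLOB_LEN:
        reasons.append(f"blob is {len(bytes.fromhex(b))} bytes, not {EXPECTED_BLOB_LEN}")
    if row["ZCRYPTOINITIALIZATIONVECTOR"] or row["ZCRYPTOTAG"]:
        reasons.append("IV/tag columns are populated")
    return reasons


def asn_line(row):
    """Build the $ASN$ line in the layout used in the post, or None if triage fails."""
    if triage(row):
        return None
    return "$ASN$*{}*{}*{}*{}".format(
        row["Z_PK"], row["ZCRYPTOITERATIONCOUNT"], row["ZCRYPTOSALT"], blob(row))


if __name__ == "__main__":
    for row in ROWS:
        print(row["Z_PK"], asn_line(row) or "; ".join(triage(row)))
```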

@solardiz
Member

Thank you for including so much detail. I guess this makes you the most qualified person to figure it out and contribute an enhancement to our project. Would you try? As far as I'm aware, no one in here has seriously looked into this functionality since it was first contributed by @kholia in 2017, who is inactive with the project lately. I'm sorry we do not have a better answer for you.
