Android Mobile Forensics, Recovery, & Debugging

Step-by-Step: Decrypting WhatsApp Backups (.crypt12 & .crypt14) Without Root on Android

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction

WhatsApp, as one of the world’s most popular messaging applications, encrypts its local backups to safeguard user data. While this is a crucial security feature, it poses a challenge for mobile forensic analysts, data recovery specialists, or even curious users wishing to access their old chat histories outside the app. This guide provides a detailed, step-by-step methodology to decrypt WhatsApp backup files (specifically .crypt12 and .crypt14 formats) on an Android device *without requiring root access*.

Understanding WhatsApp’s encryption mechanism is key. The application utilizes SQLCipher to encrypt its primary database, msgstore.db. The encryption key, crucial for decryption, is stored within WhatsApp’s private application data directory, making it inaccessible without root privileges. Our technique leverages Android’s ADB backup functionality to extract this key, enabling full database decryption.

Prerequisites

Before proceeding, ensure you have the following:

  • An Android device with USB Debugging enabled.
  • Android SDK Platform-Tools (ADB) installed on your computer.
  • Python 3 installed on your computer.
  • A SQLite Browser (e.g., DB Browser for SQLite) for viewing the decrypted database.
  • Sufficient storage space on your computer for backup files.

Setting Up ADB

If you haven’t already, install ADB (Android Debug Bridge) on your system. This tool allows communication with your Android device.

# On Debian/Ubuntu
sudo apt install android-tools-adb

# On macOS (using Homebrew)
brew install android-platform-tools

# On Windows (download and extract SDK Platform-Tools)
# Add the folder to your PATH environment variable.

Verify ADB connectivity by running:

adb devices

Your device should appear in the list. If it’s your first time, you might need to authorize the connection on your Android device’s screen.

Step 1: Locate and Pull the Encrypted WhatsApp Backup

WhatsApp typically stores its encrypted database backups in the internal storage (or SD card) under the following path:

/sdcard/WhatsApp/Databases/

The files are named like msgstore.db.crypt12 or msgstore.db.crypt14, along with older versions and daily backups (e.g., msgstore-YYYY-MM-DD.1.db.crypt14). Identify the backup file you wish to decrypt (usually the latest one).

Pull the desired backup file to your computer:

adb pull /sdcard/WhatsApp/Databases/msgstore.db.crypt14 .
# Replace 'msgstore.db.crypt14' with your target filename.

This command copies the encrypted database file to your current directory.

Step 2: Extract the Encryption Key (.cryptXX) Without Root Using ADB Backup

This is the most critical step for non-rooted devices. The WhatsApp encryption key is stored in /data/data/com.whatsapp/files/key. We will use ADB’s backup functionality to extract the entire WhatsApp application data, then parse it to retrieve the key file.

Perform ADB Backup

Execute the following command:

adb backup -noapk com.whatsapp

Your Android device will prompt you to confirm the backup. You might also be asked to set a password; it’s generally safe to leave it blank for this purpose, but if you enter one, remember it. Confirm the backup on your device. This will create a file named backup.ab (or similar, depending on your OS) in your current directory.

Extracting the Key File from backup.ab

The .ab file is a compressed Android backup archive. We need to convert it into a standard tar archive. A popular tool for this is `abe.jar` (Android Backup Extractor).

Download `abe.jar` from its GitHub repository or search for ‘abe.jar download’. Place it in the same directory as your backup.ab file.

Convert the .ab file to a tar archive:

java -jar abe.jar unpack backup.ab backup.tar ""
# The "" is for an empty password if you didn't set one during backup.

Now, extract the contents of the `backup.tar` file:

tar -xvf backup.tar

Navigate through the extracted directories to find the key file. It’s typically located at:

apps/com.whatsapp/f/key

Copy this `key` file to the same directory as your encrypted msgstore.db.cryptXX file. This 32-byte file contains the AES encryption key used by SQLCipher.

Step 3: Decrypt the WhatsApp Database

With both the encrypted database and the key file, we can now proceed with decryption. WhatsApp uses SQLCipher, so we need a tool or library that can interface with SQLCipher databases using the provided key.

One common approach is to use Python with the pysqlcipher3 library or dedicated decryption scripts often found on GitHub (e.g., whatsapp-crypt or similar projects). For demonstration, we’ll outline the Python approach.

Install pysqlcipher3

pip install pysqlcipher3

Python Decryption Logic Example

Create a Python script (e.g., decrypt_whatsapp.py) with the following content. This script will read the key, connect to the encrypted database, and dump its contents to a new, unencrypted SQLite database.

import sqlite3
from pysqlcipher3 import dbapi2 as sqlcipher

def decrypt_whatsapp_db(encrypted_db_path, key_file_path, decrypted_db_path):
    try:
        with open(key_file_path, 'rb') as f:
            encryption_key = f.read()

        # WhatsApp's key file is usually 32 bytes (AES key)
        # For .crypt12 and .crypt14, the key is directly the SQLCipher passphrase.
        key_hex = encryption_key.hex()

        # Connect to the encrypted database using pysqlcipher3
        conn = sqlcipher.connect(encrypted_db_path)
        cursor = conn.cursor()

        # Set the key. For .crypt12/.crypt14, it's a raw hex key.
        cursor.execute(f"PRAGMA key = '0x{key_hex}';")
        cursor.execute("PRAGMA cipher_page_size = 1024;")
        cursor.execute("PRAGMA kdf_iter = 64000;") # Default for newer SQLCipher versions often used by WhatsApp
        cursor.execute("PRAGMA cipher_compatibility = 4;") # Adjust if needed for older versions

        # Attach an unencrypted database to dump the contents
        cursor.execute(f"ATTACH DATABASE '{decrypted_db_path}' AS plaintext KEY '';")
        
        # Export all tables from the encrypted DB to the plaintext DB
        cursor.execute("SELECT name FROM sqlite_master WHERE type='table';")
        tables = cursor.fetchall()

        for table_name in tables:
            table_name = table_name[0]
            if table_name.startswith('sqlite_'): # Skip internal SQLite tables
                continue
            print(f"Exporting table: {table_name}")
            cursor.execute(f"CREATE TABLE plaintext.{table_name} AS SELECT * FROM {table_name};")

        conn.commit()
        conn.close()
        print(f"Decryption successful! Decrypted database saved to {decrypted_db_path}")

    except Exception as e:
        print(f"An error occurred during decryption: {e}")

if __name__ == '__main__':
    encrypted_db = 'msgstore.db.crypt14' # Your encrypted database file
    key_file = 'key'                    # The extracted key file
    decrypted_db = 'msgstore_decrypted.db' # Output unencrypted database

    decrypt_whatsapp_db(encrypted_db, key_file, decrypted_db)

Run the script from your terminal:

python decrypt_whatsapp.py

This will produce a new file, msgstore_decrypted.db, which is a standard, unencrypted SQLite database.

Step 4: Analyze the Decrypted Database

Now that you have msgstore_decrypted.db, you can open it with any SQLite browser (e.g., DB Browser for SQLite). Key tables to explore include:

  • messages: Contains the actual chat messages.
  • chat_list: Information about your chats.
  • contacts: Your WhatsApp contacts.
  • wa_contacts: WhatsApp specific contact data.
  • media: Details about media files sent and received.

You can write SQL queries to extract specific conversations, media links, timestamps, and more. For instance, to view the latest messages:

SELECT 
  FROM_ME, 
  CASE WHEN FROM_ME = 1 THEN 'You' ELSE JID_ROW_ID END AS Sender, 
  DATA AS Message, 
  datetime(TIMESTAMP / 1000, 'unixepoch') AS MessageTime
FROM messages
ORDER BY TIMESTAMP DESC
LIMIT 50;

Security and Ethical Considerations

While this guide provides a technical method for data access, it’s crucial to acknowledge the ethical and legal implications. Accessing someone’s WhatsApp data without explicit consent is a severe breach of privacy and potentially illegal. This technique should only be used for legitimate purposes, such as personal data recovery, forensic analysis with proper authorization, or security research within legal boundaries.

Conclusion

Decrypting WhatsApp backups without root access is a powerful technique for accessing otherwise secured chat data. By leveraging ADB backup for key extraction and utilizing SQLCipher-compatible tools, you can successfully decrypt .crypt12 and .crypt14 databases. This process offers significant utility for data recovery, forensic investigations, and understanding the internal workings of WhatsApp’s data storage, all while bypassing the complexities and risks associated with rooting a device.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #ADB Backup #Android Forensics #Data Recovery #SQLCipher #WhatsApp Decryption

Related Technical Guides

Deep Dive: Side-Channel Attacks on Android TEE for Secure Element Data Recovery

May 29, 2026

ISP Data Extraction Masterclass: Recovering Data from Bricked Android Devices via In-System Programming

May 30, 2026

Bypass & Recover: Forensic Extraction of Signal Data from Locked Android Devices

May 30, 2026