User Tag List

  1. donnyk's Avatar
    Today I got message in my iPad2 (jailbroken using absinthe) that it have 0 free space.

    Using ssh, I check the size of folders in the iPad and found out an interesting file that took 4.1G space and keep growing.

    The file is
    The owner is root user and wheel group. Curious, I rename the file into
    . I do
    again and found that the file got created again and now keep growing in size.

    AbiFathirs-iPad:~ root# ls -alh /private/var/keybags/
    total 4.1G
    drwx------  2 root wheel  170 Feb 18 23:54 ./
    drwxr-xr-x 30 root wheel 1.2K Feb 18 23:52 ../
    -rw-------  1 root wheel  97K Feb 19 00:03 backup_keys_cache.db
    -rw-------  1 root wheel 4.1G Feb 18 23:56 backup_keys_cache.db.orig
    -rw-r--r--  1 root wheel 2.9K Feb 18 18:44 systembag.kb
    I want to know if anybody else have this problems? I tried to uninstall newly installed application, from cydia and from app store, but the process that wrote to this file is still running and the file continue to grow.

    I tried to install
    , but when I run it, it crash with message
    Cannot allocate memory
    2012-02-18 05:27 PM
  2. brittag's Avatar
    Weird! What do you have installed from Cydia? Anything unusual?
    2012-02-19 09:18 AM
  3. donnyk's Avatar
    Mostly I only install console applications. I once add ********* to get ********** and install WhatsApp, after that I have removed the repo and ********** from Cydia. Other apps only WhatsPad and iWipe Cache.

    Is there any easy way to get list of installed cydia app?

    I also want to know if any other iDevice users that have those files in their device?
    2012-02-19 10:14 AM
  4. brittag's Avatar
    You can look at your list of installed packages by tapping Manage and tapping Packages. The package AppInfo can make a list that you can copy and paste.

    Under /var/keybags/ my device only has systembag.kb, no backup_keys_cache.db file.

    While googling I also found your question here, and under /var/mobile I do not have a log.0000000001 file. I do have /var/log/racoon.log (which is normal) but it's only 446.8 kb. Googling log.0000000001, it sounds like that is a common filename for a BerkeleyDB file.

    Edit: You could also install the package "syslog > /var/log/syslog" from Cydia, reboot, and then look at /var/log/syslog to see if it has any clues about what the cause of this might be.
    Last edited by brittag; 2012-02-19 at 10:32 AM.
    2012-02-19 10:27 AM
  5. donnyk's Avatar
    Here is the result using AppInfo:




    Dev Team

    ZodTTD & MacCiti


    adv-cmds - 119-5
    AppInfo - 1.5
    AppList - 1.4.2
    APR (/usr/lib) - 1.3.3-2
    APT 0.6 Transitional - 1:0-23
    APT 0.7 (apt-key) -
    APT 0.7 HTTPS Method -
    APT 0.7 Strict -
    APT 0.7 Strict (lib) -
    Base Structure - 1-4
    Berkeley DB - 4.6.21-4
    BigBoss Icon Set - 1.0
    Bourne-Again SHell - 4.0.17-13
    bzip2 - 1.0.5-7
    Core Utilities - 8.12-12
    Core Utilities (/bin) - 8.12-7
    cURL - 7.19.4-6
    CyDelete - 2.0.5-1
    Cydia Installer - 1.1.4
    Cydia Translations - 1.1.0
    Darwin Tools - 1-4
    Debian Packager - 1.14.25-9
    Debian Utilities - 3.3.3ubuntu1-1
    Diff Utilities - 2.8.1-6
    Find Utilities - 4.2.33-6
    FullForce - 1.3.4
    GNU Cryptography - 1.4.0-2
    GNU Privacy Guard - 1.4.8-4
    GnuPG Errors - 1.6-2
    gzip - 1.3.12-6
    iOS Firmware - 5.0.1
    iPad - 1
    iPhone Firmware (/sbin) - 0-1
    iWipe Cache - 1.0
    libjpeg - 6b-1
    libstatusbar - 0.9.3~0
    Location Fix for iPad - 1.0
    LZMA Utils - 4.32.7-4
    Mobile Substrate - 0.9.3995
    MouseSupport - svn.r205-1
    New Curses - 5.7-12
    OpenSSH - 5.8p1-9
    OpenSSL - 0.9.8k-9
    PAM (Apple) - 32.1-3
    PAM Modules - 36.1-4
    pcre - 7.9-3
    PreferenceLoader - 2.0.4-1
    Profile Directory - 0-2
    readline - 6.0-7
    shell-cmds - 118-6
    Simulated Key Events - 0.9.2973-1
    Sudo - 1.6.9p12-4
    system-cmds - 433.4-12
    Tape Archive - 1.19-8
    top - 39-4
    UIKit Tools - 1.1.3
    WhatsPad - 0.0.2
    2012-02-19 10:33 AM
  6. brittag's Avatar
    Hmm, I'm not familiar with Location Fix for iPad, and I don't know how WhatsPad works, but the rest of the packages look pretty normal. Location Fix for iPad seems a bit old and also seems to have something to do with databases, but not with keychain stuff, so I wouldn't guess that it was related, but it might be worth removing.

    There's also the option of restoring and jailbreaking again and only installing packages one by one to try to isolate the issue, although that can be time-consuming.
    2012-02-19 12:28 PM
  7. donnyk's Avatar
    Yeah, it will be time consuming and I don't have it right now.

    Right now my problems temporarily fixed by symbolic linking the db file into /dev/null.

    If this is really a malware and there are any other people have the similar problems, then I hope this thread and my original thread in stackexchange could help.
    2012-02-19 12:52 PM
  8. donnyk's Avatar
    Hi brittag and anyone who read this thread,

    The application (malware?) that write to the file /private/var/keybags/backup_keys_cache.db seems to know any attempt to stop it to write the file. I really need help from you to check if any other jailbroken iPad who get this problem?

    If the file not growing more than 4GB, I wouldn't have knowing it. Maybe it affect other user, maybe not.
    2012-02-28 12:30 PM