Reading data from iOS backups: Manifest.mbdb

November 29, 2013

Recently, I've been working on a tool to extract data from iOS backups, and one of the files that a backup have is the Manifest.mbdb (or mbdx for old versions).

The Manifest.mbdb is a binary file that contains records for the hashed files that the backup includes, the hashed files can be anything that a certain application requires or saved, from a image thumbnail to a sqlite3 database file.

Reading the file can be tricky, since the record itself have a variable length, so you can just split the file based on a delimiter, you need to read it byte to byte. I'm going to expose here the data structures this file contains:

String entity
Type	Name	Description	Null value
uint16	Lenght	Length of the string	0x0000
ASCII data	Data	Actual string of (length) size. Don't need to read this if length is null.	nothing

Property entity
Type	Name	Description
string	Key	Key of the property
string	value	Property value

Record entity
Type	Field name	Description	Null value
string	Domain	App domain
string	Path	Path to file	0x0000
string	Target		0xFFFF
string	Hash	SHA-1 hash of the file	0xFFFF
string	Encription key	Encryption key -if any-	0xFFFF
uint16	Mode	File mode: 0xAXXX: Symlink 0x4000: Directory 0x8000: File
uint64	inode number
uint32	User ID
uint32	Group ID
uint32	Last modified time	EPOCH
uint32	Last accesed time	EPOCH
uint32	Created time	EPOCH
uint64	File size		0x0...0
uint8	Flag	0x1 to 0xB
uint8	Properties number	Number of properties to follow with this record	0x00
property[0...n]	Property objects	Each property object -if any-	nothing
--	File name	SHA1(domain + path)

More info: The iPhone Wiki | This image I found

uint16 | Mode | File mode:

0xAXXX: Symlink
0x4000: Directory
0x8000: File

**More info: ** The iPhone Wiki | This image I found