Felipe Martín

Be incomprehensible. If they can't understand, they can't disagree.


Reading data from iOS backups: Manifest.mbdb

Published on 2013-11-29 with no comments.

Recently, I've been working on a tool to extract data from iOS backups, and one of the files that a backup contains is Manifest.mbdb (or mbdx for old versions).

Manifest.mbdb is a binary file that contains records for the hashed files included in the backup. The hashed files can be anything that an application requires or has saved, from an image thumbnail to a sqlite3 database file.

Reading the file can be tricky: each record has a variable length, so you can't just split the file on a delimiter; you need to read it byte by byte. These are the data structures the file contains:

String entity

| Type | Name | Description | Null value |
|---|---|---|---|
| uint16 | Length | Length of the string | 0x0000 |
| ASCII data | Data | Actual string of (length) size. Don't need to read this if length is null. | nothing |

Property entity

| Type | Name | Description |
|---|---|---|
| string | Key | Key of the property |
| string | Value | Property value |

Record entity

| Type | Field name | Description | Null value |
|---|---|---|---|
| string | Domain | App domain | |
| string | Path | Path to file | 0x0000 |
| string | Target | | 0xFFFF |
| string | Hash | SHA-1 hash of the file | 0xFFFF |
| string | Encryption key | Encryption key, if any | 0xFFFF |
| uint16 | Mode | File mode: 0xAXXX: Symlink; 0x4000: Directory; 0x8000: File | |
| uint64 | inode number | | |
| uint32 | User ID | | |
| uint32 | Group ID | | |
| uint32 | Last modified time | EPOCH | |
| uint32 | Last accessed time | EPOCH | |
| uint32 | Created time | EPOCH | |
| uint64 | File size | | 0x0...0 |
| uint8 | Flag | 0x1 to 0xB | |
| uint8 | Properties number | Number of properties to follow with this record | 0x00 |
| property[0...n] | Property objects | Each property object, if any | nothing |
| -- | File name | SHA1(domain + path) | |
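
A bounds-checked reader for the three structures above, as an added example (not the code of the tool mentioned in this post). It assumes big-endian integers and a 6-byte `mbdb\x05\x00` file header, neither of which is stated in the tables; the `Reader`, `parse_mbdb`, `_s` and `build_sample` names and the sample record are constructed for illustration.

```python
import struct

HEADER = b"mbdb\x05\x00"   # file magic; assumed, not listed in the tables above
FIXED = (("mode", ">H"), ("inode", ">Q"), ("uid", ">I"), ("gid", ">I"), ("mtime", ">I"),
         ("atime", ">I"), ("ctime", ">I"), ("size", ">Q"), ("flag", ">B"))
KINDS = {0xA000: "symlink", 0x4000: "directory", 0x8000: "file"}

class Reader:
    """Cursor over untrusted bytes; every read is bounds-checked."""
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def take(self, fmt):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError(f"truncated record at offset {self.pos}")
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return value

    def string(self):
        length = self.take(">H")
        if length == 0xFFFF:              # null marker: no data bytes follow
            return None
        return self.take(f">{length}s")   # length 0x0000 reads zero bytes

def parse_mbdb(data):
    if not data.startswith(HEADER):
        raise ValueError("not an mbdb file")
    r, records = Reader(data, len(HEADER)), []
    while r.pos < len(data):
        rec = {}
        for name in ("domain", "path", "target", "hash", "key"):
            rec[name] = r.string()
        for name, fmt in FIXED:
            rec[name] = r.take(fmt)
        rec["kind"] = KINDS.get(rec["mode"] & 0xF000, "unknown")
        rec["properties"] = {}
        for _ in range(r.take(">B")):     # property count, then key/value strings
            key = r.string()
            rec["properties"][key] = r.string()
        records.append(rec)
    return records

def _s(value):   # constructed-sample helper: encode one string entity
    return struct.pack(">H", 0xFFFF) if value is None else struct.pack(">H", len(value)) + value

def build_sample():   # one constructed record, not taken from a real backup
    fixed = struct.pack(">HQIIIIIQB", 0x81A4, 42, 501, 501, 1385700000, 1385700000, 1385700000, 4096, 4)
    return (HEADER + _s(b"HomeDomain") + _s(b"Library/SMS/sms.db") + _s(None) + _s(None)
            + _s(None) + fixed + b"\x01" + _s(b"com.example.attr") + _s(b"\x01"))
```

String fields are returned as raw bytes because the hash and property values may not be printable; decode domain and path only when displaying them.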

More info: The iPhone Wiki | This image I found