Felipe Martín

Be incomprehensible. If they can't understand, they can't disagree.


Reading data from iOS backups: Manifest.mbdb

Published on 2013-11-29 with no comments.

Recently, I've been working on a tool to extract data from iOS backups, and one of the files that a backup has is Manifest.mbdb (or mbdx for old versions).

Manifest.mbdb is a binary file that contains records for the hashed files that the backup includes. The hashed files can be anything that a certain application requires or has saved, from an image thumbnail to a sqlite3 database file.

Reading the file can be tricky: since each record has a variable length, you can't just split the file based on a delimiter; you need to read it byte by byte. Here are the data structures this file contains:

String entity

| Type | Name | Description | Null value |
|---|---|---|---|
| uint16 | Length | Length of the string | 0x0000 |
| ASCII data | Data | Actual string of (length) size. No need to read this if length is null. | nothing |

Property entity

| Type | Name | Description |
|---|---|---|
| string | Key | Key of the property |
| string | Value | Property value |

Record entity

| Type | Field name | Description | Null value |
|---|---|---|---|
| string | Domain | App domain | |
| string | Path | Path to file | 0x0000 |
| string | Target | | 0xFFFF |
| string | Hash | SHA-1 hash of the file | 0xFFFF |
| string | Encryption key | Encryption key, if any | 0xFFFF |
| uint16 | Mode | File mode: 0xAXXX: Symlink; 0x4000: Directory; 0x8000: File | |
| uint64 | inode number | | |
| uint32 | User ID | | |
| uint32 | Group ID | | |
| uint32 | Last modified time | EPOCH | |
| uint32 | Last accessed time | EPOCH | |
| uint32 | Created time | EPOCH | |
| uint64 | File size | | 0x0...0 |
| uint8 | Flag | 0x1 to 0xB | |
| uint8 | Properties number | Number of properties to follow with this record | 0x00 |
| property[0...n] | Property objects | Each property object, if any | nothing |
| -- | File name | SHA1(domain + path) | |
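
A sequential reader for the record layout in the tables above, as an added example (not the code of the tool mentioned in this post). It assumes big-endian integers, which the tables do not state; the dictionary keys, the `start` offset for skipping whatever precedes the first record, and the sample bytes are constructed for illustration.

```python
import struct

NULL_LEN = 0xFFFF  # length value the record table lists as "null" for strings

class Reader:  # bounds-checked cursor over the manifest bytes
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated data at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")  # assumption: big-endian

    def string(self):
        length = self.uint(2)
        # Null string: nothing follows. Length 0 simply yields b"".
        return None if length == NULL_LEN else self.take(length)

STRINGS = ("domain", "path", "target", "hash", "encryption_key")
INTS = (("mode", 2), ("inode", 8), ("uid", 4), ("gid", 4), ("mtime", 4),
        ("atime", 4), ("ctime", 4), ("size", 8), ("flag", 1))
KINDS = {0xA000: "symlink", 0x4000: "directory", 0x8000: "file"}

def read_record(r):
    rec = {name: r.string() for name in STRINGS}
    rec.update({name: r.uint(size) for name, size in INTS})
    count = r.uint(1)  # number of key/value properties that follow
    rec["properties"] = [(r.string(), r.string()) for _ in range(count)]
    rec["kind"] = KINDS.get(rec["mode"] & 0xF000, "unknown")
    return rec

def read_records(data, start=0):
    # Records sit back to back, so parse from `start` until the data runs out.
    r, records = Reader(data, start), []
    while r.pos < len(data):
        records.append(read_record(r))
    return records

def _s(b):  # helper to build the constructed sample below
    return struct.pack(">H", len(b)) + b
# Constructed sample: one regular file with one property (not real backup data)
SAMPLE = (_s(b"HomeDomain") + _s(b"Library/example.plist") + b"\xff\xff" * 3
          + struct.pack(">HQIIIIIQBB", 0x81A4, 1234, 501, 501,
                        1385683200, 1385683200, 1385683200, 42, 4, 1)
          + _s(b"constructed.key") + _s(b"value"))
```

Strings are returned as raw bytes because the hash and encryption key fields are not guaranteed to be printable, and a record cut short raises `ValueError` instead of returning partial fields.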

More info:  The iPhone Wiki | This image I found