title: Reading data from iOS backups: Manifest.mbdb --- body:
Recently, I've been working on a tool to extract data from iOS backups, and one of the files a backup contains is Manifest.mbdb (or mbdx in old versions).
Manifest.mbdb is a binary file that contains records for the hashed files included in the backup. The hashed files can be anything that an application requires or has saved, from an image thumbnail to a sqlite3 database file.
Reading the file can be tricky: since each record has a variable length, you can't just split the file on a delimiter; you need to read it byte by byte. Here are the data structures the file contains:

**String entity**

| Type | Name | Description | Null value |
|---|---|---|---|
| uint16 | Length | Length of the string | 0x0000 |
| ASCII data | Data | Actual string of (length) size. No need to read this if the length is null. | nothing |

**Property entity**

| Type | Name | Description |
|---|---|---|
| string | Key | Key of the property |
| string | Value | Property value |

**Record entity**

| Type | Field name | Description | Null value |
|---|---|---|---|
| string | Domain | App domain | |
| string | Path | Path to file | 0x0000 |
| string | Target | | 0xFFFF |
| string | Hash | SHA-1 hash of the file | 0xFFFF |
| string | Encryption key | Encryption key -if any- | 0xFFFF |
| uint16 | Mode | File mode: 0xAXXX: Symlink; 0x4000: Directory; 0x8000: File | |
| uint64 | inode number | | |
| uint32 | User ID | | |
| uint32 | Group ID | | |
| uint32 | Last modified time | EPOCH | |
| uint32 | Last accessed time | EPOCH | |
| uint32 | Created time | EPOCH | |
| uint64 | File size | | 0x0...0 |
| uint8 | Flag | 0x1 to 0xB | |
| uint8 | Properties number | Number of properties to follow with this record | 0x00 |
| property[0...n] | Property objects | Each property object -if any- | nothing |
| -- | File name | SHA1(domain + path) | |

**More info:** [The iPhone Wiki](http://theiphonewiki.com/wiki/ITunes_Backup#Manifest.mbdb) | [This image I found](http://nagareshwar.securityxploded.com/wp-content/uploads/2012/09/mbdb-record.jpg)
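
A bounds-checked reader for the record layout above, as an added example (not the code of the tool mentioned in this post). It assumes big-endian integers and a 6-byte `mbdb` header, which come from public descriptions of the format rather than from this page; `Reader`, `parse_mbdb` and the sample bytes are hypothetical names and constructed data.

```python
import struct

NULL_LEN = 0xFFFF  # length value that marks a null string inside a record

class Reader:
    # Cursor over untrusted bytes: every read is checked against the buffer end.
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def string(self):
        # uint16 length, then that many bytes; kept as bytes, values may be binary
        (length,) = self.unpack(">H")
        return None if length == NULL_LEN else self.take(length)

def parse_mbdb(data):
    r = Reader(data)
    if r.take(4) != b"mbdb":  # assumption: 4-byte magic followed by 2 version bytes
        raise ValueError("not a Manifest.mbdb file")
    r.take(2)
    names = ("mode", "inode", "uid", "gid", "mtime", "atime", "ctime", "size", "flag")
    kinds = {0xA: "symlink", 0x4: "directory", 0x8: "file"}
    records = []
    while r.pos < len(data):
        rec = {k: r.string() for k in ("domain", "path", "target", "hash", "enc_key")}
        *nums, nprops = r.unpack(">HQIIIIIQBB")  # fixed 40-byte block, no padding
        rec.update(zip(names, nums))
        rec["properties"] = [(r.string(), r.string()) for _ in range(nprops)]
        rec["kind"] = kinds.get(rec["mode"] >> 12, "unknown")  # top nibble of Mode
        records.append(rec)
    return records

def _s(b):  # encode one string entity; None becomes the null marker
    return struct.pack(">H", NULL_LEN) if b is None else struct.pack(">H", len(b)) + b

# Constructed sample (not from a real backup): one file record with one property.
SAMPLE = (b"mbdb\x05\x00" + _s(b"HomeDomain") + _s(b"Library/SMS/sms.db") + _s(None) * 3
          + struct.pack(">HQIIIIIQBB", 0x81A4, 42, 501, 501, 1385700000, 1385700000, 1385700000, 4096, 4, 1)
          + _s(b"com.example.key") + _s(b"value"))

if __name__ == "__main__":
    for rec in parse_mbdb(SAMPLE):
        print(rec["kind"], rec["domain"], rec["path"], rec["size"])
```

A length field that points past the end of the file, or a file cut off mid-record, raises `ValueError` instead of returning a short or misaligned record.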
--- pub_date: 2013-11-29 --- _template: blog-post.html