fmartingr.com/content/blog/2013/11/29/reading-data-ios-backups-manifestmbdb/index.md

+++
title = "Reading data from iOS backups: Manifest.mbdb"
date = 2013-11-29
+++

<p>Recently, I&#39;ve been working on a tool to extract data from iOS backups, and one of the files that a backup have is the Manifest.mbdb (or mbdx for old versions).</p>

<p>The Manifest.mbdb is a binary file that contains records for the hashed files that the backup includes, the hashed files can be anything that a certain application requires or saved, from a image thumbnail to a sqlite3 database file.</p>

<p>Reading the file can be tricky, since the record itself have a variable length, so you can just split the file based on a delimiter, you need to read it byte to byte. I&#39;m going to expose here the data structures this file contains:</p>

<table border="0" cellpadding="0" cellspacing="0" id="string_entity" style="width:100%">
	<tbody>
		<tr>
			<th colspan="4"><strong>String entity</strong></th>
		</tr>
		<tr>
			<th><strong>Type</strong></th>
			<th><strong>Name</strong></th>
			<th><strong>Description</strong></th>
			<th><strong>Null value</strong></th>
		</tr>
		<tr>
			<td>uint16</td>
			<td>Lenght</td>
			<td>Length of the string</td>
			<td>0x0000</td>
		</tr>
		<tr>
			<td>ASCII data</td>
			<td>Data</td>
			<td>Actual string of (length) size. Don&#39;t need to read this if length is null.</td>
			<td><em>nothing</em></td>
		</tr>
	</tbody>
</table>

<table border="0" cellpadding="0" cellspacing="0" id="property_entity" style="width:100%">
	<tbody>
		<tr>
			<th colspan="3"><strong>Property entity</strong></th>
		</tr>
		<tr>
			<th><strong>Type</strong></th>
			<th><strong>Name</strong></th>
			<th><strong>Description</strong></th>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>Key</td>
			<td>Key of the property</td>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>value</td>
			<td>Property value</td>
		</tr>
	</tbody>
</table>

<table border="0" cellpadding="0" cellspacing="0" style="width:100%">
	<tbody>
		<tr>
			<th colspan="4"><strong>Record entity</strong></th>
		</tr>
		<tr>
			<th><strong>Type</strong></th>
			<th><strong>Field name</strong></th>
			<th><strong>Description</strong></th>
			<th><strong>Null value</strong></th>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>Domain</td>
			<td>App domain</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>Path</td>
			<td>Path to file</td>
			<td>0x0000</td>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>Target</td>
			<td>&nbsp;</td>
			<td>0xFFFF</td>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>Hash</td>
			<td>SHA-1 hash of the file</td>
			<td>0xFFFF</td>
		</tr>
		<tr>
			<td><a href="#string_entity">string</a></td>
			<td>Encription key</td>
			<td>Encryption key -if any-</td>
			<td>0xFFFF</td>
		</tr>
		<tr>
			<td>uint16</td>
			<td>Mode</td>
			<td>File mode:
			<ul>
				<li>0xAXXX: Symlink</li>
				<li>0x4000: Directory</li>
				<li>0x8000: File</li>
			</ul>
			</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint64</td>
			<td>inode number</td>
			<td>&nbsp;</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint32</td>
			<td>User ID</td>
			<td>&nbsp;</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint32</td>
			<td>Group ID</td>
			<td>&nbsp;</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint32</td>
			<td>Last modified time</td>
			<td>EPOCH</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint32</td>
			<td>Last accesed time</td>
			<td>EPOCH</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint32</td>
			<td>Created time</td>
			<td>EPOCH</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint64</td>
			<td>File size</td>
			<td>&nbsp;</td>
			<td>0x0...0</td>
		</tr>
		<tr>
			<td>uint8</td>
			<td>Flag</td>
			<td>0x1 to 0xB</td>
			<td>&nbsp;</td>
		</tr>
		<tr>
			<td>uint8</td>
			<td>Properties number</td>
			<td>Number of properties to follow with this record</td>
			<td>0x00</td>
		</tr>
		<tr>
			<td><a href="#property_entity">property</a>[0...n]</td>
			<td>Property objects</td>
			<td>Each property object -if any-</td>
			<td><em>nothing</em></td>
		</tr>
		<tr>
			<td>--</td>
			<td>File name</td>
			<td>SHA1(domain + path)</td>
			<td>&nbsp;</td>
		</tr>
	</tbody>
</table>

<p><strong>More info:&nbsp;</strong> <a href="http://theiphonewiki.com/wiki/ITunes_Backup#Manifest.mbdb">The iPhone Wiki</a> | <a href="http://nagareshwar.securityxploded.com/wp-content/uploads/2012/09/mbdb-record.jpg">This image I found</a></p>

uint16 | Mode | File mode:

  * 0xAXXX: Symlink
  * 0x4000: Directory
  * 0x8000: File

|
uint64 | inode number |   |
uint32 | User ID |   |
uint32 | Group ID |   |
uint32 | Last modified time | EPOCH |
uint32 | Last accesed time | EPOCH |
uint32 | Created time | EPOCH |
uint64 | File size |   | 0x0...0
uint8 | Flag | 0x1 to 0xB |
uint8 | Properties number | Number of properties to follow with this record |
0x00
property[0...n] | Property objects | Each property object -if any- | _nothing_
\-- | File name | SHA1(domain + path) |

**More info: ** [The iPhone Wiki](http://theiphonewiki.com/wiki/ITunes_Backup#Manifest.mbdb) | [This image I found](http://nagareshwar.securityxploded.com/wp-content/uploads/2012/09/mbdb-record.jpg)