Sunday, December 20, 2015

Extracting data from iPhone backups, part 2

Continuing with my previous post, here are some more things I've found digging through iPhone backups.

I found a gzipped JSON file, which apparently contained the entire StarWalk database. It has orbital parameters, links to 3D models, descriptions, and all kinds of other stuff. Have fun exploring that...

I also wrote a simple script to pull specific files into a local directory, findfiles.py. It looks through the locally generated database (from gendb.py) and copies matching file types to the local data directory. It makes it easier to sift through file types because it adds an extension you specify.
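
Added example, not the post's own findfiles.py: the same copy-by-type step, assuming the gendb.py index is a SQLite table named files(fileID, filetype) holding the `file` output per backup blob (that schema is an assumption, and the fixture below is constructed).

```python
import os
import shutil
import sqlite3
import tempfile

def find_files(db_path, backup_dir, out_dir, type_pattern, ext):
    """Copy every backup blob whose recorded type matches type_pattern (SQL LIKE)
    into out_dir as <fileID>.<ext>. Returns the destination paths."""
    os.makedirs(out_dir, exist_ok=True)
    copied = []
    with sqlite3.connect(db_path) as db:   # assumed schema: files(fileID, filetype)
        rows = db.execute("SELECT fileID FROM files WHERE filetype LIKE ?", (type_pattern,))
        for (file_id,) in rows:
            src = os.path.join(backup_dir, file_id)
            if not os.path.isfile(src):
                continue   # indexed but missing on disk: skip rather than abort
            dst = os.path.join(out_dir, f"{file_id}.{ext}")
            shutil.copy2(src, dst)
            copied.append(dst)
    return copied

def build_demo(root):
    """Constructed fixture: three fake backup blobs and their index rows."""
    backup = os.path.join(root, "backup")
    os.makedirs(backup)
    db_path = os.path.join(root, "index.db")
    blobs = {"a1": b"SQLite format 3\x00", "b2": b"bplist00", "c3": b"\x89PNG"}
    types = {"a1": "SQLite 3.x database", "b2": "Apple binary property list",
             "c3": "PNG image data"}
    for fid, blob in blobs.items():
        with open(os.path.join(backup, fid), "wb") as f:
            f.write(blob)
    with sqlite3.connect(db_path) as db:
        db.execute("CREATE TABLE files (fileID TEXT PRIMARY KEY, filetype TEXT)")
        db.executemany("INSERT INTO files VALUES (?, ?)", types.items())
    return db_path, backup

def demo():
    """Pull the SQLite databases and binary plists out of the constructed backup."""
    root = tempfile.mkdtemp()
    db_path, backup = build_demo(root)
    out_dir = os.path.join(root, "data")
    hits = find_files(db_path, backup, out_dir, "SQLite%", "sqlite")
    hits += find_files(db_path, backup, out_dir, "%property list", "plist")
    return [os.path.basename(p) for p in hits]

if __name__ == "__main__":
    print(demo())
```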

A typelist of this backup looks like this:

{u'ASCII C++ program text': 4,
 u'ASCII English text': 17,
 u'ASCII FORTRAN program text': 5,
 u'ASCII Java program text': 61,
 u'ASCII Pascal program text': 17,
 u'ASCII text': 1396,
 u'Apple binary property list': 463,
 u'AppleDouble encoded Macintosh file': 44,
 u'Bio-Rad .PIC Image File 12850 x 29472': 8,
 u'CoreAudio Format audio file version 1': 1,
 u'DBase 3 data file': 1,
 u'DBase 3 data file (247624 records)': 1,
 u'DBase 3 data file with memo(s)': 1,
 u'Dyalog APL component file version 240 .64': 1,
 u'GIF image data': 3,
 u'HTML document text': 1,
 u'IFF data': 7,
 u'ISO Media': 11,
 u'JPEG image data': 2242,
 u'Little-endian UTF-16 Unicode English text': 3,
 u'Little-endian UTF-16 Unicode text': 2,
 u'Non-ISO extended-ASCII text': 3,
 u'PDP-11 UNIX/RT ldp': 7,
 u'PNG image data': 122,
 u'RIFF (little-endian) data': 466,
 u'SQLite 3.x database': 132,
 u'SysEx File -': 1,
 u'TIFF image data': 1,
 u'UTF-8 Unicode English text': 3,
 u'XML  document text': 1334,
 u'Zip archive data': 2,
 u'a python script text executable': 111,
 u'core file (Xenix)': 1,
 u'data': 190,
 u'empty': 25,
 u'gzip compressed data': 1,
 u'text/html;': 2,
 u'troff or preprocessor input text': 1,
 u'vCard visiting card': 3}

You'll notice a lot of source code files. Most of these are miscategorized python files that came with a python app I downloaded. Others, such as the APL file, are complete gibberish. The Bio-Rad .PIC Image File 12850 x 29472 files were a mystery to me, as I couldn't open them by any conventional means. I also couldn't find a lot of info online about them. 

I found several "UTF-8 Unicode English text" files with lots of entries like this:

{
            "date_added": "13055051350450917",
            "id": "211",
            "meta_info": {
               "stars.id": "ssc_94e670585b99b60a",
               "stars.imageData": "Cg51dVN5dTZsZHZlWWM1TRIyCipodHRwOi8vaW1ncy54a2NkLmNvbS9jb21pY3MvZWZmaWNpZW5jeS5wbmcQyQIY1gEaYwpbaHR0cDovL3QyLmdzdGF0aWMuY29tL2ltYWdlcz9xPXRibjpBTmQ5R2NScmtkUkVtSmJ0WnFYV1ZJelRYMTJ4ZjNQSENtUDFNRVB5NzI1LW5TYVp5cTFMa1pqNRCHAhirASIeCAEQhwIYqwEgtTlCBhIEgAAAAEoJaW1hZ2UvcG5n",
               "stars.isSynced": "true",
               "stars.pageData": "Ig5rT21tdS1VQ2Z1MnR2TQ==",
               "stars.type": "2"
            },
            "name": "xkcd",
            "sync_transaction_version": "2",
            "type": "url",
            "url": "http://m.xkcd.com/"
         } ],
         "date_added": "13055044120539455",
         "date_modified": "13055051350450917",
         "id": "3",
         "name": "Mobile Bookmarks",
         "sync_transaction_version": "3",
         "type": "folder"
}

I assume this is from the Chrome app, and it looks to me like a list of my bookmarks.

Upon extracting all "ASCII text" files, I was mystified by the number of files looking like this:

22 serialization::archive 10 0 0 0 0 1025 2 0 2 0.32507935166358948 0.0028225002 3.1072781 0.51664400100708008 0.074370861 10.875457 0.62693876028060913 0.12955415 0.8343581 0.85913830995559692 0.16931733 0 1.3990023136138916 0.16308928 10.289221 1.4454421997070312 0.02279284 8.7684822 1.7705215215682983 0.24627544 0 

I have no idea what these are, and a search for "serialization::archive" was inconclusive. Many hundreds of these contained thousands of seemingly random floats. Based on related data, they may actually be encoded sound files for the app iMaschine, though I can't really prove that.

I am uploading some mysterious files to https://gist.github.com/red-green/132e5680b8ffc09e91d7, in the hope that someone can help me. The first one, mystery1.js, I can only assume to be internally executed, perhaps inside the AppStore. I added one of the mysterious lists of floats as serialization_archive1.txt. 

Another file contained lists of this:

"+T9EE5FPCpiAKOlsptLH050hrtQ+BwuL73a9JmAvGgY=": {
      "dynamic_spki_hashes_expiry": 0.0,
      "expiry": 1452557234.251196,
      "mode": "force-https",
      "pkp_include_subdomains": false,
      "pkp_observed": 1421811398.470302,
      "sts_include_subdomains": true,
      "sts_observed": 1421811398.470302
   }

My thought was HTTPS certificates, but I'm clueless. The base64 doesn't seem to have anything in the way of printable characters.
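
Added example, not code from the post: the two Chrome artifacts above (the bookmark list and this entry) decoded for a forensic timeline. The entry's field names match Chrome's TransportSecurity store, which records HSTS/HPKP state per site; the key derivation shown (DNS wire form of the hostname, SHA-256, base64) follows Chrome's TransportSecurityState canonicalization, and the bookmark timestamps are microseconds since 1601-01-01. The sample values are copied from the post; everything else is constructed.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Seconds between Chrome's epoch (1601-01-01) and the Unix epoch (1970-01-01).
WEBKIT_EPOCH_OFFSET = 11644473600

def webkit_to_datetime(value):
    """Chrome bookmark 'date_added': microseconds since 1601-01-01 UTC."""
    return datetime.fromtimestamp(int(value) / 1e6 - WEBKIT_EPOCH_OFFSET, tz=timezone.utc)

def unix_to_datetime(value):
    """TransportSecurity timestamps are plain Unix seconds stored as floats."""
    return datetime.fromtimestamp(float(value), tz=timezone.utc)

def canonicalize_host(host):
    """DNS wire form: lowercase labels, each length-prefixed, zero-terminated."""
    out = b""
    for label in host.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def transport_security_key(host):
    """Chrome keys each entry by base64(SHA-256(canonical host)), so the file
    holds hashed hostnames, not readable ones (hence the opaque base64)."""
    digest = hashlib.sha256(canonicalize_host(host)).digest()
    return base64.b64encode(digest).decode("ascii")

def describe_entry(key, entry):
    """Sanity-check the key length and render the entry's timestamps."""
    return {
        "digest_bytes": len(base64.b64decode(key)),   # 32 for SHA-256
        "mode": entry["mode"],                         # force-https == HSTS pin
        "sts_observed": unix_to_datetime(entry["sts_observed"]),
        "expiry": unix_to_datetime(entry["expiry"]),
        "pkp_observed": unix_to_datetime(entry["pkp_observed"]),
    }

# Entry copied from the post; the code around it is constructed.
SAMPLE_KEY = "+T9EE5FPCpiAKOlsptLH050hrtQ+BwuL73a9JmAvGgY="
SAMPLE_ENTRY = {"dynamic_spki_hashes_expiry": 0.0, "expiry": 1452557234.251196,
                "mode": "force-https", "pkp_include_subdomains": False,
                "pkp_observed": 1421811398.470302, "sts_include_subdomains": True,
                "sts_observed": 1421811398.470302}

if __name__ == "__main__":
    print(webkit_to_datetime("13055051350450917"))
    print(describe_entry(SAMPLE_KEY, SAMPLE_ENTRY))
    print(transport_security_key("example.com"))
```

The observed and expiry dates this yields (January 2015 and January 2016) line up with the December 2015 backup, which is the kind of consistency check that tells you the field really is a timestamp.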

Another text file contained some settings for the GSM radio:

TxPowerModel::fProxSetting=0x0
TxPowerModel::fProxLogging=0x0
BootTime=0x551d95a5
CommCenterStartsThisBoot=0x1
TraceModuleExtreme::CSILog::fEnabled=0x0
TraceModuleExtreme::CSILog::fHistory=0xffffffff
GsmRadioModule::fPreviousBootUptime=0x538a5271
GsmSettingsModel::UnconditionalCallForwardingActiveIccid=<a big number>
GsmSettingsModel::UnconditionalCallForwardingActiveValue=0x0
Settings::AttachAPNSupport=0x2
MaxDataRateManager::Enable3GSwitchSupport=0x1
MaxDataRateManager::EnableLTESwitchSupport=0x2
SettingsModel::CallingLineIdRestriction=0x0
RegistrationModel::fLastKnownServingMCC=0x137
RegistrationModel::fLastKnownServingMNC=0x1e0
RegistrationModel::fNetworkSelection=
Capabilities::SimCallAndDataSupported=0x0
Capabilities::SimCallAndDataCurrentlySupported=0x0
MaxDataRateManager::EnableLTE=0x1
GsmRadioModule::fCellularDataIsEnabled=0x1
EURQMIC2KRegistrationController::fEnableOnlyHomeNetwork=0x0

It may be possible to edit one of these files and then restore the phone from backup to change settings. However, the fact that every file has an MD5 hash may prevent that from happening.

A few of these were found too:

{"secondsSpentInCurrentSession":29,"lastSuspendTime":1421191136,"numInterruptions":0}

They might be for some kind of power timer.

Finally, for now, I found several files claiming to be "PDP-11 UNIX/RT ldp" floppy drive images. I can't extract them with the tools I have, but I doubt they actually are what they claim to be. Finding several kilobyte-sized floppy images on an iPhone is highly unlikely.

In conclusion, data scraping is hard to do when you don't have the original file name or path. I hope somebody learned something from this. I might do more in the future.
