-
-
Save ink-splatters/90a20a59db00688135e826d30862d55c to your computer and use it in GitHub Desktop.
Revisions
-
leminlimez revised this gist
Dec 2, 2024 . 2 changed files with 1112 additions and 141 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,205 +1,1175 @@ # Domains.plist Documentation of `/System/Library/Backup/Domains.plist`. File taken from iOS 16.4 iPhone SE 3. The file was removed in iOS 17.0 ## Values Values in the plist. Other than `SystemDomains`, these are not really important and are just here for preservation sake. A domain in `domains.plist` contains keys that determine what gets backed up for what types of devices and where (i.e. iCloud vs iTunes). Not all domains have each key. The only 2 keys that must be in every domain are `RootPath` and `RelativePathsToBackupAndRestore`. Some domains have the value `ShouldDigest`. I am not sure exactly what it means but I have included it for documentation purposes. - `Version`: `"24.0"` - `SystemDomains`: `(Dictionary)`, see below - `MinSupportedVersion`: `"3.0"` - `MaxSupportedVersion`: `"25.0"` ## SystemDomains | List of Domains | | --------------- | | [ManagedPreferencesDomain](#managedpreferencesdomain) | | [MediaDomain](#mediadomain) | | [CameraRollDomain](#camerarolldomain) | | [WirelessDomain](#wirelessdomain) | | [MobileDeviceDomain](#mobiledevicedomain) | | [BackupDomain](#backupdomain) | | [SystemPreferencesDomain](#systempreferencesdomain) | | [ProtectedDomain](#protecteddomain) | | [HomeDomain](#homedomain) | | [KeyboardDomain](#keyboarddomain) | | [DatabaseDomain](#databasedomain) | | [InstallDomain](#installdomain) | | [TonesDomain](#tonesdomain) | | [RootDomain](#rootdomain) | | [NetworkDomain](#networkdomain) | | [BooksDomain](#booksdomain) | | [HomeKitDomain](#homekitdomain) | | [KeychainDomain](#keychaindomain) | | [HealthDomain](#healthdomain) | ### ManagedPreferencesDomain This is the most interesting domain. It appends to preference files in `/var/mobile/Library/Preferences` rather than overwriting them, but it does not have any of the limitations that [HomeDomain](#homedomain) presents. You can read more about it in the deep dive. Root Path: `/var/Managed Preferences` <details> <summary>RelativePathsToBackupAndRestore</summary> - `mobile` </details> ### MediaDomain Root Path: `/var/mobile` `ShouldDigest = false` <details> <summary>RelativePathsNotToBackupToDrive</summary> - `Media/iTunes_Control/iTunes` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `Media/Recordings`: `recordings` - `Library/SMS`: `smsParts` - `Media/iTunes_Control/Device/Trainer`: `trainer` - `Media/PhotosStreamsData`: `photoStreamsData` - `Media/iTunes_Control/iTunes`: `itunes` - `Library/Recordings`: `recordingsNew` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Media/PhotoStreamsData` </details> <details> <summary>RelativePathDomainRedirects</summary> - `Media/DCIM`: `CameraRollDomain` - `Media/PhotoData`: `CameraRollDomain` </details> <details> <summary>RelativePathsToRestoreOnlyFromService</summary> - `Media/Purchases` </details> <details> <summary>RelativePathsToIgnoreExclusionsForDrive</summary> - `LibrarySMS` </details> <details> <summary>RelativePathsNotToRemoveIfNotRestored</summary> - `Media/iTunes_Control/iTunes/iTunesPrefs.plist` </details> <details> <summary>RelativePathsNotToBackupAndRestoreToAppleTVs</summary> - `Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> - `Media/iTunes_Control/iTunes` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/SMS/Attachments` - `Library/SMS/Parts` - `Library/SMS/StickerCache` - `Library/SMS/Recents` - `Media/iTunes_Control/Device/Trainer` - `Media/Recordings` - `Media/PhotoStreamsData` - `Media/iTunes_Control/iTunes/iTunesPrefs.plist` - `Media/iTunes_Control/iTunes/MobileSync.plist` - `Media/iTunes_Control/iTunes/iPhotoAlbumPrefs` - `Media/iTunes_Control/iTunes/ApertureAlbumPrefs` - `Media/iTunes_Control/iTunes/PSAlbumAlbums` - `Media/iTunes_Control/iTunes/PSElementsAlbums` - `Media/iTunes_Control/iTunes/PhotosFolderPrefs` - `Media/iTunes_Control/iTunes/PhotosFolderAlbums` - `Media/iTunes_Control/iTunes/PhotosFolderName` - `Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb` - `Media/Vibrations` - `Library/Recordings` </details> ## CameraRollDomain Root Path: `/var/mobile` `ShouldDigest = false` <details> <summary>RelativePathsToBackupIgnoringProtectionClass</summary> - `Media/DCIM` </details> <details> <summary>RelativePathsToRemoveOnRestore</summary> - `Media/Photos` - `Media/PhotoData/Caches` - `Media/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/CPL` </details> <details> <summary>RelativePathsToBackgroundRestore</summary> - `Media/DCIM` - `Media/PhotoData/Mutations` - `Media/PhotoData/CPLAssets` - `Media/Deferred` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Media/PhotoData/Metadata` - `Media/PhotoData/Thumbnails` - `Media/PhotoData/CMMAssets` - `Media/PhotoData/Mutations/PhotoData/CMMAssets` - `Media/PhotoData/CPL` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Media/PhotoData/Caches` - `Media/PhotoData/changes` - `Media/PhotoData/changes-shm` - `Media/PhotoData/changes-wal` - `Media/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/Sync` - `Media/PhotoData/OutgoingTemp` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRemoveOnRestore</summary> - `Media/Photos` - `Media/PhotoData/Caches` - `Media/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/CPL` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `Media/DCIM`: `dcim` - `Media/PhotoData`: `photoData` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Media/DCIM` - `Media/PhotoData` - `Media/Memories/Library/PersistedMemories` - `Media/MediaAnalysis/.backup` - `Media/Deferred` </details> ## WirelessDomain Root Path: `/var/wireless` <details> <summary>RelativePathsNotToMigrate</summary> - `Library/Logs/IQAgent` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Library/Preferences/com.apple.commcenter.attach_apn.plist` - `Library/Preferences/com.apple.commcenter.carrier_bundle.plist` - `Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist` - `Library/Preferences/com.apple.commcenter.omadm_apns.plist` - `Library/Preferences/no_backup` - `Library/Preferences/com.apple.awdd.plist` - `Library/Preferences/com.apple.awdd.persistent.plist` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/Preferences/com.apple.commcenter.attach_apn.plist` - `Library/Preferences/com.apple.commcenter.carrier_bundle.plist` - `Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist` - `Library/Preferences/com.apple.commcenter.omadm_apns.plist` - `Library/Preferences/no_backup` - `Library/Preferences/com.apple.awdd.plist` - `Library/Preferences/com.apple.awdd.persistent.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Databases` - `Library/CallHistory` - `Library/Preferences` </details> ## MobileDeviceDomain Root Path: `/var/MobileDevice` <details> <summary>RelativePathsToBackupAndRestore</summary> `# backup everything` </details> ## BackupDomain **Note:** I am not sure what this does but it seems like it relates to information about the backup itself. Root Path: `# empty` `PrimaryAccount = false` <details> <summary>RelativePathsToBackupAndRestore</summary> - `Backup/Preferences` </details> ## SystemPreferencesDomain Root Path: `/var/preferences` <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsNotToBackup</summary> - `SystemConfiguration/NetworkInterfaces.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `SystemConfiguration` - `com.apple.networkextension.plist` - `com.apple.networkextension.control.plist` </details> ## ProtectedDomain Root Path: `/var/protected` <details> <summary>RelativePathsNotToBackup</summary> - `trustd/private/ocspcache.sqlite3` - `trustd/private/caissuercache.sqlite3` </details> <details> <summary>RelativePathsNotToRestore</summary> - `trustd/private/ocspcache.sqlite3` - `trustd/private/caissuercache.sqlite3` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `trustd/private/TrustStore.sqlite3` - `trustd/private/CARevocation.plist` - `trustd/private/CTExceptions.plist` - `trustd/private/TransparentConnectionPins.plist` - `trustd/private/com.apple.security.exception_reset_counter.plist` </details> ## HomeDomain This is the main domain for `/var/mobile`. Even though there are others, this is where most of the files are backed up or restored to. Root Path: `/var/mobile` <details> <summary>RelativePathsNotToBackupToDrive</summary> - `Library/MusicLibrary/AccountCache.sqlitedb` - `Library/Spotlight/Backup/encrypted_ranking_metadata.dat` - `Library/DuetExpertCenter/Backups` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `Library/VoiceTrigger/SAT` - `Library/com.apple.geod` - `Library/com.apple.siri.remembers` - `Library/CoreDuet/People/interactionC.db` - `Library/CoreDuet/People/interactionC.db-shm` - `Library/CoreDuet/People/interactionC.db-wal` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/DoNotDisturb/DB/ModeConfigurations.json` - `Library/DoNotDisturb/DB/ModeConfigurationsSecure.json` - `Library/DoNotDisturb/DB/Settings.sqlite` - `Library/DoNotDisturb/DB/Settings.sqlite-wal` - `Library/DoNotDisturb/DB/Settings.sqlite-shm` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `Library/Voicemail`: `voicemail` - `Library/Safari/Bookmarks.db`: `bookmarksDatabase` - `Library/SMS/sms.db`: `smsDatabase` - `Library/Cookies`: `cookies` - `Library/Preferences`: `preferences` - `Library/WebKit/Databases `: `webKitDatabases` - `Library/Caches/com.apple.WebAppCache`: `webAppCache` - `Library/Calendar`: `calendar` - `Library/AddressBook`: `addressBook` - `Library/Notes`: `notes` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Library/Accessibility/TTY/TTYCallHistory.sqlite` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-shm` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-wal` - `Library/VoiceTrigger/SAT` - `Library/Mobile Documents` - `Library/Application Support/CloudDocs` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/Application Support/FileProvider` - `Library/CloudStorage` - `Library/Preferences/com.apple.announce.announcements.plist` </details> <details> <summary>RelativePathsNotToMigrate</summary> - `Library/DataAccess/DeviceSpecificInfo.plist` - `Library/Preferences/com.apple.GMM.plist` - `Library/Preferences/com.apple.MobileBluetooth.devices.plist` - `Library/Preferences/com.apple.MobileBluetooth.security.plist` - `Library/Preferences/com.apple.MobileBluetooth.services.plist` - `Library/WebKit/Form Values` </details> <details> <summary>RelativePathsToRemoveOnRestore</summary> - `Library/MediaStream` - `Library/Preferences/com.apple.migration.plist` </details> <details> <summary>RelativePathsNotToCheckIfModifiedDuringBackup</summary> - `Library/Application Support/CloudDocs/backup` - `Library/Application Support/FileProvider` </details> <details> <summary>RelativePathsToIgnoreExclusionsForDrive</summary> - `Library/SMS` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> - `Library/MusicLibrary/AccountCache.sqlitedb` - `Library/Preferences/com.apple.MobileBackup.DemotedApps.plist` </details> <details> <summary>RelativePathsToBackupToDriveAndStandardAccount</summary> - `Library/Safari/History.db` - `Library/Safari/History.db-wal` - `Library/Safari/History.db-shm` - `Library/Safari/BrowserState.db` - `Library/Safari/BrowserState.db-wal` - `Library/Safari/BrowserState.db-shm` - `Library/CallHistoryDB` - `Library/CallHistoryTransactions` - `Library/Recents/Recents` - `Library/Recents/Recents-shm` - `Library/Recents/Recents-wal` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Library/Caches/com.apple.mobilesafari/Thumbnails` - `Library/Caches/Safari/Thumbnails` - `Library/Duet` - `Library/Logs/Duet/DuetLST.duetlog` - `Library/Safari/History.plist` - `Library/Safari/SuspendState.plist` - `Library/Keyboard` - `Library/VoiceTrigger/SAT` - `Library/com.apple.geod` - `Library/com.apple.siri.remembers` - `Library/CoreDuet/People/interactionC.db` - `Library/CoreDuet/People/interactionC.db-shm` - `Library/CoreDuet/People/interactionC.db-wal` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/DoNotDisturb/DB/ModeConfigurations.json` - `Library/DoNotDisturb/DB/ModeConfigurationsSecure.json` - `Library/DoNotDisturb/DB/Settings.sqlite` - `Library/DoNotDisturb/DB/Settings.sqlite-wal` - `Library/DoNotDisturb/DB/Settings.sqlite-shm` - `Library/Preferences/com.apple.announce.announcements.plist` </details> <details> <summary>RelativePathsNotToRemoveIfNotRestored</summary> - `Library/IdentityServices/Persistence/DoNotBackup` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRemoveOnRestore</summary> - `Library/Preferences/com.apple.migration.plist` </details> <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `Library/Accessibility/TTY/TTYCallHistory.sqlite` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-shm` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-wal` - `Library/VoiceTrigger/SAT` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/Preferences/com.apple.announce.announcements.plist` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Library/Keyboard/Typology` - `Library/Calendar/Attachments` - `Library/Preferences/com.apple.AOSNotification.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.FMFAccounts.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.FMIPAccounts.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist` - `Library/Preferences/com.apple.appleaccount.notbackedup.plist` - `Library/Preferences/com.apple.assistant.plist` - `Library/Preferences/com.apple.assistant.languages.plist` - `Library/Preferences/com.apple.assistant.logging.plist` - `Library/Preferences/com.apple.atc.plist` - `Library/Preferences/com.apple.BTServer.airplane.plist` - `Library/Preferences/com.apple.DataMigration.plist` - `Library/Preferences/com.apple.calaccessd.keepalive` - `Library/Preferences/com.apple.carrier.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.notbackedup.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.watch.notbackedup.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.notbackedup.plist` - `Library/Preferences/com.apple.locationd.notbackedup.plist` - `Library/Preferences/com.apple.managedconfiguration.notbackedup.plist` - `Library/Preferences/com.apple.migration.plist` - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.mobilephone.sortmapping.plist` - `Library/Preferences/com.apple.operator.plist` - `Library/Preferences/com.apple.preferences.volume-limit.plist` - `Library/Preferences/com.apple.purplebuddy.notbackedup.plist` - `Library/Preferences/com.apple.siri.backedup.encrypted.plist` - `Library/Preferences/com.apple.youtubeframework.notbackedup.plist` - `Library/SpringBoard/transientSettings.plist` - `Library/Safari/SyncedTabsMetadata.plist` - `Library/MobileBluetooth/com.apple.MobileBluetooth.ledevices.other.db` - `Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist` - `Library/Preferences/com.apple.icloud.fmfd.notbackedup.plist` - `Library/Preferences/com.apple.coreduetd.batterysaver.state.plist` - `Library/Preferences/com.apple.icloud.fmflocatord.notbackedup.plist` - `Library/Preferences/com.apple.stockholm.awd.plist` - `Library/Preferences/com.apple.stockholm.plist` - `Library/Preferences/com.apple.seld.plist` - `Library/Preferences/nfcd.plist` - `Library/Voicemail/OfflineCache` - `Library/Safari/BookmarksSyncMetadata.plist` - `Library/Caches/com.apple.WebAppCache` - `Library/SpringBoard/PushStore` - `Library/Preferences/com.apple.indigo.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.homed.notbackedup.plist` - `Library/Preferences/com.apple.voicetrigger.notbackedup.plist` - `Library/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.settings.storage.plist` - `Library/Preferences/com.apple.palette.chestnut.plist` - `Library/Preferences/group.com.apple.Livability.plist` - `Library/Preferences/com.apple.mobilerepaird.plist` - `Library/Preferences/com.apple.mobilerepair.DisplayRepair.plist` - `Library/Preferences/com.apple.mobilerepair.BatteryRepair.plist` - `Library/Preferences/com.apple.NewDeviceOutreach.plist` - `Library/Application Support/com.apple.palette.green.plist` - `Library/Application Support/com.apple.palette.green.bin` - `Library/Preferences/com.apple.smartcharging.topoffprotection.plist` - `Library/SplashBoard` - `Library/Preferences/com.apple.coreaudio.device.plist` - `Library/Preferences/com.apple.powerd.lowpowermode.state.plist` - `Library/Preferences/com.apple.carrier_1.plist` - `Library/Preferences/com.apple.operator_1.plist` - `Library/Preferences/com.apple.carrier_2.plist` - `Library/Preferences/com.apple.operator_2.plist` - `Library/Preferences/com.apple.carrier_1.merged.plist` - `Library/Preferences/com.apple.operator_1.merged.plist` - `Library/Preferences/com.apple.carrier_2.merged.plist` - `Library/Preferences/com.apple.operator_2.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.plist` - `Library/Preferences/com.apple.carrier.default.plist` - `Library/Preferences/com.apple.carrier.merged.plist` - `Library/Preferences/com.apple.operator.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.merged.plist` - `Library/Preferences/com.apple.cameracapture.volatile.plist` - `Library/Preferences/com.apple.stockholm.tsmreg.plist` - `Library/Preferences/com.apple.nfcacd.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.MobileSoftwareUpdate.plist` - `Library/Preferences/com.apple.mobilerepaird.systemhealth.plist` - `Library/Passes/Discovery` - `Library/Preferences/com.apple.private.health.feature-properties.AFibBurden.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.CardioFitness.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.ElectrocardiogramV2Recording.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.IrregularRhythmNotificationsV2.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.MenstrualCycles.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.MenstrualCyclesHeartRateInput.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.OxygenSaturationRecording.companion.plist` - `Library/Maps` - `Library/IdentityServices/Persistence/DoNotBackup` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/AggregateDictionary/ADDataStore.sqlitedb` - `Library/Calendar/Attachments` - `Library/Logs/ADDataStore.sqlitedb` - `Library/BackBoard` - `Library/Preferences/com.apple.AOSNotification.FMIPAccounts.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.FMFAccounts.notbackedup.plist` - `Library/Preferences/com.apple.calaccessd.keepalive` - `Library/Preferences/com.apple.migration.plist` - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.siri.backedup.encrypted.plist` - `Library/Health` - `Library/Safari/SyncedTabsMetadata.plist` - `Library/MobileBluetooth/com.apple.MobileBluetooth.ledevices.other.db` - `Library/Preferences/com.apple.MobileBluetooth.ledevices.plist` - `Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist` - `Library/Preferences/com.apple.stockholm.awd.plist` - `Library/Preferences/com.apple.stockholm.plist` - `Library/Preferences/com.apple.seld.plist` - `Library/Preferences/nfcd.plist` - `Library/Voicemail/OfflineCache` - `Library/Safari/BookmarksSyncMetadata.plist` - `Library/Caches/com.apple.WebAppCache` - `Library/Mail/Recents` - `Library/Mail/Recents-shm` - `Library/Mail/Recents-wal` - `Library/SpringBoard/PushStore` - `Library/Preferences/com.apple.indigo.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.homed.notbackedup.plist` - `Library/Preferences/com.apple.voicetrigger.notbackedup.plist` - `Library/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.settings.storage.plist` - `Library/Preferences/com.apple.palette.chestnut.plist` - `Library/Preferences/group.com.apple.Livability.plist` - `Library/Preferences/com.apple.mobilerepaird.plist` - `Library/Preferences/com.apple.mobilerepair.DisplayRepair.plist` - `Library/Preferences/com.apple.mobilerepair.BatteryRepair.plist` - `Library/Preferences/com.apple.NewDeviceOutreach.plist` - `Library/Application Support/com.apple.palette.green.plist` - `Library/Application Support/com.apple.palette.green.bin` - `Library/Preferences/com.apple.smartcharging.topoffprotection.plist` - `Library/SplashBoard` - `Library/Preferences/com.apple.coreaudio.device.plist` - `Library/Preferences/com.apple.carrier.plist` - `Library/Preferences/com.apple.operator.plist` - `Library/Preferences/com.apple.carrier_1.plist` - `Library/Preferences/com.apple.operator_1.plist` - `Library/Preferences/com.apple.carrier_2.plist` - `Library/Preferences/com.apple.operator_2.plist` - `Library/Preferences/com.apple.carrier_1.merged.plist` - `Library/Preferences/com.apple.operator_1.merged.plist` - `Library/Preferences/com.apple.carrier_2.merged.plist` - `Library/Preferences/com.apple.operator_2.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.plist` - `Library/Preferences/com.apple.carrier.default.plist` - `Library/Preferences/com.apple.carrier.merged.plist` - `Library/Preferences/com.apple.operator.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.merged.plist` - `Library/Preferences/com.apple.cameracapture.volatile.plist` - `Library/Preferences/com.apple.stockholm.tsmreg.plist` - `Library/Preferences/com.apple.nfcacd.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.MobileSoftwareUpdate.plist` - `Library/Preferences/com.apple.mobilerepaird.systemhealth.plist` - `Library/Passes/Discovery` - `Library/Maps` - `Library/IdentityServices/Persistence/DoNotBackup` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Demo.mov` - `Library/com.apple.itunesstored` - `Library/AddressBook` - `Library/Accounts` - `Library/Application Support/com.apple.Home/Wallpapers` - `Library/BulletinBoard` - `Library/Calendar` - `Library/ConfigurationProfiles` - `Library/UserConfigurationProfiles` - `Library/Cookies` - `Library/DataAccess` - `Library/DeviceRegistry` - `Library/DeviceRegistry.state` - `Library/Mail/Accounts.plist` - `Library/Mail/AutoFetchEnabled` - `Library/Mail/MailboxCollections.plist` - `Library/Messages` - `Library/MobileInstallation/ApplicationAttributes.plist` - `Library/MusicLibrary/AccountCache.sqlitedb` - `Library/Notes` - `Library/Passes` - `Library/Preferences` - `Library/RemoteNotification` - `Library/Safari/Bookmarks.db` - `Library/SMS/sms.db` - `Library/SMS/Drafts` - `Library/SpringBoard` - `Library/TCC` - `Library/YouTube/Bookmarks.plist` - `Library/Voicemail` - `Library/WebClips` - `Library/WebKit/Databases` - `Library/WebKit/Form Values` - `Library/WebKit/GeolocationSites.plist` - `Library/MobileBluetooth` - `Library/Accessibility` - `Library/NanoBackup` - `Library/FrontBoard` - `Library/Spotlight/applications.mdplist` - `Library/Fonts` - `Library/ControlCenter/ModuleConfiguration.plist` - `Library/Spotlight/Backup/encrypted_ranking_metadata.dat` - `Library/Application Support/com.apple.ProtectedCloudStorage/Backup` - `Library/UserNotifications` - `Library/DoNotDisturb/DB/Assertions.json` - `Library/DoNotDisturb/DB/Settings.json` - `Library/Avatar/avatars.version` - `Library/Avatar/avatars.db` - `Library/VoiceShortcuts` - `Library/Avatar/CoreDataBackend` - `Documents/DemoPhotoLibraryTemplate` - `Library/NickNameCache` - `Library/com.apple.internal.ck` - `Library/Reminders` - `Library/Shortcuts` - `Library/MessagesMetaData` - `Library/Application Support/com.apple.Home/demoMode` - `Library/Mobile Documents` - `Library/Application Support/CloudDocs` - `Library/DuetExpertCenter/Backups` - `Library/Wallpapers` - `Library/ExposureNotification` - `Library/Photos/Libraries` - `Library/DoNotDisturb/DB/GlobalConfiguration.json` - `Library/Application Support/FileProvider` - `Library/CloudStorage` - `Library/com.apple.PrivacyDisclosure` </details> ## KeyboardDomain Root Path: `/var/mobile` <details> <summary>RelativePathsNotToBackupToDrive</summary> - `Library/Keyboard/BigramLearning_ja_JP.db.bundle` - `Library/Keyboard/LearningSet_zh_Hans.plist` - `Library/Keyboard/LearningSet_zh_Hant.plist` - `Library/Keyboard/PhraseLearning_ja_JP.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hans.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hans_Stroke.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_Cangjie.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_Stroke.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_Sucheng.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_pinyin.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_zhuyin.db.bundle` - `Library/Keyboard/completion-learning-dictionary-zh-Hans` - `Library/Keyboard/completion-learning-dictionary-zh-Hant` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hans.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_pinyin.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_zhuyin.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_Cangjie.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hans_Stroke.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_Stroke.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_Sucheng.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hans_Wubixing.db` - `Library/Keyboard/DynamicPhraseLexicon_ja_JP.db` - `Library/DynamicBigramPhraseLexicon_ja_JP.db` - `Library/Keyboard/Lexierra_ja_JP-dynamic-text.dat` - `Library/Keyboard/LexicalLearning_ja_JP.dat` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Library/Keyboard/Typology` - `Library/Keyboard/CoreDataUbiquitySupport` - `Library/Keyboard/appusagedatabase.plist` - `Library/Keyboard/app_usage_database.plist` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/Keyboard/Typology` - `Library/Keyboard/CoreDataUbiquitySupport` - `Library/Keyboard/appusagedatabase.plist` - `Library/Keyboard/app_usage_database.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Keyboard` </details> ## DatabaseDomain Root Path: `/var/db` <details> <summary>RelativePathsNotToMigrate</summary> - `lsd/com.apple.lsdidentifiers.plist` </details> <details> <summary>RelativePathsNotToRemoveIfNotRestored</summary> - `timezone/localtime` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `lsd/com.apple.lsdidentifiers.plist` - `timezone/localtime` - `com.apple.xpc.launchd` - `PlugInKit-Annotations` </details> ## InstallDomain Root Path: `/var/installd` <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> - `Library/MobileInstallation/BackedUpState` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/MobileInstallation/BackedUpState` </details> ## TonesDomain Root Path: `/var/mobile` <details> <summary>RelativePathAggregateDictionaryGroups</summary> - ` `: `tones` </details> <details> <summary>RelativePathsNotToBackup</summary> This was empty but still included, not sure why. </details> <details> <summary>RelativePathsNotToBackupToDrive</summary> This was also empty but still included. </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Media/Purchases` - `Media/iTunes_Control/Ringtones` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Media/iTunes_Control/iTunes/Ringtones.plist` </details> ## RootDomain Root Path: `/var/root` <details> <summary>RelativePathsNotToBackup</summary> - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.coreservices.appleidauthenticationinfo.plist` - `Library/Preferences/com.apple.osanalytics.OTATaskingAgent.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.xpc.activity2.plist` - `Library/Preferences/com.apple.cltm.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.powerd.bdc.plist` - `Library/Preferences/com.apple.wifi.manager.plist` - `Library/Caches/locationd/cache_unencrypted.db` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.coreservices.appleidauthenticationinfo.plist` - `Library/Preferences/com.apple.osanalytics.OTATaskingAgent.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.xpc.activity2.plist` - `Library/Preferences/com.apple.cltm.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.powerd.bdc.plist` - `Library/Preferences/com.apple.wifi.manager.plist` - `Library/Caches/locationd/cache_unencrypted.db` </details> <details> <summary>RelativePathsNotToCheckIfModifiedDuringBackup</summary> - `Library/Caches/Backup` - `Library/Caches/Backup/properties.plist` - `Library/Caches/Backup/placeholder_entitlements.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Caches/locationd/clients.plist` - `Library/Caches/locationd/gyroCal.db` - `Library/Caches/locationd/significant.plist` - `Library/Caches/locationd/significantVisitAuth.plist` - `Library/Caches/locationd/significantVisitInterest.plist` - `Library/Caches/Backup/properties.plist` - `Library/Caches/Backup/placeholder_entitlements.plist` - `Library/Caches/Backup/enable_cloudkit` - `Library/Preferences` - `Library/Caches/locationd/consolidated.db` </details> ## NetworkDomain Root Path: `/var/networkd` <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Preferences/com.apple.symptomsd.plist` </details> ## BooksDomain Root Path: `/var/mobile/Media/Books` `ShouldDigest = false` <details> <summary>RelativePathsNotToBackupToDrive</summary> `# don't remove items not restored` </details> <details> <summary>RelativePathsToRestoreOnly</summary> `# restore everything backed up` </details> <details> <summary>RelativePathsNotToBackup</summary> This was empty but still included. </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> `# restore everything backed up` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - ` `: `books` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> This was empty but needs to be included. </details> ## HomeKitDomain Root Path: `/var/mobile` <details> <summary>RelativePathsNotToBackupToService</summary> - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `Library/homed/protected-home.config` - `Library/homed/transaction-journal` - `Library/homed/protected-metadata.config` - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Library/homed/protected-home.config` - `Library/homed/transaction-journal` - `Library/homed/protected-metadata.config` - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> This was empty but needs to be included. </details> ## KeychainDomain Root Path: `/var/Keychains` <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `keychain-backup.plist` </details> <details> <summary>RelativePathsNotToCheckIfModifiedDuringBackup</summary> Not empty but has a single item with an empty string value. - ` ` </details> <details> <summary>RelativePathsNotToRestore</summary> - `ocspcache.sqlite3` </details> <details> <summary>RelativePathsNotToBackupToDrive</summary> - `keychain-ota-backup.plist` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `keychain-backup.plist` </details> <details> <summary>RelativePathsNotToBackup</summary> - `ocspcache.sqlite3` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `keychain-backup.plist`: `keychain` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `keychain-backup.plist` - `keychain-ota-backup.plist` - `TrustStore.sqlite3` </details> ## HealthDomain Root Path: `/var/mobile/Library` <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `Health` - `Health/Local` </details> <details> <summary>RelativePathsToRemoveOnRestore</summary> - `Health` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Health` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Health` - `locationd/user.plist` - `MedicalID` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `Health` - `locationd/user.plist` - `MedicalID` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Health/Local` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> This was empty but needs to be included. </details> This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,6 +9,7 @@ | - [Notable domains](#notable-domains)<br> - [HomeDomain](#home-domain)<br> - [ManagedPreferencesDomain](#managed-preferences-domain) | | - [Sparserestore](#sparserestore)<br> - [The exploit](#the-exploit)<br> - [The patch](#the-patch)<br> - [The patch 2: Electric Boogaloo](#the-patch-2-electric-boogaloo) | | - [Sources](#sources) | | - Extras<br> - [Domains.plist](#domainsplist) | ## Intro Many of the writeups reverse engineering the iOS backup system are outdated and do not necessarily represent how it works in modern day. They also tended to describe the structure of a backup file, but do not detail the on-device process of restoring a backup behind the scenes. The goal of this writeup is to document my findings on the backup system over the years and what I learned while developing [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Nugget](https://github.com/leminlimez/Nugget-Mobile). I will also be covering the Sparserestore exploit. -
Dec 2, 2024 . 1 changed file with 141 additions and 1111 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,1175 +1,205 @@ # A deep dive into the iOS backup/restore system | Table of Contents | | ----------------- | | - [Intro](#intro) | | - [What is a domain?](#what-is-a-domain) | | - [Backup structure and Manifest.mbdb](#backup-structure-and-manifestmbdb)<br> - [Status.plist](#statusplist)<br> - [Manifest.plist](#manifestplist)<br> - [Info.plist](#infoplist)<br> - [Manifest.mbdb](#manifestmbdb)<br> - [The webclip permissions incident](#the-webclip-permissions-incident) | | - [iOS 17 and mobile partitioning](#ios-17-and-mobile-partitioning) | | - [Skipping the setup](#skipping-the-setup)<br> - [CloudConfigurationDetails.plist](#cloudconfigurationdetailsplist)<br> - [com.apple.purplebuddy.plist](#comapplepurplebuddyplist) | | - [Notable domains](#notable-domains)<br> - [HomeDomain](#home-domain)<br> - [ManagedPreferencesDomain](#managed-preferences-domain) | | - [Sparserestore](#sparserestore)<br> - [The exploit](#the-exploit)<br> - [The patch](#the-patch)<br> - [The patch 2: Electric Boogaloo](#the-patch-2-electric-boogaloo) | | - [Sources](#sources) | | - Extras<br> - [Domains.plist](#domainsplist) | ## Intro Many of the writeups reverse engineering the iOS backup system are outdated and do not necessarily represent how it works in modern day. They also tended to describe the structure of a backup file, but do not detail the on-device process of restoring a backup behind the scenes. The goal of this writeup is to document my findings on the backup system over the years and what I learned while developing [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Nugget](https://github.com/leminlimez/Nugget-Mobile). I will also be covering the Sparserestore exploit. There is not a lot of documentation of how the backup domains map to the iOS file system, so I am compiling what I found here. ## What is a domain? In a backup, domains tell iOS what files to restore and where. It is both a way of organization and a security measure. Having domains prevents attackers from using restores to write anywhere in the file system. There are 2 different kinds of domains. The main type of domain is simply mapped to a file path. For example, `HomeDomain` is equivalent to `/var/mobile` but with some restrictions for what can and cannot be restored (specified in the iOS backend). There are not much to these, they just act like a container. The second type of domain requires an extension. There are 3 domains that utilize this, `SysContainerDomain`, `SysSharedContainerDomain`, and `AppDomain`. They have a trailing `-` where the extension is added. For `SysContainerDomain` and `SysSharedContainerDomain`, the container name goes after the `-` character. This is also the name of the subfolder in the file system, which makes it strange for why it needs to be a special kind of domain. This way of handling it is ultimately what made it vulnerable (see [Sparserestore](#sparserestore)). For `AppDomain`, the app bundle id goes after the `-` character. This makes sense because the file system uses a unique identifier or UUID to hash app folder names, so the restore system needs to specifically handle this scenario. Outside of the domain itself, the path will act the same as the regular domains. There used to be a file in `/System/Library/Backup/domains.plist` that listed many of the paths and what could be backed up, but it was removed in iOS 17, seemingly correlated to separating the `/var` and `/var/mobile` partitions (see more at [iOS 17 and mobile partitioning](#ios-17-and-mobile-partitioning)). The file did not include the domains `SysContainerDomain-`, `SysSharedContainerDomain-`, or `AppDomain-` due to their different handling of the subpaths. A markdown version of the file can be found in [Domains.md](#domainsplist) if you would like to learn more about what can and cannot be restored in each domain. **Note:** Domains will not restore to cache folders even when told to backup everything. Certain caches or files (i.e. eligibility.plist) will get reset upon the invokation of a restore, even if it does not wipe the device. ## Backup structure and Manifest.mbdb Backups are structured as a folder containing 4 main files and the contents of the files being restored. The main files are `Info.plist`, `Manifest.mbdb`, `Manifest.plist`, and `Status.plist`. The file contents have no extension and are titled by the SHA1 hashes of the file. ### Status.plist The `Status.plist` file contains values about the status of the backup. One of these values is `IsFullBackup`, which is set to false for partial restores. Also in `Status.plist` is the `Version` value, which is the version of backups being used. For partial restores, the version key should be set to `2.4` since we are using the `Manifest.mbdb` file. Though version 3.2 backups can be created using `Manifest.db` instead, they are not useful for partial restores like I am covering here. The `UUID` field does not matter much, so I just set it to `00000000-0000-0000-0000-000000000000`. The `Date` field denotes when the backup was taken, but it can just be set to `1970-01-01T00:00:00Z`. The last two fields are `BackupState` and `SnapshotState`, they should be set to `new` and `finished` respectively for our partial restore. ### Manifest.plist `Manifest.plist` provides some basic information about the backup itself. The `Lockdown` field can just be an empty dictionary. For the `SystemDomainsVersion` and `Version`, I just used the values `20.0` and `9.1` respectively. I am not sure what the importance of these values are but they are required to finish the backup. Finally, there is the `BackupKeyBag` value. This stores KeyBag data in base64. You can find the full value I used in [Cowabunga Lite Py's create_backup.py code](https://github.com/leminlimez/CowabungaLitePy/blob/b73b128dc738df8a68e8147418b54f61b13ab82e/devicemanagement/create_backup.py#L160). ### Info.plist `Info.plist` isn't as important, so I will not cover what's in it. For the sake of a partial restore, an empty plist file can be used. ### Manifest.mbdb The main file in a backup is `Manifest.mbdb`. It stores the domains, file locations, SHA1 hashes, and many more details about what is being restored. The structure of the file itself has already been well documented, you can find that [here](https://www.theiphonewiki.com/wiki/ITunes_Backup#Manifest.mbdb). For this writeup, I will only be covering certain fields that I deem important and the structure of the files/directories prior to being placed in the manifest. File paths must list out every directory in sorted order. If 2 files are in the same directory, it should only list the file without relisting the directory. Same goes with directories. Separate directories are listed after all the files in the previous directory have been listed. Here is an example: ``` HomeDomain (domain/directory) HomeDomain Library (directory) HomeDomain Library/Preferences (directory) HomeDomain Library/Preferences/com.apple.springboard.plist (file) HomeDomain Library/Preferences/com.apple.UIKit.plist (file) HomeDomain Library/SpringBoard (directory) HomeDomain Library/SpringBoard/statusBarOverrides (file) ``` For both files and directories, owner and group permissions need to be specified. In testing, the value put usually did not seem to impact the outcome ([aside from one time](#the-webclip-permissions-incident)), but its usually safer to just use the mobile permission of `501` for most. Only files need to be hashed, directories do not. The hash is calculated as `sha1(domain + '-' + file_path)`. This hash will be placed both in `Manifest.mbdb` and used as the name for the file's contents inside the backup's folder. Another file-specific value is the inode. It provides an index for attributes about the file. No two files should have the same inode unless they are being linked. Linking should not happen in a regular partial restore. Doing so may cause the file to not restore at all. You can read about the specific use case of inodes in the [Sparserestore section](#sparserestore). ### The webclip permissions incident As I stated earlier, permissions usually do not seem to matter. There was one time where it did impact iOS in a weird way though. This is not super important to the writeup, I just wanted to share this story. Early on in Cowabunga Lite's development, there was a bug in the backup generator's code where the permissions were incorrectly set due to a missing `0`. In 64 bit systems, integers are 4 bytes long. The permissions are integer values being written to the file as hexadecimal. The bytes that are supposed to be used for the permissions are `00 00 01 F5`, which is `501` in decimal. However, in the restore code, the missing `0` caused the permissions to be set to `50 00 01 F5`, which is a very large (clearly incorrect) number. It took a `5` from the end of the previous byte. You can see the issue... This was not noticable at first. Many of the files modified by Cowabunga Lite were not impacted by this mistake. After implementing icon theming using webclips, the issue became apparent. The webclips would show up on the home screen as usual and functioned like normal. They can also be deleted like normal, or so I thought. When deleting them, they would disappear from the home screen, but as soon as the device was rebooted, they would come back. The permissions prevented iOS from being able to delete the webclips from the file system. Luckily, this was realized before making it to the public and a fix was made. To prevent this or other weird issues from happening to you if you are writing your own `Manifest.mbdb` generator, I recommend just using the mobile permission of `501` unless the file you are modifying needs a different permission. ## iOS 17 and mobile partitioning In iOS 17, Apple made many modifications to the backup system. Notably, `/var/mobile` was moved to its own partition to separate it from `/var`. Attempting to traverse from one to the other will usually lead to a bootloop or restore error. Traditionally, backup files were stored in `/var/backup` as they are being restored. With the introduction of the mobile partition in iOS 17, a new backup folder was created for domains in the mobile partition, `/var/mobile/backup`. All domains that map to the mobile folder now get placed there upon restore. ## Skipping the setup When tweaking files using partial restores, the setup screen can be very annoying. It can also be risky sometimes and start trying to overwrite your data with an iCloud backup. This is why finding methods to skip the setup are crucial. There are 2 files that Cowabunga Lite uses to fully skip the setup. ### CloudConfigurationDetails.plist The first and primary skip setup file is `CloudConfigurationDetails.plist`. This is used by the Apple Configurator app to skip the setup when making changes to supervised devices. Conveniently, this file has a key called `SkipSetup`. This key contains a list of which menu screens should be skipped on setup. In Apple Configurator, the user is able to select which screens get skipped. To get the list of values for this key, you need a mac with Apple Configurator and a jailbreakable device. On Apple Configurator, prepare the device and select all the screens to skip during setup. This process will wipe the device so be ready to set it up again. After it is done, jailbreak the device and get the file from the following file path: ``` /var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/SharedDeviceConfiguration.plist ``` You should now have every key you need to skip the setup process. **Important:** You also need to set the value `CloudConfigurationUIComplete` to `true` otherwise you could get the device stuck on a bugged setup screen. The file can then be restored using the following domain and path: ``` Domain: SysSharedContainerDomain-systemgroup.com.apple.configurationprofiles Path: Library/ConfigurationProfiles/SharedDeviceConfiguration.plist ``` It should be noted that this may mess with existing configuration profiles. This should not be done on enterprise supervised devices. ### com.apple.purplebuddy.plist In iOS 17.2, Apple introduced a new setup screen to deter the user from partial restores. This was presumably added because of Cowabunga Lite 😒 <img src="https://preview.redd.it/iphone-partially-set-up-screen-shows-up-even-after-a-dfu-v0-k35idx04jqnc1.jpeg?auto=webp&s=30fea8f7420b0833ebe5d17257bec4c87f36ce81" alt="Partial Restore Screen" height="400"/> The screen was a warning about the security of partial restores, contained a giant blue shiny button with the words "Erase and Start Over" and tiny blue text below it saying "Continue with Partial Setup". Obviously not ideal for a customization tool like Cowabunga Lite where a user could accidentally wipe their entire phone. On top of ruining Cowabunga Lite, Apple also ruined their enterprise app by doing this. They added no way to skip this screen, even for their own software. Sometimes, this screen would even show up after doing a full restore from iTunes. What's worse, the screen sometimes would never go away, even after a fresh wipe or restore. This was so bad that on occasion, it would get stuck in a loop on this screen and you would have to erase anyway. They felt so threatened over a goofy cow app that they made a mess of a half baked screen plagued with issues. Apologies for the rant, but I did manage to find a way to bypass it. Using [Managed Preferences](#managed-preferences-domain), the setup information can be force overwritten and make iOS think the setup was already complete. This does not skip the other setup screens like `CloudConfigurationDetails.plist` does but it still manages to skip the partial setup screen for some reason. There are 2 keys in the plist that need to be set to `true`: `SetupDone` and `SetupFinishedAllSteps`. After that, the plist should be restored to the following domain and path: ``` Domain: ManagedPreferencesDomain Path: mobile/com.apple.purplebuddy.plist ``` This should now skip the partial setup screen. ## Notable domains ### Home Domain The main domain for writing to `/var/mobile` is `HomeDomain`. While there are others that write to the mobile folder, `HomeDomain` is where most of the files are backed up or restored to. It is where the preference files are stored and has some interesting modifications that can be done with it. Cowabunga Lite utilizes this domain for both its webclip theming and changing the status bar overrides. Cowabunga Lite used to use this domain to modify preference files, but it has since changed to using Managed Preferences for its many benefits listed in the next section. ### Managed Preferences Domain This is the most interesting domain. It takes priority of preference files stored in `/var/mobile/Library/Preferences`. Values in a preference file will always choose the one in Managed Preferences over the one from the mobile file. In addition, Managed Preferences appends to the version of the file in mobile rather than overriding it. This means that changes can be set without having to read user preferences or reset them back to default, which would happen when using `HomeDomain`. Seems great, right? But that's not all it's capable of. Unlike `HomeDomain`, `ManagedPreferencesDomain` has no file restrictions when it comes to restoring, which means many files that were not intended to be modifiable can be changed. One example is `com.apple.iokit.IOMobileGraphicsFamily.plist`. This file contains the resolution of the device. This was clearly not meant to be touched, and Apple even prevented it from being restorable in `HomeDomain` (which you can see if you look at `RelativePathsNotToRestore` in Domains.md). Since there are no restrictions in `ManagedPreferencesDomain`, the file can be restored there and the resolution of the device can be changed. **Disclaimer:** I do not recommend changing this file unless you really know what you are doing. You can really mess up your device this way and it could lead to potential data loss. As covered in [Skipping the setup](#skipping-the-setup), `com.apple.purplebuddy.plist` is another useful preference we can modify. It too is unable to be restored to `HomeDomain`, but it is able to be restored to `ManagedPreferencesDomain` without restriction. All of these properties combined make this a very powerful domain for modifying files. It is probably the most powerful domain for restoring outside of exploits like Sparserestore. ## Sparserestore ### The exploit The Sparserestore exploit is a very simple exploit at its core. It uses backpathing to continuously go back to the parent until it reaches root, allowing to write anywhere in the file system on the `/var` partition that is not SSV protected. Sparserestore works on 2 domains, `SysContainerDomain` and `SysSharedContainerDomain`. As you know from the ["What is a domain?"](#what-is-a-domain) section, these are special domains that utilize the `-` character to determine the subdirectory. After the `-` character, a backpath (`..`) can be used to traverse up the tree. Using the `/` character after the backpath, you can continuously traverse upwards until you hit root. Take the following domain: ``` SysContainerDomain-../../../../../../../.. ``` After `-`, you are currently in the directory: ``` /private/var/.backup.i/var/root/Library/Backup/SystemContainers/Data/ ``` **Note:** In the `SysSharedContainersDomain`, you will be in the `/Shared/` folder instead of the `/Data/` folder. This is your starting path. The first `../` means that you will be in the `SystemContainers` folder. The second `../` will leave you in the `Backup` folder. If you continue backpathing, you will end up in the directory `/private`. This is its own partition separate from `/var`, so we cannot exit this. However, we do not need to leave this as we can do everything we need in `/private/var` anyway. Once you reach root, you can place any file path afterwards. Though you can go straight to the file directly, it is better to restore to `/var/backup` instead. This will have the same effect as restoring to the file directly, but will be less likely to fail since there will not already be a file at that path. At the end of the restore, we can crash the restore by restoring a file directly to `/private`. Normally, a crash would cancel the backup and no files would change. However, using the exploit, the files will still be restored to. This has the added benefit of skipping the setup entirely without having to modify files like Cowabunga Lite, which can break configuration profiles. Since it takes place in the domain, listing every directory in the path is not necessary. All that is needed is the domain as a directory and the file. Though not necessary for everything, inodes can be used to create a hard link to a different file. In Sparserestore, a temporary file is created containing the data contents that are intended to be restored. The inode value for this temporary file will be set intentionally when creating the restore. The file you are intending to restore should be added to the manifest next. The contents of the file should be null data, implemented as `b""` in Python. The inode of this file should be set to the same value as the temporary file's inode. After this, the hard link needs to be broken. To break it, Sparserestore is used to navigate to the file location of the temp file in `/var/.backup.i` and break it by setting the contents to null data. This is not needed for the majority of files. It is only needed when replacing an executable binary, as done by [TrollRestore](https://github.com/JJTech0130/TrollRestore). You can see how this is implemented in [TrollRestore's code here](https://github.com/JJTech0130/TrollRestore/blob/8efae439bd033e73b0fde8456838eaece90b6f54/trollstore.py#L101). ### The patch Sparserestore was "patched" in iOS 18.1 developer beta 5 (iOS 18.1 public beta 2). To patch it, Apple restricted domains from containing a `/` character. While the backpath still works, it can only go back a single path to the `SystemContainers` folder. This is not useful for escaping the scope of the domain. However, directory operations can still be useful for Nugget. While a normal restore to the domain `SysSharedContainers-systemgroup.com.apple.mobilegestaltcache` will not allow restoring files to the `Caches` folder, using directory operations in the domain seem to bypass this restriction. There are two directory operations that work. The first is backpathing just a single directory, `SysSharedContainers-..`, then restoring to the `Shared/systemgroup.com.apple.mobilegestaltcache` folder from there. The better method is to just simply call the current directory, `SysSharedContainers-.`, then restoring to `systemgroup.com.apple.mobilegestaltcache` like normal. Everything else Nugget does after the patch aside from mobilegestalt is just using regular domains just like Cowabunga Lite. ### The patch 2: Electric Boogaloo Apple fully patched sparserestore including the method above in iOS 18.2 developer beta 3. This time, Apple fully restricted all types of path operations, making it impossible to backpath or call the current directory. This effectively stops mobilegestalt modifications from being applied because of the Cache folder exception. This patch was at the same time that Apple Intelligence on unsupported devices was patched, a very popular feature in Nugget on 18.1. This patch was separate from the sparserestore patch, so even with mobilegestalt edit access, Apple Intelligence on unsupported devices cannot be achieved. ## Sources - [iPhone Wiki](https://www.theiphonewiki.com/wiki/ITunes_Backup) - [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Cowabunga Lite Py](https://github.com/leminlimez/CowabungaLitePy) - [Nugget](https://github.com/leminlimez/Nugget) and [Nugget (mobile)](https://github.com/leminlimez/Nugget-Mobile) - [TrollRestore](https://github.com/JJTech0130/TrollRestore) -
Nov 13, 2024 . 1 changed file with 8 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,7 +7,7 @@ | - [iOS 17 and mobile partitioning](#ios-17-and-mobile-partitioning) | | - [Skipping the setup](#skipping-the-setup)<br> - [CloudConfigurationDetails.plist](#cloudconfigurationdetailsplist)<br> - [com.apple.purplebuddy.plist](#comapplepurplebuddyplist) | | - [Notable domains](#notable-domains)<br> - [HomeDomain](#home-domain)<br> - [ManagedPreferencesDomain](#managed-preferences-domain) | | - [Sparserestore](#sparserestore)<br> - [The exploit](#the-exploit)<br> - [The patch](#the-patch)<br> - [The patch 2: Electric Boogaloo](#the-patch-2-electric-boogaloo) | | - [Sources](#sources) | ## Intro @@ -190,6 +190,13 @@ There are two directory operations that work. The first is backpathing just a si Everything else Nugget does after the patch aside from mobilegestalt is just using regular domains just like Cowabunga Lite. ### The patch 2: Electric Boogaloo Apple fully patched sparserestore including the method above in iOS 18.2 developer beta 3. This time, Apple fully restricted all types of path operations, making it impossible to backpath or call the current directory. This effectively stops mobilegestalt modifications from being applied because of the Cache folder exception. This patch was at the same time that Apple Intelligence on unsupported devices was patched, a very popular feature in Nugget on 18.1. This patch was separate from the sparserestore patch, so even with mobilegestalt edit access, Apple Intelligence on unsupported devices cannot be achieved. ## Sources - [iPhone Wiki](https://www.theiphonewiki.com/wiki/ITunes_Backup) - [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Cowabunga Lite Py](https://github.com/leminlimez/CowabungaLitePy) -
Oct 17, 2024 . 1 changed file with 8 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -180,12 +180,18 @@ Since it takes place in the domain, listing every directory in the path is not n Though not necessary for everything, inodes can be used to create a hard link to a different file. In Sparserestore, a temporary file is created containing the data contents that are intended to be restored. The inode value for this temporary file will be set intentionally when creating the restore. The file you are intending to restore should be added to the manifest next. The contents of the file should be null data, implemented as `b""` in Python. The inode of this file should be set to the same value as the temporary file's inode. After this, the hard link needs to be broken. To break it, Sparserestore is used to navigate to the file location of the temp file in `/var/.backup.i` and break it by setting the contents to null data. This is not needed for the majority of files. It is only needed when replacing an executable binary, as done by [TrollRestore](https://github.com/JJTech0130/TrollRestore). You can see how this is implemented in [TrollRestore's code here](https://github.com/JJTech0130/TrollRestore/blob/8efae439bd033e73b0fde8456838eaece90b6f54/trollstore.py#L101). ### The patch Sparserestore was "patched" in iOS 18.1 developer beta 5 (iOS 18.1 public beta 2). To patch it, Apple restricted domains from containing a `/` character. While the backpath still works, it can only go back a single path to the `SystemContainers` folder. This is not useful for escaping the scope of the domain. However, directory operations can still be useful for Nugget. While a normal restore to the domain `SysSharedContainers-systemgroup.com.apple.mobilegestaltcache` will not allow restoring files to the `Caches` folder, using directory operations in the domain seem to bypass this restriction. There are two directory operations that work. The first is backpathing just a single directory, `SysSharedContainers-..`, then restoring to the `Shared/systemgroup.com.apple.mobilegestaltcache` folder from there. The better method is to just simply call the current directory, `SysSharedContainers-.`, then restoring to `systemgroup.com.apple.mobilegestaltcache` like normal. Everything else Nugget does after the patch aside from mobilegestalt is just using regular domains just like Cowabunga Lite. ## Sources - [iPhone Wiki](https://www.theiphonewiki.com/wiki/ITunes_Backup) - [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Cowabunga Lite Py](https://github.com/leminlimez/CowabungaLitePy) - [Nugget](https://github.com/leminlimez/Nugget) and [Nugget (mobile)](https://github.com/leminlimez/Nugget-Mobile) - [TrollRestore](https://github.com/JJTech0130/TrollRestore) -
Oct 15, 2024 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -22,7 +22,7 @@ There are 2 different kinds of domains. The main type of domain is simply mapped The second type of domain requires an extension. There are 3 domains that utilize this, `SysContainerDomain`, `SysSharedContainerDomain`, and `AppDomain`. They have a trailing `-` where the extension is added. For `SysContainerDomain` and `SysSharedContainerDomain`, the container name goes after the `-` character. This is also the name of the subfolder in the file system, which makes it strange for why it needs to be a special kind of domain. This way of handling it is ultimately what made it vulnerable (see [Sparserestore](#sparserestore)). For `AppDomain`, the app bundle id goes after the `-` character. This makes sense because the file system uses a unique identifier or UUID to hash app folder names, so the restore system needs to specifically handle this scenario. Outside of the domain itself, the path will act the same as the regular domains. There used to be a file in `/System/Library/Backup/domains.plist` that listed many of the paths and what could be backed up, but it was removed in iOS 17, seemingly correlated to separating the `/var` and `/var/mobile` partitions (see more at [iOS 17 and mobile partitioning](#ios-17-and-mobile-partitioning)). The file did not include the domains `SysContainerDomain-`, `SysSharedContainerDomain-`, or `AppDomain-` due to their different handling of the subpaths. A markdown version of the file can be found in [Domains.md](#domainsplist) if you would like to learn more about what can and cannot be restored in each domain. **Note:** Domains will not restore to cache folders even when told to backup everything. Certain caches or files (i.e. eligibility.plist) will get reset upon the invokation of a restore, even if it does not wipe the device. -
Oct 15, 2024 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,1175 @@ # Domains.plist Documentation of `/System/Library/Backup/Domains.plist`. File taken from iOS 16.4 iPhone SE 3. The file was removed in iOS 17.0 ## Values Values in the plist. Other than `SystemDomains`, these are not really important and are just here for preservation sake. A domain in `domains.plist` contains keys that determine what gets backed up for what types of devices and where (i.e. iCloud vs iTunes). Not all domains have each key. The only 2 keys that must be in every domain are `RootPath` and `RelativePathsToBackupAndRestore`. Some domains have the value `ShouldDigest`. I am not sure exactly what it means but I have included it for documentation purposes. - `Version`: `"24.0"` - `SystemDomains`: `(Dictionary)`, see below - `MinSupportedVersion`: `"3.0"` - `MaxSupportedVersion`: `"25.0"` ## SystemDomains | List of Domains | | --------------- | | [ManagedPreferencesDomain](#managedpreferencesdomain) | | [MediaDomain](#mediadomain) | | [CameraRollDomain](#camerarolldomain) | | [WirelessDomain](#wirelessdomain) | | [MobileDeviceDomain](#mobiledevicedomain) | | [BackupDomain](#backupdomain) | | [SystemPreferencesDomain](#systempreferencesdomain) | | [ProtectedDomain](#protecteddomain) | | [HomeDomain](#homedomain) | | [KeyboardDomain](#keyboarddomain) | | [DatabaseDomain](#databasedomain) | | [InstallDomain](#installdomain) | | [TonesDomain](#tonesdomain) | | [RootDomain](#rootdomain) | | [NetworkDomain](#networkdomain) | | [BooksDomain](#booksdomain) | | [HomeKitDomain](#homekitdomain) | | [KeychainDomain](#keychaindomain) | | [HealthDomain](#healthdomain) | ### ManagedPreferencesDomain This is the most interesting domain. It appends to preference files in `/var/mobile/Library/Preferences` rather than overwriting them, but it does not have any of the limitations that [HomeDomain](#homedomain) presents. You can read more about it in the deep dive. Root Path: `/var/Managed Preferences` <details> <summary>RelativePathsToBackupAndRestore</summary> - `mobile` </details> ### MediaDomain Root Path: `/var/mobile` `ShouldDigest = false` <details> <summary>RelativePathsNotToBackupToDrive</summary> - `Media/iTunes_Control/iTunes` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `Media/Recordings`: `recordings` - `Library/SMS`: `smsParts` - `Media/iTunes_Control/Device/Trainer`: `trainer` - `Media/PhotosStreamsData`: `photoStreamsData` - `Media/iTunes_Control/iTunes`: `itunes` - `Library/Recordings`: `recordingsNew` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Media/PhotoStreamsData` </details> <details> <summary>RelativePathDomainRedirects</summary> - `Media/DCIM`: `CameraRollDomain` - `Media/PhotoData`: `CameraRollDomain` </details> <details> <summary>RelativePathsToRestoreOnlyFromService</summary> - `Media/Purchases` </details> <details> <summary>RelativePathsToIgnoreExclusionsForDrive</summary> - `LibrarySMS` </details> <details> <summary>RelativePathsNotToRemoveIfNotRestored</summary> - `Media/iTunes_Control/iTunes/iTunesPrefs.plist` </details> <details> <summary>RelativePathsNotToBackupAndRestoreToAppleTVs</summary> - `Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> - `Media/iTunes_Control/iTunes` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/SMS/Attachments` - `Library/SMS/Parts` - `Library/SMS/StickerCache` - `Library/SMS/Recents` - `Media/iTunes_Control/Device/Trainer` - `Media/Recordings` - `Media/PhotoStreamsData` - `Media/iTunes_Control/iTunes/iTunesPrefs.plist` - `Media/iTunes_Control/iTunes/MobileSync.plist` - `Media/iTunes_Control/iTunes/iPhotoAlbumPrefs` - `Media/iTunes_Control/iTunes/ApertureAlbumPrefs` - `Media/iTunes_Control/iTunes/PSAlbumAlbums` - `Media/iTunes_Control/iTunes/PSElementsAlbums` - `Media/iTunes_Control/iTunes/PhotosFolderPrefs` - `Media/iTunes_Control/iTunes/PhotosFolderAlbums` - `Media/iTunes_Control/iTunes/PhotosFolderName` - `Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb` - `Media/Vibrations` - `Library/Recordings` </details> ## CameraRollDomain Root Path: `/var/mobile` `ShouldDigest = false` <details> <summary>RelativePathsToBackupIgnoringProtectionClass</summary> - `Media/DCIM` </details> <details> <summary>RelativePathsToRemoveOnRestore</summary> - `Media/Photos` - `Media/PhotoData/Caches` - `Media/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/CPL` </details> <details> <summary>RelativePathsToBackgroundRestore</summary> - `Media/DCIM` - `Media/PhotoData/Mutations` - `Media/PhotoData/CPLAssets` - `Media/Deferred` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Media/PhotoData/Metadata` - `Media/PhotoData/Thumbnails` - `Media/PhotoData/CMMAssets` - `Media/PhotoData/Mutations/PhotoData/CMMAssets` - `Media/PhotoData/CPL` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Media/PhotoData/Caches` - `Media/PhotoData/changes` - `Media/PhotoData/changes-shm` - `Media/PhotoData/changes-wal` - `Media/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/Sync` - `Media/PhotoData/OutgoingTemp` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRemoveOnRestore</summary> - `Media/Photos` - `Media/PhotoData/Caches` - `Media/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/Sync` - `Media/PhotoData/Metadata/PhotoData/PhotoCloudSharingData` - `Media/PhotoData/CPL` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `Media/DCIM`: `dcim` - `Media/PhotoData`: `photoData` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Media/DCIM` - `Media/PhotoData` - `Media/Memories/Library/PersistedMemories` - `Media/MediaAnalysis/.backup` - `Media/Deferred` </details> ## WirelessDomain Root Path: `/var/wireless` <details> <summary>RelativePathsNotToMigrate</summary> - `Library/Logs/IQAgent` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Library/Preferences/com.apple.commcenter.attach_apn.plist` - `Library/Preferences/com.apple.commcenter.carrier_bundle.plist` - `Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist` - `Library/Preferences/com.apple.commcenter.omadm_apns.plist` - `Library/Preferences/no_backup` - `Library/Preferences/com.apple.awdd.plist` - `Library/Preferences/com.apple.awdd.persistent.plist` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/Preferences/com.apple.commcenter.attach_apn.plist` - `Library/Preferences/com.apple.commcenter.carrier_bundle.plist` - `Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist` - `Library/Preferences/com.apple.commcenter.omadm_apns.plist` - `Library/Preferences/no_backup` - `Library/Preferences/com.apple.awdd.plist` - `Library/Preferences/com.apple.awdd.persistent.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Databases` - `Library/CallHistory` - `Library/Preferences` </details> ## MobileDeviceDomain Root Path: `/var/MobileDevice` <details> <summary>RelativePathsToBackupAndRestore</summary> `# backup everything` </details> ## BackupDomain **Note:** I am not sure what this does but it seems like it relates to information about the backup itself. Root Path: `# empty` `PrimaryAccount = false` <details> <summary>RelativePathsToBackupAndRestore</summary> - `Backup/Preferences` </details> ## SystemPreferencesDomain Root Path: `/var/preferences` <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `com.apple.wifi.known-networks.plist` - `SystemConfiguration/com.apple.wifi-private-mac-networks.plist` - `SystemConfiguration/com.apple.wifi.plist` </details> <details> <summary>RelativePathsNotToBackup</summary> - `SystemConfiguration/NetworkInterfaces.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `SystemConfiguration` - `com.apple.networkextension.plist` - `com.apple.networkextension.control.plist` </details> ## ProtectedDomain Root Path: `/var/protected` <details> <summary>RelativePathsNotToBackup</summary> - `trustd/private/ocspcache.sqlite3` - `trustd/private/caissuercache.sqlite3` </details> <details> <summary>RelativePathsNotToRestore</summary> - `trustd/private/ocspcache.sqlite3` - `trustd/private/caissuercache.sqlite3` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `trustd/private/TrustStore.sqlite3` - `trustd/private/CARevocation.plist` - `trustd/private/CTExceptions.plist` - `trustd/private/TransparentConnectionPins.plist` - `trustd/private/com.apple.security.exception_reset_counter.plist` </details> ## HomeDomain This is the main domain for `/var/mobile`. Even though there are others, this is where most of the files are backed up or restored to. Root Path: `/var/mobile` <details> <summary>RelativePathsNotToBackupToDrive</summary> - `Library/MusicLibrary/AccountCache.sqlitedb` - `Library/Spotlight/Backup/encrypted_ranking_metadata.dat` - `Library/DuetExpertCenter/Backups` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `Library/VoiceTrigger/SAT` - `Library/com.apple.geod` - `Library/com.apple.siri.remembers` - `Library/CoreDuet/People/interactionC.db` - `Library/CoreDuet/People/interactionC.db-shm` - `Library/CoreDuet/People/interactionC.db-wal` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/DoNotDisturb/DB/ModeConfigurations.json` - `Library/DoNotDisturb/DB/ModeConfigurationsSecure.json` - `Library/DoNotDisturb/DB/Settings.sqlite` - `Library/DoNotDisturb/DB/Settings.sqlite-wal` - `Library/DoNotDisturb/DB/Settings.sqlite-shm` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `Library/Voicemail`: `voicemail` - `Library/Safari/Bookmarks.db`: `bookmarksDatabase` - `Library/SMS/sms.db`: `smsDatabase` - `Library/Cookies`: `cookies` - `Library/Preferences`: `preferences` - `Library/WebKit/Databases `: `webKitDatabases` - `Library/Caches/com.apple.WebAppCache`: `webAppCache` - `Library/Calendar`: `calendar` - `Library/AddressBook`: `addressBook` - `Library/Notes`: `notes` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Library/Accessibility/TTY/TTYCallHistory.sqlite` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-shm` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-wal` - `Library/VoiceTrigger/SAT` - `Library/Mobile Documents` - `Library/Application Support/CloudDocs` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/Application Support/FileProvider` - `Library/CloudStorage` - `Library/Preferences/com.apple.announce.announcements.plist` </details> <details> <summary>RelativePathsNotToMigrate</summary> - `Library/DataAccess/DeviceSpecificInfo.plist` - `Library/Preferences/com.apple.GMM.plist` - `Library/Preferences/com.apple.MobileBluetooth.devices.plist` - `Library/Preferences/com.apple.MobileBluetooth.security.plist` - `Library/Preferences/com.apple.MobileBluetooth.services.plist` - `Library/WebKit/Form Values` </details> <details> <summary>RelativePathsToRemoveOnRestore</summary> - `Library/MediaStream` - `Library/Preferences/com.apple.migration.plist` </details> <details> <summary>RelativePathsNotToCheckIfModifiedDuringBackup</summary> - `Library/Application Support/CloudDocs/backup` - `Library/Application Support/FileProvider` </details> <details> <summary>RelativePathsToIgnoreExclusionsForDrive</summary> - `Library/SMS` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> - `Library/MusicLibrary/AccountCache.sqlitedb` - `Library/Preferences/com.apple.MobileBackup.DemotedApps.plist` </details> <details> <summary>RelativePathsToBackupToDriveAndStandardAccount</summary> - `Library/Safari/History.db` - `Library/Safari/History.db-wal` - `Library/Safari/History.db-shm` - `Library/Safari/BrowserState.db` - `Library/Safari/BrowserState.db-wal` - `Library/Safari/BrowserState.db-shm` - `Library/CallHistoryDB` - `Library/CallHistoryTransactions` - `Library/Recents/Recents` - `Library/Recents/Recents-shm` - `Library/Recents/Recents-wal` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Library/Caches/com.apple.mobilesafari/Thumbnails` - `Library/Caches/Safari/Thumbnails` - `Library/Duet` - `Library/Logs/Duet/DuetLST.duetlog` - `Library/Safari/History.plist` - `Library/Safari/SuspendState.plist` - `Library/Keyboard` - `Library/VoiceTrigger/SAT` - `Library/com.apple.geod` - `Library/com.apple.siri.remembers` - `Library/CoreDuet/People/interactionC.db` - `Library/CoreDuet/People/interactionC.db-shm` - `Library/CoreDuet/People/interactionC.db-wal` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/DoNotDisturb/DB/ModeConfigurations.json` - `Library/DoNotDisturb/DB/ModeConfigurationsSecure.json` - `Library/DoNotDisturb/DB/Settings.sqlite` - `Library/DoNotDisturb/DB/Settings.sqlite-wal` - `Library/DoNotDisturb/DB/Settings.sqlite-shm` - `Library/Preferences/com.apple.announce.announcements.plist` </details> <details> <summary>RelativePathsNotToRemoveIfNotRestored</summary> - `Library/IdentityServices/Persistence/DoNotBackup` </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRemoveOnRestore</summary> - `Library/Preferences/com.apple.migration.plist` </details> <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `Library/Accessibility/TTY/TTYCallHistory.sqlite` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-shm` - `Library/Accessibility/TTY/TTYCallHistory.sqlite-wal` - `Library/VoiceTrigger/SAT` - `Library/PersonalizationPortrait` - `Library/DuetExpertCenter/D2DBackups` - `Library/Preferences/com.apple.speakerrecognition.plist` - `Library/Safari/SafariTabs.db` - `Library/Preferences/com.apple.announce.announcements.plist` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Library/Keyboard/Typology` - `Library/Calendar/Attachments` - `Library/Preferences/com.apple.AOSNotification.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.FMFAccounts.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.FMIPAccounts.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist` - `Library/Preferences/com.apple.appleaccount.notbackedup.plist` - `Library/Preferences/com.apple.assistant.plist` - `Library/Preferences/com.apple.assistant.languages.plist` - `Library/Preferences/com.apple.assistant.logging.plist` - `Library/Preferences/com.apple.atc.plist` - `Library/Preferences/com.apple.BTServer.airplane.plist` - `Library/Preferences/com.apple.DataMigration.plist` - `Library/Preferences/com.apple.calaccessd.keepalive` - `Library/Preferences/com.apple.carrier.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.notbackedup.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.watch.notbackedup.plist` - `Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.notbackedup.plist` - `Library/Preferences/com.apple.locationd.notbackedup.plist` - `Library/Preferences/com.apple.managedconfiguration.notbackedup.plist` - `Library/Preferences/com.apple.migration.plist` - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.mobilephone.sortmapping.plist` - `Library/Preferences/com.apple.operator.plist` - `Library/Preferences/com.apple.preferences.volume-limit.plist` - `Library/Preferences/com.apple.purplebuddy.notbackedup.plist` - `Library/Preferences/com.apple.siri.backedup.encrypted.plist` - `Library/Preferences/com.apple.youtubeframework.notbackedup.plist` - `Library/SpringBoard/transientSettings.plist` - `Library/Safari/SyncedTabsMetadata.plist` - `Library/MobileBluetooth/com.apple.MobileBluetooth.ledevices.other.db` - `Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist` - `Library/Preferences/com.apple.icloud.fmfd.notbackedup.plist` - `Library/Preferences/com.apple.coreduetd.batterysaver.state.plist` - `Library/Preferences/com.apple.icloud.fmflocatord.notbackedup.plist` - `Library/Preferences/com.apple.stockholm.awd.plist` - `Library/Preferences/com.apple.stockholm.plist` - `Library/Preferences/com.apple.seld.plist` - `Library/Preferences/nfcd.plist` - `Library/Voicemail/OfflineCache` - `Library/Safari/BookmarksSyncMetadata.plist` - `Library/Caches/com.apple.WebAppCache` - `Library/SpringBoard/PushStore` - `Library/Preferences/com.apple.indigo.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.homed.notbackedup.plist` - `Library/Preferences/com.apple.voicetrigger.notbackedup.plist` - `Library/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.settings.storage.plist` - `Library/Preferences/com.apple.palette.chestnut.plist` - `Library/Preferences/group.com.apple.Livability.plist` - `Library/Preferences/com.apple.mobilerepaird.plist` - `Library/Preferences/com.apple.mobilerepair.DisplayRepair.plist` - `Library/Preferences/com.apple.mobilerepair.BatteryRepair.plist` - `Library/Preferences/com.apple.NewDeviceOutreach.plist` - `Library/Application Support/com.apple.palette.green.plist` - `Library/Application Support/com.apple.palette.green.bin` - `Library/Preferences/com.apple.smartcharging.topoffprotection.plist` - `Library/SplashBoard` - `Library/Preferences/com.apple.coreaudio.device.plist` - `Library/Preferences/com.apple.powerd.lowpowermode.state.plist` - `Library/Preferences/com.apple.carrier_1.plist` - `Library/Preferences/com.apple.operator_1.plist` - `Library/Preferences/com.apple.carrier_2.plist` - `Library/Preferences/com.apple.operator_2.plist` - `Library/Preferences/com.apple.carrier_1.merged.plist` - `Library/Preferences/com.apple.operator_1.merged.plist` - `Library/Preferences/com.apple.carrier_2.merged.plist` - `Library/Preferences/com.apple.operator_2.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.plist` - `Library/Preferences/com.apple.carrier.default.plist` - `Library/Preferences/com.apple.carrier.merged.plist` - `Library/Preferences/com.apple.operator.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.merged.plist` - `Library/Preferences/com.apple.cameracapture.volatile.plist` - `Library/Preferences/com.apple.stockholm.tsmreg.plist` - `Library/Preferences/com.apple.nfcacd.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.MobileSoftwareUpdate.plist` - `Library/Preferences/com.apple.mobilerepaird.systemhealth.plist` - `Library/Passes/Discovery` - `Library/Preferences/com.apple.private.health.feature-properties.AFibBurden.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.CardioFitness.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.ElectrocardiogramV2Recording.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.IrregularRhythmNotificationsV2.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.MenstrualCycles.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.MenstrualCyclesHeartRateInput.companion.plist` - `Library/Preferences/com.apple.private.health.feature-properties.OxygenSaturationRecording.companion.plist` - `Library/Maps` - `Library/IdentityServices/Persistence/DoNotBackup` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/AggregateDictionary/ADDataStore.sqlitedb` - `Library/Calendar/Attachments` - `Library/Logs/ADDataStore.sqlitedb` - `Library/BackBoard` - `Library/Preferences/com.apple.AOSNotification.FMIPAccounts.notbackedup.plist` - `Library/Preferences/com.apple.AOSNotification.FMFAccounts.notbackedup.plist` - `Library/Preferences/com.apple.calaccessd.keepalive` - `Library/Preferences/com.apple.migration.plist` - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.siri.backedup.encrypted.plist` - `Library/Health` - `Library/Safari/SyncedTabsMetadata.plist` - `Library/MobileBluetooth/com.apple.MobileBluetooth.ledevices.other.db` - `Library/Preferences/com.apple.MobileBluetooth.ledevices.plist` - `Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist` - `Library/Preferences/com.apple.stockholm.awd.plist` - `Library/Preferences/com.apple.stockholm.plist` - `Library/Preferences/com.apple.seld.plist` - `Library/Preferences/nfcd.plist` - `Library/Voicemail/OfflineCache` - `Library/Safari/BookmarksSyncMetadata.plist` - `Library/Caches/com.apple.WebAppCache` - `Library/Mail/Recents` - `Library/Mail/Recents-shm` - `Library/Mail/Recents-wal` - `Library/SpringBoard/PushStore` - `Library/Preferences/com.apple.indigo.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.homed.notbackedup.plist` - `Library/Preferences/com.apple.voicetrigger.notbackedup.plist` - `Library/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.AppleMediaServices.notbackedup` - `Library/Preferences/com.apple.settings.storage.plist` - `Library/Preferences/com.apple.palette.chestnut.plist` - `Library/Preferences/group.com.apple.Livability.plist` - `Library/Preferences/com.apple.mobilerepaird.plist` - `Library/Preferences/com.apple.mobilerepair.DisplayRepair.plist` - `Library/Preferences/com.apple.mobilerepair.BatteryRepair.plist` - `Library/Preferences/com.apple.NewDeviceOutreach.plist` - `Library/Application Support/com.apple.palette.green.plist` - `Library/Application Support/com.apple.palette.green.bin` - `Library/Preferences/com.apple.smartcharging.topoffprotection.plist` - `Library/SplashBoard` - `Library/Preferences/com.apple.coreaudio.device.plist` - `Library/Preferences/com.apple.carrier.plist` - `Library/Preferences/com.apple.operator.plist` - `Library/Preferences/com.apple.carrier_1.plist` - `Library/Preferences/com.apple.operator_1.plist` - `Library/Preferences/com.apple.carrier_2.plist` - `Library/Preferences/com.apple.operator_2.plist` - `Library/Preferences/com.apple.carrier_1.merged.plist` - `Library/Preferences/com.apple.operator_1.merged.plist` - `Library/Preferences/com.apple.carrier_2.merged.plist` - `Library/Preferences/com.apple.operator_2.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.plist` - `Library/Preferences/com.apple.carrier.default.plist` - `Library/Preferences/com.apple.carrier.merged.plist` - `Library/Preferences/com.apple.operator.merged.plist` - `Library/Preferences/com.apple.carrier.bootstrap.merged.plist` - `Library/Preferences/com.apple.cameracapture.volatile.plist` - `Library/Preferences/com.apple.stockholm.tsmreg.plist` - `Library/Preferences/com.apple.nfcacd.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.MobileSoftwareUpdate.plist` - `Library/Preferences/com.apple.mobilerepaird.systemhealth.plist` - `Library/Passes/Discovery` - `Library/Maps` - `Library/IdentityServices/Persistence/DoNotBackup` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Demo.mov` - `Library/com.apple.itunesstored` - `Library/AddressBook` - `Library/Accounts` - `Library/Application Support/com.apple.Home/Wallpapers` - `Library/BulletinBoard` - `Library/Calendar` - `Library/ConfigurationProfiles` - `Library/UserConfigurationProfiles` - `Library/Cookies` - `Library/DataAccess` - `Library/DeviceRegistry` - `Library/DeviceRegistry.state` - `Library/Mail/Accounts.plist` - `Library/Mail/AutoFetchEnabled` - `Library/Mail/MailboxCollections.plist` - `Library/Messages` - `Library/MobileInstallation/ApplicationAttributes.plist` - `Library/MusicLibrary/AccountCache.sqlitedb` - `Library/Notes` - `Library/Passes` - `Library/Preferences` - `Library/RemoteNotification` - `Library/Safari/Bookmarks.db` - `Library/SMS/sms.db` - `Library/SMS/Drafts` - `Library/SpringBoard` - `Library/TCC` - `Library/YouTube/Bookmarks.plist` - `Library/Voicemail` - `Library/WebClips` - `Library/WebKit/Databases` - `Library/WebKit/Form Values` - `Library/WebKit/GeolocationSites.plist` - `Library/MobileBluetooth` - `Library/Accessibility` - `Library/NanoBackup` - `Library/FrontBoard` - `Library/Spotlight/applications.mdplist` - `Library/Fonts` - `Library/ControlCenter/ModuleConfiguration.plist` - `Library/Spotlight/Backup/encrypted_ranking_metadata.dat` - `Library/Application Support/com.apple.ProtectedCloudStorage/Backup` - `Library/UserNotifications` - `Library/DoNotDisturb/DB/Assertions.json` - `Library/DoNotDisturb/DB/Settings.json` - `Library/Avatar/avatars.version` - `Library/Avatar/avatars.db` - `Library/VoiceShortcuts` - `Library/Avatar/CoreDataBackend` - `Documents/DemoPhotoLibraryTemplate` - `Library/NickNameCache` - `Library/com.apple.internal.ck` - `Library/Reminders` - `Library/Shortcuts` - `Library/MessagesMetaData` - `Library/Application Support/com.apple.Home/demoMode` - `Library/Mobile Documents` - `Library/Application Support/CloudDocs` - `Library/DuetExpertCenter/Backups` - `Library/Wallpapers` - `Library/ExposureNotification` - `Library/Photos/Libraries` - `Library/DoNotDisturb/DB/GlobalConfiguration.json` - `Library/Application Support/FileProvider` - `Library/CloudStorage` - `Library/com.apple.PrivacyDisclosure` </details> ## KeyboardDomain Root Path: `/var/mobile` <details> <summary>RelativePathsNotToBackupToDrive</summary> - `Library/Keyboard/BigramLearning_ja_JP.db.bundle` - `Library/Keyboard/LearningSet_zh_Hans.plist` - `Library/Keyboard/LearningSet_zh_Hant.plist` - `Library/Keyboard/PhraseLearning_ja_JP.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hans.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hans_Stroke.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_Cangjie.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_Stroke.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_Sucheng.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_pinyin.db.bundle` - `Library/Keyboard/PhraseLearning_zh_Hant_zhuyin.db.bundle` - `Library/Keyboard/completion-learning-dictionary-zh-Hans` - `Library/Keyboard/completion-learning-dictionary-zh-Hant` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hans.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_pinyin.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_zhuyin.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_Cangjie.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hans_Stroke.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_Stroke.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hant_Sucheng.db` - `Library/Keyboard/DynamicPhraseLexicon_zh_Hans_Wubixing.db` - `Library/Keyboard/DynamicPhraseLexicon_ja_JP.db` - `Library/DynamicBigramPhraseLexicon_ja_JP.db` - `Library/Keyboard/Lexierra_ja_JP-dynamic-text.dat` - `Library/Keyboard/LexicalLearning_ja_JP.dat` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Library/Keyboard/Typology` - `Library/Keyboard/CoreDataUbiquitySupport` - `Library/Keyboard/appusagedatabase.plist` - `Library/Keyboard/app_usage_database.plist` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/Keyboard/Typology` - `Library/Keyboard/CoreDataUbiquitySupport` - `Library/Keyboard/appusagedatabase.plist` - `Library/Keyboard/app_usage_database.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Keyboard` </details> ## DatabaseDomain Root Path: `/var/db` <details> <summary>RelativePathsNotToMigrate</summary> - `lsd/com.apple.lsdidentifiers.plist` </details> <details> <summary>RelativePathsNotToRemoveIfNotRestored</summary> - `timezone/localtime` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `lsd/com.apple.lsdidentifiers.plist` - `timezone/localtime` - `com.apple.xpc.launchd` - `PlugInKit-Annotations` </details> ## InstallDomain Root Path: `/var/installd` <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> - `Library/MobileInstallation/BackedUpState` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/MobileInstallation/BackedUpState` </details> ## TonesDomain Root Path: `/var/mobile` <details> <summary>RelativePathAggregateDictionaryGroups</summary> - ` `: `tones` </details> <details> <summary>RelativePathsNotToBackup</summary> This was empty but still included, not sure why. </details> <details> <summary>RelativePathsNotToBackupToDrive</summary> This was also empty but still included. </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Media/Purchases` - `Media/iTunes_Control/Ringtones` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Media/iTunes_Control/iTunes/Ringtones.plist` </details> ## RootDomain Root Path: `/var/root` <details> <summary>RelativePathsNotToBackup</summary> - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.coreservices.appleidauthenticationinfo.plist` - `Library/Preferences/com.apple.osanalytics.OTATaskingAgent.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.xpc.activity2.plist` - `Library/Preferences/com.apple.cltm.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.powerd.bdc.plist` - `Library/Preferences/com.apple.wifi.manager.plist` - `Library/Caches/locationd/cache_unencrypted.db` </details> <details> <summary>RelativePathsNotToRestore</summary> - `Library/Preferences/com.apple.mmcs.plist` - `Library/Preferences/com.apple.coreservices.appleidauthenticationinfo.plist` - `Library/Preferences/com.apple.osanalytics.OTATaskingAgent.plist` - `Library/Preferences/com.apple.rtcreporting.plist` - `Library/Preferences/com.apple.xpc.activity2.plist` - `Library/Preferences/com.apple.cltm.plist` - `Library/Preferences/com.apple.MobileAsset.plist` - `Library/Preferences/com.apple.powerd.bdc.plist` - `Library/Preferences/com.apple.wifi.manager.plist` - `Library/Caches/locationd/cache_unencrypted.db` </details> <details> <summary>RelativePathsNotToCheckIfModifiedDuringBackup</summary> - `Library/Caches/Backup` - `Library/Caches/Backup/properties.plist` - `Library/Caches/Backup/placeholder_entitlements.plist` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Caches/locationd/clients.plist` - `Library/Caches/locationd/gyroCal.db` - `Library/Caches/locationd/significant.plist` - `Library/Caches/locationd/significantVisitAuth.plist` - `Library/Caches/locationd/significantVisitInterest.plist` - `Library/Caches/Backup/properties.plist` - `Library/Caches/Backup/placeholder_entitlements.plist` - `Library/Caches/Backup/enable_cloudkit` - `Library/Preferences` - `Library/Caches/locationd/consolidated.db` </details> ## NetworkDomain Root Path: `/var/networkd` <details> <summary>RelativePathsToBackupAndRestore</summary> - `Library/Preferences/com.apple.symptomsd.plist` </details> ## BooksDomain Root Path: `/var/mobile/Media/Books` `ShouldDigest = false` <details> <summary>RelativePathsNotToBackupToDrive</summary> `# don't remove items not restored` </details> <details> <summary>RelativePathsToRestoreOnly</summary> `# restore everything backed up` </details> <details> <summary>RelativePathsNotToBackup</summary> This was empty but still included. </details> <details> <summary>RelativePathsOfSystemFilesToAlwaysRestore</summary> `# restore everything backed up` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - ` `: `books` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> This was empty but needs to be included. </details> ## HomeKitDomain Root Path: `/var/mobile` <details> <summary>RelativePathsNotToBackupToService</summary> - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `Library/homed/protected-home.config` - `Library/homed/transaction-journal` - `Library/homed/protected-metadata.config` - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Library/homed/protected-home.config` - `Library/homed/transaction-journal` - `Library/homed/protected-metadata.config` - `Library/homed/datastore.sqlite` - `Library/homed/datastore.sqlite-shm` - `Library/homed/datastore.sqlite-wal` - `Library/homed/plain-metadata.config` - `Library/homed/datastore3.sqlite` - `Library/homed/datastore3.sqlite-shm` - `Library/homed/datastore3.sqlite-wal` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> This was empty but needs to be included. </details> ## KeychainDomain Root Path: `/var/Keychains` <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `keychain-backup.plist` </details> <details> <summary>RelativePathsNotToCheckIfModifiedDuringBackup</summary> Not empty but has a single item with an empty string value. - ` ` </details> <details> <summary>RelativePathsNotToRestore</summary> - `ocspcache.sqlite3` </details> <details> <summary>RelativePathsNotToBackupToDrive</summary> - `keychain-ota-backup.plist` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `keychain-backup.plist` </details> <details> <summary>RelativePathsNotToBackup</summary> - `ocspcache.sqlite3` </details> <details> <summary>RelativePathAggregateDictionaryGroups</summary> - `keychain-backup.plist`: `keychain` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> - `keychain-backup.plist` - `keychain-ota-backup.plist` - `TrustStore.sqlite3` </details> ## HealthDomain Root Path: `/var/mobile/Library` <details> <summary>RelativePathsNotToBackupInMegaBackup</summary> - `Health` - `Health/Local` </details> <details> <summary>RelativePathsToRemoveOnRestore</summary> - `Health` </details> <details> <summary>RelativePathsNotToBackupToService</summary> - `Health` </details> <details> <summary>RelativePathsToRestoreOnly</summary> - `Health` - `locationd/user.plist` - `MedicalID` </details> <details> <summary>RelativePathsToOnlyBackupEncrypted</summary> - `Health` - `locationd/user.plist` - `MedicalID` </details> <details> <summary>RelativePathsNotToBackup</summary> - `Health/Local` </details> <details> <summary>RelativePathsToBackupAndRestore</summary> This was empty but needs to be included. </details> This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,191 @@ # A deep dive into the iOS backup/restore system | Table of Contents | | ----------------- | | - [Intro](#intro) | | - [What is a domain?](#what-is-a-domain) | | - [Backup structure and Manifest.mbdb](#backup-structure-and-manifestmbdb)<br> - [Status.plist](#statusplist)<br> - [Manifest.plist](#manifestplist)<br> - [Info.plist](#infoplist)<br> - [Manifest.mbdb](#manifestmbdb)<br> - [The webclip permissions incident](#the-webclip-permissions-incident) | | - [iOS 17 and mobile partitioning](#ios-17-and-mobile-partitioning) | | - [Skipping the setup](#skipping-the-setup)<br> - [CloudConfigurationDetails.plist](#cloudconfigurationdetailsplist)<br> - [com.apple.purplebuddy.plist](#comapplepurplebuddyplist) | | - [Notable domains](#notable-domains)<br> - [HomeDomain](#home-domain)<br> - [ManagedPreferencesDomain](#managed-preferences-domain) | | - [Sparserestore](#sparserestore)<br> - [The exploit](#the-exploit)<br> - [The patch](#the-patch) | | - [Sources](#sources) | ## Intro Many of the writeups reverse engineering the iOS backup system are outdated and do not necessarily represent how it works in modern day. They also tended to describe the structure of a backup file, but do not detail the on-device process of restoring a backup behind the scenes. The goal of this writeup is to document my findings on the backup system over the years and what I learned while developing [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Nugget](https://github.com/leminlimez/Nugget-Mobile). I will also be covering the Sparserestore exploit. There is not a lot of documentation of how the backup domains map to the iOS file system, so I am compiling what I found here. ## What is a domain? In a backup, domains tell iOS what files to restore and where. It is both a way of organization and a security measure. Having domains prevents attackers from using restores to write anywhere in the file system. There are 2 different kinds of domains. The main type of domain is simply mapped to a file path. For example, `HomeDomain` is equivalent to `/var/mobile` but with some restrictions for what can and cannot be restored (specified in the iOS backend). There are not much to these, they just act like a container. The second type of domain requires an extension. There are 3 domains that utilize this, `SysContainerDomain`, `SysSharedContainerDomain`, and `AppDomain`. They have a trailing `-` where the extension is added. For `SysContainerDomain` and `SysSharedContainerDomain`, the container name goes after the `-` character. This is also the name of the subfolder in the file system, which makes it strange for why it needs to be a special kind of domain. This way of handling it is ultimately what made it vulnerable (see [Sparserestore](#sparserestore)). For `AppDomain`, the app bundle id goes after the `-` character. This makes sense because the file system uses a unique identifier or UUID to hash app folder names, so the restore system needs to specifically handle this scenario. Outside of the domain itself, the path will act the same as the regular domains. There used to be a file in `/System/Library/Backup/domains.plist` that listed many of the paths and what could be backed up, but it was removed in iOS 17, seemingly correlated to separating the `/var` and `/var/mobile` partitions (see more at [iOS 17 and mobile partitioning](#ios-17-and-mobile-partitioning)). The file did not include the domains `SysContainerDomain-`, `SysSharedContainerDomain-`, or `AppDomain-` due to their different handling of the subpaths. A markdown version of the file can be found in `Domains.md` if you would like to learn more about what can and cannot be restored in each domain. **Note:** Domains will not restore to cache folders even when told to backup everything. Certain caches or files (i.e. eligibility.plist) will get reset upon the invokation of a restore, even if it does not wipe the device. ## Backup structure and Manifest.mbdb Backups are structured as a folder containing 4 main files and the contents of the files being restored. The main files are `Info.plist`, `Manifest.mbdb`, `Manifest.plist`, and `Status.plist`. The file contents have no extension and are titled by the SHA1 hashes of the file. ### Status.plist The `Status.plist` file contains values about the status of the backup. One of these values is `IsFullBackup`, which is set to false for partial restores. Also in `Status.plist` is the `Version` value, which is the version of backups being used. For partial restores, the version key should be set to `2.4` since we are using the `Manifest.mbdb` file. Though version 3.2 backups can be created using `Manifest.db` instead, they are not useful for partial restores like I am covering here. The `UUID` field does not matter much, so I just set it to `00000000-0000-0000-0000-000000000000`. The `Date` field denotes when the backup was taken, but it can just be set to `1970-01-01T00:00:00Z`. The last two fields are `BackupState` and `SnapshotState`, they should be set to `new` and `finished` respectively for our partial restore. ### Manifest.plist `Manifest.plist` provides some basic information about the backup itself. The `Lockdown` field can just be an empty dictionary. For the `SystemDomainsVersion` and `Version`, I just used the values `20.0` and `9.1` respectively. I am not sure what the importance of these values are but they are required to finish the backup. Finally, there is the `BackupKeyBag` value. This stores KeyBag data in base64. You can find the full value I used in [Cowabunga Lite Py's create_backup.py code](https://github.com/leminlimez/CowabungaLitePy/blob/b73b128dc738df8a68e8147418b54f61b13ab82e/devicemanagement/create_backup.py#L160). ### Info.plist `Info.plist` isn't as important, so I will not cover what's in it. For the sake of a partial restore, an empty plist file can be used. ### Manifest.mbdb The main file in a backup is `Manifest.mbdb`. It stores the domains, file locations, SHA1 hashes, and many more details about what is being restored. The structure of the file itself has already been well documented, you can find that [here](https://www.theiphonewiki.com/wiki/ITunes_Backup#Manifest.mbdb). For this writeup, I will only be covering certain fields that I deem important and the structure of the files/directories prior to being placed in the manifest. File paths must list out every directory in sorted order. If 2 files are in the same directory, it should only list the file without relisting the directory. Same goes with directories. Separate directories are listed after all the files in the previous directory have been listed. Here is an example: ``` HomeDomain (domain/directory) HomeDomain Library (directory) HomeDomain Library/Preferences (directory) HomeDomain Library/Preferences/com.apple.springboard.plist (file) HomeDomain Library/Preferences/com.apple.UIKit.plist (file) HomeDomain Library/SpringBoard (directory) HomeDomain Library/SpringBoard/statusBarOverrides (file) ``` For both files and directories, owner and group permissions need to be specified. In testing, the value put usually did not seem to impact the outcome ([aside from one time](#the-webclip-permissions-incident)), but its usually safer to just use the mobile permission of `501` for most. Only files need to be hashed, directories do not. The hash is calculated as `sha1(domain + '-' + file_path)`. This hash will be placed both in `Manifest.mbdb` and used as the name for the file's contents inside the backup's folder. Another file-specific value is the inode. It provides an index for attributes about the file. No two files should have the same inode unless they are being linked. Linking should not happen in a regular partial restore. Doing so may cause the file to not restore at all. You can read about the specific use case of inodes in the [Sparserestore section](#sparserestore). ### The webclip permissions incident As I stated earlier, permissions usually do not seem to matter. There was one time where it did impact iOS in a weird way though. This is not super important to the writeup, I just wanted to share this story. Early on in Cowabunga Lite's development, there was a bug in the backup generator's code where the permissions were incorrectly set due to a missing `0`. In 64 bit systems, integers are 4 bytes long. The permissions are integer values being written to the file as hexadecimal. The bytes that are supposed to be used for the permissions are `00 00 01 F5`, which is `501` in decimal. However, in the restore code, the missing `0` caused the permissions to be set to `50 00 01 F5`, which is a very large (clearly incorrect) number. It took a `5` from the end of the previous byte. You can see the issue... This was not noticable at first. Many of the files modified by Cowabunga Lite were not impacted by this mistake. After implementing icon theming using webclips, the issue became apparent. The webclips would show up on the home screen as usual and functioned like normal. They can also be deleted like normal, or so I thought. When deleting them, they would disappear from the home screen, but as soon as the device was rebooted, they would come back. The permissions prevented iOS from being able to delete the webclips from the file system. Luckily, this was realized before making it to the public and a fix was made. To prevent this or other weird issues from happening to you if you are writing your own `Manifest.mbdb` generator, I recommend just using the mobile permission of `501` unless the file you are modifying needs a different permission. ## iOS 17 and mobile partitioning In iOS 17, Apple made many modifications to the backup system. Notably, `/var/mobile` was moved to its own partition to separate it from `/var`. Attempting to traverse from one to the other will usually lead to a bootloop or restore error. Traditionally, backup files were stored in `/var/backup` as they are being restored. With the introduction of the mobile partition in iOS 17, a new backup folder was created for domains in the mobile partition, `/var/mobile/backup`. All domains that map to the mobile folder now get placed there upon restore. ## Skipping the setup When tweaking files using partial restores, the setup screen can be very annoying. It can also be risky sometimes and start trying to overwrite your data with an iCloud backup. This is why finding methods to skip the setup are crucial. There are 2 files that Cowabunga Lite uses to fully skip the setup. ### CloudConfigurationDetails.plist The first and primary skip setup file is `CloudConfigurationDetails.plist`. This is used by the Apple Configurator app to skip the setup when making changes to supervised devices. Conveniently, this file has a key called `SkipSetup`. This key contains a list of which menu screens should be skipped on setup. In Apple Configurator, the user is able to select which screens get skipped. To get the list of values for this key, you need a mac with Apple Configurator and a jailbreakable device. On Apple Configurator, prepare the device and select all the screens to skip during setup. This process will wipe the device so be ready to set it up again. After it is done, jailbreak the device and get the file from the following file path: ``` /var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/SharedDeviceConfiguration.plist ``` You should now have every key you need to skip the setup process. **Important:** You also need to set the value `CloudConfigurationUIComplete` to `true` otherwise you could get the device stuck on a bugged setup screen. The file can then be restored using the following domain and path: ``` Domain: SysSharedContainerDomain-systemgroup.com.apple.configurationprofiles Path: Library/ConfigurationProfiles/SharedDeviceConfiguration.plist ``` It should be noted that this may mess with existing configuration profiles. This should not be done on enterprise supervised devices. ### com.apple.purplebuddy.plist In iOS 17.2, Apple introduced a new setup screen to deter the user from partial restores. This was presumably added because of Cowabunga Lite 😒 <img src="https://preview.redd.it/iphone-partially-set-up-screen-shows-up-even-after-a-dfu-v0-k35idx04jqnc1.jpeg?auto=webp&s=30fea8f7420b0833ebe5d17257bec4c87f36ce81" alt="Partial Restore Screen" height="400"/> The screen was a warning about the security of partial restores, contained a giant blue shiny button with the words "Erase and Start Over" and tiny blue text below it saying "Continue with Partial Setup". Obviously not ideal for a customization tool like Cowabunga Lite where a user could accidentally wipe their entire phone. On top of ruining Cowabunga Lite, Apple also ruined their enterprise app by doing this. They added no way to skip this screen, even for their own software. Sometimes, this screen would even show up after doing a full restore from iTunes. What's worse, the screen sometimes would never go away, even after a fresh wipe or restore. This was so bad that on occasion, it would get stuck in a loop on this screen and you would have to erase anyway. They felt so threatened over a goofy cow app that they made a mess of a half baked screen plagued with issues. Apologies for the rant, but I did manage to find a way to bypass it. Using [Managed Preferences](#managed-preferences-domain), the setup information can be force overwritten and make iOS think the setup was already complete. This does not skip the other setup screens like `CloudConfigurationDetails.plist` does but it still manages to skip the partial setup screen for some reason. There are 2 keys in the plist that need to be set to `true`: `SetupDone` and `SetupFinishedAllSteps`. After that, the plist should be restored to the following domain and path: ``` Domain: ManagedPreferencesDomain Path: mobile/com.apple.purplebuddy.plist ``` This should now skip the partial setup screen. ## Notable domains ### Home Domain The main domain for writing to `/var/mobile` is `HomeDomain`. While there are others that write to the mobile folder, `HomeDomain` is where most of the files are backed up or restored to. It is where the preference files are stored and has some interesting modifications that can be done with it. Cowabunga Lite utilizes this domain for both its webclip theming and changing the status bar overrides. Cowabunga Lite used to use this domain to modify preference files, but it has since changed to using Managed Preferences for its many benefits listed in the next section. ### Managed Preferences Domain This is the most interesting domain. It takes priority of preference files stored in `/var/mobile/Library/Preferences`. Values in a preference file will always choose the one in Managed Preferences over the one from the mobile file. In addition, Managed Preferences appends to the version of the file in mobile rather than overriding it. This means that changes can be set without having to read user preferences or reset them back to default, which would happen when using `HomeDomain`. Seems great, right? But that's not all it's capable of. Unlike `HomeDomain`, `ManagedPreferencesDomain` has no file restrictions when it comes to restoring, which means many files that were not intended to be modifiable can be changed. One example is `com.apple.iokit.IOMobileGraphicsFamily.plist`. This file contains the resolution of the device. This was clearly not meant to be touched, and Apple even prevented it from being restorable in `HomeDomain` (which you can see if you look at `RelativePathsNotToRestore` in Domains.md). Since there are no restrictions in `ManagedPreferencesDomain`, the file can be restored there and the resolution of the device can be changed. **Disclaimer:** I do not recommend changing this file unless you really know what you are doing. You can really mess up your device this way and it could lead to potential data loss. As covered in [Skipping the setup](#skipping-the-setup), `com.apple.purplebuddy.plist` is another useful preference we can modify. It too is unable to be restored to `HomeDomain`, but it is able to be restored to `ManagedPreferencesDomain` without restriction. All of these properties combined make this a very powerful domain for modifying files. It is probably the most powerful domain for restoring outside of exploits like Sparserestore. ## Sparserestore ### The exploit The Sparserestore exploit is a very simple exploit at its core. It uses backpathing to continuously go back to the parent until it reaches root, allowing to write anywhere in the file system on the `/var` partition that is not SSV protected. Sparserestore works on 2 domains, `SysContainerDomain` and `SysSharedContainerDomain`. As you know from the ["What is a domain?"](#what-is-a-domain) section, these are special domains that utilize the `-` character to determine the subdirectory. After the `-` character, a backpath (`..`) can be used to traverse up the tree. Using the `/` character after the backpath, you can continuously traverse upwards until you hit root. Take the following domain: ``` SysContainerDomain-../../../../../../../.. ``` After `-`, you are currently in the directory: ``` /private/var/.backup.i/var/root/Library/Backup/SystemContainers/Data/ ``` **Note:** In the `SysSharedContainersDomain`, you will be in the `/Shared/` folder instead of the `/Data/` folder. This is your starting path. The first `../` means that you will be in the `SystemContainers` folder. The second `../` will leave you in the `Backup` folder. If you continue backpathing, you will end up in the directory `/private`. This is its own partition separate from `/var`, so we cannot exit this. However, we do not need to leave this as we can do everything we need in `/private/var` anyway. Once you reach root, you can place any file path afterwards. Though you can go straight to the file directly, it is better to restore to `/var/backup` instead. This will have the same effect as restoring to the file directly, but will be less likely to fail since there will not already be a file at that path. At the end of the restore, we can crash the restore by restoring a file directly to `/private`. Normally, a crash would cancel the backup and no files would change. However, using the exploit, the files will still be restored to. This has the added benefit of skipping the setup entirely without having to modify files like Cowabunga Lite, which can break configuration profiles. Since it takes place in the domain, listing every directory in the path is not necessary. All that is needed is the domain as a directory and the file. Though not necessary for everything, inodes can be used to create a hard link to a different file. In Sparserestore, a temporary file is created containing the data contents that are intended to be restored. The inode value for this temporary file will be set intentionally when creating the restore. The file you are intending to restore should be added to the manifest next. The contents of the file should be null data, implemented as `b""` in Python. The inode of this file should be set to the same value as the temporary file's inode. After this, the hard link needs to be broken. To break it, Sparserestore is used to navigate to the file location of the temp file in `/var/.backup.i` and break it by setting the contents to null data. This is not needed for the majority of files. It is only needed when replacing an executable binary, as done by [TrollRestore](https://github.com/JJTech0130/TrollRestore). You can see how this is implemented in [TrollRestore's code here](https://github.com/JJTech0130/TrollRestore/blob/8efae439bd033e73b0fde8456838eaece90b6f54/trollstore.py#L101). ### The patch Sparserestore was patched in iOS 18.1 developer beta 5 (iOS 18.1 public beta 2). To patch it, Apple restricted domains from containing a `/` character. While the backpath still works, it can only go back a single path to the `SystemContainers` folder. This is not useful for escaping the scope of the domain. ## Sources - [iPhone Wiki](https://www.theiphonewiki.com/wiki/ITunes_Backup) - [Cowabunga Lite](https://github.com/leminlimez/CowabungaLite) and [Cowabunga Lite Py](https://github.com/leminlimez/CowabungaLitePy) - [Nugget](https://github.com/leminlimez/Nugget) and [Nugget (mobile)](https://github.com/leminlimez/Nugget-Mobile) - [TrollRestore](https://github.com/JJTech0130/TrollRestore)