Mapping of the obfuscated keys (or questions) used by iOS's MobileGestalt to the de-obfuscated, easier-to-understand ones. To obfuscate a key, Apple calculates the base64 of `MGCopyAnswer{theKey}`, truncates the last two characters and calculates the MD5 from the resulting string.
It is our job to de-obfuscate them all.
The keys are currently based on iOS 18.2.
The key names follow a few patterns, which can be useful for de-obfuscation.
- Kebab case
  - `some-key-name`
  - `has-xxx`
  - `supports-xxx`
- Pascal case of `DeviceSupportsXXX` (common)
- Pascal case of `XXXCapability` (common)
  - `FrontFacing(Camera)XXXCapability`
  - `RearFacing(Camera)XXXCapability`
- Pascal case of `SupportsXXX`
- Pascal case of `HasXXX`
- Pascal case of `IsXXX`
- Pascal case of `XXXData` (usually comes alongside another key without the `Data` suffix in it)
There are also keys that are obfuscated the same way but are not considered MobileGestalt keys. That is, you can't use `MGCopyAnswer` to get the value of the key. Instead, they are used for retrieving the value from the `IODeviceTree`, in an obfuscated manner. These keys are mostly in kebab case and have a Pascal-case equivalent, which is the one actually used by `MGCopyAnswer`. In the mapping files, these keys are marked with a comment `// non-gestalt-key`.
- Extract `libMobileGestalt.dylib` from the `dyld_shared_cache` of an iOS device
- Run the `deobfuscate.sh` script to get the new unmapped obfuscated keys
- Throw the dylib into Hopper or IDA to find the human-readable function that is referenced by each key
- Update the key mapping in `deobfuscated.py`
- Run `deobfuscate.sh` again to update the mapping and to also verify that each function name converts to the obfuscated key it references
- Move all keys that fail to convert to `unknown_keys_desc` of `keys_desc.py`, if any
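
The verification step above, as an added example that is not part of this repository's scripts: it recomputes the obfuscated form of each candidate name and separates the entries that fail to convert. It assumes the order used by public implementations of this scheme (MD5 of `MGCopyAnswer` + key, base64 of the digest, last two characters dropped); the function names and the sample mapping are constructed for illustration.

```python
import base64
import hashlib

PREFIX = "MGCopyAnswer"  # prepended to every key name before hashing


def obfuscate(key):
    """Assumed order: MD5(PREFIX + key) -> base64 -> drop the 2 padding chars."""
    digest = hashlib.md5((PREFIX + key).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:-2]  # 24 chars -> 22


def kebab_to_pascal(name):
    """'some-key-name' -> 'SomeKeyName'. Heuristic: real names may case acronyms differently."""
    return "".join(p[:1].upper() + p[1:] for p in name.split("-"))


def verify_mapping(mapping):
    """Split {obfuscated: candidate_name} into (verified, failed) dicts."""
    verified, failed = {}, {}
    for obf, name in mapping.items():
        (verified if obfuscate(name) == obf else failed)[obf] = name
    return verified, failed


def resolve(unmapped, candidates):
    """Try each candidate, and its Pascal-case form, against unmapped keys."""
    found = {}
    for cand in candidates:
        for form in (cand, kebab_to_pascal(cand)):
            obf = obfuscate(form)
            if obf in unmapped:
                found[obf] = form
    return found


# Constructed sample mapping: two correct entries and one wrong guess.
SAMPLE = {
    obfuscate("DeviceName"): "DeviceName",
    obfuscate("ProductType"): "ProductType",
    obfuscate("SerialNumber"): "SerialNumbr",  # deliberate typo, must fail
}

if __name__ == "__main__":
    ok, bad = verify_mapping(SAMPLE)
    print("verified:", sorted(ok.values()))
    print("move to unknown:", sorted(bad.values()))
    todo = {obfuscate("SomeKeyName")}  # constructed unmapped key
    print("resolved:", resolve(todo, ["some-key-name", "has-xxx"]))
```
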
- Jonathan Levin
- Timac
- Siguza
- Elias Limneos
- PoomSmart
- JackoPlane