Technical 2024-08-14 · 7 min read

What's actually in an iPhone backup.

No jargon that doesn't earn its keep. A tour of the file structure every iPhone writes to your computer, what's in the pile, and why some things are absent.

When your iPhone makes a backup, it doesn't produce a single file. It produces a folder — typically tucked away somewhere you'd never think to look — filled with thousands of files with hex names that mean nothing. It looks like this:

~/Library/Application Support/MobileSync/Backup/[uuid]/
├── Manifest.db
├── Manifest.plist
├── Info.plist
├── Status.plist
├── 00/
│   ├── 0000d5edb0e7b... (10 KB)
│   ├── 001c8f88a1c9e... (2.4 MB)
│   └── ...thousands more
├── 01/
├── 02/
└── ...up to ff/

Every one of those hex-named files is something — a message database, a photo, a contact record, a settings plist. The filename is the SHA-1 of a path that used to exist on the phone. Without a map from hex-name to meaning, you can't do anything with it.

The map is Manifest.db

That's the whole secret. Manifest.db is a SQLite database. It's the index. Every file in the backup has a row: its original path on the phone, the domain it belonged to (MediaDomain, HomeDomain, AppDomain-com.burbn.instagram…), and the hex filename you'll find it under.

If you query it:

SELECT
  fileID, domain, relativePath
FROM Files
WHERE relativePath LIKE '%sms.db'

…you find out that 3d0d7e5fb2ce288813306e4d4636395e047a3d28 is your Messages database. Copy it out, open it as SQLite, and you're reading texts.
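
The same lookup as an added Python example (not OpenExtract's code). It relies on two facts about the format: the fileID in Manifest.db is the SHA-1 of the domain and relativePath joined by a hyphen, and each blob sits in a folder named after the first two hex characters of its fileID. The backup folder is constructed for the example, with the Files table reduced to the three columns the query uses, and the names `file_id`, `locate` and `build_sample_backup` are illustrative.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def file_id(domain: str, relative_path: str) -> str:
    """Hex name of a backed-up file: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def locate(backup_dir: Path, suffix: str) -> list:
    """Resolve files whose original path ends in `suffix` to blobs on disk."""
    # mode=ro: inspecting a backup must never modify its index
    uri = (backup_dir / "Manifest.db").resolve().as_uri() + "?mode=ro"
    db = sqlite3.connect(uri, uri=True)
    rows = db.execute(
        "SELECT fileID, domain, relativePath FROM Files "
        "WHERE relativePath LIKE '%' || ?", (suffix,)).fetchall()
    db.close()
    hits = []
    for fid, domain, rel in rows:
        blob = backup_dir / fid[:2] / fid  # e.g. 3d/3d0d7e5f...
        hits.append({"relative_path": rel, "blob": blob, "present": blob.is_file(),
                     "id_ok": fid == file_id(domain, rel)})
    return hits


def build_sample_backup(root: Path) -> Path:
    """Constructed stand-in for a backup folder (not real device data)."""
    backup = root / "constructed-uuid"
    backup.mkdir()
    rows = [("HomeDomain", "Library/SMS/sms.db"),
            ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb")]
    db = sqlite3.connect(backup / "Manifest.db")
    db.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, relativePath TEXT)")
    db.executemany("INSERT INTO Files VALUES (?, ?, ?)",
                   [(file_id(d, p), d, p) for d, p in rows])
    db.commit()
    db.close()
    sms = file_id(*rows[0])
    (backup / sms[:2]).mkdir()
    (backup / sms[:2] / sms).write_bytes(b"constructed placeholder")
    return backup  # the AddressBook blob is left out on purpose


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(locate(build_sample_backup(Path(tmp)), "sms.db"))
```

A row where `id_ok` or `present` is false points at a damaged or incomplete backup, which is worth knowing before trusting anything extracted from it.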

Domains are the categories

Every file lives in a domain, which is iOS's way of saying "which part of the system owns this." There are dozens. A few worth knowing:

What's not in the backup

Apple deliberately excludes certain things. Knowing what's missing is part of knowing what you can recover:

The big picture

That's the whole format. A SQLite index + thousands of hex-named blobs. Every tool that extracts iPhone backups — iMazing, iExplorer, forensic suites, OpenExtract — does roughly this:

  1. Parse Manifest.db to get the map.
  2. If encrypted, use the password to derive keys per Apple's documented scheme (PBKDF2 + key-wrapping).
  3. Locate the databases that matter: sms.db, AddressBook.sqlitedb, CallHistory.storedata, etc.
  4. Query them with plain SQL.
  5. Format the results in a way a human would want to read.

None of it is magic. It's documented. The reason commercial tools charge $50 for it isn't that the work is hard — it's that the work is tedious, and polish-around-the-edges takes time. OpenExtract is our version of that polish, given away because nobody should have to pay to read their own texts.

— The OpenExtract team
