Skip to content
Scripts to extract compound bplists in the iOS -> KnowledgeC.db -> structuredmetadata table.
Branch: master
Clone or download
Latest commit 19a02be Mar 21, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information. combined Mar 21, 2019 combined Mar 21, 2019
run.PNG Add files via upload Mar 2, 2019


Script to extract compound bplists in the iOS -> KnowledgeC.db -> structuredmetadata table.

alt text

Usage: python /path/to/knowledgec.db iosversion [-d false]

  1. Python 3
  2. The ccl_bplist module is required for the scripts to work. It can be found here: (But a version has been inluded in this repo)
  3. The parse protobuf decoder by @Nevermoe ( has been updated to run on Python3 by Craig Rowland from Sandfly Security. This is to be placed in the same directory as the main script.
  4. Export a knowledgeC database from iOS, if you place it in the same directory it will run, otherwise you can run the script and point it to the right path
  5. Set the correct iOS version (11 or 12 supported). The script doesn't automatically identify which version of iOS the database has been extracted from.
  6. Run the script. A timestamp named folder will be created that will contain two folders. One for extracted database content (named dirty) and one for the extracted bplist contained within the extracte database content (clean.)
  7. Timestamped folder will also contain a HTML report with information on the clean bplists.

By default the tool will dump out the nsdata sections of the clean plists, you can turn this off with -d false, but I don't know why you would want to do that.

License: free to use etc, but if you're going to incorporate this into your paid tool and weren't before you read this code or the accompanying post please let me know or give credit.

You can’t perform that action at this time.