# Reverse engineering Mac OS (And iPhone) screen time SQLite db

Based on:
1. [Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage](https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage)
2. [Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db](https://www.mac4n6.com/blog/2018/9/12/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb)


In [1]:
import sqlite3
import os
import pandas as pd

In [2]:
DB_PATH = os.path.join(os.path.expanduser("~"), "Application Support", "Knowledge", "knowledgeC.db")
DB_PATH_DUMP = os.path.join(os.path.expanduser("~"), "knowledgeC_dump20240328.db")

In [3]:
def query_and_fetchall(db_path:str, query:str) -> pd.DataFrame:
    conn = sqlite3.connect(db_path)
    return pd.read_sql_query(query, conn)


### Listing all the tables

In [4]:
q_all_table_names = "SELECT name FROM sqlite_master WHERE type='table'"
df_tables = query_and_fetchall(DB_PATH_DUMP, q_all_table_names)

df_tables

Unnamed: 0,name
0,ZADDITIONCHANGESET
1,ZCONTEXTUALCHANGEREGISTRATION
2,ZCONTEXTUALKEYPATH
3,ZCUSTOMMETADATA
4,Z_4EVENT
5,ZDELETIONCHANGESET
6,ZHISTOGRAM
7,ZHISTOGRAMVALUE
8,ZKEYVALUE
9,ZOBJECT


### See all /app/usage events (note that data is a bit different from the post)

In [5]:
q_app_usage = """
SELECT
  datetime(ZOBJECT.ZCREATIONDATE+978307200,'UNIXEPOCH', 'LOCALTIME') as "event_datetime", 
  CASE ZOBJECT.ZSTARTDAYOFWEEK 
      WHEN "1" THEN "Sunday"
      WHEN "2" THEN "Monday"
      WHEN "3" THEN "Tuesday"
      WHEN "4" THEN "Wednesday"
      WHEN "5" THEN "Thursday"
      WHEN "6" THEN "Friday"
      WHEN "7" THEN "Saturday"
  END "event_dow",
  ZOBJECT.ZSECONDSFROMGMT/3600 AS "event_gtm_offset",
  datetime(ZOBJECT.ZSTARTDATE+978307200,'UNIXEPOCH', 'LOCALTIME') as "event_start", 
  datetime(ZOBJECT.ZENDDATE+978307200,'UNIXEPOCH', 'LOCALTIME') as "event_end", 
  (ZOBJECT.ZENDDATE-ZOBJECT.ZSTARTDATE) as "event_duration",
  ZOBJECT.ZSTREAMNAME event_type, 
  ZOBJECT.ZVALUESTRING event_description,
  ZOBJECT.ZHASCUSTOMMETADATA has_custom_metadadata, 
  ZOBJECT.ZHASSTRUCTUREDMETADATA has_structured_metadata, 
  ZOBJECT.ZSTRING event_zstring, 
  ZOBJECT.ZVALUECLASS event_valueclass, 
  ZSOURCE.ZDEVICEID event_source_dev_id 
FROM ZOBJECT
  LEFT JOIN ZSOURCE ON ZOBJECT.ZSOURCE  = ZSOURCE.Z_PK
  LEFT JOIN ZSTRUCTUREDMETADATA on ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK
WHERE ZSTREAMNAME = "/app/usage" 
ORDER BY "START"
"""

In [6]:
df_app_usage = query_and_fetchall(DB_PATH_DUMP, q_app_usage)
df_app_usage[1000:15300]

Unnamed: 0,event_datetime,event_dow,event_gtm_offset,event_start,event_end,event_duration,event_type,event_description,has_custom_metadadata,has_structured_metadata,event_zstring,event_valueclass,event_source_dev_id
1000,2024-03-12 19:28:10,Tuesday,-3,2024-03-12 19:28:04,2024-03-12 19:28:09,5,/app/usage,com.google.Chrome,0,1,,1,
1001,2024-03-12 19:28:16,Tuesday,-3,2024-03-12 19:28:13,2024-03-12 19:28:16,3,/app/usage,com.google.Chrome,0,1,,1,
1002,2024-03-12 19:28:28,Tuesday,-3,2024-03-12 19:28:22,2024-03-12 19:28:28,6,/app/usage,com.google.Chrome,0,1,,1,
1003,2024-03-12 19:28:48,Tuesday,-3,2024-03-12 19:28:42,2024-03-12 19:28:48,6,/app/usage,com.google.Chrome,0,1,,1,
1004,2024-03-12 19:29:13,Tuesday,-3,2024-03-12 19:29:09,2024-03-12 19:29:13,4,/app/usage,com.google.Chrome,0,1,,1,
...,...,...,...,...,...,...,...,...,...,...,...,...,...
10361,2024-03-24 13:43:12,Sunday,-3,2024-03-24 13:43:00,2024-03-24 13:43:12,12,/app/usage,com.pagerduty.PagerDuty,0,1,,1,380D4F66-0F14-52B1-85FB-B8B9188119BA
10362,2024-03-24 13:44:51,Sunday,-3,2024-03-24 13:44:38,2024-03-24 13:44:51,13,/app/usage,com.pagerduty.PagerDuty,0,1,,1,380D4F66-0F14-52B1-85FB-B8B9188119BA
10363,2024-03-24 14:53:44,Sunday,-3,2024-03-24 14:53:25,2024-03-24 14:53:44,19,/app/usage,com.pagerduty.PagerDuty,0,1,,1,380D4F66-0F14-52B1-85FB-B8B9188119BA
10364,2024-03-25 13:55:14,Monday,-3,2024-03-25 13:54:25,2024-03-25 13:55:14,49,/app/usage,com.pagerduty.PagerDuty,0,1,,1,380D4F66-0F14-52B1-85FB-B8B9188119BA


In [7]:
q_all_events = """
SELECT
  ZOBJECT.Z_PK AS event_id,
  datetime(ZOBJECT.ZCREATIONDATE+978307200,'UNIXEPOCH', 'LOCALTIME') AS event_datetime, 
  CASE ZOBJECT.ZSTARTDAYOFWEEK 
      WHEN "1" THEN "Sunday"
      WHEN "2" THEN "Monday"
      WHEN "3" THEN "Tuesday"
      WHEN "4" THEN "Wednesday"
      WHEN "5" THEN "Thursday"
      WHEN "6" THEN "Friday"
      WHEN "7" THEN "Saturday"
  END AS event_dow,
  ZOBJECT.ZSECONDSFROMGMT/3600 AS event_gtm_offset,
  datetime(ZOBJECT.ZSTARTDATE+978307200,'UNIXEPOCH', 'LOCALTIME') AS event_start, 
  datetime(ZOBJECT.ZENDDATE+978307200,'UNIXEPOCH', 'LOCALTIME') AS event_end, 
  (ZOBJECT.ZENDDATE-ZOBJECT.ZSTARTDATE) AS event_duration,
  ZOBJECT.ZSTREAMNAME AS event_type, 
  ZOBJECT.ZVALUESTRING AS event_description,

  ZOBJECT.ZHASCUSTOMMETADATA AS has_custom_md, 
  ZCUSTOMMETADATA.ZNAME AS custom_md_name,
  ZCUSTOMMETADATA.ZDOUBLEVALUE AS custom_md_double_value,
  ZCUSTOMMETADATA.ZSTRINGVALUE AS custom_md_string_value,
  ZOBJECT.ZHASSTRUCTUREDMETADATA AS has_structured_md, 
  ZSTRUCTUREDMETADATA.Z_DKINTENTMETADATAKEY__INTENTVERB AS structured_md_intent_verb, 
  ZSTRUCTUREDMETADATA.Z_DKINTENTMETADATAKEY__INTENTCLASS AS structured_md_intent_class, 
  ZSTRUCTUREDMETADATA.Z_DKINTENTMETADATAKEY__DERIVEDINTENTIDENTIFIER AS structured_md_derived_intent_id,
  ZSTRUCTUREDMETADATA.Z_CDENTITYMETADATAKEY__NAME AS structured_md_entity_name,
  ZSTRUCTUREDMETADATA.Z_DKNOTIFICATIONUSAGEMETADATAKEY__BUNDLEID AS structured_md_bundle_id,
  HEX(ZSTRUCTUREDMETADATA.Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION) AS structured_md_serialized_interaction,
  --ZOBJECT.ZSTRING AS event_zstring, 
  ZOBJECT.ZVALUECLASS AS event_valueclass, 
  ZSOURCE.ZDEVICEID AS source_dev_id ,
  ZSOURCE.ZGROUPID as source_group_id,
  ZSOURCE.ZITEMID AS source_item_id,
  ZSOURCE.ZBUNDLEID AS  source_boundle_id,
  CURRENT_TIMESTAMP AS extraction_dt
FROM ZOBJECT
  LEFT JOIN ZSOURCE ON ZOBJECT.ZSOURCE  = ZSOURCE.Z_PK
  LEFT JOIN ZSTRUCTUREDMETADATA ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK
  LEFT JOIN Z_4EVENT ON ZOBJECT.Z_PK = Z_4EVENT.Z_11EVENT
  LEFT JOIN ZCUSTOMMETADATA ON Z_4EVENT.Z_4CUSTOMMETADATA = ZCUSTOMMETADATA.Z_PK
"""

In [8]:
df_all_events = query_and_fetchall(DB_PATH_DUMP, q_all_events)

In [9]:
import duckdb

con = duckdb.connect("../io/targets/20240328_ddb_test.duckdb")
duckdb.sql("CREATE TABLE all_events_stg AS SELECT * FROM df_all_events")


### Now testing abstracted functions

In [10]:
import sys


base_path = os.getcwd().rsplit(os.path.sep, 2)[0]
relative_path = 'python_projects/mac_and_iphone_screentime_exporter'
module_path = os.path.join(base_path, relative_path)
print(module_path)
if module_path not in sys.path:
    sys.path.append(module_path)

/Users/andy/notaarguello/notaarguello_repo/python_projects/mac_and_iphone_screentime_exporter


In [11]:
from mac_and_iphone_screentime_exporter.services import backup_sqlite_db

In [12]:
backup_sqlite_db(
    sqlite_orig_path=DB_PATH_DUMP,
    duckdb_dest_path="../io/targets/20240402_ddb_test.duckdb",
    duckdb_dest_tbl="knowledgeCdb_all_events",
    query=q_all_events,
    incremental_on=("event_id", "extraction_dt"))