
Reverse Engineering Apple's typedstream Format

wpm

This is perfectly timed, as I wanted to find a way to programmatically modify my Mac's AppleScript display settings/theme. For whatever reason, they're stored as typedstream format, embedded in a plist in base64. Found an old implementation/header from 1999 from Mac OS X Server v1.2, signed by Bertrand Serlet, and was going to dig in when I found the time. Now I can dig into this.

css

The plist is probably a binary plist (header bytes `bplist00`) generated by NSKeyedArchiver, and then the specific data you need is encoded inside. Edited iMessages are stored in the exact same way. Luckily the plist itself is not that complex–but typedstream is pesky to work with.

wpm

The plist is no issue, but it's the values therein where you run into typedstreams. For every setting for the Script Editor's formatting, there is a separate dictionary, with an NSColor and NSFont key set to a data type value. The data is a base64-encoded `streamtyped` file. Passing it through base64 decode and running `file` on the output gives back `NeXT/Apple typedstream data, little endian, version 4, system 1000`, just as in the OP.
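The check described in the comment above (decode each data value in the plist and identify it as a typedstream), as an added example that is not part of the thread. It assumes the usual header layout (version byte, length-prefixed signature, then a tagged system version); the `ExampleStyle` key and the filler payload are constructed for illustration.

```python
import plistlib

# Signature string decides byte order, matching the two results `file` can report.
SIGNATURES = {b"streamtyped": "little", b"typedstream": "big"}

def typedstream_header(blob):
    """Return (byte_order, version, system_version), or None if not a typedstream."""
    if len(blob) < 2:
        return None
    version, sig_len = blob[0], blob[1]
    order = SIGNATURES.get(blob[2:2 + sig_len])
    rest = blob[2 + sig_len:]
    if order is None or not rest:
        return None
    if rest[0] == 0x81:                      # tag: a 2-byte integer follows
        if len(rest) < 3:
            return None                      # truncated header
        system = int.from_bytes(rest[1:3], order, signed=True)
    else:                                    # assumed: small value stored in one byte
        system = int.from_bytes(rest[:1], order, signed=True)
    return order, version, system

def find_typedstreams(node, path=""):
    """Walk a decoded plist and yield (key path, header) per typedstream data value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_typedstreams(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_typedstreams(value, f"{path}/{index}")
    elif isinstance(node, bytes):
        header = typedstream_header(node)
        if header:
            yield path, header

def scan(plist_bytes):
    # plistlib reads XML and binary plists and base64-decodes <data> for us.
    return dict(find_typedstreams(plistlib.loads(plist_bytes)))

# Constructed sample: real header bytes followed by filler, not a valid archive.
HEADER = b"\x04\x0bstreamtyped\x81\xe8\x03"
SAMPLE = plistlib.dumps({"ExampleStyle": {      # hypothetical settings key
    "NSColor": HEADER + b"\x00" * 4,
    "NSFont": HEADER + b"\x00" * 4,
    "Note": b"not a stream",
}})

if __name__ == "__main__":
    for path, header in scan(SAMPLE).items():
        print(path, header)
```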

wpm

The only reason I want to do this is because I wipe a Mac nearly weekly, and need it set up more or less the same way again. I could probably just drop the .plist in that directory and Bob's your uncle, but I also would change the fonts Script Editor is using to a third-party font not installed, so I don't want to have to worry about weird order of operation BS, and also find a way to set it to any arbitrary font, as I often change out the "fixed width" font I use in all the editors for that week (I have favorites, not just a favorite, gotta keep it fresh, ya know).

I figured that since Script Editor and the AppleScript components of macOS are so old and creaky, they were forgotten leftovers in the Yellow Box that no one bothered to fix. I had no idea typedstreams were still being used in modern Apple software.

nativeit

Question from a relatively uninformed sysadmin/freelance I.T. provider—will these new iMessage functions allow for 3rd-party applications (i.e.—CRMs, client support platforms, etc.) to read and/or work with incoming iMessages from my iCloud account? The only thing I really miss since coming from Android was my ability to consolidate all of my client communications, many of whom send text messages first and foremost (which I prefer).

css

Apple provides Messages for Business [0], but if you have a machine that can read the iMessages as they come in, you could use the library [1] that powers `imessage-exporter` as a bridge.

[0]: https://register.apple.com/messages

[1]: https://docs.rs/imessage-database/latest/

bengarney

I have a product that does exactly this. E-mail me at ben AT theengine DOT co, I'd love to show it to you and see if it would help.

setr

Don’t know if it helps, but I know iMessage stores message data on MacBooks inside a SQLite file; I was scanning through it previously because I was trying to do a bulk search.

dbyte

The grandfather of protobuf. Lost in the tales of time.

dim13

Grandfather of Protobuf is ASN.1

foobiekr

Very much so. Pretty much all of these protocols are simplifications of ASN.1 and in some cases (like protobuf) there are a handful of things that got lost because the wire formats didn’t have them as they didn’t need them. A schema indicator being the single biggest flaw in protobuf.

orf

Why is the lack of a schema indicator the biggest flaw of protobuf?

TeMPOraL

One usually has two grandfathers, so it still works out.

userbinator

The telco industry, including GSM and its successors, uses ASN.1 widely.

css

iMessage uses a very strange amalgamation of typedstream (message content), keyed archives (app messages, sticker data), and protobufs (Digital Touch, handwriting) for different features. I wonder what motivated all of those design decisions.

bengarney

This stuff is such a PIA to parse. I assume it's just different teams doing different features over the years, and being alternately repulsed/seduced by each format. Probably features are implemented as libraries so there isn't a master oversight - they aren't trying to make iMessage's internal formats follow a consistent plan, just let all the libs coexist...

meibo

Maybe they should be repulsed, considering all of the journalists that are getting persecuted and/or murdered because they are getting pwned through iMessage serialization bugs :)

pixel_tracing

As someone who used to work on that team, it’s so interesting hearing thoughts from the external public on the team.

userbinator

"Those who don't understand ASN.1 are doomed to reinvent it, poorly."

That said, it could be much worse --- JSON, or XML.

swiftcoder

Nice writeup! I wonder if gnustep's NSUnarchiver could be augmented for full compatibility with Foundation?

lt_snuffles

I was curious how ChatGPT can analyze this given some general instructions: https://chatgpt.com/share/67a102b0-b3e4-8003-974d-2ef73a738a...