Notifications
Clear all

what is this?

10 Posts
7 Users
0 Reactions
722 Views
nannib
(@nannib)
Active Member
Joined: 17 years ago
Posts: 13
Topic starter  

Hi all, I have a question what could be this
<string>wake</string>
<key>scheduledby</key>
<string>PersConn-apsd-coh.apple.com</string>
<key>time</key>

is it a notification? of what?
Thanks


   
Quote
Logan
(@logan)
Trusted Member
Joined: 15 years ago
Posts: 66
 

Hi nannib,

It would probably help if you inform us what file you obtained it from, as well as the device.


   
ReplyQuote
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

It looks like part of a Property list dictionary. If that's the case, you're missing a key at the top and a value (probably a <real> or <date> tag) at the bottom.


   
ReplyQuote
nannib
(@nannib)
Active Member
Joined: 17 years ago
Posts: 13
Topic starter  

Hi all,
I'm interested to know what is this
PersConn-apsd-coh.apple.com
is it a daemon? What runs it?
I have the time too (not published here), but I'm reading it from a binary dump and I currently can't mount the filesystem….someone can help me?
bye


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Unfortunately, I think Logan hit the nail on the head…it might help if you could provide some context.

I does look as if it might have come from a plist of some kind, but from where? You said a "binary dump"…is this from a memory dump on a Windows system (Apple products such as QuickTime and iTunes install a Scheduled Task which is also in XML format)? If so, which version? Is it from an iDevice? Is it an image? Is it from a memory dump?


   
ReplyQuote
nannib
(@nannib)
Active Member
Joined: 17 years ago
Posts: 13
Topic starter  

it is from a chip-off binary dump of an IPod Touch, it was retrieved by a strings search. )


   
ReplyQuote
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

Hi all, I have a question what could be this
&lt;string&gt;wake&lt;/string&gt;
&lt;key&gt;scheduledby&lt;/key&gt;
&lt;string&gt;PersConn-apsd-coh.apple.com&lt;/string&gt;
&lt;key&gt;time&lt;/key&gt;

is it a notification? of what?
Thanks

the namespace suggests that its an apple process (i.e. not a third party )

playing acronym bingo I've come up with….

Persistent Connection

Apple Push Service Daemon

COH, I don't know. Google has failed me.


   
ReplyQuote
(@indur)
Trusted Member
Joined: 17 years ago
Posts: 67
 

APSD is an Apple daemon responsible for synchronization. Since you specified it's from an iOS device, that's probably part of a system configuration file. (It could be part of an application configuration, a state file, or a log, but those are less likely.) It's certainly an XML Plist. So your carved-out bit is off by a bit – plists go key, then value.

If I had to gin up a plausible explanation (besides asking for more of the file and its path), I'd guess that it's the setting for a periodically-scheduled system wake event to allow the device to do synchronization (i.e., get new data).

Why can't you access the filesystem? If you can find the offset for the start of the filesystem, SleuthKit can handle iOS's HFSX.


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Google did not failed you.

You gave up too soon.

Search for "PersConn-apsd" . . .


   
ReplyQuote
nannib
(@nannib)
Active Member
Joined: 17 years ago
Posts: 13
Topic starter  

I can't mount, for now, because it's difficult to get the right data combination to recover the right order for building the file system, this happens when you make a data dump directly from the memory nand chips…. (
Thanks


   
ReplyQuote
Share: