Join Us!

whatsapp on iOS: me...
 
Notifications
Clear all

whatsapp on iOS: message receipt timestamp  

  RSS
Rampage
(@rampage)
Active Member

Hello everyone, does anyone know if (and where) whatsapp on iOS stores informations about WHEN a message is successfully delivered to the destination recipient?

it's crucial for an investigation i'm working on

by looking at the database chatstorage.db i've noticed that there is a column named "ZRECEIPTINFO" it's a BLOB tho, and i have no clue on how to decode that blob.

any help is really apreciated.

Thanks in advance.

EDIT ok, at least i've figured out that the content of the ZRECEIPTINFO blob is a binary plist, so it's easy to decode

In the decoded value there are two timestamps, i "think" one is related to when the message was SENT, while the other one when the message was DELIVERED, but I'd love some confirmation because i cant just assume.
Maybe anyone knows? else i'll have to do some tests in the lab.

Quote
Posted : 12/03/2018 12:37 am
Lazza
(@lazza)
New Member

ok, at least i've figured out that the content of the ZRECEIPTINFO blob is a binary plist, so it's easy to decode

In my experience, the contents of ZRECEIPTINFO in recent WhatsApp versions are not binary plists. I realized they are stored as protobuf data and they can be decode with Online Protobuf Decoder or other tools.

For instance, here's a receipt
12-10-0A-07-81-39-33-41-23-45-67-1A-01-00-20-00-00-10-28-00-18-D0-FC-B8-F0-05-20-00It contains the following fields

  1. A string payload which is a nested protobuf
  2. 0A-07-81-39-33-41-23-45-67-1A-01-00-20-00-00-10

  3. A "variant" field containing 0x00
  4. Another "variant" field containing D0-FC-B8-F0-05, that is 1577991760 "raw", the Unix timestamp for 2020-01-02 @ 702pm (UTC)
  5. [/listo]

    The first payload contains this string
    81-39-33-41-23-45-67
    It is not exactly clear what 0x81 means, however here the mobile phone number is +39 334 1234567.

ReplyQuote
Posted : 24/02/2020 4:54 pm
Share: