2 #------------------------------------------------------------
3 # $File: android,v 1.16 2019/11/15 21:03:14 christos Exp $
4 # Various android related magic entries
5 #------------------------------------------------------------
7 # Dalvik .dex format. http://retrodev.com/android/dexformat.html
8 # From <mkf@google.com> "Mike Fleming"
9 # Fixed to avoid regexec 17 errors on some dex files
10 # From <diff@lookout.com> "Tim Strazzere"
# As written, each regex test requires the 4-byte tag ("dex\n" or "dey\n") to
# be followed by two decimal digits and a NUL. The version text is printed
# from offset 4 only when it compares greater than "000".
# Only these leading header bytes are inspected: a match names the container
# type and says nothing about whether the rest of the file is well formed.
# NOTE(review): both tests are continuation lines (">"); the level-0 test
# they attach to is not shown in this listing - confirm against the full file.
12 >0 regex dex\n[0-9]{2}\0 Dalvik dex file
13 >4 string >000 version %s
15 >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
16 >4 string >000 version %s
18 # Android bootimg format
19 # From https://android.googlesource.com/\
20 # platform/system/core/+/master/mkbootimg/bootimg.h
21 # https://github.com/djrbliss/loki/blob/master/loki.h#L43
# Identifies a boot image by the 8-byte tag "ANDROID!" at offset 0 and then
# summarises selected header words, all read as little-endian 32-bit (lelong).
22 0 string ANDROID! Android bootimg
# A "LOKI" tag at offset 1024 is reported as "LOKI'd"; the word at 1028 then
# selects the label boot (0) or recovery (1). Presumably this marks an image
# rewritten by the loki tool linked above, i.e. not the vendor-built original,
# which matters when triaging image integrity - confirm against loki.h.
23 >1024 string LOKI \b, LOKI'd
24 >>1028 lelong 0 \b (boot)
25 >>1028 lelong 1 \b (recovery)
# Each component (kernel, ramdisk, second stage) is named only when the word
# at 8/16/24 is greater than zero; the next word (12/20/28) is printed in hex
# under the same condition. Presumably these pairs are size and load address;
# confirm against bootimg.h.
# NOTE(review): lelong is a signed type, so a word with the top bit set (for
# example an address at or above 0x80000000) fails ">0" and is silently left
# out of the output; ulelong would avoid that - confirm intent.
26 >8 lelong >0 \b, kernel
27 >>12 lelong >0 \b (0x%x)
28 >16 lelong >0 \b, ramdisk
29 >>20 lelong >0 \b (0x%x)
30 >24 lelong >0 \b, second stage
31 >>28 lelong >0 \b (0x%x)
32 >36 lelong >0 \b, page size: %d
# NOTE(review): offset 38 lies inside the 32-bit page-size word read at 36,
# so this test does not look at a separate name field. Presumably the name
# starts at 48 (16 bytes before the cmdline at 64) - verify against bootimg.h.
33 >38 string >0 \b, name: %s
# name and cmdline are free-form text taken from the file being examined;
# treat the printed values as untrusted input in any tooling that parses
# this output.
34 >64 string >0 \b, cmdline (%s)
36 # Android Backup archive
38 # Update: Joerg Jenderek
39 # URL: https://github.com/android/platform_frameworks_base/blob/\
40 # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
41 # android/server/BackupManagerService.java#L2367
42 # Reference: https://sourceforge.net/projects/adbextractor/
43 # android-backup-extractor/perl/backupencrypt.pl
44 # Note: only unix line feeds "\n" found
45 # After the header comes a tar file
46 # If compressed, the entire tar file is compressed with JAVA deflate
# A backup reported below as Not-Encrypted therefore protects its tar payload
# with deflate compression at most: whoever holds the file can read the
# application data in it.
48 # Include the version number hardcoded with the magic string to avoid
50 0 string/b ANDROID\ BACKUP\n Android Backup
51 # maybe look for some more characteristics like linefeed '\n' or version
53 # No mime-type defined officially
54 !:mime application/x-google-ab
# The header is text, one field per line. The 15-byte magic puts the version
# at offset 15.
# NOTE(review): the fixed offsets 17 and 19 used further down assume that the
# version is a single character followed by "\n"; a two-digit version would
# shift the compression and encryption fields.
56 # on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
57 >15 string >\0 \b, version %s
58 # "1" on 3rd line means compressed
59 >17 string 0\n \b, Not-Compressed
60 >17 string 1\n \b, Compressed
61 # The 4th line is encryption "none" or "AES-256"
62 # any string as long as it's not the word none (which is matched below)
63 >19 string none\n \b, Not-Encrypted
64 # look for backup content after line with encryption info
66 # data part after header for not encrypted Android Backup
67 #>>>&0 ubequad x \b, content 0x%16.16llx...
68 # look for zlib compressed by ./compress after message with 1 space at end
69 #>>>&0 indirect x \b; contains
70 # look for tar archive block by ./archive for package name manifest
71 >>288 string ustar \b; contains
73 # look for zip/jar archive by ./archive ./zip after message with 1 space at end
74 #>>2079 search/1025/s PK\003\004 \b; contains
# The alternation below rejects a line that is exactly "none" and prints
# whatever else the file carries on that line as the cipher name. The value
# is not checked against a list of known ciphers, so "Encrypted (...)" is a
# header claim, not proof that the payload is encrypted.
77 >>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
78 # Commented out because they don't seem useful to print
79 # (but they are part of the header - the tar file comes after them):
# NOTE(review): per the notes below, the salts, the PBKDF2 round count and the
# IV are ordinary text lines in the header. Presumably the protection of an
# encrypted backup then rests on the password and the round count - confirm
# against BackupManagerService.
80 # The 5th line is User Password Salt (128 Hex)
81 # string length too high with standard src configuration
82 #>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s"
83 #>>>&1 regex/1l .* \b, Password salt: %s
84 # The 6th line is Master Key Checksum Salt (128 Hex)
85 #>>>>&1 regex/1l .* \b, Master salt: %s
86 # The 7th line is Number of PBKDF2 Rounds (10000)
87 #>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s
88 # The 8th line is User key Initialization Vector (IV) (32 Hex)
89 #>>>>>>&1 regex/1l .* \b, IV: %s
90 #>>>>>>&1 regex/1l .* \b, IV: %s
91 # The 9th line is Master IV+Key+Checksum (192 Hex)
92 #>>>>>>>&1 regex/1l .* \b, Key: %s
93 # look for new line separator char after line number 9
94 #>>>0x204 ubyte 0x0a NL found
95 #>>>>&1 ubequad x \b, Content magic %16.16llx
97 # *.pit files by Joerg Jenderek
98 # https://forum.xda-developers.com/showthread.php?p=9122369
99 # https://forum.xda-developers.com/showthread.php?t=816449
100 # Partition Information Table for Samsung's smartphone with Android
101 # used by flash software Odin
# NOTE(review): every test in this group is a continuation line; the level-0
# magic test it hangs off is not shown in this listing.
103 # 1st pit entry marker
# The mask 0xFFFFFFFCFFFFFFFC keeps everything except the two low bits of each
# 32-bit half, so the 8 bytes at 0x1C pass only when both halves hold 0..3.
104 >0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
105 # minimal 13 and maximal 18 PIT entries found
# The entry count at offset 4 must be below 128 before anything is printed;
# no other bound on the count is visible in this group.
106 >>4 ulelong <128 Partition Information Table for Samsung smartphone
107 >>>4 ulelong x \b, %d entries
# Entries are decoded by the PIT-entry subroutine at fixed offsets 0x84 bytes
# apart, starting at 0x1C. Only 18 slots are listed, so a table that reports
# more entries is shown with its first 18 only.
# NOTE(review): most "use" lines sit at the same level (>>>) as the count test
# printed just before them, so they are not gated by that test and depend on
# the marker check inside PIT-entry to stop. Only #13 and #14 nest the "use"
# one level deeper (>>>>). Confirm which nesting is intended.
109 >>>4 ulelong >0 \b; #1
110 >>>0x01C use PIT-entry
111 >>>4 ulelong >1 \b; #2
112 >>>0x0A0 use PIT-entry
113 >>>4 ulelong >2 \b; #3
114 >>>0x124 use PIT-entry
115 >>>4 ulelong >3 \b; #4
116 >>>0x1A8 use PIT-entry
117 >>>4 ulelong >4 \b; #5
118 >>>0x22C use PIT-entry
119 >>>4 ulelong >5 \b; #6
120 >>>0x2B0 use PIT-entry
121 >>>4 ulelong >6 \b; #7
122 >>>0x334 use PIT-entry
123 >>>4 ulelong >7 \b; #8
124 >>>0x3B8 use PIT-entry
125 >>>4 ulelong >8 \b; #9
126 >>>0x43C use PIT-entry
127 >>>4 ulelong >9 \b; #10
128 >>>0x4C0 use PIT-entry
129 >>>4 ulelong >10 \b; #11
130 >>>0x544 use PIT-entry
131 >>>4 ulelong >11 \b; #12
132 >>>0x5C8 use PIT-entry
133 >>>4 ulelong >12 \b; #13
134 >>>>0x64C use PIT-entry
136 >>>4 ulelong >13 \b; #14
137 >>>>0x6D0 use PIT-entry
138 >>>4 ulelong >14 \b; #15
139 >>>0x754 use PIT-entry
140 >>>4 ulelong >15 \b; #16
141 >>>0x7D8 use PIT-entry
142 >>>4 ulelong >16 \b; #17
143 >>>0x85C use PIT-entry
145 >>>4 ulelong >17 \b; #18
146 >>>0x8E0 use PIT-entry
# Body of the PIT-entry subroutine invoked by the "use PIT-entry" lines.
# Offsets here are relative to the offset given on the calling "use" line.
# NOTE(review): the "name PIT-entry" line and the level-2 parent of the ">>>"
# tests are not shown in this listing - confirm against the full file.
149 # garbage value implies end of pit entries
# Same two-low-bits mask as the first-entry marker: both 32-bit halves of the
# first 8 bytes of the entry must hold a value in 0..3.
150 >0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
151 # skip empty partition name
# The precision in %-.32s caps the printed name at 32 bytes, so a name field
# without a terminating NUL cannot drag in the bytes that follow it.
154 >>>0x24 string >\0 %-.32s
# "+RW" is appended when bit 1 (mask 0x2) of the word at 0x0C is set.
156 >>>0x0C ulelong&0x00000002 2 \b+RW
158 # 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KERNEL,RECOVER,misc;7~RECOVER
159 # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
# The word at 0x08 is printed unconditionally in hex; presumably it is the
# partition identifier listed in the table above - confirm.
160 >>>0x08 ulelong x (0x%x)
# Second string field, capped at 64 bytes by the %-.64s precision.
162 >>>0x44 string >\0 "%-.64s"
164 # blocksize in 512 byte units ?
165 #>>>>0x18 ulelong x \b, %db
166 # partition size in blocks ?
167 #>>>>0x22 ulelong x \b*%d
169 # Android sparse img format
170 # From https://android.googlesource.com/\
171 # platform/system/core/+/master/libsparse/sparse_format.h
# Matches the little-endian 32-bit magic 0xed26ff3a at offset 0, then prints
# header words. The tests at 16, 12 and 20 are listed out of offset order so
# that the output reads as one sentence:
# "Total of N B-byte output blocks in C input chunks."
# The block count and block size are taken from the header as-is. Tools that
# expand untrusted sparse images should bound the declared output size
# (blocks x block size) before allocating or writing.
# NOTE(review): the fields are read as signed lelong and printed with %d, so
# a value with the top bit set would print as negative - confirm whether
# ulelong/%u is wanted.
172 0 lelong 0xed26ff3a Android sparse image
173 >4 leshort x \b, version: %d
175 >16 lelong x \b, Total of %d
176 >12 lelong x \b %d-byte output blocks in
177 >20 lelong x \b %d input chunks.
179 # Android binary XML magic
180 # In include/androidfw/ResourceTypes.h:
181 # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
182 # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# Read as one little-endian 32-bit word, type 0x0003 and header size 0x0008
# combine to 0x00080003. Only these 4 bytes are tested; the 4-byte total size
# that follows is not checked, so a match does not show the chunk is complete
# or well formed.
183 0 lelong 0x00080003 Android binary XML
185 # Android cryptfs footer
186 # From https://android.googlesource.com/\
187 # platform/system/vold/+/refs/heads/master/cryptfs.h
# Matches the little-endian 32-bit magic 0xd0b5b1c4 at offset 0 and prints the
# 16-bit word at offset 4 as the version.
# Because the test is anchored at offset 0, it recognises a footer only when
# it sits at the start of the examined data (for example a footer saved to its
# own file). A footer at the tail of a larger partition image is not detected
# by this entry.
188 0 lelong 0xd0b5b1c4 Android cryptfs footer
189 >4 leshort x \b, version: %d