MFV: r355716
1
2 #------------------------------------------------------------
3 # $File: android,v 1.12 2019/04/19 00:42:27 christos Exp $
4 # Various android related magic entries
5 #------------------------------------------------------------
6
7 # Dalvik .dex format. http://retrodev.com/android/dexformat.html
8 # From <mkf@google.com> "Mike Fleming"
9 # Fixed to avoid regexec 17 errors on some dex files
10 # From <diff@lookout.com> "Tim Strazzere"
# Identification rests on the leading bytes only: the "dex\n" / "dey\n"
# prefix at offset 0, a regex for two digits after that prefix, and the
# string at offset 4, which is printed as the version. Nothing else in the
# file is examined, so a match describes the header and says nothing about
# the integrity or origin of the bytecode that follows.
# NOTE(review): the version text is copied from the file into the output;
# treat it as untrusted when the result is consumed by another tool.
11 0       string  dex\n
12 >0      regex   dex\n[0-9]{2}\0 Dalvik dex file
13 >4      string  >000                    version %s
14 0       string  dey\n
15 >0      regex   dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
16 >4      string  >000                    version %s
17
18 # Android bootimg format
19 # From https://android.googlesource.com/\
20 # platform/system/core/+/master/mkbootimg/bootimg.h
# Matches the 8-byte "ANDROID!" magic at offset 0, then reports each header
# field whose value tests greater than zero. Every field is a little-endian
# 32-bit read at a fixed offset; none is checked against the file size, so
# the printed sizes and addresses are what the header claims, not verified.
21 0               string  ANDROID!        Android bootimg
# "LOKI" followed by byte 0x01 at offset 1024 is reported as "LOKI'd".
# NOTE(review): presumably the marker left by the Loki boot-image patcher;
# worth surfacing when triaging firmware for modified boot images - confirm.
22 >1024   string  LOKI\01         \b, LOKI'd
# lelong is a signed type in magic(5), so with the ">0" tests below a field
# whose top bit is set is skipped silently instead of being reported.
23 >8              lelong  >0                      \b, kernel
24 >>12    lelong  >0                      \b (0x%x)
25 >16             lelong  >0                      \b, ramdisk
26 >>20    lelong  >0                      \b (0x%x)
27 >24             lelong  >0                      \b, second stage
28 >>28    lelong  >0                      \b (0x%x)
29 >36             lelong  >0                      \b, page size: %d
# NOTE(review): offset 38 lies inside the four bytes read as the page size at
# offset 36, so this test looks at the upper half of that field rather than at
# a separate name field - confirm the name offset against bootimg.h.
30 >38             string  >0                      \b, name: %s
# name and cmdline are strings stored in the image and printed with %s;
# consumers of the output should treat them as untrusted text.
31 >64             string  >0                      \b, cmdline (%s)
32
33 # Android Backup archive
34 # From: Ariel Shkedi
35 # Update: Joerg Jenderek
36 # URL: https://github.com/android/platform_frameworks_base/blob/\
37 # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
38 # android/server/BackupManagerService.java#L2367
39 # Reference: https://sourceforge.net/projects/adbextractor/
40 #            android-backup-extractor/perl/backupencrypt.pl
41 # Note: only unix line feeds "\n" found
42 # After the header comes a tar file
43 # If compressed, the entire tar file is compressed with JAVA deflate
44 #
45 # Include the version number hardcoded with the magic string to avoid
46 # false positives
# NOTE(review): the test below matches "ANDROID BACKUP\n" only; the version is
# read separately at offset 15 and is not part of the magic string, so the
# remark above does not describe the entry as written - confirm the intent.
47 0       string/b        ANDROID\ BACKUP\n       Android Backup
48 # maybe look for some more characteristics like linefeed '\n' or version
49 #>16    string          \n
50 # No mime-type defined officially
51 !:mime  application/x-google-ab
52 !:ext   ab
53 # on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
54 >15     string          >\0                     \b, version %s
55 # "1" on 3rd line means compressed
56 >17     string          0\n                     \b, Not-Compressed
57 >17     string          1\n                     \b, Compressed
58 # The 4th line is encryption "none" or "AES-256"
59 # any string as long as it's not the word none (which is matched below)
# "Not-Encrypted" means the tar payload after the header is stored without
# encryption (only optionally deflated, per the notes above); such a backup
# should be handled as readable application data.
60 >19     string          none\n                  \b, Not-Encrypted
61 # look for backup content after line with encryption info
62 #>>19   search/7        \n
63 # data part after header for not encrypted Android Backup
64 #>>>&0  ubequad         x       \b, content 0x%16.16llx...
65 # look for zlib compressed by ./compress after message with 1 space at end
66 #>>>&0  indirect        x       \b; contains
67 # look for tar archive block by ./archive for package name manifest
68 >>288   string          ustar   \b; contains
69 >>>31   use     tar-file
70 # look for zip/jar archive by ./archive ./zip after message with 1 space at end
71 #>>2079 search/1025/s   PK\003\004      \b; contains
72 #>>>&0  indirect        x
73 >19     string          !none                   
# The regex is limited to one line (/1l) and prints whatever that line holds
# as the encryption label, provided it is not exactly "none". The label is
# therefore file-controlled text, not a verified algorithm name.
74 >>19    regex/1l        \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*        \b, Encrypted (%s)
75 # Commented out because they don't seem useful to print
76 # (but they are part of the header - the tar file comes after them):
# The header lines listed below are stored in the clear ahead of the payload.
# NOTE(review): they look like key-derivation parameters plus a wrapped key,
# which would make the password the only secret protecting an encrypted
# backup - confirm against BackupManagerService.java.
77 # The 5th line is User Password Salt (128 Hex)
78 # string length too high with standard src configuration
79 #>>>&1          string  >\0     \b, PASSWORD salt: "%-128.128s"
80 #>>>&1          regex/1l .*     \b, Password salt: %s
81 # The 6th line is Master Key Checksum Salt (128 Hex)
82 #>>>>&1         regex/1l .*     \b, Master salt: %s
83 # The 7th line is Number of PBKDF2 Rounds (10000)
84 #>>>>>&1        regex/1l .*     \b, PBKDF2 rounds: %s
85 # The 8th line is User key Initialization Vector (IV) (32 Hex)
86 #>>>>>>&1       regex/1l .*     \b, IV: %s
87 #>>>>>>&1       regex/1l .*     \b, IV: %s
88 # The 9th line is Master IV+Key+Checksum (192 Hex)
89 #>>>>>>>&1      regex/1l .*     \b, Key: %s
90 # look for new line separator char after line number 9
91 #>>>0x204       ubyte   0x0a    NL found
92 #>>>>&1         ubequad x       \b, Content magic %16.16llx
93
94 # *.pit files by Joerg Jenderek
95 # https://forum.xda-developers.com/showthread.php?p=9122369
96 # https://forum.xda-developers.com/showthread.php?t=816449
97 # Partition Information Table for Samsung's smartphone with Android
98 # used by flash software Odin
# Matches the 32-bit little-endian magic 0x12349876 at offset 0, requires the
# masked 8 bytes at 0x1C to be zero, and accepts an entry count (offset 4)
# below 128. Up to 18 entries are then printed from fixed offsets 0x84 bytes
# apart, each through the named PIT-entry test.
# The count comes from the file and is bounded only by "<128"; entries past
# the 18th are counted in the output but never described.
99 0               ulelong                 0x12349876
100 # 1st pit entry marker
101 >0x01C  ulequad&0xFFFFFFFCFFFFFFFC      =0x0000000000000000
102 # minimal 13 and maximal 18 PIT entries found
103 >>4             ulelong                 <128    Partition Information Table for Samsung smartphone
104 >>>4            ulelong                 x       \b, %d entries
105 # 1. pit entry
# NOTE(review): most "use PIT-entry" lines sit at the same level (>>>) as the
# count test before them, so they appear to run whether or not that count
# test matched; only entries #13 and #14 nest the use one level deeper
# (>>>>) under their count test. Confirm which form is intended.
106 >>>4            ulelong                 >0      \b; #1
107 >>>0x01C        use                             PIT-entry
108 >>>4            ulelong                 >1      \b; #2
109 >>>0x0A0        use                             PIT-entry
110 >>>4            ulelong                 >2      \b; #3
111 >>>0x124        use                             PIT-entry
112 >>>4            ulelong                 >3      \b; #4
113 >>>0x1A8        use                             PIT-entry
114 >>>4            ulelong                 >4      \b; #5
115 >>>0x22C        use                             PIT-entry
116 >>>4            ulelong                 >5      \b; #6
117 >>>0x2B0        use                             PIT-entry
118 >>>4            ulelong                 >6      \b; #7
119 >>>0x334        use                             PIT-entry
120 >>>4            ulelong                 >7      \b; #8
121 >>>0x3B8        use                             PIT-entry
122 >>>4            ulelong                 >8      \b; #9
123 >>>0x43C        use                             PIT-entry
124 >>>4            ulelong                 >9      \b; #10
125 >>>0x4C0        use                             PIT-entry
126 >>>4            ulelong                 >10     \b; #11
127 >>>0x544        use                             PIT-entry
128 >>>4            ulelong                 >11     \b; #12
129 >>>0x5C8        use                             PIT-entry
130 >>>4            ulelong                 >12     \b; #13
131 >>>>0x64C       use                             PIT-entry
132 # 14. pit entry
133 >>>4            ulelong                 >13     \b; #14
134 >>>>0x6D0       use                             PIT-entry
135 >>>4            ulelong                 >14     \b; #15
136 >>>0x754        use                             PIT-entry
137 >>>4            ulelong                 >15     \b; #16
138 >>>0x7D8        use                             PIT-entry
139 >>>4            ulelong                 >16     \b; #17
140 >>>0x85C        use                             PIT-entry
141 # 18. pit entry
142 >>>4            ulelong                 >17     \b; #18
143 >>>0x8E0        use                             PIT-entry
144
# Named test describing one PIT entry; offsets are relative to the position
# given by the calling "use" line. It prints nothing unless the masked first
# 8 bytes are zero and the byte at 0x24 (start of the partition name) is
# non-zero.
145 0       name                    PIT-entry
146 # garbage value implies end of pit entries
147 >0x00           ulequad&0xFFFFFFFCFFFFFFFC      =0x0000000000000000
148 # skip empty partition name
149 >>0x24          ubyte                           !0
150 # partition name
# The precision in %-.32s (and %-.64s for the filename below) caps how much
# file-controlled text reaches the output, even if the field carries no NUL.
151 >>>0x24         string                          >\0                     %-.32s
152 # flags
153 >>>0x0C         ulelong&0x00000002              2                       \b+RW
154 # partition ID:
155 # 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER
156 # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
157 >>>0x08 ulelong         x                       (0x%x)
158 # filename
159 >>>0x44         string                          >\0                     "%-.64s"
160 #>>>0x18        ulelong                         >0
161 # blocksize in 512 byte units ?
162 #>>>>0x18       ulelong                         x                       \b, %db
163 # partition size in blocks ?
164 #>>>>0x22       ulelong                         x                       \b*%d
165
166 # Android sparse img format
167 # From https://android.googlesource.com/\
168 # platform/system/core/+/master/libsparse/sparse_format.h
# Matches the little-endian 32-bit magic 0xed26ff3a at offset 0, then prints
# the two 16-bit version parts at offsets 4 and 6 and the 32-bit values at
# offsets 16, 12 and 20 (in that order, to build the sentence).
# The counters are signed reads printed with %d and are not compared with the
# file size: a value with the top bit set prints as negative, and every
# figure is a header claim, not a verified size.
169 0               lelong  0xed26ff3a              Android sparse image
170 >4              leshort x                       \b, version: %d
171 >6              leshort x                       \b.%d
172 >16             lelong  x                       \b, Total of %d
173 >12             lelong  x                       \b %d-byte output blocks in
174 >20             lelong  x                       \b %d input chunks.
175
176 # Android binary XML magic
177 # In include/androidfw/ResourceTypes.h:
178 # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
179 # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# The test compares one little-endian 32-bit word at offset 0 and has no
# follow-up checks (the 4-byte size field mentioned above is not read).
# NOTE(review): a four-byte match can also hit unrelated data that starts
# with these bytes; confirm with a real parser before relying on the label.
180 0       lelong  0x00080003      Android binary XML