Diffstat (limited to 'magic/Magdir/android')
-rw-r--r-- | magic/Magdir/android | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/magic/Magdir/android b/magic/Magdir/android
new file mode 100644
index 0000000..63296d0
--- /dev/null
+++ b/magic/Magdir/android
@@ -0,0 +1,209 @@
+
+#------------------------------------------------------------
+# $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $
+# Various android related magic entries
+#------------------------------------------------------------
+
+# Dalvik .dex format. http://retrodev.com/android/dexformat.html
+# From <mkf@google.com> "Mike Fleming"
+# Fixed to avoid regexec 17 errors on some dex files
+# From <diff@lookout.com> "Tim Strazzere"
+0 string dex\n
+>0 regex dex\n[0-9]{2}\0 Dalvik dex file
+>4 string >000 version %s
+0 string dey\n
+>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
+>4 string >000 version %s
+
+# Android bootimg format
+# From https://android.googlesource.com/\
+# platform/system/core/+/master/mkbootimg/bootimg.h
+# https://github.com/djrbliss/loki/blob/master/loki.h#L43
+0 string ANDROID! Android bootimg
+>1024 string LOKI \b, LOKI'd
+>>1028 lelong 0 \b (boot)
+>>1028 lelong 1 \b (recovery)
+>8 lelong >0 \b, kernel
+>>12 lelong >0 \b (%#x)
+>16 lelong >0 \b, ramdisk
+>>20 lelong >0 \b (%#x)
+>24 lelong >0 \b, second stage
+>>28 lelong >0 \b (%#x)
+>36 lelong >0 \b, page size: %d
+>38 string >0 \b, name: %s
+>64 string >0 \b, cmdline (%s)
+
+# Android Backup archive
+# From: Ariel Shkedi
+# Update: Joerg Jenderek
+# URL: https://github.com/android/platform_frameworks_base/blob/\
+# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
+# android/server/BackupManagerService.java#L2367
+# Reference: https://sourceforge.net/projects/adbextractor/
+# android-backup-extractor/perl/backupencrypt.pl
+# Note: only unix line feeds "\n" found
+# After the header comes a tar file
+# If compressed, the entire tar file is compressed with JAVA deflate
+#
+# Include the version number hardcoded with the magic string to avoid
+# false positives
+0 string/b ANDROID\ BACKUP\n Android Backup
+# maybe look for some more characteristics like linefeed '\n' or version
+#>16 string \n
+# No mime-type defined officially
+!:mime application/x-google-ab
+!:ext ab
+# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
+>15 string >\0 \b, version %s
+# "1" on 3rd line means compressed
+>17 string 0\n \b, Not-Compressed
+>17 string 1\n \b, Compressed
+# The 4th line is encryption "none" or "AES-256"
+# any string as long as it's not the word none (which is matched below)
+>19 string none\n \b, Not-Encrypted
+# look for backup content after line with encryption info
+#>>19 search/7 \n
+# data part after header for not encrypted Android Backup
+#>>>&0 ubequad x \b, content %#16.16llx...
+# look for zlib compressed by ./compress after message with 1 space at end
+#>>>&0 indirect x \b; contains
+# look for tar archive block by ./archive for package name manifest
+>>288 string ustar \b; contains
+>>>31 use tar-file
+# look for zip/jar archive by ./archive ./zip after message with 1 space at end
+#>>2079 search/1025/s PK\003\004 \b; contains
+#>>>&0 indirect x
+>19 string !none
+>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
+# Commented out because they don't seem useful to print
+# (but they are part of the header - the tar file comes after them):
+# The 5th line is User Password Salt (128 Hex)
+# string length too high with standard src configuration
+#>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s"
+#>>>&1 regex/1l .* \b, Password salt: %s
+# The 6th line is Master Key Checksum Salt (128 Hex)
+#>>>>&1 regex/1l .* \b, Master salt: %s
+# The 7th line is Number of PBDKF2 Rounds (10000)
+#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s
+# The 8th line is User key Initialization Vector (IV) (32 Hex)
+#>>>>>>&1 regex/1l .* \b, IV: %s
+#>>>>>>&1 regex/1l .* \b, IV: %s
+# The 9th line is Master IV+Key+Checksum (192 Hex)
+#>>>>>>>&1 regex/1l .* \b, Key: %s
+# look for new line separator char after line number 9
+#>>>0x204 ubyte 0x0a NL found
+#>>>>&1 ubequad x \b, Content magic %16.16llx
+
+# *.pit files by Joerg Jenderek
+# https://forum.xda-developers.com/showthread.php?p=9122369
+# https://forum.xda-developers.com/showthread.php?t=816449
+# Partition Information Table for Samsung's smartphone with Android
+# used by flash software Odin
+0 ulelong 0x12349876
+# 1st pit entry marker
+>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
+# minimal 13 and maximal 18 PIT entries found
+>>4 ulelong <128 Partition Information Table for Samsung smartphone
+>>>4 ulelong x \b, %d entries
+# 1. pit entry
+>>>4 ulelong >0 \b; #1
+>>>0x01C use PIT-entry
+>>>4 ulelong >1 \b; #2
+>>>0x0A0 use PIT-entry
+>>>4 ulelong >2 \b; #3
+>>>0x124 use PIT-entry
+>>>4 ulelong >3 \b; #4
+>>>0x1A8 use PIT-entry
+>>>4 ulelong >4 \b; #5
+>>>0x22C use PIT-entry
+>>>4 ulelong >5 \b; #6
+>>>0x2B0 use PIT-entry
+>>>4 ulelong >6 \b; #7
+>>>0x334 use PIT-entry
+>>>4 ulelong >7 \b; #8
+>>>0x3B8 use PIT-entry
+>>>4 ulelong >8 \b; #9
+>>>0x43C use PIT-entry
+>>>4 ulelong >9 \b; #10
+>>>0x4C0 use PIT-entry
+>>>4 ulelong >10 \b; #11
+>>>0x544 use PIT-entry
+>>>4 ulelong >11 \b; #12
+>>>0x5C8 use PIT-entry
+>>>4 ulelong >12 \b; #13
+>>>>0x64C use PIT-entry
+# 14. pit entry
+>>>4 ulelong >13 \b; #14
+>>>>0x6D0 use PIT-entry
+>>>4 ulelong >14 \b; #15
+>>>0x754 use PIT-entry
+>>>4 ulelong >15 \b; #16
+>>>0x7D8 use PIT-entry
+>>>4 ulelong >16 \b; #17
+>>>0x85C use PIT-entry
+# 18. pit entry
+>>>4 ulelong >17 \b; #18
+>>>0x8E0 use PIT-entry
+
+0 name PIT-entry
+# garbage value implies end of pit entries
+>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
+# skip empty partition name
+>>0x24 ubyte !0
+# partition name
+>>>0x24 string >\0 %-.32s
+# flags
+>>>0x0C ulelong&0x00000002 2 \b+RW
+# partition ID:
+# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
+# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
+>>>0x08 ulelong x (%#x)
+# filename
+>>>0x44 string >\0 "%-.64s"
+#>>>0x18 ulelong >0
+# blocksize in 512 byte units ?
+#>>>>0x18 ulelong x \b, %db
+# partition size in blocks ?
+#>>>>0x22 ulelong x \b*%d
+
+# Android sparse img format
+# From https://android.googlesource.com/\
+# platform/system/core/+/master/libsparse/sparse_format.h
+0 lelong 0xed26ff3a Android sparse image
+>4 leshort x \b, version: %d
+>6 leshort x \b.%d
+>16 lelong x \b, Total of %d
+>12 lelong x \b %d-byte output blocks in
+>20 lelong x \b %d input chunks.
+
+# Android binary XML magic
+# In include/androidfw/ResourceTypes.h:
+# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
+# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
+0 lelong 0x00080003 Android binary XML
+
+# Android cryptfs footer
+# From https://android.googlesource.com/\
+# platform/system/vold/+/refs/heads/master/cryptfs.h
+0 lelong 0xd0b5b1c4 Android cryptfs footer
+>4 leshort x \b, version: %d
+>6 leshort x \b.%d
+
+# Android Vdex format
+# From https://android.googlesource.com/\
+# platform/art/+/master/runtime/vdex_file.h
+0 string vdex Android vdex file,
+>4 string >000 verifier deps version: %s,
+>8 string >000 dex section version: %s,
+>12 lelong >0 number of dex files: %d,
+>16 lelong >0 verifier deps size: %d
+
+# Android Vdex format, dexfile is currently being updated
+# by android system
+# From https://android.googlesource.com/\
+# platform/art/+/master/dex2oat/dex2oat.cc
+0 string wdex Android vdex file, being processed by dex2oat,
+>4 string >000 verifier deps version: %s,
+>8 string >000 dex section version: %s,
+>12 lelong >0 number of dex files: %d,
+>16 lelong >0 verifier deps size: %d
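Review bot: The bootimg `name` field looks like it is read from the wrong offset: `>38 string >0 \b, name: %s` sits inside the 4-byte `page_size` word that the preceding line reads at offset 36, whereas the bootimg.h this block cites places `tags_addr`, `page_size`, `header_version` and `os_version` after the six kernel/ramdisk/second words, which puts the 16-byte `name` at offset 48, directly before the `cmdline` that this file does read correctly at 64. With the usual 2048/4096 page sizes bytes 38–39 are zero, so the name is silently never printed; I would change the line to `>48 string >0 \b, name: %s`. That layout is from my reading of the referenced header, so confirm against a v0 boot image before changing it. Two smaller points in the commented-out backup-header section: the `#>>>>>>&1 regex/1l .* \b, IV: %s` line appears twice, and the comment says `PBDKF2` where the following magic line correctly says `PBKDF2`.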