#------------------------------------------------------------------------------
# $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $
# linux: file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
# The following basic Linux magic is useful for reference, but using
# "long" magic is a better practice in order to avoid collisions.
#
# 2 leshort 100 Linux/i386
# >0 leshort 0407 impure executable (OMAGIC)
# >0 leshort 0410 pure executable (NMAGIC)
# >0 leshort 0413 demand-paged executable (ZMAGIC)
# >0 leshort 0314 demand-paged executable (QMAGIC)
#
0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC)
>16 lelong 0 \b, stripped
#
0 string \007\001\000 Linux/i386 object file
>20 lelong >0x1020 \b, DLL library
# Linux-8086 stuff:
0 string \01\03\020\04 Linux-8086 impure executable
>28 long !0 not stripped
0 string \01\03\040\04 Linux-8086 executable
>28 long !0 not stripped
#
0 string \243\206\001\0 Linux-8086 object file
#
0 string \01\03\020\20 Minix-386 impure executable
>28 long !0 not stripped
0 string \01\03\040\20 Minix-386 executable
>28 long !0 not stripped
0 string \01\03\04\20 Minix-386 NSYM/GNU executable
>28 long !0 not stripped
# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
216 lelong 0421 Linux/i386 core file
!:strength / 2
>220 string >\0 of '%s'
>200 lelong >0 (signal %d)
#
# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
# this can be overridden by the DOS executable (COM) entry
2 string LILO Linux/i386 LILO boot/chain loader
#
# Linux make config build file, from Ole Aamot <oka@oka.no>
# Updated by Ken Sharp
28 string make\ config Linux make config build file (old)
49 search/70 Kernel\ Configuration Linux make config build file
#
# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
# Updated by Adam Buchbinder <adam.buchbinder@gmail.com>
# See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html
0 leshort 0x0436 Linux/i386 PC Screen Font v1 data,
>2 byte&0x01 0 256 characters,
>2 byte&0x01 !0 512 characters,
>2 byte&0x02 0 no directory,
>2 byte&0x02 !0 Unicode directory,
>3 byte >0 8x%d
0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data,
>16 lelong x %d characters,
>12 lelong&0x01 0 no directory,
>12 lelong&0x01 !0 Unicode directory,
>28 lelong x %d
>24 lelong x \bx%d
# Linux swap and hibernate files
# Linux kernel: include/linux/swap.h
# util-linux: libblkid/src/superblocks/swap.c
# format v0, unsupported since 2002
0xff6 string SWAP-SPACE Linux old swap file, 4k page size
0x1ff6 string SWAP-SPACE Linux old swap file, 8k page size
0x3ff6 string SWAP-SPACE Linux old swap file, 16k page size
0x7ff6 string SWAP-SPACE Linux old swap file, 32k page size
0xfff6 string SWAP-SPACE Linux old swap file, 64k page size
# format v1, supported since 1998
0 name linux-swap
>0x400 lelong 1 little endian, version %u,
>>0x404 lelong x size %u pages,
>>0x408 lelong x %u bad pages,
>0x400 belong 1 big endian, version %u,
>>0x404 belong x size %u pages,
>>0x408 belong x %u bad pages,
>0x41c string \0 no label,
>0x41c string >\0 LABEL=%s,
>0x40c ubelong x UUID=%08x
>0x410 ubeshort x \b-%04x
>0x412 ubeshort x \b-%04x
>0x414 ubeshort x \b-%04x
>0x416 ubelong x \b-%08x
>0x41a ubeshort x \b%04x
0xff6 string SWAPSPACE2 Linux swap file, 4k page size,
>0 use linux-swap
0x1ff6 string SWAPSPACE2 Linux swap file, 8k page size,
>0 use linux-swap
0x3ff6 string SWAPSPACE2 Linux swap file, 16k page size,
>0 use linux-swap
0x7ff6 string SWAPSPACE2 Linux swap file, 32k page size,
>0 use linux-swap
0xfff6 string SWAPSPACE2 Linux swap file, 64k page size,
>0 use linux-swap
0 name linux-hibernate
>0 string S1SUSPEND \b, with SWSUSP1 image
>0 string S2SUSPEND \b, with SWSUSP2 image
>0 string ULSUSPEND \b, with uswsusp image
>0 string LINHIB0001 \b, with compressed hibernate image
>0 string \xed\xc3\x02\xe9\x98\x56\xe5\x0c \b, with tuxonice image
>0 default x \b, with unknown hibernate image
0xfec string SWAPSPACE2 Linux swap file, 4k page size,
>0 use linux-swap
>0xff6 use linux-hibernate
0x1fec string SWAPSPACE2 Linux swap file, 8k page size,
>0 use linux-swap
>0x1ff6 use linux-hibernate
0x3fec string SWAPSPACE2 Linux swap file, 16k page size,
>0 use linux-swap
>0x3ff6 use linux-hibernate
0x7fec string SWAPSPACE2 Linux swap file, 32k page size,
>0 use linux-swap
>0x7ff6 use linux-hibernate
0xffec string SWAPSPACE2 Linux swap file, 64k page size,
>0 use linux-swap
>0xfff6 use linux-hibernate
#
# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolas Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
# Linux kernel boot images (i386 arch) (Wolfram Kleff)
# URL: https://www.kernel.org/doc/Documentation/x86/boot.txt
514 string HdrS Linux kernel
!:strength + 55
# often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes
# Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin
# DamnSmallLinux 1.5 damnsmll.lnx
!:ext /dat/bin/lnx
>510 leshort 0xAA55 x86 boot executable
>>518 leshort >0x1ff
>>>529 byte 0 zImage,
>>>529 byte 1 bzImage,
>>>526 lelong >0
>>>>(526.s+0x200) string >\0 version %s,
>>498 leshort 1 RO-rootFS,
>>498 leshort 0 RW-rootFS,
>>508 leshort >0 root_dev %#X,
>>502 leshort >0 swap_dev %#X,
>>504 leshort >0 RAMdisksize %u KB,
>>506 leshort 0xFFFF Normal VGA
>>506 leshort 0xFFFE Extended VGA
>>506 leshort 0xFFFD Prompt for Videomode
>>506 leshort >0 Video mode %d
# This also matches new kernels, which were caught above by "HdrS".
0 belong 0xb8c0078e Linux kernel
>0x1e3 string Loading version 1.3.79 or older
>0x1e9 string Loading from prehistoric times
# System.map files - Nicolas Lichtmaier <nick@debian.org>
8 search/1 \ A\ _text Linux kernel symbol map text
# LSM entries - Nicolas Lichtmaier <nick@debian.org>
0 search/1 Begin3 Linux Software Map entry text
0 search/1 Begin4 Linux Software Map entry text (new format)
# From Matt Zimmerman, enhanced for v3 by Matthew Palmer
0 belong 0x4f4f4f4d User-mode Linux COW file
>4 belong <3 \b, version %d
>>8 string >\0 \b, backing file %s
>4 belong >2 \b, version %d
>>32 string >\0 \b, backing file %s
############################################################################
# Linux kernel versions
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
>497 leshort 0 x86 boot sector
>>514 belong 0x8e of a kernel from the dawn of time!
>>514 belong 0x908ed8b4 version 0.99-1.1.42
>>514 belong 0x908ed8b8 for memtest86
>497 leshort !0 x86 kernel
>>504 leshort >0 RAMdisksize=%u KB
>>502 leshort >0 swap=%#X
>>508 leshort >0 root=%#X
>>>498 leshort 1 \b-ro
>>>498 leshort 0 \b-rw
>>506 leshort 0xFFFF vga=normal
>>506 leshort 0xFFFE vga=extended
>>506 leshort 0xFFFD vga=ask
>>506 leshort >0 vga=%d
>>514 belong 0x908ed881 version 1.1.43-1.1.45
>>514 belong 0x15b281cd
>>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0
>>>0xa99 belong 0x55AA5a5a version 1.3.1,2
>>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30
>>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41
>>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45
>>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72
>>514 string HdrS
>>>518 leshort >0x1FF
>>>>529 byte 0 \b, zImage
>>>>529 byte 1 \b, bzImage
>>>>(526.s+0x200) string >\0 \b, version %s
# Linux boot sector thefts.
0 belong 0xb8c0078e Linux
>0x1e6 belong 0x454c4b53 ELKS Kernel
>0x1e6 belong !0x454c4b53 style boot sector
############################################################################
# Linux S390 kernel image
# Created by: Jan Kaluza <jkaluza@redhat.com>
8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390
>0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc
# 64bit
>>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel
>>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel
>>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel
>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel
# 32bit
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel
>>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel
>>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel
############################################################################
# Linux ARM compressed kernel image
# From: Kevin Cernekee <cernekee@gmail.com>
# Update: Joerg Jenderek
0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage
# There are three possible situations: LE, BE with an LE bootloader, and pure BE.
# To help tell these apart a new endian flag was added. To also support kernels
# that predate the flag, and BE kernels with an LE bootloader, we do a negative
# check against the BE variant of the flag when we see an LE magic.
>0x30 belong !0x04030201 (little-endian)
# Raspbian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
!:ext img/bin
>0x30 belong 0x04030201 (big-endian)
0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
############################################################################
# Linux AARCH64 kernel image
0x38 lelong 0x644d5241 Linux kernel ARM64 boot executable Image
>0x18 lelong ^1 \b, little-endian
>0x18 lelong &1 \b, big-endian
>0x18 lelong &2 \b, 4K pages
>0x18 lelong &4 \b, 16K pages
>0x18 lelong &6 \b, 32K pages
############################################################################
# Linux 8086 executable
0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
>5 string .
>>4 string >\0 \b, libc version %s
0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable
>2 byte&0x01 !0 \b, unmapped zero page
>2 byte&0x20 0 \b, impure
>2 byte&0x20 !0
>>2 byte&0x10 !0 \b, A_EXEC
>2 byte&0x02 !0 \b, A_PAL
>2 byte&0x04 !0 \b, A_NSYM
>2 byte&0x08 !0 \b, A_STAND
>2 byte&0x40 !0 \b, A_PURE
>2 byte&0x80 !0 \b, A_TOVLY
>28 long !0 \b, not stripped
>37 string .
>>36 string >\0 \b, libc version %s
# 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable
# 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable
# 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable
# 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable
# SYSLINUX boot logo files (from 'ppmtolss16' sources)
# https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename:
# file extension .lss .16
0 lelong =0x1413f33d SYSLINUX' LSS16 image data
# syslinux-4.05/mime/image/x-lss16.xml
!:mime image/x-lss16
>4 leshort x \b, width %d
>6 leshort x \b, height %d
0 string OOOM User-Mode-Linux's Copy-On-Write disk image
>4 belong x version %d
# SE Linux policy database
# From: Mike Frysinger <vapier@gentoo.org>
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons
# Linux Logical Volume Manager (LVM)
# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
#
# System ID, UUID and volume group name are 128 bytes long,
# but they should never be full, and they are initialized with zeros...
#
# LVM1
#
0x0 string/b HM\001 LVM1 (Linux Logical Volume Manager), version 1
>0x12c string/b >\0 , System ID: %s
0x0 string/b HM\002 LVM1 (Linux Logical Volume Manager), version 2
>0x12c string/b >\0 , System ID: %s
# LVM2
#
# It seems that the label header can be in any one of the first four sectors
# of the disk... (from _find_labeller in lib/label/label.c of LVM2)
#
# 0x200 seems to be the common case
0 name lvm2
# display the UUID in LVM format and show all 32 bytes (instead of the max string length of 31)
>0x0 string >\x2f \b, UUID: %.6s
>0x6 string >\x2f \b-%.4s
>0xa string >\x2f \b-%.4s
>0xe string >\x2f \b-%.4s
>0x12 string >\x2f \b-%.4s
>0x16 string >\x2f \b-%.4s
>0x1a string >\x2f \b-%.6s
>0x20 lequad x \b, size: %lld
# read the offset to add to the start of the header; the header
# starts at 0x200
0x218 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x20) use lvm2
0x018 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x20) use lvm2
0x418 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x20) use lvm2
0x618 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
>&(&-12.l-0x20) use lvm2
# LVM snapshot
# from Jason Farrel
0 string SnAp LVM Snapshot (CopyOnWrite store)
>4 lelong !0 - valid,
>4 lelong 0 - invalid,
>8 lelong x version %d,
>12 lelong x chunk_size %d
# SE Linux policy database
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons
# Summary: Xen saved domain file
# Created by: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
>20 search/256 (name
>>&1 string x (name %s)
# Type: Xen, the virtual machine monitor
# From: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
#>2 regex \(name\ [^)]*\) %s
>20 search/256 (name (name
>>&1 string x %s...)
# Systemd journald files
# See https://www.freedesktop.org/wiki/Software/systemd/journal-files/.
# From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
# Update: Joerg Jenderek
# URL: https://systemd.io/JOURNAL_FILE_FORMAT/
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml
# Note: called "systemd journal" by TrID
# verified by `journalctl --file=user-1000.journal`
# check magic signature[8]
0 string LPKSHHRH
# check that state is one of known values
# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2
>16 ubyte&252 0
# check that each half of three unique id128s is non-zero
# file_id
>>24 ubequad >0
>>>32 ubequad >0
# machine_id
>>>>40 ubequad >0
>>>>>48 ubequad >0
# boot_id; last writer
>>>>>>56 ubequad >0
>>>>>>>64 ubequad >0 Journal file
#!:mime application/octet-stream
!:mime application/x-linux-journal
# provide more info
# head_entry_realtime; contains a POSIX timestamp stored in microseconds
>>>>>>>>184 leqdate/1000000 !0 \b, %s
>>>>>>>>184 leqdate 0 empty
# If a file is closed after writing, the state field should be set to STATE_OFFLINE
>>>>>>>>16 ubyte 0 \b,
# for offline and empty, only the journal~ extension was found
>>>>>>>>>184 leqdate 0 offline
# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html
# GRR: the char ~ must be added inside parse_ext in ../../src/apprentice.c to avoid,
# in file version 5.44, an error like:
!:ext journal~
# for offline and non-empty, often *.journal~ but also user-1001.journal
>>>>>>>>>184 leqdate !0 offline
!:ext journal/journal~
# if a file is opened for writing the state field should be set to STATE_ONLINE
>>>>>>>>16 ubyte 1 \b,
# for online and empty, only the journal~ extension was found
>>>>>>>>>184 leqdate 0 online
# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~
!:ext journal~
# for online and non-empty, only the journal extension was found
>>>>>>>>>184 leqdate !0 online
# system.journal user-1000.journal
!:ext journal
# after a file has been rotated it should be set to STATE_ARCHIVED
>>>>>>>>16 ubyte 2 \b, archived
!:ext journal
# no *.journal~ found
#!:ext journal/journal~
# compatible_flags
>>>>>>>>8 ulelong&1 1 \b, sealed
# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16
#>>>>>>>>12 ulelong x FLAGS=%#x
>>>>>>>>12 ulelong&1 1 \b, compressed
>>>>>>>>12 ulelong&2 !0 \b, compressed lz4
>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24
>>>>>>>>12 ulelong&8 !0 \b, compressed zstd
>>>>>>>>12 ulelong&16 !0 \b, compact
# uint8_t reserved[7]; apparently nil
#>>17 long !0 \b, reserved %#8.8x
# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6
#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx
#>>>>>>>>80 ubequad x b%16.16llx
# header_size like: 100h
>>>>>>>>88 ulequad !0x100h \b, header size %#llx
# arena_size like: 0 7fff00h ffff00h 17fff00h
#>>>>>>>>96 ulequad >0 \b, arena size %#llx
# data_hash_table_offset like: 0 15f0h 15f0h
#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx
# data_hash_table_size like: 0 38e380h
#>>>>>>>>112 ulequad >0 \b, hash table size %#llx
# field_hash_table_offset like: 0 110h
#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx
# field_hash_table_size like: 0 14d0h
#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx
# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h
#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx
# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh
#>>>>>>>>144 ulequad >0 \b, objects %#llx
# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h
>>>>>>>>152 ulequad >0 \b, entries %#llx
# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh
#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx
# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah
#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx
# entry_array_offset like: 0 390058h 3909d8h 3909e0h
#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx
# BCache backing and cache devices
# From: Gabriel de Perthuis <g2p.code@gmail.com>
0x1008 lequad 8
>0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache
>>0x1010 ulequad 0 cache device
>>0x1010 ulequad 1 backing device
>>0x1010 ulequad 3 cache device
>>0x1010 ulequad 4 backing device
>>0x1048 string >0 \b, label "%.32s"
>>0x1028 ubelong x \b, uuid %08x
>>0x102c ubeshort x \b-%04x
>>0x102e ubeshort x \b-%04x
>>0x1030 ubeshort x \b-%04x
>>0x1032 ubelong x \b-%08x
>>0x1036 ubeshort x \b%04x
>>0x1038 ubelong x \b, set uuid %08x
>>0x103c ubeshort x \b-%04x
>>0x103e ubeshort x \b-%04x
>>0x1040 ubeshort x \b-%04x
>>0x1042 ubelong x \b-%08x
>>0x1046 ubeshort x \b%04x
# Linux device tree:
# File format description can be found in the Linux kernel sources at
# Documentation/devicetree/booting-without-of.txt
# From Christoph Biedl
0 belong 0xd00dfeed
# the structure block must be within the blob; the strings block check is omitted to handle devicetrees > 1M
>&(8.L) byte x
>>20 belong >1 Device Tree Blob version %d
>>>4 belong x \b, size=%d
>>>20 belong >1
>>>>28 belong x \b, boot CPU=%d
>>>20 belong >2
>>>>32 belong x \b, string block size=%d
>>>20 belong >16
>>>>36 belong x \b, DT structure block size=%d
# glibc locale archive as defined in glibc locale/locarchive.h
0 lelong 0xde020109 locale archive
>24 lelong x %d strings
# Linux Software RAID (mdadm)
# Russell Coker <russell@coker.com.au>
0 name linuxraid
>16 belong x UUID=%8x:
>20 belong x \b%8x:
>24 belong x \b%8x:
>28 belong x \b%8x
>32 string x name=%s
>72 lelong x level=%d
>92 lelong x disks=%d
4096 lelong 0xa92b4efc Linux Software RAID
>4100 lelong x version 1.2 (%d)
>4096 use linuxraid
0 lelong 0xa92b4efc Linux Software RAID
>4 lelong x version 1.1 (%d)
>0 use linuxraid
# Summary: Database file for mlocate
# Description: A database file as used by mlocate, a fast implementation
# of locate/updatedb. It uses merging to reuse the existing
# database and avoid rereading most of the filesystem. It's
# the default version of locate on Arch Linux (and others).
# File path: /var/lib/mlocate/mlocate.db by default (but configurable)
# Site: https://fedorahosted.org/mlocate/
# Format docs: https://linux.die.net/man/5/mlocate.db
# Type: mlocate database file
# URL: https://fedorahosted.org/mlocate/
# From: Wander Nauta <info@wandernauta.nl>
0 string \0mlocate mlocate database
>12 byte x \b, version %d
>13 byte 1 \b, require visibility
>16 string x \b, root %s
# Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL:
# https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
# From: Pavel Emelyanov <xemul@parallels.com>
0 lelong 0x45311224 iproute2 routes dump
0 lelong 0x47361222 iproute2 addresses dump
# Image and service files for CRIU tool.
# URL: https://criu.org
# From: Pavel Emelyanov <xemul@parallels.com>
0 lelong 0x54564319 CRIU image file v1.1
0 lelong 0x55105940 CRIU service file
0 lelong 0x58313116 CRIU inventory
# Kdump compressed dump files
# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION
0 string KDUMP\x20\x20\x20 Kdump compressed dump
>0 use kdump-compressed-dump
0 name kdump-compressed-dump
>8 long x v%d
>12 string >\0 \b, system %s
>77 string >\0 \b, node %s
>142 string >\0 \b, release %s
>207 string >\0 \b, version %s
>272 string >\0 \b, machine %s
>337 string >\0 \b, domain %s
# Flattened format
0 string makedumpfile
>16 bequad 1
>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump
>>>0x1010 use kdump-compressed-dump
# Device Tree files
0 search/1024 /dts-v1/ Device Tree File (v1)
# must beat the C source code entry
!:strength +14
# e2fsck undo file
# David Gilman <davidgilman1@gmail.com>
0 string E2UNDO02 e2fsck undo file, version 2
>44 lelong x \b, undo file is
>>44 lelong&1 0 not finished
>>44 lelong&1 1 finished
>48 lelong x \b, undo file features:
>>48 lelong&1 0 lacks filesystem offset
>>48 lelong&1 1 has filesystem offset
>>>64 lequad x at %#llx
# ansible vault (does not really belong here)
0 string $ANSIBLE_VAULT; Ansible Vault
>&0 regex [0-9]+\\.[0-9]+ \b, version %s
>>&0 string ;
>>>&0 regex [A-Z0-9]+ \b, encryption %s
# From: Joerg Jenderek
# URL: https://www.gnu.org/software/grub
# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz
# grub-2.06/include/grub/keyboard_layouts.h
# grub-2.06/grub-core/commands/keylayouts.c
# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC
0 string GRUBLAYO GRUB Keyboard
!:mime application/x-grub-keyboard
!:ext gkb
# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10
>8 ulelong !10 \b, version %u
# 4 grub_uint32_t grub_keyboard_layout[160]
# on a normal French keyboard this key is the letter a
>92 ubyte !0x71
>>92 ubyte >0x40 \b, english q is %c
#>732 ubyte x \b, english Q is %c
# on a normal German keyboard this key is the letter z
>124 ubyte !0x79
>>124 ubyte >0x40 \b, english y is %c
#>764 ubyte x \b, english Y is %c