aboutsummaryrefslogtreecommitdiffstats
path: root/contrib/libs/libmagic/magic/Magdir/android
blob: 8a2dedf3d2d9db6bb5ee5377ed026b54ae0bae49 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
#------------------------------------------------------------
# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $
# Various android related magic entries
#------------------------------------------------------------

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0	string	dex\n
>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
>4	string	>000			version %s
0	string	dey\n
>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string	>000			version %s

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
# https://github.com/djrbliss/loki/blob/master/loki.h#L43
0		string	ANDROID!	Android bootimg
>1024	string	LOKI		\b, LOKI'd
>>1028	lelong	0			\b (boot)
>>1028	lelong	1			\b (recovery)
>8		lelong	>0			\b, kernel
>>12	lelong	>0			\b (%#x)
>16		lelong	>0			\b, ramdisk
>>20	lelong	>0			\b (%#x)
>24		lelong	>0			\b, second stage
>>28	lelong	>0			\b (%#x)
>36		lelong	>0			\b, page size: %d
>38		string	>0			\b, name: %s
>64		string	>0		 	\b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek 
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
#            android-backup-extractor/perl/backupencrypt.pl 
# Note:	only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0	string/b	ANDROID\ BACKUP\n	Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16	string		\n			
# No mime-type defined officially
!:mime	application/x-google-ab
!:ext	ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15	string		>\0			\b, version %s
# "1" on 3rd line means compressed
>17	string		0\n			\b, Not-Compressed
>17	string		1\n			\b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19	string		none\n			\b, Not-Encrypted
# look for backup content after line with encryption info
#>>19	search/7	\n
# data part after header for not encrypted Android Backup 
#>>>&0	ubequad		x	\b, content %#16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0	indirect	x	\b; contains 
# look for tar archive block by ./archive for package name manifest
>>288	string		ustar	\b; contains
>>>31	use	tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079	search/1025/s	PK\003\004	\b; contains 
#>>>&0	indirect	x
>19	string		!none			
>>19    regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1		string	>\0	\b, PASSWORD salt: "%-128.128s"
#>>>&1		regex/1l .*	\b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1		regex/1l .*	\b, Master salt: %s
# The 7th line is Number of PBDKF2 Rounds (10000)
#>>>>>&1	regex/1l .*	\b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1	regex/1l .*	\b, IV: %s
#>>>>>>&1	regex/1l .*	\b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1	regex/1l .*	\b, Key: %s
# look for new line separator char after line number 9
#>>>0x204	ubyte	0x0a	NL found
#>>>>&1		ubequad	x	\b, Content magic %16.16llx

# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung's smartphone with Android
# used by flash software Odin
0		ulelong			0x12349876
# 1st pit entry marker
>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4		ulelong			<128	Partition Information Table for Samsung smartphone
>>>4		ulelong			x	\b, %d entries
# 1. pit entry
>>>4		ulelong			>0	\b; #1
>>>0x01C	use				PIT-entry
>>>4		ulelong			>1	\b; #2
>>>0x0A0	use				PIT-entry
>>>4		ulelong			>2	\b; #3
>>>0x124	use				PIT-entry
>>>4		ulelong			>3	\b; #4
>>>0x1A8	use				PIT-entry
>>>4		ulelong			>4	\b; #5
>>>0x22C	use				PIT-entry
>>>4		ulelong			>5	\b; #6
>>>0x2B0	use				PIT-entry
>>>4		ulelong			>6	\b; #7
>>>0x334	use				PIT-entry
>>>4		ulelong			>7 	\b; #8
>>>0x3B8	use				PIT-entry
>>>4		ulelong			>8 	\b; #9
>>>0x43C	use				PIT-entry
>>>4		ulelong			>9	\b; #10
>>>0x4C0	use				PIT-entry
>>>4		ulelong			>10	\b; #11
>>>0x544	use				PIT-entry
>>>4		ulelong			>11	\b; #12
>>>0x5C8	use				PIT-entry
>>>4		ulelong			>12	\b; #13
>>>>0x64C	use				PIT-entry
# 14. pit entry
>>>4		ulelong			>13	\b; #14
>>>>0x6D0	use				PIT-entry
>>>4		ulelong			>14	\b; #15
>>>0x754	use				PIT-entry
>>>4		ulelong			>15	\b; #16
>>>0x7D8	use				PIT-entry
>>>4		ulelong			>16	\b; #17
>>>0x85C	use				PIT-entry
# 18. pit entry
>>>4		ulelong			>17	\b; #18
>>>0x8E0	use				PIT-entry

0	name			PIT-entry
# garbage value implies end of pit entries
>0x00		ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# skip empty partition name
>>0x24		ubyte				!0
# partition name
>>>0x24		string				>\0			%-.32s
# flags
>>>0x0C		ulelong&0x00000002		2			\b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08	ulelong		x			(%#x)
# filename
>>>0x44		string				>\0			"%-.64s"
#>>>0x18	ulelong				>0
# blocksize in 512 byte units ?
#>>>>0x18	ulelong				x			\b, %db
# partition size in blocks ?
#>>>>0x22	ulelong				x			\b*%d

# Android sparse img format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
0		lelong	0xed26ff3a		Android sparse image
>4		leshort	x			\b, version: %d
>6		leshort	x			\b.%d
>16		lelong	x			\b, Total of %d
>12		lelong	x			\b %d-byte output blocks in
>20		lelong	x			\b %d input chunks.

# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# The strength is increased to avoid misidentifying as Targa image data
0	lelong	0x00080003	Android binary XML
!:strength +1

# Android cryptfs footer
# From https://android.googlesource.com/\
# platform/system/vold/+/refs/heads/master/cryptfs.h
0	lelong	0xd0b5b1c4	Android cryptfs footer
>4	leshort	x	\b, version: %d
>6	leshort	x	\b.%d

# Android Vdex format
# From https://android.googlesource.com/\
# platform/art/+/master/runtime/vdex_file.h
0	string	vdex	Android vdex file,
>4	string	>000	verifier deps version: %s,
>8	string	>000	dex section version: %s,
>12	lelong	>0	number of dex files: %d,
>16	lelong	>0	verifier deps size: %d

# Android Vdex format, dexfile is currently being updated
# by android system
# From https://android.googlesource.com/\
# platform/art/+/master/dex2oat/dex2oat.cc
0	string	wdex	Android vdex file, being processed by dex2oat,
>4	string	>000	verifier deps version: %s,
>8	string	>000	dex section version: %s,
>12	lelong	>0	number of dex files: %d,
>16	lelong	>0	verifier deps size: %d

# Disassembled DEX files
0	string/t	.class\x20
>&0	regex/512	\^\\.super\x20L.*;$	disassembled Android DEX Java class (smali/baksmali)
!:ext	smali

# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm
# Reference: https://android.googlesource.com/platform/frameworks/support/\
#            +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
#            src/main/java/androidx/profileinstaller/ProfileTranscoder.java
# Reference: https://android.googlesource.com/platform/frameworks/support/\
#            +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
#            src/main/java/androidx/profileinstaller/ProfileVersion.java
0	string	pro\x00
>0	regex	pro\x000[0-9][0-9]\x00	Android ART profile
!:ext	prof
>>4	string	001\x00	\b, version 001 N
>>4	string	005\x00	\b, version 005 O
>>4	string	009\x00	\b, version 009 O MR1
>>4	string	010\x00	\b, version 010 P
>>4	string	015\x00	\b, version 015 S
0	string	prm\x00
>0	regex	prm\x000[0-9][0-9]\x00	Android ART profile metadata
!:ext	profm
>>4	string	001\x00	\b, version 001 N
>>4	string	002\x00	\b, version 002

# Android package resource table (ARSC): resources.arsc
# Reference: https://android.googlesource.com/platform/tools/base/\
#            +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\
#            src/main/java/com/google/devrel/gmscore/tools/apk/arsc
# 00: resource table type = 0x0002 (2) + header size = 12 (2)
# 04: chunk size (4, skipped)
# 08: #packages (4)
0	ulelong	0x000c0002	Android package resource table (ARSC)
!:ext	arsc
>8	ulelong	!1	\b, %d packages
# 12: string pool type = 0x0001 (2) + header size = 28 (2)
# 16: chunk size (4, skipped)
# 20: #strings (4), #styles (4), flags (4)
>12	ulelong	0x001c0001
>>20	ulelong	!0	\b, %d string(s)
>>24	ulelong	!0	\b, %d style(s)
>>28	ulelong	&1	\b, sorted
>>28	ulelong	&256	\b, utf8

# extracted APK Signing Block
-16	string	APK\x20Sig\x20Block\x2042	APK Signing Block