android 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145
  1. #------------------------------------------------------------
  2. # $File: android,v 1.8 2015/03/19 18:04:37 christos Exp $
  3. # Various android related magic entries
  4. #------------------------------------------------------------
  5. # Dalvik .dex format. http://retrodev.com/android/dexformat.html
  6. # From <mkf@google.com> "Mike Fleming"
  7. # Fixed to avoid regexec 17 errors on some dex files
  8. # From <diff@lookout.com> "Tim Strazzere"
  9. 0 string dex\n
  10. >0 regex dex\n[0-9]{2}\0 Dalvik dex file
  11. >4 string >000 version %s
  12. 0 string dey\n
  13. >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
  14. >4 string >000 version %s
  15. # Android bootimg format
  16. # From https://android.googlesource.com/\
  17. # platform/system/core/+/master/mkbootimg/bootimg.h
  18. 0 string ANDROID! Android bootimg
  19. >1024 string LOKI\01 \b, LOKI'd
  20. >8 lelong >0 \b, kernel
  21. >>12 lelong >0 \b (0x%x)
  22. >16 lelong >0 \b, ramdisk
  23. >>20 lelong >0 \b (0x%x)
  24. >24 lelong >0 \b, second stage
  25. >>28 lelong >0 \b (0x%x)
  26. >36 lelong >0 \b, page size: %d
  27. >38 string >0 \b, name: %s
  28. >64 string >0 \b, cmdline (%s)
  29. # Android Backup archive
  30. # From: Ariel Shkedi
  31. # File extension: .ab
  32. # No mime-type defined
  33. # URL: https://github.com/android/platform_frameworks_base/blob/\
  34. # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
  35. # android/server/BackupManagerService.java#L2367
  36. # After the header comes a tar file
  37. # If compressed, the entire tar file is compressed with JAVA deflate
  38. #
  39. # Include the version number hardcoded with the magic string to avoid
  40. # false positives
  41. 0 string/b ANDROID\ BACKUP\n1\n Android Backup
  42. >17 string 0\n \b, Not-Compressed
  43. >17 string 1\n \b, Compressed
  44. # any string as long as it's not the word none (which is matched below)
  45. >>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
  46. >>19 string none\n \b, Not-Encrypted
  47. # Commented out because they don't seem useful to print
  48. # (but they are part of the header - the tar file comes after them):
  49. #>>>&1 regex/1l .* \b, Password salt: %s
  50. #>>>>&1 regex/1l .* \b, Master salt: %s
  51. #>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s
  52. #>>>>>>&1 regex/1l .* \b, IV: %s
  53. #>>>>>>>&1 regex/1l .* \b, Key: %s
  54. # *.pit files by Joerg Jenderek
  55. # http://forum.xda-developers.com/showthread.php?p=9122369
  56. # http://forum.xda-developers.com/showthread.php?t=816449
  57. # Partition Information Table for Samsung's smartphone with Android
  58. # used by flash software Odin
  59. 0 ulelong 0x12349876
  60. # 1st pit entry marker
  61. >0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
  62. # minimal 13 and maximal 18 PIT entries found
  63. >>4 ulelong <128 Partition Information Table for Samsung smartphone
  64. >>>4 ulelong x \b, %d entries
  65. # 1. pit entry
  66. >>>4 ulelong >0 \b; #1
  67. >>>0x01C use PIT-entry
  68. >>>4 ulelong >1 \b; #2
  69. >>>0x0A0 use PIT-entry
  70. >>>4 ulelong >2 \b; #3
  71. >>>0x124 use PIT-entry
  72. >>>4 ulelong >3 \b; #4
  73. >>>0x1A8 use PIT-entry
  74. >>>4 ulelong >4 \b; #5
  75. >>>0x22C use PIT-entry
  76. >>>4 ulelong >5 \b; #6
  77. >>>0x2B0 use PIT-entry
  78. >>>4 ulelong >6 \b; #7
  79. >>>0x334 use PIT-entry
  80. >>>4 ulelong >7 \b; #8
  81. >>>0x3B8 use PIT-entry
  82. >>>4 ulelong >8 \b; #9
  83. >>>0x43C use PIT-entry
  84. >>>4 ulelong >9 \b; #10
  85. >>>0x4C0 use PIT-entry
  86. >>>4 ulelong >10 \b; #11
  87. >>>0x544 use PIT-entry
  88. >>>4 ulelong >11 \b; #12
  89. >>>0x5C8 use PIT-entry
  90. >>>4 ulelong >12 \b; #13
  91. >>>>0x64C use PIT-entry
  92. # 14. pit entry
  93. >>>4 ulelong >13 \b; #14
  94. >>>>0x6D0 use PIT-entry
  95. >>>4 ulelong >14 \b; #15
  96. >>>0x754 use PIT-entry
  97. >>>4 ulelong >15 \b; #16
  98. >>>0x7D8 use PIT-entry
  99. >>>4 ulelong >16 \b; #17
  100. >>>0x85C use PIT-entry
  101. # 18. pit entry
  102. >>>4 ulelong >17 \b; #18
  103. >>>0x8E0 use PIT-entry
  104. 0 name PIT-entry
  105. # garbage value implies end of pit entries
  106. >0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
  107. # skip empty partition name
  108. >>0x24 ubyte !0
  109. # partition name
  110. >>>0x24 string >\0 %-.32s
  111. # flags
  112. >>>0x0C ulelong&0x00000002 2 \b+RW
  113. # partition ID:
  114. # 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER
  115. # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
  116. >>>0x08 ulelong x (0x%x)
  117. # filename
  118. >>>0x44 string >\0 "%-.64s"
  119. #>>>0x18 ulelong >0
  120. # blocksize in 512 byte units ?
  121. #>>>>0x18 ulelong x \b, %db
  122. # partition size in blocks ?
  123. #>>>>0x22 ulelong x \b*%d
  124. # Android bootimg format
  125. # From https://android.googlesource.com/\
  126. # platform/system/core/+/master/libsparse/sparse_format.h
  127. 0 lelong 0xed26ff3a Android sparse image
  128. >4 leshort x \b, version: %d
  129. >6 leshort x \b.%d
  130. >16 lelong x \b, Total of %d
  131. >12 lelong x \b %d-byte output blocks in
  132. >20 lelong x \b %d input chunks.
  133. # Android binary XML magic
  134. # In include/androidfw/ResourceTypes.h:
  135. # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
  136. # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
  137. 0 lelong 0x00080003 Android binary XML