file/magic/Magdir/android

#------------------------------------------------------------
# $File: android,v 1.3 2013/11/08 01:24:22 christos Exp $
# Various android related magic entries
#------------------------------------------------------------

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0	string	dex\n
>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
>4	string	>000			version %s
0	string	dey\n
>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string	>000			version %s

# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0	string	ANDROID\040BACKUP\n	Android Backup
>15	string	1\n			\b, version 1
>17	string	0\n			\b, uncompressed
>17	string	1\n			\b, compressed
>19	string	none\n			\b, unencrypted
>19	string	AES-256\n		\b, encrypted AES-256

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
0		string	ANDROID!	Android bootimg
>8		lelong	>0			\b, kernel
>>12	lelong	>0			\b (0x%x)
>16		lelong	>0			\b, ramdisk
>>20	lelong	>0			\b (0x%x)
>24		lelong	>0			\b, second stage
>>28	lelong	>0			\b (0x%x)
>36		lelong	>0			\b, page size: %d
>38		string	>0			\b, name: %s
>64		string	>0		 	\b, cmdline (%s)
# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0	string	dex\n
>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
>4	string	>000			version %s
0	string	dey\n
>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string	>000			version %s

# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0	string	ANDROID\040BACKUP\n	Android Backup
>15	string	1\n			\b, version 1
>17	string	0\n			\b, uncompressed
>17	string	1\n			\b, compressed
>19	string	none\n			\b, unencrypted
>19	string	AES-256\n		\b, encrypted AES-256

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
0		string	ANDROID!	Android bootimg
>8		lelong	>0			\b, kernel
>>12	lelong	>0			\b (0x%x)
>16		lelong	>0			\b, ramdisk
>>20	lelong	>0			\b (0x%x)
>24		lelong	>0			\b, second stage
>>28	lelong	>0			\b (0x%x)
>36		lelong	>0			\b, page size: %d
>38		string	>0			\b, name: %s
>64		string	>0		 	\b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# File extension: .ab
# No mime-type defined
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0	string/b	ANDROID\ BACKUP\n1\n	Android Backup
>17	string		0\n			\b, Not-Compressed
>17	string		1\n			\b, Compressed
# any string as long as it's not the word none (which is matched below)
>>19    regex/1		\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
>>19	string		none\n			\b, Not-Encrypted
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
#>>>&1		regex/1 .*	\b, Password salt: %s
#>>>>&1		regex/1 .*	\b, Master salt: %s
#>>>>>&1	regex/1 .*	\b, PBKDF2 rounds: %s
#>>>>>>&1	regex/1 .*	\b, IV: %s
#>>>>>>>&1	regex/1 .*	\b, Key: %s