#------------------------------------------------------------
# $File: android,v 1.16 2019/11/15 21:03:14 christos Exp $
# Various android related magic entries
#------------------------------------------------------------

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
# The 8-byte magic is "dex\n" followed by a 3-digit version and a NUL;
# the regex only confirms the digits, the version itself is printed from
# offset 4 as a string.
0	string		dex\n
>0	regex		dex\n[0-9]{2}\0	Dalvik dex file
>4	string		>000		version %s
# "dey\n" is the host-optimized (odex-style) variant of the same header.
0	string		dey\n
>0	regex		dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string		>000		version %s

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
# https://github.com/djrbliss/loki/blob/master/loki.h#L43
0	string		ANDROID!	Android bootimg
# Images that were patched by the Loki tool carry a "LOKI" marker at
# offset 1024 (see loki.h above); the word at 1028 records which image
# type it was built from. Useful for spotting modified boot/recovery
# images during triage.
>1024	string		LOKI		\b, LOKI'd
>>1028	lelong		0		\b (boot)
>>1028	lelong		1		\b (recovery)
# kernel_size / kernel_addr, ramdisk_size / ramdisk_addr,
# second_size / second_addr: each load address is only printed when the
# corresponding size is non-zero.
>8	lelong		>0		\b, kernel
>>12	lelong		>0		\b (0x%x)
>16	lelong		>0		\b, ramdisk
>>20	lelong		>0		\b (0x%x)
>24	lelong		>0		\b, second stage
>>28	lelong		>0		\b (0x%x)
>36	lelong		>0		\b, page size: %d
# NOTE(review): the lelong at 36 occupies bytes 36-39, so the string
# test at 38 starts inside the page-size field; in bootimg.h name[]
# follows tags_addr/page_size and two further 32-bit words, which would
# put it at offset 48 -- confirm the intended offset before changing.
>38	string		>0		\b, name: %s
# cmdline[] is printed verbatim; it is attacker-controlled data in a
# supplied image, not a trusted value.
>64	string		>0		\b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
# android-backup-extractor/perl/backupencrypt.pl
# Note: only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0	string/b	ANDROID\ BACKUP\n	Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16	string	\n
# No mime-type defined officially
!:mime	application/x-google-ab
!:ext	ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15	string		>\0		\b, version %s
# "1" on 3rd line means compressed
>17	string		0\n		\b, Not-Compressed
>17	string		1\n		\b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19	string		none\n		\b, Not-Encrypted
# look for backup content after line with encryption info
#>>19	search/7	\n
# data part after header for not encrypted Android Backup
#>>>&0	ubequad		x		\b, content 0x%16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0	indirect	x		\b; contains
# look for tar archive block by ./archive for package name manifest
# (only meaningful for the unencrypted, uncompressed case; offset 288 is
# the "ustar" field of the first tar header starting at offset 31)
>>288	string		ustar		\b; contains
>>>31	use		tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079	search/1025/s	PK\003\004	\b; contains
#>>>&0	indirect	x
>19	string		!none
# regex/1l limits the match to a single line, so only the encryption
# algorithm name is echoed, never the key material on the lines after it.
>>19	regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1	string		>\0		\b, PASSWORD salt: "%-128.128s"
#>>>&1	regex/1l	.*		\b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1	regex/1l	.*		\b, Master salt: %s
# The 7th line is Number of PBKDF2 Rounds (10000)
#>>>>>&1	regex/1l	.*		\b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1	regex/1l	.*		\b, IV: %s
#>>>>>>&1	regex/1l	.*		\b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1	regex/1l	.*		\b, Key: %s
# look for new line separator char after line number 9
#>>>0x204	ubyte		0x0a		NL found
#>>>>&1	ubequad		x		\b, Content magic %16.16llx

# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung smartphones with Android
# used by flash software Odin
0	ulelong		0x12349876
# 1st pit entry marker: the mask clears the low two bits of both 32-bit
# words at the entry start, so the test passes only when both words are
# below 4 (a sanity check that the first entry looks genuine).
>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4	ulelong		<128		Partition Information Table for Samsung smartphone
>>>4	ulelong		x		\b, %d entries
# Entries are 0x84 bytes apart, starting at 0x01C. Each "use PIT-entry"
# is guarded only by PIT-entry's own garbage check, not by the count.
# 1. pit entry
>>>4	ulelong		>0		\b; #1
>>>0x01C	use		PIT-entry
>>>4	ulelong		>1		\b; #2
>>>0x0A0	use		PIT-entry
>>>4	ulelong		>2		\b; #3
>>>0x124	use		PIT-entry
>>>4	ulelong		>3		\b; #4
>>>0x1A8	use		PIT-entry
>>>4	ulelong		>4		\b; #5
>>>0x22C	use		PIT-entry
>>>4	ulelong		>5		\b; #6
>>>0x2B0	use		PIT-entry
>>>4	ulelong		>6		\b; #7
>>>0x334	use		PIT-entry
>>>4	ulelong		>7		\b; #8
>>>0x3B8	use		PIT-entry
>>>4	ulelong		>8		\b; #9
>>>0x43C	use		PIT-entry
>>>4	ulelong		>9		\b; #10
>>>0x4C0	use		PIT-entry
>>>4	ulelong		>10		\b; #11
>>>0x544	use		PIT-entry
>>>4	ulelong		>11		\b; #12
>>>0x5C8	use		PIT-entry
# NOTE(review): entries 13 and 14 nest their "use" one level deeper
# (">>>>") than every other entry, so they are additionally gated by the
# count test above them while the others are not -- confirm whether the
# extra nesting is intentional.
>>>4	ulelong		>12		\b; #13
>>>>0x64C	use		PIT-entry
# 14. pit entry
>>>4	ulelong		>13		\b; #14
>>>>0x6D0	use		PIT-entry
>>>4	ulelong		>14		\b; #15
>>>0x754	use		PIT-entry
>>>4	ulelong		>15		\b; #16
>>>0x7D8	use		PIT-entry
>>>4	ulelong		>16		\b; #17
>>>0x85C	use		PIT-entry
# 18. pit entry
>>>4	ulelong		>17		\b; #18
>>>0x8E0	use		PIT-entry

# Named sub-rule invoked by "use PIT-entry" above; all offsets here are
# relative to the start of the entry.
0	name		PIT-entry
# garbage value implies end of pit entries (same low-two-bits mask as the
# first-entry marker)
>0x00	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# skip empty partition name
>>0x24	ubyte		!0
# partition name (at most 32 characters printed)
>>>0x24	string		>\0		%-.32s
# flags
>>>0x0C	ulelong&0x00000002	2	\b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KERNEL,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08	ulelong		x		(0x%x)
# filename (at most 64 characters printed)
>>>0x44	string		>\0		"%-.64s"
#>>>0x18	ulelong		>0
# blocksize in 512 byte units ?
#>>>>0x18	ulelong		x		\b, %db
# partition size in blocks ?
#>>>>0x22	ulelong		x		\b*%d

# Android sparse img format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
0	lelong		0xed26ff3a	Android sparse image
# major_version / minor_version
>4	leshort		x		\b, version: %d
>6	leshort		x		\b.%d
# total_blks, blk_sz, total_chunks (printed in that order for readability)
>16	lelong		x		\b, Total of %d
>12	lelong		x		\b %d-byte output blocks in
>20	lelong		x		\b %d input chunks.

# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
0	lelong		0x00080003	Android binary XML

# Android cryptfs footer
# From https://android.googlesource.com/\
# platform/system/vold/+/refs/heads/master/cryptfs.h
# Only the magic and version are identified; no key material from the
# footer is printed.
0	lelong		0xd0b5b1c4	Android cryptfs footer
>4	leshort		x		\b, version: %d
>6	leshort		x		\b.%d