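
#------------------------------------------------------------
# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $
# Various android related magic entries
#
# All of these describe untrusted input. Every read below is either at a
# fixed offset or explicitly bounded (regex/1l, regex/512, string precision),
# and size/address fields are only printed, never used as offsets. Keep it
# that way when extending the file.
#------------------------------------------------------------

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
# The cheap string test guards the regex so it is only run on candidates.
0	string		dex\n
>0	regex		dex\n[0-9]{2}\0	Dalvik dex file
>4	string		>000		version %s
0	string		dey\n
>0	regex		dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string		>000		version %s

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
# https://github.com/djrbliss/loki/blob/master/loki.h#L43
# Offsets follow the legacy boot_img_hdr layout of the referenced header:
# 8 kernel_size, 12 kernel_addr, 16 ramdisk_size, 20 ramdisk_addr,
# 24 second_size, 28 second_addr, 32 tags_addr, 36 page_size,
# 48 name[16] (asciiz product name), 64 cmdline[512].
# LOKI patches a header at 1024 whose 4-byte type field at 1028 is
# 0 for boot and 1 for recovery.
0	string		ANDROID!	Android bootimg
>1024	string		LOKI		\b, LOKI'd
>>1028	lelong		0		\b (boot)
>>1028	lelong		1		\b (recovery)
>8	lelong		>0		\b, kernel
>>12	lelong		>0		\b (%#x)
>16	lelong		>0		\b, ramdisk
>>20	lelong		>0		\b (%#x)
>24	lelong		>0		\b, second stage
>>28	lelong		>0		\b (%#x)
>36	lelong		>0		\b, page size: %d
# name lives at 48, not 38; 38 is the upper half of page_size (normally
# zero), which is why the product name never showed up. Print at most the
# 16-byte field so an unterminated name does not run into cmdline.
>48	string		>0		\b, name: %-.16s
>64	string		>0		\b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
# android-backup-extractor/perl/backupencrypt.pl
# Note: only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0	string/b	ANDROID\ BACKUP\n	Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16	string		\n
# No mime-type defined officially
!:mime	application/x-google-ab
!:ext	ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15	string		>\0		\b, version %s
# "1" on 3rd line means compressed
>17	string		0\n		\b, Not-Compressed
>17	string		1\n		\b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19	string		none\n		\b, Not-Encrypted
# look for backup content after line with encryption info
#>>19	search/7	\n
# data part after header for not encrypted Android Backup
#>>>&0	ubequad		x		\b, content %#16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0	indirect	x		\b; contains
# look for tar archive block by ./archive for package name manifest
# NOTE(review): the four header lines above add up to 24 bytes for
# "1\n" + "0\n" + "none\n", which would put the tar block at 24 and its
# "ustar" magic at 281 rather than 31/288 -- confirm against a real
# uncompressed backup before changing these offsets.
>>288	string		ustar		\b; contains
>>>31	use		tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079	search/1025/s	PK\003\004	\b; contains
#>>>&0	indirect	x
>19	string		!none
# The encryption line is attacker-controlled text; regex/1l confines the
# scan to that single line so an odd header cannot make the regex walk
# further into the file.
>>19	regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1	string		>\0		\b, PASSWORD salt: "%-128.128s"
#>>>&1	regex/1l	.*		\b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1	regex/1l	.*		\b, Master salt: %s
# The 7th line is Number of PBKDF2 Rounds (10000)
#>>>>>&1	regex/1l	.*		\b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1	regex/1l	.*		\b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1	regex/1l	.*		\b, Key: %s
# look for new line separator char after line number 9
#>>>0x204	ubyte		0x0a		NL found
#>>>>&1	ubequad		x		\b, Content magic %16.16llx

# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung's smartphone with Android
# used by flash software Odin
# Layout: entry count at 4, entries of 0x84 bytes starting at 0x01C.
# The count is only used to label and gate the entries; every entry is
# read at a fixed offset, so an oversized count cannot move a read.
0	ulelong		0x12349876
# 1st pit entry marker
>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4	ulelong		<128		Partition Information Table for Samsung smartphone
>>>4	ulelong		x		\b, %d entries
# Each "use PIT-entry" is nested under its count test so that an entry is
# only decoded when the header says it exists; previously only #13 and #14
# were gated and the others could print an unlabelled entry from padding.
# 1. pit entry
>>>4	ulelong		>0		\b; #1
>>>>0x01C	use		PIT-entry
>>>4	ulelong		>1		\b; #2
>>>>0x0A0	use		PIT-entry
>>>4	ulelong		>2		\b; #3
>>>>0x124	use		PIT-entry
>>>4	ulelong		>3		\b; #4
>>>>0x1A8	use		PIT-entry
>>>4	ulelong		>4		\b; #5
>>>>0x22C	use		PIT-entry
>>>4	ulelong		>5		\b; #6
>>>>0x2B0	use		PIT-entry
>>>4	ulelong		>6		\b; #7
>>>>0x334	use		PIT-entry
>>>4	ulelong		>7		\b; #8
>>>>0x3B8	use		PIT-entry
>>>4	ulelong		>8		\b; #9
>>>>0x43C	use		PIT-entry
>>>4	ulelong		>9		\b; #10
>>>>0x4C0	use		PIT-entry
>>>4	ulelong		>10		\b; #11
>>>>0x544	use		PIT-entry
>>>4	ulelong		>11		\b; #12
>>>>0x5C8	use		PIT-entry
>>>4	ulelong		>12		\b; #13
>>>>0x64C	use		PIT-entry
# 14. pit entry
>>>4	ulelong		>13		\b; #14
>>>>0x6D0	use		PIT-entry
>>>4	ulelong		>14		\b; #15
>>>>0x754	use		PIT-entry
>>>4	ulelong		>15		\b; #16
>>>>0x7D8	use		PIT-entry
>>>4	ulelong		>16		\b; #17
>>>>0x85C	use		PIT-entry
# 18. pit entry
>>>4	ulelong		>17		\b; #18
>>>>0x8E0	use		PIT-entry

# One 0x84-byte PIT entry, invoked with "use" at the entry's absolute offset.
0	name	PIT-entry
# garbage value implies end of pit entries
>0x00	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# skip empty partition name
>>0x24	ubyte		!0
# partition name (32-byte field, printed with a precision so it cannot
# run into the following fields)
>>>0x24	string		>\0		%-.32s
# flags
>>>0x0C	ulelong&0x00000002	2	\b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08	ulelong		x		(%#x)
# filename (64-byte field)
>>>0x44	string		>\0		"%-.64s"
#>>>0x18	ulelong		>0
# blocksize in 512 byte units ?
#>>>>0x18	ulelong		x		\b, %db
# partition size in blocks ?
#>>>>0x22	ulelong		x		\b*%d

# Android sparse img format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
# Block and chunk counts are reported only; nothing here walks the chunks.
0	lelong		0xed26ff3a	Android sparse image
>4	leshort		x		\b, version: %d
>6	leshort		x		\b.%d
>16	lelong		x		\b, Total of %d
>12	lelong		x		\b %d-byte output blocks in
>20	lelong		x		\b %d input chunks.

# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# The strength is increased to avoid misidentifying as Targa image data
0	lelong		0x00080003	Android binary XML
!:strength +1

# Android cryptfs footer
# From https://android.googlesource.com/\
# platform/system/vold/+/refs/heads/master/cryptfs.h
0	lelong		0xd0b5b1c4	Android cryptfs footer
>4	leshort		x		\b, version: %d
>6	leshort		x		\b.%d

# Android Vdex format
# From https://android.googlesource.com/\
# platform/art/+/master/runtime/vdex_file.h
0	string		vdex		Android vdex file,
>4	string		>000		verifier deps version: %s,
>8	string		>000		dex section version: %s,
>12	lelong		>0		number of dex files: %d,
>16	lelong		>0		verifier deps size: %d

# Android Vdex format, dexfile is currently being updated
# by android system
# From https://android.googlesource.com/\
# platform/art/+/master/dex2oat/dex2oat.cc
0	string		wdex		Android vdex file, being processed by dex2oat,
>4	string		>000		verifier deps version: %s,
>8	string		>000		dex section version: %s,
>12	lelong		>0		number of dex files: %d,
>16	lelong		>0		verifier deps size: %d

# Disassembled DEX files
# The regex is limited to 512 bytes after the ".class " prefix.
0	string/t	.class\x20
>&0	regex/512	\^\\.super\x20L.*;$	disassembled Android DEX Java class (smali/baksmali)
!:ext	smali

# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm
# Reference: https://android.googlesource.com/platform/frameworks/support/\
# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
# src/main/java/androidx/profileinstaller/ProfileTranscoder.java
# Reference: https://android.googlesource.com/platform/frameworks/support/\
# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
# src/main/java/androidx/profileinstaller/ProfileVersion.java
0	string		pro\x00
>0	regex		pro\x000[0-9][0-9]\x00	Android ART profile
!:ext	prof
>>4	string		001\x00		\b, version 001 N
>>4	string		005\x00		\b, version 005 O
>>4	string		009\x00		\b, version 009 O MR1
>>4	string		010\x00		\b, version 010 P
>>4	string		015\x00		\b, version 015 S
0	string		prm\x00
>0	regex		prm\x000[0-9][0-9]\x00	Android ART profile metadata
!:ext	profm
>>4	string		001\x00		\b, version 001 N
>>4	string		002\x00		\b, version 002

# Android package resource table (ARSC): resources.arsc
# Reference: https://android.googlesource.com/platform/tools/base/\
# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\
# src/main/java/com/google/devrel/gmscore/tools/apk/arsc
# 00: resource table type = 0x0002 (2) + header size = 12 (2)
# 04: chunk size (4, skipped)
# 08: #packages (4)
0	ulelong		0x000c0002	Android package resource table (ARSC)
!:ext	arsc
>8	ulelong		!1		\b, %d packages
# 12: string pool type = 0x0001 (2) + header size = 28 (2)
# 16: chunk size (4, skipped)
# 20: #strings (4), #styles (4), flags (4)
>12	ulelong		0x001c0001
>>20	ulelong		!0		\b, %d string(s)
>>24	ulelong		!0		\b, %d style(s)
>>28	ulelong		&1		\b, sorted
>>28	ulelong		&256		\b, utf8

# extracted APK Signing Block
# Negative offset: the 16-byte magic sits at the very end of the block.
-16	string		APK\x20Sig\x20Block\x2042	APK Signing Block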