#------------------------------------------------------------
# $File: android,v 1.12 2019/04/19 00:42:27 christos Exp $
# Various android related magic entries
#------------------------------------------------------------
# Entry layout: offset, type, test, message; each leading '>' adds one level
# of nesting, so a line is only evaluated when its parent line matched.
# Note: every %s/%d/%x in a message echoes bytes read from the scanned file,
# so file(1) output for an untrusted image is itself untrusted text.

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
# The plain string test carries no message: it only gates the regex below,
# which requires "dex\n" + two digits + NUL before anything is printed.
0	string	dex\n
>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
>4	string	>000	version %s
0	string	dey\n
>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string	>000	version %s

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
0	string	ANDROID!	Android bootimg
# LOKI patch marker is looked for at offset 1024 only; nothing else is checked
>1024	string	LOKI\01	\b, LOKI'd
# size fields are tested, the nested lines print the matching load address
>8	lelong	>0	\b, kernel
>>12	lelong	>0	\b (0x%x)
>16	lelong	>0	\b, ramdisk
>>20	lelong	>0	\b (0x%x)
>24	lelong	>0	\b, second stage
>>28	lelong	>0	\b (0x%x)
>36	lelong	>0	\b, page size: %d
# NOTE(review): offset 38 lies inside the 4-byte page_size field that starts
# at 36; in bootimg.h the 16-byte name field appears to start at 48 (after
# header_version at 40 and os_version at 44) -- confirm against the header
# before relying on this line to print a product name.
>38	string	>0	\b, name: %s
>64	string	>0	\b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
# android-backup-extractor/perl/backupencrypt.pl
# Note: only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0	string/b	ANDROID\ BACKUP\n	Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16	string	\n
# No mime-type defined officially
!:mime	application/x-google-ab
!:ext	ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15	string	>\0	\b, version %s
# "1" on 3rd line means compressed
>17	string	0\n	\b, Not-Compressed
>17	string	1\n	\b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19	string	none\n	\b, Not-Encrypted
# look for backup content after line with encryption info
#>>19	search/7	\n
# data part after header for not encrypted Android Backup
#>>>&0	ubequad	x	\b, content 0x%16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0	indirect	x	\b; contains
# look for tar archive block by ./archive for package name manifest
# (only reachable for an unencrypted, uncompressed backup: the "ustar"
# test at 288 is nested under the "none" line above)
>>288	string	ustar	\b; contains
>>>31	use	tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079	search/1025/s	PK\003\004	\b; contains
#>>>&0	indirect	x
>19	string	!none
# regex/1l restricts the match to the 4th header line; the %s prints that
# line (the algorithm name) exactly as found in the file
>>19	regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1	string	>\0	\b, PASSWORD salt: "%-128.128s"
#>>>&1	regex/1l	.*	\b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1	regex/1l	.*	\b, Master salt: %s
# The 7th line is Number of PBKDF2 Rounds (10000)
#>>>>>&1	regex/1l	.*	\b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1	regex/1l	.*	\b, IV: %s
#>>>>>>&1	regex/1l	.*	\b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1	regex/1l	.*	\b, Key: %s
# look for new line separator char after line number 9
#>>>0x204	ubyte	0x0a	NL found
#>>>>&1	ubequad	x	\b, Content magic %16.16llx

# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung's smartphone with Android
# used by flash software Odin
0	ulelong	0x12349876
# 1st pit entry marker
>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
# the entry count at offset 4 is taken from the file and capped at 128 here;
# each entry below is only printed when the count says it exists, and the
# PIT-entry routine re-checks the entry bytes itself
>>4	ulelong	<128	Partition Information Table for Samsung smartphone
>>>4	ulelong	x	\b, %d entries
# 1. pit entry
>>>4	ulelong	>0	\b; #1
>>>0x01C	use	PIT-entry
>>>4	ulelong	>1	\b; #2
>>>0x0A0	use	PIT-entry
>>>4	ulelong	>2	\b; #3
>>>0x124	use	PIT-entry
>>>4	ulelong	>3	\b; #4
>>>0x1A8	use	PIT-entry
>>>4	ulelong	>4	\b; #5
>>>0x22C	use	PIT-entry
>>>4	ulelong	>5	\b; #6
>>>0x2B0	use	PIT-entry
>>>4	ulelong	>6	\b; #7
>>>0x334	use	PIT-entry
>>>4	ulelong	>7	\b; #8
>>>0x3B8	use	PIT-entry
>>>4	ulelong	>8	\b; #9
>>>0x43C	use	PIT-entry
>>>4	ulelong	>9	\b; #10
>>>0x4C0	use	PIT-entry
>>>4	ulelong	>10	\b; #11
>>>0x544	use	PIT-entry
>>>4	ulelong	>11	\b; #12
>>>0x5C8	use	PIT-entry
>>>4	ulelong	>12	\b; #13
# NOTE(review): entries #13 and #14 nest their "use" one level deeper (>>>>)
# than every other entry, so they run only when the count test directly
# above them matches; the other entries are siblings of their count test.
# Looks like an inconsistency rather than intent -- verify.
>>>>0x64C	use	PIT-entry
# 14. pit entry
>>>4	ulelong	>13	\b; #14
>>>>0x6D0	use	PIT-entry
>>>4	ulelong	>14	\b; #15
>>>0x754	use	PIT-entry
>>>4	ulelong	>15	\b; #16
>>>0x7D8	use	PIT-entry
>>>4	ulelong	>16	\b; #17
>>>0x85C	use	PIT-entry
# 18. pit entry
>>>4	ulelong	>17	\b; #18
>>>0x8E0	use	PIT-entry

# Named routine invoked by the "use" lines above; offsets are relative to
# the entry start passed in by the caller.
0	name	PIT-entry
# garbage value implies end of pit entries
>0x00	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# skip empty partition name
>>0x24	ubyte	!0
# partition name (at most 32 bytes are printed)
>>>0x24	string	>\0	%-.32s
# flags
>>>0x0C	ulelong&0x00000002	2	\b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KERNEL,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08	ulelong	x	(0x%x)
# filename (at most 64 bytes are printed)
>>>0x44	string	>\0	"%-.64s"
#>>>0x18	ulelong	>0
# blocksize in 512 byte units ?
#>>>>0x18	ulelong	x	\b, %db
# partition size in blocks ?
#>>>>0x22	ulelong	x	\b*%d

# Android sparse img format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
0	lelong	0xed26ff3a	Android sparse image
>4	leshort	x	\b, version: %d
>6	leshort	x	\b.%d
# the three counters below are printed as-is; nothing checks that they are
# consistent with the file size
>16	lelong	x	\b, Total of %d
>12	lelong	x	\b %d-byte output blocks in
>20	lelong	x	\b %d input chunks.

# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# Only these 4 bytes are tested, so the match is weak compared with the
# entries above.
0	lelong	0x00080003	Android binary XML