xref: /freebsd/contrib/file/magic/Magdir/android (revision ac77b2621508c6a50ab01d07fe8d43795d908f05)
1
2#------------------------------------------------------------
3# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $
4# Various android related magic entries
5#------------------------------------------------------------
6
7# Dalvik .dex format. http://retrodev.com/android/dexformat.html
8# From <mkf@google.com> "Mike Fleming"
9# Fixed to avoid regexec 17 errors on some dex files
10# From <diff@lookout.com> "Tim Strazzere"
# The literal 4-byte string test at offset 0 gates everything below it, so the
# regex is only evaluated on files that already begin with "dex\n".
# Only the first 8 header bytes are inspected: a match says the file is shaped
# like a DEX header, not that any checksum or signature in it is valid.
110	string	dex\n
12>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
# Same nesting level as the regex above: the version text depends only on the
# bytes at offset 4 comparing greater than "000", not on the regex matching.
13>4	string	>000			version %s
# "dey\n" variant: same structure, different description.
140	string	dey\n
15>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
16>4	string	>000			version %s
17
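18# Android bootimg format
19# From https://android.googlesource.com/\
20# platform/system/core/+/master/mkbootimg/bootimg.h
21# https://github.com/djrbliss/loki/blob/master/loki.h#L43
# Offsets follow the original boot_img_hdr layout: 8-byte magic, then
# little-endian size / load-address pairs for kernel, ramdisk and second stage.
# NOTE(review): later header versions in bootimg.h rearrange the fields after
# the magic, so the labels below may not line up for those images - confirm.
220		string	ANDROID!	Android bootimg
# A LOKI marker at 1024 means the image was rewritten by the loki tool
# referenced above; worth flagging when triaging a boot or recovery image.
23>1024	string	LOKI		\b, LOKI'd
24>>1028	lelong	0			\b (boot)
25>>1028	lelong	1			\b (recovery)
# Each address is printed only when the size field before it is non-zero.
26>8		lelong	>0			\b, kernel
27>>12	lelong	>0			\b (%#x)
28>16		lelong	>0			\b, ramdisk
29>>20	lelong	>0			\b (%#x)
30>24		lelong	>0			\b, second stage
31>>28	lelong	>0			\b (%#x)
32>36		lelong	>0			\b, page size: %d
# The page size is a 4-byte field covering bytes 36-39, so a string test at 38
# reads the upper half of that field instead of the name. The name is the
# 16-byte field that ends where cmdline begins at 64, i.e. offset 48.
33>48		string	>0			\b, name: %s
# name and cmdline are copied from the image as-is; treat them as untrusted text.
34>64		string	>0		 	\b, cmdline (%s)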
35
36# Android Backup archive
37# From: Ariel Shkedi
38# Update: Joerg Jenderek
39# URL: https://github.com/android/platform_frameworks_base/blob/\
40# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
41# android/server/BackupManagerService.java#L2367
42# Reference: https://sourceforge.net/projects/adbextractor/
43#            android-backup-extractor/perl/backupencrypt.pl
44# Note:	only unix line feeds "\n" found
45# After the header comes a tar file
46# If compressed, the entire tar file is compressed with JAVA deflate
47#
48# Include the version number hardcoded with the magic string to avoid
49# false positives
# NOTE(review): the test below matches only the 15-byte banner
# "ANDROID BACKUP\n"; the version is read by a separate test at offset 15,
# so the remark above about a hardcoded version number looks stale.
500	string/b	ANDROID\ BACKUP\n	Android Backup
51# maybe look for some more characteristics like linefeed '\n' or version
52#>16	string		\n
53# No mime-type defined officially
54!:mime	application/x-google-ab
55!:ext	ab
55# the 2nd line holds the version (often 1; 2 on KitKat 4.4.3+; 4 on 7.1.2)
# The fixed offsets 17 and 19 below assume a one-character version line; a
# longer version string would shift the compression and encryption lines.
57>15	string		>\0			\b, version %s
58# "1" on 3rd line means compressed
59>17	string		0\n			\b, Not-Compressed
60>17	string		1\n			\b, Compressed
61# The 4th line is encryption "none" or "AES-256"
62# any string as long as it's not the word none (which is matched below)
# An unencrypted backup is a plain (optionally deflated) tar of application
# data, so a "Not-Encrypted" result marks a file to handle as sensitive.
63>19	string		none\n			\b, Not-Encrypted
64# look for backup content after line with encryption info
65#>>19	search/7	\n
66# data part after header for not encrypted Android Backup
67#>>>&0	ubequad		x	\b, content %#16.16llx...
68# look for zlib compressed by ./compress after message with 1 space at end
69#>>>&0	indirect	x	\b; contains
70# look for tar archive block by ./archive for package name manifest
71>>288	string		ustar	\b; contains
72>>>31	use	tar-file
73# look for zip/jar archive by ./archive ./zip after message with 1 space at end
74#>>2079	search/1025/s	PK\003\004	\b; contains
75#>>>&0	indirect	x
# The alternation spells out "the line at offset 19 is anything other than
# exactly none"; the matched text is echoed as the cipher name, so that part of
# the output is chosen by the file, not by this entry.
76>19	string		!none
77>>19    regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
78# Commented out because they don't seem useful to print
79# (but they are part of the header - the tar file comes after them):
# NOTE(review): lines 5-9 look like the key-derivation inputs and key blob for
# the encrypted case; leaving them unprinted also keeps them out of any logs
# built from file(1) output - confirm against the references above.
80# The 5th line is User Password Salt (128 Hex)
81# string length too high with standard src configuration
82#>>>&1		string	>\0	\b, PASSWORD salt: "%-128.128s"
83#>>>&1		regex/1l .*	\b, Password salt: %s
84# The 6th line is Master Key Checksum Salt (128 Hex)
85#>>>>&1		regex/1l .*	\b, Master salt: %s
86# The 7th line is Number of PBKDF2 Rounds (10000)
87#>>>>>&1	regex/1l .*	\b, PBKDF2 rounds: %s
88# The 8th line is User key Initialization Vector (IV) (32 Hex)
89#>>>>>>&1	regex/1l .*	\b, IV: %s
90#>>>>>>&1	regex/1l .*	\b, IV: %s
91# The 9th line is Master IV+Key+Checksum (192 Hex)
92#>>>>>>>&1	regex/1l .*	\b, Key: %s
93# look for new line separator char after line number 9
94#>>>0x204	ubyte	0x0a	NL found
95#>>>>&1		ubequad	x	\b, Content magic %16.16llx
96
97# *.pit files by Joerg Jenderek
98# https://forum.xda-developers.com/showthread.php?p=9122369
99# https://forum.xda-developers.com/showthread.php?t=816449
100# Partition Information Table for Samsung's smartphone with Android
101# used by flash software Odin
# Layout as used below: 32-bit magic at 0, entry count at 4, then entries at a
# fixed 0x84-byte stride starting at 0x1C. Each "use" hands one entry offset to
# the PIT-entry routine.
1020		ulelong			0x12349876
103# 1st pit entry marker
104>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
105# minimal 13 and maximal 18 PIT entries found
# The <128 bound is a sanity check on the file-supplied count before the
# description is printed; only the first 18 entries are ever walked.
106>>4		ulelong			<128	Partition Information Table for Samsung smartphone
107>>>4		ulelong			x	\b, %d entries
108# 1. pit entry
109>>>4		ulelong			>0	\b; #1
110>>>0x01C	use				PIT-entry
111>>>4		ulelong			>1	\b; #2
112>>>0x0A0	use				PIT-entry
113>>>4		ulelong			>2	\b; #3
114>>>0x124	use				PIT-entry
115>>>4		ulelong			>3	\b; #4
116>>>0x1A8	use				PIT-entry
117>>>4		ulelong			>4	\b; #5
118>>>0x22C	use				PIT-entry
119>>>4		ulelong			>5	\b; #6
120>>>0x2B0	use				PIT-entry
121>>>4		ulelong			>6	\b; #7
122>>>0x334	use				PIT-entry
123>>>4		ulelong			>7 	\b; #8
124>>>0x3B8	use				PIT-entry
125>>>4		ulelong			>8 	\b; #9
126>>>0x43C	use				PIT-entry
127>>>4		ulelong			>9	\b; #10
128>>>0x4C0	use				PIT-entry
129>>>4		ulelong			>10	\b; #11
130>>>0x544	use				PIT-entry
131>>>4		ulelong			>11	\b; #12
132>>>0x5C8	use				PIT-entry
# NOTE(review): the "use" lines for #13 and #14 sit one level deeper (>>>>)
# than all the others, so only those two are evaluated strictly under their
# count test. The rest are siblings of the count tests and rely on the marker
# check inside PIT-entry. Confirm whether the difference is intended.
133>>>4		ulelong			>12	\b; #13
134>>>>0x64C	use				PIT-entry
135# 14. pit entry
136>>>4		ulelong			>13	\b; #14
137>>>>0x6D0	use				PIT-entry
138>>>4		ulelong			>14	\b; #15
139>>>0x754	use				PIT-entry
140>>>4		ulelong			>15	\b; #16
141>>>0x7D8	use				PIT-entry
142>>>4		ulelong			>16	\b; #17
143>>>0x85C	use				PIT-entry
144# 18. pit entry
145>>>4		ulelong			>17	\b; #18
146>>>0x8E0	use				PIT-entry
147
# Subroutine invoked by the "use" lines of the PIT entry above; offsets here
# are relative to the entry offset given at the call site.
1480	name			PIT-entry
149# garbage value implies end of pit entries
# Nothing below is printed unless the masked first 8 bytes of the entry are zero.
150>0x00		ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
151# skip empty partition name
152>>0x24		ubyte				!0
153# partition name
# The %-.32s and %-.64s precisions cap how much of each file-supplied string
# is printed (32 characters for the name, 64 for the file name).
154>>>0x24		string				>\0			%-.32s
155# flags
# Only bit 1 of the flags word is decoded; it is reported as "+RW".
156>>>0x0C		ulelong&0x00000002		2			\b+RW
157# partition ID:
158# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
159# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
160>>>0x08	ulelong		x			(%#x)
161# filename
162>>>0x44		string				>\0			"%-.64s"
163#>>>0x18	ulelong				>0
164# blocksize in 512 byte units ?
165#>>>>0x18	ulelong				x			\b, %db
166# partition size in blocks ?
167#>>>>0x22	ulelong				x			\b*%d
168
169# Android sparse img format
170# From https://android.googlesource.com/\
171# platform/system/core/+/master/libsparse/sparse_format.h
# Every field after the magic is tested with "x" (match anything), so the
# numbers below are reported exactly as stored; nothing here bounds them.
# Tools that expand a sparse image have to validate block size and counts
# themselves.
1720		lelong	0xed26ff3a		Android sparse image
173>4		leshort	x			\b, version: %d
174>6		leshort	x			\b.%d
# Offsets 16, 12 and 20 are read out of order so the output forms one sentence.
175>16		lelong	x			\b, Total of %d
176>12		lelong	x			\b %d-byte output blocks in
177>20		lelong	x			\b %d input chunks.
178
179# Android binary XML magic
180# In include/androidfw/ResourceTypes.h:
181# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
182# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
183# The strength is increased to avoid misidentifying as Targa image data
# The whole identification rests on these 4 bytes. The strength bump only
# reorders this entry against competing ones; it adds no further check.
1840	lelong	0x00080003	Android binary XML
185!:strength +1
186
187# Android cryptfs footer
188# From https://android.googlesource.com/\
189# platform/system/vold/+/refs/heads/master/cryptfs.h
# The magic is tested at offset 0, so this fires only when the file begins
# with the footer, e.g. a footer saved on its own.
# NOTE(review): per cryptfs.h the footer presumably carries the encrypted
# master key and KDF parameters - treat matched files as sensitive; confirm.
1900	lelong	0xd0b5b1c4	Android cryptfs footer
# Major version at offset 4, minor at offset 6, both 16-bit little-endian.
191>4	leshort	x	\b, version: %d
192>6	leshort	x	\b.%d
193
193# Android Vdex format
194# From https://android.googlesource.com/\
195# platform/art/+/master/runtime/vdex_file.h
# Two 4-byte version strings follow the magic, then two little-endian counts.
# Each field is printed only when it compares greater than "000" / zero, and
# the values are reported as stored in the file.
1960	string	vdex	Android vdex file,
197>4	string	>000	verifier deps version: %s,
198>8	string	>000	dex section version: %s,
199>12	lelong	>0	number of dex files: %d,
200>16	lelong	>0	verifier deps size: %d
202
202# Android Vdex format, dexfile is currently being updated
203# by android system
204# From https://android.googlesource.com/\
205# platform/art/+/master/dex2oat/dex2oat.cc
# Same field layout as the "vdex" entry; only the first magic byte differs,
# which marks a file that dex2oat had not finished writing.
2060	string	wdex	Android vdex file, being processed by dex2oat,
207>4	string	>000	verifier deps version: %s,
208>8	string	>000	dex section version: %s,
209>12	lelong	>0	number of dex files: %d,
210>16	lelong	>0	verifier deps size: %d
212
213# Disassembled DEX files
# The file must start with ".class "; the follow-up regex begins right after
# that match (&0) and looks for a ".super L...;" line. The /512 count caps how
# far the regex scans, which keeps the cost bounded on large or hostile inputs.
2140	string/t	.class\x20
215>&0	regex/512	\^\\.super\x20L.*;$	disassembled Android DEX Java class (smali/baksmali)
216!:ext	smali
217
218# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm
219# Reference: https://android.googlesource.com/platform/frameworks/support/\
220#            +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
221#            src/main/java/androidx/profileinstaller/ProfileTranscoder.java
222# Reference: https://android.googlesource.com/platform/frameworks/support/\
223#            +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
224#            src/main/java/androidx/profileinstaller/ProfileVersion.java
# A cheap 4-byte string test gates the regex, which spells out the magic
# followed by a version of the form 0NN and a NUL.
# The version lines sit one level below the regex, so they print only after
# it matched; a version not listed here yields the bare description.
2250	string	pro\x00
226>0	regex	pro\x000[0-9][0-9]\x00	Android ART profile
227!:ext	prof
228>>4	string	001\x00	\b, version 001 N
229>>4	string	005\x00	\b, version 005 O
230>>4	string	009\x00	\b, version 009 O MR1
231>>4	string	010\x00	\b, version 010 P
232>>4	string	015\x00	\b, version 015 S
# Metadata variant ("prm\0"): same structure with its own version list.
2330	string	prm\x00
234>0	regex	prm\x000[0-9][0-9]\x00	Android ART profile metadata
235!:ext	profm
236>>4	string	001\x00	\b, version 001 N
237>>4	string	002\x00	\b, version 002
237>>4	string	002\x00	\b, version 002
238
239# Android package resource table (ARSC): resources.arsc
240# Reference: https://android.googlesource.com/platform/tools/base/\
241#            +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\
242#            src/main/java/com/google/devrel/gmscore/tools/apk/arsc
243# 00: resource table type = 0x0002 (2) + header size = 12 (2)
244# 04: chunk size (4, skipped)
245# 08: #packages (4)
# The "!1" / "!0" tests below only suppress the common values; the counts are
# printed as stored and are not checked against the skipped chunk sizes.
2460	ulelong	0x000c0002	Android package resource table (ARSC)
247!:ext	arsc
248>8	ulelong	!1	\b, %d packages
249# 12: string pool type = 0x0001 (2) + header size = 28 (2)
250# 16: chunk size (4, skipped)
251# 20: #strings (4), #styles (4), flags (4)
# The string-pool fields are decoded only when the chunk at offset 12 carries
# the expected type and header size.
252>12	ulelong	0x001c0001
253>>20	ulelong	!0	\b, %d string(s)
254>>24	ulelong	!0	\b, %d style(s)
# Flag bits in the word at offset 28: bit 0 is reported as "sorted", bit 8 as "utf8".
255>>28	ulelong	&1	\b, sorted
256>>28	ulelong	&256	\b, utf8
257
257# extracted APK Signing Block
# Negative offset: the magic string is compared against the last 16 bytes of
# the file, so this fires for a signing block saved on its own (a complete APK
# ends with ZIP structures instead).
# A match identifies the container only; it does not verify any signature in it.
258-16	string	APK\x20Sig\x20Block\x2042	APK Signing Block
260