1 2#------------------------------------------------------------ 3# $File: android,v 1.8 2015/03/19 18:04:37 christos Exp $ 4# Various android related magic entries 5#------------------------------------------------------------ 6 7# Dalvik .dex format. http://retrodev.com/android/dexformat.html 8# From <mkf@google.com> "Mike Fleming" 9# Fixed to avoid regexec 17 errors on some dex files 10# From <diff@lookout.com> "Tim Strazzere" 110 string dex\n 12>0 regex dex\n[0-9]{2}\0 Dalvik dex file 13>4 string >000 version %s 140 string dey\n 15>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) 16>4 string >000 version %s 17 18# Android bootimg format 19# From https://android.googlesource.com/\ 20# platform/system/core/+/master/mkbootimg/bootimg.h 210 string ANDROID! Android bootimg 22>1024 string LOKI\01 \b, LOKI'd 23>8 lelong >0 \b, kernel 24>>12 lelong >0 \b (0x%x) 25>16 lelong >0 \b, ramdisk 26>>20 lelong >0 \b (0x%x) 27>24 lelong >0 \b, second stage 28>>28 lelong >0 \b (0x%x) 29>36 lelong >0 \b, page size: %d 30>38 string >0 \b, name: %s 31>64 string >0 \b, cmdline (%s) 32 33# Android Backup archive 34# From: Ariel Shkedi 35# File extension: .ab 36# No mime-type defined 37# URL: https://github.com/android/platform_frameworks_base/blob/\ 38# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ 39# android/server/BackupManagerService.java#L2367 40# After the header comes a tar file 41# If compressed, the entire tar file is compressed with JAVA deflate 42# 43# Include the version number hardcoded with the magic string to avoid 44# false positives 450 string/b ANDROID\ BACKUP\n1\n Android Backup 46>17 string 0\n \b, Not-Compressed 47>17 string 1\n \b, Compressed 48# any string as long as it's not the word none (which is matched below) 49>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) 50>>19 string none\n \b, Not-Encrypted 51# Commented out because they don't seem useful to print 52# (but they are part of the header - the tar file comes after them): 53#>>>&1 regex/1l .* \b, Password salt: %s 54#>>>>&1 regex/1l .* \b, Master salt: %s 55#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s 56#>>>>>>&1 regex/1l .* \b, IV: %s 57#>>>>>>>&1 regex/1l .* \b, Key: %s 58 59# *.pit files by Joerg Jenderek 60# http://forum.xda-developers.com/showthread.php?p=9122369 61# http://forum.xda-developers.com/showthread.php?t=816449 62# Partition Information Table for Samsung's smartphone with Android 63# used by flash software Odin 640 ulelong 0x12349876 65# 1st pit entry marker 66>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 67# minimal 13 and maximal 18 PIT entries found 68>>4 ulelong <128 Partition Information Table for Samsung smartphone 69>>>4 ulelong x \b, %d entries 70# 1. pit entry 71>>>4 ulelong >0 \b; #1 72>>>0x01C use PIT-entry 73>>>4 ulelong >1 \b; #2 74>>>0x0A0 use PIT-entry 75>>>4 ulelong >2 \b; #3 76>>>0x124 use PIT-entry 77>>>4 ulelong >3 \b; #4 78>>>0x1A8 use PIT-entry 79>>>4 ulelong >4 \b; #5 80>>>0x22C use PIT-entry 81>>>4 ulelong >5 \b; #6 82>>>0x2B0 use PIT-entry 83>>>4 ulelong >6 \b; #7 84>>>0x334 use PIT-entry 85>>>4 ulelong >7 \b; #8 86>>>0x3B8 use PIT-entry 87>>>4 ulelong >8 \b; #9 88>>>0x43C use PIT-entry 89>>>4 ulelong >9 \b; #10 90>>>0x4C0 use PIT-entry 91>>>4 ulelong >10 \b; #11 92>>>0x544 use PIT-entry 93>>>4 ulelong >11 \b; #12 94>>>0x5C8 use PIT-entry 95>>>4 ulelong >12 \b; #13 96>>>>0x64C use PIT-entry 97# 14. pit entry 98>>>4 ulelong >13 \b; #14 99>>>>0x6D0 use PIT-entry 100>>>4 ulelong >14 \b; #15 101>>>0x754 use PIT-entry 102>>>4 ulelong >15 \b; #16 103>>>0x7D8 use PIT-entry 104>>>4 ulelong >16 \b; #17 105>>>0x85C use PIT-entry 106# 18. pit entry 107>>>4 ulelong >17 \b; #18 108>>>0x8E0 use PIT-entry 109 1100 name PIT-entry 111# garbage value implies end of pit entries 112>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 113# skip empty partition name 114>>0x24 ubyte !0 115# partition name 116>>>0x24 string >\0 %-.32s 117# flags 118>>>0x0C ulelong&0x00000002 2 \b+RW 119# partition ID: 120# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER 121# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW 122>>>0x08 ulelong x (0x%x) 123# filename 124>>>0x44 string >\0 "%-.64s" 125#>>>0x18 ulelong >0 126# blocksize in 512 byte units ? 127#>>>>0x18 ulelong x \b, %db 128# partition size in blocks ? 129#>>>>0x22 ulelong x \b*%d 130 131# Android bootimg format 132# From https://android.googlesource.com/\ 133# platform/system/core/+/master/libsparse/sparse_format.h 1340 lelong 0xed26ff3a Android sparse image 135>4 leshort x \b, version: %d 136>6 leshort x \b.%d 137>16 lelong x \b, Total of %d 138>12 lelong x \b %d-byte output blocks in 139>20 lelong x \b %d input chunks. 140 141# Android binary XML magic 142# In include/androidfw/ResourceTypes.h: 143# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), 144# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). 1450 lelong 0x00080003 Android binary XML 146