
#------------------------------------------------------------
# $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $
# Various android related magic entries
#------------------------------------------------------------

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
# The magic is "dex\n" followed by a three digit ASCII version (035, 037,
# 038, 039, ...) and a NUL; "dey\n" marks the optimized (odex) variant.
0	string	dex\n
>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
>4	string	>000	version %s
0	string	dey\n
>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
>4	string	>000	version %s

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
# https://github.com/djrbliss/loki/blob/master/loki.h#L43
# Header: magic[8]; kernel_size/addr, ramdisk_size/addr, second_size/addr,
# tags_addr, page_size (eight 32 bit fields from offset 8); header_version
# and os_version at 40/44; name[16] at 48; cmdline[512] at 64
0	string	ANDROID!	Android bootimg
>1024	string	LOKI	\b, LOKI'd
>>1028	lelong	0	\b (boot)
>>1028	lelong	1	\b (recovery)
>8	lelong	>0	\b, kernel
>>12	lelong	>0	\b (%#x)
>16	lelong	>0	\b, ramdisk
>>20	lelong	>0	\b (%#x)
>24	lelong	>0	\b, second stage
>>28	lelong	>0	\b (%#x)
>36	lelong	>0	\b, page size: %d
# name[] starts at 48 per bootimg.h; the earlier offset 38 points into the
# page_size field, which is normally NUL there, so it silently never matched
>48	string	>0	\b, name: %s
>64	string	>0	\b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
# android-backup-extractor/perl/backupencrypt.pl
# Note: only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with Java's Deflater
# (a zlib stream)
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0	string/b	ANDROID\ BACKUP\n	Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16	string	\n
# No mime-type defined officially
!:mime	application/x-google-ab
!:ext	ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15	string	>\0	\b, version %s
# "1" on 3rd line means compressed
>17	string	0\n	\b, Not-Compressed
>17	string	1\n	\b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19	string	none\n	\b, Not-Encrypted
# look for backup content after line with encryption info
#>>19	search/7	\n
# data part after header for not encrypted Android Backup
#>>>&0	ubequad	x	\b, content %#16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0	indirect	x	\b; contains
# look for tar archive block by ./archive for package name manifest
>>288	string	ustar	\b; contains
>>>31	use	tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079	search/1025/s	PK\003\004	\b; contains
#>>>&0	indirect	x
>19	string	!none
>>19	regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1	string	>\0	\b, PASSWORD salt: "%-128.128s"
#>>>&1	regex/1l	.*	\b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1	regex/1l	.*	\b, Master salt: %s
# The 7th line is Number of PBKDF2 Rounds (10000)
#>>>>>&1	regex/1l	.*	\b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1	regex/1l	.*	\b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1	regex/1l	.*	\b, Key: %s
# look for new line separator char after line number 9
#>>>0x204	ubyte	0x0a	NL found
#>>>>&1	ubequad	x	\b, Content magic %16.16llx

# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung Android smartphones,
# used by the flash software Odin
# Header is 0x1C bytes (magic, entry count, ...); entries are 0x84 bytes each
0	ulelong	0x12349876
# 1st pit entry marker
>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4	ulelong	<128	Partition Information Table for Samsung smartphone
>>>4	ulelong	x	\b, %d entries
# 1. pit entry
>>>4	ulelong	>0	\b; #1
>>>0x01C	use	PIT-entry
>>>4	ulelong	>1	\b; #2
>>>0x0A0	use	PIT-entry
>>>4	ulelong	>2	\b; #3
>>>0x124	use	PIT-entry
>>>4	ulelong	>3	\b; #4
>>>0x1A8	use	PIT-entry
>>>4	ulelong	>4	\b; #5
>>>0x22C	use	PIT-entry
>>>4	ulelong	>5	\b; #6
>>>0x2B0	use	PIT-entry
>>>4	ulelong	>6	\b; #7
>>>0x334	use	PIT-entry
>>>4	ulelong	>7	\b; #8
>>>0x3B8	use	PIT-entry
>>>4	ulelong	>8	\b; #9
>>>0x43C	use	PIT-entry
>>>4	ulelong	>9	\b; #10
>>>0x4C0	use	PIT-entry
>>>4	ulelong	>10	\b; #11
>>>0x544	use	PIT-entry
>>>4	ulelong	>11	\b; #12
>>>0x5C8	use	PIT-entry
>>>4	ulelong	>12	\b; #13
>>>>0x64C	use	PIT-entry
# 14. pit entry
>>>4	ulelong	>13	\b; #14
>>>>0x6D0	use	PIT-entry
>>>4	ulelong	>14	\b; #15
>>>0x754	use	PIT-entry
>>>4	ulelong	>15	\b; #16
>>>0x7D8	use	PIT-entry
>>>4	ulelong	>16	\b; #17
>>>0x85C	use	PIT-entry
# 18. pit entry
>>>4	ulelong	>17	\b; #18
>>>0x8E0	use	PIT-entry

0	name	PIT-entry
# garbage value implies end of pit entries
>0x00	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000
# skip empty partition name
>>0x24	ubyte	!0
# partition name
>>>0x24	string	>\0	%-.32s
# flags
>>>0x0C	ulelong&0x00000002	2	\b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08	ulelong	x	(%#x)
# filename
>>>0x44	string	>\0	"%-.64s"
#>>>0x18	ulelong	>0
# blocksize in 512 byte units ?
#>>>>0x18	ulelong	x	\b, %db
# partition size in blocks ?
#>>>>0x22	ulelong	x	\b*%d

# Android sparse image format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
0	lelong	0xed26ff3a	Android sparse image
>4	leshort	x	\b, version: %d
>6	leshort	x	\b.%d
>16	lelong	x	\b, Total of %d
>12	lelong	x	\b %d-byte output blocks in
>20	lelong	x	\b %d input chunks.
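Added example for the Dalvik dex entries above (my own code, not part of file(1) or the Android sources): the magic only looks at the eight magic bytes, but the header also carries an adler32 checksum and a SHA-1 signature that an analyst should check before trusting anything else in the file. The parser below reads the header layout from dex_file.h and verifies both; build_minimal_dex() constructs a header-only sample inline so the check can run offline. Function names are mine.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70          # header_size is fixed at 0x70 for every dex version
DEX_ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only dex with every table empty.

    dex header layout (dex_file.h): magic[8] "dex\\n" + 3 digits + NUL,
    checksum u32 at 8 (adler32 of everything after it), signature[20] at 12
    (SHA-1 of everything after it), file_size at 32, header_size at 36,
    endian_tag at 40, then the size/offset table of the remaining sections.
    """
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])))
    return bytes(hdr)


def verify_dex(data: bytes) -> dict:
    """Check a dex header's magic, constants, size, adler32 and SHA-1.

    Returns 'ok', 'version' and a list of 'problems' so a triage script can
    log every finding instead of stopping at the first one.
    """
    result = {"ok": False, "version": None, "problems": []}
    if len(data) < DEX_HEADER_SIZE:
        result["problems"].append("shorter than a dex header")
        return result
    magic = data[0:8]
    if magic[:4] != b"dex\n" or not magic[4:7].isdigit() or magic[7] != 0:
        result["problems"].append("bad magic %r" % magic)
        return result
    result["version"] = magic[4:7].decode("ascii")
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != DEX_ENDIAN_CONSTANT:
        result["problems"].append("endian_tag %#x" % endian_tag)
    if header_size != DEX_HEADER_SIZE:
        result["problems"].append("header_size %d" % header_size)
    if file_size != len(data):
        result["problems"].append("file_size %d but %d bytes on disk" % (file_size, len(data)))
    if zlib.adler32(data[12:]) != checksum:
        result["problems"].append("adler32 mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        result["problems"].append("sha1 mismatch")
    result["ok"] = not result["problems"]
    return result
```

A dex whose checksum or signature does not match was either corrupted or patched after build; the runtime's verifier is lenient here, so a static check is the place to catch it.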
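Added example for the bootimg entry above (my own code, not from file(1) or mkbootimg): the magic prints the sizes and load addresses, but for carving a kernel or ramdisk out of a boot partition dump you also need where each image sits, which follows from page_size and the fixed order kernel, ramdisk, second stage. The parser below uses the bootimg.h layout with name[] at offset 48 and reports the LOKI marker the magic checks at 1024; build_sample_bootimg() constructs a small v0 image inline. Function names are mine.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
BOOT_HEADER_V0_SIZE = 608       # through id[8]; v1/v2 append fields after it
LOKI_OFFSET = 1024              # loki.h places its marker inside the header page


def _page_align(n: int, page: int) -> int:
    return (n + page - 1) // page * page


def parse_bootimg(data: bytes) -> dict:
    """Parse a header-version 0-2 boot image and locate its components.

    bootimg.h layout: magic[8]; kernel_size, kernel_addr, ramdisk_size,
    ramdisk_addr, second_size, second_addr, tags_addr, page_size,
    header_version, os_version (ten u32 from offset 8); name[16] at 48;
    cmdline[512] at 64; id[8] at 576. Images follow the header page, each
    padded to page_size, in the order kernel, ramdisk, second stage.
    """
    if len(data) < BOOT_HEADER_V0_SIZE or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size,
     header_version, os_version) = struct.unpack_from("<10I", data, 8)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page size %d" % page_size)

    regions = {}
    off = page_size                       # the header occupies exactly one page
    for label, size in (("kernel", kernel_size), ("ramdisk", ramdisk_size),
                        ("second", second_size)):
        if size:
            regions[label] = (off, size)
            off += _page_align(size, page_size)

    info = {
        "header_version": header_version,
        "os_version": os_version,
        "page_size": page_size,
        "name": data[48:64].split(b"\0", 1)[0].decode("ascii", "replace"),
        "cmdline": data[64:576].split(b"\0", 1)[0].decode("ascii", "replace"),
        "id": data[576:596].hex(),        # id[] as written by mkbootimg (a SHA-1)
        "load_addrs": {"kernel": kernel_addr, "ramdisk": ramdisk_addr,
                       "second": second_addr, "tags": tags_addr},
        "regions": regions,
        "expected_size": off,
        "truncated": off > len(data),
        "loki": None,
    }
    if len(data) >= LOKI_OFFSET + 8 and data[LOKI_OFFSET:LOKI_OFFSET + 4] == b"LOKI":
        kind, = struct.unpack_from("<I", data, LOKI_OFFSET + 4)
        info["loki"] = {0: "boot", 1: "recovery"}.get(kind, "unknown (%d)" % kind)
    return info


def build_sample_bootimg(page_size: int = 2048, loki_kind: int = None) -> bytes:
    """Constructed sample (not a real image): v0 header, 100-byte kernel, 10-byte ramdisk."""
    kernel, ramdisk = b"K" * 100, b"R" * 10
    hdr = bytearray(page_size)
    hdr[:8] = BOOT_MAGIC
    struct.pack_into("<10I", hdr, 8, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                     0, 0, 0x10000100, page_size, 0, 0)
    hdr[48:48 + 7] = b"example"
    hdr[64:64 + 13] = b"console=ttyS0"
    if loki_kind is not None:
        hdr[LOKI_OFFSET:LOKI_OFFSET + 4] = b"LOKI"
        struct.pack_into("<I", hdr, LOKI_OFFSET + 4, loki_kind)
    return bytes(hdr) + kernel.ljust(page_size, b"\0") + ramdisk.ljust(page_size, b"\0")
```

The "truncated" flag is worth acting on: a boot image whose header promises more pages than the file holds is either a bad dump or a header edited to point past the data.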
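Added example for the Android Backup entry above (my own code, not from file(1) or the adbextractor project): the header is line oriented, so the payload offset depends on the line lengths rather than sitting at a fixed position, and the magic's commented-out lines 5 to 9 (salts, PBKDF2 rounds, IV, master key blob) only exist when line 4 is not "none". The parser below walks the header, decodes those fields when present, and sanity-checks what sits at the payload offset: a tar header's "ustar" at +257 for plain backups, or a zlib stream header for compressed ones, since Java's Deflater writes zlib framing. build_sample_backup() constructs the samples inline; its hex fields for the encrypted case are placeholders of the documented lengths, not key material.

```python
import io
import tarfile
import zlib

BACKUP_MAGIC = b"ANDROID BACKUP"


def parse_backup_header(data: bytes) -> dict:
    """Parse the line-oriented .ab header and classify what follows it.

    Header lines: 1 magic, 2 version, 3 compressed flag, 4 encryption
    ("none" or "AES-256"). Encrypted backups add 5 user-password salt,
    6 master-key checksum salt, 7 PBKDF2 rounds, 8 user-key IV and
    9 the encrypted master-key blob, all hex. The payload (a tar stream,
    deflated if line 3 is "1") starts right after the last header line.
    """
    if not data.startswith(BACKUP_MAGIC + b"\n"):
        raise ValueError("not an Android backup")
    lines, pos, want = [], 0, 4
    while len(lines) < want:
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated header after %d line(s)" % len(lines))
        lines.append(data[pos:nl])
        pos = nl + 1
        if len(lines) == 4 and lines[3] != b"none":
            want = 9                       # encrypted: five more header lines
    info = {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii", "replace"),
        "payload_offset": pos,
    }
    if want == 9:
        info.update({
            "user_salt": bytes.fromhex(lines[4].decode()),
            "checksum_salt": bytes.fromhex(lines[5].decode()),
            "pbkdf2_rounds": int(lines[6]),
            "user_iv": bytes.fromhex(lines[7].decode()),
            "master_key_blob": bytes.fromhex(lines[8].decode()),
        })
    payload = data[pos:]
    if info["encryption"] != "none":
        info["payload_kind"] = "encrypted"
    elif info["compressed"]:
        # zlib framing: CM=8 in the CMF byte and (CMF<<8 | FLG) divisible by 31
        zlib_ok = (len(payload) >= 2 and (payload[0] & 0x0F) == 8
                   and ((payload[0] << 8) | payload[1]) % 31 == 0)
        info["payload_kind"] = "zlib" if zlib_ok else "unknown"
    else:
        # plain tar: the "ustar" magic sits at offset 257 of the first header block
        info["payload_kind"] = "tar" if payload[257:262] == b"ustar" else "unknown"
    return info


def build_sample_backup(compressed: bool, encrypted: bool = False) -> bytes:
    """Constructed sample: a one-entry tar (a fake _manifest) behind a version 5 header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        body = b"1\ncom.example.app\n"
        ti = tarfile.TarInfo("apps/com.example.app/_manifest")
        ti.size = len(body)
        tf.addfile(ti, io.BytesIO(body))
    tar = buf.getvalue()
    header = BACKUP_MAGIC + b"\n5\n" + (b"1\n" if compressed else b"0\n")
    if encrypted:
        # placeholder hex of the documented lengths (128/128/32/192 digits), not key material
        header += (b"AES-256\n" + b"00" * 64 + b"\n" + b"11" * 64 + b"\n10000\n"
                   + b"22" * 16 + b"\n" + b"33" * 96 + b"\n")
        return header + b"\x99" * 64          # stands in for ciphertext
    header += b"none\n"
    return header + (zlib.compress(tar) if compressed else tar)
```

For an unencrypted, uncompressed backup the header is 24 bytes ("ANDROID BACKUP\n", "1\n", "0\n", "none\n"), so the first tar header block starts at 24; a caller who wants to hand the payload to tarfile or zlib should slice at payload_offset rather than at a constant.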
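Added example for the PIT entries above (my own code, not from file(1), Odin or Heimdall): the magic spells out 18 entry offsets by hand because it has no loop, but the table is a fixed-stride array of 0x84-byte entries after a 0x1C-byte header, which is exactly what the consecutive offsets 0x01C, 0x0A0, 0x124, ... encode. The parser below generalizes that to any entry count, applies the same "first two words below 4" garbage test per entry, and refuses tables that claim more entries than the file holds. The per-entry field layout is the one Heimdall's libpit uses and is an assumption here; the partition name, flags bit 2 and filename offsets agree with the magic. build_sample_pit() constructs a two-entry table inline.

```python
import struct

PIT_MAGIC = 0x12349876
PIT_HEADER_SIZE = 0x1C
PIT_ENTRY_SIZE = 0x84       # 0x0A0 - 0x01C, the stride between the entries above
ATTR_WRITE = 0x2            # the flag bit the magic prints as +RW


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pit(data: bytes) -> list:
    """Walk every entry of a Samsung PIT instead of 18 hard-coded offsets.

    Entry layout assumed here (as documented by Heimdall's libpit):
    binary_type, device_type, identifier, attributes, update_attributes,
    block_size_or_offset, block_count, file_offset, file_size (nine u32),
    partition_name[32] at 0x24, flash_filename[32] at 0x44,
    fota_filename[32] at 0x64.
    """
    if len(data) < PIT_HEADER_SIZE:
        raise ValueError("shorter than a PIT header")
    magic, count = struct.unpack_from("<II", data, 0)
    if magic != PIT_MAGIC:
        raise ValueError("not a PIT file")
    if count >= 128:                       # same plausibility bound the magic applies
        raise ValueError("implausible entry count %d" % count)
    need = PIT_HEADER_SIZE + count * PIT_ENTRY_SIZE
    if len(data) < need:
        raise ValueError("%d entries need %d bytes, file has %d" % (count, need, len(data)))
    entries = []
    for i in range(count):
        off = PIT_HEADER_SIZE + i * PIT_ENTRY_SIZE
        (binary_type, device_type, identifier, attributes, _update_attributes,
         block_offset, block_count, file_offset, file_size) = struct.unpack_from("<9I", data, off)
        if binary_type > 3 or device_type > 3:
            # the magic's ulequad&0xFFFFFFFCFFFFFFFC == 0 test, applied per entry
            raise ValueError("entry %d looks like garbage, not a PIT entry" % i)
        entries.append({
            "index": i,
            "binary_type": binary_type,
            "device_type": device_type,
            "id": identifier,
            "writable": bool(attributes & ATTR_WRITE),
            "block_offset": block_offset,
            "block_count": block_count,
            "file_offset": file_offset,
            "file_size": file_size,
            "name": _cstr(data[off + 0x24:off + 0x44]),
            "flash_filename": _cstr(data[off + 0x44:off + 0x64]),
            "fota_filename": _cstr(data[off + 0x64:off + 0x84]),
        })
    return entries


def build_sample_pit() -> bytes:
    """Constructed sample with two entries; not a table from any real device."""
    def entry(identifier, attrs, block_offset, block_count, name, flash_name):
        e = bytearray(PIT_ENTRY_SIZE)
        struct.pack_into("<9I", e, 0, 0, 2, identifier, attrs, 0, block_offset, block_count, 0, 0)
        e[0x24:0x24 + len(name)] = name
        e[0x44:0x44 + len(flash_name)] = flash_name
        return bytes(e)
    header = bytearray(PIT_HEADER_SIZE)
    struct.pack_into("<II", header, 0, PIT_MAGIC, 2)
    return (bytes(header)
            + entry(0x50, ATTR_WRITE, 34, 8192, b"BOOTLOADER", b"sboot.bin")
            + entry(0x01, 0, 0, 0, b"PIT", b""))
```

When reviewing a PIT taken from a device, the entries flagged writable whose names match the bootloader or TrustZone partitions (IDs 0x50 and 0x51 in the magic's list) are the ones a flashing tool can overwrite, so they deserve a second look.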
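Added example for the sparse image entry above (my own code, not from file(1) or libsparse): the magic reports block size, block count and chunk count, and the next thing a practitioner wants is the raw image those chunks expand to, e.g. to mount a system.img dump. The function below implements the four chunk types from sparse_format.h (RAW, FILL, DONT_CARE, CRC32) and, because sparse headers are attacker-controlled input when the image comes from an untrusted OTA or dump, checks every size before using it and caps the output it is willing to produce. build_sample_sparse() constructs a four-chunk image inline.

```python
import struct
import zlib

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4


def unsparse(data: bytes, max_output: int = 1 << 30) -> bytes:
    """Expand a version-1 Android sparse image into raw device contents.

    sparse_format.h: file header = magic u32, major u16, minor u16,
    file_hdr_sz u16, chunk_hdr_sz u16, blk_sz u32, total_blks u32,
    total_chunks u32, image_checksum u32. Chunk header = chunk_type u16,
    reserved u16, chunk_sz u32 (blocks), total_sz u32 (header + payload).
    """
    if len(data) < 28:
        raise ValueError("shorter than a sparse header")
    (magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _cksum) = struct.unpack_from("<IHHHHIIII", data, 0)
    if magic != SPARSE_MAGIC or major != 1:
        raise ValueError("not a version-1 sparse image")
    if blk_sz == 0 or blk_sz % 4 or file_hdr_sz < 28 or chunk_hdr_sz < 12:
        raise ValueError("malformed sparse header")
    if total_blks * blk_sz > max_output:
        raise ValueError("header promises %d bytes, above the %d limit" % (total_blks * blk_sz, max_output))

    out = bytearray()
    pos = file_hdr_sz
    for index in range(total_chunks):
        if pos + chunk_hdr_sz > len(data):
            raise ValueError("chunk %d header runs past end of file" % index)
        chunk_type, _res, chunk_blocks, total_sz = struct.unpack_from("<HHII", data, pos)
        if total_sz < chunk_hdr_sz or pos + total_sz > len(data):
            raise ValueError("chunk %d claims %d bytes at %d, file has %d" % (index, total_sz, pos, len(data)))
        payload = data[pos + chunk_hdr_sz:pos + total_sz]
        nbytes = chunk_blocks * blk_sz
        if chunk_type == CHUNK_RAW:
            if len(payload) != nbytes:
                raise ValueError("raw chunk %d: %d payload bytes for %d blocks" % (index, len(payload), chunk_blocks))
            out += payload
        elif chunk_type == CHUNK_FILL:
            if len(payload) != 4:
                raise ValueError("fill chunk %d needs a 4-byte pattern" % index)
            out += payload * (nbytes // 4)
        elif chunk_type == CHUNK_DONT_CARE:
            out += b"\0" * nbytes          # left unwritten on flash; zero-filled here
        elif chunk_type == CHUNK_CRC32:
            if len(payload) != 4:
                raise ValueError("crc32 chunk %d needs a 4-byte value" % index)
            if zlib.crc32(out) != struct.unpack("<I", payload)[0]:
                raise ValueError("crc32 chunk %d does not match the data so far" % index)
        else:
            raise ValueError("chunk %d has unknown type %#x" % (index, chunk_type))
        if len(out) > total_blks * blk_sz:
            raise ValueError("chunks expand past the %d blocks in the header" % total_blks)
        pos += total_sz
    if len(out) != total_blks * blk_sz:
        raise ValueError("expanded %d bytes, header promised %d" % (len(out), total_blks * blk_sz))
    return bytes(out)


def build_sample_sparse(blk_sz: int = 4) -> bytes:
    """Constructed sample: RAW x2 blocks, FILL x2, DONT_CARE x1, then a CRC32 chunk."""
    raw = b"ABCDEFGH"
    expected = raw + b"\xaa\xbb\xcc\xdd" * 2 + b"\0" * 4
    chunks = [
        struct.pack("<HHII", CHUNK_RAW, 0, 2, 12 + len(raw)) + raw,
        struct.pack("<HHII", CHUNK_FILL, 0, 2, 16) + b"\xaa\xbb\xcc\xdd",
        struct.pack("<HHII", CHUNK_DONT_CARE, 0, 1, 12),
        struct.pack("<HHII", CHUNK_CRC32, 0, 0, 16) + struct.pack("<I", zlib.crc32(expected)),
    ]
    header = struct.pack("<IHHHHIIII", SPARSE_MAGIC, 1, 0, 28, 12, blk_sz,
                         len(expected) // blk_sz, len(chunks), 0)
    return header + b"".join(chunks)
```

The max_output cap matters because total_blks and chunk_sz are 32-bit fields chosen by whoever produced the image; a DONT_CARE chunk of a few million blocks is a handful of bytes on disk but gigabytes once expanded.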

# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
0	lelong	0x00080003	Android binary XML

# Android cryptfs footer
# From https://android.googlesource.com/\
# platform/system/vold/+/refs/heads/master/cryptfs.h
0	lelong	0xd0b5b1c4	Android cryptfs footer
>4	leshort	x	\b, version: %d
>6	leshort	x	\b.%d

# Android Vdex format
# From https://android.googlesource.com/\
# platform/art/+/master/runtime/vdex_file.h
0	string	vdex	Android vdex file,
>4	string	>000	verifier deps version: %s,
>8	string	>000	dex section version: %s,
>12	lelong	>0	number of dex files: %d,
>16	lelong	>0	verifier deps size: %d

# Android Vdex format, dex file currently being updated
# by the Android system
# From https://android.googlesource.com/\
# platform/art/+/master/dex2oat/dex2oat.cc
0	string	wdex	Android vdex file, being processed by dex2oat,
>4	string	>000	verifier deps version: %s,
>8	string	>000	dex section version: %s,
>12	lelong	>0	number of dex files: %d,
>16	lelong	>0	verifier deps size: %d
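Added example for the binary XML entry above (my own code, not from file(1) or androidfw): the 0x00080003 magic is just the first ResChunk_header (type RES_XML_TYPE, headerSize 8), and every following chunk starts with the same 8-byte header, so a compiled AndroidManifest.xml can be walked without decoding its contents. Malformed chunk sizes are a recurring way to crash or mislead APK analysis tools, so the walker below checks that each chunk holds its own header and stays inside the root chunk before advancing. The chunk type constants are from ResourceTypes.h; build_sample_axml() constructs a minimal document (empty string pool, empty resource map, one element) inline.

```python
import struct

RES_XML_TYPE = 0x0003
CHUNK_NAMES = {
    0x0001: "string pool",
    0x0180: "resource map",
    0x0100: "start namespace",
    0x0101: "end namespace",
    0x0102: "start element",
    0x0103: "end element",
    0x0104: "cdata",
}


def walk_axml(data: bytes) -> list:
    """List the top-level chunks of an Android binary XML blob as (offset, type, name, size).

    Every chunk begins with a ResChunk_header: type u16, headerSize u16, size u32.
    Sizes are taken from the file, so each one is checked before it is trusted.
    """
    if len(data) < 8:
        raise ValueError("too short for a ResChunk_header")
    root_type, root_hdr, root_size = struct.unpack_from("<HHI", data, 0)
    if root_type != RES_XML_TYPE or root_hdr != 8:
        raise ValueError("not Android binary XML (type %#x, headerSize %d)" % (root_type, root_hdr))
    if root_size < 8 or root_size > len(data):
        raise ValueError("root size %d disagrees with file length %d" % (root_size, len(data)))
    chunks = []
    pos = root_hdr
    while pos < root_size:
        if pos + 8 > root_size:
            raise ValueError("trailing %d bytes are not a full chunk header" % (root_size - pos))
        ctype, hdr_size, size = struct.unpack_from("<HHI", data, pos)
        # A chunk must at least hold its own header and must end inside the root chunk.
        if hdr_size < 8 or size < hdr_size or pos + size > root_size:
            raise ValueError("chunk %#x at %d has inconsistent sizes (%d/%d)" % (ctype, pos, hdr_size, size))
        chunks.append((pos, ctype, CHUNK_NAMES.get(ctype, "unknown"), size))
        pos += size
    return chunks


def build_sample_axml() -> bytes:
    """Constructed sample: empty string pool, empty resource map, one start/end element pair."""
    # ResStringPool_header: chunk header + stringCount, styleCount, flags, stringsStart, stylesStart
    pool = struct.pack("<HHIIIIII", 0x0001, 28, 28, 0, 0, 0, 28, 0)
    resmap = struct.pack("<HHI", 0x0180, 8, 8)
    # ResXMLTree_node (16 bytes: header, lineNumber, comment) + ResXMLTree_attrExt (20 bytes)
    start_el = (struct.pack("<HHIII", 0x0102, 16, 36, 1, 0xFFFFFFFF)
                + struct.pack("<IIHHHHHH", 0xFFFFFFFF, 0, 20, 20, 0, 0, 0, 0))
    # ResXMLTree_node + ResXMLTree_endElementExt (ns, name)
    end_el = struct.pack("<HHIII", 0x0103, 16, 24, 1, 0xFFFFFFFF) + struct.pack("<II", 0xFFFFFFFF, 0)
    body = pool + resmap + start_el + end_el
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(body)) + body
```

A real manifest parser builds on the same loop: the string pool chunk resolves the name indices inside the element chunks, and nothing in those chunks should be dereferenced until the chunk that carries it has passed the size checks.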