android revision 284778 
1
2#------------------------------------------------------------
3# $File: android,v 1.8 2015/03/19 18:04:37 christos Exp $
4# Various android related magic entries
5#------------------------------------------------------------
6
7# Dalvik .dex format. http://retrodev.com/android/dexformat.html
8# From <mkf@google.com> "Mike Fleming"
9# Fixed to avoid regexec 17 errors on some dex files
10# From <diff@lookout.com> "Tim Strazzere"
110	string	dex\n
12>0	regex	dex\n[0-9]{2}\0	Dalvik dex file
13>4	string	>000			version %s
140	string	dey\n
15>0	regex	dey\n[0-9]{2}\0	Dalvik dex file (optimized for host)
16>4	string	>000			version %s
17
18# Android bootimg format
19# From https://android.googlesource.com/\
20# platform/system/core/+/master/mkbootimg/bootimg.h
210		string	ANDROID!	Android bootimg
22>1024	string	LOKI\01		\b, LOKI'd
23>8		lelong	>0			\b, kernel
24>>12	lelong	>0			\b (0x%x)
25>16		lelong	>0			\b, ramdisk
26>>20	lelong	>0			\b (0x%x)
27>24		lelong	>0			\b, second stage
28>>28	lelong	>0			\b (0x%x)
29>36		lelong	>0			\b, page size: %d
30>38		string	>0			\b, name: %s
31>64		string	>0		 	\b, cmdline (%s)
32
33# Android Backup archive
34# From: Ariel Shkedi
35# File extension: .ab
36# No mime-type defined
37# URL: https://github.com/android/platform_frameworks_base/blob/\
38# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
39# android/server/BackupManagerService.java#L2367
40# After the header comes a tar file
41# If compressed, the entire tar file is compressed with JAVA deflate
42#
43# Include the version number hardcoded with the magic string to avoid
44# false positives
450	string/b	ANDROID\ BACKUP\n1\n	Android Backup
46>17	string		0\n			\b, Not-Compressed
47>17	string		1\n			\b, Compressed
48# any string as long as it's not the word none (which is matched below)
49>>19    regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
50>>19	string		none\n			\b, Not-Encrypted
51# Commented out because they don't seem useful to print
52# (but they are part of the header - the tar file comes after them):
53#>>>&1		regex/1l .*	\b, Password salt: %s
54#>>>>&1		regex/1l .*	\b, Master salt: %s
55#>>>>>&1	regex/1l .*	\b, PBKDF2 rounds: %s
56#>>>>>>&1	regex/1l .*	\b, IV: %s
57#>>>>>>>&1	regex/1l .*	\b, Key: %s
58
59# *.pit files by Joerg Jenderek
60# http://forum.xda-developers.com/showthread.php?p=9122369
61# http://forum.xda-developers.com/showthread.php?t=816449
62# Partition Information Table for Samsung's smartphone with Android
63# used by flash software Odin
640		ulelong			0x12349876	
65# 1st pit entry marker
66>0x01C	ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000	
67# minimal 13 and maximal 18 PIT entries found
68>>4		ulelong			<128	Partition Information Table for Samsung smartphone
69>>>4		ulelong			x	\b, %d entries
70# 1. pit entry
71>>>4		ulelong			>0	\b; #1
72>>>0x01C	use				PIT-entry
73>>>4		ulelong			>1	\b; #2
74>>>0x0A0	use				PIT-entry
75>>>4		ulelong			>2	\b; #3
76>>>0x124	use				PIT-entry
77>>>4		ulelong			>3	\b; #4
78>>>0x1A8	use				PIT-entry
79>>>4		ulelong			>4	\b; #5
80>>>0x22C	use				PIT-entry
81>>>4		ulelong			>5	\b; #6
82>>>0x2B0	use				PIT-entry
83>>>4		ulelong			>6	\b; #7
84>>>0x334	use				PIT-entry
85>>>4		ulelong			>7 	\b; #8
86>>>0x3B8	use				PIT-entry
87>>>4		ulelong			>8 	\b; #9
88>>>0x43C	use				PIT-entry
89>>>4		ulelong			>9	\b; #10
90>>>0x4C0	use				PIT-entry
91>>>4		ulelong			>10	\b; #11
92>>>0x544	use				PIT-entry
93>>>4		ulelong			>11	\b; #12
94>>>0x5C8	use				PIT-entry
95>>>4		ulelong			>12	\b; #13
96>>>>0x64C	use				PIT-entry
97# 14. pit entry
98>>>4		ulelong			>13	\b; #14
99>>>>0x6D0	use				PIT-entry
100>>>4		ulelong			>14	\b; #15
101>>>0x754	use				PIT-entry
102>>>4		ulelong			>15	\b; #16
103>>>0x7D8	use				PIT-entry
104>>>4		ulelong			>16	\b; #17
105>>>0x85C	use				PIT-entry
106# 18. pit entry
107>>>4		ulelong			>17	\b; #18
108>>>0x8E0	use				PIT-entry
109
1100	name			PIT-entry
111# garbage value implies end of pit entries
112>0x00		ulequad&0xFFFFFFFCFFFFFFFC	=0x0000000000000000	
113# skip empty partition name
114>>0x24		ubyte				!0			
115# partition name
116>>>0x24		string				>\0			%-.32s
117# flags
118>>>0x0C		ulelong&0x00000002		2			\b+RW
119# partition ID:
120# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER
121# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
122>>>0x08	ulelong		x			(0x%x)
123# filename
124>>>0x44		string				>\0			"%-.64s"
125#>>>0x18	ulelong				>0			
126# blocksize in 512 byte units ?
127#>>>>0x18	ulelong				x			\b, %db
128# partition size in blocks ?
129#>>>>0x22	ulelong				x			\b*%d
130
131# Android bootimg format
132# From https://android.googlesource.com/\
133# platform/system/core/+/master/libsparse/sparse_format.h
1340		lelong	0xed26ff3a		Android sparse image
135>4		leshort	x			\b, version: %d
136>6		leshort	x			\b.%d
137>16		lelong	x			\b, Total of %d
138>12		lelong	x			\b %d-byte output blocks in
139>20		lelong	x			\b %d input chunks.
140
141# Android binary XML magic
142# In include/androidfw/ResourceTypes.h:
143# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
144# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
1450	lelong	0x00080003	Android binary XML
146