#--------------------File Systems---------------------
# Minix filesystems - Juan Cespedes <cespedes@debian.org>
# These signatures are useless until they can be improved.
#0x410 leshort 0x137f Minix filesystem
#>0x402 beshort !0 \b, %d zones
#>0x1e string minix \b, bootable
#0x410 leshort 0x138f Minix filesystem, 30 char names
#0x410 leshort 0x2468 Minix filesystem, version 2
#0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names
#0x410 leshort 0x4d5a Minix filesystem, version 3
#0x410 leshort 0x4d6a Minix filesystem, version 3, 30 char names
#0x410 beshort 0x137f Minix filesystem (big endian)
#>0x402 beshort !0 \b, %d zones
#>0x1e string minix \b, bootable
#0x410 beshort 0x138f Minix filesystem (big endian), 30 char names
#0x410 beshort 0x2468 Minix filesystem (big endian), version 2
#0x410 beshort 0x2478 Minix filesystem (big endian), version 2, 30 char names
#0x410 beshort 0x4d5a Minix filesystem (big endian), version 3
#0x410 beshort 0x4d6a Minix filesystem (big endian), version 3, 30 char names
# YAFFS
0 string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF YAFFS filesystem
# EFS2 file system - jojo@utulsa.edu
0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian,
>8 string !EFSSuper invalid,
>4 leshort &1 NAND
>4 leshort ^1 NOR
>4 leshort x version 0x%x,
>24 lelong x %d blocks,
>16 lelong x 0x%x pages per block,
>20 lelong x 0x%x bytes per page
0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian,
>8 string !SSFErepu invalid,
>4 beshort &1 NAND
>4 beshort ^1 NOR
>4 beshort x version 0x%x,
>24 belong x %d blocks,
>16 belong x 0x%x pages per block,
>20 belong x 0x%x bytes per page
# TROC file system
0 string TROC TROC filesystem,
>4 lelong x %d file entries
# PFS file system
0 string PFS/ PFS filesystem,
>4 string x version "%s",
>14 leshort x %d files
# MPFS file system
0 string MPFS MPFS (Microchip) filesystem,
>4 byte x version %d.
>5 byte x \b%d,
>6 leshort x %d file entries
# cramfs filesystem - russell@coker.com.au
0 lelong 0x28cd3d45 CramFS filesystem, little endian
>4 lelong <0 invalid
>4 lelong >1073741824 invalid
>4 lelong x size %lu
>8 lelong &1 version #2
>8 lelong &2 sorted_dirs
>8 lelong &4 hole_support
>32 lelong x CRC 0x%x,
>36 lelong x edition %lu,
>40 lelong <0 invalid
>40 lelong x %lu blocks,
>44 lelong <0 invalid
>44 lelong x %lu files
>4 lelong x {jump-to-offset:%lu}
>4 lelong x {file-size:%lu}
0 belong 0x28cd3d45 CramFS filesystem, big endian
>4 belong <0 invalid
>4 belong >1073741824 invalid
>4 belong x size %lu
>8 belong &1 version #2
>8 belong &2 sorted_dirs
>8 belong &4 hole_support
>32 belong x CRC 0x%x,
>36 belong x edition %lu,
>40 belong <0 invalid
>40 belong x %lu blocks,
>44 belong <0 invalid
>44 belong x %lu files
>4 belong x {jump-to-offset:%lu}
>4 belong x {file-size:%lu}
# JFFS2 file system
# If used with binwalk's smart signature feature (on by default, -S to disable)
# this signature can potentially lead to missing some JFFS2 file systems if there
# are multiple JFFS2 file systems in a target file and there are no other identified
# files in between the JFFS2 file systems. This is an unlikely scenario however, and
# the below signatures are much improved in terms of readability and accuracy in the
# vast majority of real world scenarios.
0 leshort 0x1985 JFFS2 filesystem, little endian
>2 leshort !0xE001
>>2 leshort !0xE002
>>>2 leshort !0x2003
>>>>2 leshort !0x2004
>>>>>2 leshort !0x2006
>>>>>>2 leshort !0xE008
>>>>>>>2 leshort !0xE009 \b, invalid
>(4.l) leshort !0x1985
>>(4.l+1) leshort !0x1985
>>>(4.l+2) leshort !0x1985
>>>>(4.l+3) leshort !0x1985
>>>>>(4.l) leshort !0xFFFF
>>>>>>(4.l+1) leshort !0xFFFF
>>>>>>>(4.l+2) leshort !0xFFFF
>>>>>>>>(4.l+3) leshort !0xFFFF \b, invalid
>4 lelong 0 invalid
>4 lelong <0 invalid
>4 lelong x {one-of-many}{jump-to-offset:%d}
0 beshort 0x1985 JFFS2 filesystem, big endian
>2 beshort !0xE001
>>2 beshort !0xE002
>>>2 beshort !0x2003
>>>>2 beshort !0x2004
>>>>>2 beshort !0x2006
>>>>>>2 beshort !0xE008
>>>>>>>2 beshort !0xE009 \b, invalid
>(4.L) beshort !0x1985
>>(4.L+1) beshort !0x1985
>>>(4.L+2) beshort !0x1985
>>>>(4.L+3) beshort !0x1985
>>>>>(4.L) beshort !0xFFFF
>>>>>>(4.L+1) beshort !0xFFFF
>>>>>>>(4.L+2) beshort !0xFFFF
>>>>>>>>(4.L+3) beshort !0xFFFF \b, invalid
>4 belong 0 invalid
>4 belong <0 invalid
>4 belong x {one-of-many}{jump-to-offset:%d}
# Squashfs, big endian
0 string sqsh Squashfs filesystem, big endian,
>28 beshort >10 invalid
>28 beshort <1 invalid
>30 beshort >10 invalid
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
>>20 beshort 0 \binvalid,
>>20 beshort >4 \binvalid,
>28 beshort <3
>>8 belong x size: %d bytes,
>28 beshort 3
>>63 bequad x size: %lld bytes,
>28 beshort >3
>>40 bequad x size: %lld bytes,
>4 belong x %d inodes,
>28 beshort >3
>>12 belong blocksize: %d bytes,
>28 beshort <2
>>32 beshort x blocksize: %d bytes,
>28 beshort 2
>>51 belong x blocksize: %d bytes,
>28 beshort 3
>>51 belong x blocksize: %d bytes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump-to-offset:%d}
>28 beshort 3
>>63 bequad x {jump-to-offset:%lld}
>28 beshort >3
>>40 bequad x {jump-to-offset:%lld}
# Squashfs, little endian
0 string hsqs Squashfs filesystem, little endian,
>28 leshort >10 invalid
>28 leshort <1 invalid
>30 leshort >10 invalid
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition),
>>20 leshort 0 \binvalid,
>>20 leshort >4 \binvalid,
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d}
>28 leshort 3
>>63 lequad x size: %lld bytes,
>>63 lequad x {file-size:%lld}
>28 leshort >3
>>40 lequad x size: %lld bytes,
>>40 lequad x {file-size:%lld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong blocksize: %d bytes,
>28 leshort <2
>>32 leshort x blocksize: %d bytes,
>28 leshort 2
>>51 lelong x blocksize: %d bytes,
>28 leshort 3
>>51 lelong x blocksize: %d bytes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
>28 leshort <4
>>39 ledate x created: %s
>28 leshort >3
>>8 ledate x created: %s
>28 leshort <3
>>8 lelong x {jump-to-offset:%d}
>28 leshort 3
>>63 lequad x {jump-to-offset:%lld}
>28 leshort >3
>>40 lequad x {jump-to-offset:%lld}
# Squashfs with LZMA compression
0 string sqlz Squashfs filesystem, big endian, lzma compression,
>28 beshort >10 invalid
>28 beshort <1 invalid
>30 beshort >10 invalid
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
>>20 beshort 0 \binvalid,
>>20 beshort >4 \binvalid,
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {file-size:%d}
>28 beshort 3
>>63 bequad x size: %lld bytes,
>>63 bequad x {file-size:%lld}
>28 beshort >3
>>40 bequad x size: %lld bytes,
>>40 bequad x {file-size:%lld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong blocksize: %d bytes,
>28 beshort <2
>>32 beshort x blocksize: %d bytes,
>28 beshort 2
>>51 belong x blocksize: %d bytes,
>28 beshort 3
>>51 belong x blocksize: %d bytes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump-to-offset:%d}
>28 beshort 3
>>63 bequad x {jump-to-offset:%lld}
>28 beshort >3
>>40 bequad x {jump-to-offset:%lld}
# Squashfs 3.3 LZMA signature
0 string qshs Squashfs filesystem, big endian, lzma signature,
>28 beshort >10 invalid
>28 beshort <1 invalid
>30 beshort >10 invalid
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
>>20 beshort 0 \binvalid,
>>20 beshort >4 \binvalid,
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {file-size:%d}
>28 beshort 3
>>63 bequad x size: %lld bytes,
>>63 bequad x {file-size:%lld}
>28 beshort >3
>>40 bequad x size: %lld bytes,
>>40 bequad x {file-size:%lld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong blocksize: %d bytes,
>28 beshort <2
>>32 beshort x blocksize: %d bytes,
>28 beshort 2
>>51 belong x blocksize: %d bytes,
>28 beshort 3
>>51 belong x blocksize: %d bytes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump-to-offset:%d}
>28 beshort 3
>>63 bequad x {jump-to-offset:%lld}
>28 beshort >3
>>40 bequad x {jump-to-offset:%lld}
# Squashfs for DD-WRT
0 string tqsh Squashfs filesystem, big endian, DD-WRT signature,
>28 beshort >10 invalid
>28 beshort <1 invalid
>30 beshort >10 invalid
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
>>20 beshort 0 \binvalid,
>>20 beshort >4 \binvalid,
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {file-size:%d}
>28 beshort 3
>>63 bequad x size: %lld bytes,
>>63 bequad x {file-size:%lld}
>28 beshort >3
>>40 bequad x size: %lld bytes,
>>40 bequad x {file-size:%lld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong blocksize: %d bytes,
>28 beshort <2
>>32 beshort x blocksize: %d bytes,
>28 beshort 2
>>51 belong x blocksize: %d bytes,
>28 beshort 3
>>51 belong x blocksize: %d bytes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump-to-offset:%d}
>28 beshort 3
>>63 bequad x {jump-to-offset:%lld}
>28 beshort >3
>>40 bequad x {jump-to-offset:%lld}
# Squashfs for DD-WRT
0 string hsqt Squashfs filesystem, little endian, DD-WRT signature,
>28 leshort >10 invalid
>28 leshort <1 invalid
>30 leshort >10 invalid
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition),
>>20 leshort 0 \binvalid,
>>20 leshort >4 \binvalid,
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d}
>28 leshort 3
>>63 lequad x size: %lld bytes,
>>63 lequad x {file-size:%lld}
>28 leshort >3
>>40 lequad x size: %lld bytes,
>>40 lequad x {file-size:%lld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong blocksize: %d bytes,
>28 leshort <2
>>32 leshort x blocksize: %d bytes,
>28 leshort 2
>>51 lelong x blocksize: %d bytes,
>28 leshort 3
>>51 lelong x blocksize: %d bytes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
>28 leshort <4
>>39 ledate x created: %s
>28 leshort >3
>>8 ledate x created: %s
>28 leshort <3
>>8 lelong x {jump-to-offset:%d}
>28 leshort 3
>>63 lequad x {jump-to-offset:%lld}
>28 leshort >3
>>40 lequad x {jump-to-offset:%lld}
# Non-standard Squashfs signature found on some D-Link routers
0 string shsq Squashfs filesystem, little endian, non-standard signature,
>28 leshort >10 invalid
>28 leshort <1 invalid
>30 leshort >10 invalid
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition),
>>20 leshort 0 \binvalid,
>>20 leshort >4 \binvalid,
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d}
>28 leshort 3
>>63 lequad x size: %lld bytes,
>>63 lequad x {file-size:%lld}
>28 leshort >3
>>40 lequad x size: %lld bytes,
>>40 lequad x {file-size:%lld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong blocksize: %d bytes,
>28 leshort <2
>>32 leshort x blocksize: %d bytes,
>28 leshort 2
>>51 lelong x blocksize: %d bytes,
>28 leshort 3
>>51 lelong x blocksize: %d bytes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
>28 leshort <4
>>39 ledate x created: %s
>28 leshort >3
>>8 ledate x created: %s
>28 leshort <3
>>8 lelong x {jump-to-offset:%d}
>28 leshort 3
>>63 lequad x {jump-to-offset:%lld}
>28 leshort >3
>>40 lequad x {jump-to-offset:%lld}
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0 leshort 0xEF53 Linux EXT filesystem,{offset-adjust:-0x438}
>2 leshort >4 invalid state
>2 leshort 3 invalid state
>2 leshort <0 invalid state
>4 leshort >3 invalid error behavior
>4 leshort <0 invalid error behavior
>4 lelong >1 invalid major revision
>4 lelong <0 invalid major revision
>4 lelong x rev %d
>6 leshort x \b.%d
# No journal? ext2
>36 lelong ^0x0000004 ext2 filesystem data
>>2 leshort ^0x0000001 (mounted or unclean)
# Has a journal? ext3 or ext4
>36 lelong &0x0000004
# and small INCOMPAT?
>>40 lelong <0x0000040
# and small RO_COMPAT?
>>>44 lelong <0x0000008 ext3 filesystem data
# else large RO_COMPAT?
>>>44 lelong >0x0000007 ext4 filesystem data
# else large INCOMPAT?
>>40 lelong >0x000003f ext4 filesystem data
>48 belong x \b, UUID=%08x
>52 beshort x \b-%04x
>54 beshort x \b-%04x
>56 beshort x \b-%04x
>58 belong x \b-%08x
>60 beshort x \b%04x
>64 string >0 \b, volume name "%s"
#romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong >10000000 invalid
>8 belong x size: %d bytes,
>16 string x {file-name:%s}
>16 string x named "%s"
>8 belong x {file-size:%d}
>8 belong x {jump-to-offset:%d}
# Wind River MemFS file system, found in some VxWorks devices
0 string owowowowowowowowowowowowowowow Wind River management filesystem,
>30 string !ow invalid,
>32 belong 1 compressed,
>32 belong 2 plain text,
>36 belong x %d files
# netboot image - Juan Cespedes <cespedes@debian.org>
0 lelong 0x1b031336L Netboot image,
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode (invalid)
0 string WDK\x202.0\x00 WDK file system, version 2.0{offset-adjust:-18}
0 string CD001 ISO{offset-adjust:-32769}
>6144 string !NSR0 9660 CD-ROM filesystem data,
>6144 string NSR0 UDF filesystem data,
>6148 string 1 version 1.0,
>6148 string 2 version 2.0,
>6148 string 3 version 3.0
>6148 byte >0x33 invalid version,
>6148 byte <0x31 invalid version,
>38 string >\0 volume name: "%s",
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable
# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0 string DOSEMU\0 DOS Emulator image
>0x27E leshort !0xAA55 \b, invalid
>0x27E leshort 0xAA55
#offset is 128
>>19 byte 128
>>>(19.b-1) byte 0x0
>>>>7 lelong >0 \b, %d heads
>>>>11 lelong >0 \b, %d sectors/track
>>>>15 lelong >0 \b, %d cylinders
# From: Alex Beregszaszi <alex@fsn.hu>
0 string COWD\x03 VMWare3 disk image,
>32 lelong x (%d/
>36 lelong x \b%d/
>40 lelong x \b%d)
0 string COWD\x02 VMWare3 undoable disk image,
>32 string >\0 "%s"
# TODO: Add header validation
0 string VMDK VMware4 disk image
0 string KDMV VMware4 disk image
#--------------------------------------------------------------------
# Qemu Emulator Image
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files
0 string QFI\xFB QEMU QCOW Image
# BSD 2.x file system image; used in RetroBSD for PIC32.
0 string FS\x3C\x3C BSD 2.x filesystem,
>1020 string !\x3E\x3EFS invalid (missing FSMAGIC2),
>8 lelong x size: {math:%d*1024} bytes,
>8 lelong x \b{file-size:%d*1024}
>8 lelong x \b{jump-to-offset:%d*1024}
>8 lelong x total blocks: %d,
>972 lelong x free blocks: %d,
>968 ledate x last modified: %s
>980 byte !0
>>980 string x \b, last mounted on: "%s"
# Simple file system found in Foscam camera firmware
0 beshort 0xbd9a Foscam WebUI filesystem,
>2 leshort x checksum: 0x%X,
>16 lelong <3 invalid first file name length,
>16 lelong >127 invalid first file name length,
>20 byte 0 invalid first file name,
>20 byte !0x2E
>>20 byte !0x2F
>>>20 byte <65 invalid first file name,
>>>20 byte >122 invalid first file name,
>20 byte x first file name: {raw-replace}
>16 lelong x {raw-string-length:%d}
>20 string x {raw-string:%s}