Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
B
binwalk
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-gitdep
binwalk
Commits
43ddf9b9
Commit
43ddf9b9
authored
Nov 07, 2014
by
devttys0
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fixed extraction bug; prettified magic files
parent
d95e015d
Hide whitespace changes
Inline
Side-by-side
Showing
12 changed files
with
1281 additions
and
1295 deletions
+1281
-1295
magic.py
src/binwalk/core/magic.py
+1
-0
console
src/binwalk/magic/console
+68
-72
crypto
src/binwalk/magic/crypto
+62
-59
executables
src/binwalk/magic/executables
+277
-281
filesystems
src/binwalk/magic/filesystems
+273
-268
firmware
src/binwalk/magic/firmware
+341
-347
images
src/binwalk/magic/images
+118
-127
kernels
src/binwalk/magic/kernels
+16
-17
lzma
src/binwalk/magic/lzma
+0
-0
misc
src/binwalk/magic/misc
+20
-20
network
src/binwalk/magic/network
+77
-77
sql
src/binwalk/magic/sql
+28
-27
No files found.
src/binwalk/core/magic.py
View file @
43ddf9b9
...
...
@@ -23,6 +23,7 @@ class SignatureResult(object):
self
.
strlen
=
0
self
.
string
=
False
self
.
invalid
=
False
self
.
extract
=
True
# These are set by code internally
self
.
file
=
None
...
...
src/binwalk/magic/console
View file @
43ddf9b9
...
...
@@ -4,99 +4,95 @@
#------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
#
0x104 belong 0xCEED6666 Gameboy ROM,
>0x134 string >\0 name: "%.16s"
>0x146 byte 0x03 \b,[SGB]
>0x147 byte 0x00 \b, [ROM ONLY]
>0x147 byte 0x01 \b, [ROM+MBC1]
>0x147 byte 0x02 \b, [ROM+MBC1+RAM]
>0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT]
>0x147 byte 0x05 \b, [ROM+MBC2]
>0x147 byte 0x06 \b, [ROM+MBC2+BATTERY]
>0x147 byte 0x08 \b, [ROM+RAM]
>0x147 byte 0x09 \b, [ROM+RAM+BATTERY]
>0x147 byte 0x0B \b, [ROM+MMM01]
>0x147 byte 0x0C \b, [ROM+MMM01+SRAM]
>0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT]
>0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT]
>0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT]
>0x147 byte 0x11 \b, [ROM+MBC3]
>0x147 byte 0x12 \b, [ROM+MBC3+RAM]
>0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT]
>0x147 byte 0x19 \b, [ROM+MBC5]
>0x147 byte 0x1A \b, [ROM+MBC5+RAM]
>0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT]
>0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE]
>0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM]
>0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT]
>0x147 byte 0x1F \b, [Pocket Camera]
>0x147 byte 0xFD \b, [Bandai TAMA5]
>0x147 byte 0xFE \b, [Hudson HuC-3]
>0x147 byte 0xFF \b, [Hudson HuC-1]
0x104 ubelong 0xCEED6666 Gameboy ROM,
>0x134 byte !0
>>0x134 string x name: "%.16s"
>0x146 byte 0x03 \b,[SGB]
>0x147 byte 0x00 \b, [ROM ONLY]
>0x147 byte 0x01 \b, [ROM+MBC1]
>0x147 byte 0x02 \b, [ROM+MBC1+RAM]
>0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT]
>0x147 byte 0x05 \b, [ROM+MBC2]
>0x147 byte 0x06 \b, [ROM+MBC2+BATTERY]
>0x147 byte 0x08 \b, [ROM+RAM]
>0x147 byte 0x09 \b, [ROM+RAM+BATTERY]
>0x147 byte 0x0B \b, [ROM+MMM01]
>0x147 byte 0x0C \b, [ROM+MMM01+SRAM]
>0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT]
>0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT]
>0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT]
>0x147 byte 0x11 \b, [ROM+MBC3]
>0x147 byte 0x12 \b, [ROM+MBC3+RAM]
>0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT]
>0x147 byte 0x19 \b, [ROM+MBC5]
>0x147 byte 0x1A \b, [ROM+MBC5+RAM]
>0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT]
>0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE]
>0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM]
>0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT]
>0x147 byte 0x1F \b, [Pocket Camera]
>0x147 byte 0xFD \b, [Bandai TAMA5]
>0x147 byte 0xFE \b, [Hudson HuC-3]
>0x147 byte 0xFF \b, [Hudson HuC-1]
>0x148
byte 0
\b, ROM: 256Kbit
>0x148
byte 1
\b, ROM: 512Kbit
>0x148
byte 2
\b, ROM: 1Mbit
>0x148
byte 3
\b, ROM: 2Mbit
>0x148
byte 4
\b, ROM: 4Mbit
>0x148
byte 5
\b, ROM: 8Mbit
>0x148
byte 6
\b, ROM: 16Mbit
>0x148
byte 0x52
\b, ROM: 9Mbit
>0x148
byte 0x53
\b, ROM: 10Mbit
>0x148
byte 0x54
\b, ROM: 12Mbit
>0x148
byte 0
\b, ROM: 256Kbit
>0x148
byte 1
\b, ROM: 512Kbit
>0x148
byte 2
\b, ROM: 1Mbit
>0x148
byte 3
\b, ROM: 2Mbit
>0x148
byte 4
\b, ROM: 4Mbit
>0x148
byte 5
\b, ROM: 8Mbit
>0x148
byte 6
\b, ROM: 16Mbit
>0x148
byte 0x52
\b, ROM: 9Mbit
>0x148
byte 0x53
\b, ROM: 10Mbit
>0x148
byte 0x54
\b, ROM: 12Mbit
>0x149
byte 1
\b, RAM: 16Kbit
>0x149
byte 2
\b, RAM: 64Kbit
>0x149
byte 3
\b, RAM: 128Kbit
>0x149
byte 4
\b, RAM: 1Mbit
>0x149
byte 1
\b, RAM: 16Kbit
>0x149
byte 2
\b, RAM: 64Kbit
>0x149
byte 3
\b, RAM: 128Kbit
>0x149
byte 4
\b, RAM: 1Mbit
#>0x14e
long x
\b, CRC: %x
#>0x14e
long x
\b, CRC: %x
#------------------------------------------------------------------------------
# genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format
#
0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump,
>0x120 string x Name: "%.16s"
>0x110 string >\0 "%.16s"
>0x1B0 string RA with SRAM
0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump,
>0x120 string x Name: "%.16s",
>0x110 byte !0
>>0x110 string x "%.16s",
>0x1B0 string RA with SRAM
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Nintendo .nds
192 string \044\377\256Qi\232 Nintendo DS Game ROM Image
192 string \044\377\256Qi\232
Nintendo DS Game ROM Image
# Nintendo .gba
0 string \056\000\000\352$\377\256Qi Nintendo Game Boy Advance ROM Image
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0
string PS-X\ EXE
Sony Playstation executable
0
string PS-X\x20EXE
Sony Playstation executable
# Area:
>113 string x (%s)
>113 string x
(%s)
#------------------------------------------------------------------------------
## Microsoft Xbox executables .xbe (Esa Hyytiä <ehyytia@cc.hut.fi>)
0
string
XBEH Microsoft Xbox executable (XBE),
0
string
XBEH Microsoft Xbox executable (XBE),
## probabilistic checks whether signed or not
>0x0004 ulelong =0x0
>>2 ulelong !0x0 \b, {invalid}
>>2 ulelong =0x0
>>>2 ulelong !0x0 \b, {invalid}
>>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>2 ulelong =0x0 \b, {invalid}
>>2 ulelong >0
>>>2 ulelong =0x0 \b, {invalid}
>>>2 ulelong >0 \b, signed
>0x0104 lelong <0 \b, {invalid} base address
>0x0004 ulelong =0x0
>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>2 ulelong >0 \b, signed
## expect base address of 0x10000
>0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007
>>>(0x0118-0x0FF60) ulelong >0 (regions:
>>>>(0x0118-0x0FF60) ulelong &0x00000001 NA
>>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan
>>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World
>>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer
>>>(0x0118-0x0FF60) ulelong >0 \b)
>0x0104 ulelong !0x10000 {invalid}
>0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007
>>>(0x0118-0x0FF60) ulelong >0 (regions:
>>>>(0x0118-0x0FF60) ulelong &0x00000001 NA
>>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan
>>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World
>>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer
>>>(0x0118-0x0FF60) ulelong >0 \b)
# --------------------------------
# # Microsoft Xbox data file formats
...
...
src/binwalk/magic/crypto
View file @
43ddf9b9
...
...
@@ -9,26 +9,28 @@
# Type: OpenSSH key files
# From: Nicolas Collignon <tsointsoin@gmail.com>
0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key,
>28 string >\0 version "%s"
0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key,
>28 byte !0
>>28 string x version "%s"
>28 byte 0 {invalid}
0 string ssh-dss\x20
OpenSSH DSA public key
0 string ssh-rsa\x20
OpenSSH RSA public key
0 string ssh-dss\x20 OpenSSH DSA public key
0 string ssh-rsa\x20 OpenSSH RSA public key
# Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com>
0
string \x30\x82
Private key in DER format (PKCS#8),
>4
string !\x02\x01\x00 {invalid},
>
>2 beshort x
header length: 4, sequence length: %d
0
string \x30\x82
Private key in DER format (PKCS#8),
>4
string !\x02\x01\x00 {invalid}
>
2 beshort x
header length: 4, sequence length: %d
0
string \x30\x82
Certificate in DER format (x509 v3),
>4
string !\x30\x82 {invalid},
>
>2 beshort x
header length: 4, sequence length: %d
0
string \x30\x82
Certificate in DER format (x509 v3),
>4
string !\x30\x82 {invalid}
>
2 beshort x
header length: 4, sequence length: %d
# GnuPG
# The format is very similar to pgp
0
string \001gpg GPG key trust database
>4
byte x version %d
0
string \001gpg GPG key trust database
>4
byte x version %d
# Not a very useful signature
#0 beshort 0x9901 GPG key public ring
...
...
@@ -39,50 +41,50 @@
#------------------------------------------------------------------------------
# Mavroyanopoulos Nikos <nmav@hellug.gr>
# mcrypt: file(1) magic for mcrypt 2.2.x;
#0
string \0m\3
mcrypt 2.5 encrypted data,
#>4
byte 0
{invalid}
#>4
string >\0
algorithm: "%s",
#>>&1
leshort <1
{invalid}
#>>&1
leshort >0
keysize: %d bytes,
#>>>&0
byte 0
{invalid}
#>>>&0
string >\0
mode: "%s",
#0
string \0m\3
mcrypt 2.5 encrypted data,
#>4
byte 0
{invalid}
#>4
string >\0
algorithm: "%s",
#>>&1
leshort <1
{invalid}
#>>&1
leshort >0
keysize: %d bytes,
#>>>&0
byte 0
{invalid}
#>>>&0
string >\0
mode: "%s",
0
string \0m\2
mcrypt 2.2 encrypted data,
>3
byte 0
algorithm: blowfish-448,
>3
byte 1
algorithm: DES,
>3
byte 2
algorithm: 3DES,
>3
byte 3
algorithm: 3-WAY,
>3
byte 4
algorithm: GOST,
>3
byte 6
algorithm: SAFER-SK64,
>3
byte 7
algorithm: SAFER-SK128,
>3
byte 8
algorithm: CAST-128,
>3
byte 9
algorithm: xTEA,
>3
byte 10
algorithm: TWOFISH-128,
>3
byte 11
algorithm: RC2,
>3
byte 12
algorithm: TWOFISH-192,
>3
byte 13
algorithm: TWOFISH-256,
>3
byte 14
algorithm: blowfish-128,
>3
byte 15
algorithm: blowfish-192,
>3
byte 16
algorithm: blowfish-256,
>3
byte 100
algorithm: RC6,
>3
byte 101
algorithm: IDEA,
>3
byte <0 {invalid} algorithm
>3
byte >101 {invalid} algorithm,
>3
byte
>16
>>3
byte <100 {invalid} algorithm,
>4
byte 0
mode: CBC,
>4
byte 1
mode: ECB,
>4
byte 2
mode: CFB,
>4
byte 3
mode: OFB,
>4
byte 4
mode: nOFB,
>4
byte <0 {invalid} mode,
>4
byte >4 {invalid} mode,
>5
byte 0
keymode: 8bit
>5
byte 1
keymode: 4bit
>5
byte 2
keymode: SHA-1 hash
>5
byte 3
keymode: MD5 hash
>5
byte <0 {invalid} keymode
>5
byte >3 {invalid} keymode
0
string \0m\2
mcrypt 2.2 encrypted data,
>3
byte 0
algorithm: blowfish-448,
>3
byte 1
algorithm: DES,
>3
byte 2
algorithm: 3DES,
>3
byte 3
algorithm: 3-WAY,
>3
byte 4
algorithm: GOST,
>3
byte 6
algorithm: SAFER-SK64,
>3
byte 7
algorithm: SAFER-SK128,
>3
byte 8
algorithm: CAST-128,
>3
byte 9
algorithm: xTEA,
>3
byte 10
algorithm: TWOFISH-128,
>3
byte 11
algorithm: RC2,
>3
byte 12
algorithm: TWOFISH-192,
>3
byte 13
algorithm: TWOFISH-256,
>3
byte 14
algorithm: blowfish-128,
>3
byte 15
algorithm: blowfish-192,
>3
byte 16
algorithm: blowfish-256,
>3
byte 100
algorithm: RC6,
>3
byte 101
algorithm: IDEA,
>3
byte <0 {invalid}
>3
byte >101 {invalid}
>3
byte
>16
>>3
byte <100 {invalid}
>4
byte 0
mode: CBC,
>4
byte 1
mode: ECB,
>4
byte 2
mode: CFB,
>4
byte 3
mode: OFB,
>4
byte 4
mode: nOFB,
>4
byte <0 {invalid}
>4
byte >4 {invalid}
>5
byte 0
keymode: 8bit
>5
byte 1
keymode: 4bit
>5
byte 2
keymode: SHA-1 hash
>5
byte 3
keymode: MD5 hash
>5
byte <0 {invalid}
>5
byte >3 {invalid}
#------------------------------------------------------------------------------
# pgp: file(1) magic for Pretty Good Privacy
...
...
@@ -90,13 +92,14 @@
#0 beshort 0x9900 PGP key public ring
#0 beshort 0x9501 PGP key security ring
#0 beshort 0x9500 PGP key security ring
#0
beshort 0xa600
PGP encrypted data
#0
beshort 0xa600
PGP encrypted data
0 string -----BEGIN\040PGP PGP armored data,
>15 string PUBLIC\040KEY\040BLOCK- public key block
>15 string MESSAGE- message
>15 string SIGNED\040MESSAGE- signed message
>15 string PGP\040SIGNATURE- signature
0 string Salted__ OpenSSL encryption, salted,
>8 belong x salt: 0x%X
>12 belong x \b%X
0 string Salted__ OpenSSL encryption, salted,
>8 belong x salt: 0x%X
>12 belong x \b%X
src/binwalk/magic/executables
View file @
43ddf9b9
...
...
@@ -10,231 +10,229 @@
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0
string \177ELF ELF
>4
byte 0 {invalid} class
>4
byte 1
32-bit
0
string \177ELF ELF,
>4
byte 0 {invalid}
>4
byte 1
32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used.
>>18
leshort
8
>>>36
lelong &0x20
N32
>>18
leshort
10
>>>36
lelong &0x20
N32
>>18
beshort
8
>>>36
belong &0x20
N32
>>18
beshort
10
>>>36
belong &0x20
N32
>4
byte 2
64-bit
>4
byte
>2
>>4
byte x
unknown ELF class: 0x%X
>5
byte
!1
>>5
byte !2 {invalid} byte order
>5
byte 1
LSB
>>18
leshort
8
>>>36
lelong &0x20
N32
>>18
leshort
10
>>>36
lelong &0x20
N32
>>18
beshort
8
>>>36
belong &0x20
N32
>>18
beshort
10
>>>36
belong &0x20
N32
>4
byte 2
64-bit
>4
byte
>2
>>4
byte x
unknown ELF class: 0x%X
>5
byte
!1
>>5
byte !2 {invalid}
>5
byte 1
LSB
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8.
>>18
leshort
8
>>18
leshort
8
# only for 32-bit
>>>4
byte
1
>>>>36
lelong&0xf0000000 0x00000000
MIPS-I
>>>>36
lelong&0xf0000000 0x10000000
MIPS-II
>>>>36
lelong&0xf0000000 0x20000000
MIPS-III
>>>>36
lelong&0xf0000000 0x30000000
MIPS-IV
>>>>36
lelong&0xf0000000 0x40000000
MIPS-V
>>>>36
lelong&0xf0000000 0x60000000
MIPS32
>>>>36
lelong&0xf0000000 0x70000000
MIPS64
>>>>36
lelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
lelong&0xf0000000 0x90000000
MIPS64 rel2
>>>4
byte
1
>>>>36
lelong&0xf0000000 0x00000000
MIPS-I
>>>>36
lelong&0xf0000000 0x10000000
MIPS-II
>>>>36
lelong&0xf0000000 0x20000000
MIPS-III
>>>>36
lelong&0xf0000000 0x30000000
MIPS-IV
>>>>36
lelong&0xf0000000 0x40000000
MIPS-V
>>>>36
lelong&0xf0000000 0x60000000
MIPS32
>>>>36
lelong&0xf0000000 0x70000000
MIPS64
>>>>36
ulelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
ulelong&0xf0000000 0x90000000
MIPS64 rel2
# only for 64-bit
>>>4
byte
2
>>>>48
lelong&0xf0000000 0x00000000
MIPS-I
>>>>48
lelong&0xf0000000 0x10000000
MIPS-II
>>>>48
lelong&0xf0000000 0x20000000
MIPS-III
>>>>48
lelong&0xf0000000 0x30000000
MIPS-IV
>>>>48
lelong&0xf0000000 0x40000000
MIPS-V
>>>>48
lelong&0xf0000000 0x60000000
MIPS32
>>>>48
lelong&0xf0000000 0x70000000
MIPS64
>>>>48
lelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
lelong&0xf0000000 0x90000000
MIPS64 rel2
>>16
leshort 0
no file type,
>>16
leshort 1
relocatable,
>>16
leshort 2
executable,
>>16
leshort 3
shared object,
>>>4
byte
2
>>>>48
lelong&0xf0000000 0x00000000
MIPS-I
>>>>48
lelong&0xf0000000 0x10000000
MIPS-II
>>>>48
lelong&0xf0000000 0x20000000
MIPS-III
>>>>48
lelong&0xf0000000 0x30000000
MIPS-IV
>>>>48
lelong&0xf0000000 0x40000000
MIPS-V
>>>>48
lelong&0xf0000000 0x60000000
MIPS32
>>>>48
lelong&0xf0000000 0x70000000
MIPS64
>>>>48
ulelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
ulelong&0xf0000000 0x90000000
MIPS64 rel2
>>16
leshort 0
no file type,
>>16
leshort 1
relocatable,
>>16
leshort 2
executable,
>>16
leshort 3
shared object,
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16 leshort 4 core file
# Core file detection is not reliable.
#>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) lelong >0 (signal %d),
>>16 leshort &0xff00 processor-specific,
>>18 leshort 0 no machine,
>>18 leshort 1 AT&T WE32100 - {invalid} byte order,
>>18 leshort 2 SPARC - {invalid} byte order,
>>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola
>>>36 lelong &0x01000000 68000 - {invalid} byte order,
>>>36 lelong &0x00810000 CPU32 - {invalid} byte order,
>>>36 lelong 0 68020 - {invalid} byte order,
>>18 leshort 5 Motorola 88000 - {invalid} byte order,
>>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860,
>>18 leshort 8 MIPS,
>>18 leshort 9 Amdahl - {invalid} byte order,
>>18 leshort 10 MIPS (deprecated),
>>18 leshort 11 RS6000 - {invalid} byte order,
>>18 leshort 15 PA-RISC - {invalid} byte order,
>>>50 leshort 0x0214 2.0
>>>48 leshort &0x0008 (LP64),
>>18 leshort 16 nCUBE,
>>18 leshort 17 Fujitsu VPP500,
>>18 leshort 18 SPARC32PLUS,
>>18 leshort 20 PowerPC,
>>18 leshort 22 IBM S/390,
>>18 leshort 36 NEC V800,
>>18 leshort 37 Fujitsu FR20,
>>18 leshort 38 TRW RH-32,
>>18 leshort 39 Motorola RCE,
>>18 leshort 40 ARM,
>>18 leshort 41 Alpha,
>>18 leshort 0xa390 IBM S/390 (obsolete),
>>18 leshort 42 Hitachi SH,
>>18 leshort 43 SPARC V9 - {invalid} byte order,
>>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 46 Hitachi H8/300,
>>18 leshort 47 Hitachi H8/300H,
>>18 leshort 48 Hitachi H8S,
>>18 leshort 49 Hitachi H8/500,
>>18 leshort 50 IA-64 (Intel 64 bit architecture)
>>18 leshort 51 Stanford MIPS-X,
>>18 leshort 52 Motorola Coldfire,
>>18 leshort 53 Motorola M68HC12,
>>18 leshort 62 AMD x86-64,
>>18 leshort 75 Digital VAX,
>>18 leshort 97 NatSemi 32k,
>>18 leshort 0x9026 Alpha (unofficial),
>>20 lelong 0 {invalid} version
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB
>>16 leshort 4 core file
>>16 uleshort &0xff00 processor-specific,
>>18 leshort 0 no machine,
>>18 leshort 1 AT&T WE32100 - wrong byte order,{invalid}
>>18 leshort 2 SPARC - wrongbyte order,{invalid}
>>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola
>>>36 lelong &0x01000000 68000 - wrong byte order,{invalid}
>>>36 lelong &0x00810000 CPU32 - wrong byte order,{invalid}
>>>36 lelong 0 68020 - wrong byte order,{invalid}
>>18 leshort 5 Motorola 88000 - wrong byte order,{invalid}
>>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860,
>>18 leshort 8 MIPS,
>>18 leshort 9 Amdahl - wrong byte order,{invalid}
>>18 leshort 10 MIPS (deprecated),
>>18 leshort 11 RS6000 - wrong byte order,{invalid}
>>18 leshort 15 PA-RISC - wrong byte order,{invalid}
>>>50 leshort 0x0214 2.0
>>>48 leshort &0x0008 (LP64),
>>18 leshort 16 nCUBE,
>>18 leshort 17 Fujitsu VPP500,
>>18 leshort 18 SPARC32PLUS,
>>18 leshort 20 PowerPC,
>>18 leshort 22 IBM S/390,
>>18 leshort 36 NEC V800,
>>18 leshort 37 Fujitsu FR20,
>>18 leshort 38 TRW RH-32,
>>18 leshort 39 Motorola RCE,
>>18 leshort 40 ARM,
>>18 leshort 41 Alpha,
>>18 uleshort 0xa390 IBM S/390 (obsolete),
>>18 leshort 42 Hitachi SH,
>>18 leshort 43 SPARC V9 - wrong byte order,{invalid}
>>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 46 Hitachi H8/300,
>>18 leshort 47 Hitachi H8/300H,
>>18 leshort 48 Hitachi H8S,
>>18 leshort 49 Hitachi H8/500,
>>18 leshort 50 IA-64 (Intel 64 bit architecture)
>>18 leshort 51 Stanford MIPS-X,
>>18 leshort 52 Motorola Coldfire,
>>18 leshort 53 Motorola M68HC12,
>>18 leshort 62 AMD x86-64,
>>18 leshort 75 Digital VAX,
>>18 leshort 97 NatSemi 32k,
>>18 uleshort 0x9026 Alpha (unofficial),
>>20 lelong 0 {invalid} invalid version
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB
# only for MIPS - see comment in little-endian section above.
>>18
beshort
8
>>18
beshort
8
# only for 32-bit
>>>4
byte
1
>>>>36
belong&0xf0000000 0x00000000
MIPS-I
>>>>36
belong&0xf0000000 0x10000000
MIPS-II
>>>>36
belong&0xf0000000 0x20000000
MIPS-III
>>>>36
belong&0xf0000000 0x30000000
MIPS-IV
>>>>36
belong&0xf0000000 0x40000000
MIPS-V
>>>>36
belong&0xf0000000 0x60000000
MIPS32
>>>>36
belong&0xf0000000 0x70000000
MIPS64
>>>>36
belong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
belong&0xf0000000 0x90000000
MIPS64 rel2
>>>4
byte
1
>>>>36
belong&0xf0000000 0x00000000
MIPS-I
>>>>36
belong&0xf0000000 0x10000000
MIPS-II
>>>>36
belong&0xf0000000 0x20000000
MIPS-III
>>>>36
belong&0xf0000000 0x30000000
MIPS-IV
>>>>36
belong&0xf0000000 0x40000000
MIPS-V
>>>>36
belong&0xf0000000 0x60000000
MIPS32
>>>>36
belong&0xf0000000 0x70000000
MIPS64
>>>>36
ubelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
ubelong&0xf0000000 0x90000000
MIPS64 rel2
# only for 64-bit
>>>4
byte
2
>>>>48
belong&0xf0000000 0x00000000
MIPS-I
>>>>48
belong&0xf0000000 0x10000000
MIPS-II
>>>>48
belong&0xf0000000 0x20000000
MIPS-III
>>>>48
belong&0xf0000000 0x30000000
MIPS-IV
>>>>48
belong&0xf0000000 0x40000000
MIPS-V
>>>>48
belong&0xf0000000 0x60000000
MIPS32
>>>>48
belong&0xf0000000 0x70000000
MIPS64
>>>>48
belong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
belong&0xf0000000 0x90000000
MIPS64 rel2
>>16
beshort 0
no file type,
>>16
beshort 1
relocatable,
>>16
beshort 2
executable,
>>16
beshort 3
shared object,
>>16
beshort 4
core file,
#>>>(0x38+0xcc) string
>\0
of '%s'
#>>>(0x38+0x10) belong
>0
(signal %d),
>>16
beshort &0xff00
processor-specific,
>>18
beshort 0
no machine,
>>18
beshort 1
AT&T WE32100,
>>18
beshort 2
SPARC,
>>18
beshort 3 Intel 80386 - {invalid} byte order,
>>18
beshort 4
Motorola
>>>36
belong &0x01000000
68000,
>>>36
belong &0x00810000
CPU32,
>>>36
belong 0
68020,
>>18
beshort 5
Motorola 88000,
>>18
beshort 6 Intel 80486 - {invalid} byte order,
>>18
beshort 7 Intel 80860,
>>18
beshort 8
MIPS,
>>18
beshort 9
Amdahl,
>>18
beshort 10
MIPS (deprecated),
>>18
beshort 11
RS6000,
>>18
beshort 15
PA-RISC
>>>50
beshort 0x0214
2.0
>>>48
beshort &0x0008
(LP64)
>>18
beshort 16
nCUBE,
>>18
beshort 17
Fujitsu VPP500,
>>18
beshort 18
SPARC32PLUS,
>>>36
belong&0xffff00 &0x000100
V8+ Required,
>>>36
belong&0xffff00 &0x000200
Sun UltraSPARC1 Extensions Required,
>>>36
belong&0xffff00 &0x000400
HaL R1 Extensions Required,
>>>36
belong&0xffff00 &0x000800
Sun UltraSPARC3 Extensions Required,
>>18
beshort 20
PowerPC or cisco 4500,
>>18
beshort 21
cisco 7500,
>>18
beshort 22
IBM S/390,
>>18
beshort 24
cisco SVIP,
>>18
beshort 25
cisco 7200,
>>18
beshort 36
NEC V800 or cisco 12000,
>>18
beshort 37
Fujitsu FR20,
>>18
beshort 38
TRW RH-32,
>>18
beshort 39
Motorola RCE,
>>18
beshort 40
ARM,
>>18
beshort 41
Alpha,
>>18
beshort 42
Hitachi SH,
>>18
beshort 43
SPARC V9,
>>18
beshort 44
Siemens Tricore Embedded Processor,
>>18
beshort 45
Argonaut RISC Core, Argonaut Technologies Inc.,
>>18
beshort 46
Hitachi H8/300,
>>18
beshort 47
Hitachi H8/300H,
>>18
beshort 48
Hitachi H8S,
>>18
beshort 49
Hitachi H8/500,
>>18
beshort 50
Intel Merced Processor,
>>18
beshort 51
Stanford MIPS-X,
>>18
beshort 52
Motorola Coldfire,
>>18
beshort 53
Motorola M68HC12,
>>18
beshort 73
Cray NV1,
>>18
beshort 75
Digital VAX,
>>18
beshort 97
NatSemi 32k,
>>18
beshort 0x9026
Alpha (unofficial),
>>18
beshort 0xa390
IBM S/390 (obsolete),
>>18
beshort
0xde3d Ubicom32,
>>20
belong 0 {invalid}
version
>>20
belong 1
version 1
>>36
belong 1
MathCoPro/FPU/MAU Required
>>>4
byte
2
>>>>48
belong&0xf0000000 0x00000000
MIPS-I
>>>>48
belong&0xf0000000 0x10000000
MIPS-II
>>>>48
belong&0xf0000000 0x20000000
MIPS-III
>>>>48
belong&0xf0000000 0x30000000
MIPS-IV
>>>>48
belong&0xf0000000 0x40000000
MIPS-V
>>>>48
belong&0xf0000000 0x60000000
MIPS32
>>>>48
belong&0xf0000000 0x70000000
MIPS64
>>>>48
ubelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
ubelong&0xf0000000 0x90000000
MIPS64 rel2
>>16
beshort 0
no file type,
>>16
beshort 1
relocatable,
>>16
beshort 2
executable,
>>16
beshort 3
shared object,
>>16
beshort 4
core file,
#>>>(0x38+0xcc) string
>\0
of '%s'
#>>>(0x38+0x10) belong
>0
(signal %d),
>>16
ubeshort &0xff00
processor-specific,
>>18
beshort 0
no machine,
>>18
beshort 1
AT&T WE32100,
>>18
beshort 2
SPARC,
>>18
beshort 3 Intel 80386 - wrong byte order,{invalid}
>>18
beshort 4
Motorola
>>>36
belong &0x01000000
68000,
>>>36
belong &0x00810000
CPU32,
>>>36
belong 0
68020,
>>18
beshort 5
Motorola 88000,
>>18
beshort 6 Intel 80486 - wrong byte order,{invalid}
>>18
beshort 7 Intel 80860 - wrong byte order,{invalid}
>>18
beshort 8
MIPS,
>>18
beshort 9
Amdahl,
>>18
beshort 10
MIPS (deprecated),
>>18
beshort 11
RS6000,
>>18
beshort 15
PA-RISC
>>>50
beshort 0x0214
2.0
>>>48
beshort &0x0008
(LP64)
>>18
beshort 16
nCUBE,
>>18
beshort 17
Fujitsu VPP500,
>>18
beshort 18
SPARC32PLUS,
>>>36
belong&0xffff00 &0x000100
V8+ Required,
>>>36
belong&0xffff00 &0x000200
Sun UltraSPARC1 Extensions Required,
>>>36
belong&0xffff00 &0x000400
HaL R1 Extensions Required,
>>>36
belong&0xffff00 &0x000800
Sun UltraSPARC3 Extensions Required,
>>18
beshort 20
PowerPC or cisco 4500,
>>18
beshort 21
cisco 7500,
>>18
beshort 22
IBM S/390,
>>18
beshort 24
cisco SVIP,
>>18
beshort 25
cisco 7200,
>>18
beshort 36
NEC V800 or cisco 12000,
>>18
beshort 37
Fujitsu FR20,
>>18
beshort 38
TRW RH-32,
>>18
beshort 39
Motorola RCE,
>>18
beshort 40
ARM,
>>18
beshort 41
Alpha,
>>18
beshort 42
Hitachi SH,
>>18
beshort 43
SPARC V9,
>>18
beshort 44
Siemens Tricore Embedded Processor,
>>18
beshort 45
Argonaut RISC Core, Argonaut Technologies Inc.,
>>18
beshort 46
Hitachi H8/300,
>>18
beshort 47
Hitachi H8/300H,
>>18
beshort 48
Hitachi H8S,
>>18
beshort 49
Hitachi H8/500,
>>18
beshort 50
Intel Merced Processor,
>>18
beshort 51
Stanford MIPS-X,
>>18
beshort 52
Motorola Coldfire,
>>18
beshort 53
Motorola M68HC12,
>>18
beshort 73
Cray NV1,
>>18
beshort 75
Digital VAX,
>>18
beshort 97
NatSemi 32k,
>>18
ubeshort 0x9026
Alpha (unofficial),
>>18
ubeshort 0xa390
IBM S/390 (obsolete),
>>18
ubeshort
0xde3d Ubicom32,
>>20
belong 0 {invalid}invalid
version
>>20
belong 1
version 1
>>36
belong 1
MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
# like proper ELF, but extracting the string had bad results.
>4 byte <0x80
>>8 string >\0 ("%s")
>8 string \0
>>7 byte 0 (SYSV)
>>7 byte 1 (HP-UX)
>>7 byte 2 (NetBSD)
>>7 byte 3 (GNU/Linux)
>>7 byte 4 (GNU/Hurd)
>>7 byte 5 (86Open)
>>7 byte 6 (Solaris)
>>7 byte 7 (Monterey)
>>7 byte 8 (IRIX)
>>7 byte 9 (FreeBSD)
>>7 byte 10 (Tru64)
>>7 byte 11 (Novell Modesto)
>>7 byte 12 (OpenBSD)
>>7 byte 97 (ARM)
>>7 byte 255 (embedded)
>4 byte <0x80
>>8 byte !0
>>>8 string x ("%s")
>8 byte 0
>>7 byte 0 (SYSV)
>>7 byte 1 (HP-UX)
>>7 byte 2 (NetBSD)
>>7 byte 3 (GNU/Linux)
>>7 byte 4 (GNU/Hurd)
>>7 byte 5 (86Open)
>>7 byte 6 (Solaris)
>>7 byte 7 (Monterey)
>>7 byte 8 (IRIX)
>>7 byte 9 (FreeBSD)
>>7 byte 10 (Tru64)
>>7 byte 11 (Novell Modesto)
>>7 byte 12 (OpenBSD)
>>7 byte 97 (ARM)
>>7 ubyte 255 (embedded)
# Some simple Microsoft executable signatures
0
string MZ\0\0\0\0\0\0 Microsoft
>0x3c
lelong <4
{invalid}
>(0x3c.l) string !PE\0\0
MS-DOS executable
>(0x3c.l) string PE\0\0
portable executable
0
string MZ\0\0\0\0\0\0 Microsoft executable,
>0x3c
lelong <4
{invalid}
>(0x3c.l) string !PE\0\0
MS-DOS
>(0x3c.l) string PE\0\0
portable (PE)
0 string MZ Microsoft
>0x3c
lelong <4
{invalid}
0 string MZ Microsoft
executable,
>0x3c
lelong <4
{invalid}
>(0x3c.l) string !PE\0\0 {invalid}
>(0x3c.l) string PE\0\0 portable
executable
>(0x3c.l) string PE\0\0 portable
(PE)
#------------------------------------------------------------------------------
...
...
@@ -244,22 +242,21 @@
#
# Additional fields added by Craig Heffner
#
0 string bFLT BFLT executable
>4 belong <1 {invalid}
>4 belong >4 {invalid}
>4 belong x version %d,
>4 belong 4
>8 belong x code offset: 0x%.8X,
>12 belong x data segment starts at: 0x%.8X,
>16 belong x bss segment starts at: 0x%.8X,
>20 belong x bss segment ends at: 0x%.8X,
>24 belong x stack size: %d bytes,
>28 belong x relocation records start at: 0x%.8X,
>32 belong x number of reolcation records: %d,
>>36 belong&0x1 0x1 ram
>>36 belong&0x2 0x2 gotpic
>>36 belong&0x4 0x4 gzip
>>36 belong&0x8 0x8 gzdata
0 string bFLT BFLT executable
>4 belong <1 {invalid}
>4 belong >4 {invalid}
>4 belong x version %d,
>8 ubelong x code offset: 0x%.8X,
>12 ubelong x data segment starts at: 0x%.8X,
>16 ubelong x bss segment starts at: 0x%.8X,
>20 ubelong x bss segment ends at: 0x%.8X,
>24 ubelong x stack size: %d bytes,
>28 ubelong x relocation records start at: 0x%.8X,
>32 ubelong x number of reolcation records: %d,
>>36 belong&0x1 0x1 ram
>>36 belong&0x2 0x2 gotpic
>>36 belong&0x4 0x4 gzip
>>36 belong&0x8 0x8 gzdata
# Windows CE package files
...
...
@@ -274,9 +271,9 @@
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52
leshort
>1 \b, %u files
>52
uleshort
>1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56
leshort
>1 \b, %u registry entries
>56
uleshort
>1 \b, %u registry entries
#------------------------------------------------------------------------------
# motorola: file(1) magic for Motorola 68K and 88K binaries
...
...
@@ -302,51 +299,50 @@
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\x20EXE
Sony Playstation executable
0 string PS-X\x20EXE
Sony Playstation executable,
# Area:
>113 string x
("%s")
>113 string x
"%s"
#------------------------------------------------------------------------------
# cisco: file(1) magic for cisco Systems routers
#
# Most cisco file-formats are covered by the generic elf code
0 string \x85\x01\x14 Cisco IOS microcode,
>7 string x for "%s"
#>7 string >\0
#>>7 string x for "%s"
0 string \x85\x01\xcb Cisco IOS experimental microcode,
>7 string x for "%s"
#>7 string >\0
#>>7 string x for "%s"
0 string \x85\x01\x14 Cisco IOS microcode,
>7 byte 0 {invalid}
>7 string x for "%s"
0 string \x85\x01\xcb Cisco IOS experimental microcode,
>7 byte 0 {invalid}
>7 string x for "%s"
# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
0
string ESTFBINR
EST flat binary
0
string ESTFBINR
EST flat binary
# These are not the binaries themselves, but string references to them
# are a strong indication that they exist elsewhere...
#0
string /bin/busybox
Busybox string reference: "%s"{one-of-many}
#0
string /bin/sh
Shell string reference: "%s"{one-of-many}
#0
string /bin/busybox
Busybox string reference: "%s"{one-of-many}
#0
string /bin/sh
Shell string reference: "%s"{one-of-many}
# Mach-O's
0
string \xca\xfe\xba\xbe\x00\x00\x00\x01
Mach-O universal binary with 1 architecture
0
string \xca\xfe\xba\xbe\x00\x00\x00\x02
Mach-O universal binary with 2 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x03
Mach-O universal binary with 3 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x04
Mach-O universal binary with 4 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x05
Mach-O universal binary with 5 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x06
Mach-O universal binary with 6 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x07
Mach-O universal binary with 7 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x08
Mach-O universal binary with 8 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0a
Mach-O universal binary with 9 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0b
Mach-O universal binary with 10 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0c
Mach-O universal binary with 11 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0d
Mach-O universal binary with 12 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0e
Mach-O universal binary with 13 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0f
Mach-O universal binary with 14 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x10
Mach-O universal binary with 15 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x11
Mach-O universal binary with 16 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x12
Mach-O universal binary with 17 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x13
Mach-O universal binary with 18 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x01
Mach-O universal binary with 1 architecture
0
string \xca\xfe\xba\xbe\x00\x00\x00\x02
Mach-O universal binary with 2 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x03
Mach-O universal binary with 3 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x04
Mach-O universal binary with 4 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x05
Mach-O universal binary with 5 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x06
Mach-O universal binary with 6 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x07
Mach-O universal binary with 7 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x08
Mach-O universal binary with 8 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0a
Mach-O universal binary with 9 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0b
Mach-O universal binary with 10 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0c
Mach-O universal binary with 11 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0d
Mach-O universal binary with 12 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0e
Mach-O universal binary with 13 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x0f
Mach-O universal binary with 14 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x10
Mach-O universal binary with 15 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x11
Mach-O universal binary with 16 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x12
Mach-O universal binary with 17 architectures
0
string \xca\xfe\xba\xbe\x00\x00\x00\x13
Mach-O universal binary with 18 architectures
# The magic bytes for Java .class files is 0xcafebabe, but AFAIK all major version numbers are less than 255
# and all minor version numbers are 0. This gives us three more bytes we can signature on.
...
...
@@ -364,7 +360,7 @@
>4 belong >0x0050 {invalid}
# Summary: HP-38/39 calculator
0
string HP38Bin
HP 38 binary
0
string HP38Bin
HP 38 binary
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
...
...
@@ -376,10 +372,10 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
0
string HP39Bin
HP 39 binary
0
string HP39Bin
HP 39 binary
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
...
...
@@ -391,10 +387,10 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
0
string HP38Asc
HP 38 ASCII
0
string HP38Asc
HP 38 ASCII
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
...
...
@@ -406,10 +402,10 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
0
string HP39Asc
HP 39 ASCII
0
string HP39Asc
HP 39 ASCII
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
...
...
@@ -421,8 +417,8 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
>7
byte <0x41
{invalid}
>7
byte >0x4B
{invalid}
# Summary: HP-48/49 calculator
0 string HPHP48 HP 48 binary
...
...
@@ -450,8 +446,8 @@
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
>8
leshort <0x2911 ({invalid})
>8
leshort >0x2e92 ({invalid})
>8
leshort <0x2911 {invalid}
>8
leshort >0x2e92 {invalid}
0 string HPHP49 HP 49 binary
>8 leshort 0x2911 (ADR)
...
...
@@ -478,16 +474,16 @@
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911
({invalid})
>8 leshort >0x2e92
({invalid})
>8 leshort <0x2911
{invalid}
>8 leshort >0x2e92
{invalid}
0
string \x23!/
Executable script,
>6
byte
!0x2F
>>7
byte !0x2F
{invalid}
>2
string x
shebang: "%s"
0
string \x23!/
Executable script,
>6
byte
!0x2F
>>7
byte !0x2F
{invalid}
>2
string x
shebang: "%s"
0
string \x23!\x20/
Executable script,
>7
byte
!0x2F
>>8
byte !0x2F
{invalid}
>3
string x
shebang: "%s"
0
string \x23!\x20/
Executable script,
>7
byte
!0x2F
>>8
byte !0x2F
{invalid}
>3
string x
shebang: "%s"
src/binwalk/magic/filesystems
View file @
43ddf9b9
...
...
@@ -34,7 +34,7 @@
#>0x1e string minix \b, bootable
# YAFFS
0
string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF
YAFFS filesystem
0
string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF
YAFFS filesystem
# EFS2 file system - jojo@utulsa.edu
0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian,
...
...
@@ -47,7 +47,7 @@
>20 lelong x 0x%x bytes per page
0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian,
>8 string !SSFErepu
{invalid},
>8 string !SSFErepu
{invalid},
>4 beshort&0x01 1 NAND
>4 beshort&0x01 0 NOR
>4 beshort x version 0x%x,
...
...
@@ -56,53 +56,53 @@
>20 belong x 0x%x bytes per page
# TROC file system
0
string
TROC TROC filesystem,
>4
lelong x
%d file entries
>4
lelong <1 ({invalid})
0
string
TROC TROC filesystem,
>4
lelong x
%d file entries
>4
lelong <1 {invalid}
# PFS file system
0
string PFS/
PFS filesystem,
>4
string x version "%s"
,
>14
leshort x
%d files
0
string PFS/
PFS filesystem,
>4
string x version %s
,
>14
leshort x
%d files
# MPFS file system
0
string MPFS MPFS (Microchip) filesystem
,
>4
byte x
version %d.
>5
byte x
\b%d,
>6
leshort x
%d file entries
0
string MPFS MPFS filesystem, Microchop
,
>4
byte x
version %d.
>5
byte x
\b%d,
>6
leshort x
%d file entries
# cramfs filesystem - russell@coker.com.au
0 lelong
0x28cd3d45 CramFS filesystem, little endian
>4
lelong <0
{invalid}
>4
lelong >1073741824
{invalid}
>4
lelong x size
%u
>8 lelong
&1
version #2
>8 lelong
&2
sorted_dirs
>8 lelong
&4
hole_support
>32 lelong
x
CRC 0x%x,
>36
lelong x
edition %u,
>40
lelong <0
{invalid}
>40
lelong x
%u blocks,
>44
lelong <0
{invalid}
>44
lelong x
%u files
>4
lelong x {jump-to-offset
:%u}
>4
lelong x {file-
size:%u}
0 belong 0x28cd3d45 CramFS filesystem, big endian
>4
belong <0
{invalid}
>4
belong >1073741824
{invalid}
>4 belong
x
size %u
>8 belong
&1
version #2
>8 belong
&2
sorted_dirs
>8 belong
&4
hole_support
>32 belong
x
CRC 0x%x,
>36 belong
x
edition %u,
>40
belong <0
{invalid}
>40 belong
x
%u blocks,
>44
belong <0
{invalid}
>44 belong
x
%u files
>4 belong
x {jump-to-offset
:%u}
>4 belong
x {file-
size:%u}
0 lelong
0x28cd3d45 CramFS filesystem, little endian,
>4
lelong <0
{invalid}
>4
lelong >1073741824
{invalid}
>4
ulelong x size:
%u
>8 lelong
&1
version #2
>8 lelong
&2
sorted_dirs
>8 lelong
&4
hole_support
>32 lelong
x
CRC 0x%x,
>36
ulelong x
edition %u,
>40
lelong <0
{invalid}
>40
ulelong x
%u blocks,
>44
lelong <0
{invalid}
>44
ulelong x
%u files
>4
ulelong x {jump
:%u}
>4
ulelong x {
size:%u}
0 belong
0x28cd3d45 CramFS filesystem, big endian
>4
belong <0
{invalid}
>4
belong >1073741824
{invalid}
>4 belong
x
size %u
>8 belong
&1
version #2
>8 belong
&2
sorted_dirs
>8 belong
&4
hole_support
>32 belong
x
CRC 0x%x,
>36 belong
x
edition %u,
>40
belong <0
{invalid}
>40 belong
x
%u blocks,
>44
belong <0
{invalid}
>44 belong
x
%u files
>4 belong
x {jump
:%u}
>4 belong
x {
size:%u}
...
...
@@ -113,73 +113,73 @@
# files in between the JFFS2 file systems. This is an unlikely scenario however, and
# the below signatures are much improved in terms of readability and accuracy in the
# vast majority of real world scenarios.
0
leshort 0x1985
JFFS2 filesystem, little endian
>2
leshort
!0xE001
>>2
leshort
!0xE002
>>>2
leshort
!0x2003
>>>>2
leshort
!0x2004
>>>>>2
leshort
!0x2006
>>>>>>2
leshort
!0xE008
>>>>>>>2
leshort !0xE009 \b,
{invalid}
>(4.l)
leshort !0x1985
>>(4.l+1)
leshort !0x1985
>>>(4.l+2)
leshort !0x1985
>>>>(4.l+3)
leshort
!0x1985
>>>>>(4.l)
leshort
!0xFFFF
>>>>>>(4.l+1)
leshort
!0xFFFF
>>>>>>>(4.l+2)
leshort
!0xFFFF
>>>>>>>>(4.l+3)
leshort !0xFFFF \b,
{invalid}
>4
lelong 0
{invalid}
>4
lelong <0
{invalid}
>4
lelong x {one-of-many}{jump-to-offset
:%d}
0
beshort 0x1985
JFFS2 filesystem, big endian
>2
beshort
!0xE001
>>2
beshort
!0xE002
>>>2
beshort
!0x2003
>>>>2
beshort
!0x2004
>>>>>2
beshort
!0x2006
>>>>>>2
beshort
!0xE008
>>>>>>>2
beshort !0xE009 \b,
{invalid}
>(4.L)
beshort !0x1985
>>(4.L+1)
beshort !0x1985
>>>(4.L+2)
beshort
!0x1985
>>>>(4.L+3)
beshort !0x1985
>>>>>(4.L)
beshort
!0xFFFF
>>>>>>(4.L+1)
beshort
!0xFFFF
>>>>>>>(4.L+2)
beshort
!0xFFFF
>>>>>>>>(4.L+3)
beshort !0xFFFF \b,
{invalid}
>4
belong 0
{invalid}
>4
belong <0
{invalid}
>4
belong x {one-of-many}{jump-to-offset
:%d}
0
uleshort 0x1985
JFFS2 filesystem, little endian
>2
uleshort
!0xE001
>>2
uleshort
!0xE002
>>>2
uleshort
!0x2003
>>>>2
uleshort
!0x2004
>>>>>2
uleshort
!0x2006
>>>>>>2
uleshort
!0xE008
>>>>>>>2
uleshort !0xE009
{invalid}
>(4.l)
uleshort !0x1985
>>(4.l+1)
uleshort !0x1985
>>>(4.l+2)
uleshort !0x1985
>>>>(4.l+3)
uleshort
!0x1985
>>>>>(4.l)
uleshort
!0xFFFF
>>>>>>(4.l+1)
uleshort
!0xFFFF
>>>>>>>(4.l+2)
uleshort
!0xFFFF
>>>>>>>>(4.l+3)
uleshort !0xFFFF
{invalid}
>4
lelong 0
{invalid}
>4
lelong <0
{invalid}
>4
lelong x {many}{jump
:%d}
0
ubeshort 0x1985
JFFS2 filesystem, big endian
>2
ubeshort
!0xE001
>>2
ubeshort
!0xE002
>>>2
ubeshort
!0x2003
>>>>2
ubeshort
!0x2004
>>>>>2
ubeshort
!0x2006
>>>>>>2
ubeshort
!0xE008
>>>>>>>2
ubeshort !0xE009
{invalid}
>(4.L)
ubeshort !0x1985
>>(4.L+1)
ubeshort !0x1985
>>>(4.L+2)
ubeshort
!0x1985
>>>>(4.L+3)
ubeshort !0x1985
>>>>>(4.L)
ubeshort
!0xFFFF
>>>>>>(4.L+1)
ubeshort
!0xFFFF
>>>>>>>(4.L+2)
ubeshort
!0xFFFF
>>>>>>>>(4.L+3)
ubeshort !0xFFFF
{invalid}
>4
belong 0
{invalid}
>4
belong <0
{invalid}
>4
belong x {many}{jump
:%d}
# Squashfs, big endian
0 string sqsh Squashfs filesystem, big endian,
>28 beshort >10 {invalid}
>28 beshort <1 {invalid}
>30
beshort >10
{invalid}
>30
beshort >10
{invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4 \blzma (non-standard type definition)
,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4 \bxz
,
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8
belong x \b{jump-to-offset
:%d}
>>8
belong x \b{file-
size:%d}
>>8
belong x \b{jump
:%d}
>>8
belong x \b{
size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63
bequad x \b{jump-to-offset:%l
ld}
>>63
bequad x \b{file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63
bequad x \b{jump:%
ld}
>>63
bequad x \b{size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40
bequad x \b{jump-to-offset:%l
ld}
>>40
bequad x \b{file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40
bequad x \b{jump:%
ld}
>>40
bequad x \b{size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -194,76 +194,76 @@
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate
x
created: %s
>>8 bedate
x
created: %s
# Squashfs, little endian
0 string hsqs Squashfs filesystem, little endian,
>28 leshort >10 {invalid}
>28 leshort <1 {invalid}
>30
leshort >10
{invalid}
>30
leshort >10
{invalid}
>28 leshort x version %d.
>30 leshort x \b%d,
>28
leshort >3
compression:
>>20
leshort 1
\bgzip,
>>20
leshort 2
\blzma,
>>20
leshort 3
\bgzip (non-standard type definition),
>>20
leshort 4 \blzma (non-standard type definition)
,
>>20
leshort 0
\b{invalid},
>>20
leshort >4
\b{invalid},
>28
leshort >3
compression:
>>20
leshort 1
\bgzip,
>>20
leshort 2
\blzma,
>>20
leshort 3
\bgzip (non-standard type definition),
>>20
leshort 4 \bxz
,
>>20
leshort 0
\b{invalid},
>>20
leshort >4
\b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {
file-
size:%d}
>>8 lelong x {size:%d}
>28 leshort 3
>>63 lequad
x size: %l
ld bytes,
>>63 lequad
x {file-size:%l
ld}
>28
leshort >3
>>40
lequad x size: %l
ld bytes,
>>40
lequad x {file-size:%l
ld}
>>63 lequad
x size: %
ld bytes,
>>63 lequad
x {size:%
ld}
>28
leshort >3
>>40
lequad x size: %
ld bytes,
>>40
lequad x {size:%
ld}
>4 lelong x %d inodes,
>28
leshort >3
>>12
lelong x
blocksize: %d bytes,
>28
leshort >3
>>12
lelong x
blocksize: %d bytes,
>28 leshort <2
>>32 leshort x blocksize: %d bytes,
>28 leshort 2
>>51 lelong x blocksize: %d bytes,
>28
leshort 3
>>51
lelong x
blocksize: %d bytes,
>28
leshort >3
>>12
lelong x
blocksize: %d bytes,
>28
leshort <4
>>39 ledate x
created: %s
>28
leshort >3
>>8
ledate x
created: %s
>28
leshort 3
>>51
lelong x
blocksize: %d bytes,
>28
leshort >3
>>12
lelong x
blocksize: %d bytes,
>28
leshort <4
>>39 ledate x
created: %s
>28
leshort >3
>>8
ledate x
created: %s
>28 leshort <3
>>8 lelong x {jump
-to-offset
:%d}
>>8 lelong x {jump:%d}
>28 leshort 3
>>63 lequad
x {jump-to-offset:%l
ld}
>>63 lequad
x {jump:%
ld}
>28 leshort >3
>>40 lequad x {jump
-to-offset:%l
ld}
>>40 lequad x {jump
:%
ld}
# Squashfs with LZMA compression
0 string sqlz Squashfs filesystem, big endian, lzma compression,
>28 beshort >10 {invalid}
>28 beshort <1 {invalid}
>30
beshort >10
{invalid}
>30
beshort >10
{invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4
\blzma (non-standard type definition),
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4
\blzma (non-standard type definition),
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {
file-
size:%d}
>>8 belong x {size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63 bequad
x {file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63 bequad
x {size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40 bequad x {
file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40 bequad x {
size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -278,37 +278,37 @@
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate
x
created: %s
>>8 bedate
x
created: %s
>28 beshort <3
>>8 belong x {jump
-to-offset
:%d}
>>8 belong x {jump:%d}
>28 beshort 3
>>63 bequad x {jump
-to-offset:%l
ld}
>>63 bequad x {jump
:%
ld}
>28 beshort >3
>>40 bequad x {jump
-to-offset:%l
ld}
>>40 bequad x {jump
:%
ld}
# Squashfs 3.3 LZMA signature
0 string qshs Squashfs filesystem, big endian, lzma signature,
>28 beshort >10 {invalid}
>28 beshort <1 {invalid}
>30
beshort >10
{invalid}
>30
beshort >10
{invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4 \blzma (non-standard type definition)
,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4 \bxz
,
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {
file-
size:%d}
>>8 belong x {size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63 bequad
x {file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63 bequad
x {size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40 bequad x {
file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40 bequad x {
size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -323,37 +323,37 @@
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate
x
created: %s
>>8 bedate
x
created: %s
>28 beshort <3
>>8 belong x {jump
-to-offset
:%d}
>>8 belong x {jump:%d}
>28 beshort 3
>>63 bequad x {jump
-to-offset:%l
ld}
>>63 bequad x {jump
:%
ld}
>28 beshort >3
>>40 bequad x {jump
-to-offset:%l
ld}
>>40 bequad x {jump
:%
ld}
# Squashfs for DD-WRT
0 string tqsh Squashfs filesystem, big endian, DD-WRT signature,
>28 beshort >10 {invalid}
>28 beshort <1 {invalid}
>30
beshort >10
{invalid}
>30
beshort >10
{invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4 \blzma (non-standard type definition)
,
>>20
beshort 3
\bgzip (non-standard type definition),
>>20
beshort 4 \bxz
,
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {
file-
size:%d}
>>8 belong x {size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63 bequad
x {file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63 bequad
x {size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40 bequad x {
file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40 bequad x {
size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -368,37 +368,37 @@
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate
x
created: %s
>>8 bedate
x
created: %s
>28 beshort <3
>>8 belong x {jump
-to-offset
:%d}
>>8 belong x {jump:%d}
>28 beshort 3
>>63 bequad x {jump
-to-offset:%l
ld}
>>63 bequad x {jump
:%
ld}
>28 beshort >3
>>40 bequad x {jump
-to-offset:%l
ld}
>>40 bequad x {jump
:%
ld}
# Squashfs for DD-WRT
0 string hsqt Squashfs filesystem, little endian, DD-WRT signature,
>28 leshort >10 {invalid}
>28 leshort <1 {invalid}
>30
leshort >10
{invalid}
>30
leshort >10
{invalid}
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20
leshort 3
\bgzip (non-standard type definition),
>>20
leshort 4 \blzma (non-standard type definition)
,
>>20
leshort 3
\bgzip (non-standard type definition),
>>20
leshort 4 \bxz
,
>>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {
file-
size:%d}
>>8 lelong x {size:%d}
>28 leshort 3
>>63 lequad
x size: %l
ld bytes,
>>63 lequad
x {file-size:%l
ld}
>>63 lequad
x size: %
ld bytes,
>>63 lequad
x {size:%
ld}
>28 leshort >3
>>40 lequad x size: %l
l
d bytes,
>>40 lequad x {
file-size:%l
ld}
>>40 lequad x size: %ld bytes,
>>40 lequad x {
size:%
ld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
...
...
@@ -413,37 +413,37 @@
>28 leshort <4
>>39 ledate x created: %s
>28 leshort >3
>>8 ledate
x
created: %s
>>8 ledate
x
created: %s
>28 leshort <3
>>8 lelong x {jump
-to-offset
:%d}
>>8 lelong x {jump:%d}
>28 leshort 3
>>63 lequad
x {jump-to-offset:%l
ld}
>>63 lequad
x {jump:%
ld}
>28 leshort >3
>>40 lequad x {jump
-to-offset:%l
ld}
>>40 lequad x {jump
:%
ld}
# Non-standard Squashfs signature found on some D-Link routers
0 string shsq Squashfs filesystem, little endian, non-standard signature,
>28 leshort >10 {invalid}
>28 leshort <1 {invalid}
>30
leshort >10
{invalid}
>30
leshort >10
{invalid}
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20
leshort 3
\bgzip (non-standard type definition),
>>20
leshort 4 \blzma (non-standard type definition)
,
>>20
leshort 3
\bgzip (non-standard type definition),
>>20
leshort 4 \bxz
,
>>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {
file-
size:%d}
>>8 lelong x {size:%d}
>28 leshort 3
>>63 lequad
x size: %l
ld bytes,
>>63 lequad
x {file-size:%l
ld}
>>63 lequad
x size: %
ld bytes,
>>63 lequad
x {size:%
ld}
>28 leshort >3
>>40 lequad x size: %l
l
d bytes,
>>40 lequad x {
file-size:%l
ld}
>>40 lequad x size: %ld bytes,
>>40 lequad x {
size:%
ld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
...
...
@@ -458,97 +458,102 @@
>28 leshort <4
>>39 ledate x created: %s
>28 leshort >3
>>8 ledate
x
created: %s
>>8 ledate
x
created: %s
>28 leshort <3
>>8 lelong x {jump
-to-offset
:%d}
>>8 lelong x {jump:%d}
>28 leshort 3
>>63 lequad
x {jump-to-offset:%l
ld}
>>63 lequad
x {jump:%
ld}
>28 leshort >3
>>40 lequad x {jump
-to-offset:%l
ld}
>>40 lequad x {jump
:%
ld}
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0
leshort 0xEF53 Linux EXT filesystem,{offset-adjust:-0x438}
>2
leshort >4 {invalid}
state
>2
leshort 3 {invalid}
state
>2
leshort <0 {invalid}
state
>4
leshort >3 {invalid}
error behavior
>4
leshort <0 {invalid}
error behavior
>4
lelong >1 {invalid}
major revision
>4
lelong <0 {invalid}
major revision
>4 lelong x rev %d
>6 leshort x \b.%d
0
x438 leshort 0xEF53 Linux EXT filesystem,
>2
leshort >4 {invalid}invalid
state
>2
leshort 3 {invalid}invalid
state
>2
leshort <0 {invalid}invalid
state
>4
leshort >3 {invalid}invalid
error behavior
>4
leshort <0 {invalid}invalid
error behavior
>4
lelong >1 {invalid}invalid
major revision
>4
lelong <0 {invalid}invalid
major revision
>4
lelong x rev %d
>6
leshort x \b.%d
# No journal? ext2
>36
lelong&0x04 0
ext2 filesystem data
>>2
leshort&0x01 0
(mounted or unclean)
>36
lelong&0x04 0
ext2 filesystem data
>>2
leshort&0x01 0
(mounted or unclean)
# Has a journal? ext3 or ext4
>36 lelong &0x0000004
>36
lelong &0x0000004
# and small INCOMPAT?
>>40 lelong <0x0000040
>>40
lelong <0x0000040
# and small RO_COMPAT?
>>>44
lelong
<0x0000008 ext3 filesystem data
>>>44
lelong
<0x0000008 ext3 filesystem data
# else large RO_COMPAT?
>>>44
lelong
>0x0000007 ext4 filesystem data
>>>44
lelong
>0x0000007 ext4 filesystem data
# else large INCOMPAT?
>>40 lelong >0x000003f ext4 filesystem data
>48 belong x \b, UUID=%08x
>52 beshort x \b-%04x
>54 beshort x \b-%04x
>56 beshort x \b-%04x
>58 belong x \b-%08x
>60 beshort x \b%04x
>64 string >0 \b, volume name "%s"
>>40 lelong >0x000003f ext4 filesystem data
>48 belong x \b, UUID=%08x
>52 beshort x \b-%04x
>54 beshort x \b-%04x
>56 beshort x \b-%04x
>58 belong x \b-%08x
>60 beshort x \b%04x
>64 byte !0
>>64 string x \b, volume name "%s"
#romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong >10000000 {invalid}
>8 belong x size: %d bytes,
>16 string x {file-name:%s}
>16 string x named "%s"
>8 belong x {file-size:%d}
>8 belong x {jump-to-offset:%d}
0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong >10000000 {invalid}
>8 belong <1 {invalid}
>8 belong x size: %d bytes,
>16 string x {name:%s}
>16 string x named "%s"
>8 belong x {size:%d}
>8 belong x {jump:%d}
# Wind River MemFS file system, found in some VxWorks devices
0 string owowowowowowowowowowowowowowow Wind River management filesystem,
>30 string !ow {invalid},
>32 belong 1 compressed,
>32 belong 2 plain text,
>36 belong x %d files
0 string owowowowowowowowowowowowowowow Wind River management filesystem,
>30 string !ow {invalid},
>32 belong 1 compressed,
>32 belong 2 plain text,
>32 belong <1 {invalid}
32 belong >2 {invalid}
>36 belong x %d files
# netboot image - Juan Cespedes <cespedes@debian.org>
0 lelong 0x1b031336 Netboot image,
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode ({invalid})
0 string WDK\x202.0\x00 WDK file system, version 2.0{offset-adjust:-18}
0 string CD001 ISO{offset-adjust:-32769}
>6144 string !NSR0 9660 CD-ROM filesystem data,
>6144 string NSR0 UDF filesystem data,
>6148 string 1 version 1.0,
>6148 string 2 version 2.0,
>6148 string 3 version 3.0
>6148 byte >0x33 {invalid} version,
>6148 byte <0x31 {invalid} version,
>38 string >\0 volume name: "%s",
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable
0 lelong 0x1b031336 Netboot image,
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode {invalid}
18 string WDK\x202.0\x00 WDK file system, version 2.0
32769 string CD001 ISO
>6144 string !NSR0 9660 CD-ROM filesystem data,
>6144 string NSR0 UDF filesystem data,
>6148 string 1 version 1.0,
>6148 string 2 version 2.0,
>6148 string 3 version 3.0
>6148 byte >0x33 {invalid} version,
>6148 byte <0x31 {invalid} version,
>38 byte !0
>>38 string x volume name: "%s",
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable
# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0
string DOSEMU\0
DOS Emulator image
>0x27E
leshort !0xAA55 \b,
{invalid}
>0x27E
leshort
0xAA55
0
string DOSEMU\0
DOS Emulator image
>0x27E
leshort !0xAA55
{invalid}
>0x27E
leshort
0xAA55
#offset is 128
>>19
byte
128
>>>(19.b-1) byte 0x0
>>>>7
lelong
>0 \b, %d heads
>>>>11
lelong
>0 \b, %d sectors/track
>>>>15
lelong
>0 \b, %d cylinders
>>19
byte
128
>>>(19.b-1) byte
0x0
>>>>7
lelong
>0 \b, %d heads
>>>>11
lelong
>0 \b, %d sectors/track
>>>>15
lelong
>0 \b, %d cylinders
# From: Alex Beregszaszi <alex@fsn.hu>
0 string COWD\x03 VMWare3 disk image,
...
...
@@ -556,8 +561,9 @@
>36 lelong x \b%d/
>40 lelong x \b%d)
0 string COWD\x02 VMWare3 undoable disk image,
>32 string >\0 "%s"
0 string COWD\x02 VMWare3 undoable disk image,
>32 byte !0
>32 string x "%s"
# TODO: Add header validation
0 string VMDK VMware4 disk image
...
...
@@ -569,31 +575,30 @@
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files
0 string
QFI\xFB
QEMU QCOW Image
0 string
QFI\xFB
QEMU QCOW Image
# BSD 2.x file system image; used in RetroBSD for PIC32.
0
string FS\x3C\x3C
BSD 2.x filesystem,
>1020
string !\x3E\x3EFS {invalid}
(missing FSMAGIC2),
>8
lelong x size: {math:%d*1024}
bytes,
>8
lelong x \b{file-
size:%d*1024}
>8
lelong x \b{jump-to-offset
:%d*1024}
>8
lelong x
total blocks: %d,
>972
lelong x
free blocks: %d,
>968
ledate x
last modified: %s
>980
byte
!0
>>980
string x
\b, last mounted on: "%s"
0
string FS\x3C\x3C
BSD 2.x filesystem,
>1020
string !\x3E\x3EFS {invalid}
(missing FSMAGIC2),
>8
lelong x size: %d*1024
bytes,
>8
lelong x {
size:%d*1024}
>8
lelong x {jump
:%d*1024}
>8
lelong x
total blocks: %d,
>972
lelong x
free blocks: %d,
>968
ledate x
last modified: %s
>980
byte
!0
>>980
string x
\b, last mounted on: "%s"
# Simple file system found in Foscam camera firmware
0 beshort 0xbd9a Foscam WebUI filesystem,
>2 leshort x checksum: 0x%X,
>16 lelong <3 {invalid} first file name length,
>16 lelong >127 {invalid} first file name length,
>20 byte 0 {invalid} first file name,
>20 byte !0x2E
>>20 byte !0x2F
>>>20 byte <65 {invalid} first file name,
>>>20 byte >122 {invalid} first file name,
>20 byte x first file name: {raw-replace}
>16 lelong x {raw-string-length:%d}
>20 string x {raw-string:%s}
0 beshort 0xbd9a Foscam WebUI filesystem,
>2 uleshort x checksum: 0x%X,
>16 lelong <3 {invalid}invalid first file name length,
>16 lelong >127 {invalid}invalid first file name length,
>20 byte 0 {invalid}invalid first file name,
>20 byte !0x2E
>>20 byte !0x2F
>>>20 byte <65 {invalid}invalid first file name,
>>>20 byte >122 {invalid}invalid first file name,
>16 lelong x {strlen:%d}
>20 string x first file name: "{string}"
src/binwalk/magic/firmware
View file @
43ddf9b9
...
...
@@ -3,158 +3,155 @@
# uImage file
# From: Craig Heffner, U-Boot image.h header definitions file
0 belong 0x27051956 uImage header, header size: 64 bytes,
>4 belong x header CRC: 0x%X,
>8 bedate x created: %s,
>12 belong <1 {invalid}
>12 belong x image size: %d bytes,
>16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X,
#>28 byte x OS type: %d,
>28 byte 0 OS: {invalid} OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
>28 byte 4 OS: 4.4BSD,
>28 byte 5 OS: Linux,
>28 byte 6 OS: SVR4,
>28 byte 7 OS: Esix,
>28 byte 8 OS: Solaris,
>28 byte 9 OS: Irix,
>28 byte 10 OS: SCO,
>28 byte 11 OS: Dell,
>28 byte 12 OS: NCR,
>28 byte 13 OS: LynxOS,
>28 byte 14 OS: VxWorks,
>28 byte 15 OS: pSOS,
>28 byte 16 OS: QNX,
>28 byte 17 OS: Firmware,
>28 byte 18 OS: RTEMS,
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
#>29 byte x CPU arch: %d,
>29 byte 0 CPU: {invalid} OS,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
>29 byte 4 CPU: IA64,
>29 byte 5 CPU: MIPS,
>29 byte 6 CPU: MIPS 64 bit,
>29 byte 7 CPU: PowerPC,
>29 byte 8 CPU: IBM S390,
>29 byte 9 CPU: SuperH,
>29 byte 10 CPU: Sparc,
>29 byte 11 CPU: Sparc 64 bit,
>29 byte 12 CPU: M68K,
>29 byte 13 CPU: Nios-32,
>29 byte 14 CPU: MicroBlaze,
>29 byte 15 CPU: Nios-II,
>29 byte 16 CPU: Blackfin,
>29 byte 17 CPU: AVR,
>29 byte 18 CPU: STMicroelectronics ST200,
#>30 byte x image type: %d,
>30 byte 0 image type: {invalid} Image,
>30 byte 1 image type: Standalone Program,
>30 byte 2 image type: OS Kernel Image,
>30 byte 3 image type: RAMDisk Image,
>30 byte 4 image type: Multi-File Image,
>30 byte 5 image type: Firmware Image,
>30 byte 6 image type: Script file,
>30 byte 7 image type: Filesystem Image,
>30 byte 8 image type: Binary Flat Device Tree Blob
#>31 byte x compression type: %d,
>31 byte 0 compression type: none,
>31 byte 1 compression type: gzip,
>31 byte 2 compression type: bzip2,
>31 byte 3 compression type: lzma,
>32 string x image name: "%s"
0 belong 0x27051956 uImage header, header size: 64 bytes,
>4 belong x header CRC: 0x%X,
>8 bedate x created: %s,
>12 belong <1 {invalid}
>12 belong x image size: %d bytes,
>16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X,
>28 byte 0 OS: {invalid}invalid OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
>28 byte 4 OS: 4.4BSD,
>28 byte 5 OS: Linux,
>28 byte 6 OS: SVR4,
>28 byte 7 OS: Esix,
>28 byte 8 OS: Solaris,
>28 byte 9 OS: Irix,
>28 byte 10 OS: SCO,
>28 byte 11 OS: Dell,
>28 byte 12 OS: NCR,
>28 byte 13 OS: LynxOS,
>28 byte 14 OS: VxWorks,
>28 byte 15 OS: pSOS,
>28 byte 16 OS: QNX,
>28 byte 17 OS: Firmware,
>28 byte 18 OS: RTEMS,
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
>29 byte 0 CPU: {invalid}invalid CPU,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
>29 byte 4 CPU: IA64,
>29 byte 5 CPU: MIPS,
>29 byte 6 CPU: MIPS 64 bit,
>29 byte 7 CPU: PowerPC,
>29 byte 8 CPU: IBM S390,
>29 byte 9 CPU: SuperH,
>29 byte 10 CPU: Sparc,
>29 byte 11 CPU: Sparc 64 bit,
>29 byte 12 CPU: M68K,
>29 byte 13 CPU: Nios-32,
>29 byte 14 CPU: MicroBlaze,
>29 byte 15 CPU: Nios-II,
>29 byte 16 CPU: Blackfin,
>29 byte 17 CPU: AVR,
>29 byte 18 CPU: STMicroelectronics ST200,
#>30 byte x image type: %d,
>30 byte 0 image type: {invalid} Image,
>30 byte 1 image type: Standalone Program,
>30 byte 2 image type: OS Kernel Image,
>30 byte 3 image type: RAMDisk Image,
>30 byte 4 image type: Multi-File Image,
>30 byte 5 image type: Firmware Image,
>30 byte 6 image type: Script file,
>30 byte 7 image type: Filesystem Image,
>30 byte 8 image type: Binary Flat Device Tree Blob
>31 byte 0 compression type: none,
>31 byte 1 compression type: gzip,
>31 byte 2 compression type: bzip2,
>31 byte 3 compression type: lzma,
>32 string x image name: "%s"
#IMG0 header, found in VxWorks-based Mercury router firmware
0
string IMG0
IMG0 (VxWorks) header,
>4
belong <1
{invalid}
>4
belong x
size: %d
0
string IMG0
IMG0 (VxWorks) header,
>4
belong <1
{invalid}
>4
belong x
size: %d
#Mediatek bootloader signature
#From xp-dev.com
0
string BOOTLOADER!
Mediatek bootloader
0
string BOOTLOADER!
Mediatek bootloader
#CSYS header formats
0
string CSYS\x00
CSYS header, little endian,
>8
lelong x
size: %d
0
string CSYS\x00
CSYS header, little endian,
>8
lelong x
size: %d
0
string CSYS\x80
CSYS header, big endian,
>8
belong x
size: %d
0
string CSYS\x80
CSYS header, big endian,
>8
belong x
size: %d
# wrgg firmware image
0
string wrgg02
WRGG firmware header,
>6
string x
name: "%s",
>48
string x
root device: "%s"
0
string wrgg02
WRGG firmware header,
>6
string x
name: "%s",
>48
string x
root device: "%s"
# trx image file
0
string HDR0
TRX firmware header, little endian, header size: 28 bytes,
>4
lelong <1
{invalid}
>4
lelong x
image size: %d bytes,
>8
lelong x
CRC32: 0x%X
>12
leshort x
flags: 0x%X,
>14
leshort >5
{invalid}
>14
leshort x
version: %d
0
string 0RDH
TRX firmware header, big endian, header size: 28 bytes,
>4
belong <1
{invalid}
>4
belong x
image size: %d bytes,
>8
belong x
CRC32: 0x%X
>12
beshort x
flags: 0x%X,
>14
beshort >5
{invalid}
>14
beshort x
version: %d
0
string HDR0
TRX firmware header, little endian, header size: 28 bytes,
>4
lelong <1
{invalid}
>4
lelong x
image size: %d bytes,
>8
ulelong x
CRC32: 0x%X
>12
uleshort x
flags: 0x%X,
>14
uleshort >5
{invalid}
>14
leshort x
version: %d
0
string 0RDH
TRX firmware header, big endian, header size: 28 bytes,
>4
belong <1
{invalid}
>4
belong x
image size: %d bytes,
>8
ubelong x
CRC32: 0x%X
>12
ubeshort x
flags: 0x%X,
>14
ubeshort >5
{invalid}
>14
beshort x
version: %d
# Ubicom firmware image
0
belong 0xFA320080
Ubicom firmware header,
>12
belong x
checksum: 0x%X,
>24
belong <0
{invalid}
>24
belong x
image size: %d
0
belong 0xFA320080
Ubicom firmware header,
>12
belong x
checksum: 0x%X,
>24
belong <0
{invalid}
>24
belong x
image size: %d
# The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one.
# Netgear KWGR614 ROME image
0
string G614
Realtek firmware header, ROME bootloader,
>4
beshort 0xd92f
image type: KFS,
>4
beshort 0xb162
image type: RDIR,
>4
beshort 0xea43
image type: BOOT,
>4
beshort 0x8dc9
image type: RUN,
>4
beshort 0x2a05
image type: CCFG,
>4
beshort 0x6ce8
image type: DCFG,
>4
beshort 0xc371
image type: LOG,
>6
byte x
header version: %d,
>10
ubyte >12
{invalid} month
>12
ubyte >31
{invalid} day
>8
ubyte >3000
{invalid} year
0
string G614
Realtek firmware header, ROME bootloader,
>4
beshort 0xd92f
image type: KFS,
>4
beshort 0xb162
image type: RDIR,
>4
beshort 0xea43
image type: BOOT,
>4
beshort 0x8dc9
image type: RUN,
>4
beshort 0x2a05
image type: CCFG,
>4
beshort 0x6ce8
image type: DCFG,
>4
beshort 0xc371
image type: LOG,
>6
byte x
header version: %d,
>10
ubyte >12
{invalid} month
>12
ubyte >31
{invalid} day
>8
ubyte >3000
{invalid} year
#month
>10
byte x
created: %d/
#day
>12
byte x
\b%d/
>10
byte x
created: %d/
#day
>12
byte x
\b%d/
#year
>8
beshort x
\b%d,
>16
belong x
image size: %d bytes,
>22
byte x
body checksum: 0x%X,
>23
byte x
header checksum: 0x%X
>8
beshort x
\b%d,
>16
belong x
image size: %d bytes,
>22
ubyte x
body checksum: 0x%X,
>23
ubyte x
header checksum: 0x%X
# Linksys WRT54GX ROME image
0
belong 0x59a0e842
Realtek firmware header, ROME bootloader,
>4
beshort
0xd92f image type: KFS,
>4
beshort
0xb162 image type: RDIR,
>4
beshort
0xea43 image type: BOOT,
>4
beshort
0x8dc9 image type: RUN,
>4
beshort
0x2a05 image type: CCFG,
>4
beshort
0x6ce8 image type: DCFG,
>4
beshort
0xc371 image type: LOG,
0
belong 0x59a0e842
Realtek firmware header, ROME bootloader,
>4
ubeshort
0xd92f image type: KFS,
>4
ubeshort
0xb162 image type: RDIR,
>4
ubeshort
0xea43 image type: BOOT,
>4
ubeshort
0x8dc9 image type: RUN,
>4
ubeshort
0x2a05 image type: CCFG,
>4
ubeshort
0x6ce8 image type: DCFG,
>4
ubeshort
0xc371 image type: LOG,
>6 byte x header version: %d,
>10 ubyte >12 {invalid} month
>12 ubyte >31 {invalid} day
>8 ubyte >3000 {invalid} year
>10 ubyte >12 {invalid}
invalid
month
>12 ubyte >31 {invalid}
invalid
day
>8 ubyte >3000 {invalid}
invalid
year
#month
>10 byte x created: %d/
#day
...
...
@@ -166,23 +163,23 @@
>23 byte x header checksum: 0x%X
# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0
string --PaCkImGs--
PackImg section delimiter tag,
0
string --PaCkImGs--
PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16
lelong
>0x20000000
>>16
belong >0x20000000
{invalid}
>16
lelong
<0
>>16
belong <0
{invalid}
>16
lelong
>0
>>16
lelong x
little endian size: %d bytes;
>16
belong >0
>>16
belong x
big endian size: %d bytes
>16
ulelong
>0x20000000
>>16
ubelong >0x20000000
{invalid}
>16
lelong
<0
>>16
belong <0
{invalid}
>16
lelong
>0
>>16
lelong x
little endian size: %d bytes;
>16
belong >0
>>16
belong x
big endian size: %d bytes
#------------------------------------------------------------------------------
# Broadcom header format
#
0 string BCRM Broadcom header,
>4
lelong <0
{invalid}
>4
lelong <0
{invalid}
>4 lelong x number of sections: %d,
>>8 lelong 18 first section type: flash
>>8 lelong 19 first section type: disk
...
...
@@ -192,24 +189,24 @@
# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint
0 string Ck0\0\0R\0\0\0 BLCR
>16 lelong 1 x86
>16 lelong 3 alpha
>16 lelong 5 x86-64
>16 lelong 7 ARM
>8 lelong x context data (little endian, version %d)
>16 lelong 1
x86
>16 lelong 3
alpha
>16 lelong 5
x86-64
>16 lelong 7
ARM
>8 lelong x
context data (little endian, version %d)
0 string \0\0\0C\0\0\0R BLCR
>16 belong 2 SPARC
>16 belong 4 ppc
>16 belong 6 ppc64
>16 belong 7 ARMEB
>16 belong 8 SPARC64
>8 belong x context data (big endian, version %d)
>16 belong 2
SPARC
>16 belong 4
ppc
>16 belong 6
ppc64
>16 belong 7
ARMEB
>16 belong 8
SPARC64
>8 belong x
context data (big endian, version %d)
# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\x20Startup\x20and Aculab VoIP firmware
>35 string x format "%s"
>35 string x
format "%s"
#------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file
...
...
@@ -227,7 +224,7 @@
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom
>38 string
x
V%.4s
>38 string
x
V%.4s
# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it.
...
...
@@ -242,173 +239,170 @@
#More information on the format:
#http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167
0
string B000FF
Windows CE image header,
>7
lelong x I
mage start: 0x%X,
>11
lelong x I
mage length: %d
0
string B000FF
Windows CE image header,
>7
ulelong x i
mage start: 0x%X,
>11
lelong x i
mage length: %d
#Windows CE RomImage
0 string \x00ECEC Windows CE memory segment header, {offset-adjust:-63}
>4
lelong x
TOC address: 0x%X
63 string \x00ECEC Windows CE memory segment header,
>4
ulelong x
TOC address: 0x%X
# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0 belong x load address 0x%X,
>3 byte <0x7F rom image type:
>>3 byte <1 {invalid},
>>3 byte >7 {invalid},
>>3 byte 1 ROMIMG,
>>3 byte 2 ROMBOOT,
>>3 byte 3 BOOTEXT,
>>3 byte 4 ROMBIN,
>>3 byte 5 ROMDIR,
>>3 byte 6 6,
>>3 byte 7 ROMMAP,
>3 byte >0x7F ram image type:
>>3 byte >0x82 {invalid},
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
>4 belong >0x40000000 {invalid}
>4 belong <0 {invalid}
>4 belong 0 {invalid}
>4 belong x uncompressed size: %d,
>8 belong >0x40000000 {invalid}
>8 belong <0 {invalid}
>8 belong 0 {invalid}
>8 belong x compressed size: %d,
>14 beshort x uncompressed checksum: 0x%X,
>16 beshort x compressed checksum: 0x%X,
>12 byte x flags: 0x%X,
>12 byte &0x40 uncompressed checksum is valid,
>12 byte &0x80 the binary is compressed,
>>12 byte &0x20 compressed checksum is valid,
>35 belong x memory map table address: 0x%X
6 string SIG ZynOS header, header size: 48 bytes,
>3 byte <0x7F rom image type:
>>3 byte <1 {invalid},
>>3 byte >7 {invalid},
>>3 byte 1 ROMIMG,
>>3 byte 2 ROMBOOT,
>>3 byte 3 BOOTEXT,
>>3 byte 4 ROMBIN,
>>3 byte 5 ROMDIR,
>>3 byte 6 6,
>>3 byte 7 ROMMAP,
>3 byte >0x7F ram image type:
>>3 byte >0x82 {invalid},
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
>4 ubelong >0x40000000 {invalid}
>4 belong <0 {invalid}
>4 belong 0 {invalid}
>4 belong x uncompressed size: %d,
>8 belong >0x40000000 {invalid}
>8 belong <0 {invalid}
>8 belong 0 {invalid}
>8 belong x compressed size: %d,
>14 ubeshort x uncompressed checksum: 0x%X,
>16 ubeshort x compressed checksum: 0x%X,
>12 ubyte x flags: 0x%X,
>12 byte &0x40 uncompressed checksum is valid,
>12 ubyte &0x80 the binary is compressed,
>>12 byte &0x20 compressed checksum is valid,
>35 ubelong x memory map table address: 0x%X
# Firmware header used by some VxWorks-based Cisco products
0
string CI032.00
Cisco VxWorks firmware header,
>8
lelong >1024
{invalid}
>8
lelong <0
{invalid}
>8
lelong x
header size: %d bytes,
>32
lelong >1024
{invalid}
>32
lelong <0
{invalid}
>32
lelong x
number of files: %d,
>48
lelong <0
{invalid}
>48
lelong x
image size: %d,
>64
string x
firmware version: "%s"
0
string CI032.00
Cisco VxWorks firmware header,
>8
lelong >1024
{invalid}
>8
lelong <0
{invalid}
>8
lelong x
header size: %d bytes,
>32
lelong >1024
{invalid}
>32
lelong <0
{invalid}
>32
lelong x
number of files: %d,
>48
lelong <0
{invalid}
>48
lelong x
image size: %d,
>64
string x
firmware version: "%s"
# Simple VxWorks reference strings
#0
string VxWorks
VxWorks string referece:
#>0
string x
"%s"
#0
string vxworks
VxWorks string referece:
#>0
string x
"%s"
#0
string VXWORKS
VxWorks string referece:
#>0
string x
"%s"
#0
string VxWorks
VxWorks string referece:
#>0
string x
"%s"
#0
string vxworks
VxWorks string referece:
#>0
string x
"%s"
#0
string VXWORKS
VxWorks string referece:
#>0
string x
"%s"
# Firmware header used by some TV's
0
string FNIB
ZBOOT firmware header, header size: 32 bytes,
>8
lelong x
load address: 0x%.8X,
>12
lelong x
start address: 0x%.8X,
>16
lelong x
checksum: 0x%.8X,
>20
lelong x
version: 0x%.8X,
>24
lelong <1
{invalid}
>24
lelong x
image size: %d bytes
0
string FNIB
ZBOOT firmware header, header size: 32 bytes,
>8
lelong x
load address: 0x%.8X,
>12
lelong x
start address: 0x%.8X,
>16
lelong x
checksum: 0x%.8X,
>20
lelong x
version: 0x%.8X,
>24
lelong <1
{invalid}
>24
lelong x
image size: %d bytes
# Firmware header used by several D-Link routers (and probably others)
0 string \x5e\xa3\xa4\x17
DLOB firmware header,
0 string \x5e\xa3\xa4\x17
DLOB firmware header,
>(7.b+12) string !\x5e\xa3\xa4\x17 {invalid},
#>>12 string x %s,
>(7.b+40) string x boot partition: "%s"
# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
0
string TP-LINK\x20Technologies
TP-Link firmware header,{offset-adjust:-4}
#>-4
lelong x
header version: %d,
>0x94
beshort x
firmware version: %d.
>0x96
beshort x
\b%d.
>0x98
beshort x
\b%d,
>0x18
string x
image version: "%s",
#>0x74 belong x
image size: %d bytes,
>0x3C
belong x
product ID: 0x%X,
>0x40
belong x
product version: %d,
>0x70
belong x
kernel load address: 0x%X,
>0x74
belong x
kernel entry point: 0x%X,
>0x7C
belong x
kernel offset: %d,
>0x80
belong x
kernel length: %d,
>0x84
belong x
rootfs offset: %d,
>0x88
belong x
rootfs length: %d,
>0x8C
belong x
bootloader offset: %d,
>0x90
belong x
bootloader length: %d
0
string TP-LINK\x20Technologies
TP-Link firmware header,{offset-adjust:-4}
#>-4
lelong x
header version: %d,
>0x94
beshort x
firmware version: %d.
>0x96
beshort x
\b%d.
>0x98
beshort x
\b%d,
>0x18
string x
image version: "%s",
#>0x74 belong x
image size: %d bytes,
>0x3C
belong x
product ID: 0x%X,
>0x40
belong x
product version: %d,
>0x70
belong x
kernel load address: 0x%X,
>0x74
belong x
kernel entry point: 0x%X,
>0x7C
belong x
kernel offset: %d,
>0x80
belong x
kernel length: %d,
>0x84
belong x
rootfs offset: %d,
>0x88
belong x
rootfs length: %d,
>0x8C
belong x
bootloader offset: %d,
>0x90
belong x
bootloader length: %d
# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0
string \x36\x00\x00\x00
Broadcom 96345 firmware header, header size: 256,
>4
string
!Broadcom
>>4
string !\x20\x20\x20\x20
{invalid}
>41
beshort
!0x2020
>>41
beshort
!0x0000
>>>41
string x
firmware version: "%.4s",
>45
beshort
!0x0202
>>45
beshort
!0x0000
>>>45
string x
board id: "%s",
>236
belong x
~CRC32 header checksum: 0x%X,
>216
belong x
~CRC32 data checksum: 0x%X
0
string \x36\x00\x00\x00
Broadcom 96345 firmware header, header size: 256,
>4
string
!Broadcom
>>4
string !\x20\x20\x20\x20
{invalid}
>41
beshort
!0x2020
>>41
beshort
!0x0000
>>>41
string x
firmware version: "%.4s",
>45
beshort
!0x0202
>>45
beshort
!0x0000
>>>45
string x
board id: "%s",
>236
belong x
~CRC32 header checksum: 0x%X,
>216
belong x
~CRC32 data checksum: 0x%X
# Xerox MFP DLM signatures
0
string %%XRXbegin
Xerox DLM firmware start of header
0
string %%OID_ATT_DLM_NAME
Xerox DLM firmware name:
>19
string x
"%s"
0
string %%OID_ATT_DLM_VERSION
Xerox DLM firmware version:
>22
string x
"%s"
0
string %%XRXend
Xerox DLM firmware end of header
0
string %%XRXbegin
Xerox DLM firmware start of header
0
string %%OID_ATT_DLM_NAME
Xerox DLM firmware name:
>19
string x
"%s"
0
string %%OID_ATT_DLM_VERSION
Xerox DLM firmware version:
>22
string x
"%s"
0
string %%XRXend
Xerox DLM firmware end of header
# Generic copyright signature
0 string Copyright Copyright string:
>9 byte 0 {invalid}
>0 string x "%s
>63 string x \b%s"
0 string copyright Copyright string:
>9 byte 0 {invalid}
>0 string x "%s
>63 string x \b%s"
0 string Copyright Copyright string:
>9 byte 0 {invalid}
>0 string x "%s"
0 string copyright Copyright string:
>9 byte 0 {invalid}
>0 string x "%s"
# Sercomm firmware header
0
string sErCoMm
Sercomm firmware signature,
>7
leshort x
version control: %d,
>9
leshort x
download control: %d,
>11
string x
hardware ID: "%s",
>44
leshort x
hardware version: 0x%X,
>58
leshort x
firmware version: 0x%X,
>60
leshort x
starting code segment: 0x%X,
>62
leshort x
code size: 0x%X
0
string sErCoMm
Sercomm firmware signature,
>7
leshort x
version control: %d,
>9
leshort x
download control: %d,
>11
string x
hardware ID: "%s",
>44
leshort x
hardware version: 0x%X,
>58
leshort x
firmware version: 0x%X,
>60
leshort x
starting code segment: 0x%X,
>62
leshort x
code size: 0x%X
# NPK firmware header, used by Mikrotik
0 belong 0x1EF1D0BA NPK firmware header,
>4 lelong <0 {invalid}
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s
>(48.l+121) string x \b%s"
0 belong 0x1EF1D0BA NPK firmware header,
>4 lelong <0 {invalid}
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s"
# Ubiquiti firmware signatures
0 string
UBNT
Ubiquiti firmware header, header size: 264 bytes,
0 string
UBNT
Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 {invalid},
>0x104
belong
x ~CRC32: 0x%X,
>0x104
ubelong
x ~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string
x version: "%s"
>4 string
x version: "%s"
0 string
GEOS
Ubiquiti firmware header, header size: 264 bytes,
0 string
GEOS
Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 {invalid},
>0x104
belong x
~CRC32: 0x%X,
>0x104
ubelong x
~CRC32: 0x%X,
>4 byte 0 {invalid},
>4
string x
version: "%s"
>4
string x
version: "%s"
0 string
OPEN
Ubiquiti firmware header, third party,
0 string
OPEN
Ubiquiti firmware header, third party,
>0x108 belong !0 {invalid},
>0x104
belong x
~CRC32: 0x%X,
>0x104
ubelong x
~CRC32: 0x%X,
>4 byte 0 {invalid},
>4
string x
version: "%s"
>4
string x
version: "%s"
0 string \x00\x00\x00\x00PART Ubiquiti partition header,{offset-adjust:4}
>0 byte x header size: 56 bytes,
...
...
@@ -424,59 +418,59 @@
# Found in DIR-100 firmware
0 string
AIH0N
AIH0N firmware header, header size: 48,
>12 belong
x
size: %d,
>8 belong
!0
executable code,
>>8 belong
x
load address: 0x%X,
>32 string
x
version: "%s"
0
belong 0x5EA3A417
SEAMA firmware header, big endian,
>6
beshort x
meta size: %d,
>8
belong <1
{invalid}
>8
belong x
size: %d
0
lelong 0x5EA3A417
SEAMA firmware header, little endian,
>6
leshort x
meta size: %d,
>8
lelong <1
{invalid}
>8
lelong x
size: %d
0
belong 0x4D544443
NSP firmware header, big endian,
>16
belong <1
{invalid}
>16
belong x
header size: %d,
>20
belong <1
{invalid}
>20
belong x
image size: %d,
>20
belong x {file-
size:%d}
>4
belong <1
{invalid}
>4
belong x
kernel offset: %d,
>12
belong <1
{invalid}
>12
belong x
header version: %d,
0
lelong 0x4D544443
NSP firmware header, little endian,
>16
lelong <1
{invalid}
>16
lelong x
header size: %d,
>20
lelong <1
{invalid}
>20
lelong x
image size: %d,
>20
lelong x {file-
size:%d}
>4
lelong <1
{invalid}
>4
lelong x
kernel offset: %d,
>12
lelong <1
{invalid}
>12
lelong x
header version: %d,
0 string
AIH0N
AIH0N firmware header, header size: 48,
>12 belong
x
size: %d,
>8 belong
!0
executable code,
>>8 belong
x
load address: 0x%X,
>32 string
x
version: "%s"
0
belong 0x5EA3A417
SEAMA firmware header, big endian,
>6
beshort x
meta size: %d,
>8
belong <1
{invalid}
>8
belong x
size: %d
0
lelong 0x5EA3A417
SEAMA firmware header, little endian,
>6
leshort x
meta size: %d,
>8
lelong <1
{invalid}
>8
lelong x
size: %d
0
belong 0x4D544443
NSP firmware header, big endian,
>16
belong <1
{invalid}
>16
belong x
header size: %d,
>20
belong <1
{invalid}
>20
belong x
image size: %d,
>20
belong x {
size:%d}
>4
belong <1
{invalid}
>4
belong x
kernel offset: %d,
>12
belong <1
{invalid}
>12
belong x
header version: %d,
0
lelong 0x4D544443
NSP firmware header, little endian,
>16
lelong <1
{invalid}
>16
lelong x
header size: %d,
>20
lelong <1
{invalid}
>20
lelong x
image size: %d,
>20
lelong x {
size:%d}
>4
lelong <1
{invalid}
>4
lelong x
kernel offset: %d,
>12
lelong <1
{invalid}
>12
lelong x
header version: %d,
# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0
string WizFwPkgl
Beyonwiz firmware header,
>20
string x
version: "%s"
0
string WizFwPkgl
Beyonwiz firmware header,
>20
string x
version: "%s"
0
string BLI223WJ0
Thompson/Alcatel encoded firmware,
>32
byte x
version: %d.
>33
byte x
\b%d.
>34
byte x
\b%d.
>35
byte x
\b%d,
>44
belong x
size: %d,
>48
belong x
crc: 0x%.8X,
>35
byte x
try decryption tool from:
>35
byte x
http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
0
string BLI223WJ0
Thompson/Alcatel encoded firmware,
>32
byte x
version: %d.
>33
byte x
\b%d.
>34
byte x
\b%d.
>35
byte x
\b%d,
>44
belong x
size: %d,
>48
ubelong x
crc: 0x%.8X,
>35
byte x
try decryption tool from:
>35
byte x
http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
0 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume{offset-adjust:-16}
16 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
...
...
@@ -489,35 +483,35 @@
>19 string AES-256\n \b, encrypted AES-256
# http://forum.xda-developers.com/showthread.php?p=47818657
0
string imgARMcC
Roku aimage SB{offset-adjust:-8}
0
string imgARMcC
Roku aimage SB{offset-adjust:-8}
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string
Cobalt\ Networks\ Inc.\nFirmware\ v
Paged Sun/COBALT boot rom,
>38 string
x
version: "%.4s"
0 string
Cobalt\ Networks\ Inc.\nFirmware\ v
Paged Sun/COBALT boot rom,
>38 string
x
version: "%.4s"
# Simple eCos string signatures
0
string ecos
eCos RTOS string reference:
>0
string x
"%s"
0
string eCos
eCos RTOS string reference:
>0
string x
"%s"
0
string ECOS
eCos RTOS string reference:
>0
string x
"%s"
0
string ecos
eCos RTOS string reference:
>0
string x
"%s"
0
string eCos
eCos RTOS string reference:
>0
string x
"%s"
0
string ECOS
eCos RTOS string reference:
>0
string x
"%s"
# ZyXEL config signatures
0 string dbgarea ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16
beshort x
compressed size: %d,
>14
beshort x
uncompressed size: %d,
>18
beshort x data offset from start of block: {math:16+%d}
0 string spt.dat ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16
beshort x
compressed size: %d,
>14
beshort x
uncompressed size: %d,
>18
beshort x data offset from start of block: {math:16+%d}
0 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16
beshort x
compressed size: %d,
>14
beshort x
uncompressed size: %d,
>18
beshort x data offset from start of block: {math:16+%d}
6 string dbgarea ZyXEL rom-0 configuration block, name: "%s",
>16
beshort x
compressed size: %d,
>14
beshort x
uncompressed size: %d,
>18
beshort x data offset from start of block: %d+16
6 string spt.dat ZyXEL rom-0 configuration block, name: "%s",
>16
beshort x
compressed size: %d,
>14
beshort x
uncompressed size: %d,
>18
beshort x data offset from start of block: %d+16
6 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",
>16
beshort x
compressed size: %d,
>14
beshort x
uncompressed size: %d,
>18
beshort x data offset from start of block: %d+16
# Obfuscated Arcadyan firmware
0x68 belong 0x00D50800 Obfuscated Arcadyan firmware,
...
...
src/binwalk/magic/images
View file @
43ddf9b9
...
...
@@ -23,21 +23,20 @@
# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
#
0 string \x89PNG\x0d\x0a\x1a\x0a PNG image
>16 belong <1 {invalid}
>16 belong >10000 {invalid}
>20 belong <1 {invalid}
>20 belong >10000 {invalid}
>16 belong x \b, %d x
>20 belong x %d,
>24 byte x %d-bit
>25 byte 0 grayscale,
>25 byte 2 \b/color RGB,
>25 byte 3 colormap,
>25 byte 4 gray+alpha,
>25 byte 6 \b/color RGBA,
#>26 byte 0 deflate/32K,
>28 byte 0 non-interlaced
>28 byte 1 interlaced
>16 belong <1 {invalid}
>16 belong >10000 {invalid}
>20 belong <1 {invalid}
>20 belong >10000 {invalid}
>16 belong x \b, %d x
>20 belong x %d,
>24 byte x %d-bit
>25 byte 0 grayscale,
>25 byte 2 \b/color RGB,
>25 byte 3 colormap,
>25 byte 4 gray+alpha,
>25 byte 6 \b/color RGBA,
>28 byte 0 non-interlaced
>28 byte 1 interlaced
# GIF
0 string GIF8 GIF image data
...
...
@@ -56,41 +55,41 @@
#>10 byte&0x07 =0x07 256 colors
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM
>14 leshort 12
PC bitmap, OS/2 1.x format
>>18
lelong <1
{invalid}
>>18
lelong >1000000
{invalid}
>>18 leshort x
\b, %d x
>>20
lelong <1
{invalid}
>>20
lelong >1000000
{invalid}
>>20 leshort x
%d
>14 leshort 64
PC bitmap, OS/2 2.x format
>>18
lelong <1
{invalid}
>>18
lelong >1000000
{invalid}
>>18 leshort x
\b, %d x
>>20
lelong <1
{invalid}
>>20
lelong >1000000
{invalid}
>>20 leshort x
%d
>14 leshort 40
PC bitmap, Windows 3.x format
>>18
lelong <1
{invalid}
>>18
lelong >1000000
{invalid}
>>18 lelong x
\b, %d x
>>22
lelong <1
{invalid}
>>22
lelong >1000000
{invalid}
>>22 lelong x
%d x
>>28
lelong <1
{invalid}
>>28
lelong >1000000
{invalid}
>>28 leshort x
%d
>14 leshort 128
PC bitmap, Windows NT/2000 format
>>18
lelong >1000000
{invalid}
>>18
lelong <1
{invalid}
>>18 lelong x
\b, %d x
>>22
lelong <1
{invalid}
>>22
lelong >1000000
{invalid}
>>22 lelong x
%d x
>>28
lelong <1
{invalid}
>>28
lelong >1000000
{invalid}
>>28 leshort x
%d
0 string BM
PC bitmap,
>14 leshort 12
OS/2 1.x format,
>>18
lelong <1
{invalid}
>>18
lelong >1000000
{invalid}
>>18 leshort x \b, %d x
>>20
lelong <1
{invalid}
>>20
lelong >1000000
{invalid}
>>20 leshort x %d
>14 leshort 64
OS/2 2.x format,
>>18
lelong <1
{invalid}
>>18
lelong >1000000
{invalid}
>>18 leshort x \b, %d x
>>20
lelong <1
{invalid}
>>20
lelong >1000000
{invalid}
>>20 leshort x %d
>14 leshort 40
Windows 3.x format,
>>18
lelong <1
{invalid}
>>18
lelong >1000000
{invalid}
>>18 lelong x \b, %d x
>>22
lelong <1
{invalid}
>>22
lelong >1000000
{invalid}
>>22 lelong x %d x
>>28
lelong <1
{invalid}
>>28
lelong >1000000
{invalid}
>>28 leshort x %d
>14 leshort 128
Windows NT/2000 format,
>>18
lelong >1000000
{invalid}
>>18
lelong <1
{invalid}
>>18 lelong x \b, %d x
>>22
lelong <1
{invalid}
>>22
lelong >1000000
{invalid}
>>22 lelong x %d x
>>28
lelong <1
{invalid}
>>28
lelong >1000000
{invalid}
>>28 leshort x %d
#------------------------------------------------------------------------------
# JPEG images
...
...
@@ -101,117 +100,117 @@
#
# both of which turn into "JPEG image data" here.
#
0 belong
0xffd8ffe0
JPEG image data, JFIF standard
>6 string
!JFIF
{invalid}
0 belong
0xffd8ffe0
JPEG image data, JFIF standard
>6 string
!JFIF
{invalid}
# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06
# in a vain attempt to add image size reporting for JFIF. Note that these
# tests are not fool-proof since some perfectly valid JPEGs are currently
# impossible to specify in magic(4) format.
# First, a little JFIF version info:
>11 byte
x
\b %d.
>12 byte
x
\b%02d
>11 byte
x
\b %d.
>12 byte
x
\b%02d
# Next, the resolution or aspect ratio of the image:
#>>13 byte 0 \b, aspect ratio
#>>13 byte 1 \b, resolution (DPI)
#>>13 byte 2 \b, resolution (DPCM)
#>>4 beshort x \b, segment length %d
# Next, show thumbnail info, if it exists:
>18 byte
!0
\b, thumbnail %dx
>>19 byte
x
\b%d
>18 byte
!0
\b, thumbnail %dx
>>19 byte
x
\b%d
0
belong 0xffd8ffe1
JPEG image data, EXIF standard
0
belong 0xffd8ffe1
JPEG image data, EXIF standard
# EXIF moved down here to avoid reporting a bogus version number,
# and EXIF version number printing added.
# - Patrik R=E5dman <patrik+file-magic@iki.fi>
>6
string !Exif
{invalid}
>6
string !Exif
{invalid}
# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD.
# All possible combinations of entries have to be enumerated, since no looping
# is possible. And both endians are possible...
# The combinations included below are from real-world JPEGs.
# Little-endian
>12 string II
>12
string II
# IFD 0 Entry #5:
>>70 leshort 0x8769
>>70
leshort 0x8769
# EXIF IFD Entry #1:
>>>(78.l+14)
leshort
0x9000
>>>>(78.l+23)
byte
x %c
>>>>(78.l+24)
byte
x \b.%c
>>>>(78.l+25)
byte
!0x30 \b%c
>>>(78.l+14)
leshort
0x9000
>>>>(78.l+23)
byte
x %c
>>>>(78.l+24)
byte
x \b.%c
>>>>(78.l+25)
byte
!0x30 \b%c
# IFD 0 Entry #9:
>>118 leshort 0x8769
>>118
leshort 0x8769
# EXIF IFD Entry #3:
>>>(126.l+38)
leshort
0x9000
>>>>(126.l+47)
byte
x %c
>>>>(126.l+48)
byte
x \b.%c
>>>>(126.l+49)
byte
!0x30 \b%c
>>>(126.l+38)
leshort
0x9000
>>>>(126.l+47)
byte
x %c
>>>>(126.l+48)
byte
x \b.%c
>>>>(126.l+49)
byte
!0x30 \b%c
# IFD 0 Entry #10
>>130 leshort 0x8769
>>130
leshort 0x8769
# EXIF IFD Entry #3:
>>>(138.l+38)
leshort
0x9000
>>>>(138.l+47)
byte
x %c
>>>>(138.l+48)
byte
x \b.%c
>>>>(138.l+49)
byte
!0x30 \b%c
>>>(138.l+38)
leshort
0x9000
>>>>(138.l+47)
byte
x %c
>>>>(138.l+48)
byte
x \b.%c
>>>>(138.l+49)
byte
!0x30 \b%c
# EXIF IFD Entry #4:
>>>(138.l+50)
leshort
0x9000
>>>>(138.l+59)
byte
x %c
>>>>(138.l+60)
byte
x \b.%c
>>>>(138.l+61)
byte
!0x30 \b%c
>>>(138.l+50)
leshort
0x9000
>>>>(138.l+59)
byte
x %c
>>>>(138.l+60)
byte
x \b.%c
>>>>(138.l+61)
byte
!0x30 \b%c
# EXIF IFD Entry #5:
>>>(138.l+62)
leshort
0x9000
>>>>(138.l+71)
byte
x %c
>>>>(138.l+72)
byte
x \b.%c
>>>>(138.l+73)
byte
!0x30 \b%c
>>>(138.l+62)
leshort
0x9000
>>>>(138.l+71)
byte
x %c
>>>>(138.l+72)
byte
x \b.%c
>>>>(138.l+73)
byte
!0x30 \b%c
# IFD 0 Entry #11
>>142 leshort 0x8769
>>142
leshort 0x8769
# EXIF IFD Entry #3:
>>>(150.l+38)
leshort
0x9000
>>>>(150.l+47)
byte
x %c
>>>>(150.l+48)
byte
x \b.%c
>>>>(150.l+49)
byte
!0x30 \b%c
>>>(150.l+38)
leshort
0x9000
>>>>(150.l+47)
byte
x %c
>>>>(150.l+48)
byte
x \b.%c
>>>>(150.l+49)
byte
!0x30 \b%c
# EXIF IFD Entry #4:
>>>(150.l+50)
leshort
0x9000
>>>>(150.l+59)
byte
x %c
>>>>(150.l+60)
byte
x \b.%c
>>>>(150.l+61)
byte
!0x30 \b%c
>>>(150.l+50)
leshort
0x9000
>>>>(150.l+59)
byte
x %c
>>>>(150.l+60)
byte
x \b.%c
>>>>(150.l+61)
byte
!0x30 \b%c
# EXIF IFD Entry #5:
>>>(150.l+62)
leshort
0x9000
>>>>(150.l+71)
byte
x %c
>>>>(150.l+72)
byte
x \b.%c
>>>>(150.l+73)
byte
!0x30 \b%c
>>>(150.l+62)
leshort
0x9000
>>>>(150.l+71)
byte
x %c
>>>>(150.l+72)
byte
x \b.%c
>>>>(150.l+73)
byte
!0x30 \b%c
# Big-endian
>12 string MM
>12
string MM
# IFD 0 Entry #9:
>>118 beshort 0x8769
>>118
beshort 0x8769
# EXIF IFD Entry #1:
>>>(126.L+14)
beshort
0x9000
>>>>(126.L+23)
byte
x %c
>>>>(126.L+24)
byte
x \b.%c
>>>>(126.L+25)
byte
!0x30 \b%c
>>>(126.L+14)
beshort
0x9000
>>>>(126.L+23)
byte
x %c
>>>>(126.L+24)
byte
x \b.%c
>>>>(126.L+25)
byte
!0x30 \b%c
# EXIF IFD Entry #3:
>>>(126.L+38)
beshort
0x9000
>>>>(126.L+47)
byte
x %c
>>>>(126.L+48)
byte
x \b.%c
>>>>(126.L+49)
byte
!0x30 \b%c
>>>(126.L+38)
beshort
0x9000
>>>>(126.L+47)
byte
x %c
>>>>(126.L+48)
byte
x \b.%c
>>>>(126.L+49)
byte
!0x30 \b%c
# IFD 0 Entry #10
>>130 beshort 0x8769
>>130
beshort 0x8769
# EXIF IFD Entry #3:
>>>(138.L+38)
beshort
0x9000
>>>>(138.L+47)
byte
x %c
>>>>(138.L+48)
byte
x \b.%c
>>>>(138.L+49)
byte
!0x30 \b%c
>>>(138.L+38)
beshort
0x9000
>>>>(138.L+47)
byte
x %c
>>>>(138.L+48)
byte
x \b.%c
>>>>(138.L+49)
byte
!0x30 \b%c
# EXIF IFD Entry #5:
>>>(138.L+62)
beshort
0x9000
>>>>(138.L+71)
byte
x %c
>>>>(138.L+72)
byte
x \b.%c
>>>>(138.L+73)
byte
!0x30 \b%c
>>>(138.L+62)
beshort
0x9000
>>>>(138.L+71)
byte
x %c
>>>>(138.L+72)
byte
x \b.%c
>>>>(138.L+73)
byte
!0x30 \b%c
# IFD 0 Entry #11
>>142 beshort 0x8769
>>142
beshort 0x8769
# EXIF IFD Entry #4:
>>>(150.L+50)
beshort
0x9000
>>>>(150.L+59)
byte
x %c
>>>>(150.L+60)
byte
x \b.%c
>>>>(150.L+61)
byte
!0x30 \b%c
>>>(150.L+50)
beshort
0x9000
>>>>(150.L+59)
byte
x %c
>>>>(150.L+60)
byte
x \b.%c
>>>>(150.L+61)
byte
!0x30 \b%c
# Here things get sticky. We can do ONE MORE marker segment with
# indirect addressing, and that's all. It would be great if we could
# do pointer arithemetic like in an assembler language. Christos?
...
...
@@ -239,12 +238,4 @@
>>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d
# I've commented-out quantisation table reporting. I doubt anyone cares yet.
#>(4.S+5) byte 0xDB \b, quantisation table
#>>(4.S+6) beshort x \b length=%d
#>14 beshort x \b, %d x
#>16 beshort x \b %d
0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50}
>27 string !8888888888\n {invalid}
src/binwalk/magic/kernels
View file @
43ddf9b9
...
...
@@ -5,16 +5,15 @@
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0
string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29
Linux kernel boot image
>514
string !HdrS ({invalid})
0
string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29
Linux kernel boot image
>514
string !HdrS {invalid}
# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries.
0 string Linux\ version\ Linux kernel version
>14 byte 0 {invalid}
>14 byte !0
>>14 string x "%s
>>45 string x \b%s"
0 string Linux\x20version\x20 Linux kernel version
>14 byte 0 {invalid}
>14 byte !0
>>14 string x "%s"
# eCos kernel exception handlers
#
...
...
@@ -26,13 +25,13 @@
# lw $k1, 0($k1)
# jr $k1
# nop
0
string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33
eCos kernel exception handler, architecture: MIPSEL,
>14
leshort !0x3C1B
{invalid}
>18
leshort !0x277B
{invalid}
>12
leshort x
exception vector table base address: 0x%.4X
>16
leshort x
\b%.4X
0
string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F
eCos kernel exception handler, architecture: MIPS,
>12
beshort !0x3C1B
{invalid}
>16
beshort !0x277B
{invalid}
>14
beshort x
exception vector table base address: 0x%.4X
>18
beshort x
\b%.4X
0
string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33
eCos kernel exception handler, architecture: MIPSEL,
>14
leshort !0x3C1B
{invalid}
>18
leshort !0x277B
{invalid}
>12
uleshort x
exception vector table base address: 0x%.4X
>16
uleshort x
\b%.4X
0
string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F
eCos kernel exception handler, architecture: MIPS,
>12
beshort !0x3C1B
{invalid}
>16
beshort !0x277B
{invalid}
>14
ubeshort x
exception vector table base address: 0x%.4X
>18
ubeshort x
\b%.4X
src/binwalk/magic/lzma
View file @
43ddf9b9
This source diff could not be displayed because it is too large. You can
view the blob
instead.
src/binwalk/magic/misc
View file @
43ddf9b9
...
...
@@ -2,9 +2,9 @@
# $File: pdf,v 1.6 2009/09/19 16:28:11 christos Exp $
# pdf: file(1) magic for Portable Document Format
#
0 string %PDF- PDF document,
>6
byte !0x2e
{invalid}
>5 string x version: "%3s"
0
string %PDF- PDF document,
>6
byte !0x2e
{invalid}
>5
string x version: "%3s"
#------------------------------------------------------------------------------
# $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $
...
...
@@ -25,18 +25,18 @@
0 string LinuxGuestRecord Xen saved domain file
0
string \x3chtml HTML document header{extract-delay:HTML document footer}
>5
byte
!0x20
>>5
byte !0x3e \b,
{invalid}
0
string \x3cHTML HTML document header{extract-delay:HTML document footer}
>5
byte
!0x20
>>5
byte !0x3e \b,
{invalid}
0
string \x3chtml HTML document header
>5
byte
!0x20
>>5
byte !0x3e
{invalid}
0
string \x3cHTML HTML document header
>5
byte
!0x20
>>5
byte !0x3e
{invalid}
0
string \x3c/html\x3e HTML document footer{offset-adjust:7}
0
string \x3c/HTML\x3e HTML document footer{offset-adjust:7}
0
string \x3c/html\x3e HTML document footer
0
string \x3c/HTML\x3e HTML document footer
0
string \x3c?xml\x20version
XML document,
>15
string x
version: "%.3s"
0
string \x3c?xml\x20version
XML document,
>15
string x
version: "%.3s"
# CodeGate 2011 http://nopsrus.blogspot.com/2013/05/codegate-ctf-2011-binary-100-points.html
0 string \x23\x40\x7e\x5e Windows Script Encoded Data (screnc.exe)
...
...
@@ -57,13 +57,13 @@
>63 string x \b%s"
0 string begin\x20 uuencoded data,
>9 byte !0x20 {invalid} format,
>6 byte <0x30 {invalid} permissions,
>6 byte >0x39 {invalid} permissions,
>7 byte <0x30 {invalid} permissions,
>7 byte >0x39 {invalid} permissions,
>8 byte <0x30 {invalid} permissions,
>8 byte >0x39 {invalid} permissions,
>9 byte !0x20 {invalid}
invalid
format,
>6 byte <0x30 {invalid}
invalid
permissions,
>6 byte >0x39 {invalid}
invalid
permissions,
>7 byte <0x30 {invalid}
invalid
permissions,
>7 byte >0x39 {invalid}
invalid
permissions,
>8 byte <0x30 {invalid}
invalid
permissions,
>8 byte >0x39 {invalid}
invalid
permissions,
>10 string x file name: "%s",
>6 string x file permissions: "%.3s"
src/binwalk/magic/network
View file @
43ddf9b9
...
...
@@ -4,88 +4,88 @@
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0
string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d
Pcap-ng capture file, big-endian,
>12
beshort x
version %d
>14
beshort x
\b.%d
0
string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d
Pcap-ng capture file, big-endian,
>12
beshort x
version %d
>14
beshort x
\b.%d
0
string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a
Pcap-ng capture file, little-endian,
>12
leshort x
version %d
>14
leshort x
\b.%d
0
string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a
Pcap-ng capture file, little-endian,
>12
leshort x
version %d
>14
leshort x
\b.%d
#
# "libpcap" capture files.
#
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
>4
beshort >2
{invalid}
>4 beshort x version %d
>6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (BSD ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 19 (Linux ATM Classical IP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 99 (Symantec Enterprise Firewall
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 107 (Frame Relay
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPsec encrypted
>20 belong 112 (Cisco HDLC
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>20 belong 117 (OpenBSD PFLOG
>20 belong 119 (802.11 with Prism header
>20 belong 122 (RFC 2625 IP over Fibre Channel
>20 belong 123 (SunATM
>20 belong 127 (802.11 with radiotap header
>20 belong 129 (Linux ARCNET
>20 belong 138 (Apple IP over IEEE 1394
>20 belong 140 (MTP2
>20 belong 141 (MTP3
>20 belong 143 (DOCSIS
>20 belong 144 (IrDA
>20 belong 147 (Private use 0
>20 belong 148 (Private use 1
>20 belong 149 (Private use 2
>20 belong 150 (Private use 3
>20 belong 151 (Private use 4
>20 belong 152 (Private use 5
>20 belong 153 (Private use 6
>20 belong 154 (Private use 7
>20 belong 155 (Private use 8
>20 belong 156 (Private use 9
>20 belong 157 (Private use 10
>20 belong 158 (Private use 11
>20 belong 159 (Private use 12
>20 belong 160 (Private use 13
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>20
belong >163 ({invalid}
link layer
>20
belong <0 ({invalid}
link layer
>16 belong x \b, snaplen: %d)
0 string \xa1\xb2\xc3\xd4\x00
Libpcap capture file, big-endian,
>4
beshort >2
{invalid}
>4 beshort x
version %d
>6 beshort x
\b.%d,
>20 belong 0
(No link-layer encapsulation
>20 belong 1
(Ethernet
>20 belong 2
(3Mb Ethernet
>20 belong 3
(AX.25
>20 belong 4
(ProNET
>20 belong 5
(CHAOS
>20 belong 6
(Token Ring
>20 belong 7
(BSD ARCNET
>20 belong 8
(SLIP
>20 belong 9
(PPP
>20 belong 10
(FDDI
>20 belong 11
(RFC 1483 ATM
>20 belong 12
(raw IP
>20 belong 13
(BSD/OS SLIP
>20 belong 14
(BSD/OS PPP
>20 belong 19
(Linux ATM Classical IP
>20 belong 50
(PPP or Cisco HDLC
>20 belong 51
(PPP-over-Ethernet
>20 belong 99
(Symantec Enterprise Firewall
>20 belong 100
(RFC 1483 ATM
>20 belong 101
(raw IP
>20 belong 102
(BSD/OS SLIP
>20 belong 103
(BSD/OS PPP
>20 belong 104
(BSD/OS Cisco HDLC
>20 belong 105
(802.11
>20 belong 106
(Linux Classical IP over ATM
>20 belong 107
(Frame Relay
>20 belong 108
(OpenBSD loopback
>20 belong 109
(OpenBSD IPsec encrypted
>20 belong 112
(Cisco HDLC
>20 belong 113
(Linux "cooked"
>20 belong 114
(LocalTalk
>20 belong 117
(OpenBSD PFLOG
>20 belong 119
(802.11 with Prism header
>20 belong 122
(RFC 2625 IP over Fibre Channel
>20 belong 123
(SunATM
>20 belong 127
(802.11 with radiotap header
>20 belong 129
(Linux ARCNET
>20 belong 138
(Apple IP over IEEE 1394
>20 belong 140
(MTP2
>20 belong 141
(MTP3
>20 belong 143
(DOCSIS
>20 belong 144
(IrDA
>20 belong 147
(Private use 0
>20 belong 148
(Private use 1
>20 belong 149
(Private use 2
>20 belong 150
(Private use 3
>20 belong 151
(Private use 4
>20 belong 152
(Private use 5
>20 belong 153
(Private use 6
>20 belong 154
(Private use 7
>20 belong 155
(Private use 8
>20 belong 156
(Private use 9
>20 belong 157
(Private use 10
>20 belong 158
(Private use 11
>20 belong 159
(Private use 12
>20 belong 160
(Private use 13
>20 belong 161
(Private use 14
>20 belong 162
(Private use 15
>20 belong 163
(802.11 with AVS header
>20
belong >163 {invalid}(invalid
link layer
>20
belong <0 {invalid}(invalid
link layer
>16 belong x
\b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
>4
leshort >2
{invalid}
>4
leshort <0
{invalid}
>4
leshort >2
{invalid}
>4
leshort <0
{invalid}
>4 leshort x version %d
>6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation
...
...
@@ -148,7 +148,7 @@
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
>20
lelong >163 ({invalid}
link layer
>20
lelong <0 ({invalid}
link layer
>20
lelong >163 {invalid}(invalid
link layer
>20
lelong <0 {invalid}(invalid
link layer
>16 lelong x \b, snaplen: %d)
src/binwalk/magic/sql
View file @
43ddf9b9
...
...
@@ -5,26 +5,26 @@
# From: "Marty Leisner" <mleisner@eng.mc.xerox.com>
# Recognize some MySQL files.
#
0 beshort
0xfe01 MySQL table definition file
>2
string <1
{invalid}
>2
string >\11
{invalid}
>2 byte
x Version %d
0 string
\xfe\xfe\x03 MySQL MISAM index file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3 byte
x Version %d
0 string
\xfe\xfe\x07 MySQL MISAM compressed data file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3 byte
x Version %d
0 string
\xfe\xfe\x05 MySQL ISAM index file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3 byte
x Version %d
0 string
\xfe\xfe\x06 MySQL ISAM compressed data file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3 byte
x Version %d
0 beshort 0xfe01 MySQL table definition file
>2
ubyte <1
{invalid}
>2
ubyte >11
{invalid}
>2 byte x Version %d
0 string \xfe\xfe\x03 MySQL MISAM index file
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
0 string \xfe\xfe\x07 MySQL MISAM compressed data file
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
0 string \xfe\xfe\x05 MySQL ISAM index file
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
0 string \xfe\xfe\x06 MySQL ISAM compressed data file
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
#0 string \376bin MySQL replication log
#------------------------------------------------------------------------------
...
...
@@ -32,9 +32,10 @@
# From Ken Guest <ken@linux.ie>
# As observed from iRivNavi.iDB and unencoded firmware
#
0 string iRivDB iRiver Database file
>11 string >\0 Version "%s"
>39 string iHP-100 [H Series]
0 string iRivDB iRiver Database file
>11 byte !0
>>11 string x Version "%s"
#>39 string iHP-100 [H Series]
#------------------------------------------------------------------------------
# SQLite database files
...
...
@@ -49,7 +50,7 @@
# Version 3 of SQLite allows applications to embed their own "user version"
# number in the database. Detect this and distinguish those files.
0 string
SQLite\x20format\x203
>60 string
_MTN M
onotone source repository
>60
belong !0 SQLite 3.x database
, user version %u
>60 belong 0 SQLite 3.x database
0 string
SQLite\x20format\x203 SQLite 3.x database,
>60 string
_MTN m
onotone source repository
>60
ubelong !0 \b
, user version %u
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
