Commit 43ddf9b9 by devttys0

Fixed extraction bug; prettified magic files

parent d95e015d
...@@ -23,6 +23,7 @@ class SignatureResult(object): ...@@ -23,6 +23,7 @@ class SignatureResult(object):
self.strlen = 0 self.strlen = 0
self.string = False self.string = False
self.invalid = False self.invalid = False
self.extract = True
# These are set by code internally # These are set by code internally
self.file = None self.file = None
......
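Review bot: The new `self.extract = True` default sits directly under `self.invalid = False` with nothing stating how the two flags interact, so as far as this hunk shows a result can be marked invalid and still be eligible for extraction. Because extraction acts on untrusted input files, I would document the contract where the attribute is defined, with something like `# extract: when False, no extraction rule is run for this result (check together with self.invalid)`, adjusted to the real behaviour. It is also worth confirming that the code consuming results tests both flags. The constructor starts and ends outside this hunk, so where `extract` is cleared is not visible here.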
...@@ -4,99 +4,95 @@ ...@@ -4,99 +4,95 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
# #
0x104 belong 0xCEED6666 Gameboy ROM, 0x104 ubelong 0xCEED6666 Gameboy ROM,
>0x134 string >\0 name: "%.16s" >0x134 byte !0
>0x146 byte 0x03 \b,[SGB] >>0x134 string x name: "%.16s"
>0x147 byte 0x00 \b, [ROM ONLY] >0x146 byte 0x03 \b,[SGB]
>0x147 byte 0x01 \b, [ROM+MBC1] >0x147 byte 0x00 \b, [ROM ONLY]
>0x147 byte 0x02 \b, [ROM+MBC1+RAM] >0x147 byte 0x01 \b, [ROM+MBC1]
>0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT] >0x147 byte 0x02 \b, [ROM+MBC1+RAM]
>0x147 byte 0x05 \b, [ROM+MBC2] >0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT]
>0x147 byte 0x06 \b, [ROM+MBC2+BATTERY] >0x147 byte 0x05 \b, [ROM+MBC2]
>0x147 byte 0x08 \b, [ROM+RAM] >0x147 byte 0x06 \b, [ROM+MBC2+BATTERY]
>0x147 byte 0x09 \b, [ROM+RAM+BATTERY] >0x147 byte 0x08 \b, [ROM+RAM]
>0x147 byte 0x0B \b, [ROM+MMM01] >0x147 byte 0x09 \b, [ROM+RAM+BATTERY]
>0x147 byte 0x0C \b, [ROM+MMM01+SRAM] >0x147 byte 0x0B \b, [ROM+MMM01]
>0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT] >0x147 byte 0x0C \b, [ROM+MMM01+SRAM]
>0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT] >0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT]
>0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT] >0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT]
>0x147 byte 0x11 \b, [ROM+MBC3] >0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT]
>0x147 byte 0x12 \b, [ROM+MBC3+RAM] >0x147 byte 0x11 \b, [ROM+MBC3]
>0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT] >0x147 byte 0x12 \b, [ROM+MBC3+RAM]
>0x147 byte 0x19 \b, [ROM+MBC5] >0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT]
>0x147 byte 0x1A \b, [ROM+MBC5+RAM] >0x147 byte 0x19 \b, [ROM+MBC5]
>0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT] >0x147 byte 0x1A \b, [ROM+MBC5+RAM]
>0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE] >0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT]
>0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM] >0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE]
>0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT] >0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM]
>0x147 byte 0x1F \b, [Pocket Camera] >0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT]
>0x147 byte 0xFD \b, [Bandai TAMA5] >0x147 byte 0x1F \b, [Pocket Camera]
>0x147 byte 0xFE \b, [Hudson HuC-3] >0x147 byte 0xFD \b, [Bandai TAMA5]
>0x147 byte 0xFF \b, [Hudson HuC-1] >0x147 byte 0xFE \b, [Hudson HuC-3]
>0x147 byte 0xFF \b, [Hudson HuC-1]
>0x148 byte 0 \b, ROM: 256Kbit >0x148 byte 0 \b, ROM: 256Kbit
>0x148 byte 1 \b, ROM: 512Kbit >0x148 byte 1 \b, ROM: 512Kbit
>0x148 byte 2 \b, ROM: 1Mbit >0x148 byte 2 \b, ROM: 1Mbit
>0x148 byte 3 \b, ROM: 2Mbit >0x148 byte 3 \b, ROM: 2Mbit
>0x148 byte 4 \b, ROM: 4Mbit >0x148 byte 4 \b, ROM: 4Mbit
>0x148 byte 5 \b, ROM: 8Mbit >0x148 byte 5 \b, ROM: 8Mbit
>0x148 byte 6 \b, ROM: 16Mbit >0x148 byte 6 \b, ROM: 16Mbit
>0x148 byte 0x52 \b, ROM: 9Mbit >0x148 byte 0x52 \b, ROM: 9Mbit
>0x148 byte 0x53 \b, ROM: 10Mbit >0x148 byte 0x53 \b, ROM: 10Mbit
>0x148 byte 0x54 \b, ROM: 12Mbit >0x148 byte 0x54 \b, ROM: 12Mbit
>0x149 byte 1 \b, RAM: 16Kbit >0x149 byte 1 \b, RAM: 16Kbit
>0x149 byte 2 \b, RAM: 64Kbit >0x149 byte 2 \b, RAM: 64Kbit
>0x149 byte 3 \b, RAM: 128Kbit >0x149 byte 3 \b, RAM: 128Kbit
>0x149 byte 4 \b, RAM: 1Mbit >0x149 byte 4 \b, RAM: 1Mbit
#>0x14e long x \b, CRC: %x #>0x14e long x \b, CRC: %x
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format # genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format
# #
0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump, 0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump,
>0x120 string x Name: "%.16s" >0x120 string x Name: "%.16s",
>0x110 string >\0 "%.16s" >0x110 byte !0
>0x1B0 string RA with SRAM >>0x110 string x "%.16s",
>0x1B0 string RA with SRAM
# From: "Nelson A. de Oliveira" <naoliv@gmail.com> # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Nintendo .nds # Nintendo .nds
192 string \044\377\256Qi\232 Nintendo DS Game ROM Image 192 string \044\377\256Qi\232 Nintendo DS Game ROM Image
# Nintendo .gba # Nintendo .gba
0 string \056\000\000\352$\377\256Qi Nintendo Game Boy Advance ROM Image 0 string \056\000\000\352$\377\256Qi Nintendo Game Boy Advance ROM Image
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\ EXE Sony Playstation executable 0 string PS-X\x20EXE Sony Playstation executable
# Area: # Area:
>113 string x (%s) >113 string x (%s)
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
## Microsoft Xbox executables .xbe (Esa Hyytiä <ehyytia@cc.hut.fi>) ## Microsoft Xbox executables .xbe (Esa Hyytiä <ehyytia@cc.hut.fi>)
0 string XBEH Microsoft Xbox executable (XBE), 0 string XBEH Microsoft Xbox executable (XBE),
## probabilistic checks whether signed or not ## probabilistic checks whether signed or not
>0x0004 ulelong =0x0 >0x0004 ulelong =0x0
>>2 ulelong !0x0 \b, {invalid} >>2 ulelong =0x0 \b, not signed
>>2 ulelong =0x0 >0x0004 ulelong >0
>>>2 ulelong !0x0 \b, {invalid} >>2 ulelong >0 \b, signed
>>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>2 ulelong =0x0 \b, {invalid}
>>2 ulelong >0
>>>2 ulelong =0x0 \b, {invalid}
>>>2 ulelong >0 \b, signed
>0x0104 lelong <0 \b, {invalid} base address
## expect base address of 0x10000 ## expect base address of 0x10000
>0x0104 ulelong =0x10000 >0x0104 ulelong !0x10000 {invalid}
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions >0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007 >>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>>(0x0118-0x0FF60) ulelong >0 (regions: >>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007
>>>>(0x0118-0x0FF60) ulelong &0x00000001 NA >>>(0x0118-0x0FF60) ulelong >0 (regions:
>>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan >>>>(0x0118-0x0FF60) ulelong &0x00000001 NA
>>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World >>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan
>>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer >>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World
>>>(0x0118-0x0FF60) ulelong >0 \b) >>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer
>>>(0x0118-0x0FF60) ulelong >0 \b)
# -------------------------------- # --------------------------------
# # Microsoft Xbox data file formats # # Microsoft Xbox data file formats
......
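Review bot: In the Xbox XBE rules the nested `>>2 ulelong` tests read four bytes starting at offset 2, which overlaps the `XBEH` magic matched at offset 0. If that offset is counted from the start of the signature, the little-endian value always contains the bytes `EH` and can never be 0. That would make `>>2 ulelong =0x0 \b, not signed` unreachable and `>>2 ulelong >0 \b, signed` true whenever the outer `>0x0004 ulelong >0` test passes, so the signed/not signed label is decided by offset 4 alone. The nested offset probably needs to point past the field at 0x0004; until that is confirmed, a comment such as `## NOTE: offset 2 overlaps the XBEH magic, so this nested test cannot distinguish signed from unsigned images` would stop readers from trusting the label.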
...@@ -9,26 +9,28 @@ ...@@ -9,26 +9,28 @@
# Type: OpenSSH key files # Type: OpenSSH key files
# From: Nicolas Collignon <tsointsoin@gmail.com> # From: Nicolas Collignon <tsointsoin@gmail.com>
0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key, 0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key,
>28 string >\0 version "%s" >28 byte !0
>>28 string x version "%s"
>28 byte 0 {invalid}
0 string ssh-dss\x20 OpenSSH DSA public key 0 string ssh-dss\x20 OpenSSH DSA public key
0 string ssh-rsa\x20 OpenSSH RSA public key 0 string ssh-rsa\x20 OpenSSH RSA public key
# Type: Certificates/key files in DER format # Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com> # From: Gert Hulselmans <hulselmansgert@gmail.com>
0 string \x30\x82 Private key in DER format (PKCS#8), 0 string \x30\x82 Private key in DER format (PKCS#8),
>4 string !\x02\x01\x00 {invalid}, >4 string !\x02\x01\x00 {invalid}
>>2 beshort x header length: 4, sequence length: %d >2 beshort x header length: 4, sequence length: %d
0 string \x30\x82 Certificate in DER format (x509 v3), 0 string \x30\x82 Certificate in DER format (x509 v3),
>4 string !\x30\x82 {invalid}, >4 string !\x30\x82 {invalid}
>>2 beshort x header length: 4, sequence length: %d >2 beshort x header length: 4, sequence length: %d
# GnuPG # GnuPG
# The format is very similar to pgp # The format is very similar to pgp
0 string \001gpg GPG key trust database 0 string \001gpg GPG key trust database
>4 byte x version %d >4 byte x version %d
# Not a very useful signature # Not a very useful signature
#0 beshort 0x9901 GPG key public ring #0 beshort 0x9901 GPG key public ring
...@@ -39,50 +41,50 @@ ...@@ -39,50 +41,50 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Mavroyanopoulos Nikos <nmav@hellug.gr> # Mavroyanopoulos Nikos <nmav@hellug.gr>
# mcrypt: file(1) magic for mcrypt 2.2.x; # mcrypt: file(1) magic for mcrypt 2.2.x;
#0 string \0m\3 mcrypt 2.5 encrypted data, #0 string \0m\3 mcrypt 2.5 encrypted data,
#>4 byte 0 {invalid} #>4 byte 0 {invalid}
#>4 string >\0 algorithm: "%s", #>4 string >\0 algorithm: "%s",
#>>&1 leshort <1 {invalid} #>>&1 leshort <1 {invalid}
#>>&1 leshort >0 keysize: %d bytes, #>>&1 leshort >0 keysize: %d bytes,
#>>>&0 byte 0 {invalid} #>>>&0 byte 0 {invalid}
#>>>&0 string >\0 mode: "%s", #>>>&0 string >\0 mode: "%s",
0 string \0m\2 mcrypt 2.2 encrypted data, 0 string \0m\2 mcrypt 2.2 encrypted data,
>3 byte 0 algorithm: blowfish-448, >3 byte 0 algorithm: blowfish-448,
>3 byte 1 algorithm: DES, >3 byte 1 algorithm: DES,
>3 byte 2 algorithm: 3DES, >3 byte 2 algorithm: 3DES,
>3 byte 3 algorithm: 3-WAY, >3 byte 3 algorithm: 3-WAY,
>3 byte 4 algorithm: GOST, >3 byte 4 algorithm: GOST,
>3 byte 6 algorithm: SAFER-SK64, >3 byte 6 algorithm: SAFER-SK64,
>3 byte 7 algorithm: SAFER-SK128, >3 byte 7 algorithm: SAFER-SK128,
>3 byte 8 algorithm: CAST-128, >3 byte 8 algorithm: CAST-128,
>3 byte 9 algorithm: xTEA, >3 byte 9 algorithm: xTEA,
>3 byte 10 algorithm: TWOFISH-128, >3 byte 10 algorithm: TWOFISH-128,
>3 byte 11 algorithm: RC2, >3 byte 11 algorithm: RC2,
>3 byte 12 algorithm: TWOFISH-192, >3 byte 12 algorithm: TWOFISH-192,
>3 byte 13 algorithm: TWOFISH-256, >3 byte 13 algorithm: TWOFISH-256,
>3 byte 14 algorithm: blowfish-128, >3 byte 14 algorithm: blowfish-128,
>3 byte 15 algorithm: blowfish-192, >3 byte 15 algorithm: blowfish-192,
>3 byte 16 algorithm: blowfish-256, >3 byte 16 algorithm: blowfish-256,
>3 byte 100 algorithm: RC6, >3 byte 100 algorithm: RC6,
>3 byte 101 algorithm: IDEA, >3 byte 101 algorithm: IDEA,
>3 byte <0 {invalid} algorithm >3 byte <0 {invalid}
>3 byte >101 {invalid} algorithm, >3 byte >101 {invalid}
>3 byte >16 >3 byte >16
>>3 byte <100 {invalid} algorithm, >>3 byte <100 {invalid}
>4 byte 0 mode: CBC, >4 byte 0 mode: CBC,
>4 byte 1 mode: ECB, >4 byte 1 mode: ECB,
>4 byte 2 mode: CFB, >4 byte 2 mode: CFB,
>4 byte 3 mode: OFB, >4 byte 3 mode: OFB,
>4 byte 4 mode: nOFB, >4 byte 4 mode: nOFB,
>4 byte <0 {invalid} mode, >4 byte <0 {invalid}
>4 byte >4 {invalid} mode, >4 byte >4 {invalid}
>5 byte 0 keymode: 8bit >5 byte 0 keymode: 8bit
>5 byte 1 keymode: 4bit >5 byte 1 keymode: 4bit
>5 byte 2 keymode: SHA-1 hash >5 byte 2 keymode: SHA-1 hash
>5 byte 3 keymode: MD5 hash >5 byte 3 keymode: MD5 hash
>5 byte <0 {invalid} keymode >5 byte <0 {invalid}
>5 byte >3 {invalid} keymode >5 byte >3 {invalid}
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# pgp: file(1) magic for Pretty Good Privacy # pgp: file(1) magic for Pretty Good Privacy
...@@ -90,13 +92,14 @@ ...@@ -90,13 +92,14 @@
#0 beshort 0x9900 PGP key public ring #0 beshort 0x9900 PGP key public ring
#0 beshort 0x9501 PGP key security ring #0 beshort 0x9501 PGP key security ring
#0 beshort 0x9500 PGP key security ring #0 beshort 0x9500 PGP key security ring
#0 beshort 0xa600 PGP encrypted data #0 beshort 0xa600 PGP encrypted data
0 string -----BEGIN\040PGP PGP armored data, 0 string -----BEGIN\040PGP PGP armored data,
>15 string PUBLIC\040KEY\040BLOCK- public key block >15 string PUBLIC\040KEY\040BLOCK- public key block
>15 string MESSAGE- message >15 string MESSAGE- message
>15 string SIGNED\040MESSAGE- signed message >15 string SIGNED\040MESSAGE- signed message
>15 string PGP\040SIGNATURE- signature >15 string PGP\040SIGNATURE- signature
0 string Salted__ OpenSSL encryption, salted, 0 string Salted__ OpenSSL encryption, salted,
>8 belong x salt: 0x%X >8 belong x salt: 0x%X
>12 belong x \b%X >12 belong x \b%X
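Review bot: The `Salted__` rule still prints the salt with `>8 belong x salt: 0x%X` followed by `>12 belong x \b%X`, so leading zeros in either word are dropped and the two halves run together ambiguously. As a constructed example, the words 0x00000001 and 0x00000002 would print as `0x12`. The type is also left as plain `belong`, while this commit moves other hex-formatted fields to `ubelong`, so a word with the top bit set may be rendered as a negative number depending on how the parser applies `%X`. I would change the two lines to `>8 ubelong x salt: 0x%.8X` and `>12 ubelong x \b%.8X`.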
...@@ -10,231 +10,229 @@ ...@@ -10,231 +10,229 @@
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
# #
# updated by Daniel Quinlan (quinlan@yggdrasil.com) # updated by Daniel Quinlan (quinlan@yggdrasil.com)
0 string \177ELF ELF 0 string \177ELF ELF,
>4 byte 0 {invalid} class >4 byte 0 {invalid}
>4 byte 1 32-bit >4 byte 1 32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used. # only for MIPS - in the future, the ABI field of e_flags should be used.
>>18 leshort 8 >>18 leshort 8
>>>36 lelong &0x20 N32 >>>36 lelong &0x20 N32
>>18 leshort 10 >>18 leshort 10
>>>36 lelong &0x20 N32 >>>36 lelong &0x20 N32
>>18 beshort 8 >>18 beshort 8
>>>36 belong &0x20 N32 >>>36 belong &0x20 N32
>>18 beshort 10 >>18 beshort 10
>>>36 belong &0x20 N32 >>>36 belong &0x20 N32
>4 byte 2 64-bit >4 byte 2 64-bit
>4 byte >2 >4 byte >2
>>4 byte x unknown ELF class: 0x%X >>4 byte x unknown ELF class: 0x%X
>5 byte !1 >5 byte !1
>>5 byte !2 {invalid} byte order >>5 byte !2 {invalid}
>5 byte 1 LSB >5 byte 1 LSB
# The official e_machine number for MIPS is now #8, regardless of endianness. # The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still # The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8. # say something if #10 is encountered, but only gory details for #8.
>>18 leshort 8 >>18 leshort 8
# only for 32-bit # only for 32-bit
>>>4 byte 1 >>>4 byte 1
>>>>36 lelong&0xf0000000 0x00000000 MIPS-I >>>>36 lelong&0xf0000000 0x00000000 MIPS-I
>>>>36 lelong&0xf0000000 0x10000000 MIPS-II >>>>36 lelong&0xf0000000 0x10000000 MIPS-II
>>>>36 lelong&0xf0000000 0x20000000 MIPS-III >>>>36 lelong&0xf0000000 0x20000000 MIPS-III
>>>>36 lelong&0xf0000000 0x30000000 MIPS-IV >>>>36 lelong&0xf0000000 0x30000000 MIPS-IV
>>>>36 lelong&0xf0000000 0x40000000 MIPS-V >>>>36 lelong&0xf0000000 0x40000000 MIPS-V
>>>>36 lelong&0xf0000000 0x60000000 MIPS32 >>>>36 lelong&0xf0000000 0x60000000 MIPS32
>>>>36 lelong&0xf0000000 0x70000000 MIPS64 >>>>36 lelong&0xf0000000 0x70000000 MIPS64
>>>>36 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 ulelong&0xf0000000 0x80000000 MIPS32 rel2
>>>>36 lelong&0xf0000000 0x90000000 MIPS64 rel2 >>>>36 ulelong&0xf0000000 0x90000000 MIPS64 rel2
# only for 64-bit # only for 64-bit
>>>4 byte 2 >>>4 byte 2
>>>>48 lelong&0xf0000000 0x00000000 MIPS-I >>>>48 lelong&0xf0000000 0x00000000 MIPS-I
>>>>48 lelong&0xf0000000 0x10000000 MIPS-II >>>>48 lelong&0xf0000000 0x10000000 MIPS-II
>>>>48 lelong&0xf0000000 0x20000000 MIPS-III >>>>48 lelong&0xf0000000 0x20000000 MIPS-III
>>>>48 lelong&0xf0000000 0x30000000 MIPS-IV >>>>48 lelong&0xf0000000 0x30000000 MIPS-IV
>>>>48 lelong&0xf0000000 0x40000000 MIPS-V >>>>48 lelong&0xf0000000 0x40000000 MIPS-V
>>>>48 lelong&0xf0000000 0x60000000 MIPS32 >>>>48 lelong&0xf0000000 0x60000000 MIPS32
>>>>48 lelong&0xf0000000 0x70000000 MIPS64 >>>>48 lelong&0xf0000000 0x70000000 MIPS64
>>>>48 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 ulelong&0xf0000000 0x80000000 MIPS32 rel2
>>>>48 lelong&0xf0000000 0x90000000 MIPS64 rel2 >>>>48 ulelong&0xf0000000 0x90000000 MIPS64 rel2
>>16 leshort 0 no file type, >>16 leshort 0 no file type,
>>16 leshort 1 relocatable, >>16 leshort 1 relocatable,
>>16 leshort 2 executable, >>16 leshort 2 executable,
>>16 leshort 3 shared object, >>16 leshort 3 shared object,
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de> # Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> # corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16 leshort 4 core file >>16 leshort 4 core file
# Core file detection is not reliable. >>16 uleshort &0xff00 processor-specific,
#>>>(0x38+0xcc) string >\0 of '%s' >>18 leshort 0 no machine,
#>>>(0x38+0x10) lelong >0 (signal %d), >>18 leshort 1 AT&T WE32100 - wrong byte order,{invalid}
>>16 leshort &0xff00 processor-specific, >>18 leshort 2 SPARC - wrongbyte order,{invalid}
>>18 leshort 0 no machine, >>18 leshort 3 Intel 80386,
>>18 leshort 1 AT&T WE32100 - {invalid} byte order, >>18 leshort 4 Motorola
>>18 leshort 2 SPARC - {invalid} byte order, >>>36 lelong &0x01000000 68000 - wrong byte order,{invalid}
>>18 leshort 3 Intel 80386, >>>36 lelong &0x00810000 CPU32 - wrong byte order,{invalid}
>>18 leshort 4 Motorola >>>36 lelong 0 68020 - wrong byte order,{invalid}
>>>36 lelong &0x01000000 68000 - {invalid} byte order, >>18 leshort 5 Motorola 88000 - wrong byte order,{invalid}
>>>36 lelong &0x00810000 CPU32 - {invalid} byte order, >>18 leshort 6 Intel 80486,
>>>36 lelong 0 68020 - {invalid} byte order, >>18 leshort 7 Intel 80860,
>>18 leshort 5 Motorola 88000 - {invalid} byte order, >>18 leshort 8 MIPS,
>>18 leshort 6 Intel 80486, >>18 leshort 9 Amdahl - wrong byte order,{invalid}
>>18 leshort 7 Intel 80860, >>18 leshort 10 MIPS (deprecated),
>>18 leshort 8 MIPS, >>18 leshort 11 RS6000 - wrong byte order,{invalid}
>>18 leshort 9 Amdahl - {invalid} byte order, >>18 leshort 15 PA-RISC - wrong byte order,{invalid}
>>18 leshort 10 MIPS (deprecated), >>>50 leshort 0x0214 2.0
>>18 leshort 11 RS6000 - {invalid} byte order, >>>48 leshort &0x0008 (LP64),
>>18 leshort 15 PA-RISC - {invalid} byte order, >>18 leshort 16 nCUBE,
>>>50 leshort 0x0214 2.0 >>18 leshort 17 Fujitsu VPP500,
>>>48 leshort &0x0008 (LP64), >>18 leshort 18 SPARC32PLUS,
>>18 leshort 16 nCUBE, >>18 leshort 20 PowerPC,
>>18 leshort 17 Fujitsu VPP500, >>18 leshort 22 IBM S/390,
>>18 leshort 18 SPARC32PLUS, >>18 leshort 36 NEC V800,
>>18 leshort 20 PowerPC, >>18 leshort 37 Fujitsu FR20,
>>18 leshort 22 IBM S/390, >>18 leshort 38 TRW RH-32,
>>18 leshort 36 NEC V800, >>18 leshort 39 Motorola RCE,
>>18 leshort 37 Fujitsu FR20, >>18 leshort 40 ARM,
>>18 leshort 38 TRW RH-32, >>18 leshort 41 Alpha,
>>18 leshort 39 Motorola RCE, >>18 uleshort 0xa390 IBM S/390 (obsolete),
>>18 leshort 40 ARM, >>18 leshort 42 Hitachi SH,
>>18 leshort 41 Alpha, >>18 leshort 43 SPARC V9 - wrong byte order,{invalid}
>>18 leshort 0xa390 IBM S/390 (obsolete), >>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 42 Hitachi SH, >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 43 SPARC V9 - {invalid} byte order, >>18 leshort 46 Hitachi H8/300,
>>18 leshort 44 Siemens Tricore Embedded Processor, >>18 leshort 47 Hitachi H8/300H,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort 48 Hitachi H8S,
>>18 leshort 46 Hitachi H8/300, >>18 leshort 49 Hitachi H8/500,
>>18 leshort 47 Hitachi H8/300H, >>18 leshort 50 IA-64 (Intel 64 bit architecture)
>>18 leshort 48 Hitachi H8S, >>18 leshort 51 Stanford MIPS-X,
>>18 leshort 49 Hitachi H8/500, >>18 leshort 52 Motorola Coldfire,
>>18 leshort 50 IA-64 (Intel 64 bit architecture) >>18 leshort 53 Motorola M68HC12,
>>18 leshort 51 Stanford MIPS-X, >>18 leshort 62 AMD x86-64,
>>18 leshort 52 Motorola Coldfire, >>18 leshort 75 Digital VAX,
>>18 leshort 53 Motorola M68HC12, >>18 leshort 97 NatSemi 32k,
>>18 leshort 62 AMD x86-64, >>18 uleshort 0x9026 Alpha (unofficial),
>>18 leshort 75 Digital VAX, >>20 lelong 0 {invalid} invalid version
>>18 leshort 97 NatSemi 32k, >>20 lelong 1 version 1
>>18 leshort 0x9026 Alpha (unofficial), >>36 lelong 1 MathCoPro/FPU/MAU Required
>>20 lelong 0 {invalid} version >5 byte 2 MSB
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB
# only for MIPS - see comment in little-endian section above. # only for MIPS - see comment in little-endian section above.
>>18 beshort 8 >>18 beshort 8
# only for 32-bit # only for 32-bit
>>>4 byte 1 >>>4 byte 1
>>>>36 belong&0xf0000000 0x00000000 MIPS-I >>>>36 belong&0xf0000000 0x00000000 MIPS-I
>>>>36 belong&0xf0000000 0x10000000 MIPS-II >>>>36 belong&0xf0000000 0x10000000 MIPS-II
>>>>36 belong&0xf0000000 0x20000000 MIPS-III >>>>36 belong&0xf0000000 0x20000000 MIPS-III
>>>>36 belong&0xf0000000 0x30000000 MIPS-IV >>>>36 belong&0xf0000000 0x30000000 MIPS-IV
>>>>36 belong&0xf0000000 0x40000000 MIPS-V >>>>36 belong&0xf0000000 0x40000000 MIPS-V
>>>>36 belong&0xf0000000 0x60000000 MIPS32 >>>>36 belong&0xf0000000 0x60000000 MIPS32
>>>>36 belong&0xf0000000 0x70000000 MIPS64 >>>>36 belong&0xf0000000 0x70000000 MIPS64
>>>>36 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 ubelong&0xf0000000 0x80000000 MIPS32 rel2
>>>>36 belong&0xf0000000 0x90000000 MIPS64 rel2 >>>>36 ubelong&0xf0000000 0x90000000 MIPS64 rel2
# only for 64-bit # only for 64-bit
>>>4 byte 2 >>>4 byte 2
>>>>48 belong&0xf0000000 0x00000000 MIPS-I >>>>48 belong&0xf0000000 0x00000000 MIPS-I
>>>>48 belong&0xf0000000 0x10000000 MIPS-II >>>>48 belong&0xf0000000 0x10000000 MIPS-II
>>>>48 belong&0xf0000000 0x20000000 MIPS-III >>>>48 belong&0xf0000000 0x20000000 MIPS-III
>>>>48 belong&0xf0000000 0x30000000 MIPS-IV >>>>48 belong&0xf0000000 0x30000000 MIPS-IV
>>>>48 belong&0xf0000000 0x40000000 MIPS-V >>>>48 belong&0xf0000000 0x40000000 MIPS-V
>>>>48 belong&0xf0000000 0x60000000 MIPS32 >>>>48 belong&0xf0000000 0x60000000 MIPS32
>>>>48 belong&0xf0000000 0x70000000 MIPS64 >>>>48 belong&0xf0000000 0x70000000 MIPS64
>>>>48 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 ubelong&0xf0000000 0x80000000 MIPS32 rel2
>>>>48 belong&0xf0000000 0x90000000 MIPS64 rel2 >>>>48 ubelong&0xf0000000 0x90000000 MIPS64 rel2
>>16 beshort 0 no file type, >>16 beshort 0 no file type,
>>16 beshort 1 relocatable, >>16 beshort 1 relocatable,
>>16 beshort 2 executable, >>16 beshort 2 executable,
>>16 beshort 3 shared object, >>16 beshort 3 shared object,
>>16 beshort 4 core file, >>16 beshort 4 core file,
#>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) belong >0 (signal %d), #>>>(0x38+0x10) belong >0 (signal %d),
>>16 beshort &0xff00 processor-specific, >>16 ubeshort &0xff00 processor-specific,
>>18 beshort 0 no machine, >>18 beshort 0 no machine,
>>18 beshort 1 AT&T WE32100, >>18 beshort 1 AT&T WE32100,
>>18 beshort 2 SPARC, >>18 beshort 2 SPARC,
>>18 beshort 3 Intel 80386 - {invalid} byte order, >>18 beshort 3 Intel 80386 - wrong byte order,{invalid}
>>18 beshort 4 Motorola >>18 beshort 4 Motorola
>>>36 belong &0x01000000 68000, >>>36 belong &0x01000000 68000,
>>>36 belong &0x00810000 CPU32, >>>36 belong &0x00810000 CPU32,
>>>36 belong 0 68020, >>>36 belong 0 68020,
>>18 beshort 5 Motorola 88000, >>18 beshort 5 Motorola 88000,
>>18 beshort 6 Intel 80486 - {invalid} byte order, >>18 beshort 6 Intel 80486 - wrong byte order,{invalid}
>>18 beshort 7 Intel 80860, >>18 beshort 7 Intel 80860 - wrong byte order,{invalid}
>>18 beshort 8 MIPS, >>18 beshort 8 MIPS,
>>18 beshort 9 Amdahl, >>18 beshort 9 Amdahl,
>>18 beshort 10 MIPS (deprecated), >>18 beshort 10 MIPS (deprecated),
>>18 beshort 11 RS6000, >>18 beshort 11 RS6000,
>>18 beshort 15 PA-RISC >>18 beshort 15 PA-RISC
>>>50 beshort 0x0214 2.0 >>>50 beshort 0x0214 2.0
>>>48 beshort &0x0008 (LP64) >>>48 beshort &0x0008 (LP64)
>>18 beshort 16 nCUBE, >>18 beshort 16 nCUBE,
>>18 beshort 17 Fujitsu VPP500, >>18 beshort 17 Fujitsu VPP500,
>>18 beshort 18 SPARC32PLUS, >>18 beshort 18 SPARC32PLUS,
>>>36 belong&0xffff00 &0x000100 V8+ Required, >>>36 belong&0xffff00 &0x000100 V8+ Required,
>>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, >>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required,
>>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required, >>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required,
>>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, >>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required,
>>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 20 PowerPC or cisco 4500,
>>18 beshort 21 cisco 7500, >>18 beshort 21 cisco 7500,
>>18 beshort 22 IBM S/390, >>18 beshort 22 IBM S/390,
>>18 beshort 24 cisco SVIP, >>18 beshort 24 cisco SVIP,
>>18 beshort 25 cisco 7200, >>18 beshort 25 cisco 7200,
>>18 beshort 36 NEC V800 or cisco 12000, >>18 beshort 36 NEC V800 or cisco 12000,
>>18 beshort 37 Fujitsu FR20, >>18 beshort 37 Fujitsu FR20,
>>18 beshort 38 TRW RH-32, >>18 beshort 38 TRW RH-32,
>>18 beshort 39 Motorola RCE, >>18 beshort 39 Motorola RCE,
>>18 beshort 40 ARM, >>18 beshort 40 ARM,
>>18 beshort 41 Alpha, >>18 beshort 41 Alpha,
>>18 beshort 42 Hitachi SH, >>18 beshort 42 Hitachi SH,
>>18 beshort 43 SPARC V9, >>18 beshort 43 SPARC V9,
>>18 beshort 44 Siemens Tricore Embedded Processor, >>18 beshort 44 Siemens Tricore Embedded Processor,
>>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 beshort 46 Hitachi H8/300, >>18 beshort 46 Hitachi H8/300,
>>18 beshort 47 Hitachi H8/300H, >>18 beshort 47 Hitachi H8/300H,
>>18 beshort 48 Hitachi H8S, >>18 beshort 48 Hitachi H8S,
>>18 beshort 49 Hitachi H8/500, >>18 beshort 49 Hitachi H8/500,
>>18 beshort 50 Intel Merced Processor, >>18 beshort 50 Intel Merced Processor,
>>18 beshort 51 Stanford MIPS-X, >>18 beshort 51 Stanford MIPS-X,
>>18 beshort 52 Motorola Coldfire, >>18 beshort 52 Motorola Coldfire,
>>18 beshort 53 Motorola M68HC12, >>18 beshort 53 Motorola M68HC12,
>>18 beshort 73 Cray NV1, >>18 beshort 73 Cray NV1,
>>18 beshort 75 Digital VAX, >>18 beshort 75 Digital VAX,
>>18 beshort 97 NatSemi 32k, >>18 beshort 97 NatSemi 32k,
>>18 beshort 0x9026 Alpha (unofficial), >>18 ubeshort 0x9026 Alpha (unofficial),
>>18 beshort 0xa390 IBM S/390 (obsolete), >>18 ubeshort 0xa390 IBM S/390 (obsolete),
>>18 beshort 0xde3d Ubicom32, >>18 ubeshort 0xde3d Ubicom32,
>>20 belong 0 {invalid} version >>20 belong 0 {invalid}invalid version
>>20 belong 1 version 1 >>20 belong 1 version 1
>>36 belong 1 MathCoPro/FPU/MAU Required >>36 belong 1 MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
# like proper ELF, but extracting the string had bad results. # like proper ELF, but extracting the string had bad results.
>4 byte <0x80 >4 byte <0x80
>>8 string >\0 ("%s") >>8 byte !0
>8 string \0 >>>8 string x ("%s")
>>7 byte 0 (SYSV) >8 byte 0
>>7 byte 1 (HP-UX) >>7 byte 0 (SYSV)
>>7 byte 2 (NetBSD) >>7 byte 1 (HP-UX)
>>7 byte 3 (GNU/Linux) >>7 byte 2 (NetBSD)
>>7 byte 4 (GNU/Hurd) >>7 byte 3 (GNU/Linux)
>>7 byte 5 (86Open) >>7 byte 4 (GNU/Hurd)
>>7 byte 6 (Solaris) >>7 byte 5 (86Open)
>>7 byte 7 (Monterey) >>7 byte 6 (Solaris)
>>7 byte 8 (IRIX) >>7 byte 7 (Monterey)
>>7 byte 9 (FreeBSD) >>7 byte 8 (IRIX)
>>7 byte 10 (Tru64) >>7 byte 9 (FreeBSD)
>>7 byte 11 (Novell Modesto) >>7 byte 10 (Tru64)
>>7 byte 12 (OpenBSD) >>7 byte 11 (Novell Modesto)
>>7 byte 97 (ARM) >>7 byte 12 (OpenBSD)
>>7 byte 255 (embedded) >>7 byte 97 (ARM)
>>7 ubyte 255 (embedded)
# Some simple Microsoft executable signatures # Some simple Microsoft executable signatures
0 string MZ\0\0\0\0\0\0 Microsoft 0 string MZ\0\0\0\0\0\0 Microsoft executable,
>0x3c lelong <4 {invalid} >0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0 MS-DOS executable >(0x3c.l) string !PE\0\0 MS-DOS
>(0x3c.l) string PE\0\0 portable executable >(0x3c.l) string PE\0\0 portable (PE)
0 string MZ Microsoft 0 string MZ Microsoft executable,
>0x3c lelong <4 {invalid} >0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0 {invalid} >(0x3c.l) string !PE\0\0 {invalid}
>(0x3c.l) string PE\0\0 portable executable >(0x3c.l) string PE\0\0 portable (PE)
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
...@@ -244,22 +242,21 @@ ...@@ -244,22 +242,21 @@
# #
# Additional fields added by Craig Heffner # Additional fields added by Craig Heffner
# #
0 string bFLT BFLT executable 0 string bFLT BFLT executable
>4 belong <1 {invalid} >4 belong <1 {invalid}
>4 belong >4 {invalid} >4 belong >4 {invalid}
>4 belong x version %d, >4 belong x version %d,
>4 belong 4 >8 ubelong x code offset: 0x%.8X,
>8 belong x code offset: 0x%.8X, >12 ubelong x data segment starts at: 0x%.8X,
>12 belong x data segment starts at: 0x%.8X, >16 ubelong x bss segment starts at: 0x%.8X,
>16 belong x bss segment starts at: 0x%.8X, >20 ubelong x bss segment ends at: 0x%.8X,
>20 belong x bss segment ends at: 0x%.8X, >24 ubelong x stack size: %d bytes,
>24 belong x stack size: %d bytes, >28 ubelong x relocation records start at: 0x%.8X,
>28 belong x relocation records start at: 0x%.8X, >32 ubelong x number of reolcation records: %d,
>32 belong x number of reolcation records: %d, >>36 belong&0x1 0x1 ram
>>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic
>>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip
>>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata
>>36 belong&0x8 0x8 gzdata
# Windows CE package files # Windows CE package files
...@@ -274,9 +271,9 @@ ...@@ -274,9 +271,9 @@
>20 lelong 10005 \b, Hitachi SH4 >20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI >20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file >52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files >52 uleshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry >56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries >56 uleshort >1 \b, %u registry entries
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# motorola: file(1) magic for Motorola 68K and 88K binaries # motorola: file(1) magic for Motorola 68K and 88K binaries
...@@ -302,51 +299,50 @@ ...@@ -302,51 +299,50 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\x20EXE Sony Playstation executable 0 string PS-X\x20EXE Sony Playstation executable,
# Area: # Area:
>113 string x ("%s") >113 string x "%s"
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# cisco: file(1) magic for cisco Systems routers # cisco: file(1) magic for cisco Systems routers
# #
# Most cisco file-formats are covered by the generic elf code # Most cisco file-formats are covered by the generic elf code
0 string \x85\x01\x14 Cisco IOS microcode, 0 string \x85\x01\x14 Cisco IOS microcode,
>7 string x for "%s" >7 byte 0 {invalid}
#>7 string >\0 >7 string x for "%s"
#>>7 string x for "%s"
0 string \x85\x01\xcb Cisco IOS experimental microcode, 0 string \x85\x01\xcb Cisco IOS experimental microcode,
>7 string x for "%s" >7 byte 0 {invalid}
#>7 string >\0 >7 string x for "%s"
#>>7 string x for "%s"
# EST flat binary format (which isn't, but anyway) # EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk> # From: Mark Brown <broonie@sirena.org.uk>
0 string ESTFBINR EST flat binary 0 string ESTFBINR EST flat binary
# These are not the binaries themselves, but string references to them # These are not the binaries themselves, but string references to them
# are a strong indication that they exist elsewhere... # are a strong indication that they exist elsewhere...
#0 string /bin/busybox Busybox string reference: "%s"{one-of-many} #0 string /bin/busybox Busybox string reference: "%s"{one-of-many}
#0 string /bin/sh Shell string reference: "%s"{one-of-many} #0 string /bin/sh Shell string reference: "%s"{one-of-many}
# Mach-O's # Mach-O's
0 string \xca\xfe\xba\xbe\x00\x00\x00\x01 Mach-O universal binary with 1 architecture 0 string \xca\xfe\xba\xbe\x00\x00\x00\x01 Mach-O universal binary with 1 architecture
0 string \xca\xfe\xba\xbe\x00\x00\x00\x02 Mach-O universal binary with 2 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x02 Mach-O universal binary with 2 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x03 Mach-O universal binary with 3 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x03 Mach-O universal binary with 3 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x04 Mach-O universal binary with 4 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x04 Mach-O universal binary with 4 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x05 Mach-O universal binary with 5 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x05 Mach-O universal binary with 5 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x06 Mach-O universal binary with 6 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x06 Mach-O universal binary with 6 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x07 Mach-O universal binary with 7 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x07 Mach-O universal binary with 7 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x08 Mach-O universal binary with 8 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x08 Mach-O universal binary with 8 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0a Mach-O universal binary with 9 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x0a Mach-O universal binary with 9 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0b Mach-O universal binary with 10 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x0b Mach-O universal binary with 10 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0c Mach-O universal binary with 11 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x0c Mach-O universal binary with 11 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0d Mach-O universal binary with 12 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x0d Mach-O universal binary with 12 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0e Mach-O universal binary with 13 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x0e Mach-O universal binary with 13 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x0f Mach-O universal binary with 14 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x0f Mach-O universal binary with 14 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x10 Mach-O universal binary with 15 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x10 Mach-O universal binary with 15 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x11 Mach-O universal binary with 16 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x11 Mach-O universal binary with 16 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x12 Mach-O universal binary with 17 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x12 Mach-O universal binary with 17 architectures
0 string \xca\xfe\xba\xbe\x00\x00\x00\x13 Mach-O universal binary with 18 architectures 0 string \xca\xfe\xba\xbe\x00\x00\x00\x13 Mach-O universal binary with 18 architectures
# The magic bytes for Java .class files is 0xcafebabe, but AFAIK all major version numbers are less than 255 # The magic bytes for Java .class files is 0xcafebabe, but AFAIK all major version numbers are less than 255
# and all minor version numbers are 0. This gives us three more bytes we can signature on. # and all minor version numbers are 0. This gives us three more bytes we can signature on.
...@@ -364,7 +360,7 @@ ...@@ -364,7 +360,7 @@
>4 belong >0x0050 {invalid} >4 belong >0x0050 {invalid}
# Summary: HP-38/39 calculator # Summary: HP-38/39 calculator
0 string HP38Bin HP 38 binary 0 string HP38Bin HP 38 binary
>7 string A (Directory List) >7 string A (Directory List)
>7 string B (Zaplet) >7 string B (Zaplet)
>7 string C (Note) >7 string C (Note)
...@@ -376,10 +372,10 @@ ...@@ -376,10 +372,10 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 {invalid} >7 byte <0x41 {invalid}
>7 byte >0x4B {invalid} >7 byte >0x4B {invalid}
0 string HP39Bin HP 39 binary 0 string HP39Bin HP 39 binary
>7 string A (Directory List) >7 string A (Directory List)
>7 string B (Zaplet) >7 string B (Zaplet)
>7 string C (Note) >7 string C (Note)
...@@ -391,10 +387,10 @@ ...@@ -391,10 +387,10 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 {invalid} >7 byte <0x41 {invalid}
>7 byte >0x4B {invalid} >7 byte >0x4B {invalid}
0 string HP38Asc HP 38 ASCII 0 string HP38Asc HP 38 ASCII
>7 string A (Directory List) >7 string A (Directory List)
>7 string B (Zaplet) >7 string B (Zaplet)
>7 string C (Note) >7 string C (Note)
...@@ -406,10 +402,10 @@ ...@@ -406,10 +402,10 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 {invalid} >7 byte <0x41 {invalid}
>7 byte >0x4B {invalid} >7 byte >0x4B {invalid}
0 string HP39Asc HP 39 ASCII 0 string HP39Asc HP 39 ASCII
>7 string A (Directory List) >7 string A (Directory List)
>7 string B (Zaplet) >7 string B (Zaplet)
>7 string C (Note) >7 string C (Note)
...@@ -421,8 +417,8 @@ ...@@ -421,8 +417,8 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 {invalid} >7 byte <0x41 {invalid}
>7 byte >0x4B {invalid} >7 byte >0x4B {invalid}
# Summary: HP-48/49 calculator # Summary: HP-48/49 calculator
0 string HPHP48 HP 48 binary 0 string HPHP48 HP 48 binary
...@@ -450,8 +446,8 @@ ...@@ -450,8 +446,8 @@
>8 leshort 0x2e48 (GNAME) >8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME) >8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB) >8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911 ({invalid}) >8 leshort <0x2911 {invalid}
>8 leshort >0x2e92 ({invalid}) >8 leshort >0x2e92 {invalid}
0 string HPHP49 HP 49 binary 0 string HPHP49 HP 49 binary
>8 leshort 0x2911 (ADR) >8 leshort 0x2911 (ADR)
...@@ -478,16 +474,16 @@ ...@@ -478,16 +474,16 @@
>8 leshort 0x2e48 (GNAME) >8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME) >8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB) >8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911 ({invalid}) >8 leshort <0x2911 {invalid}
>8 leshort >0x2e92 ({invalid}) >8 leshort >0x2e92 {invalid}
0 string \x23!/ Executable script, 0 string \x23!/ Executable script,
>6 byte !0x2F >6 byte !0x2F
>>7 byte !0x2F {invalid} >>7 byte !0x2F {invalid}
>2 string x shebang: "%s" >2 string x shebang: "%s"
0 string \x23!\x20/ Executable script, 0 string \x23!\x20/ Executable script,
>7 byte !0x2F >7 byte !0x2F
>>8 byte !0x2F {invalid} >>8 byte !0x2F {invalid}
>3 string x shebang: "%s" >3 string x shebang: "%s"
...@@ -34,7 +34,7 @@ ...@@ -34,7 +34,7 @@
#>0x1e string minix \b, bootable #>0x1e string minix \b, bootable
# YAFFS # YAFFS
0 string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF YAFFS filesystem 0 string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF YAFFS filesystem
# EFS2 file system - jojo@utulsa.edu # EFS2 file system - jojo@utulsa.edu
0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian, 0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian,
...@@ -47,7 +47,7 @@ ...@@ -47,7 +47,7 @@
>20 lelong x 0x%x bytes per page >20 lelong x 0x%x bytes per page
0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian, 0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian,
>8 string !SSFErepu {invalid}, >8 string !SSFErepu {invalid},
>4 beshort&0x01 1 NAND >4 beshort&0x01 1 NAND
>4 beshort&0x01 0 NOR >4 beshort&0x01 0 NOR
>4 beshort x version 0x%x, >4 beshort x version 0x%x,
...@@ -56,53 +56,53 @@ ...@@ -56,53 +56,53 @@
>20 belong x 0x%x bytes per page >20 belong x 0x%x bytes per page
# TROC file system # TROC file system
0 string TROC TROC filesystem, 0 string TROC TROC filesystem,
>4 lelong x %d file entries >4 lelong x %d file entries
>4 lelong <1 ({invalid}) >4 lelong <1 {invalid}
# PFS file system # PFS file system
0 string PFS/ PFS filesystem, 0 string PFS/ PFS filesystem,
>4 string x version "%s", >4 string x version %s,
>14 leshort x %d files >14 leshort x %d files
# MPFS file system # MPFS file system
0 string MPFS MPFS (Microchip) filesystem, 0 string MPFS MPFS filesystem, Microchop,
>4 byte x version %d. >4 byte x version %d.
>5 byte x \b%d, >5 byte x \b%d,
>6 leshort x %d file entries >6 leshort x %d file entries
# cramfs filesystem - russell@coker.com.au # cramfs filesystem - russell@coker.com.au
0 lelong 0x28cd3d45 CramFS filesystem, little endian 0 lelong 0x28cd3d45 CramFS filesystem, little endian,
>4 lelong <0 {invalid} >4 lelong <0 {invalid}
>4 lelong >1073741824 {invalid} >4 lelong >1073741824 {invalid}
>4 lelong x size %u >4 ulelong x size: %u
>8 lelong &1 version #2 >8 lelong &1 version #2
>8 lelong &2 sorted_dirs >8 lelong &2 sorted_dirs
>8 lelong &4 hole_support >8 lelong &4 hole_support
>32 lelong x CRC 0x%x, >32 lelong x CRC 0x%x,
>36 lelong x edition %u, >36 ulelong x edition %u,
>40 lelong <0 {invalid} >40 lelong <0 {invalid}
>40 lelong x %u blocks, >40 ulelong x %u blocks,
>44 lelong <0 {invalid} >44 lelong <0 {invalid}
>44 lelong x %u files >44 ulelong x %u files
>4 lelong x {jump-to-offset:%u} >4 ulelong x {jump:%u}
>4 lelong x {file-size:%u} >4 ulelong x {size:%u}
0 belong 0x28cd3d45 CramFS filesystem, big endian 0 belong 0x28cd3d45 CramFS filesystem, big endian
>4 belong <0 {invalid} >4 belong <0 {invalid}
>4 belong >1073741824 {invalid} >4 belong >1073741824 {invalid}
>4 belong x size %u >4 belong x size %u
>8 belong &1 version #2 >8 belong &1 version #2
>8 belong &2 sorted_dirs >8 belong &2 sorted_dirs
>8 belong &4 hole_support >8 belong &4 hole_support
>32 belong x CRC 0x%x, >32 belong x CRC 0x%x,
>36 belong x edition %u, >36 belong x edition %u,
>40 belong <0 {invalid} >40 belong <0 {invalid}
>40 belong x %u blocks, >40 belong x %u blocks,
>44 belong <0 {invalid} >44 belong <0 {invalid}
>44 belong x %u files >44 belong x %u files
>4 belong x {jump-to-offset:%u} >4 belong x {jump:%u}
>4 belong x {file-size:%u} >4 belong x {size:%u}
...@@ -113,73 +113,73 @@ ...@@ -113,73 +113,73 @@
# files in between the JFFS2 file systems. This is an unlikely scenario however, and # files in between the JFFS2 file systems. This is an unlikely scenario however, and
# the below signatures are much improved in terms of readability and accuracy in the # the below signatures are much improved in terms of readability and accuracy in the
# vast majority of real world scenarios. # vast majority of real world scenarios.
0 leshort 0x1985 JFFS2 filesystem, little endian 0 uleshort 0x1985 JFFS2 filesystem, little endian
>2 leshort !0xE001 >2 uleshort !0xE001
>>2 leshort !0xE002 >>2 uleshort !0xE002
>>>2 leshort !0x2003 >>>2 uleshort !0x2003
>>>>2 leshort !0x2004 >>>>2 uleshort !0x2004
>>>>>2 leshort !0x2006 >>>>>2 uleshort !0x2006
>>>>>>2 leshort !0xE008 >>>>>>2 uleshort !0xE008
>>>>>>>2 leshort !0xE009 \b, {invalid} >>>>>>>2 uleshort !0xE009 {invalid}
>(4.l) leshort !0x1985 >(4.l) uleshort !0x1985
>>(4.l+1) leshort !0x1985 >>(4.l+1) uleshort !0x1985
>>>(4.l+2) leshort !0x1985 >>>(4.l+2) uleshort !0x1985
>>>>(4.l+3) leshort !0x1985 >>>>(4.l+3) uleshort !0x1985
>>>>>(4.l) leshort !0xFFFF >>>>>(4.l) uleshort !0xFFFF
>>>>>>(4.l+1) leshort !0xFFFF >>>>>>(4.l+1) uleshort !0xFFFF
>>>>>>>(4.l+2) leshort !0xFFFF >>>>>>>(4.l+2) uleshort !0xFFFF
>>>>>>>>(4.l+3) leshort !0xFFFF \b, {invalid} >>>>>>>>(4.l+3) uleshort !0xFFFF {invalid}
>4 lelong 0 {invalid} >4 lelong 0 {invalid}
>4 lelong <0 {invalid} >4 lelong <0 {invalid}
>4 lelong x {one-of-many}{jump-to-offset:%d} >4 lelong x {many}{jump:%d}
0 beshort 0x1985 JFFS2 filesystem, big endian 0 ubeshort 0x1985 JFFS2 filesystem, big endian
>2 beshort !0xE001 >2 ubeshort !0xE001
>>2 beshort !0xE002 >>2 ubeshort !0xE002
>>>2 beshort !0x2003 >>>2 ubeshort !0x2003
>>>>2 beshort !0x2004 >>>>2 ubeshort !0x2004
>>>>>2 beshort !0x2006 >>>>>2 ubeshort !0x2006
>>>>>>2 beshort !0xE008 >>>>>>2 ubeshort !0xE008
>>>>>>>2 beshort !0xE009 \b, {invalid} >>>>>>>2 ubeshort !0xE009 {invalid}
>(4.L) beshort !0x1985 >(4.L) ubeshort !0x1985
>>(4.L+1) beshort !0x1985 >>(4.L+1) ubeshort !0x1985
>>>(4.L+2) beshort !0x1985 >>>(4.L+2) ubeshort !0x1985
>>>>(4.L+3) beshort !0x1985 >>>>(4.L+3) ubeshort !0x1985
>>>>>(4.L) beshort !0xFFFF >>>>>(4.L) ubeshort !0xFFFF
>>>>>>(4.L+1) beshort !0xFFFF >>>>>>(4.L+1) ubeshort !0xFFFF
>>>>>>>(4.L+2) beshort !0xFFFF >>>>>>>(4.L+2) ubeshort !0xFFFF
>>>>>>>>(4.L+3) beshort !0xFFFF \b, {invalid} >>>>>>>>(4.L+3) ubeshort !0xFFFF {invalid}
>4 belong 0 {invalid} >4 belong 0 {invalid}
>4 belong <0 {invalid} >4 belong <0 {invalid}
>4 belong x {one-of-many}{jump-to-offset:%d} >4 belong x {many}{jump:%d}
# Squashfs, big endian # Squashfs, big endian
0 string sqsh Squashfs filesystem, big endian, 0 string sqsh Squashfs filesystem, big endian,
>28 beshort >10 {invalid} >28 beshort >10 {invalid}
>28 beshort <1 {invalid} >28 beshort <1 {invalid}
>30 beshort >10 {invalid} >30 beshort >10 {invalid}
>28 beshort x version %d. >28 beshort x version %d.
>30 beshort x \b%d, >30 beshort x \b%d,
>28 beshort >3 compression: >28 beshort >3 compression:
>>20 beshort 1 \bgzip, >>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma, >>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition), >>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition), >>20 beshort 4 \bxz,
>>20 beshort 0 \b{invalid}, >>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid}, >>20 beshort >4 \b{invalid},
>28 beshort <3 >28 beshort <3
>>8 belong x size: %d bytes, >>8 belong x size: %d bytes,
>>8 belong x \b{jump-to-offset:%d} >>8 belong x \b{jump:%d}
>>8 belong x \b{file-size:%d} >>8 belong x \b{size:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x size: %lld bytes, >>63 bequad x size: %ld bytes,
>>63 bequad x \b{jump-to-offset:%lld} >>63 bequad x \b{jump:%ld}
>>63 bequad x \b{file-size:%lld} >>63 bequad x \b{size:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x size: %lld bytes, >>40 bequad x size: %ld bytes,
>>40 bequad x \b{jump-to-offset:%lld} >>40 bequad x \b{jump:%ld}
>>40 bequad x \b{file-size:%lld} >>40 bequad x \b{size:%ld}
>4 belong x %d inodes, >4 belong x %d inodes,
>28 beshort >3 >28 beshort >3
>>12 belong x blocksize: %d bytes, >>12 belong x blocksize: %d bytes,
...@@ -194,76 +194,76 @@ ...@@ -194,76 +194,76 @@
>28 beshort <4 >28 beshort <4
>>39 bedate x created: %s >>39 bedate x created: %s
>28 beshort >3 >28 beshort >3
>>8 bedate x created: %s >>8 bedate x created: %s
# Squashfs, little endian # Squashfs, little endian
0 string hsqs Squashfs filesystem, little endian, 0 string hsqs Squashfs filesystem, little endian,
>28 leshort >10 {invalid} >28 leshort >10 {invalid}
>28 leshort <1 {invalid} >28 leshort <1 {invalid}
>30 leshort >10 {invalid} >30 leshort >10 {invalid}
>28 leshort x version %d. >28 leshort x version %d.
>30 leshort x \b%d, >30 leshort x \b%d,
>28 leshort >3 compression: >28 leshort >3 compression:
>>20 leshort 1 \bgzip, >>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma, >>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition), >>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition), >>20 leshort 4 \bxz,
>>20 leshort 0 \b{invalid}, >>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid}, >>20 leshort >4 \b{invalid},
>28 leshort <3 >28 leshort <3
>>8 lelong x size: %d bytes, >>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d} >>8 lelong x {size:%d}
>28 leshort 3 >28 leshort 3
>>63 lequad x size: %lld bytes, >>63 lequad x size: %ld bytes,
>>63 lequad x {file-size:%lld} >>63 lequad x {size:%ld}
>28 leshort >3 >28 leshort >3
>>40 lequad x size: %lld bytes, >>40 lequad x size: %ld bytes,
>>40 lequad x {file-size:%lld} >>40 lequad x {size:%ld}
>4 lelong x %d inodes, >4 lelong x %d inodes,
>28 leshort >3 >28 leshort >3
>>12 lelong x blocksize: %d bytes, >>12 lelong x blocksize: %d bytes,
>28 leshort <2 >28 leshort <2
>>32 leshort x blocksize: %d bytes, >>32 leshort x blocksize: %d bytes,
>28 leshort 2 >28 leshort 2
>>51 lelong x blocksize: %d bytes, >>51 lelong x blocksize: %d bytes,
>28 leshort 3 >28 leshort 3
>>51 lelong x blocksize: %d bytes, >>51 lelong x blocksize: %d bytes,
>28 leshort >3 >28 leshort >3
>>12 lelong x blocksize: %d bytes, >>12 lelong x blocksize: %d bytes,
>28 leshort <4 >28 leshort <4
>>39 ledate x created: %s >>39 ledate x created: %s
>28 leshort >3 >28 leshort >3
>>8 ledate x created: %s >>8 ledate x created: %s
>28 leshort <3 >28 leshort <3
>>8 lelong x {jump-to-offset:%d} >>8 lelong x {jump:%d}
>28 leshort 3 >28 leshort 3
>>63 lequad x {jump-to-offset:%lld} >>63 lequad x {jump:%ld}
>28 leshort >3 >28 leshort >3
>>40 lequad x {jump-to-offset:%lld} >>40 lequad x {jump:%ld}
# Squashfs with LZMA compression # Squashfs with LZMA compression
0 string sqlz Squashfs filesystem, big endian, lzma compression, 0 string sqlz Squashfs filesystem, big endian, lzma compression,
>28 beshort >10 {invalid} >28 beshort >10 {invalid}
>28 beshort <1 {invalid} >28 beshort <1 {invalid}
>30 beshort >10 {invalid} >30 beshort >10 {invalid}
>28 beshort x version %d. >28 beshort x version %d.
>30 beshort x \b%d, >30 beshort x \b%d,
>28 beshort >3 compression: >28 beshort >3 compression:
>>20 beshort 1 \bgzip, >>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma, >>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition), >>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition), >>20 beshort 4 \blzma (non-standard type definition),
>>20 beshort 0 \b{invalid}, >>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid}, >>20 beshort >4 \b{invalid},
>28 beshort <3 >28 beshort <3
>>8 belong x size: %d bytes, >>8 belong x size: %d bytes,
>>8 belong x {file-size:%d} >>8 belong x {size:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x size: %lld bytes, >>63 bequad x size: %ld bytes,
>>63 bequad x {file-size:%lld} >>63 bequad x {size:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x size: %lld bytes, >>40 bequad x size: %ld bytes,
>>40 bequad x {file-size:%lld} >>40 bequad x {size:%ld}
>4 belong x %d inodes, >4 belong x %d inodes,
>28 beshort >3 >28 beshort >3
>>12 belong x blocksize: %d bytes, >>12 belong x blocksize: %d bytes,
...@@ -278,37 +278,37 @@ ...@@ -278,37 +278,37 @@
>28 beshort <4 >28 beshort <4
>>39 bedate x created: %s >>39 bedate x created: %s
>28 beshort >3 >28 beshort >3
>>8 bedate x created: %s >>8 bedate x created: %s
>28 beshort <3 >28 beshort <3
>>8 belong x {jump-to-offset:%d} >>8 belong x {jump:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x {jump-to-offset:%lld} >>63 bequad x {jump:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x {jump-to-offset:%lld} >>40 bequad x {jump:%ld}
# Squashfs 3.3 LZMA signature # Squashfs 3.3 LZMA signature
0 string qshs Squashfs filesystem, big endian, lzma signature, 0 string qshs Squashfs filesystem, big endian, lzma signature,
>28 beshort >10 {invalid} >28 beshort >10 {invalid}
>28 beshort <1 {invalid} >28 beshort <1 {invalid}
>30 beshort >10 {invalid} >30 beshort >10 {invalid}
>28 beshort x version %d. >28 beshort x version %d.
>30 beshort x \b%d, >30 beshort x \b%d,
>28 beshort >3 compression: >28 beshort >3 compression:
>>20 beshort 1 \bgzip, >>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma, >>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition), >>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition), >>20 beshort 4 \bxz,
>>20 beshort 0 \b{invalid}, >>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid}, >>20 beshort >4 \b{invalid},
>28 beshort <3 >28 beshort <3
>>8 belong x size: %d bytes, >>8 belong x size: %d bytes,
>>8 belong x {file-size:%d} >>8 belong x {size:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x size: %lld bytes, >>63 bequad x size: %ld bytes,
>>63 bequad x {file-size:%lld} >>63 bequad x {size:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x size: %lld bytes, >>40 bequad x size: %ld bytes,
>>40 bequad x {file-size:%lld} >>40 bequad x {size:%ld}
>4 belong x %d inodes, >4 belong x %d inodes,
>28 beshort >3 >28 beshort >3
>>12 belong x blocksize: %d bytes, >>12 belong x blocksize: %d bytes,
...@@ -323,37 +323,37 @@ ...@@ -323,37 +323,37 @@
>28 beshort <4 >28 beshort <4
>>39 bedate x created: %s >>39 bedate x created: %s
>28 beshort >3 >28 beshort >3
>>8 bedate x created: %s >>8 bedate x created: %s
>28 beshort <3 >28 beshort <3
>>8 belong x {jump-to-offset:%d} >>8 belong x {jump:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x {jump-to-offset:%lld} >>63 bequad x {jump:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x {jump-to-offset:%lld} >>40 bequad x {jump:%ld}
# Squashfs for DD-WRT # Squashfs for DD-WRT
0 string tqsh Squashfs filesystem, big endian, DD-WRT signature, 0 string tqsh Squashfs filesystem, big endian, DD-WRT signature,
>28 beshort >10 {invalid} >28 beshort >10 {invalid}
>28 beshort <1 {invalid} >28 beshort <1 {invalid}
>30 beshort >10 {invalid} >30 beshort >10 {invalid}
>28 beshort x version %d. >28 beshort x version %d.
>30 beshort x \b%d, >30 beshort x \b%d,
>28 beshort >3 compression: >28 beshort >3 compression:
>>20 beshort 1 \bgzip, >>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma, >>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition), >>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition), >>20 beshort 4 \bxz,
>>20 beshort 0 \b{invalid}, >>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid}, >>20 beshort >4 \b{invalid},
>28 beshort <3 >28 beshort <3
>>8 belong x size: %d bytes, >>8 belong x size: %d bytes,
>>8 belong x {file-size:%d} >>8 belong x {size:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x size: %lld bytes, >>63 bequad x size: %ld bytes,
>>63 bequad x {file-size:%lld} >>63 bequad x {size:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x size: %lld bytes, >>40 bequad x size: %ld bytes,
>>40 bequad x {file-size:%lld} >>40 bequad x {size:%ld}
>4 belong x %d inodes, >4 belong x %d inodes,
>28 beshort >3 >28 beshort >3
>>12 belong x blocksize: %d bytes, >>12 belong x blocksize: %d bytes,
...@@ -368,37 +368,37 @@ ...@@ -368,37 +368,37 @@
>28 beshort <4 >28 beshort <4
>>39 bedate x created: %s >>39 bedate x created: %s
>28 beshort >3 >28 beshort >3
>>8 bedate x created: %s >>8 bedate x created: %s
>28 beshort <3 >28 beshort <3
>>8 belong x {jump-to-offset:%d} >>8 belong x {jump:%d}
>28 beshort 3 >28 beshort 3
>>63 bequad x {jump-to-offset:%lld} >>63 bequad x {jump:%ld}
>28 beshort >3 >28 beshort >3
>>40 bequad x {jump-to-offset:%lld} >>40 bequad x {jump:%ld}
# Squashfs for DD-WRT # Squashfs for DD-WRT
0 string hsqt Squashfs filesystem, little endian, DD-WRT signature, 0 string hsqt Squashfs filesystem, little endian, DD-WRT signature,
>28 leshort >10 {invalid} >28 leshort >10 {invalid}
>28 leshort <1 {invalid} >28 leshort <1 {invalid}
>30 leshort >10 {invalid} >30 leshort >10 {invalid}
>28 leshort x version %d. >28 leshort x version %d.
>30 leshort x \b%d, >30 leshort x \b%d,
>28 leshort >3 compression: >28 leshort >3 compression:
>>20 leshort 1 \bgzip, >>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma, >>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition), >>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition), >>20 leshort 4 \bxz,
>>20 leshort 0 \b{invalid}, >>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid}, >>20 leshort >4 \b{invalid},
>28 leshort <3 >28 leshort <3
>>8 lelong x size: %d bytes, >>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d} >>8 lelong x {size:%d}
>28 leshort 3 >28 leshort 3
>>63 lequad x size: %lld bytes, >>63 lequad x size: %ld bytes,
>>63 lequad x {file-size:%lld} >>63 lequad x {size:%ld}
>28 leshort >3 >28 leshort >3
>>40 lequad x size: %lld bytes, >>40 lequad x size: %ld bytes,
>>40 lequad x {file-size:%lld} >>40 lequad x {size:%ld}
>4 lelong x %d inodes, >4 lelong x %d inodes,
>28 leshort >3 >28 leshort >3
>>12 lelong x blocksize: %d bytes, >>12 lelong x blocksize: %d bytes,
...@@ -413,37 +413,37 @@ ...@@ -413,37 +413,37 @@
>28 leshort <4 >28 leshort <4
>>39 ledate x created: %s >>39 ledate x created: %s
>28 leshort >3 >28 leshort >3
>>8 ledate x created: %s >>8 ledate x created: %s
>28 leshort <3 >28 leshort <3
>>8 lelong x {jump-to-offset:%d} >>8 lelong x {jump:%d}
>28 leshort 3 >28 leshort 3
>>63 lequad x {jump-to-offset:%lld} >>63 lequad x {jump:%ld}
>28 leshort >3 >28 leshort >3
>>40 lequad x {jump-to-offset:%lld} >>40 lequad x {jump:%ld}
# Non-standard Squashfs signature found on some D-Link routers # Non-standard Squashfs signature found on some D-Link routers
0 string shsq Squashfs filesystem, little endian, non-standard signature, 0 string shsq Squashfs filesystem, little endian, non-standard signature,
>28 leshort >10 {invalid} >28 leshort >10 {invalid}
>28 leshort <1 {invalid} >28 leshort <1 {invalid}
>30 leshort >10 {invalid} >30 leshort >10 {invalid}
>28 leshort x version %d. >28 leshort x version %d.
>30 leshort x \b%d, >30 leshort x \b%d,
>28 leshort >3 compression: >28 leshort >3 compression:
>>20 leshort 1 \bgzip, >>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma, >>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition), >>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition), >>20 leshort 4 \bxz,
>>20 leshort 0 \b{invalid}, >>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid}, >>20 leshort >4 \b{invalid},
>28 leshort <3 >28 leshort <3
>>8 lelong x size: %d bytes, >>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d} >>8 lelong x {size:%d}
>28 leshort 3 >28 leshort 3
>>63 lequad x size: %lld bytes, >>63 lequad x size: %ld bytes,
>>63 lequad x {file-size:%lld} >>63 lequad x {size:%ld}
>28 leshort >3 >28 leshort >3
>>40 lequad x size: %lld bytes, >>40 lequad x size: %ld bytes,
>>40 lequad x {file-size:%lld} >>40 lequad x {size:%ld}
>4 lelong x %d inodes, >4 lelong x %d inodes,
>28 leshort >3 >28 leshort >3
>>12 lelong x blocksize: %d bytes, >>12 lelong x blocksize: %d bytes,
...@@ -458,97 +458,102 @@ ...@@ -458,97 +458,102 @@
>28 leshort <4 >28 leshort <4
>>39 ledate x created: %s >>39 ledate x created: %s
>28 leshort >3 >28 leshort >3
>>8 ledate x created: %s >>8 ledate x created: %s
>28 leshort <3 >28 leshort <3
>>8 lelong x {jump-to-offset:%d} >>8 lelong x {jump:%d}
>28 leshort 3 >28 leshort 3
>>63 lequad x {jump-to-offset:%lld} >>63 lequad x {jump:%ld}
>28 leshort >3 >28 leshort >3
>>40 lequad x {jump-to-offset:%lld} >>40 lequad x {jump:%ld}
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca> # ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net> # ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker # volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0 leshort 0xEF53 Linux EXT filesystem,{offset-adjust:-0x438} 0x438 leshort 0xEF53 Linux EXT filesystem,
>2 leshort >4 {invalid} state >2 leshort >4 {invalid}invalid state
>2 leshort 3 {invalid} state >2 leshort 3 {invalid}invalid state
>2 leshort <0 {invalid} state >2 leshort <0 {invalid}invalid state
>4 leshort >3 {invalid} error behavior >4 leshort >3 {invalid}invalid error behavior
>4 leshort <0 {invalid} error behavior >4 leshort <0 {invalid}invalid error behavior
>4 lelong >1 {invalid} major revision >4 lelong >1 {invalid}invalid major revision
>4 lelong <0 {invalid} major revision >4 lelong <0 {invalid}invalid major revision
>4 lelong x rev %d >4 lelong x rev %d
>6 leshort x \b.%d >6 leshort x \b.%d
# No journal? ext2 # No journal? ext2
>36 lelong&0x04 0 ext2 filesystem data >36 lelong&0x04 0 ext2 filesystem data
>>2 leshort&0x01 0 (mounted or unclean) >>2 leshort&0x01 0 (mounted or unclean)
# Has a journal? ext3 or ext4 # Has a journal? ext3 or ext4
>36 lelong &0x0000004 >36 lelong &0x0000004
# and small INCOMPAT? # and small INCOMPAT?
>>40 lelong <0x0000040 >>40 lelong <0x0000040
# and small RO_COMPAT? # and small RO_COMPAT?
>>>44 lelong <0x0000008 ext3 filesystem data >>>44 lelong <0x0000008 ext3 filesystem data
# else large RO_COMPAT? # else large RO_COMPAT?
>>>44 lelong >0x0000007 ext4 filesystem data >>>44 lelong >0x0000007 ext4 filesystem data
# else large INCOMPAT? # else large INCOMPAT?
>>40 lelong >0x000003f ext4 filesystem data >>40 lelong >0x000003f ext4 filesystem data
>48 belong x \b, UUID=%08x >48 belong x \b, UUID=%08x
>52 beshort x \b-%04x >52 beshort x \b-%04x
>54 beshort x \b-%04x >54 beshort x \b-%04x
>56 beshort x \b-%04x >56 beshort x \b-%04x
>58 belong x \b-%08x >58 belong x \b-%08x
>60 beshort x \b%04x >60 beshort x \b%04x
>64 string >0 \b, volume name "%s" >64 byte !0
>>64 string x \b, volume name "%s"
#romfs filesystems - Juan Cespedes <cespedes@debian.org> #romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs-\0 romfs filesystem, version 1 0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong >10000000 {invalid} >8 belong >10000000 {invalid}
>8 belong x size: %d bytes, >8 belong <1 {invalid}
>16 string x {file-name:%s} >8 belong x size: %d bytes,
>16 string x named "%s" >16 string x {name:%s}
>8 belong x {file-size:%d} >16 string x named "%s"
>8 belong x {jump-to-offset:%d} >8 belong x {size:%d}
>8 belong x {jump:%d}
# Wind River MemFS file system, found in some VxWorks devices # Wind River MemFS file system, found in some VxWorks devices
0 string owowowowowowowowowowowowowowow Wind River management filesystem, 0 string owowowowowowowowowowowowowowow Wind River management filesystem,
>30 string !ow {invalid}, >30 string !ow {invalid},
>32 belong 1 compressed, >32 belong 1 compressed,
>32 belong 2 plain text, >32 belong 2 plain text,
>36 belong x %d files >32 belong <1 {invalid}
32 belong >2 {invalid}
>36 belong x %d files
# netboot image - Juan Cespedes <cespedes@debian.org> # netboot image - Juan Cespedes <cespedes@debian.org>
0 lelong 0x1b031336 Netboot image, 0 lelong 0x1b031336 Netboot image,
>4 lelong&0xFFFFFF00 0 >4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2 >>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3 >>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode ({invalid}) >4 lelong&0xFFFFFF00 !0 unknown mode {invalid}
0 string WDK\x202.0\x00 WDK file system, version 2.0{offset-adjust:-18} 18 string WDK\x202.0\x00 WDK file system, version 2.0
0 string CD001 ISO{offset-adjust:-32769} 32769 string CD001 ISO
>6144 string !NSR0 9660 CD-ROM filesystem data, >6144 string !NSR0 9660 CD-ROM filesystem data,
>6144 string NSR0 UDF filesystem data, >6144 string NSR0 UDF filesystem data,
>6148 string 1 version 1.0, >6148 string 1 version 1.0,
>6148 string 2 version 2.0, >6148 string 2 version 2.0,
>6148 string 3 version 3.0 >6148 string 3 version 3.0
>6148 byte >0x33 {invalid} version, >6148 byte >0x33 {invalid} version,
>6148 byte <0x31 {invalid} version, >6148 byte <0x31 {invalid} version,
>38 string >\0 volume name: "%s", >38 byte !0
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable >>38 string x volume name: "%s",
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable
# updated by Joerg Jenderek at Nov 2012 # updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image # DOS Emulator image is 128 byte, null right padded header + harddisc image
0 string DOSEMU\0 DOS Emulator image 0 string DOSEMU\0 DOS Emulator image
>0x27E leshort !0xAA55 \b, {invalid} >0x27E leshort !0xAA55 {invalid}
>0x27E leshort 0xAA55 >0x27E leshort 0xAA55
#offset is 128 #offset is 128
>>19 byte 128 >>19 byte 128
>>>(19.b-1) byte 0x0 >>>(19.b-1) byte 0x0
>>>>7 lelong >0 \b, %d heads >>>>7 lelong >0 \b, %d heads
>>>>11 lelong >0 \b, %d sectors/track >>>>11 lelong >0 \b, %d sectors/track
>>>>15 lelong >0 \b, %d cylinders >>>>15 lelong >0 \b, %d cylinders
# From: Alex Beregszaszi <alex@fsn.hu> # From: Alex Beregszaszi <alex@fsn.hu>
0 string COWD\x03 VMWare3 disk image, 0 string COWD\x03 VMWare3 disk image,
...@@ -556,8 +561,9 @@ ...@@ -556,8 +561,9 @@
>36 lelong x \b%d/ >36 lelong x \b%d/
>40 lelong x \b%d) >40 lelong x \b%d)
0 string COWD\x02 VMWare3 undoable disk image, 0 string COWD\x02 VMWare3 undoable disk image,
>32 string >\0 "%s" >32 byte !0
>32 string x "%s"
# TODO: Add header validation # TODO: Add header validation
0 string VMDK VMware4 disk image 0 string VMDK VMware4 disk image
...@@ -569,31 +575,30 @@ ...@@ -569,31 +575,30 @@
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) # Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error # Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files # on existing QCOW files
0 string QFI\xFB QEMU QCOW Image 0 string QFI\xFB QEMU QCOW Image
# BSD 2.x file system image; used in RetroBSD for PIC32. # BSD 2.x file system image; used in RetroBSD for PIC32.
0 string FS\x3C\x3C BSD 2.x filesystem, 0 string FS\x3C\x3C BSD 2.x filesystem,
>1020 string !\x3E\x3EFS {invalid} (missing FSMAGIC2), >1020 string !\x3E\x3EFS {invalid}(missing FSMAGIC2),
>8 lelong x size: {math:%d*1024} bytes, >8 lelong x size: %d*1024 bytes,
>8 lelong x \b{file-size:%d*1024} >8 lelong x {size:%d*1024}
>8 lelong x \b{jump-to-offset:%d*1024} >8 lelong x {jump:%d*1024}
>8 lelong x total blocks: %d, >8 lelong x total blocks: %d,
>972 lelong x free blocks: %d, >972 lelong x free blocks: %d,
>968 ledate x last modified: %s >968 ledate x last modified: %s
>980 byte !0 >980 byte !0
>>980 string x \b, last mounted on: "%s" >>980 string x \b, last mounted on: "%s"
# Simple file system found in Foscam camera firmware # Simple file system found in Foscam camera firmware
0 beshort 0xbd9a Foscam WebUI filesystem, 0 beshort 0xbd9a Foscam WebUI filesystem,
>2 leshort x checksum: 0x%X, >2 uleshort x checksum: 0x%X,
>16 lelong <3 {invalid} first file name length, >16 lelong <3 {invalid}invalid first file name length,
>16 lelong >127 {invalid} first file name length, >16 lelong >127 {invalid}invalid first file name length,
>20 byte 0 {invalid} first file name, >20 byte 0 {invalid}invalid first file name,
>20 byte !0x2E >20 byte !0x2E
>>20 byte !0x2F >>20 byte !0x2F
>>>20 byte <65 {invalid} first file name, >>>20 byte <65 {invalid}invalid first file name,
>>>20 byte >122 {invalid} first file name, >>>20 byte >122 {invalid}invalid first file name,
>20 byte x first file name: {raw-replace} >16 lelong x {strlen:%d}
>16 lelong x {raw-string-length:%d} >20 string x first file name: "{string}"
>20 string x {raw-string:%s}
...@@ -3,158 +3,155 @@ ...@@ -3,158 +3,155 @@
# uImage file # uImage file
# From: Craig Heffner, U-Boot image.h header definitions file # From: Craig Heffner, U-Boot image.h header definitions file
0 belong 0x27051956 uImage header, header size: 64 bytes, 0 belong 0x27051956 uImage header, header size: 64 bytes,
>4 belong x header CRC: 0x%X, >4 belong x header CRC: 0x%X,
>8 bedate x created: %s, >8 bedate x created: %s,
>12 belong <1 {invalid} >12 belong <1 {invalid}
>12 belong x image size: %d bytes, >12 belong x image size: %d bytes,
>16 belong x Data Address: 0x%X, >16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X, >20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X, >24 belong x data CRC: 0x%X,
#>28 byte x OS type: %d, >28 byte 0 OS: {invalid}invalid OS,
>28 byte 0 OS: {invalid} OS, >28 byte 1 OS: OpenBSD,
>28 byte 1 OS: OpenBSD, >28 byte 2 OS: NetBSD,
>28 byte 2 OS: NetBSD, >28 byte 3 OS: FreeBSD,
>28 byte 3 OS: FreeBSD, >28 byte 4 OS: 4.4BSD,
>28 byte 4 OS: 4.4BSD, >28 byte 5 OS: Linux,
>28 byte 5 OS: Linux, >28 byte 6 OS: SVR4,
>28 byte 6 OS: SVR4, >28 byte 7 OS: Esix,
>28 byte 7 OS: Esix, >28 byte 8 OS: Solaris,
>28 byte 8 OS: Solaris, >28 byte 9 OS: Irix,
>28 byte 9 OS: Irix, >28 byte 10 OS: SCO,
>28 byte 10 OS: SCO, >28 byte 11 OS: Dell,
>28 byte 11 OS: Dell, >28 byte 12 OS: NCR,
>28 byte 12 OS: NCR, >28 byte 13 OS: LynxOS,
>28 byte 13 OS: LynxOS, >28 byte 14 OS: VxWorks,
>28 byte 14 OS: VxWorks, >28 byte 15 OS: pSOS,
>28 byte 15 OS: pSOS, >28 byte 16 OS: QNX,
>28 byte 16 OS: QNX, >28 byte 17 OS: Firmware,
>28 byte 17 OS: Firmware, >28 byte 18 OS: RTEMS,
>28 byte 18 OS: RTEMS, >28 byte 19 OS: ARTOS,
>28 byte 19 OS: ARTOS, >28 byte 20 OS: Unity OS,
>28 byte 20 OS: Unity OS, >29 byte 0 CPU: {invalid}invalid CPU,
#>29 byte x CPU arch: %d, >29 byte 1 CPU: Alpha,
>29 byte 0 CPU: {invalid} OS, >29 byte 2 CPU: ARM,
>29 byte 1 CPU: Alpha, >29 byte 3 CPU: Intel x86,
>29 byte 2 CPU: ARM, >29 byte 4 CPU: IA64,
>29 byte 3 CPU: Intel x86, >29 byte 5 CPU: MIPS,
>29 byte 4 CPU: IA64, >29 byte 6 CPU: MIPS 64 bit,
>29 byte 5 CPU: MIPS, >29 byte 7 CPU: PowerPC,
>29 byte 6 CPU: MIPS 64 bit, >29 byte 8 CPU: IBM S390,
>29 byte 7 CPU: PowerPC, >29 byte 9 CPU: SuperH,
>29 byte 8 CPU: IBM S390, >29 byte 10 CPU: Sparc,
>29 byte 9 CPU: SuperH, >29 byte 11 CPU: Sparc 64 bit,
>29 byte 10 CPU: Sparc, >29 byte 12 CPU: M68K,
>29 byte 11 CPU: Sparc 64 bit, >29 byte 13 CPU: Nios-32,
>29 byte 12 CPU: M68K, >29 byte 14 CPU: MicroBlaze,
>29 byte 13 CPU: Nios-32, >29 byte 15 CPU: Nios-II,
>29 byte 14 CPU: MicroBlaze, >29 byte 16 CPU: Blackfin,
>29 byte 15 CPU: Nios-II, >29 byte 17 CPU: AVR,
>29 byte 16 CPU: Blackfin, >29 byte 18 CPU: STMicroelectronics ST200,
>29 byte 17 CPU: AVR, #>30 byte x image type: %d,
>29 byte 18 CPU: STMicroelectronics ST200, >30 byte 0 image type: {invalid} Image,
#>30 byte x image type: %d, >30 byte 1 image type: Standalone Program,
>30 byte 0 image type: {invalid} Image, >30 byte 2 image type: OS Kernel Image,
>30 byte 1 image type: Standalone Program, >30 byte 3 image type: RAMDisk Image,
>30 byte 2 image type: OS Kernel Image, >30 byte 4 image type: Multi-File Image,
>30 byte 3 image type: RAMDisk Image, >30 byte 5 image type: Firmware Image,
>30 byte 4 image type: Multi-File Image, >30 byte 6 image type: Script file,
>30 byte 5 image type: Firmware Image, >30 byte 7 image type: Filesystem Image,
>30 byte 6 image type: Script file, >30 byte 8 image type: Binary Flat Device Tree Blob
>30 byte 7 image type: Filesystem Image, >31 byte 0 compression type: none,
>30 byte 8 image type: Binary Flat Device Tree Blob >31 byte 1 compression type: gzip,
#>31 byte x compression type: %d, >31 byte 2 compression type: bzip2,
>31 byte 0 compression type: none, >31 byte 3 compression type: lzma,
>31 byte 1 compression type: gzip, >32 string x image name: "%s"
>31 byte 2 compression type: bzip2,
>31 byte 3 compression type: lzma,
>32 string x image name: "%s"
#IMG0 header, found in VxWorks-based Mercury router firmware #IMG0 header, found in VxWorks-based Mercury router firmware
0 string IMG0 IMG0 (VxWorks) header, 0 string IMG0 IMG0 (VxWorks) header,
>4 belong <1 {invalid} >4 belong <1 {invalid}
>4 belong x size: %d >4 belong x size: %d
#Mediatek bootloader signature #Mediatek bootloader signature
#From xp-dev.com #From xp-dev.com
0 string BOOTLOADER! Mediatek bootloader 0 string BOOTLOADER! Mediatek bootloader
#CSYS header formats #CSYS header formats
0 string CSYS\x00 CSYS header, little endian, 0 string CSYS\x00 CSYS header, little endian,
>8 lelong x size: %d >8 lelong x size: %d
0 string CSYS\x80 CSYS header, big endian, 0 string CSYS\x80 CSYS header, big endian,
>8 belong x size: %d >8 belong x size: %d
# wrgg firmware image # wrgg firmware image
0 string wrgg02 WRGG firmware header, 0 string wrgg02 WRGG firmware header,
>6 string x name: "%s", >6 string x name: "%s",
>48 string x root device: "%s" >48 string x root device: "%s"
# trx image file # trx image file
0 string HDR0 TRX firmware header, little endian, header size: 28 bytes, 0 string HDR0 TRX firmware header, little endian, header size: 28 bytes,
>4 lelong <1 {invalid} >4 lelong <1 {invalid}
>4 lelong x image size: %d bytes, >4 lelong x image size: %d bytes,
>8 lelong x CRC32: 0x%X >8 ulelong x CRC32: 0x%X
>12 leshort x flags: 0x%X, >12 uleshort x flags: 0x%X,
>14 leshort >5 {invalid} >14 uleshort >5 {invalid}
>14 leshort x version: %d >14 leshort x version: %d
0 string 0RDH TRX firmware header, big endian, header size: 28 bytes, 0 string 0RDH TRX firmware header, big endian, header size: 28 bytes,
>4 belong <1 {invalid} >4 belong <1 {invalid}
>4 belong x image size: %d bytes, >4 belong x image size: %d bytes,
>8 belong x CRC32: 0x%X >8 ubelong x CRC32: 0x%X
>12 beshort x flags: 0x%X, >12 ubeshort x flags: 0x%X,
>14 beshort >5 {invalid} >14 ubeshort >5 {invalid}
>14 beshort x version: %d >14 beshort x version: %d
# Ubicom firmware image # Ubicom firmware image
0 belong 0xFA320080 Ubicom firmware header, 0 belong 0xFA320080 Ubicom firmware header,
>12 belong x checksum: 0x%X, >12 belong x checksum: 0x%X,
>24 belong <0 {invalid} >24 belong <0 {invalid}
>24 belong x image size: %d >24 belong x image size: %d
# The ROME bootloader is used by several RealTek-based products. # The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so # Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one. # separate signatures must be created for each one.
# Netgear KWGR614 ROME image # Netgear KWGR614 ROME image
0 string G614 Realtek firmware header, ROME bootloader, 0 string G614 Realtek firmware header, ROME bootloader,
>4 beshort 0xd92f image type: KFS, >4 beshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR, >4 beshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT, >4 beshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN, >4 beshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG, >4 beshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG, >4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG, >4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d, >6 byte x header version: %d,
>10 ubyte >12 {invalid} month >10 ubyte >12 {invalid} month
>12 ubyte >31 {invalid} day >12 ubyte >31 {invalid} day
>8 ubyte >3000 {invalid} year >8 ubyte >3000 {invalid} year
#month #month
>10 byte x created: %d/ >10 byte x created: %d/
#day #day
>12 byte x \b%d/ >12 byte x \b%d/
#year #year
>8 beshort x \b%d, >8 beshort x \b%d,
>16 belong x image size: %d bytes, >16 belong x image size: %d bytes,
>22 byte x body checksum: 0x%X, >22 ubyte x body checksum: 0x%X,
>23 byte x header checksum: 0x%X >23 ubyte x header checksum: 0x%X
# Linksys WRT54GX ROME image # Linksys WRT54GX ROME image
0 belong 0x59a0e842 Realtek firmware header, ROME bootloader, 0 belong 0x59a0e842 Realtek firmware header, ROME bootloader,
>4 beshort 0xd92f image type: KFS, >4 ubeshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR, >4 ubeshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT, >4 ubeshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN, >4 ubeshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG, >4 ubeshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG, >4 ubeshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG, >4 ubeshort 0xc371 image type: LOG,
>6 byte x header version: %d, >6 byte x header version: %d,
>10 ubyte >12 {invalid} month >10 ubyte >12 {invalid}invalid month
>12 ubyte >31 {invalid} day >12 ubyte >31 {invalid}invalid day
>8 ubyte >3000 {invalid} year >8 ubyte >3000 {invalid}invalid year
#month #month
>10 byte x created: %d/ >10 byte x created: %d/
#day #day
...@@ -166,23 +163,23 @@ ...@@ -166,23 +163,23 @@
>23 byte x header checksum: 0x%X >23 byte x header checksum: 0x%X
# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images. # PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0 string --PaCkImGs-- PackImg section delimiter tag, 0 string --PaCkImGs-- PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive # If the size in both big and little endian is greater than 512MB, consider this a false positive
>16 lelong >0x20000000 >16 ulelong >0x20000000
>>16 belong >0x20000000 {invalid} >>16 ubelong >0x20000000 {invalid}
>16 lelong <0 >16 lelong <0
>>16 belong <0 {invalid} >>16 belong <0 {invalid}
>16 lelong >0 >16 lelong >0
>>16 lelong x little endian size: %d bytes; >>16 lelong x little endian size: %d bytes;
>16 belong >0 >16 belong >0
>>16 belong x big endian size: %d bytes >>16 belong x big endian size: %d bytes
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Broadcom header format # Broadcom header format
# #
0 string BCRM Broadcom header, 0 string BCRM Broadcom header,
>4 lelong <0 {invalid} >4 lelong <0 {invalid}
>4 lelong x number of sections: %d, >4 lelong x number of sections: %d,
>>8 lelong 18 first section type: flash >>8 lelong 18 first section type: flash
>>8 lelong 19 first section type: disk >>8 lelong 19 first section type: disk
...@@ -192,24 +189,24 @@ ...@@ -192,24 +189,24 @@
# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint # http://ftg.lbl.gov/checkpoint
0 string Ck0\0\0R\0\0\0 BLCR 0 string Ck0\0\0R\0\0\0 BLCR
>16 lelong 1 x86 >16 lelong 1 x86
>16 lelong 3 alpha >16 lelong 3 alpha
>16 lelong 5 x86-64 >16 lelong 5 x86-64
>16 lelong 7 ARM >16 lelong 7 ARM
>8 lelong x context data (little endian, version %d) >8 lelong x context data (little endian, version %d)
0 string \0\0\0C\0\0\0R BLCR 0 string \0\0\0C\0\0\0R BLCR
>16 belong 2 SPARC >16 belong 2 SPARC
>16 belong 4 ppc >16 belong 4 ppc
>16 belong 6 ppc64 >16 belong 6 ppc64
>16 belong 7 ARMEB >16 belong 7 ARMEB
>16 belong 8 SPARC64 >16 belong 8 SPARC64
>8 belong x context data (big endian, version %d) >8 belong x context data (big endian, version %d)
# Aculab VoIP firmware # Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk> # From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\x20Startup\x20and Aculab VoIP firmware 0 string VoIP\x20Startup\x20and Aculab VoIP firmware
>35 string x format "%s" >35 string x format "%s"
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file # HP LaserJet 1000 series downloadable firmware file
...@@ -227,7 +224,7 @@ ...@@ -227,7 +224,7 @@
# Boot ROM images for Sun/Cobalt Linux server appliances # Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom 0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom
>38 string x V%.4s >38 string x V%.4s
# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it. # at the very end where file(1) can't get it.
...@@ -242,173 +239,170 @@ ...@@ -242,173 +239,170 @@
#More information on the format: #More information on the format:
#http://msdn.microsoft.com/en-us/library/ms924510.aspx #http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167 #http://forum.xda-developers.com/showthread.php?t=801167
0 string B000FF Windows CE image header, 0 string B000FF Windows CE image header,
>7 lelong x Image start: 0x%X, >7 ulelong x image start: 0x%X,
>11 lelong x Image length: %d >11 lelong x image length: %d
#Windows CE RomImage #Windows CE RomImage
0 string \x00ECEC Windows CE memory segment header, {offset-adjust:-63} 63 string \x00ECEC Windows CE memory segment header,
>4 lelong x TOC address: 0x%X >4 ulelong x TOC address: 0x%X
# -------------------------------- # --------------------------------
# ZynOS ROM header format # ZynOS ROM header format
# From openwrt zynos.h. # From openwrt zynos.h.
0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6} 6 string SIG ZynOS header, header size: 48 bytes,
#>0 belong x load address 0x%X, >3 byte <0x7F rom image type:
>3 byte <0x7F rom image type: >>3 byte <1 {invalid},
>>3 byte <1 {invalid}, >>3 byte >7 {invalid},
>>3 byte >7 {invalid}, >>3 byte 1 ROMIMG,
>>3 byte 1 ROMIMG, >>3 byte 2 ROMBOOT,
>>3 byte 2 ROMBOOT, >>3 byte 3 BOOTEXT,
>>3 byte 3 BOOTEXT, >>3 byte 4 ROMBIN,
>>3 byte 4 ROMBIN, >>3 byte 5 ROMDIR,
>>3 byte 5 ROMDIR, >>3 byte 6 6,
>>3 byte 6 6, >>3 byte 7 ROMMAP,
>>3 byte 7 ROMMAP, >3 byte >0x7F ram image type:
>3 byte >0x7F ram image type: >>3 byte >0x82 {invalid},
>>3 byte >0x82 {invalid}, >>3 byte 0x80 RAM,
>>3 byte 0x80 RAM, >>3 byte 0x81 RAMCODE,
>>3 byte 0x81 RAMCODE, >>3 byte 0x82 RAMBOOT,
>>3 byte 0x82 RAMBOOT, >4 ubelong >0x40000000 {invalid}
>4 belong >0x40000000 {invalid} >4 belong <0 {invalid}
>4 belong <0 {invalid} >4 belong 0 {invalid}
>4 belong 0 {invalid} >4 belong x uncompressed size: %d,
>4 belong x uncompressed size: %d, >8 belong >0x40000000 {invalid}
>8 belong >0x40000000 {invalid} >8 belong <0 {invalid}
>8 belong <0 {invalid} >8 belong 0 {invalid}
>8 belong 0 {invalid} >8 belong x compressed size: %d,
>8 belong x compressed size: %d, >14 ubeshort x uncompressed checksum: 0x%X,
>14 beshort x uncompressed checksum: 0x%X, >16 ubeshort x compressed checksum: 0x%X,
>16 beshort x compressed checksum: 0x%X, >12 ubyte x flags: 0x%X,
>12 byte x flags: 0x%X, >12 byte &0x40 uncompressed checksum is valid,
>12 byte &0x40 uncompressed checksum is valid, >12 ubyte &0x80 the binary is compressed,
>12 byte &0x80 the binary is compressed, >>12 byte &0x20 compressed checksum is valid,
>>12 byte &0x20 compressed checksum is valid, >35 ubelong x memory map table address: 0x%X
>35 belong x memory map table address: 0x%X
# Firmware header used by some VxWorks-based Cisco products # Firmware header used by some VxWorks-based Cisco products
0 string CI032.00 Cisco VxWorks firmware header, 0 string CI032.00 Cisco VxWorks firmware header,
>8 lelong >1024 {invalid} >8 lelong >1024 {invalid}
>8 lelong <0 {invalid} >8 lelong <0 {invalid}
>8 lelong x header size: %d bytes, >8 lelong x header size: %d bytes,
>32 lelong >1024 {invalid} >32 lelong >1024 {invalid}
>32 lelong <0 {invalid} >32 lelong <0 {invalid}
>32 lelong x number of files: %d, >32 lelong x number of files: %d,
>48 lelong <0 {invalid} >48 lelong <0 {invalid}
>48 lelong x image size: %d, >48 lelong x image size: %d,
>64 string x firmware version: "%s" >64 string x firmware version: "%s"
# Simple VxWorks reference strings # Simple VxWorks reference strings
#0 string VxWorks VxWorks string referece: #0 string VxWorks VxWorks string referece:
#>0 string x "%s" #>0 string x "%s"
#0 string vxworks VxWorks string referece: #0 string vxworks VxWorks string referece:
#>0 string x "%s" #>0 string x "%s"
#0 string VXWORKS VxWorks string referece: #0 string VXWORKS VxWorks string referece:
#>0 string x "%s" #>0 string x "%s"
# Firmware header used by some TV's # Firmware header used by some TV's
0 string FNIB ZBOOT firmware header, header size: 32 bytes, 0 string FNIB ZBOOT firmware header, header size: 32 bytes,
>8 lelong x load address: 0x%.8X, >8 lelong x load address: 0x%.8X,
>12 lelong x start address: 0x%.8X, >12 lelong x start address: 0x%.8X,
>16 lelong x checksum: 0x%.8X, >16 lelong x checksum: 0x%.8X,
>20 lelong x version: 0x%.8X, >20 lelong x version: 0x%.8X,
>24 lelong <1 {invalid} >24 lelong <1 {invalid}
>24 lelong x image size: %d bytes >24 lelong x image size: %d bytes
# Firmware header used by several D-Link routers (and probably others) # Firmware header used by several D-Link routers (and probably others)
0 string \x5e\xa3\xa4\x17 DLOB firmware header, 0 string \x5e\xa3\xa4\x17 DLOB firmware header,
>(7.b+12) string !\x5e\xa3\xa4\x17 {invalid}, >(7.b+12) string !\x5e\xa3\xa4\x17 {invalid},
#>>12 string x %s, #>>12 string x %s,
>(7.b+40) string x boot partition: "%s" >(7.b+40) string x boot partition: "%s"
# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format # TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
0 string TP-LINK\x20Technologies TP-Link firmware header,{offset-adjust:-4} 0 string TP-LINK\x20Technologies TP-Link firmware header,{offset-adjust:-4}
#>-4 lelong x header version: %d, #>-4 lelong x header version: %d,
>0x94 beshort x firmware version: %d. >0x94 beshort x firmware version: %d.
>0x96 beshort x \b%d. >0x96 beshort x \b%d.
>0x98 beshort x \b%d, >0x98 beshort x \b%d,
>0x18 string x image version: "%s", >0x18 string x image version: "%s",
#>0x74 belong x image size: %d bytes, #>0x74 belong x image size: %d bytes,
>0x3C belong x product ID: 0x%X, >0x3C belong x product ID: 0x%X,
>0x40 belong x product version: %d, >0x40 belong x product version: %d,
>0x70 belong x kernel load address: 0x%X, >0x70 belong x kernel load address: 0x%X,
>0x74 belong x kernel entry point: 0x%X, >0x74 belong x kernel entry point: 0x%X,
>0x7C belong x kernel offset: %d, >0x7C belong x kernel offset: %d,
>0x80 belong x kernel length: %d, >0x80 belong x kernel length: %d,
>0x84 belong x rootfs offset: %d, >0x84 belong x rootfs offset: %d,
>0x88 belong x rootfs length: %d, >0x88 belong x rootfs length: %d,
>0x8C belong x bootloader offset: %d, >0x8C belong x bootloader offset: %d,
>0x90 belong x bootloader length: %d >0x90 belong x bootloader length: %d
# Header format from: http://skaya.enix.org/wiki/FirmwareFormat # Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256, 0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256,
>4 string !Broadcom >4 string !Broadcom
>>4 string !\x20\x20\x20\x20 {invalid} >>4 string !\x20\x20\x20\x20 {invalid}
>41 beshort !0x2020 >41 beshort !0x2020
>>41 beshort !0x0000 >>41 beshort !0x0000
>>>41 string x firmware version: "%.4s", >>>41 string x firmware version: "%.4s",
>45 beshort !0x0202 >45 beshort !0x0202
>>45 beshort !0x0000 >>45 beshort !0x0000
>>>45 string x board id: "%s", >>>45 string x board id: "%s",
>236 belong x ~CRC32 header checksum: 0x%X, >236 belong x ~CRC32 header checksum: 0x%X,
>216 belong x ~CRC32 data checksum: 0x%X >216 belong x ~CRC32 data checksum: 0x%X
# Xerox MFP DLM signatures # Xerox MFP DLM signatures
0 string %%XRXbegin Xerox DLM firmware start of header 0 string %%XRXbegin Xerox DLM firmware start of header
0 string %%OID_ATT_DLM_NAME Xerox DLM firmware name: 0 string %%OID_ATT_DLM_NAME Xerox DLM firmware name:
>19 string x "%s" >19 string x "%s"
0 string %%OID_ATT_DLM_VERSION Xerox DLM firmware version: 0 string %%OID_ATT_DLM_VERSION Xerox DLM firmware version:
>22 string x "%s" >22 string x "%s"
0 string %%XRXend Xerox DLM firmware end of header 0 string %%XRXend Xerox DLM firmware end of header
# Generic copyright signature # Generic copyright signature
0 string Copyright Copyright string: 0 string Copyright Copyright string:
>9 byte 0 {invalid} >9 byte 0 {invalid}
>0 string x "%s >0 string x "%s"
>63 string x \b%s"
0 string copyright Copyright string: 0 string copyright Copyright string:
>9 byte 0 {invalid} >9 byte 0 {invalid}
>0 string x "%s >0 string x "%s"
>63 string x \b%s"
# Sercomm firmware header # Sercomm firmware header
0 string sErCoMm Sercomm firmware signature, 0 string sErCoMm Sercomm firmware signature,
>7 leshort x version control: %d, >7 leshort x version control: %d,
>9 leshort x download control: %d, >9 leshort x download control: %d,
>11 string x hardware ID: "%s", >11 string x hardware ID: "%s",
>44 leshort x hardware version: 0x%X, >44 leshort x hardware version: 0x%X,
>58 leshort x firmware version: 0x%X, >58 leshort x firmware version: 0x%X,
>60 leshort x starting code segment: 0x%X, >60 leshort x starting code segment: 0x%X,
>62 leshort x code size: 0x%X >62 leshort x code size: 0x%X
# NPK firmware header, used by Mikrotik # NPK firmware header, used by Mikrotik
0 belong 0x1EF1D0BA NPK firmware header, 0 belong 0x1EF1D0BA NPK firmware header,
>4 lelong <0 {invalid} >4 lelong <0 {invalid}
>4 lelong x image size: %d, >4 lelong x image size: %d,
>14 string x image name: "%s", >14 string x image name: "%s",
>(48.l+58) string x description: "%s >(48.l+58) string x description: "%s"
>(48.l+121) string x \b%s"
# Ubiquiti firmware signatures # Ubiquiti firmware signatures
0 string UBNT Ubiquiti firmware header, header size: 264 bytes, 0 string UBNT Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 {invalid}, >0x108 belong !0 {invalid},
>0x104 belong x ~CRC32: 0x%X, >0x104 ubelong x ~CRC32: 0x%X,
>4 byte 0 {invalid}, >4 byte 0 {invalid},
>4 string x version: "%s" >4 string x version: "%s"
0 string GEOS Ubiquiti firmware header, header size: 264 bytes, 0 string GEOS Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 {invalid}, >0x108 belong !0 {invalid},
>0x104 belong x ~CRC32: 0x%X, >0x104 ubelong x ~CRC32: 0x%X,
>4 byte 0 {invalid}, >4 byte 0 {invalid},
>4 string x version: "%s" >4 string x version: "%s"
0 string OPEN Ubiquiti firmware header, third party, 0 string OPEN Ubiquiti firmware header, third party,
>0x108 belong !0 {invalid}, >0x108 belong !0 {invalid},
>0x104 belong x ~CRC32: 0x%X, >0x104 ubelong x ~CRC32: 0x%X,
>4 byte 0 {invalid}, >4 byte 0 {invalid},
>4 string x version: "%s" >4 string x version: "%s"
0 string \x00\x00\x00\x00PART Ubiquiti partition header,{offset-adjust:4} 0 string \x00\x00\x00\x00PART Ubiquiti partition header,{offset-adjust:4}
>0 byte x header size: 56 bytes, >0 byte x header size: 56 bytes,
...@@ -424,59 +418,59 @@ ...@@ -424,59 +418,59 @@
# Found in DIR-100 firmware # Found in DIR-100 firmware
0 string AIH0N AIH0N firmware header, header size: 48, 0 string AIH0N AIH0N firmware header, header size: 48,
>12 belong x size: %d, >12 belong x size: %d,
>8 belong !0 executable code, >8 belong !0 executable code,
>>8 belong x load address: 0x%X, >>8 belong x load address: 0x%X,
>32 string x version: "%s" >32 string x version: "%s"
0 belong 0x5EA3A417 SEAMA firmware header, big endian, 0 belong 0x5EA3A417 SEAMA firmware header, big endian,
>6 beshort x meta size: %d, >6 beshort x meta size: %d,
>8 belong <1 {invalid} >8 belong <1 {invalid}
>8 belong x size: %d >8 belong x size: %d
0 lelong 0x5EA3A417 SEAMA firmware header, little endian, 0 lelong 0x5EA3A417 SEAMA firmware header, little endian,
>6 leshort x meta size: %d, >6 leshort x meta size: %d,
>8 lelong <1 {invalid} >8 lelong <1 {invalid}
>8 lelong x size: %d >8 lelong x size: %d
0 belong 0x4D544443 NSP firmware header, big endian, 0 belong 0x4D544443 NSP firmware header, big endian,
>16 belong <1 {invalid} >16 belong <1 {invalid}
>16 belong x header size: %d, >16 belong x header size: %d,
>20 belong <1 {invalid} >20 belong <1 {invalid}
>20 belong x image size: %d, >20 belong x image size: %d,
>20 belong x {file-size:%d} >20 belong x {size:%d}
>4 belong <1 {invalid} >4 belong <1 {invalid}
>4 belong x kernel offset: %d, >4 belong x kernel offset: %d,
>12 belong <1 {invalid} >12 belong <1 {invalid}
>12 belong x header version: %d, >12 belong x header version: %d,
0 lelong 0x4D544443 NSP firmware header, little endian, 0 lelong 0x4D544443 NSP firmware header, little endian,
>16 lelong <1 {invalid} >16 lelong <1 {invalid}
>16 lelong x header size: %d, >16 lelong x header size: %d,
>20 lelong <1 {invalid} >20 lelong <1 {invalid}
>20 lelong x image size: %d, >20 lelong x image size: %d,
>20 lelong x {file-size:%d} >20 lelong x {size:%d}
>4 lelong <1 {invalid} >4 lelong <1 {invalid}
>4 lelong x kernel offset: %d, >4 lelong x kernel offset: %d,
>12 lelong <1 {invalid} >12 lelong <1 {invalid}
>12 lelong x header version: %d, >12 lelong x header version: %d,
# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure # http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0 string WizFwPkgl Beyonwiz firmware header, 0 string WizFwPkgl Beyonwiz firmware header,
>20 string x version: "%s" >20 string x version: "%s"
0 string BLI223WJ0 Thompson/Alcatel encoded firmware, 0 string BLI223WJ0 Thompson/Alcatel encoded firmware,
>32 byte x version: %d. >32 byte x version: %d.
>33 byte x \b%d. >33 byte x \b%d.
>34 byte x \b%d. >34 byte x \b%d.
>35 byte x \b%d, >35 byte x \b%d,
>44 belong x size: %d, >44 belong x size: %d,
>48 belong x crc: 0x%.8X, >48 ubelong x crc: 0x%.8X,
>35 byte x try decryption tool from: >35 byte x try decryption tool from:
>35 byte x http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/ >35 byte x http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
0 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume{offset-adjust:-16} 16 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume
# http://android.stackexchange.com/questions/23357/\ # http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ # is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
...@@ -489,35 +483,35 @@ ...@@ -489,35 +483,35 @@
>19 string AES-256\n \b, encrypted AES-256 >19 string AES-256\n \b, encrypted AES-256
# http://forum.xda-developers.com/showthread.php?p=47818657 # http://forum.xda-developers.com/showthread.php?p=47818657
0 string imgARMcC Roku aimage SB{offset-adjust:-8} 0 string imgARMcC Roku aimage SB{offset-adjust:-8}
# Boot ROM images for Sun/Cobalt Linux server appliances # Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged Sun/COBALT boot rom, 0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged Sun/COBALT boot rom,
>38 string x version: "%.4s" >38 string x version: "%.4s"
# Simple eCos string signatures # Simple eCos string signatures
0 string ecos eCos RTOS string reference: 0 string ecos eCos RTOS string reference:
>0 string x "%s" >0 string x "%s"
0 string eCos eCos RTOS string reference: 0 string eCos eCos RTOS string reference:
>0 string x "%s" >0 string x "%s"
0 string ECOS eCos RTOS string reference: 0 string ECOS eCos RTOS string reference:
>0 string x "%s" >0 string x "%s"
# ZyXEL config signatures # ZyXEL config signatures
0 string dbgarea ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6} 6 string dbgarea ZyXEL rom-0 configuration block, name: "%s",
>16 beshort x compressed size: %d, >16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d, >14 beshort x uncompressed size: %d,
>18 beshort x data offset from start of block: {math:16+%d} >18 beshort x data offset from start of block: %d+16
0 string spt.dat ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6} 6 string spt.dat ZyXEL rom-0 configuration block, name: "%s",
>16 beshort x compressed size: %d, >16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d, >14 beshort x uncompressed size: %d,
>18 beshort x data offset from start of block: {math:16+%d} >18 beshort x data offset from start of block: %d+16
0 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6} 6 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",
>16 beshort x compressed size: %d, >16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d, >14 beshort x uncompressed size: %d,
>18 beshort x data offset from start of block: {math:16+%d} >18 beshort x data offset from start of block: %d+16
# Obfuscated Arcadyan firmware # Obfuscated Arcadyan firmware
0x68 belong 0x00D50800 Obfuscated Arcadyan firmware, 0x68 belong 0x00D50800 Obfuscated Arcadyan firmware,
......
...@@ -23,21 +23,20 @@ ...@@ -23,21 +23,20 @@
# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
# #
0 string \x89PNG\x0d\x0a\x1a\x0a PNG image 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image
>16 belong <1 {invalid} >16 belong <1 {invalid}
>16 belong >10000 {invalid} >16 belong >10000 {invalid}
>20 belong <1 {invalid} >20 belong <1 {invalid}
>20 belong >10000 {invalid} >20 belong >10000 {invalid}
>16 belong x \b, %d x >16 belong x \b, %d x
>20 belong x %d, >20 belong x %d,
>24 byte x %d-bit >24 byte x %d-bit
>25 byte 0 grayscale, >25 byte 0 grayscale,
>25 byte 2 \b/color RGB, >25 byte 2 \b/color RGB,
>25 byte 3 colormap, >25 byte 3 colormap,
>25 byte 4 gray+alpha, >25 byte 4 gray+alpha,
>25 byte 6 \b/color RGBA, >25 byte 6 \b/color RGBA,
#>26 byte 0 deflate/32K, >28 byte 0 non-interlaced
>28 byte 0 non-interlaced >28 byte 1 interlaced
>28 byte 1 interlaced
# GIF # GIF
0 string GIF8 GIF image data 0 string GIF8 GIF image data
...@@ -56,41 +55,41 @@ ...@@ -56,41 +55,41 @@
#>10 byte&0x07 =0x07 256 colors #>10 byte&0x07 =0x07 256 colors
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM 0 string BM PC bitmap,
>14 leshort 12 PC bitmap, OS/2 1.x format >14 leshort 12 OS/2 1.x format,
>>18 lelong <1 {invalid} >>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid} >>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x >>18 leshort x \b, %d x
>>20 lelong <1 {invalid} >>20 lelong <1 {invalid}
>>20 lelong >1000000 {invalid} >>20 lelong >1000000 {invalid}
>>20 leshort x %d >>20 leshort x %d
>14 leshort 64 PC bitmap, OS/2 2.x format >14 leshort 64 OS/2 2.x format,
>>18 lelong <1 {invalid} >>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid} >>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x >>18 leshort x \b, %d x
>>20 lelong <1 {invalid} >>20 lelong <1 {invalid}
>>20 lelong >1000000 {invalid} >>20 lelong >1000000 {invalid}
>>20 leshort x %d >>20 leshort x %d
>14 leshort 40 PC bitmap, Windows 3.x format >14 leshort 40 Windows 3.x format,
>>18 lelong <1 {invalid} >>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid} >>18 lelong >1000000 {invalid}
>>18 lelong x \b, %d x >>18 lelong x \b, %d x
>>22 lelong <1 {invalid} >>22 lelong <1 {invalid}
>>22 lelong >1000000 {invalid} >>22 lelong >1000000 {invalid}
>>22 lelong x %d x >>22 lelong x %d x
>>28 lelong <1 {invalid} >>28 lelong <1 {invalid}
>>28 lelong >1000000 {invalid} >>28 lelong >1000000 {invalid}
>>28 leshort x %d >>28 leshort x %d
>14 leshort 128 PC bitmap, Windows NT/2000 format >14 leshort 128 Windows NT/2000 format,
>>18 lelong >1000000 {invalid} >>18 lelong >1000000 {invalid}
>>18 lelong <1 {invalid} >>18 lelong <1 {invalid}
>>18 lelong x \b, %d x >>18 lelong x \b, %d x
>>22 lelong <1 {invalid} >>22 lelong <1 {invalid}
>>22 lelong >1000000 {invalid} >>22 lelong >1000000 {invalid}
>>22 lelong x %d x >>22 lelong x %d x
>>28 lelong <1 {invalid} >>28 lelong <1 {invalid}
>>28 lelong >1000000 {invalid} >>28 lelong >1000000 {invalid}
>>28 leshort x %d >>28 leshort x %d
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# JPEG images # JPEG images
...@@ -101,117 +100,117 @@ ...@@ -101,117 +100,117 @@
# #
# both of which turn into "JPEG image data" here. # both of which turn into "JPEG image data" here.
# #
0 belong 0xffd8ffe0 JPEG image data, JFIF standard 0 belong 0xffd8ffe0 JPEG image data, JFIF standard
>6 string !JFIF {invalid} >6 string !JFIF {invalid}
# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06 # The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06
# in a vain attempt to add image size reporting for JFIF. Note that these # in a vain attempt to add image size reporting for JFIF. Note that these
# tests are not fool-proof since some perfectly valid JPEGs are currently # tests are not fool-proof since some perfectly valid JPEGs are currently
# impossible to specify in magic(4) format. # impossible to specify in magic(4) format.
# First, a little JFIF version info: # First, a little JFIF version info:
>11 byte x \b %d. >11 byte x \b %d.
>12 byte x \b%02d >12 byte x \b%02d
# Next, the resolution or aspect ratio of the image: # Next, the resolution or aspect ratio of the image:
#>>13 byte 0 \b, aspect ratio #>>13 byte 0 \b, aspect ratio
#>>13 byte 1 \b, resolution (DPI) #>>13 byte 1 \b, resolution (DPI)
#>>13 byte 2 \b, resolution (DPCM) #>>13 byte 2 \b, resolution (DPCM)
#>>4 beshort x \b, segment length %d #>>4 beshort x \b, segment length %d
# Next, show thumbnail info, if it exists: # Next, show thumbnail info, if it exists:
>18 byte !0 \b, thumbnail %dx >18 byte !0 \b, thumbnail %dx
>>19 byte x \b%d >>19 byte x \b%d
0 belong 0xffd8ffe1 JPEG image data, EXIF standard 0 belong 0xffd8ffe1 JPEG image data, EXIF standard
# EXIF moved down here to avoid reporting a bogus version number, # EXIF moved down here to avoid reporting a bogus version number,
# and EXIF version number printing added. # and EXIF version number printing added.
# - Patrik R=E5dman <patrik+file-magic@iki.fi> # - Patrik R=E5dman <patrik+file-magic@iki.fi>
>6 string !Exif {invalid} >6 string !Exif {invalid}
# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. # Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD.
# All possible combinations of entries have to be enumerated, since no looping # All possible combinations of entries have to be enumerated, since no looping
# is possible. And both endians are possible... # is possible. And both endians are possible...
# The combinations included below are from real-world JPEGs. # The combinations included below are from real-world JPEGs.
# Little-endian # Little-endian
>12 string II >12 string II
# IFD 0 Entry #5: # IFD 0 Entry #5:
>>70 leshort 0x8769 >>70 leshort 0x8769
# EXIF IFD Entry #1: # EXIF IFD Entry #1:
>>>(78.l+14) leshort 0x9000 >>>(78.l+14) leshort 0x9000
>>>>(78.l+23) byte x %c >>>>(78.l+23) byte x %c
>>>>(78.l+24) byte x \b.%c >>>>(78.l+24) byte x \b.%c
>>>>(78.l+25) byte !0x30 \b%c >>>>(78.l+25) byte !0x30 \b%c
# IFD 0 Entry #9: # IFD 0 Entry #9:
>>118 leshort 0x8769 >>118 leshort 0x8769
# EXIF IFD Entry #3: # EXIF IFD Entry #3:
>>>(126.l+38) leshort 0x9000 >>>(126.l+38) leshort 0x9000
>>>>(126.l+47) byte x %c >>>>(126.l+47) byte x %c
>>>>(126.l+48) byte x \b.%c >>>>(126.l+48) byte x \b.%c
>>>>(126.l+49) byte !0x30 \b%c >>>>(126.l+49) byte !0x30 \b%c
# IFD 0 Entry #10 # IFD 0 Entry #10
>>130 leshort 0x8769 >>130 leshort 0x8769
# EXIF IFD Entry #3: # EXIF IFD Entry #3:
>>>(138.l+38) leshort 0x9000 >>>(138.l+38) leshort 0x9000
>>>>(138.l+47) byte x %c >>>>(138.l+47) byte x %c
>>>>(138.l+48) byte x \b.%c >>>>(138.l+48) byte x \b.%c
>>>>(138.l+49) byte !0x30 \b%c >>>>(138.l+49) byte !0x30 \b%c
# EXIF IFD Entry #4: # EXIF IFD Entry #4:
>>>(138.l+50) leshort 0x9000 >>>(138.l+50) leshort 0x9000
>>>>(138.l+59) byte x %c >>>>(138.l+59) byte x %c
>>>>(138.l+60) byte x \b.%c >>>>(138.l+60) byte x \b.%c
>>>>(138.l+61) byte !0x30 \b%c >>>>(138.l+61) byte !0x30 \b%c
# EXIF IFD Entry #5: # EXIF IFD Entry #5:
>>>(138.l+62) leshort 0x9000 >>>(138.l+62) leshort 0x9000
>>>>(138.l+71) byte x %c >>>>(138.l+71) byte x %c
>>>>(138.l+72) byte x \b.%c >>>>(138.l+72) byte x \b.%c
>>>>(138.l+73) byte !0x30 \b%c >>>>(138.l+73) byte !0x30 \b%c
# IFD 0 Entry #11 # IFD 0 Entry #11
>>142 leshort 0x8769 >>142 leshort 0x8769
# EXIF IFD Entry #3: # EXIF IFD Entry #3:
>>>(150.l+38) leshort 0x9000 >>>(150.l+38) leshort 0x9000
>>>>(150.l+47) byte x %c >>>>(150.l+47) byte x %c
>>>>(150.l+48) byte x \b.%c >>>>(150.l+48) byte x \b.%c
>>>>(150.l+49) byte !0x30 \b%c >>>>(150.l+49) byte !0x30 \b%c
# EXIF IFD Entry #4: # EXIF IFD Entry #4:
>>>(150.l+50) leshort 0x9000 >>>(150.l+50) leshort 0x9000
>>>>(150.l+59) byte x %c >>>>(150.l+59) byte x %c
>>>>(150.l+60) byte x \b.%c >>>>(150.l+60) byte x \b.%c
>>>>(150.l+61) byte !0x30 \b%c >>>>(150.l+61) byte !0x30 \b%c
# EXIF IFD Entry #5: # EXIF IFD Entry #5:
>>>(150.l+62) leshort 0x9000 >>>(150.l+62) leshort 0x9000
>>>>(150.l+71) byte x %c >>>>(150.l+71) byte x %c
>>>>(150.l+72) byte x \b.%c >>>>(150.l+72) byte x \b.%c
>>>>(150.l+73) byte !0x30 \b%c >>>>(150.l+73) byte !0x30 \b%c
# Big-endian # Big-endian
>12 string MM >12 string MM
# IFD 0 Entry #9: # IFD 0 Entry #9:
>>118 beshort 0x8769 >>118 beshort 0x8769
# EXIF IFD Entry #1: # EXIF IFD Entry #1:
>>>(126.L+14) beshort 0x9000 >>>(126.L+14) beshort 0x9000
>>>>(126.L+23) byte x %c >>>>(126.L+23) byte x %c
>>>>(126.L+24) byte x \b.%c >>>>(126.L+24) byte x \b.%c
>>>>(126.L+25) byte !0x30 \b%c >>>>(126.L+25) byte !0x30 \b%c
# EXIF IFD Entry #3: # EXIF IFD Entry #3:
>>>(126.L+38) beshort 0x9000 >>>(126.L+38) beshort 0x9000
>>>>(126.L+47) byte x %c >>>>(126.L+47) byte x %c
>>>>(126.L+48) byte x \b.%c >>>>(126.L+48) byte x \b.%c
>>>>(126.L+49) byte !0x30 \b%c >>>>(126.L+49) byte !0x30 \b%c
# IFD 0 Entry #10 # IFD 0 Entry #10
>>130 beshort 0x8769 >>130 beshort 0x8769
# EXIF IFD Entry #3: # EXIF IFD Entry #3:
>>>(138.L+38) beshort 0x9000 >>>(138.L+38) beshort 0x9000
>>>>(138.L+47) byte x %c >>>>(138.L+47) byte x %c
>>>>(138.L+48) byte x \b.%c >>>>(138.L+48) byte x \b.%c
>>>>(138.L+49) byte !0x30 \b%c >>>>(138.L+49) byte !0x30 \b%c
# EXIF IFD Entry #5: # EXIF IFD Entry #5:
>>>(138.L+62) beshort 0x9000 >>>(138.L+62) beshort 0x9000
>>>>(138.L+71) byte x %c >>>>(138.L+71) byte x %c
>>>>(138.L+72) byte x \b.%c >>>>(138.L+72) byte x \b.%c
>>>>(138.L+73) byte !0x30 \b%c >>>>(138.L+73) byte !0x30 \b%c
# IFD 0 Entry #11 # IFD 0 Entry #11
>>142 beshort 0x8769 >>142 beshort 0x8769
# EXIF IFD Entry #4: # EXIF IFD Entry #4:
>>>(150.L+50) beshort 0x9000 >>>(150.L+50) beshort 0x9000
>>>>(150.L+59) byte x %c >>>>(150.L+59) byte x %c
>>>>(150.L+60) byte x \b.%c >>>>(150.L+60) byte x \b.%c
>>>>(150.L+61) byte !0x30 \b%c >>>>(150.L+61) byte !0x30 \b%c
# Here things get sticky. We can do ONE MORE marker segment with # Here things get sticky. We can do ONE MORE marker segment with
# indirect addressing, and that's all. It would be great if we could # indirect addressing, and that's all. It would be great if we could
# do pointer arithemetic like in an assembler language. Christos? # do pointer arithemetic like in an assembler language. Christos?
...@@ -239,12 +238,4 @@ ...@@ -239,12 +238,4 @@
>>(4.S+6) byte x \b, precision %d >>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx >>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d >>(4.S+9) beshort x \b%d
# I've commented-out quantisation table reporting. I doubt anyone cares yet.
#>(4.S+5) byte 0xDB \b, quantisation table
#>>(4.S+6) beshort x \b length=%d
#>14 beshort x \b, %d x
#>16 beshort x \b %d
0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50}
>27 string !8888888888\n {invalid}
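Review bot: In the PC bitmap signature of this section, moving the `PC bitmap,` text onto the two-byte `0 string BM` line gives the match a description even when the header size at offset 14 is none of 12, 64, 40 or 128, so none of the nested `{invalid}` checks ever runs. Two bytes is a weak anchor when scanning arbitrary firmware, and if matches with an empty description were previously dropped, this change raises the false-positive rate. Rejecting unknown header sizes explicitly would keep the shorter descriptions while restoring the filter. The nested form below uses only constructs already present in these files and assumes nested levels are evaluated as in file(1).

```magic
0       string      BM          PC bitmap,
# Reject header sizes that match none of the known BMP variants
>14     leshort     !12
>>14    leshort     !64
>>>14   leshort     !40
>>>>14  leshort     !128        {invalid}
# … unchanged: per-format header and dimension checks …
```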
...@@ -5,16 +5,15 @@ ...@@ -5,16 +5,15 @@
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de> # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolás Lichtmaier <nick@debian.org> # and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image
>514 string !HdrS ({invalid}) >514 string !HdrS {invalid}
# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a). # Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries. # Commonly found in decompressed embedded kernel binaries.
0 string Linux\ version\ Linux kernel version 0 string Linux\x20version\x20 Linux kernel version
>14 byte 0 {invalid} >14 byte 0 {invalid}
>14 byte !0 >14 byte !0
>>14 string x "%s >>14 string x "%s"
>>45 string x \b%s"
# eCos kernel exception handlers # eCos kernel exception handlers
# #
...@@ -26,13 +25,13 @@ ...@@ -26,13 +25,13 @@
# lw $k1, 0($k1) # lw $k1, 0($k1)
# jr $k1 # jr $k1
# nop # nop
0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL, 0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL,
>14 leshort !0x3C1B {invalid} >14 leshort !0x3C1B {invalid}
>18 leshort !0x277B {invalid} >18 leshort !0x277B {invalid}
>12 leshort x exception vector table base address: 0x%.4X >12 uleshort x exception vector table base address: 0x%.4X
>16 leshort x \b%.4X >16 uleshort x \b%.4X
0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS, 0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS,
>12 beshort !0x3C1B {invalid} >12 beshort !0x3C1B {invalid}
>16 beshort !0x277B {invalid} >16 beshort !0x277B {invalid}
>14 beshort x exception vector table base address: 0x%.4X >14 ubeshort x exception vector table base address: 0x%.4X
>18 beshort x \b%.4X >18 ubeshort x \b%.4X
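Review bot: The new `>>14 string x "%s"` line in the Linux kernel version signature prints an unbounded string taken straight from the scanned data, where the rule it replaces emitted the text in two pieces. Other signatures on this page cap the length (`%.4s`, `%.3s`). Unless the parser already limits string length, a precision here, for example `>>14 string x "%.128s"` (value chosen for illustration), would stop a blob with no nearby terminator from producing an oversized result line. The eCos `"%s"` references earlier in the commit have the same shape.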
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -2,9 +2,9 @@ ...@@ -2,9 +2,9 @@
# $File: pdf,v 1.6 2009/09/19 16:28:11 christos Exp $ # $File: pdf,v 1.6 2009/09/19 16:28:11 christos Exp $
# pdf: file(1) magic for Portable Document Format # pdf: file(1) magic for Portable Document Format
# #
0 string %PDF- PDF document, 0 string %PDF- PDF document,
>6 byte !0x2e {invalid} >6 byte !0x2e {invalid}
>5 string x version: "%3s" >5 string x version: "%3s"
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $ # $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $
...@@ -25,18 +25,18 @@ ...@@ -25,18 +25,18 @@
0 string LinuxGuestRecord Xen saved domain file 0 string LinuxGuestRecord Xen saved domain file
0 string \x3chtml HTML document header{extract-delay:HTML document footer} 0 string \x3chtml HTML document header
>5 byte !0x20 >5 byte !0x20
>>5 byte !0x3e \b, {invalid} >>5 byte !0x3e {invalid}
0 string \x3cHTML HTML document header{extract-delay:HTML document footer} 0 string \x3cHTML HTML document header
>5 byte !0x20 >5 byte !0x20
>>5 byte !0x3e \b, {invalid} >>5 byte !0x3e {invalid}
0 string \x3c/html\x3e HTML document footer{offset-adjust:7} 0 string \x3c/html\x3e HTML document footer
0 string \x3c/HTML\x3e HTML document footer{offset-adjust:7} 0 string \x3c/HTML\x3e HTML document footer
0 string \x3c?xml\x20version XML document, 0 string \x3c?xml\x20version XML document,
>15 string x version: "%.3s" >15 string x version: "%.3s"
# CodeGate 2011 http://nopsrus.blogspot.com/2013/05/codegate-ctf-2011-binary-100-points.html # CodeGate 2011 http://nopsrus.blogspot.com/2013/05/codegate-ctf-2011-binary-100-points.html
0 string \x23\x40\x7e\x5e Windows Script Encoded Data (screnc.exe) 0 string \x23\x40\x7e\x5e Windows Script Encoded Data (screnc.exe)
...@@ -57,13 +57,13 @@ ...@@ -57,13 +57,13 @@
>63 string x \b%s" >63 string x \b%s"
0 string begin\x20 uuencoded data, 0 string begin\x20 uuencoded data,
>9 byte !0x20 {invalid} format, >9 byte !0x20 {invalid}invalid format,
>6 byte <0x30 {invalid} permissions, >6 byte <0x30 {invalid}invalid permissions,
>6 byte >0x39 {invalid} permissions, >6 byte >0x39 {invalid}invalid permissions,
>7 byte <0x30 {invalid} permissions, >7 byte <0x30 {invalid}invalid permissions,
>7 byte >0x39 {invalid} permissions, >7 byte >0x39 {invalid}invalid permissions,
>8 byte <0x30 {invalid} permissions, >8 byte <0x30 {invalid}invalid permissions,
>8 byte >0x39 {invalid} permissions, >8 byte >0x39 {invalid}invalid permissions,
>10 string x file name: "%s", >10 string x file name: "%s",
>6 string x file permissions: "%.3s" >6 string x file permissions: "%.3s"
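Review bot: The permission-digit checks in the uuencode signature still accept `8` and `9`, because the upper bound on bytes 6, 7 and 8 is `>0x39`, while a uuencode mode is octal. Tightening each to `>0x37`, e.g. `>6 byte >0x37 {invalid}invalid permissions,` and the same for offsets 7 and 8, rejects headers that cannot be real. The magic is only the six bytes `begin\x20`, which is common in text embedded in firmware, so these range checks are what keep the signature from firing on prose.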
...@@ -4,88 +4,88 @@ ...@@ -4,88 +4,88 @@
# Pcap-ng files can contain multiple sections. Printing the endianness, # Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading. # snaplen, or other information from the first SHB may be misleading.
# #
0 string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d Pcap-ng capture file, big-endian, 0 string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d Pcap-ng capture file, big-endian,
>12 beshort x version %d >12 beshort x version %d
>14 beshort x \b.%d >14 beshort x \b.%d
0 string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a Pcap-ng capture file, little-endian, 0 string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a Pcap-ng capture file, little-endian,
>12 leshort x version %d >12 leshort x version %d
>14 leshort x \b.%d >14 leshort x \b.%d
# #
# "libpcap" capture files. # "libpcap" capture files.
# #
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian, 0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
>4 beshort >2 {invalid} >4 beshort >2 {invalid}
>4 beshort x version %d >4 beshort x version %d
>6 beshort x \b.%d, >6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation >20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet >20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet >20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25 >20 belong 3 (AX.25
>20 belong 4 (ProNET >20 belong 4 (ProNET
>20 belong 5 (CHAOS >20 belong 5 (CHAOS
>20 belong 6 (Token Ring >20 belong 6 (Token Ring
>20 belong 7 (BSD ARCNET >20 belong 7 (BSD ARCNET
>20 belong 8 (SLIP >20 belong 8 (SLIP
>20 belong 9 (PPP >20 belong 9 (PPP
>20 belong 10 (FDDI >20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM >20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP >20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP >20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP >20 belong 14 (BSD/OS PPP
>20 belong 19 (Linux ATM Classical IP >20 belong 19 (Linux ATM Classical IP
>20 belong 50 (PPP or Cisco HDLC >20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet >20 belong 51 (PPP-over-Ethernet
>20 belong 99 (Symantec Enterprise Firewall >20 belong 99 (Symantec Enterprise Firewall
>20 belong 100 (RFC 1483 ATM >20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP >20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP >20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP >20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC >20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11 >20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM >20 belong 106 (Linux Classical IP over ATM
>20 belong 107 (Frame Relay >20 belong 107 (Frame Relay
>20 belong 108 (OpenBSD loopback >20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPsec encrypted >20 belong 109 (OpenBSD IPsec encrypted
>20 belong 112 (Cisco HDLC >20 belong 112 (Cisco HDLC
>20 belong 113 (Linux "cooked" >20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk >20 belong 114 (LocalTalk
>20 belong 117 (OpenBSD PFLOG >20 belong 117 (OpenBSD PFLOG
>20 belong 119 (802.11 with Prism header >20 belong 119 (802.11 with Prism header
>20 belong 122 (RFC 2625 IP over Fibre Channel >20 belong 122 (RFC 2625 IP over Fibre Channel
>20 belong 123 (SunATM >20 belong 123 (SunATM
>20 belong 127 (802.11 with radiotap header >20 belong 127 (802.11 with radiotap header
>20 belong 129 (Linux ARCNET >20 belong 129 (Linux ARCNET
>20 belong 138 (Apple IP over IEEE 1394 >20 belong 138 (Apple IP over IEEE 1394
>20 belong 140 (MTP2 >20 belong 140 (MTP2
>20 belong 141 (MTP3 >20 belong 141 (MTP3
>20 belong 143 (DOCSIS >20 belong 143 (DOCSIS
>20 belong 144 (IrDA >20 belong 144 (IrDA
>20 belong 147 (Private use 0 >20 belong 147 (Private use 0
>20 belong 148 (Private use 1 >20 belong 148 (Private use 1
>20 belong 149 (Private use 2 >20 belong 149 (Private use 2
>20 belong 150 (Private use 3 >20 belong 150 (Private use 3
>20 belong 151 (Private use 4 >20 belong 151 (Private use 4
>20 belong 152 (Private use 5 >20 belong 152 (Private use 5
>20 belong 153 (Private use 6 >20 belong 153 (Private use 6
>20 belong 154 (Private use 7 >20 belong 154 (Private use 7
>20 belong 155 (Private use 8 >20 belong 155 (Private use 8
>20 belong 156 (Private use 9 >20 belong 156 (Private use 9
>20 belong 157 (Private use 10 >20 belong 157 (Private use 10
>20 belong 158 (Private use 11 >20 belong 158 (Private use 11
>20 belong 159 (Private use 12 >20 belong 159 (Private use 12
>20 belong 160 (Private use 13 >20 belong 160 (Private use 13
>20 belong 161 (Private use 14 >20 belong 161 (Private use 14
>20 belong 162 (Private use 15 >20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header >20 belong 163 (802.11 with AVS header
>20 belong >163 ({invalid} link layer >20 belong >163 {invalid}(invalid link layer
>20 belong <0 ({invalid} link layer >20 belong <0 {invalid}(invalid link layer
>16 belong x \b, snaplen: %d) >16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian, 0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
>4 leshort >2 {invalid} >4 leshort >2 {invalid}
>4 leshort <0 {invalid} >4 leshort <0 {invalid}
>4 leshort x version %d >4 leshort x version %d
>6 leshort x \b.%d, >6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation >20 lelong 0 (No link-layer encapsulation
...@@ -148,7 +148,7 @@ ...@@ -148,7 +148,7 @@
>20 lelong 161 (Private use 14 >20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15 >20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header >20 lelong 163 (802.11 with AVS header
>20 lelong >163 ({invalid} link layer >20 lelong >163 {invalid}(invalid link layer
>20 lelong <0 ({invalid} link layer >20 lelong <0 {invalid}(invalid link layer
>16 lelong x \b, snaplen: %d) >16 lelong x \b, snaplen: %d)
...@@ -5,26 +5,26 @@ ...@@ -5,26 +5,26 @@
# From: "Marty Leisner" <mleisner@eng.mc.xerox.com> # From: "Marty Leisner" <mleisner@eng.mc.xerox.com>
# Recognize some MySQL files. # Recognize some MySQL files.
# #
0 beshort 0xfe01 MySQL table definition file 0 beshort 0xfe01 MySQL table definition file
>2 string <1 {invalid} >2 ubyte <1 {invalid}
>2 string >\11 {invalid} >2 ubyte >11 {invalid}
>2 byte x Version %d >2 byte x Version %d
0 string \xfe\xfe\x03 MySQL MISAM index file 0 string \xfe\xfe\x03 MySQL MISAM index file
>3 string <1 {invalid} >3 ubyte <1 {invalid}
>3 string >\11 {invalid} >3 ubyte >11 {invalid}
>3 byte x Version %d >3 byte x Version %d
0 string \xfe\xfe\x07 MySQL MISAM compressed data file 0 string \xfe\xfe\x07 MySQL MISAM compressed data file
>3 string <1 {invalid} >3 ubyte <1 {invalid}
>3 string >\11 {invalid} >3 ubyte >11 {invalid}
>3 byte x Version %d >3 byte x Version %d
0 string \xfe\xfe\x05 MySQL ISAM index file 0 string \xfe\xfe\x05 MySQL ISAM index file
>3 string <1 {invalid} >3 ubyte <1 {invalid}
>3 string >\11 {invalid} >3 ubyte >11 {invalid}
>3 byte x Version %d >3 byte x Version %d
0 string \xfe\xfe\x06 MySQL ISAM compressed data file 0 string \xfe\xfe\x06 MySQL ISAM compressed data file
>3 string <1 {invalid} >3 ubyte <1 {invalid}
>3 string >\11 {invalid} >3 ubyte >11 {invalid}
>3 byte x Version %d >3 byte x Version %d
#0 string \376bin MySQL replication log #0 string \376bin MySQL replication log
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
...@@ -32,9 +32,10 @@ ...@@ -32,9 +32,10 @@
# From Ken Guest <ken@linux.ie> # From Ken Guest <ken@linux.ie>
# As observed from iRivNavi.iDB and unencoded firmware # As observed from iRivNavi.iDB and unencoded firmware
# #
0 string iRivDB iRiver Database file 0 string iRivDB iRiver Database file
>11 string >\0 Version "%s" >11 byte !0
>39 string iHP-100 [H Series] >>11 string x Version "%s"
#>39 string iHP-100 [H Series]
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# SQLite database files # SQLite database files
...@@ -49,7 +50,7 @@ ...@@ -49,7 +50,7 @@
# Version 3 of SQLite allows applications to embed their own "user version" # Version 3 of SQLite allows applications to embed their own "user version"
# number in the database. Detect this and distinguish those files. # number in the database. Detect this and distinguish those files.
0 string SQLite\x20format\x203 0 string SQLite\x20format\x203 SQLite 3.x database,
>60 string _MTN Monotone source repository >60 string _MTN monotone source repository
>60 belong !0 SQLite 3.x database, user version %u >60 ubelong !0 \b, user version %u
>60 belong 0 SQLite 3.x database
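Review bot: In the MySQL signatures at the top of this section, the upper bound changes value as well as type: under file(1) escape rules `>\11` in a string test is an octal escape (decimal 9), while the new `ubyte >11` is decimal 11. If 11 is the intended maximum, a short comment above the checks would record it, e.g. `# version byte must be in 1..11`; if the old limit was intended, the test should read `>9`. This applies to all five MySQL entries. These signatures match on only two or three magic bytes, so the range check is the main false-positive filter and the bound is worth pinning down.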