Commit 43ddf9b9 authored Nov 07, 2014 by devttys0
Fixed extraction bug; prettified magic files
parent d95e015d
Showing 12 changed files with 327 additions and 341 deletions
src/binwalk/core/magic.py +1 -0
src/binwalk/magic/console +10 -14
src/binwalk/magic/crypto +15 -12
src/binwalk/magic/executables +60 -64
src/binwalk/magic/filesystems +145 -140
src/binwalk/magic/firmware +50 -56
src/binwalk/magic/images +5 -14
src/binwalk/magic/kernels +7 -8
src/binwalk/magic/lzma +0 -0
src/binwalk/magic/misc +13 -13
src/binwalk/magic/network +4 -4
src/binwalk/magic/sql +17 -16
src/binwalk/core/magic.py
...
...
@@ -23,6 +23,7 @@ class SignatureResult(object):
self
.
strlen
=
0
self
.
string
=
False
self
.
invalid
=
False
self
.
extract
=
True
# These are set by code internally
self
.
file
=
None
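Review bot: `self.extract = True` in the `SignatureResult` attribute block has no comment saying what it controls or what clears it, and it sits with `strlen`, `string` and `invalid` above the "# These are set by code internally" marker. Add a one-line comment on its meaning, and since the commit message says this fixes an extraction bug, a test that covers a result where `extract` ends up false.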
...
...
src/binwalk/magic/console
...
...
@@ -4,8 +4,9 @@
#------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
#
0x104 belong 0xCEED6666 Gameboy ROM,
>0x134 string >\0 name: "%.16s"
0x104 ubelong 0xCEED6666 Gameboy ROM,
>0x134 byte !0
>>0x134 string x name: "%.16s"
>0x146 byte 0x03 \b,[SGB]
>0x147 byte 0x00 \b, [ROM ONLY]
>0x147 byte 0x01 \b, [ROM+MBC1]
...
...
@@ -56,8 +57,9 @@
# genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format
#
0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump,
>0x120 string x Name: "%.16s"
>0x110 string >\0 "%.16s"
>0x120 string x Name: "%.16s",
>0x110 byte !0
>>0x110 string x "%.16s",
>0x1B0 string RA with SRAM
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
...
...
@@ -68,7 +70,7 @@
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0
string PS-X\ EXE
Sony Playstation executable
0
string PS-X\x20EXE
Sony Playstation executable
# Area:
>113 string x (%s)
...
...
@@ -77,17 +79,11 @@
0 string XBEH Microsoft Xbox executable (XBE),
## probabilistic checks whether signed or not
>0x0004 ulelong =0x0
>>2 ulelong !0x0 \b, {invalid}
>>2 ulelong =0x0
>>>2 ulelong !0x0 \b, {invalid}
>>>2 ulelong =0x0 \b, not signed
>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>2 ulelong =0x0 \b, {invalid}
>>2 ulelong >0
>>>2 ulelong =0x0 \b, {invalid}
>>>2 ulelong >0 \b, signed
>0x0104 lelong <0 \b, {invalid} base address
>>2 ulelong >0 \b, signed
## expect base address of 0x10000
>0x0104 ulelong !0x10000 {invalid}
>0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007
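Review bot: the signed/not-signed check under `&gt;0x0004` has no branch left for the mismatch case. `&gt;&gt;2 ulelong =0x0 \b, not signed` and `&gt;&gt;2 ulelong &gt;0 \b, signed` print nothing when one field is zero and the other is not, and no line tags that header `{invalid}` any more. If dropping the rejection is intended, say so under the "## probabilistic checks whether signed or not" comment; otherwise keep one `{invalid}` line per branch.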
...
...
src/binwalk/magic/crypto
...
...
@@ -10,7 +10,9 @@
# From: Nicolas Collignon <tsointsoin@gmail.com>
0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key,
>28 string >\0 version "%s"
>28 byte !0
>>28 string x version "%s"
>28 byte 0 {invalid}
0 string ssh-dss\x20 OpenSSH DSA public key
0 string ssh-rsa\x20 OpenSSH RSA public key
...
...
@@ -18,12 +20,12 @@
# Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com>
0 string \x30\x82 Private key in DER format (PKCS#8),
>4
string !\x02\x01\x00 {invalid},
>
>2 beshort x
header length: 4, sequence length: %d
>4
string !\x02\x01\x00 {invalid}
>
2 beshort x
header length: 4, sequence length: %d
0 string \x30\x82 Certificate in DER format (x509 v3),
>4
string !\x30\x82 {invalid},
>
>2 beshort x
header length: 4, sequence length: %d
>4
string !\x30\x82 {invalid}
>
2 beshort x
header length: 4, sequence length: %d
# GnuPG
# The format is very similar to pgp
...
...
@@ -66,23 +68,23 @@
>3 byte 16 algorithm: blowfish-256,
>3 byte 100 algorithm: RC6,
>3 byte 101 algorithm: IDEA,
>3
byte <0 {invalid} algorithm
>3
byte >101 {invalid} algorithm,
>3
byte <0 {invalid}
>3
byte >101 {invalid}
>3 byte >16
>>3
byte <100 {invalid} algorithm,
>>3
byte <100 {invalid}
>4 byte 0 mode: CBC,
>4 byte 1 mode: ECB,
>4 byte 2 mode: CFB,
>4 byte 3 mode: OFB,
>4 byte 4 mode: nOFB,
>4
byte <0 {invalid} mode,
>4
byte >4 {invalid} mode,
>4
byte <0 {invalid}
>4
byte >4 {invalid}
>5 byte 0 keymode: 8bit
>5 byte 1 keymode: 4bit
>5 byte 2 keymode: SHA-1 hash
>5 byte 3 keymode: MD5 hash
>5
byte <0 {invalid} keymode
>5
byte >3 {invalid} keymode
>5
byte <0 {invalid}
>5
byte >3 {invalid}
#------------------------------------------------------------------------------
# pgp: file(1) magic for Pretty Good Privacy
...
...
@@ -100,3 +102,4 @@
0 string Salted__ OpenSSL encryption, salted,
>8 belong x salt: 0x%X
>12 belong x \b%X
src/binwalk/magic/executables
...
...
@@ -10,8 +10,8 @@
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0
string \177ELF ELF
>4
byte 0 {invalid} class
0
string \177ELF ELF,
>4
byte 0 {invalid}
>4 byte 1 32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used.
>>18 leshort 8
...
...
@@ -26,7 +26,7 @@
>4 byte >2
>>4 byte x unknown ELF class: 0x%X
>5 byte !1
>>5
byte !2 {invalid} byte order
>>5
byte !2 {invalid}
>5 byte 1 LSB
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
...
...
@@ -41,8 +41,8 @@
>>>>36 lelong&0xf0000000 0x40000000 MIPS-V
>>>>36 lelong&0xf0000000 0x60000000 MIPS32
>>>>36 lelong&0xf0000000 0x70000000 MIPS64
>>>>36
lelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
lelong&0xf0000000 0x90000000
MIPS64 rel2
>>>>36
ulelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
ulelong&0xf0000000 0x90000000
MIPS64 rel2
# only for 64-bit
>>>4 byte 2
>>>>48 lelong&0xf0000000 0x00000000 MIPS-I
...
...
@@ -52,8 +52,8 @@
>>>>48 lelong&0xf0000000 0x40000000 MIPS-V
>>>>48 lelong&0xf0000000 0x60000000 MIPS32
>>>>48 lelong&0xf0000000 0x70000000 MIPS64
>>>>48
lelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
lelong&0xf0000000 0x90000000
MIPS64 rel2
>>>>48
ulelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
ulelong&0xf0000000 0x90000000
MIPS64 rel2
>>16 leshort 0 no file type,
>>16 leshort 1 relocatable,
>>16 leshort 2 executable,
...
...
@@ -61,26 +61,23 @@
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16 leshort 4 core file
# Core file detection is not reliable.
#>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) lelong >0 (signal %d),
>>16 leshort &0xff00 processor-specific,
>>16 uleshort &0xff00 processor-specific,
>>18 leshort 0 no machine,
>>18
leshort 1 AT&T WE32100 - {invalid} byte order,
>>18
leshort 2 SPARC - {invalid} byte order,
>>18
leshort 1 AT&T WE32100 - wrong byte order,{invalid}
>>18
leshort 2 SPARC - wrongbyte order,{invalid}
>>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola
>>>36
lelong &0x01000000 68000 - {invalid} byte order,
>>>36
lelong &0x00810000 CPU32 - {invalid} byte order,
>>>36
lelong 0 68020 - {invalid} byte order,
>>18
leshort 5 Motorola 88000 - {invalid} byte order,
>>>36
lelong &0x01000000 68000 - wrong byte order,{invalid}
>>>36
lelong &0x00810000 CPU32 - wrong byte order,{invalid}
>>>36
lelong 0 68020 - wrong byte order,{invalid}
>>18
leshort 5 Motorola 88000 - wrong byte order,{invalid}
>>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860,
>>18 leshort 8 MIPS,
>>18
leshort 9 Amdahl - {invalid} byte order,
>>18
leshort 9 Amdahl - wrong byte order,{invalid}
>>18 leshort 10 MIPS (deprecated),
>>18
leshort 11 RS6000 - {invalid} byte order,
>>18
leshort 15 PA-RISC - {invalid} byte order,
>>18
leshort 11 RS6000 - wrong byte order,{invalid}
>>18
leshort 15 PA-RISC - wrong byte order,{invalid}
>>>50 leshort 0x0214 2.0
>>>48 leshort &0x0008 (LP64),
>>18 leshort 16 nCUBE,
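Review bot: typo in the rewritten SPARC description, `SPARC - wrongbyte order,{invalid}` is missing the space that its siblings have (`AT&T WE32100 - wrong byte order,{invalid}`). Fix it to `wrong byte order` so the output is consistent across the machine types.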
...
...
@@ -94,9 +91,9 @@
>>18 leshort 39 Motorola RCE,
>>18 leshort 40 ARM,
>>18 leshort 41 Alpha,
>>18
leshort 0xa390
IBM S/390 (obsolete),
>>18
uleshort 0xa390
IBM S/390 (obsolete),
>>18 leshort 42 Hitachi SH,
>>18
leshort 43 SPARC V9 - {invalid} byte order,
>>18
leshort 43 SPARC V9 - wrong byte order,{invalid}
>>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 46 Hitachi H8/300,
...
...
@@ -110,8 +107,8 @@
>>18 leshort 62 AMD x86-64,
>>18 leshort 75 Digital VAX,
>>18 leshort 97 NatSemi 32k,
>>18
leshort 0x9026
Alpha (unofficial),
>>20
lelong 0 {invalid}
version
>>18
uleshort 0x9026
Alpha (unofficial),
>>20
lelong 0 {invalid} invalid
version
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB
...
...
@@ -126,8 +123,8 @@
>>>>36 belong&0xf0000000 0x40000000 MIPS-V
>>>>36 belong&0xf0000000 0x60000000 MIPS32
>>>>36 belong&0xf0000000 0x70000000 MIPS64
>>>>36
belong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
belong&0xf0000000 0x90000000
MIPS64 rel2
>>>>36
ubelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>36
ubelong&0xf0000000 0x90000000
MIPS64 rel2
# only for 64-bit
>>>4 byte 2
>>>>48 belong&0xf0000000 0x00000000 MIPS-I
...
...
@@ -137,8 +134,8 @@
>>>>48 belong&0xf0000000 0x40000000 MIPS-V
>>>>48 belong&0xf0000000 0x60000000 MIPS32
>>>>48 belong&0xf0000000 0x70000000 MIPS64
>>>>48
belong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
belong&0xf0000000 0x90000000
MIPS64 rel2
>>>>48
ubelong&0xf0000000 0x80000000
MIPS32 rel2
>>>>48
ubelong&0xf0000000 0x90000000
MIPS64 rel2
>>16 beshort 0 no file type,
>>16 beshort 1 relocatable,
>>16 beshort 2 executable,
...
...
@@ -146,18 +143,18 @@
>>16 beshort 4 core file,
#>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) belong >0 (signal %d),
>>16
beshort &0xff00
processor-specific,
>>16
ubeshort &0xff00
processor-specific,
>>18 beshort 0 no machine,
>>18 beshort 1 AT&T WE32100,
>>18 beshort 2 SPARC,
>>18
beshort 3 Intel 80386 - {invalid} byte order,
>>18
beshort 3 Intel 80386 - wrong byte order,{invalid}
>>18 beshort 4 Motorola
>>>36 belong &0x01000000 68000,
>>>36 belong &0x00810000 CPU32,
>>>36 belong 0 68020,
>>18 beshort 5 Motorola 88000,
>>18
beshort 6 Intel 80486 - {invalid} byte order,
>>18
beshort 7 Intel 80860,
>>18
beshort 6 Intel 80486 - wrong byte order,{invalid}
>>18
beshort 7 Intel 80860 - wrong byte order,{invalid}
>>18 beshort 8 MIPS,
>>18 beshort 9 Amdahl,
>>18 beshort 10 MIPS (deprecated),
...
...
@@ -198,17 +195,18 @@
>>18 beshort 73 Cray NV1,
>>18 beshort 75 Digital VAX,
>>18 beshort 97 NatSemi 32k,
>>18
beshort 0x9026
Alpha (unofficial),
>>18
beshort 0xa390
IBM S/390 (obsolete),
>>18
beshort
0xde3d Ubicom32,
>>20
belong 0 {invalid}
version
>>18
ubeshort 0x9026
Alpha (unofficial),
>>18
ubeshort 0xa390
IBM S/390 (obsolete),
>>18
ubeshort
0xde3d Ubicom32,
>>20
belong 0 {invalid}invalid
version
>>20 belong 1 version 1
>>36 belong 1 MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
# like proper ELF, but extracting the string had bad results.
>4 byte <0x80
>>8 string >\0 ("%s")
>8 string \0
>>8 byte !0
>>>8 string x ("%s")
>8 byte 0
>>7 byte 0 (SYSV)
>>7 byte 1 (HP-UX)
>>7 byte 2 (NetBSD)
...
...
@@ -223,18 +221,18 @@
>>7 byte 11 (Novell Modesto)
>>7 byte 12 (OpenBSD)
>>7 byte 97 (ARM)
>>7
byte 255
(embedded)
>>7
ubyte 255
(embedded)
# Some simple Microsoft executable signatures
0
string MZ\0\0\0\0\0\0 Microsoft
0
string MZ\0\0\0\0\0\0 Microsoft executable,
>0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0
MS-DOS executable
>(0x3c.l) string PE\0\0
portable executable
>(0x3c.l) string !PE\0\0
MS-DOS
>(0x3c.l) string PE\0\0
portable (PE)
0 string MZ Microsoft
0 string MZ Microsoft
executable,
>0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0 {invalid}
>(0x3c.l) string PE\0\0 portable
executable
>(0x3c.l) string PE\0\0 portable
(PE)
#------------------------------------------------------------------------------
...
...
@@ -248,14 +246,13 @@
>4 belong <1 {invalid}
>4 belong >4 {invalid}
>4 belong x version %d,
>4 belong 4
>8 belong x code offset: 0x%.8X,
>12 belong x data segment starts at: 0x%.8X,
>16 belong x bss segment starts at: 0x%.8X,
>20 belong x bss segment ends at: 0x%.8X,
>24 belong x stack size: %d bytes,
>28 belong x relocation records start at: 0x%.8X,
>32 belong x number of reolcation records: %d,
>8 ubelong x code offset: 0x%.8X,
>12 ubelong x data segment starts at: 0x%.8X,
>16 ubelong x bss segment starts at: 0x%.8X,
>20 ubelong x bss segment ends at: 0x%.8X,
>24 ubelong x stack size: %d bytes,
>28 ubelong x relocation records start at: 0x%.8X,
>32 ubelong x number of reolcation records: %d,
>>36 belong&0x1 0x1 ram
>>36 belong&0x2 0x2 gotpic
>>36 belong&0x4 0x4 gzip
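Review bot: the rewritten line `&gt;32 ubelong x number of reolcation records: %d,` carries the "reolcation" typo forward; correct it to "relocation" while the line is being touched. The fields are now `ubelong`, but `stack size` and the record count still format with `%d`; `%u` would match the new type, as the `uleshort` lines with `%u files` in this file do.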
...
...
@@ -274,9 +271,9 @@
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52
leshort
>1 \b, %u files
>52
uleshort
>1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56
leshort
>1 \b, %u registry entries
>56
uleshort
>1 \b, %u registry entries
#------------------------------------------------------------------------------
# motorola: file(1) magic for Motorola 68K and 88K binaries
...
...
@@ -302,22 +299,21 @@
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\x20EXE
Sony Playstation executable
0 string PS-X\x20EXE
Sony Playstation executable,
# Area:
>113 string x
("%s")
>113 string x
"%s"
#------------------------------------------------------------------------------
# cisco: file(1) magic for cisco Systems routers
#
# Most cisco file-formats are covered by the generic elf code
0 string \x85\x01\x14 Cisco IOS microcode,
>7 byte 0 {invalid}
>7 string x for "%s"
#>7 string >\0
#>>7 string x for "%s"
0 string \x85\x01\xcb Cisco IOS experimental microcode,
>7 byte 0 {invalid}
>7 string x for "%s"
#>7 string >\0
#>>7 string x for "%s"
# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
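Review bot: `0 string PS-X\x20EXE` is defined here and also in src/binwalk/magic/console in this same commit, with different output (`"%s"` here, `(%s)` there). If both magic files are loaded, a PlayStation executable matches twice at the same offset; keep the signature in one file and delete the other copy.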
...
...
@@ -450,8 +446,8 @@
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
>8
leshort <0x2911 ({invalid})
>8
leshort >0x2e92 ({invalid})
>8
leshort <0x2911 {invalid}
>8
leshort >0x2e92 {invalid}
0 string HPHP49 HP 49 binary
>8 leshort 0x2911 (ADR)
...
...
@@ -478,8 +474,8 @@
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911
({invalid})
>8 leshort >0x2e92
({invalid})
>8 leshort <0x2911
{invalid}
>8 leshort >0x2e92
{invalid}
0 string \x23!/ Executable script,
>6 byte !0x2F
...
...
src/binwalk/magic/filesystems
...
...
@@ -58,35 +58,35 @@
# TROC file system
0 string TROC TROC filesystem,
>4 lelong x %d file entries
>4
lelong <1 ({invalid})
>4
lelong <1 {invalid}
# PFS file system
0 string PFS/ PFS filesystem,
>4
string x version "%s"
,
>4
string x version %s
,
>14 leshort x %d files
# MPFS file system
0
string MPFS MPFS (Microchip) filesystem
,
0
string MPFS MPFS filesystem, Microchop
,
>4 byte x version %d.
>5 byte x \b%d,
>6 leshort x %d file entries
# cramfs filesystem - russell@coker.com.au
0 lelong
0x28cd3d45 CramFS filesystem, little endian
0 lelong
0x28cd3d45 CramFS filesystem, little endian,
>4 lelong <0 {invalid}
>4 lelong >1073741824 {invalid}
>4
lelong x size
%u
>4
ulelong x size:
%u
>8 lelong &1 version #2
>8 lelong &2 sorted_dirs
>8 lelong &4 hole_support
>32 lelong x CRC 0x%x,
>36
lelong x
edition %u,
>36
ulelong x
edition %u,
>40 lelong <0 {invalid}
>40
lelong x
%u blocks,
>40
ulelong x
%u blocks,
>44 lelong <0 {invalid}
>44
lelong x
%u files
>4
lelong x {jump-to-offset
:%u}
>4
lelong x {file-
size:%u}
>44
ulelong x
%u files
>4
ulelong x {jump
:%u}
>4
ulelong x {
size:%u}
0 belong 0x28cd3d45 CramFS filesystem, big endian
>4 belong <0 {invalid}
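Review bot: typo in the new MPFS description, `MPFS filesystem, Microchop,` should read "Microchip" (the line it replaces has `MPFS (Microchip) filesystem`).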
...
...
@@ -101,8 +101,8 @@
>40 belong x %u blocks,
>44 belong <0 {invalid}
>44 belong x %u files
>4 belong
x {jump-to-offset
:%u}
>4 belong
x {file-
size:%u}
>4 belong
x {jump
:%u}
>4 belong
x {
size:%u}
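Review bot: the big-endian CramFS `{jump:%u}` and `{size:%u}` lines still read offset 4 as signed `belong`, while the little-endian block in the previous hunk was switched to `ulelong` for the same fields. Use `ubelong` here so both byte orders format the size the same way.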
...
...
@@ -113,45 +113,45 @@
# files in between the JFFS2 file systems. This is an unlikely scenario however, and
# the below signatures are much improved in terms of readability and accuracy in the
# vast majority of real world scenarios.
0
leshort 0x1985
JFFS2 filesystem, little endian
>2
leshort
!0xE001
>>2
leshort
!0xE002
>>>2
leshort
!0x2003
>>>>2
leshort
!0x2004
>>>>>2
leshort
!0x2006
>>>>>>2
leshort
!0xE008
>>>>>>>2
leshort !0xE009 \b,
{invalid}
>(4.l)
leshort !0x1985
>>(4.l+1)
leshort !0x1985
>>>(4.l+2)
leshort !0x1985
>>>>(4.l+3)
leshort
!0x1985
>>>>>(4.l)
leshort
!0xFFFF
>>>>>>(4.l+1)
leshort
!0xFFFF
>>>>>>>(4.l+2)
leshort
!0xFFFF
>>>>>>>>(4.l+3)
leshort !0xFFFF \b,
{invalid}
0
uleshort 0x1985
JFFS2 filesystem, little endian
>2
uleshort
!0xE001
>>2
uleshort
!0xE002
>>>2
uleshort
!0x2003
>>>>2
uleshort
!0x2004
>>>>>2
uleshort
!0x2006
>>>>>>2
uleshort
!0xE008
>>>>>>>2
uleshort !0xE009
{invalid}
>(4.l)
uleshort !0x1985
>>(4.l+1)
uleshort !0x1985
>>>(4.l+2)
uleshort !0x1985
>>>>(4.l+3)
uleshort
!0x1985
>>>>>(4.l)
uleshort
!0xFFFF
>>>>>>(4.l+1)
uleshort
!0xFFFF
>>>>>>>(4.l+2)
uleshort
!0xFFFF
>>>>>>>>(4.l+3)
uleshort !0xFFFF
{invalid}
>4 lelong 0 {invalid}
>4 lelong <0 {invalid}
>4
lelong x {one-of-many}{jump-to-offset
:%d}
0
beshort 0x1985
JFFS2 filesystem, big endian
>2
beshort
!0xE001
>>2
beshort
!0xE002
>>>2
beshort
!0x2003
>>>>2
beshort
!0x2004
>>>>>2
beshort
!0x2006
>>>>>>2
beshort
!0xE008
>>>>>>>2
beshort !0xE009 \b,
{invalid}
>(4.L)
beshort !0x1985
>>(4.L+1)
beshort !0x1985
>>>(4.L+2)
beshort
!0x1985
>>>>(4.L+3)
beshort !0x1985
>>>>>(4.L)
beshort
!0xFFFF
>>>>>>(4.L+1)
beshort
!0xFFFF
>>>>>>>(4.L+2)
beshort
!0xFFFF
>>>>>>>>(4.L+3)
beshort !0xFFFF \b,
{invalid}
>4
lelong x {many}{jump
:%d}
0
ubeshort 0x1985
JFFS2 filesystem, big endian
>2
ubeshort
!0xE001
>>2
ubeshort
!0xE002
>>>2
ubeshort
!0x2003
>>>>2
ubeshort
!0x2004
>>>>>2
ubeshort
!0x2006
>>>>>>2
ubeshort
!0xE008
>>>>>>>2
ubeshort !0xE009
{invalid}
>(4.L)
ubeshort !0x1985
>>(4.L+1)
ubeshort !0x1985
>>>(4.L+2)
ubeshort
!0x1985
>>>>(4.L+3)
ubeshort !0x1985
>>>>>(4.L)
ubeshort
!0xFFFF
>>>>>>(4.L+1)
ubeshort
!0xFFFF
>>>>>>>(4.L+2)
ubeshort
!0xFFFF
>>>>>>>>(4.L+3)
ubeshort !0xFFFF
{invalid}
>4 belong 0 {invalid}
>4 belong <0 {invalid}
>4
belong x {one-of-many}{jump-to-offset
:%d}
>4
belong x {many}{jump
:%d}
# Squashfs, big endian
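Review bot: `{many}{jump:%d}` takes the length at offset 4 straight from the image with only `&gt;4 lelong 0 {invalid}` and `&gt;4 lelong &lt;0 {invalid}` (and the `belong` equivalents) in front of it, so any positive value is accepted as a jump distance. The CramFS entry in this file rejects sizes above 1073741824; a comparable upper bound here would keep a corrupt or hostile node header from making the scan skip the rest of the image.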
...
...
@@ -165,21 +165,21 @@
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20
beshort 4 \blzma (non-standard type definition)
,
>>20
beshort 4 \bxz
,
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8
belong x \b{jump-to-offset
:%d}
>>8
belong x \b{file-
size:%d}
>>8
belong x \b{jump
:%d}
>>8
belong x \b{
size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63
bequad x \b{jump-to-offset:%l
ld}
>>63
bequad x \b{file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63
bequad x \b{jump:%
ld}
>>63
bequad x \b{size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40
bequad x \b{jump-to-offset:%l
ld}
>>40
bequad x \b{file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40
bequad x \b{jump:%
ld}
>>40
bequad x \b{size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
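Review bot: the size fields feeding `\b{jump:%d}`, `\b{size:%d}` and the `bequad` `%ld` variants are still signed (`belong`, `bequad`) and this hunk has no `&lt;0 {invalid}` guard on them, so a value with the top bit set comes out as a negative jump or size. Switch them to the unsigned types used elsewhere in this commit or add the guard; the other Squashfs variants below repeat the same lines and need the same change. The commit message should also mention that compression id 4 now prints `xz` instead of `lzma (non-standard type definition)`.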
...
...
@@ -207,18 +207,18 @@
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20
leshort 4 \blzma (non-standard type definition)
,
>>20
leshort 4 \bxz
,
>>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {
file-
size:%d}
>>8 lelong x {size:%d}
>28 leshort 3
>>63 lequad
x size: %l
ld bytes,
>>63 lequad
x {file-size:%l
ld}
>>63 lequad
x size: %
ld bytes,
>>63 lequad
x {size:%
ld}
>28 leshort >3
>>40
lequad x size: %l
ld bytes,
>>40
lequad x {file-size:%l
ld}
>>40
lequad x size: %
ld bytes,
>>40
lequad x {size:%
ld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
...
...
@@ -235,11 +235,11 @@
>28 leshort >3
>>8 ledate x created: %s
>28 leshort <3
>>8 lelong x {jump
-to-offset
:%d}
>>8 lelong x {jump:%d}
>28 leshort 3
>>63 lequad
x {jump-to-offset:%l
ld}
>>63 lequad
x {jump:%
ld}
>28 leshort >3
>>40 lequad x {jump
-to-offset:%l
ld}
>>40 lequad x {jump
:%
ld}
# Squashfs with LZMA compression
0 string sqlz Squashfs filesystem, big endian, lzma compression,
...
...
@@ -257,13 +257,13 @@
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {
file-
size:%d}
>>8 belong x {size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63 bequad
x {file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63 bequad
x {size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40 bequad x {
file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40 bequad x {
size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -280,11 +280,11 @@
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump
-to-offset
:%d}
>>8 belong x {jump:%d}
>28 beshort 3
>>63 bequad x {jump
-to-offset:%l
ld}
>>63 bequad x {jump
:%
ld}
>28 beshort >3
>>40 bequad x {jump
-to-offset:%l
ld}
>>40 bequad x {jump
:%
ld}
# Squashfs 3.3 LZMA signature
0 string qshs Squashfs filesystem, big endian, lzma signature,
...
...
@@ -297,18 +297,18 @@
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20
beshort 4 \blzma (non-standard type definition)
,
>>20
beshort 4 \bxz
,
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {
file-
size:%d}
>>8 belong x {size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63 bequad
x {file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63 bequad
x {size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40 bequad x {
file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40 bequad x {
size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -325,11 +325,11 @@
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump
-to-offset
:%d}
>>8 belong x {jump:%d}
>28 beshort 3
>>63 bequad x {jump
-to-offset:%l
ld}
>>63 bequad x {jump
:%
ld}
>28 beshort >3
>>40 bequad x {jump
-to-offset:%l
ld}
>>40 bequad x {jump
:%
ld}
# Squashfs for DD-WRT
0 string tqsh Squashfs filesystem, big endian, DD-WRT signature,
...
...
@@ -342,18 +342,18 @@
>>20 beshort 1 \bgzip,
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20
beshort 4 \blzma (non-standard type definition)
,
>>20
beshort 4 \bxz
,
>>20 beshort 0 \b{invalid},
>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {
file-
size:%d}
>>8 belong x {size:%d}
>28 beshort 3
>>63 bequad
x size: %l
ld bytes,
>>63 bequad
x {file-size:%l
ld}
>>63 bequad
x size: %
ld bytes,
>>63 bequad
x {size:%
ld}
>28 beshort >3
>>40 bequad x size: %l
l
d bytes,
>>40 bequad x {
file-size:%l
ld}
>>40 bequad x size: %ld bytes,
>>40 bequad x {
size:%
ld}
>4 belong x %d inodes,
>28 beshort >3
>>12 belong x blocksize: %d bytes,
...
...
@@ -370,11 +370,11 @@
>28 beshort >3
>>8 bedate x created: %s
>28 beshort <3
>>8 belong x {jump
-to-offset
:%d}
>>8 belong x {jump:%d}
>28 beshort 3
>>63 bequad x {jump
-to-offset:%l
ld}
>>63 bequad x {jump
:%
ld}
>28 beshort >3
>>40 bequad x {jump
-to-offset:%l
ld}
>>40 bequad x {jump
:%
ld}
# Squashfs for DD-WRT
0 string hsqt Squashfs filesystem, little endian, DD-WRT signature,
...
...
@@ -387,18 +387,18 @@
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20
leshort 4 \blzma (non-standard type definition)
,
>>20
leshort 4 \bxz
,
>>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {
file-
size:%d}
>>8 lelong x {size:%d}
>28 leshort 3
>>63 lequad
x size: %l
ld bytes,
>>63 lequad
x {file-size:%l
ld}
>>63 lequad
x size: %
ld bytes,
>>63 lequad
x {size:%
ld}
>28 leshort >3
>>40 lequad x size: %l
l
d bytes,
>>40 lequad x {
file-size:%l
ld}
>>40 lequad x size: %ld bytes,
>>40 lequad x {
size:%
ld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
...
...
@@ -415,11 +415,11 @@
>28 leshort >3
>>8 ledate x created: %s
>28 leshort <3
>>8 lelong x {jump
-to-offset
:%d}
>>8 lelong x {jump:%d}
>28 leshort 3
>>63 lequad
x {jump-to-offset:%l
ld}
>>63 lequad
x {jump:%
ld}
>28 leshort >3
>>40 lequad x {jump
-to-offset:%l
ld}
>>40 lequad x {jump
:%
ld}
# Non-standard Squashfs signature found on some D-Link routers
0 string shsq Squashfs filesystem, little endian, non-standard signature,
...
...
@@ -432,18 +432,18 @@
>>20 leshort 1 \bgzip,
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20
leshort 4 \blzma (non-standard type definition)
,
>>20
leshort 4 \bxz
,
>>20 leshort 0 \b{invalid},
>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {
file-
size:%d}
>>8 lelong x {size:%d}
>28 leshort 3
>>63 lequad
x size: %l
ld bytes,
>>63 lequad
x {file-size:%l
ld}
>>63 lequad
x size: %
ld bytes,
>>63 lequad
x {size:%
ld}
>28 leshort >3
>>40 lequad x size: %l
l
d bytes,
>>40 lequad x {
file-size:%l
ld}
>>40 lequad x size: %ld bytes,
>>40 lequad x {
size:%
ld}
>4 lelong x %d inodes,
>28 leshort >3
>>12 lelong x blocksize: %d bytes,
...
...
@@ -460,24 +460,24 @@
>28 leshort >3
>>8 ledate x created: %s
>28 leshort <3
>>8 lelong x {jump
-to-offset
:%d}
>>8 lelong x {jump:%d}
>28 leshort 3
>>63 lequad
x {jump-to-offset:%l
ld}
>>63 lequad
x {jump:%
ld}
>28 leshort >3
>>40 lequad x {jump
-to-offset:%l
ld}
>>40 lequad x {jump
:%
ld}
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0
leshort 0xEF53 Linux EXT filesystem,{offset-adjust:-0x438}
>2
leshort >4 {invalid}
state
>2
leshort 3 {invalid}
state
>2
leshort <0 {invalid}
state
>4
leshort >3 {invalid}
error behavior
>4
leshort <0 {invalid}
error behavior
>4
lelong >1 {invalid}
major revision
>4
lelong <0 {invalid}
major revision
0
x438 leshort 0xEF53 Linux EXT filesystem,
>2
leshort >4 {invalid}invalid
state
>2
leshort 3 {invalid}invalid
state
>2
leshort <0 {invalid}invalid
state
>4
leshort >3 {invalid}invalid
error behavior
>4
leshort <0 {invalid}invalid
error behavior
>4
lelong >1 {invalid}invalid
major revision
>4
lelong <0 {invalid}invalid
major revision
>4 lelong x rev %d
>6 leshort x \b.%d
# No journal? ext2
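Review bot: the EXT signature moved from offset 0 with `{offset-adjust:-0x438}` to `0x438 leshort 0xEF53`, but the child tests still use `&gt;2`, `&gt;4` and `&gt;6`. If child offsets share the parent's origin, these now test bytes 2 to 7 of the candidate instead of the superblock fields that follow the magic; shift them by 0x438 or add a comment stating that children are relative to the match. The `{invalid}invalid state` descriptions also lost the space after the tag.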
...
...
@@ -499,23 +499,27 @@
>56 beshort x \b-%04x
>58 belong x \b-%08x
>60 beshort x \b%04x
>64 string >0 \b, volume name "%s"
>64 byte !0
>>64 string x \b, volume name "%s"
#romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong >10000000 {invalid}
>8 belong <1 {invalid}
>8 belong x size: %d bytes,
>16
string x {file-
name:%s}
>16
string x {
name:%s}
>16 string x named "%s"
>8
belong x {file-
size:%d}
>8
belong x {jump-to-offset
:%d}
>8
belong x {
size:%d}
>8
belong x {jump
:%d}
# Wind River MemFS file system, found in some VxWorks devices
0 string owowowowowowowowowowowowowowow Wind River management filesystem,
>30 string !ow {invalid},
>32 belong 1 compressed,
>32 belong 2 plain text,
>32 belong <1 {invalid}
32 belong >2 {invalid}
>36 belong x %d files
# netboot image - Juan Cespedes <cespedes@debian.org>
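Review bot: `32 belong &gt;2 {invalid}` in the Wind River block has no leading `&gt;`, unlike `&gt;32 belong &lt;1 {invalid}` directly above it, so it reads as a new top-level entry at offset 32 rather than a continuation of the `owow...` signature. Add the `&gt;`.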
...
...
@@ -523,11 +527,11 @@
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4
lelong&0xFFFFFF00 !0 unknown mode ({invalid})
>4
lelong&0xFFFFFF00 !0 unknown mode {invalid}
0 string WDK\x202.0\x00 WDK file system, version 2.0{offset-adjust:-18}
18 string WDK\x202.0\x00 WDK file system, version 2.0
0 string CD001 ISO{offset-adjust:-32769}
32769 string CD001 ISO
>6144 string !NSR0 9660 CD-ROM filesystem data,
>6144 string NSR0 UDF filesystem data,
>6148 string 1 version 1.0,
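Review bot: `WDK` and `CD001` moved from offset 0 with `{offset-adjust:...}` to absolute offsets 18 and 32769, but the ISO children (`&gt;6144 string !NSR0`, `&gt;6148 string 1`) are unchanged. Confirm they still land on the same bytes under the new origin and cover it with a sample image in the tests, because `!NSR0` matches on any other bytes and a wrong origin would not fail visibly.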
...
...
@@ -535,13 +539,14 @@
>6148 string 3 version 3.0
>6148 byte >0x33 {invalid} version,
>6148 byte <0x31 {invalid} version,
>38 string >\0 volume name: "%s",
>38 byte !0
>>38 string x volume name: "%s",
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable
# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0 string DOSEMU\0 DOS Emulator image
>0x27E
leshort !0xAA55 \b,
{invalid}
>0x27E
leshort !0xAA55
{invalid}
>0x27E leshort 0xAA55
#offset is 128
>>19 byte 128
...
...
@@ -557,7 +562,8 @@
>40 lelong x \b%d)
0 string COWD\x02 VMWare3 undoable disk image,
>32 string >\0 "%s"
>32 byte !0
>32 string x "%s"
# TODO: Add header validation
0 string VMDK VMware4 disk image
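Review bot: `&gt;32 string x "%s"` is at the same level as the new `&gt;32 byte !0` test, so the string prints whether or not the byte test passed. The other conversions in this commit nest it (`&gt;64 byte !0` followed by `&gt;&gt;64 string x ...`); this one needs `&gt;&gt;32`.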
...
...
@@ -573,10 +579,10 @@
# BSD 2.x file system image; used in RetroBSD for PIC32.
0 string FS\x3C\x3C BSD 2.x filesystem,
>1020
string !\x3E\x3EFS {invalid}
(missing FSMAGIC2),
>8
lelong x size: {math:%d*1024}
bytes,
>8
lelong x \b{file-
size:%d*1024}
>8
lelong x \b{jump-to-offset
:%d*1024}
>1020
string !\x3E\x3EFS {invalid}
(missing FSMAGIC2),
>8
lelong x size: %d*1024
bytes,
>8
lelong x {
size:%d*1024}
>8
lelong x {jump
:%d*1024}
>8 lelong x total blocks: %d,
>972 lelong x free blocks: %d,
>968 ledate x last modified: %s
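Review bot: the size line dropped the `{math:...}` wrapper, leaving `size: %d*1024 bytes` in the description and `{size:%d*1024}` / `{jump:%d*1024}` as tags. Unless the tag parser evaluates the expression, the description prints a literal `*1024` and the jump receives a non-numeric value; add a comment saying where the multiplication happens, or keep an explicit evaluation step.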
...
...
@@ -585,15 +591,14 @@
# Simple file system found in Foscam camera firmware
0 beshort 0xbd9a Foscam WebUI filesystem,
>2 leshort x checksum: 0x%X,
>16 lelong
<3 {invalid}
first file name length,
>16 lelong
>127 {invalid}
first file name length,
>20 byte
0 {invalid}
first file name,
>2
u
leshort x checksum: 0x%X,
>16 lelong
<3 {invalid}invalid
first file name length,
>16 lelong
>127 {invalid}invalid
first file name length,
>20 byte
0 {invalid}invalid
first file name,
>20 byte !0x2E
>>20 byte !0x2F
>>>20 byte <65 {invalid} first file name,
>>>20 byte >122 {invalid} first file name,
>20 byte x first file name: {raw-replace}
>16 lelong x {raw-string-length:%d}
>20 string x {raw-string:%s}
>>>20 byte <65 {invalid}invalid first file name,
>>>20 byte >122 {invalid}invalid first file name,
>16 lelong x {strlen:%d}
>20 string x first file name: "{string}"
src/binwalk/magic/firmware
...
...
@@ -11,8 +11,7 @@
>16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X,
#>28 byte x OS type: %d,
>28 byte 0 OS: {invalid} OS,
>28 byte 0 OS: {invalid}invalid OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
...
...
@@ -33,8 +32,7 @@
>28 byte 18 OS: RTEMS,
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
#>29 byte x CPU arch: %d,
>29 byte 0 CPU: {invalid} OS,
>29 byte 0 CPU: {invalid}invalid CPU,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
...
...
@@ -63,7 +61,6 @@
>30 byte 6 image type: Script file,
>30 byte 7 image type: Filesystem Image,
>30 byte 8 image type: Binary Flat Device Tree Blob
#>31 byte x compression type: %d,
>31 byte 0 compression type: none,
>31 byte 1 compression type: gzip,
>31 byte 2 compression type: bzip2,
...
...
@@ -95,17 +92,17 @@
0 string HDR0 TRX firmware header, little endian, header size: 28 bytes,
>4 lelong <1 {invalid}
>4 lelong x image size: %d bytes,
>8
lelong x
CRC32: 0x%X
>12
leshort x
flags: 0x%X,
>14
leshort >5
{invalid}
>8
ulelong x
CRC32: 0x%X
>12
uleshort x
flags: 0x%X,
>14
uleshort >5
{invalid}
>14 leshort x version: %d
0 string 0RDH TRX firmware header, big endian, header size: 28 bytes,
>4 belong <1 {invalid}
>4 belong x image size: %d bytes,
>8
belong x
CRC32: 0x%X
>12
beshort x
flags: 0x%X,
>14
beshort >5
{invalid}
>8
ubelong x
CRC32: 0x%X
>12
ubeshort x
flags: 0x%X,
>14
ubeshort >5
{invalid}
>14 beshort x version: %d
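Review bot: the `>14` range check in both TRX entries is now `uleshort`/`ubeshort >5`, but the `>14 leshort x version: %d` and `>14 beshort x version: %d` lines that print the same field are still signed. Switch those to the unsigned types as well so the field is read one way throughout. While prettifying, note that `CRC32: 0x%X` has no trailing comma in either entry, so it will run straight into `flags:` in the output.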
...
...
@@ -139,22 +136,22 @@
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22
byte x
body checksum: 0x%X,
>23
byte x
header checksum: 0x%X
>22
ubyte x
body checksum: 0x%X,
>23
ubyte x
header checksum: 0x%X
# Linksys WRT54GX ROME image
0 belong 0x59a0e842 Realtek firmware header, ROME bootloader,
>4
beshort
0xd92f image type: KFS,
>4
beshort
0xb162 image type: RDIR,
>4
beshort
0xea43 image type: BOOT,
>4
beshort
0x8dc9 image type: RUN,
>4
beshort
0x2a05 image type: CCFG,
>4
beshort
0x6ce8 image type: DCFG,
>4
beshort
0xc371 image type: LOG,
>4
ubeshort
0xd92f image type: KFS,
>4
ubeshort
0xb162 image type: RDIR,
>4
ubeshort
0xea43 image type: BOOT,
>4
ubeshort
0x8dc9 image type: RUN,
>4
ubeshort
0x2a05 image type: CCFG,
>4
ubeshort
0x6ce8 image type: DCFG,
>4
ubeshort
0xc371 image type: LOG,
>6 byte x header version: %d,
>10 ubyte >12 {invalid} month
>12 ubyte >31 {invalid} day
>8 ubyte >3000 {invalid} year
>10 ubyte >12 {invalid}
invalid
month
>12 ubyte >31 {invalid}
invalid
day
>8 ubyte >3000 {invalid}
invalid
year
#month
>10 byte x created: %d/
#day
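Review bot: the year check `>8 ubyte >3000 {invalid}` in the Realtek ROME entry can never fire, because a `ubyte` tops out at 255. The year is printed from `>8 beshort x` a few lines up, so the check should read the same 16-bit field, e.g. `>8 ubeshort >3000`. The edit only adds the word "invalid" to the message and leaves the dead comparison in place.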
...
...
@@ -168,8 +165,8 @@
# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0 string --PaCkImGs-- PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16
lelong
>0x20000000
>>16
belong >0x20000000
{invalid}
>16
ulelong
>0x20000000
>>16
ubelong >0x20000000
{invalid}
>16 lelong <0
>>16 belong <0 {invalid}
>16 lelong >0
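Review bot: with the `>16` size test now unsigned (`ulelong >0x20000000` nested with `ubelong >0x20000000`), the unchanged `>16 lelong <0` / `>>16 belong <0 {invalid}` pair below it is redundant. Any value that is negative as a signed 32-bit integer in both byte orders is already above 0x20000000 as unsigned in both, so the first test rejects it. Drop the signed pair, and fix "somtimes" in the comment while the file is being tidied.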
...
...
@@ -243,20 +240,19 @@
#http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167
0 string B000FF Windows CE image header,
>7
lelong x I
mage start: 0x%X,
>11
lelong x I
mage length: %d
>7
ulelong x i
mage start: 0x%X,
>11
lelong x i
mage length: %d
#Windows CE RomImage
0 string \x00ECEC Windows CE memory segment header, {offset-adjust:-63}
>4
lelong x
TOC address: 0x%X
63 string \x00ECEC Windows CE memory segment header,
>4
ulelong x
TOC address: 0x%X
# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0 belong x load address 0x%X,
6 string SIG ZynOS header, header size: 48 bytes,
>3 byte <0x7F rom image type:
>>3 byte <1 {invalid},
>>3 byte >7 {invalid},
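Review bot: the `\x00ECEC` and `SIG` signatures move from offset 0 with `{offset-adjust:-63}` / `{offset-adjust:-6}` to literal offsets 63 and 6, but the child lines shown (`>4 ulelong x TOC address`, `>3 byte <0x7F`, `>>3 byte <1`) keep their old offsets. If child offsets are counted from the start of the entry rather than from the matched string, these now read 63 and 6 bytes too early; for ZynOS `>3` would land before the `SIG` bytes. Confirm how the parser resolves child offsets, and shift them by the same amount if they are entry-relative.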
...
...
@@ -272,7 +268,7 @@
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
>4
belong >0x40000000
{invalid}
>4
ubelong >0x40000000
{invalid}
>4 belong <0 {invalid}
>4 belong 0 {invalid}
>4 belong x uncompressed size: %d,
...
...
@@ -280,13 +276,13 @@
>8 belong <0 {invalid}
>8 belong 0 {invalid}
>8 belong x compressed size: %d,
>14
beshort x
uncompressed checksum: 0x%X,
>16
beshort x
compressed checksum: 0x%X,
>12
byte x
flags: 0x%X,
>14
ubeshort x
uncompressed checksum: 0x%X,
>16
ubeshort x
compressed checksum: 0x%X,
>12
ubyte x
flags: 0x%X,
>12 byte &0x40 uncompressed checksum is valid,
>12
byte &0x80
the binary is compressed,
>12
ubyte &0x80
the binary is compressed,
>>12 byte &0x20 compressed checksum is valid,
>35
belong x
memory map table address: 0x%X
>35
ubelong x
memory map table address: 0x%X
# Firmware header used by some VxWorks-based Cisco products
0 string CI032.00 Cisco VxWorks firmware header,
...
...
@@ -366,12 +362,11 @@
# Generic copyright signature
0 string Copyright Copyright string:
>9 byte 0 {invalid}
>0
string x "%s
>63 string x \b%s"
>0
string x "%s"
0 string copyright Copyright string:
>9 byte 0 {invalid}
>0 string x "%s
>63 string x \b%s"
>0 string x "%s"
# Sercomm firmware header
0 string sErCoMm Sercomm firmware signature,
...
...
@@ -388,25 +383,24 @@
>4 lelong <0 {invalid}
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s
>(48.l+121) string x \b%s"
>(48.l+58) string x description: "%s"
# Ubiquiti firmware signatures
0 string UBNT Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 {invalid},
>0x104
belong
x ~CRC32: 0x%X,
>0x104
ubelong
x ~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string x version: "%s"
0 string GEOS Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 {invalid},
>0x104
belong x
~CRC32: 0x%X,
>0x104
ubelong x
~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string x version: "%s"
0 string OPEN Ubiquiti firmware header, third party,
>0x108 belong !0 {invalid},
>0x104
belong x
~CRC32: 0x%X,
>0x104
ubelong x
~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string x version: "%s"
...
...
@@ -445,7 +439,7 @@
>16 belong x header size: %d,
>20 belong <1 {invalid}
>20 belong x image size: %d,
>20
belong x {file-
size:%d}
>20
belong x {
size:%d}
>4 belong <1 {invalid}
>4 belong x kernel offset: %d,
>12 belong <1 {invalid}
...
...
@@ -456,7 +450,7 @@
>16 lelong x header size: %d,
>20 lelong <1 {invalid}
>20 lelong x image size: %d,
>20
lelong x {file-
size:%d}
>20
lelong x {
size:%d}
>4 lelong <1 {invalid}
>4 lelong x kernel offset: %d,
>12 lelong <1 {invalid}
...
...
@@ -472,11 +466,11 @@
>34 byte x \b%d.
>35 byte x \b%d,
>44 belong x size: %d,
>48
belong x
crc: 0x%.8X,
>48
ubelong x
crc: 0x%.8X,
>35 byte x try decryption tool from:
>35 byte x http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
0 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume{offset-adjust:-16}
16 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
...
...
@@ -504,20 +498,20 @@
>0 string x "%s"
# ZyXEL config signatures
0 string dbgarea ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
6 string dbgarea ZyXEL rom-0 configuration block, name: "%s",
>16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d,
>18
beshort x data offset from start of block: {math:16+%d}
>18
beshort x data offset from start of block: %d+16
0 string spt.dat ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
6 string spt.dat ZyXEL rom-0 configuration block, name: "%s",
>16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d,
>18
beshort x data offset from start of block: {math:16+%d}
>18
beshort x data offset from start of block: %d+16
0 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
6 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",
>16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d,
>18
beshort x data offset from start of block: {math:16+%d}
>18
beshort x data offset from start of block: %d+16
# Obfuscated Arcadyan firmware
0x68 belong 0x00D50800 Obfuscated Arcadyan firmware,
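Review bot: replacing `{math:16+%d}` with `%d+16` in the three ZyXEL rom-0 entries means the output carries a literal `+16` after the raw field instead of the computed offset, so anything parsing "data offset from start of block" now has to do the addition itself. If the math tag is being retired, state the field's meaning in the text (for example "data offset: %d, plus 16-byte header") or keep a computed value. The same entries also move the signature to offset 6 while `>14`, `>16` and `>18` are unchanged, and the `name: "%s"` format sits on the signature line, so check that these still resolve to the intended bytes.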
...
...
src/binwalk/magic/images
View file @
43ddf9b9
...
...
@@ -35,7 +35,6 @@
>25 byte 3 colormap,
>25 byte 4 gray+alpha,
>25 byte 6 \b/color RGBA,
#>26 byte 0 deflate/32K,
>28 byte 0 non-interlaced
>28 byte 1 interlaced
...
...
@@ -56,22 +55,22 @@
#>10 byte&0x07 =0x07 256 colors
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM
>14 leshort 12
PC bitmap, OS/2 1.x format
0 string BM
PC bitmap,
>14 leshort 12
OS/2 1.x format,
>>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x
>>20 lelong <1 {invalid}
>>20 lelong >1000000 {invalid}
>>20 leshort x %d
>14 leshort 64
PC bitmap, OS/2 2.x format
>14 leshort 64
OS/2 2.x format,
>>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x
>>20 lelong <1 {invalid}
>>20 lelong >1000000 {invalid}
>>20 leshort x %d
>14 leshort 40
PC bitmap, Windows 3.x format
>14 leshort 40
Windows 3.x format,
>>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid}
>>18 lelong x \b, %d x
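Review bot: moving the description onto the top-level line (`0 string BM PC bitmap,`) means every two-byte `BM` occurrence now produces a result, even when `>14 leshort` matches none of 12, 64, 40 or 128. Before, the bare `0 string BM` printed nothing unless one of the header-size lines matched. In the lines shown there is no catch-all, so add an `{invalid}` line for header sizes outside the known set to keep the false-positive rate where it was.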
...
...
@@ -81,7 +80,7 @@
>>28 lelong <1 {invalid}
>>28 lelong >1000000 {invalid}
>>28 leshort x %d
>14 leshort 128
PC bitmap, Windows NT/2000 format
>14 leshort 128
Windows NT/2000 format,
>>18 lelong >1000000 {invalid}
>>18 lelong <1 {invalid}
>>18 lelong x \b, %d x
...
...
@@ -239,12 +238,4 @@
>>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d
# I've commented-out quantisation table reporting. I doubt anyone cares yet.
#>(4.S+5) byte 0xDB \b, quantisation table
#>>(4.S+6) beshort x \b length=%d
#>14 beshort x \b, %d x
#>16 beshort x \b %d
0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50}
>27 string !8888888888\n {invalid}
src/binwalk/magic/kernels
View file @
43ddf9b9
...
...
@@ -6,15 +6,14 @@
# and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image
>514
string !HdrS ({invalid})
>514
string !HdrS {invalid}
# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries.
0
string Linux\ version\
Linux kernel version
0
string Linux\x20version\x20
Linux kernel version
>14 byte 0 {invalid}
>14 byte !0
>>14 string x "%s
>>45 string x \b%s"
>>14 string x "%s"
# eCos kernel exception handlers
#
...
...
@@ -29,10 +28,10 @@
0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL,
>14 leshort !0x3C1B {invalid}
>18 leshort !0x277B {invalid}
>12
leshort x
exception vector table base address: 0x%.4X
>16
leshort x
\b%.4X
>12
uleshort x
exception vector table base address: 0x%.4X
>16
uleshort x
\b%.4X
0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS,
>12 beshort !0x3C1B {invalid}
>16 beshort !0x277B {invalid}
>14
beshort x
exception vector table base address: 0x%.4X
>18
beshort x
\b%.4X
>14
ubeshort x
exception vector table base address: 0x%.4X
>18
ubeshort x
\b%.4X
src/binwalk/magic/lzma
View file @
43ddf9b9
src/binwalk/magic/misc
View file @
43ddf9b9
...
...
@@ -25,15 +25,15 @@
0 string LinuxGuestRecord Xen saved domain file
0
string \x3chtml HTML document header{extract-delay:HTML document footer}
0
string \x3chtml HTML document header
>5 byte !0x20
>>5
byte !0x3e \b,
{invalid}
0
string \x3cHTML HTML document header{extract-delay:HTML document footer}
>>5
byte !0x3e
{invalid}
0
string \x3cHTML HTML document header
>5 byte !0x20
>>5
byte !0x3e \b,
{invalid}
>>5
byte !0x3e
{invalid}
0
string \x3c/html\x3e HTML document footer{offset-adjust:7}
0
string \x3c/HTML\x3e HTML document footer{offset-adjust:7}
0
string \x3c/html\x3e HTML document footer
0
string \x3c/HTML\x3e HTML document footer
0 string \x3c?xml\x20version XML document,
>15 string x version: "%.3s"
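Review bot: dropping `{extract-delay:HTML document footer}` from the header entries and `{offset-adjust:7}` from the footer entries changes what the footer offset means: it now points at the start of `</html>` instead of just past it. Anything that uses the footer result as the end of the document will cut off the closing tag. Say in the commit message how HTML extraction is bounded after this change, or keep an end-of-tag offset on the footer lines.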
...
...
@@ -57,13 +57,13 @@
>63 string x \b%s"
0 string begin\x20 uuencoded data,
>9 byte !0x20 {invalid} format,
>6 byte <0x30 {invalid} permissions,
>6 byte >0x39 {invalid} permissions,
>7 byte <0x30 {invalid} permissions,
>7 byte >0x39 {invalid} permissions,
>8 byte <0x30 {invalid} permissions,
>8 byte >0x39 {invalid} permissions,
>9 byte !0x20 {invalid}
invalid
format,
>6 byte <0x30 {invalid}
invalid
permissions,
>6 byte >0x39 {invalid}
invalid
permissions,
>7 byte <0x30 {invalid}
invalid
permissions,
>7 byte >0x39 {invalid}
invalid
permissions,
>8 byte <0x30 {invalid}
invalid
permissions,
>8 byte >0x39 {invalid}
invalid
permissions,
>10 string x file name: "%s",
>6 string x file permissions: "%.3s"
src/binwalk/magic/network
View file @
43ddf9b9
...
...
@@ -79,8 +79,8 @@
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>20
belong >163 ({invalid}
link layer
>20
belong <0 ({invalid}
link layer
>20
belong >163 {invalid}(invalid
link layer
>20
belong <0 {invalid}(invalid
link layer
>16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
...
...
@@ -148,7 +148,7 @@
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
>20
lelong >163 ({invalid}
link layer
>20
lelong <0 ({invalid}
link layer
>20
lelong >163 {invalid}(invalid
link layer
>20
lelong <0 {invalid}(invalid
link layer
>16 lelong x \b, snaplen: %d)
src/binwalk/magic/sql
View file @
43ddf9b9
...
...
@@ -6,24 +6,24 @@
# Recognize some MySQL files.
#
0 beshort 0xfe01 MySQL table definition file
>2
string <1
{invalid}
>2
string >\11
{invalid}
>2
ubyte <1
{invalid}
>2
ubyte >11
{invalid}
>2 byte x Version %d
0 string \xfe\xfe\x03 MySQL MISAM index file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
0 string \xfe\xfe\x07 MySQL MISAM compressed data file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
0 string \xfe\xfe\x05 MySQL ISAM index file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
0 string \xfe\xfe\x06 MySQL ISAM compressed data file
>3
string <1
{invalid}
>3
string >\11
{invalid}
>3
ubyte <1
{invalid}
>3
ubyte >11
{invalid}
>3 byte x Version %d
#0 string \376bin MySQL replication log
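Review bot: the upper bound on the MySQL version byte changes value as well as type. Under file(1) escape rules the old `string >\11` compares against an octal escape, byte value 9, while the new `ubyte >11` is decimal 11, so versions 10 and 11 are now accepted in all five entries. If that widening is intended, mention it in the commit message; if not, use `>9`. The `Version %d` lines still read the field as signed `byte`, which is worth aligning with the `ubyte` checks.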
...
...
@@ -33,8 +33,9 @@
# As observed from iRivNavi.iDB and unencoded firmware
#
0 string iRivDB iRiver Database file
>11 string >\0 Version "%s"
>39 string iHP-100 [H Series]
>11 byte !0
>>11 string x Version "%s"
#>39 string iHP-100 [H Series]
#------------------------------------------------------------------------------
# SQLite database files
...
...
@@ -49,7 +50,7 @@
# Version 3 of SQLite allows applications to embed their own "user version"
# number in the database. Detect this and distinguish those files.
0 string
SQLite\x20format\x203
>60 string
_MTN M
onotone source repository
>60
belong !0 SQLite 3.x database
, user version %u
>60 belong 0 SQLite 3.x database
0 string
SQLite\x20format\x203 SQLite 3.x database,
>60 string
_MTN m
onotone source repository
>60
ubelong !0 \b
, user version %u
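Review bot: the top-level SQLite description now ends in a comma (`SQLite 3.x database,`) and the user-version line begins with `\b, user version %u`, so a database with a non-zero user version will print a doubled comma, while one with user version 0 ends on a dangling comma. Drop the comma from one side. Also note that a `_MTN` value at offset 60 is non-zero as a `ubelong`, so both `>60` lines match and the monotone tag is followed by a meaningless user version number; nest the `ubelong !0` test so it is skipped when `_MTN` matches.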