Added JFFS2 plugin to properly validate JFFS2 nodes

src/binwalk/magic/filesystems

@@ -167,14 +167,6 @@
 >>>>>2              uleshort    !0x2006
 >>>>>>2             uleshort    !0xE008
 >>>>>>>2            uleshort    !0xE009     {invalid}
->(4.l)              uleshort    !0x1985        
->>(4.l+1)           uleshort    !0x1985    
->>>(4.l+2)          uleshort    !0x1985    
->>>>(4.l+3)         uleshort    !0x1985
->>>>>(4.l)          uleshort    !0xFFFF
->>>>>>(4.l+1)       uleshort    !0xFFFF
->>>>>>>(4.l+2)      uleshort    !0xFFFF
->>>>>>>>(4.l+3)     uleshort    !0xFFFF     {invalid}
 >4                  lelong      0           {invalid}
 >4                  lelong      <0          {invalid}
 >4                  lelong      x           {many}{jump:%d}
@@ -187,14 +179,6 @@
 >>>>>2              ubeshort    !0x2006
 >>>>>>2             ubeshort    !0xE008
 >>>>>>>2            ubeshort    !0xE009     {invalid}
->(4.L)              ubeshort    !0x1985     
->>(4.L+1)           ubeshort    !0x1985     
->>>(4.L+2)          ubeshort    !0x1985
->>>>(4.L+3)         ubeshort    !0x1985    
->>>>>(4.L)          ubeshort    !0xFFFF
->>>>>>(4.L+1)       ubeshort    !0xFFFF
->>>>>>>(4.L+2)      ubeshort    !0xFFFF
->>>>>>>>(4.L+3)     ubeshort    !0xFFFF     {invalid}
 >4                  belong      0           {invalid}
 >4                  belong      <0          {invalid}
 >4                  belong      x           {many}{jump:%d}

src/binwalk/modules/signature.py

@@ -163,6 +163,7 @@ class Signature(Module):
                 if r.valid and r.jump > 0 and not self.dumb_scan:
                     absolute_jump_offset = r.offset + r.jump
                     current_block_offset = relative_offset + r.jump
+                    #print ("Jumping to: 0x%X (0x%X)..." % (absolute_jump_offset, current_block_offset))
 
                     # If the jump-to-offset is beyond the confines of the current block, seek the file to
                     # that offset and quit processing this block of data.

src/binwalk/plugins/jffs2valid.py

+import binwalk.core.plugin
+import binwalk.core.compat
+from binwalk.core.common import BlockFile
+
+class JFFS2ValidPlugin(binwalk.core.plugin.Plugin):
+    '''
+    Helps validate JFFS2 signature results.
+
+    The JFFS2 signature rules catch obvious cases, but inadvertently
+    mark some valid JFFS2 nodes as invalid due to  padding (0xFF's or
+    0x00's) in between nodes.
+    '''
+    MODULES = ['Signature']
+
+    MAX_DATA_SIZE = 10240
+
+    def _validate(self, data):
+        return data[0:2] in ['\x19\x85', '\x85\x19']
+
+    def scan(self, result):
+        if result.file and result.description.lower().startswith('jffs2 filesystem'):
+
+            # Seek to and read the suspected JFFS2 data
+            fd = self.module.config.open_file(result.file.name, offset=result.offset+result.jump, length=self.MAX_DATA_SIZE)
+            data = fd.read(self.MAX_DATA_SIZE)
+            fd.close()
+
+            # Skip any padding
+            i = 0
+            while i < self.MAX_DATA_SIZE and data[i] in ['\xFF', '\x00']:
+                i += 1
+
+            # Did we get to the end of MAX_DATA_SIZE with nothing but padding? Assume valid.
+            if i == self.MAX_DATA_SIZE:
+                result.valid = True
+            # Else, explicitly check for the JFFS2 signature
+            else:
+                try:
+                    result.valid = self._validate(data[i:i+2])
+                except IndexError:
+                    result.valid = False
+