Commit 427daf6f by dorp

inital commit

.venv
.pyc
__pycache__/
.idea/
.cache/
.pytest_cache/
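Review bot: The `.pyc` entry matches only a file literally named `.pyc`, so bytecode written next to the sources (for example `type.pyc`) is not ignored; the pattern should be `*.pyc`. `__pycache__/` already covers the Python 3 bytecode layout, so the gap shows up only where bytecode is written beside the sources. No file header survives on this page, so this assumes the section is the repository's `.gitignore`.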
from .type import get_file_type_from_path, get_file_type_from_binary
name = "fact_helper_file"
__all__ = [
'get_file_type_from_path',
'get_file_type_from_binary'
]
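Review bot: The module-level `name = "fact_helper_file"` is left out of `__all__` and nothing visible here says what it is for; it looks like packaging metadata that has ended up in the package namespace. If nothing imports it, drop it or move it to the packaging configuration. The module also has no docstring; a one-line summary such as `"""Helpers for determining the file type of a path or an in-memory binary."""` would tell callers what the two re-exported functions do. That wording is inferred from the function names, since `.type` is not shown on this page.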
# ====================== archives ======================
# cpio archives
# original code from file repository
0 short 070707 cpio archive
!:mime application/x-cpio
0 short 0143561 byte-swapped cpio archive
!:mime application/x-cpio # encoding: swapped
0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
!:mime application/x-cpio
0 string 070701 ASCII cpio archive (SVR4 with no CRC)
!:mime application/x-cpio
0 string 070702 ASCII cpio archive (SVR4 with CRC)
!:mime application/x-cpio
# ====================== bootloader ======================
# ---- uImage file ----
# original code from binwalk
# From: Craig Heffner, U-Boot image.h header definitions file
0 belong 0x27051956 uImage header, header size: 64 bytes,
!:mime firmware/u-boot
>4 ubelong x header CRC: 0x%X,
>8 bedate x created: %s,
>12 belong <1 {invalid}
>12 ubelong x image size: %d bytes,
>16 ubelong x Data Address: 0x%X,
>20 ubelong x Entry Point: 0x%X,
>24 ubelong x data CRC: 0x%X,
>28 byte 0 OS: {invalid}invalid OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
>28 byte 4 OS: 4.4BSD,
>28 byte 5 OS: Linux,
>28 byte 6 OS: SVR4,
>28 byte 7 OS: Esix,
>28 byte 8 OS: Solaris,
>28 byte 9 OS: Irix,
>28 byte 10 OS: SCO,
>28 byte 11 OS: Dell,
>28 byte 12 OS: NCR,
>28 byte 13 OS: LynxOS,
>28 byte 14 OS: VxWorks,
>28 byte 15 OS: pSOS,
>28 byte 16 OS: QNX,
>28 byte 17 OS: Firmware,
>28 byte 18 OS: RTEMS,
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
>29 byte 0 CPU: {invalid}invalid CPU,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
>29 byte 4 CPU: IA64,
>29 byte 5 CPU: MIPS,
>29 byte 6 CPU: MIPS 64 bit,
>29 byte 7 CPU: PowerPC,
>29 byte 8 CPU: IBM S390,
>29 byte 9 CPU: SuperH,
>29 byte 10 CPU: Sparc,
>29 byte 11 CPU: Sparc 64 bit,
>29 byte 12 CPU: M68K,
>29 byte 13 CPU: Nios-32,
>29 byte 14 CPU: MicroBlaze,
>29 byte 15 CPU: Nios-II,
>29 byte 16 CPU: Blackfin,
>29 byte 17 CPU: AVR,
>29 byte 18 CPU: STMicroelectronics ST200,
#>30 byte x image type: %d,
>30 byte 0 image type: {invalid} Image,
>30 byte 1 image type: Standalone Program,
>30 byte 2 image type: OS Kernel Image,
>30 byte 3 image type: RAMDisk Image,
>30 byte 4 image type: Multi-File Image,
>30 byte 5 image type: Firmware Image,
>30 byte 6 image type: Script file,
>30 byte 7 image type: Filesystem Image,
>30 byte 8 image type: Binary Flat Device Tree Blob
>31 byte 0 compression type: none,
>31 byte 1 compression type: gzip,
>31 byte 2 compression type: bzip2,
>31 byte 3 compression type: lzma,
>32 string x image name: "%s"
# U-Boot boot loader
# original code from binwalk
0 string U-Boot\x20 U-Boot version string,
!:mime bootloader/u-boot
>7 byte <48 {invalid}
>7 byte >57 {invalid}
>8 byte !0x2E {invalid}
>0 string x "%s"
# CFE bootloader
# original code from binwalk
0 string CFE1 CFE boot loader
!:mime bootloader/cfe
>4 string !CFE1 {invalid}
>40 string CFE1CFE1 {invalid}
# ====================== compressed streams ======================
# Type: LZMA
0 lelong&0xffffff =0x5d
>12 leshort 0xff LZMA compressed data,
!:mime application/x-lzma
>>5 lequad =0xffffffffffffffff streamed
>>5 lequad !0xffffffffffffffff non-streamed, size %lld
>12 leshort 0 LZMA compressed data,
!:mime application/x-lzma
>>5 lequad =0xffffffffffffffff streamed
>>5 lequad !0xffffffffffffffff non-streamed, size %lld
# HP_LZMA
0 string \x39\x00\x00\x00\x02 LZMA compressed data,
!:mime application/x-lzma
>5 lequad =0xffffffffffffffff streamed
>5 lequad !0xffffffffffffffff non-streamed, size %lld
# Zlib - Original Code from binwalk
0 beshort 0x789c Zlib compressed data, default compression
!:mime compression/zlib
0 beshort 0x78da Zlib compressed data, best compression
!:mime compression/zlib
0 beshort 0x785e Zlib compressed data, compressed
!:mime compression/zlib
#DJI drone image signature by Fraunhofer FKIE
0 string xV4\x12 DJI Drone Image;
!:mime firmware/dji-drone
>0xc string x Vendor: %s;
>0x1c string x Device-ID: %s;
>0x2c leshort x Number of Modules: %d
#Ambarella image signature by Fraunhofer FKIE
0xa4 string \x90\xEB\x24\xA3\x00\x00 Ambarella Image;
!:mime firmware/ambarella
>0 string x Device-ID: %s;
#Ambarella Rom FS signature by Fraunhofer FKIE
0x04 string \x8A\x32\xFC\x66 Ambarella RomFS;
!:mime filesystem/ambarella-romfs
# ====================== file Systems ======================
# Squashfs - original code from file magic db
0 string sqsh Squashfs filesystem, big endian,
!:mime filesystem/squashfs
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort <3
>>8 belong x %d bytes,
>28 beshort >2
>>28 beshort <4
>>>63 bequad x %lld bytes,
>>28 beshort >3
>>>40 bequad x %lld bytes,
#>>67 belong x %d bytes,
>4 belong x %d inodes,
>28 beshort <2
>>32 beshort x blocksize: %d bytes,
>28 beshort >1
>>28 beshort <4
>>>51 belong x blocksize: %d bytes,
>>28 beshort >3
>>>12 belong x blocksize: %d bytes,
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate x created: %s
0 string hsqs Squashfs filesystem, little endian,
!:mime filesystem/squashfs
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort <3
>>8 lelong x %d bytes,
>28 leshort >2
>>28 leshort <4
>>>63 lequad x %lld bytes,
>>28 leshort >3
>>>40 lequad x %lld bytes,
#>>63 lelong x %d bytes,
>4 lelong x %d inodes,
>28 leshort <2
>>32 leshort x blocksize: %d bytes,
>28 leshort >1
>>28 leshort <4
>>>51 lelong x blocksize: %d bytes,
>>28 leshort >3
>>>12 lelong x blocksize: %d bytes,
>28 leshort <4
>>39 ledate x created: %s
>28 leshort >3
>>8 ledate x created: %s
0 string qshs Squashfs filesystem
!:mime filesystem/squashfs
0 string shsq Squashfs filesystem
!:mime filesystem/squashfs
## AVM Squashfs Fake
0 string sqsh\x00\x00\x00\x00\x00\x00 AVM SquashFs Fake
!:mime filesystem/avm-sqfs-fake
# cramfs filesystem - original code from file magic db
0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian
!:mime filesystem/cramfs
>4 lelong x size %u
>8 lelong &1 version #2
>8 lelong &2 sorted_dirs
>8 lelong &4 hole_support
>32 lelong x CRC 0x%x,
>36 lelong x edition %u,
>40 lelong x %u blocks,
>44 lelong x %u files
0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian
!:mime filesystem/cramfs
>4 belong x size %u
>8 belong &1 version #2
>8 belong &2 sorted_dirs
>8 belong &4 hole_support
>32 belong x CRC 0x%x,
>36 belong x edition %u,
>40 belong x %u blocks,
>44 belong x %u files
# romfs - original code from file magic db
0 string -rom1fs- romfs filesystem, version 1
!:mime filesystem/romfs
>8 belong x %d bytes,
>16 string x named %s.
# Russell Coker <russell@coker.com.au>
0x10040 string _BHRfS_M BTRFS Filesystem
!:mime filesystem/btrfs
>0x1012b string >\0 label "%s",
>0x10090 lelong x sectorsize %d,
>0x10094 lelong x nodesize %d,
>0x10098 lelong x leafsize %d,
>0x10020 belong x UUID=%08x-
>0x10024 beshort x \b%04x-
>0x10026 beshort x \b%04x-
>0x10028 beshort x \b%04x-
>0x1002a beshort x \b%04x
>0x1002c belong x \b%08x,
>0x10078 lequad x %lld/
>0x10070 lequad x \b%lld bytes used,
>0x10088 lequad x %lld devices
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0x438 leshort 0xEF53 Linux
>0x44c lelong x rev %d
>0x43e leshort x \b.%d
# No journal? ext2
>0x45c lelong ^0x0000004 ext2 filesystem data
!:mime filesystem/ext2
>>0x43a leshort ^0x0000001 (mounted or unclean)
# Has a journal? ext3 or ext4
>0x45c lelong &0x0000004
# and small INCOMPAT?
>>0x460 lelong <0x0000040
# and small RO_COMPAT?
>>>0x464 lelong <0x0000008 ext3 filesystem data
!:mime filesystem/ext3
# else large RO_COMPAT?
>>>0x464 lelong >0x0000007 ext4 filesystem data
!:mime filesystem/ext4
# else large INCOMPAT?
>>0x460 lelong >0x000003f ext4 filesystem data
!:mime filesystem/ext4
>0x468 belong x \b, UUID=%08x
>0x46c beshort x \b-%04x
>0x46e beshort x \b-%04x
>0x470 beshort x \b-%04x
>0x472 belong x \b-%08x
>0x476 beshort x \b%04x
>0x478 string >0 \b, volume name "%s"
# General flags for any ext* fs
>0x460 lelong &0x0000004 (needs journal recovery)
>0x43a leshort &0x0000002 (errors)
# INCOMPAT flags
>0x460 lelong &0x0000001 (compressed)
#>0x460 lelong &0x0000002 (filetype)
#>0x460 lelong &0x0000010 (meta bg)
>0x460 lelong &0x0000040 (extents)
>0x460 lelong &0x0000080 (64bit)
#>0x460 lelong &0x0000100 (mmp)
#>0x460 lelong &0x0000200 (flex bg)
# RO_INCOMPAT flags
#>0x464 lelong &0x0000001 (sparse super)
>0x464 lelong &0x0000002 (large files)
>0x464 lelong &0x0000008 (huge files)
#>0x464 lelong &0x0000010 (gdt checksum)
#>0x464 lelong &0x0000020 (many subdirs)
#>0x463 lelong &0x0000040 (extra isize)
# Minix filesystems - Juan Cespedes <cespedes@debian.org>
0x410 leshort 0x137f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1, 14 char names, %d zones
!:mime filesystem/minix
>0x1e string minix \b, bootable
0x410 beshort 0x137f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1 (big endian), %d zones
!:mime filesystem/minix
>0x1e string minix \b, bootable
0x410 leshort 0x138f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1, 30 char names, %d zones
!:mime filesystem/minix
>0x1e string minix \b, bootable
0x410 beshort 0x138f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1, 30 char names (big endian), %d zones
!:mime filesystem/minix
>0x1e string minix \b, bootable
!:mime filesystem/minix
# *.hfs updated by Joerg Jenderek
# http://en.wikipedia.org/wiki/Hierarchical_File_System
# "BD" gives many false positives
0x400 beshort 0x4244
# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h
# first block of volume bit map (always 3)
>0x40e ubeshort 0x0003
# maximal length of volume name is 27
>>0x424 ubyte <28 Macintosh HFS data
!:mime filesystem/hfs
>>>0 beshort 0x4C4B (bootable)
#>>>0 beshort 0x0000 (not bootable)
>>>0x40a beshort &0x8000 (locked)
>>>0x40a beshort ^0x0100 (mounted)
>>>0x40a beshort &0x0200 (spared blocks)
>>>0x40a beshort &0x0800 (unclean)
>>>0x47C beshort 0x482B (Embedded HFS+ Volume)
>>>0x414 belong x block size: %d,
>>>0x412 beshort x number of blocks: %d,
>>>0x424 pstring x volume name: %s
0x400 beshort 0x482B Macintosh HFS Extended
!:mime filesystem/hfs
>&0 beshort x version %d data
>0 beshort 0x4C4B (bootable)
>0x404 belong ^0x00000100 (mounted)
>&2 belong &0x00000200 (spared blocks)
>&2 belong &0x00000800 (unclean)
>&2 belong &0x00008000 (locked)
>&6 string x last mounted by: '%.4s',
# really, that should be treated as a belong and we print a string
# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1"
>&14 beldate-0x7C25B080 x created: %s,
# only the creation date is local time, all other timestamps in HFS+ are UTC.
>&18 bedate-0x7C25B080 x last modified: %s,
>&22 bedate-0x7C25B080 >0 last backup: %s,
>&26 bedate-0x7C25B080 >0 last checked: %s,
>&38 belong x block size: %d,
>&42 belong x number of blocks: %d,
>&46 belong x free blocks: %d
# JFS2 (Journaling File System) image. (Old JFS1 has superblock at 0x1000.)
# See linux/fs/jfs/jfs_superblock.h for layout; see jfs_filsys.h for flags.
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
0x8000 string JFS1 JFS filesystem image
!:mime filesystem/jfs
# Because it's text-only magic, check a binary value (version) to be sure.
# Should always be 2, but mkfs.jfs writes it as 1. Needs to be 2 or 1 to be
# mountable.
>&0 lelong <3 JFS2 filesystem image
!:mime filesystem/jfs2
# Label is followed by a UUID; we have to limit string length to avoid
# appending the UUID in the case of a 16-byte label.
>>&144 regex [\x20-\x7E]{1,16} (label "%s")
>>&0 lequad x \b, %lld blocks
>>&8 lelong x \b, blocksize %d
>>&32 lelong&0x00000006 >0 (dirty)
>>&36 lelong >0 (compressed)
# ISO 9660 CD-ROM
0 name cdrom
>38913 string !NSR0 ISO 9660 CD-ROM filesystem data
!:mime application/x-iso9660-image
>38913 string NSR0 UDF filesystem data
!:mime filesystem/udf
>>38917 string 1 (version 1.0)
>>38917 string 2 (version 1.5)
>>38917 string 3 (version 2.0)
>>38917 byte >0x33 (unknown version, ID 0x%X)
>>38917 byte <0x31 (unknown version, ID 0x%X)
>0x1FE leshort 0xAA55 (DOS/MBR boot sector)
# "application id" which appears to be used as a volume label
>32808 string/T >\0 '%s'
>34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable)
37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)
!:mime application/x-iso9660-image
32777 string CDROM High Sierra CD-ROM filesystem data
0x8801 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)
!:mime application/x-iso9660-image
0x8801 string NSR0 UDF filesystem data
!:mime filesystem/udf
# reiserfs - russell@coker.com.au
0x10034 string ReIsErFs ReiserFS V3.5
!:mime filesystem/reiserfs
0x10034 string ReIsEr2Fs ReiserFS V3.6
!:mime filesystem/reiserfs
0x10034 string ReIsEr3Fs ReiserFS V3.6.19
!:mime filesystem/reiserfs
>0x1002c leshort x block size %d
>0x10032 leshort &2 (mounted or unclean)
>0x10000 lelong x num blocks %d
>0x10040 lelong 1 tea hash
>0x10040 lelong 2 yura hash
>0x10040 lelong 3 r5 hash
# SGI XFS filesystem - Nathan Scott <nathans@debian.org>
0 belong 0x58465342 SGI XFS filesystem data
!:mime filesystem/xfs
>0x4 belong x (blksz %d,
>0x68 beshort x inosz %d,
>0x64 beshort ^0x2004 v1 dirs)
>0x64 beshort &0x2004 v2 dirs)
# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013
# for any allowed sector sizes
30 search/481 \x55\xAA
# to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111)
# DOS BPB information (70) and after DOS floppy (120) like in previous file version
!:strength +65
# for sector sizes < 512 Bytes
>11 uleshort <512
>>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector
!:mime filesystem/dosmbr
# for sector sizes with 512 or more Bytes
>0x1FE leshort 0xAA55 DOS/MBR boot sector
!:mime filesystem/dosmbr
9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian),
!:mime filesystem/ffs
>8404 string x last mounted on %s,
#>9504 ledate x last checked at %s,
>8224 ledate x last written at %s,
>8401 byte x clean flag %d,
>8228 lelong x number of blocks %d,
>8232 lelong x number of data blocks %d,
>8236 lelong x number of cylinder groups %d,
>8240 lelong x block size %d,
>8244 lelong x fragment size %d,
>8252 lelong x minimum percentage of free blocks %d,
>8256 lelong x rotational delay %dms,
>8260 lelong x disk rotational speed %drps,
>8320 lelong 0 TIME optimization
>8320 lelong 1 SPACE optimization
42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian)
!:mime filesystem/ffs
>&-1164 string x last mounted on %s,
>&-696 string >\0 volume name %s,
>&-304 leqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 lequad x number of blocks %lld,
>&-288 lequad x number of data blocks %lld,
>&-1332 lelong x number of cylinder groups %d,
>&-1328 lelong x block size %d,
>&-1324 lelong x fragment size %d,
>&-180 lelong x average file size %d,
>&-176 lelong x average number of files in dir %d,
>&-272 lequad x pending blocks to free %lld,
>&-264 lelong x pending inodes to free %d,
>&-664 lequad x system-wide uuid %0llx,
>&-1316 lelong x minimum percentage of free blocks %d,
>&-1248 lelong 0 TIME optimization
>&-1248 lelong 1 SPACE optimization
66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian)
!:mime filesystem/ffs
>&-1164 string x last mounted on %s,
>&-696 string >\0 volume name %s,
>&-304 leqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 lequad x number of blocks %lld,
>&-288 lequad x number of data blocks %lld,
>&-1332 lelong x number of cylinder groups %d,
>&-1328 lelong x block size %d,
>&-1324 lelong x fragment size %d,
>&-180 lelong x average file size %d,
>&-176 lelong x average number of files in dir %d,
>&-272 lequad x pending blocks to free %lld,
>&-264 lelong x pending inodes to free %d,
>&-664 lequad x system-wide uuid %0llx,
>&-1316 lelong x minimum percentage of free blocks %d,
>&-1248 lelong 0 TIME optimization
>&-1248 lelong 1 SPACE optimization
9564 belong 0x00011954 Unix Fast File system [v1] (big-endian),
!:mime filesystem/ffs
>7168 belong 0x4c41424c Apple UFS Volume
>>7186 string x named %s,
>>7176 belong x volume label version %d,
>>7180 bedate x created on %s,
>8404 string x last mounted on %s,
#>9504 bedate x last checked at %s,
>8224 bedate x last written at %s,
>8401 byte x clean flag %d,
>8228 belong x number of blocks %d,
>8232 belong x number of data blocks %d,
>8236 belong x number of cylinder groups %d,
>8240 belong x block size %d,
>8244 belong x fragment size %d,
>8252 belong x minimum percentage of free blocks %d,
>8256 belong x rotational delay %dms,
>8260 belong x disk rotational speed %drps,
>8320 belong 0 TIME optimization
>8320 belong 1 SPACE optimization
42332 belong 0x19540119 Unix Fast File system [v2] (big-endian)
!:mime filesystem/ffs
>&-1164 string x last mounted on %s,
>&-696 string >\0 volume name %s,
>&-304 beqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 bequad x number of blocks %lld,
>&-288 bequad x number of data blocks %lld,
>&-1332 belong x number of cylinder groups %d,
>&-1328 belong x block size %d,
>&-1324 belong x fragment size %d,
>&-180 belong x average file size %d,
>&-176 belong x average number of files in dir %d,
>&-272 bequad x pending blocks to free %lld,
>&-264 belong x pending inodes to free %d,
>&-664 bequad x system-wide uuid %0llx,
>&-1316 belong x minimum percentage of free blocks %d,
>&-1248 belong 0 TIME optimization
>&-1248 belong 1 SPACE optimization
66908 belong 0x19540119 Unix Fast File system [v2] (big-endian)
!:mime filesystem/ffs
>&-1164 string x last mounted on %s,
>&-696 string >\0 volume name %s,
>&-304 beqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 bequad x number of blocks %lld,
>&-288 bequad x number of data blocks %lld,
>&-1332 belong x number of cylinder groups %d,
>&-1328 belong x block size %d,
>&-1324 belong x fragment size %d,
>&-180 belong x average file size %d,
>&-176 belong x average number of files in dir %d,
>&-272 bequad x pending blocks to free %lld,
>&-264 belong x pending inodes to free %d,
>&-664 bequad x system-wide uuid %0llx,
>&-1316 belong x minimum percentage of free blocks %d,
>&-1248 belong 0 TIME optimization
>&-1248 belong 1 SPACE optimization
# jffs2 - original code fom file magic db
0 leshort 0x1984 Linux old jffs2 filesystem data little endian
!:mime filesystem/jffs2
0 leshort 0x1985 Linux jffs2 filesystem data little endian
!:mime filesystem/jffs2
# jffs2 big endian addaption
0 leshort 0x8519 Linux jffs2 filesystem data big endian
!:mime filesystem/jffs2-big
# UBIfs
# Linux kernel sources: fs/ubifs/ubifs-media.h
0 lelong 0x06101831
>0x16 leshort 0 UBIfs image
!:mime filesystem/ubifs
>0x08 lequad x \b, sequence number %llu
>0x10 leshort x \b, length %u
>0x04 lelong x \b, CRC 0x%08x
### YAFFS FKIE
## little endian YAFFS
# check if entry type is valid
0 lelong <6
# check if first element is on root level
>4 lelong 1
# check if obsolet checksum is set to FF FF
>>8 string \xff\xff YAFFS filesystem, little endian
!:mime filesystem/yaffs
## big endian YAFFS
0 belong <6
>4 belong 1
>>8 string \xff\xff YAFFS filesystem, big endian
!:mime filesystem/yaffs
# ====================== firmware container ======================
# ---- Dahua Container ----
0 string DH\003\004 dahua firmware image
!:mime firmware/dahua
# ---- ROS Container ----
24 string \x50\x41\x43\x4b ROS Container
!:mime firmware/ros
# ---- TP-Link ----
# WR702N
20 string \x49\x4d\x47\x30\x00\x17 TP-Link WR702N Image
!:mime firmware/tp-wr702n
## the following firmware signatures originate to binwalk
#IMG0 header, found in VxWorks-based Mercury router firmware
0 string IMG0 IMG0 (VxWorks) header,
>4 belong <1 {invalid}
>4 belong x size: %d
#Mediatek bootloader signature
#From xp-dev.com
0 string BOOTLOADER! Mediatek bootloader
#CSYS header formats
0 string CSYS\x00 CSYS header, little endian,
>8 lelong x size: %d
0 string CSYS\x80 CSYS header, big endian,
>8 belong x size: %d
# wrgg firmware image
0 string wrgg02 WRGG firmware header,
>6 string x name: "%s",
>48 string x root device: "%s"
# ---- NETGEAR ----
# TRX/CHK
58 string HDR0 TRX firmware,
!:mime firmware/trx
>51 string NETGEAR vendor: Netgear,
>62 lelong <1 {invalid}
>62 ulelong x image size: %d bytes,
>66 ulelong x CRC32: 0x%X,
>70 uleshort x flags: 0x%X,
>72 uleshort !1
>>72 uleshort !2 {invalid}
>72 uleshort 2 version: %d, header size: 32 bytes,
>>74 ulelong x loader offset: 0x%X,
>>78 ulelong x linux kernel offset: 0x%X,
>>82 ulelong x rootfs offset: 0x%X,
>>86 ulelong x bin-header offset: 0x%X
>72 uleshort 1 version: %d, header size: 28 bytes,
>>74 ulelong x loader offset: 0x%X,
>>78 ulelong x linux kernel offset: 0x%X,
>>82 ulelong x rootfs offset: 0x%X
# trx image file
0 string HDR0 TRX firmware header, little endian,
!:mime firmware/trx
>4 lelong <1 {invalid}
>4 ulelong x image size: %d bytes,
>8 ulelong x CRC32: 0x%X,
>12 uleshort x flags: 0x%X,
>14 uleshort !1
>>14 uleshort !2 {invalid}
>14 uleshort 2 version: %d, header size: 32 bytes,
>>16 ulelong x loader offset: 0x%X,
>>20 ulelong x linux kernel offset: 0x%X,
>>24 ulelong x rootfs offset: 0x%X,
>>28 ulelong x bin-header offset: 0x%X
>14 uleshort 1 version: %d, header size: 28 bytes,
>>16 ulelong x loader offset: 0x%X,
>>20 ulelong x linux kernel offset: 0x%X,
>>24 ulelong x rootfs offset: 0x%X
14 string U2ND BIN-Header,
>4 ulelong !0 {invalid}
>22 string !\x00*10 {invalid}
>0 string x board ID: %.4s,
>18 ubyte 0 hardware version: 4702,
>18 ubyte 1 hardware version: 4712,
>18 ubyte 2 hardware version: 4712L,
>18 ubyte 3 hardware version: 4704,
>18 ubyte >3 hardware version: unknown (code: 0x%.2X),
>11 ubyte x firmware version: %d.
>12 ubyte x \b%d.
>12 ubyte x \b%d,
>8 ubyte <80
>>8 ubyte x build date: 20%.2d-
>8 ubyte >79
>>8 ubyte x build date: 19%.2d-
>9 ubyte x \b%.2d-
>10 ubyte x \b%.2d
# Ubicom firmware image
0 belong 0xFA320080 Ubicom firmware header,
!:mime firmware/ubicom
>12 ubelong x checksum: 0x%X,
>24 belong <0 {invalid}
>24 belong x image size: %d
# The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one.
# Netgear KWGR614 ROME image
0 string G614 Realtek firmware header, ROME bootloader,
!:mime firmware/realtek
>4 beshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
>10 ubyte >12 {invalid} month
>12 ubyte >31 {invalid} day
>8 ubeshort >3000 {invalid} year
#month
>10 byte x created: %d/
#day
>12 byte x \b%d/
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22 ubyte x body checksum: 0x%X,
>23 ubyte x header checksum: 0x%X
# Linksys WRT54GX ROME image
0 belong 0x59a0e842 Realtek firmware header, ROME bootloader,
!:mime firmware/realtek
>4 ubeshort 0xd92f image type: KFS,
>4 ubeshort 0xb162 image type: RDIR,
>4 ubeshort 0xea43 image type: BOOT,
>4 ubeshort 0x8dc9 image type: RUN,
>4 ubeshort 0x2a05 image type: CCFG,
>4 ubeshort 0x6ce8 image type: DCFG,
>4 ubeshort 0xc371 image type: LOG,
>6 byte x header version: %d,
>10 ubyte >12 {invalid}invalid month
>12 ubyte >31 {invalid}invalid day
>8 ubeshort >3000 {invalid}invalid year
#month
>10 byte x created: %d/
#day
>12 byte x \b%d/
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22 ubyte x body checksum: 0x%X,
>23 ubyte x header checksum: 0x%X
# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0 string --PaCkImGs PackImg section delimiter tag,
>10 string !-- {invalid}
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16 ulelong >0x20000000
>>16 ubelong >0x20000000 {invalid}
>16 lelong <0
>>16 belong <0 {invalid}
>16 lelong >0
>>16 lelong x little endian size: %d bytes;
>16 belong >0
>>16 belong x big endian size: %d bytes
#------------------------------------------------------------------------------
# Broadcom header format
#
0 string BCRM Broadcom header,
!:mime firmware/broadcom
>4 lelong <0 {invalid}
>4 lelong x number of sections: %d,
>>8 lelong 18 first section type: flash
>>8 lelong 19 first section type: disk
>>8 lelong 21 first section type: tag
# Another Broadcom firmware header...
# The header seems to be always 0x100 bytes length and there is more information than the one displayed (not sure about the meaning).
# Used for example in the EchoLife HG556a router
0x0 string \x38\x00\x00\x00 Broadcom firmware header
>0x4 string !Broadcom Corporatio {invalid}
>0x18 string x %s.
>0x8E string x Model: %s.
>0xA2 string x Firmware version: %s.
# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint
0 string Ck0\0\0R\0\0\0 BLCR
>16 lelong 0 {invalid}
>16 ulelong >7 {invalid}
>16 lelong 1 x86
>16 lelong 3 alpha
>16 lelong 5 x86-64
>16 lelong 7 ARM
>8 lelong x context data (little endian, version %d)
0 string \0\0\0C\0\0\0R BLCR
>16 lelong <2 {invalid}
>16 ulelong >8 {invalid}
>16 belong 2 SPARC
>16 belong 4 ppc
>16 belong 6 ppc64
>16 belong 7 ARMEB
>16 belong 8 SPARC64
>8 belong x context data (big endian, version %d)
# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\x20Startup\x20and Aculab VoIP firmware
!:mime firmware/aculab
>35 string x format "%s"
# From Albert Cahalan <acahalan@gmail.com>
# really le32 operation,destination,payloadsize (but quite predictable)
# 01 00 00 00 00 00 00 c0 00 02 00 00
0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware
#---------------------------------------------------------------------------
# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a
# lead Sun/Cobalt developer) who agrees that they are good and worthy of
# inclusion.
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom
>38 string x V%.4s
# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it.
0 string CRfs COBALT boot rom data (Flat boot rom or file system)
#
# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de>
# Useless until forther improvements can be made to the signature.
#0 string S0 Motorola S-Record; binary data in text format
#Windows CE Binary Image Data Format aka B000FF
#More information on the format:
#http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167
0 string B000FF Windows CE image header,
>7 ulelong x image start: 0x%X,
>11 ulelong x image length: %d
#Windows CE RomImage
63 string \x00ECEC Windows CE memory segment header,
>4 ulelong x TOC address: 0x%X
# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
6 string SIG ZynOS header, header size: 48 bytes,
!:mime firmware/zynos
>3 byte <0x7F rom image type:
>>3 byte <1 {invalid},
>>3 byte >7 {invalid},
>>3 byte 1 ROMIMG,
>>3 byte 2 ROMBOOT,
>>3 byte 3 BOOTEXT,
>>3 byte 4 ROMBIN,
>>3 byte 5 ROMDIR,
>>3 byte 6 6,
>>3 byte 7 ROMMAP,
>3 byte >0x7F ram image type:
>>3 byte >0x82 {invalid},
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
>4 ubelong >0x40000000 {invalid}
>4 belong <0 {invalid}
>4 belong 0 {invalid}
>4 belong x uncompressed size: %d,
>8 belong >0x40000000 {invalid}
>8 belong <0 {invalid}
>8 belong 0 {invalid}
>8 belong x compressed size: %d,
>14 ubeshort x uncompressed checksum: 0x%X,
>16 ubeshort x compressed checksum: 0x%X,
>12 ubyte x flags: 0x%X,
>12 byte &0x40 uncompressed checksum is valid,
>12 ubyte &0x80 the binary is compressed,
>>12 byte &0x20 compressed checksum is valid,
>35 ubelong x memory map table address: 0x%X
# Firmware header used by some VxWorks-based Cisco products
0 string CI032.00 Cisco VxWorks firmware header,
!:mime firmware/ros
>8 lelong >1024 {invalid}
>8 lelong <0 {invalid}
>8 lelong x header size: %d bytes,
>32 lelong >1024 {invalid}
>32 lelong <0 {invalid}
>32 lelong x number of files: %d,
>48 lelong <0 {invalid}
>48 lelong x image size: %d,
>64 string x firmware version: "%s"
# Firmware header used by some TV's
0 string FNIB ZBOOT firmware header, header size: 32 bytes,
>8 ulelong x load address: 0x%.8X,
>12 ulelong x start address: 0x%.8X,
>16 ulelong x checksum: 0x%.8X,
>20 ulelong x version: 0x%.8X,
>24 lelong <1 {invalid}
>24 ulelong x image size: %d bytes
# Firmware header used by several D-Link routers (and probably others)
0 string \x5e\xa3\xa4\x17 DLOB firmware header,{jump:108}
!:mime firmware/dlob
>(7.b+12) string !\x5e\xa3\xa4\x17 {invalid},
#>>12 string x %s,
>(7.b+40) string x boot partition: "%s"
# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
4 string TP-LINK\x20Technologies TP-Link firmware header,
!:mime firmware/tp-link
#>-4 lelong x header version: %d,
>0x94 beshort x firmware version: %d.
>0x96 beshort x \b%d.
>0x98 beshort x \b%d,
>0x18 string x image version: "%s",
#>0x74 belong x image size: %d bytes,
>0x3C belong x product ID: 0x%X,
>0x40 belong x product version: %d,
>0x70 ubelong x kernel load address: 0x%X,
>0x74 ubelong x kernel entry point: 0x%X,
>0x7C ubelong x kernel offset: %d,
>0x80 ubelong x kernel length: %d,
>0x84 ubelong x rootfs offset: %d,
>0x88 ubelong x rootfs length: %d,
>0x8C ubelong x bootloader offset: %d,
>0x90 ubelong x bootloader length: %d
# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256,
!:mime firmware/broadcom
>4 string !Broadcom
>>4 string !\x20\x20\x20\x20 {invalid}
>41 beshort !0x2020
>>41 beshort !0x0000
>>>41 string x firmware version: "%.4s",
>45 beshort !0x0202
>>45 beshort !0x0000
>>>45 string x board id: "%s",
>236 ubelong x ~CRC32 header checksum: 0x%X,
>216 ubelong x ~CRC32 data checksum: 0x%X
# Xerox MFP DLM signatures
0 string %%XRXbegin Xerox DLM firmware start of header
!:mime firmware/xerox-dlm
0 string %%OID_ATT_DLM_NAME Xerox DLM firmware name:
>19 string x "%s"
0 string %%OID_ATT_DLM_VERSION Xerox DLM firmware version:
>22 string x "%s"
0 string %%XRXend Xerox DLM firmware end of header
# Sercomm firmware header
0 string sErCoMm Sercomm firmware signature,
!:mime firmware/sercomm
>7 leshort x version control: %d,
>9 leshort x download control: %d,
>11 string x hardware ID: "%s",
>44 uleshort x hardware version: 0x%X,
>58 uleshort x firmware version: 0x%X,
>60 uleshort x starting code segment: 0x%X,
>62 uleshort x code size: 0x%X
# NPK firmware header, used by Mikrotik
0 belong 0x1EF1D0BA NPK firmware header,
>4 lelong <0 {invalid}
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s"
# Ubiquiti firmware signatures
0 string UBNT Ubiquiti firmware header, header size: 264 bytes,
!:mime firmware/ubiquiti
>0x108 belong !0 {invalid},
>0x104 ubelong x ~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string x version: "%s"
0 string GEOS Ubiquiti firmware header, header size: 264 bytes,
!:mime firmware/ubiquiti
>0x108 belong !0 {invalid},
>0x104 ubelong x ~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string x version: "%s"
0 string OPEN Ubiquiti firmware header, third party,
!:mime firmware/ubiquiti
>0x108 belong !0 {invalid},
>0x104 ubelong x ~CRC32: 0x%X,
>4 byte 0 {invalid},
>4 string x version: "%s"
4 string \x00\x00\x00\x00PART Ubiquiti partition header,
!:mime firmware/ubiquiti
>0 byte x header size: 56 bytes,
>8 byte 0 {invalid}
>8 string x name: "%s",
>44 ubelong x base address: 0x%.8X,
4 string \x00\x00\x00\x00END\x2e Ubiquiti end header, header size: 12 bytes,
>12 belong !0 {invalid},
>8 ubelong x cumulative ~CRC32: 0x%.8X
# Found in DIR-100 firmware
0 string AIH0N AIH0N firmware header, header size: 48,
>12 belong x size: %d,
>8 belong !0 executable code,
>>8 belong x load address: 0x%X,
>32 string x version: "%s"
0 belong 0x5EA3A417 SEAMA firmware header, big endian,
>4 beshort !0 {invalid}
>6 beshort x meta size: %d,
>8 belong <1 {invalid}
>8 belong x image size: %d
0 lelong 0x5EA3A417 SEAMA firmware header, little endian,
>4 leshort !0 {invalid}
>6 leshort x meta size: %d,
>8 lelong <1 {invalid}
>8 lelong x image size: %d
0 belong 0x4D544443 NSP firmware header, big endian,
>16 belong <1 {invalid}
>16 belong x header size: %d,
>20 belong <1 {invalid}
>20 belong x image size: %d,
>20 belong x {size:%d}
>4 belong <1 {invalid}
>4 ubelong x kernel offset: %d,
>12 belong <1 {invalid}
>12 belong x header version: %d,
0 lelong 0x4D544443 NSP firmware header, little endian,
>16 lelong <1 {invalid}
>16 lelong x header size: %d,
>20 lelong <1 {invalid}
>20 lelong x image size: %d,
>20 lelong x {size:%d}
>4 lelong <1 {invalid}
>4 ulelong x kernel offset: %d,
>12 lelong <1 {invalid}
>12 lelong x header version: %d,
# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0 string WizFwPkgl Beyonwiz firmware header,
>20 string x version: "%s"
0 string BLI223WJ0 Thompson/Alcatel encoded firmware,
>32 byte x version: %d.
>33 byte x \b%d.
>34 byte x \b%d.
>35 byte x \b%d,
>44 belong x size: %d,
>48 ubelong x crc: 0x%.8X,
>35 byte x try decryption tool from:
>35 byte x http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
16 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0 string ANDROID\040BACKUP\n Android Backup
>15 string 1\n \b, version 1
>17 string 0\n \b, uncompressed
>17 string 1\n \b, compressed
>19 string none\n \b, unencrypted
>19 string AES-256\n \b, encrypted AES-256
# http://forum.xda-developers.com/showthread.php?p=47818657
8 string imgARMcC Roku aimage SB
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged Sun/COBALT boot rom,
>38 string x version: "%.4s"
# Simple eCos string signatures
0 string ecos eCos RTOS string reference:
>0 string x "%s"
0 string eCos eCos RTOS string reference:
>0 string x "%s"
0 string ECOS eCos RTOS string reference:
>0 string x "%s"
# ZyXEL config signatures
6 string dbgarea ZyXEL rom-0 configuration block, name: "%s",
>16 ubeshort x compressed size: %d,
>14 ubeshort x uncompressed size: %d,
>18 ubeshort+16 x data offset from start of block: %d
6 string spt.dat ZyXEL rom-0 configuration block, name: "%s",
>16 ubeshort x compressed size: %d,
>14 ubeshort x uncompressed size: %d,
>18 ubeshort+16 x data offset from start of block: %d
6 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",
>16 ubeshort x compressed size: %d,
>14 ubeshort x uncompressed size: %d,
>18 ubeshort+16 x data offset from start of block: %d
# Obfuscated Arcadyan firmware
0x68 string \x00\xD5\x08 Obfuscated Arcadyan firmware,
>0x6B byte !0 {invalid} signature trailing byte [0x%X],{invalid}
# None of the known Arcadyan signatures bytes have a NULL byte
>0 byte 0 {invalid}
>1 byte 0 {invalid}
>2 byte 0 {invalid}
>3 byte 0 {invalid}
>0 ubelong x signature bytes: 0x%X,
>0x70 string !\x00\x00\x00\x00\x00\x00 {invalid} padding bytes{invalid}
# Digi firmware images
0xC0 string Digi Digi International firmware,
>0xC8 beshort !0x4253
>>0xC8 beshort !0x4950
>>>0xC8 beshort !0x4944
>>>>0xC8 beshort !0x444f
>>>>>0xC8 beshort !0x4443
>>>>>>0xC8 beshort !0x4f53
>>>>>>>0xC8 beshort !0x4f43
>>>>>>>>0xC8 beshort !0x4646
>>>>>>>>>0xC8 beshort !0x5350 {invalid}invalid header,
>0xD4 ubelong x load address: 0x%.8X,
>0xDC ubelong x entry point: 0x%.8X,
# Lancom firmware signatures, courtesy of christophvw
0 string ELSF LANCOM firmware header,
!:mime firmware/lancom
>22 string x model: "%s",
>18 string x firmware version: "%.4s",
>12 ubyte 255 Rel,
>12 ubyte 253 alpha,
>12 ubyte 220 PR,
>12 ubyte >0
>>12 ubyte <220 RC%d,
>12 ubyte >220
>>12 ubyte-220 <237 RU%d,
>12 ubyte 0 dev
>17 ubyte >0
>>17 ubyte x build %d
#get build date
>7 ubyte !63
#date is stored as string
>>7 string x ("%.8s")
0 string ELSO LANCOM OEM file
0 string ELSB LANCOM firmware loader,
>22 string x model: "%s",
>18 string x loader version: "%.4s",
0 string ELSC LANCOM WWAN firmware
>4 ubyte 3
>>5 beshort 0
>>7 string x \b, "%s"
0 string ELSP LANCOM file entry
>(198.L+202) belong !2
>>(198.L+202) belong !3 {invalid}
>202 string @(RECENT_FIRMWARE)/ \b, file name:
>>221 string x "%s"
>>221 string x \b{name:%s}
>(198.L+202) belong 2
>>(198.L+206) belong <1 {invalid}
>>(198.L+206) belong x \b, file size: %d bytes
>>(198.L+206) belong x \b{size:%d}
>(198.L+202) belong 3
>>&4 string @(RECENT_FIRMWARE)/ \b, alias:
>>&23 string x "%s"
>>(&0.L+4) belong x \b, file size: %d bytes
# QNAP encrypted firmware
0 string icpnas QNAP encrypted firmware footer
>10 string x , model: %s
>26 string x , version: %s
>42 uleshort !0
>>42 string x , date: %s
# Mediatek
0 string SF_BOOT\x00\x00\x00\x00\x00 Mediatek Serial Flash Image
>12 lelong <1 {invalid}
>12 lelong >1 {invalid}
>12 lelong x Version %d
0 string EMMC_BOOT\x00\x00\x00 Mediatek EMMC Flash Image
>12 lelong <1 {invalid}
>12 lelong >1 {invalid}
>12 lelong x Version %d
0 string NOR_BOOT\x00\x00\x00\x00 Mediatek NOR Flash Image
>12 lelong <1 {invalid}
>12 lelong >1 {invalid}
>12 lelong x Version %d
0 string BRLYT\x00\x00\x00 Mediatek Boot Header
>8 lelong <1 {invalid}
>8 lelong >1 {invalid}
>8 lelong x Version %d
0 string BBBB Boot section{overlap}
>8 lelong x Start 0x%X
>12 lelong x End 0x%X
>16 lelong &0x1 Load-by-Bootrom
>16 lelong &0x80000000 Internal-RAM
>16 lelong &0x7ffffff0 {invalid}
0 string FILE_INFO\x00\x00\x00 Mediatek File Info
>12 lelong <1 {invalid}
>12 lelong >1 {invalid}
>16 leshort 0 File Type: NONE
>16 leshort 1 File Type: ARM-Bootloader
>16 leshort 2 File Type: ARM-External-Bootloader
>16 leshort 10 File Type: Root-Certificate
>16 leshort 256 File Type: Primary-MAUI
>16 leshort 264 File Type: VIVA
>16 leshort 769 File Type: SECURE_RO_ME
>18 byte 0 Flash Type: NONE
>18 byte 1 Flash Type: NOR Flash
>18 byte 2 Flash Type: NAND Sequential Flash
>18 byte 3 Flash Type: NAND_TTBL
>18 byte 4 Flash Type: NAND_FDM50
>18 byte 5 EMMC-Boot-Region
>18 byte 6 EMMC-Data-Region
>18 byte 7 Flash Type: Serial Flash
>18 byte 255 Flash Type: Device-End
>18 byte >20 {invalid}
>19 byte 0 No Signature
>19 byte 1 Signature Type: PHASH
>19 byte 2 Signature Type: SINGLE
>19 byte 3 Signature Type: SINGLE and PHASH
>19 byte 4 Signature Type: MULTI
>19 byte 5 Signature Type: TYPE_NUM
>19 byte 255 Signature Type: TYE_END
>19 byte >20 {invalid}
>20 lelong x Load Address: 0x%X
>24 lelong x File Length: %d
>28 lelong x Maximum Size: %d
>32 lelong x Content Offset: 0x%X
>36 lelong x Signature Lenght: %d
>40 lelong x Jump Offset: %d
>44 lelong &0x1 POST_BUILD_DONE
>44 lelong &0x2 XIP (Execute In Place)
>44 lelong &0x4 SLT
>44 lelong &0xffffff00 {invalid}
# Android bootimg
# https://android.googlesource.com/platform/system/core.git/+/master/mkbootimg/bootimg.h
0 string ANDROID! Android bootimg
>8 ulelong x \b, kernel size: %d bytes
>12 ulelong x \b, kernel addr: 0x%X
>16 ulelong x \b, ramdisk size: %d bytes
>20 ulelong x \b, ramdisk addr: 0x%X
>48 string x \b, product name: "%s"
# UBI Image
0 lelong 0x23494255
>0x04 leshort <2
>0x05 string \0\0\0
>0x1c string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>0x04 leshort x UBI image, version %u
!:mime firmware/ubi-image
# Frontier Silicon ISU
0 string \x76\x11\x0\x0\x7c\x0\x0\x0\x01\x0\x0\x0 Frontier Silicon IR2.x image
!:mime firmware/fs-isu
>0x0c string x \b, version: %s
# Hard Drives
# Seagate LOD
0x0e string \x07\x00\x80\x01\x00 Seagate LOD
!:mime firmware/seagate-lod
# Western Digital ROYL
0 string ROYL Western Digital ROYL
!:mime firmware/wd-royl
# Western Digital flash ROM
0 regex Z.{2}\x00\x00
>0x20 byte 0x01
>>0x40 byte 0x02 Western Digital Flash ROM
!:mime firmware/wd-flash-rom
# Toshiba "CD2" Firmware
0 string \xD5\xBF\x98\x12\x01 Toshiba CD2
!:mime firmware/toshiba-cd2
# Intel HEX
0 regex \^:[A-F0-9]{8,}$ Intel HEX
!:mime firmware/intel-hex
# ====================== faf internal ======================
# ---- faf internal link representation ----
0 string symbolic\ link\ -> symbolic link
>17 string x to '%s'
!:mime inode/symlink
# this is an adapted version of the original file magic linux file
#------------------------------------------------------------------------------
# $File: linux,v 1.62 2015/05/03 13:06:36 christos Exp $
# linux: file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
# The following basic Linux magic is useful for reference, but using
# "long" magic is a better practice in order to avoid collisions.
#
# 2 leshort 100 Linux/i386
# >0 leshort 0407 impure executable (OMAGIC)
# >0 leshort 0410 pure executable (NMAGIC)
# >0 leshort 0413 demand-paged executable (ZMAGIC)
# >0 leshort 0314 demand-paged executable (QMAGIC)
#
0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC)
>16 lelong 0 \b, stripped
#
0 string \007\001\000 Linux/i386 object file
>20 lelong >0x1020 \b, DLL library
# Linux-8086 stuff:
0 string \01\03\020\04 Linux-8086 impure executable
>28 long !0 not stripped
0 string \01\03\040\04 Linux-8086 executable
>28 long !0 not stripped
#
0 string \243\206\001\0 Linux-8086 object file
#
0 string \01\03\020\20 Minix-386 impure executable
>28 long !0 not stripped
0 string \01\03\040\20 Minix-386 executable
>28 long !0 not stripped
0 string \01\03\04\20 Minix-386 NSYM/GNU executable
>28 long !0 not stripped
# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
216 lelong 0421 Linux/i386 core file
!:strength / 2
>220 string >\0 of '%s'
>200 lelong >0 (signal %d)
#
# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
# this can be overridden by the DOS executable (COM) entry
2 string LILO Linux/i386 LILO boot/chain loader
!:mime bootloader/lilo
#
# Linux make config build file, from Ole Aamot <oka@oka.no>
# Updated by Ken Sharp
28 string make\ config Linux make config build file (old)
49 search/70 Kernel\ Configuration Linux make config build file
#
# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
# Updated by Adam Buchbinder <adam.buchbinder@gmail.com>
# See: http://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html
0 leshort 0x0436 Linux/i386 PC Screen Font v1 data,
>2 byte&0x01 0 256 characters,
>2 byte&0x01 !0 512 characters,
>2 byte&0x02 0 no directory,
>2 byte&0x02 !0 Unicode directory,
>3 byte >0 8x%d
0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data,
>16 lelong x %d characters,
>12 lelong&0x01 0 no directory,
>12 lelong&0x01 !0 Unicode directory,
>24 lelong x %d
>28 lelong x \bx%d
# Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com>
4086 string SWAP-SPACE Linux/i386 swap file
!:mime filesystem/swap
# From: Jeff Bailey <jbailey@ubuntu.com>
# Linux swap file with swsusp1 image, from Jeff Bailey <jbailey@ubuntu.com>
4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image
!:mime filesystem/swap
# From: James Hunt <james.hunt@ubuntu.com>
4076 string SWAPSPACE2LINHIB0001 Linux/i386 swap file (new style) (compressed hibernate)
!:mime filesystem/swap
# according to man page of mkswap (8) March 1999
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
4086 string SWAPSPACE2 Linux/i386 swap file (new style),
!:mime filesystem/swap
>0x400 long x version %d (4K pages),
>0x404 long x size %d pages,
>1052 string \0 no label,
>1052 string >\0 LABEL=%s,
>0x40c belong x UUID=%08x
>0x410 beshort x \b-%04x
>0x412 beshort x \b-%04x
>0x414 beshort x \b-%04x
>0x416 belong x \b-%08x
>0x41a beshort x \b%04x
# From Daniel Novotny <dnovotny@redhat.com>
# swap file for PowerPC
65526 string SWAPSPACE2 Linux/ppc swap file
16374 string SWAPSPACE2 Linux/ia64 swap file
#
# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolas Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
# Linux kernel boot images (i386 arch) (Wolfram Kleff)
514 string HdrS Linux kernel
!:strength + 55
!:mime linux/kernel
>510 leshort 0xAA55 x86 boot executable
>>518 leshort >0x1ff
>>>529 byte 0 zImage,
>>>529 byte 1 bzImage,
>>>526 lelong >0
>>>>(526.s+0x200) string >\0 version %s,
>>498 leshort 1 RO-rootFS,
>>498 leshort 0 RW-rootFS,
>>508 leshort >0 root_dev 0x%X,
>>502 leshort >0 swap_dev 0x%X,
>>504 leshort >0 RAMdisksize %u KB,
>>506 leshort 0xFFFF Normal VGA
>>506 leshort 0xFFFE Extended VGA
>>506 leshort 0xFFFD Prompt for Videomode
>>506 leshort >0 Video mode %d
# This also matches new kernels, which were caught above by "HdrS".
0 belong 0xb8c0078e Linux kernel
!:mime linux/kernel
>0x1e3 string Loading version 1.3.79 or older
>0x1e9 string Loading from prehistoric times
# System.map files - Nicolas Lichtmaier <nick@debian.org>
8 search/1 \ A\ _text Linux kernel symbol map text
!:mime linux/system-map
# LSM entries - Nicolas Lichtmaier <nick@debian.org>
0 search/1 Begin3 Linux Software Map entry text
0 search/1 Begin4 Linux Software Map entry text (new format)
# From Matt Zimmerman, enhanced for v3 by Matthew Palmer
0 belong 0x4f4f4f4d User-mode Linux COW file
!:mime linux/cow
>4 belong <3 \b, version %d
>>8 string >\0 \b, backing file %s
>4 belong >2 \b, version %d
>>32 string >\0 \b, backing file %s
############################################################################
# Linux kernel versions
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
!:mime linux/kernel
>497 leshort 0 x86 boot sector
>>514 belong 0x8e of a kernel from the dawn of time!
>>514 belong 0x908ed8b4 version 0.99-1.1.42
>>514 belong 0x908ed8b8 for memtest86
>497 leshort !0 x86 kernel
>>504 leshort >0 RAMdisksize=%u KB
>>502 leshort >0 swap=0x%X
>>508 leshort >0 root=0x%X
>>>498 leshort 1 \b-ro
>>>498 leshort 0 \b-rw
>>506 leshort 0xFFFF vga=normal
>>506 leshort 0xFFFE vga=extended
>>506 leshort 0xFFFD vga=ask
>>506 leshort >0 vga=%d
>>514 belong 0x908ed881 version 1.1.43-1.1.45
>>514 belong 0x15b281cd
>>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0
>>>0xa99 belong 0x55AA5a5a version 1.3.1,2
>>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30
>>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41
>>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45
>>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72
>>514 string HdrS
>>>518 leshort >0x1FF
>>>>529 byte 0 \b, zImage
>>>>529 byte 1 \b, bzImage
>>>>(526.s+0x200) string >\0 \b, version %s
# Linux boot sector thefts.
0 belong 0xb8c0078e Linux
!:mime linux/bootsector
>0x1e6 belong 0x454c4b53 ELKS Kernel
>0x1e6 belong !0x454c4b53 style boot sector
############################################################################
# Linux S390 kernel image
# Created by: Jan Kaluza <jkaluza@redhat.com>
8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390
!:mime linux/kernel
>0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc
# 64bit
>>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel
>>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel
>>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel
>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel
# 32bit
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel
>>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel
>>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel
# Linux ARM compressed kernel image
# From: Kevin Cernekee <cernekee@gmail.com>
36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian)
!:mime linux/kernel
36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
!:mime linux/kernel
############################################################################
# Linux 8086 executable
0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
>5 string .
>>4 string >\0 \b, libc version %s
0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable
>2 byte&0x01 !0 \b, unmapped zero page
>2 byte&0x20 0 \b, impure
>2 byte&0x20 !0
>>2 byte&0x10 !0 \b, A_EXEC
>2 byte&0x02 !0 \b, A_PAL
>2 byte&0x04 !0 \b, A_NSYM
>2 byte&0x08 !0 \b, A_STAND
>2 byte&0x40 !0 \b, A_PURE
>2 byte&0x80 !0 \b, A_TOVLY
>28 long !0 \b, not stripped
>37 string .
>>36 string >\0 \b, libc version %s
# 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable
# 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable
# 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable
# 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable
# SYSLINUX boot logo files (from 'ppmtolss16' sources)
# http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename:
# file extension .lss .16
0 lelong =0x1413f33d SYSLINUX' LSS16 image data
# syslinux-4.05/mime/image/x-lss16.xml
!:mime image/x-lss16
>4 leshort x \b, width %d
>6 leshort x \b, height %d
0 string OOOM User-Mode-Linux's Copy-On-Write disk image
>4 belong x version %d
# SE Linux policy database
# From: Mike Frysinger <vapier@gentoo.org>
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons
# Linux Logical Volume Manager (LVM)
# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
#
# System ID, UUID and volume group name are 128 bytes long
# but they should never be full and initialized with zeros...
#
# LVM1
#
0x0 string HM\001 LVM1 (Linux Logical Volume Manager), version 1
!:mime filesystem/lvm
>0x12c string >\0 , System ID: %s
0x0 string HM\002 LVM1 (Linux Logical Volume Manager), version 2
!:mime filesystem/lvm
>0x12c string >\0 , System ID: %s
# LVM2
#
# It seems that the label header can be in one the four first sector
# of the disk... (from _find_labeller in lib/label/label.c of LVM2)
#
# 0x200 seems to be the common case
0x218 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
!:mime filesystem/lvm
# read the offset to add to the start of the header, and the header
# start in 0x200
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
0x018 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
!:mime filesystem/lvm
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
0x418 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
!:mime filesystem/lvm
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
!:mime filesystem/lvm
>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
>>&0xa string >\x2f \b-%.4s
>>&0xe string >\x2f \b-%.4s
>>&0x12 string >\x2f \b-%.4s
>>&0x16 string >\x2f \b-%.4s
>>&0x1a string >\x2f \b-%.6s
>>&0x20 lequad x \b, size: %lld
# LVM snapshot
# from Jason Farrel
0 string SnAp LVM Snapshot (CopyOnWrite store)
!:mime filesystem/lvm-snapshot
>4 lelong !0 - valid,
>4 lelong 0 - invalid,
>8 lelong x version %d,
>12 lelong x chunk_size %d
# SE Linux policy database
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons
# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec
# Anthon van der Neut (anthon@mnt.org)
0 string LUKS\xba\xbe LUKS encrypted file,
!:mime filesystem/luks
>6 beshort x ver %d
>8 string x [%s,
>40 string x %s,
>72 string x %s]
>168 string x UUID: %s
# Summary: Xen saved domain file
# Created by: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
>20 search/256 (name
>>&1 string x (name %s)
# Type: Xen, the virtual machine monitor
# From: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
#>2 regex \(name\ [^)]*\) %s
>20 search/256 (name (name
>>&1 string x %s...)
# Systemd journald files
# See http://www.freedesktop.org/wiki/Software/systemd/journal-files/.
# From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
# check magic
0 string LPKSHHRH
# check that state is one of known values
>16 ubyte&252 0
# check that each half of three unique id128s is non-zero
>>24 ubequad >0
>>>32 ubequad >0
>>>>40 ubequad >0
>>>>>48 ubequad >0
>>>>>>56 ubequad >0
>>>>>>>64 ubequad >0 Journal file
!:mime application/octet-stream
# provide more info
>>>>>>>>184 leqdate 0 empty
>>>>>>>>16 ubyte 0 \b, offline
>>>>>>>>16 ubyte 1 \b, online
>>>>>>>>16 ubyte 2 \b, archived
>>>>>>>>8 ulelong&1 1 \b, sealed
>>>>>>>>12 ulelong&1 1 \b, compressed
# BCache backing and cache devices
# From: Gabriel de Perthuis <g2p.code@gmail.com>
0x1008 lequad 8
>0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache
>>0x1010 ulequad 0 cache device
>>0x1010 ulequad 1 backing device
>>0x1010 ulequad 3 cache device
>>0x1010 ulequad 4 backing device
>>0x1048 string >0 \b, label "%.32s"
>>0x1028 ubelong x \b, uuid %08x
>>0x102c ubeshort x \b-%04x
>>0x102e ubeshort x \b-%04x
>>0x1030 ubeshort x \b-%04x
>>0x1032 ubelong x \b-%08x
>>0x1036 ubeshort x \b%04x
>>0x1038 ubelong x \b, set uuid %08x
>>0x103c ubeshort x \b-%04x
>>0x103e ubeshort x \b-%04x
>>0x1040 ubeshort x \b-%04x
>>0x1042 ubelong x \b-%08x
>>0x1046 ubeshort x \b%04x
# Linux device tree:
# File format description can be found in the Linux kernel sources at
# Documentation/devicetree/booting-without-of.txt
# From Christoph Biedl
0 belong 0xd00dfeed
# structure and strings must be within blob
>&(8.L) byte x
>>&(12.L) byte x
>>>20 belong >1 Device Tree Blob version %d
!:mime linux/device-tree
>>>>4 belong x \b, size=%d
>>>>20 belong >1
>>>>>28 belong x \b, boot CPU=%d
>>>>20 belong >2
>>>>>32 belong x \b, string block size=%d
>>>>20 belong >16
>>>>>36 belong x \b, DT structure block size=%d
# glibc locale archive as defined in glibc locale/locarchive.h
0 lelong 0xde020109 locale archive
>24 lelong x %d strings
# Linux Software RAID (mdadm)
# Russell Coker <russell@coker.com.au>
0 name linuxraid
>16 belong x UUID=%8x:
>20 belong x \b%8x:
>24 belong x \b%8x:
>28 belong x \b%8x
>32 string x name=%s
>72 lelong x level=%d
>92 lelong x disks=%d
!:mime filesystem/software-raid
4096 lelong 0xa92b4efc Linux Software RAID
!:mime filesystem/software-raid
>4100 lelong x version 1.2 (%d)
>4096 use linuxraid
0 lelong 0xa92b4efc Linux Software RAID
!:mime filesystem/software-raid
>4 lelong x version 1.1 (%d)
>0 use linuxraid
# Summary: Database file for mlocate
# Description: A database file as used by mlocate, a fast implementation
# of locate/updatedb. It uses merging to reuse the existing
# database and avoid rereading most of the filesystem. It's
# the default version of locate on Arch Linux (and others).
# File path: /var/lib/mlocate/mlocate.db by default (but configurable)
# Site: https://fedorahosted.org/mlocate/
# Format docs: http://linux.die.net/man/5/mlocate.db
# Type: mlocate database file
# URL: https://fedorahosted.org/mlocate/
# From: Wander Nauta <info@wandernauta.nl>
0 string \0mlocate mlocate database
>12 byte x \b, version %d
>13 byte 1 \b, require visibility
>16 string x \b, root %s
# Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL:
# https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
# From: Pavel Emelyanov <xemul@parallels.com>
0 lelong 0x45311224 iproute2 routes dump
0 lelong 0x47361222 iproute2 addresses dump
# Image and service files for CRIU tool.
# URL: http://criu.org
# From: Pavel Emelyanov <xemul@parallels.com>
0 lelong 0x54564319 CRIU image file v1.1
0 lelong 0x55105940 CRIU service file
0 lelong 0x58313116 CRIU inventory
# Kdump compressed dump files
# http://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION
0 string KDUMP Kdump compressed dump
>8 long x v%d
>12 string >\0 \b, system %s
>77 string >\0 \b, node %s
>142 string >\0 \b, release %s
>207 string >\0 \b, version %s
>272 string >\0 \b, machine %s
>337 string >\0 \b, domain %s
# HP LaserJet 1000 series downloadable firmware file
0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware
# HP Printer Job Language (original from file magic db)
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
#
0 string \033%-12345X@PJL HP Printer Job Language data
!:mime firmware/hp-pjl
>&0 string >\0 %s
>>&0 string >\0 %s
>>>&0 string >\0 %s
>>>>&0 string >\0 %s
#>15 string \ ENTER\ LANGUAGE\ =
#>31 string PostScript PostScript
# HP Update Streams
3 string \x00\x00\x11\x00\x00\x00\x00\x00\x00\xbe\xac HP Update Stream 1
!:mime firmware/hp-us
3 string \x00\x00\x10\x00\x00 HP Update Stream 2
!:mime firmware/hp-us
# DSK 1.0
# Reversed by Fraunhofer FKIE
0 string \x1bDSK1.0 DSK1.0 Image
!:mime firmware/dsk1.0
>0x0C ulelong x \b, payload size: %d bytes
# Extended DSK 1.0
0x0C string \x1bDSK1.0 Extended DSK1.0 Image
!:mime firmware/dsk1.0-extended
>0x18 ulelong x \b, payload size: %d bytes
# PostScript
# Reversed by Fraunhofer FKIE
0 string %!PS Postscript
!:mime text/postscript
>4 string -Adobe Adobe
# RAW data from flash
8 string \xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff RAW
!:strength / 254
!:mime data/raw
# ====================== UEFI ======================
# ASUS CAP
0 string \x8b\xa6\x3c\x4a\x23\x77\xfb\x48\x80 ASUS UEFI Image
!:mime firmware/uefi
# Gigabyte UEFI
0x20000 string \xaa\x55\xaa\x55\x00\x00 GigaByte UEFI Image
!:mime firmware/uefi
# Dell UEFI HDR
0 string PFS\x2eHDR Dell HDR-PFS UEFI Image
!:mime firmware/uefi
0 string \x24TAG\x01\x00\x00\x00\x5D\xc2\x8e\x14 Dell HDR-TAG UEFI Image
!:mime firmware/uefi
# Dell UEFI k
2 string \x6b\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\xe5\x8c\x8c\x3d\x8a\x1c Dell k UEFI Image
!:mime firmware/uefi
# Flash descriptors for Intel SPI flash roms.
# original code from file magic db
# From Dr. Jesus <j@hug.gs>
0 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step
!:mime firmware/uefi
16 lelong 0x0ff0a55a Intel serial flash for PCH ROM
!:mime firmware/uefi
import logging
from pathlib import Path
from typing import Union
import magic
def get_file_type_from_path(file_path: Union[str, Path]) -> dict:
'''
Generate a dict containing full and mime file type from file path.
First it tries to use a custom magic file, then defaults to system magic.
:param binary: bytes
:return: dict
'''
path_string = file_path if isinstance(file_path, str) else str(file_path)
return _get_file_type(path_string, 'from_file')
def get_file_type_from_binary(binary: bytes) -> dict:
'''
Generate a dict containing full and mime file type from bytes object
First it tries to use a custom magic file, then defaults to system magic.
:param binary: bytes
:return: dict
'''
return _get_file_type(binary, 'from_buffer')
def _get_file_type(path_or_binary, function_name):
magic_path = str(Path(__file__).parent / 'bin' / 'custommime.mgc')
magic_wrapper = magic.Magic(magic_file=magic_path, mime=True)
mime = _get_type_from_magic_object(path_or_binary, magic_wrapper, function_name, mime=True)
magic_wrapper = magic.Magic(magic_file=magic_path, mime=False)
full = _get_type_from_magic_object(path_or_binary, magic_wrapper, function_name, mime=False)
if mime == 'application/octet-stream':
mime = _get_type_from_magic_object(path_or_binary, magic, function_name, mime=True)
full = _get_type_from_magic_object(path_or_binary, magic, function_name, mime=False)
return {'mime': mime, 'full': full}
def _get_type_from_magic_object(path_or_binary, magic_object, function_name, mime=True):
try:
if isinstance(magic_object, magic.Magic):
result = getattr(magic_object, function_name)(path_or_binary)
else:
result = getattr(magic_object, function_name)(path_or_binary, mime=mime)
except FileNotFoundError as e:
logging.error('File not found: {}'.format(e))
result = 'error/file-not-found' if mime else 'Error: File not in storage!'
except Exception as exception:
logging.error('Could not determine file type: {} {}'.format(type(exception), str(exception)))
result = 'application/octet-stream' if mime else 'data'
return result
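Review bot: Both `magic.Magic(magic_file=magic_path, ...)` constructions in `_get_file_type` sit outside the try/except in `_get_type_from_magic_object`, so a missing or unloadable `bin/custommime.mgc` will presumably raise out of `get_file_type_from_path` and `get_file_type_from_binary` instead of reaching the system-magic fallback a few lines below. The database is compiled at install time by whatever `file` binary is present, so this is a realistic failure for a library that is handed arbitrary firmware samples; it would be better to log it and fall back. Building the two wrappers once and reusing them would also avoid reloading the database on every call. Separately, the docstring of `get_file_type_from_path` documents `:param binary: bytes` where it should read `:param file_path: str or Path`.

```python
def _get_file_type(path_or_binary, function_name):
    magic_path = str(Path(__file__).parent / 'bin' / 'custommime.mgc')
    try:
        mime_wrapper = magic.Magic(magic_file=magic_path, mime=True)
        full_wrapper = magic.Magic(magic_file=magic_path, mime=False)
    except magic.MagicException as error:
        # Custom database missing or incompatible: force the system-magic fallback below.
        logging.warning('Custom magic database unusable, using system magic: {}'.format(error))
        mime = 'application/octet-stream'
    else:
        mime = _get_type_from_magic_object(path_or_binary, mime_wrapper, function_name, mime=True)
        full = _get_type_from_magic_object(path_or_binary, full_wrapper, function_name, mime=False)
    # … unchanged: system-magic fallback when mime is application/octet-stream, return dict …
```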
#!/usr/bin/env python
import os
from pathlib import Path
from subprocess import Popen, PIPE
from setuptools import setup
MODULE_NAME = 'fact_helper_file'
MIME_DIR = Path(__file__).parent / MODULE_NAME / 'mime'
class OperateInDirectory:
def __init__(self, target_directory: str):
self._current_working_dir = None
self._target_directory = target_directory
def __enter__(self):
self._current_working_dir = os.getcwd()
os.chdir(self._target_directory)
def __exit__(self, *_):
os.chdir(self._current_working_dir)
def execute_shell_command(shell_command):
with Popen(shell_command, shell=True, stdout=PIPE, stderr=PIPE) as pl:
output = pl.communicate()[0].decode('utf-8', errors='replace')
return output, pl.returncode
os.makedirs(str(MIME_DIR.parent / 'bin'), exist_ok=True)
with OperateInDirectory(str(MIME_DIR)):
file_output, file_code = execute_shell_command(
'(cat custom_* > custommime)'
' && file -C -m custommime'
' && mv -f custommime.mgc ../bin/'
' && rm custommime'
)
if file_code != 0:
exit('Failed to properly compile magic file\n{}'.format(file_output))
print('!!!!! \n\n\n !!!!!!')
setup(
name=MODULE_NAME,
version='0.2',
description='Helper functions for file type generation',
author='Johannes vom Dorp',
url='https://github.com/fkie-cad/fact_helper_file',
install_requires=['python-magic'],
python_requires='>=3.5',
packages=[MODULE_NAME, ],
package_data={MODULE_NAME: [str(MIME_DIR.parent / 'bin' / 'custommime.mgc'), ]}
)
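Review bot: The `package_data` entry `str(MIME_DIR.parent / 'bin' / 'custommime.mgc')` is a path from the project root, but setuptools resolves `package_data` patterns relative to the package directory, so the compiled database is probably not shipped with the package; `package_data={MODULE_NAME: ['bin/custommime.mgc']}` names the file the way setuptools expects. The compile step also runs at module level on every `setup.py` invocation, and `execute_shell_command` returns only stdout while stderr is captured and dropped, so the `Failed to properly compile magic file` message will usually be empty; passing `stderr=STDOUT` to `Popen` would keep the diagnostics from `file -C`. The `print('!!!!! \n\n\n !!!!!!')` line looks like leftover debugging output.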