1 2#------------------------------------------------------------ 3# $File: android,v 1.3 2013/11/08 01:24:22 christos Exp $ 4# Various android related magic entries 5#------------------------------------------------------------ 6 7# Dalvik .dex format. http://retrodev.com/android/dexformat.html 8# From <mkf@google.com> "Mike Fleming" 9# Fixed to avoid regexec 17 errors on some dex files 10# From <diff@lookout.com> "Tim Strazzere" 110 string dex\n 12>0 regex dex\n[0-9]{2}\0 Dalvik dex file 13>4 string >000 version %s 140 string dey\n 15>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) 16>4 string >000 version %s 17 18# http://android.stackexchange.com/questions/23357/\ 19# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ 20# 23608#23608 210 string ANDROID\040BACKUP\n Android Backup 22>15 string 1\n \b, version 1 23>17 string 0\n \b, uncompressed 24>17 string 1\n \b, compressed 25>19 string none\n \b, unencrypted 26>19 string AES-256\n \b, encrypted AES-256 27 28# Android bootimg format 29# From https://android.googlesource.com/\ 30# platform/system/core/+/master/mkbootimg/bootimg.h 310 string ANDROID! Android bootimg 32>8 lelong >0 \b, kernel 33>>12 lelong >0 \b (0x%x) 34>16 lelong >0 \b, ramdisk 35>>20 lelong >0 \b (0x%x) 36>24 lelong >0 \b, second stage 37>>28 lelong >0 \b (0x%x) 38>36 lelong >0 \b, page size: %d 39>38 string >0 \b, name: %s 40>64 string >0 \b, cmdline (%s) 41# Dalvik .dex format. http://retrodev.com/android/dexformat.html 42# From <mkf@google.com> "Mike Fleming" 43# Fixed to avoid regexec 17 errors on some dex files 44# From <diff@lookout.com> "Tim Strazzere" 450 string dex\n 46>0 regex dex\n[0-9]{2}\0 Dalvik dex file 47>4 string >000 version %s 480 string dey\n 49>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) 50>4 string >000 version %s 51 52# http://android.stackexchange.com/questions/23357/\ 53# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ 54# 23608#23608 550 string ANDROID\040BACKUP\n Android Backup 56>15 string 1\n \b, version 1 57>17 string 0\n \b, uncompressed 58>17 string 1\n \b, compressed 59>19 string none\n \b, unencrypted 60>19 string AES-256\n \b, encrypted AES-256 61 62# Android bootimg format 63# From https://android.googlesource.com/\ 64# platform/system/core/+/master/mkbootimg/bootimg.h 650 string ANDROID! Android bootimg 66>8 lelong >0 \b, kernel 67>>12 lelong >0 \b (0x%x) 68>16 lelong >0 \b, ramdisk 69>>20 lelong >0 \b (0x%x) 70>24 lelong >0 \b, second stage 71>>28 lelong >0 \b (0x%x) 72>36 lelong >0 \b, page size: %d 73>38 string >0 \b, name: %s 74>64 string >0 \b, cmdline (%s) 75 76# Android Backup archive 77# From: Ariel Shkedi 78# File extension: .ab 79# No mime-type defined 80# URL: https://github.com/android/platform_frameworks_base/blob/\ 81# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ 82# android/server/BackupManagerService.java#L2367 83# After the header comes a tar file 84# If compressed, the entire tar file is compressed with JAVA deflate 85# 86# Include the version number hardcoded with the magic string to avoid 87# false positives 880 string/b ANDROID\ BACKUP\n1\n Android Backup 89>17 string 0\n \b, Not-Compressed 90>17 string 1\n \b, Compressed 91# any string as long as it's not the word none (which is matched below) 92>>19 regex/1 \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) 93>>19 string none\n \b, Not-Encrypted 94# Commented out because they don't seem useful to print 95# (but they are part of the header - the tar file comes after them): 96#>>>&1 regex/1 .* \b, Password salt: %s 97#>>>>&1 regex/1 .* \b, Master salt: %s 98#>>>>>&1 regex/1 .* \b, PBKDF2 rounds: %s 99#>>>>>>&1 regex/1 .* \b, IV: %s 100#>>>>>>>&1 regex/1 .* \b, Key: %s 101