aboutsummaryrefslogtreecommitdiff
path: root/contrib/file/magic/Magdir/linux
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/file/magic/Magdir/linux')
-rw-r--r--contrib/file/magic/Magdir/linux543
1 files changed, 488 insertions, 55 deletions
diff --git a/contrib/file/magic/Magdir/linux b/contrib/file/magic/Magdir/linux
index 0405f778aa35..16aadca87d1a 100644
--- a/contrib/file/magic/Magdir/linux
+++ b/contrib/file/magic/Magdir/linux
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: linux,v 1.80 2022/03/24 15:48:58 christos Exp $
+# $File: linux,v 1.91 2024/11/09 21:15:48 christos Exp $
# linux: file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
@@ -67,8 +67,8 @@
>16 lelong x %d characters,
>12 lelong&0x01 0 no directory,
>12 lelong&0x01 !0 Unicode directory,
->24 lelong x %d
->28 lelong x \bx%d
+>28 lelong x %d
+>24 lelong x \bx%d
# Linux swap and hibernate files
# Linux kernel: include/linux/swap.h
@@ -137,34 +137,230 @@
# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolas Lichtmaier <nick@debian.org>
-# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
+# and Joerg Jenderek [unifying + more kernel info]
+# many start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
+# by assembler instructions like: movw $0x07c0,%ax; movw %ax,%ds; movw $0x9000,%ax; movw %ax,%es; movw $0x0001,%cx; subw %si,%si; subw
# Linux kernel boot images (i386 arch) (Wolfram Kleff)
# URL: https://www.kernel.org/doc/Documentation/x86/boot.txt
514 string HdrS Linux kernel
+# to display Linux kernel (strength=125=70+55) after VBR boot sector (130=70+60) but before DOS/MBR IPL (115=50+65), MBR boot sector (105=40+65) via ./filesystem
+# before MZ PE32 executable (EFI application) (strength=50) and before DOS executable (COM) (strength=40) with start instruction 0xe9 via ./msdos
!:strength + 55
# often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes
# Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin
# DamnSmallLinux 1.5 damnsmll.lnx
+#!:mime application/octet-stream
+!:mime application/x-linux-kernel
!:ext /dat/bin/lnx
+# GRR: does there exist here samples without 55AA boot signature? I believe NO (Joerg Jenderek)
>510 leshort 0xAA55 x86 boot executable
+>>0 use kernel-info
+# show information about Linux kernel (root, swap device, vga modus, boot protocol, setup size, init_size, EFI entry point)
+0 name kernel-info
+# like: plpbtrom.bin
+# After 16 bit jump instruction Hi, are you searching something? This is the Plop Boot Manager written by Elmar Hanlhofer http?://www.plop.at
+>48 string Plop\040Boot\040Manager from PLOP Boot Manager
+# dummy test below 512 limit (for LILO 24.2 bootsect.b) to get same magic indention level like in v 1.85
+# and display comma before zImage/bzImage or version
+>498 leshort x \b,
+# boot protocol option flags valid since boot protocol >= 2.00
>>518 leshort >0x1ff
->>>529 byte 0 zImage,
->>>529 byte 1 bzImage,
->>>526 lelong >0
+# loadflags bit 0 (read); LOADED_HIGH; if 0, the protected-mode code is loaded at 0x10000
+>>>529 ubyte&0x01 0 zImage,
+# loadflags bit 0 (read); LOADED_HIGH; if 1, the protected-mode code is loaded at 0x100000; that implies is_bzImage
+>>>529 ubyte&0x01 1 bzImage,
+# kernel_version; since protocol 2.00 if not zero 2 byte pointer to kernel version string -200h; should be < 200h*setup_sects
+# 0h (ldntldr.bin plpbtrom.bin) 260h (memtest32.bin memtest64.bin) 3b0h (memdisk16.bin) 890h (damnsmll.lnx) 3400h (linux64) 3640h (linux)
+#>>>526 uleshort x kernel_version=%#4.4x
+>>>526 uleshort >0
+# GRR: \353fHdrS\003\002 wrong shown if kernel_version=0 like in ldntldr.bin (GRUB for DOS)
>>>>(526.s+0x200) string >\0 version %s,
+# 498 MasterBootRecord 4th partition entry partition type (0~empty 1~FAT12) done by ./filesystems
+# 499 MasterBootRecord 4th partition entry end heads done by ./filesystems
+# root_flags; if set (=1), the root is mounted readonly; deprecated, use the "ro" or "rw" option on the command line instead
+#>>498 uleshort >1 root_flags=%u
>>498 leshort 1 RO-rootFS,
>>498 leshort 0 RW-rootFS,
+# root_dev; default root device number like 0 301h (/dev/hda1 damnsmll.lnx) 380h (/dev/hd?? linux-elks); deprecated and replaced by command line option root=
>>508 leshort >0 root_dev %#X,
->>502 leshort >0 swap_dev %#X,
+# since protocol 2.04 the 2 upper bytes of long syssize and not swap_dev any more
+>>518 uleshort <0x204
+# 502-505 MasterBootRecord 4th partition entry 1st LBA sector done by ./filesystems
+>>>502 leshort >0 swap_dev %#X,
>>504 leshort >0 RAMdisksize %u KB,
+# 506-509 MasterBootRecord 4th partition entry sectors in partition done by ./filesystems
>>506 leshort 0xFFFF Normal VGA
>>506 leshort 0xFFFE Extended VGA
>>506 leshort 0xFFFD Prompt for Videomode
>>506 leshort >0 Video mode %d
+# more kernel information added by Joerg Jenderek 2023
+# if needed display comma after video mode and before setup_sects
+>>506 leshort >-4
+>>>506 leshort !0 \b,
+# setup_sects; if field contains 0, the real value is 4; size of the setup in sectors like:
+# 0 (memdisk16.bin) 1 (ldntldr.bin) 2 (memtest32.bin memtest64.bin) 4 (plpbtrom.bin linux-elks) 8 (bootsect.b) 10 (damnsmll.lnx) 25 27 (linux64) 29 30 31 33 (linux)
+# MasterBootRecord 4th partition entry start cylinder bits 0-7 done by ./filesystems
+>>497 ubyte !0 setup size 512*%u
+>>497 ubyte =0 setup size 512*4 (not 0)
+# 500 MasterBootRecord 4th partition entry end sectors+cylinder bits 8-9 done by ./filesystems
+# 501 MasterBootRecord 4th partition entry end cylinder bits 0-7 done by ./filesystems
+# syssize; 32-bit code size in 16-byte paragraphs; since protocol 2.04 long before unreliable short
+>>518 uleshort <0x204 \b,
+# 0 (ldntldr.bin) 0 (memdisk16.bin) f180h (damnsmll.lnx)
+>>>500 uleshort x syssize %#x
+>>518 uleshort >0x203 \b,
+# 0 (plpbtrom.bin) 1270h (linux-elks) 217eh (memtest32.bin) 22deh (memtest64.bin) 2c01h (memtest86+.bin) 459c6h (linux misinterpreted as swap_dev 0X4) 70c32h (linux64 misinterpreted as swap_dev 0X7)
+>>>500 ulelong x syssize %#x
+# jump; jump instruction relative to byte 0x202
+>>512 ubyte =0xEB \b, jump
+# jump adress like: 0x230 (damnsmll.lnx) 0x240 (memdisk16.bin) 0x268 (memtest32.bin memtest64.bin ldntldr.bin linux AFTER handover offset) 0x26c (linux64)
+>>>513 byte+2 x 0x2%2.2x
+# next instruction like:
+# b800088ec00fb60e mov ax,0x0800; mov es,ax; movzx cx,byte [] memdisk16.bin
+# 8cc88ed88ec0e88b00 movw %cs,%ax; movw %ax,%ds; movw %ax,%es; call get_mem_info memtest32.bin
+# 8cc88ed88ec0e88b00 movw %cs,%ax; movw %ax,%ds; movw %ax,%es; call get_mem_info memtest64.bin
+>>>(513.b+514) ubequad x %#16.16llx instruction
+# without jump instruction like: 0 (bootsect-lilo-24.2.b EOF!) 0xb8 (mov linux-elks) 0xfa (cli memtest86+.bin)
+>>512 ubyte !0xEB \b, at 0x200 %#x instruction
+# boot protocol version field valid since version >= 2.00 which is indicated by HdrS magic
+# so skip memtest86+.bin with misinterpreted protocol 144.0 (0x9000)
+>>514 string HdrS \b,
+# Boot protocol version; 2.3 (ldntldr.bin damnsmll.lnx) 2.6 (plpbtrom.bin) 2.10 2.11 (linux) 2.12 (memtest32.bin) 2.13 2.15 (linux64)
+>>>519 ubyte x protocol %u
+>>>518 ubyte x \b.%u
+# boot protocol in hexadecimal needed for addtional tests
+#>>>518 uleshort x (%#4.4x)
+# type_of_loader; Boot loader identifier; filled out by the bootloader
+>>>528 ubyte >0 \b, loader %#x
+# loadflags; boot protocol option flags
+#>>>529 ubyte x loadflags=%#x
+# loadflags bit 1 (kernel internal); KASLR_FLAG KASLR status to kernel
+>>>529 ubyte&0x02 !0 \b, KASLR enabled
+# loadflags bit 5 (write); QUIET_FLAG
+>>>529 ubyte&0x20 !0 \b, quiet
+# loadflags bit 6 (write) since boot protocal version >= 2.07; KEEP_SEGMENTS
+>>>518 uleshort >0x206
+>>>>529 ubyte&0x40 !0 \b, keep segments
+# loadflags bit 7 (write); CAN_USE_HEAP
+>>>529 ubyte&0x80 !0 \b, can use heap
+# payload_offset; since boot protocol 2.08 if non-zero contains offset of the protected-mode code to the payload like: cdh (linux) 40dh (linux64)
+>>>518 uleshort >0x207
+>>>>584 ulelong >0 \b, from protected-mode code at offset %#x
+# payload_length; since boot protocol 2.08 the length of the payload like: 452c41h (linux) 6fb644h (linux64)
+>>>>>588 ulelong x %#x bytes
+# jump setup size sectors a 512 bytes from kernel beginning
+>>>>>(497.b*512) ubequad x
+#>>>>>(497.b*512) ubequad x 512BYTES_BEFORE_PROTECTED-MODE_CODE=%#16.16llx
+# jump payload_offset bytes + 512 bytes (for boot sector) - 8 (ubequad length) to payload start
+#>>>>>>&(584.l+504) ubeshort x PAYLOAD=%#4.4x
+# supported compression formats are gzip (magic numbers 1F8B or 1F9E linux) bzip2 (425A), LZMA (5D00 linux64), XZ (FD37) LZ4 (0221) ZST v0.8+ (28B5)
+>>>>>>&(584.l+504) ubeshort =0x1F8B gzip compressed
+>>>>>>&(584.l+504) ubeshort =0x1F9E gzip compressed
+>>>>>>&(584.l+504) ubeshort =0x425A bzip2 compressed
+>>>>>>&(584.l+504) ubeshort =0x5D00 LZMA compressed
+>>>>>>&(584.l+504) ubeshort =0xFD37 XZ compressed
+>>>>>>&(584.l+504) ubeshort =0x0221 LZ4 compressed
+>>>>>>&(584.l+504) ubeshort =0x28B5 ZST compressed
+# TODO: handle compressed data by ./compress; difficulties with leading space and duplicate gzip compressed
+#>>>>>>&(584.l+504) indirect x COMPRESS_NOT_WORKING
+# setup_move_size; for protocol 2.00-2.01; bytes starting with the beginning of the boot sector
+# like: 0 (ldntldr.bin memdisk16.bin memtest32.bin memtest64.bin plpbtrom.bin) 8000h (damnsmll.lnx linux linux64)
+>>>518 uleshort <0x202
+>>>>518 uleshort >0x1FF
+>>>>530 uleshort x \b, setup_move_size %#4.4x
+# code32_start; address to jump to in protected mode like: 100000h (linux linux64 memtest32.bin memtest64.bin)
+#>>>>532 ulelong >0 \b, code32_start %#x
+# kernel_alignment; since boot protocol 2.05 alignment unit required by the kernel (if relocatable_kernel is true) like: 0 (plptrom.bin) 1000h (memtest32.bin memtest64.bin) 200000h (linux) 1000000h (linux64)
+#>>>518 uleshort >0x204
+#>>>>560 ulelong x \b, kernel_alignment %#x
+# relocatable_kernel; since boot protocol 2.05 the protected-mode part of the kernel can be loaded at any address if this field is nonzero
+>>>518 uleshort >0x204
+>>>>564 ubyte =1 \b, relocatable
+#>>>>564 ubyte x \b, relocatable_kernel=%u
+# min_alignment; since boot protocol 2.10 if nonzero, indicates as a power of two the minimum alignment required like: 12 (4 KB memtest32.bin memtest64.bin) 13 (8 KB linux) 21 (2 MB linux64)
+#>>>518 uleshort >0x209
+#>>>>565 ubyte >0 \b, min_alignment %u
+# xloadflags; since boot protocol 2.12 like: 3fh (linux64 unexpected value) 4h(memtest32.bin) 9h(memtest64.bin)
+>>>518 uleshort >0x20B
+#>>>>566 uleshort x \b, xloadflags=%#4.4x
+# handover_offset; offset from beginning of kernel image to EFI handover protocol entry point like:
+# 0 (damnsmll.lnx ldntldr.bin) 10h (memtest32.bin memtest64.bin) 30h (linux) 190h (linux64) 8e9000b8h (plpbtrom.bin INVALID!)
+# this value makes only sense when 32 or 64-bit EFI handoff entry point
+>>>>566 uleshort&0x000C !0 \b, handover offset
+>>>>>612 ulelong x %#x
+# Bit 0 XLF_KERNEL_64; if 1, this kernel has the legacy 64-bit entry point at 0x200
+>>>>566 uleshort&0x0001 !0 \b, legacy 64-bit entry point
+# Bit 1 XLF_CAN_BE_LOADED_ABOVE_4G; if 1, kernel/boot_params/cmdline/ramdisk can be above 4G
+>>>>566 uleshort&0x0002 !0 \b, can be above 4G
+# Bit 2 XLF_EFI_HANDOVER_32; if 1, the kernel supports the 32-bit EFI handoff entry point
+>>>>566 uleshort&0x0004 !0 \b, 32-bit EFI handoff entry point
+# Bit 3 XLF_EFI_HANDOVER_64; if 1, the kernel supports the 64-bit EFI handoff entry point
+>>>>566 uleshort&0x0008 !0 \b, 64-bit EFI handoff entry point
+# Bit 4 EFI_KEXEC; if 1, the kernel supports kexec EFI boot with EFI runtime support
+>>>>566 uleshort&0x0010 !0 \b, EFI kexec boot support
+# GRR: What does bit 5 mean?
+>>>>566 uleshort&0x0020 !0 \b, xloadflags bit 5
+# cmdline_size; since boot protocol 2.06 maximum size of the kernel command line like: 255 (memtest32.bin memtest64.bin) 2047 (linux linux64 plpbtrom); version <= 2.06 maximum was 255
+>>>518 uleshort >0x205
+>>>>568 ulelong x \b, max cmdline size %u
+# hardware_subarch; since boot protocol 2.07 hardware subarchtecture like: 0~default x86 1~lguest 2~Xen 3~Moorestown 4~CE4100 TV
+>>>518 uleshort >0x206
+>>>>572 ulelong >0 \b, hardware_subarch %u
+# hardware_subarch_data; since boot protocol 2.07 pointer to data specific for hardware subarch; unused for default x86
+>>>>>576 ulequad >0 \b, hardware_subarch_data %#llx
+# setup_data; since boot protocol 2.09 64-bit physical pointer to NULL terminated single linked list of struct setup_data
+>>>518 uleshort >0x208
+>>>>592 ulequad >0 \b, setup_data %16.16llx
+# pref_address; since boot protocol 2.10 if nonzero preferred load address for kernel like: 100000h (memtest32.bin memtest64.bin) 200000h (linux) 1000000h (linux64)
+#>>>518 uleshort >0x209
+#>>>>600 ulequad >0 \b, pref_address %#llx
+# init_size; since boot protocol 2.10 indicates amount of contiguous memory kernel needs before it is capable of examining its memory map
+# like: 0h (damnsmll.lnx) 687f8h (memtest32.bin) 6acf8h (memtest64.bin) aa3000h (linux) 2514000h (linux64) 67ea0000h (memdisk16.bin INVALID) a4f3f2ffh (plpbtrom.bin INVALID) ffffff80h (ldntldr.bin INVALID)
+>>>518 uleshort >0x209
+>>>>608 ulelong x \b, init_size %#x
# This also matches new kernels, which were caught above by "HdrS".
-0 belong 0xb8c0078e Linux kernel
+# but also few samples without "HdrS" magic like: bootsect-lilo-24.2.b linux-elks memtest86+.bin
+# URL: https://tldp.org/HOWTO/Linux-i386-Boot-Code-HOWTO/bootsect.html
+#0 belong 0xb8c0078e Linux kernel
+0 belong 0xb8c0078e
+# to display Linux x86 kernel or Linux ELKS Kernel (strength=70=70+0) after VBR boot sector (130=70+60) DOS/MBR IPL (115=50+65), MBR boot sector (105=40+65) via ./filesystem
+#!:strength +0
+# "newer" kernel (with HdrS magic) already done before
+>514 string HdrS
+# so handle "old" kernel variant (without HdrS magic)
+>514 default x Linux
+#!:mime application/octet-stream
+!:mime application/x-linux-kernel
+# GRR: in file 5.45 remaining default clause not working for samples with size = 512 like LILO 24.2 bootsect.b
+>>0 belong x
+# ELKS kernel variant is now unified with other "old" kernel variant (without HdrS magic)
+>>0x1e6 belong =0x454c4b53 ELKS Kernel
+!:ext /
+# "old" kernel variant and not ELKS
+>>0x1e6 belong !0x454c4b53 x86 kernel
+!:ext /b/bin
+# show kernel version information based on "Loading" message offset
+>>0 use kernel-version-old1
+# unified "old" variant with start instruction \xb8\xc0\x07\x8e\xd8\xb8\x00\x90
+>>4 string \xd8\xb8\x00\x90
+# show kernel version information part 2 for "old" kernel variant (without HdrS magic) based on new HdrS field
+>>>0 use kernel-version-old2
+# show kernel version information part 3 for "old" kernel variant (without HdrS magic) based on new HdrS field
+>>>0 use kernel-version-old3
+# show common kernel information
+>>0 use kernel-info
+# show kernel version information part 1 for "old" kernel variant (without HdrS magic) based on "Loading" message offset
+0 name kernel-version-old1
>0x1e3 string Loading version 1.3.79 or older
>0x1e9 string Loading from prehistoric times
+# LILO 24.2-5.1 bootsect.b
+>0x1c5 string Loading from LILO 24.2
+# Memtest86 5.31b memtest86+.bin
+>0x1d2 string Loading from Memtest86 5.31b
+# DamnSmallLinux kernel version 2.4.26 damnsmll.lnx not needed because done by kernel_version pointer
+#>0x1cb string Loading damnsmll.lnx 2.4.26~
+# Memtest86+ v6.20 memtest32.bin not needed because done by kernel_version pointer
+#>0x1c6 string Loading\040Memtest86+ from Memtest86+ v6.20
# System.map files - Nicolas Lichtmaier <nick@debian.org>
8 search/1 \ A\ _text Linux kernel symbol map text
@@ -183,13 +379,37 @@
############################################################################
# Linux kernel versions
-0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
+# apply only to "old" kernel variant (without HdrS magic) like damnsmll.lnx memtest86+.bin
+# wrong (497 setup_sects 498 root_flags) and now already done by 1st unified "old" kernel variant
+#0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
+0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90foo OLD_VARIANT Linux
>497 leshort 0 x86 boot sector
+>>0 use kernel-version-old2
+>497 leshort !0 x86 kernel
+# not needed any more because information is now shown by common kernel-info with other phrases
+>>0 use kernel-info-old
+# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field
+>>0 use kernel-version-old3
+>>0 use kernel-version-4
+# version information part 2 for "old" kernel variant (without HdrS magic) based on new HdrS field
+0 name kernel-version-old2
+# dummy test to get same magic indention level like in v 1.85
+>518 leshort x
>>514 belong 0x8e of a kernel from the dawn of time!
>>514 belong 0x908ed8b4 version 0.99-1.1.42
>>514 belong 0x908ed8b8 for memtest86
-
+# dummy test function to get same magic indention level like in v 1.85
+0 name kernel-version-dummy
>497 leshort !0 x86 kernel
+# not needed any more because information is now shown by kernel-info
+#>0 use kernel-info-old
+>>0 use kernel-info
+# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field
+>0 use kernel-version-old3
+# deprecated because same information is shown by kernel-info with other phrases
+0 name kernel-info-old
+# dummy test to get same magic indention level like in v 1.85
+>504 leshort x
>>504 leshort >0 RAMdisksize=%u KB
>>502 leshort >0 swap=%#X
>>508 leshort >0 root=%#X
@@ -199,6 +419,10 @@
>>506 leshort 0xFFFE vga=extended
>>506 leshort 0xFFFD vga=ask
>>506 leshort >0 vga=%d
+# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field
+0 name kernel-version-old3
+# dummy test to get same magic indention level like in v 1.85
+>514 belong x
>>514 belong 0x908ed881 version 1.1.43-1.1.45
>>514 belong 0x15b281cd
>>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0
@@ -207,16 +431,27 @@
>>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41
>>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45
>>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72
+# show kernel version information part 4 for kernel variant (with HdrS magic) based on "HdrS" field
+# not needed any more because information is now shown by common kernel-info
+0 name kernel-version-4
+# dummy test to get same magic indention level like in v 1.85
+>518 leshort x
>>514 string HdrS
>>>518 leshort >0x1FF
>>>>529 byte 0 \b, zImage
>>>>529 byte 1 \b, bzImage
+# GRR: Not valid if kernel_version=0
>>>>(526.s+0x200) string >\0 \b, version %s
# Linux boot sector thefts.
-0 belong 0xb8c0078e Linux
->0x1e6 belong 0x454c4b53 ELKS Kernel
->0x1e6 belong !0x454c4b53 style boot sector
+# ELKS kernel variant is now unified with above "old" kernel variant (without HdrS magic)
+#0 belong 0xb8c0078e Linux
+# display "Linux ELKS Kernel" or "Linux style boot sector" (strength=70) after DOS/MBR IPL (115=50+65) and MBR boot sector (105=40+65) via ./filesystem
+#!:strength +0
+# https://en.wikipedia.org/wiki/Embeddable_Linux_Kernel_Subset
+# https://github.com/jbruchon/elks/releases/download/v0.6.0/fd2880-fat.img/linux
+#>0x1e6 belong 0x454c4b53 ELKS Kernel
+#>0x1e6 belong !0x454c4b53 style boot sector
############################################################################
# Linux S390 kernel image
@@ -238,16 +473,44 @@
# Linux ARM compressed kernel image
# From: Kevin Cernekee <cernekee@gmail.com>
# Update: Joerg Jenderek
+# Update: Luke T. Shumaker
+0 name arm-zimage
+# Version indicators
+>0x34 lelong 0x45454545 (kernel >=v4.15)
+>0x34 lelong !0x45454545
+>>0x30 clear x
+>>0x30 belong 0x04030201 (kernel >=v3.17, <v4.15)
+>>0x30 lelong 0x04030201 (kernel >=v3.17, <v4.15)
+>>0x30 default x (kernel <v3.17)
+# Endianness indicators
+#
+# The kernel has 3 endianness modes: little-endian, and 2 variants of
+# big-endian: BE-32 (ARMv5) and BE-8 (ARMv6+).
+#
+# In kernels <v3.17:
+# - the 0x016f2818 @ 0x24 magic number indicates big-endian or
+# little-endian (can't distinguish between BE-8 and BE-32)
+# In kernels >=v3.17:
+# - a new 0x04030201 @ 0x30 magic number indicates big-endian or
+# little-endian, but doesn't distinguish between BE-8 and BE-32
+# - the old 0x016f2818 @ 0x24 magic number is little-endian for
+# LE *and* BE-8, or big-endian for BE-32
+#
+# >=v3.17
+>0x30 clear x
+>0x30 belong 0x04030201 (big-endian,
+>>0x24 belong 0x016f2818 BE-32, ARMv5)
+>>0x24 lelong 0x016f2818 BE-8, ARMv6+)
+>0x30 lelong 0x04030201 (little-endian)
+# <v3.17
+>0x30 default x
+>>0x24 lelong 0x016f2818 (little-endian)
+>>0x24 belong 0x016f2818 (big-endian)
+
0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage
-# There are three possible situations: LE, BE with LE bootloader and pure BE.
-# In order to aid telling these apart a new endian flag was added. In order
-# to support kernels before the flag and BE with LE bootloader was added we'll
-# do a negative check against the BE variant of the flag when we see a LE magic.
->0x30 belong !0x04030201 (little-endian)
-# raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
-!:ext img/bin
->0x30 belong 0x04030201 (big-endian)
-0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
+>0 use arm-zimage
+0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage
+>0 use arm-zimage
############################################################################
# Linux AARCH64 kernel image
@@ -259,6 +522,12 @@
>0x18 lelong &6 \b, 32K pages
############################################################################
+# Linux RISC-V kernel image
+0x38 string RSC\05 Linux kernel RISC-V boot executable Image
+>0x18 lelong ^1 \b, little-endian
+>0x18 lelong &1 \b, big-endian
+
+############################################################################
# Linux 8086 executable
0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
>5 string .
@@ -357,59 +626,105 @@
>8 lelong x version %d,
>12 lelong x chunk_size %d
-# SE Linux policy database
-0 lelong 0xf97cff8c SE Linux policy
->16 lelong x v%d
->20 lelong 1 MLS
->24 lelong x %d symbols
->28 lelong x %d ocons
-
-# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec
-# Anthon van der Neut (anthon@mnt.org)
-0 string LUKS\xba\xbe LUKS encrypted file,
->6 beshort x ver %d
->8 string x [%s,
->40 string x %s,
->72 string x %s]
->168 string x UUID: %s
-
-
# Summary: Xen saved domain file
# Created by: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
>20 search/256 (name
>>&1 string x (name %s)
-# Type: Xen, the virtual machine monitor
-# From: Radek Vokal <rvokal@redhat.com>
-0 string LinuxGuestRecord Xen saved domain
-#>2 regex \(name\ [^)]*\) %s
->20 search/256 (name (name
->>&1 string x %s...)
-
# Systemd journald files
# See https://www.freedesktop.org/wiki/Software/systemd/journal-files/.
# From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
-
-# check magic
+# Update: Joerg Jenderek
+# URL: https://systemd.io/JOURNAL_FILE_FORMAT/
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml
+# Note: called "systemd journal" by TrID
+# verified by `journalctl --file=user-1000.journal`
+# check magic signature[8]
0 string LPKSHHRH
# check that state is one of known values
+# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2
>16 ubyte&252 0
# check that each half of three unique id128s is non-zero
+# file_id
>>24 ubequad >0
>>>32 ubequad >0
+# machine_id
>>>>40 ubequad >0
>>>>>48 ubequad >0
+# boot_id; last writer
>>>>>>56 ubequad >0
>>>>>>>64 ubequad >0 Journal file
-!:mime application/octet-stream
+#!:mime application/octet-stream
+!:mime application/x-linux-journal
# provide more info
+# head_entry_realtime; contains a POSIX timestamp stored in microseconds
+>>>>>>>>184 leqdate/1000000 !0 \b, %s
>>>>>>>>184 leqdate 0 empty
->>>>>>>>16 ubyte 0 \b, offline
->>>>>>>>16 ubyte 1 \b, online
+# If a file is closed after writing the state field should be set to STATE_OFFLINE
+>>>>>>>>16 ubyte 0 \b,
+# for offline and empty only journal~ extension found
+>>>>>>>>>184 leqdate 0 offline
+# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html
+# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like:
+# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~'
+!:ext journal~
+# for offline and non empty often *.journal~ but also user-1001.journal
+>>>>>>>>>184 leqdate !0 offline
+!:ext journal/journal~
+# if a file is opened for writing the state field should be set to STATE_ONLINE
+>>>>>>>>16 ubyte 1 \b,
+# for online and empty only journal~ extension found
+>>>>>>>>>184 leqdate 0 online
+# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~
+!:ext journal~
+# for online and non empty only journal extension found
+>>>>>>>>>184 leqdate !0 online
+# system.journal user-1000.journal
+!:ext journal
+# after a file has been rotated it should be set to STATE_ARCHIVED
>>>>>>>>16 ubyte 2 \b, archived
+!:ext journal
+# no *.journal~ found
+#!:ext journal/journal~
+# compatible_flags
>>>>>>>>8 ulelong&1 1 \b, sealed
+# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16
+#>>>>>>>>12 ulelong x FLAGS=%#x
>>>>>>>>12 ulelong&1 1 \b, compressed
+>>>>>>>>12 ulelong&2 !0 \b, compressed lz4
+>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24
+>>>>>>>>12 ulelong&8 !0 \b, compressed zstd
+>>>>>>>>12 ulelong&16 !0 \b, compact
+# uint8_t reserved[7]; apparently nil
+#>>17 long !0 \b, reserved %#8.8x
+# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6
+#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx
+#>>>>>>>>80 ubequad x b%16.16llx
+# header_size like: 100h
+>>>>>>>>88 ulequad !0x100h \b, header size %#llx
+# arena_size like: 0 7fff00h ffff00h 17fff00h
+#>>>>>>>>96 ulequad >0 \b, arena size %#llx
+# data_hash_table_offset like: 0 15f0h 15f0h
+#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx
+# data_hash_table_size like: 0 38e380h
+#>>>>>>>>112 ulequad >0 \b, hash table size %#llx
+# field_hash_table_offset like: 0 110h
+#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx
+# field_hash_table_size like: 0 14d0h
+#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx
+# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h
+#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx
+# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh
+#>>>>>>>>144 ulequad >0 \b, objects %#llx
+# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h
+>>>>>>>>152 ulequad >0 \b, entries %#llx
+# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh
+#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx
+# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah
+#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx
+# entry_array_offset like: 0 390058h 3909d8h 3909e0h
+#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx
# BCache backing and cache devices
# From: Gabriel de Perthuis <g2p.code@gmail.com>
@@ -481,12 +796,90 @@
# Site: https://fedorahosted.org/mlocate/
# Format docs: https://linux.die.net/man/5/mlocate.db
# Type: mlocate database file
+# URL: https://en.wikipedia.org/wiki/Locate_(Unix)
# URL: https://fedorahosted.org/mlocate/
# From: Wander Nauta <info@wandernauta.nl>
+# Update: Joerg Jenderek
0 string \0mlocate mlocate database
->12 byte x \b, version %d
+#!:mime application/octet-stream
+!:mime application/x-mlocate
+# default mlocate.db if not overriden with --output option of updatedb
+!:ext db
+# at the moment value is 0; a higher version will probably not occur, because mlocate is now often replaced by plocate
+>12 byte !0 \b, version %d
+# configured with -l option of updatedb
>13 byte 1 \b, require visibility
+# 2 byte pad for 32-bit total alignment
+#>14 short !0 \b, padding %#x
+# standard is 1 byte / if not overriden with --database-root option of updatedb
>16 string x \b, root %s
+# 1st variable name nil terminated like: prune_bind_mounts
+>>&1 string x \b, 1st variable %s
+# 1st variable value like: 0 1
+>>>&1 string x \b=%s
+# configuration block size in big endian like: 82 85 174 181 185 483 491 496 497 556 600
+>8 ubelong x \b, configuration size %u
+
+# URL: https://plocate.sesse.net/
+# Reference: https://plocate.sesse.net/download/plocate-1.1.19.tar.gz
+# plocate-1.1.19/db.h
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/db-plocate.trid.xml
+# Note: called "plocate database" by TrID
+# magic[8]
+0 string \0plocate plocate database
+#!:mime application/octet-stream
+!:mime application/x-plocate
+# default /var/lib/plocate/plocate.db if not overriden with --output option of updatedb.plocate
+!:ext db
+# version; 2 is the current version
+>8 ulelong !1 \b, version %u
+# hashtable_size; like 1 (for "empty" samples) 1b5c3h
+#>12 ulelong >1 \b, hash table size %#x
+# extra_ht_slots; like: 10h
+>16 ulelong !0x10 \b, extra_ht_slots %#x
+# num_docids; like 0 (for "empty" samples) a132h
+>20 ulelong >0 \b, num_docids %u
+# hash_table_offset_bytes; 78h (for "empty" samples) afdf99h
+#>24 ulequad !0x78 \b, hash table offset %#llx
+# filename_index_offset_bytes; 70h (for "empty" samples) aad571h
+#>32 ulequad !0x70 \b, filename index offset %#llx
+# version 1 and up only
+>8 ulelong >0
+# max_version; nominally 1 or 2 but can be increased if more features are added in a backward-compatible way
+>>40 ulelong !2 \b, max version %u
+# zstd_dictionary_length_bytes; 0 (for "empty" samples) 400h
+>>44 ulelong !0 \b, at %#x
+# zstd_dictionary_offset_bytes; 0 (for "empty" samples) 70h
+>>48 ulequad >0 \b+%#llx
+# jump to beginning of zstd dictionary
+>>>(48.q) ubequad x
+# jump realative zstd dictionary length bytes - 8 (quad length) forward to ZST data beginning
+#>>>>&(44.l-8) ubelong x ZST=%8.8x
+>>>>&(44.l-8) ubelong x
+# print 1 space char after zstd_dictionary_offset and then handles Zstandard compressed data by ./compress
+# to get phrase like "at 0x400+0x70 Zstandard compressed data (v0.8+)"
+>>>>>&-4 indirect x \b
+# only if max_version >= 2 and only relevant for updatedb
+>40 ulelong >1
+# directory_data_length_byte
+#>>56 ulequad x \b, directory data length %#llx
+# directory_data_offset_bytes;
+#>>64 ulequad x offset %#llx
+# next_zstd_dictionary_length_bytes; 0 (for "empty" samples) 400h
+>>72 ulequad >0 \b, next zstd dictionary length %#llx
+# next_zstd_dictionary_offset_bytes; 0 (for "empty" samples) 14b9cb8h
+>>>80 ulequad >0 offset %#llx
+# conf_block_length_bytes like; 65 147 148 151 152 452 537 540 543
+>>88 ulequad x \b, configuration size %llu
+# conf_block_offset_bytes; 1a1h (for "empty" samples) 14ba0b8h
+>>96 ulequad >0 \b, at %#llx 1st variable
+# 1st variable name nil terminated like: prune_bind_mounts
+>>>(96.q) string x %s
+# 1st variable value nil terminated like: 0 1
+>>>>&1 string x \b=%s
+# bool check_visibility; 0 or 1 configured with -l option of updatedb.plocate
+>>104 ubyte 1 \b, require visibility
+#>>104 ubyte x \b, check_visibility %#x
# Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL:
# https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
@@ -502,9 +895,12 @@
0 lelong 0x58313116 CRIU inventory
# Kdump compressed dump files
-# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION
+# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION
+
+0 string KDUMP\x20\x20\x20 Kdump compressed dump
+>0 use kdump-compressed-dump
-0 string KDUMP Kdump compressed dump
+0 name kdump-compressed-dump
>8 long x v%d
>12 string >\0 \b, system %s
>77 string >\0 \b, node %s
@@ -513,6 +909,12 @@
>272 string >\0 \b, machine %s
>337 string >\0 \b, domain %s
+# Flattened format
+0 string makedumpfile
+>16 bequad 1
+>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump
+>>>0x1010 use kdump-compressed-dump
+
# Device Tree files
0 search/1024 /dts-v1/ Device Tree File (v1)
# beat c code
@@ -535,3 +937,34 @@
>&0 regex [0-9]+\\.[0-9]+ \b, version %s
>>&0 string ;
>>>&0 regex [A-Z0-9]+ \b, encryption %s
+
+# From: Joerg Jenderek
+# URL: https://www.gnu.org/software/grub
+# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz
+# grub-2.06/include/grub/keyboard_layouts.h
+# grub-2.06/grub-core/commands/keylayouts.c
+# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC
+0 string GRUBLAYO GRUB Keyboard
+!:mime application/x-grub-keyboard
+!:ext gkb
+# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10
+>8 ulelong !10 \b, version %u
+# 4 grub_uint32_t grub_keyboard_layout[160]
+# for normal french keyboard this is letter a
+>92 ubyte !0x71
+>>92 ubyte >0x40 \b, english q is %c
+#>732 ubyte x \b, english Q is %c
+# for normal german keyboard this is letter z
+>124 ubyte !0x79
+>>124 ubyte >0x40 \b, english y is %c
+#>764 ubyte x \b, english Y is %c
+
+
+# From: Ben Dooks <ben.dooks@codethink.co.uk>
+# URL: https://github.com/torvalds/linux/blob/master/tools/perf/util/header.c
+# perf files for v1 and v2
+0 string PERFFILE Linux perf recording, version 1
+
+0 lequad 0x32454c4946524550 Linux perf recording, version 2. little endian
+
+0 bequad 0x32454c4946524550 Linux perf recording, version 2. big endian