#------------------------------------------------------------------------------
# filesystems: file(1) magic for different filesystems
#
# Matches when the first four bytes of the image are all 0xF6 (octal \366).
# Only those four bytes are examined, so the description says nothing about
# what the rest of the medium contains.
0 string \366\366\366\366 PC formatted floppy with no filesystem
# Sun disk labels
# From /usr/include/sun/dklabel.h:
# Identified by the big-endian 16-bit value 0xdabe at octal offset 0774.
# Every offset written with a leading 0 in this entry is octal.
0774 beshort 0xdabe Sun disk label
# The text at offset 0 is printed with an unbounded %s and comes straight from
# the image, so treat it as untrusted when the output is logged or parsed.
# The tests at 31, 63 and 95 print further text when the byte there is non-NUL
# (presumably continuing one long label string - confirm).
>0 string x '%s
>>31 string >\0 \b%s
>>>63 string >\0 \b%s
>>>>95 string >\0 \b%s
>0 string x \b'
# NOTE(review): the geometry fields below use "short"/"long" (host byte order)
# while the magic test above and the boot-block test below use beshort/belong.
# On a little-endian host these values would be read byte-swapped - confirm
# whether beshort/belong is intended.
>0734 short >0 %d rpm,
>0736 short >0 %d phys cys,
>0740 short >0 %d alts/cyl,
>0746 short >0 %d interleave,
>0750 short >0 %d data cyls,
>0752 short >0 %d alt cyls,
>0754 short >0 %d heads/partition,
>0756 short >0 %d sectors/track,
>0764 long >0 start cyl %ld,
>0770 long x %ld blocks
# Is there a boot block written 1 sector in?
>512 belong&077777777 0600407 \b, boot block present
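# x86 boot sector. The only top-level test is the two-byte 0xAA55 signature at
# offset 0x1FE, so any data carrying those two bytes there is reported as a
# boot sector. Everything printed below is read from the image itself; use it
# as a triage hint and confirm with a filesystem-aware tool before relying on
# it.
0x1FE leshort 0xAA55 x86 boot sector
>2 string OSBS \b, OS/BS MBR
# Jörg Jenderek <joerg.jenderek@gmx.net>
# The MBR flavours are recognised by an error-message string at a fixed offset,
# not by the boot code itself, so the label only tells you which message text
# is present.
>0x8C string Invalid\ partition\ table \b, MS-DOS MBR
>0x9D string Invalid\ partition\ table \b, DR-DOS MBR, version 7.01 to 7.03
>0x10F string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 4.10.1998, 4.10.2222
>0x8B string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 5.00 to 4.00.950
>0x145 string Default:\ F \b, FREE-DOS MBR
>0 string \0\0\0\0 \b, extended partition table
# The sector usually starts with a short jump over the parameter block followed
# by a NOP (EB xx 90); older drives may use a near jump (E9 xx xx).
# The ">>1" test below is a child of the E9 line only. That still covers the
# EB case because 0xEB & 0xE9 == 0xE9, so the E9 mask test also passes when the
# first byte is 0xEB.
>0 lelong&0x009000EB 0x009000EB
>0 lelong&0x000000E9 0x000000E9
>>1 ubyte >37 \b, code offset 0x%x
# mtools-3.9.8/msdos.h
# Usual values are left commented out so that only the unusual fields of a FAT
# volume are reported.
# Valid sector sizes range from 32 to 2048; the two tests below enforce that
# range before any FAT field is printed.
>>>11 uleshort <2049
>>>>11 uleshort >31
# OEM-ID and volume labels are printed with a bounded width (%8.8s, %11.11s),
# so these strings cannot run past their fields.
>>>>>3 string >\0 \b, OEM-ID "%8.8s"
>>>>>11 uleshort >512 \b, Bytes/sector %u
#>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual)
>>>>>11 uleshort <512 \b, Bytes/sector %u
>>>>>13 ubyte >1 \b, sectors/cluster %u
#>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies)
>>>>>14 uleshort >32 \b, reserved sectors %u
#>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32)
#>>>>>14 uleshort >1 \b, reserved sectors %u
#>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16)
>>>>>14 uleshort <1 \b, reserved sectors %u
>>>>>16 ubyte >2 \b, FATs %u
#>>>>>16 ubyte =2 \b, FATs %u (usual)
>>>>>16 ubyte =1 \b, FAT %u
>>>>>16 ubyte >0
>>>>>17 uleshort >0 \b, root entries %u
#>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32)
>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB)
#>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32)
>>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x
#>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy)
>>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x
>>>>>22 uleshort >0 \b, sectors/FAT %u
#>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32)
>>>>>26 ubyte >2 \b, heads %u
#>>>>>26 ubyte =2 \b, heads %u (usual floppy)
>>>>>26 ubyte =1 \b, heads %u
>>>>>28 ulelong >0 \b, hidden sectors %u
#>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy)
>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB)
#>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB)
# FAT<32 specific
# 0xCCABBEB9 is the bitwise NOT of "FAT3" read as a little-endian long. The
# test passes when the bytes at offset 82 have at least one bit set that
# "FAT3" does not, which is how "not FAT32" is decided here.
>>>>>82 ulelong&0xCCABBEB9 >0
>>>>>>36 ubyte >0x80 \b, physical drive 0x%x
#>>>>>>36 ubyte =0x80 \b, physical drive 0x%x=0x80 (usual harddisk)
>>>>>>36 ubyte&0x7F >0 \b, physical drive 0x%x
#>>>>>>36 ubyte =0 \b, physical drive 0x%x=0 (usual floppy)
>>>>>>37 ubyte >0 \b, reserved 0x%x
#>>>>>>37 ubyte =0 \b, reserved 0x%x
# NOTE(review): the >0x29 case prints the same "dos < 4.0" text as the <0x29
# case - confirm that is intended.
>>>>>>38 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x)
>>>>>>38 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x)
# Serial number and label are reported only when the byte at 38 is 0x29.
>>>>>>38 ubyte =0x29
>>>>>>>39 ulelong x \b, serial number 0x%x
>>>>>>>43 string <NO\ NAME \b, label: "%11.11s"
>>>>>>>43 string >NO\ NAME \b, label: "%11.11s"
>>>>>>>43 string =NO\ NAME \b, unlabeled
>>>>>>54 string FAT1 \b, FAT
>>>>>>>54 string FAT12 \b (12 bit)
>>>>>>>54 string FAT16 \b (16 bit)
# FAT32 specific
>>>>>82 string FAT32 \b, FAT (32 bit)
>>>>>>36 ulelong x \b, sectors/FAT %u
>>>>>>40 uleshort >0 \b, extension flags %u
#>>>>>>40 uleshort =0 \b, extension flags %u
>>>>>>42 uleshort >0 \b, fsVersion %u
#>>>>>>42 uleshort =0 \b, fsVersion %u (usual)
>>>>>>44 ulelong >2 \b, rootdir cluster %u
#>>>>>>44 ulelong =2 \b, rootdir cluster %u
#>>>>>>44 ulelong =1 \b, rootdir cluster %u
>>>>>>48 uleshort >1 \b, infoSector %u
#>>>>>>48 uleshort =1 \b, infoSector %u (usual)
>>>>>>48 uleshort <1 \b, infoSector %u
>>>>>>50 uleshort >6 \b, Backup boot sector %u
#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual)
>>>>>>50 uleshort <6 \b, Backup boot sector %u
>>>>>>54 ulelong >0 \b, reserved1 0x%x
>>>>>>58 ulelong >0 \b, reserved2 0x%x
>>>>>>62 ulelong >0 \b, reserved3 0x%x
# same structure as FAT1X
>>>>>>64 ubyte >0x80 \b, physical drive 0x%x
#>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk)
>>>>>>64 ubyte&0x7F >0 \b, physical drive 0x%x
#>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy)
>>>>>>65 ubyte >0 \b, reserved 0x%x
>>>>>>66 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x)
>>>>>>66 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x)
# Serial number and label are reported only when the byte at 66 is 0x29. All
# three label tests sit one level below that test, matching the FAT12/16
# section above; at the shallower level two of them would run for any FAT32
# match and print whatever bytes are at offset 71 as a label.
>>>>>>66 ubyte =0x29
>>>>>>>67 ulelong x \b, serial number 0x%x
>>>>>>>71 string <NO\ NAME \b, label: "%11.11s"
>>>>>>>71 string >NO\ NAME \b, label: "%11.11s"
>>>>>>>71 string =NO\ NAME \b, unlabeled
### FATs end
>0x200 lelong 0x82564557 \b, BSD disklabel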
# FATX
# Four ASCII bytes at offset 0 are the whole test.
0 string FATX FATX filesystem data
# Minix filesystems - Juan Cespedes <cespedes@debian.org>
# Each variant is recognised by a single 16-bit value at offset 0x410. A
# two-byte match is a weak signature, so expect occasional false positives on
# unrelated data.
0x410 leshort 0x137f Minix filesystem
0x410 beshort 0x137f Minix filesystem (big endian),
# These two continuation lines follow the big-endian entry, so they apply to
# it alone.
# NOTE(review): confirm whether the little-endian variants should report zone
# count and bootable status too.
>0x402 beshort !0 \b, %d zones
>0x1e string minix \b, bootable
0x410 leshort 0x138f Minix filesystem, 30 char names
0x410 leshort 0x2468 Minix filesystem, version 2
0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names
# romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong x %d bytes,
# The volume name is printed with an unbounded %s taken from the image; treat
# it as untrusted text when file(1) output is logged or parsed.
>16 string x named %s.
# netboot image - Juan Cespedes <cespedes@debian.org>
0 lelong 0x1b031336L Netboot image,
# NOTE(review): the parent test below requires every bit in 0xFFFFFF00 to be
# zero, and that mask includes bit 0x100. Under that parent the "mode 3" child
# (bit 0x100 set) can never match - confirm the intended mask.
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode
# Recognised purely by the ASCII text "OS/2" at offset 0x18b.
0x18b string OS/2 OS/2 Boot Manager
# Unix Fast File System, detected by the 32-bit value 0x00011954 at offset 9564
# in either byte order. Every field printed below is read from the image as-is:
# the mount point is an unbounded %s and the timestamps are whatever the image
# records, so none of it is independently verified.
9564 lelong 0x00011954 Unix Fast File system (little-endian),
>8404 string x last mounted on %s,
#>9504 ledate x last checked at %s,
>8224 ledate x last written at %s,
>8401 byte x clean flag %d,
>8228 lelong x number of blocks %d,
>8232 lelong x number of data blocks %d,
>8236 lelong x number of cylinder groups %d,
>8240 lelong x block size %d,
>8244 lelong x fragment size %d,
>8252 lelong x minimum percentage of free blocks %d,
>8256 lelong x rotational delay %dms,
>8260 lelong x disk rotational speed %drps,
>8320 lelong 0 TIME optimization
>8320 lelong 1 SPACE optimization
9564 belong 0x00011954 Unix Fast File system (big-endian),
# 0x4c41424c is ASCII "LABL".
# NOTE(review): this test uses "long" (host byte order) inside the big-endian
# entry, while its children use belong/bedate. On a little-endian host the
# bytes would have to be stored reversed for it to match - confirm whether
# belong is intended.
>7168 long 0x4c41424c Apple UFS Volume
>>7186 string x named %s,
>>7176 belong x volume label version %d,
>>7180 bedate x created on %s,
>8404 string x last mounted on %s,
#>9504 bedate x last checked at %s,
>8224 bedate x last written at %s,
>8401 byte x clean flag %d,
>8228 belong x number of blocks %d,
>8232 belong x number of data blocks %d,
>8236 belong x number of cylinder groups %d,
>8240 belong x block size %d,
>8244 belong x fragment size %d,
>8252 belong x minimum percentage of free blocks %d,
>8256 belong x rotational delay %dms,
>8260 belong x disk rotational speed %drps,
>8320 belong 0 TIME optimization
>8320 belong 1 SPACE optimization
# ext2/ext3 filesystems - Andreas Dilger <adilger@turbolabs.com>
# Detected by the little-endian 16-bit value 0xEF53 at offset 0x438.
# In the tests below "&" passes when the listed bits are set and "^" passes
# when they are clear.
0x438 leshort 0xEF53 Linux
>0x44c lelong x rev %d
>0x43e leshort x \b.%d
# Bit 0x4 of the long at 0x45c decides between the ext2 and ext3 descriptions
# (presumably the has-journal feature bit - confirm against the on-disk
# format).
>0x45c lelong ^0x0000004 ext2 filesystem data
>>0x43a leshort ^0x0000001 (mounted or unclean)
>0x45c lelong &0x0000004 ext3 filesystem data
# For evidence handling: an image reported as needing journal recovery will be
# modified if it is mounted normally, because the journal gets replayed. Work
# on a copy, or mount read-only with replay disabled (ext3 "noload" option).
>>0x460 lelong &0x0000004 (needs journal recovery)
>0x43a leshort &0x0000002 (errors)
>0x460 lelong &0x0000001 (compressed)
#>0x460 lelong &0x0000002 (filetype)
#>0x464 lelong &0x0000001 (sparse_super)
>0x464 lelong &0x0000002 (large files)
# SGI disk labels - Nathan Scott <nathans@debian.org>
0 belong 0x0BE5A941 SGI disk label (volume header)
# SGI XFS filesystem - Nathan Scott <nathans@debian.org>
# 0x58465342 is ASCII "XFSB" at offset 0.
0 belong 0x58465342 SGI XFS filesystem data
>0x4 belong x (blksz %d,
>0x68 beshort x inosz %d,
# The two tests below check the same mask with opposite operators ("^" bits
# clear, "&" bits set) to choose between the v1 and v2 directory descriptions.
>0x64 beshort ^0x2004 v1 dirs)
>0x64 beshort &0x2004 v2 dirs)
############################################################################
# Minix-ST kernel floppy
0x800 belong 0x46fc2700 Atari-ST Minix kernel image
>19 string \240\5\371\5\0\011\0\2\0 \b, 720k floppy
>19 string \320\2\370\5\0\011\0\1\0 \b, 360k floppy
############################################################################
# Hmmm, is this a better way of detecting _standard_ floppy images ?
# Each entry compares nine bytes at offset 19 against a fixed pattern; the
# 0xAA55 child then adds the boot-sector remark. Nothing beyond those bytes is
# examined, so the description reflects the header values only.
19 string \320\2\360\3\0\011\0\1\0 DOS floppy 360k
>0x1FE leshort 0xAA55 \b, x86 hard disk boot sector
19 string \240\5\371\3\0\011\0\2\0 DOS floppy 720k
>0x1FE leshort 0xAA55 \b, x86 hard disk boot sector
19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k
>0x1FE leshort 0xAA55 \b, x86 hard disk boot sector
19 string \240\5\371\5\0\011\0\2\0 DOS floppy 720k, IBM
>0x1FE leshort 0xAA55 \b, x86 hard disk boot sector
19 string \100\013\371\5\0\011\0\2\0 DOS floppy 1440k, mkdosfs
>0x1FE leshort 0xAA55 \b, x86 hard disk boot sector
19 string \320\2\370\5\0\011\0\1\0 Atari-ST floppy 360k
# NOTE(review): this pattern is byte-for-byte the same as the "DOS floppy 720k,
# IBM" entry above. file(1) reports the first matching entry unless run with
# -k/--keep-going, so this description is normally shadowed - confirm which
# label is wanted.
19 string \240\5\371\5\0\011\0\2\0 Atari-ST floppy 720k
# Valid media descriptor bytes for MS-DOS:
#
# Byte Capacity Media Size and Type
# -------------------------------------------------
#
# F0 2.88 MB 3.5-inch, 2-sided, 36-sector
# F0 1.44 MB 3.5-inch, 2-sided, 18-sector
# F9 720K 3.5-inch, 2-sided, 9-sector
# F9 1.2 MB 5.25-inch, 2-sided, 15-sector
# FD 360K 5.25-inch, 2-sided, 9-sector
# FF 320K 5.25-inch, 2-sided, 8-sector
# FC 180K 5.25-inch, 1-sided, 9-sector
# FE 160K 5.25-inch, 1-sided, 8-sector
# FE 250K 8-inch, 1-sided, single-density
# FD 500K 8-inch, 2-sided, single-density
# FE 1.2 MB 8-inch, 2-sided, double-density
# F8 ----- Fixed disk
#
# FC xxxK Apricot 70x1x9 boot disk.
#
# Originally a bitmap:
# xxxxxxx0 Not two sided
# xxxxxxx1 Double sided
# xxxxxx0x Not 8 SPT
# xxxxxx1x 8 SPT
# xxxxx0xx Not Removable drive
# xxxxx1xx Removable drive
# 11111xxx Must be one.
#
# But now it's rather random:
# 111111xx Low density disk
# 00 SS, Not 8 SPT
# 01 DS, Not 8 SPT
# 10 SS, 8 SPT
# 11 DS, 8 SPT
#
# 11111001 Double density 3½ floppy disk, high density 5¼
# 11110000 High density 3½ floppy disk
# 11111000 Hard disk any format
#
# CDROM Filesystems
# Recognised by the ASCII identifier "CD001" (or "CDROM" for High Sierra) at a
# fixed offset.
32769 string CD001 ISO 9660 CD-ROM filesystem data
# "application id" which appears to be used as a volume label
# It is printed with an unbounded %s taken from the image; treat it as
# untrusted text when the output is logged or parsed.
>32808 string >\0 '%s'
>34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable)
37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)
32776 string CDROM High Sierra CD-ROM filesystem data
# cramfs filesystem - russell@coker.com.au
# The same 32-bit magic 0x28cd3d45 is tested in both byte orders. The two
# entries are otherwise identical apart from the le/be type prefixes.
# Size, CRC, block and file counts are printed as stored in the image; this
# rule does not check them against the actual data.
0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian
>4 lelong x size %d
>8 lelong &1 version #2
>8 lelong &2 sorted_dirs
>8 lelong &4 hole_support
>32 lelong x CRC 0x%x,
>36 lelong x edition %d,
>40 lelong x %d blocks,
>44 lelong x %d files
0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian
>4 belong x size %d
>8 belong &1 version #2
>8 belong &2 sorted_dirs
>8 belong &4 hole_support
>32 belong x CRC 0x%x,
>36 belong x edition %d,
>40 belong x %d blocks,
>44 belong x %d files
# reiserfs - russell@coker.com.au
# Both versions are recognised by an ASCII tag at offset 0x10034.
0x10034 string ReIsErFs ReiserFS V3.5
# The detail lines below follow the V3.6 entry, so only V3.6 volumes get block
# size, state, block count and hash reported.
# NOTE(review): confirm whether V3.5 should carry the same continuation lines.
0x10034 string ReIsEr2Fs ReiserFS V3.6
>0x1002c leshort x block size %d
>0x10032 leshort &2 (mounted or unclean)
>0x10000 lelong x num blocks %d
>0x10040 lelong 1 tea hash
>0x10040 lelong 2 yura hash
>0x10040 lelong 3 r5 hash
# JFFS - russell@coker.com.au
# A single 32-bit value at offset 0, tested in both byte orders.
0 lelong 0x34383931 Linux Journalled Flash File system, little endian
0 belong 0x34383931 Linux Journalled Flash File system, big endian
# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
0 string ESTFBINR EST flat binary
# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\ Startup\ and Aculab VoIP firmware
# The format string is printed with an unbounded %s read from the file; treat
# it as untrusted text.
>35 string x format %s
# PPCBoot image file
# From: Mark Brown <broonie@sirena.org.uk>
0 belong 0x27051956 PPCBoot image
# The version string is printed only when the text "PPCBoot" is found at
# offset 4. It is likewise unbounded text from the file.
>4 string PPCBoot
>>12 string x version %s
# JFFS2 file system
# The "old jffs2" entry matches on just two bytes at offset 0 (0x1984,
# little-endian), so unrelated files that happen to start with those bytes are
# reported as jffs2. Only little-endian variants are listed here.
0 leshort 0x1984 Linux old jffs2 filesystem data little endian
0 lelong 0xe0011985 Linux jffs2 filesystem data little endian