run-fstests/util/kernel-magic

# Magic numbers for Linux kernels and Debian Archive files Used by
# util/arch-funcs; excerpted from the sources from the "file" sources
# version 5.45-3+b1

#
# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolas Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
# Linux kernel boot images (i386 arch) (Wolfram Kleff)
# URL: https://www.kernel.org/doc/Documentation/x86/boot.txt
514	string		HdrS		Linux kernel
!:strength + 55
# often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes
# Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin
# DamnSmallLinux 1.5 damnsmll.lnx
!:ext	/dat/bin/lnx
>510	leshort		0xAA55		x86 boot executable
>>518	leshort		>0x1ff
>>>529	byte		0		zImage,
>>>529	byte		1		bzImage,
>>>526	lelong		>0
>>>>(526.s+0x200) string	>\0	version %s,
>>498	leshort		1		RO-rootFS,
>>498	leshort		0		RW-rootFS,
>>508	leshort		>0		root_dev %#X,
>>502	leshort		>0		swap_dev %#X,
>>504	leshort		>0		RAMdisksize %u KB,
>>506	leshort		0xFFFF		Normal VGA
>>506	leshort		0xFFFE		Extended VGA
>>506	leshort		0xFFFD		Prompt for Videomode
>>506	leshort		>0		Video mode %d
# This also matches new kernels, which were caught above by "HdrS".
0		belong	0xb8c0078e	Linux kernel
>0x1e3		string	Loading		version 1.3.79 or older
>0x1e9		string	Loading		from prehistoric times

# System.map files - Nicolas Lichtmaier <nick@debian.org>
8	search/1	\ A\ _text	Linux kernel symbol map text

# LSM entries - Nicolas Lichtmaier <nick@debian.org>
0	search/1	Begin3	Linux Software Map entry text
0	search/1	Begin4	Linux Software Map entry text (new format)

# From Matt Zimmerman, enhanced for v3 by Matthew Palmer
0	belong	0x4f4f4f4d	User-mode Linux COW file
>4	belong	<3		\b, version %d
>>8	string	>\0		\b, backing file %s
>4	belong	>2		\b, version %d
>>32	string	>\0		\b, backing file %s

############################################################################
# Linux kernel versions

0		string		\xb8\xc0\x07\x8e\xd8\xb8\x00\x90	Linux
>497		leshort		0		x86 boot sector
>>514		belong		0x8e	of a kernel from the dawn of time!
>>514		belong		0x908ed8b4	version 0.99-1.1.42
>>514		belong		0x908ed8b8	for memtest86

>497		leshort		!0		x86 kernel
>>504		leshort		>0		RAMdisksize=%u KB
>>502		leshort		>0		swap=%#X
>>508		leshort		>0		root=%#X
>>>498		leshort		1		\b-ro
>>>498		leshort		0		\b-rw
>>506		leshort		0xFFFF		vga=normal
>>506		leshort		0xFFFE		vga=extended
>>506		leshort		0xFFFD		vga=ask
>>506		leshort		>0		vga=%d
>>514		belong		0x908ed881	version 1.1.43-1.1.45
>>514		belong		0x15b281cd
>>>0xa8e	belong		0x55AA5a5a	version 1.1.46-1.2.13,1.3.0
>>>0xa99	belong		0x55AA5a5a	version 1.3.1,2
>>>0xaa3	belong		0x55AA5a5a	version 1.3.3-1.3.30
>>>0xaa6	belong		0x55AA5a5a	version 1.3.31-1.3.41
>>>0xb2b	belong		0x55AA5a5a	version 1.3.42-1.3.45
>>>0xaf7	belong		0x55AA5a5a	version 1.3.46-1.3.72
>>514		string		HdrS
>>>518		leshort		>0x1FF
>>>>529		byte		0		\b, zImage
>>>>529		byte		1		\b, bzImage
>>>>(526.s+0x200) string 	>\0		\b, version %s

# Linux boot sector thefts.
0		belong		0xb8c0078e	Linux
>0x1e6		belong		0x454c4b53	ELKS Kernel
>0x1e6		belong		!0x454c4b53	style boot sector

############################################################################
# Linux S390 kernel image
# Created by: Jan Kaluza <jkaluza@redhat.com>
8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390
>0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc
# 64bit
>>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel
>>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel
>>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel
>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel
# 32bit
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel
>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel
>>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel
>>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel

############################################################################
# Linux ARM compressed kernel image
# From: Kevin Cernekee <cernekee@gmail.com>
# Update: Joerg Jenderek
0x24	lelong	0x016f2818	Linux kernel ARM boot executable zImage
# There are three possible situations: LE, BE with LE bootloader and pure BE.
# In order to aid telling these apart a new endian flag was added. In order
# to support kernels before the flag and BE with LE bootloader was added we'll
# do a negative check against the BE variant of the flag when we see a LE magic.
>0x30	belong	!0x04030201	(little-endian)
# raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
!:ext	img/bin
>0x30	belong	0x04030201	(big-endian)
0x24	belong	0x016f2818	Linux kernel ARM boot executable zImage (big-endian)

############################################################################
# Linux AARCH64 kernel image
0x38    lelong  0x644d5241  Linux kernel ARM64 boot executable Image
>0x18   lelong  ^1          \b, little-endian
>0x18   lelong  &1          \b, big-endian
>0x18   lelong  &2          \b, 4K pages
>0x18   lelong  &4          \b, 16K pages
>0x18   lelong  &6          \b, 32K pages

#
# Debian package; it's in the portable archive format, and needs to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "debian".
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Deb_(file_format)
0	string		=!<arch>\ndebian
# https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
>14	string		-split	part of multipart Debian package
!:mime	application/vnd.debian.binary-package
# udeb is used for stripped down deb file
!:ext	deb/udeb
>14	string		-binary	Debian binary package
!:mime	application/vnd.debian.binary-package
# For ipk packager see also https://en.wikipedia.org/wiki/Opkg
!:ext	deb/udeb/ipk
# This should not happen
>14	default		x	Unknown Debian package
# NL terminated version; for most Debian cases this is 2.0 or 2.1 for split
>68	string		>\0		(format %s)
#>68	string		!2.0\n
#>>68	string		x		(format %.3s)
>68	string		=2.0\n
# 2nd archive name=control archive name like control.tar.gz or control.tar.xz
# or control.tar.zst
>>72	string		>\0		\b, with %.15s
# look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
>>0	search/0x93e4f	data.tar.	\b, data compression
# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
# for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
>>>&0	string		x		%.2s
# skip space (0x20 BSD) and slash (0x2f System V) character marking end of name
>>>&2	ubyte		!0x20
>>>>&-1	ubyte		!0x2f
# display 3rd character of file name extension like 2 of bz2 or m of lzma
>>>>>&-1	ubyte	x		\b%c
>>>>>>&0	ubyte	!0x20
>>>>>>>&-1	ubyte	!0x2f
# display 4th character of file name extension like a of lzma
>>>>>>>>&-1	ubyte	x		\b%c
# split debian package case
>68	string		=2.1\n
# dpkg-1.18.25/dpkg-split/info.c
# NL terminated ASCII package name like ckermit
>>&0	string		x		\b, %s
# NL terminated package version like 302-5.3
>>>&1	string		x		%s
# NL terminated MD5 checksum
>>>>&1	string		x		\b, MD5 %s
# NL terminated original package length
>>>>>&1	string		x		\b, unsplitted size %s
# NL terminated part length
>>>>>>&1	string	x		\b, part length %s
# NL terminated package part like n/m
>>>>>>>&1	string	x		\b, part %s
# NL terminated package architecture like armhf since dpkg 1.16.1 or later
>>>>>>>>&1	string	x		\b, %s