[File] [PATCH] of Magdir/android for Android Backup (update+extension *.ab)

Jörg Jenderek joerg.jen.der.ek at gmx.net
Tue Dec 4 14:17:42 UTC 2018


Hello,

Some days ago I ran the file command version 5.35 on Android Backup files.
Some output looked strange, like:

tmp\backup-s4-telephony.ab:
	data
org.adblockplus.android-kk.ab:
	data
org.adblockplus.android-packed.ab:
	Android Backup, Compressed, Encrypted (AES-256)
org.adblockplus.android.ab:
	Android Backup, Compressed, Not-Encrypted
org.b1.android.filemanager.ab:
	Android Backup, Compressed, Not-Encrypted

Some Android Backups are not recognized and are described as "data".
Furthermore, no filename extension is shown by the --extension option.

The descriptions for the file command for such examples are handled by
Magdir/android. So I changed some lines there.

The currently used pattern by Ariel Shkedi includes the version number "1".
This looked like:
 0	string/b	ANDROID\ BACKUP\n1\n	Android Backup
If I leave out the last part with the version, all backups with higher
version numbers are now recognised by the new replacement line:
 0	string/b	ANDROID\ BACKUP\n	Android Backup
According to Ariel's remark lines, this was done to avoid false positives.
I see no collision with other files, but if this happens, then maybe look
for some more characteristics like the linefeed '\n' or a version range.
After the recognition line, a user-defined MIME type and file name
extension are now shown by the lines:
 !:mime	application/x-google-ab
 !:ext	ab
Afterwards, print the version. Instead of 1, I also found 2 on KitKat 4.4.3+
and 4 on Android 7.1.2. This is done by the line
 >15	string		>\0			\b, version %s

For the encrypted variants there exist magic lines as comment lines to
print meta information, starting with the password salt at line number 5.
If I try to use these lines, the regular expression fails because of the
standard string length restriction. So only the first (about 90)
characters of the password salt are printed instead of 128 hexadecimal
numbers. Then the dependent lines also fail. So maybe such lines only
work when raising some limits in header files.

For the non-encrypted variants I look for magic patterns of other file
types. I found zlib and zip/jar magic. But those magics give no more
information. So I add such cases only as comments. But I also found the
tar characteristic phrase "ustar" always at a fixed offset. Now I use a
feature of the file command itself to inspect the real content type by
magic lines. If true, the work is done by a subroutine found in
Magdir/archive. This now looks like:
 >>288	string		ustar	\b; contains
 >>>31	use	tar-file
Why? Because the first file name was the package name manifest for my
inspected examples.

After applying the above-mentioned modifications by the patch
file-5.35-android-ab.diff, all such inspected examples are
described by android+archive like:

tmp\backup-s4-telephony.ab:
	Android Backup, version 4, Compressed, Not-Encrypted
org.adblockplus.android-kk.ab:
	Android Backup, version 2, Compressed, Encrypted (AES-256)
org.adblockplus.android-packed.ab:
	Android Backup, version 1, Compressed, Encrypted (AES-256)
org.adblockplus.android.ab:
	Android Backup, version 1, Compressed, Not-Encrypted
	; contains tar archive (ustar), file
	apps/org.adblockplus.android/_manifest, mode 0000600,
	uid 0001750, gid 0001750, size 000000003513, seconds 01265052301
org.b1.android.filemanager.ab:
	Android Backup, version 1, Compressed, Not-Encrypted
	; contains tar archive (ustar), file 	
	apps/org.b1.android.filemanager/_manifest, mode 0000600,
	uid 0001750, gid 0001750, size 000000002776, seconds 01265052361

I hope my diff file can be applied in a future version of the
file utility.

With best wishes
Jörg Jenderek
-- 
Jörg Jenderek






-------------- next part --------------
--- file-5.35/magic/Magdir/android.old	2017-03-17 21:35:28 +0000
+++ file-5.35/magic/Magdir/android	2018-12-04 03:05:25 +0000
@@ -34,4 +34,3 @@
 # From: Ariel Shkedi
-# File extension: .ab
-# No mime-type defined
+# Update: Joerg Jenderek 
 # URL: https://github.com/android/platform_frameworks_base/blob/\
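Review bot: the added `# Update: Joerg Jenderek ` line ends with trailing whitespace; trim it. Dropping `# File extension: .ab` and `# No mime-type defined` here is only correct together with the `!:mime`/`!:ext` lines added in the last hunk, so this hunk should not be applied on its own.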
@@ -39,2 +38,5 @@
 # android/server/BackupManagerService.java#L2367
+# Reference: http://sourceforge.net/projects/adbextractor/
+#            android-backup-extractor/perl/backupencrypt.pl 
+# Note:	only unix line feeds "\n" found
 # After the header comes a tar file
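Review bot: the second `# Reference:` continuation line (`#            android-backup-extractor/perl/backupencrypt.pl `) ends with trailing whitespace, and `# Note:	only unix line feeds "\n" found` uses a tab after the colon where the surrounding comment lines use a single space; make both consistent. The note itself is worth keeping, since every absolute offset in the next hunk assumes that each header line is terminated by exactly one `\n`.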
@@ -44,15 +46,48 @@
 # false positives
-0	string/b	ANDROID\ BACKUP\n1\n	Android Backup
+0	string/b	ANDROID\ BACKUP\n	Android Backup
+# maybe look for some more characteristics like linefeed '\n' or version
+#>16	string		\n			
+# No mime-type defined offically
+!:mime	application/x-google-ab
+!:ext	ab
+# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
+>15	string		>\0			\b, version %s
+# "1" on 3rd line means compressed
 >17	string		0\n			\b, Not-Compressed
 >17	string		1\n			\b, Compressed
+# The 4th line is encryption "none" or "AES-256"
 # any string as long as it's not the word none (which is matched below)
+>19	string		none\n			\b, Not-Encrypted
+# look for backup content after line with encryption info
+#>>19	search/7	\n
+# data part after header for not encrypted Android Backup 
+#>>>&0	ubequad		x	\b, content 0x%16.16llx...
+# look for zlib compressed by ./compress after message with 1 space at end
+#>>>&0	indirect	x	\b; contains 
+# look for tar archive block by ./archive for package name manifest
+>>288	string		ustar	\b; contains
+>>>31	use	tar-file
+# look for zip/jar archive by ./archive ./zip after message with 1 space at end
+#>>2079	search/1025/s	PK\003\004	\b; contains 
+#>>>&0	indirect	x
+>19	string		!none			
 >>19    regex/1l	\^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).*	\b, Encrypted (%s)
->>19	string		none\n			\b, Not-Encrypted
 # Commented out because they don't seem useful to print
 # (but they are part of the header - the tar file comes after them):
+# The 5th line is User Password Salt (128 Hex)
+# string length too high with standard src configuration
+#>>>&1		string	>\0	\b, PASSWORD salt: "%-128.128s"
 #>>>&1		regex/1l .*	\b, Password salt: %s
+# The 6th line is Master Key Checksum Salt (128 Hex)
 #>>>>&1		regex/1l .*	\b, Master salt: %s
+# The 7th line is Number of PBDKF2 Rounds (10000)
 #>>>>>&1	regex/1l .*	\b, PBKDF2 rounds: %s
+# The 8th line is User key Initialization Vector (IV) (32 Hex)
 #>>>>>>&1	regex/1l .*	\b, IV: %s
+#>>>>>>&1	regex/1l .*	\b, IV: %s
+# The 9th line is Master IV+Key+Checksum (192 Hex)
 #>>>>>>>&1	regex/1l .*	\b, Key: %s
+# look for new line separator char after line number 9
+#>>>0x204	ubyte	0x0a	NL found
+#>>>>&1		ubequad	x	\b, Content magic %16.16llx
 
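Review bot: relaxing the anchor from `ANDROID\ BACKUP\n1\n` to `ANDROID\ BACKUP\n` leaves the `# false positives` context comment just above describing a guard that no longer exists; either update the comment or make the commented-out `#>16	string		\n` a live test with the version, compression and encryption lines nested under it, which keeps the looser anchor while still rejecting a non-terminated second line. Every offset that follows (`>17`, `>19`, `>>288`, `>>>31`) also assumes a one-character version on line 2, and that assumption should be stated next to the `>15 string >\0 \b, version %s` line. The `>>288 string ustar` / `>>>31 use tar-file` pair only fires when the zlib stream opens with a stored (level-0) deflate block: the 24-byte header plus the 2-byte zlib header plus the 5-byte stored-block header give 31, and 31 + 257 = 288; for a Huffman-coded stream the tar bytes are not present literally and the test silently misses, which is acceptable but deserves a comment so that 288 is not mistaken for a property of the format. Smaller points: the added `#>>>>>>&1	regex/1l .*	\b, IV: %s` duplicates the existing comment line directly above it and should be dropped; `offically` and `PBDKF2` are typos (`PBKDF2` is spelled correctly two lines later); several added lines (`# data part after header for not encrypted Android Backup `, `#>>>&0	indirect	x	\b; contains `, `#>>2079	search/1025/s	PK\003\004	\b; contains `, `>19	string		!none			`) end with trailing spaces or tabs; and the kept comment `(which is matched below)` is now wrong because the `none\n` test was moved above the `!none` branch.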


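As an added example, not part of the posted patch or of the file project, the following Python script parses the same header layout the magic lines probe (the four text lines, plus the five extra lines the commented-out salt/IV lines describe for AES-256 backups) and, for an unencrypted backup, finds the first tar entry that file's `tar-file` subroutine prints. The explanation of the offsets 31 and 288 as "24-byte header + 2-byte zlib header + 5-byte stored deflate block header" is my reading of the zlib format, not something the post states; the package name and all sample bytes are constructed here, and the script goes beyond the magic by also inflating the first tar block when the stream is Huffman-coded rather than stored.

```python
"""Parse an Android Backup (*.ab) header and, for unencrypted backups,
locate the tar header the magic lines probe.  Header lines: "ANDROID
BACKUP", version, "1" if zlib-compressed, "none" or "AES-256", and for
AES-256 five more (user salt, master salt, PBKDF2 rounds, user IV,
master IV+key+checksum blob)."""
import struct
import zlib

MAGIC = b"ANDROID BACKUP\n"
CRYPTO_FIELDS = ("user_salt", "master_salt", "pbkdf2_rounds", "user_iv", "master_blob")


def parse_header(data):
    """Return the text header fields plus header_len (offset of the payload)."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android Backup")
    lines = data.split(b"\n", 4)            # maxsplit keeps the binary payload whole
    if len(lines) < 5:
        raise ValueError("truncated header")
    _, version, compressed, encryption, rest = lines
    info = {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode("ascii")}
    if info["encryption"] == "AES-256":
        parts = rest.split(b"\n", 5)        # five more text lines, then ciphertext
        if len(parts) < 6:
            raise ValueError("truncated encryption header")
        info.update(zip(CRYPTO_FIELDS, (p.decode("ascii") for p in parts[:5])))
        info["pbkdf2_rounds"] = int(info["pbkdf2_rounds"])
        rest = parts[5]
    info["header_len"] = len(data) - len(rest)
    return info


def stored_block_tar_offset(data, header_len):
    """Offset of the tar block when the zlib stream opens with a stored deflate
    block: 2-byte zlib header + 5-byte block header, so 24 + 7 = 31 for a
    one-digit version (my reading; the only layout `>>288 string ustar` hits)."""
    z = data[header_len:header_len + 7]
    if len(z) < 7 or z[0] & 0x0F != 8 or (z[0] * 256 + z[1]) % 31:
        return None                         # not a zlib header (CM=8, FCHECK ok)
    if z[2] & 0x06:
        return None                         # BTYPE != 00: Huffman-coded, bytes not literal
    blen, nlen = struct.unpack("<HH", z[3:7])
    if blen != (~nlen & 0xFFFF) or blen < 512:
        return None                         # corrupt LEN/NLEN or block too short for a tar header
    return header_len + 7


def first_tar_entry(block):
    """Decode the ustar fields that file's tar-file subroutine prints."""
    if len(block) < 512 or block[257:262] != b"ustar":
        return None
    octal = lambda b: int(b.rstrip(b"\0 ") or b"0", 8)
    return {"name": block[:100].rstrip(b"\0").decode("ascii"),
            "mode": octal(block[100:108]), "uid": octal(block[108:116]),
            "gid": octal(block[116:124]), "size": octal(block[124:136]),
            "mtime": octal(block[136:148])}


def inspect(data):
    """Header fields plus, for unencrypted backups, the first tar entry."""
    info = parse_header(data)
    info.update(tar_offset=None, first_entry=None)
    if info["encryption"] != "none":
        return info                         # payload is ciphertext; stop here
    start = info["header_len"]
    if not info["compressed"]:
        info["tar_offset"] = start
    else:
        info["tar_offset"] = stored_block_tar_offset(data, start)
    if info["tar_offset"] is not None:
        block = data[info["tar_offset"]:info["tar_offset"] + 512]
    else:                                   # general case: inflate only the first tar block
        block = zlib.decompressobj().decompress(data[start:], 512)
    info["first_entry"] = first_tar_entry(block)
    return info


def make_tar_header(name, mode, uid, gid, size, mtime):
    """Build one ustar header block for the constructed samples below."""
    hdr = bytearray(512)
    hdr[0:len(name)] = name.encode("ascii")
    for off, width, val in ((100, 8, mode), (108, 8, uid), (116, 8, gid),
                            (124, 12, size), (136, 12, mtime)):
        hdr[off:off + width] = ("%0*o" % (width - 1, val)).encode() + b"\0"
    hdr[148:156], hdr[156] = b"        ", ord("0")   # checksum as spaces; regular file
    hdr[257:265] = b"ustar\0" + b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)


# Constructed samples (hypothetical package name; not real backups).
SAMPLE_TAR = (make_tar_header("apps/org.example.app/_manifest", 0o600, 1750, 1750, 12, 1265052301)
              + b"x" * 12 + b"\0" * 500)
SAMPLE_STORED = b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(SAMPLE_TAR, 0)    # level 0: stored
SAMPLE_DEFLATED = b"ANDROID BACKUP\n4\n1\nnone\n" + zlib.compress(SAMPLE_TAR, 6)
SAMPLE_ENCRYPTED = (b"ANDROID BACKUP\n2\n1\nAES-256\n" + b"ab" * 64 + b"\n" + b"cd" * 64
                    + b"\n10000\n" + b"ef" * 16 + b"\n" + b"01" * 96 + b"\n" + b"\0" * 64)
```

Calling `inspect(SAMPLE_STORED)` reports `tar_offset` 31 and the manifest entry, exactly the case the `>>288 string ustar` line catches; `inspect(SAMPLE_DEFLATED)` reports no literal tar offset (the magic would print nothing) but still recovers the entry by inflating the first 512 bytes, and `inspect(SAMPLE_ENCRYPTED)` stops at the header and exposes the salt lengths and PBKDF2 round count the commented-out magic lines were trying to print.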