[File] [PATCH] of Magdir/tplink for openwrt firmware (update)

Jörg Jenderek joerg.jen.der.ek at gmx.net
Fri Dec 21 17:26:11 UTC 2018 

Hello,

some days ago i run file command version 5.35 on some old DOS files.
The Norton Commander Cleanup Utility initialization file NCCLEAN.INI was
sometimes misidentified by Magdir/tplink as openwrt firmware. This looks
with good examples like:

openwrt-ar71xx-generic-tl-wr1043nd-v1-squashfs-factory.bin:
	firmware 1043 v1 OpenWrt 12009,
	8126464 bytes or less,
	at 0x200 1405332 bytes gzip compressed data, max compression,
	from Unix, original size 4294967295,
	at 0x0
wr940nv1_en_3_13_7_up(111228).bin:
	firmware 941 v4 TP-LINK Technologies ver. 1.0, version 3.13.7,
	3932160 bytes or less,
	at 0x200 815072 bytes gzip compressed data,
	was "vmlinux.bin", last modified: Fri Dec 16 04:55:03 2011,
	from Unix, original size 4294967295,
	at 0x0
..\other\NCCLEAN.INI:
	firmware 0 v0 (revision 0)  rary files,
	0 bytes or less,
	at 0x0 0 bytes ,
	at 0x0 0 bytes

In Magdir/tplink with 3 lines test for valid firmware header version 1
or 2 and for header padding with nulls was done like
 0		ulelong		<3
 >0		ulelong		!0
 >>0x100	long		0
Apparently this also true for a bad example like NCCLEAN.INI. So i add
an additional test line by looking for a valid (ASCII printable) vendor
name like "OpenWrt" by line like
 >>>4		ubelong		>0x1F000000
And then afterwards call subroutine to display information for
firmware binaries by
 >>>>0		use		firmware-tplink

Then there is another error, which i do not understand. In subroutine
the kernel data offset is printed by line like:
 >0x80		ubelong		x		\b, at 0x%x
Because normally the kernel is stored direct after firmware header this
gives phrase "at 0x200".
Later the root file system data offset is displayed by line
 >0x88		ubelong		x		\b, at 0x%x
For the above firmware samples this gives wrong offset ( in output the
phrase "at 0x0".
Between there was a magic line that trigger this wrong behavior:
 >(0x80.L)	indirect	x
Because the kernel is often compressed, this can be described by using
file command itself to inspect that part by expression in
Magdir/compress and pointer expression. So the above line displays
phrase starting with "gzip compressed data". When i remove line with
indirect instruction i get the correct root file system offsets.

Maybe somebody is smart enough to fix this behavior.

After applying the above mentioned modifications by patch
file-5.35-tplink-nc.diff then all bad inspected examples are skipped and
good samples are still described.

I hope my diff file can be applied in future version of file utility.

With best wishes
Jörg Jenderek
-- 
Jörg Jenderek

-------------- next part --------------
--- file-5.35/magic/Magdir/tplink.old	2017-12-14 05:52:56 +0000
+++ file-5.35/magic/Magdir/tplink	2018-12-21 17:15:35 +0000
@@ -13,3 +13,5 @@
 >>0x100		long		0
->>>0		use		firmware-tplink
+# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor
+>>>4		ubelong		>0x1F000000
+>>>>0		use		firmware-tplink
 
@@ -65,2 +67,3 @@
 # root file system data offset
+# WRONG in 5.35 with above indirect expression
 >0x88		ubelong		x		\b, at 0x%x
@@ -70,2 +73,3 @@
 >(0x88.L)	indirect	x
+# 'qshs' for wr940nv1_en_3_13_7_up(111228).bin
 #>(0x88.L)	string		x		\b, file system '%.4s'

More information about the File mailing list