[File] [PATCH] of Magdir/tplink for openwrt firmware (update)

Fri Dec 21 17:37:56 UTC 2018

On Dec 21,  6:26pm, joerg.jen.der.ek at gmx.net (=?UTF-8?Q?J=c3=b6rg_Jenderek?=) wrote:
-- Subject: [File] [PATCH] of Magdir/tplink for openwrt firmware (update)

| Hello,
| 
| some days ago i run file command version 5.35 on some old DOS files.
| The Norton Commander Cleanup Utility initialization file NCCLEAN.INI was
| sometimes misidentified by Magdir/tplink as openwrt firmware. This looks
| with good examples like:
| 
| openwrt-ar71xx-generic-tl-wr1043nd-v1-squashfs-factory.bin:
| 	firmware 1043 v1 OpenWrt 12009,
| 	8126464 bytes or less,
| 	at 0x200 1405332 bytes gzip compressed data, max compression,
| 	from Unix, original size 4294967295,
| 	at 0x0
| wr940nv1_en_3_13_7_up(111228).bin:
| 	firmware 941 v4 TP-LINK Technologies ver. 1.0, version 3.13.7,
| 	3932160 bytes or less,
| 	at 0x200 815072 bytes gzip compressed data,
| 	was "vmlinux.bin", last modified: Fri Dec 16 04:55:03 2011,
| 	from Unix, original size 4294967295,
| 	at 0x0
| ..\other\NCCLEAN.INI:
| 	firmware 0 v0 (revision 0)  rary files,
| 	0 bytes or less,
| 	at 0x0 0 bytes ,
| 	at 0x0 0 bytes
| 
| In Magdir/tplink with 3 lines test for valid firmware header version 1
| or 2 and for header padding with nulls was done like
|  0		ulelong		<3
|  >0		ulelong		!0
|  >>0x100	long		0
| Apparently this also true for a bad example like NCCLEAN.INI. So i add
| an additional test line by looking for a valid (ASCII printable) vendor
| name like "OpenWrt" by line like
|  >>>4		ubelong		>0x1F000000
| And then afterwards call subroutine to display information for
| firmware binaries by
|  >>>>0		use		firmware-tplink
| 
| Then there is another error, which i do not understand. In subroutine
| the kernel data offset is printed by line like:
|  >0x80		ubelong		x		\b, at 0x%x
| Because normally the kernel is stored direct after firmware header this
| gives phrase "at 0x200".
| Later the root file system data offset is displayed by line
|  >0x88		ubelong		x		\b, at 0x%x
| For the above firmware samples this gives wrong offset ( in output the
| phrase "at 0x0".
| Between there was a magic line that trigger this wrong behavior:
|  >(0x80.L)	indirect	x
| Because the kernel is often compressed, this can be described by using
| file command itself to inspect that part by expression in
| Magdir/compress and pointer expression. So the above line displays
| phrase starting with "gzip compressed data". When i remove line with
| indirect instruction i get the correct root file system offsets.
| 
| Maybe somebody is smart enough to fix this behavior.
| 
| After applying the above mentioned modifications by patch
| file-5.35-tplink-nc.diff then all bad inspected examples are skipped and
| good samples are still described.
| 
| I hope my diff file can be applied in future version of file utility.

Committed and Happy Holidays!

christos