[File] [PATCH] of Magdir/windows for Microsoft System Deployment Image (boot.sdi)
Jörg Jenderek
joerg.jen.der.ek at gmx.net
Wed May 1 16:37:50 UTC 2019
Hello,
Some days ago I ran version 5.36 on a Windows recovery drive inside the boot
directory. The boot loader file "boot.sdi" is only described as "data".
So I added lines to Magdir/windows. Unfortunately there exists no official
documentation about the file format by Microsoft, but some information is
found on Wikipedia. So add a comment line like
# URL: http://en.wikipedia.org/wiki/System_Deployment_Image
There a link to Sergii Kolisnyk's "SDI file format specification" is
mentioned. So use that as reference, expressed by the comment line
# Reference: http://skolk.livejournal.com/1320.html
According to that site SDI files start with magic+version bytes. That is
expressed by lines
0 string $SDI
>4 string 0001 System Deployment Image
Afterwards display the file name extension and user defined mime type by lines:
!:mime application/x-ms-sdi
!:ext sdi
Unfortunately I myself found only one SDI example. So I can not verify
what fields are important. For my example many fields are empty. So print
values only if not empty like
>>8 ulequad !0 \b, MDBtype 0x%llx
>>112 ulequad !0 \b, PageAlignment %llu
Of interest is the table of contents starting at offset 0x400. Each
entry for a blob occupies 0x40 bytes. Each entry starts with an 8 byte
null padded type identifier like PART, WIM , BOOT, LOAD or DISK. So for
the first blob this is shown by line
>>0x400 string >\0 \b, type %-3.8s
The numeric type (where 0 means non-file-system, 7 means NTFS file
system and 6 means BIGFAT) is shown by a line like
>>>0x420 ulequad !0 (0x%llx)
The offset and size of first blob is shown by lines like
>>>0x410 ulequad x at 0x%llx
>>>0x418 ulequad >0 %llu bytes
For my example first blob was NTFS file system. So inspect this embedded
part by calling Magdir/filesystems by pointer expression like:
>>>>(0x410.l) indirect x
Then repeat procedure for second blob starting with line like
>>0x440 string >\0 \b, type %-3.8s
For my example this was an empty zero sized WIM image.
A possible third embedded blob is shown by magics starting
with line like:
>>0x480 string >\0 \b, type %-3.8s
After applying the above mentioned modifications by patch
file-5.36-windows-sdi.diff the SDI example is then described like:
boot.sdi: System Deployment Image, PageAlignment 2, checksum 0x39,
type PART (0x7) at 0x2000 3161088 bytes DOS/MBR boot sector, code
offset 0x52+2, OEM-ID "NTFS ",
Media descriptor 0xf8, sectors/track 2, heads 16, hidden sectors 2,
dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor);
NTFS, sectors/track 2, sectors 6173, $MFT start cluster 2058, $MFTMirror
start cluster 5162, clusters/RecordSegment 2, clusters/index block 8,
serial number 050d60a27d60a0dc2; contains bootstrap NTLDR,
type WIM at 0x306000
I hope my diff file can be applied in a future version of the
file utility.
With best wishes
Jörg Jenderek
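The header and table-of-contents layout described in the mail above, as an added Python example that is not part of the original post or of the file project. The function names, the `max_entries` cap, stopping at the first empty type field, the `in_bounds` check and the sample image are assumptions made for illustration; the offsets are the ones given in the mail.

```python
import struct

TOC_OFFSET, ENTRY_SIZE = 0x400, 0x40  # from the mail: TOC at 0x400, 0x40 bytes per blob

def parse_sdi(data: bytes, max_entries: int = 8):
    """Return (header, blobs); max_entries is an assumed cap, not from the spec."""
    if data[:8] != b"$SDI0001":
        raise ValueError("not an SDI version 0001 file")
    if len(data) < TOC_OFFSET:
        raise ValueError("truncated SDI header")
    header = {
        "mdb_type": struct.unpack_from("<Q", data, 8)[0],
        "page_alignment": struct.unpack_from("<Q", data, 112)[0],
        "checksum": struct.unpack_from("<Q", data, 0x1F8)[0],
    }
    blobs = []
    for i in range(max_entries):
        base = TOC_OFFSET + i * ENTRY_SIZE
        if base + ENTRY_SIZE > len(data):
            break
        # Entry layout: type[8], attributes, offset, size, numeric type (all LE u64)
        name, attrs, offset, size, base_type = struct.unpack_from("<8s4Q", data, base)
        if name[0] == 0:  # assumption: an empty type field ends the table
            break
        blobs.append({
            "type": name.rstrip(b"\0 ").decode("ascii", "replace"),
            "attributes": attrs, "offset": offset, "size": size,
            "base_type": base_type,
            # A blob pointing past end of file marks a truncated or malformed image.
            "in_bounds": offset + size <= len(data),
        })
    return header, blobs

def build_sample() -> bytes:
    """Constructed test image, not a real boot.sdi."""
    img = bytearray(0x2200)
    img[0:8] = b"$SDI0001"
    struct.pack_into("<Q", img, 112, 2)        # PageAlignment
    struct.pack_into("<Q", img, 0x1F8, 0x39)   # checksum field
    entries = [(b"PART", 0, 0x2000, 0x200, 7),  # NTFS partition blob
               (b"WIM ", 0, 0x2200, 0, 0),      # empty WIM blob
               (b"BOOT", 0, 0x9000, 0x100, 0)]  # deliberately out of bounds
    for i, entry in enumerate(entries):
        struct.pack_into("<8s4Q", img, TOC_OFFSET + i * ENTRY_SIZE, *entry)
    return bytes(img)

if __name__ == "__main__":
    hdr, toc = parse_sdi(build_sample())
    print(hdr)
    for blob in toc:
        print(blob)
```
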
-------------- next part --------------
--- file-5.36/magic/Magdir/windows.old 2019-01-11 21:00:26 +0000
+++ file-5.36/magic/Magdir/windows 2019-05-01 15:09:09 +0000
@@ -58,2 +58,65 @@
+# Summary: Windows System Deployment Image
+# Created by: Joerg Jenderek
+# URL: http://en.wikipedia.org/wiki/System_Deployment_Image
+# Reference: http://skolk.livejournal.com/1320.html
+0 string $SDI
+>4 string 0001 System Deployment Image
+!:mime application/x-ms-sdi
+#!:mime application/octet-stream
+# \Boot\boot.sdi
+!:ext sdi
+# MDBtype: 0~Unspecified 1~RAM 2~ROM
+>>8 ulequad !0 \b, MDBtype 0x%llx
+# BootCodeOffset
+>>16 ulequad !0 \b, BootCodeOffset 0x%llx
+# BootCodeSize
+>>24 ulequad !0 \b, BootCodeSize 0x%llx
+# VendorID
+>>32 ulequad !0 \b, VendorID 0x%llx
+# DeviceID
+>>40 ulequad !0 \b, DeviceID 0x%llx
+# DeviceModel
+>>48 ulequad !0 \b, DeviceModel 0x%llx
+>>>56 ulequad !0 \b%llx
+# DeviceRole
+>>64 ulequad !0 \b, DeviceRole 0x%llx
+# Reserved1; reserved fields and gaps between BLOBs are padded with \0
+#>>72 ulequad !0 \b, Reserved1 0x%llx
+# RuntimeGUID
+>>80 ulequad !0 \b, RuntimeGUID 0x%llx
+>>>88 ulequad !0 \b%llx
+# RuntimeOEMrev
+>>96 ulequad !0 \b, RuntimeOEMrev 0x%llx
+# Reserved2
+#>>104 ulequad !0 \b, Reserved2 0x%llx
+# BLOB alignment value in pages, as specified in sdimgr /pack: 1~4K 2~8k
+>>112 ulequad !0 \b, PageAlignment %llu
+# Reserved3[48]
+#>>120 ulequad !0 \b, Reserved3 0x%llx
+# SDI checksum 39h
+>>0x1f8 ulequad x \b, checksum 0x%llx
+# BLOBtype[8] \0-padded: PART, WIM , BOOT, LOAD, DISK
+>>0x400 string >\0 \b, type %-3.8s
+# 0~non-filesystem 7~NTFS 6~BIGFAT
+>>>0x420 ulequad !0 (0x%llx)
+# ATTRibutes
+>>>0x408 ulequad !0 0x%llx attributes
+# Offset
+>>>0x410 ulequad x at 0x%llx
+# print 1 space after size and then handles NTFS boot sector by ./filesystems
+>>>0x418 ulequad >0 %llu bytes
+>>>>(0x410.l) indirect x
+# 2nd BLOB: WIM
+>>0x440 string >\0 \b, type %-3.8s
+>>>0x428 ulequad !0 (0x%llx)
+# ATTRibutes
+>>>0x448 ulequad !0 0x%llx attributes
+# Offset
+>>>0x450 ulequad x at 0x%llx
+>>>0x458 ulequad >0 %llu bytes
+>>>>(0x450.l) indirect x
+# 3rd BLOB
+>>0x480 string >\0 \b, type %-3.8s
+
# Summary: Windows Error Report text files
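Review bot: In the "2nd BLOB" block the numeric type test reads the wrong offset: `>>>0x428 ulequad !0 (0x%llx)` still lies inside the first table entry. The first entry reads this field at 0x420, and every other second-entry field (0x448, 0x450, 0x458) is the first-entry offset plus 0x40, so this line should most likely test 0x460. Separately, both `indirect` lines dereference the blob offset with `.l` (32 bits) although the same field is printed as `ulequad`; for a blob located beyond 4 GiB the pointer would be truncated and the nested result would no longer match the printed offset, so consider `(0x410.q)` and `(0x450.q)`. The third entry at 0x480 prints only the type string; a short comment saying that offset, size and the indirect test are intentionally omitted there would help the next reader.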