[File] [PATCH] of Magdir/linux; forth for Linux kernel ARM zImage,ARM OpenFirmware FORTH

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sun Aug 30 13:34:55 UTC 2020 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
some days ago i download official image for Raspberry Pi.
When running file command version 5.39 on such kernel images and
similar files i get with -k option an output like:

kernel7.img:
	ARM OpenFirmware FORTH Dictionary,
	Text length: -509607936 bytes,
	Data length: -509607936 bytes,
	Text Relocation Table length: -369098749 bytes,
	Data Relocation Table length: 24061976 bytes,
	Entry Point: 0x00000000,
	BSS length: 4934912 bytes
	Linux kernel ARM boot executable
	zImage (little-endian)
kernel_auto.bin:
	ARM OpenFirmware FORTH Dictionary,
	Text length: -509607936 bytes,
	Data length: -509607936 bytes,
	Text Relocation Table length: -369098750 bytes,
	Data Relocation Table length: 24061976 bytes,
	Entry Point: 0x00000000, BSS length: 4233696 bytes
	Linux kernel ARM boot executable
	zImage (little-endian)
recovery7.img:
	ARM OpenFirmware FORTH Dictionary,
	Text length: -509607936 bytes,
	Data length: -509607936 bytes,
	Text Relocation Table length: -369098747 bytes,
	Data Relocation Table length: 24061976 bytes,
	Entry Point: 0x00000000,
	BSS length: 3205672 bytes
	Linux kernel ARM boot executable
	zImage (little-endian)
	(Lepton 2.x), scale 32768-36064,
	spot sensor temperature -3947603794723797500000.000000,
	color scheme 1, minimum point enabled,
	calibration: offset 0.000000, slope -0.000000
recovery7l.img:
	ARM OpenFirmware FORTH Dictionary,
	Text length: -509607936 bytes,
	Data length: -509607936 bytes,
	Text Relocation Table length: -369098747 bytes,
	Data Relocation Table length: 24061976 bytes,
	Entry Point: 0x00000000, BSS length: 3435856 bytes
	Linux kernel ARM boot executable zImage (little-endian)
	(Lepton 2.x), scale 32768-36064,
	spot sensor temperature -3947603794723797500000.000000,
	color scheme 1, minimum point enabled,
	calibration: offset 0.000000, slope -0.000000

With --extension option only ??? is displayed.

For comparison reason i run the file command version 5.37. There
correct file name extension phrase "img/bin" is shown and no
misidentification as ARM OpenFirmware FORTH Dictionary happens.

By Magdir/measure i get misidentifications starting with phrase
"(Lepton 2.x)". This nearly happens all the time when running file
command with -k option on a few dozens samples. So this magic file
gives too many false hits. So i propose to deactivate or improve
magic lines for DIY-Thermocam raw data files.

In newer version of file command as third mixed variant Big-endian
with Little-endian bootloader was added. In the past i had added
file name extension for raspian "kernel7.img" Vu+ Ultimo4K
"kernel_auto.bin". I myself have only done this for pure little
endian variant. So i put lines in correct order like
 0x24 lelong  0x016f2818  Linux kernel ARM boot executable zImage
 >0x30 belong !0x04030201 (little-endian)
 !:ext img/bin

The inspected kernel images are misidentified as ARM OpenFirmware
FORTH Dictionary with a negative Text length. I am no ARM  or FORTH
expert, but assume that in real examples only positive text length
can occur. So i also check inside Magdir/forth for positive text
length by an additional test. So this start now with lines like:
 0	lelong	0xe1a00000
 >8	lelong	0xe1a00000
 >>24	lelong	>0		ARM OpenFirmware FORTH Dictionary,
 >>>24	lelong	x		Text length: %d bytes,

After applying the above mentioned modifications by patch
file-5.39-linux-arm-kernel.diff and
file-5.39-forth-arm-dictionary.diff then misidentification vanish
and i get correct output without Magdir/measure like:

kernel7.img:     Linux kernel ARM boot executable
		 zImage (little-endian)
kernel_auto.bin: Linux kernel ARM boot executable
		 zImage (little-endian)
recovery7.img:   Linux kernel ARM boot executable
		 zImage (little-endian)
recovery7l.img:  Linux kernel ARM boot executable
		 zImage (little-endian)


I hope my 2 diff files can be applied in future version of
file utility.

With best wishes
Jörg Jenderek
- --
Jörg Jenderek












-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCX0uq6wAKCRCv8rHJQhrU
1s22AJ99NlxnC86/PllAHTPVy+ENgGNu8wCgg1CR96uUCIK2vE2LVUIVefmgZtc=
=R3W5
-----END PGP SIGNATURE-----
-------------- next part --------------
--- file-5.39/magic/Magdir/forth.old	2019-06-06 19:14:20 +0000
+++ file-5.39/magic/Magdir/forth	2020-08-30 13:19:41 +0000
@@ -21,9 +21,11 @@
 0	lelong	0xe1a00000
->8	lelong	0xe1a00000	ARM OpenFirmware FORTH Dictionary,
->>24	lelong	x		Text length: %d bytes,
->>28	lelong	x		Data length: %d bytes,
->>32	lelong	x		Text Relocation Table length: %d bytes,
->>36	lelong	x		Data Relocation Table length: %d bytes,
->>40	lelong	x		Entry Point: 0x%08X,
->>44	lelong	x		BSS length: %d bytes
+>8	lelong	0xe1a00000
+# skip raspberry pi kernel image kernel7.img by checking for positive text length
+>>24	lelong	>0		ARM OpenFirmware FORTH Dictionary,
+>>>24	lelong	x		Text length: %d bytes,
+>>>28	lelong	x		Data length: %d bytes,
+>>>32	lelong	x		Text Relocation Table length: %d bytes,
+>>>36	lelong	x		Data Relocation Table length: %d bytes,
+>>>40	lelong	x		Entry Point: 0x%08X,
+>>>44	lelong	x		BSS length: %d bytes
 
-------------- next part --------------
--- file-5.39/magic/Magdir/linux.old	2020-06-15 00:01:01 +0000
+++ file-5.39/magic/Magdir/linux	2020-08-30 13:09:50 +0000
@@ -246,5 +246,5 @@
 >0x30	belong	!0x04030201	(little-endian)
->0x30	belong	0x04030201	(big-endian)
 # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
 !:ext	img/bin
+>0x30	belong	0x04030201	(big-endian)
 0x24	belong	0x016f2818	Linux kernel ARM boot executable zImage (big-endian)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.39-forth-arm-dictionary.diff.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20200830/92bf3bf6/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.39-linux-arm-kernel.diff.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20200830/92bf3bf6/attachment-0001.obj>

More information about the File mailing list