[File] [PATCH] of Magdir/tplink firmware misidentifies windows cache cversions.?.db

Jörg Jenderek joerg.jen.der.ek at gmx.net
Mon May 8 19:43:07 UTC 2023



Hello,
some days ago I handled some databases. Often the suffix db is used
for such file names. Some samples are misidentified as "firmware"
of tplink.

When running the file command version 5.44 on such real tplink firmware
samples and misidentified db samples, I get an output like:

TL-WR1043ND-V1-FW0.0.3-stripped.bin:
	firmware 1043 v1 TP-LINK Technologies
	ver. 1.0, version 3.13.15,
	8126464 bytes or less, at 0x200
	828986 bytes
	gzip compressed data, was "vmlinux.bin",
	last modified: Wed Mar 19 03:11:27 2014,
	from Unix, original size modulo 2^32 4294967295,
	at 0
cversions.1.db:
	firmware c00 v0 (revision 0)
	V2,
	0 bytes or less,
	at 0 0 bytes ,
	at 0 0 bytes
cversions.2.db:
	firmware 400 v0 (revision 0) \240
	V2,
	100663296 bytes or less, UNKNOWN3 0x6000000,
	at 0x6000000 0 bytes ,
	at 0 0 bytes
cversions.3.db:
	firmware 7b01 v0 (revision 0) `
	V2, 16777216 bytes or less, UNKNOWN3 0x1000000,
	at 0x1000000 0 bytes ,
	at 0 0 bytes
gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v3.bin:
	firmware 1043 v3 OpenWrt r7835+25-89808e2,
	8126464 bytes or less, at 0x200 1560644 bytes ,
	at 0x17d244 2229654 bytes \012-
	Squashfs filesystem, little endian, version 4.0,
	xz compressed,
	2229654 bytes, 1365 inodes, blocksize: 65536 bytes,
	created: Sat Jul 20 11:12:58 2019
wr940nv1_en_3_13_7_up(111228).bin:
	firmware 941 v4 TP-LINK Technologies
	ver. 1.0, version 3.13.7,
	3932160 bytes or less, at 0x200 815072 bytes
	gzip compressed data, was "vmlinux.bin",
	last modified: Fri Dec 16 04:55:03 2011,
	from Unix, original size modulo 2^32 4294967295,
	at 0

With --extension option only bin is displayed.

For comparison reasons I also ran the file format identification
utility DROID (see https://sourceforge.net/projects/droid/).
The DB samples are described as "Thumbs DB file" of XP by
PUID fmt/682 via extension. The real firmware samples are described
generically as "Binary File" by PUID fmt/208 via extension.
(See appended droid-tplink.csv.gz).

For comparison reasons I also ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). The BIN samples are
described, as here, with low priority as "TP-Link router firmware (v1)"
by bin-tplink-v1.trid.xml. Some examples are described with higher
priority with the additional phrase "gzip+lzma" by
bin-tplink_gz_lzma-v1.trid.xml. The Windows cache DB samples are
described as "Unknown!" (See appended trid-v-tplink.txt.gz).

The description happens inside Magdir/tplink. The firmware samples
have no easy magic pattern, but luckily the displaying part is done
by the subroutine firmware-tplink. This looks like:
 0		name		firmware-tplink
 >0		ubyte		x		firmware
 !:mime application/x-tplink-bin
 !:ext	bin
 >0x40		ubeshort	x		%x
 >0x42		ubeshort	x		v%x
 >0x44		ubelong		!1		(revision %u)
 >4		string		x		%.24s
At offset 4 the vendor_name[24] string is stored. For real samples
this is something like OpenWrt or TP-LINK Technologies. The vendor
name is used in the fourth test line to skip Norton Commander Cleanup
Utility NCCLEAN.INI if it is "ASCII" printable. This test line
looks like:
 >>>4		ubelong		>0x1F000000
For some DB samples like cversions.1.db, cversions.2.db, or
cversions.3.db found inside c:\ProgramData\Microsoft\Windows\Caches
this string is interpreted as invalid vendor names \240\0\0\0
\140\0\0\0 \040\0\0\0. So I skip such samples by an additional test
line before calling the subroutine. So this part now becomes like:
 >>>>>5		short		!0
 >>>>>>0	use		firmware-tplink

After applying the above mentioned modifications by the patch file
file-5.44-tplink-db.diff, the misidentification vanishes,
and with the -m Magdir\tplink option I now get an output like:

TL-WR1043ND-V1-FW0.0.3-stripped.bin:
	firmware 1043 v1 TP-LINK Technologies
	ver. 1.0, version 3.13.15,
	8126464 bytes or less, at 0x200
	828986 bytes , at 0x100000 7077888 bytes
cversions.1.db:
	data
cversions.2.db:
	data
cversions.3.db:
	data
gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v3.bin:
	firmware 1043 v3 OpenWrt r7835+25-89808e2,
	8126464 bytes or less, at 0x200 1560644 bytes ,
	at 0x17d244 2229654 bytes
wr940nv1_en_3_13_7_up(111228).bin:
	firmware 941 v4 TP-LINK Technologies
	ver. 1.0, version 3.13.7,
	3932160 bytes or less, at 0x200 815072 bytes ,
	at 0x100000 2883584 bytes

I hope my diff file can be applied in a future version of the
file utility.

There is something to do: classify the mysterious Windows cache db
samples.

With best wishes
Jörg Jenderek
--
Jörg Jenderek

--- file-5.44/magic/Magdir/tplink.old	2021-05-12 19:30:24.000000000 +0200
+++ file-5.44/magic/Magdir/tplink	2023-05-08 21:38:15.842541500 +0200
@@ -5,21 +5,28 @@
 
 # URL: https://wiki.openwrt.org/doc/techref/header
 # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c
+#		http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml
+# Note:		called "TP-Link router firmware (v1)" by TrID
 # From: Joerg Jenderek
 # check for valid header version 1 or 2
 0		ulelong		<3
 >0		ulelong		!0
 # test for header padding with nulls
 >>0x100		long		0
-# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor
+# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor name
 >>>4		ubelong		>0x1F000000
 # skip user.dbt by looking for positive hardware id
 >>>>0x40	ubeshort	>0
->>>>>0		use		firmware-tplink
+# skip cversions.1.db cversions.2.db cversions.3.db inside
+# c:\ProgramData\Microsoft\Windows\Caches
+# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0 
+>>>>>5		short		!0
+>>>>>>0		use		firmware-tplink
 
 0		name		firmware-tplink
 >0		ubyte		x		firmware
 !:mime application/x-tplink-bin
+# like: TL-WR1043ND-V1-FW0.0.3-stripped.bin gluon-ffrefugee-0.9.2-tp-link-archer-c5-v1-sysupgrade.bin
 !:ext	bin
 # hardware id like 10430001 07410001 09410004 09410006
 >0x40		ubeshort	x		%x
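Review bot: the new test `>>>>>5		short		!0` uses the native-endian `short` type while every neighbouring test in this block spells out the byte order (`ulelong`, `ubelong`, `ubeshort`); because the comparison is only against zero the result is the same on both endians, but `ubeshort` would keep the block consistent and make the intent (bytes 5 and 6 of vendor_name are not NUL) obvious to the next reader. Two cosmetic points in the same hunk: the comment line `# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0 ` ends in trailing whitespace, and the added `#		http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml` line is tab-indented after `#` unlike the `# Reference:` line it continues; aligning it under `# Reference:` would read as a continuation rather than a stray line.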


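As an added illustration (not part of this post or of the file project's own code), the Python below re-implements the Magdir/tplink tests quoted above and runs them over two constructed headers: a TP-Link v1-style header and a stand-in for cversions.2.db whose vendor bytes are \240\0\0\0. It shows the old test chain accepting both and the added `>>>>>5 short !0` line rejecting the cache file; the sample bytes are constructed, not taken from real files.

```python
import struct

VENDOR_OFF, VENDOR_LEN = 4, 24      # vendor_name[24] lives at offset 4
HWID_OFF, PAD_OFF = 0x40, 0x100     # hardware id word / null padding tested by the magic


def make_tplink_header(version=1, vendor=b"TP-LINK Technologies",
                       hw_id=0x1043, hw_rev=1, fw_rev=1):
    """Constructed TP-Link v1-style header (not a real firmware image)."""
    buf = bytearray(0x200)
    struct.pack_into("<I", buf, 0, version)                    # little-endian header version
    buf[VENDOR_OFF:VENDOR_OFF + VENDOR_LEN] = vendor.ljust(VENDOR_LEN, b"\0")
    struct.pack_into(">HHI", buf, HWID_OFF, hw_id, hw_rev, fw_rev)
    return bytes(buf)


def make_cache_db_like(vendor_bytes=b"\xa0\0\0\0", hw_id=0x400):
    """Constructed stand-in for cversions.2.db: version word 2, vendor bytes \\240\\0\\0\\0."""
    buf = bytearray(0x200)
    struct.pack_into("<I", buf, 0, 2)
    buf[VENDOR_OFF:VENDOR_OFF + 4] = vendor_bytes
    struct.pack_into(">H", buf, HWID_OFF, hw_id)
    return bytes(buf)


def _escape(raw):
    """Render bytes the way file(1) prints a %s string: octal escapes for non-printables."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "\\%03o" % b for b in raw)


def tplink_magic(data, with_db_fix=True):
    """Walk the Magdir/tplink test chain; return the file(1)-style text or None."""
    if len(data) < PAD_OFF + 4:
        return None
    version = struct.unpack_from("<I", data, 0)[0]
    if not 0 < version < 3:                                    # 0 ulelong <3 ; >0 ulelong !0
        return None
    if struct.unpack_from("<i", data, PAD_OFF)[0] != 0:        # >>0x100 long 0 (zero test, endian-free)
        return None
    if struct.unpack_from(">I", data, VENDOR_OFF)[0] <= 0x1F000000:  # >>>4 ubelong >0x1F000000
        return None
    hw_id, hw_rev, fw_rev = struct.unpack_from(">HHI", data, HWID_OFF)
    if hw_id == 0:                                             # >>>>0x40 ubeshort >0
        return None
    # the patch's new line: >>>>>5 short !0 (bytes 5 and 6 of vendor_name must not be NUL)
    if with_db_fix and struct.unpack_from("<h", data, VENDOR_OFF + 1)[0] == 0:
        return None
    vendor = data[VENDOR_OFF:VENDOR_OFF + VENDOR_LEN].split(b"\0", 1)[0]
    text = "firmware %x v%x" % (hw_id, hw_rev)                 # >0x40 %x, >0x42 v%x
    if fw_rev != 1:                                            # >0x44 ubelong !1 (revision %u)
        text += " (revision %u)" % fw_rev
    return text + " " + _escape(vendor)                        # >4 string %.24s
```

Calling `tplink_magic(make_cache_db_like(), with_db_fix=False)` reproduces the misleading "firmware 400 v0 (revision 0) \240" text, while the default (with the new test) returns None so file(1) falls through to "data".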