[File] [PATCH] of Magdir/tplink firmware misidentifies windows cache cversions.?.db

Christos Zoulas christos at zoulas.com
Mon May 15 16:41:12 UTC 2023


Committed, thanks!

christos

> On May 8, 2023, at 3:43 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> 
> 
> Hello,
> Some days ago I handled some databases. Often the suffix db is used
> for such file names. Some samples are misidentified as "firmware"
> of tplink.
> 
> When running file command version 5.44 on such real tplink firmware
> samples and misidentified db samples, I get an output like:
> 
> TL-WR1043ND-V1-FW0.0.3-stripped.bin:
> 	firmware 1043 v1 TP-LINK Technologies
> 	ver. 1.0, version 3.13.15,
> 	8126464 bytes or less, at 0x200
> 	828986 bytes
> 	gzip compressed data, was "vmlinux.bin",
> 	last modified: Wed Mar 19 03:11:27 2014,
> 	from Unix, original size modulo 2^32 4294967295,
> 	at 0
> cversions.1.db:
> 	firmware c00 v0 (revision 0)
> 	V2,
> 	0 bytes or less,
> 	at 0 0 bytes ,
> 	at 0 0 bytes
> cversions.2.db:
> 	firmware 400 v0 (revision 0) \240
> 	V2,
> 	100663296 bytes or less, UNKNOWN3 0x6000000,
> 	at 0x6000000 0 bytes ,
> 	at 0 0 bytes
> cversions.3.db:
> 	firmware 7b01 v0 (revision 0) `
> 	V2, 16777216 bytes or less, UNKNOWN3 0x1000000,
> 	at 0x1000000 0 bytes ,
> 	at 0 0 bytes
> gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v3.bin:
> 	firmware 1043 v3 OpenWrt r7835+25-89808e2,
> 	8126464 bytes or less, at 0x200 1560644 bytes ,
> 	at 0x17d244 2229654 bytes \012-
> 	Squashfs filesystem, little endian, version 4.0,
> 	xz compressed,
> 	2229654 bytes, 1365 inodes, blocksize: 65536 bytes,
> 	created: Sat Jul 20 11:12:58 2019
> wr940nv1_en_3_13_7_up(111228).bin:
> 	firmware 941 v4 TP-LINK Technologies
> 	ver. 1.0, version 3.13.7,
> 	3932160 bytes or less, at 0x200 815072 bytes
> 	gzip compressed data, was "vmlinux.bin",
> 	last modified: Fri Dec 16 04:55:03 2011,
> 	from Unix, original size modulo 2^32 4294967295,
> 	at 0
> 
> With --extension option only bin is displayed.
> 
> For comparison reasons I also ran the file format identification
> utility DROID (see https://sourceforge.net/projects/droid/).
> The DB samples are described as "Thumbs DB file" of XP by
> PUID fmt/682 via extension. The real firmware samples are described
> generically as "Binary File" by PUID fmt/208 via extension.
> (See appended droid-tplink.csv.gz).
> 
> For comparison reasons I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). The BIN samples are
> described, as here, with low priority as "TP-Link router firmware (v1)"
> by bin-tplink-v1.trid.xml. Some examples are described with higher
> priority with the additional phrase "gzip+lzma" by
> bin-tplink_gz_lzma-v1.trid.xml. The Windows cache DB samples are
> described as "Unknown!" (See appended trid-v-tplink.txt.gz).
> 
> The description happens inside Magdir/tplink. The firmware samples
> have no easy magic pattern, but luckily the displaying part is done
> by the subroutine firmware-tplink. This looks like:
> 0		name		firmware-tplink
>> 0		ubyte		x		firmware
> !:mime application/x-tplink-bin
> !:ext	bin
>> 0x40		ubeshort	x		%x
>> 0x42		ubeshort	x		v%x
>> 0x44		ubelong		!1		(revision %u)
>> 4		string		x		%.24s
> At offset 4 the vendor_name[24] string is stored. For real
> samples this is something like OpenWrt or TP-LINK Technologies. The vendor
> name is used in the fourth test line to skip the Norton Commander Cleanup
> Utility NCCLEAN.INI if it is "ASCII" printable. This test line
> looks like:
>>>> 4		ubelong		>0x1F000000
> For some DB samples like cversions.1.db, cversions.2.db, or
> cversions.3.db found inside c:\ProgramData\Microsoft\Windows\Caches
> this string is interpreted as invalid vendor names \240\0\0\0,
> \140\0\0\0, \040\0\0\0. So I skip such samples by an additional test line
> before calling the subroutine. So this part now becomes:
>>>>>> 5		short		!0
>>>>>>> 0	use		firmware-tplink
> 
> After applying the above-mentioned modifications by patch
> file-5.44-tplink-db.diff, the misidentification vanishes
> and with the -m Magdir\tplink option I now get an output like:
> 
> TL-WR1043ND-V1-FW0.0.3-stripped.bin:
> 	firmware 1043 v1 TP-LINK Technologies
> 	ver. 1.0, version 3.13.15,
> 	8126464 bytes or less, at 0x200
> 	828986 bytes , at 0x100000 7077888 bytes
> cversions.1.db:
> 	data
> cversions.2.db:
> 	data
> cversions.3.db:
> 	data
> gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v3.bin:
> 	firmware 1043 v3 OpenWrt r7835+25-89808e2,
> 	8126464 bytes or less, at 0x200 1560644 bytes ,
> 	at 0x17d244 2229654 bytes
> wr940nv1_en_3_13_7_up(111228).bin:
> 	firmware 941 v4 TP-LINK Technologies
> 	ver. 1.0, version 3.13.7,
> 	3932160 bytes or less, at 0x200 815072 bytes ,
> 	at 0x100000 2883584 bytes
> 
> I hope my diff file can be applied in a future version of the
> file utility.
> 
> There is something to do. Classify the mysterious Windows cache db
> samples.
> 
> With best wishes
> Jörg Jenderek
> --
> Jörg Jenderek
> 
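The header fields and the two vendor-name tests described in the quoted mail (ubelong at offset 4 > 0x1F000000, and the added short at offset 5 != 0), as an added Python example that is not code from the file project or from the mail. The header builder and both sample headers are constructed here to mirror the quoted outputs; they are not real files.

```python
import struct

# Offsets taken from the magic rules quoted in the mail (Magdir/tplink).
VENDOR_OFF, VENDOR_LEN = 4, 24                  # vendor_name[24]
PRODUCT_OFF, VERSION_OFF, REVISION_OFF = 0x40, 0x42, 0x44
HEADER_LEN = 0x48                               # enough for the fields read here

def vendor_check_old(data: bytes) -> bool:
    """Original test: ubelong at offset 4 > 0x1F000000 (first vendor byte printable).
    The cache DB vendor field \\240\\0\\0\\0 is 0xA0000000 and passes this test."""
    return struct.unpack_from(">I", data, VENDOR_OFF)[0] > 0x1F000000

def vendor_check_patched(data: bytes) -> bool:
    """Patched test: also require the short at offset 5 to be non-zero.
    Byte order does not matter for a != 0 test, so compare the raw bytes."""
    return vendor_check_old(data) and data[5:7] != b"\0\0"

def describe_firmware(data: bytes, patched: bool = True):
    """Mimic the first output line of the firmware-tplink subroutine.
    Returns None where file would fall back to plain 'data'."""
    if len(data) < HEADER_LEN:
        return None
    check = vendor_check_patched if patched else vendor_check_old
    if not check(data):
        return None
    product, version, revision = struct.unpack_from(">HHI", data, PRODUCT_OFF)
    vendor = data[VENDOR_OFF:VENDOR_OFF + VENDOR_LEN].split(b"\0", 1)[0]
    text = f"firmware {product:x} v{version:x}"
    if revision != 1:                           # ubelong !1 -> (revision %u)
        text += f" (revision {revision})"
    return text + " " + vendor.decode("latin-1")

def make_header(vendor: bytes, product: int, version: int, revision: int) -> bytes:
    """Constructed header: only the fields the quoted magic rules read are set."""
    hdr = bytearray(HEADER_LEN)
    v = vendor[:VENDOR_LEN]
    hdr[VENDOR_OFF:VENDOR_OFF + len(v)] = v
    struct.pack_into(">HHI", hdr, PRODUCT_OFF, product, version, revision)
    return bytes(hdr)

# Constructed samples modelled on the quoted outputs (not the real files).
TPLINK_SAMPLE = make_header(b"TP-LINK Technologies", 0x1043, 1, 1)   # revision 1: not printed
CACHE_DB_SAMPLE = make_header(b"\240\0\0\0", 0x400, 0, 0)            # cversions.2.db-like

if __name__ == "__main__":
    for name, sample in (("TL-WR1043ND", TPLINK_SAMPLE), ("cversions.2.db", CACHE_DB_SAMPLE)):
        print(name, "| old:", describe_firmware(sample, patched=False),
              "| patched:", describe_firmware(sample))
```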
