[File] [PATCH] of Magdir/archive, virtual VirtualBox *.NVRAM described as tar archive
Christos Zoulas
christos at zoulas.com
Tue Oct 31 21:48:08 UTC 2023
Committed, thanks!
christos
> On Oct 25, 2023, at 7:55 PM, Jörg Jenderek (GMX) <joerg.jen.der.ek at gmx.net> wrote:
>
> Hello,
> some weeks ago i must migrate to Windows 10. During that process i
> lost some Virtual Box machines. So i look for file formats related to
> Virtual Box. One format use filename extension nvram.
>
> When running file command version 5.45 with -e tar option on such
> examples and related files, i get an output like:
>
> Black_Cobra_003.cbt: Comic Book archive, tar archive
> , 1st image 19.jpg
> FreeDOS_1.ova: Open Virtualization Format Archive
> , with FreeDOS_1.ovf
> Mint-21.1_2nd.nvram: POSIX tar archive (GNU), file TpmEmuTpms/permall
> , mode 0100700, uid 0000000, gid 0000000
> , size 00000010451, seconds 14431206570
> , user someone, group somegroup
> OS X 10.11.nvram: data
> Vista.nvram: data
> Win10_22H2de.nvram: POSIX tar archive (GNU), file TpmEmuTpms/permall
> , mode 0100700, uid 0000000, gid 0000000
> , size 00000010451, seconds 14344626366
> , user someone, group somegroup
> Win11-no_tar.nvram: data
> tar-1.35.tar: POSIX tar archive, directory tar-1.35/
> , mode 0000755, uid 0001750, gid 0001750
> , size 00000000000, seconds 14455433533
> , user gray, group gray
>
> For the VirtualBox samples with --extension option only tar/gtar or ???
> is displayed. Furthermore with -i option for nvram samples only
> application/x-gtar or generic application/octet-stream
> is shown.
>
> For comparison reason i also run the file format identification
> utility DROID ( See https://sourceforge.net/projects/droid/). Here
> often the program freeze. The samples are described as "Tape Archive
> Format" with mime type application/x-tar by by PUID x-fmt/265. The
> OVA and NVRAM suffix are considered as bad. The CBT sample is described
> as "Comic Book Archive" via PUID fmt/1462 based on file name suffix (See
> EXTENSION_MISMATCH true in droid-nvram.csv.gz).
>
> For comparison reason i run the file format identification utility
> TrID ( See https://mark0.net/soft-trid-e.html). The samples described
> as TAR by file command are here also described with low priority as "TAR
> - Tape ARchive (GNU)" by ark-tar-gnu.trid.xml with generic mime type
> application/x-gtar and wrong 2 suffix (.TAR/GTAR). With highest priority
> these samples are described as "VirtualBox saved (U)EFI BIOS settings
> (TAR)" by nvram-virtualbox-tar.trid.xml with mime type
> application/x-virtualbox-nvram. The other nvram samples are described
> similar without (TAR) phrase by nvram-virtualbox.trid.xml. The other tar
> based samples are described with low priority as "TAR - Tape ARchive" by
> ark-tar-posix.trid.xml and ark-tar-file.trid.xml. The OVA sample is
> described correctly with highest priority as "Open Virtualization Format
> package" by ova.trid.xml whereas for the CBT samples no sub
> classification is shown (See appended trid-v-nvram.txt.gz).
>
> Unfortunately i found no file format description for such VirtualBox
> nvram samples. I and other people often complaining about Microsoft
> behaviour, but open software is also not the holy grail in every field.
> Such nvram samples are used and installed by VirtualBox, but the file
> type is not officially registered or you find no sufficient file
> specification. Some people say "may the source be with you", but when
> unpacking VirtualBox source packages if get about 1 GB of source text
> files. Unfortunately i have not enough expertise and time to find there
> the needed explanations.
>
> But in VirtualBox User Manual there exist in Chapter 8 about VBoxManage
> a section about modifynvram command. This command list and modify the
> NVRAM content of a virtual machine. So i use this as reference URL. That
> is expressed inside Magdir/virtual by comment lines like:
> # URL: https://www.virtualbox.org/
> # manual/ch08.html#vboxmanage-modifynvram
> # Reference: http://mark0.net/download/triddefs_xml.7z
> # defs/n/nvram-virtualbox.trid.xml
>
> The interesting sub command is listvars. This lists all UEFI variables
> in the virtual machine stored along with their owner UUID. This can be
> done for examples command line like:
> VBoxManage modifynvram "Mint-21.1_2nd" listvars
>
> So we get variable names and their GUID. In global strings of TrID
> definition we find again the listed UEFI variables but encoded as
> UTF16. Some are obviously identified as UEFI variables. These are
> expressed by lines like:
> <String>M'E'M'O'R'Y'T'Y'P'E'I'N'F'O'R'M'A'T'I'O'N</String>
> <String>K'E'Y'0'0'0'0</String>
> <String>B'O'O'T'O'R'D'E'R</String>
> <String>B'O'O'T'0'0'0'0</String>
> <String>M'T'C</String>
> <String>C'O'N'O'U'T</String>
> <String>C'O'N'I'N</String>
> <String>T'I'M'E'O'U'T</String>
> <String>P'L'A'T'F'O'R'M'L'A'N'G</String>
> <String>I'N'I'T'I'A'L'A'T'T'E'M'P'T'O'R'D'E'R</String>
>
> I can query the content of a given UEFI variable by sub command
> queryvar. This for example looks like:
> modifynvram "Win10_test" queryvar --name=Boot0000
> modifynvram "Win10_test" queryvar --name=Boot0001
> modifynvram "Win10_test" queryvar --name=Boot0002
>
> The shown content are boot devices. That encoded as UTF-16 are expressed
> in TrID definition inside global string section by lines like:
> <String>U'E'F'I' 'V'B'O'X' 'C'D'-'R'O'M' 'V'B</String>
> <String>U'I'A'P'P</String>
> <String>E'F'I' 'I'N'T'E'R'N'A'L' 'S'H'E'L'L</String>
>
> Then there are some short lines looking like ASCII inside global string
> section of TrID definition. These look like:
> <String>EI2YD</String>
> <String>_FVH</String>
>
> Some of them are found in the first 64 bytes of NVRAM samples which seem
> to be constant. Nothing looks a magic pattern except for 4 byte sequence
> _FVH and 2 byte sequence AA55 at the end of this header. So such samples
> are now described inside Magdir/virtual by lines like:
> 0 long 0
> >0x64 beshort 0xAA55
> >>0x28 string _FVH
> >>>0 use virtualbox-nvram
> 0 name virtualbox-nvram
> >0x64 beshort x VirtualBox NVRAM file
> !:mime application/x-virtualbox-nvram
> !:ext nvram
> Because i do not know if the start magic are always true (VirtualBox
> version 7.0.12 r159484) i put displaying part inside sub routine
> virtualbox-nvram. so in worst case things can easily be changed. Instead
> of generic mime type application/octet-stream i show an user defined one.
>
> Some NVRAM samples are just tar files. That can be verified by unpacking
> listing (see appended 7z-l-slt.txt.gz in output directory) like done by
> command like:
> 7z l -ttar -slt *.nvram
>
> Then we see the same information reported by file command. First member
> is file TpmEmuTpms\permall which is writeable, readable and executable
> by user someone (uid 0) "-rwx------" with group somegroup (gid 0). Now
> comes the interesting part. Second member is a file with name name
> efi\nvram and is readable and writeable to all "-rw-rw-rw-". Apparently
> that file is of the same kind as the other variant. So i extract these
> samples with same name as VirtualBox machine and additional no_tar
> phrase before suffix.
>
> This variant is described by TrID nvram-virtualbox-tar.trid.xml
> definition. The first member is TpmEmuTpms\permall. Unfortunately i do
> not know under which condition the tar based or the other variant is
> generated. The tar based samples are generated with by VirtualBox
> version 7.0.8 and also used by version 7.0.12.
>
> According to TrID some NVRAM samples are just tar files with
> TpmEmuTpms/permall archive member. That can be verified by unpacking
> listing (see appended 7z-l-nvram.txt.gz) like done by command like:
> 7z l -ttar *.nvram
>
> Assuming that TpmEmuTpms\permall file always comes first in TAR archive
> i can change magic lines inside Magdir/archive. There after some test
> lines the displaying part is done by subroutine tar-cbt for Comic
> Book archive packed as tar (*.cbt), tar-ova for Open Virtualization
> Format Archive (*.ova) or tar-file for other cases. So i must
> only insert test lines for NVRAM samples by check that first archive
> member name[100] is a file name with name TpmEmuTpms/permall. So this
> part now becomes like:
> >>>>>>>>0 string TpmEmuTpms/permall
> >>>>>>>>>0 use tar-nvram
> >>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp)
> >>>>>>>>>0 use tar-cbt
> >>>>>>>>0 regex \^.{1,96}[.](ovf)
> >>>>>>>>>0 use tar-ova
> >>>>>>>>0 default x
> >>>>>>>>>0 use tar-file
>
> Unfortunately the TAR format is used for storing by others with own file
> name suffix and even own mime type. And often exact information about
> such items is missing. Too overcome this problem also for future
> expansion i first restructured the current magic lines. After
> characterising the different tar variants then inside sub routine
> tar-file information (like file type, name, mode, time, owner, group) of
> first tar archive member is shown starting with interpretation of type
> flag. Now i put this part inside new sub routine tar-entry. This looks like:
> 0 name tar-entry
> #>156 ubyte x \b, %c-type
> >156 ubyte x
> >>156 ubyte 0 \b, file
> >>156 ubyte 0x30 \b, file
> >>156 ubyte 0x31 \b, hard link
> ...
> >>>257 string >\0 \b, comment: %-.40s
>
> Now i replace corresponding lines by calling this sub routine inside
> routine tar-file. Then i replace the corresponding lines in the other
> routines for tar based files. For CBT samples this routine look like:
> 0 name tar-cbt
> >0 string x Comic Book archive, tar archive
> !:mime application/vnd.comicbook
> !:ext cbt
> >0 string >\0 \b, 1st image %-.60s
> So there last line is now replaced and routine now looks like:
> 0 name tar-cbt
> >0 string x Comic Book archive, tar archive
> !:mime application/vnd.comicbook
> !:ext cbt
> >0 use tar-entry
>
> Then i do the same procedure in routine tar-ova. For VirtualBox samples
> the corresponding sub routine so now looks like:
> 0 name tar-nvram
> >0 string x VirtualBox NVRAM file
> !:mime application/x-virtualbox-nvram
> !:ext nvram
> >0 use tar-entry
> >512 search/0x1800/s efi/nvram\0
> >>&0 use tar-entry
> #>>&512 indirect x
> After showing information of first archive entry (That starts with file
> TpmEmuTpms/permall) i look also for next member name which seems to be
> always efi/nvram. Now i also call tar-entry for this second entry. If i
> like i could also inspect the content of this entry via indirect calling
> Magdir/virtual.
>
> After applying the above mentioned modifications by 2 patches
> file-5.45-archive-nvram.diff and file-5.45-virtual-nvram.diff then with
> option -e tar i get a more correct output like:
>
> Black_Cobra_003.cbt: Comic Book archive, tar archive
> , file 19.jpg
> , mode 000644
> , size 00003315356, seconds 11540725637
> FreeDOS_1.ova: Open Virtualization Format Archive
> , file FreeDOS_1.ovf
> , mode 0100640, uid 0000007, gid 0000000
> , size 00000023702, seconds 14423046655
> , user vboxovf10, group vbox_v7.0.6r155176
> Mint-21.1_2nd.nvram: VirtualBox NVRAM file
> , file TpmEmuTpms/permall
> , mode 0100700, uid 0000000, gid 0000000
> , size 00000010451, seconds 14431206570
> , user someone, group somegroup
> , file efi/nvram
> , mode 0100700, uid 0000000, gid 0000000
> , size 00002040000, seconds 14431411147
> , user someone, group somegroup
> OS X 10.11.nvram: VirtualBox NVRAM file
> Vista.nvram: VirtualBox NVRAM file
> Win10_22H2de.nvram: VirtualBox NVRAM file
> , file TpmEmuTpms/permall
> , mode 0100700, uid 0000000, gid 0000000
> , size 00000010451, seconds 14344626366
> , user someone, group somegroup
> , file efi/nvram
> , mode 0100666, uid 0000000, gid 0000000
> , size 00002040000, seconds 14344626337
> , user someone, group somegroup
> Win11-no_tar.nvram: VirtualBox NVRAM file
> tar-1.35.tar: POSIX tar archive
> , directory tar-1.35/
> , mode 0000755, uid 0001750, gid 0001750
> , size 00000000000, seconds 14455433533
> , user gray, group gray
>
> With --extension option now the correct file names suffix are shown like:
> Black_Cobra_003.cbt: cbt
> FreeDOS_1.ova: ova
> Mint-21.1_2nd.nvram: nvram
> OS X 10.11.nvram: nvram
> Vista.nvram: nvram
> Win10_22H2de.nvram: nvram
> Win11-no_tar.nvram: nvram
> tar-1.35.tar: tar/ustar
>
> I hope my diff files can be applied in future version of
> file utility. I hope that other users check that my assumptions are
> always true and give hints about information concerning NVRAM file format.
>
> With best wishes
> Jörg Jenderek
> --
> Jörg Jenderek
> <trid-v-nvram.txt.gz><7z-l-nvram.txt.gz><7z-l-slt-nvram.txt.gz><file-5_45-archive-nvram_diff.DEFANGED-3311><file-5_45-archive-nvram_diff_sig.DEFANGED-3312><droid-nvram.csv.gz><file-5_45-virtual-nvram_diff.DEFANGED-3313><file-5_45-virtual-nvram_diff_sig.DEFANGED-3314>--
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
> <sanitizer.log>
More information about the File
mailing list