| blob | c715de61b1b636b0d271dd9d624cf92131bcd273 |
2 #------------------------------------------------------------------------------
3 # $File: linux,v 1.82 2022/09/07 11:23:44 christos Exp $
4 # linux: file(1) magic for Linux files
5 #
6 # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
7 # The following basic Linux magic is useful for reference, but using
8 # "long" magic is a better practice in order to avoid collisions.
9 #
10 # 2 leshort 100 Linux/i386
11 # >0 leshort 0407 impure executable (OMAGIC)
12 # >0 leshort 0410 pure executable (NMAGIC)
13 # >0 leshort 0413 demand-paged executable (ZMAGIC)
14 # >0 leshort 0314 demand-paged executable (QMAGIC)
15 #
16 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC)
17 >16 lelong 0 \b, stripped
18 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC)
19 >16 lelong 0 \b, stripped
20 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC)
21 >16 lelong 0 \b, stripped
22 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC)
23 >16 lelong 0 \b, stripped
24 #
25 0 string \007\001\000 Linux/i386 object file
26 >20 lelong >0x1020 \b, DLL library
27 # Linux-8086 stuff:
28 0 string \01\03\020\04 Linux-8086 impure executable
29 >28 long !0 not stripped
30 0 string \01\03\040\04 Linux-8086 executable
31 >28 long !0 not stripped
32 #
33 0 string \243\206\001\0 Linux-8086 object file
34 #
35 0 string \01\03\020\20 Minix-386 impure executable
36 >28 long !0 not stripped
37 0 string \01\03\040\20 Minix-386 executable
38 >28 long !0 not stripped
39 0 string \01\03\04\20 Minix-386 NSYM/GNU executable
40 >28 long !0 not stripped
41 # core dump file, from Bill Reynolds <bill@goshawk.lanl.gov>
42 216 lelong 0421 Linux/i386 core file
43 !:strength / 2
44 >220 string >\0 of '%s'
45 >200 lelong >0 (signal %d)
46 #
47 # LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com>
48 # this can be overridden by the DOS executable (COM) entry
49 2 string LILO Linux/i386 LILO boot/chain loader
50 #
51 # Linux make config build file, from Ole Aamot <oka@oka.no>
52 # Updated by Ken Sharp
53 28 string make\ config Linux make config build file (old)
54 49 search/70 Kernel\ Configuration Linux make config build file
56 #
57 # PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com>
58 # Updated by Adam Buchbinder <adam.buchbinder@gmail.com>
59 # See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html
60 0 leshort 0x0436 Linux/i386 PC Screen Font v1 data,
61 >2 byte&0x01 0 256 characters,
62 >2 byte&0x01 !0 512 characters,
63 >2 byte&0x02 0 no directory,
64 >2 byte&0x02 !0 Unicode directory,
65 >3 byte >0 8x%d
66 0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data,
67 >16 lelong x %d characters,
68 >12 lelong&0x01 0 no directory,
69 >12 lelong&0x01 !0 Unicode directory,
70 >24 lelong x %d
71 >28 lelong x \bx%d
73 # Linux swap and hibernate files
74 # Linux kernel: include/linux/swap.h
75 # util-linux: libblkid/src/superblocks/swap.c
77 # format v0, unsupported since 2002
78 0xff6 string SWAP-SPACE Linux old swap file, 4k page size
79 0x1ff6 string SWAP-SPACE Linux old swap file, 8k page size
80 0x3ff6 string SWAP-SPACE Linux old swap file, 16k page size
81 0x7ff6 string SWAP-SPACE Linux old swap file, 32k page size
82 0xfff6 string SWAP-SPACE Linux old swap file, 64k page size
84 # format v1, supported since 1998
85 0 name linux-swap
86 >0x400 lelong 1 little endian, version %u,
87 >>0x404 lelong x size %u pages,
88 >>0x408 lelong x %u bad pages,
89 >0x400 belong 1 big endian, version %u,
90 >>0x404 belong x size %u pages,
91 >>0x408 belong x %u bad pages,
92 >0x41c string \0 no label,
93 >0x41c string >\0 LABEL=%s,
94 >0x40c ubelong x UUID=%08x
95 >0x410 ubeshort x \b-%04x
96 >0x412 ubeshort x \b-%04x
97 >0x414 ubeshort x \b-%04x
98 >0x416 ubelong x \b-%08x
99 >0x41a ubeshort x \b%04x
101 0xff6 string SWAPSPACE2 Linux swap file, 4k page size,
102 >0 use linux-swap
103 0x1ff6 string SWAPSPACE2 Linux swap file, 8k page size,
104 >0 use linux-swap
105 0x3ff6 string SWAPSPACE2 Linux swap file, 16k page size,
106 >0 use linux-swap
107 0x7ff6 string SWAPSPACE2 Linux swap file, 32k page size,
108 >0 use linux-swap
109 0xfff6 string SWAPSPACE2 Linux swap file, 64k page size,
110 >0 use linux-swap
112 0 name linux-hibernate
113 >0 string S1SUSPEND \b, with SWSUSP1 image
114 >0 string S2SUSPEND \b, with SWSUSP2 image
115 >0 string ULSUSPEND \b, with uswsusp image
116 >0 string LINHIB0001 \b, with compressed hibernate image
117 >0 string \xed\xc3\x02\xe9\x98\x56\xe5\x0c \b, with tuxonice image
118 >0 default x \b, with unknown hibernate image
120 0xfec string SWAPSPACE2 Linux swap file, 4k page size,
121 >0 use linux-swap
122 >0xff6 use linux-hibernate
123 0x1fec string SWAPSPACE2 Linux swap file, 8k page size,
124 >0 use linux-swap
125 >0x1ff6 use linux-hibernate
126 0x3fec string SWAPSPACE2 Linux swap file, 16k page size,
127 >0 use linux-swap
128 >0x3ff6 use linux-hibernate
129 0x7fec string SWAPSPACE2 Linux swap file, 32k page size,
130 >0 use linux-swap
131 >0x7ff6 use linux-hibernate
132 0xffec string SWAPSPACE2 Linux swap file, 64k page size,
133 >0 use linux-swap
134 >0xfff6 use linux-hibernate
136 #
137 # Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
138 # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
139 # and Nicolas Lichtmaier <nick@debian.org>
140 # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
141 # Linux kernel boot images (i386 arch) (Wolfram Kleff)
142 # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt
143 514 string HdrS Linux kernel
144 !:strength + 55
145 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes
146 # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin
147 # DamnSmallLinux 1.5 damnsmll.lnx
148 !:ext /dat/bin/lnx
149 >510 leshort 0xAA55 x86 boot executable
150 >>518 leshort >0x1ff
151 >>>529 byte 0 zImage,
152 >>>529 byte 1 bzImage,
153 >>>526 lelong >0
154 >>>>(526.s+0x200) string >\0 version %s,
155 >>498 leshort 1 RO-rootFS,
156 >>498 leshort 0 RW-rootFS,
157 >>508 leshort >0 root_dev %#X,
158 >>502 leshort >0 swap_dev %#X,
159 >>504 leshort >0 RAMdisksize %u KB,
160 >>506 leshort 0xFFFF Normal VGA
161 >>506 leshort 0xFFFE Extended VGA
162 >>506 leshort 0xFFFD Prompt for Videomode
163 >>506 leshort >0 Video mode %d
164 # This also matches new kernels, which were caught above by "HdrS".
165 0 belong 0xb8c0078e Linux kernel
166 >0x1e3 string Loading version 1.3.79 or older
167 >0x1e9 string Loading from prehistoric times
169 # System.map files - Nicolas Lichtmaier <nick@debian.org>
170 8 search/1 \ A\ _text Linux kernel symbol map text
172 # LSM entries - Nicolas Lichtmaier <nick@debian.org>
173 0 search/1 Begin3 Linux Software Map entry text
174 0 search/1 Begin4 Linux Software Map entry text (new format)
176 # From Matt Zimmerman, enhanced for v3 by Matthew Palmer
177 0 belong 0x4f4f4f4d User-mode Linux COW file
178 >4 belong <3 \b, version %d
179 >>8 string >\0 \b, backing file %s
180 >4 belong >2 \b, version %d
181 >>32 string >\0 \b, backing file %s
183 ############################################################################
184 # Linux kernel versions
186 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux
187 >497 leshort 0 x86 boot sector
188 >>514 belong 0x8e of a kernel from the dawn of time!
189 >>514 belong 0x908ed8b4 version 0.99-1.1.42
190 >>514 belong 0x908ed8b8 for memtest86
192 >497 leshort !0 x86 kernel
193 >>504 leshort >0 RAMdisksize=%u KB
194 >>502 leshort >0 swap=%#X
195 >>508 leshort >0 root=%#X
196 >>>498 leshort 1 \b-ro
197 >>>498 leshort 0 \b-rw
198 >>506 leshort 0xFFFF vga=normal
199 >>506 leshort 0xFFFE vga=extended
200 >>506 leshort 0xFFFD vga=ask
201 >>506 leshort >0 vga=%d
202 >>514 belong 0x908ed881 version 1.1.43-1.1.45
203 >>514 belong 0x15b281cd
204 >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0
205 >>>0xa99 belong 0x55AA5a5a version 1.3.1,2
206 >>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30
207 >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41
208 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45
209 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72
210 >>514 string HdrS
211 >>>518 leshort >0x1FF
212 >>>>529 byte 0 \b, zImage
213 >>>>529 byte 1 \b, bzImage
214 >>>>(526.s+0x200) string >\0 \b, version %s
216 # Linux boot sector thefts.
217 0 belong 0xb8c0078e Linux
218 >0x1e6 belong 0x454c4b53 ELKS Kernel
219 >0x1e6 belong !0x454c4b53 style boot sector
221 ############################################################################
222 # Linux S390 kernel image
223 # Created by: Jan Kaluza <jkaluza@redhat.com>
224 8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390
225 >0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc
226 # 64bit
227 >>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel
228 >>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel
229 >>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel
230 >>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel
231 # 32bit
232 >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel
233 >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel
234 >>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel
235 >>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel
237 ############################################################################
238 # Linux ARM compressed kernel image
239 # From: Kevin Cernekee <cernekee@gmail.com>
240 # Update: Joerg Jenderek
241 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage
242 # There are three possible situations: LE, BE with LE bootloader and pure BE.
243 # In order to aid telling these apart a new endian flag was added. In order
244 # to support kernels before the flag and BE with LE bootloader was added we'll
245 # do a negative check against the BE variant of the flag when we see a LE magic.
246 >0x30 belong !0x04030201 (little-endian)
247 # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin"
248 !:ext img/bin
249 >0x30 belong 0x04030201 (big-endian)
250 0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
252 ############################################################################
253 # Linux AARCH64 kernel image
254 0x38 lelong 0x644d5241 Linux kernel ARM64 boot executable Image
255 >0x18 lelong ^1 \b, little-endian
256 >0x18 lelong &1 \b, big-endian
257 >0x18 lelong &2 \b, 4K pages
258 >0x18 lelong &4 \b, 16K pages
259 >0x18 lelong &6 \b, 32K pages
261 ############################################################################
262 # Linux 8086 executable
263 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
264 >5 string .
265 >>4 string >\0 \b, libc version %s
267 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable
268 >2 byte&0x01 !0 \b, unmapped zero page
269 >2 byte&0x20 0 \b, impure
270 >2 byte&0x20 !0
271 >>2 byte&0x10 !0 \b, A_EXEC
272 >2 byte&0x02 !0 \b, A_PAL
273 >2 byte&0x04 !0 \b, A_NSYM
274 >2 byte&0x08 !0 \b, A_STAND
275 >2 byte&0x40 !0 \b, A_PURE
276 >2 byte&0x80 !0 \b, A_TOVLY
277 >28 long !0 \b, not stripped
278 >37 string .
279 >>36 string >\0 \b, libc version %s
281 # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable
282 # 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable
283 # 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable
284 # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable
286 # SYSLINUX boot logo files (from 'ppmtolss16' sources)
287 # https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename:
288 # file extension .lss .16
289 0 lelong =0x1413f33d SYSLINUX' LSS16 image data
290 # syslinux-4.05/mime/image/x-lss16.xml
291 !:mime image/x-lss16
292 >4 leshort x \b, width %d
293 >6 leshort x \b, height %d
295 0 string OOOM User-Mode-Linux's Copy-On-Write disk image
296 >4 belong x version %d
298 # SE Linux policy database
299 # From: Mike Frysinger <vapier@gentoo.org>
300 0 lelong 0xf97cff8c SE Linux policy
301 >16 lelong x v%d
302 >20 lelong 1 MLS
303 >24 lelong x %d symbols
304 >28 lelong x %d ocons
306 # Linux Logical Volume Manager (LVM)
307 # Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
308 #
309 # System ID, UUID and volume group name are 128 bytes long
310 # but they should never be full and initialized with zeros...
311 #
312 # LVM1
313 #
314 0x0 string/b HM\001 LVM1 (Linux Logical Volume Manager), version 1
315 >0x12c string/b >\0 , System ID: %s
317 0x0 string/b HM\002 LVM1 (Linux Logical Volume Manager), version 2
318 >0x12c string/b >\0 , System ID: %s
320 # LVM2
321 #
322 # It seems that the label header can be in one the four first sector
323 # of the disk... (from _find_labeller in lib/label/label.c of LVM2)
324 #
325 # 0x200 seems to be the common case
326 0 name lvm2
327 # display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
328 >0x0 string >\x2f \b, UUID: %.6s
329 >0x6 string >\x2f \b-%.4s
330 >0xa string >\x2f \b-%.4s
331 >0xe string >\x2f \b-%.4s
332 >0x12 string >\x2f \b-%.4s
333 >0x16 string >\x2f \b-%.4s
334 >0x1a string >\x2f \b-%.6s
335 >0x20 lequad x \b, size: %lld
338 # read the offset to add to the start of the header, and the header
339 # start in 0x200
340 0x218 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
341 >&(&-12.l-0x20) use lvm2
343 0x018 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
344 >&(&-12.l-0x20) use lvm2
346 0x418 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
347 >&(&-12.l-0x20) use lvm2
349 0x618 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
350 >&(&-12.l-0x20) use lvm2
352 # LVM snapshot
353 # from Jason Farrel
354 0 string SnAp LVM Snapshot (CopyOnWrite store)
355 >4 lelong !0 - valid,
356 >4 lelong 0 - invalid,
357 >8 lelong x version %d,
358 >12 lelong x chunk_size %d
360 # SE Linux policy database
361 0 lelong 0xf97cff8c SE Linux policy
362 >16 lelong x v%d
363 >20 lelong 1 MLS
364 >24 lelong x %d symbols
365 >28 lelong x %d ocons
367 # Summary: Xen saved domain file
368 # Created by: Radek Vokal <rvokal@redhat.com>
369 0 string LinuxGuestRecord Xen saved domain
370 >20 search/256 (name
371 >>&1 string x (name %s)
373 # Type: Xen, the virtual machine monitor
374 # From: Radek Vokal <rvokal@redhat.com>
375 0 string LinuxGuestRecord Xen saved domain
376 #>2 regex \(name\ [^)]*\) %s
377 >20 search/256 (name (name
378 >>&1 string x %s...)
380 # Systemd journald files
381 # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/.
382 # From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
384 # check magic
385 0 string LPKSHHRH
386 # check that state is one of known values
387 >16 ubyte&252 0
388 # check that each half of three unique id128s is non-zero
389 >>24 ubequad >0
390 >>>32 ubequad >0
391 >>>>40 ubequad >0
392 >>>>>48 ubequad >0
393 >>>>>>56 ubequad >0
394 >>>>>>>64 ubequad >0 Journal file
395 !:mime application/octet-stream
396 # provide more info
397 >>>>>>>>184 leqdate 0 empty
398 >>>>>>>>16 ubyte 0 \b, offline
399 >>>>>>>>16 ubyte 1 \b, online
400 >>>>>>>>16 ubyte 2 \b, archived
401 >>>>>>>>8 ulelong&1 1 \b, sealed
402 >>>>>>>>12 ulelong&1 1 \b, compressed
404 # BCache backing and cache devices
405 # From: Gabriel de Perthuis <g2p.code@gmail.com>
406 0x1008 lequad 8
407 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache
408 >>0x1010 ulequad 0 cache device
409 >>0x1010 ulequad 1 backing device
410 >>0x1010 ulequad 3 cache device
411 >>0x1010 ulequad 4 backing device
412 >>0x1048 string >0 \b, label "%.32s"
413 >>0x1028 ubelong x \b, uuid %08x
414 >>0x102c ubeshort x \b-%04x
415 >>0x102e ubeshort x \b-%04x
416 >>0x1030 ubeshort x \b-%04x
417 >>0x1032 ubelong x \b-%08x
418 >>0x1036 ubeshort x \b%04x
419 >>0x1038 ubelong x \b, set uuid %08x
420 >>0x103c ubeshort x \b-%04x
421 >>0x103e ubeshort x \b-%04x
422 >>0x1040 ubeshort x \b-%04x
423 >>0x1042 ubelong x \b-%08x
424 >>0x1046 ubeshort x \b%04x
426 # Linux device tree:
427 # File format description can be found in the Linux kernel sources at
428 # Documentation/devicetree/booting-without-of.txt
429 # From Christoph Biedl
430 0 belong 0xd00dfeed
431 # structure must be within blob, strings are omitted to handle devicetrees > 1M
432 >&(8.L) byte x
433 >>20 belong >1 Device Tree Blob version %d
434 >>>4 belong x \b, size=%d
435 >>>20 belong >1
436 >>>>28 belong x \b, boot CPU=%d
437 >>>20 belong >2
438 >>>>32 belong x \b, string block size=%d
439 >>>20 belong >16
440 >>>>36 belong x \b, DT structure block size=%d
442 # glibc locale archive as defined in glibc locale/locarchive.h
443 0 lelong 0xde020109 locale archive
444 >24 lelong x %d strings
446 # Linux Software RAID (mdadm)
447 # Russell Coker <russell@coker.com.au>
448 0 name linuxraid
449 >16 belong x UUID=%8x:
450 >20 belong x \b%8x:
451 >24 belong x \b%8x:
452 >28 belong x \b%8x
453 >32 string x name=%s
454 >72 lelong x level=%d
455 >92 lelong x disks=%d
457 4096 lelong 0xa92b4efc Linux Software RAID
458 >4100 lelong x version 1.2 (%d)
459 >4096 use linuxraid
461 0 lelong 0xa92b4efc Linux Software RAID
462 >4 lelong x version 1.1 (%d)
463 >0 use linuxraid
465 # Summary: Database file for mlocate
466 # Description: A database file as used by mlocate, a fast implementation
467 # of locate/updatedb. It uses merging to reuse the existing
468 # database and avoid rereading most of the filesystem. It's
469 # the default version of locate on Arch Linux (and others).
470 # File path: /var/lib/mlocate/mlocate.db by default (but configurable)
471 # Site: https://fedorahosted.org/mlocate/
472 # Format docs: https://linux.die.net/man/5/mlocate.db
473 # Type: mlocate database file
474 # URL: https://fedorahosted.org/mlocate/
475 # From: Wander Nauta <info@wandernauta.nl>
476 0 string \0mlocate mlocate database
477 >12 byte x \b, version %d
478 >13 byte 1 \b, require visibility
479 >16 string x \b, root %s
481 # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL:
482 # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
483 # From: Pavel Emelyanov <xemul@parallels.com>
484 0 lelong 0x45311224 iproute2 routes dump
485 0 lelong 0x47361222 iproute2 addresses dump
487 # Image and service files for CRIU tool.
488 # URL: https://criu.org
489 # From: Pavel Emelyanov <xemul@parallels.com>
490 0 lelong 0x54564319 CRIU image file v1.1
491 0 lelong 0x55105940 CRIU service file
492 0 lelong 0x58313116 CRIU inventory
494 # Kdump compressed dump files
495 # https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION
497 0 string KDUMP Kdump compressed dump
498 >8 long x v%d
499 >12 string >\0 \b, system %s
500 >77 string >\0 \b, node %s
501 >142 string >\0 \b, release %s
502 >207 string >\0 \b, version %s
503 >272 string >\0 \b, machine %s
504 >337 string >\0 \b, domain %s
506 # Device Tree files
507 0 search/1024 /dts-v1/ Device Tree File (v1)
508 # beat c code
509 !:strength +14
512 # e2fsck undo file
513 # David Gilman <davidgilman1@gmail.com>
514 0 string E2UNDO02 e2fsck undo file, version 2
515 >44 lelong x \b, undo file is
516 >>44 lelong&1 0 not finished
517 >>44 lelong&1 1 finished
518 >48 lelong x \b, undo file features:
519 >>48 lelong&1 0 lacks filesystem offset
520 >>48 lelong&1 1 has filesystem offset
521 >>>64 lequad x at %#llx
523 # ansible vault (does not really belong here)
524 0 string $ANSIBLE_VAULT; Ansible Vault
525 >&0 regex [0-9]+\\.[0-9]+ \b, version %s
526 >>&0 string ;
527 >>>&0 regex [A-Z0-9]+ \b, encryption %s
529 # From: Joerg Jenderek
530 # URL: https://www.gnu.org/software/grub
531 # Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz
532 # grub-2.06/include/grub/keyboard_layouts.h
533 # grub-2.06/grub-core/commands/keylayouts.c
534 # GRUB_KEYBOARD_LAYOUTS_FILEMAGIC
535 0 string GRUBLAYO GRUB Keyboard
536 !:mime application/x-grub-keyboard
537 !:ext gkb
538 # GRUB_KEYBOARD_LAYOUTS_VERSION like: 10
539 >8 ulelong !10 \b, version %u
540 # 4 grub_uint32_t grub_keyboard_layout[160]
541 # for normal french keyboard this is letter a
542 >92 ubyte !0x71
543 >>92 ubyte >0x40 \b, english q is %c
544 #>732 ubyte x \b, english Q is %c
545 # for normal german keyboard this is letter z
546 >124 ubyte !0x79
547 >>124 ubyte >0x40 \b, english y is %c
548 #>764 ubyte x \b, english Y is %c