├── .editorconfig ├── .gitattributes ├── .github ├── checksums └── workflows │ └── main.yml ├── .gitmodules ├── 3d └── gltf_binary.ksy ├── CONTRIBUTING.md ├── README.md ├── _build ├── .gitignore ├── Gemfile ├── build ├── build-diagrams ├── build-html ├── build-target ├── check-errors ├── footer.html.erb ├── format_base.html.erb ├── format_header.html.erb ├── format_index.html.erb ├── format_lang.html.erb ├── format_xref.html.erb ├── header.html.erb ├── test-target ├── test │ ├── Main.cs │ └── main.cpp ├── usage_cpp_stl.html.erb ├── usage_csharp.html.erb ├── usage_java.html.erb ├── usage_javascript.html.erb ├── usage_python.html.erb └── usage_ruby.html.erb ├── archive ├── android_bootldr_asus.ksy ├── android_bootldr_huawei.ksy ├── android_bootldr_qcom.ksy ├── android_dto.ksy ├── android_img.ksy ├── android_sparse.ksy ├── cpio_old_le.ksy ├── gzip.ksy ├── lzh.ksy ├── mozilla_mar.ksy ├── phar_without_stub.ksy ├── rar.ksy ├── respack.ksy ├── rpm.ksy ├── xar.ksy ├── zip.ksy └── zisofs.ksy ├── cad └── monomakh_sapr_chg.ksy ├── common ├── bcd.ksy ├── bytes_with_io.ksy ├── dos_datetime.ksy ├── riff.ksy ├── utf8_string.ksy ├── vlq_base128_be.ksy └── vlq_base128_le.ksy ├── database ├── dbf.ksy ├── gettext_mo.ksy ├── sqlite3.ksy └── tsm.ksy ├── executable ├── android_nanoapp_header.ksy ├── dex.ksy ├── dos_mz.ksy ├── elf.ksy ├── java_class.ksy ├── mach_o.ksy ├── mach_o_fat.ksy ├── microsoft_pe.ksy ├── python_pyc_27.ksy ├── swf.ksy └── uefi_te.ksy ├── filesystem ├── amlogic_emmc_partitions.ksy ├── android_super.ksy ├── apm_partition_table.ksy ├── apple_single_double.ksy ├── btrfs_stream.ksy ├── cramfs.ksy ├── ext2.ksy ├── gpt_partition_table.ksy ├── iso9660.ksy ├── luks.ksy ├── lvm2.ksy ├── mbr_partition_table.ksy ├── tr_dos_image.ksy ├── vdi.ksy ├── vfat.ksy ├── vmware_vmdk.ksy └── zx_spectrum_tap.ksy ├── firmware ├── andes_firmware.ksy ├── broadcom_trx.ksy ├── ines.ksy └── uimage.ksy ├── font ├── grub2_font.ksy ├── pcf_font.ksy └── ttf.ksy ├── game ├── allegro_dat.ksy ├── 
doom_wad.ksy ├── dune_2_pak.ksy ├── fallout2_dat.ksy ├── fallout_dat.ksy ├── ftl_dat.ksy ├── gran_turismo_vol.ksy ├── heaps_pak.ksy ├── heroes_of_might_and_magic_agg.ksy ├── heroes_of_might_and_magic_bmp.ksy ├── minecraft_nbt.ksy ├── quake2_md2.ksy ├── quake_mdl.ksy ├── quake_pak.ksy ├── renderware_binary_stream.ksy ├── saints_row_2_vpp_pc.ksy └── warcraft_2_pud.ksy ├── geospatial ├── shapefile_index.ksy └── shapefile_main.ksy ├── hardware ├── dtb.ksy ├── edid.ksy └── mifare │ └── mifare_classic.ksy ├── image ├── bmp.ksy ├── dicom.ksy ├── exif.ksy ├── gif.ksy ├── gimp_brush.ksy ├── icc_4.ksy ├── ico.ksy ├── jpeg.ksy ├── nitf.ksy ├── pcx.ksy ├── pcx_dcx.ksy ├── pif.ksy ├── png.ksy ├── psx_tim.ksy ├── tga.ksy ├── wmf.ksy └── xwd.ksy ├── log ├── aix_utmp.ksy ├── glibc_utmp.ksy ├── hashcat_restore.ksy ├── mcap.ksy ├── sudoers_ts.ksy ├── systemd_journal.ksy └── windows_evt_log.ksy ├── machine_code └── code_6502.ksy ├── macos ├── compressed_resource.ksy ├── ds_store.ksy ├── mac_os_resource_snd.ksy ├── resource_compression │ ├── dcmp_0.ksy │ ├── dcmp_1.ksy │ ├── dcmp_2.ksy │ └── dcmp_variable_length_integer.ksy └── resource_fork.ksy ├── media ├── android_opengl_shaders_cache.ksy ├── au.ksy ├── avi.ksy ├── blender_blend.ksy ├── creative_voice_file.ksy ├── genmidi_op2.ksy ├── id3v1_1.ksy ├── id3v2_3.ksy ├── id3v2_4.ksy ├── magicavoxel_vox.ksy ├── ogg.ksy ├── quicktime_mov.ksy ├── standard_midi_file.ksy ├── stl.ksy ├── tracker_modules │ ├── fasttracker_xm_module.ksy │ └── s3m.ksy ├── vp8_duck_ivf.ksy └── wav.ksy ├── network ├── bitcoin_transaction.ksy ├── dime_message.ksy ├── dns_packet.ksy ├── ethernet_frame.ksy ├── hccap.ksy ├── hccapx.ksy ├── icmp_packet.ksy ├── ipv4_packet.ksy ├── ipv6_packet.ksy ├── microsoft_network_monitor_v2.ksy ├── packet_ppi.ksy ├── pcap.ksy ├── protocol_body.ksy ├── rtcp_payload.ksy ├── rtp_packet.ksy ├── rtpdump.ksy ├── some_ip │ ├── some_ip.ksy │ ├── some_ip_container.ksy │ ├── some_ip_sd.ksy │ ├── some_ip_sd_entries.ksy │ └── 
some_ip_sd_options.ksy ├── tcp_segment.ksy ├── tls_client_hello.ksy ├── udp_datagram.ksy └── websocket.ksy ├── scientific ├── nt_mdt │ ├── nt_mdt.ksy │ └── nt_mdt_pal.ksy └── spectroscopy │ ├── avantes_roh60.ksy │ └── specpr.ksy ├── security ├── efivar_signature_list.ksy ├── openpgp_message.ksy └── ssh_public_key.ksy ├── serialization ├── asn1 │ └── asn1_der.ksy ├── bson.ksy ├── chrome_pak.ksy ├── google_protobuf.ksy ├── microsoft_cfb.ksy ├── msgpack.ksy ├── php_serialized_value.ksy ├── python_pickle.ksy └── ruby_marshal.ksy └── windows ├── regf.ksy ├── windows_lnk_file.ksy ├── windows_minidump.ksy ├── windows_resource_file.ksy ├── windows_shell_items.ksy └── windows_systemtime.ksy /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*.ksy] 4 | charset = utf-8 5 | end_of_line = lf 6 | indent_style = space 7 | indent_size = 2 8 | insert_final_newline = true 9 | trim_trailing_whitespace = true 10 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.ksy text eol=lf 2 | -------------------------------------------------------------------------------- /.github/checksums: -------------------------------------------------------------------------------- 1 | 2d8d9a4f72fa348bfff6f85a1b01802485bf20003f03e254ae37ffa362fdd398 *kaitai-struct-compiler_0.10_all.deb 2 | 
--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
# CI for the format gallery: compiles every .ksy with ksc, renders diagrams and
# HTML, and publishes the result. The only trigger is a push to master; no
# pull_request trigger is defined in this file.
#
# NOTE(review): no `permissions:` key is set, so GITHUB_TOKEN receives the
# repository's default scope. `permissions: contents: read` is the usual
# least-privilege setting; confirm the push_artifacts scripts do not rely on
# the token before adding it.
# NOTE(review): every `uses:` below references a mutable tag (v4, v1, v5).
# Pinning each action to a full commit SHA guards against a moved tag.
name: formats.kaitai.io

on:
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Also fetches the .github/push_artifacts submodule (see .gitmodules).
      # The Deploy step executes scripts from that submodule with BOT_SSH_KEY
      # in its environment, so the submodule commit recorded in this repository
      # is part of the workflow's trust base.
      - uses: actions/checkout@v4
        with:
          submodules: true
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.4'
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      # The compiler package is downloaded over HTTPS and checked against the
      # SHA-256 recorded in .github/checksums before it is installed. The check
      # only protects the install because the runner's default shell is
      # fail-fast (bash -e): a mismatch ends the script before `apt-get install`.
      # NOTE(review): `--warn` only reports malformed checksum lines;
      # `--strict` would turn a malformed line into a failure.
      - name: Install deps
        run: |
          sudo apt-get update
          curl -fsSL -O https://github.com/kaitai-io/kaitai_struct_compiler/releases/download/0.10/kaitai-struct-compiler_0.10_all.deb
          sha256sum --check --warn .github/checksums
          sudo apt-get install ./kaitai-struct-compiler_0.10_all.deb
          sudo apt-get install --no-install-recommends -y \
            git ssh \
            locales \
            default-jre-headless \
            make gcc libc6-dev \
            graphviz \
            rsync
          ksc --version
      # Overwrites /etc/locale.gen and /etc/default/locale with en_US.UTF-8 and
      # regenerates locales; `locale` prints the result into the job log.
      - name: Fix locales
        run: |
          echo 'en_US.UTF-8 UTF-8' | sudo tee /etc/locale.gen
          echo 'LANG="en_US.UTF-8"' | sudo tee /etc/default/locale
          sudo dpkg-reconfigure --frontend=noninteractive locales
          locale
      # NOTE(review): _build/Gemfile names its gems without versions and the
      # directory listing shows no Gemfile.lock, so each run resolves whatever
      # versions rubygems.org currently serves. Committing a lockfile would make
      # the build reproducible.
      - name: Install Ruby deps
        run: |
          echo 'gem: --no-document' | sudo tee /etc/gemrc
          cd _build
          bundle install
      - name: Build targets
        working-directory: _build
        run: ./build-target .. target
      # Publishes the ksc JSON log as a workflow artifact.
      - name: Upload build targets log
        uses: actions/upload-artifact@v4
        with:
          name: log.json
          path: _build/target/log.json
      - name: Build diagrams
        working-directory: _build
        run: ./build-diagrams target html
      - name: Build HTML
        working-directory: _build
        run: ./build-html .. target html
      # BOT_SSH_KEY is exposed to this step only, not to the build steps above.
      # The commit message is assembled from shell variables (GITHUB_REF,
      # GITHUB_REPOSITORY, GITHUB_SHA) rather than `${{ }}` expressions expanded
      # into the script, which keeps ref names out of the script text.
      # The `if:` repeats the trigger's branch filter as a second guard.
      - name: Deploy
        env:
          BOT_SSH_KEY: ${{secrets.BOT_SSH_KEY}}
        run: |
          .github/push_artifacts/git_config_kaitai_bot
          .github/push_artifacts/publish \
            -o kaitai-io \
            -r formats-kaitai-io.github.io \
            -m "Build results of ${GITHUB_REF#refs/heads/*} $GITHUB_REPOSITORY@$GITHUB_SHA" -- \
            --exclude=.git \
            --exclude=.travis.yml \
            --exclude=CNAME \
            --exclude=favicon.ico \
            --exclude=favicon.ico.license \
            _build/html/
          # NB: trailing slash in '_build/html/' is *very* important for rsync!
        if: github.ref == 'refs/heads/master'
-------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule ".github/push_artifacts"] 2 | path = .github/push_artifacts 3 | url = https://github.com/kaitai-io/push_artifacts.git 4 | -------------------------------------------------------------------------------- /3d/gltf_binary.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: gltf_binary 3 | title: GL Transmission Format, binary container 4 | file-extension: glb 5 | xref: 6 | justsolve: GlTF 7 | mime: model/gltf-binary 8 | wikidata: Q28135989 9 | license: MIT 10 | endian: le 11 | 12 | doc: | 13 | glTF is a format for distribution of 3D models optimized for being used in software 14 | 15 | doc-ref: https://github.com/KhronosGroup/glTF/tree/2354846/specification/2.0#binary-gltf-layout 16 | 17 | seq: 18 | - id: header 19 | type: header 20 | - id: chunks 21 | type: chunk 22 | repeat: eos 23 | 24 | types: 25 | 26 | header: 27 | seq: 28 | - id: magic 29 | contents: glTF 30 | - id: version 31 | type: u4 32 | doc: | 33 | Indicates the version of the Binary glTF container format. 34 | For this specification, should be set to 2. 35 | - id: length 36 | type: u4 37 | doc: Total length of the Binary glTF, including Header and all Chunks, in bytes. 38 | 39 | chunk: 40 | seq: 41 | - id: len_data 42 | type: u4 43 | - id: type 44 | type: u4 45 | enum: chunk_type 46 | - id: data 47 | size: len_data 48 | type: 49 | switch-on: type 50 | cases: 51 | 'chunk_type::json': json 52 | 'chunk_type::bin': bin 53 | 54 | json: 55 | seq: 56 | - id: data 57 | size-eos: true 58 | type: str 59 | encoding: UTF-8 60 | doc: | 61 | This is where GLB deviates from being an elegant format. 62 | To parse the rest of the file, you have to parse the JSON first. 
63 | 64 | bin: 65 | seq: 66 | - id: data 67 | size-eos: true 68 | 69 | enums: 70 | chunk_type: 71 | 0x4E4F534A: json # "JSON" 72 | 0x004E4942: bin # "BIN\0" 73 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Kaitai Struct: format library 2 | 3 | ## Contributing 4 | 5 | If you've developed a format specification using Kaitai Struct and 6 | would like to make the world a little better by sharing your 7 | knowledge, so other fellow developers don't have to redo the same 8 | parsing task again and again from scratch — that's great, your 9 | contribution would be most welcome! 10 | 11 | Please follow these steps: 12 | 13 | * Choose open source license for your .ksy 14 | * We recommend either 15 | [CC0-1.0](https://spdx.org/licenses/CC0-1.0.html) if it's a 16 | trivial transcription of some specification into formal .ksy, or 17 | [MIT](https://spdx.org/licenses/MIT.html) license if your .ksy is 18 | non-trivial and creative approach to a format, but you can choose 19 | any OSI-approved open source license that you want. 20 | * Ensure that your .ksy file passes basic checklist: 21 | * It MUST compile without errors with ksc 22 | * It MUST have licensing information (`meta/license` tag with 23 | [valid SPDX open source license expression](https://spdx.org/licenses/) 24 | is mandatory, licensing comment is optional) 25 | * It SHOULD have some general information about the format and some 26 | documentation (`meta/title`, `meta/file-extension`, 27 | `meta/application`, `doc`, `doc-ref` tags). 28 | * It SHOULD match [the style guide](http://doc.kaitai.io/ksy_style_guide.html). 
29 | * Fork this repository 30 | * Choose a relevant folder and add your .ksy spec into it 31 | * Create a "pull request" at GitHub to pull your specs into this repo 32 | * Please add some general information about the formats and some 33 | instructions on how we could test it (i.e. where we can find 34 | sample files in that format, etc) 35 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Kaitai Struct: format library 2 | 3 | This repository constitutes a library of ready-made binary file format 4 | descriptions using [Kaitai Struct](http://kaitai.io/) language (`.ksy`). 5 | 6 | These formats can be useful for: 7 | 8 | * exploring a certain file format's internals: one can load `.ksy` 9 | format + target binary in a [Web IDE](https://ide.kaitai.io) or 10 | [visualizer](https://github.com/kaitai-io/kaitai_struct_visualizer) 11 | and learn what's inside; 12 | 13 | * as a production-ready binary file parsing library: they can be 14 | compiled with a 15 | [Kaitai Struct compiler](https://github.com/kaitai-io/kaitai_struct_compiler) 16 | into source code in any supported target programming language; 17 | 18 | * as a starting point for learning applications of Kaitai Struct in 19 | the real world; 20 | 21 | ## Exploring this repository 22 | 23 | If you want to explore the repository, please visit 24 | [Kaitai Struct format gallery](http://formats.kaitai.io/) — that's an 25 | HTML rendition of this repository, with block diagrams, all the code 26 | compiled for all possible target languages, provided with usage 27 | examples and instructions, etc, etc. 28 | 29 | Alternatively, you can start with [Web IDE](https://ide.kaitai.io) — 30 | this library of formats also comes pre-loaded with it. 31 | 32 | ## Contributing 33 | 34 | See [CONTRIBUTING](CONTRIBUTING.md). 35 | 36 | ## Licensing 37 | 38 | This repository contains work of many individuals. 
Each .ksy is 39 | licensed separately: please see `meta/license` tag and comments in 40 | every .ksy file for permissions. Kaitai team claims no copyright over 41 | other people's contributions. 42 | -------------------------------------------------------------------------------- /_build/.gitignore: -------------------------------------------------------------------------------- 1 | tmp/ 2 | target/ 3 | html/ 4 | a.out 5 | -------------------------------------------------------------------------------- /_build/Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gem 'commonmarker' 4 | gem 'pygments.rb' 5 | 
--------------------------------------------------------------------------------
/_build/build:
--------------------------------------------------------------------------------
#!/bin/sh -ef
# Local full build: compile every .ksy, stop if the compiler log holds errors,
# then render diagrams and HTML.
# -e aborts at the first failing step; -f turns off pathname expansion.

KSY_DIR=..

./build-target "$KSY_DIR" target
# check-errors exits 1 when the log contains errors, which ends the build here.
./check-errors target/log.json
./build-diagrams target html
./build-html "$KSY_DIR" target html
--------------------------------------------------------------------------------
/_build/build-diagrams:
--------------------------------------------------------------------------------
#!/bin/sh -e
# Render each GraphViz file under <target>/graphviz into <html>/<id>/<id>.svg.
# $1 = directory holding ksc output, $2 = directory receiving the HTML site.

# NOTE(review): the usage message prints no argument names on this page;
# possibly lost in extraction, confirm against the repository.
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 "
    exit 1
fi

TARGET_DIR=$(realpath "$1")
HTML_DIR=$(realpath "$2")

# NOTE(review): if no .dot file exists, the unexpanded pattern itself is
# iterated once.
for DOT in "$TARGET_DIR/graphviz/"*.dot; do
    # basename drops every directory component, so FILE_ID cannot carry a path
    # separator and the output stays below HTML_DIR.
    # NOTE(review): the sed expression removes the first ".dot" anywhere in the
    # name, not only the extension; `basename "$DOT" .dot` strips the suffix only.
    FILE_ID=$(basename "$DOT" | sed 's/\.dot//')
    echo "$FILE_ID"
    FILE_DIR="$HTML_DIR/$FILE_ID"
    mkdir -p "$FILE_DIR"
    SVG_FILE="$FILE_DIR/$FILE_ID.svg"
    # A failed render removes the partial SVG instead of leaving it in the
    # site; the `||` branch also keeps -e from ending the loop.
    dot -Tsvg "$DOT" >"$SVG_FILE" || rm -f "$SVG_FILE"
done
--------------------------------------------------------------------------------
/_build/build-target:
--------------------------------------------------------------------------------
#!/bin/sh
# Compile every .ksy below $1 for all targets into $2 and store the compiler's
# JSON report as $2/log.json.
# No -e here: the script's exit status is that of the find | xargs pipeline.

# NOTE(review): the usage message prints no argument names on this page;
# possibly lost in extraction, confirm against the repository.
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 "
    exit 1
fi

KSY_DIR=$(realpath "$1")
TARGET_DIR=$(realpath "$2")

mkdir -p "$TARGET_DIR"

# NOTE(review): xargs splits its input on whitespace and interprets quotes and
# backslashes, so a contributed .ksy path containing such characters reaches
# ksc as altered arguments. `find ... -exec ksc ... {} +` (or -print0 with
# xargs -0) passes each path intact.
# NOTE(review): if xargs ever splits the list into several ksc runs, log.json
# would hold several concatenated JSON documents; check-errors reads it as one.
find "$KSY_DIR" -name "*.ksy" | xargs ksc -- -I "$KSY_DIR" -t all --ksc-json-output --outdir "$TARGET_DIR" >"$TARGET_DIR"/log.json
--------------------------------------------------------------------------------
/_build/check-errors:
--------------------------------------------------------------------------------
#!/usr/bin/env ruby
# Print every compiler error recorded in a ksc JSON log to stderr, one per line
# as file[:line[:col]][: /path]: message.
# Exit status: 0 = no errors, 1 = at least one error, 2 = wrong usage.

require 'json'
require 'pp'

# NOTE(review): the usage message prints no argument name on this page;
# possibly lost in extraction, confirm against the repository.
if ARGV.size != 1
  puts "Usage: #{$PROGRAM_NAME} "
  exit 2
end

# NOTE(review): JSON.load is the permissive loader of Ruby's json library;
# JSON.parse reads a plain log like this one and is the safer default should
# the log ever come from a less trusted producer.
log = JSON.load(File.read(ARGV[0]))

is_bad = false

# The log maps each input file name to its build result.
log.each_pair { |fn, build|
  # Global errors
  errs = build['errors']

  errs.each { |err|
    file = err['file']
    # '(main)' stands for the file the entry is keyed by.
    file = fn if file == '(main)'

    path = nil
    path = '/' + err['path'].join('/') if err['path'] and not err['path'].empty?

    msg = "#{file}"
    if err['line']
      msg << ":" << err['line'].to_s
      msg << ":" << err['col'].to_s if err['col']
    end
    msg << ": " << path if path
    msg << ": " << err['message']

    $stderr.puts msg
    is_bad = true
  } if errs # entries without an 'errors' key are skipped
}

exit is_bad ? 1 : 0
-------------------------------------------------------------------------------- /_build/footer.html.erb: -------------------------------------------------------------------------------- 1 | 2 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /_build/format_base.html.erb: -------------------------------------------------------------------------------- 1 |
2 |
3 |

Block diagram

4 | 5 | 6 | 7 |
8 |
9 | 10 |
11 |
12 |

Format specification in Kaitai Struct YAML

13 | 14 | <%= code cur_lang, yaml_str %> 15 |
16 |
17 | -------------------------------------------------------------------------------- /_build/format_index.html.erb: -------------------------------------------------------------------------------- 1 | 8 | 9 |
10 |
11 |

Format Gallery

12 | 13 |

All formats in this gallery have formal specifications in Kaitai Struct language. They can be used:

14 | 15 |
    16 |
  • as is — as a concise text reference,
  • 17 |
  • as visual block diagram (thanks to GraphViz),
  • 18 |
  • to explore hex dump in detail (with a visualizer),
  • 19 |
  • as a ready-made library in any of supported target programming languages (after compiling it with Kaitai Struct compiler).
  • 20 |
21 | 22 |

For a summary of all entries with associated metadata, see File Format Cross-References.

23 |
24 |
25 | 26 |
27 |
28 | <% @by_cat.keys.sort.each_slice(2) { |cat_names| %> 29 |
30 | <% cat_names.each { |cat_name| %> 31 | <% cat = @by_cat[cat_name] %> 32 | <% cat_desc = CATS[cat_name] || {} %> 33 |
34 |
35 |
36 |
37 |

<%= cat_desc[:title] || cat_name %>

38 | <% cat.sort { |a, b| a[:id] <=> b[:id] }.each_with_index { |fmt, i| %> 39 | <% if i > 0 %>, <% end %> 40 | <%= fmt[:id] %> 41 | <% } %> 42 |
43 |
44 |
45 | <% } %> 46 |
47 | <% } %> 48 |
49 |
50 | 51 | 68 | -------------------------------------------------------------------------------- /_build/format_lang.html.erb: -------------------------------------------------------------------------------- 1 | <% if @erb_usage[cur_lang] %> 2 |
3 |
4 |

Usage

5 | 6 |

Runtime library

7 | 8 |

All parsing code for <%= LANGS[cur_lang][:name] %> generated by Kaitai Struct depends on the 9 | 12 | <%= (LANGS[cur_lang][:canonical] || LANGS[cur_lang])[:name] %> runtime library. You have to 13 | install it before you can parse data.

14 | 15 | <%= @erb_usage[cur_lang].result(binding) %> 16 |
17 |
18 | <% end %> 19 | 20 |
21 |
22 |

23 | <% if cur_lang == 'graphviz' %> 24 | GraphViz block diagram source 25 | <% else %> 26 | <%= LANGS[cur_lang][:name] %> source code to parse <%= format_name %> 27 | <% end %> 28 |

29 | 30 | <% src_files.each { |src| %> 31 | 32 |

<%= src[:filename] %>

33 | 34 |
35 |
36 |

37 | Download 38 |

39 |
40 |
41 | 42 |
43 | <%= code cur_lang, src[:src] %> 44 | 45 |
46 | <% } %> 47 |
48 |
49 | -------------------------------------------------------------------------------- /_build/format_xref.html.erb: -------------------------------------------------------------------------------- 1 | 9 | 10 |
11 |
12 |

Cross-References

13 |

14 | This table provides a summary of all entries in Kaitai 15 | Struct format gallery and their relevant cross-references. 16 |

17 |

18 | As of now, format gallery includes <%= @all.count %> formats. 19 |

20 |
21 |
22 | 23 |
24 |
25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 62 | 63 | 64 | 65 | 66 | <% @all.keys.sort.each { |id| 67 | ksy = @all[id] 68 | meta = ksy['meta'] || {} 69 | xref = meta['xref'] || {} %> 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 94 | <% } %> 95 |
Kaitai Struct IDFile extension.ksy LicenseStandardsRegistriesWikis
ISO/IECRFCMedia type (MIME)LOC FDDPRONOMForensicsWikiJust SolveWikidata
OrganizationISO, IECIETF, IRTF, IAB, ISOCIANALOCThe National Archives, UK
<%= id %><%= meta['file-extension'] %><%= meta['license'] %><%= xref['iso'] %><%= xref_a('rfc', xref['rfc']) %><%= xref_a('mime', xref['mime']) %><%= xref_a('loc', xref['loc']) %><%= xref_a('pronom', xref['pronom']) %><%= xref_a('forensicswiki', xref['forensicswiki']) %><%= xref_a('justsolve', xref['justsolve']) %><%= xref_a('wikidata', xref['wikidata']) %> 93 |
96 |
97 |
98 | -------------------------------------------------------------------------------- /_build/header.html.erb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | <%= page_title %> 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 49 | 50 | 51 | 52 | 78 | -------------------------------------------------------------------------------- /_build/test/Main.cs: -------------------------------------------------------------------------------- 1 | class Program 2 | { 3 | public static void Main(string[] args){ 4 | 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /_build/test/main.cpp: -------------------------------------------------------------------------------- 1 | int main(){ 2 | return 0; 3 | } 4 | -------------------------------------------------------------------------------- /_build/usage_cpp_stl.html.erb: -------------------------------------------------------------------------------- 1 | <% class_name = "#{file_id}_t" %> 2 | 3 |

For C++, the easiest way is to clone the runtime library sources 6 | and build them along with your project.

7 | 8 |

Code

9 | 10 |

Using Kaitai Struct in C++/STL usually consists of 3 steps.

11 | 12 |
    13 |
  1. We need to create an STL input stream (std::istream). One can open local file for that, or use existing std::string or char* buffer. 14 | 19 |
    20 |
    21 | <%= code cur_lang, <<-CODE 22 | #include 23 | 24 | std::ifstream is("path/to/local/file.#{sample_ext}", std::ifstream::binary); 25 | CODE 26 | %> 27 |
    28 |
    29 | <%= code cur_lang, <<-CODE 30 | #include 31 | 32 | std::istringstream is(str); 33 | CODE 34 | %> 35 |
    36 |
    37 | <%= code cur_lang, <<-CODE 38 | #include 39 | 40 | const char buf[] = { ... }; 41 | std::string str(buf, sizeof buf); 42 | std::istringstream is(str); 43 | CODE 44 | %> 45 |
    46 |
    47 | 48 |
  2. 49 | 50 |
  3. We need to wrap our input stream into Kaitai stream: 51 | 52 | <%= code cur_lang, <<-CODE 53 | #include "kaitai/kaitaistream.h" 54 | 55 | kaitai::kstream ks(&is); 56 | CODE 57 | %> 58 |
  4. 59 | 60 |
  5. And finally, we can invoke the parsing: 61 | <%= code cur_lang, <<-CODE 62 | #{class_name} data(&ks); 63 | CODE 64 | %> 65 |
  6. 66 |
67 | 68 |

After that, one can get various attributes from the structure by invoking getter methods like:

69 | 70 | <% src_usage_attrs = "" 71 | usage_attrs.each { |attr| 72 | src_usage_attrs += <<-CODE 73 | data.#{ attr[:name] }() // => #{ attr[:doc] } 74 | CODE 75 | } 76 | %> 77 | <%= code cur_lang, src_usage_attrs %> 78 | -------------------------------------------------------------------------------- /_build/usage_csharp.html.erb: -------------------------------------------------------------------------------- 1 |

The C# runtime library is available in the NuGet Gallery. Installation instructions 4 | can also be found there.

5 | 6 |

Code

7 | 8 |

Parse a local file and get structure in memory:

9 | 10 | <% class_name = ucc(file_id) %> 11 | 12 | <%= code cur_lang, <<-CODE 13 | var data = #{ class_name }.FromFile("path/to/local/file.#{sample_ext}"); 14 | CODE 15 | %> 16 | 17 |

Or parse structure from a byte array:

18 | 19 | <%= code cur_lang, <<-CODE 20 | byte[] someArray = new byte[] { ... }; 21 | var data = new #{ class_name }(new KaitaiStream(someArray)); 22 | CODE 23 | %> 24 | 25 |

After that, one can get various attributes from the structure by accessing properties like:

26 | 27 | <% src_usage_attrs = "" 28 | usage_attrs.each { |attr| 29 | src_usage_attrs += <<-CODE 30 | data.#{ ucc(attr[:name]) } // => #{ attr[:doc] } 31 | CODE 32 | } 33 | %> 34 | <%= code cur_lang, src_usage_attrs %> 35 | -------------------------------------------------------------------------------- /_build/usage_java.html.erb: -------------------------------------------------------------------------------- 1 |

The Java runtime library is published 2 | in the Maven Central Repository. Refer to the 4 | artifact page 6 | for instructions how to add it into your project with the build tool that you use.

7 | 8 |

Code

9 | 10 |

Parse a local file and get structure in memory:

11 | 12 | <% class_name = ucc(file_id) %> 13 | 14 | <%= code cur_lang, <<-CODE 15 | #{ class_name } data = #{ class_name }.fromFile("path/to/local/file.#{sample_ext}"); 16 | CODE 17 | %> 18 | 19 |

Or parse structure from a byte array:

20 | 21 | <%= code cur_lang, <<-CODE 22 | byte[] someArray = new byte[] { ... }; 23 | #{ class_name } data = new #{ class_name }(new ByteBufferKaitaiStream(someArray)); 24 | CODE 25 | %> 26 | 27 |

After that, one can get various attributes from the structure by invoking getter methods like:

28 | 29 | <% src_usage_attrs = "" 30 | usage_attrs.each { |attr| 31 | src_usage_attrs += <<-CODE 32 | data.#{ lcc(attr[:name]) }() // => #{ attr[:doc] } 33 | CODE 34 | } 35 | %> 36 | <%= code cur_lang, src_usage_attrs %> 37 | -------------------------------------------------------------------------------- /_build/usage_javascript.html.erb: -------------------------------------------------------------------------------- 1 |

The JavaScript runtime library is available 2 | at npm:

3 | 4 |
npm install kaitai-struct
5 | 6 |

Code

7 | 8 |

See the usage examples in the JavaScript notes.

9 | 10 |

Parse structure from an ArrayBuffer:

11 | 12 | <% class_name = ucc(file_id) %> 13 | 14 | <%= code cur_lang, <<-CODE 15 | var arrayBuffer = ...; 16 | var data = new #{ class_name }(new KaitaiStream(arrayBuffer)); 17 | CODE 18 | %> 19 | 20 |

After that, one can get various attributes from the structure by accessing fields or properties like:

21 | 22 | <% src_usage_attrs = "" 23 | usage_attrs.each { |attr| 24 | src_usage_attrs += <<-CODE 25 | data.#{ lcc(attr[:name]) } // => #{ attr[:doc] } 26 | CODE 27 | } 28 | %> 29 | <%= code cur_lang, src_usage_attrs %> 30 | -------------------------------------------------------------------------------- /_build/usage_python.html.erb: -------------------------------------------------------------------------------- 1 |

The Python runtime library can be installed 2 | from PyPI:

3 | 4 |
python3 -m pip install kaitaistruct
5 | 6 |

Code

7 | 8 |

Parse a local file and get structure in memory:

9 | 10 | <% class_name = ucc(file_id) %> 11 | 12 | <%= code cur_lang, <<-CODE 13 | data = #{ class_name }.from_file("path/to/local/file.#{sample_ext}") 14 | CODE 15 | %> 16 | 17 |

Or parse structure from a bytes:

18 | 19 | <%= code cur_lang, <<-CODE 20 | from kaitaistruct import KaitaiStream, BytesIO 21 | 22 | raw = b"\\x00\\x01\\x02..." 23 | data = #{ class_name }(KaitaiStream(BytesIO(raw))) 24 | CODE 25 | %> 26 | 27 |

After that, one can get various attributes from the structure by invoking getter methods like:

28 | 29 | <% src_usage_attrs = "" 30 | usage_attrs.each { |attr| 31 | src_usage_attrs += <<-CODE 32 | data.#{ attr[:name] } # => #{ attr[:doc] } 33 | CODE 34 | } 35 | %> 36 | <%= code cur_lang, src_usage_attrs %> 37 | -------------------------------------------------------------------------------- /_build/usage_ruby.html.erb: -------------------------------------------------------------------------------- 1 |

The Ruby runtime library can be installed from RubyGems:

3 | 4 |
gem install kaitai-struct
5 | 6 |

Code

7 | 8 |

Parse a local file and get structure in memory:

9 | 10 | <% class_name = ucc(file_id) %> 11 | 12 | <%= code cur_lang, <<-CODE 13 | data = #{ class_name }.from_file("path/to/local/file.#{sample_ext}") 14 | CODE 15 | %> 16 | 17 |

Or parse structure from a string of bytes:

18 | 19 | <%= code cur_lang, <<-CODE 20 | bytes = "\\x00\\x01\\x02..." 21 | data = #{ class_name }.new(Kaitai::Struct::Stream.new(bytes)) 22 | CODE 23 | %> 24 | 25 |

After that, one can get various attributes from the structure by invoking getter methods like:

26 | 27 | <% src_usage_attrs = "" 28 | usage_attrs.each { |attr| 29 | src_usage_attrs += <<-CODE 30 | data.#{ attr[:name] } # => #{ attr[:doc] } 31 | CODE 32 | } 33 | %> 34 | <%= code cur_lang, src_usage_attrs %> 35 | -------------------------------------------------------------------------------- /archive/android_bootldr_asus.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: android_bootldr_asus 3 | title: ASUS Fugu bootloader.img format (version 2 and later) 4 | file-extension: img 5 | tags: 6 | - archive 7 | - android 8 | license: CC0-1.0 9 | ks-version: 0.9 10 | encoding: ASCII 11 | endian: le 12 | doc: | 13 | A bootloader image which only seems to have been used on a few ASUS 14 | devices. The encoding is ASCII, because the `releasetools.py` script 15 | is written using Python 2, where the default encoding is ASCII. 16 | 17 | A test file can be found in the firmware files for the "fugu" device, 18 | which can be downloaded from 19 | doc-ref: https://android.googlesource.com/device/asus/fugu/+/android-8.1.0_r5/releasetools.py 20 | seq: 21 | - id: magic 22 | contents: BOOTLDR! 23 | - id: revision 24 | type: u2 25 | valid: 26 | min: 2 27 | - id: reserved1 28 | type: u2 29 | - id: reserved2 30 | type: u4 31 | - id: images 32 | type: image 33 | repeat: expr 34 | repeat-expr: 3 35 | doc: | 36 | Only three images are included: `ifwi.bin`, `droidboot.img` 37 | and `splashscreen.img` 38 | types: 39 | image: 40 | -webide-representation: '{file_name}' 41 | seq: 42 | - id: chunk_id 43 | size: 8 44 | type: str 45 | valid: 46 | any-of: 47 | - '"IFWI!!!!"' 48 | - '"DROIDBT!"' 49 | - '"SPLASHS!"' 50 | - id: len_body 51 | type: u4 52 | - id: flags 53 | type: u1 54 | valid: 55 | expr: _ & 1 != 0 56 | - id: reserved1 57 | type: u1 58 | - id: reserved2 59 | type: u1 60 | - id: reserved3 61 | type: u1 62 | - id: body 63 | size: len_body 64 | instances: 65 | file_name: 66 | value: | 67 | chunk_id == "IFWI!!!!" ? 
"ifwi.bin" : 68 | chunk_id == "DROIDBT!" ? "droidboot.img" : 69 | chunk_id == "SPLASHS!" ? "splashscreen.img" : 70 | "" 71 | -------------------------------------------------------------------------------- /archive/android_bootldr_huawei.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: android_bootldr_huawei 3 | title: Huawei Bootloader packed image format 4 | file-extension: img 5 | tags: 6 | - archive 7 | - android 8 | license: CC0-1.0 9 | # The `releasetools.py` script is written for Python 2, where the default 10 | # encoding is ASCII. 11 | encoding: ASCII 12 | endian: le 13 | doc: | 14 | Format of `bootloader-*.img` files found in factory images of certain Android devices from Huawei: 15 | 16 | * Nexus 6P "angler": [sample][sample-angler] ([other samples][others-angler]), 17 | [releasetools.py](https://android.googlesource.com/device/huawei/angler/+/cf92cd8/releasetools.py#29) 18 | 19 | [sample-angler]: https://androidfilehost.com/?fid=11410963190603870158 "bootloader-angler-angler-03.84.img" 20 | [others-angler]: https://androidfilehost.com/?w=search&s=bootloader-angler&type=files 21 | 22 | All image versions can be found in factory images at 23 | for the specific device. To 24 | avoid having to download an entire ZIP archive when you only need one file 25 | from it, install [remotezip](https://github.com/gtsystem/python-remotezip) and 26 | use its [command line 27 | tool](https://github.com/gtsystem/python-remotezip#command-line-tool) to list 28 | members in the archive and then to download only the file you want. 
29 | 30 | doc-ref: 31 | - https://android.googlesource.com/device/huawei/angler/+/673cfb9/releasetools.py 32 | - https://source.codeaurora.org/quic/la/device/qcom/common/tree/meta_image/meta_format.h?h=LA.UM.6.1.1&id=a68d284aee85 33 | - https://source.codeaurora.org/quic/la/device/qcom/common/tree/meta_image/meta_image.c?h=LA.UM.6.1.1&id=a68d284aee85 34 | seq: 35 | - id: meta_header 36 | type: meta_hdr 37 | - id: header_ext 38 | size: meta_header.len_meta_header - meta_header._sizeof 39 | - id: image_header 40 | size: meta_header.len_image_header 41 | type: image_hdr 42 | types: 43 | meta_hdr: 44 | seq: 45 | - id: magic 46 | contents: [0x3c, 0xd6, 0x1a, 0xce] 47 | - id: version 48 | type: version 49 | - id: image_version 50 | size: 64 51 | type: strz 52 | - id: len_meta_header 53 | -orig-id: meta_hdr_sz 54 | type: u2 55 | - id: len_image_header 56 | -orig-id: img_hdr_sz 57 | type: u2 58 | version: 59 | seq: 60 | - id: major 61 | type: u2 62 | - id: minor 63 | type: u2 64 | image_hdr: 65 | seq: 66 | - id: entries 67 | type: image_hdr_entry 68 | repeat: eos 69 | doc: | 70 | The C generator program defines `img_header` as a [fixed size 71 | array](https://source.codeaurora.org/quic/la/device/qcom/common/tree/meta_image/meta_image.c?h=LA.UM.6.1.1&id=a68d284aee85#n42) 72 | of `img_header_entry_t` structs with length `MAX_IMAGES` (which is 73 | defined as `16`). 74 | 75 | This means that technically there will always be 16 `image_hdr` 76 | entries, the first *n* entries being used (filled with real values) 77 | and the rest left unused with all bytes zero. 78 | 79 | To check if an entry is used, use the `is_used` attribute. 
80 | image_hdr_entry: 81 | -webide-representation: '{name} - o:{ofs_body}, s:{len_body} (used: {is_used})' 82 | seq: 83 | - id: name 84 | size: 72 85 | type: strz 86 | doc: partition name 87 | - id: ofs_body 88 | type: u4 89 | - id: len_body 90 | type: u4 91 | instances: 92 | is_used: 93 | value: ofs_body != 0 and len_body != 0 94 | doc-ref: https://source.codeaurora.org/quic/la/device/qcom/common/tree/meta_image/meta_image.c?h=LA.UM.6.1.1&id=a68d284aee85#n119 95 | body: 96 | io: _root._io 97 | pos: ofs_body 98 | size: len_body 99 | if: is_used 100 | -------------------------------------------------------------------------------- /archive/android_dto.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: android_dto 3 | title: Android DTB/DTBO Partition 4 | license: CC0-1.0 5 | file-extension: img 6 | endian: be 7 | 8 | doc: | 9 | Format for Android DTB/DTBO partitions. It's a kind of archive with 10 | dtb/dtbo files. Used only when there is a separate unique partition 11 | (dtb, dtbo) on an android device to organize device tree files. 12 | The format consists of a header with info about size and number 13 | of device tree entries and the entries themselves. This format 14 | description could be used to extract device tree entries from a 15 | partition image and decompile them with dtc (device tree compiler). The `dt_offset` and `dt_size` fields of each entry are used as read from the file and are not checked against `total_size`, so validate them before extracting entries from an untrusted image. 
16 | 17 | doc-ref: 18 | - https://source.android.com/docs/core/architecture/dto/partitions 19 | - https://android.googlesource.com/platform/system/libufdt/+/refs/tags/android-10.0.0_r47 20 | 21 | seq: 22 | - id: header 23 | type: dt_table_header 24 | - id: entries 25 | type: dt_table_entry 26 | repeat: expr 27 | repeat-expr: header.dt_entry_count 28 | 29 | types: 30 | dt_table_header: 31 | seq: 32 | - id: magic 33 | contents: [0xd7, 0xb7, 0xab, 0x1e] 34 | - id: total_size 35 | type: u4 36 | doc: includes dt_table_header + all dt_table_entry and all dtb/dtbo 37 | - id: header_size 38 | type: u4 39 | doc: sizeof(dt_table_header) 40 | - id: dt_entry_size 41 | type: u4 42 | doc: sizeof(dt_table_entry) 43 | - id: dt_entry_count 44 | type: u4 45 | doc: number of dt_table_entry 46 | - id: dt_entries_offset 47 | type: u4 48 | doc: offset to the first dt_table_entry from head of dt_table_header 49 | - id: page_size 50 | type: u4 51 | doc: flash page size 52 | - id: version 53 | type: u4 54 | doc: DTBO image version 55 | dt_table_entry: 56 | seq: 57 | - id: dt_size 58 | type: u4 59 | doc: size of this entry 60 | - id: dt_offset 61 | type: u4 62 | doc: offset from head of dt_table_header 63 | - id: id 64 | type: u4 65 | doc: optional, must be zero if unused 66 | - id: rev 67 | type: u4 68 | doc: optional, must be zero if unused 69 | - id: custom 70 | type: u4 71 | repeat: expr 72 | repeat-expr: 4 73 | doc: optional, must be zero if unused 74 | instances: 75 | body: 76 | io: _root._io 77 | pos: dt_offset 78 | size: dt_size 79 | doc: DTB/DTBO file 80 | -------------------------------------------------------------------------------- /archive/android_img.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: android_img 3 | title: Android Boot Image 4 | file-extension: img 5 | tags: 6 | - archive 7 | - android 8 | license: CC0-1.0 9 | endian: le 10 | doc-ref: 
https://source.android.com/docs/core/architecture/bootloader/boot-image-header 11 | seq: 12 | - id: magic 13 | contents: ANDROID! 14 | - id: kernel 15 | type: load 16 | - id: ramdisk 17 | type: load 18 | - id: second 19 | type: load 20 | - id: tags_load 21 | type: u4 22 | - id: page_size 23 | type: u4 24 | - id: header_version 25 | type: u4 26 | - id: os_version 27 | type: os_version 28 | - id: name 29 | type: strz 30 | size: 16 31 | encoding: ASCII 32 | - id: cmdline 33 | type: strz 34 | size: 512 35 | encoding: ASCII 36 | - id: sha 37 | size: 32 38 | - id: extra_cmdline 39 | type: strz 40 | size: 1024 41 | encoding: ASCII 42 | - id: recovery_dtbo 43 | type: size_offset 44 | if: header_version > 0 45 | - id: boot_header_size 46 | type: u4 47 | if: header_version > 0 48 | - id: dtb 49 | type: load_long 50 | if: header_version > 1 51 | instances: 52 | base: 53 | value: kernel.addr - 0x00008000 54 | doc: base loading address 55 | kernel_offset: 56 | value: kernel.addr - base 57 | doc: kernel offset from base 58 | ramdisk_offset: 59 | value: 'ramdisk.addr > 0 ? ramdisk.addr - base : 0' 60 | doc: ramdisk offset from base 61 | second_offset: 62 | value: 'second.addr > 0 ? second.addr - base : 0' 63 | doc: 2nd bootloader offset from base 64 | tags_offset: 65 | value: tags_load - base 66 | doc: tags offset from base 67 | dtb_offset: 68 | value: 'dtb.addr > 0 ? 
dtb.addr - base : 0' 69 | if: header_version > 1 70 | doc: dtb offset from base 71 | kernel_img: 72 | pos: page_size 73 | size: kernel.size 74 | ramdisk_img: 75 | pos: ((page_size + kernel.size + page_size - 1) / page_size) * page_size 76 | size: ramdisk.size 77 | if: ramdisk.size > 0 78 | second_img: 79 | pos: ((page_size + kernel.size + ramdisk.size + page_size - 1) / page_size) * page_size 80 | size: second.size 81 | if: second.size > 0 82 | recovery_dtbo_img: 83 | pos: recovery_dtbo.offset 84 | size: recovery_dtbo.size 85 | if: header_version > 0 and recovery_dtbo.size > 0 86 | dtb_img: 87 | pos: ((page_size + kernel.size + ramdisk.size + second.size + recovery_dtbo.size + page_size - 1) / page_size) * page_size 88 | size: dtb.size 89 | if: header_version > 1 and dtb.size > 0 90 | types: 91 | load: 92 | seq: 93 | - id: size 94 | type: u4 95 | - id: addr 96 | type: u4 97 | load_long: 98 | seq: 99 | - id: size 100 | type: u4 101 | - id: addr 102 | type: u8 103 | size_offset: 104 | seq: 105 | - id: size 106 | type: u4 107 | - id: offset 108 | type: u8 109 | os_version: 110 | seq: 111 | - id: version 112 | type: u4 113 | instances: 114 | major: 115 | value: (version >> 25) & 0x7f 116 | minor: 117 | value: (version >> 18) & 0x7f 118 | patch: 119 | value: (version >> 11) & 0x7f 120 | year: 121 | value: ((version >> 4) & 0x7f) + 2000 122 | month: 123 | value: version & 0xf 124 | -------------------------------------------------------------------------------- /archive/cpio_old_le.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: cpio_old_le 3 | title: cpio archive, old binary variant, little-endian 4 | file-extension: cpio 5 | xref: 6 | forensicswiki: cpio 7 | justsolve: Cpio 8 | mime: application/x-cpio 9 | pronom: fmt/635 10 | wikidata: Q285296 11 | license: CC0-1.0 12 | endian: le 13 | seq: 14 | - id: files 15 | type: file 16 | repeat: eos 17 | types: 18 | file: 19 | seq: 20 | - id: header 21 | type: file_header 
22 | - id: path_name 23 | size: header.path_name_size - 1 24 | - id: string_terminator 25 | contents: [0x00] 26 | - id: path_name_padding 27 | contents: [0x00] 28 | if: header.path_name_size % 2 == 1 29 | - id: file_data 30 | size: header.file_size.value 31 | - id: file_data_padding 32 | contents: [0x00] 33 | if: header.file_size.value % 2 == 1 34 | - id: end_of_file_padding 35 | size-eos: true 36 | if: path_name == [0x54, 0x52, 0x41, 0x49, 0x4c, 0x45, 0x52, 0x21, 0x21, 0x21] and header.file_size.value == 0 37 | file_header: 38 | seq: 39 | - id: magic 40 | contents: [0xC7, 0x71] 41 | - id: device_number 42 | type: u2 43 | - id: inode_number 44 | type: u2 45 | - id: mode 46 | type: u2 47 | - id: user_id 48 | type: u2 49 | - id: group_id 50 | type: u2 51 | - id: number_of_links 52 | type: u2 53 | - id: r_device_number 54 | type: u2 55 | - id: modification_time 56 | type: four_byte_unsigned_integer 57 | - id: path_name_size 58 | type: u2 59 | - id: file_size 60 | type: four_byte_unsigned_integer 61 | four_byte_unsigned_integer: 62 | seq: 63 | - id: most_significant_bits 64 | type: u2 65 | - id: least_significant_bits 66 | type: u2 67 | instances: 68 | value: 69 | value: least_significant_bits + (most_significant_bits << 16) 70 | -------------------------------------------------------------------------------- /archive/lzh.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: lzh 3 | application: LHA (AKA LHarc) by Yoshizaki Haruyasu 4 | file-extension: lzh 5 | xref: 6 | justsolve: LHA 7 | pronom: fmt/626 8 | wikidata: Q368782 9 | license: CC0-1.0 10 | imports: 11 | - /common/dos_datetime 12 | endian: le 13 | doc: | 14 | LHA (LHarc, LZH) is a file format used by a popular freeware 15 | eponymous archiver, created in 1988 by Haruyasu Yoshizaki. Over the 16 | years, many ports and implementations were developed, sporting many 17 | extensions to original 1988 LZH. 
18 | 19 | File format is pretty simple and essentially consists of a stream of 20 | records. 21 | seq: 22 | - id: entries 23 | type: record 24 | repeat: eos 25 | types: 26 | record: 27 | seq: 28 | - id: header_len 29 | type: u1 30 | - id: file_record 31 | type: file_record 32 | if: header_len > 0 33 | file_record: 34 | seq: 35 | - id: header 36 | size: _parent.header_len - 1 37 | type: header 38 | - id: file_uncompr_crc16 39 | type: u2 40 | if: header.header1.lha_level == 0 41 | - id: body 42 | size: header.header1.file_size_compr 43 | header: 44 | seq: 45 | - id: header1 46 | type: header1 47 | doc: > 48 | Level-neutral header, same for all LHA levels. Subsequent 49 | fields order and meaning varies, based on LHA level 50 | specified in this header. 51 | - id: filename_len 52 | type: u1 53 | if: header1.lha_level == 0 54 | - id: filename 55 | type: str 56 | size: filename_len 57 | encoding: ASCII 58 | if: header1.lha_level == 0 59 | - id: file_uncompr_crc16 60 | type: u2 61 | if: header1.lha_level == 2 62 | - id: os 63 | type: u1 64 | if: header1.lha_level == 2 65 | - id: ext_header_size 66 | type: u2 67 | if: header1.lha_level == 2 68 | header1: 69 | seq: 70 | - id: header_checksum 71 | type: u1 72 | - id: method_id 73 | type: str 74 | size: 5 75 | encoding: ASCII 76 | - id: file_size_compr 77 | type: u4 78 | doc: Compressed file size 79 | - id: file_size_uncompr 80 | type: u4 81 | doc: Uncompressed file size 82 | - id: file_timestamp 83 | size: 4 84 | type: dos_datetime 85 | doc: Original file date/time 86 | - id: attr 87 | type: u1 88 | doc: File or directory attribute 89 | - id: lha_level 90 | type: u1 91 | -------------------------------------------------------------------------------- /archive/mozilla_mar.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: mozilla_mar 3 | title: Mozilla ARchive 4 | file-extension: mar 5 | xref: 6 | justsolve: Mozilla_Archive 7 | wikidata: Q28777700 8 | license: CC0-1.0 9 | 
endian: be 10 | doc: | 11 | Mozilla ARchive file is Mozilla's own archive format to distribute software updates. 12 | Test files can be found on Mozilla's FTP site, for example: 13 | 14 | 15 | doc-ref: https://wiki.mozilla.org/Software_Update:MAR 16 | seq: 17 | - id: magic 18 | contents: "MAR1" 19 | - id: ofs_index 20 | -orig-id: OffsetToIndex 21 | type: u4 22 | - id: file_size 23 | -orig-id: FileSize 24 | type: u8 25 | - id: len_signatures 26 | -orig-id: NumSignatures 27 | type: u4 28 | - id: signatures 29 | type: signature 30 | repeat: expr 31 | repeat-expr: len_signatures 32 | - id: len_additional_sections 33 | -orig-id: NumAdditionalSections 34 | type: u4 35 | - id: additional_sections 36 | type: additional_section 37 | repeat: expr 38 | repeat-expr: len_additional_sections 39 | instances: 40 | index: 41 | pos: ofs_index 42 | type: mar_index 43 | types: 44 | signature: 45 | seq: 46 | - id: algorithm 47 | -orig-id: SignatureAlgorithmID 48 | type: u4 49 | enum: signature_algorithms 50 | - id: len_signature 51 | -orig-id: SignatureSize 52 | type: u4 53 | - id: signature 54 | size: len_signature 55 | additional_section: 56 | seq: 57 | - id: len_block 58 | type: u4 59 | - id: block_identifier 60 | -orig-id: BlockIdentifier 61 | type: u4 62 | enum: block_identifiers 63 | - id: bytes 64 | size: len_block - len_block._sizeof - block_identifier._sizeof 65 | type: 66 | switch-on: block_identifier 67 | cases: 68 | block_identifiers::product_information: product_information_block 69 | mar_index: 70 | seq: 71 | - id: len_index 72 | -orig-id: IndexSize 73 | type: u4 74 | - id: index_entries 75 | type: index_entries 76 | size: len_index 77 | index_entries: 78 | seq: 79 | - id: index_entry 80 | type: index_entry 81 | repeat: eos 82 | index_entry: 83 | seq: 84 | - id: ofs_content 85 | -orig-id: OffsetToContent 86 | type: u4 87 | - id: len_content 88 | -orig-id: ContentSize 89 | type: u4 90 | - id: flags 91 | type: u4 92 | doc: File permission bits (in standard unix-style 
format). 93 | - id: file_name 94 | -orig-id: FileName 95 | type: strz 96 | encoding: UTF-8 97 | instances: 98 | body: 99 | pos: ofs_content 100 | io: _root._io 101 | size: len_content 102 | product_information_block: 103 | seq: 104 | - id: mar_channel_name 105 | -orig-id: MARChannelName 106 | size: 64 107 | type: strz 108 | encoding: UTF-8 109 | - id: product_version 110 | -orig-id: ProductVersion 111 | size: 32 112 | type: strz 113 | encoding: UTF-8 114 | enums: 115 | signature_algorithms: 116 | 1: rsa_pkcs1_sha1 117 | 2: rsa_pkcs1_sha384 118 | block_identifiers: 119 | 1: product_information 120 | -------------------------------------------------------------------------------- /archive/respack.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: respack 3 | title: ResPack 4 | file-extension: cfg 5 | license: CC0-1.0 6 | encoding: UTF-8 7 | endian: le 8 | doc: | 9 | Resource file found in CPB firmware archives, mostly used on older CoolPad 10 | phones and/or tablets. The only observed files are called "ResPack.cfg". 11 | seq: 12 | - id: header 13 | type: header 14 | - id: json 15 | size: header.len_json 16 | type: str 17 | types: 18 | header: 19 | seq: 20 | - id: magic 21 | contents: "RS" 22 | - id: unknown 23 | size: 8 24 | - id: len_json 25 | type: u4 26 | - id: md5 27 | size: 32 28 | type: str 29 | doc: MD5 of data that follows the header 30 | -------------------------------------------------------------------------------- /archive/zisofs.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: zisofs 3 | title: zisofs 4 | xref: 5 | justsolve: Zisofs 6 | wikidata: Q105854284 7 | tags: 8 | - archive 9 | - filesystem 10 | license: CC0-1.0 11 | endian: le 12 | doc: | 13 | zisofs is a compression format for files on ISO9660 file system. It has 14 | limited support across operating systems, mainly Linux kernel. 
Typically a 15 | directory tree is first preprocessed by mkzftree (from the zisofs-tools 16 | package) before being turned into an ISO9660 image by mkisofs, genisoimage 17 | or a similar tool. The data is zlib compressed. 18 | 19 | The specification here describes the structure of a file that has been 20 | preprocessed by mkzftree, not of a full ISO9660 ziso. Data is not 21 | decompressed, as blocks with length 0 have a special meaning. Decompression 22 | and deconstruction of this data should be done outside of Kaitai Struct. 23 | doc-ref: https://web.archive.org/web/20200612093441/https://dev.lovelyhq.com/libburnia/web/-/wikis/zisofs 24 | seq: 25 | - id: header 26 | size: 16 27 | type: header 28 | - id: block_pointers 29 | type: u4 30 | repeat: expr 31 | repeat-expr: header.num_blocks + 1 32 | doc: | 33 | The final pointer (`block_pointers[header.num_blocks]`) indicates the end 34 | of the last block. Typically this is also the end of the file data. The pointers are not checked to be non-decreasing or to lie within the file, so a malformed file can yield a negative or out-of-range block length. 35 | instances: 36 | blocks: 37 | type: 'block(block_pointers[_index], block_pointers[_index + 1])' 38 | repeat: expr 39 | repeat-expr: header.num_blocks 40 | types: 41 | header: 42 | seq: 43 | - id: magic 44 | contents: [0x37, 0xe4, 0x53, 0x96, 0xc9, 0xdb, 0xd6, 0x07] 45 | - id: uncompressed_size 46 | type: u4 47 | doc: Size of the original uncompressed file 48 | - id: len_header 49 | type: u1 50 | valid: 4 51 | doc: header_size >> 2 (currently 4) 52 | - id: block_size_log2 53 | type: u1 54 | valid: 55 | any-of: [15, 16, 17] 56 | - id: reserved 57 | contents: [0, 0] 58 | instances: 59 | block_size: 60 | value: 1 << block_size_log2 61 | num_blocks: 62 | value: '(uncompressed_size / block_size) + (uncompressed_size % block_size != 0 ? 
1 : 0)' 63 | doc: ceil(uncompressed_size / block_size) 64 | block: 65 | -webide-representation: '[{ofs_start}, {ofs_end}): {len_data:dec} bytes' 66 | params: 67 | - id: ofs_start 68 | type: u4 69 | - id: ofs_end 70 | type: u4 71 | instances: 72 | len_data: 73 | value: ofs_end - ofs_start 74 | data: 75 | io: _root._io 76 | pos: ofs_start 77 | size: len_data 78 | -------------------------------------------------------------------------------- /cad/monomakh_sapr_chg.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: monomakh_sapr_chg 3 | application: MONOMAKH-SAPR 4 | file-extension: chg 5 | license: CC0-1.0 6 | ks-version: 0.7 7 | endian: le 8 | doc: | 9 | CHG is a container format file used by 10 | [MONOMAKH-SAPR](https://www.liraland.com/mono/), a software 11 | package for analysis & design of reinforced concrete multi-storey 12 | buildings with arbitrary configuration in plan. 13 | 14 | CHG is a simple container, which bundles several project files 15 | together. 16 | 17 | Written and tested by Vladimir Shulzhitskiy, 2017 18 | seq: 19 | - id: title 20 | type: str 21 | size: 10 22 | encoding: "ascii" 23 | - id: ent 24 | type: block 25 | repeat: eos 26 | types: 27 | block: 28 | seq: 29 | - id: header 30 | type: str 31 | size: 13 32 | encoding: "ascii" 33 | - id: file_size 34 | type: u8 35 | - id: file 36 | size: file_size 37 | -------------------------------------------------------------------------------- /common/bcd.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: bcd 3 | title: BCD (Binary Coded Decimals) 4 | xref: 5 | justsolve: Binary-coded_decimal 6 | wikidata: Q276582 7 | license: CC0-1.0 8 | ks-version: 0.8 9 | doc: | 10 | BCD (Binary Coded Decimals) is a common way to encode integer 11 | numbers in a way that makes human-readable output somewhat 12 | simpler. 
In this encoding scheme, every decimal digit is encoded as 13 | either a single byte (8 bits), or a nibble (half of a byte, 4 14 | bits). This obviously wastes a lot of bits, but it makes translation 15 | into human-readable string much easier than traditional 16 | binary-to-decimal conversion process, which includes lots of 17 | divisions by 10. 18 | 19 | For example, encoding integer 31337 in 8-digit, 8 bits per digit, 20 | big endian order of digits BCD format yields 21 | 22 | ``` 23 | 00 00 00 03 01 03 03 07 24 | ``` 25 | 26 | Encoding the same integer as 8-digit, 4 bits per digit, little 27 | endian order BCD format would yield: 28 | 29 | ``` 30 | 73 31 30 00 31 | ``` 32 | 33 | Using this type of encoding in Kaitai Struct is pretty 34 | straightforward: one calls for this type, specifying desired 35 | encoding parameters, and gets result using either `as_int` or 36 | `as_str` attributes. 37 | params: 38 | - id: num_digits 39 | type: u1 40 | doc: Number of digits in this BCD representation. Only values from 1 to 8 inclusive are supported. 41 | - id: bits_per_digit 42 | type: u1 43 | doc: Number of bits per digit. Only values of 4 and 8 are supported. 44 | - id: is_le 45 | type: bool 46 | doc: Endianness used by this BCD representation. True means little-endian, false is for big-endian. 47 | seq: 48 | - id: digits 49 | type: 50 | switch-on: bits_per_digit 51 | cases: 52 | 4: b4 53 | 8: u1 54 | repeat: expr 55 | repeat-expr: num_digits 56 | instances: 57 | as_int: 58 | value: 'is_le ? as_int_le : as_int_be' 59 | doc: Value of this BCD number as integer. Endianness would be selected based on `is_le` parameter given. 60 | as_int_le: 61 | value: > 62 | digits[0] + 63 | (num_digits < 2 ? 0 : 64 | (digits[1] * 10 + 65 | (num_digits < 3 ? 0 : 66 | (digits[2] * 100 + 67 | (num_digits < 4 ? 0 : 68 | (digits[3] * 1000 + 69 | (num_digits < 5 ? 0 : 70 | (digits[4] * 10000 + 71 | (num_digits < 6 ? 0 : 72 | (digits[5] * 100000 + 73 | (num_digits < 7 ? 
0 : 74 | (digits[6] * 1000000 + 75 | (num_digits < 8 ? 0 : 76 | (digits[7] * 10000000) 77 | ) 78 | ) 79 | ) 80 | ) 81 | ) 82 | ) 83 | ) 84 | ) 85 | ) 86 | ) 87 | ) 88 | ) 89 | ) 90 | doc: Value of this BCD number as integer (treating digit order as little-endian). 91 | last_idx: 92 | value: num_digits - 1 93 | doc: Index of last digit (0-based). 94 | as_int_be: 95 | value: > 96 | digits[last_idx] + 97 | (num_digits < 2 ? 0 : 98 | (digits[last_idx - 1] * 10 + 99 | (num_digits < 3 ? 0 : 100 | (digits[last_idx - 2] * 100 + 101 | (num_digits < 4 ? 0 : 102 | (digits[last_idx - 3] * 1000 + 103 | (num_digits < 5 ? 0 : 104 | (digits[last_idx - 4] * 10000 + 105 | (num_digits < 6 ? 0 : 106 | (digits[last_idx - 5] * 100000 + 107 | (num_digits < 7 ? 0 : 108 | (digits[last_idx - 6] * 1000000 + 109 | (num_digits < 8 ? 0 : 110 | (digits[last_idx - 7] * 10000000) 111 | ) 112 | ) 113 | ) 114 | ) 115 | ) 116 | ) 117 | ) 118 | ) 119 | ) 120 | ) 121 | ) 122 | ) 123 | ) 124 | doc: Value of this BCD number as integer (treating digit order as big-endian). 125 | -------------------------------------------------------------------------------- /common/bytes_with_io.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: bytes_with_io 3 | title: Byte array with an `_io` member 4 | license: MIT 5 | doc: | 6 | Helper type to work around Kaitai Struct not providing an `_io` member for plain byte arrays. 7 | seq: 8 | - id: data 9 | size-eos: true 10 | doc: The actual data. 11 | -------------------------------------------------------------------------------- /common/dos_datetime.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: dos_datetime 3 | title: MS-DOS datetime 4 | xref: 5 | justsolve: MS-DOS_date/time 6 | tags: 7 | - dos 8 | license: CC0-1.0 9 | ks-version: 0.9 10 | bit-endian: le 11 | doc: | 12 | MS-DOS date and time are packed 16-bit values that specify local date/time. 
13 | The time is always stored in the current UTC time offset set on the computer 14 | which created the file. Note that the daylight saving time (DST) shifts 15 | also change the UTC time offset. 16 | 17 | For example, if you pack two files A and B into a ZIP archive, file A last modified 18 | at 2020-03-29 00:59 UTC+00:00 (GMT) and file B at 2020-03-29 02:00 UTC+01:00 (BST), 19 | the file modification times saved in MS-DOS format in the ZIP file will vary depending 20 | on whether the computer packing the files is set to GMT or BST at the time of ZIP creation. 21 | 22 | - If set to GMT: 23 | - file A: 2020-03-29 00:59 (UTC+00:00) 24 | - file B: 2020-03-29 01:00 (UTC+00:00) 25 | - If set to BST: 26 | - file A: 2020-03-29 01:59 (UTC+01:00) 27 | - file B: 2020-03-29 02:00 (UTC+01:00) 28 | 29 | It follows that you are unable to determine the actual last modified time 30 | of any file stored in the ZIP archive, if you don't know the locale time 31 | setting of the computer at the time it created the ZIP. 
32 | 33 | This format is used in some data formats from the MS-DOS era, for example: 34 | 35 | - [zip](/zip/) 36 | - [rar](/rar/) 37 | - [vfat](/vfat/) (FAT12) 38 | - [lzh](/lzh/) 39 | - [cab](http://justsolve.archiveteam.org/wiki/Cabinet) 40 | 41 | doc-ref: 42 | - https://learn.microsoft.com/en-us/windows/win32/sysinfo/ms-dos-date-and-time 43 | - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime 44 | - https://github.com/reactos/reactos/blob/c6b64448ce4/dll/win32/kernel32/client/time.c#L82-L87 DosDateTimeToFileTime 45 | - https://download.microsoft.com/download/0/8/4/084c452b-b772-4fe5-89bb-a0cbf082286a/fatgen103.doc page 25/34 46 | -webide-representation: "{date} {time}" 47 | seq: 48 | - id: time 49 | type: time 50 | - id: date 51 | type: date 52 | types: 53 | time: 54 | -webide-representation: "{padded_hour}:{padded_minute}:{padded_second}" 55 | seq: 56 | - id: second_div_2 57 | type: b5 58 | valid: 59 | max: 29 # 0-58 seconds 60 | - id: minute 61 | type: b6 62 | valid: 63 | max: 59 64 | - id: hour 65 | type: b5 66 | valid: 67 | max: 23 68 | instances: 69 | second: 70 | value: 2 * second_div_2 71 | padded_second: 72 | value: '(second <= 9 ? "0" : "") + second.to_s' 73 | padded_minute: 74 | value: '(minute <= 9 ? "0" : "") + minute.to_s' 75 | padded_hour: 76 | value: '(hour <= 9 ? "0" : "") + hour.to_s' 77 | date: 78 | -webide-representation: "{padded_year}-{padded_month}-{padded_day}" 79 | seq: 80 | - id: day 81 | type: b5 82 | valid: 83 | min: 1 84 | - id: month 85 | type: b4 86 | valid: 87 | min: 1 88 | max: 12 89 | - id: year_minus_1980 90 | type: b7 91 | instances: 92 | year: 93 | value: 1980 + year_minus_1980 94 | doc: only years from 1980 to 2107 (1980 + 127) can be represented 95 | padded_day: 96 | value: '(day <= 9 ? "0" : "") + day.to_s' 97 | padded_month: 98 | value: '(month <= 9 ? "0" : "") + month.to_s' 99 | padded_year: 100 | value: | 101 | (year <= 999 ? "0" + 102 | (year <= 99 ? "0" + 103 | (year <= 9 ? 
"0" : "") 104 | : "") 105 | : "") + year.to_s 106 | -------------------------------------------------------------------------------- /common/utf8_string.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: utf8_string 3 | title: UTF-8-encoded string 4 | file-extension: txt 5 | xref: 6 | wikidata: Q193537 7 | license: CC0-1.0 8 | doc: | 9 | UTF-8 is a popular character encoding scheme that allows strings to be 10 | represented as a sequence of code points defined in the Unicode 11 | standard. Its features are: 12 | 13 | * variable width (i.e. one code point might be represented by 1 to 4 14 | bytes) 15 | * backward compatibility with ASCII 16 | * basic validity checking (and thus distinguishing from other legacy 17 | 8-bit encodings) 18 | * maintaining sort order of codepoints if sorted as a byte array 19 | 20 | WARNING: For the vast majority of practical purposes of format 21 | definitions in Kaitai Struct, you'd likely NOT want to use this and 22 | rather just use `type: str` with `encoding: utf-8`. That will use 23 | native string implementations, which are most likely more efficient 24 | and will give you native language strings, rather than an array of 25 | individual codepoints. This format definition is provided mostly 26 | for educational / research purposes. It does not check continuation bytes or reject overlong forms, and an invalid lead byte makes `len_bytes` evaluate to -1, so do not rely on it to validate untrusted text. 27 | seq: 28 | - id: codepoints 29 | type: utf8_codepoint(_io.pos) 30 | repeat: eos 31 | types: 32 | utf8_codepoint: 33 | -webide-representation: 'U+{value_as_int:hex}' 34 | params: 35 | - id: ofs 36 | type: u8 37 | seq: 38 | - id: bytes 39 | size: len_bytes 40 | instances: 41 | byte0: 42 | pos: ofs 43 | type: u1 44 | len_bytes: 45 | value: | 46 | (byte0 & 0b1000_0000 == 0) ? 1 : 47 | (byte0 & 0b1110_0000 == 0b1100_0000) ? 2 : 48 | (byte0 & 0b1111_0000 == 0b1110_0000) ? 3 : 49 | (byte0 & 0b1111_1000 == 0b1111_0000) ? 4 : 50 | -1 51 | raw0: 52 | value: | 53 | bytes[0] & ( 54 | len_bytes == 1 ? 0b0111_1111 : 55 | len_bytes == 2 ? 0b0001_1111 : 56 | len_bytes == 3 ? 
0b0000_1111 : 57 | len_bytes == 4 ? 0b0000_0111 : 58 | 0 59 | ) 60 | raw1: 61 | value: 'bytes[1] & 0b0011_1111' 62 | if: len_bytes >= 2 63 | raw2: 64 | value: 'bytes[2] & 0b0011_1111' 65 | if: len_bytes >= 3 66 | raw3: 67 | value: 'bytes[3] & 0b0011_1111' 68 | if: len_bytes >= 4 69 | value_as_int: 70 | value: > 71 | len_bytes == 1 ? raw0 : 72 | len_bytes == 2 ? ((raw0 << 6) | raw1) : 73 | len_bytes == 3 ? ((raw0 << 12) | (raw1 << 6) | raw2) : 74 | len_bytes == 4 ? ((raw0 << 18) | (raw1 << 12) | (raw2 << 6) | raw3) : 75 | -1 76 | -------------------------------------------------------------------------------- /common/vlq_base128_be.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: vlq_base128_be 3 | title: Variable length quantity, unsigned integer, base128, big-endian 4 | xref: 5 | justsolve: Variable-length_quantity 6 | wikidata: Q7915686 7 | license: CC0-1.0 8 | ks-version: 0.9 9 | bit-endian: be 10 | doc: | 11 | A variable-length unsigned integer using base128 encoding. 1-byte groups 12 | consist of 1-bit flag of continuation and 7-bit value chunk, and are ordered 13 | "most significant group first", i.e. in "big-endian" manner. 14 | 15 | This particular encoding is specified and used in: 16 | 17 | * Standard MIDI file format 18 | * ASN.1 BER encoding 19 | * RAR 5.0 file format 20 | 21 | More information on this encoding is available at 22 | 23 | 24 | This particular implementation supports serialized values up to 8 bytes long. `groups` keeps reading until a group without the continuation flag appears, with no limit on their number, and only the last eight groups contribute to `value`, so check `groups.size` when parsing untrusted data. 25 | -webide-representation: '{value:dec}' 26 | seq: 27 | - id: groups 28 | type: group 29 | repeat: until 30 | repeat-until: not _.has_next 31 | types: 32 | group: 33 | -webide-representation: '{value}' 34 | doc: | 35 | One byte group, clearly divided into 7-bit "value" chunk and 1-bit "continuation" flag. 
36 | seq: 37 | - id: has_next 38 | type: b1 39 | doc: If true, then we have more bytes to read 40 | - id: value 41 | type: b7 42 | doc: The 7-bit (base128) numeric value chunk of this group 43 | instances: 44 | last: 45 | value: groups.size - 1 46 | value: 47 | value: | 48 | (groups[last].value 49 | + (last >= 1 ? (groups[last - 1].value << 7) : 0) 50 | + (last >= 2 ? (groups[last - 2].value << 14) : 0) 51 | + (last >= 3 ? (groups[last - 3].value << 21) : 0) 52 | + (last >= 4 ? (groups[last - 4].value << 28) : 0) 53 | + (last >= 5 ? (groups[last - 5].value << 35) : 0) 54 | + (last >= 6 ? (groups[last - 6].value << 42) : 0) 55 | + (last >= 7 ? (groups[last - 7].value << 49) : 0)).as 56 | doc: Resulting value as normal integer 57 | -------------------------------------------------------------------------------- /database/dbf.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: dbf 3 | application: dBASE 4 | file-extension: dbf 5 | xref: 6 | justsolve: DBF 7 | loc: fdd000325 8 | mime: 9 | - application/dbf 10 | - application/dbase 11 | pronom: 12 | - x-fmt/8 # dBASE Database II 13 | - x-fmt/9 # dBASE Database III 14 | - x-fmt/271 # dBASE Database III+ 15 | - x-fmt/10 # dBASE Database IV 16 | - x-fmt/272 # dBASE Database V 17 | wikidata: Q16545707 18 | license: CC0-1.0 19 | endian: le 20 | doc: | 21 | .dbf is a relational database format introduced in DOS database 22 | management system dBASE in 1982. 23 | 24 | One .dbf file corresponds to one table and contains a series of headers, 25 | specification of fields, and a number of fixed-size records. 
26 | doc-ref: http://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm 27 | seq: 28 | - id: header1 29 | type: header1 30 | - id: header2 31 | size: header1.len_header - header1._sizeof - header_terminator._sizeof 32 | type: header2 33 | - id: header_terminator 34 | contents: [0x0D] 35 | - id: records 36 | type: record 37 | size: header1.len_record 38 | repeat: expr 39 | repeat-expr: header1.num_records 40 | types: 41 | header1: 42 | doc-ref: http://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm - section 1.1 43 | seq: 44 | - id: version 45 | type: u1 46 | - id: last_update_y 47 | type: u1 48 | - id: last_update_m 49 | type: u1 50 | - id: last_update_d 51 | type: u1 52 | - id: num_records 53 | type: u4 54 | - id: len_header 55 | type: u2 56 | - id: len_record 57 | type: u2 58 | instances: 59 | dbase_level: 60 | value: 'version & 0b111' 61 | header2: 62 | seq: 63 | - id: header_dbase_3 64 | if: _root.header1.dbase_level == 3 65 | type: header_dbase_3 66 | - id: header_dbase_7 67 | if: _root.header1.dbase_level == 7 68 | type: header_dbase_7 69 | - id: fields 70 | type: field 71 | repeat: eos 72 | header_dbase_3: 73 | seq: 74 | - id: reserved1 75 | size: 3 76 | - id: reserved2 77 | size: 13 78 | - id: reserved3 79 | size: 4 80 | header_dbase_7: 81 | seq: 82 | - id: reserved1 83 | contents: [0, 0] 84 | - id: has_incomplete_transaction 85 | type: u1 86 | - id: dbase_iv_encryption 87 | type: u1 88 | - id: reserved2 89 | size: 12 90 | - id: production_mdx 91 | type: u1 92 | - id: language_driver_id 93 | type: u1 94 | - id: reserved3 95 | contents: [0, 0] 96 | - id: language_driver_name 97 | size: 32 98 | - id: reserved4 99 | size: 4 100 | field: 101 | seq: 102 | - id: name 103 | type: strz 104 | encoding: ASCII 105 | size: 11 106 | - id: datatype 107 | type: u1 108 | - id: data_address 109 | type: u4 110 | - id: length 111 | type: u1 112 | - id: decimal_count 113 | type: u1 114 | - id: reserved1 115 | size: 2 116 | - id: work_area_id 117 | type: u1 118 | - id: reserved2 
119 | size: 2 120 | - id: set_fields_flag 121 | type: u1 122 | - id: reserved3 123 | size: 8 124 | record: 125 | seq: 126 | - id: deleted 127 | type: u1 128 | enum: delete_state 129 | - id: record_fields 130 | size: _root.header2.fields[_index].length 131 | repeat: expr 132 | repeat-expr: _root.header2.fields.size 133 | enums: 134 | delete_state: 135 | 0x2a: true 136 | 0x20: false 137 | -------------------------------------------------------------------------------- /database/tsm.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: tsm 3 | title: InfluxDB TSM file 4 | application: InfluxDB 5 | file-extension: tsm 6 | xref: 7 | wikidata: Q29168491 8 | license: MIT 9 | endian: be 10 | doc: | 11 | InfluxDB is a scalable database optimized for storage of time 12 | series, real-time application metrics, operations monitoring events, 13 | etc, written in Go. 14 | 15 | Data is stored in .tsm files, which are kept pretty simple 16 | conceptually. Each .tsm file contains a header and footer, which 17 | stores offset to an index. Index is used to find a data block for a 18 | requested time boundary.
19 | seq: 20 | - id: header 21 | type: header 22 | instances: 23 | index: 24 | pos: _io.size - 8 # footer: the last 8 bytes hold the index offset; NOTE(review): input shorter than 8 bytes makes this position negative 25 | type: index 26 | types: 27 | header: 28 | seq: 29 | - id: magic 30 | contents: [0x16, 0xd1, 0x16, 0xd1] 31 | - id: version 32 | type: u1 33 | index: 34 | seq: 35 | - id: offset 36 | type: u8 # file-supplied; used as a seek position below with no range check 37 | instances: 38 | entries: 39 | pos: offset 40 | type: index_header 41 | repeat: until 42 | repeat-until: _io.pos == _io.size - 8 # ends only when the cursor lands exactly on the footer; NOTE(review): entries that overshoot it keep parsing until a read fails 43 | types: 44 | index_header: 45 | seq: 46 | - id: key_len 47 | type: u2 48 | - id: key 49 | type: str 50 | encoding: UTF-8 51 | size: key_len 52 | - id: type 53 | type: u1 54 | - id: entry_count 55 | type: u2 56 | 57 | - id: index_entries 58 | type: index_entry 59 | repeat: expr 60 | repeat-expr: entry_count 61 | 62 | types: 63 | index_entry: 64 | seq: 65 | - id: min_time 66 | type: u8 67 | - id: max_time 68 | type: u8 69 | - id: block_offset 70 | type: u8 71 | - id: block_size 72 | type: u4 73 | 74 | types: 75 | block_entry: 76 | seq: 77 | - id: crc32 78 | type: u4 # stored value only; nothing in this spec checks it 79 | - id: data 80 | size: _parent.block_size - 4 # block_size is read from the index entry; NOTE(review): a value below 4 makes this size negative 81 | 82 | instances: 83 | block: 84 | io: _root._io 85 | pos: block_offset # file-supplied offset into the root stream, not range-checked 86 | type: block_entry 87 | -------------------------------------------------------------------------------- /executable/android_nanoapp_header.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: android_nanoapp_header 3 | title: Android nanoapp header 4 | file-extension: napp_header 5 | tags: 6 | - android 7 | - executable 8 | license: Apache-2.0 9 | ks-version: 0.9 10 | endian: le 11 | doc-ref: https://android.googlesource.com/platform/system/chre/+/a7ff61b9/build/build_template.mk#130 12 | seq: 13 | - id: header_version 14 | type: u4 15 | valid: 1 16 | - id: magic 17 | contents: "NANO" 18 | - id: app_id 19 | type: u8 20 | - id: app_version 21 | type: u4 22 | - id: flags 23 | type: u4 24 | - id: hub_type 25 | type: u8 26 | - id: chre_api_major_version 27 | type: u1 28 | - id: chre_api_minor_version 29 |
type: u1 30 | - id: reserved 31 | contents: [0, 0, 0, 0, 0, 0] 32 | instances: 33 | is_signed: 34 | value: flags & 0x1 != 0 35 | is_encrypted: 36 | value: flags & 0x2 != 0 37 | is_tcm_capable: 38 | value: flags & 0x4 != 0 39 | -------------------------------------------------------------------------------- /executable/dos_mz.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: dos_mz 3 | title: DOS MZ executable 4 | file-extension: 5 | - exe 6 | - ovl 7 | xref: 8 | justsolve: MS-DOS_EXE 9 | pronom: x-fmt/409 10 | wikidata: Q1882110 11 | tags: 12 | - dos 13 | license: CC0-1.0 14 | ks-version: 0.9 15 | encoding: ASCII 16 | endian: le 17 | doc: | 18 | DOS MZ file format is a traditional format for executables in MS-DOS 19 | environment. Many modern formats (i.e. Windows PE) still maintain 20 | compatibility stub with this format. 21 | 22 | As opposed to .com file format (which basically sports one 64K code 23 | segment of raw CPU instructions), DOS MZ .exe file format allowed 24 | more flexible memory management, loading of larger programs and 25 | added support for relocations. 26 | doc-ref: http://www.delorie.com/djgpp/doc/exe/ 27 | seq: 28 | - id: header 29 | type: exe_header 30 | - id: body 31 | size: header.len_body # computed from header fields below, not from the actual input length 32 | instances: 33 | relocations: 34 | pos: header.mz.ofs_relocations # file-supplied offset, not range-checked here 35 | io: header._io 36 | type: relocation 37 | repeat: expr 38 | repeat-expr: header.mz.num_relocations 39 | if: header.mz.ofs_relocations != 0 40 | types: 41 | exe_header: 42 | seq: 43 | - id: mz 44 | type: mz_header 45 | - id: rest_of_header 46 | size: mz.len_header - mz._sizeof # NOTE(review): a header_size * 16 smaller than the fixed-size mz_header makes this negative 47 | instances: 48 | len_body: 49 | value: '(mz.last_page_extra_bytes == 0 ? 
mz.num_pages * 512 : (mz.num_pages - 1) * 512 + mz.last_page_extra_bytes) - mz.len_header' # NOTE(review): every operand is file-supplied; the result can go negative or exceed the remaining input 50 | mz_header: 51 | seq: 52 | - id: magic 53 | size: 2 54 | type: str 55 | valid: 56 | any-of: 57 | - '"MZ"' 58 | - '"ZM"' # either byte order of the signature is accepted 59 | - id: last_page_extra_bytes 60 | type: u2 61 | - id: num_pages 62 | type: u2 63 | - id: num_relocations 64 | type: u2 65 | - id: header_size 66 | type: u2 67 | - id: min_allocation 68 | type: u2 69 | - id: max_allocation 70 | type: u2 71 | - id: initial_ss 72 | type: u2 73 | - id: initial_sp 74 | type: u2 75 | - id: checksum 76 | type: u2 # stored value only; nothing in this spec checks it 77 | - id: initial_ip 78 | type: u2 79 | - id: initial_cs 80 | type: u2 81 | - id: ofs_relocations 82 | type: u2 83 | - id: overlay_id 84 | type: u2 85 | instances: 86 | len_header: 87 | value: header_size * 16 # header length in bytes; header_size is scaled by 16 here 88 | relocation: 89 | seq: 90 | - id: ofs 91 | type: u2 92 | - id: seg 93 | type: u2 94 | -------------------------------------------------------------------------------- /executable/mach_o_fat.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: mach_o_fat 3 | title: macOS Mach-O multiarch ("fat") binary 4 | license: CC0-1.0 5 | imports: 6 | - mach_o 7 | endian: be 8 | 9 | doc: | 10 | This is a simple container format that encapsulates multiple Mach-O files, 11 | each generally for a different architecture. XNU can execute these files just 12 | like single-arch Mach-Os and will pick the appropriate entry.
13 | 14 | doc-ref: https://opensource.apple.com/source/xnu/xnu-7195.121.3/EXTERNAL_HEADERS/mach-o/fat.h.auto.html 15 | 16 | seq: 17 | - id: magic 18 | contents: [0xca, 0xfe, 0xba, 0xbe] 19 | - id: num_fat_arch 20 | -orig-id: nfat_arch 21 | type: u4 22 | - id: fat_archs 23 | type: fat_arch 24 | repeat: expr 25 | repeat-expr: num_fat_arch 26 | 27 | types: 28 | fat_arch: 29 | seq: 30 | - id: cpu_type 31 | -orig-id: cputype 32 | type: u4 33 | enum: mach_o::cpu_type 34 | - id: cpu_subtype 35 | -orig-id: cpusubtype 36 | type: u4 37 | - id: ofs_object 38 | -orig-id: offset 39 | type: u4 40 | - id: len_object 41 | -orig-id: size 42 | type: u4 43 | - id: align 44 | type: u4 45 | 46 | instances: 47 | object: 48 | pos: ofs_object 49 | size: len_object 50 | type: mach_o 51 | -------------------------------------------------------------------------------- /filesystem/amlogic_emmc_partitions.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: amlogic_emmc_partitions 3 | title: Amlogic proprietary eMMC partition table 4 | license: CC0-1.0 5 | ks-version: 0.9 6 | encoding: UTF-8 7 | endian: le 8 | bit-endian: le 9 | 10 | doc: | 11 | This is an unnamed and undocumented partition table format implemented by 12 | the bootloader and kernel that Amlogic provides for their Linux SoCs (Meson 13 | series at least, and probably others). They appear to use this rather than GPT, 14 | the industry standard, because their BootROM loads and executes the next stage 15 | loader from offset 512 (0x200) on the eMMC, which is exactly where the GPT 16 | header would have to start. So instead of changing their BootROM, Amlogic 17 | devised this partition table, which lives at an offset of 36MiB (0x240_0000) 18 | on the eMMC and so doesn't conflict. This parser expects as input just the 19 | partition table from that offset. The maximum number of partitions in a table 20 | is 32, which corresponds to a maximum table size of 1304 bytes (0x518). 
21 | 22 | doc-ref: 23 | - http://aml-code.amlogic.com/kernel/common.git/tree/include/linux/mmc/emmc_partitions.h?id=18a4a87072ababf76ea08c8539e939b5b8a440ef 24 | - http://aml-code.amlogic.com/kernel/common.git/tree/drivers/amlogic/mmc/emmc_partitions.c?id=18a4a87072ababf76ea08c8539e939b5b8a440ef 25 | 26 | seq: 27 | - id: magic 28 | contents: ["MPT", 0] 29 | - id: version 30 | size: 12 31 | type: strz 32 | - id: num_partitions 33 | -orig-id: part_num 34 | type: s4 35 | valid: 36 | min: 1 37 | max: 32 38 | - id: checksum 39 | type: u4 40 | doc: | 41 | To calculate this, treat the first (and only the first) partition 42 | descriptor in the table below as an array of unsigned little-endian 43 | 32-bit integers. Sum all those integers mod 2^32, then multiply the 44 | result by the total number of partitions, also mod 2^32. Amlogic 45 | likely meant to include all the partition descriptors in the sum, 46 | but their code as written instead repeatedly loops over the first 47 | one, once for each partition in the table. 
48 | - id: partitions 49 | type: partition 50 | repeat: expr 51 | repeat-expr: num_partitions 52 | 53 | types: 54 | partition: 55 | seq: 56 | - id: name 57 | size: 16 58 | type: strz 59 | - id: size 60 | type: u8 61 | - id: offset 62 | type: u8 63 | doc: | 64 | The start of the partition relative to the start of the eMMC, in bytes 65 | - id: flags 66 | size: 4 67 | type: part_flags 68 | - id: padding 69 | size: 4 70 | 71 | types: 72 | part_flags: 73 | seq: 74 | - id: is_code 75 | -orig-id: STORE_CODE 76 | type: b1 77 | - id: is_cache 78 | -orig-id: STORE_CACHE 79 | type: b1 80 | - id: is_data 81 | -orig-id: STORE_DATA 82 | type: b1 83 | -------------------------------------------------------------------------------- /filesystem/apm_partition_table.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: apm_partition_table 3 | title: APM (Apple Partition Map) partition table 4 | xref: 5 | forensicswiki: apm 6 | justsolve: Apple_Partition_Map 7 | wikidata: Q375944 8 | tags: 9 | - filesystem 10 | - macos 11 | license: CC0-1.0 12 | encoding: ascii 13 | endian: be 14 | doc-ref: https://en.wikipedia.org/wiki/Apple_Partition_Map 15 | instances: 16 | sector_size: 17 | value: 0x200 18 | doc: | 19 | 0x200 (512) bytes for disks, 0x1000 (4096) bytes is not supported by APM 20 | 0x800 (2048) bytes for CDROM 21 | partition_lookup: 22 | io: _root._io 23 | pos: _root.sector_size 24 | size: sector_size 25 | type: partition_entry 26 | doc: | 27 | Every partition entry contains the number of partition entries. 28 | We parse the first entry, to know how many to parse, including the first one. 29 | No logic is given what to do if other entries have a different number. 
30 | partition_entries: 31 | io: _root._io 32 | pos: _root.sector_size 33 | size: sector_size 34 | type: partition_entry 35 | repeat: expr 36 | repeat-expr: _root.partition_lookup.number_of_partitions 37 | types: 38 | partition_entry: 39 | seq: 40 | - id: magic 41 | contents: [ 0x50, 0x4d ] 42 | - id: reserved_1 43 | size: 0x2 44 | - id: number_of_partitions 45 | type: u4 46 | - id: partition_start 47 | type: u4 48 | doc: "First sector" 49 | - id: partition_size 50 | type: u4 51 | doc: "Number of sectors" 52 | - id: partition_name 53 | type: strz 54 | size: 0x20 55 | - id: partition_type 56 | type: strz 57 | size: 0x20 58 | - id: data_start 59 | type: u4 60 | doc: "First sector" 61 | - id: data_size 62 | type: u4 63 | doc: "Number of sectors" 64 | - id: partition_status 65 | type: u4 66 | - id: boot_code_start 67 | type: u4 68 | doc: "First sector" 69 | - id: boot_code_size 70 | type: u4 71 | doc: "Number of bytes" 72 | - id: boot_loader_address 73 | type: u4 74 | doc: "Address of bootloader code" 75 | - id: reserved_2 76 | size: 0x4 77 | - id: boot_code_entry 78 | type: u4 79 | doc: "Boot code entry point" 80 | - id: reserved_3 81 | size: 0x4 82 | - id: boot_code_cksum 83 | type: u4 84 | doc: "Boot code checksum" 85 | - id: processor_type 86 | type: strz 87 | size: 0x10 88 | # Skipping the remaining of the sector, it should be all 0x00 89 | instances: 90 | partition: 91 | io: _root._io 92 | pos: partition_start * _root.sector_size 93 | size: partition_size * _root.sector_size 94 | if: 'partition_status & 1 != 0' 95 | data: 96 | io: _root._io 97 | pos: data_start * _root.sector_size 98 | size: data_size * _root.sector_size 99 | boot_code: 100 | io: _root._io 101 | pos: boot_code_start * _root.sector_size 102 | size: boot_code_size 103 | -------------------------------------------------------------------------------- /filesystem/apple_single_double.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: 
apple_single_double 3 | title: AppleSingle / AppleDouble 4 | xref: 5 | forensicswiki: appledouble_header_file 6 | justsolve: AppleDouble 7 | rfc: 1740 8 | wikidata: Q4781113 9 | tags: 10 | - filesystem 11 | - macos 12 | license: CC0-1.0 13 | endian: be 14 | doc: | 15 | AppleSingle and AppleDouble files are used by certain Mac 16 | applications (e.g. Finder) to store Mac-specific file attributes on 17 | filesystems that do not support that. 18 | 19 | Syntactically, both formats are the same, the only difference is how 20 | they are being used: 21 | 22 | * AppleSingle means that only one file will be created on external 23 | filesystem that will hold both the data (AKA "data fork" in Apple 24 | terminology), and the attributes (AKA "resource fork"). 25 | * AppleDouble means that two files will be created: a normal file 26 | that keeps the data ("data fork") is kept separately from an 27 | auxiliary file that contains attributes ("resource fork"), which 28 | is kept with the same name, but starting with an extra dot and 29 | underscore `._` to keep it hidden. 30 | 31 | In modern practice (Mac OS X), Finder only uses AppleDouble to keep 32 | compatibility with other OSes, as virtually nobody outside of Mac 33 | understands how to access data in AppleSingle container. 34 | doc-ref: http://kaiser-edv.de/documents/AppleSingle_AppleDouble.pdf 35 | seq: 36 | - id: magic 37 | type: u4 38 | enum: file_type 39 | - id: version 40 | type: u4 41 | - id: reserved 42 | size: 16 43 | doc: Must be all 0. 
44 | - id: num_entries 45 | type: u2 46 | - id: entries 47 | type: entry 48 | repeat: expr 49 | repeat-expr: num_entries 50 | enums: 51 | file_type: 52 | 0x00051600: apple_single 53 | 0x00051607: apple_double 54 | types: 55 | entry: 56 | seq: 57 | - id: type 58 | type: u4 59 | enum: types 60 | - id: ofs_body 61 | type: u4 62 | - id: len_body 63 | type: u4 64 | instances: 65 | body: 66 | pos: ofs_body 67 | size: len_body 68 | type: 69 | switch-on: type 70 | cases: 71 | 'types::finder_info': finder_info 72 | enums: 73 | types: 74 | 1: 75 | id: data_fork 76 | 2: 77 | id: resource_fork 78 | 3: 79 | id: real_name 80 | doc: File name on a file system that supports all the attributes. 81 | 4: 82 | id: comment 83 | 5: 84 | id: icon_bw 85 | 6: 86 | id: icon_color 87 | 8: 88 | id: file_dates_info 89 | doc: File creation, modification, access date/timestamps. 90 | 9: 91 | id: finder_info 92 | 10: 93 | id: macintosh_file_info 94 | 11: 95 | id: prodos_file_info 96 | 12: 97 | id: msdos_file_info 98 | 13: 99 | id: afp_short_name 100 | 14: 101 | id: afp_file_info 102 | 15: 103 | id: afp_directory_id 104 | finder_info: 105 | -orig-id: FInfo 106 | doc: Information specific to Finder 107 | doc-ref: older Inside Macintosh, Volume II page 84 or Volume IV page 104. 108 | seq: 109 | - id: file_type 110 | -orig-id: fdType 111 | size: 4 112 | - id: file_creator 113 | -orig-id: fdCreator 114 | size: 4 115 | - id: flags 116 | -orig-id: fdFlags 117 | type: u2 118 | - id: location 119 | -orig-id: fdLocation 120 | type: point 121 | doc: File icon's coordinates when displaying this folder. 122 | - id: folder_id 123 | -orig-id: fdFldr 124 | type: u2 125 | doc: File folder ID (=window). 126 | point: 127 | doc: Specifies 2D coordinate in QuickDraw grid. 
128 | seq: 129 | - id: x 130 | type: u2 131 | - id: y 132 | type: u2 133 | -------------------------------------------------------------------------------- /filesystem/cramfs.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: cramfs 3 | xref: 4 | justsolve: Cramfs 5 | wikidata: Q747406 6 | tags: 7 | - filesystem 8 | - linux 9 | license: MIT 10 | endian: le 11 | seq: 12 | - id: super_block 13 | type: super_block_struct 14 | 15 | instances: 16 | page_size: 17 | value: 4096 18 | 19 | types: 20 | super_block_struct: 21 | seq: 22 | - id: magic 23 | contents: [0x45, 0x3D, 0xCD, 0x28] 24 | - id: size 25 | type: u4 26 | - id: flags 27 | type: u4 28 | - id: future 29 | type: u4 30 | - id: signature 31 | contents: 'Compressed ROMFS' 32 | - id: fsid 33 | type: info 34 | - id: name 35 | type: str 36 | size: 16 37 | encoding: ASCII 38 | - id: root 39 | type: inode 40 | instances: 41 | # flags 42 | flag_fsid_v2: 43 | value: (flags >> 0) & 1 44 | flag_sorted_dirs: 45 | value: (flags >> 1) & 1 46 | flag_holes: 47 | value: (flags >> 8) & 1 48 | flag_wrong_signature: 49 | value: (flags >> 9) & 1 50 | flag_shifted_root_offset: 51 | value: (flags >> 10) & 1 52 | 53 | info: 54 | seq: 55 | - id: crc 56 | type: u4 57 | - id: edition 58 | type: u4 59 | - id: blocks 60 | type: u4 61 | - id: files 62 | type: u4 63 | 64 | inode: 65 | seq: 66 | - id: mode 67 | type: u2 68 | - id: uid 69 | type: u2 70 | - id: size_gid 71 | type: u4 72 | - id: namelen_offset 73 | type: u4 74 | - id: name 75 | type: str 76 | size: namelen 77 | encoding: utf-8 78 | instances: 79 | # -- [mode] -- 80 | type: 81 | value: (mode >> 12) & 0b1111 82 | enum: file_type 83 | attr: 84 | value: (mode >> 9) & 0b0111 85 | perm_u: 86 | value: (mode >> 6) & 0b0111 87 | perm_g: 88 | value: (mode >> 3) & 0b0111 89 | perm_o: 90 | value: mode & 0b0111 91 | # -- [size_gid] -- 92 | size: 93 | value: size_gid & 0xFFFFFF 94 | gid: 95 | value: size_gid >> 24 96 | # -- [namelen_offset] 
-- 97 | namelen: 98 | value: (namelen_offset & 0x3F) << 2 99 | offset: 100 | value: ((namelen_offset >> 6) & 0x3FFFFFF) << 2 101 | # -- [type dependent data] -- 102 | as_reg_file: 103 | io: _root._io 104 | pos: offset 105 | type: chunked_data_inode 106 | as_symlink: 107 | io: _root._io 108 | pos: offset 109 | type: chunked_data_inode 110 | as_dir: 111 | io: _root._io 112 | pos: offset 113 | size: size 114 | type: dir_inode 115 | enums: 116 | file_type: 117 | 1: fifo 118 | 2: chrdev 119 | 4: dir 120 | 6: blkdev 121 | 8: reg_file 122 | 10: symlink 123 | 12: socket 124 | 125 | chunked_data_inode: 126 | seq: 127 | - id: block_end_index 128 | type: u4 129 | repeat: expr 130 | repeat-expr: (_parent.size + _root.page_size - 1) / _root.page_size 131 | 132 | # Correct decoding can't yet be described -- raw data for now. 133 | - id: raw_blocks 134 | size-eos: true 135 | 136 | #- id: raw_blocks 137 | # size: block_end_index[i] - _io.pos 138 | # repeat: expr 139 | # repeat-expr: (_parent.size + _root.page_size - 1) / _root.page_size 140 | 141 | dir_inode: 142 | seq: 143 | - id: children 144 | repeat: eos 145 | type: inode 146 | if: _io.size > 0 147 | -------------------------------------------------------------------------------- /filesystem/gpt_partition_table.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: gpt_partition_table 3 | title: GPT (GUID) partition table 4 | xref: 5 | forensicswiki: gpt 6 | justsolve: GUID_Partition_Table 7 | wikidata: Q603889 8 | license: CC0-1.0 9 | endian: le 10 | doc-ref: https://en.wikipedia.org/wiki/GUID_Partition_Table 11 | instances: 12 | sector_size: 13 | value: 0x200 14 | # Default is 0x200 for 512 byte sectors, set to 0x1000 to parse 4096 byte sectors. 
15 | primary: 16 | io: _root._io 17 | pos: _root.sector_size 18 | type: partition_header 19 | backup: 20 | io: _root._io 21 | pos: _io.size - _root.sector_size 22 | type: partition_header 23 | types: 24 | partition_entry: 25 | seq: 26 | - id: type_guid 27 | size: 0x10 28 | - id: guid 29 | size: 0x10 30 | - id: first_lba 31 | type: u8 32 | - id: last_lba 33 | type: u8 34 | - id: attributes 35 | type: u8 36 | - id: name 37 | type: str 38 | encoding: UTF-16LE 39 | size: 0x48 40 | partition_header: 41 | seq: 42 | - id: signature 43 | contents: [0x45, 0x46, 0x49, 0x20, 0x50, 0x41, 0x52, 0x54] 44 | - id: revision 45 | type: u4 46 | - id: header_size 47 | type: u4 48 | - id: crc32_header 49 | type: u4 50 | - id: reserved 51 | type: u4 52 | - id: current_lba 53 | type: u8 54 | - id: backup_lba 55 | type: u8 56 | - id: first_usable_lba 57 | type: u8 58 | - id: last_usable_lba 59 | type: u8 60 | - id: disk_guid 61 | size: 0x10 62 | - id: entries_start 63 | type: u8 64 | - id: entries_count 65 | type: u4 66 | - id: entries_size 67 | type: u4 68 | - id: crc32_array 69 | type: u4 70 | # The document states "Reserved; must be zeroes for the rest of the block". 71 | # It would be pointless to process a data structure that must be zeroed. 
72 | instances: 73 | entries: 74 | io: _root._io 75 | pos: entries_start * _root.sector_size 76 | size: entries_size 77 | type: partition_entry 78 | repeat: expr 79 | repeat-expr: entries_count 80 | -------------------------------------------------------------------------------- /filesystem/luks.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: luks 3 | title: Linux Unified Key Setup 4 | xref: 5 | forensicswiki: linux_unified_key_setup_(luks) 6 | justsolve: LUKS 7 | wikidata: Q29000504 8 | tags: 9 | - filesystem 10 | - linux 11 | license: CC0-1.0 12 | encoding: ASCII 13 | endian: be 14 | doc: | 15 | Linux Unified Key Setup (LUKS) is a format specification for storing disk 16 | encryption parameters and up to 8 user keys (which can unlock the master key). 17 | doc-ref: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf 18 | seq: 19 | - id: partition_header 20 | type: partition_header 21 | types: 22 | partition_header: 23 | seq: 24 | - id: magic 25 | contents: [0x4C, 0x55, 0x4B, 0x53, 0xBA, 0xBE] 26 | - id: version 27 | contents: [0x00, 0x01] # only version 1 matches; any other value fails the parse here 28 | - id: cipher_name_specification 29 | type: str 30 | size: 32 # fixed 32-byte ASCII field; type is str rather than strz, so trailing padding bytes stay in the value 31 | - id: cipher_mode_specification 32 | type: str 33 | size: 32 34 | - id: hash_specification 35 | type: str 36 | size: 32 37 | - id: payload_offset 38 | type: u4 39 | - id: number_of_key_bytes 40 | type: u4 41 | - id: master_key_checksum 42 | size: 20 43 | - id: master_key_salt_parameter 44 | size: 32 45 | - id: master_key_iterations_parameter 46 | type: u4 # parsed as-is, no minimum enforced; NOTE(review): presumably the KDF iteration count for the master-key digest, confirm against the doc-ref 47 | - id: uuid 48 | type: str 49 | size: 40 50 | - id: key_slots 51 | type: key_slot 52 | repeat: expr 53 | repeat-expr: 8 54 | types: 55 | key_slot: 56 | seq: 57 | - id: state_of_key_slot 58 | type: u4 59 | enum: key_slot_states 60 | - id: iteration_parameter 61 | type: u4 62 | - id: salt_parameter 63 | size: 32 64 | - id: start_sector_of_key_material 65 | type: u4 66 | - id: number_of_anti_forensic_stripes 67 | type: u4
68 | instances: 69 | key_material: 70 | pos: start_sector_of_key_material * 512 # file-supplied sector number, not range-checked 71 | size: _parent.number_of_key_bytes * number_of_anti_forensic_stripes # both factors are file-supplied u4 values with no upper bound; no `if:` limits this instance to enabled slots 72 | enums: 73 | key_slot_states: 74 | 0x0000DEAD: disabled_key_slot 75 | 0x00AC71F3: enabled_key_slot 76 | instances: 77 | payload: 78 | pos: partition_header.payload_offset * 512 79 | size-eos: true # raw bytes from the payload offset to end of input; this spec does no decryption 80 | -------------------------------------------------------------------------------- /filesystem/mbr_partition_table.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: mbr_partition_table 3 | title: MBR (Master Boot Record) partition table 4 | xref: 5 | forensicswiki: master_boot_record 6 | justsolve: Master_Boot_Record 7 | wikidata: Q624752 8 | tags: 9 | - dos 10 | license: CC0-1.0 11 | endian: le 12 | doc: | 13 | MBR (Master Boot Record) partition table is a traditional way of 14 | MS-DOS to partition larger hard disc drives into distinct 15 | partitions. 16 | 17 | This table is stored in the end of the boot sector (first sector) of 18 | the drive, after the bootstrap code. Original DOS 2.0 specification 19 | allowed only 4 partitions per disc, but DOS 3.2 introduced concept 20 | of "extended partitions", which work as nested extra "boot records" 21 | which are pointed to by original ("primary") partitions in MBR.
22 | seq: 23 | - id: bootstrap_code 24 | size: 0x1be 25 | - id: partitions 26 | type: partition_entry 27 | repeat: expr 28 | repeat-expr: 4 29 | - id: boot_signature 30 | contents: [0x55, 0xaa] 31 | types: 32 | partition_entry: 33 | seq: 34 | - id: status 35 | type: u1 36 | - id: chs_start 37 | type: chs 38 | - id: partition_type 39 | type: u1 40 | - id: chs_end 41 | type: chs 42 | - id: lba_start 43 | type: u4 44 | - id: num_sectors 45 | type: u4 46 | chs: 47 | seq: 48 | - id: head 49 | type: u1 50 | - id: b2 51 | type: u1 52 | - id: b3 53 | type: u1 54 | instances: 55 | sector: 56 | value: 'b2 & 0b111111' 57 | cylinder: 58 | value: 'b3 + ((b2 & 0b11000000) << 2)' 59 | -------------------------------------------------------------------------------- /filesystem/vmware_vmdk.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: vmware_vmdk 3 | title: VMWare Virtual Disk 4 | file-extension: vmdk 5 | xref: 6 | forensicswiki: vmware_virtual_disk_format_(vmdk) 7 | justsolve: VMDK 8 | wikidata: Q2658179 9 | license: CC0-1.0 10 | endian: le 11 | doc-ref: 'https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc#41-file-header' 12 | seq: 13 | - id: magic 14 | contents: "KDMV" 15 | - id: version 16 | type: s4 17 | - id: flags 18 | type: header_flags 19 | - id: size_max 20 | type: s8 21 | doc: Maximum number of sectors in a given image file (capacity) 22 | - id: size_grain 23 | type: s8 24 | - id: start_descriptor 25 | type: s8 26 | doc: Embedded descriptor file start sector number (0 if not available) 27 | - id: size_descriptor 28 | type: s8 29 | doc: Number of sectors that embedded descriptor file occupies 30 | - id: num_grain_table_entries 31 | type: s4 32 | doc: Number of grains table entries 33 | - id: start_secondary_grain 34 | type: s8 35 | doc: Secondary (backup) grain directory start sector number 36 | - id: start_primary_grain 37 | type: s8 38 | doc: Primary grain 
directory start sector number 39 | - id: size_metadata 40 | type: s8 41 | - id: is_dirty 42 | type: u1 43 | - id: stuff 44 | size: 4 45 | - id: compression_method 46 | type: u2 47 | enum: compression_methods 48 | enums: 49 | compression_methods: 50 | 0: none 51 | 1: deflate 52 | instances: 53 | len_sector: 54 | value: 0x200 55 | descriptor: 56 | pos: start_descriptor * _root.len_sector 57 | size: size_descriptor * _root.len_sector 58 | grain_primary: 59 | pos: start_primary_grain * _root.len_sector 60 | size: size_grain * _root.len_sector 61 | grain_secondary: 62 | pos: start_secondary_grain * _root.len_sector 63 | size: size_grain * _root.len_sector 64 | types: 65 | header_flags: 66 | doc-ref: 'https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc#411-flags' 67 | seq: 68 | - id: reserved1 69 | type: b5 70 | - id: zeroed_grain_table_entry 71 | # 0x00000004 72 | type: b1 73 | - id: use_secondary_grain_dir 74 | # 0x00000002 75 | type: b1 76 | - id: valid_new_line_detection_test 77 | # 0x00000001 78 | type: b1 79 | - id: reserved2 80 | type: u1 81 | - id: reserved3 82 | type: b6 83 | - id: has_metadata 84 | # 0x00020000 85 | type: b1 86 | - id: has_compressed_grain 87 | # 0x00010000 88 | type: b1 89 | - id: reserved4 90 | type: u1 91 | -------------------------------------------------------------------------------- /filesystem/zx_spectrum_tap.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: zx_spectrum_tap 3 | title: ZX Spectrum tape file 4 | file-extension: tap 5 | xref: 6 | justsolve: TAP_(ZX_Spectrum) 7 | pronom: fmt/801 8 | wikidata: Q34748140 9 | license: CC0-1.0 10 | endian: le 11 | doc: | 12 | TAP files are used by emulators of ZX Spectrum computer (released in 13 | 1982 by Sinclair Research). TAP file stores blocks of data as if 14 | they are written to magnetic tape, which was used as primary media 15 | for ZX Spectrum.
Contents of this file can be viewed as a very 16 | simple linear filesystem, storing named files with some basic 17 | metainformation prepended as a header. 18 | doc-ref: https://sinclair.wiki.zxnet.co.uk/wiki/TAP_format 19 | seq: 20 | - id: blocks 21 | type: block 22 | repeat: eos 23 | enums: 24 | flag_enum: 25 | 0x00: header 26 | 0xFF: data 27 | header_type_enum: 28 | 0: program 29 | 1: num_array 30 | 2: char_array 31 | 3: bytes 32 | types: 33 | block: 34 | seq: 35 | - id: len_block 36 | type: u2 37 | - id: flag 38 | type: u1 39 | enum: flag_enum 40 | - id: header 41 | type: header 42 | if: len_block == 0x13 and flag == flag_enum::header 43 | - id: data 44 | size: header.len_data + 4 45 | if: len_block == 0x13 # NOTE(review): `header` is parsed only when flag is also `header`; with len_block == 0x13 and any other flag the size expression reads an absent field 46 | - id: headerless_data 47 | size: len_block - 1 48 | if: flag == flag_enum::data # NOTE(review): a len_block of 0 makes the size negative, and with len_block == 0x13 this condition holds together with the one on `data` 49 | header: 50 | seq: 51 | - id: header_type 52 | type: u1 53 | enum: header_type_enum 54 | - id: filename 55 | size: 10 56 | pad-right: 0x20 57 | - id: len_data 58 | type: u2 59 | - id: params 60 | type: 61 | switch-on: header_type 62 | cases: 63 | 'header_type_enum::program': program_params 64 | 'header_type_enum::num_array': array_params 65 | 'header_type_enum::char_array': array_params 66 | 'header_type_enum::bytes': bytes_params 67 | - id: checksum 68 | type: u1 # stored value only; nothing in this spec checks it 69 | doc: Bitwise XOR of all bytes including the flag byte 70 | program_params: 71 | seq: 72 | - id: autostart_line 73 | type: u2 74 | - id: len_program 75 | type: u2 76 | array_params: 77 | seq: 78 | - id: reserved 79 | type: u1 80 | - id: var_name 81 | type: u1 82 | doc: Variable name (1..26 meaning A$..Z$ +192) 83 | - id: reserved1 84 | contents: [0x00, 0x80] 85 | bytes_params: 86 | seq: 87 | - id: start_address 88 | type: u2 89 | - id: reserved 90 | size: 2 91 | -------------------------------------------------------------------------------- /firmware/andes_firmware.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: andes_firmware 3 | title: Andes
Firmware Image layout as seen in MT76 Wifi Chipsets 4 | application: Firmware Image wifi chipset 5 | license: CC0-1.0 6 | endian: le 7 | doc: Firmware image found with MediaTek MT76xx wifi chipsets. 8 | seq: 9 | - id: image_header 10 | type: image_header 11 | size: 32 12 | - id: ilm 13 | size: image_header.ilm_len 14 | - id: dlm 15 | size: image_header.dlm_len 16 | types: 17 | image_header: 18 | seq: 19 | - id: ilm_len 20 | type: u4 21 | - id: dlm_len 22 | type: u4 23 | - id: fw_ver 24 | type: u2 25 | - id: build_ver 26 | type: u2 27 | - id: extra 28 | type: u4 29 | - id: build_time 30 | type: str 31 | size: 16 32 | encoding: UTF-8 33 | -------------------------------------------------------------------------------- /font/grub2_font.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: grub2_font 3 | title: GRUB 2 font 4 | application: GRUB 2 5 | file-extension: pf2 6 | xref: 7 | justsolve: PFF2 8 | wikidata: Q29650337 9 | tags: 10 | - font 11 | license: CC0-1.0 12 | encoding: ASCII 13 | endian: be 14 | doc: | 15 | Bitmap font format for the GRUB 2 bootloader. 16 | doc-ref: https://grub.gibibit.com/New_font_format 17 | seq: 18 | - id: magic 19 | contents: ["FILE", 0, 0, 0, 4, "PFF2"] 20 | size: 12 21 | - id: sections 22 | type: section 23 | repeat: until 24 | repeat-until: _.section_type == "DATA" 25 | doc: | 26 | The "DATA" section acts as a terminator. The documentation says: 27 | "A marker that indicates the remainder of the file is data accessed 28 | via the character index (CHIX) section. When reading this font file, 29 | the rest of the file can be ignored when scanning the sections." 
30 | types: 31 | section: 32 | seq: 33 | - id: section_type 34 | size: 4 35 | type: str 36 | - id: len_body 37 | type: u4 38 | doc: Should be set to `0xFFFF_FFFF` for `section_type != "DATA"` 39 | - id: body 40 | size: len_body 41 | type: 42 | switch-on: section_type 43 | cases: 44 | '"NAME"': name_section 45 | '"FAMI"': fami_section 46 | '"WEIG"': weig_section 47 | '"SLAN"': slan_section 48 | '"PTSZ"': ptsz_section 49 | '"MAXW"': maxw_section 50 | '"MAXH"': maxh_section 51 | '"ASCE"': asce_section 52 | '"DESC"': desc_section 53 | '"CHIX"': chix_section 54 | if: section_type != "DATA" 55 | name_section: 56 | seq: 57 | - id: font_name 58 | type: strz 59 | fami_section: 60 | seq: 61 | - id: font_family_name 62 | type: strz 63 | weig_section: 64 | seq: 65 | - id: font_weight 66 | type: strz 67 | slan_section: 68 | seq: 69 | - id: font_slant 70 | type: strz 71 | ptsz_section: 72 | seq: 73 | - id: font_point_size 74 | type: u2 75 | maxw_section: 76 | seq: 77 | - id: maximum_character_width 78 | type: u2 79 | maxh_section: 80 | seq: 81 | - id: maximum_character_height 82 | type: u2 83 | asce_section: 84 | seq: 85 | - id: ascent_in_pixels 86 | type: u2 87 | desc_section: 88 | seq: 89 | - id: descent_in_pixels 90 | type: u2 91 | chix_section: 92 | seq: 93 | - id: characters 94 | type: character 95 | repeat: eos 96 | types: 97 | character: 98 | seq: 99 | - id: code_point 100 | type: u4 101 | doc: Unicode code point 102 | - id: flags 103 | type: u1 104 | - id: ofs_definition 105 | type: u4 106 | instances: 107 | definition: 108 | io: _root._io 109 | pos: ofs_definition 110 | type: character_definition 111 | character_definition: 112 | seq: 113 | - id: width 114 | type: u2 115 | - id: height 116 | type: u2 117 | - id: x_offset 118 | type: s2 119 | - id: y_offset 120 | type: s2 121 | - id: device_width 122 | type: s2 123 | - id: bitmap_data 124 | size: (width * height + 7) / 8 # ceiled integer division 125 | doc: | 126 | A two-dimensional bitmap, one bit per pixel. 
It is organized as 127 | row-major, top-down, left-to-right. The most significant bit of 128 | each byte corresponds to the leftmost or uppermost pixel from all 129 | bits of the byte. If a bit is set (1, `true`), the pixel is set to 130 | the font color, if a bit is clear (0, `false`), the pixel is 131 | transparent. 132 | 133 | Rows are **not** padded to byte boundaries (i.e., a 134 | single byte may contain bits belonging to multiple rows). The last 135 | byte of the bitmap _is_ padded with zero bits at all unused least 136 | significant bit positions so that the bitmap ends on a byte 137 | boundary. 138 | -------------------------------------------------------------------------------- /game/dune_2_pak.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: dune_2_pak 3 | application: Dune 2 game engine 4 | file-extension: pak 5 | license: CC0-1.0 6 | ks-version: 0.8 7 | encoding: ASCII 8 | endian: le 9 | doc-ref: https://moddingwiki.shikadi.net/wiki/PAK_Format_(Westwood) 10 | seq: 11 | - id: dir 12 | size: dir_size 13 | type: files 14 | instances: 15 | dir_size: 16 | pos: 0 17 | type: u4 18 | types: 19 | files: 20 | seq: 21 | - id: files 22 | type: file(_index) 23 | repeat: eos 24 | file: 25 | params: 26 | - id: idx 27 | type: u4 28 | seq: 29 | - id: ofs 30 | type: u4 31 | - id: file_name 32 | type: strz 33 | if: ofs != 0 34 | instances: 35 | next_ofs0: 36 | value: _root.dir.files[idx + 1].ofs 37 | if: ofs != 0 38 | next_ofs: 39 | value: 'next_ofs0 == 0 ? 
_root._io.size : next_ofs0' 40 | if: ofs != 0 41 | body: 42 | io: _root._io 43 | pos: ofs 44 | size: next_ofs - ofs # NOTE(review): ofs and the next entry's ofs are read from the file; nothing here checks next_ofs >= ofs 45 | if: ofs != 0 46 | -------------------------------------------------------------------------------- /game/fallout2_dat.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: fallout2_dat 3 | application: Fallout 2 4 | file-extension: dat 5 | xref: 6 | wikidata: Q32097899 7 | license: CC0-1.0 8 | endian: le 9 | types: 10 | pstr: 11 | seq: 12 | - id: size 13 | type: u4 14 | - id: str 15 | type: str 16 | size: size 17 | encoding: ASCII 18 | footer: 19 | seq: 20 | - id: index_size 21 | type: u4 22 | - id: file_size 23 | type: u4 24 | index: 25 | seq: 26 | - id: file_count 27 | type: u4 28 | - id: files 29 | type: file 30 | repeat: expr 31 | repeat-expr: file_count 32 | file: 33 | seq: 34 | - id: name 35 | type: pstr 36 | - id: flags 37 | type: u1 38 | enum: compression 39 | - id: size_unpacked 40 | type: u4 41 | - id: size_packed 42 | type: u4 43 | - id: offset 44 | type: u4 45 | instances: 46 | contents_raw: 47 | io: _root._io 48 | pos: offset 49 | size: size_unpacked 50 | if: flags == compression::none 51 | contents_zlib: 52 | io: _root._io 53 | pos: offset 54 | size: size_packed 55 | process: zlib # NOTE(review): size_unpacked is not consulted on this path, so the inflated length is unbounded from the spec's point of view; cap it in the caller when archives are untrusted 56 | if: flags == compression::zlib 57 | contents: 58 | value: 'flags == compression::zlib ?
contents_zlib : contents_raw' 59 | if: flags == compression::zlib or flags == compression::none 60 | instances: 61 | footer: 62 | pos: _io.size - 8 63 | type: footer 64 | index: 65 | pos: _io.size - 8 - footer.index_size 66 | type: index 67 | enums: 68 | compression: 69 | 0: none 70 | 1: zlib 71 | -------------------------------------------------------------------------------- /game/fallout_dat.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: fallout_dat 3 | application: Fallout 4 | file-extension: dat 5 | xref: 6 | wikidata: Q32097740 7 | license: CC0-1.0 8 | endian: be 9 | seq: 10 | - id: folder_count 11 | type: u4 12 | - id: unknown1 13 | type: u4 14 | - id: unknown2 15 | type: u4 16 | - id: timestamp 17 | type: u4 18 | - id: folder_names 19 | type: pstr 20 | repeat: expr 21 | repeat-expr: folder_count 22 | - id: folders 23 | type: folder 24 | repeat: expr 25 | repeat-expr: folder_count 26 | types: 27 | pstr: 28 | seq: 29 | - id: size 30 | type: u1 31 | - id: str 32 | type: str 33 | size: size 34 | encoding: ASCII 35 | folder: 36 | seq: 37 | - id: file_count 38 | type: u4 39 | - id: unknown 40 | type: u4 41 | - id: flags 42 | type: u4 43 | - id: timestamp 44 | type: u4 45 | - id: files 46 | type: file 47 | repeat: expr 48 | repeat-expr: file_count 49 | file: 50 | seq: 51 | - id: name 52 | type: pstr 53 | - id: flags 54 | type: u4 55 | enum: compression 56 | - id: offset 57 | type: u4 58 | - id: size_unpacked 59 | type: u4 60 | - id: size_packed 61 | type: u4 62 | instances: 63 | contents: 64 | io: _root._io 65 | pos: offset 66 | size: "(flags == compression::none) ? 
size_unpacked : size_packed" 67 | enums: 68 | compression: 69 | 32: none 70 | 64: lzss 71 | -------------------------------------------------------------------------------- /game/ftl_dat.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: ftl_dat 3 | application: Faster Than Light (FTL) 4 | file-extension: dat 5 | license: CC0-1.0 6 | endian: le 7 | seq: 8 | - id: num_files 9 | type: u4 10 | doc: Number of files in the archive 11 | - id: files 12 | type: file 13 | repeat: expr 14 | repeat-expr: num_files 15 | types: 16 | file: 17 | seq: 18 | - id: ofs_meta 19 | type: u4 20 | instances: 21 | meta: 22 | pos: ofs_meta 23 | type: meta 24 | if: ofs_meta != 0 25 | meta: 26 | seq: 27 | - id: len_file 28 | type: u4 29 | - id: len_filename 30 | type: u4 31 | - id: filename 32 | type: str 33 | size: len_filename 34 | encoding: UTF-8 35 | - id: body 36 | size: len_file 37 | -------------------------------------------------------------------------------- /game/gran_turismo_vol.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: gran_turismo_vol 3 | title: Gran Turismo File System (GTFS) 4 | file-extension: vol 5 | xref: 6 | wikidata: Q32096599 7 | license: CC0-1.0 8 | endian: le 9 | seq: 10 | - id: magic 11 | contents: ["GTFS", 0, 0, 0, 0] 12 | - id: num_files 13 | type: u2 14 | - id: num_entries 15 | type: u2 16 | - id: reserved 17 | contents: [0, 0, 0, 0] 18 | - id: offsets 19 | type: u4 20 | repeat: expr 21 | repeat-expr: num_files 22 | instances: 23 | ofs_dir: 24 | value: offsets[1] 25 | files: 26 | pos: ofs_dir & 0xFFFFF800 27 | type: file_info 28 | repeat: expr 29 | repeat-expr: _root.num_entries 30 | types: 31 | file_info: 32 | seq: 33 | - id: timestamp 34 | type: u4 35 | - id: offset_idx 36 | type: u2 37 | - id: flags 38 | type: u1 39 | - id: name 40 | type: str 41 | encoding: ASCII 42 | size: 25 43 | pad-right: 0 44 | terminator: 0 45 | instances: 46 | size: 47 | 
value: '(_root.offsets[offset_idx + 1] & 0xFFFFF800) - _root.offsets[offset_idx]' 48 | body: 49 | pos: _root.offsets[offset_idx] & 0xFFFFF800 50 | size: size 51 | if: not is_dir 52 | is_dir: 53 | value: 'flags & 1 != 0' 54 | is_last_entry: 55 | value: 'flags & 0x80 != 0' 56 | -------------------------------------------------------------------------------- /game/heaps_pak.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: heaps_pak 3 | application: Games based on Haxe Game Framework "Heaps" (e.g. Dead Cells) 4 | file-extension: pak 5 | license: MIT 6 | encoding: UTF-8 7 | endian: le 8 | doc-ref: 'https://github.com/HeapsIO/heaps/blob/2bbc2b386952dfd8856c04a854bb706a52cb4b58/hxd/fmt/pak/Reader.hx' 9 | seq: 10 | - id: header 11 | type: header 12 | types: 13 | header: 14 | seq: 15 | - id: magic1 16 | contents: 'PAK' 17 | - id: version 18 | type: u1 19 | - id: len_header 20 | type: u4 21 | - id: len_data 22 | type: u4 23 | - id: root_entry 24 | type: entry 25 | size: len_header - 16 26 | - id: magic2 27 | contents: 'DATA' 28 | types: 29 | entry: 30 | doc-ref: 'https://github.com/HeapsIO/heaps/blob/2bbc2b386952dfd8856c04a854bb706a52cb4b58/hxd/fmt/pak/Data.hx' 31 | seq: 32 | - id: len_name 33 | type: u1 34 | - id: name 35 | type: str 36 | size: len_name 37 | - id: flags 38 | type: flags 39 | - id: body 40 | type: 41 | switch-on: flags.is_dir 42 | cases: 43 | true : dir 44 | false : file 45 | types: 46 | flags: 47 | seq: 48 | - id: unused 49 | type: b7 50 | - id: is_dir 51 | type: b1 52 | file: 53 | seq: 54 | - id: ofs_data 55 | type: u4 56 | - id: len_data 57 | type: u4 58 | # Adler32 checksum 59 | - id: checksum 60 | size: 4 61 | instances: 62 | data: 63 | io: _root._io 64 | pos: _root.header.len_header + ofs_data 65 | size: len_data 66 | dir: 67 | seq: 68 | - id: num_entries 69 | type: u4 70 | - id: entries 71 | type: entry 72 | repeat: expr 73 | repeat-expr: num_entries 74 | 
-------------------------------------------------------------------------------- /game/heroes_of_might_and_magic_agg.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: heroes_of_might_and_magic_agg 3 | application: Heroes of Might and Magic 4 | file-extension: agg 5 | license: CC0-1.0 6 | endian: le 7 | doc-ref: https://web.archive.org/web/20170215190034/http://rewiki.regengedanken.de/wiki/.AGG_(Heroes_of_Might_and_Magic) 8 | seq: 9 | - id: num_files 10 | type: u2 11 | - id: entries 12 | type: entry 13 | repeat: expr 14 | repeat-expr: num_files 15 | types: 16 | entry: 17 | seq: 18 | - id: hash 19 | type: u2 20 | - id: offset 21 | type: u4 22 | - id: size 23 | type: u4 24 | - id: size2 25 | type: u4 26 | instances: 27 | body: 28 | pos: offset 29 | size: size 30 | filename: 31 | seq: 32 | - id: str 33 | type: strz 34 | encoding: ASCII 35 | instances: 36 | filenames: 37 | pos: entries.last.offset + entries.last.size 38 | size: 15 39 | type: filename 40 | repeat: expr 41 | repeat-expr: num_files 42 | -------------------------------------------------------------------------------- /game/heroes_of_might_and_magic_bmp.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: heroes_of_might_and_magic_bmp 3 | application: Heroes of Might and Magic 4 | file-extension: bmp 5 | license: CC0-1.0 6 | endian: le 7 | seq: 8 | - id: magic 9 | type: u2 10 | - id: width 11 | type: u2 12 | - id: height 13 | type: u2 14 | - id: data 15 | size: 'width * height' 16 | -------------------------------------------------------------------------------- /game/quake_pak.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: quake_pak 3 | application: Quake game engine 4 | file-extension: pak 5 | xref: 6 | justsolve: Quake_PAK 7 | wikidata: Q105854676 8 | license: CC0-1.0 9 | endian: le 10 | doc-ref: 
'https://quakewiki.org/wiki/.pak#Format_specification' 11 | seq: 12 | - id: magic 13 | contents: 'PACK' 14 | - id: ofs_index 15 | type: u4 16 | - id: len_index 17 | type: u4 18 | instances: 19 | index: 20 | pos: ofs_index 21 | size: len_index 22 | type: index_struct 23 | types: 24 | index_struct: 25 | seq: 26 | - id: entries 27 | type: index_entry 28 | repeat: eos 29 | index_entry: 30 | seq: 31 | - id: name 32 | type: str 33 | size: 56 34 | encoding: UTF-8 35 | terminator: 0 36 | pad-right: 0 37 | - id: ofs 38 | type: u4 39 | - id: size 40 | type: u4 41 | instances: 42 | body: 43 | io: _root._io 44 | pos: ofs 45 | size: size 46 | -------------------------------------------------------------------------------- /game/saints_row_2_vpp_pc.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: saints_row_2_vpp_pc 3 | title: Saints Row 2 game packages 4 | file-extension: vpp_pc 5 | license: MIT 6 | encoding: UTF-8 7 | endian: le 8 | seq: 9 | - id: magic 10 | contents: [0xce, 0x0a, 0x89, 0x51, 0x04] 11 | - id: pad1 12 | size: 0x14f 13 | - id: num_files 14 | type: s4 15 | - id: container_size 16 | type: s4 17 | - id: len_offsets 18 | type: s4 19 | - id: len_filenames 20 | type: s4 21 | - id: len_extensions 22 | type: s4 23 | - id: smth5 24 | type: s4 25 | - id: smth6 26 | type: s4 27 | - id: smth7 28 | type: s4 29 | - id: smth8 30 | type: s4 31 | - id: smth9 32 | type: s4 33 | instances: 34 | files: 35 | pos: 0x800 36 | size: len_offsets 37 | type: offsets 38 | ofs_filenames: 39 | value: ((0x800 + len_offsets) & 0xfffff800) + 0x800 40 | filenames: 41 | pos: ofs_filenames 42 | size: len_filenames 43 | type: strings 44 | ofs_extensions: 45 | value: ((ofs_filenames + len_filenames) & 0xfffff800) + 0x800 46 | extensions: 47 | pos: ofs_extensions 48 | size: len_extensions 49 | type: strings 50 | data_start: 51 | value: ((ofs_extensions + len_extensions) & 0xfffff800) + 0x800 52 | types: 53 | offsets: 54 | seq: 55 | - id: entries
56 | type: offset 57 | repeat: eos 58 | types: 59 | offset: 60 | seq: 61 | - id: name_ofs 62 | type: u4 63 | - id: ext_ofs 64 | type: u4 65 | - id: smth2 66 | type: s4 67 | - id: ofs_body 68 | type: s4 69 | - id: len_body 70 | type: s4 71 | - id: always_minus_1 72 | type: s4 73 | - id: always_zero 74 | type: s4 75 | instances: 76 | filename: 77 | io: _root.filenames._io 78 | pos: name_ofs 79 | type: strz 80 | ext: 81 | io: _root.extensions._io 82 | pos: ext_ofs 83 | type: strz 84 | body: 85 | io: _root._io 86 | pos: _root.data_start + ofs_body 87 | size: len_body 88 | strings: 89 | seq: 90 | - id: entries 91 | type: strz 92 | repeat: eos 93 | -------------------------------------------------------------------------------- /geospatial/shapefile_index.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: shapefile_index 3 | title: Shapefile index file 4 | file-extension: shx 5 | xref: 6 | justsolve: Shapefile 7 | loc: fdd000280 # ESRI Shapefile 8 | pronom: fmt/277 9 | wikidata: Q27487109 10 | license: CC0-1.0 11 | endian: le 12 | seq: 13 | - id: header 14 | type: file_header 15 | - id: records 16 | type: record 17 | repeat: eos 18 | doc: the size of this section of the file in bytes must equal (header.file_length * 2) - 100 19 | types: 20 | file_header: 21 | seq: 22 | - id: file_code 23 | contents: [0x00, 0x00, 0x27, 0x0a] 24 | doc: corresponds to s4be value of 9994 25 | - id: unused_field_1 26 | contents: [0, 0, 0, 0] 27 | - id: unused_field_2 28 | contents: [0, 0, 0, 0] 29 | - id: unused_field_3 30 | contents: [0, 0, 0, 0] 31 | - id: unused_field_4 32 | contents: [0, 0, 0, 0] 33 | - id: unused_field_5 34 | contents: [0, 0, 0, 0] 35 | - id: file_length 36 | type: s4be 37 | - id: version 38 | contents: [0xe8, 0x03, 0x00, 0x00] 39 | doc: corresponds to s4le value of 1000 40 | - id: shape_type 41 | type: s4 42 | enum: shape_type 43 | - id: bounding_box 44 | type: bounding_box_x_y_z_m 45 | record: 46 | seq: 47 | - id: 
offset 48 | type: s4be 49 | - id: content_length 50 | type: s4be 51 | bounding_box_x_y_z_m: 52 | seq: 53 | - id: x 54 | type: bounds_min_max 55 | - id: y 56 | type: bounds_min_max 57 | - id: z 58 | type: bounds_min_max 59 | - id: m 60 | type: bounds_min_max 61 | bounds_min_max: 62 | seq: 63 | - id: min 64 | type: f8be 65 | - id: max 66 | type: f8be 67 | enums: 68 | shape_type: 69 | 0: null_shape 70 | 1: point 71 | 3: poly_line 72 | 5: polygon 73 | 8: multi_point 74 | 11: point_z 75 | 13: poly_line_z 76 | 15: polygon_z 77 | 18: multi_point_z 78 | 21: point_m 79 | 23: poly_line_m 80 | 25: polygon_m 81 | 28: multi_point_m 82 | 31: multi_patch 83 | -------------------------------------------------------------------------------- /image/ico.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: ico 3 | title: Microsoft Windows icon file 4 | file-extension: ico 5 | xref: 6 | justsolve: ICO 7 | mime: 8 | - image/x-icon 9 | - image/vnd.microsoft.icon 10 | pronom: x-fmt/418 11 | wikidata: Q729366 12 | tags: 13 | - windows 14 | license: CC0-1.0 15 | endian: le 16 | doc: | 17 | Microsoft Windows uses specific file format to store applications 18 | icons - ICO. This is a container that contains one or more image 19 | files (effectively, DIB parts of BMP files or full PNG files are 20 | contained inside). 
21 | doc-ref: https://learn.microsoft.com/en-us/previous-versions/ms997538(v=msdn.10) 22 | seq: 23 | - id: magic 24 | contents: [0, 0, 1, 0] 25 | - id: num_images 26 | -orig-id: idCount 27 | type: u2 28 | doc: Number of images contained in this file 29 | - id: images 30 | -orig-id: idEntries 31 | type: icon_dir_entry 32 | repeat: expr 33 | repeat-expr: num_images 34 | types: 35 | icon_dir_entry: 36 | -orig-id: ICONDIRENTRY 37 | seq: 38 | - id: width 39 | -orig-id: bWidth 40 | type: u1 41 | doc: Width of image, px 42 | - id: height 43 | -orig-id: bHeight 44 | type: u1 45 | doc: Height of image, px 46 | - id: num_colors 47 | -orig-id: bColorCount 48 | type: u1 49 | doc: | 50 | Number of colors in palette of the image or 0 if image has 51 | no palette (i.e. RGB, RGBA, etc) 52 | - id: reserved 53 | -orig-id: bReserved 54 | contents: [0] 55 | - id: num_planes 56 | -orig-id: wPlanes 57 | type: u2 58 | doc: Number of color planes 59 | - id: bpp 60 | -orig-id: wBitCount 61 | type: u2 62 | doc: Bits per pixel in the image 63 | - id: len_img 64 | -orig-id: dwBytesInRes 65 | type: u4 66 | doc: Size of the image data 67 | - id: ofs_img 68 | -orig-id: dwImageOffset 69 | type: u4 70 | doc: Absolute offset of the image data start in the file 71 | instances: 72 | img: 73 | pos: ofs_img 74 | size: len_img 75 | doc: | 76 | Raw image data. Use `is_png` to determine whether this is an 77 | embedded PNG file (true) or a DIB bitmap (false) and call a 78 | relevant parser, if needed to parse image data further. 79 | png_header: 80 | pos: ofs_img 81 | size: 8 82 | doc: | 83 | Pre-reads first 8 bytes of the image to determine if it's an 84 | embedded PNG file. 85 | is_png: 86 | value: png_header == [137, 80, 78, 71, 13, 10, 26, 10] 87 | doc: True if this image is in PNG format. 
88 | -------------------------------------------------------------------------------- /image/pcx.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: pcx 3 | file-extension: pcx 4 | xref: 5 | justsolve: PCX 6 | mime: 7 | - image/vnd.zbrush.pcx 8 | - image/x-pcx 9 | pronom: 10 | # see `/enums/versions` map 11 | - fmt/86 # PCX 0 12 | - fmt/87 # PCX 2 13 | - fmt/88 # PCX 3 14 | - fmt/89 # PCX 4 15 | - fmt/90 # PCX 5 16 | wikidata: Q535473 17 | license: CC0-1.0 18 | endian: le 19 | doc: | 20 | PCX is a bitmap image format originally used by PC Paintbrush from 21 | ZSoft Corporation. Originally, it was a relatively simple 128-byte 22 | header + uncompressed bitmap format, but latest versions introduced 23 | more complicated palette support and RLE compression. 24 | 25 | There's an option to encode 32-bit or 16-bit RGBA pixels, and thus 26 | it can potentially include transparency. Theoretically, it's 27 | possible to encode resolution or pixel density in some of the 28 | header fields too, but in reality there's no uniform standard for 29 | these, so different implementations treat these differently. 30 | 31 | PCX format was never made a formal standard. "ZSoft Corporation 32 | Technical Reference Manual" for "Image File (.PCX) Format", last 33 | updated in 1991, is likely the closest authoritative source.
34 | doc-ref: https://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt 35 | seq: 36 | - id: hdr 37 | type: header 38 | size: 128 39 | instances: 40 | palette_256: 41 | pos: _io.size - 769 42 | type: t_palette_256 43 | if: hdr.version == versions::v3_0 and hdr.bits_per_pixel == 8 and hdr.num_planes == 1 44 | doc-ref: https://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt - "VGA 256 Color Palette Information" 45 | types: 46 | header: 47 | doc-ref: https://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt - "ZSoft .PCX FILE HEADER FORMAT" 48 | seq: 49 | - id: magic 50 | contents: [0x0a] 51 | doc: | 52 | Technically, this field was supposed to be "manufacturer" 53 | mark to distinguish between various software vendors, and 54 | 0x0a was supposed to mean "ZSoft", but everyone else ended 55 | up writing a 0x0a into this field, so that's what majority 56 | of modern software expects to have in this attribute. 57 | - id: version 58 | type: u1 59 | enum: versions 60 | - id: encoding 61 | type: u1 62 | enum: encodings 63 | - id: bits_per_pixel 64 | type: u1 65 | - id: img_x_min 66 | type: u2 67 | - id: img_y_min 68 | type: u2 69 | - id: img_x_max 70 | type: u2 71 | - id: img_y_max 72 | type: u2 73 | - id: hdpi 74 | type: u2 75 | - id: vdpi 76 | type: u2 77 | - id: palette_16 78 | size: 48 79 | - id: reserved 80 | contents: [0] 81 | - id: num_planes 82 | type: u1 83 | - id: bytes_per_line 84 | type: u2 85 | - id: palette_info 86 | type: u2 87 | - id: h_screen_size 88 | type: u2 89 | - id: v_screen_size 90 | type: u2 91 | t_palette_256: 92 | seq: 93 | - id: magic 94 | contents: [0x0c] 95 | - id: colors 96 | type: rgb 97 | repeat: expr 98 | repeat-expr: 256 99 | rgb: 100 | seq: 101 | - id: r 102 | type: u1 103 | - id: g 104 | type: u1 105 | - id: b 106 | type: u1 107 | enums: 108 | versions: 109 | 0: v2_5 110 | 2: v2_8_with_palette 111 | 3: v2_8_without_palette 112 | 4: paintbrush_for_windows 113 | 5: v3_0 114 | 
encodings: 115 | 1: rle 116 | -------------------------------------------------------------------------------- /image/pcx_dcx.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: pcx_dcx 3 | file-extension: dcx 4 | xref: 5 | justsolve: DCX 6 | mime: image/x-dcx 7 | pronom: x-fmt/348 8 | wikidata: Q28205890 9 | license: CC0-1.0 10 | imports: 11 | - pcx 12 | endian: le 13 | doc: | 14 | DCX is a simple extension of PCX image format allowing to bundle 15 | many PCX images (typically, pages of a document) in one file. It saw 16 | some limited use in DOS-era fax software, but was largely 17 | superseded with multi-page TIFFs and PDFs since then. 18 | seq: 19 | - id: magic 20 | contents: [0xb1, 0x68, 0xde, 0x3a] 21 | - id: files 22 | type: pcx_offset 23 | repeat: until 24 | repeat-until: _.ofs_body == 0 25 | types: 26 | pcx_offset: 27 | seq: 28 | - id: ofs_body 29 | type: u4 30 | instances: 31 | body: 32 | pos: ofs_body 33 | type: pcx 34 | if: ofs_body != 0 35 | -------------------------------------------------------------------------------- /image/psx_tim.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: psx_tim 3 | application: Sony PlayStation (PSX) typical image format 4 | file-extension: tim 5 | xref: 6 | justsolve: TIM_(PlayStation_graphics) 7 | wikidata: Q28207389 8 | license: CC0-1.0 9 | ks-version: 0.9 10 | endian: le 11 | doc-ref: 12 | - http://fileformats.archiveteam.org/wiki/TIM_(PlayStation_graphics) 13 | - https://mrclick.zophar.net/TilEd/download/timgfx.txt 14 | - https://www.romhacking.net/documents/31/ 15 | seq: 16 | - id: magic 17 | contents: [0x10, 0, 0, 0] 18 | - id: flags 19 | type: u4 20 | doc: Encodes bits-per-pixel and whether CLUT is present in a file or not 21 | - id: clut 22 | type: bitmap 23 | if: has_clut 24 | doc: CLUT (Color LookUp Table), one or several palettes for indexed color image, represented as a bitmap 25 | - id: img 26 | type: bitmap
27 | types: 28 | bitmap: 29 | seq: 30 | - id: len 31 | type: u4 32 | - id: origin_x 33 | type: u2 34 | - id: origin_y 35 | type: u2 36 | - id: width 37 | type: u2 38 | - id: height 39 | type: u2 40 | - id: body 41 | size: len - 12 # 4 + 4 * 2 42 | instances: 43 | has_clut: 44 | value: flags & 0b1000 != 0 45 | bpp: 46 | value: flags & 0b0011 47 | enums: 48 | bpp_type: 49 | 0: bpp_4 50 | 1: bpp_8 51 | 2: bpp_16 52 | 3: bpp_24 53 | -------------------------------------------------------------------------------- /image/xwd.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: xwd 3 | title: xwd (X Window Dump) bitmap image 4 | application: xwd 5 | file-extension: xwd 6 | xref: 7 | justsolve: XWD 8 | pronom: fmt/401 9 | license: CC0-1.0 10 | endian: be 11 | doc: | 12 | xwd is a file format written by eponymous X11 screen capture 13 | application (xwd stands for "X Window Dump"). Typically, an average 14 | user transforms xwd format into something more widespread by any of 15 | `xwdtopnm` and `pnmto...` utilities right away. 16 | 17 | xwd format itself provides a raw uncompressed bitmap with some 18 | metainformation, like pixel format, width, height, bit depth, 19 | etc. Note that technically format includes machine-dependent fields 20 | and thus is probably a poor choice for true cross-platform usage. 
21 | seq: 22 | - id: len_header 23 | type: u4 24 | doc: Size of the header in bytes 25 | - id: hdr 26 | size: len_header - 4 27 | type: header 28 | - id: color_map 29 | size: 12 30 | type: color_map_entry 31 | repeat: expr 32 | repeat-expr: hdr.color_map_entries 33 | types: 34 | header: 35 | seq: 36 | - id: file_version 37 | type: u4 38 | doc: X11WD file version (always 07h) 39 | - id: pixmap_format 40 | type: u4 41 | doc: Format of the image data 42 | enum: pixmap_format 43 | - id: pixmap_depth 44 | type: u4 45 | doc: Pixmap depth in pixels - in practice, bits per pixel 46 | - id: pixmap_width 47 | type: u4 48 | doc: Pixmap width in pixels 49 | - id: pixmap_height 50 | type: u4 51 | doc: Pixmap height in pixels 52 | - id: x_offset 53 | type: u4 54 | doc: Bitmap X offset (number of pixels to ignore at the beginning of each scan-line) 55 | - id: byte_order 56 | type: u4 57 | doc: Byte order of image data 58 | enum: byte_order 59 | - id: bitmap_unit 60 | type: u4 61 | doc: Bitmap base data size 62 | - id: bitmap_bit_order 63 | type: u4 64 | doc: Bit-order of image data 65 | - id: bitmap_pad 66 | type: u4 67 | doc: Bitmap scan-line pad 68 | - id: bits_per_pixel 69 | type: u4 70 | doc: Bits per pixel 71 | - id: bytes_per_line 72 | type: u4 73 | doc: Bytes per scan-line 74 | - id: visual_class 75 | type: u4 76 | doc: Class of the image 77 | enum: visual_class 78 | - id: red_mask 79 | type: u4 80 | doc: Red mask 81 | - id: green_mask 82 | type: u4 83 | doc: Green mask 84 | - id: blue_mask 85 | type: u4 86 | doc: Blue mask 87 | - id: bits_per_rgb 88 | type: u4 89 | doc: Size of each color mask in bits 90 | - id: number_of_colors 91 | type: u4 92 | doc: Number of colors in image 93 | - id: color_map_entries 94 | type: u4 95 | doc: Number of entries in color map 96 | - id: window_width 97 | type: u4 98 | doc: Window width 99 | - id: window_height 100 | type: u4 101 | doc: Window height 102 | - id: window_x 103 | type: s4 104 | doc: Window upper left X coordinate 105 | - id: 
window_y 106 | type: s4 107 | doc: Window upper left Y coordinate 108 | - id: window_border_width 109 | type: u4 110 | doc: Window border width 111 | - id: creator 112 | type: strz 113 | encoding: UTF-8 114 | doc: Program that created this xwd file 115 | color_map_entry: 116 | seq: 117 | - id: entry_number 118 | type: u4 119 | doc: Number of the color map entry 120 | - id: red 121 | type: u2 122 | - id: green 123 | type: u2 124 | - id: blue 125 | type: u2 126 | - id: flags 127 | type: u1 128 | - id: padding 129 | type: u1 130 | enums: 131 | pixmap_format: 132 | 0: x_y_bitmap 133 | 1: x_y_pixmap 134 | 2: z_pixmap 135 | byte_order: 136 | 0: le 137 | 1: be 138 | visual_class: 139 | 0: static_gray 140 | 1: gray_scale 141 | 2: static_color 142 | 3: pseudo_color 143 | 4: true_color 144 | 5: direct_color 145 | -------------------------------------------------------------------------------- /log/aix_utmp.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: aix_utmp 3 | title: utmp log file, IBM AIX version 4 | license: CC0-1.0 5 | endian: be 6 | doc: This spec can be used to parse utmp, wtmp and other similar files as created by IBM AIX.
7 | doc-ref: https://www.ibm.com/docs/en/aix/7.1?topic=files-utmph-file 8 | seq: 9 | - id: records 10 | type: record 11 | repeat: eos 12 | types: 13 | record: 14 | seq: 15 | - id: user 16 | -orig-id: ut_user 17 | doc: User login name 18 | size: 256 19 | type: str # NOTE(review): fixed-size str with no terminator or pad-right, so the parsed value includes whatever padding follows the name; trim it before matching (inittab_id, device and hostname are declared the same way) 20 | encoding: ascii 21 | - id: inittab_id 22 | -orig-id: ut_id 23 | doc: /etc/inittab id 24 | size: 14 25 | type: str 26 | encoding: ascii 27 | - id: device 28 | -orig-id: ut_line 29 | doc: device name (console, lnxx) 30 | size: 64 31 | type: str 32 | encoding: ascii 33 | - id: pid 34 | -orig-id: ut_pid 35 | type: u8 36 | doc: process id 37 | - id: type 38 | -orig-id: ut_type 39 | type: s2 40 | doc: Type of login 41 | enum: entry_type 42 | - id: timestamp 43 | -orig-id: ut_time 44 | type: s8 45 | doc: time entry was made 46 | - id: exit_status 47 | -orig-id: ut_exit 48 | type: exit_status 49 | doc: the exit status of a process marked as DEAD PROCESS 50 | - id: hostname 51 | -orig-id: ut_host 52 | size: 256 53 | doc: host name 54 | type: str 55 | encoding: ascii 56 | - id: dbl_word_pad 57 | type: s4 58 | - id: reserved_a 59 | size: 8 60 | - id: reserved_v 61 | size: 24 62 | exit_status: 63 | seq: 64 | - id: termination_code 65 | -orig-id: e_termination 66 | type: s2 67 | doc: process termination status 68 | - id: exit_code 69 | -orig-id: e_exit 70 | type: s2 71 | doc: process exit status 72 | enums: 73 | entry_type: 74 | 0: empty 75 | 1: run_lvl 76 | 2: boot_time 77 | 3: old_time 78 | 4: new_time 79 | 5: init_process 80 | 6: login_process 81 | 7: user_process 82 | 8: dead_process 83 | 9: accounting 84 | -------------------------------------------------------------------------------- /log/glibc_utmp.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: glibc_utmp 3 | title: utmp log file, Linux/glibc version 4 | xref: 5 | wikidata: Q3570128 6 | tags: 7 | - linux 8 | - log 9 | license: CC0-1.0 10 | endian: le 11 | seq: 12 | - id: records 13 | size: 0x180 14 |
type: record 15 | repeat: eos 16 | types: 17 | record: 18 | seq: 19 | - id: ut_type 20 | type: s4 21 | doc: Type of login 22 | enum: entry_type 23 | - id: pid 24 | type: s4 25 | doc: Process ID of login process 26 | - id: line 27 | type: str 28 | encoding: UTF-8 29 | size: 32 30 | doc: Devicename 31 | - id: id 32 | type: str 33 | encoding: UTF-8 34 | size: 4 35 | doc: Inittab ID 36 | - id: user 37 | type: str 38 | encoding: UTF-8 39 | size: 32 40 | doc: Username 41 | - id: host 42 | type: str 43 | encoding: UTF-8 44 | size: 256 45 | doc: Hostname for remote login 46 | - id: exit 47 | type: u4 48 | doc: Exit status of a process marked as DEAD_PROCESS 49 | - id: session 50 | type: s4 51 | doc: Session ID, used for windowing 52 | - id: tv 53 | type: timeval 54 | doc: Time entry was made 55 | - id: addr_v6 56 | size: 16 57 | doc: Internet address of remote host 58 | - id: reserved 59 | size: 20 60 | timeval: 61 | seq: 62 | - id: sec 63 | type: u4 64 | doc: Seconds 65 | - id: usec 66 | type: s4 67 | doc: Microseconds 68 | enums: 69 | entry_type: 70 | 0: empty 71 | 1: run_lvl 72 | 2: boot_time 73 | 3: new_time 74 | 4: old_time 75 | 5: init_process 76 | 6: login_process 77 | 7: user_process 78 | 8: dead_process 79 | 9: accounting 80 | -------------------------------------------------------------------------------- /log/hashcat_restore.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: hashcat_restore 3 | title: Hashcat Restore file 4 | file-extension: restore 5 | license: CC0-1.0 6 | endian: le 7 | doc-ref: https://hashcat.net/wiki/doku.php?id=restore 8 | seq: 9 | - id: version 10 | type: u4 11 | - id: cwd 12 | type: strz 13 | size: 256 14 | encoding: UTF-8 15 | - id: dicts_pos 16 | type: u4 17 | - id: masks_pos 18 | type: u4 19 | - id: padding 20 | size: 4 21 | - id: current_restore_point 22 | type: u8 23 | - id: argc 24 | type: u4 25 | - id: padding2 26 | size: 12 27 | - id: argv 28 | type: strz 29 | encoding: UTF-8 
30 | terminator: 0x0A 31 | repeat: expr 32 | repeat-expr: argc 33 | -------------------------------------------------------------------------------- /log/sudoers_ts.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: sudoers_ts 3 | title: Sudoers Time Stamp file 4 | license: CC0-1.0 5 | tags: 6 | - linux 7 | endian: le 8 | doc: | 9 | This spec can be used to parse sudo time stamp files located in directories 10 | such as /run/sudo/ts/$USER or /var/lib/sudo/ts/$USER. 11 | doc-ref: https://www.sudo.ws/docs/man/1.8.27/sudoers_timestamp.man/ 12 | seq: 13 | - id: records 14 | type: record 15 | repeat: eos 16 | types: 17 | record: 18 | seq: 19 | - id: version 20 | doc: version number of the timestamp_entry struct 21 | type: u2 22 | - id: len_record 23 | doc: size of the record in bytes 24 | type: u2 25 | -orig-id: size 26 | - id: payload 27 | size: len_record - 4 # the 4 bytes subtracted are presumably the version and len_record fields (u2 each) read just above. NOTE(review): len_record is taken from the file, so a value below 4 makes this size negative; treat such a record as malformed. How a negative size is reported depends on the target runtime - TODO confirm 28 | type: 29 | switch-on: version 30 | cases: 31 | 1: record_v1 32 | 2: record_v2 33 | record_v1: 34 | seq: 35 | - id: type 36 | doc: record type 37 | type: u2 38 | enum: ts_type 39 | - id: flags 40 | doc: record flags 41 | type: ts_flag 42 | - id: auth_uid 43 | doc: user ID that was used for authentication 44 | type: u4 45 | - id: sid 46 | doc: session ID associated with tty/ppid 47 | type: u4 48 | - id: ts 49 | doc: time stamp, from a monotonic time source 50 | type: timespec 51 | - id: ttydev 52 | doc: device number of the terminal associated with the session 53 | if: type == ts_type::tty 54 | type: u4 55 | - id: ppid 56 | doc: ID of the parent process 57 | if: type == ts_type::ppid 58 | type: u4 59 | record_v2: 60 | seq: 61 | - id: type 62 | doc: record type 63 | type: u2 64 | enum: ts_type 65 | - id: flags 66 | doc: record flags 67 | type: ts_flag 68 | - id: auth_uid 69 | doc: user ID that was used for authentication 70 | type: u4 71 | - id: sid 72 | doc: ID of the user's terminal session, if present (when type is TS_TTY) 73 | type: u4 74 | - id: 
start_time 75 | doc: start time of the session leader for records of type TS_TTY or of the parent process for records of type TS_PPID 76 | type: timespec 77 | - id: ts 78 | doc: actual time stamp, from a monotonic time source 79 | type: timespec 80 | - id: ttydev 81 | doc: device number of the terminal associated with the session 82 | if: type == ts_type::tty 83 | type: u4 84 | - id: ppid 85 | doc: ID of the parent process 86 | if: type == ts_type::ppid 87 | type: u4 88 | timespec: 89 | seq: 90 | - id: sec 91 | type: s8 92 | doc: seconds 93 | - id: nsec 94 | type: s8 95 | doc: nanoseconds 96 | ts_flag: 97 | seq: 98 | - id: reserved0 99 | doc: Reserved (unused) bits 100 | type: b6 101 | - id: anyuid 102 | doc: ignore uid 103 | type: b1 104 | -orig-id: TS_ANYUID 105 | - id: disabled 106 | doc: entry disabled 107 | type: b1 108 | -orig-id: TS_DISABLED 109 | - id: reserved1 110 | doc: Reserved (unused) bits 111 | type: b8 112 | enums: 113 | ts_type: 114 | 1: global 115 | 2: tty 116 | 3: ppid 117 | 4: lockexcl 118 | -------------------------------------------------------------------------------- /macos/resource_compression/dcmp_variable_length_integer.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: dcmp_variable_length_integer 3 | title: Variable-length integer used in Apple `'dcmp' (0)` and `'dcmp' (1)` compressed resource formats 4 | application: Mac OS 5 | license: MIT 6 | ks-version: "0.8" 7 | endian: be 8 | doc: | 9 | A variable-length integer, 10 | in the format used by the 0xfe chunks in the `'dcmp' (0)` and `'dcmp' (1)` resource compression formats. 11 | See the dcmp_0 and dcmp_1 specs for more information about these compression formats. 
12 | 13 | This variable-length integer format can store an integer `x` in any of the following ways: 14 | 15 | * In a single byte, 16 | if `0 <= x <= 0x7f` 17 | (7-bit unsigned integer) 18 | * In 2 bytes, 19 | if `-0x4000 <= x <= 0x3eff` 20 | (15-bit signed integer with the highest `0x100` values unavailable) 21 | * In 5 bytes, if `-0x80000000 <= x <= 0x7fffffff` 22 | (32-bit signed integer) 23 | 24 | In practice, 25 | values are always stored in the smallest possible format, 26 | but technically any of the larger formats could be used as well. 27 | doc-ref: 'https://github.com/dgelessus/python-rsrcfork/blob/f891a6e/src/rsrcfork/compress/common.py' 28 | seq: 29 | - id: first 30 | type: u1 31 | doc: | 32 | The first byte of the variable-length integer. 33 | This determines which storage format is used. 34 | 35 | * For the 1-byte format, 36 | this encodes the entire value of the value. 37 | * For the 2-byte format, 38 | this encodes the high 7 bits of the value, 39 | minus `0xc0`. 40 | The highest bit of the value, 41 | i. e. the second-highest bit of this field, 42 | is the sign bit. 43 | * For the 5-byte format, 44 | this is always `0xff`. 45 | - id: more 46 | type: 47 | switch-on: first 48 | cases: 49 | 0xff: s4 50 | _: u1 51 | if: first >= 0x80 52 | doc: | 53 | The remaining bytes of the variable-length integer. 54 | 55 | * For the 1-byte format, 56 | this is not present. 57 | * For the 2-byte format, 58 | this encodes the low 8 bits of the value. 59 | * For the 5-byte format, 60 | this encodes the entire value. 61 | instances: 62 | value: 63 | value: | 64 | first == 0xff ? more 65 | : first >= 0x80 ? (first << 8 | more) - 0xc000 66 | : first 67 | doc: | 68 | The decoded value of the variable-length integer. 
69 | -------------------------------------------------------------------------------- /media/android_opengl_shaders_cache.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: android_opengl_shaders_cache 3 | title: com.android.opengl.shaders_cache file 4 | application: Android 5 | tags: 6 | - android 7 | - media 8 | license: Apache-2.0 9 | endian: le 10 | 11 | doc: | 12 | Android apps using directly or indirectly OpenGL cache compiled shaders 13 | into com.android.opengl.shaders_cache file. 14 | doc-ref: https://android.googlesource.com/platform/frameworks/native/+/master/opengl/libs/EGL/FileBlobCache.cpp 15 | 16 | seq: 17 | - id: magic 18 | contents: "EGL$" 19 | - id: crc32 20 | type: u4 21 | doc: crc32 of `contents` # this spec only reads the stored value; nothing in it compares the value with `contents`, so a consumer that relies on it has to check it separately 22 | - id: contents 23 | type: cache 24 | size-eos: true 25 | 26 | types: 27 | alignment: 28 | seq: 29 | - id: alignment 30 | size: "(_io.pos + 3) & ~3 - _io.pos" # NOTE(review): looks intended to skip to the next 4-byte boundary, i.e. ((_io.pos + 3) & ~3) - _io.pos; verify that `&` is applied before the subtraction as written, otherwise the computed size is wrong for unaligned positions - TODO confirm 31 | doc: garbage from memory 32 | prefixed_string: 33 | seq: 34 | - id: len_str 35 | type: u4 36 | -orig-id: mBuildIdLength 37 | - id: str 38 | type: strz 39 | encoding: ascii 40 | size: len_str 41 | -orig-id: mBuildId, buildId 42 | - id: alignment 43 | type: alignment 44 | cache: 45 | doc-ref: https://android.googlesource.com/platform/frameworks/native/+/master/opengl/libs/EGL/BlobCache.cpp 46 | seq: 47 | - id: magic 48 | -orig-id: mMagicNumber, blobCacheMagic 49 | contents: ["$bB_"] 50 | - id: version 51 | type: u4 52 | -orig-id: mBlobCacheVersion, blobCacheVersion 53 | - id: device_version 54 | type: u4 55 | -orig-id: mDeviceVersion, blobCacheDeviceVersion 56 | - id: num_entries 57 | type: u4 58 | -orig-id: mNumEntries 59 | - id: build_id 60 | type: prefixed_string 61 | -orig-id: mBuildIdLength, mBuildId, buildId 62 | if: version >= 3 # hypothesis, needs deeper investigation 63 | - id: entries 64 | type: entry 65 | repeat: expr 66 | repeat-expr: num_entries 67 | types: 68 | entry: 69 | seq: 70 | - id: len_key 71 | type: u4 72 | -orig-id: 
mKeySize, keySize 73 | - id: len_value 74 | type: u4 75 | -orig-id: mValueSize, valueSize 76 | - id: key 77 | size: len_key 78 | - id: value 79 | size: len_value 80 | - id: alignment 81 | type: alignment 82 | -------------------------------------------------------------------------------- /media/avi.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: avi 3 | title: Microsoft AVI file 4 | file-extension: avi 5 | xref: 6 | justsolve: AVI 7 | loc: fdd000059 8 | mime: video/x-msvideo 9 | pronom: fmt/5 10 | wikidata: Q209054 11 | tags: 12 | - windows 13 | license: CC0-1.0 14 | ks-version: 0.7 15 | endian: le 16 | doc-ref: https://learn.microsoft.com/en-us/previous-versions/ms779636(v=vs.85) 17 | seq: 18 | - id: magic1 19 | contents: RIFF 20 | - id: file_size 21 | type: u4 22 | - id: magic2 23 | contents: 'AVI ' 24 | - id: data 25 | type: blocks 26 | size: file_size - 4 27 | types: 28 | # either a chunk or list 29 | blocks: 30 | seq: 31 | - id: entries 32 | type: block 33 | repeat: eos 34 | block: 35 | seq: 36 | - id: four_cc 37 | type: u4 38 | enum: chunk_type 39 | - id: block_size 40 | type: u4 41 | - id: data 42 | size: block_size 43 | type: 44 | switch-on: four_cc 45 | cases: 46 | 'chunk_type::list': list_body 47 | 'chunk_type::avih': avih_body 48 | 'chunk_type::strh': strh_body 49 | list_body: 50 | seq: 51 | - id: list_type 52 | type: u4 53 | enum: chunk_type 54 | - id: data 55 | type: blocks 56 | avih_body: 57 | doc: Main header of an AVI file, defined as AVIMAINHEADER structure 58 | doc-ref: https://learn.microsoft.com/en-us/previous-versions/ms779632(v=vs.85) 59 | seq: 60 | - id: micro_sec_per_frame 61 | type: u4 62 | - id: max_bytes_per_sec 63 | type: u4 64 | - id: padding_granularity 65 | type: u4 66 | - id: flags 67 | type: u4 68 | - id: total_frames 69 | type: u4 70 | - id: initial_frames 71 | type: u4 72 | - id: streams 73 | type: u4 74 | - id: suggested_buffer_size 75 | type: u4 76 | - id: width 77 | type: 
u4 78 | - id: height 79 | type: u4 80 | - id: reserved 81 | size: 16 82 | strh_body: 83 | doc: Stream header (one header per stream), defined as AVISTREAMHEADER structure 84 | doc-ref: https://learn.microsoft.com/en-us/previous-versions/ms779638(v=vs.85) 85 | seq: 86 | - id: fcc_type 87 | type: u4 88 | enum: stream_type 89 | doc: Type of the data contained in the stream 90 | - id: fcc_handler 91 | type: u4 92 | enum: handler_type 93 | doc: Type of preferred data handler for the stream (specifies codec for audio / video streams) 94 | - id: flags 95 | type: u4 96 | - id: priority 97 | type: u2 98 | - id: language 99 | type: u2 100 | - id: initial_frames 101 | type: u4 102 | - id: scale 103 | type: u4 104 | - id: rate 105 | type: u4 106 | - id: start 107 | type: u4 108 | - id: length 109 | type: u4 110 | - id: suggested_buffer_size 111 | type: u4 112 | - id: quality 113 | type: u4 114 | - id: sample_size 115 | type: u4 116 | - id: frame 117 | type: rect 118 | strf_body: 119 | doc: Stream format description 120 | rect: 121 | seq: 122 | - id: left 123 | type: s2 124 | - id: top 125 | type: s2 126 | - id: right 127 | type: s2 128 | - id: bottom 129 | type: s2 130 | enums: 131 | chunk_type: 132 | 0x31786469: idx1 133 | 0x4b4e554a: junk 134 | 0x4f464e49: info 135 | 0x54465349: isft 136 | 0x5453494c: list 137 | 0x66727473: strf 138 | 0x68697661: avih 139 | 0x68727473: strh 140 | 0x69766f6d: movi 141 | 0x6c726468: hdrl 142 | 0x6c727473: strl 143 | stream_type: 144 | 0x7364696d: mids # MIDI stream 145 | 0x73646976: vids # Video stream 146 | 0x73647561: auds # Audio stream 147 | 0x73747874: txts # Text stream 148 | handler_type: 149 | 0x00000055: mp3 150 | 0x00002000: ac3 151 | 0x00002001: dts 152 | 0x64697663: cvid 153 | 0x64697678: xvid 154 | -------------------------------------------------------------------------------- /media/genmidi_op2.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: genmidi_op2 3 | title: 
GENMIDI.OP2 OPL2 sound bank 4 | file-extension: op2 5 | xref: 6 | wikidata: Q32098356 7 | license: CC0-1.0 8 | ks-version: 0.9 9 | encoding: ASCII 10 | endian: le 11 | doc: | 12 | GENMIDI.OP2 is a sound bank file used by players based on DMX sound 13 | library to play MIDI files with General MIDI instruments using OPL2 14 | sound chip (which was commonly installed on popular AdLib and Sound 15 | Blaster sound cards). 16 | 17 | Major users of DMX sound library include: 18 | 19 | * Original Doom game engine (and games based on it: Heretic, Hexen, Strife, Chex Quest) 20 | * Raptor: Call of the Shadows 21 | doc-ref: 22 | - http://www.fit.vutbr.cz/~arnost/muslib/op2_form.zip 23 | - https://doom.fandom.com/wiki/GENMIDI 24 | - https://moddingwiki.shikadi.net/wiki/OP2_Bank_Format 25 | seq: 26 | - id: magic 27 | contents: "#OPL_II#" 28 | - id: instruments 29 | type: instrument_entry 30 | repeat: expr 31 | repeat-expr: 175 32 | - id: instrument_names 33 | type: str 34 | size: 32 35 | pad-right: 0 36 | terminator: 0 37 | repeat: expr 38 | repeat-expr: 175 39 | types: 40 | instrument_entry: 41 | seq: 42 | - id: flags 43 | type: u2 44 | - id: finetune 45 | type: u1 46 | - id: note 47 | type: u1 48 | doc: MIDI note for fixed instruments, 0 otherwise 49 | - id: instruments 50 | repeat: expr 51 | repeat-expr: 2 52 | type: instrument 53 | instrument: 54 | seq: 55 | - id: op1 56 | type: op_settings 57 | - id: feedback 58 | type: u1 59 | doc: Feedback/AM-FM (both operators) 60 | - id: op2 61 | type: op_settings 62 | - id: unused 63 | type: u1 64 | - id: base_note 65 | type: s2 66 | doc: Base note offset 67 | op_settings: 68 | doc: | 69 | OPL2 settings for one operator (carrier or modulator) 70 | seq: 71 | - id: trem_vibr 72 | type: u1 73 | doc: Tremolo/vibrato/sustain/KSR/multi 74 | - id: att_dec 75 | type: u1 76 | doc: Attack rate/decay rate 77 | - id: sust_rel 78 | type: u1 79 | doc: Sustain level/release rate 80 | - id: wave 81 | type: u1 82 | doc: Waveform select 83 | - id: scale 
84 | type: u1 85 | doc: Key scale level 86 | - id: level 87 | type: u1 88 | doc: Output level 89 | -------------------------------------------------------------------------------- /media/id3v2_3.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: id3v2_3 3 | title: ID3v2.3 tag for .mp3 files 4 | file-extension: mp3 5 | xref: 6 | forensicswiki: id3 7 | justsolve: ID3 8 | loc: fdd000108 # ID3v2 9 | wikidata: Q1054220 10 | license: CC0-1.0 11 | endian: be 12 | 13 | doc-ref: https://id3.org/id3v2.3.0 14 | 15 | seq: 16 | - id: tag 17 | type: tag 18 | 19 | types: 20 | tag: 21 | doc-ref: Section 3. ID3v2 overview 22 | seq: 23 | - id: header 24 | type: header 25 | - id: header_ex 26 | type: header_ex 27 | if: header.flags.flag_headerex 28 | - id: frames 29 | type: frame 30 | repeat: until 31 | repeat-until: _io.pos + _.size > header.size.value or _.is_invalid 32 | - id: padding 33 | if: header.flags.flag_headerex 34 | size: header_ex.padding_size - _io.pos 35 | 36 | header: 37 | doc: ID3v2 fixed header 38 | doc-ref: Section 3.1. ID3v2 header 39 | seq: 40 | - id: magic 41 | contents: 'ID3' 42 | - id: version_major 43 | type: u1 44 | - id: version_revision 45 | type: u1 46 | - id: flags 47 | type: flags 48 | - id: size 49 | type: u4be_synchsafe 50 | types: 51 | flags: 52 | seq: 53 | - id: flag_unsynchronization 54 | type: b1 55 | - id: flag_headerex 56 | type: b1 57 | - id: flag_experimental 58 | type: b1 59 | - id: reserved 60 | type: b5 61 | 62 | header_ex: 63 | doc: ID3v2 extended header 64 | doc-ref: Section 3.2. ID3v2 extended header 65 | seq: 66 | - id: size 67 | type: u4 68 | - id: flags_ex 69 | type: flags_ex 70 | - id: padding_size 71 | type: u4 72 | - id: crc 73 | type: u4 74 | if: flags_ex.flag_crc 75 | types: 76 | flags_ex: 77 | seq: 78 | - id: flag_crc 79 | type: b1 80 | - id: reserved 81 | type: b15 82 | 83 | frame: 84 | doc-ref: Section 3.3. 
ID3v2 frame overview 85 | seq: 86 | - id: id 87 | type: str 88 | size: 4 89 | encoding: ASCII 90 | - id: size 91 | type: u4 92 | - id: flags 93 | type: flags 94 | - id: data 95 | size: size 96 | instances: 97 | is_invalid: 98 | value: "id == '\x00\x00\x00\x00'" 99 | types: 100 | flags: 101 | seq: 102 | - id: flag_discard_alter_tag 103 | type: b1 104 | - id: flag_discard_alter_file 105 | type: b1 106 | - id: flag_read_only 107 | type: b1 108 | - id: reserved1 109 | type: b5 110 | - id: flag_compressed 111 | type: b1 112 | - id: flag_encrypted 113 | type: b1 114 | - id: flag_grouping 115 | type: b1 116 | - id: reserved2 117 | type: b5 118 | 119 | # Section 6.2. Synchsafe integers 120 | u1be_synchsafe: 121 | seq: 122 | - id: padding 123 | type: b1 124 | - id: value 125 | type: b7 126 | u2be_synchsafe: 127 | seq: 128 | - id: byte0 129 | type: u1be_synchsafe 130 | - id: byte1 131 | type: u1be_synchsafe 132 | instances: 133 | value: 134 | value: (byte0.value << 7) | byte1.value 135 | u4be_synchsafe: 136 | seq: 137 | - id: short0 138 | type: u2be_synchsafe 139 | - id: short1 140 | type: u2be_synchsafe 141 | instances: 142 | value: 143 | value: (short0.value << 14) | short1.value 144 | -------------------------------------------------------------------------------- /media/stl.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: stl 3 | application: 3D Systems Stereolithography 4 | file-extension: stl 5 | xref: 6 | justsolve: STL 7 | loc: fdd000505 8 | pronom: fmt/865 9 | wikidata: Q1238229 10 | license: CC0-1.0 11 | endian: le 12 | doc: | 13 | STL files are used to represent simple 3D models, defined using 14 | triangular 3D faces. 15 | 16 | Initially it was introduced as native format for 3D Systems 17 | Stereolithography CAD system, but due to its extreme simplicity, it 18 | was adopted by a wide range of 3D modelling, CAD, rapid prototyping 19 | and 3D printing applications as the simplest 3D model exchange 20 | format. 
21 | 22 | STL is extremely bare-bones format: there are no complex headers, no 23 | texture / color support, no units specifications, no distinct vertex 24 | arrays. Whole model is specified as a collection of triangular 25 | faces. 26 | 27 | There are two versions of the format (text and binary), this spec 28 | describes binary version. 29 | seq: 30 | - id: header 31 | size: 80 32 | - id: num_triangles 33 | type: u4 34 | - id: triangles 35 | type: triangle 36 | repeat: expr 37 | repeat-expr: num_triangles 38 | types: 39 | triangle: 40 | doc: | 41 | Each STL triangle is defined by its 3 points in 3D space and a 42 | normal vector, which is generally used to determine where is 43 | "inside" and "outside" of the model. 44 | seq: 45 | - id: normal 46 | type: vec3d 47 | - id: vertices 48 | type: vec3d 49 | repeat: expr 50 | repeat-expr: 3 51 | - id: abr 52 | type: u2 53 | doc: | 54 | In theory (per standard), it's "attribute byte count" with 55 | no other details given on what "attribute" is and what 56 | should be stored in this field. 57 | 58 | In practice, software dealing with STL either expected to 59 | see 0 here, or uses this 16-bit field per se to store 60 | additional attributes (such as RGB color of a vertex or 61 | color index). 62 | vec3d: 63 | seq: 64 | - id: x 65 | type: f4 66 | - id: y 67 | type: f4 68 | - id: z 69 | type: f4 70 | -------------------------------------------------------------------------------- /media/vp8_duck_ivf.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: vp8_duck_ivf 3 | title: Duck IVF (container format for VP8) 4 | file-extension: ivf 5 | xref: 6 | justsolve: VP8 7 | loc: fdd000578 8 | wikidata: Q1063970 9 | license: CC0-1.0 10 | ks-version: 0.7 11 | endian: le 12 | doc: | 13 | Duck IVF is a simple container format for raw VP8 data, which is an open and 14 | royalty-free video compression format, currently developed by Google. 
15 | 16 | Test .ivf files are available at 17 | 18 | doc-ref: https://wiki.multimedia.cx/index.php/Duck_IVF 19 | seq: 20 | ## header start 21 | - id: magic1 22 | contents: DKIF 23 | doc: Magic Number of IVF Files 24 | - id: version 25 | type: u2 26 | doc: This should be 0 27 | - id: len_header 28 | type: u2 29 | doc: Normally the header length is 32 byte 30 | - id: codec 31 | contents: VP80 32 | doc: Name of the codec e.g. 'VP80' for VP8 33 | - id: width 34 | type: u2 35 | doc: The (initial) width of the video, every keyframe may change the resolution 36 | - id: height 37 | type: u2 38 | doc: The (initial) height of the video, every keyframe may change the resolution 39 | - id: framerate 40 | type: u4 41 | doc: the (framerate * timescale) e.g. for 30 fps -> 30000 42 | - id: timescale 43 | type: u4 44 | doc: the timescale is a divider of the seconds (VPX is integer math only) mostly 1000 45 | - id: num_frames 46 | type: u4 47 | doc: the number of frames (if not a camera stream) 48 | - id: unused 49 | type: u4 50 | ## header end 51 | 52 | ## payload start 53 | - id: image_data 54 | type: blocks 55 | repeat: expr 56 | repeat-expr: num_frames 57 | ## payload end 58 | 59 | ## type definitions 60 | types: 61 | blocks: 62 | seq: 63 | - id: entries 64 | type: block 65 | block: 66 | seq: 67 | - id: len_frame 68 | doc: size of the frame data 69 | type: u4 70 | - id: timestamp 71 | type: u8 72 | - id: framedata 73 | size: len_frame 74 | -------------------------------------------------------------------------------- /network/dime_message.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: dime_message 3 | title: DIME (Direct Internet Message Encapsulation) Message 4 | file-extension: 5 | - dim 6 | - dime 7 | xref: 8 | mime: application/dime 9 | wikidata: Q1227457 10 | license: CC0-1.0 11 | bit-endian: be 12 | endian: be 13 | encoding: ASCII 14 | doc: | 15 | Direct Internet Message Encapsulation (DIME) 16 | is an old 
Microsoft specification for sending and receiving 17 | SOAP messages along with additional attachments, 18 | like binary files, XML fragments, and even other 19 | SOAP messages, using standard transport protocols like HTTP. 20 | 21 | Sample file: `curl -LO 22 | https://github.com/kaitai-io/kaitai_struct_formats/files/5894723/scanner_withoptions.dump.gz 23 | && gunzip scanner_withoptions.dump.gz` 24 | doc-ref: 25 | - https://datatracker.ietf.org/doc/html/draft-nielsen-dime-02 26 | - https://learn.microsoft.com/en-us/archive/msdn-magazine/2002/december/sending-files-attachments-and-soap-messages-via-dime 27 | - http://imrannazar.com/Parsing-the-DIME-Message-Format 28 | seq: 29 | - id: records 30 | type: record 31 | repeat: eos 32 | types: 33 | padding: 34 | doc: padding to the next 4-byte boundary 35 | seq: 36 | - id: boundary_padding 37 | size: (- _io.pos) % 4 38 | option_field: 39 | doc: the option field of the record 40 | seq: 41 | - id: option_elements 42 | type: option_element 43 | repeat: eos 44 | option_element: 45 | doc: one element of the option field 46 | seq: 47 | - id: element_format 48 | type: u2 49 | - id: len_element 50 | type: u2 51 | - id: element_data 52 | size: len_element 53 | record: 54 | doc: each individual fragment of the message 55 | seq: 56 | - id: version 57 | doc: DIME format version (always 1) 58 | type: b5 59 | - id: is_first_record 60 | doc: Set if this is the first record in the message 61 | type: b1 62 | - id: is_last_record 63 | doc: Set if this is the last record in the message 64 | type: b1 65 | - id: is_chunk_record 66 | doc: Set if the file contained in this record is chunked into multiple records 67 | type: b1 68 | - id: type_format 69 | doc: Indicates the structure and format of the value of the TYPE field 70 | enum: type_formats 71 | type: b4 72 | - id: reserved 73 | doc: Reserved for future use 74 | type: b4 75 | - id: len_options 76 | doc: Length of the Options field 77 | type: u2 78 | - id: len_id 79 | doc: Length of the ID 
field 80 | type: u2 81 | - id: len_type 82 | doc: Length of the Type field 83 | type: u2 84 | - id: len_data 85 | doc: Length of the Data field 86 | type: u4 87 | - id: options 88 | size: len_options 89 | type: option_field 90 | - id: options_padding 91 | type: padding 92 | - id: id 93 | doc: Unique identifier of the file (set in the first record of file) 94 | type: str 95 | size: len_id 96 | - id: id_padding 97 | type: padding 98 | - id: type 99 | doc: Specified type in the format set with type_format 100 | type: str 101 | size: len_type 102 | - id: type_padding 103 | type: padding 104 | - id: data 105 | doc: The file data 106 | size: len_data 107 | - id: data_padding 108 | type: padding 109 | enums: 110 | type_formats: 111 | 0: unchanged 112 | 1: media_type 113 | 2: absolute_uri 114 | 3: unknown 115 | 4: none 116 | -------------------------------------------------------------------------------- /network/ethernet_frame.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: ethernet_frame 3 | title: Ethernet frame (layer 2, IEEE 802.3) 4 | xref: 5 | ieee: 802.3 6 | wikidata: Q11331406 7 | license: CC0-1.0 8 | ks-version: 0.8 9 | imports: 10 | - /network/ipv4_packet 11 | - /network/ipv6_packet 12 | doc: | 13 | Ethernet frame is a OSI data link layer (layer 2) protocol data unit 14 | for Ethernet networks. In practice, many other networks and/or 15 | in-file dumps adopted the same format for encapsulation purposes. 
16 | doc-ref: https://ieeexplore.ieee.org/document/7428776 17 | seq: 18 | - id: dst_mac 19 | size: 6 20 | doc: Destination MAC address 21 | - id: src_mac 22 | size: 6 23 | doc: Source MAC address 24 | - id: ether_type_1 25 | type: u2be 26 | enum: ether_type_enum 27 | doc: Either ether type or TPID if it is an IEEE 802.1Q frame 28 | - id: tci 29 | type: tag_control_info 30 | if: ether_type_1 == ether_type_enum::ieee_802_1q_tpid 31 | - id: ether_type_2 32 | type: u2be 33 | enum: ether_type_enum 34 | if: ether_type_1 == ether_type_enum::ieee_802_1q_tpid 35 | - id: body 36 | size-eos: true 37 | type: 38 | switch-on: ether_type 39 | cases: 40 | 'ether_type_enum::ipv4': ipv4_packet 41 | 'ether_type_enum::ipv6': ipv6_packet 42 | instances: 43 | ether_type: 44 | value: | 45 | (ether_type_1 == ether_type_enum::ieee_802_1q_tpid) ? ether_type_2 : ether_type_1 46 | doc: | 47 | Ether type can be specified in several places in the frame. If 48 | the first location bears the special marker (0x8100), then it is not the 49 | real ether type yet: an additional payload (`tci`) is expected 50 | and the real ether type comes next. 51 | types: 52 | tag_control_info: 53 | doc: | 54 | Tag Control Information (TCI) is an extension of IEEE 802.1Q to 55 | support VLANs on normal IEEE 802.3 Ethernet network. 56 | seq: 57 | - id: priority 58 | type: b3 59 | doc: | 60 | Priority Code Point (PCP) is used to specify priority for 61 | different kinds of traffic. 62 | - id: drop_eligible 63 | type: b1 64 | doc: | 65 | Drop Eligible Indicator (DEI) specifies if frame is eligible 66 | to be dropped when congestion is detected for certain classes 67 | of traffic. 68 | - id: vlan_id 69 | type: b12 70 | doc: | 71 | VLAN Identifier (VID) specifies which VLAN this frame 72 | belongs to. 
73 | enums: 74 | # https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml 75 | ether_type_enum: 76 | 0x0800: ipv4 77 | 0x0801: x_75_internet 78 | 0x0802: nbs_internet 79 | 0x0803: ecma_internet 80 | 0x0804: chaosnet 81 | 0x0805: x_25_level_3 82 | 0x0806: arp 83 | 0x8100: ieee_802_1q_tpid 84 | 0x86dd: ipv6 85 | #0x88a8: ieee_802_1ad_tpid 86 | -------------------------------------------------------------------------------- /network/hccap.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: hccap 3 | title: Hashcat capture file (old version) 4 | application: 5 | - Hashcat 6 | - aircrack-ng 7 | file-extension: hccap 8 | license: Unlicense 9 | encoding: utf-8 10 | endian: le 11 | doc: | 12 | Native format of Hashcat password "recovery" utility. 13 | 14 | A sample of file for testing can be downloaded from 15 | 16 | doc-ref: https://hashcat.net/wiki/doku.php?id=hccap 17 | seq: 18 | - id: records 19 | type: hccap_record 20 | repeat: eos 21 | types: 22 | hccap_record: 23 | seq: 24 | - id: essid 25 | size: 36 26 | - id: mac_ap 27 | -orig-id: ap_mac 28 | size: 6 29 | doc: The BSSID (MAC address) of the access point 30 | - id: mac_station 31 | -orig-id: station_mac 32 | size: 6 33 | doc: The MAC address of a client connecting to the access point 34 | - id: nonce_station 35 | -orig-id: station_nonce 36 | size: 32 37 | doc: Nonce (random salt) generated by the client connecting to the access point. 38 | - id: nonce_ap 39 | -orig-id: ap_nonce 40 | size: 32 41 | doc: Nonce (random salt) generated by the access point. 42 | - id: eapol_buffer 43 | type: eapol_dummy 44 | size: 256 45 | doc: Buffer for EAPOL data, only first `len_eapol` bytes are used 46 | - id: len_eapol 47 | -orig-id: eapol_size 48 | type: u4 49 | doc: Size of EAPOL data 50 | - id: keyver 51 | type: u4 52 | doc: | 53 | The flag used to distinguish WPA from WPA2 ciphers. Value of 54 | 1 means WPA, other - WPA2. 
55 | - id: keymic 56 | size: 16 57 | doc: | 58 | The final hash value. MD5 for WPA and SHA-1 for WPA2 59 | (truncated to 128 bit). 60 | instances: 61 | eapol: 62 | io: eapol_buffer._io 63 | pos: 0 64 | size: len_eapol 65 | eapol_dummy: {} 66 | -------------------------------------------------------------------------------- /network/hccapx.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: hccapx 3 | title: Hashcat capture file 4 | application: 5 | - Hashcat 6 | - aircrack-ng 7 | file-extension: hccapx 8 | license: Unlicense 9 | endian: le 10 | doc: | 11 | Native format of Hashcat password "recovery" utility 12 | doc-ref: https://hashcat.net/wiki/doku.php?id=hccapx 13 | seq: 14 | - id: records 15 | type: hccapx_record 16 | repeat: eos 17 | types: 18 | hccapx_record: 19 | seq: 20 | - id: magic 21 | contents: "HCPX" 22 | - id: version 23 | type: u4 24 | doc: The version number of the .hccapx file format. 25 | - id: ignore_replay_counter 26 | type: b1 27 | doc: | 28 | Indicates if the message pair matching was done based on 29 | replay counter or not. 30 | 31 | Whenever it was set to 1 it means that the replay counter 32 | was ignored (i.e. it was not considered at all by the 33 | matching algorithm). 34 | 35 | Hashcat currently does not perform any particular action 36 | based on this bit, but nonetheless this information could be 37 | crucial for some third-party tools and for 38 | analysis/statistics. There could be some opportunity to 39 | implement some further logic based on this particular 40 | information also within hashcat (in the future). 41 | - id: message_pair 42 | type: b7 43 | doc: | 44 | The message_pair value describes which messages of the 4-way 45 | handshake were combined to form the .hccapx structure. It is 46 | always a pair of 2 messages: 1 from the AP (access point) 47 | and 1 from the STA (client). 
48 |
49 |           Furthermore, the message_pair value also gives a hint from
50 |           which of the 2 messages the EAPOL origins. This is
51 |           interesting data, but not necessarily needed for hashcat to
52 |           be able to crack the hash.
53 |
54 |           On the other hand, it could be very important to know if
55 |           "only" message 1 and message 2 were captured or if for
56 |           instance message 3 and/or message 4 were captured too. If
57 |           message 3 and/or message 4 were captured it should be a hard
58 |           evidence that the connection was established and that the
59 |           password the client used was the correct one.
60 |       - id: len_essid
61 |         -orig-id: essid_len
62 |         type: u1  # range 0-255 as read; the 32-byte ESSID slot implied by padding1 is not enforced here
63 |       - id: essid
64 |         size: len_essid
65 |       - id: padding1
66 |         size: 32 - len_essid  # NOTE(review): negative when len_essid > 32; behaviour on a negative size is runtime-specific, so a `valid: max: 32` style check on len_essid would make the failure explicit
67 |       - id: keyver
68 |         type: u1
69 |         doc: |
70 |           The flag used to distinguish WPA from WPA2 ciphers. Value of
71 |           1 means WPA, other - WPA2.
72 |       - id: keymic
73 |         size: 16
74 |         doc: |
75 |           The final hash value. MD5 for WPA and SHA-1 for WPA2
76 |           (truncated to 128 bit).
77 |       - id: mac_ap
78 |         size: 6
79 |         doc: The BSSID (MAC address) of the access point.
80 |       - id: nonce_ap
81 |         size: 32
82 |         doc: Nonce (random salt) generated by the access point.
83 |       - id: mac_station
84 |         -orig-id: mac_sta
85 |         size: 6
86 |         doc: The MAC address of the client connecting to the access point.
87 |       - id: nonce_station
88 |         -orig-id: nonce_sta
89 |         size: 32
90 |         doc: Nonce (random salt) generated by the client connecting to the access point.
91 |       - id: len_eapol
92 |         -orig-id: eapol_len
93 |         type: u2  # range 0-65535 as read; the record layout that follows assumes at most 256
94 |         doc: The length of the EAPOL data.
95 |       - id: eapol
96 |         size: len_eapol
97 |       - id: padding2
98 |         size: 256 - len_eapol  # NOTE(review): negative when len_eapol > 256 (it is a u2); nothing in this record bounds it
99 |
--------------------------------------------------------------------------------
/network/icmp_packet.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: icmp_packet
3 |   title: ICMP network packet
4 |   xref:
5 |     rfc: 792
6 |     wikidata: Q13162
7 |   license: CC0-1.0
8 |   endian: be
9 | seq:
10 |   - id: icmp_type
11 |     type: u1
12 |     enum: icmp_type_enum
13 |   - id: destination_unreachable
14 |     type: destination_unreachable_msg
15 |     if: icmp_type == icmp_type_enum::destination_unreachable
16 |   - id: time_exceeded
17 |     type: time_exceeded_msg
18 |     if: icmp_type == icmp_type_enum::time_exceeded
19 |   - id: echo
20 |     type: echo_msg
21 |     if: icmp_type == icmp_type_enum::echo or icmp_type == icmp_type_enum::echo_reply  # for any other icmp_type (including source_quench and redirect from the enum) nothing after the type byte is parsed
22 | enums:
23 |   icmp_type_enum:
24 |     0: echo_reply
25 |     3: destination_unreachable
26 |     4: source_quench
27 |     5: redirect
28 |     8: echo
29 |     11: time_exceeded
30 | types:
31 |   destination_unreachable_msg:
32 |     seq:
33 |       - id: code
34 |         type: u1
35 |         enum: destination_unreachable_code
36 |       - id: checksum
37 |         type: u2  # exposed as read; this spec does not verify it, and the rest of the message is not parsed
38 |     enums:
39 |       destination_unreachable_code:
40 |         0: net_unreachable
41 |         1: host_unreachable
42 |         2: protocol_unreachable
43 |         3: port_unreachable
44 |         4: fragmentation_needed_and_df_set
45 |         5: source_route_failed
46 |         6: dst_net_unkown  # sic: the spelling is part of the generated enum name
47 |         7: sdt_host_unkown  # sic: the spelling is part of the generated enum name
48 |         8: src_isolated
49 |         9: net_prohibited_by_admin
50 |         10: host_prohibited_by_admin
51 |         11: net_unreachable_for_tos
52 |         12: host_unreachable_for_tos
53 |         13: communication_prohibited_by_admin
54 |         14: host_precedence_violation
55 |         15: precedence_cuttoff_in_effect  # sic: the spelling is part of the generated enum name
56 |   time_exceeded_msg:
57 |     seq:
58 |       - id: code
59 |         type: u1
60 |         enum: time_exceeded_code
61 |       - id: checksum
62 |         type: u2  # exposed as read; not verified by this spec
63 |     enums:
64 |       time_exceeded_code:
65 |         0: time_to_live_exceeded_in_transit
66 |         1: fragment_reassembly_time_exceeded
67 |   echo_msg:
68 |     seq:
69 |       - id: code
70 |         contents: [0]  # an echo / echo reply with a non-zero code fails to parse instead of surfacing the value
71 |       - id: checksum
72 |         type: u2  # exposed as read; not verified by this spec
73 |       - id: identifier
74 |         type: u2
75 |       - id: seq_num
76 |         type: u2
77 |       - id: data
78 |         size-eos: true  # everything left in the stream, with no length limit of its own
79 |
--------------------------------------------------------------------------------
/network/ipv4_packet.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: ipv4_packet
3 |   title: IPv4 network packet
4 |   xref:
5 |     rfc: 791
6 |     wikidata: Q11103
7 |   license: CC0-1.0
8 |   ks-version: 0.8
9 |   imports:
10 |     - /network/protocol_body
11 | seq:
12 |   - id: b1
13 |     type: u1  # version in the high nibble, IHL in the low nibble (see `instances`)
14 |   - id: b2
15 |     type: u1
16 |   - id: total_length
17 |     type: u2be
18 |   - id: identification
19 |     type: u2be
20 |   - id: b67
21 |     type: u2be
22 |   - id: ttl
23 |     type: u1
24 |   - id: protocol
25 |     type: u1
26 |   - id: header_checksum
27 |     type: u2be  # exposed as read; not verified by this spec
28 |   - id: src_ip_addr
29 |     size: 4
30 |   - id: dst_ip_addr
31 |     size: 4
32 |   - id: options
33 |     type: ipv4_options
34 |     size: ihl_bytes - 20  # NOTE(review): ihl is a 4-bit value (0-15); anything below 5 makes this negative, and behaviour on a negative size is runtime-specific
35 |   - id: body
36 |     size: total_length - ihl_bytes  # NOTE(review): negative when total_length < ihl_bytes; neither field is range-checked here
37 |     type: protocol_body(protocol)
38 | instances:
39 |   version:
40 |     value: (b1 & 0xf0) >> 4  # not checked against 4
41 |   ihl:
42 |     value: b1 & 0xf
43 |   ihl_bytes:
44 |     value: ihl * 4  # header length in bytes, 0-60
45 | types:
46 |   ipv4_options:
47 |     seq:
48 |       - id: entries
49 |         type: ipv4_option
50 |         repeat: eos  # bounded by the `options` substream created above
51 |   ipv4_option:
52 |     seq:
53 |       - id: b1
54 |         type: u1
55 |       - id: len
56 |         type: u1  # NOTE(review): read for every option, but RFC 791 option types 0 (End of Option List) and 1 (No Operation) are a single octet with no length byte; confirm how such options parse
57 |       - id: body
58 |         size: 'len > 2 ? len - 2 : 0'  # guards against len < 2 so the size never goes negative
59 |     instances:
60 |       copy:
61 |         value: (b1 & 0b10000000) >> 7
62 |       opt_class:
63 |         value: (b1 & 0b01100000) >> 5
64 |       number:
65 |         value: (b1 & 0b00011111)
66 |
--------------------------------------------------------------------------------
/network/ipv6_packet.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: ipv6_packet
3 |   title: IPv6 network packet
4 |   license: CC0-1.0
5 |   ks-version: 0.8
6 |   imports:
7 |     - /network/protocol_body
8 |   endian: be
9 | seq:
10 |   - id: version
11 |     type: b4  # not checked against 6
12 |   - id: traffic_class
13 |     type: b8
14 |   - id: flow_label
15 |     type: b20
16 |   - id: payload_length
17 |     type: u2  # NOTE(review): parsed but not used to bound next_header or rest below
18 |   - id: next_header_type
19 |     type: u1
20 |   - id: hop_limit
21 |     type: u1
22 |   - id: src_ipv6_addr
23 |     size: 16
24 |   - id: dst_ipv6_addr
25 |     size: 16
26 |   - id: next_header
27 |     type: protocol_body(next_header_type)  # no `size:`, so the nested parser works directly on the remaining stream
28 |   - id: rest
29 |     size-eos: true
30 |
--------------------------------------------------------------------------------
/network/rtp_packet.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: rtp_packet
3 |   title: RTP (Real-time Transport Protocol)
4 |   xref:
5 |     justsolve: RTP
6 |     rfc:
7 |       - 3550
8 |       - 3551
9 |     wikidata: Q321213
10 |   license: Unlicense
11 |   endian: be
12 | doc: |
13 |   The Real-time Transport Protocol (RTP) is a widely used network
14 |   protocol for transmitting audio or video. It usually works with the
15 |   RTP Control Protocol (RTCP). The transmission can be based on
16 |   Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
17 | seq:
18 |   - id: version
19 |     type: b2
20 |   - id: has_padding
21 |     type: b1
22 |   - id: has_extension
23 |     type: b1
24 |   - id: csrc_count
25 |     type: b4  # NOTE(review): no CSRC list field follows `ssrc`; when csrc_count > 0 those 32-bit identifiers (RFC 3550) end up at the start of `data`
26 |   - id: marker
27 |     type: b1
28 |   - id: payload_type
29 |     type: b7
30 |     enum: payload_type_enum
31 |   - id: sequence_number
32 |     type: u2
33 |   - id: timestamp
34 |     type: u4
35 |   - id: ssrc
36 |     type: u4
37 |   - id: header_extension
38 |     type: header_extention
39 |     if: has_extension
40 |   - id: data
41 |     size: _io.size - _io.pos - len_padding  # NOTE(review): len_padding is the packet's last byte, unchecked; a value larger than the bytes remaining makes this negative
42 |     doc: Payload without padding.
43 |   - id: padding
44 |     size: len_padding
45 | instances:
46 |   len_padding_if_exists:
47 |     pos: _io.size - 1  # last byte of the current stream
48 |     type: u1
49 |     if: has_padding
50 |     doc: |
51 |       If padding bit is enabled, last byte of data contains number of
52 |       bytes appended to the payload as padding.
53 |   len_padding:
54 |     value: 'has_padding ? len_padding_if_exists : 0'
55 |     doc: Always returns number of padding bytes to in the payload.
56 | types:
57 |   header_extention:
58 |     seq:
59 |       - id: id
60 |         type: u2
61 |       - id: length
62 |         type: u2  # NOTE(review): only this 4-byte extension header is consumed; the extension words that `length` counts stay in `data`
63 | enums:
64 |   # https://datatracker.ietf.org/doc/html/rfc3551#section-6
65 |   payload_type_enum:
66 |     0: pcmu
67 |     1: reserved1
68 |     2: reserved2
69 |     3: gsm
70 |     4: g723
71 |     5: dvi4_1
72 |     6: dvi4_2
73 |     7: lpc
74 |     8: pcma
75 |     9: g722
76 |     10: l16_1
77 |     11: l16_2
78 |     12: qcelp
79 |     13: cn
80 |     14: mpa
81 |     15: g728
82 |     16: dvi4_3
83 |     17: dvi4_4
84 |     18: g729
85 |     19: reserved19
86 |     20: unassigned20
87 |     21: unassigned21
88 |     22: unassigned22
89 |     23: unassigned23
90 |     24: unassigned24
91 |     25: celb
92 |     26: jpeg
93 |     27: unassigned27
94 |     28: nv
95 |     29: unassigned29
96 |     30: unassigned30
97 |     31: h261
98 |     32: mpv
99 |     33: mp2t
100 |     34: h263
101 |     96: mpeg_ps
102 |
--------------------------------------------------------------------------------
/network/rtpdump.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: rtpdump
3 |   title: Rtpdump (rtptools)
4 |   file-extension:
5 |     - rtp
6 |     - rtpdump
7 |   license: Unlicense
8 |   imports:
9 |     - /network/rtp_packet
10 |   endian: be
11 | doc: |
12 |   rtpdump is a format used by rtptools to record and replay
13 |   rtp data from network capture.
14 | doc-ref: https://chromium.googlesource.com/external/webrtc/stable/talk/+/master/media/base/rtpdump.h
15 | seq:
16 |   - id: file_header
17 |     type: header_t
18 |   - id: packets
19 |     type: packet_t
20 |     repeat: eos
21 | types:
22 |   header_t:
23 |     seq:
24 |       - id: shebang
25 |         contents: '#!rtpplay1.0'
26 |       - id: space
27 |         contents: ' '
28 |       - id: ip
29 |         type: str
30 |         encoding: ascii
31 |         terminator: 0x2f # '/'
32 |       - id: port
33 |         type: str  # kept as text; neither `ip` nor `port` is validated or length-limited, both simply run to their terminator
34 |         encoding: ascii
35 |         terminator: 0x0a # '\n'
36 |       - id: start_sec
37 |         type: u4
38 |         doc: |
39 |           start of recording, the seconds part.
40 |       - id: start_usec
41 |         type: u4
42 |         doc: |
43 |           start of recording, the microseconds part.
44 |       - id: ip2
45 |         type: u4
46 |         doc: |
47 |           network source.
48 |       - id: port2
49 |         type: u2
50 |         doc: |
51 |           port.
52 |       - id: padding
53 |         type: u2
54 |         doc: |
55 |           2 bytes padding.
56 |   packet_t:
57 |     seq:
58 |       - id: length
59 |         type: u2  # NOTE(review): not cross-checked against len_body; `body` is sized by len_body alone
60 |         doc: |
61 |           packet length (including this header).
62 |       - id: len_body
63 |         type: u2
64 |         doc: |
65 |           payload length.
66 |       - id: packet_usec
67 |         type: u4
68 |         doc: |
69 |           timestamp of packet since the start.
70 |       - id: body
71 |         size: len_body  # `size` plus `type` gives rtp_packet a substream of exactly len_body bytes, so its `_io.size` refers to this slice
72 |         type: rtp_packet
73 |
--------------------------------------------------------------------------------
/network/some_ip/some_ip_container.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: some_ip_container
3 |   title: AUTOSAR SOME/IP container
4 |   license: CC0-1.0
5 |   ks-version: 0.9
6 |   endian: be
7 |   imports:
8 |     - /network/some_ip/some_ip
9 |
10 | seq:
11 |   - id: some_ip_packages
12 |     type: some_ip
13 |     repeat: eos  # back-to-back some_ip messages until end of stream; each one's extent is decided by the imported some_ip type
14 |
--------------------------------------------------------------------------------
/network/some_ip/some_ip_sd.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: some_ip_sd
3 |   title: AUTOSAR SOME/IP Service Discovery
4 |   license: CC0-1.0
5 |   ks-version: 0.9
6 |   endian: be
7 |   imports:
8 |     - /network/some_ip/some_ip_sd_entries
9 |     - /network/some_ip/some_ip_sd_options
10 |
11 | doc: |
12 |   The main tasks of the Service Discovery Protocol are communicating the
13 |   availability of functional entities called services in the in-vehicle
14 |   communication as well as controlling the send behavior of event messages.
15 |   This allows sending only event messages to receivers requiring them (Publish/Subscribe).
16 |   The solution described here is also known as SOME/IP-SD
17 |   (Scalable service-Oriented MiddlewarE over IP - Service Discovery).
18 | doc-ref: https://www.autosar.org/fileadmin/standards/foundation/19-11/AUTOSAR_PRS_SOMEIPServiceDiscoveryProtocol.pdf
19 |
20 | seq:
21 |   - id: flags
22 |     type: sd_flags
23 |     doc: The SOME/IP-SD Header shall start with an 8 Bit field called flags.
24 |   - id: reserved
25 |     size: 3
26 |   - id: len_entries
27 |     type: u4
28 |   - id: entries
29 |     type: some_ip_sd_entries
30 |     size: len_entries  # length comes straight from the message; the entries parser is confined to this slice
31 |   - id: len_options
32 |     type: u4
33 |   - id: options
34 |     type: some_ip_sd_options
35 |     size: len_options  # length comes straight from the message; the options parser is confined to this slice
36 |
37 | types:
38 |   sd_flags:
39 |     seq:
40 |       - id: reboot
41 |         type: b1
42 |       - id: unicast
43 |         type: b1
44 |       - id: initial_data
45 |         type: b1
46 |       - id: reserved
47 |         type: b5
48 |     doc-ref: AUTOSAR_PRS_SOMEIPServiceDiscoveryProtocol.pdf - Figure 4.3
49 |
--------------------------------------------------------------------------------
/network/some_ip/some_ip_sd_entries.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: some_ip_sd_entries
3 |   title: AUTOSAR SOME/IP Service Discovery Entries
4 |   license: CC0-1.0
5 |   ks-version: 0.9
6 |   endian: be
7 |
8 | doc: |
9 |   The entries are used to synchronize the state of services instances and the
10 |   Publish/-Subscribe handling.
11 | doc-ref: |
12 |   https://www.autosar.org/fileadmin/standards/foundation/19-11/AUTOSAR_PRS_SOMEIPServiceDiscoveryProtocol.pdf
13 |   - section 4.1.2.3 Entry Format
14 |
15 | seq:
16 |   - id: entries
17 |     type: sd_entry
18 |     repeat: eos
19 |
20 | types:
21 |   sd_entry:
22 |     seq:
23 |       - id: header
24 |         type: sd_entry_header
25 |       - id: content
26 |         type:
27 |           switch-on: header.type  # NOTE(review): no default case; for a type outside the four below `content` is presumably left unparsed, which would shift every following entry; confirm against the compiler
28 |           cases:
29 |             entry_types::find : sd_service_entry
30 |             entry_types::offer : sd_service_entry
31 |             entry_types::subscribe : sd_eventgroup_entry
32 |             entry_types::subscribe_ack : sd_eventgroup_entry
33 |
34 |     types:
35 |       sd_entry_header:
36 |         seq:
37 |           - id: type
38 |             type: u1
39 |             enum: entry_types
40 |           - id: index_first_options
41 |             type: u1  # index into the options array parsed elsewhere; not range-checked in this spec
42 |           - id: index_second_options
43 |             type: u1  # index into the options array parsed elsewhere; not range-checked in this spec
44 |           - id: number_first_options
45 |             type: b4
46 |           - id: number_second_options
47 |             type: b4
48 |           - id: service_id
49 |             type: u2
50 |           - id: instance_id
51 |             type: u2
52 |           - id: major_version
53 |             type: u1
54 |           - id: ttl
55 |             type: b24
56 |
57 |       sd_service_entry:
58 |         seq:
59 |           - id: minor_version
60 |             type: u4
61 |
62 |       sd_eventgroup_entry:
63 |         seq:
64 |           - id: reserved
65 |             type: u1
66 |           - id: initial_data_requested
67 |             type: b1
68 |           - id: reserved2
69 |             type: b3
70 |           - id: counter
71 |             type: b4
72 |           - id: event_group_id
73 |             type: u2
74 |
75 |     enums:
76 |       entry_types:
77 |         0x00 : find
78 |         0x01 : offer
79 |         0x06 : subscribe
80 |         0x07 : subscribe_ack
81 |
--------------------------------------------------------------------------------
/network/tcp_segment.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: tcp_segment
3 |   title: TCP (Transmission Control Protocol) segment
4 |   xref:
5 |     rfc:
6 |       - 793
7 |       - 1323
8 |       - 9293
9 |     wikidata: Q8803
10 |   license: CC0-1.0
11 |   endian: be
12 |   ks-version: 0.10
13 | doc: |
14 |   TCP is one of the core Internet protocols on transport layer (AKA
15 |   OSI layer 4), providing stateful connections with error checking,
16 |   guarantees of delivery, order of segments and avoidance of duplicate
17 |   delivery.
18 | seq:
19 |   - id: src_port
20 |     type: u2
21 |     doc: Source port
22 |   - id: dst_port
23 |     type: u2
24 |     doc: Destination port
25 |   - id: seq_num
26 |     type: u4
27 |     doc: Sequence number
28 |   - id: ack_num
29 |     type: u4
30 |     doc: Acknowledgment number
31 |   - id: data_offset
32 |     type: b4  # 4-bit value, 0-15; not range-checked before it is used in the options size below
33 |     doc: Data offset (in 32-bit words from the beginning of this type, normally 32 or can be extended if there are any TCP options or padding is present)
34 |   - id: reserved
35 |     type: b4
36 |   - id: flags
37 |     type: flags
38 |   - id: window_size
39 |     type: u2
40 |   - id: checksum
41 |     type: u2  # exposed as read; not verified by this spec
42 |   - id: urgent_pointer
43 |     type: u2
44 |   - id: options
45 |     size: (data_offset * 4) - 20  # kept as raw bytes; individual options are not decoded
46 |     if: ((data_offset * 4) - 20) != 0  # NOTE(review): `!= 0` still admits data_offset < 5, where the size above is negative
47 |   - id: body
48 |     size-eos: true
49 | types:
50 |   flags:
51 |     doc: |
52 |       TCP header flags as defined "TCP Header Flags" registry.
53 |     seq:
54 |       - id: cwr
55 |         type: b1
56 |         doc: Congestion Window Reduced
57 |       - id: ece
58 |         type: b1
59 |         doc: ECN-Echo
60 |       - id: urg
61 |         type: b1
62 |         doc: Urgent pointer field is significant
63 |       - id: ack
64 |         type: b1
65 |         doc: Acknowledgment field is significant
66 |       - id: psh
67 |         type: b1
68 |         doc: Push function
69 |       - id: rst
70 |         type: b1
71 |         doc: Reset the connection
72 |       - id: syn
73 |         type: b1
74 |         doc: Synchronize sequence numbers
75 |       - id: fin
76 |         type: b1
77 |         doc: No more data from sender
78 |     to-string: |
79 |       (cwr ? "|CWR" : "") +
80 |       (ece ? "|ECE" : "") +
81 |       (urg ? "|URG" : "") +
82 |       (ack ? "|ACK" : "") +
83 |       (psh ? "|PSH" : "") +
84 |       (rst ? "|RST" : "") +
85 |       (syn ? "|SYN" : "") +
86 |       (fin ? "|FIN" : "")
87 |
--------------------------------------------------------------------------------
/network/tls_client_hello.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: tls_client_hello  # fields of a TLS ClientHello body, in order: version, random, session id, cipher suites, compression methods, optional extensions
3 |   xref:
4 |     rfc: 5246 # TLS 1.2
5 |     wikidata: Q206494 # TLS
6 |   license: MIT
7 |   endian: be
8 |
9 | seq:
10 |   - id: version
11 |     type: version
12 |
13 |   - id: random
14 |     type: random
15 |
16 |   - id: session_id
17 |     type: session_id
18 |
19 |   - id: cipher_suites
20 |     type: cipher_suites
21 |
22 |   - id: compression_methods
23 |     type: compression_methods
24 |
25 |   - id: extensions
26 |     type: extensions
27 |     if: _io.eof == false  # extensions are optional: parsed only when bytes remain after compression_methods
28 |
29 | types:
30 |   version:
31 |     seq:
32 |       - id: major
33 |         type: u1
34 |
35 |       - id: minor
36 |         type: u1
37 |
38 |   random:
39 |     seq:
40 |       - id: gmt_unix_time
41 |         type: u4
42 |
43 |       - id: random
44 |         size: 28
45 |
46 |   session_id:
47 |     seq:
48 |       - id: len
49 |         type: u1  # NOTE(review): RFC 5246 limits a session id to 32 bytes; any u1 value is accepted here
50 |
51 |       - id: sid
52 |         size: len
53 |
54 |   cipher_suites:
55 |     seq:
56 |       - id: len
57 |         type: u2  # length in bytes, not a count of suites
58 |
59 |       - id: cipher_suites
60 |         type: u2
61 |         repeat: expr
62 |         repeat-expr: len/2  # NOTE(review): integer division; an odd `len` leaves one byte unread, which then shifts compression_methods
63 |
64 |   compression_methods:
65 |     seq:
66 |       - id: len
67 |         type: u1
68 |
69 |       - id: compression_methods
70 |         size: len
71 |
72 |   extensions:
73 |     seq:
74 |       - id: len
75 |         type: u2
76 |
77 |       - id: extensions
78 |         type: extension
79 |         repeat: eos  # NOTE(review): runs to end of stream; the `len` read just above is not used to bound the list
80 |
81 |   extension:
82 |     seq:
83 |       - id: type
84 |         type: u2
85 |
86 |       - id: len
87 |         type: u2
88 |
89 |       - id: body
90 |         size: len  # each extension body is confined to its own `len`-byte slice
91 |         type:
92 |           switch-on: type  # only SNI (0) and ALPN (16) are decoded; with `size` set, other types presumably stay raw bytes
93 |           cases:
94 |             0: sni
95 |             16: alpn
96 |
97 |   sni:
98 |     seq:
99 |       - id: list_length
100 |         type: u2
101 |
102 |       - id: server_names
103 |         type: server_name
104 |         repeat: eos  # bounded by the extension body slice, not by list_length, which is read but not compared
105 |
106 |   server_name:
107 |     seq:
108 |       - id: name_type
109 |         type: u1
110 |
111 |       - id: length
112 |         type: u2
113 |
114 |       - id: host_name
115 |         size: length  # raw bytes from the client; no charset or hostname-syntax check is applied here
116 |
117 |   alpn:
118 |     seq:
119 |       - id: ext_len
120 |         type: u2
121 |
122 |       - id: alpn_protocols
123 |         type: protocol
124 |         repeat: eos  # bounded by the extension body slice, not by ext_len, which is read but not compared
125 |
126 |   protocol:
127 |     seq:
128 |       - id: strlen
129 |         type: u1
130 |
131 |       - id: name
132 |         size: strlen
133 |
--------------------------------------------------------------------------------
/network/udp_datagram.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: udp_datagram
3 |   title: UDP (User Datagram Protocol) datagram
4 |   xref:
5 |     rfc: 768
6 |     wikidata: Q11163
7 |   license: CC0-1.0
8 |   endian: be
9 | doc: |
10 |   UDP is a simple stateless transport layer (AKA OSI layer 4)
11 |   protocol, one of the core Internet protocols. It provides source and
12 |   destination ports, basic checksumming, but provides not guarantees
13 |   of delivery, order of packets, or duplicate delivery.
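14 | seq:
15 |   - id: src_port
16 |     type: u2
17 |   - id: dst_port
18 |     type: u2
19 |   - id: length
20 |     type: u2
21 |   - id: checksum
22 |     type: u2  # exposed as read; not verified by this spec
23 |   - id: body
24 |     size: length - 8  # NOTE(review): `length` counts the 8-byte header; a value below 8 makes this negative and nothing here rejects it
25 |
--------------------------------------------------------------------------------
/network/websocket.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: websocket
3 |   title: WebSocket
4 |   xref:
5 |     rfc: 6455
6 |     wikidata: Q859938
7 |   license: CC0-1.0
8 |   endian: be
9 | doc: |
10 |   The WebSocket protocol establishes a two-way communication channel via TCP.
11 |   Messages are made up of one or more dataframes, and are delineated by
12 |   frames with the `fin` bit set.
13 | seq:
14 |   - id: initial_frame
15 |     type: initial_frame
16 |   - id: trailing_frames
17 |     type: dataframe
18 |     if: initial_frame.header.finished != true
19 |     repeat: until
20 |     repeat-until: _.header.finished  # stops at the first frame with `finished` set; a stream that never sets it runs into end of input
21 |
22 | types:
23 |   frame_header:
24 |     seq:
25 |       - id: finished
26 |         -orig-id: fin
27 |         type: b1
28 |       - id: reserved
29 |         -orig-id: 'rsv1, rsv2, rsv3'
30 |         type: b3
31 |       - id: opcode
32 |         enum: opcode
33 |         type: b4
34 |       - id: is_masked
35 |         type: b1
36 |       - id: len_payload_primary
37 |         type: b7
38 |       - id: len_payload_extended_1
39 |         type: u2
40 |         if: len_payload_primary == 126
41 |       - id: len_payload_extended_2
42 |         type: u8  # RFC 6455 section 5.2: a primary length of 127 is followed by an 8-byte (64-bit) extended length; reading only 4 bytes would misalign mask_key and the payload
43 |         if: len_payload_primary == 127
44 |       - id: mask_key
45 |         type: u4
46 |         if: is_masked  # NOTE(review): the key is read, but the payload fields below carry no `process:` step, so masked payloads are exposed still masked
47 |     instances:
48 |       len_payload:
49 |         value: |
50 |           len_payload_primary <= 125 ? len_payload_primary : (
51 |             len_payload_primary == 126 ? len_payload_extended_1 : len_payload_extended_2
52 |           )
53 |
54 |   initial_frame:
55 |     seq:
56 |       - id: header
57 |         type: frame_header
58 |       - id: payload_bytes
59 |         size: header.len_payload  # length is whatever the frame header declares; no upper bound is applied here
60 |         if: 'header.opcode != opcode::text'
61 |       - id: payload_text
62 |         size: header.len_payload
63 |         type: str
64 |         encoding: UTF-8
65 |         if: 'header.opcode == opcode::text'
66 |
67 |   dataframe:
68 |     seq:
69 |       - id: header
70 |         type: frame_header
71 |       - id: payload_bytes
72 |         size: header.len_payload
73 |         if: '_root.initial_frame.header.opcode != opcode::text'  # text/binary is decided by the first frame's opcode, not by this frame's own header
74 |       - id: payload_text
75 |         size: header.len_payload
76 |         type: str
77 |         encoding: UTF-8  # NOTE(review): decoded per frame; a message split in the middle of a UTF-8 sequence would presumably not decode cleanly
78 |         if: '_root.initial_frame.header.opcode == opcode::text'
79 |
80 | enums:
81 |   opcode:
82 |     0: continuation
83 |     1: text
84 |     2: binary
85 |     3: reserved_3
86 |     4: reserved_4
87 |     5: reserved_5
88 |     6: reserved_6
89 |     7: reserved_7
90 |     8: close
91 |     9: ping
92 |     0xA: pong
93 |     0xB: reserved_control_b
94 |     0xC: reserved_control_c
95 |     0xD: reserved_control_d
96 |     0xE: reserved_control_e
97 |     0xF: reserved_control_f
98 |
--------------------------------------------------------------------------------
/scientific/nt_mdt/nt_mdt_pal.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: nt_mdt_pal
3 |   file-extension: pal
4 |   endian: be
5 |   encoding: UTF-16LE
6 |   title: NT-MDT palette format
7 |   application:
8 |     - Nova
9 |     - Image Analysis
10 |     - NanoEducator
11 |   license: Unlicense
12 | doc: It is a color scheme for visualising SPM scans.
13 | seq:
14 |   - id: signature
15 |     contents: "NT-MDT Palette File 1.00!"
16 |   - id: count #?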
17 |     type: u4  # NOTE(review): unbounded u4 from the file; it drives both repeat counts below
18 |   - id: meta
19 |     type: meta
20 |     repeat: expr
21 |     repeat-expr: count
22 |   - id: something2
23 |     size: 1
24 |   - id: tables
25 |     type: col_table(_index)
26 |     repeat: expr
27 |     repeat-expr: count
28 | types:
29 |   meta:
30 |     seq:
31 |       - id: unkn00
32 |         size: 3
33 |         doc: usually 0s
34 |       - id: unkn01
35 |         size: 2
36 |       - id: unkn02
37 |         size: 1
38 |       - id: unkn03
39 |         size: 1
40 |         doc: usually 0s
41 |       - id: colors_count
42 |         type: u2le
43 |       - id: unkn10
44 |         size: 2
45 |         doc: usually 0s
46 |       - id: unkn11
47 |         size: 1
48 |         doc: usually 4
49 |       - id: unkn12
50 |         size: 2
51 |         doc: usually 0s
52 |       - id: name_size
53 |         type: u2
54 |   color:
55 |     seq:
56 |       - id: red
57 |         type: u1
58 |       - id: unkn
59 |         type: u1
60 |       - id: blue
61 |         type: u1
62 |       - id: green
63 |         type: u1
64 |
65 |   col_table:
66 |     params:
67 |       - id: index
68 |         type: u2
69 |     seq:
70 |       - id: size1
71 |         type: u1
72 |       - id: unkn
73 |         type: u1
74 |       - id: title
75 |         type: str
76 |         size: _root.meta[index].name_size  # length comes from the matching `meta` entry; index < count because both lists repeat `count` times
77 |       - id: unkn1
78 |         type: u2
79 |       - id: colors
80 |         type: color
81 |         repeat: expr
82 |         repeat-expr: _root.meta[index].colors_count-1  # NOTE(review): -1 when colors_count is 0; how a negative repeat count behaves is runtime-specific
83 |
--------------------------------------------------------------------------------
/scientific/spectroscopy/avantes_roh60.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: avantes_roh60
3 |   title: Avantes USB spectrometer ROH file 6.0
4 |   file-extension: roh
5 |   xref:
6 |     wikidata: Q29960673
7 |   license: CC0-1.0
8 |   endian: le
9 | doc: |
10 |   Avantes USB spectrometers are supplied with a Windows binary which
11 |   generates one ROH and one RCM file when the user clicks "Save
12 |   experiment". In the version of 6.0, the ROH file contains a header
13 |   of 22 four-byte floats, then the spectrum as a float array and a
14 |   footer of 3 floats. The first and last pixel numbers are specified in the
15 |   header and determine the (length+1) of the spectral data. In the tested
16 |   files, the length is (2032-211-1)=1820 pixels, but Kaitai determines this
17 |   automatically anyway.
18 |
19 |   The wavelength calibration is stored as a polynomial with coefficients
20 |   of 'wlintercept', 'wlx1', ... 'wlx4', the argument of which is the
21 |   (pixel number + 1), as found out by comparing with the original
22 |   Avantes converted data files. There is no intensity calibration saved,
23 |   but it is recommended to do it in your program - the CCD in the spectrometer
24 |   is so uneven that one should prepare exact pixel-to-pixel calibration curves
25 |   to get reasonable spectral results.
26 |
27 |   The rest of the header floats is not known to the author. Note that the
28 |   newer version of Avantes software has a different format, see also
29 |
30 |
31 |   The RCM file contains the user-specified comment, so it may be useful
32 |   for automatic conversion of data. You may wish to divide the spectra by
33 |   the integration time before comparing them.
34 |
35 |   Written and tested by Filip Dominec, 2017-2018
36 | seq:
37 |   - id: unknown1
38 |     type: f4
39 |   - id: wlintercept
40 |     type: f4
41 |   - id: wlx1
42 |     type: f4
43 |   - id: wlx2
44 |     type: f4
45 |   - id: wlx3
46 |     type: f4
47 |   - id: wlx4
48 |     type: f4
49 |   - id: unknown2
50 |     type: f4
51 |     repeat: expr
52 |     repeat-expr: 9
53 |   - id: ipixfirst
54 |     type: f4
55 |   - id: ipixlast
56 |     type: f4
57 |   - id: unknown3
58 |     type: f4
59 |     repeat: expr
60 |     repeat-expr: 4
61 |   - id: spectrum
62 |     type: f4
63 |     repeat: expr
64 |     repeat-expr: ipixlast.to_i - ipixfirst.to_i - 1  # NOTE(review): both operands are floats read from the file; nothing requires ipixlast > ipixfirst, so the count can be negative or very large
65 |   - id: integration_ms
66 |     type: f4
67 |   - id: averaging
68 |     type: f4
69 |   - id: pixel_smoothing
70 |     type: f4
71 |
--------------------------------------------------------------------------------
/serialization/asn1/asn1_der.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: asn1_der
3 |   title: ASN.1 DER (Abstract Syntax Notation One, Distinguished Encoding Rules)
4 |   file-extension: der
5 |   xref:
6 |     justsolve: DER
7 |     wikidata: Q28600469
8 |   license: CC0-1.0
9 | doc: |
10 |   ASN.1 (Abstract Syntax Notation One) DER (Distinguished Encoding
11 |   Rules) is a standard-backed serialization scheme used in many
12 |   different use-cases. Particularly popular usage scenarios are X.509
13 |   certificates and some telecommunication / networking protocols.
14 |
15 |   DER is self-describing encoding scheme which allows representation
16 |   of simple, atomic data elements, such as strings and numbers, and
17 |   complex objects, such as sequences of other elements.
18 |
19 |   DER is a subset of BER (Basic Encoding Rules), with an emphasis on
20 |   being non-ambiguous: there's always exactly one canonical way to
21 |   encode a data structure defined in terms of ASN.1 using DER.
22 |
23 |   This spec allows full parsing of format syntax, but to understand
24 |   the semantics, one would typically require a dictionary of Object
25 |   Identifiers (OIDs), to match OID bodies against some human-readable
26 |   list of constants. OIDs are covered by many different standards,
27 |   so typically it's simpler to use a pre-compiled list of them, such
28 |   as:
29 |
30 |   *
31 |   *
32 |   *
33 | doc-ref: https://www.itu.int/itu-t/recommendations/rec.aspx?rec=12483&lang=en
34 | -webide-representation: 't={type_tag}, b={body}'
35 | seq:
36 |   - id: type_tag
37 |     type: u1  # the whole identifier octet is matched against the enum; multi-octet (high-number) tags are not handled here
38 |     enum: type_tag
39 |   - id: len
40 |     type: len_encoded
41 |   - id: body
42 |     size: len.result
43 |     type:
44 |       switch-on: type_tag  # tags without a case below presumably stay raw bytes, since `size` is set
45 |       cases:
46 |         'type_tag::object_id': body_object_id
47 |         'type_tag::sequence_10': body_sequence
48 |         'type_tag::sequence_30': body_sequence
49 |         'type_tag::set': body_sequence
50 |         'type_tag::utf8string': body_utf8string
51 |         'type_tag::printable_string': body_printable_string
52 | types:
53 |   len_encoded:
54 |     -webide-representation: 'v={result:dec}'
55 |     seq:
56 |       - id: b1
57 |         type: u1
58 |       - id: int2
59 |         type: u2be
60 |         if: b1 == 0x82
61 |       - id: int1
62 |         type: u1
63 |         if: b1 == 0x81
64 |     instances:
65 |       result:
66 |         value: '(b1 == 0x81) ? int1 : ((b1 == 0x82) ? int2 : b1)'  # NOTE(review): only the short form and the 0x81 / 0x82 long forms are decoded; any other first octet with the high bit set (0x80, 0x83, 0x84, ...) is returned as the length itself, so such elements get a wrong body size
67 |         -webide-parse-mode: eager
68 |   body_sequence:
69 |     -webide-representation: '[...]'
70 |     seq:
71 |       - id: entries
72 |         type: asn1_der  # recursive: nesting depth follows the input; presumably generated parsers recurse one level per nested sequence, with no depth limit set here
73 |         repeat: eos
74 |   body_utf8string:
75 |     -webide-representation: '{str}'
76 |     seq:
77 |       - id: str
78 |         type: str
79 |         size-eos: true
80 |         encoding: UTF-8
81 |   body_printable_string:
82 |     -webide-representation: '{str}'
83 |     seq:
84 |       - id: str
85 |         type: str
86 |         size-eos: true
87 |         encoding: ASCII # actually a subset of ASCII
88 |   body_object_id:
89 |     -webide-representation: '{first:dec}.{second:dec}.{rest}'
90 |     doc-ref: https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-object-identifier
91 |     seq:
92 |       - id: first_and_second
93 |         type: u1
94 |       - id: rest
95 |         size-eos: true  # remaining arcs are left as raw bytes; they are not decoded into numbers here
96 |     instances:
97 |       first:
98 |         value: first_and_second / 40
99 |       second:
100 |         value: first_and_second % 40
101 | enums:
102 |   type_tag:
103 |     0: end_of_content
104 |     0x1: boolean
105 |     0x2: integer
106 |     0x3: bit_string
107 |     0x4: octet_string
108 |     0x5: null_value
109 |     0x6: object_id
110 |     0x7: object_descriptor
111 |     0x8: external
112 |     0x9: real
113 |     0xa: enumerated
114 |     0xb: embedded_pdv
115 |     0xc: utf8string
116 |     0xd: relative_oid
117 |     0x10: sequence_10
118 |     0x13: printable_string
119 |     0x16: ia5string
120 |     0x30: sequence_30
121 |     0x31: set
122 |
--------------------------------------------------------------------------------
/serialization/chrome_pak.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: chrome_pak
3 |   title: Chrome PAK serialization format
4 |   file-extension: pak
5 |   tags:
6 |     - archive
7 |     - serialization
8 |   license: CC0-1.0
9 |   endian: le
10 | doc: |
11 |   Format mostly used by Google Chrome and various Android apps to store
12 |   resources such as translated strings, help messages and images.
13 | doc-ref:
14 |   - https://web.archive.org/web/20220126211447/https://dev.chromium.org/developers/design-documents/linuxresourcesandlocalizedstrings # version 4
15 |   - https://chromium.googlesource.com/chromium/src/tools/grit/+/3c36f27/grit/format/data_pack.py # version 4
16 |   - https://chromium.googlesource.com/chromium/src/tools/grit/+/8a23eae/grit/format/data_pack.py # version 5
17 | seq:
18 |   - id: version
19 |     type: u4
20 |     valid:
21 |       any-of: [4, 5]  # rejects any other version up front, before the version-dependent fields are read
22 |     doc: only versions 4 and 5 are supported
23 |   - id: num_resources_v4
24 |     type: u4
25 |     if: version == 4
26 |   - id: encoding
27 |     type: u1
28 |     enum: encodings
29 |     doc: |
30 |       Character encoding of all text resources in the PAK file. Note that
31 |       the file can **always** contain binary resources, this only applies to
32 |       those that are supposed to hold text.
33 |
34 |       In practice, this will probably always be `encodings::utf8` - I haven't
35 |       seen any organic file that would state otherwise. `UTF8` is also usually
36 |       hardcoded in Python scripts from the GRIT repository that generate .pak
37 |       files (for example
38 |       [`pak_util.py:79`](https://chromium.googlesource.com/chromium/src/tools/grit/+/8a23eae/pak_util.py#79)).
39 |   - id: v5_part
40 |     type: header_v5_part
41 |     if: version == 5
42 |   - id: resources
43 |     type: resource(_index, _index < num_resources)  # has_body is false only for the extra terminating entry
44 |     repeat: expr
45 |     repeat-expr: num_resources + 1  # NOTE(review): in version 4 num_resources is an unbounded u4 from the file
46 |     doc: |
47 |       The length is calculated by looking at the offset of
48 |       the next item, so an extra entry is stored with id 0
49 |       and offset pointing to the end of the resources.
50 |   - id: aliases
51 |     type: alias
52 |     repeat: expr
53 |     repeat-expr: num_aliases
54 | instances:
55 |   num_resources:
56 |     value: 'version == 5 ? v5_part.num_resources : num_resources_v4'
57 |   num_aliases:
58 |     value: 'version == 5 ? v5_part.num_aliases : 0'
59 | types:
60 |   header_v5_part:
61 |     seq:
62 |       - id: encoding_padding
63 |         size: 3
64 |       - id: num_resources
65 |         type: u2
66 |       - id: num_aliases
67 |         type: u2
68 |   resource:
69 |     -webide-representation: '{id:dec} - o:{ofs_body} s:{len_body}'
70 |     params:
71 |       - id: idx
72 |         type: s4
73 |       - id: has_body
74 |         type: bool
75 |     seq:
76 |       - id: id
77 |         type: u2
78 |       - id: ofs_body
79 |         type: u4  # absolute offset taken from the file; not checked against the stream size here
80 |     instances:
81 |       len_body:
82 |         value: _parent.resources[idx + 1].ofs_body - ofs_body  # NOTE(review): nothing requires the offsets to be ascending, so this difference can be negative for a malformed file
83 |         if: has_body
84 |         doc: MUST NOT be accessed until the next `resource` is parsed
85 |       body:
86 |         pos: ofs_body
87 |         size: len_body
88 |         if: has_body
89 |         doc: MUST NOT be accessed until the next `resource` is parsed
90 |   alias:
91 |     -webide-representation: '{id:dec} -> resources[{resource_idx:dec}] ({resource})'
92 |     seq:
93 |       - id: id
94 |         type: u2
95 |       - id: resource_idx
96 |         type: u2
97 |         valid:
98 |           max: _parent.num_resources - 1  # keeps the `resources[resource_idx]` lookup below in range and off the terminating entry
99 |     instances:
100 |       resource:
101 |         value: _parent.resources[resource_idx]
102 | enums:
103 |   encodings:
104 |     0:
105 |       id: binary
106 |       doc: file is not expected to contain any text resources
107 |     1:
108 |       id: utf8
109 |       doc: all text resources are encoded in UTF-8
110 |     2:
111 |       id: utf16
112 |       doc: all text resources are encoded in UTF-16
113 |
--------------------------------------------------------------------------------
/serialization/google_protobuf.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: google_protobuf
3 |   title: Google Protocol Buffers (protobuf)
4 |   xref:
5 |     justsolve: Protobuf
6 |     wikidata: Q1645574
7 |   license: MIT
8 |   ks-version: 0.7
9 |   imports:
10 |     - /common/vlq_base128_le
11 | doc: |
12 |   Google Protocol Buffers (AKA protobuf) is a popular data
13 |   serialization scheme used for communication protocols, data storage,
14 |   etc. There are implementations are available for almost every
15 |   popular language. The focus points of this scheme are brevity (data
16 |   is encoded in a very size-efficient manner) and extensibility (one
17 |   can add keys to the structure, while keeping it readable in previous
18 |   version of software).
19 |
20 |   Protobuf uses semi-self-describing encoding scheme for its
21 |   messages. It means that it is possible to parse overall structure of
22 |   the message (skipping over fields one can't understand), but to
23 |   fully understand the message, one needs a protocol definition file
24 |   (`.proto`). To be specific:
25 |
26 |   * "Keys" in key-value pairs provided in the message are identified
27 |     only with an integer "field tag". `.proto` file provides info on
28 |     which symbolic field names these field tags map to.
29 |   * "Keys" also provide something called "wire type". It's not a data
30 |     type in its common sense (i.e. you can't, for example, distinguish
31 |     `sint32` vs `uint32` vs some enum, or `string` from `bytes`), but
32 |     it's enough information to determine how many bytes to
33 |     parse. Interpretation of the value should be done according to the
34 |     type specified in `.proto` file.
35 |   * There's no direct information on which fields are optional /
36 |     required, which fields may be repeated or constitute a map, what
37 |     restrictions are placed on fields usage in a single message, what
38 |     are the fields' default values, etc, etc.
39 | doc-ref: https://protobuf.dev/programming-guides/encoding/
40 | seq:
41 |   - id: pairs
42 |     type: pair
43 |     repeat: eos
44 |     doc: Key-value pairs which constitute a message
45 | types:
46 |   pair:
47 |     doc: Key-value pair
48 |     seq:
49 |       - id: key
50 |         type: vlq_base128_le
51 |         doc: |
52 |           Key is a bit-mapped variable-length integer: lower 3 bits
53 |           are used for "wire type", and everything higher designates
54 |           an integer "field tag".
55 |       - id: value
56 |         doc: |
57 |           Value that corresponds to field identified by
58 |           `field_tag`. Type is determined approximately: there is
59 |           enough information to parse it unambiguously from a stream,
60 |           but further infromation from `.proto` file is required to
61 |           interprete it properly.
62 |         type:
63 |           switch-on: wire_type
64 |           cases:  # NOTE(review): no case for group_start / group_end (3, 4) or for the values 6 and 7 that 3 bits can also hold; for those keys `value` is presumably not read
65 |             'wire_types::varint': vlq_base128_le
66 |             'wire_types::len_delimited': delimited_bytes
67 |             'wire_types::bit_64': u8le
68 |             'wire_types::bit_32': u4le
69 |     instances:
70 |       wire_type:
71 |         value: 'key.value & 0b111'
72 |         enum: wire_types
73 |         doc: |
74 |           "Wire type" is a part of the "key" that carries enough
75 |           information to parse value from the wire, i.e. read correct
76 |           amount of bytes, but there's not enough informaton to
77 |           interprete in unambiguously. For example, one can't clearly
78 |           distinguish 64-bit fixed-sized integers from 64-bit floats,
79 |           signed zigzag-encoded varints from regular unsigned varints,
80 |           arbitrary bytes from UTF-8 encoded strings, etc.
81 |       field_tag:
82 |         value: 'key.value >> 3'
83 |         doc: |
84 |           Identifies a field of protocol. One can look up symbolic
85 |           field name in a `.proto` file by this field tag.
86 |     enums:
87 |       wire_types:
88 |         0: varint
89 |         1: bit_64
90 |         2: len_delimited
91 |         3: group_start
92 |         4: group_end
93 |         5: bit_32
94 |   delimited_bytes:
95 |     seq:
96 |       - id: len
97 |         type: vlq_base128_le
98 |       - id: body
99 |         size: len.value  # length is a varint taken from the input, with no upper bound applied here; kept as raw bytes (nested messages are not parsed)
100 |
--------------------------------------------------------------------------------
/windows/windows_shell_items.ksy:
--------------------------------------------------------------------------------
1 | meta:
2 |   id: windows_shell_items
3 |   title: Windows Shell Items
4 |   xref:
5 |     forensicswiki: shell_item
6 |   license: CC0-1.0
7 |   endian: le
8 | doc: |
9 |   Windows Shell Items (AKA "shellbags") is an undocumented set of
10 |   structures used internally within Windows to identify paths in
11 |   Windows Folder Hierarchy.
It is widely used in Windows Shell (and 12 | most visible in File Explorer), both as in-memory and in-file 13 | structures. Some formats embed them, namely: 14 | 15 | * Windows Shell link files (.lnk) Windows registry 16 | * Windows registry "ShellBags" keys 17 | 18 | The format is mostly undocumented, and is known to vary between 19 | various Windows versions. 20 | doc-ref: https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc 21 | seq: 22 | - id: items 23 | -orig-id: IDList 24 | type: shell_item 25 | repeat: until 26 | repeat-until: _.len_data == 0 27 | doc-ref: 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK].pdf Section 2.2.1' 28 | types: 29 | shell_item: 30 | -orig-id: ItemID 31 | doc-ref: 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK].pdf Section 2.2.2' 32 | seq: 33 | - id: len_data 34 | type: u2 35 | - id: data 36 | size: len_data - 2 37 | type: shell_item_data 38 | if: len_data >= 2 39 | shell_item_data: 40 | seq: 41 | - id: code 42 | type: u1 43 | - id: body1 44 | type: 45 | switch-on: code 46 | cases: 47 | 0x1f: root_folder_body 48 | - id: body2 49 | type: 50 | switch-on: code & 0x70 51 | cases: 52 | 0x20: volume_body 53 | 0x30: file_entry_body 54 | root_folder_body: 55 | doc-ref: 'https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#32-root-folder-shell-item' 56 | seq: 57 | - id: sort_index 58 | type: u1 59 | - id: shell_folder_id 60 | size: 16 61 | # TODO: various extensions 62 | volume_body: 63 | doc-ref: 'https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#33-volume-shell-item' 64 | seq: 65 | - id: flags 66 | type: u1 67 | file_entry_body: 68 | doc-ref: 'https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#34-file-entry-shell-item' 69 | seq: 70 | - type: u1 71 | - id: 
file_size 72 | type: u4 73 | - id: last_mod_time 74 | type: u4 75 | - id: file_attrs 76 | type: u2 77 | instances: 78 | is_dir: 79 | value: _parent.code & 0x01 != 0 80 | is_file: 81 | value: _parent.code & 0x02 != 0 82 | -------------------------------------------------------------------------------- /windows/windows_systemtime.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: windows_systemtime 3 | title: Microsoft Windows SYSTEMTIME structure 4 | xref: 5 | justsolve: Windows_SYSTEMTIME 6 | license: CC0-1.0 7 | endian: le 8 | doc: | 9 | Microsoft Windows SYSTEMTIME structure, stores individual components 10 | of date and time as individual fields, up to millisecond precision. 11 | doc-ref: https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-systemtime 12 | seq: 13 | - id: year 14 | -orig-id: wYear 15 | type: u2 16 | doc: Year 17 | - id: month 18 | -orig-id: wMonth 19 | type: u2 20 | doc: Month (January = 1) 21 | - id: dow 22 | -orig-id: wDayOfWeek 23 | type: u2 24 | doc: Day of week (Sun = 0) 25 | - id: day 26 | -orig-id: wDay 27 | type: u2 28 | doc: Day of month 29 | - id: hour 30 | -orig-id: wHour 31 | type: u2 32 | doc: Hours 33 | - id: min 34 | -orig-id: wMinute 35 | type: u2 36 | doc: Minutes 37 | - id: sec 38 | -orig-id: wSecond 39 | type: u2 40 | doc: Seconds 41 | - id: msec 42 | -orig-id: wMilliseconds 43 | type: u2 44 | doc: Milliseconds 45 | --------------------------------------------------------------------------------