
Change in Hash values

7 Posts
3 Users
0 Likes
330 Views
 indi
(@indi)
Posts: 51
Trusted Member
Topic starter
 

Hi,

I have rooted my device. I pulled /data/data/ at two instances and hashed recursively. I noticed the hash values are different for some files.

When I analysed the differences I realized there should be a difference in some files; for example, since the device clock is running, the screen launch .png file hashes have to be different in the 2 instances.

As I did not use the device between the 2 pulls there shouldn't be changes in other user applications. For example, I made no changes to the device contact list. But still there is a difference in hashes.

com.android.providers.contacts/databases/contacts2.db-wal
com.android.providers.contacts/databases/contacts2.db-shm
com.android.providers.contacts/databases/contacts2.db etc.

What could be the reason for this? Is there any way for me to analyse these changes?

Thank you

 
Posted : 16/08/2014 11:31 am
(@mscotgrove)
Posts: 938
Prominent Member
 

The first thing I would do would be a binary compare of the two files.

From DOS: fc /b <file1> <file2>

You can see the size of the difference. If it is just a few bytes you might determine if it is a date change, i.e. look at the location that is different with a hex viewer.

Are the files the same length?

A different hash value just indicates that the files are not (100%) identical.

 
Posted : 16/08/2014 11:59 am
 indi
(@indi)
Posts: 51
Trusted Member
Topic starter
 

I dumped the SQLite contact.db and noted the difference. In contact.db there is a table called groups which stores contact groups (family, friends, coworkers etc).

In the insert statements 'version' has been increased from 51 to 53. I rebooted the device in between pulls.

I searched the internet but was unable to find out what this version means in the group table. Why has it been increased?

Further, there are different hash values for the com.android.providers.contacts/database/profile.db files in the 2 instances.

When I dumped it and compared, there was no difference, and the diff command also did not show any difference between the files.

What could be the reason?

API Level is 15 Android version is 4.0.3

 
Posted : 16/08/2014 9:29 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

If the hash values are different, so are the files - OR - you are not hashing what you think you are hashing - OR - you are testing the wrong files (eg same name different directory is my common mistake).

Try the DOS compare I suggested.

 
Posted : 16/08/2014 11:55 pm
 indi
(@indi)
Posts: 51
Trusted Member
Topic starter
 

I created a hexdump of the sqlite.db files and compared the two files. The difference is in the file header at offsets:
28 - Size of the database file in pages. The "in-header database size".
96 - SQLITE_VERSION_NUMBER.

I noticed these bit differences in several other sqlite.db files.

But I still would like to know: is the header rewritten on some occasions? Any idea about possible reasons for the change?

Thank you!

 
Posted : 18/08/2014 12:30 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

But I still would like to know: is the header rewritten on some occasions? Any idea about possible reasons for the change?

The header should only be written when SQLite is running. So my guess is that one or more applications (that write to these specific databases) are running in the background.

Simply browsing through a few web sites can cause changes in (for example) the cookies and places sqlite files.

Simply restarting the phone could cause the different applications to run, and there are many reasons that a database might be updated on application start, not least of which is SQLite finding a WAL file that hadn't been checkpointed, which would then be written to the main sqlite table.

However, you refer to offset 96 of the main SQLite database header. This 4-byte big-endian integer refers to the last version of SQLite to write to this database. In normal use this should only be changed if the SQLite library has been updated. And the db size at offset 28 should only change if the database size has changed. Both of which indicate that something more has happened, i.e. the SQLite library has been updated AND something has been added to or deleted from the database.

This is of course supported by your previous comment that new tables have been inserted and that you are rebooting the device. And it sounds like one or more applications have contacted their home server and updated in the background.

 
Posted : 18/08/2014 3:53 pm
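
Added example, not part of the thread and not any poster's code: a Python script that reads the header fields discussed above (offsets 28 and 96, plus the file change counter at 24 and the version-valid-for number at 92) from two pulls of the same database, then reports which fields changed and whether any byte past the 100-byte header differs. The make_db helper, the sample databases and the version values are constructed for illustration.

```python
import struct

# Selected 4-byte big-endian fields of the 100-byte SQLite database header
# (offsets as given in the SQLite file format documentation).
FIELDS = {
    24: "file change counter",
    28: "in-header database size (pages)",
    40: "schema cookie",
    92: "version-valid-for number",
    96: "SQLITE_VERSION_NUMBER",
}
MAGIC = b"SQLite format 3\x00"

def parse_header(data):
    """Return {offset: value} for the fields above; reject non-SQLite input."""
    if len(data) < 100 or data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database header")
    return {off: struct.unpack_from(">I", data, off)[0] for off in FIELDS}

def version_string(n):
    """Decode SQLITE_VERSION_NUMBER (X*1000000 + Y*1000 + Z) to 'X.Y.Z'."""
    return f"{n // 1000000}.{n // 1000 % 1000}.{n % 1000}"

def compare(a, b):
    """Return (changed header fields, True if bytes past the header differ)."""
    ha, hb = parse_header(a), parse_header(b)
    changed = {FIELDS[o]: (ha[o], hb[o]) for o in FIELDS if ha[o] != hb[o]}
    return changed, a[100:] != b[100:]

def make_db(counter, pages, version, body=b""):
    """Constructed sample: minimal header, 1024-byte pages, zero-padded body."""
    h = bytearray(100)
    h[:16] = MAGIC
    struct.pack_into(">H", h, 16, 1024)
    for off, val in ((24, counter), (28, pages), (92, counter), (96, version)):
        struct.pack_into(">I", h, off, val)
    return bytes(h) + body.ljust(pages * 1024 - 100, b"\x00")

if __name__ == "__main__":
    first = make_db(7, 2, 3007004, b"row-A")    # constructed "first pull"
    second = make_db(9, 3, 3007011, b"row-A")   # constructed "second pull"
    changed, body_differs = compare(first, second)
    for name, (old, new) in changed.items():
        print(f"{name}: {old} -> {new}")
    print("bytes past the header differ:", body_differs)
```

To use it on real pulls, read each copy with open(path, "rb").read() and pass the two byte strings to compare().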
 indi
(@indi)
Posts: 51
Trusted Member
Topic starter
 

Thank you very much for the nice explanation :)

 
Posted : 23/08/2014 8:49 am