#--------------------------Firmware Formats--------------------------- # uImage file # From: Craig Heffner, U-Boot image.h header definitions file 0 ubelong 0x27051956 uImage header, header size: 64 bytes, >4 ubelong x header CRC: 0x%X, >8 ubedate x created: %s, >12 belong <1 {invalid} >12 ubelong x image size: %d bytes, >16 ubelong x Data Address: 0x%X, >20 ubelong x Entry Point: 0x%X, >24 ubelong x data CRC: 0x%X, >28 byte 0 OS: {invalid}invalid OS, >28 byte 1 OS: OpenBSD, >28 byte 2 OS: NetBSD, >28 byte 3 OS: FreeBSD, >28 byte 4 OS: 4.4BSD, >28 byte 5 OS: Linux, >28 byte 6 OS: SVR4, >28 byte 7 OS: Esix, >28 byte 8 OS: Solaris, >28 byte 9 OS: Irix, >28 byte 10 OS: SCO, >28 byte 11 OS: Dell, >28 byte 12 OS: NCR, >28 byte 13 OS: LynxOS, >28 byte 14 OS: VxWorks, >28 byte 15 OS: pSOS, >28 byte 16 OS: QNX, >28 byte 17 OS: Firmware, >28 byte 18 OS: RTEMS, >28 byte 19 OS: ARTOS, >28 byte 20 OS: Unity OS, >29 byte 0 CPU: {invalid}invalid CPU, >29 byte 1 CPU: Alpha, >29 byte 2 CPU: ARM, >29 byte 3 CPU: Intel x86, >29 byte 4 CPU: IA64, >29 byte 5 CPU: MIPS, >29 byte 6 CPU: MIPS 64 bit, >29 byte 7 CPU: PowerPC, >29 byte 8 CPU: IBM S390, >29 byte 9 CPU: SuperH, >29 byte 10 CPU: Sparc, >29 byte 11 CPU: Sparc 64 bit, >29 byte 12 CPU: M68K, >29 byte 13 CPU: Nios-32, >29 byte 14 CPU: MicroBlaze, >29 byte 15 CPU: Nios-II, >29 byte 16 CPU: Blackfin, >29 byte 17 CPU: AVR, >29 byte 18 CPU: STMicroelectronics ST200, >30 byte 0 image type: {invalid} Image, >30 byte 1 image type: Standalone Program, >30 byte 2 image type: OS Kernel Image, >30 byte 3 image type: RAMDisk Image, >30 byte 4 image type: Multi-File Image, >30 byte 5 image type: Firmware Image, >30 byte 6 image type: Script file, >30 byte 7 image type: Filesystem Image, >30 byte 8 image type: Binary Flat Device Tree Blob >31 byte 0 compression type: none, >31 byte 1 compression type: gzip, >31 byte 2 compression type: bzip2, >31 byte 3 compression type: lzma, >32 string x image name: "%.32s" # Hilink encrypted uImage firmware. # Additional validation/processing is done by the hilink.py plugin. 0x23 string \x4A\x52\xCA\xDA Encrypted Hilink uImage firmware header #IMG0 header, found in VxWorks-based Mercury router firmware 0 string IMG0 IMG0 (VxWorks) header, >4 belong <1 {invalid} >4 belong x size: %d #Mediatek bootloader signature #From xp-dev.com 0 string BOOTLOADER! Mediatek bootloader # CSR DFU Image, References: # Bluez dfutool # Andrea Bittau's CSR Tools http://darkircop.org/bt/ 0 string CSR-dfu2 CSR (XAP2) DFU firmware update header >8 uleshort >3 {invalid} # version consistently observed 0 string CSRbcfw1 CSR Bluecore firmware segment >18 uleshort !1 {invalid} # version consistently observed #CSYS header formats 0 string CSYS\x00 CSYS header, little endian, >8 lelong x size: %d 0 string CSYS\x80 CSYS header, big endian, >8 belong x size: %d # wrgg firmware image 0 string wrgg02 WRGG firmware header, >6 string x name: "%s", >48 string x root device: "%s" # trx image file 0 string HDR0 TRX firmware header, little endian, >4 lelong <1 {invalid} >4 ulelong x image size: %d bytes, >8 ulelong x CRC32: 0x%X, >12 uleshort x flags: 0x%X, >14 uleshort !1 >>14 uleshort !2 {invalid} >14 uleshort 2 version: %d, header size: 32 bytes, >>16 ulelong x loader offset: 0x%X, >>20 ulelong x linux kernel offset: 0x%X, >>24 ulelong x rootfs offset: 0x%X, >>28 ulelong x bin-header offset: 0x%X >14 uleshort 1 version: %d, header size: 28 bytes, >>16 ulelong x loader offset: 0x%X, >>20 ulelong x linux kernel offset: 0x%X, >>24 ulelong x rootfs offset: 0x%X 14 string U2ND BIN-Header, >4 ulelong !0 {invalid} >22 string !\x00*10 {invalid} >0 string x board ID: %.4s, >18 ubyte 0 hardware version: 4702, >18 ubyte 1 hardware version: 4712, >18 ubyte 2 hardware version: 4712L, >18 ubyte 3 hardware version: 4704, >18 ubyte >3 hardware version: unknown (code: 0x%.2X), >11 ubyte x firmware version: %d. >12 ubyte x \b%d. >12 ubyte x \b%d, >8 ubyte <80 >>8 ubyte x build date: 20%.2d- >8 ubyte >79 >>8 ubyte x build date: 19%.2d- >9 ubyte x \b%.2d- >10 ubyte x \b%.2d # Ubicom firmware image 0 belong 0xFA320080 Ubicom firmware header, >12 ubelong x checksum: 0x%X, >24 belong <0 {invalid} >24 belong x image size: %d # The ROME bootloader is used by several RealTek-based products. # Unfortunately, the magic bytes are specific to each product, so # separate signatures must be created for each one. # Netgear KWGR614 ROME image 0 string G614 Realtek firmware header, ROME bootloader, >4 beshort 0xd92f image type: KFS, >4 beshort 0xb162 image type: RDIR, >4 beshort 0xea43 image type: BOOT, >4 beshort 0x8dc9 image type: RUN, >4 beshort 0x2a05 image type: CCFG, >4 beshort 0x6ce8 image type: DCFG, >4 beshort 0xc371 image type: LOG, >6 byte x header version: %d, >10 ubyte >12 {invalid} month >12 ubyte >31 {invalid} day >8 ubyte >3000 {invalid} year #month >10 byte x created: %d/ #day >12 byte x \b%d/ #year >8 beshort x \b%d, >16 belong x image size: %d bytes, >22 ubyte x body checksum: 0x%X, >23 ubyte x header checksum: 0x%X # Linksys WRT54GX ROME image 0 belong 0x59a0e842 Realtek firmware header, ROME bootloader, >4 ubeshort 0xd92f image type: KFS, >4 ubeshort 0xb162 image type: RDIR, >4 ubeshort 0xea43 image type: BOOT, >4 ubeshort 0x8dc9 image type: RUN, >4 ubeshort 0x2a05 image type: CCFG, >4 ubeshort 0x6ce8 image type: DCFG, >4 ubeshort 0xc371 image type: LOG, >6 byte x header version: %d, >10 ubyte >12 {invalid}invalid month >12 ubyte >31 {invalid}invalid day >8 ubyte >3000 {invalid}invalid year #month >10 byte x created: %d/ #day >12 byte x \b%d/ #year >8 beshort x \b%d, >16 belong x image size: %d bytes, >22 ubyte x body checksum: 0x%X, >23 ubyte x header checksum: 0x%X # PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images. 0 string --PaCkImGs PackImg section delimiter tag, >10 string !-- {invalid} # If the size in both big and little endian is greater than 512MB, consider this a false positive >16 ulelong >0x20000000 >>16 ubelong >0x20000000 {invalid} >16 lelong <0 >>16 belong <0 {invalid} >16 lelong >0 >>16 lelong x little endian size: %d bytes; >16 belong >0 >>16 belong x big endian size: %d bytes #------------------------------------------------------------------------------ # Broadcom header format # 0 string BCRM Broadcom header, >4 lelong <0 {invalid} >4 lelong x number of sections: %d, >>8 lelong 18 first section type: flash >>8 lelong 19 first section type: disk >>8 lelong 21 first section type: tag # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # http://ftg.lbl.gov/checkpoint 0 string Ck0\0\0R\0\0\0 BLCR >16 lelong 0 {invalid} >16 ulelong >7 {invalid} >16 lelong 1 x86 >16 lelong 3 alpha >16 lelong 5 x86-64 >16 lelong 7 ARM >8 lelong x context data (little endian, version %d) 0 string \0\0\0C\0\0\0R BLCR >16 lelong <2 {invalid} >16 ulelong >8 {invalid} >16 belong 2 SPARC >16 belong 4 ppc >16 belong 6 ppc64 >16 belong 7 ARMEB >16 belong 8 SPARC64 >8 belong x context data (big endian, version %d) # Aculab VoIP firmware # From: Mark Brown 0 string VoIP\x20Startup\x20and Aculab VoIP firmware >35 string x format "%s" #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file 0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From Albert Cahalan # really le32 operation,destination,payloadsize (but quite predictable) # 01 00 00 00 00 00 00 c0 00 02 00 00 0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion. # Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom >38 string x V%.4s # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string CRfs COBALT boot rom data (Flat boot rom or file system) # # Motorola S-Records, from Gerd Truschinski # Improved by Martin Sundhaug 0 regex (S[0-35-9]([0-9A-F]{4})([0-9A-F]{2})+\n)+ Motorola S-Record{many}; binary data in text format, record type: >1 string 0 header >1 string 1 data (16-bit) >1 string 2 data (24-bit) >1 string 3 data (32-bit) >1 string 4 reserved >1 string 5 count (16-bit) >1 string 6 count (24-bit) >1 string 7 start address (32-bit) >1 string 8 start address (24-bit) >1 string 9 start address (16-bit) #Windows CE Binary Image Data Format aka B000FF #More information on the format: #http://msdn.microsoft.com/en-us/library/ms924510.aspx #http://forum.xda-developers.com/showthread.php?t=801167 0 string B000FF Windows CE image header, >7 ulelong x image start: 0x%X, >11 ulelong x image length: %d >11 ulelong x {size:%d} #Windows CE RomImage 63 string \x00ECEC Windows CE memory segment header, >4 ulelong x TOC address: 0x%X # -------------------------------- # ZynOS ROM header format # From openwrt zynos.h. 6 string SIG ZynOS header, header size: 48 bytes, >3 byte <0x7F rom image type: >>3 byte <1 {invalid}, >>3 byte >7 {invalid}, >>3 byte 1 ROMIMG, >>3 byte 2 ROMBOOT, >>3 byte 3 BOOTEXT, >>3 byte 4 ROMBIN, >>3 byte 5 ROMDIR, >>3 byte 6 6, >>3 byte 7 ROMMAP, >3 byte >0x7F ram image type: >>3 byte >0x82 {invalid}, >>3 byte 0x80 RAM, >>3 byte 0x81 RAMCODE, >>3 byte 0x82 RAMBOOT, >4 ubelong >0x40000000 {invalid} >4 belong <0 {invalid} >4 belong 0 {invalid} >4 belong x uncompressed size: %d, >8 belong >0x40000000 {invalid} >8 belong <0 {invalid} >8 belong 0 {invalid} >8 belong x compressed size: %d, >14 ubeshort x uncompressed checksum: 0x%X, >16 ubeshort x compressed checksum: 0x%X, >12 ubyte x flags: 0x%X, >12 byte &0x40 uncompressed checksum is valid, >12 ubyte &0x80 the binary is compressed, >>12 byte &0x20 compressed checksum is valid, >35 ubelong x memory map table address: 0x%X # Firmware header used by some VxWorks-based Cisco products 0 string CI032.00 Cisco VxWorks firmware header, >8 lelong >1024 {invalid} >8 lelong <0 {invalid} >8 lelong x header size: %d bytes, >32 lelong >1024 {invalid} >32 lelong <0 {invalid} >32 lelong x number of files: %d, >48 lelong <0 {invalid} >48 lelong x image size: %d, >64 string x firmware version: "%s" # Simple VxWorks reference strings #0 string VxWorks VxWorks string referece: #>0 string x "%s" #0 string vxworks VxWorks string referece: #>0 string x "%s" #0 string VXWORKS VxWorks string referece: #>0 string x "%s" # Firmware header used by some TV's 0 string FNIB ZBOOT firmware header, header size: 32 bytes, >8 ulelong x load address: 0x%.8X, >12 ulelong x start address: 0x%.8X, >16 ulelong x checksum: 0x%.8X, >20 ulelong x version: 0x%.8X, >24 lelong <1 {invalid} >24 ulelong x image size: %d bytes # Firmware header used by several D-Link routers (and probably others) 0 string \x5e\xa3\xa4\x17 DLOB firmware header,{jump:108} >(7.b+12) string !\x5e\xa3\xa4\x17 {invalid}, #>>12 string x %s, >(7.b+40) string x boot partition: "%s" # TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format 4 string TP-LINK\x20Technologies TP-Link firmware header, #>-4 lelong x header version: %d, >0x94 beshort x firmware version: %d. >0x96 beshort x \b%d. >0x98 beshort x \b%d, >0x18 string x image version: "%s", #>0x74 belong x image size: %d bytes, >0x3C belong x product ID: 0x%X, >0x40 belong x product version: %d, >0x70 ubelong x kernel load address: 0x%X, >0x74 ubelong x kernel entry point: 0x%X, >0x7C ubelong x kernel offset: %d, >0x80 ubelong x kernel length: %d, >0x84 ubelong x rootfs offset: %d, >0x88 ubelong x rootfs length: %d, >0x8C ubelong x bootloader offset: %d, >0x90 ubelong x bootloader length: %d # Header format from: http://skaya.enix.org/wiki/FirmwareFormat 0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256, >4 string !Broadcom >>4 string !\x20\x20\x20\x20 {invalid} >41 beshort !0x2020 >>41 beshort !0x0000 >>>41 string x firmware version: "%.4s", >45 beshort !0x0202 >>45 beshort !0x0000 >>>45 string x board id: "%s", >236 ubelong x ~CRC32 header checksum: 0x%X, >216 ubelong x ~CRC32 data checksum: 0x%X # Xerox MFP DLM signatures 0 string %%XRXbegin Xerox DLM firmware start of header 0 string %%OID_ATT_DLM_NAME Xerox DLM firmware name: >19 string x "%s" 0 string %%OID_ATT_DLM_VERSION Xerox DLM firmware version: >22 string x "%s" 0 string %%XRXend Xerox DLM firmware end of header # Generic copyright signature 0 string Copyright Copyright string: >9 byte 0 {invalid} >0 string x "%s" 0 string copyright Copyright string: >9 byte 0 {invalid} >0 string x "%s" # Sercomm firmware header 0 string sErCoMm Sercomm firmware signature, >7 uleshort x version control: %d, >9 uleshort x download control: %d, >11 byte 0 {invalid} >11 string x hardware ID: "%s", >44 uleshort x hardware version: 0x%X, >58 uleshort x firmware version: 0x%X, >60 uleshort x starting code segment: 0x%X, >62 uleshort x code size: 0x%X # NPK firmware header, used by Mikrotik 0 belong 0x1EF1D0BA NPK firmware header, >4 lelong <0 {invalid} >4 lelong x image size: %d, >14 string x image name: "%s", >(48.l+58) string x description: "%s" # Ubiquiti firmware signatures 0 string UBNT Ubiquiti firmware header, header size: 264 bytes, >0x108 belong !0 {invalid}, >0x104 ubelong x ~CRC32: 0x%X, >4 byte 0 {invalid}, >4 string x version: "%s" 0 string GEOS Ubiquiti firmware header, header size: 264 bytes, >0x108 belong !0 {invalid}, >0x104 ubelong x ~CRC32: 0x%X, >4 byte 0 {invalid}, >4 string x version: "%s" 0 string OPEN Ubiquiti firmware header, third party, >0x108 belong !0 {invalid}, >0x104 ubelong x ~CRC32: 0x%X, >4 byte 0 {invalid}, >4 string x version: "%s" -4 string \x00\x00\x00\x00PART Ubiquiti partition header, >0 byte x header size: 56 bytes, >0 byte 0 {invalid} >0 string x name: "%s", >40 ubelong x base address: 0x%.8X, >48 belong x data size: %d bytes{size:%d} -4 string \x00\x00\x00\x00END\x2e Ubiquiti end header, header size: 12 bytes, >8 belong !0 {invalid}, >4 ubelong x cumulative ~CRC32: 0x%.8X -4 string \x00\x00\x00\x00ENDS Signed Ubiquiti end header, RSA 2048 bit, header size: 264 bytes >260 ubelong !0 {invalid} # Ubiquiti additional data -4 string \x00\x00\x00\x00EXEC Ubiquiti firmware additional data, # Non-empty string (16 bytes max) >4 byte 0 {invalid} >4 string x name: %s, # Size of attached data >48 ubelong x size: %d bytes, # Size, again >52 ubelong x size2: %d bytes, # CRC32 of header + data >>(48.L+56) ubelong x CRC32: %x # Padding >>(48.L+60) ubelong !0 {invalid} # Found in DIR-100 firmware 0 string AIH0 AIH0 firmware header, header size: 48, >12 ubelong 0 {invalid} >12 ubelong+48 x {size:%d} >12 ubelong x data size: %d, >8 ubelong !0 executable code, >>8 ubelong&3 !0 {invalid} >>8 ubelong x load address: 0x%X, >32 string x version: "%s" 0 belong 0x5EA3A417 SEAMA firmware header, big endian, >4 beshort !0 {invalid} >6 beshort x meta size: %d, >8 belong <1 {invalid} >8 belong x image size: %d 0 lelong 0x5EA3A417 SEAMA firmware header, little endian, >4 leshort !0 {invalid} >6 leshort x meta size: %d, >8 lelong <1 {invalid} >8 lelong x image size: %d 0 belong 0x4D544443 NSP firmware header, big endian, >16 belong <1 {invalid} >16 belong x header size: %d, >20 belong <1 {invalid} >20 belong x image size: %d, >20 belong x {size:%d} >4 belong <1 {invalid} >4 ubelong x kernel offset: %d, >12 belong <1 {invalid} >12 belong x header version: %d, 0 lelong 0x4D544443 NSP firmware header, little endian, >16 lelong <1 {invalid} >16 lelong x header size: %d, >20 lelong <1 {invalid} >20 lelong x image size: %d, >20 lelong x {size:%d} >4 lelong <1 {invalid} >4 ulelong x kernel offset: %d, >12 lelong <1 {invalid} >12 lelong x header version: %d, # http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure 0 string WizFwPkgl Beyonwiz firmware header, >20 string x version: "%s" 0 string BLI223WJ0 Thompson/Alcatel encoded firmware, >32 byte x version: %d. >33 byte x \b%d. >34 byte x \b%d. >35 byte x \b%d, >44 belong x size: %d, >48 ubelong x crc: 0x%.8X, >35 byte x try decryption tool from: >35 byte x http://web.archive.org/web/20130929103301/http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/ # http://android.stackexchange.com/questions/23357/\ # is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ # 23608#23608 0 string ANDROID\040BACKUP\n Android Backup >15 string 1\n \b, version 1 >17 string 0\n \b, uncompressed >17 string 1\n \b, compressed >19 string none\n \b, unencrypted >19 string AES-256\n \b, encrypted AES-256 # https://github.com/omnirom/android_bootable_recovery/blob/android-7.1/adbbu/twadbstream.h 0 string TWRP\x00\x00\x00\x00 TWRP Backup, >0x8 string twstreamheader\x00\x00 AdbBackupStreamHeader, >>0x2C string \x00*468 >>0x18 ulequad x TWRP Parititon Count: %d, >>0x20 ulequad x ADB Backup Version: %d, >>0x28 ubelong x CRC32 data checksum: 0x%X >0x8 string twfilename\x00\x00\x00\x00\x00\x00 twfilehdr (twfilename), >>0x18 ulequad x Size: %d, >>0x20 ulequad x Compressed: %d, >>0x28 ubelong x CRC32 data checksum: 0x%X, >>0x2C string x Filename: %s{jump:468} >0x8 string twimage\x00\x00\x00\x00\x00\x00\x00\x00\x00 twfilehdr (twimage), >>0x18 ulequad x Size: %d, >>0x20 ulequad x Compressed: %d, >>0x28 ubelong x CRC32 data checksum: 0x%X, >>0x2C string x Filename: %s{jump:468} >0x8 string md5trailer\x00\x00\x00\x00\x00\x00 AdbBackupFileTrailer, >>0x48 string \x00*440 >>0x18 ubelong x zlib CRC32 data checksum: 0x%X, >>0x1C ubelong x CRC32 data checksum: 0x%X, >>0x20 string x MD5: %s, >0x8 string twendadb\x00\x00\x00\x00\x00\x00\x00\x00 AdbBackupControlType (twendadb), >>0x18 ubelong x CRC32 data checksum: 0x%X >>0x1C string \x00*484 >0x8 string tweof\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 AdbBackupControlType (tweof), >>0x18 ubelong x CRC32 data checksum: 0x%X >>0x1C string \x00*484 >0x8 string twverifymd5\x00\x00\x00\x00\x00 AdbBackupControlType (twverifymd5), >>0x18 ubelong x CRC32 data checksum: 0x%X >>0x1C string \x00*484 >0x8 string twdatablock\x00\x00\x00\x00\x00 AdbBackupControlType (twdatablock), >>0x18 ubelong x CRC32 data checksum: 0x%X >>0x1C string \x00*484 >0x8 string twerror\x00\x00\x00\x00\x00\x00\x00\x00\x00 AdbBackupControlType (twerror), >>0x18 ubelong x CRC32 data checksum: 0x%X >>0x1C string \x00*484 # http://forum.xda-developers.com/showthread.php?p=47818657 8 string imgARMcC Roku aimage SB # Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged Sun/COBALT boot rom, >38 string x version: "%.4s" # ZyXEL config signatures 6 string dbgarea ZyXEL rom-0 configuration block, name: "%s", >16 ubeshort x compressed size: %d, >14 ubeshort x uncompressed size: %d, >18 ubeshort+16 x data offset from start of block: %d 6 string spt.dat ZyXEL rom-0 configuration block, name: "%s", >16 ubeshort x compressed size: %d, >14 ubeshort x uncompressed size: %d, >18 ubeshort+16 x data offset from start of block: %d 6 string autoexec.net ZyXEL rom-0 configuration block, name: "%s", >16 ubeshort x compressed size: %d, >14 ubeshort x uncompressed size: %d, >18 ubeshort+16 x data offset from start of block: %d # Obfuscated Arcadyan firmware 0x68 string \x00\xD5\x08 Obfuscated Arcadyan firmware, >0x6B byte !0 {invalid} signature trailing byte [0x%X],{invalid} # None of the known Arcadyan signatures bytes have a NULL byte >0 byte 0 {invalid} >1 byte 0 {invalid} >2 byte 0 {invalid} >3 byte 0 {invalid} >0 ubelong x signature bytes: 0x%X, >0x70 string !\x00\x00\x00\x00\x00\x00 {invalid} padding bytes{invalid} # Digi firmware images 0xC0 string Digi Digi International firmware, >0xC8 beshort !0x4253 >>0xC8 beshort !0x4950 >>>0xC8 beshort !0x4944 >>>>0xC8 beshort !0x444f >>>>>0xC8 beshort !0x4443 >>>>>>0xC8 beshort !0x4f53 >>>>>>>0xC8 beshort !0x4f43 >>>>>>>>0xC8 beshort !0x4646 >>>>>>>>>0xC8 beshort !0x5350 {invalid}invalid header, >0xD4 ubelong x load address: 0x%.8X, >0xDC ubelong x entry point: 0x%.8X, # Lancom firmware signatures, courtesy of christophvw 0 string ELSF LANCOM firmware header, >22 string x model: "%s", >18 string x firmware version: "%.4s", >12 ubyte 255 Rel, >12 ubyte 253 alpha, >12 ubyte 220 PR, >12 ubyte >0 >>12 ubyte <220 RC%d, >12 ubyte >220 >>12 ubyte-220 <237 RU%d, >12 ubyte 0 dev >17 ubyte >0 >>17 ubyte x build %d #get build date >7 ubyte !63 #date is stored as string >>7 string x ("%.8s") 0 string ELSO LANCOM OEM file 0 string ELSB LANCOM firmware loader, >22 string x model: "%s", >18 string x loader version: "%.4s", 0 string ELSC LANCOM WWAN firmware >4 ubyte 3 >>5 beshort 0 >>7 string x \b, "%s" 0 string ELSP LANCOM file entry >(198.L+202) belong !2 >>(198.L+202) belong !3 {invalid} >202 string @(RECENT_FIRMWARE)/ \b, file name: >>221 string x "%s" >>221 string x \b{name:%s} >(198.L+202) belong 2 >>(198.L+206) belong <1 {invalid} >>(198.L+206) belong x \b, file size: %d bytes >>(198.L+206) belong x \b{size:%d} >(198.L+202) belong 3 >>&4 string @(RECENT_FIRMWARE)/ \b, alias: >>&23 string x "%s" >>(&0.L+4) belong x \b, file size: %d bytes # Another Broadcom firmware header... # The header seems to be always 0x100 bytes length and there is more information than the one displayed (not sure about the meaning). # Used for example in the EchoLife HG556a router 0x0 string \x38\x00\x00\x00 Broadcom firmware header >0x4 string !Broadcom Corporatio {invalid} >0x18 string x %s. >0x8E string x Model: %s. >0xA2 string x Firmware version: %s. # QNAP encrypted firmware 0 string icpnas QNAP encrypted firmware footer >10 string x , model: %s >26 string x , version: %s >42 uleshort !0 >>42 string x , date: %s # Mediatek 0 string SF_BOOT\x00\x00\x00\x00\x00 Mediatek Serial Flash Image >12 lelong <1 {invalid} >12 lelong >1 {invalid} >12 lelong x Version %d 0 string EMMC_BOOT\x00\x00\x00 Mediatek EMMC Flash Image >12 lelong <1 {invalid} >12 lelong >1 {invalid} >12 lelong x Version %d 0 string NOR_BOOT\x00\x00\x00\x00 Mediatek NOR Flash Image >12 lelong <1 {invalid} >12 lelong >1 {invalid} >12 lelong x Version %d 0 string BRLYT\x00\x00\x00 Mediatek Boot Header >8 lelong <1 {invalid} >8 lelong >1 {invalid} >8 lelong x Version %d 0 string BBBB Boot section{overlap} >8 lelong x Start 0x%X >12 lelong x End 0x%X >16 lelong &0x1 Load-by-Bootrom >16 lelong &0x80000000 Internal-RAM >16 lelong &0x7ffffff0 {invalid} 0 string FILE_INFO\x00\x00\x00 Mediatek File Info >12 lelong <1 {invalid} >12 lelong >1 {invalid} >16 leshort 0 File Type: NONE >16 leshort 1 File Type: ARM-Bootloader >16 leshort 2 File Type: ARM-External-Bootloader >16 leshort 10 File Type: Root-Certificate >16 leshort 256 File Type: Primary-MAUI >16 leshort 264 File Type: VIVA >16 leshort 769 File Type: SECURE_RO_ME >18 byte 0 Flash Type: NONE >18 byte 1 Flash Type: NOR Flash >18 byte 2 Flash Type: NAND Sequential Flash >18 byte 3 Flash Type: NAND_TTBL >18 byte 4 Flash Type: NAND_FDM50 >18 byte 5 EMMC-Boot-Region >18 byte 6 EMMC-Data-Region >18 byte 7 Flash Type: Serial Flash >18 byte 255 Flash Type: Device-End >18 byte >20 {invalid} >19 byte 0 No Signature >19 byte 1 Signature Type: PHASH >19 byte 2 Signature Type: SINGLE >19 byte 3 Signature Type: SINGLE and PHASH >19 byte 4 Signature Type: MULTI >19 byte 5 Signature Type: TYPE_NUM >19 byte 255 Signature Type: TYE_END >19 byte >20 {invalid} >20 lelong x Load Address: 0x%X >24 lelong x File Length: %d >28 lelong x Maximum Size: %d >32 lelong x Content Offset: 0x%X >36 lelong x Signature Lenght: %d >40 lelong x Jump Offset: %d >44 lelong &0x1 POST_BUILD_DONE >44 lelong &0x2 XIP (Execute In Place) >44 lelong &0x4 SLT >44 lelong &0xffffff00 {invalid} # Android bootimg # https://android.googlesource.com/platform/system/core.git/+/master/mkbootimg/bootimg.h 0 string ANDROID! Android bootimg >8 ulelong x \b, kernel size: %d bytes >12 ulelong x \b, kernel addr: 0x%X >16 ulelong x \b, ramdisk size: %d bytes >20 ulelong x \b, ramdisk addr: 0x%X >48 string x \b, product name: "%s" # QCDT # https://source.codeaurora.org/quic/la/device/qcom/common/tree/dtbtool?h=LA.BF64.1.2.2_rb4.42 0 string QCDT Qualcomm device tree container >4 ulelong x \b, version: %u >8 ulelong x \b, DTB entries: %u # Nexus BOOTLDR # https://github.com/NVISO-BE/nexus_5_bootloader_unpacker 0 string BOOTLDR! Nexus bootloader image >8 ulelong <1 {invalid} >8 ulelong x \b, num images: %u >12 ulelong x \b, bootldr size: %u # Nexus IMGDATA # https://github.com/bitdomo/imgdata/tree/hammerhead 0 string IMGDATA! Nexus IMGDATA >12 ulelong >100 {invalid} >12 ulelong x \b, entries: %u # Motorola bootlogo container # https://github.com/grub4android/lk/blob/master-uboot/app/aboot/aboot.c#L2710 0 string MotoLogo\x00 Motorola bootlogo container # Motorola RLE bootlogo # https://github.com/grub4android/lk/blob/master-uboot/app/aboot/aboot.c#L2710 0 string MotoRun\x00 Motorola RLE bootlogo >8 ubeshort x \b, width: %u >10 ubeshort x \b, height: %u # Motorola UTAGS # https://github.com/MotorolaMobilityLLC/kernel-msm/blob/marshmallow-6.0.0-release/drivers/misc/utag/utags.c 0 string __UTAG_HEAD__\x00 Motorola UTAGS >32 ulelong x \b, size: %u >36 ulelong x \b, flags: %x >40 ulelong x \b, crc32: %x # Qualcomm splash screen # https://source.codeaurora.org/quic/la/device/qcom/common/tree/display/logo/logo_gen.py?h=LA.BR.1.3.3-06310-8952.0 0 string SPLASH!! Qualcomm splash screen >8 ulelong x \b, width: %u >12 ulelong x \b, height: %u >16 ulelong x \b, type: %u >20 ulelong x \b, blocks: %u # Qualcomm SBL1 0 string \xd1\xdc\x4b\x84\x34\x10\xd7\x73 Qualcomm SBL1 >24 ulelong x \b, image addr: %x >28 ulelong x \b, image size: %u >32 ulelong x \b, code size: %u >40 ulelong x \b, sig size: %u >48 ulelong x \b, cert chain size: %u >52 ulelong x \b, oem_root_cert_sel: %u >56 ulelong x \b, oem_num_root_certs: %u # Intel HEX 0 regex (\:([0-9A-F]{2}){5,}\n)+ Intel HEX data{many}, record type: >7 string 00 data >7 string 01 end of file >7 string 02 extended segment address >7 string 03 start segment address >7 string 04 extended linear address >7 string 05 start linear address >7 ubeshort >0x3035 unknown {invalid} # ATAGs msm nand partition table # https://github.com/roman-yepishev/acer-tools/tree/master/msmptbl 0 ubequad 0x9a1b7daabc487d1f ATAGs msm parition table (msmptbl), >8 lelong >0 version: %X, >>12 lelong >0 number of paritions: %d >8 lelong <0 {invalid} # MCastFS2 (.mcfs) # http://support.aminocom.com/link/portal/1108/1281/Article/1204/Software-for-Aminet-set-top-boxes 0 string \x0E\x00\x4D\x43\x61\x73\x74\x46\x53\x32\x00\x00 Amino MCastFS2 (.mcfs) # Intel microcode package. Might contain more than one, but using only magic # files, it's not fun to detect them. Also, it uses BCD dates, that's why the date format looks weird. # Header version is always 1 0x0 ulelong 1 Intel x86 or x64 microcode, # Signature of the applicable model, cannot be 0. It might be possible to narrow this down a bit. >0x0c ulelong !0 sig 0x%08x, # >0x18 ulelong x pf_mask 0x%02x, # Year >0x09 ubyte >0x20 {invalid} >0x09 ubyte <0x19 {invalid} >0x08 uleshort x %04X- # Month, BCD, test if 0x01 <= month <= 19 >0x0b ubyte 0 {invalid} >0x0b ubyte&0xf0 >0x10 {invalid} >0x0b ubyte&0x0f >0x09 {invalid} >0x0b ubyte x \b%02X- # Day, BCD, test if 0x01 <= day <= 39 >0x0a ubyte&0xf0 >0x30 {invalid} >0x0a ubyte&0x0f >0x09 {invalid} >0x0a ubyte 0 {invalid} >0x0a ubyte x \b%02X, # The revision of the microcode update >0x04 lelong !0 rev 0x%04x, # Total size, useful for extraction? >0x20 ulelong 0 size 2048 {size:2048} >0x20 ulelong !0 size %d {size:%d} # Reserved, always zero as of 2018-09-23 >0x24 ulelong 0 >0x28 ulelong 0 >0x2c ulelong 0 # Flattened device tree # Device Tree specification v0.2 # https://github.com/devicetree-org/devicetree-specification/releases/download/v0.2/devicetree-specification-v0.2.pdf # Device tree magic 0 ubelong 0xd00dfeed Flattened device tree, # Device tree size, may not be less than header size (40) >4 ubelong <40 {invalid} >4 ubelong x size: %d bytes, # Offset of structure block, may not be less than header size (40), must be aligned to 4 byte boundary >8 ubelong <40 {invalid} >8 ubelong&3 !0 {invalid} >8 ubelong !0 # First node of structure block, must be either FDT_BEGIN_NODE (1), FDT_NOP (4) or FDT_END (9) >>(8.L) ubelong !1 >>>(8.L) ubelong !4 >>>>(8.L) ubelong !9 {invalid} >>>>(8.L) ubelong 9 empty device tree, # Offset of strings block, may not be less than header size (40) >12 ubelong <40 {invalid} # Version >20 ubelong x version: %d # Size of strings block, must be greater than 0 >32 ubelong 0 {invalid} # Size of structure block, must be greater than 0 >36 ubelong 0 {invalid} # Toshiba SSD Firmware Update # The version string seems to be at 0xe2f4, but I'm unsure if that offset is fixed 0 string ID\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 Toshiba SSD Firmware Update # bix file # This is just a U-Boot header file with different magic at offset 0. It is # used by at least Zyxel in their GS1900-series switches, but shows up in # firmware for Cisco Sx220 switches as well. 0 ubelong 0x83800000 bix header, header size: 64 bytes, >4 ubelong x header CRC: 0x%X, >8 ubedate x created: %s, >12 belong <1 {invalid} >12 ubelong x image size: %d bytes, >16 ubelong x Data Address: 0x%X, >20 ubelong x Entry Point: 0x%X, >24 ubelong x data CRC: 0x%X, >28 byte 0 OS: {invalid}invalid OS, >28 byte 1 OS: OpenBSD, >28 byte 2 OS: NetBSD, >28 byte 3 OS: FreeBSD, >28 byte 4 OS: 4.4BSD, >28 byte 5 OS: Linux, >28 byte 6 OS: SVR4, >28 byte 7 OS: Esix, >28 byte 8 OS: Solaris, >28 byte 9 OS: Irix, >28 byte 10 OS: SCO, >28 byte 11 OS: Dell, >28 byte 12 OS: NCR, >28 byte 13 OS: LynxOS, >28 byte 14 OS: VxWorks, >28 byte 15 OS: pSOS, >28 byte 16 OS: QNX, >28 byte 17 OS: Firmware, >28 byte 18 OS: RTEMS, >28 byte 19 OS: ARTOS, >28 byte 20 OS: Unity OS, >29 byte 0 CPU: {invalid}invalid CPU, >29 byte 1 CPU: Alpha, >29 byte 2 CPU: ARM, >29 byte 3 CPU: Intel x86, >29 byte 4 CPU: IA64, >29 byte 5 CPU: MIPS, >29 byte 6 CPU: MIPS 64 bit, >29 byte 7 CPU: PowerPC, >29 byte 8 CPU: IBM S390, >29 byte 9 CPU: SuperH, >29 byte 10 CPU: Sparc, >29 byte 11 CPU: Sparc 64 bit, >29 byte 12 CPU: M68K, >29 byte 13 CPU: Nios-32, >29 byte 14 CPU: MicroBlaze, >29 byte 15 CPU: Nios-II, >29 byte 16 CPU: Blackfin, >29 byte 17 CPU: AVR, >29 byte 18 CPU: STMicroelectronics ST200, >30 byte 0 image type: {invalid} Image, >30 byte 1 image type: Standalone Program, >30 byte 2 image type: OS Kernel Image, >30 byte 3 image type: RAMDisk Image, >30 byte 4 image type: Multi-File Image, >30 byte 5 image type: Firmware Image, >30 byte 6 image type: Script file, >30 byte 7 image type: Filesystem Image, >30 byte 8 image type: Binary Flat Device Tree Blob >31 byte 0 compression type: none, >31 byte 1 compression type: gzip, >31 byte 2 compression type: bzip2, >31 byte 3 compression type: lzma, >32 string x image name: "%s" # AUTEL EVO I/II # https://github.com/anthok/autel 0 string "" Autel EVO Upgrade Transfer{overlap}, >16 string "" >28 belong x filename_size: {strlen:%d}%d, >32 belong x >36 string x filename: {string}%s, >(28.L+36) string "" >(28.L+36+15) belong x file_size: %d, >(28.L+36+15+4) belong x