1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
|
#------------------------------------------------------------------------------
# $File: firmware,v 1.13 2024/09/04 19:04:03 christos Exp $
# firmware: file(1) magic for firmware files
#
# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure
# examples: https://github.com/cweiske/frontier-silicon-firmwares
0 lelong 0x00001176
>4 lelong 0x7c Frontier Silicon firmware download
>>8 lelong x \b, MeOS version %x
>>12 string/32/T x \b, version %s
>>40 string/64/T x \b, customization %s
# HPE iLO firmware update image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/
# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images
0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00
>16 ubeshort =0xCFDD HPE iLO2 firmware update image
>16 ubeshort =0x6444 HPE iLO1 firmware update image
# iLO3 images (ilo3_*.bin) start directly with image name
0 string iLO3\x20v\x20 HPE iLO3 firmware update image,
>7 string x version %s
# iLO4 images (ilo4_*.bin) start with a signature and a certificate
0 string --=</Begin\x20HP\x20Signed
>75 string label_HPBBatch
>>5828 string iLO\x204
>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image,
>>>6947 string x version %s
# iLO5 images (ilo5_*.bin) start with a signature
>75 string label_HPE-HPB-BMC-ILO5-4096
>>880 string HPIMAGE\x00 HPE iLO5 firmware update image,
>>944 string x version %s
# IBM POWER Secure Boot Container
# from https://github.com/open-power/skiboot/blob/master/libstb/container.h
0 belong 0x17082011 POWER Secure Boot Container,
>4 beshort x version %u
>6 bequad x container size %llu
# These are always zero
# >14 bequad x target HRMOR %llx
# >22 bequad x stack pointer %llx
>4096 ustring \xFD7zXZ\x00 XZ compressed
0 belong 0x1bad1bad POWER boot firmware
>256 belong 0x48002030 (PHYP entry point)
# ARM Cortex-M vector table
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties
# Match stack MSB
3 byte 0x20
# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match)
>4 ulelong&0xE0000001 1
>>8 ulelong&0xE0000001 1
>>>12 ulelong&0xE0000001 1
>>>>44 ulelong&0xE0000001 1
>>>>>56 ulelong&0xE0000001 1
# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF)
>>>>>>28 ulelong+1 <2
>>>>>>>32 ulelong+1 <2
>>>>>>>>36 ulelong+1 <2
>>>>>>>>>40 ulelong+1 <2
>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware
>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x
>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x
>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x
>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x
>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x
>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x
# ESP-IDF partition table entry
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h
0 string \xAA\x50
>2 ubyte <2 ESP-IDF partition table entry
>>12 string/16 x \b, label: "%s"
>>2 ubyte 0
>>>3 ubyte 0x00 \b, factory app
>>>3 ubyte 0x10 \b, OTA_0 app
>>>3 ubyte 0x11 \b, OTA_1 app
>>>3 ubyte 0x12 \b, OTA_2 app
>>>3 ubyte 0x13 \b, OTA_3 app
>>>3 ubyte 0x14 \b, OTA_4 app
>>>3 ubyte 0x15 \b, OTA_5 app
>>>3 ubyte 0x16 \b, OTA_6 app
>>>3 ubyte 0x17 \b, OTA_7 app
>>>3 ubyte 0x18 \b, OTA_8 app
>>>3 ubyte 0x19 \b, OTA_9 app
>>>3 ubyte 0x1A \b, OTA_10 app
>>>3 ubyte 0x1B \b, OTA_11 app
>>>3 ubyte 0x1C \b, OTA_12 app
>>>3 ubyte 0x1D \b, OTA_13 app
>>>3 ubyte 0x1E \b, OTA_14 app
>>>3 ubyte 0x1F \b, OTA_15 app
>>>3 ubyte 0x20 \b, test app
>>2 ubyte 1
>>>3 ubyte 0x00 \b, OTA selection data
>>>3 ubyte 0x01 \b, PHY init data
>>>3 ubyte 0x02 \b, NVS data
>>>3 ubyte 0x03 \b, coredump data
>>>3 ubyte 0x04 \b, NVS keys
>>>3 ubyte 0x05 \b, emulated eFuse data
>>>3 ubyte 0x06 \b, undefined data
>>>3 ubyte 0x80 \b, ESPHTTPD partition
>>>3 ubyte 0x81 \b, FAT partition
>>>3 ubyte 0x82 \b, SPIFFS partition
>>>3 ubyte 0xFF \b, any data
>>4 ulelong x \b, offset: 0x%X
>>8 ulelong x \b, size: 0x%X
>>28 ulelong&0x1 1 \b, encrypted
# ESP-IDF application image
# From: Alexandre Iooss <erdnaxe@crans.org>
# Update: Joerg Jenderek
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h
# Reference: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/app_image_format.html
# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t
# First segment contains esp_app_desc_t
# ESP_IMAGE_HEADER_MAGIC at the beginning of esp_image_header_t structure
0 ubyte 0xE9
# display ESP-IDF application image (strength=40=40+0) before DOS executable with 16bit JuMP (strength=40) handled by ./msdos
#!:strength +0
# ESP_APP_DESC_MAGIC_WORD; magic for the esp_app_desc_t structure
>32 ulelong 0xABCD5432 ESP-IDF application image
#!:mime application/octet-stream
!:mime application/x-espressif-bin
!:ext bin
>>12 uleshort 0x0000 for ESP32
>>12 uleshort 0x0002 for ESP32-S2
>>12 uleshort 0x0005 for ESP32-C3
>>12 uleshort 0x0009 for ESP32-S3
>>12 uleshort 0x000A for ESP32-H2 Beta1
>>12 uleshort 0x000C for ESP32-C2
>>12 uleshort 0x000D for ESP32-C6
>>12 uleshort 0x000E for ESP32-H2 Beta2
>>12 uleshort 0x0010 for ESP32-H2
>>80 string/32 x \b, project name: "%s"
>>48 string/32 x \b, version %s
>>128 string/16 x \b, compiled on %s
>>>112 string/16 x %s
>>144 string/32 x \b, IDF version: %s
>>4 ulelong x \b, entry address: 0x%08X
# AVR firmware
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://microchipdeveloper.com/8avr:int
# Match 4-byte JMP for Reset, Int0-2, PcInt0-3 and WDT
0 uleshort&0xFE0E 0x940C
>4 uleshort&0xFE0E 0x940C
>>8 uleshort&0XFE0E 0x940C
>>>12 uleshort&0XFE0E 0x940C
>>>>16 uleshort&0XFE0E 0x940C
>>>>>20 uleshort&0XFE0E 0x940C
>>>>>>24 uleshort&0XFE0E 0x940C
>>>>>>>28 uleshort&0XFE0E 0x940C
>>>>>>>>32 uleshort&0XFE0E 0x940C AVR firmware
# Handle only 16-bit addressing
>>>>>>>>>0 uleshort 0x940C
>>>>>>>>>>2 uleshort x \b, reset at 0x%04x
# Match 2-byte RJMP for Reset, Int0-2, PcInt0-3 and WDT for smaller AVR
1 byte&0xF0 0xC0
>3 byte&0xF0 0xC0
>>5 byte&0xF0 0xC0
>>>7 byte&0xF0 0xC0
>>>>9 byte&0xF0 0xC0
>>>>>11 byte&0xF0 0xC0
>>>>>>13 byte&0xF0 0xC0
>>>>>>>15 byte&0xF0 0xC0
>>>>>>>>17 byte&0xF0 0xC0 AVR firmware
>>>>>>>>>0 uleshort&0x0FFF x \b, reset at 0x%04x
# Summary: Intel HEXadecimal file format
# URL: https://en.wikipedia.org/wiki/Intel_HEX
# Reference: http://www.piclist.com/techref/fileext/hex/intel.htm
# http://mark0.net/download/triddefs_xml.7z/defs/h/hex-intel.trid.xml
# From: Joerg Jenderek
# Note: called "Intel Hexadecimal object format" by TrID, "Intel® hexadecimal object file" on Linux
# and "Intel HEX binary data" by Notepad++
# look for start code; 1 character, an ASCII colon ':'; all characters preceding this symbol should be ignored
0 ubyte 0x3A
# check for valid record type string with range 00 - 05 (3030h - 3035h)
>&6 ubeshort&0xFFf8 =0x3030
# check for valid record length string like: 02 04 08 10h 20h 03 (usbdload.hex usbdldv2.hex from Windows Vista)
#>>1 string x LENGTH_STRING=%0.2s
#>>1 ubeshort x LENGTH=%#4.4x
>>&-8 ubeshort&0xFCf0 =0x3030
>>>0 use intel-hex
# display information (offset, record length and type) of Intel HEX
0 name intel-hex
# RECORD MARK
>0 ubyte x Intel hexadecimal object
#!:mime text/plain
!:mime text/x-hex
!:ext hex
# no samples with other suffix found
# .hex .mcs .int .ihex .ihe .ihx .h80 .h86 .a43 .a90 .obj .obl .obh .rom .eep
# .hxl-.hxh .h00-.h15 .p00-.pff
# RECLEN; 2 hex digits for number of bytes in 1st data field; like 0x02 0x03 0x04 0x08 0x10 0x20; maximum 255
>1 string x \b, 0x%2.2s record length
# OFFSET; 4 hex digits for 1st 16-bit memory offset of data like: 0000 (often) 1C00h 1E00h 3800h 3E00h 76EDh 7800h 7E00h ...
>3 string x \b, 0x%4.4s offset
# RECTYP; 2 hex digits (00 - 05); meaning of 1st data field; 00~DataRecord (often) 0l~EndOfFileRecord 02~ExtendedSegmentAddressRecord 03~StartSegmentAddressRecord 04~ExtendedLinearAddressRecord 05~StartLinearAddressRecord
>7 string x \b, '%2.2s' type
# DATA; n bytes of 1st data represented by 2n hex digits followed by 1 byte checksum
>9 string x \b, data+checksum %s
# last record :00000001FF with RECLEN 0, OFFSET 0, record type 01 for EndOfFile and 1 checksum byte FF
# samples with CarriageReturnLineFeed terminator
>-2 ubeshort =0x0d0a
# This should not happen!
>>-13 string !:00000001FF \b, last line %s
>-2 ubeshort !0x0d0a
# samples with LineFeed terminator
>>-1 ubyte =0x0a
# This should not happen!
>>>-12 string !:00000001FF \b, last line %s
# Raspberry Pi RP2040 firmware
# From: Alexandre Iooss <erdnaxe@crans.org>
# Note: RP2040 flash image starts with stage2 bootloader, then a vector table.
# URL: https://github.com/raspberrypi/pico-sdk/tree/1.5.1/src/rp2_common/boot_stage2
# boot2_*.S code (_stage2_boot)
0 ulelong 0x4B32B500
>4 ulelong 0x60582021
>>8 ulelong 0x21026898
# exit_from_boot2.S code (check_return) `pop {r0}; cmp r0, #0`
>>>148 ulelong 0x2800bc01
# Cortex-M vector table with reserved section filled with a default interrupt address
>>>>259 byte 0x20
# make sure required vector table entries are ARM Thumb and in flash
>>>>>260 ulelong&0xE0000001 1
>>>>>>264 ulelong&0xE0000001 1
>>>>>>>268 ulelong&0xE0000001 1
>>>>>>>>300 ulelong&0xE0000001 1
>>>>>>>>>312 ulelong&0xE0000001 1 Raspberry Pi RP2040 firmware
>>>>>>>>>>256 ulelong >0 \b, initial SP at 0x%08x
>>>>>>>>>>260 ulelong^1 x \b, reset at 0x%08x
>>>>>>>>>>264 ulelong^1 x \b, NMI at 0x%08x
>>>>>>>>>>268 ulelong^1 x \b, HardFault at 0x%08x
>>>>>>>>>>300 ulelong^1 x \b, SVCall at 0x%08x
>>>>>>>>>>312 ulelong^1 x \b, PendSV at 0x%08x
# optional binary_info in the first 256 bytes, used by picotool
# https://github.com/raspberrypi/pico-sdk/blob/master/src/common/pico_binary_info/include/pico/binary_info/defs.h
>>>>>>>>>>256 search/256 \xf2\xeb\x88\x71 \b, with binary_info
# Silicon Labs Gecko Bootloader update image
# From: Alexandre Iooss <erdnaxe@crans.org>
# Reference: https://github.com/raboof/gbl
# https://github.com/dsyx/emberznet-doc
# Note: TLV always starting with tag 0x03A617EB of length 8
0 ulelong 0x03A617EB
>4 ulelong 8 Silicon Labs Gecko bootloader update image
!:ext gbl
>>12 byte 1 \b, encrypted (AES-CTR-128)
>>13 byte 1 \b, signed (ECDSA-P256)
# If not encrypted, indicate first image type
>>16 ulelong 0xF40A0AF4 \b, application image
>>16 ulelong 0xF50909F5 \b, bootloader image
# Silicon Labs Gecko Bootloader OTA update with Zigbee EmberZNet SDK
# URL: https://github.com/SiliconLabs/gecko_sdk
0 ulelong 0x0BEEF11E
>6 ulelong 0x38 Silicon Labs Gecko EmberZNet OTA image
!:ext ota/zigbee
>>4 ubeshort x v%d
# Device Firmware Upgrade with ST STMicroelectronics extensions
# From: Alexandre Iooss <erdnaxe@crans.org>
# Reference: STMicroelectronics note UM0391
# Reference: https://dfu-util.sourceforge.net/dfuse.html
# DFU prefix
0 string DfuSe\x01 DFU image (STM variant)
!:ext dfu
>6 ulelong x \b, size: %d bytes
# DFU suffix, specification 0x011A
>-10 string \x1A\x01UFD
>>-12 uleshort x \b, for device %04X:
>>-14 uleshort x \b%04X
|
