file/magic/Magdir/firmware

#------------------------------------------------------------------------------
# $File: firmware,v 1.17 2025/04/06 18:37:40 christos Exp $
# firmware:  file(1) magic for firmware files
#

# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure
# examples: https://github.com/cweiske/frontier-silicon-firmwares
0	lelong		0x00001176	
>4	lelong		0x7c		Frontier Silicon firmware download
>>8	lelong		x		\b, MeOS version %x
>>12	string/32/T	x		\b, version %s
>>40	string/64/T	x		\b, customization %s

# HPE iLO firmware update image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/
# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images
0               string                  \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00
>16             ubeshort                =0xCFDD         HPE iLO2 firmware update image
>16             ubeshort                =0x6444         HPE iLO1 firmware update image
# iLO3 images (ilo3_*.bin) start directly with image name
0               string                  iLO3\x20v\x20   HPE iLO3 firmware update image,
>7              string                  x               version %s
# iLO4 images (ilo4_*.bin) start with a signature and a certificate
0               string                  --=</Begin\x20HP\x20Signed
>75             string                  label_HPBBatch
>>5828          string                  iLO\x204
>>>5732         string                  HPIMAGE\x00     HPE iLO4 firmware update image,
>>>6947         string                  x               version %s
# iLO5 images (ilo5_*.bin) start with a signature
>75             string                  label_HPE-HPB-BMC-ILO5-4096
>>880           string                  HPIMAGE\x00     HPE iLO5 firmware update image,
>>944           string                  x               version %s

# IBM POWER Secure Boot Container
# from https://github.com/open-power/skiboot/blob/master/libstb/container.h
0	belong	0x17082011	POWER Secure Boot Container,
>4	beshort	x		version %u
>6	bequad	x		container size %llu
# These are always zero
# >14	bequad	x		target HRMOR %llx
# >22	bequad  x		stack pointer %llx
>4096	ustring \xFD7zXZ\x00    XZ compressed
0	belong	0x1bad1bad	POWER boot firmware
>256	belong	0x48002030	(PHYP entry point)

# ARM Cortex-M vector table
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties
# Match stack MSB
3		byte			0x20
# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match)
>4		ulelong&0xE0000001	1
>>8		ulelong&0xE0000001	1
>>>12		ulelong&0xE0000001	1
>>>>44		ulelong&0xE0000001	1
>>>>>56		ulelong&0xE0000001	1
# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF)
>>>>>>28	ulelong+1		<2
>>>>>>>32	ulelong+1		<2
>>>>>>>>36	ulelong+1		<2
>>>>>>>>>40	ulelong+1		<2
>>>>>>>>>>52	ulelong+1		<2	ARM Cortex-M firmware
>>>>>>>>>>>0	ulelong			>0	\b, initial SP at 0x%08x
>>>>>>>>>>>4	ulelong^1		x	\b, reset at 0x%08x
>>>>>>>>>>>8	ulelong^1		x	\b, NMI at 0x%08x
>>>>>>>>>>>12	ulelong^1		x	\b, HardFault at 0x%08x
>>>>>>>>>>>44	ulelong^1		x	\b, SVCall at 0x%08x
>>>>>>>>>>>56	ulelong^1		x	\b, PendSV at 0x%08x

# ESP-IDF partition table entry
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h
0	string		\xAA\x50
>2	ubyte		<2		ESP-IDF partition table entry
>>12	string/16	x		\b, label: "%s"
>>2	ubyte		0
>>>3	ubyte		0x00		\b, factory app
>>>3	ubyte		0x10		\b, OTA_0 app
>>>3	ubyte		0x11		\b, OTA_1 app
>>>3	ubyte		0x12		\b, OTA_2 app
>>>3	ubyte		0x13		\b, OTA_3 app
>>>3	ubyte		0x14		\b, OTA_4 app
>>>3	ubyte		0x15		\b, OTA_5 app
>>>3	ubyte		0x16		\b, OTA_6 app
>>>3	ubyte		0x17		\b, OTA_7 app
>>>3	ubyte		0x18		\b, OTA_8 app
>>>3	ubyte		0x19		\b, OTA_9 app
>>>3	ubyte		0x1A		\b, OTA_10 app
>>>3	ubyte		0x1B		\b, OTA_11 app
>>>3	ubyte		0x1C		\b, OTA_12 app
>>>3	ubyte		0x1D		\b, OTA_13 app
>>>3	ubyte		0x1E		\b, OTA_14 app
>>>3	ubyte		0x1F		\b, OTA_15 app
>>>3	ubyte		0x20		\b, test app
>>2	ubyte		1
>>>3	ubyte		0x00		\b, OTA selection data
>>>3	ubyte		0x01		\b, PHY init data
>>>3	ubyte		0x02		\b, NVS data
>>>3	ubyte		0x03		\b, coredump data
>>>3	ubyte		0x04		\b, NVS keys
>>>3	ubyte		0x05		\b, emulated eFuse data
>>>3	ubyte		0x06		\b, undefined data
>>>3	ubyte		0x80		\b, ESPHTTPD partition
>>>3	ubyte		0x81		\b, FAT partition
>>>3	ubyte		0x82		\b, SPIFFS partition
>>>3	ubyte		0xFF		\b, any data
>>4	ulelong		x		\b, offset: 0x%X
>>8	ulelong		x		\b, size: 0x%X
>>28	ulelong&0x1	1		\b, encrypted

# ESP-IDF application image
# From: A. Iooss <aiooss@crans.org>
# Update:	Joerg Jenderek
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h
# Reference:	https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/app_image_format.html
# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t
# 	First segment contains esp_app_desc_t
# ESP_IMAGE_HEADER_MAGIC at the beginning of esp_image_header_t structure
0	ubyte		0xE9
# display ESP-IDF application image (strength=40=40+0) before DOS executable with 16bit JuMP (strength=40) handled by ./msdos
#!:strength	+0
# ESP_APP_DESC_MAGIC_WORD; magic for the esp_app_desc_t structure
>32	ulelong		0xABCD5432	ESP-IDF application image
#!:mime	application/octet-stream
!:mime	application/x-espressif-bin
!:ext	bin
>>12	uleshort	0x0000		for ESP32
>>12	uleshort	0x0002		for ESP32-S2
>>12	uleshort	0x0005		for ESP32-C3
>>12	uleshort	0x0009		for ESP32-S3
>>12	uleshort	0x000A		for ESP32-H2 Beta1
>>12	uleshort	0x000C		for ESP32-C2
>>12	uleshort	0x000D		for ESP32-C6
>>12	uleshort	0x000E		for ESP32-H2 Beta2
>>12	uleshort	0x0010		for ESP32-H2
>>80	byte		!0
>>>80	string/32	x		\b, project name: "%s"
>>48	byte		!0
>>>48	string/32	x		\b, version %s
>>128	string/16	x		\b, compiled on %s
>>>112	string/16	x		%s
>>144	string/32	x		\b, IDF version: %s
>>4	ulelong		x		\b, entry address: 0x%08X

# ESP8266/ESP32 firmware image
# Note: contain partition table entries and ESP-IDF application image
# From: A. Iooss <aiooss@crans.org>
# Reference: https://docs.espressif.com/projects/esptool/en/latest/esp32/advanced-topics/firmware-image-format.html
0	byte		0xE9
>2	byte		<4
>>7	byte		0x40		ESP firmware image
# ESP8266 does not have Extended File Header
>>>12	uleshort	0x0000		for ESP32
>>>12	uleshort	0x0002		for ESP32-S2
>>>12	uleshort	0x0005		for ESP32-C3
>>>12	uleshort	0x0009		for ESP32-S3
>>>12	uleshort	0x000A		for ESP32-H2 Beta1
>>>12	uleshort	0x000C		for ESP32-C2
>>>12	uleshort	0x000D		for ESP32-C6
>>>12	uleshort	0x000E		for ESP32-H2 Beta2
>>>12	uleshort	0x0010		for ESP32-H2
>>>4	ulelong		x		\b, entry point 0x%08X

# AVR firmware
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://microchipdeveloper.com/8avr:int
# Match 4-byte JMP for Reset, Int0-2, PcInt0-3 and WDT
0		uleshort&0xFE0E	0x940C
>4		uleshort&0xFE0E	0x940C
>>8		uleshort&0XFE0E	0x940C
>>>12		uleshort&0XFE0E	0x940C
>>>>16		uleshort&0XFE0E	0x940C
>>>>>20		uleshort&0XFE0E	0x940C
>>>>>>24	uleshort&0XFE0E	0x940C
>>>>>>>28	uleshort&0XFE0E	0x940C
>>>>>>>>32	uleshort&0XFE0E	0x940C	AVR firmware
# Handle only 16-bit addressing
>>>>>>>>>0	uleshort	0x940C
>>>>>>>>>>2	uleshort	x	\b, reset at 0x%04x
# Match 2-byte RJMP for Reset, Int0-2, PcInt0-3 and WDT for smaller AVR
1		byte&0xF0	0xC0
>3		byte&0xF0	0xC0
>>5		byte&0xF0	0xC0
>>>7		byte&0xF0	0xC0
>>>>9		byte&0xF0	0xC0
>>>>>11		byte&0xF0	0xC0
>>>>>>13	byte&0xF0	0xC0
>>>>>>>15	byte&0xF0	0xC0
>>>>>>>>17	byte&0xF0	0xC0	AVR firmware
>>>>>>>>>0	uleshort&0x0FFF	x	\b, reset at 0x%04x

# Summary:	Intel HEXadecimal file format
# URL:		https://en.wikipedia.org/wiki/Intel_HEX
# Reference:	http://www.piclist.com/techref/fileext/hex/intel.htm
#		http://mark0.net/download/triddefs_xml.7z/defs/h/hex-intel.trid.xml
# From:		Joerg Jenderek
# Note:		called "Intel Hexadecimal object format" by TrID, "Intel(R) hexadecimal object file" on Linux
#		and "Intel HEX binary data" by Notepad++
# look for start code; 1 character, an ASCII colon ':'; all characters preceding this symbol should be ignored
0	ubyte		0x3A
# check for valid record type string with range 00 - 05 (3030h - 3035h)
>&6	ubeshort&0xFFf8	=0x3030
# check for valid record length string like: 02 04 08 10h 20h 03 (usbdload.hex usbdldv2.hex from Windows Vista)
#>>1	string		x		LENGTH_STRING=%0.2s
#>>1	ubeshort	x		LENGTH=%#4.4x
>>&-8	ubeshort&0xFCf0	=0x3030
>>>0	use		intel-hex
#	display information (offset, record length and type) of Intel HEX
0	name		intel-hex
# RECORD MARK
>0	ubyte		x		Intel hexadecimal object
#!:mime	text/plain
!:mime	text/x-hex
!:ext	hex
# no samples with other suffix found
# .hex .mcs .int .ihex .ihe .ihx .h80 .h86 .a43 .a90 .obj .obl .obh .rom .eep
# .hxl-.hxh .h00-.h15 .p00-.pff
# RECLEN; 2 hex digits for number of bytes in 1st data field; like 0x02 0x03 0x04 0x08 0x10 0x20; maximum 255
>1	string		x		\b, 0x%2.2s record length
# OFFSET; 4 hex digits for 1st 16-bit memory offset of data like: 0000 (often) 1C00h 1E00h 3800h 3E00h 76EDh 7800h 7E00h ...
>3	string		x		\b, 0x%4.4s offset
# RECTYP; 2 hex digits (00 - 05); meaning of 1st data field; 00~DataRecord (often) 0l~EndOfFileRecord 02~ExtendedSegmentAddressRecord 03~StartSegmentAddressRecord 04~ExtendedLinearAddressRecord 05~StartLinearAddressRecord
>7	string		x		\b, '%2.2s' type
# DATA; n bytes of 1st data represented by 2n hex digits followed by 1 byte checksum
>9	string		x		\b, data+checksum %s
# last record :00000001FF with RECLEN 0, OFFSET 0, record type 01 for EndOfFile and 1 checksum byte FF
# samples with CarriageReturnLineFeed terminator
>-2	ubeshort	=0x0d0a
# This should not happen!
>>-13	string		!:00000001FF	\b, last line %s
>-2	ubeshort	!0x0d0a
# samples with LineFeed terminator
>>-1	ubyte		=0x0a
# This should not happen!
>>>-12	string		!:00000001FF	\b, last line %s

# Raspberry Pi RP2040 firmware
# From: Alexandre Iooss <erdnaxe@crans.org>
# Note: RP2040 flash image starts with stage2 bootloader, then a vector table.
# URL: https://github.com/raspberrypi/pico-sdk/tree/1.5.1/src/rp2_common/boot_stage2
# boot2_*.S code (_stage2_boot)
0		ulelong			0x4B32B500
>4		ulelong			0x60582021
>>8		ulelong			0x21026898
# exit_from_boot2.S code (check_return) `pop {r0}; cmp r0, #0`
>>>148		ulelong			0x2800bc01
# Cortex-M vector table with reserved section filled with a default interrupt address
>>>>259		byte			0x20
# make sure required vector table entries are ARM Thumb and in flash
>>>>>260	ulelong&0xE0000001	1
>>>>>>264	ulelong&0xE0000001	1
>>>>>>>268	ulelong&0xE0000001	1
>>>>>>>>300	ulelong&0xE0000001	1
>>>>>>>>>312	ulelong&0xE0000001	1		Raspberry Pi RP2040 firmware
>>>>>>>>>>256	ulelong			>0		\b, initial SP at 0x%08x
>>>>>>>>>>260	ulelong^1		x		\b, reset at 0x%08x
>>>>>>>>>>264	ulelong^1		x		\b, NMI at 0x%08x
>>>>>>>>>>268	ulelong^1		x		\b, HardFault at 0x%08x
>>>>>>>>>>300	ulelong^1		x		\b, SVCall at 0x%08x
>>>>>>>>>>312	ulelong^1		x		\b, PendSV at 0x%08x
# optional binary_info in the first 256 bytes, used by picotool
# https://github.com/raspberrypi/pico-sdk/blob/master/src/common/pico_binary_info/include/pico/binary_info/defs.h
>>>>>>>>>>256	search/256		\xf2\xeb\x88\x71	\b, with binary_info

# Silicon Labs Gecko Bootloader update image
# From: Alexandre Iooss <erdnaxe@crans.org>
# Reference: https://github.com/raboof/gbl
#            https://github.com/dsyx/emberznet-doc
# Note: TLV always starting with tag 0x03A617EB of length 8
0	ulelong		0x03A617EB
>4	ulelong		8		Silicon Labs Gecko bootloader update image
!:ext	gbl
>>12	byte		1		\b, encrypted (AES-CTR-128)
>>13	byte		1		\b, signed (ECDSA-P256)
# If not encrypted, indicate first image type
>>16	ulelong		0xF40A0AF4	\b, application image
>>16	ulelong		0xF50909F5	\b, bootloader image

# Silicon Labs Gecko Bootloader OTA update with Zigbee EmberZNet SDK
# URL: https://github.com/SiliconLabs/gecko_sdk
0	ulelong		0x0BEEF11E
>6	ulelong		0x38		Silicon Labs Gecko EmberZNet OTA image
!:ext	ota/zigbee
>>4	ubeshort	x		v%d

# Device Firmware Upgrade with ST STMicroelectronics extensions
# From: Alexandre Iooss <erdnaxe@crans.org>
# Reference: STMicroelectronics note UM0391
# Reference: https://dfu-util.sourceforge.net/dfuse.html
# DFU prefix
0	string		DfuSe\x01	DFU image (STM variant)
!:ext	dfu
>6	ulelong		x		\b, size: %d bytes
# DFU suffix, specification 0x011A
>-10	string		\x1A\x01UFD
>>-12	uleshort	x		\b, for device %04X:
>>-14	uleshort	x		\b%04X

# Allwinner eGON Boot Image
# Reference: https://linux-sunxi.org/EGON

0	name	egon-details
# ARM b instruction
>0	ulelong&0xff000000	0xea000000	(ARM)
# RISC-V jal instruction
>0	ulelong&0x00000fff	0x0000006f	(RISC-V)
>16	ulelong	x	\b, size %u

4	string	eGON.BT0	Allwinner eGON.BT0 Boot Image
>0	use	egon-details

4	string	eGON.BT1	Allwinner eGON.BT1 Boot Image
>0	use	egon-details

# Allwinner TOC0 Boot Image
# Reference: https://linux-sunxi.org/TOC0
0	name	toc0-item
>0	ulelong	0x010101	certificate
>0	ulelong	0x010202	firmware
>0	ulelong	0x010303	key
>4	ulelong	x	(offset 0x%x
>8	ulelong	x	\b, size 0x%x)

8	ulelong	0x89119800	Allwinner TOC0 Boot Image
>24	ulelong	x	with %u items
# each item is 32 bytes
# item 0
>24	ulelong	>0	\b:
>>48	use	toc0-item
# item 1
>24	ulelong	>1	\b,
>>80	use	toc0-item
# item 2
>24	ulelong	>2	\b,
>>112	use	toc0-item
# item 3
>24	ulelong	>3	\b,
>>144	use	toc0-item
# item 4
>24	ulelong	>4	\b,
>>176	use	toc0-item
# item 5+
>24	ulelong	>5	\b, ...

# Allwinner TOC1 Boot Image
# Reference: https://lore.kernel.org/all/20211015040811.56856-2-samuel@sholland.org/T/
0	name	toc1-item
>0	string/64/T	x	%s
>64	ulelong	x	(offset 0x%x
>68	ulelong	x	\b, size 0x%x)

16	ulelong	0x89119800	Allwinner TOC1 Boot Image
>0	string/16/T	>\0	(name "%s")
>32	ulelong	x	with %u items
# each item is 368 bytes
# item 0
>32	ulelong	>0	\b:
>>64	use	toc1-item
# item 1
>32	ulelong	>1	\b,
>>432	use	toc1-item
# item 2
>32	ulelong	>2	\b,
>>800	use	toc1-item
# item 3
>32	ulelong	>3	\b,
>>1168	use	toc1-item
# item 4
>32	ulelong	>4	\b,
>>1536	use	toc1-item
# item 5+
>32	ulelong	>5	\b, ...

# https://github.com/o-gs/dji-firmware-tools/blob/master/dji_imah_fwsig.py#L404
0	string		IM*H	DJI firmware update
>40	string/4	>\0	(auth %s,
>44	string/4	>\0	enc %s)
>44	string/4	=\0	no enc)

# NXP i.MX RT firmware image
# From: A. Iooss <aiooss@crans.org>
# Reference: Table 8-2 in MCU_Flashloader_Reference_Manual.pdf
# URL: https://github.com/tock/tock/blob/master/boards/teensy40/layout.ld
# Image starts with a NOR FlexSPI Configuration Block (FCB) of 3kB or 4kB
0		string			FCFB
>7		string			V		NXP i.MX RT bootable image
!:ext		bin
>>6		byte			x		\b, version %d
>>5		byte			x		\b.%d
>>4		byte			x		\b.%d
# then a Image Vector Table of 4kB
>>3072		ulelong&0xFCFFFFFF	0x402000D1
>>>7168		use			flexspi-fw
>>4096		ulelong&0xFDFFFFFF	0x402000D1
>>>5120		use			flexspi-fw
>>4096		ulelong&0xFDFFFFFF	0x412000D1
>>>8192		use			flexspi-fw
# then maybe a ARM Cortex-M program, but with vector table pointing to peripheral memory
0		name			flexspi-fw
>3		byte			0x20
>>4		ulelong&1		1
>>>8		ulelong&1		1
>>>>12		ulelong&1		1
>>>>>44		ulelong&1		1
>>>>>>56	ulelong&1		1		\b, ARM Cortex-M
>>>>>>>0	ulelong			>0		\b, initial SP at 0x%08x
>>>>>>>4	ulelong^1		x		\b, reset at 0x%08x
>>>>>>>8	ulelong^1		x		\b, NMI at 0x%08x
>>>>>>>12	ulelong^1		x		\b, HardFault at 0x%08x
>>>>>>>44	ulelong^1		x		\b, SVCall at 0x%08x
>>>>>>>56	ulelong^1		x		\b, PendSV at 0x%08x