1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
#--------------------------Firmware Formats---------------------------
# uImage file
# From: Craig Heffner, U-Boot image.h header definitions file
0 belong 0x27051956 uImage header, header size: 64 bytes,
>4 belong x header CRC: 0x%X,
>8 bedate x created: %s,
>12 belong x image size: %d bytes,
>16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X,
#>28 byte x OS type: %d,
>28 byte 0 OS: invalid OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
>28 byte 4 OS: 4.4BSD,
>28 byte 5 OS: Linux,
>28 byte 6 OS: SVR4,
>28 byte 7 OS: Esix,
>28 byte 8 OS: Solaris,
>28 byte 9 OS: Irix,
>28 byte 10 OS: SCO,
>28 byte 11 OS: Dell,
>28 byte 12 OS: NCR,
>28 byte 13 OS: LynxOS,
>28 byte 14 OS: VxWorks,
>28 byte 15 OS: pSOS,
>28 byte 16 OS: QNX,
>28 byte 17 OS: Firmware,
>28 byte 18 OS: RTEMS,
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
#>29 byte x CPU arch: %d,
>29 byte 0 CPU: invalid OS,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
>29 byte 4 CPU: IA64,
>29 byte 5 CPU: MIPS,
>29 byte 6 CPU: MIPS 64 bit,
>29 byte 7 CPU: PowerPC,
>29 byte 8 CPU: IBM S390,
>29 byte 9 CPU: SuperH,
>29 byte 10 CPU: Sparc,
>29 byte 11 CPU: Sparc 64 bit,
>29 byte 12 CPU: M68K,
>29 byte 13 CPU: Nios-32,
>29 byte 14 CPU: MicroBlaze,
>29 byte 15 CPU: Nios-II,
>29 byte 16 CPU: Blackfin,
>29 byte 17 CPU: AVR,
>29 byte 18 CPU: STMicroelectronics ST200,
#>30 byte x image type: %d,
>30 byte 0 image type: invalid Image,
>30 byte 1 image type: Standalone Program,
>30 byte 2 image type: OS Kernel Image,
>30 byte 3 image type: RAMDisk Image,
>30 byte 4 image type: Multi-File Image,
>30 byte 5 image type: Firmware Image,
>30 byte 6 image type: Script file,
>30 byte 7 image type: Filesystem Image,
>30 byte 8 image type: Binary Flat Device Tree Blob
#>31 byte x compression type: %d,
>31 byte 0 compression type: none,
>31 byte 1 compression type: gzip,
>31 byte 2 compression type: bzip2,
>31 byte 3 compression type: lzma,
>32 string x image name: "%s"
#IMG0 header, found in VxWorks-based Mercury router firmware
0 string IMG0 IMG0 (VxWorks) header,
>4 belong x size: %d
#Mediatek bootloader signature
#From xp-dev.com
0 string BOOTLOADER! Mediatek bootloader
#CSYS header formats
0 string CSYS\x00 CSYS header, little endian,
>8 lelong x size: %d
0 string CSYS\x80 CSYS header, big endian,
>8 belong x size: %d
# wrgg firmware image
0 string wrgg02 WRGG firmware header,
>6 string x name: "%s",
>48 string x root device: "%s"
# trx image file
0 string HDR0 TRX firmware header, little endian, header size: 28 bytes,
>4 lelong <1 invalid
>4 lelong x image size: %d bytes,
>8 lelong x CRC32: 0x%X
>12 leshort x flags: 0x%X,
>14 leshort x version: %d
0 string 0RDH TRX firmware header, big endian, header size: 28 bytes,
>4 belong <1 invalid
>4 belong x image size: %d bytes,
>8 belong x CRC32: 0x%X
>12 beshort x flags: 0x%X,
>14 beshort x version: %d
# Ubicom firmware image
0 belong 0xFA320080 Ubicom firmware header,
>12 belong x checksum: 0x%X,
>24 belong <0 invalid
>24 belong x image size: %d
# The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one.
# Netgear KWGR614 ROME image
0 string G614 Realtek firmware header (ROME bootloader),
>4 beshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
#month
>10 byte x created: %d/
#day
>12 byte x \b%d/
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22 byte x body checksum: 0x%X,
>23 byte x header checksum: 0x%X
# Linksys WRT54GX ROME image
0 belong 0x59a0e842 Realtek firmware header (ROME bootloader)
>4 beshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
#month
>10 byte x created: %d/
#day
>12 byte x \b%d/
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22 byte x body checksum: 0x%X,
>23 byte x header checksum: 0x%X
# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0 string --PaCkImGs-- PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16 lelong >0x20000000
>>16 belong >0x20000000 invalid
>16 lelong <0
>>16 belong <0 invalid
>16 lelong >0
>>16 lelong x little endian size: %d bytes;
>16 belong >0
>>16 belong x big endian size: %d bytes
#------------------------------------------------------------------------------
# Broadcom header format
#
0 string BCRM Broadcom header,
>4 lelong <0 invalid
>4 lelong x number of sections: %d,
>>8 lelong 18 first section type: flash
>>8 lelong 19 first section type: disk
>>8 lelong 21 first section type: tag
# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint
0 string Ck0\0\0R\0\0\0 BLCR
>16 lelong 1 x86
>16 lelong 3 alpha
>16 lelong 5 x86-64
>16 lelong 7 ARM
>8 lelong x context data (little endian, version %d)
0 string \0\0\0C\0\0\0R BLCR
>16 belong 2 SPARC
>16 belong 4 ppc
>16 belong 6 ppc64
>16 belong 7 ARMEB
>16 belong 8 SPARC64
>8 belong x context data (big endian, version %d)
# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\x20Startup\x20and Aculab VoIP firmware
>35 string x format "%s"
#------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file
0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware
# From Albert Cahalan <acahalan@gmail.com>
# really le32 operation,destination,payloadsize (but quite predictable)
# 01 00 00 00 00 00 00 c0 00 02 00 00
0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware
#---------------------------------------------------------------------------
# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a
# lead Sun/Cobalt developer) who agrees that they are good and worthy of
# inclusion.
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom
>38 string x V%.4s
# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it.
0 string CRfs COBALT boot rom data (Flat boot rom or file system)
#
# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de>
# Useless until forther improvements can be made to the signature.
#0 string S0 Motorola S-Record; binary data in text format
# --------------------------------
# Microsoft Xbox data file formats
0 string XIP0 XIP, Microsoft Xbox data
0 string XTF0 XTF, Microsoft Xbox data
#Windows CE
0 string CECE Windows CE RTOS{offset-adjust:-64}
# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0 belong x load address 0x%X,
>3 byte <0x7F rom image type:
>>3 byte <1 invalid,
>>3 byte >7 invalid,
>>3 byte 1 ROMIMG,
>>3 byte 2 ROMBOOT,
>>3 byte 3 BOOTEXT,
>>3 byte 4 ROMBIN,
>>3 byte 5 ROMDIR,
>>3 byte 6 6,
>>3 byte 7 ROMMAP,
>3 byte >0x7F ram image type:
>>3 byte >0x82 invalid,
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
>4 belong >0x40000000 invalid
>4 belong <0 invalid
>4 belong 0 invalid
>4 belong x uncompressed size: %d,
>8 belong >0x40000000 invalid
>8 belong <0 invalid
>8 belong 0 invalid
>8 belong x compressed size: %d,
>14 beshort x uncompressed checksum: 0x%X,
>16 beshort x compressed checksum: 0x%X,
>12 byte x flags: 0x%X,
>12 byte &0x40 uncompressed checksum is valid,
>12 byte &0x80 the binary is compressed,
>>12 byte &0x20 compressed checksum is valid,
>35 belong x memory map table address: 0x%X
# Firmware header used by some VxWorks-based Cisco products
0 string CI032.00 Cisco VxWorks firmware header,
>8 lelong >1024 invalid
>8 lelong <0 invalid
>8 lelong x header size: %d bytes,
>32 lelong >1024 invalid
>32 lelong <0 invalid
>32 lelong x number of files: %d,
>48 lelong <0 invalid
>48 lelong x image size: %d,
>64 string x firmware version: "%s"
# Firmware header used by some TV's
0 string FNIB ZBOOT firmware header, header size: 32 bytes,
>8 lelong x load address: 0x%.8X,
>12 lelong x start address: 0x%.8X,
>16 lelong x checksum: 0x%.8X,
>20 lelong x version: 0x%.8X,
>24 lelong <1 invalid
>24 lelong x image size: %d bytes
# Firmware header used by several D-Link routers (and probably others)
0 string \x5e\xa3\xa4\x17 DLOB firmware header,
>(7.b+12) string !\x5e\xa3\xa4\x17 invalid,
#>>12 string x %s,
>(7.b+40) string x boot partition: "%s"
# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
0 string TP-LINK\x20Technologies TP-Link firmware header,{offset-adjust:-4}
#>-4 lelong x header version: %d,
>0x94 beshort x firmware version: %d.
>0x96 beshort x \b%d.
>0x98 beshort x \b%d,
>0x18 string x image version: "%s",
#>0x74 belong x image size: %d bytes,
>0x3C belong x product ID: 0x%X,
>0x40 belong x product version: %d,
>0x70 belong x kernel load address: 0x%X,
>0x74 belong x kernel entry point: 0x%X,
>0x7C belong x kernel offset: %d,
>0x80 belong x kernel length: %d,
>0x84 belong x rootfs offset: %d,
>0x88 belong x rootfs length: %d,
>0x8C belong x bootloader offset: %d,
>0x90 belong x bootloader length: %d
# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256,
>4 string !Broadcom
>>4 string !\x20\x20\x20\x20 invalid
>41 beshort !0x2020
>>41 beshort !0x0000
>>>41 string x firmware version: "%.4s",
>45 beshort !0x0202
>>45 beshort !0x0000
>>>45 string x board id: "%s",
>236 belong x ~CRC32 header checksum: 0x%X,
>216 belong x ~CRC32 data checksum: 0x%X
# Xerox MFP DLM signatures
0 string %%XRXbegin Xerox DLM firmware start of header
0 string %%OID_ATT_DLM_NAME Xerox DLM firmware name:
>19 string x "%s"
0 string %%OID_ATT_DLM_VERSION Xerox DLM firmware version:
>22 string x "%s"
0 string %%XRXend Xerox DLM firmware end of header
# Generic copyright signature
0 string Copyright Copyright string:
>9 byte 0 invalid
>9 string x "%s
>40 string x \b%s"
# Sercomm firmware header
0 string sErCoMm Sercomm firmware signature,
>7 leshort x version control: %d,
>9 leshort x download control: %d,
>11 string x hardware ID: "%s",
>44 leshort x hardware version: 0x%X,
>58 leshort x firmware version: 0x%X,
>60 leshort x starting code segment: 0x%X,
>62 leshort x code size: 0x%X
# NPK firmware header, used by Mikrotik
0 belong 0x1EF1D0BA NPK firmware header,
>4 lelong <0 invalid
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s
>(48.l+121) string x \b%s"
# Ubiquiti firmware signatures
0 string UBNT Ubiquiti firmware header,
>0x104 belong x ~CRC32: 0x%X,
>4 string x version: "%s"
0 string GEOS Ubiquiti firmware header,
>0x104 belong x ~CRC32: 0x%X,
>4 string x version: "%s"
# Too many false positives...
#0 string OPEN Ubiquiti firmware header, third party,
#>0x104 belong x ~CRC32: 0x%X,
#>4 string x version: "%s"
0 string PARTkernel Ubiquiti firmware kernel partition
0 string PARTcramfs Ubiquiti firmware CramFS partition
0 string PARTrootfs Ubiquiti firmware rootfs partition
# Found in DIR-100 firmware
0 string AIH0N AIH0N firmware header, header size: 48,
>12 belong x size: %d,
>8 belong !0 executable code,
>>8 belong x load address: 0x%X,
>32 string x version: "%s"
0 belong 0x5EA3A417 SEAMA firmware header, big endian,
>6 beshort x meta size: %d,
>8 belong x size: %d
0 lelong 0x5EA3A417 SEAMA firmware header, little endian,
>6 leshort x meta size: %d,
>8 lelong x size: %d
0 belong 0x4D544443 NSP firmware header, big endian,
>16 belong x header size: %d,
>20 belong x image size: %d,
>4 belong x kernel offset: %d,
>12 belong x header version: %d,
0 lelong 0x4D544443 NSP firmware header, little endian,
>16 lelong x header size: %d,
>20 lelong x image size: %d,
>4 lelong x kernel offset: %d,
>12 lelong x header version: %d,
# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0 string WizFwPkgl Beyonwiz firmware header,
>20 string x version: "%s"
0 string BLI223WJ0 Thompson/Alcatel encoded firmware,
>32 byte x version: %d.
>33 byte x \b%d.
>34 byte x \b%d.
>35 byte x \b%d,
>44 belong x size: %d,
>48 belong x crc: 0x%.8X,
>35 byte x try decryption tool from:
>35 byte x http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
0 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume{offset-adjust:-16}
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0 string ANDROID\040BACKUP\n Android Backup
>15 string 1\n \b, version 1
>17 string 0\n \b, uncompressed
>17 string 1\n \b, compressed
>19 string none\n \b, unencrypted
>19 string AES-256\n \b, encrypted AES-256