#--------------------------Firmware Formats---------------------------
# uImage file
# From: Craig Heffner, U-Boot image.h header definitions file
0 belong 0x27051956 uImage header, header size: 64 bytes,
>4 belong x header CRC: 0x%X,
>8 bedate x created: %s,
>12 belong <1 invalid
>12 belong x image size: %d bytes,
>16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X,
#>28 byte x OS type: %d,
>28 byte 0 OS: invalid OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
>28 byte 4 OS: 4.4BSD,
>28 byte 5 OS: Linux,
>28 byte 6 OS: SVR4,
>28 byte 7 OS: Esix,
>28 byte 8 OS: Solaris,
>28 byte 9 OS: Irix,
>28 byte 10 OS: SCO,
>28 byte 11 OS: Dell,
>28 byte 12 OS: NCR,
>28 byte 13 OS: LynxOS,
>28 byte 14 OS: VxWorks,
>28 byte 15 OS: pSOS,
>28 byte 16 OS: QNX,
>28 byte 17 OS: Firmware,
>28 byte 18 OS: RTEMS,
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
#>29 byte x CPU arch: %d,
>29 byte 0 CPU: invalid OS,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
>29 byte 4 CPU: IA64,
>29 byte 5 CPU: MIPS,
>29 byte 6 CPU: MIPS 64 bit,
>29 byte 7 CPU: PowerPC,
>29 byte 8 CPU: IBM S390,
>29 byte 9 CPU: SuperH,
>29 byte 10 CPU: Sparc,
>29 byte 11 CPU: Sparc 64 bit,
>29 byte 12 CPU: M68K,
>29 byte 13 CPU: Nios-32,
>29 byte 14 CPU: MicroBlaze,
>29 byte 15 CPU: Nios-II,
>29 byte 16 CPU: Blackfin,
>29 byte 17 CPU: AVR,
>29 byte 18 CPU: STMicroelectronics ST200,
#>30 byte x image type: %d,
>30 byte 0 image type: invalid Image,
>30 byte 1 image type: Standalone Program,
>30 byte 2 image type: OS Kernel Image,
>30 byte 3 image type: RAMDisk Image,
>30 byte 4 image type: Multi-File Image,
>30 byte 5 image type: Firmware Image,
>30 byte 6 image type: Script file,
>30 byte 7 image type: Filesystem Image,
>30 byte 8 image type: Binary Flat Device Tree Blob
#>31 byte x compression type: %d,
>31 byte 0 compression type: none,
>31 byte 1 compression type: gzip,
>31 byte 2 compression type: bzip2,
>31 byte 3 compression type: lzma,
>32 string x image name: "%s"
#IMG0 header, found in VxWorks-based Mercury router firmware
0 string IMG0 IMG0 (VxWorks) header,
>4 belong <1 invalid
>4 belong x size: %d
#Mediatek bootloader signature
#From xp-dev.com
0 string BOOTLOADER! Mediatek bootloader
#CSYS header formats
0 string CSYS\x00 CSYS header, little endian,
>8 lelong x size: %d
0 string CSYS\x80 CSYS header, big endian,
>8 belong x size: %d
# wrgg firmware image
0 string wrgg02 WRGG firmware header,
>6 string x name: "%s",
>48 string x root device: "%s"
# trx image file
0 string HDR0 TRX firmware header, little endian, header size: 28 bytes,
>4 lelong <1 invalid
>4 lelong x image size: %d bytes,
>8 lelong x CRC32: 0x%X
>12 leshort x flags: 0x%X,
>14 leshort >5 invalid
>14 leshort x version: %d
0 string 0RDH TRX firmware header, big endian, header size: 28 bytes,
>4 belong <1 invalid
>4 belong x image size: %d bytes,
>8 belong x CRC32: 0x%X
>12 beshort x flags: 0x%X,
>14 beshort >5 invalid
>14 beshort x version: %d
# Ubicom firmware image
0 belong 0xFA320080 Ubicom firmware header,
>12 belong x checksum: 0x%X,
>24 belong <0 invalid
>24 belong x image size: %d
# The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one.
# Netgear KWGR614 ROME image
0 string G614 Realtek firmware header, ROME bootloader,
>4 beshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
#month
>10 byte x created: %d/
#day
>12 byte x \b%d/
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22 byte x body checksum: 0x%X,
>23 byte x header checksum: 0x%X
# Linksys WRT54GX ROME image
0 belong 0x59a0e842 Realtek firmware header, ROME bootloader,
>4 beshort 0xd92f image type: KFS,
>4 beshort 0xb162 image type: RDIR,
>4 beshort 0xea43 image type: BOOT,
>4 beshort 0x8dc9 image type: RUN,
>4 beshort 0x2a05 image type: CCFG,
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
#month
>10 byte x created: %d/
#day
>12 byte x \b%d/
#year
>8 beshort x \b%d,
>16 belong x image size: %d bytes,
>22 byte x body checksum: 0x%X,
>23 byte x header checksum: 0x%X
# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0 string --PaCkImGs-- PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16 lelong >0x20000000
>>16 belong >0x20000000 invalid
>16 lelong <0
>>16 belong <0 invalid
>16 lelong >0
>>16 lelong x little endian size: %d bytes;
>16 belong >0
>>16 belong x big endian size: %d bytes
#------------------------------------------------------------------------------
# Broadcom header format
#
0 string BCRM Broadcom header,
>4 lelong <0 invalid
>4 lelong x number of sections: %d,
>>8 lelong 18 first section type: flash
>>8 lelong 19 first section type: disk
>>8 lelong 21 first section type: tag
# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint
0 string Ck0\0\0R\0\0\0 BLCR
>16 lelong 1 x86
>16 lelong 3 alpha
>16 lelong 5 x86-64
>16 lelong 7 ARM
>8 lelong x context data (little endian, version %d)
0 string \0\0\0C\0\0\0R BLCR
>16 belong 2 SPARC
>16 belong 4 ppc
>16 belong 6 ppc64
>16 belong 7 ARMEB
>16 belong 8 SPARC64
>8 belong x context data (big endian, version %d)
# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\x20Startup\x20and Aculab VoIP firmware
>35 string x format "%s"
#------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file
0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware
# From Albert Cahalan <acahalan@gmail.com>
# really le32 operation,destination,payloadsize (but quite predictable)
# 01 00 00 00 00 00 00 c0 00 02 00 00
0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware
#---------------------------------------------------------------------------
# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a
# lead Sun/Cobalt developer) who agrees that they are good and worthy of
# inclusion.
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom
>38 string x V%.4s
# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it.
0 string CRfs COBALT boot rom data (Flat boot rom or file system)
#
# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de>
# Useless until forther improvements can be made to the signature.
#0 string S0 Motorola S-Record; binary data in text format
# --------------------------------
# Microsoft Xbox data file formats
0 string XIP0 XIP, Microsoft Xbox data
0 string XTF0 XTF, Microsoft Xbox data
#Windows CE Binary Image Data Format aka B000FF
#More information on the format:
#http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167
0 string B000FF B000FF Windows CE image header,
>7 lelong x Image start: 0x%X,
>11 lelong x Image length: %d
#Windows CE RomImage
0 string \x00ECEC Windows CE memory segment header, {offset-adjust:-63}
>4 lelong x TOC address: 0x%X
# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0 belong x load address 0x%X,
>3 byte <0x7F rom image type:
>>3 byte <1 invalid,
>>3 byte >7 invalid,
>>3 byte 1 ROMIMG,
>>3 byte 2 ROMBOOT,
>>3 byte 3 BOOTEXT,
>>3 byte 4 ROMBIN,
>>3 byte 5 ROMDIR,
>>3 byte 6 6,
>>3 byte 7 ROMMAP,
>3 byte >0x7F ram image type:
>>3 byte >0x82 invalid,
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
>4 belong >0x40000000 invalid
>4 belong <0 invalid
>4 belong 0 invalid
>4 belong x uncompressed size: %d,
>8 belong >0x40000000 invalid
>8 belong <0 invalid
>8 belong 0 invalid
>8 belong x compressed size: %d,
>14 beshort x uncompressed checksum: 0x%X,
>16 beshort x compressed checksum: 0x%X,
>12 byte x flags: 0x%X,
>12 byte &0x40 uncompressed checksum is valid,
>12 byte &0x80 the binary is compressed,
>>12 byte &0x20 compressed checksum is valid,
>35 belong x memory map table address: 0x%X
# Firmware header used by some VxWorks-based Cisco products
0 string CI032.00 Cisco VxWorks firmware header,
>8 lelong >1024 invalid
>8 lelong <0 invalid
>8 lelong x header size: %d bytes,
>32 lelong >1024 invalid
>32 lelong <0 invalid
>32 lelong x number of files: %d,
>48 lelong <0 invalid
>48 lelong x image size: %d,
>64 string x firmware version: "%s"
# Simple VxWorks reference strings
#0 string VxWorks VxWorks string referece:
#>0 string x "%s"
#0 string vxworks VxWorks string referece:
#>0 string x "%s"
#0 string VXWORKS VxWorks string referece:
#>0 string x "%s"
# Firmware header used by some TV's
0 string FNIB ZBOOT firmware header, header size: 32 bytes,
>8 lelong x load address: 0x%.8X,
>12 lelong x start address: 0x%.8X,
>16 lelong x checksum: 0x%.8X,
>20 lelong x version: 0x%.8X,
>24 lelong <1 invalid
>24 lelong x image size: %d bytes
# Firmware header used by several D-Link routers (and probably others)
0 string \x5e\xa3\xa4\x17 DLOB firmware header,
>(7.b+12) string !\x5e\xa3\xa4\x17 invalid,
#>>12 string x %s,
>(7.b+40) string x boot partition: "%s"
# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
0 string TP-LINK\x20Technologies TP-Link firmware header,{offset-adjust:-4}
#>-4 lelong x header version: %d,
>0x94 beshort x firmware version: %d.
>0x96 beshort x \b%d.
>0x98 beshort x \b%d,
>0x18 string x image version: "%s",
#>0x74 belong x image size: %d bytes,
>0x3C belong x product ID: 0x%X,
>0x40 belong x product version: %d,
>0x70 belong x kernel load address: 0x%X,
>0x74 belong x kernel entry point: 0x%X,
>0x7C belong x kernel offset: %d,
>0x80 belong x kernel length: %d,
>0x84 belong x rootfs offset: %d,
>0x88 belong x rootfs length: %d,
>0x8C belong x bootloader offset: %d,
>0x90 belong x bootloader length: %d
# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256,
>4 string !Broadcom
>>4 string !\x20\x20\x20\x20 invalid
>41 beshort !0x2020
>>41 beshort !0x0000
>>>41 string x firmware version: "%.4s",
>45 beshort !0x0202
>>45 beshort !0x0000
>>>45 string x board id: "%s",
>236 belong x ~CRC32 header checksum: 0x%X,
>216 belong x ~CRC32 data checksum: 0x%X
# Xerox MFP DLM signatures
0 string %%XRXbegin Xerox DLM firmware start of header
0 string %%OID_ATT_DLM_NAME Xerox DLM firmware name:
>19 string x "%s"
0 string %%OID_ATT_DLM_VERSION Xerox DLM firmware version:
>22 string x "%s"
0 string %%XRXend Xerox DLM firmware end of header
# Generic copyright signature
0 string Copyright Copyright string:
>9 byte 0 invalid
>9 string x "%s
>40 string x \b%s"
# Sercomm firmware header
0 string sErCoMm Sercomm firmware signature,
>7 leshort x version control: %d,
>9 leshort x download control: %d,
>11 string x hardware ID: "%s",
>44 leshort x hardware version: 0x%X,
>58 leshort x firmware version: 0x%X,
>60 leshort x starting code segment: 0x%X,
>62 leshort x code size: 0x%X
# NPK firmware header, used by Mikrotik
0 belong 0x1EF1D0BA NPK firmware header,
>4 lelong <0 invalid
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s
>(48.l+121) string x \b%s"
# Ubiquiti firmware signatures
0 string UBNT Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 invalid,
>0x104 belong x ~CRC32: 0x%X,
>4 byte 0 invalid,
>4 string x version: "%s"
0 string GEOS Ubiquiti firmware header, header size: 264 bytes,
>0x108 belong !0 invalid,
>0x104 belong x ~CRC32: 0x%X,
>4 byte 0 invalid,
>4 string x version: "%s"
0 string OPEN Ubiquiti firmware header, third party,
>0x108 belong !0 invalid,
>0x104 belong x ~CRC32: 0x%X,
>4 byte 0 invalid,
>4 string x version: "%s"
0 string \x00\x00\x00\x00PART Ubiquiti partition header,{offset-adjust:4}
>0 byte x header size: 56 bytes,
>8 byte 0 invalid
>8 string x name: "%s",
>44 belong x base address: 0x%.8X,
>52 belong x data size: %d bytes
>52 belong x {file-size:%d}
0 string \x00\x00\x00\x00END\x2e Ubiquiti end header, header size: 12 bytes,{offset-adjust:4}
>12 belong !0 invalid,
>8 belong x cumulative ~CRC32: 0x%.8X
# Found in DIR-100 firmware
0 string AIH0N AIH0N firmware header, header size: 48,
>12 belong x size: %d,
>8 belong !0 executable code,
>>8 belong x load address: 0x%X,
>32 string x version: "%s"
0 belong 0x5EA3A417 SEAMA firmware header, big endian,
>6 beshort x meta size: %d,
>8 belong <1 invalid
>8 belong x size: %d
0 lelong 0x5EA3A417 SEAMA firmware header, little endian,
>6 leshort x meta size: %d,
>8 lelong <1 invalid
>8 lelong x size: %d
0 belong 0x4D544443 NSP firmware header, big endian,
>16 belong <1 invalid
>16 belong x header size: %d,
>20 belong <1 invalid
>20 belong x image size: %d,
>20 belong x {file-size:%d}
>4 belong <1 invalid
>4 belong x kernel offset: %d,
>12 belong <1 invalid
>12 belong x header version: %d,
0 lelong 0x4D544443 NSP firmware header, little endian,
>16 lelong <1 invalid
>16 lelong x header size: %d,
>20 lelong <1 invalid
>20 lelong x image size: %d,
>20 lelong x {file-size:%d}
>4 lelong <1 invalid
>4 lelong x kernel offset: %d,
>12 lelong <1 invalid
>12 lelong x header version: %d,
# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0 string WizFwPkgl Beyonwiz firmware header,
>20 string x version: "%s"
0 string BLI223WJ0 Thompson/Alcatel encoded firmware,
>32 byte x version: %d.
>33 byte x \b%d.
>34 byte x \b%d.
>35 byte x \b%d,
>44 belong x size: %d,
>48 belong x crc: 0x%.8X,
>35 byte x try decryption tool from:
>35 byte x http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/
0 string \xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf UEFI PI firmware volume{offset-adjust:-16}
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0 string ANDROID\040BACKUP\n Android Backup
>15 string 1\n \b, version 1
>17 string 0\n \b, uncompressed
>17 string 1\n \b, compressed
>19 string none\n \b, unencrypted
>19 string AES-256\n \b, encrypted AES-256
# http://forum.xda-developers.com/showthread.php?p=47818657
0 string imgARMcC Roku aimage SB{offset-adjust:-8}
# Boot ROM images for Sun/Cobalt Linux server appliances
0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged Sun/COBALT boot rom,
>38 string x version: "%.4s"
# Simple eCos string signatures
0 string ecos eCos RTOS string reference:
>0 string x "%s"
0 string eCos eCos RTOS string reference:
>0 string x "%s"
0 string ECOS eCos RTOS string reference:
>0 string x "%s"
# ZyXEL config signatures
0 string dbgarea ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d,
>18 beshort x data offset from start of block: {math:16+%d}
0 string spt.dat ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d,
>18 beshort x data offset from start of block: {math:16+%d}
0 string autoexec.net ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16 beshort x compressed size: %d,
>14 beshort x uncompressed size: %d,
>18 beshort x data offset from start of block: {math:16+%d}
# Obfuscated Arcadyan firmware, used on the WRT120N
0 belong 0x04010920 Obfuscated Arcadyan firmware (WRT120N?),
>0x68 belong !0x00D50800 invalid
>0x68 belong 0x00D50800 see https://github.com/devttys0/wrt120n