#--------------------------Firmware Formats---------------------------

# uImage file     
# From: Craig Heffner, U-Boot image.h header definitions file
0	belong	0x27051956	uImage header, header size: 64 bytes,
>4	belong	x		header CRC: 0x%X,
>8	bedate	x		created: %s,
>12 belong  <1      invalid
>12	belong	x		image size: %d bytes,
>16	belong	x		Data Address: 0x%X,
>20	belong	x		Entry Point: 0x%X,
>24	belong	x		data CRC: 0x%X,
#>28	byte	x		OS type: %d,
>28	byte	0		OS: invalid OS,
>28	byte	1		OS: OpenBSD,
>28	byte	2		OS: NetBSD,
>28	byte	3		OS: FreeBSD,
>28	byte	4		OS: 4.4BSD,
>28	byte	5		OS: Linux,
>28	byte	6		OS: SVR4,
>28	byte	7		OS: Esix,
>28	byte	8		OS: Solaris,
>28	byte	9		OS: Irix,
>28	byte	10		OS: SCO,
>28	byte	11		OS: Dell,
>28	byte	12		OS: NCR,
>28	byte	13		OS: LynxOS,
>28	byte	14		OS: VxWorks,
>28	byte	15		OS: pSOS,
>28	byte	16		OS: QNX,
>28	byte	17		OS: Firmware,
>28	byte	18		OS: RTEMS,
>28	byte	19		OS: ARTOS,
>28	byte	20		OS: Unity OS,
#>29	byte	x		CPU arch: %d,
>29	byte	0		CPU: invalid OS,
>29	byte	1		CPU: Alpha,
>29	byte	2		CPU: ARM,
>29	byte	3		CPU: Intel x86,
>29	byte	4		CPU: IA64,
>29	byte	5		CPU: MIPS,
>29	byte	6		CPU: MIPS 64 bit,
>29	byte	7		CPU: PowerPC,
>29	byte	8		CPU: IBM S390,
>29	byte	9		CPU: SuperH,
>29	byte	10		CPU: Sparc,
>29	byte	11		CPU: Sparc 64 bit,
>29	byte	12		CPU: M68K,
>29	byte	13		CPU: Nios-32,
>29	byte	14		CPU: MicroBlaze,
>29	byte	15		CPU: Nios-II,
>29	byte	16		CPU: Blackfin,
>29	byte	17		CPU: AVR,
>29	byte	18		CPU: STMicroelectronics ST200,
#>30	byte	x		image type: %d,
>30	byte	0		image type: invalid Image,
>30	byte	1		image type: Standalone Program,
>30	byte	2		image type: OS Kernel Image,
>30	byte 	3		image type: RAMDisk Image,
>30	byte	4		image type: Multi-File Image,
>30	byte	5		image type: Firmware Image,
>30	byte	6		image type: Script file,
>30	byte	7		image type: Filesystem Image,
>30	byte	8		image type: Binary Flat Device Tree Blob
#>31	byte	x		compression type: %d,
>31	byte	0		compression type: none,
>31	byte	1		compression type: gzip,
>31	byte	2		compression type: bzip2,
>31	byte	3		compression type: lzma,
>32	string	x		image name: "%s"

#IMG0 header, found in VxWorks-based Mercury router firmware
0	string		IMG0	IMG0 (VxWorks) header,
>4	belong		<1		invalid
>4	belong		x		size: %d

#Mediatek bootloader signature
#From xp-dev.com
0	string		BOOTLOADER!	Mediatek bootloader

#CSYS header formats
0	string		CSYS\x00	CSYS header, little endian, 
>8	lelong		x			size: %d

0	string		CSYS\x80	CSYS header, big endian,
>8	belong		x			size: %d

# wrgg firmware image
0	string		wrgg02	WRGG firmware header,
>6	string		x		name: "%s",
>48	string		x		root device: "%s"

# trx image file
0	string		HDR0	TRX firmware header, little endian, header size: 28 bytes,
>4	lelong		<1		invalid
>4	lelong		x		image size: %d bytes,
>8	lelong		x		CRC32: 0x%X
>12	leshort		x		flags: 0x%X,
>14	leshort		>5		invalid
>14	leshort		x		version: %d

0	string		0RDH	TRX firmware header, big endian, header size: 28 bytes,
>4	belong		<1		invalid
>4	belong		x		image size: %d bytes,
>8	belong		x		CRC32: 0x%X
>12	beshort		x		flags: 0x%X,
>14	beshort		>5		invalid
>14	beshort		x		version: %d


# Ubicom firmware image
0	belong	0xFA320080	Ubicom firmware header,
>12	belong	x			checksum: 0x%X,
>24	belong	<0			invalid
>24	belong	x			image size: %d

# The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one.

# Netgear KWGR614 ROME image
0	string		G614		Realtek firmware header, ROME bootloader,
>4	beshort		0xd92f		image type: KFS,
>4	beshort		0xb162		image type: RDIR,
>4	beshort		0xea43		image type: BOOT,
>4	beshort		0x8dc9		image type: RUN,
>4	beshort		0x2a05		image type: CCFG,
>4	beshort		0x6ce8		image type: DCFG,
>4	beshort		0xc371		image type: LOG,
>6	byte		x		header version: %d,
#month
>10	byte		x		created: %d/
#day	
>12	byte 		x		\b%d/
#year
>8	beshort		x		\b%d,
>16	belong		x		image size: %d bytes,
>22	byte		x		body checksum: 0x%X,
>23	byte		x		header checksum: 0x%X

# Linksys WRT54GX ROME image
0		belong			0x59a0e842		Realtek firmware header, ROME bootloader,
>4      beshort         0xd92f          image type: KFS,
>4      beshort         0xb162          image type: RDIR,
>4      beshort         0xea43          image type: BOOT,
>4      beshort         0x8dc9          image type: RUN,
>4      beshort         0x2a05          image type: CCFG,
>4      beshort         0x6ce8          image type: DCFG,
>4      beshort         0xc371          image type: LOG,
>6      byte            x               header version: %d,
#month
>10     byte            x               created: %d/
#day    
>12     byte            x               \b%d/
#year
>8      beshort         x               \b%d,
>16     belong          x               image size: %d bytes,
>22     byte            x               body checksum: 0x%X,
>23     byte            x               header checksum: 0x%X

# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0	string		--PaCkImGs--	PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16	lelong		>0x20000000
>>16	belong		>0x20000000	invalid
>16	lelong		<0
>>16	belong		<0		invalid
>16	lelong		>0
>>16	lelong		x		little endian size: %d bytes;
>16	belong		>0		
>>16	belong		x		big endian size: %d bytes


#------------------------------------------------------------------------------
# Broadcom header format
#
0       string          BCRM            Broadcom header,
>4	lelong		<0		invalid
>4      lelong          x               number of sections: %d,
>>8     lelong          18              first section type: flash
>>8     lelong          19              first section type: disk
>>8     lelong          21              first section type: tag


# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint
0       string  Ck0\0\0R\0\0\0  BLCR
>16     lelong  1       x86
>16     lelong  3       alpha
>16     lelong  5       x86-64
>16     lelong  7       ARM
>8      lelong  x       context data (little endian, version %d)

0       string  \0\0\0C\0\0\0R  BLCR
>16     belong  2       SPARC
>16     belong  4       ppc
>16     belong  6       ppc64
>16     belong  7       ARMEB
>16     belong  8       SPARC64
>8      belong  x       context data (big endian, version %d)

# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0       string  VoIP\x20Startup\x20and      Aculab VoIP firmware
>35     string  x       format "%s"

#------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file
0       string  \xbe\xefABCDEFGH        HP LaserJet 1000 series downloadable firmware

# From Albert Cahalan <acahalan@gmail.com>
# really le32 operation,destination,payloadsize (but quite predictable)
# 01 00 00 00 00 00 00 c0 00 02 00 00
0       string          \1\0\0\0\0\0\0\300\0\2\0\0      Marvell Libertas firmware

#---------------------------------------------------------------------------
# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a
# lead Sun/Cobalt developer) who agrees that they are good and worthy of
# inclusion.

# Boot ROM images for Sun/Cobalt Linux server appliances
0       string  Cobalt\x20Networks\x20Inc.\nFirmware\x20v     Paged COBALT boot rom
>38     string x        V%.4s

# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it.
0       string CRfs     COBALT boot rom data (Flat boot rom or file system)

#
# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de>
# Useless until forther improvements can be made to the signature.
#0   string      S0          Motorola S-Record; binary data in text format

# --------------------------------
# Microsoft Xbox data file formats
0       string          XIP0            XIP, Microsoft Xbox data
0       string          XTF0            XTF, Microsoft Xbox data

#Windows CE Binary Image Data Format aka B000FF
#More information on the format:
#http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167
0	string	B000FF	B000FF Windows CE image header,
>7	lelong	x	Image start: 0x%X,
>11	lelong	x	Image length: %d


#Windows CE RomImage
0    string    \x00ECEC     Windows CE memory segment header, {offset-adjust:-63}
>4	lelong	x	TOC address: 0x%X


# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
0	string		SIG		ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0	belong		x		load address 0x%X,
>3	byte		<0x7F		rom image type:
>>3	byte		<1		invalid,
>>3	byte		>7		invalid,
>>3	byte		1		ROMIMG,
>>3	byte		2		ROMBOOT,
>>3	byte		3		BOOTEXT,
>>3	byte		4		ROMBIN,
>>3	byte		5		ROMDIR,
>>3	byte		6		6,
>>3	byte		7		ROMMAP,
>3	byte		>0x7F		ram image type:
>>3	byte		>0x82		invalid,
>>3	byte		0x80		RAM,
>>3	byte		0x81		RAMCODE,
>>3	byte		0x82		RAMBOOT,
>4	belong		>0x40000000	invalid
>4	belong		<0		invalid
>4	belong		0		invalid
>4	belong		x		uncompressed size: %d,
>8	belong		>0x40000000	invalid
>8	belong		<0		invalid
>8	belong		0  		invalid
>8	belong		x		compressed size: %d,
>14	beshort		x		uncompressed checksum: 0x%X,
>16	beshort		x		compressed checksum: 0x%X,
>12	byte		x		flags: 0x%X,
>12	byte		&0x40		uncompressed checksum is valid,
>12	byte		&0x80		the binary is compressed,
>>12	byte		&0x20		compressed checksum is valid,
>35	belong		x		memory map table address: 0x%X

# Firmware header used by some VxWorks-based Cisco products
0	string		CI032.00	Cisco VxWorks firmware header,
>8	lelong		>1024		invalid
>8	lelong		<0		invalid
>8	lelong		x		header size: %d bytes,
>32	lelong		>1024		invalid
>32	lelong		<0		invalid
>32	lelong		x		number of files: %d,
>48	lelong		<0		invalid
>48	lelong		x		image size: %d,
>64	string		x		firmware version: "%s"

# Simple VxWorks reference strings
#0	string		VxWorks		VxWorks string referece:
#>0	string		x			"%s"
#0	string		vxworks		VxWorks string referece:
#>0	string		x			"%s"
#0	string		VXWORKS		VxWorks string referece:
#>0	string		x			"%s"

# Firmware header used by some TV's
0	string		FNIB		ZBOOT firmware header, header size: 32 bytes,
>8	lelong		x		load address: 0x%.8X,
>12	lelong		x		start address: 0x%.8X,
>16	lelong		x		checksum: 0x%.8X,
>20	lelong		x		version: 0x%.8X,
>24	lelong		<1		invalid
>24	lelong		x		image size: %d bytes

# Firmware header used by several D-Link routers (and probably others)
0               string  \x5e\xa3\xa4\x17	DLOB firmware header,
>(7.b+12)       string  !\x5e\xa3\xa4\x17       invalid,
#>>12           string  x                       %s,
>(7.b+40)       string  x                       boot partition: "%s"

# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
0	string          TP-LINK\x20Technologies		TP-Link firmware header,{offset-adjust:-4}
#>-4	lelong          x               		header version: %d,
>0x94  	beshort         x               		firmware version: %d.
>0x96  	beshort         x               		\b%d.
>0x98  	beshort         x               		\b%d,
>0x18  	string          x               		image version: "%s",
#>0x74  belong          x               		image size: %d bytes,
>0x3C  	belong          x               		product ID: 0x%X,
>0x40  	belong          x               		product version: %d,
>0x70  	belong          x               		kernel load address: 0x%X,
>0x74  	belong          x               		kernel entry point: 0x%X,
>0x7C  	belong          x               		kernel offset: %d,
>0x80  	belong          x               		kernel length: %d,
>0x84  	belong          x               		rootfs offset: %d,
>0x88  	belong          x               		rootfs length: %d,
>0x8C  	belong          x               		bootloader offset: %d,
>0x90  	belong          x               		bootloader length: %d

# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0	string		\x36\x00\x00\x00		Broadcom 96345 firmware header, header size: 256,
>4	string		!Broadcom
>>4	string		!\x20\x20\x20\x20		invalid
>41	beshort		!0x2020
>>41	beshort		!0x0000
>>>41	string		x				firmware version: "%.4s",
>45	beshort		!0x0202
>>45	beshort		!0x0000
>>>45	string		x				board id: "%s",
>236	belong		x				~CRC32 header checksum: 0x%X,
>216	belong		x				~CRC32 data checksum: 0x%X

# Xerox MFP DLM signatures
0	string		%%XRXbegin			Xerox DLM firmware start of header
0	string		%%OID_ATT_DLM_NAME		Xerox DLM firmware name:
>19	string		x				"%s"
0	string		%%OID_ATT_DLM_VERSION		Xerox DLM firmware version:
>22	string		x				"%s"
0	string		%%XRXend			Xerox DLM firmware end of header

# Generic copyright signature
0	string		Copyright			Copyright string:
>9	byte		0				invalid
>9	string		x				"%s
>40	string		x				\b%s"

# Sercomm firmware header
0	string		sErCoMm				Sercomm firmware signature,
>7	leshort		x				version control: %d,
>9	leshort		x				download control: %d,
>11	string		x				hardware ID: "%s",
>44	leshort		x				hardware version: 0x%X,
>58	leshort		x				firmware version: 0x%X,
>60	leshort		x				starting code segment: 0x%X,
>62	leshort		x				code size: 0x%X

# NPK firmware header, used by Mikrotik
0		belong		0x1EF1D0BA		NPK firmware header,
>4		lelong		<0			invalid
>4		lelong		x			image size: %d,
>14		string		x			image name: "%s",
>(48.l+58)	string		x			description: "%s
>(48.l+121)	string		x			\b%s"

# Ubiquiti firmware signatures
0       string		UBNT		Ubiquiti firmware header, header size: 264 bytes,
>0x108  belong      !0          invalid,
>0x104	belong		x           ~CRC32: 0x%X,
>4      byte        0           invalid,
>4      string		x           version: "%s"

0       string		GEOS	    Ubiquiti firmware header, header size: 264 bytes,
>0x108  belong      !0          invalid,
>0x104	belong		x		    ~CRC32: 0x%X,
>4      byte        0           invalid,
>4	    string		x		    version: "%s"

0       string		OPEN		Ubiquiti firmware header, third party,
>0x108  belong      !0          invalid,
>0x104	belong		x		    ~CRC32: 0x%X,
>4      byte        0           invalid,
>4	    string		x		    version: "%s"

0   string      \x00\x00\x00\x00PART    Ubiquiti partition header,{offset-adjust:4}
>0  byte        x                       header size: 56 bytes,
>8  byte        0                       invalid
>8  string      x                       name: "%s",
>44 belong      x                       base address: 0x%.8X,
>52 belong      x                       data size: %d bytes
>52 belong      x                       {file-size:%d}

0   string      \x00\x00\x00\x00END\x2e Ubiquiti end header, header size: 12 bytes,{offset-adjust:4}
>12 belong      !0                      invalid,
>8  belong      x                       cumulative ~CRC32: 0x%.8X


# Found in DIR-100 firmware
0       string  	AIH0N   	AIH0N firmware header, header size: 48,
>12     belong  	x       	size: %d,
>8      belong  	!0      	executable code,
>>8     belong  	x       	load address: 0x%X,
>32     string  	x       	version: "%s"

0	belong		0x5EA3A417	SEAMA firmware header, big endian,
>6	beshort		x		meta size: %d,
>8  belong      <1      invalid
>8	belong		x		size: %d

0	lelong		0x5EA3A417	SEAMA firmware header, little endian,
>6	leshort		x		meta size: %d,
>8  lelong      <1      invalid
>8	lelong		x		size: %d

0	belong		0x4D544443	NSP firmware header, big endian,
>16 belong      <1      invalid
>16	belong		x		header size: %d,
>20 belong      <1      invalid
>20	belong		x		image size: %d,
>20 belong      x       {file-size:%d}
>4  belong      <1      invalid
>4	belong		x		kernel offset: %d,
>12 belong      <1      invalid
>12	belong		x		header version: %d,

0	lelong		0x4D544443	NSP firmware header, little endian,
>16 lelong      <1      invalid
>16	lelong		x		header size: %d,
>20 lelong      <1      invalid
>20	lelong		x		image size: %d,
>20 lelong      x       {file-size:%d}
>4  lelong      <1      invalid
>4	lelong		x		kernel offset: %d,
>12 lelong      <1      invalid
>12	lelong		x		header version: %d,

# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0	string		WizFwPkgl	Beyonwiz firmware header,
>20	string		x		    version: "%s"

0	string		BLI223WJ0	Thompson/Alcatel encoded firmware,
>32	byte		x		version: %d.
>33	byte		x		\b%d.
>34	byte		x		\b%d.
>35	byte		x		\b%d,
>44	belong		x		size: %d,
>48	belong		x		crc: 0x%.8X,
>35	byte		x		try decryption tool from:
>35	byte		x		http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/

0	string		\xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf	UEFI PI firmware volume{offset-adjust:-16}

# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0       string  ANDROID\040BACKUP\n     Android Backup
>15     string  1\n                     \b, version 1
>17     string  0\n                     \b, uncompressed
>17     string  1\n                     \b, compressed
>19     string  none\n                  \b, unencrypted
>19     string  AES-256\n               \b, encrypted AES-256

# http://forum.xda-developers.com/showthread.php?p=47818657
0	string	imgARMcC 		Roku aimage SB{offset-adjust:-8}

# Boot ROM images for Sun/Cobalt Linux server appliances
0       string	Cobalt\ Networks\ Inc.\nFirmware\ v	Paged Sun/COBALT boot rom,
>38     string	x        				version: "%.4s"

# Simple eCos string signatures
0		string	ecos					eCos RTOS string reference:
>0		string	x						"%s"
0		string	eCos					eCos RTOS string reference:
>0		string	x						"%s"
0		string	ECOS					eCos RTOS string reference:
>0		string	x						"%s"

# ZyXEL config signatures
0		string	dbgarea					ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16		beshort	x						compressed size: %d,
>14		beshort	x						uncompressed size: %d,
>18		beshort	x						data offset from start of block: {math:16+%d}

0		string	spt.dat					ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16		beshort	x						compressed size: %d,
>14		beshort	x						uncompressed size: %d,
>18		beshort	x						data offset from start of block: {math:16+%d}

0		string	autoexec.net			ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16		beshort	x						compressed size: %d,
>14		beshort	x						uncompressed size: %d,
>18		beshort	x						data offset from start of block: {math:16+%d}

# Obfuscated Arcadyan firmware, used on the WRT120N
0       belong  0x04010920              Obfuscated Arcadyan firmware (WRT120N?),
>0x68   belong  !0x00D50800             invalid
>0x68   belong  0x00D50800              see https://github.com/devttys0/wrt120n