head 1.1; branch 1.1.1; access; symbols FILE5_48:1.1.1.2 netbsd-11-0-RC4:1.1.1.1 netbsd-11-0-RC3:1.1.1.1 netbsd-11-0-RC2:1.1.1.1 netbsd-11-0-RC1:1.1.1.1 perseant-exfatfs-base-20250801:1.1.1.1 netbsd-11:1.1.1.1.0.4 netbsd-11-base:1.1.1.1 perseant-exfatfs-base-20240630:1.1.1.1 perseant-exfatfs:1.1.1.1.0.2 perseant-exfatfs-base:1.1.1.1 FILE5_45:1.1.1.1 CHRISTOS:1.1.1; locks; strict; comment @# @; 1.1 date 2023.08.18.18.36.50; author christos; state Exp; branches 1.1.1.1; next ; commitid IX26ghc1E2S0AiBE; 1.1.1.1 date 2023.08.18.18.36.50; author christos; state Exp; branches; next 1.1.1.2; commitid IX26ghc1E2S0AiBE; 1.1.1.2 date 2026.06.10.15.59.14; author christos; state Exp; branches; next ; commitid 3UWc0DrzTz7bHgJG; desc @@ 1.1 log @Initial revision @ text @#------------------------------------------------------------------------------ # $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $ # firmware: file(1) magic for firmware files # # https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure # examples: https://github.com/cweiske/frontier-silicon-firmwares 0 lelong 0x00001176 >4 lelong 0x7c Frontier Silicon firmware download >>8 lelong x \b, MeOS version %x >>12 string/32/T x \b, version %s >>40 string/64/T x \b, customization %s # HPE iLO firmware update image # From: Alexandre Iooss # URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ # iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images 0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00 >16 ubeshort =0xCFDD HPE iLO2 firmware update image >16 ubeshort =0x6444 HPE iLO1 firmware update image # iLO3 images (ilo3_*.bin) start directly with image name 0 string iLO3\x20v\x20 HPE iLO3 firmware update image, >7 string x version %s # iLO4 images (ilo4_*.bin) start with a signature and a certificate 0 string --=75 string label_HPBBatch >>5828 string iLO\x204 >>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image, >>>6947 string x version %s # iLO5 images (ilo5_*.bin) start with a signature >75 string label_HPE-HPB-BMC-ILO5-4096 >>880 string HPIMAGE\x00 HPE iLO5 firmware update image, >>944 string x version %s # IBM POWER Secure Boot Container # from https://github.com/open-power/skiboot/blob/master/libstb/container.h 0 belong 0x17082011 POWER Secure Boot Container, >4 beshort x version %u >6 bequad x container size %llu # These are always zero # >14 bequad x target HRMOR %llx # >22 bequad x stack pointer %llx >4096 ustring \xFD7zXZ\x00 XZ compressed 0 belong 0x1bad1bad POWER boot firmware >256 belong 0x48002030 (PHYP entry point) # ARM Cortex-M vector table # From: Alexandre Iooss # URL: https://developer.arm.com/documentation/100701/0200/Exception-properties # Match stack MSB 3 byte 0x20 # Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match) >4 ulelong&0xE0000001 1 >>8 ulelong&0xE0000001 1 >>>12 ulelong&0xE0000001 1 >>>>44 ulelong&0xE0000001 1 >>>>>56 ulelong&0xE0000001 1 # Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF) >>>>>>28 ulelong+1 <2 >>>>>>>32 ulelong+1 <2 >>>>>>>>36 ulelong+1 <2 >>>>>>>>>40 ulelong+1 <2 >>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware >>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x >>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x >>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x >>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x >>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x >>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x # ESP-IDF partition table entry # From: Alexandre Iooss # URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h 0 string \xAA\x50 >2 ubyte <2 ESP-IDF partition table entry >>12 string/16 x \b, label: "%s" >>2 ubyte 0 >>>3 ubyte 0x00 \b, factory app >>>3 ubyte 0x10 \b, OTA_0 app >>>3 ubyte 0x11 \b, OTA_1 app >>>3 ubyte 0x12 \b, OTA_2 app >>>3 ubyte 0x13 \b, OTA_3 app >>>3 ubyte 0x14 \b, OTA_4 app >>>3 ubyte 0x15 \b, OTA_5 app >>>3 ubyte 0x16 \b, OTA_6 app >>>3 ubyte 0x17 \b, OTA_7 app >>>3 ubyte 0x18 \b, OTA_8 app >>>3 ubyte 0x19 \b, OTA_9 app >>>3 ubyte 0x1A \b, OTA_10 app >>>3 ubyte 0x1B \b, OTA_11 app >>>3 ubyte 0x1C \b, OTA_12 app >>>3 ubyte 0x1D \b, OTA_13 app >>>3 ubyte 0x1E \b, OTA_14 app >>>3 ubyte 0x1F \b, OTA_15 app >>>3 ubyte 0x20 \b, test app >>2 ubyte 1 >>>3 ubyte 0x00 \b, OTA selection data >>>3 ubyte 0x01 \b, PHY init data >>>3 ubyte 0x02 \b, NVS data >>>3 ubyte 0x03 \b, coredump data >>>3 ubyte 0x04 \b, NVS keys >>>3 ubyte 0x05 \b, emulated eFuse data >>>3 ubyte 0x06 \b, undefined data >>>3 ubyte 0x80 \b, ESPHTTPD partition >>>3 ubyte 0x81 \b, FAT partition >>>3 ubyte 0x82 \b, SPIFFS partition >>>3 ubyte 0xFF \b, any data >>4 ulelong x \b, offset: 0x%X >>8 ulelong x \b, size: 0x%X >>28 ulelong&0x1 1 \b, encrypted # ESP-IDF application image # From: Alexandre Iooss # URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h # Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t # First segment contains esp_app_desc_t 0 ubyte 0xE9 >32 ulelong 0xABCD5432 ESP-IDF application image >>12 uleshort 0x0000 for ESP32 >>12 uleshort 0x0002 for ESP32-S2 >>12 uleshort 0x0005 for ESP32-C3 >>12 uleshort 0x0009 for ESP32-S3 >>12 uleshort 0x000A for ESP32-H2 Beta1 >>12 uleshort 0x000C for ESP32-C2 >>12 uleshort 0x000D for ESP32-C6 >>12 uleshort 0x000E for ESP32-H2 Beta2 >>12 uleshort 0x0010 for ESP32-H2 >>80 string/32 x \b, project name: "%s" >>48 string/32 x \b, version %s >>128 string/16 x \b, compiled on %s >>>112 string/16 x %s >>144 string/32 x \b, IDF version: %s >>4 ulelong x \b, entry address: 0x%08X @ 1.1.1.1 log @Update to file-5.45 (Last was file-5.44) 2023-07-27 15:45 Christos Zoulas * release 5.45 2023-07-17 11:53 Christos Zoulas * PR/465: psrok1: Avoid muslc asctime_r crash 2023-05-21 13:05 Christos Zoulas * add SIMH tape format support 2023-02-09 12:50 Christos Zoulas * bump the max size of the elf section notes to be read to 128K and make it configurable 2023-01-08 1:08 Christos Zoulas * PR/415: Fix decompression with program returning empty 2022-12-26 1:47 Christos Zoulas * PR/408: fix -p with seccomp * PR/412: fix MinGW compilation @ text @@ 1.1.1.2 log @Import file-5.48 (previous was file-5.45) 2026-05-07 11:32 Christos Zoulas * release 5.48 2026-05-11 15:55 Christos Zoulas * add landlock support (valoq) 2026-04-19 15:55 Christos Zoulas * add BE/LE GUID 2026-04-17 11:05 Christos Zoulas * multiple fixes to prevent integer overflow in 32 bits (kerwin) 2026-04-15 12:40 Christos Zoulas * PR/745: streamout: Don't flush when trying to set negative offsets on pipes, just continue, fixes 'cat file.zip | file -' * PR/753: vmihalko: Fix race is magic_getpath() 2026-03-11 15:14 Christos Zoulas * PR/728: Anton Monroe: Reinstate regex/c 2026-02-26 11:32 Christos Zoulas * release 5.47 2026-02-04 09:54 Christos Zoulas * Better multi-compound document identification by following the order of the directories entries. (Thomas Ledoux) 2026-01-19 14:00 Christos Zoulas * if stat fails, don't attempt to restore times (Steven Grubb) 2025-05-28 15:20 Christos Zoulas * PR/622: Odd_Bloke: Handle negative offsets in file_buffer(), when fd is not available. 2025-05-28 12:50 Christos Zoulas * PR/655: jsummers: Obey str_flags in strings like we do for search and regex * PR/659: Pitzl: Apply MAGIC_CONTINUE to annotations; i.e. print only the first, unless -k is specified. 2024-12-19 14:44 Christos Zoulas * PR/592: allow + in format strings * PR/592: signed operations should be done in signed context 2024-12-05 13:50 Christos Zoulas * PR/578: jsummers: Don't crash on cygwin when tm_mon == -1 * PR/579: net147: Fix stack overrun. 2024-11-27 14:44 Christos Zoulas * release 5.46 * Add OFFPOSITIVE 2024-11-25 13:56 Christos Zoulas * avoid leaking symbols in libmagic 2024-11-10 13:56 Christos Zoulas * PR/562: jsummers: Search/regex offsets are absolute to the beginning of the file, so adjust them by subtracting the offset that the "use" starts so that we don't double-count it. 2024-11-09 19:30 Christos Zoulas * PR/543: matshch: bump nbuf so we can get the flags into the buffer. 2024-11-02 14:34 Christos Zoulas * Add Android elf notes (enh) 2023-12-29 12:55 Christos Zoulas * Add limit for number of magic warnings allowed 2023-07-29 12:55 Christos Zoulas * check regex bounds (found by clusterfuzz) @ text @d2 1 a2 1 # $File: firmware,v 1.17 2025/04/06 18:37:40 christos Exp $ d113 1 a113 2 # From: A. Iooss # Update: Joerg Jenderek a114 1 # Reference: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/app_image_format.html a116 1 # ESP_IMAGE_HEADER_MAGIC at the beginning of esp_image_header_t structure a117 3 # display ESP-IDF application image (strength=40=40+0) before DOS executable with 16bit JuMP (strength=40) handled by ./msdos #!:strength +0 # ESP_APP_DESC_MAGIC_WORD; magic for the esp_app_desc_t structure a118 3 #!:mime application/octet-stream !:mime application/x-espressif-bin !:ext bin d128 2 a129 4 >>80 byte !0 >>>80 string/32 x \b, project name: "%s" >>48 byte !0 >>>48 string/32 x \b, version %s a133 268 # ESP8266/ESP32 firmware image # Note: contain partition table entries and ESP-IDF application image # From: A. Iooss # Reference: https://docs.espressif.com/projects/esptool/en/latest/esp32/advanced-topics/firmware-image-format.html 0 byte 0xE9 >2 byte <4 >>7 byte 0x40 ESP firmware image # ESP8266 does not have Extended File Header >>>12 uleshort 0x0000 for ESP32 >>>12 uleshort 0x0002 for ESP32-S2 >>>12 uleshort 0x0005 for ESP32-C3 >>>12 uleshort 0x0009 for ESP32-S3 >>>12 uleshort 0x000A for ESP32-H2 Beta1 >>>12 uleshort 0x000C for ESP32-C2 >>>12 uleshort 0x000D for ESP32-C6 >>>12 uleshort 0x000E for ESP32-H2 Beta2 >>>12 uleshort 0x0010 for ESP32-H2 >>>4 ulelong x \b, entry point 0x%08X # AVR firmware # From: Alexandre Iooss # URL: https://microchipdeveloper.com/8avr:int # Match 4-byte JMP for Reset, Int0-2, PcInt0-3 and WDT 0 uleshort&0xFE0E 0x940C >4 uleshort&0xFE0E 0x940C >>8 uleshort&0XFE0E 0x940C >>>12 uleshort&0XFE0E 0x940C >>>>16 uleshort&0XFE0E 0x940C >>>>>20 uleshort&0XFE0E 0x940C >>>>>>24 uleshort&0XFE0E 0x940C >>>>>>>28 uleshort&0XFE0E 0x940C >>>>>>>>32 uleshort&0XFE0E 0x940C AVR firmware # Handle only 16-bit addressing >>>>>>>>>0 uleshort 0x940C >>>>>>>>>>2 uleshort x \b, reset at 0x%04x # Match 2-byte RJMP for Reset, Int0-2, PcInt0-3 and WDT for smaller AVR 1 byte&0xF0 0xC0 >3 byte&0xF0 0xC0 >>5 byte&0xF0 0xC0 >>>7 byte&0xF0 0xC0 >>>>9 byte&0xF0 0xC0 >>>>>11 byte&0xF0 0xC0 >>>>>>13 byte&0xF0 0xC0 >>>>>>>15 byte&0xF0 0xC0 >>>>>>>>17 byte&0xF0 0xC0 AVR firmware >>>>>>>>>0 uleshort&0x0FFF x \b, reset at 0x%04x # Summary: Intel HEXadecimal file format # URL: https://en.wikipedia.org/wiki/Intel_HEX # Reference: http://www.piclist.com/techref/fileext/hex/intel.htm # http://mark0.net/download/triddefs_xml.7z/defs/h/hex-intel.trid.xml # From: Joerg Jenderek # Note: called "Intel Hexadecimal object format" by TrID, "Intel(R) hexadecimal object file" on Linux # and "Intel HEX binary data" by Notepad++ # look for start code; 1 character, an ASCII colon ':'; all characters preceding this symbol should be ignored 0 ubyte 0x3A # check for valid record type string with range 00 - 05 (3030h - 3035h) >&6 ubeshort&0xFFf8 =0x3030 # check for valid record length string like: 02 04 08 10h 20h 03 (usbdload.hex usbdldv2.hex from Windows Vista) #>>1 string x LENGTH_STRING=%0.2s #>>1 ubeshort x LENGTH=%#4.4x >>&-8 ubeshort&0xFCf0 =0x3030 >>>0 use intel-hex # display information (offset, record length and type) of Intel HEX 0 name intel-hex # RECORD MARK >0 ubyte x Intel hexadecimal object #!:mime text/plain !:mime text/x-hex !:ext hex # no samples with other suffix found # .hex .mcs .int .ihex .ihe .ihx .h80 .h86 .a43 .a90 .obj .obl .obh .rom .eep # .hxl-.hxh .h00-.h15 .p00-.pff # RECLEN; 2 hex digits for number of bytes in 1st data field; like 0x02 0x03 0x04 0x08 0x10 0x20; maximum 255 >1 string x \b, 0x%2.2s record length # OFFSET; 4 hex digits for 1st 16-bit memory offset of data like: 0000 (often) 1C00h 1E00h 3800h 3E00h 76EDh 7800h 7E00h ... >3 string x \b, 0x%4.4s offset # RECTYP; 2 hex digits (00 - 05); meaning of 1st data field; 00~DataRecord (often) 0l~EndOfFileRecord 02~ExtendedSegmentAddressRecord 03~StartSegmentAddressRecord 04~ExtendedLinearAddressRecord 05~StartLinearAddressRecord >7 string x \b, '%2.2s' type # DATA; n bytes of 1st data represented by 2n hex digits followed by 1 byte checksum >9 string x \b, data+checksum %s # last record :00000001FF with RECLEN 0, OFFSET 0, record type 01 for EndOfFile and 1 checksum byte FF # samples with CarriageReturnLineFeed terminator >-2 ubeshort =0x0d0a # This should not happen! >>-13 string !:00000001FF \b, last line %s >-2 ubeshort !0x0d0a # samples with LineFeed terminator >>-1 ubyte =0x0a # This should not happen! >>>-12 string !:00000001FF \b, last line %s # Raspberry Pi RP2040 firmware # From: Alexandre Iooss # Note: RP2040 flash image starts with stage2 bootloader, then a vector table. # URL: https://github.com/raspberrypi/pico-sdk/tree/1.5.1/src/rp2_common/boot_stage2 # boot2_*.S code (_stage2_boot) 0 ulelong 0x4B32B500 >4 ulelong 0x60582021 >>8 ulelong 0x21026898 # exit_from_boot2.S code (check_return) `pop {r0}; cmp r0, #0` >>>148 ulelong 0x2800bc01 # Cortex-M vector table with reserved section filled with a default interrupt address >>>>259 byte 0x20 # make sure required vector table entries are ARM Thumb and in flash >>>>>260 ulelong&0xE0000001 1 >>>>>>264 ulelong&0xE0000001 1 >>>>>>>268 ulelong&0xE0000001 1 >>>>>>>>300 ulelong&0xE0000001 1 >>>>>>>>>312 ulelong&0xE0000001 1 Raspberry Pi RP2040 firmware >>>>>>>>>>256 ulelong >0 \b, initial SP at 0x%08x >>>>>>>>>>260 ulelong^1 x \b, reset at 0x%08x >>>>>>>>>>264 ulelong^1 x \b, NMI at 0x%08x >>>>>>>>>>268 ulelong^1 x \b, HardFault at 0x%08x >>>>>>>>>>300 ulelong^1 x \b, SVCall at 0x%08x >>>>>>>>>>312 ulelong^1 x \b, PendSV at 0x%08x # optional binary_info in the first 256 bytes, used by picotool # https://github.com/raspberrypi/pico-sdk/blob/master/src/common/pico_binary_info/include/pico/binary_info/defs.h >>>>>>>>>>256 search/256 \xf2\xeb\x88\x71 \b, with binary_info # Silicon Labs Gecko Bootloader update image # From: Alexandre Iooss # Reference: https://github.com/raboof/gbl # https://github.com/dsyx/emberznet-doc # Note: TLV always starting with tag 0x03A617EB of length 8 0 ulelong 0x03A617EB >4 ulelong 8 Silicon Labs Gecko bootloader update image !:ext gbl >>12 byte 1 \b, encrypted (AES-CTR-128) >>13 byte 1 \b, signed (ECDSA-P256) # If not encrypted, indicate first image type >>16 ulelong 0xF40A0AF4 \b, application image >>16 ulelong 0xF50909F5 \b, bootloader image # Silicon Labs Gecko Bootloader OTA update with Zigbee EmberZNet SDK # URL: https://github.com/SiliconLabs/gecko_sdk 0 ulelong 0x0BEEF11E >6 ulelong 0x38 Silicon Labs Gecko EmberZNet OTA image !:ext ota/zigbee >>4 ubeshort x v%d # Device Firmware Upgrade with ST STMicroelectronics extensions # From: Alexandre Iooss # Reference: STMicroelectronics note UM0391 # Reference: https://dfu-util.sourceforge.net/dfuse.html # DFU prefix 0 string DfuSe\x01 DFU image (STM variant) !:ext dfu >6 ulelong x \b, size: %d bytes # DFU suffix, specification 0x011A >-10 string \x1A\x01UFD >>-12 uleshort x \b, for device %04X: >>-14 uleshort x \b%04X # Allwinner eGON Boot Image # Reference: https://linux-sunxi.org/EGON 0 name egon-details # ARM b instruction >0 ulelong&0xff000000 0xea000000 (ARM) # RISC-V jal instruction >0 ulelong&0x00000fff 0x0000006f (RISC-V) >16 ulelong x \b, size %u 4 string eGON.BT0 Allwinner eGON.BT0 Boot Image >0 use egon-details 4 string eGON.BT1 Allwinner eGON.BT1 Boot Image >0 use egon-details # Allwinner TOC0 Boot Image # Reference: https://linux-sunxi.org/TOC0 0 name toc0-item >0 ulelong 0x010101 certificate >0 ulelong 0x010202 firmware >0 ulelong 0x010303 key >4 ulelong x (offset 0x%x >8 ulelong x \b, size 0x%x) 8 ulelong 0x89119800 Allwinner TOC0 Boot Image >24 ulelong x with %u items # each item is 32 bytes # item 0 >24 ulelong >0 \b: >>48 use toc0-item # item 1 >24 ulelong >1 \b, >>80 use toc0-item # item 2 >24 ulelong >2 \b, >>112 use toc0-item # item 3 >24 ulelong >3 \b, >>144 use toc0-item # item 4 >24 ulelong >4 \b, >>176 use toc0-item # item 5+ >24 ulelong >5 \b, ... # Allwinner TOC1 Boot Image # Reference: https://lore.kernel.org/all/20211015040811.56856-2-samuel@@sholland.org/T/ 0 name toc1-item >0 string/64/T x %s >64 ulelong x (offset 0x%x >68 ulelong x \b, size 0x%x) 16 ulelong 0x89119800 Allwinner TOC1 Boot Image >0 string/16/T >\0 (name "%s") >32 ulelong x with %u items # each item is 368 bytes # item 0 >32 ulelong >0 \b: >>64 use toc1-item # item 1 >32 ulelong >1 \b, >>432 use toc1-item # item 2 >32 ulelong >2 \b, >>800 use toc1-item # item 3 >32 ulelong >3 \b, >>1168 use toc1-item # item 4 >32 ulelong >4 \b, >>1536 use toc1-item # item 5+ >32 ulelong >5 \b, ... # https://github.com/o-gs/dji-firmware-tools/blob/master/dji_imah_fwsig.py#L404 0 string IM*H DJI firmware update >40 string/4 >\0 (auth %s, >44 string/4 >\0 enc %s) >44 string/4 =\0 no enc) # NXP i.MX RT firmware image # From: A. Iooss # Reference: Table 8-2 in MCU_Flashloader_Reference_Manual.pdf # URL: https://github.com/tock/tock/blob/master/boards/teensy40/layout.ld # Image starts with a NOR FlexSPI Configuration Block (FCB) of 3kB or 4kB 0 string FCFB >7 string V NXP i.MX RT bootable image !:ext bin >>6 byte x \b, version %d >>5 byte x \b.%d >>4 byte x \b.%d # then a Image Vector Table of 4kB >>3072 ulelong&0xFCFFFFFF 0x402000D1 >>>7168 use flexspi-fw >>4096 ulelong&0xFDFFFFFF 0x402000D1 >>>5120 use flexspi-fw >>4096 ulelong&0xFDFFFFFF 0x412000D1 >>>8192 use flexspi-fw # then maybe a ARM Cortex-M program, but with vector table pointing to peripheral memory 0 name flexspi-fw >3 byte 0x20 >>4 ulelong&1 1 >>>8 ulelong&1 1 >>>>12 ulelong&1 1 >>>>>44 ulelong&1 1 >>>>>>56 ulelong&1 1 \b, ARM Cortex-M >>>>>>>0 ulelong >0 \b, initial SP at 0x%08x >>>>>>>4 ulelong^1 x \b, reset at 0x%08x >>>>>>>8 ulelong^1 x \b, NMI at 0x%08x >>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x >>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x >>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x @