summaryrefslogtreecommitdiffstats
path: root/magic/Magdir/firmware
blob: 4835b12e8d04499dcdd163ac7304b6253f938eab (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#------------------------------------------------------------------------------
# $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $
# firmware:  file(1) magic for firmware files
#

# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure
# examples: https://github.com/cweiske/frontier-silicon-firmwares
0	lelong		0x00001176	
>4	lelong		0x7c		Frontier Silicon firmware download
>>8	lelong		x		\b, MeOS version %x
>>12	string/32/T	x		\b, version %s
>>40	string/64/T	x		\b, customization %s

# HPE iLO firmware update image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/
# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images
0               string                  \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00
>16             ubeshort                =0xCFDD         HPE iLO2 firmware update image
>16             ubeshort                =0x6444         HPE iLO1 firmware update image
# iLO3 images (ilo3_*.bin) start directly with image name
0               string                  iLO3\x20v\x20   HPE iLO3 firmware update image,
>7              string                  x               version %s
# iLO4 images (ilo4_*.bin) start with a signature and a certificate
0               string                  --=</Begin\x20HP\x20Signed
>75             string                  label_HPBBatch
>>5828          string                  iLO\x204
>>>5732         string                  HPIMAGE\x00     HPE iLO4 firmware update image,
>>>6947         string                  x               version %s
# iLO5 images (ilo5_*.bin) start with a signature
>75             string                  label_HPE-HPB-BMC-ILO5-4096
>>880           string                  HPIMAGE\x00     HPE iLO5 firmware update image,
>>944           string                  x               version %s

# IBM POWER Secure Boot Container
# from https://github.com/open-power/skiboot/blob/master/libstb/container.h
0	belong	0x17082011	POWER Secure Boot Container,
>4	beshort	x		version %u
>6	bequad	x		container size %llu
# These are always zero
# >14	bequad	x		target HRMOR %llx
# >22	bequad  x		stack pointer %llx
>4096	ustring \xFD7zXZ\x00    XZ compressed
0	belong	0x1bad1bad	POWER boot firmware
>256	belong	0x48002030	(PHYP entry point)

# ARM Cortex-M vector table
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties
# Match stack MSB
3		byte			0x20
# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match)
>4		ulelong&0xE0000001	1
>>8		ulelong&0xE0000001	1
>>>12		ulelong&0xE0000001	1
>>>>44		ulelong&0xE0000001	1
>>>>>56		ulelong&0xE0000001	1
# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF)
>>>>>>28	ulelong+1		<2
>>>>>>>32	ulelong+1		<2
>>>>>>>>36	ulelong+1		<2
>>>>>>>>>40	ulelong+1		<2
>>>>>>>>>>52	ulelong+1		<2	ARM Cortex-M firmware
>>>>>>>>>>>0	ulelong			>0	\b, initial SP at 0x%08x
>>>>>>>>>>>4	ulelong^1		x	\b, reset at 0x%08x
>>>>>>>>>>>8	ulelong^1		x	\b, NMI at 0x%08x
>>>>>>>>>>>12	ulelong^1		x	\b, HardFault at 0x%08x
>>>>>>>>>>>44	ulelong^1		x	\b, SVCall at 0x%08x
>>>>>>>>>>>56	ulelong^1		x	\b, PendSV at 0x%08x

# ESP-IDF partition table entry
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h
0	string		\xAA\x50
>2	ubyte		<2		ESP-IDF partition table entry
>>12	string/16	x		\b, label: "%s"
>>2	ubyte		0
>>>3	ubyte		0x00		\b, factory app
>>>3	ubyte		0x10		\b, OTA_0 app
>>>3	ubyte		0x11		\b, OTA_1 app
>>>3	ubyte		0x12		\b, OTA_2 app
>>>3	ubyte		0x13		\b, OTA_3 app
>>>3	ubyte		0x14		\b, OTA_4 app
>>>3	ubyte		0x15		\b, OTA_5 app
>>>3	ubyte		0x16		\b, OTA_6 app
>>>3	ubyte		0x17		\b, OTA_7 app
>>>3	ubyte		0x18		\b, OTA_8 app
>>>3	ubyte		0x19		\b, OTA_9 app
>>>3	ubyte		0x1A		\b, OTA_10 app
>>>3	ubyte		0x1B		\b, OTA_11 app
>>>3	ubyte		0x1C		\b, OTA_12 app
>>>3	ubyte		0x1D		\b, OTA_13 app
>>>3	ubyte		0x1E		\b, OTA_14 app
>>>3	ubyte		0x1F		\b, OTA_15 app
>>>3	ubyte		0x20		\b, test app
>>2	ubyte		1
>>>3	ubyte		0x00		\b, OTA selection data
>>>3	ubyte		0x01		\b, PHY init data
>>>3	ubyte		0x02		\b, NVS data
>>>3	ubyte		0x03		\b, coredump data
>>>3	ubyte		0x04		\b, NVS keys
>>>3	ubyte		0x05		\b, emulated eFuse data
>>>3	ubyte		0x06		\b, undefined data
>>>3	ubyte		0x80		\b, ESPHTTPD partition
>>>3	ubyte		0x81		\b, FAT partition
>>>3	ubyte		0x82		\b, SPIFFS partition
>>>3	ubyte		0xFF		\b, any data
>>4	ulelong		x		\b, offset: 0x%X
>>8	ulelong		x		\b, size: 0x%X
>>28	ulelong&0x1	1		\b, encrypted

# ESP-IDF application image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h
# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t
# 	First segment contains esp_app_desc_t
0	ubyte		0xE9
>32	ulelong		0xABCD5432	ESP-IDF application image
>>12	uleshort	0x0000		for ESP32
>>12	uleshort	0x0002		for ESP32-S2
>>12	uleshort	0x0005		for ESP32-C3
>>12	uleshort	0x0009		for ESP32-S3
>>12	uleshort	0x000A		for ESP32-H2 Beta1
>>12	uleshort	0x000C		for ESP32-C2
>>12	uleshort	0x000D		for ESP32-C6
>>12	uleshort	0x000E		for ESP32-H2 Beta2
>>12	uleshort	0x0010		for ESP32-H2
>>80	string/32	x		\b, project name: "%s"
>>48	string/32	x		\b, version %s
>>128	string/16	x		\b, compiled on %s
>>>112	string/16	x		%s
>>144	string/32	x		\b, IDF version: %s
>>4	ulelong		x		\b, entry address: 0x%08X