#------------------------------------------------------------------------------
# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $
# intel:  file(1) magic for x86 Unix
#
# Various flavors of x86 UNIX executable/object (other than Xenix, which
# is in "microsoft").  DOS is in "msdos"; the ambitious soul can do
# Windows as well.
#
# Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and
# whatever comes next (HP-PA Hummingbird?).  OS/2 may also go elsewhere
# as well, if, as, and when IBM makes it portable.
#
# The `versions' should be un-commented if they work for you.
# (Was the problem just one of endianness?)
#
# Legacy x86 Unix executable formats, each keyed on a 16-bit little-endian
# magic number at offset 0 (values written with a leading 0 are octal).
# A two-byte magic is a weak discriminator: a match labels the header, it does
# not show that the rest of the file is a well-formed executable.
# "not stripped" is printed when the 32-bit little-endian value at offset 12 is
# greater than zero (in a COFF file header that offset holds the symbol count;
# presumably the older formats use it the same way -- confirm).
# The "version" tests at offset 22 are left commented out; see the note in the
# file header.
0	leshort		0502		basic-16 executable
>12	lelong		>0		not stripped
#>22	leshort		>0		- version %d
0	leshort		0503		basic-16 executable (TV)
>12	lelong		>0		not stripped
#>22	leshort		>0		- version %d
0	leshort		0510		x86 executable
>12	lelong		>0		not stripped
0	leshort		0511		x86 executable (TV)
>12	lelong		>0		not stripped
0	leshort		=0512		iAPX 286 executable small model (COFF)
>12	lelong		>0		not stripped
#>22	leshort		>0		- version %d
0	leshort		=0522		iAPX 286 executable large model (COFF)
>12	lelong		>0		not stripped
#>22	leshort		>0		- version %d
# COFF objects and executables for i386, ia64 and x86-64.  Each entry matches
# the 16-bit machine type at offset 0 and hands the file to the display-coff
# subroutine, which is defined outside this file.
# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file"
# ./intel (version 5.25) labeled the next entry as "80386 COFF executable"
# SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan
# 0514 (octal) = 0x014c, the COFF machine type for Intel 80386
0	leshort		=0514
# use subroutine to display name+flags+variables for common object formatted files
>0	use				display-coff
#>12	lelong		>0		not stripped
# no hint found that offset 22 holds a version
#>22	leshort		>0		- version %d
# 0x0200: COFF machine type for Intel ia64
0	leshort		0x0200
# F_EXEC flag bit (0x0002 in the flags word at offset 18) clear implies
# Intel ia64 COFF object file without optional header
>18	leshort		^0x0002
# skip some DEGAS high-res uncompressed bitmap *.pi3 handled by ./images like
# GEMINI03.PI3 MODEM2.PI3 POWERFIX.PI3 sigirl1.pi3 vanna5.pi3
# by testing for a valid starting character (often point 0x2E) of the 1st
# section name.  This guard exists because the two-byte magic also occurs in
# unrelated data; a match is a label, not a validation of the object file.
>>20	ubyte		>0x1F
>>>0	use				display-coff
# F_EXEC flag bit set implies Intel ia64 COFF executable
>18	leshort		&0x0002
>>0	use				display-coff
# 0x8664: COFF machine type for x86-64 (AMD64); no further guard is applied
0	leshort		0x8664
>0	use				display-coff

# rom: file(1) magic for BIOS ROM Extensions (option ROMs) found in Intel
#      machines, mapped into memory between 0xC0000 and 0xFFFFF
# From: Alex Myczko <alex@aiei.ch>
# updated by Joerg Jenderek
# https://en.wikipedia.org/wiki/Option_ROM
# URL:		http://fileformats.archiveteam.org/wiki/BIOS
# Reference:	http://www.lejabeach.com/sisubb/BIOS_Disassembly_Ninjutsu_Uncovered.pdf
# Entry point: the two signature bytes 55h AAh at offset 0.  Everything the
# rom-x86 subroutine prints afterwards is read from header fields of the image
# itself; none of it is checked against the file length or a checksum.
0	beshort		0x55AA
# skip misidentified raspberry pi pieeprom-*.bin by checking for an
# unlikely high ROM size (0xF0*512=240*512) followed by a start instruction
# byte 0x0F that has not been observed in real option ROMs
>2	ubeshort	!0xF00F
# skip 2 byte sized eof.bin that holds only the start magic
# NOTE(review): no separate test follows this comment; presumably the test at
# offset 2 above already fails for a 2-byte file because there is nothing to
# read there -- confirm.
>>0	use		rom-x86
# rom-x86: describe an x86 option ROM image whose 55AAh signature was already
# matched by the caller.  This first part prints the base label, sets MIME type
# and extensions, and keeps the "old" vendor strings for images that carry
# neither a $PnP nor a PCIR structure.
0	name		rom-x86
>0	beshort		x		BIOS (ia32) ROM Ext.
#!:mime	application/octet-stream
!:mime	application/x-ibm-rom
!:ext	rom/bin
################################################################################
# (26.s) and (24.s) are indirect offsets: the little-endian 16-bit value stored
# at offset 26 (or 24) is used as the position to read from.  Both pointers come
# from the image, so the signature comparisons below are what decides whether
# they point at a real structure.
# not Plug aNd Play ($PnP = 0x24506e50) like 00000000 (ide_xtp.bin kvmvapic.bin V7VGA.ROM) 000000fc (MCT-VGA.bin)
# 55aaf00f (pieeprom-*.bin) 55aa40e9 (Trm3x5.bin) 24506f4f (sgabios-bin.rom)
# 55aa4be9 (vgabios-stdvga.rom vgabios-cirrus-bin.rom vgabios-vmware-bin.rom)
>(26.s)	ubelong		!0x24506e50
#>(26.s)	ubelong		!0x24506e50	NOT PNP=%8.8x
# also not PCI (PCIR = 0x50434952) implies "old" ISA cards or foo like: 8a168404 (MCT-VGA.bin)
# 55aaf00f (pieeprom*.bin)
>>(24.s)	ubelong	!0x50434952
#>>(24.s)	ubelong	!0x50434952	ISA CARD=%8.8x
# "old" identification strings used in file version 5.41 and earlier.
# These are fixed-offset substring matches and only hint at the vendor.
# probably a USB controller
>>>5	string		USB		USB
# probably	https://en.wikipedia.org/wiki/Preboot_Execution_Environment
>>>7	string		LDR		UNDI image
# probably another Adaptec SCSI controller
>>>26	string		Adaptec		Adaptec
# http://minuszerodegrees.net/rom/bin/adaptec_aha1542cp_bios_908501-00.bin
# already done by PNP variant
#>>>28	string		Adaptec		Adaptec
# probably Promise SCSI controller
>>>42	string		PROMISE		Promise
# old test for IBM compatible Video cards; INTERNAL FACTS WHY IS THIS WORKING?
# (this test is at the first continuation level, so it runs for every image,
# independent of the $PnP/PCIR tests above)
>30      string          IBM          IBM comp. Video
# display exact text for IBM compatible Video cards with longer text
# (only when a non-zero byte follows "IBM"); the quoted text is copied from
# the image, so treat it as file-supplied data when it ends up in a report
>>33	ubyte		!0
>>>30	string		x		"%s"
# http://minuszerodegrees.net/rom/bin/unknown/MCT-VGA-16%20-%20TDVGA%203588%20BIOS%20Version%20V1.04A.zip
# "IBM COMPATIBLETDVGA 3588 BIOS Version V1.04A2+"	"MCT-VGA-16 - TDVGA 3588 BIOS Version V1.04A.bin"
# "IBM VGA Compatible\001"				NVidia44.bin
# "IBM EGA ROM Video Seven BIOS Code, Version 1.04"	V7VGA.ROM
# "IBM"							vgabios-stdvga.rom
# "IBM"							vgabios-vmware-bin.rom:
# "IBM"							vgabios-cirrus-bin.rom
# "IBM"							vgabios-virtio-bin.rom
################################################################################
# ROM size in 512B blocks must be interpreted as unsigned for ROM of network cards
# like: efi-eepro100.rom efi-rtl8139.rom pxe-e1000.rom
# The printed size is the value declared in byte 2 of the image; it is not
# compared with the real file length, and the table below shows that the two
# often differ.
>2       ubyte            x            (%u*512)
# file name		file size	calculated size	remark
# eof.bin		2		-		with start magic nothing is shown here
# orchid.bin		188		0	=0*512	on Windows 95 CD in Drivers\audio\orchid3d
# multiboot.bin		1024		1024	=2*512	QEMU emulator
# loader1.bin		512		2048	=4*512
# ide_xtp.bin		8192		8192	=16*512
# kvmvapic.bin		9216		9216	=18*512
# V7VGA.ROM		18832		16384	=32*512
# adaptec1542.bin	32768		16384	=32*512
# MCT-VGA.bin		32768		24576	=48*512
# 2975BIOS.BIN		32768		32256	=63*512
# efi-e1000.rom		196608		64000	=125*512
# efi-rtl8139.rom	176640		66048	=129*512
# pieeprom*.bin		524288		122880	=240*512
################################################################################
# initialization vector with executable code at offset 3; often a near JuMP
# instruction E9 yy zz
>3	ubyte			=0xE9	jmp
# jmp offset (16-bit little-endian displacement) like: 008fh 0093h 009fh 00afh 0143h 3ad7h 5417h 54ech 594dh 895fh
>>4	uleshort		x	%#4.4x
# for initialization vector samples without 3 byte jump instruction:
# show the first four bytes at offset 3 as one big-endian value
>3	ubyte			!0xE9	instruction
#	eb4b3734h	NVidia44.bin
#	00003234h	V7VGA.ROM
#	060e0731h	kvmvapic.bin
#	cb000000h	linuxboot-bin.rom
#	e80d0fcbh	PXE-Intel.rom
#	b8004875h	orchid.bin
>>3	ubelong			x	%#8.8x
# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f
#>2	ubeshort		x	\b, AT 2 %#4.4x
################################################################################
#		new sections for BIOS (ia32) ROM Extension
# Plug aNd Play expansion header.  All tests in this section are relative to
# the 16-bit pointer stored at offset 1Ah (26) of the image and run only when
# the four bytes it points to are "$PnP".  Every value printed here is taken
# from the image as-is; the header checksum is shown, not verified.
# 4 bytes ASCII Signature "$PnP" for Plug aNd Play expansion header
>(26.s)	string		=$PnP		\b;
#>(26.s)	string		=$PnP		FOUND $PnP
# at 1Ah possible offset to expansion header structure; new for Plug aNd Play
>>26		uleshort	x	at %#x PNP
# Plug and Play vendor+device ID like: 0 0x000f1000 (2975BIOS.BIN) 0x31121095 (4243.bin) 0x04904215 (adaptec1542.bin)
#>>(26.s+0x0A)	ulelong		!0	NOT-nullID=%8.8x
>>(26.s+0x0A)	uleshort	!0
# show PnP Vendor identification in human readable text form instead of numeric
# For adaptec_ava1515_bios_585201-00.bin reverted endian! BUT IS THIS ALWAYS TRUE?
# (the \^ prefix calls the PCI-vendor subroutine, defined outside this file,
# with the opposite byte order)
>>>(26.s+0x0C)	use		\^PCI-vendor
>>>(26.s+0x0A)	ubeshort	x	device=%#4.4x
# 3 byte Device type code; probably the same meaning as in PCI section?
# OK for	storage controller SCSI		(2975BIOS.BIN adaptec1542.bin)
# and		network controller ethernet	(efi-e1000.rom efi-rtl8139.rom)
>>(26.s+0x12)	use		PCI-class
# structure revision like: 01h
>>(26.s+4)	ubyte		!1	\b, revision %u
# PnP Header structure length in multiple of 16 bytes like: 2
# NOTE(review): this test reads two bytes at +5 and the next one reads two
# bytes at +7, which overlaps the byte at +8 that is tested as "reserved"
# further down.  If the length is a single byte at +5 and the next-header
# offset a 16-bit word at +6, as the offsets of the following fields suggest,
# both tests are misaligned -- confirm against the Plug and Play BIOS
# specification.
>>(26.s+5)	uleshort	!2	\b, length %u*16
# offset to next header; 0 if none
>>(26.s+7)	uleshort	!0	\b, at %#x next header
# reserved byte; seems to be zero
>>(26.s+8)	ubyte		!0	\b, reserved %#x
# 8-bit checksum for this header; calculated and patched by patch2pnprom
# (the output label says CRC, but the value is only displayed; nothing here
# recomputes or checks it)
>>(26.s+9)	ubyte		!0	\b, CRC %#x
# pointer to optional manufacturer string; like: 0 (4243.bin) 59h 5ch 60h c7h 14eh 27ch 296h 324h 3662h
>>(26.s+0x0E)	uleshort	>0	\b, at %#x
# the read at +0x0C prints nothing; it presumably just positions the relative
# offset so that (&0.s) below picks up the pointer word at +0x0E -- confirm
>>>(26.s+0x0C)	uleshort	x
# manufacturer ASCII-Z string like "http://ipxe.org" "Plop - Elmar Hanlhofer www.plop.at" "QEMU"
# (file-supplied text, reached through a file-supplied pointer)
>>>>(&0.s)	string		x	"%s"
# pointer to optional product string; like: 0 (2975BIOS.BIN) 6ch 70h 7ch d9h 160h 281h 29bh 329h
>>(26.s+0x10)	uleshort	>0	\b, at %#x
>>>(26.s+0x0E)	uleshort	x
# often human readable product ASCII-Z string like "iPXE" "Plop Boot Manager"
# "multiboot loader" "Intel UNDI, PXE-2.0 (build 082)"
>>>>(&0.s)	string		x	"%s"
# PnP Device indicators; bit flags that describe, among other things, whether the device can be booted from
#>>(26.s+0x15)	ubyte		x	\b, INDICATORS %#x
# device is a display device
>>(26.s+0x15)	ubyte		&0x01	\b, display
# device is an input device
>>(26.s+0x15)	ubyte		&0x02	\b, input
# device is an IPL device
>>(26.s+0x15)	ubyte		&0x04	\b, IPL
#>>(26.s+0x15)	ubyte		&0x08	reserved
# ROM is only required if this device is selected as a boot device
>>(26.s+0x15)	ubyte		&0x10	\b, bootable
# indicates ROM is read cacheable
>>(26.s+0x15)	ubyte		&0x20	\b, cacheable
# ROM may be shadowed in RAM
>>(26.s+0x15)	ubyte		&0x40	\b, shadowable
# ROM supports the device driver initialization model
>>(26.s+0x15)	ubyte		&0x80	\b, InitialModel
# The three vectors below are offsets to code inside the ROM that hooks BIOS
# interrupts, which makes them useful starting points when reviewing what an
# option ROM does at boot.
# boot connection vector; an offset to a routine that hooks into INT 9h, INT 10h, or INT 13h
# 0 means disabled 0x0429 (4650_sr5.bin) 0x0072 (adaptec1542.bin)
>>(26.s+0x16)	uleshort	!0	\b, boot vector offset %#x
# disconnect vector; offset to a routine that cleans up after an unsuccessful boot attempt
>>(26.s+0x18)	uleshort	!0	\b, disconnect offset %#x
# bootstrap entry point/vector (BEV); offset to a routine (like RPL) that hooks into INT 19h
# 0 means disabled 0x3c (multiboot.bin) 0x358 (efi-rtl8139.rom) 0xae7 (PXE-Intel.rom)
>>(26.s+0x1A)	uleshort	!0	\b, bootstrap offset %#x
# 2nd reserved area; seems to be zero
>>(26.s+0x1C)	uleshort	!0	\b, 2nd reserved %#x
# static resource information vector; 0 means disabled
>>(26.s+0x1E)	uleshort	!0	\b, static offset %#4.4x
################################################################################
# PCI Data Structure.  All tests in this section are relative to the 16-bit
# pointer stored at offset 18h (24) of the image and run only when the four
# bytes it points to are "PCIR".  Only the structure of the first image in the
# file is examined.
# 4 bytes ASCII Signature "PCIR" for PCI Data Structure
#>(24.s)	string			=PCIR	FOUND PCIR
>(24.s)	string			=PCIR	\b;
# pointer to PCI data structure like: 1Ch 38h 104h 8E44h
>>24	uleshort		x	at %#x PCI
# Vendor identification (ID)		https://pci-ids.ucw.cz/v2.2/pci.ids
#>>(24.s+4)	uleshort	x	ID=%4.4x
# show Vendor identification in human readable text form instead of numeric
# (PCI-vendor and PCI-class are subroutines defined outside this file)
>>(24.s+4)	use		PCI-vendor
# device identification (ID)
>>(24.s+6)	uleshort	x	device=%#4.4x
# Base+sub class code			https://wiki.osdev.org/PCI
>>(24.s+0x0D)	use		PCI-class
# pointer to vital product data (VPD); 0 indicates no VPD; WHAT EXACTLY IS VPD?
# NOTE(review): later revisions of the PCI firmware specification appear to
# reuse this word as a device list pointer -- confirm before relying on the
# "VPD" label.
>>(24.s+8)	uleshort	!0	\b, at %#x VPD
# PCI data structure length like: 24h 28h (shown only when larger than 28h)
>>(24.s+0xA)	uleshort	>0x28	\b, length %u
# PCI data structure revision like: 0 3
>>(24.s+0xC)	ubyte		>0	\b, revision %u
# image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83
# Apparently this gives the same information as given by byte at offset 2 but as 16-bit
#>>(24.s+0x10)	uleshort	x	\b, length %u*512
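# revision level of code/data (16-bit field at offset 12h of the PCI data
# structure) like: 0 1 201h 502h
# The structure revision byte at offset 0Ch is already reported by its own
# test; reading that byte here as well would print it twice and could never
# yield the 16-bit sample values listed above, so this test reads the word
# at 12h instead.
>>(24.s+0x12)	uleshort	>1	\b, code revision %#x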
# code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved
# (a non-zero code type means the first image is not legacy x86 code, which
# matters when deciding how to analyse the ROM further)
>>(24.s+0x14)	ubyte		>0	\b, code type %#x
# last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved
# When the byte is zero nothing is printed: more images follow in the file, and
# they are not described by this entry because every offset used here is
# relative to the start of the file.
>>(24.s+0x15)	ubyte		>0
>>>(24.s+0x15)	ubyte		=0x80	\b, last ROM
# THIS SHOULD NOT HAPPEN! (reserved bits set)
>>>(24.s+0x15)	ubyte		!0x80	\b, indicator %x
# 3rd reserved area; seems to be zero in most cases but not for
# efi-e1000.rom efi-rtl8139.rom
# NOTE(review): in newer PCI data structure revisions this word may carry a
# defined field rather than being reserved, which would explain the non-zero
# samples -- confirm against the PCI firmware specification.
>>(24.s+0x16)	ubeshort	!0	\b, 3rd reserved %#x

# Flash descriptors for Intel SPI flash ROMs.
# From Dr. Jesus <j@hug.gs>
# The same 32-bit little-endian signature is looked for at offset 0 and at
# offset 16, and the position decides which label is printed.  Only the
# signature is tested; nothing else in the descriptor is parsed or validated.
0	lelong		0x0ff0a55a	Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step
16	lelong		0x0ff0a55a	Intel serial flash for PCH ROM

# ACPI tables: each entry matches a 4-character table signature at offset 0
# and passes the file to the acpi-table subroutine, which applies the only
# plausibility test (the revision byte).
# From: 	Joerg Jenderek
# URL:		https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface
# Reference:	https://uefi.org/sites/default/files/resources/ACPI_6_3_final_Jan30.pdf
# Note:		generated for example by `cat /sys/firmware/acpi/tables/DSDT > MyDSDT.aml`
0	string		DSDT
>0	use		acpi-table
# the following signatures are not tested, or may belong to another file format
0	string		APIC
>0	use		acpi-table
#0	string		ASF!
#>0	use		acpi-table
0	string		FACP
>0	use		acpi-table
#0	string		FACS
#>0	use		acpi-table
0	string		MCFG
>0	use		acpi-table
0	string		SLIC
>0	use		acpi-table
0	string		SSDT
>0	use		acpi-table
# acpi-table: print the fields of an ACPI table header after the caller has
# matched a table signature at offset 0.  The fields are read at fixed offsets:
# 4 length, 8 revision, 10 OEM ID, 16 OEM table ID, 24 OEM revision,
# 28 compiler ID, 32 compiler revision.
# The label is a heuristic: the length and checksum tests are commented out
# below, so the declared length is not compared with the file size and the
# table checksum is not verified.  All printed strings come from the file.
0	name		acpi-table
# skip ASCII text starting with DSDT by looking for valid "low" revision
>8	ubyte		<17	ACPI Machine Language file
# assume that ACPI tables size are lower than 16 MiB
#>4	ulelong		<0x01000000
# DSDT for Differentiated System Description Table
>>0	string		x	'%.4s'
#!:mime	application/octet-stream
!:mime	application/x-intel-aml
!:ext	aml
# the manufacturer model ID like: VBOXBIOS BXDSDT
>>16	string		>\0	%.8s
# OEM revision of DSDT for supplied OEM Table ID like: 0 1 2 20090511
>>>24	ulelong		x	%x
# OEM ID like: INTEL VBOX (VirtualBox) BXDSDT (qemu) MEDION or \030\001\0\0 for s3pt.aml
# printed one character at a time; output stops at the first byte that is not
# greater than 040 (octal, the space character)
>>10	ubyte		>040	by %c
>>>11		ubyte	>040	\b%c
>>>>12		ubyte	>040	\b%c
>>>>>13		ubyte	>040	\b%c
>>>>>>14	ubyte	>040	\b%c
>>>>>>>15	ubyte	>040	\b%c
# This field also sets the global integer width for the AML interpreter.
# Values less than two will cause the interpreter to use 32-bit.
# Values of two and greater will cause the interpreter to use full 64-bit.
# 16 for asf!.aml, 67 for rsdp.aml
>>8	ubyte		x	\b, revision %u
# length, in bytes, of the entire DSDT (including the header)
>>4	ulelong		x	\b, %u bytes
# entire table must sum to zero
#>>9	ubyte		x	\b, checksum %#x
# vendor ID for the ASL Compiler like: INTL MSFT ...
>>28	string		>\0	\b, created by %.4s
# revision number of the ASL Compiler like: 20051117 20140724 20190703 20200110 ...
>>>32	ulelong		x	%x