#------------------------------------------------------------------------------
# $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $
# firmware: file(1) magic for firmware files
#
# NOTE(review): every entry below classifies a file from a few bytes at fixed
# offsets. A match reports what an image claims to be; no signature, checksum
# or length is checked here, and the %s/%x/%u fields are echoed from the file
# itself, so treat printed names and versions as unverified input.

# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure
# examples: https://github.com/cweiske/frontier-silicon-firmwares
# Gate: little-endian 0x00001176 at offset 0, then 0x7c at offset 4.
# /T trims surrounding whitespace before the string is printed; the /32 and
# /64 presumably bound the field length - confirm against magic(5).
0 lelong 0x00001176
>4 lelong 0x7c Frontier Silicon firmware download
>>8 lelong x \b, MeOS version %x
>>12 string/32/T x \b, version %s
>>40 string/64/T x \b, customization %s

# HPE iLO firmware update image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/
# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images
# Both generations share the fixed 16-byte prefix below; the big-endian short
# at offset 16 tells them apart.
0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00
>16 ubeshort =0xCFDD HPE iLO2 firmware update image
>16 ubeshort =0x6444 HPE iLO1 firmware update image
# iLO3 images (ilo3_*.bin) start directly with image name
0 string iLO3\x20v\x20 HPE iLO3 firmware update image,
>7 string x version %s
# iLO4 images (ilo4_*.bin) start with a signature and a certificate
# NOTE(review): only text markers of the signed container are matched (begin
# line, label, "iLO 4", HPIMAGE). The signature and certificate are not
# evaluated, so a match says nothing about the authenticity of the image.
# NOTE(review): the version line at 6947 is a sibling of the HPIMAGE test, not
# its child, so it looks as if it can print without the description - confirm.
0 string --=</Begin\x20HP\x20Signed
>75 string label_HPBBatch
>>5828 string iLO\x204
>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image,
>>>6947 string x version %s
# iLO5 images (ilo5_*.bin) start with a signature
# This is a second >75 branch under the same "Begin HP Signed" test above; as
# with iLO4, the signature itself is not checked.
>75 string label_HPE-HPB-BMC-ILO5-4096
>>880 string HPIMAGE\x00 HPE iLO5 firmware update image,
>>944 string x version %s

# IBM POWER Secure Boot Container
# from https://github.com/open-power/skiboot/blob/master/libstb/container.h
# NOTE(review): "Secure Boot Container" is the format name tied to the magic
# word at offset 0; nothing here verifies the container's signatures.
0 belong 0x17082011 POWER Secure Boot Container,
>4 beshort x version %u
>6 bequad x container size %llu
# These are always zero
# >14 bequad x target HRMOR %llx
# >22 bequad x stack pointer %llx
# XZ stream magic at offset 4096 - presumably where the payload starts;
# confirm against container.h.
>4096 ustring \xFD7zXZ\x00 XZ compressed
0 belong 0x1bad1bad POWER boot firmware
>256 belong 0x48002030 (PHYP entry point)

# ARM Cortex-M vector table
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties
# NOTE(review): there is no magic number here. The rule is a heuristic over
# the vector-table layout (11 tests, each on a few bits), so unrelated data can
# satisfy it, and an image whose initial SP is not 0x20xxxxxx is not matched.
# Use the result for triage, not as proof of the target architecture.
# Match stack MSB
3 byte 0x20
# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match)
# Offsets 4, 8, 12, 44 and 56 are the entries printed below as reset, NMI,
# HardFault, SVCall and PendSV.
>4 ulelong&0xE0000001 1
>>8 ulelong&0xE0000001 1
>>>12 ulelong&0xE0000001 1
>>>>44 ulelong&0xE0000001 1
>>>>>56 ulelong&0xE0000001 1
# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF)
# value+1 < 2 holds for exactly those two values: 0 gives 1, and 0xFFFFFFFF
# gives 0 - this relies on the unsigned addition wrapping.
>>>>>>28 ulelong+1 <2
>>>>>>>32 ulelong+1 <2
>>>>>>>>36 ulelong+1 <2
>>>>>>>>>40 ulelong+1 <2
>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware
# ^1 clears bit 0 (the Thumb bit the tests above required to be set), so the
# printed value is the even code address of each handler.
>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x
>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x
>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x
>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x
>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x
>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x

# ESP-IDF partition table entry
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h
# Gate: bytes AA 50 at offset 0 and a type byte (offset 2) below 2.
# All offsets are absolute, so only the entry at the start of the file is
# decoded; further entries of a full table are not listed.
0 string \xAA\x50
>2 ubyte <2 ESP-IDF partition table entry
>>12 string/16 x \b, label: "%s"
# Type 0: the subtype byte at offset 3 names an application slot.
>>2 ubyte 0
>>>3 ubyte 0x00 \b, factory app
>>>3 ubyte 0x10 \b, OTA_0 app
>>>3 ubyte 0x11 \b, OTA_1 app
>>>3 ubyte 0x12 \b, OTA_2 app
>>>3 ubyte 0x13 \b, OTA_3 app
>>>3 ubyte 0x14 \b, OTA_4 app
>>>3 ubyte 0x15 \b, OTA_5 app
>>>3 ubyte 0x16 \b, OTA_6 app
>>>3 ubyte 0x17 \b, OTA_7 app
>>>3 ubyte 0x18 \b, OTA_8 app
>>>3 ubyte 0x19 \b, OTA_9 app
>>>3 ubyte 0x1A \b, OTA_10 app
>>>3 ubyte 0x1B \b, OTA_11 app
>>>3 ubyte 0x1C \b, OTA_12 app
>>>3 ubyte 0x1D \b, OTA_13 app
>>>3 ubyte 0x1E \b, OTA_14 app
>>>3 ubyte 0x1F \b, OTA_15 app
>>>3 ubyte 0x20 \b, test app
# Type 1: the subtype byte at offset 3 names a data partition.
>>2 ubyte 1
>>>3 ubyte 0x00 \b, OTA selection data
>>>3 ubyte 0x01 \b, PHY init data
>>>3 ubyte 0x02 \b, NVS data
>>>3 ubyte 0x03 \b, coredump data
>>>3 ubyte 0x04 \b, NVS keys
>>>3 ubyte 0x05 \b, emulated eFuse data
>>>3 ubyte 0x06 \b, undefined data
>>>3 ubyte 0x80 \b, ESPHTTPD partition
>>>3 ubyte 0x81 \b, FAT partition
>>>3 ubyte 0x82 \b, SPIFFS partition
>>>3 ubyte 0xFF \b, any data
>>4 ulelong x \b, offset: 0x%X
>>8 ulelong x \b, size: 0x%X
# "encrypted" reports bit 0 of the little-endian word at offset 28 as stored
# in this entry; it does not show that the partition contents are encrypted.
>>28 ulelong&0x1 1 \b, encrypted

# ESP-IDF application image
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h
# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t
# First segment contains esp_app_desc_t
# Gate: byte 0xE9 at offset 0 and little-endian 0xABCD5432 at offset 32
# (presumably the esp_app_desc_t magic word - confirm against the header).
0 ubyte 0xE9
>32 ulelong 0xABCD5432 ESP-IDF application image
# Offset 12 is decoded as the target chip; a value not listed below prints no
# "for ..." text.
>>12 uleshort 0x0000 for ESP32
>>12 uleshort 0x0002 for ESP32-S2
>>12 uleshort 0x0005 for ESP32-C3
>>12 uleshort 0x0009 for ESP32-S3
>>12 uleshort 0x000A for ESP32-H2 Beta1
>>12 uleshort 0x000C for ESP32-C2
>>12 uleshort 0x000D for ESP32-C6
>>12 uleshort 0x000E for ESP32-H2 Beta2
>>12 uleshort 0x0010 for ESP32-H2
# Project name, version, build stamp and IDF version are strings copied from
# the image; they are descriptive metadata, not verified provenance.
>>80 string/32 x \b, project name: "%s"
>>48 string/32 x \b, version %s
# The field at 128 is printed first, then the one at 112 - presumably date
# followed by time; confirm against esp_app_desc_t.
>>128 string/16 x \b, compiled on %s
>>>112 string/16 x %s
>>144 string/32 x \b, IDF version: %s
>>4 ulelong x \b, entry address: 0x%08X