1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
|
#------------------------------------------------------------------------------
# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $
# intel: file(1) magic for x86 Unix
#
# Various flavors of x86 UNIX executable/object (other than Xenix, which
# is in "microsoft"). DOS is in "msdos"; the ambitious soul can do
# Windows as well.
#
# Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and
# whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere
# as well, if, as, and when IBM makes it portable.
#
# The `versions' should be un-commented if they work for you.
# (Was the problem just one of endianness?)
#
0 leshort 0502 basic-16 executable
>12 lelong >0 not stripped
#>22 leshort >0 - version %d
0 leshort 0503 basic-16 executable (TV)
>12 lelong >0 not stripped
#>22 leshort >0 - version %d
0 leshort 0510 x86 executable
>12 lelong >0 not stripped
0 leshort 0511 x86 executable (TV)
>12 lelong >0 not stripped
0 leshort =0512 iAPX 286 executable small model (COFF)
>12 lelong >0 not stripped
#>22 leshort >0 - version %d
0 leshort =0522 iAPX 286 executable large model (COFF)
>12 lelong >0 not stripped
#>22 leshort >0 - version %d
# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file"
# ./intel (version 5.25) label labeled the next entry as "80386 COFF executable"
# SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan
0 leshort =0514
# use subroutine to display name+flags+variables for common object formatted files
>0 use display-coff
#>12 lelong >0 not stripped
# no hint found, that at offset 22 is version
#>22 leshort >0 - version %d
0 leshort 0x0200
# no F_EXEC flag bit implies Intel ia64 COFF object file without optional header
>18 leshort ^0x0002
# skip some DEGAS high-res uncompressed bitmap *.pi3 handled by ./images like
# GEMINI03.PI3 MODEM2.PI3 POWERFIX.PI3 sigirl1.pi3 vanna5.pi3
# by test for valid starting character (often point 0x2E) of 1st section name
>>20 ubyte >0x1F
>>>0 use display-coff
# F_EXEC flag bit implies Intel ia64 COFF executable
>18 leshort &0x0002
>>0 use display-coff
0 leshort 0x8664
>0 use display-coff
# rom: file(1) magic for BIOS ROM Extensions found in intel machines
# mapped into memory between 0xC0000 and 0xFFFFF
# From: Alex Myczko <alex@aiei.ch>
# updated by Joerg Jenderek
# https://en.wikipedia.org/wiki/Option_ROM
# URL: http://fileformats.archiveteam.org/wiki/BIOS
# Reference: http://www.lejabeach.com/sisubb/BIOS_Disassembly_Ninjutsu_Uncovered.pdf
0 beshort 0x55AA
# skip misidentified raspberry pi pieeprom-*.bin by check for
# unlikely high ROM size (0xF0*512=240*512) and not observed start instruction 0x0F
>2 ubeshort !0xF00F
# skip 2 byte sized eof.bin with start magic
>>0 use rom-x86
0 name rom-x86
>0 beshort x BIOS (ia32) ROM Ext.
#!:mime application/octet-stream
!:mime application/x-ibm-rom
!:ext rom/bin
################################################################################
# not Plug aNd Play ($PnP) like 00000000 (ide_xtp.bin kvmvapic.bin V7VGA.ROM) 000000fc (MCT-VGA.bin)
# 55aaf00f (pieeprom-*.bin) 55aa40e9 (Trm3x5.bin) 24506f4f (sgabios-bin.rom)
# 55aa4be9 (vgabios-stdvga.rom vgabios-cirrus-bin.rom vgabios-vmware-bin.rom)
>(26.s) ubelong !0x24506e50
#>(26.s) ubelong !0x24506e50 NOT PNP=%8.8x
# also not PCI (PCIR) implies "old" ISA cards or foo like: 8a168404 (MCT-VGA.bin)
# 55aaf00f (pieeprom*.bin)
>>(24.s) ubelong !0x50434952
#>>(24.s) ubelong !0x50434952 ISA CARD=%8.8x
# "old" identification strings used in file version 5.41 and earlier
# probably an USB controller
>>>5 string USB USB
# probably https://en.wikipedia.org/wiki/Preboot_Execution_Environment
>>>7 string LDR UNDI image
# probably another Adaptec SCSI controller
>>>26 string Adaptec Adaptec
# http://minuszerodegrees.net/rom/bin/adaptec_aha1542cp_bios_908501-00.bin
# already done by PNP variant
#>>>28 string Adaptec Adaptec
# probably Promise SCSI controller
>>>42 string PROMISE Promise
# old test for IBM compatible Video cards; INTERNAL FACTS WHY IS THIS WORKING?
>30 string IBM IBM comp. Video
# display exact text for IBM compatible Video cards with longer text
>>33 ubyte !0
>>>30 string x "%s"
# http://minuszerodegrees.net/rom/bin/unknown/MCT-VGA-16%20-%20TDVGA%203588%20BIOS%20Version%20V1.04A.zip
# "IBM COMPATIBLETDVGA 3588 BIOS Version V1.04A2+" "MCT-VGA-16 - TDVGA 3588 BIOS Version V1.04A.bin"
# "IBM VGA Compatible\001" NVidia44.bin
# "IBM EGA ROM Video Seven BIOS Code, Version 1.04" V7VGA.ROM
# "IBM" vgabios-stdvga.rom
# "IBM" vgabios-vmware-bin.rom:
# "IBM" vgabios-cirrus-bin.rom
# "IBM" vgabios-virtio-bin.rom
################################################################################
# ROM size in 512B blocks must be interpreted as unsigned for ROM of network cards
# like: efi-eepro100.rom efi-rtl8139.rom pxe-e1000.rom
>2 ubyte x (%u*512)
# file name file size calculated size remark
# eof.bin 2 - with start magic nothing is shown here
# orchid.bin 188 0 =0*512 on window 95 CD in Drivers\audio\orchid3d
# multiboot.bin 1024 1024 =2*512 QEMU emulator
# loader1.bin 512 2048 =4*512
# ide_xtp.bin 8192 8192 =16*512
# kvmvapic.bin 9216 9216 =18*512
# V7VGA.ROM 18832 16384 =32*512
# adaptec1542.bin 32768 16384 =32*512
# MCT-VGA.bin 32768 24576 =48*512
# 2975BIOS.BIN 32768 32256 =63*512
# efi-e1000.rom 196608 64000 =125*512
# efi-rtl8139.rom 176640 66048 =129*512
# pieeprom*.bin 524288 122880 =240*512
################################################################################
# initialization vector with executable code; often near JuMP instruction E9 yy zz
>3 ubyte =0xE9 jmp
# jmp offset like: 008fh 0093h 009fh 00afh 0143h 3ad7h 5417h 54ech 594dh 895fh
>>4 uleshort x %#4.4x
# for initialization vector samples without 3 byte jump instruction
>3 ubyte !0xE9 instruction
# eb4b3734h NVidia44.bin
# 00003234h V7VGA.ROM
# 060e0731h kvmvapic.bin
# cb000000h linuxboot-bin.rom
# e80d0fcbh PXE-Intel.rom
# b8004875h orchid.bin
>>3 ubelong x %#8.8x
# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f
#>2 ubeshort x \b, AT 2 %#4.4x
################################################################################
# new sections for BIOS (ia32) ROM Extension
# 4 bytes ASCII Signature "$PnP" for Plug aNd Play expansion header
>(26.s) string =$PnP \b;
#>(26.s) string =$PnP FOUND $PnP
# at 1Ah possible offset to expansion header structure; new for Plug aNd Play
>>26 uleshort x at %#x PNP
# Plug and Play vendor+device ID like: 0 0x000f1000 (2975BIOS.BIN) 0x31121095 (4243.bin) 0x04904215 (adaptec1542.bin)
#>>(26.s+0x0A) ulelong !0 NOT-nullID=%8.8x
>>(26.s+0x0A) uleshort !0
# show PnP Vendor identification in human readable text form instead of numeric
# For adaptec_ava1515_bios_585201-00.bin reverted endian! BUT IS THIS ALWAYS TRUE?
>>>(26.s+0x0C) use \^PCI-vendor
>>>(26.s+0x0A) ubeshort x device=%#4.4x
# 3 byte Device type code; probably the same meaning as in PCI section?
# OK for storage controller SCSI (2975BIOS.BIN adaptec1542.bin)
# and network controller ethernet (efi-e1000.rom efi-rtl8139.rom)
>>(26.s+0x12) use PCI-class
# structure revision like: 01h
>>(26.s+4) ubyte !1 \b, revision %u
# PnP Header structure length in multiple of 16 bytes like: 2
>>(26.s+5) uleshort !2 \b, length %u*16
# offset to next header; 0 if none
>>(26.s+7) uleshort !0 \b, at %#x next header
# reserved byte; seems to be zero
>>(26.s+8) ubyte !0 \b, reserved %#x
# 8-bit checksum for this header; calculated and patched by patch2pnprom
>>(26.s+9) ubyte !0 \b, CRC %#x
# pointer to optional manufacturer string; like: 0 (4243.bin) 59h 5ch 60h c7h 14eh 27ch 296h 324h 3662h
>>(26.s+0x0E) uleshort >0 \b, at %#x
>>>(26.s+0x0C) uleshort x
# manufacturer ASCII-Z string like "http://ipxe.org" "Plop - Elmar Hanlhofer www.plop.at" "QEMU"
>>>>(&0.s) string x "%s"
# pointer to optional product string; like: 0 (2975BIOS.BIN) 6ch 70h 7ch d9h 160h 281h 29bh 329h
>>(26.s+0x10) uleshort >0 \b, at %#x
>>>(26.s+0x0E) uleshort x
# often human readable product ASCII-Z string like "iPXE" "Plop Boot Manager"
# "multiboot loader" "Intel UNDI, PXE-2.0 (build 082)"
>>>>(&0.s) string x "%s"
# PnP Device indicators; contains bits that identify the device as being capable of bootable
#>>(26.s+0x15) ubyte x \b, INDICATORS %#x
# device is a display device
>>(26.s+0x15) ubyte &0x01 \b, display
# device is an input device
>>(26.s+0x15) ubyte &0x02 \b, input
# device is an IPL device
>>(26.s+0x15) ubyte &0x04 \b, IPL
#>>(26.s+0x15) ubyte &0x08 reserved
# ROM is only required if this device is selected as a boot device
>>(26.s+0x15) ubyte &0x10 \b, bootable
# indicates ROM is read cacheable
>>(26.s+0x15) ubyte &0x20 \b, cacheable
# ROM may be shadowed in RAM
>>(26.s+0x15) ubyte &0x40 \b, shadowable
# ROM supports the device driver initialization model
>>(26.s+0x15) ubyte &0x80 \b, InitialModel
# boot connection vector; an offset to a routine that hook into INT 9h, INT 10h, or INT 13h
# 0 means disabled 0x0429 (4650_sr5.bin) 0x0072 (adaptec1542.bin)
>>(26.s+0x16) uleshort !0 \b, boot vector offset %#x
# disconnect vector; offset to routine that do cleanup from an unsuccessful boot attempt
>>(26.s+0x18) uleshort !0 \b, disconnect offset %#x
# bootstrap entry point/vector (BEV); offset to a routine (like RPL) that hook into INT 19h
# 0 means disabled 0x3c (multiboot.bin) 0x358 (efi-rtl8139.rom) 0xae7 (PXE-Intel.rom)
>>(26.s+0x1A) uleshort !0 \b, bootstrap offset %#x
# 2nd reserved area; seems to be zero
>>(26.s+0x1C) uleshort !0 \b, 2nd reserved %#x
# static resource information vector; 0 means disabled
>>(26.s+0x1E) uleshort !0 \b, static offset %#4.4x
################################################################################
# 4 bytes ASCII Signature "PCIR" for PCI Data Structure
#>(24.s) string =PCIR FOUND PCIR
>(24.s) string =PCIR \b;
# pointer to PCI data structure like: 1Ch 38h 104h 8E44h
>>24 uleshort x at %#x PCI
# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids
#>>(24.s+4) uleshort x ID=%4.4x
# show Vendor identification in human readable text form instead of numeric
>>(24.s+4) use PCI-vendor
# device identification (ID)
>>(24.s+6) uleshort x device=%#4.4x
# Base+sub class code https://wiki.osdev.org/PCI
>>(24.s+0x0D) use PCI-class
# pointer to vital product data (VPD); 0 indicates no VPD; WHAT EXACTLY iS VPD?
>>(24.s+8) uleshort !0 \b, at %#x VPD
# PCI data structure length like: 24h 28h
>>(24.s+0xA) uleshort >0x28 \b, length %u
# PCI data structure revision like: 0 3
>>(24.s+0xC) ubyte >0 \b, revision %u
# image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83
# Apparently this gives the same information as given by byte at offset 2 but as 16-bit
#>>(24.s+0x10) uleshort x \b, length %u*512
# revision level of code/data like: 0 1 201h 502h
>>(24.s+0xC) ubyte >1 \b, code revision %#x
# code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved
>>(24.s+0x14) ubyte >0 \b, code type %#x
# last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved
>>(24.s+0x15) ubyte >0
>>>(24.s+0x15) ubyte =0x80 \b, last ROM
# THIS SHOULD NOT HAPPEN!
>>>(24.s+0x15) ubyte !0x80 \b, indicator %x
# 3rd reserved area; seems to be zero in most cases but not for
# efi-e1000.rom efi-rtl8139.rom
>>(24.s+0x16) ubeshort !0 \b, 3rd reserved %#x
# Flash descriptors for Intel SPI flash roms.
# From Dr. Jesus <j@hug.gs>
0 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step
16 lelong 0x0ff0a55a Intel serial flash for PCH ROM
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface
# Reference: https://uefi.org/sites/default/files/resources/ACPI_6_3_final_Jan30.pdf
# Note: generated for example by `cat /sys/firmware/acpi/tables/DSDT MyDSDT.aml`
0 string DSDT
>0 use acpi-table
# not tested or other file format
0 string APIC
>0 use acpi-table
#0 string ASF!
#>0 use acpi-table
0 string FACP
>0 use acpi-table
#0 string FACS
#>0 use acpi-table
0 string MCFG
>0 use acpi-table
0 string SLIC
>0 use acpi-table
0 string SSDT
>0 use acpi-table
0 name acpi-table
# skip ASCII text starting with DSDT by looking for valid "low" revision
>8 ubyte <17 ACPI Machine Language file
# assume that ACPI tables size are lower than 16 MiB
#>4 ulelong <0x01000000
# DSDT for Differentiated System Description Table
>>0 string x '%.4s'
#!:mime application/octet-stream
!:mime application/x-intel-aml
!:ext aml
# the manufacture model ID like: VBOXBIOS BXDSDT
>>16 string >\0 %.8s
# OEM revision of DSDT for supplied OEM Table ID like: 0 1 2 20090511
>>>24 ulelong x %x
# OEM ID like: INTEL VBOX (VirtualBox) BXDSDT (qemu) MEDION or \030\001\0\0 for s3pt.aml
>>10 ubyte >040 by %c
>>>11 ubyte >040 \b%c
>>>>12 ubyte >040 \b%c
>>>>>13 ubyte >040 \b%c
>>>>>>14 ubyte >040 \b%c
>>>>>>>15 ubyte >040 \b%c
# This field also sets the global integer width for the AML interpreter.
# Values less than two will cause the interpreter to use 32-bit.
# Values of two and greater will cause the interpreter to use full 64-bit.
# 16 for asf!.aml, 67 fo rsdp.aml
>>8 ubyte x \b, revision %u
# length, in bytes, of the entire DSDT (including the header)
>>4 ulelong x \b, %u bytes
# entire table must sum to zero
#>>9 ubyte x \b, checksum %#x
# vendor ID for the ASL Compiler like: INTL MSFT ...
>>28 string >\0 \b, created by %.4s
# revision number of the ASL Compiler like: 20051117 20140724 20190703 20200110 ...
>>>32 ulelong x %x
|