1 2#------------------------------------------------------------------------------ 3# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $ 4# intel: file(1) magic for x86 Unix 5# 6# Various flavors of x86 UNIX executable/object (other than Xenix, which 7# is in "microsoft"). DOS is in "msdos"; the ambitious soul can do 8# Windows as well. 9# 10# Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and 11# whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere 12# as well, if, as, and when IBM makes it portable. 13# 14# The `versions' should be un-commented if they work for you. 15# (Was the problem just one of endianness?) 16# 170 leshort 0502 basic-16 executable 18>12 lelong >0 not stripped 19#>22 leshort >0 - version %d 200 leshort 0503 basic-16 executable (TV) 21>12 lelong >0 not stripped 22#>22 leshort >0 - version %d 230 leshort 0510 x86 executable 24>12 lelong >0 not stripped 250 leshort 0511 x86 executable (TV) 26>12 lelong >0 not stripped 270 leshort =0512 iAPX 286 executable small model (COFF) 28>12 lelong >0 not stripped 29#>22 leshort >0 - version %d 300 leshort =0522 iAPX 286 executable large model (COFF) 31>12 lelong >0 not stripped 32#>22 leshort >0 - version %d 33# updated by Joerg Jenderek at Oct 2015 34# https://de.wikipedia.org/wiki/Common_Object_File_Format 35# http://www.delorie.com/djgpp/doc/coff/filhdr.html 36# ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file" 37# ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" 38# SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 390 leshort =0514 40# use subroutine to display name+flags+variables for common object formatted files 41>0 use display-coff 42#>12 lelong >0 not stripped 43# no hint found, that at offset 22 is version 44#>22 leshort >0 - version %d 450 leshort 0x0200 46# no F_EXEC flag bit implies Intel ia64 COFF object file without optional header 47>18 leshort ^0x0002 48# skip some DEGAS high-res uncompressed bitmap *.pi3 handled by ./images like 49# GEMINI03.PI3 MODEM2.PI3 POWERFIX.PI3 sigirl1.pi3 vanna5.pi3 50# by test for valid starting character (often point 0x2E) of 1st section name 51>>20 ubyte >0x1F 52>>>0 use display-coff 53# F_EXEC flag bit implies Intel ia64 COFF executable 54>18 leshort &0x0002 55>>0 use display-coff 560 leshort 0x8664 57>0 use display-coff 58 59# rom: file(1) magic for BIOS ROM Extensions found in intel machines 60# mapped into memory between 0xC0000 and 0xFFFFF 61# From: Alex Myczko <alex@aiei.ch> 62# updated by Joerg Jenderek 63# https://en.wikipedia.org/wiki/Option_ROM 64# URL: http://fileformats.archiveteam.org/wiki/BIOS 65# Reference: http://www.lejabeach.com/sisubb/BIOS_Disassembly_Ninjutsu_Uncovered.pdf 660 beshort 0x55AA 67# skip misidentified raspberry pi pieeprom-*.bin by check for 68# unlikely high ROM size (0xF0*512=240*512) and not observed start instruction 0x0F 69>2 ubeshort !0xF00F 70# skip 2 byte sized eof.bin with start magic 71>>0 use rom-x86 720 name rom-x86 73>0 beshort x BIOS (ia32) ROM Ext. 74#!:mime application/octet-stream 75!:mime application/x-ibm-rom 76!:ext rom/bin 77################################################################################ 78# not Plug aNd Play ($PnP) like 00000000 (ide_xtp.bin kvmvapic.bin V7VGA.ROM) 000000fc (MCT-VGA.bin) 79# 55aaf00f (pieeprom-*.bin) 55aa40e9 (Trm3x5.bin) 24506f4f (sgabios-bin.rom) 80# 55aa4be9 (vgabios-stdvga.rom vgabios-cirrus-bin.rom vgabios-vmware-bin.rom) 81>(26.s) ubelong !0x24506e50 82#>(26.s) ubelong !0x24506e50 NOT PNP=%8.8x 83# also not PCI (PCIR) implies "old" ISA cards or foo like: 8a168404 (MCT-VGA.bin) 84# 55aaf00f (pieeprom*.bin) 85>>(24.s) ubelong !0x50434952 86#>>(24.s) ubelong !0x50434952 ISA CARD=%8.8x 87# "old" identification strings used in file version 5.41 and earlier 88# probably an USB controller 89>>>5 string USB USB 90# probably https://en.wikipedia.org/wiki/Preboot_Execution_Environment 91>>>7 string LDR UNDI image 92# probably another Adaptec SCSI controller 93>>>26 string Adaptec Adaptec 94# http://minuszerodegrees.net/rom/bin/adaptec_aha1542cp_bios_908501-00.bin 95# already done by PNP variant 96#>>>28 string Adaptec Adaptec 97# probably Promise SCSI controller 98>>>42 string PROMISE Promise 99# old test for IBM compatible Video cards; INTERNAL FACTS WHY IS THIS WORKING? 100>30 string IBM IBM comp. Video 101# display exact text for IBM compatible Video cards with longer text 102>>33 ubyte !0 103>>>30 string x "%s" 104# http://minuszerodegrees.net/rom/bin/unknown/MCT-VGA-16%20-%20TDVGA%203588%20BIOS%20Version%20V1.04A.zip 105# "IBM COMPATIBLETDVGA 3588 BIOS Version V1.04A2+" "MCT-VGA-16 - TDVGA 3588 BIOS Version V1.04A.bin" 106# "IBM VGA Compatible\001" NVidia44.bin 107# "IBM EGA ROM Video Seven BIOS Code, Version 1.04" V7VGA.ROM 108# "IBM" vgabios-stdvga.rom 109# "IBM" vgabios-vmware-bin.rom: 110# "IBM" vgabios-cirrus-bin.rom 111# "IBM" vgabios-virtio-bin.rom 112################################################################################ 113# ROM size in 512B blocks must be interpreted as unsigned for ROM of network cards 114# like: efi-eepro100.rom efi-rtl8139.rom pxe-e1000.rom 115>2 ubyte x (%u*512) 116# file name file size calculated size remark 117# eof.bin 2 - with start magic nothing is shown here 118# orchid.bin 188 0 =0*512 on window 95 CD in Drivers\audio\orchid3d 119# multiboot.bin 1024 1024 =2*512 QEMU emulator 120# loader1.bin 512 2048 =4*512 121# ide_xtp.bin 8192 8192 =16*512 122# kvmvapic.bin 9216 9216 =18*512 123# V7VGA.ROM 18832 16384 =32*512 124# adaptec1542.bin 32768 16384 =32*512 125# MCT-VGA.bin 32768 24576 =48*512 126# 2975BIOS.BIN 32768 32256 =63*512 127# efi-e1000.rom 196608 64000 =125*512 128# efi-rtl8139.rom 176640 66048 =129*512 129# pieeprom*.bin 524288 122880 =240*512 130################################################################################ 131# initialization vector with executable code; often near JuMP instruction E9 yy zz 132>3 ubyte =0xE9 jmp 133# jmp offset like: 008fh 0093h 009fh 00afh 0143h 3ad7h 5417h 54ech 594dh 895fh 134>>4 uleshort x %#4.4x 135# for initialization vector samples without 3 byte jump instruction 136>3 ubyte !0xE9 instruction 137# eb4b3734h NVidia44.bin 138# 00003234h V7VGA.ROM 139# 060e0731h kvmvapic.bin 140# cb000000h linuxboot-bin.rom 141# e80d0fcbh PXE-Intel.rom 142# b8004875h orchid.bin 143>>3 ubelong x %#8.8x 144# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f 145#>2 ubeshort x \b, AT 2 %#4.4x 146################################################################################ 147# new sections for BIOS (ia32) ROM Extension 148# 4 bytes ASCII Signature "$PnP" for Plug aNd Play expansion header 149>(26.s) string =$PnP \b; 150#>(26.s) string =$PnP FOUND $PnP 151# at 1Ah possible offset to expansion header structure; new for Plug aNd Play 152>>26 uleshort x at %#x PNP 153# Plug and Play vendor+device ID like: 0 0x000f1000 (2975BIOS.BIN) 0x31121095 (4243.bin) 0x04904215 (adaptec1542.bin) 154#>>(26.s+0x0A) ulelong !0 NOT-nullID=%8.8x 155>>(26.s+0x0A) uleshort !0 156# show PnP Vendor identification in human readable text form instead of numeric 157# For adaptec_ava1515_bios_585201-00.bin reverted endian! BUT IS THIS ALWAYS TRUE? 158>>>(26.s+0x0C) use \^PCI-vendor 159>>>(26.s+0x0A) ubeshort x device=%#4.4x 160# 3 byte Device type code; probably the same meaning as in PCI section? 161# OK for storage controller SCSI (2975BIOS.BIN adaptec1542.bin) 162# and network controller ethernet (efi-e1000.rom efi-rtl8139.rom) 163>>(26.s+0x12) use PCI-class 164# structure revision like: 01h 165>>(26.s+4) ubyte !1 \b, revision %u 166# PnP Header structure length in multiple of 16 bytes like: 2 167>>(26.s+5) uleshort !2 \b, length %u*16 168# offset to next header; 0 if none 169>>(26.s+7) uleshort !0 \b, at %#x next header 170# reserved byte; seems to be zero 171>>(26.s+8) ubyte !0 \b, reserved %#x 172# 8-bit checksum for this header; calculated and patched by patch2pnprom 173>>(26.s+9) ubyte !0 \b, CRC %#x 174# pointer to optional manufacturer string; like: 0 (4243.bin) 59h 5ch 60h c7h 14eh 27ch 296h 324h 3662h 175>>(26.s+0x0E) uleshort >0 \b, at %#x 176>>>(26.s+0x0C) uleshort x 177# manufacturer ASCII-Z string like "http://ipxe.org" "Plop - Elmar Hanlhofer www.plop.at" "QEMU" 178>>>>(&0.s) string x "%s" 179# pointer to optional product string; like: 0 (2975BIOS.BIN) 6ch 70h 7ch d9h 160h 281h 29bh 329h 180>>(26.s+0x10) uleshort >0 \b, at %#x 181>>>(26.s+0x0E) uleshort x 182# often human readable product ASCII-Z string like "iPXE" "Plop Boot Manager" 183# "multiboot loader" "Intel UNDI, PXE-2.0 (build 082)" 184>>>>(&0.s) string x "%s" 185# PnP Device indicators; contains bits that identify the device as being capable of bootable 186#>>(26.s+0x15) ubyte x \b, INDICATORS %#x 187# device is a display device 188>>(26.s+0x15) ubyte &0x01 \b, display 189# device is an input device 190>>(26.s+0x15) ubyte &0x02 \b, input 191# device is an IPL device 192>>(26.s+0x15) ubyte &0x04 \b, IPL 193#>>(26.s+0x15) ubyte &0x08 reserved 194# ROM is only required if this device is selected as a boot device 195>>(26.s+0x15) ubyte &0x10 \b, bootable 196# indicates ROM is read cacheable 197>>(26.s+0x15) ubyte &0x20 \b, cacheable 198# ROM may be shadowed in RAM 199>>(26.s+0x15) ubyte &0x40 \b, shadowable 200# ROM supports the device driver initialization model 201>>(26.s+0x15) ubyte &0x80 \b, InitialModel 202# boot connection vector; an offset to a routine that hook into INT 9h, INT 10h, or INT 13h 203# 0 means disabled 0x0429 (4650_sr5.bin) 0x0072 (adaptec1542.bin) 204>>(26.s+0x16) uleshort !0 \b, boot vector offset %#x 205# disconnect vector; offset to routine that do cleanup from an unsuccessful boot attempt 206>>(26.s+0x18) uleshort !0 \b, disconnect offset %#x 207# bootstrap entry point/vector (BEV); offset to a routine (like RPL) that hook into INT 19h 208# 0 means disabled 0x3c (multiboot.bin) 0x358 (efi-rtl8139.rom) 0xae7 (PXE-Intel.rom) 209>>(26.s+0x1A) uleshort !0 \b, bootstrap offset %#x 210# 2nd reserved area; seems to be zero 211>>(26.s+0x1C) uleshort !0 \b, 2nd reserved %#x 212# static resource information vector; 0 means disabled 213>>(26.s+0x1E) uleshort !0 \b, static offset %#4.4x 214################################################################################ 215# 4 bytes ASCII Signature "PCIR" for PCI Data Structure 216#>(24.s) string =PCIR FOUND PCIR 217>(24.s) string =PCIR \b; 218# pointer to PCI data structure like: 1Ch 38h 104h 8E44h 219>>24 uleshort x at %#x PCI 220# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids 221#>>(24.s+4) uleshort x ID=%4.4x 222# show Vendor identification in human readable text form instead of numeric 223>>(24.s+4) use PCI-vendor 224# device identification (ID) 225>>(24.s+6) uleshort x device=%#4.4x 226# Base+sub class code https://wiki.osdev.org/PCI 227>>(24.s+0x0D) use PCI-class 228# pointer to vital product data (VPD); 0 indicates no VPD; WHAT EXACTLY iS VPD? 229>>(24.s+8) uleshort !0 \b, at %#x VPD 230# PCI data structure length like: 24h 28h 231>>(24.s+0xA) uleshort >0x28 \b, length %u 232# PCI data structure revision like: 0 3 233>>(24.s+0xC) ubyte >0 \b, revision %u 234# image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83 235# Apparently this gives the same information as given by byte at offset 2 but as 16-bit 236#>>(24.s+0x10) uleshort x \b, length %u*512 237# revision level of code/data like: 0 1 201h 502h 238>>(24.s+0xC) ubyte >1 \b, code revision %#x 239# code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved 240>>(24.s+0x14) ubyte >0 \b, code type %#x 241# last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved 242>>(24.s+0x15) ubyte >0 243>>>(24.s+0x15) ubyte =0x80 \b, last ROM 244# THIS SHOULD NOT HAPPEN! 245>>>(24.s+0x15) ubyte !0x80 \b, indicator %x 246# 3rd reserved area; seems to be zero in most cases but not for 247# efi-e1000.rom efi-rtl8139.rom 248>>(24.s+0x16) ubeshort !0 \b, 3rd reserved %#x 249 250# Flash descriptors for Intel SPI flash roms. 251# From Dr. Jesus <j@hug.gs> 2520 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step 25316 lelong 0x0ff0a55a Intel serial flash for PCH ROM 254 255# From: Joerg Jenderek 256# URL: https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface 257# Reference: https://uefi.org/sites/default/files/resources/ACPI_6_3_final_Jan30.pdf 258# Note: generated for example by `cat /sys/firmware/acpi/tables/DSDT MyDSDT.aml` 2590 string DSDT 260>0 use acpi-table 261# not tested or other file format 2620 string APIC 263>0 use acpi-table 264#0 string ASF! 265#>0 use acpi-table 2660 string FACP 267>0 use acpi-table 268#0 string FACS 269#>0 use acpi-table 2700 string MCFG 271>0 use acpi-table 2720 string SLIC 273>0 use acpi-table 2740 string SSDT 275>0 use acpi-table 2760 name acpi-table 277# skip ASCII text starting with DSDT by looking for valid "low" revision 278>8 ubyte <17 ACPI Machine Language file 279# assume that ACPI tables size are lower than 16 MiB 280#>4 ulelong <0x01000000 281# DSDT for Differentiated System Description Table 282>>0 string x '%.4s' 283#!:mime application/octet-stream 284!:mime application/x-intel-aml 285!:ext aml 286# the manufacture model ID like: VBOXBIOS BXDSDT 287>>16 string >\0 %.8s 288# OEM revision of DSDT for supplied OEM Table ID like: 0 1 2 20090511 289>>>24 ulelong x %x 290# OEM ID like: INTEL VBOX (VirtualBox) BXDSDT (qemu) MEDION or \030\001\0\0 for s3pt.aml 291>>10 ubyte >040 by %c 292>>>11 ubyte >040 \b%c 293>>>>12 ubyte >040 \b%c 294>>>>>13 ubyte >040 \b%c 295>>>>>>14 ubyte >040 \b%c 296>>>>>>>15 ubyte >040 \b%c 297# This field also sets the global integer width for the AML interpreter. 298# Values less than two will cause the interpreter to use 32-bit. 299# Values of two and greater will cause the interpreter to use full 64-bit. 300# 16 for asf!.aml, 67 fo rsdp.aml 301>>8 ubyte x \b, revision %u 302# length, in bytes, of the entire DSDT (including the header) 303>>4 ulelong x \b, %u bytes 304# entire table must sum to zero 305#>>9 ubyte x \b, checksum %#x 306# vendor ID for the ASL Compiler like: INTL MSFT ... 307>>28 string >\0 \b, created by %.4s 308# revision number of the ASL Compiler like: 20051117 20140724 20190703 20200110 ... 309>>>32 ulelong x %x 310 311