--------------- Created by sc0ty - sc0typl[at]gmail.com - http://sc0ty.pl ---------------

BlackBerry SFI/MFI software file structure description
released: 09/13/2010

Structures description:
Values in every structure are in little endian byte order.
In the structures below, the first column is the offset, the second is the size and the third is the description. Offset and size are given in bytes.

File format description:
The file consists of an 8-byte header followed by a certain number of sections. Sections are located one after another. The last section is the checksum section.

Header structure:
  00  4   file signature (hex: 7D 79 AB 59)
  04  4   version (see below - version field format description)

Sections description:
Every section consists of a 12-byte header followed by data. Sections are identified by their unique id.

Section header structure:
  00  4   section id (see below for id list)
  04  4   section data size + 0x10 (data size is really 0x10 smaller than this field)
  08  4   version (see below - version field format description)

Version field format description:
The version field is given as a 4-byte number. The version format is a 4-element dot-separated number (a.b.c.d) in which every element corresponds to one byte in the version field. The first element (marked as a) corresponds to the last byte.
E.g. version field hex: 0a 05 00 01 is version number 1.0.5.10.

Section id list:
  0x02  OS Firmware (contains JVM code)
  0x0E  DSPOS Firmware
  0x05  MFI file info (present only in MFI files)
  0x06  Checksum

Section 0x06 - Checksum section description:
It is always the last section. The version number is always 0.0.0.0 and the data size is always four bytes (the data size field in the section header is 0x14). The data contains the checksum of the entire file except this section. It is the negated CRC-32 checksum.

Sign description:
Sections like OS and DSPOS firmware can be digitally signed. If a section is signed, its last 184 bytes contain the sign structure. If the section is not signed, the sign signature, id and data consist of 0xff bytes (the sign size field is still 0x80).
Sign data is probably RSA-SHA1 signature. The public key which is used to verify data integrity is:
  8F 7E DA AB 63 CE DB A7 1E 46 BE 4F 69 EA C9 64
  DE E8 71 BF EC 46 17 D0 74 3D 62 63 7E C5 A7 B8
  C3 4F FF 14 55 7E B6 FA 21 9A 21 59 0D FB 61 AC
  47 33 73 1A D0 47 9E BB 89 9A 9D 4F 18 67 A8 E9
  B4 68 42 7A 73 87 A9 45 98 02 02 71 F6 D7 59 A9
  0C 43 BC 52 B6 A5 48 4B BB 31 13 4E F0 5C 82 87
  EA 1F D1 29 0E 0D 01 65 A9 4E 45 E0 E2 96 68 3A
  54 04 AE 77 73 57 72 6B 7A 35 B5 47 C5 0C A5 A7

Sign structure:
  00  20  sign signature (null terminated string: "RIMOSSA1" followed by 0x20 bytes)
  20  4   signer id (always 0x31)
  24  4   sign size (always 0x80)
  28  80  sign data
  a8  4   dunno (always 0xB4)
  ac  4   dunno (always 0x10000)
  b0  4   dunno (always hex: 1F 2D C8 D7)
  b4  4   dunno, variable values, maybe some kind of crc?

If you have any information about how this sign works - please contact me.
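The layout above can be walked with a short bounds-checked parser. The following is an added example, not code from the original author. The names `parse_sfi`, `sign_state` and `version_str` are hypothetical. It assumes that "negated CRC-32" means the bitwise complement of the standard (zlib) CRC-32 and that the sign structure's offsets and sizes are hexadecimal, which makes them sum to the stated 184 bytes. It only classifies the sign trailer and does not verify the signature.

```python
import struct, zlib

MAGIC = bytes.fromhex("7D79AB59")
SECTION_IDS = {0x02: "OS Firmware", 0x0E: "DSPOS Firmware",
               0x05: "MFI file info", 0x06: "Checksum"}
SIGN_LEN = 184  # trailing sign structure, per the layout above

def version_str(field):
    # Little-endian field: the last byte is element a, so 0a 05 00 01 -> 1.0.5.10
    return ".".join(str(b) for b in struct.pack("<I", field)[::-1])

def sign_state(data):
    """Classify the trailing sign structure of a firmware section's data."""
    if len(data) < SIGN_LEN:
        return "absent"
    sig = data[-SIGN_LEN:]
    if struct.unpack_from("<I", sig, 0x24)[0] != 0x80:  # sign size field
        return "absent"
    if sig[:0x20] == b"\xff" * 0x20 and sig[0x28:0xA8] == b"\xff" * 0x80:
        return "unsigned"
    return "signed" if sig.startswith(b"RIMOSSA1") else "unknown"

def parse_sfi(blob):
    """Return (file version, sections, checksum_ok); raise ValueError if malformed."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("bad signature")
    file_ver = version_str(struct.unpack_from("<I", blob, 4)[0])
    pos, sections = 8, []
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated section header")
        sid, size, ver = struct.unpack_from("<III", blob, pos)
        end = pos + 12 + size - 0x10  # size field is data size + 0x10
        if size < 0x10 or end > len(blob):
            raise ValueError("section size out of bounds")
        data = blob[pos + 12:end]
        if sid == 0x06:  # checksum section must be last and hold 4 bytes
            if end != len(blob) or len(data) != 4:
                raise ValueError("malformed checksum section")
            # Assumption: "negated CRC-32" = bitwise complement of zlib's CRC-32
            want = ~zlib.crc32(blob[:pos]) & 0xFFFFFFFF
            return file_ver, sections, struct.unpack("<I", data)[0] == want
        sections.append((SECTION_IDS.get(sid, hex(sid)), version_str(ver), data))
        pos = end
    raise ValueError("no checksum section")
```

A checksum mismatch is returned as a flag rather than raised so that a tool can still list the sections of a damaged or modified image.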