Firmware Tags

An IMG3 or IMG4 firmware "tag" is a four byte code that indicates the data contained in the current chunk.

Purpose of Tags

Normally, the contents of these "tags" would be contained in the header "struct" of the whole file, as the IMG2 file format partially did. However, this approach limits extensibility: short of reserving padding space in the header, there is no room to add new fields.

The common solution to this issue is to use a "chunked" file format. In such a format, each chunk identifies itself and its size, and it's up to the reader to understand the payload. With this format, the header can be very small: the IMG2 format's header is 0x400 (1024) bytes long, but the vast majority of it is reserved padding bytes. In contrast, the IMG3 format's header is a measly 0x14 (20) bytes long, with only a 12 byte overhead per tag.



An IMG3 tag consists of only 12 bytes of information: the four byte "magic" and two 32 bit sizes.

   0  u32   magic     // in little endian
   4  u32   fullSize  // including header and padding
   8  u32   size      // including padding
   C  u8[]  data
????  u8[]  padding
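
A reader for the tag layout above, added here as an example and not taken from any Apple or wiki tool. It walks a buffer of tags and rejects inconsistent size fields before using them; `iter_tags`, `make_tag`, `TagError` and the sample bytes are hypothetical, and it assumes the `size` bytes after the header are the data and the rest up to `fullSize` is skipped.

```python
import struct

TAG_HEADER = struct.Struct("<III")  # magic, fullSize, size: 12 bytes


class TagError(ValueError):
    """A tag's size fields are inconsistent with the buffer."""


def iter_tags(buf, offset=0):
    """Yield (name, data) for each tag in buf, starting at offset.

    Assumption: `size` bytes after the 12-byte header are returned as data,
    and anything between that point and `fullSize` is skipped.
    """
    end = len(buf)
    while offset < end:
        if end - offset < TAG_HEADER.size:
            raise TagError(f"truncated tag header at {offset:#x}")
        magic, full_size, size = TAG_HEADER.unpack_from(buf, offset)
        # fullSize is the stride to the next tag: below 12 it would stall or
        # overlap the walk, above the remaining bytes it would run off the end.
        if not TAG_HEADER.size <= full_size <= end - offset:
            raise TagError(f"bad fullSize {full_size:#x} at {offset:#x}")
        if size > full_size - TAG_HEADER.size:
            raise TagError(f"size {size:#x} exceeds fullSize at {offset:#x}")
        # The magic is stored little endian, so "TYPE" appears as b"EPYT".
        name = struct.pack(">I", magic).decode("ascii", "replace")
        start = offset + TAG_HEADER.size
        yield name, bytes(buf[start:start + size])
        offset += full_size


def make_tag(name, data, trailing=0):
    """Build one constructed sample tag (hypothetical helper for the demo)."""
    magic = struct.unpack(">I", name.encode("ascii"))[0]
    full_size = TAG_HEADER.size + len(data) + trailing
    return TAG_HEADER.pack(magic, full_size, len(data)) + data + b"\0" * trailing


# Constructed sample input, not taken from a real firmware image.
SAMPLE = make_tag("TYPE", b"abcd", trailing=20) + make_tag("DATA", b"constructed payload!")

if __name__ == "__main__":
    for tag_name, tag_data in iter_tags(SAMPLE):
        print(tag_name, len(tag_data), tag_data)
```

For a whole IMG3 file, pass `offset=0x14` to start after the 20 byte file header mentioned above.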

List of Known Tags

There exist many different tags, each with their own purpose. This is a list of tags known to exist:

  • BORD: Board to be used with
  • CERT: Certificate
  • CEPO: Chip epoch
  • CHIP: Chip to be used with
  • DATA: Payload
  • ECID: "Exclusive Chip ID"
  • KBAG: The (encrypted) IV/key used to decrypt the payload
  • NONC: Nonce used when the file was signed
  • OVRD
  • PROD: Production mode
  • RAND
  • SALT
  • SDOM: Security domain
  • SEPO: Security epoch
  • SHSH: Encrypted hash of the payload
  • TYPE: Type of image (i.e. what the DATA tag contains)
  • VERS: iBoot version of the image