cybersecurity · beginner · ~12 min · safe pentest lab

Detect a firmware blob's type from its magic bytes

Magic-byte file type detection with bounds checks.

Challenge

Your job

Implement:

#include <stdint.h>
#include <stddef.h>
int detect_firmware_type(const uint8_t *buf, size_t n);

Return:

1 PE (4D 5A)
2 ELF (7F 45 4C 46)
3 U-Boot uImage (27 05 19 56, big-endian)
4 Squashfs (68 73 71 73 — ASCII hsqs)
5 JFFS2 (19 85)
0 unknown
-1 buf == NULL

If n is too short to check a given magic, skip it.

Hints

(concept) Use memcmp against constant byte arrays.
(common bug) Treating uImage's magic as little-endian. The bytes on disk are 27 05 19 56 in that order.

Why this matters

Before you mount or unpack a firmware image, you need to know what it is. Magic-byte sniffing answers the question in 8 bytes.

Input format

A const byte buffer + its length.

Output format

Type tag (0..5) or -1 on NULL.

Constraints

Bounds-check before every memcmp. Buf-NULL handling explicit.

Starter code

#include <stdint.h>
#include <stddef.h>
int detect_firmware_type(const uint8_t *buf, size_t n) {
    /* TODO */
    (void)buf; (void)n;
    return -1;
}

Common mistakes

Letting PE's 2-byte prefix match before ELF's 4-byte prefix is checked. Reading past n. Treating uImage as little-endian.

Edge cases to handle

Buffer exactly 2 bytes (PE / JFFS2 only). NULL buf.

Complexity

O(1) — bounded number of memcmps.

Background lessons

Classify a firmware blob from its magic bytes

Up next

Read a filename from a mock MFT record

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.