firmware-analyst by sickn33/antigravity-awesome-skills

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill firmware-analyst

## Firmware Acquisition
### Software Methods
```bash
# Download from vendor (an HTTP download authenticates nothing on its own:
# compare against the hash or signature the vendor publishes before analysing)
wget http://vendor.com/firmware/update.bin
# Serial console on the device over a UART adapter (115200 baud is the usual default)
screen /dev/ttyUSB0 115200
# Dump a raw flash partition from a running device (cat /proc/mtd lists the partition map)
dd if=/dev/mtd0 of=/tmp/firmware.bin
```
### Hardware Methods
- UART access - Serial console connection
- JTAG/SWD - Debug interface for memory access
- SPI flash dump - Direct chip reading
- NAND/NOR dump - Flash memory extraction
- Chip-off - Physical chip removal and reading
- Logic analyzer - Protocol capture and analysis
## Use this skill when
- Working on firmware acquisition, extraction, or analysis tasks and workflows
- Needing guidance, best practices, or checklists for firmware security assessment
## Do not use this skill when
- The task is unrelated to firmware analysis
- You need a different domain or tool outside this scope
## Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.
## Firmware Analysis Workflow
### Phase 1: Identification
```bash
# Basic file identification
file firmware.bin
binwalk firmware.bin
# Entropy analysis (detect compression/encryption); binwalk v3 writes an entropy PNG graph
binwalk --entropy firmware.bin
binwalk -E firmware.bin   # Short form
# Identify embedded file systems and auto-extract them
binwalk --extract firmware.bin
binwalk -e firmware.bin   # Short form
# String analysis: a first pass for credentials and key material
strings -a firmware.bin | grep -iE 'password|key|secret'
```
Read the entropy graph together with the signature scan: high entropy sitting behind a recognizable header (gzip, LZMA, xz, SquashFS) is compression, while a flat ~8 bits/byte across the whole image with no headers at all means encryption or a vendor container binwalk has no signature for. In that case the image has to come from a hardware dump, or the decryption routine has to be recovered from an earlier unencrypted release of the same product.
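What binwalk's signature scan and entropy graph compute, as an added example in C (this is not code from the skill or from binwalk): a scanner that walks a buffer looking for a handful of filesystem and compressor magics, and a per-block Shannon entropy so that flat 8-bit regions stand out. The firmware image is constructed inside the program, the signature table is this example's own short list, and log2 is implemented inline so the file links with a plain `cc` and no libm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature table (this example's own short list; binwalk ships hundreds).
 * Each entry is the byte pattern that begins a header we want to find. */
typedef struct { const char *name; const uint8_t *magic; size_t len; } sig_t;
static const uint8_t SQUASHFS_LE[] = { 'h','s','q','s' };      /* SquashFS, little-endian */
static const uint8_t SQUASHFS_BE[] = { 's','q','s','h' };      /* SquashFS, big-endian */
static const uint8_t GZIP_HDR[]    = { 0x1f, 0x8b, 0x08 };     /* gzip, deflate method */
static const uint8_t UBI_EC_HDR[]  = { 'U','B','I','#' };      /* UBI erase-counter header */
static const uint8_t CRAMFS_SIG[]  = "Compressed ROMFS";       /* cramfs signature string */
static const sig_t SIGS[] = {
    { "SquashFS (LE)", SQUASHFS_LE, sizeof SQUASHFS_LE },
    { "SquashFS (BE)", SQUASHFS_BE, sizeof SQUASHFS_BE },
    { "gzip",          GZIP_HDR,    sizeof GZIP_HDR },
    { "UBI",           UBI_EC_HDR,  sizeof UBI_EC_HDR },
    { "cramfs",        CRAMFS_SIG,  sizeof CRAMFS_SIG - 1 },   /* drop the NUL */
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { size_t offset; const char *name; } hit_t;

/* Try every signature at every offset; stores up to max hits in offset order
 * and returns the total number found (which may exceed max). */
size_t find_signatures(const uint8_t *buf, size_t n, hit_t *hits, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t s = 0; s < NSIGS; s++)
            if (SIGS[s].len <= n - off && memcmp(buf + off, SIGS[s].magic, SIGS[s].len) == 0) {
                if (count < max) hits[count] = (hit_t){ off, SIGS[s].name };
                count++;
            }
    return count;
}

/* log2 without libm: x = m * 2^e with m in [1,2); ln(m) via the atanh series. */
static double log2_nolibm(double x)
{
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= y2; }
    return e + (2.0 * sum) / 0.6931471805599453;
}

/* Shannon entropy of one block in bits per byte: 0.0 for constant data,
 * close to 8.0 for compressed or encrypted data. */
double block_entropy(const uint8_t *buf, size_t n)
{
    size_t hist[256] = { 0 };
    for (size_t i = 0; i < n; i++) hist[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (hist[b] == 0) continue;
        double p = (double)hist[b] / (double)n;
        h -= p * log2_nolibm(p);
    }
    return h;
}

#define IMG_SIZE 8192
#define BLOCK    1024

/* Constructed test image: zeroed header region, a SquashFS magic at 0x400, a gzip
 * header at 0x800, and a deterministic pseudo-random tail from 0x1000 standing in
 * for compressed or encrypted data. */
void build_sample_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    memcpy(img + 0x400, SQUASHFS_LE, sizeof SQUASHFS_LE);
    memcpy(img + 0x800, GZIP_HDR, sizeof GZIP_HDR);
    uint32_t x = 0x12345678u;                     /* xorshift32 */
    for (size_t i = 0x1000; i < IMG_SIZE; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        img[i] = (uint8_t)x;
    }
}

int main(void)
{
    static uint8_t img[IMG_SIZE];
    hit_t hits[16];
    build_sample_image(img);
    size_t n = find_signatures(img, IMG_SIZE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("0x%06zx  %s\n", hits[i].offset, hits[i].name);
    for (size_t off = 0; off < IMG_SIZE; off += BLOCK)
        printf("0x%06zx  %.2f bits/byte\n", off, block_entropy(img + off, BLOCK));
    return 0;
}
```

The first two hits are the planted SquashFS and gzip headers, the all-zero header block reports 0.00 bits/byte, and the pseudo-random tail reports close to 8. On a real image these are the same two signals you read off `binwalk firmware.bin` and `binwalk -E`: high entropy with a header in front of it is compression, high entropy with nothing in front of it is encryption or a format the signature table lacks.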
### Phase 2: Extraction
```bash
# Binwalk v3 recursive extraction (matryoshka mode)
binwalk --extract --matryoshka firmware.bin
binwalk -eM firmware.bin   # Short form
# Extract to a custom directory
binwalk -e -C ./extracted firmware.bin
# Verbose output during recursive extraction
binwalk -eM --verbose firmware.bin
# Manual extraction for specific formats (when binwalk misidentifies an image
# or the vendor ships a non-standard variant)
# SquashFS
unsquashfs filesystem.squashfs
# JFFS2
jefferson filesystem.jffs2 -d output/
# UBIFS
ubireader_extract_images firmware.ubi
# YAFFS
unyaffs filesystem.yaffs
# Cramfs
cramfsck -x output/ filesystem.cramfs
```
### Phase 3: Filesystem Analysis
```bash
# Explore the extracted filesystem
find . -name "*.conf" -o -name "*.cfg"
find . -name "passwd" -o -name "shadow"
find . -type f -executable
# Find hardcoded credentials and key material
grep -rni "password" .
grep -rni "api_key" .
grep -rn "BEGIN .*PRIVATE KEY" .
# Analyze the web interface
find . -name "*.cgi" -o -name "*.php" -o -name "*.lua"
# Check binary hardening (RELRO, stack canary, NX, PIE) across the bin directory
checksec --dir=./bin/
```
### Phase 4: Binary Analysis
```bash
# Identify architecture and endianness
file bin/httpd
readelf -h bin/httpd
# Load in Ghidra with the matching language ID
# For ARM:  ARM:LE:32:v7 or similar
# For MIPS: MIPS:BE:32:default
# Set up cross-compilation for testing (add -static if the binary will run
# under qemu-user outside the target's own rootfs and libc)
# ARM
arm-linux-gnueabi-gcc exploit.c -o exploit
# MIPS (little-endian)
mipsel-linux-gnu-gcc exploit.c -o exploit
```
## Common Vulnerability Classes
### Authentication
- Hardcoded credentials - Default passwords in firmware
- Backdoor accounts - Hidden admin accounts
- Weak password hashing - MD5, no salt
- Authentication bypass - Logic flaws in login
- Session management - Predictable tokens
### Command Injection
```c
// Vulnerable pattern: untrusted input is pasted into a shell command line
char cmd[256];
sprintf(cmd, "ping %s", user_input);   // also a stack overflow if user_input is long
system(cmd);
```
Test payloads (supplied as the host argument):
```
; id
| cat /etc/passwd
`whoami`
$(id)
```
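The vulnerable pattern above beside a hardened version, as an added C example (not the skill's or any vendor's code): the same `ping` wrapper written with an allowlist check on the host argument and an `execvp` argv array instead of `system`, so no shell ever parses the input. The helper names and the sample inputs are this example's own; the payloads are the ones listed above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The page's vulnerable pattern, kept only to show what a payload turns into:
 * the argument is interpolated into a shell command line, so shell
 * metacharacters in user_input become additional commands. */
int build_vulnerable_cmd(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, "ping -c 1 %s", user_input);
}

/* Allowlist check: only the characters a hostname or IPv4/IPv6 literal can
 * contain. An allowlist is the point; a denylist of ';', '|', '`', '$' is
 * always one character short (newline, '&', '<', '>' ...). */
bool is_valid_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253) return false;
    if (s[0] == '-') return false;               /* ping would parse it as an option */
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':';
        if (!ok) return false;
    }
    return true;
}

/* Hardened version: validate, then exec ping directly with an argv array.
 * No shell is involved, so nothing in host is ever re-parsed.
 * Returns -1 if the host is rejected or exec fails, else ping's exit status. */
int ping_host_safe(const char *host)
{
    if (!is_valid_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                              /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The page's test payloads, an option-injection attempt, and two legitimate hosts (constructed). */
    const char *inputs[] = { "; id", "| cat /etc/passwd", "`whoami`", "$(id)",
                             "-f", "192.0.2.1", "example.com" };
    char cmd[512];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_vulnerable_cmd(cmd, sizeof cmd, inputs[i]);
        printf("%-20s  vulnerable would run: %-32s  hardened: %s\n", inputs[i], cmd,
               is_valid_host(inputs[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The leading-dash check matters even without a shell: with `execvp` the input is still an argument to `ping`, and `-f` or `-I` would be parsed as options (argument injection), which is why the allowlist rejects it rather than relying on the metacharacter filter alone.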
### Memory Corruption
- Stack buffer overflow - strcpy, sprintf without bounds checks
- Heap overflow - Improper allocation handling
- Format string - printf(user_input)
- Integer overflow - Size calculations
- Use-after-free - Improper memory management
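Integer overflow in a size calculation is the item on that list that firmware update parsers and IPC services get wrong most often. As an added C example (not the skill's or any vendor's format), here is a parser for a hypothetical type/length/payload record layout, once with the wrapping `header + length` check and once with the subtraction form that cannot wrap, plus a constructed record with length 0xFFFFFFF8 that the first accepts and the second rejects. The record layout, sample buffers and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical update-container record used only for this example:
 *   uint32_t type (LE) | uint32_t length (LE) | `length` bytes of payload
 * Vendor formats differ; the length-check mistake is the same everywhere. */
#define REC_HDR 8u

typedef struct { uint32_t type; uint32_t length; const uint8_t *payload; } record_t;
typedef int (*parse_fn)(const uint8_t *buf, size_t remaining, record_t *out);

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable: the bounds check adds header and length in 32-bit arithmetic
 * (what size_t gives you on a 32-bit MIPS/ARM target). For length >= 0xFFFFFFF8
 * the sum wraps to a small number, the check passes, and the caller is handed
 * a payload "length" of almost 4 GiB to copy out of a 16-byte buffer. */
int parse_record_vulnerable(const uint8_t *buf, size_t remaining, record_t *out)
{
    if (remaining < REC_HDR) return -1;
    uint32_t length = rd32le(buf + 4);
    uint32_t total = REC_HDR + length;                 /* wraps */
    if (total > remaining) return -1;                  /* 0 > 16 is false: accepted */
    out->type = rd32le(buf); out->length = length; out->payload = buf + REC_HDR;
    return 0;
}

/* Hardened: compare length against what is actually left after the header.
 * remaining - REC_HDR cannot underflow because of the first check, and no sum
 * involving the attacker-controlled length is ever formed. */
int parse_record_safe(const uint8_t *buf, size_t remaining, record_t *out)
{
    if (remaining < REC_HDR) return -1;
    uint32_t length = rd32le(buf + 4);
    if (length > remaining - REC_HDR) return -1;
    out->type = rd32le(buf); out->length = length; out->payload = buf + REC_HDR;
    return 0;
}

/* Walk every record in a container with the given parser. Returns the number
 * of records accepted, or -1 on the first rejected record. */
int walk_container(const uint8_t *buf, size_t n, parse_fn parse)
{
    uint64_t off = 0;                                  /* 64-bit so the walk itself cannot wrap */
    int count = 0;
    while (off < n) {
        record_t r;
        if (parse(buf + off, (size_t)(n - off), &r) != 0) return -1;
        count++;
        off += REC_HDR + (uint64_t)r.length;           /* vulnerable parser: jumps far past n */
    }
    return count;
}

/* Constructed samples. */
static const uint8_t SAMPLE_OVERFLOW[16] = {            /* type 1, length 0xFFFFFFF8, 8 payload bytes */
    0x01,0x00,0x00,0x00, 0xF8,0xFF,0xFF,0xFF, 'A','B','C','D','E','F','G','H' };
static const uint8_t SAMPLE_CONTAINER[22] = {           /* two well-formed records */
    0x01,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 'A','B','C','D',
    0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 'x','y' };
static const uint8_t SAMPLE_TRUNCATED[12] = {           /* claims 16 payload bytes, only 4 present */
    0x01,0x00,0x00,0x00, 0x10,0x00,0x00,0x00, 'A','B','C','D' };

int main(void)
{
    record_t r;
    int v = parse_record_vulnerable(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW, &r);
    printf("vulnerable: rc=%d length=0x%08x (buffer is only %zu bytes)\n",
           v, r.length, sizeof SAMPLE_OVERFLOW);
    printf("safe:       rc=%d\n", parse_record_safe(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW, &r));
    printf("container:  %d records\n",
           walk_container(SAMPLE_CONTAINER, sizeof SAMPLE_CONTAINER, parse_record_safe));
    printf("truncated:  %d\n",
           walk_container(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, parse_record_safe));
    return 0;
}
```

Plain truncation (the third sample) is caught by both parsers; only the wrapping case separates them, which is why a test corpus for an update parser needs lengths near the top of the integer range and not just lengths larger than the buffer.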
### Information Disclosure
- Debug interfaces - UART, JTAG left enabled
- Verbose errors - Stack traces, paths
- Configuration files - Exposed credentials
- Firmware updates - Unencrypted downloads, and no signature check before install
## Tools
### Extraction
- binwalk v3 - Firmware extraction and analysis (Rust rewrite, faster, fewer false positives)
- firmware-mod-kit - Firmware modification toolkit
- jefferson - JFFS2 extraction
- ubi_reader - UBIFS extraction
- sasquatch - SquashFS with non-standard (vendor-modified) compression
### Disassembly
- Ghidra - Multi-architecture disassembly and decompilation
- IDA Pro - Commercial disassembler
- Binary Ninja - Modern RE platform
- radare2 - Scriptable analysis
### Analysis Frameworks
- Firmware Analysis Toolkit (FAT) - Scripted Firmadyne front end for emulating a firmware image
- FACT - Firmware Analysis and Comparison Tool
### Emulation
- QEMU - Full-system and user-mode emulation
- Firmadyne - Automated firmware emulation
- EMUX - ARM firmware emulator
- qemu-user-static - Static QEMU for chroot emulation
- Unicorn - CPU emulation framework
### Hardware
- Bus Pirate - Universal serial interface
- Logic analyzer - Protocol analysis
- JTAGulator - JTAG/UART discovery
- Flashrom - Flash chip programmer
- ChipWhisperer - Side-channel analysis
## Emulation
### QEMU User-Mode (chroot)
```bash
# Install QEMU user-mode
sudo apt install qemu-user-static
# Copy the QEMU static binary into the extracted rootfs (pick the one matching
# the target: qemu-arm-static, qemu-mips-static, qemu-mipsel-static, ...)
cp /usr/bin/qemu-arm-static ./squashfs-root/usr/bin/
# Chroot into the firmware filesystem
sudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/sh
# Run a specific binary
sudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/httpd
```
User-mode emulation runs one process at a time on the host kernel. Binaries that expect device nodes, NVRAM or vendor kernel modules will fail here, which is the point at which full-system emulation with Firmadyne becomes the next step.
### Firmadyne (full-system)
```bash
# Extract firmware into the Firmadyne image store
./sources/extractor/extractor.py -b brand -sql 127.0.0.1 \
    -np -nk "firmware.bin" images
# Identify architecture, load the filesystem into the database, and create the QEMU image
./scripts/getArch.sh ./images/1.tar.gz
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
./scripts/makeImage.sh 1
# Infer network configuration
./scripts/inferNetwork.sh 1
# Run emulation
./scratch/1/run.sh
```
## Assessment Checklist
- [ ] Firmware extraction successful
- [ ] File system mounted and explored
- [ ] Architecture identified
- [ ] Hardcoded credentials search
- [ ] Web interface analysis
- [ ] Binary security properties (checksec)
- [ ] Network services identified
- [ ] Debug interfaces disabled
- [ ] Update mechanism security
- [ ] Encryption/signing verification
- [ ] Known CVE check
## Report Template
```markdown
# Firmware Security Assessment
## Device Information
- Manufacturer:
- Model:
- Firmware Version:
- Architecture:
## Findings Summary
| Finding | Severity | Location |
|---------|----------|----------|
## Detailed Findings
### Finding 1: [Title]
- Severity: Critical/High/Medium/Low
- Location: /path/to/file
- Description:
- Proof of Concept:
- Remediation:
## Recommendations
1. ...
```
Weekly installs: 103
Repository: https://github.com/sickn33/antigravity-awesome-skills (27.1K GitHub stars)
First seen: Jan 28, 2026
Security audits: Gen Agent Trust Hub - Warn; Socket - Fail; Snyk - Warn
Installed on: opencode (98), gemini-cli (95), cursor (94), github-copilot (94), codex (93), claude-code (87)