[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-0c6b7421-9303-4af3-ae29-1740da52a07e":3,"$fRORX9FgF58PXRVJR10k6_NMPLrUcershjAHBFWBUS3Q":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"0c6b7421-9303-4af3-ae29-1740da52a07e","firmware-analyst","Expert firmware analyst specializing in embedded systems, IoT security, and hardware reverse engineering.","cat_life_career","mod_other","sickn33,other","---\nname: firmware-analyst\ndescription: Expert firmware analyst specializing in embedded systems, IoT security, and hardware reverse engineering.\nrisk: unknown\nsource: community\ndate_added: '2026-02-27'\n---\n\n```bash\n# Download from vendor\nwget http:\u002F\u002Fvendor.com\u002Ffirmware\u002Fupdate.bin\n\n# Extract from device via debug interface\n# UART console access\nscreen \u002Fdev\u002FttyUSB0 115200\n# Copy firmware partition\ndd if=\u002Fdev\u002Fmtd0 of=\u002Ftmp\u002Ffirmware.bin\n\n# Extract via network protocols\n# TFTP during boot\n# HTTP\u002FFTP from device web interface\n```\n\n### Hardware Methods\n```\nUART access        - Serial console connection\nJTAG\u002FSWD           - Debug interface for memory access\nSPI flash dump     - Direct chip reading\nNAND\u002FNOR dump      - Flash memory extraction\nChip-off           - Physical chip removal and reading\nLogic analyzer     - Protocol capture and analysis\n```\n\n## Use this skill when\n\n- Working on firmware analysis tasks or workflows\n- Needing guidance, best practices, or checklists for firmware analysis\n\n## Do not use this skill when\n\n- The task is unrelated to firmware analysis\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, 
open `resources\u002Fimplementation-playbook.md`.\n\n## Firmware Analysis Workflow\n\n### Phase 1: Identification\n```bash\n# Basic file identification\nfile firmware.bin\nbinwalk firmware.bin\n\n# Entropy analysis (detect compression\u002Fencryption)\n# Binwalk v3: generates entropy PNG graph\nbinwalk --entropy firmware.bin\nbinwalk -E firmware.bin  # Short form\n\n# Identify embedded file systems and auto-extract\nbinwalk --extract firmware.bin\nbinwalk -e firmware.bin  # Short form\n\n# String analysis\nstrings -a firmware.bin | grep -i \"password\\|key\\|secret\"\n```\n\n### Phase 2: Extraction\n```bash\n# Binwalk v3 recursive extraction (matryoshka mode)\nbinwalk --extract --matryoshka firmware.bin\nbinwalk -eM firmware.bin  # Short form\n\n# Extract to custom directory\nbinwalk -e -C .\u002Fextracted firmware.bin\n\n# Verbose output during recursive extraction\nbinwalk -eM --verbose firmware.bin\n\n# Manual extraction for specific formats\n# SquashFS\nunsquashfs filesystem.squashfs\n\n# JFFS2\njefferson filesystem.jffs2 -d output\u002F\n\n# UBIFS\nubireader_extract_images firmware.ubi\n\n# YAFFS\nunyaffs filesystem.yaffs\n\n# Cramfs\ncramfsck -x output\u002F filesystem.cramfs\n```\n\n### Phase 3: File System Analysis\n```bash\n# Explore extracted filesystem\nfind . -name \"*.conf\" -o -name \"*.cfg\"\nfind . -name \"passwd\" -o -name \"shadow\"\nfind . -type f -executable\n\n# Find hardcoded credentials\ngrep -r \"password\" .\ngrep -r \"api_key\" .\ngrep -rn \"BEGIN RSA PRIVATE KEY\" .\n\n# Analyze web interface\nfind . 
-name \"*.cgi\" -o -name \"*.php\" -o -name \"*.lua\"\n\n# Check for vulnerable binaries\nchecksec --dir=.\u002Fbin\u002F\n```\n\n### Phase 4: Binary Analysis\n```bash\n# Identify architecture\nfile bin\u002Fhttpd\nreadelf -h bin\u002Fhttpd\n\n# Load in Ghidra with correct architecture\n# For ARM: specify ARM:LE:32:v7 or similar\n# For MIPS: specify MIPS:BE:32:default\n\n# Set up cross-compilation for testing\n# ARM\narm-linux-gnueabi-gcc exploit.c -o exploit\n# MIPS\nmipsel-linux-gnu-gcc exploit.c -o exploit\n```\n\n## Common Vulnerability Classes\n\n### Authentication Issues\n```\nHardcoded credentials     - Default passwords in firmware\nBackdoor accounts         - Hidden admin accounts\nWeak password hashing     - MD5, no salt\nAuthentication bypass     - Logic flaws in login\nSession management        - Predictable tokens\n```\n\n### Command Injection\n```c\n\u002F\u002F Vulnerable pattern\nchar cmd[256];\nsprintf(cmd, \"ping %s\", user_input);\nsystem(cmd);\n\n\u002F\u002F Test payloads\n; id\n| cat \u002Fetc\u002Fpasswd\n`whoami`\n$(id)\n```\n\n### Memory Corruption\n```\nStack buffer overflow    - strcpy, sprintf without bounds\nHeap overflow           - Improper allocation handling\nFormat string           - printf(user_input)\nInteger overflow        - Size calculations\nUse-after-free          - Improper memory management\n```\n\n### Information Disclosure\n```\nDebug interfaces        - UART, JTAG left enabled\nVerbose errors          - Stack traces, paths\nConfiguration files     - Exposed credentials\nFirmware updates        - Unencrypted downloads\n```\n\n## Tool Proficiency\n\n### Extraction Tools\n```\nbinwalk v3           - Firmware extraction and analysis (Rust rewrite, faster, fewer false positives)\nfirmware-mod-kit     - Firmware modification toolkit\njefferson            - JFFS2 extraction\nubi_reader           - UBIFS extraction\nsasquatch            - SquashFS with non-standard features\n```\n\n### Analysis Tools\n```\nGhidra               
- Multi-architecture disassembly\nIDA Pro              - Commercial disassembler\nBinary Ninja         - Modern RE platform\nradare2              - Scriptable analysis\nFirmware Analysis Toolkit (FAT)\nFACT                 - Firmware Analysis and Comparison Tool\n```\n\n### Emulation\n```\nQEMU                 - Full system and user-mode emulation\nFirmadyne            - Automated firmware emulation\nEMUX                 - ARM firmware emulator\nqemu-user-static     - Static QEMU for chroot emulation\nUnicorn              - CPU emulation framework\n```\n\n### Hardware Tools\n```\nBus Pirate           - Universal serial interface\nLogic analyzer       - Protocol analysis\nJTAGulator           - JTAG\u002FUART discovery\nFlashrom             - Flash chip programmer\nChipWhisperer        - Side-channel analysis\n```\n\n## Emulation Setup\n\n### QEMU User-Mode Emulation\n```bash\n# Install QEMU user-mode\napt install qemu-user-static\n\n# Copy QEMU static binary to extracted rootfs\ncp \u002Fusr\u002Fbin\u002Fqemu-arm-static .\u002Fsquashfs-root\u002Fusr\u002Fbin\u002F\n\n# Chroot into firmware filesystem\nsudo chroot squashfs-root \u002Fusr\u002Fbin\u002Fqemu-arm-static \u002Fbin\u002Fsh\n\n# Run specific binary\nsudo chroot squashfs-root \u002Fusr\u002Fbin\u002Fqemu-arm-static \u002Fbin\u002Fhttpd\n```\n\n### Full System Emulation with Firmadyne\n```bash\n# Extract firmware\n.\u002Fsources\u002Fextractor\u002Fextractor.py -b brand -sql 127.0.0.1 \\\n    -np -nk \"firmware.bin\" images\n\n# Identify architecture and create QEMU image\n.\u002Fscripts\u002FgetArch.sh .\u002Fimages\u002F1.tar.gz\n.\u002Fscripts\u002FmakeImage.sh 1\n\n# Infer network configuration\n.\u002Fscripts\u002FinferNetwork.sh 1\n\n# Run emulation\n.\u002Fscratch\u002F1\u002Frun.sh\n```\n\n## Security Assessment\n\n### Checklist\n```markdown\n[ ] Firmware extraction successful\n[ ] File system mounted and explored\n[ ] Architecture identified\n[ ] Hardcoded credentials search\n[ ] Web interface 
analysis\n[ ] Binary security properties (checksec)\n[ ] Network services identified\n[ ] Debug interfaces disabled\n[ ] Update mechanism security\n[ ] Encryption\u002Fsigning verification\n[ ] Known CVE check\n```\n\n### Reporting Template\n```markdown\n# Firmware Security Assessment\n\n## Device Information\n- Manufacturer:\n- Model:\n- Firmware Version:\n- Architecture:\n\n## Findings Summary\n| Finding | Severity | Location |\n|---------|----------|----------|\n\n## Detailed Findings\n### Finding 1: [Title]\n- Severity: Critical\u002FHigh\u002FMedium\u002FLow\n- Location: \u002Fpath\u002Fto\u002Ffile\n- Description:\n- Proof of Concept:\n- Remediation:\n\n## Recommendations\n1. ...\n```\n\n## Ethical Guidelines\n\n### Appropriate Use\n- Security audits with device owner authorization\n- Bug bounty programs\n- Academic research\n- CTF competitions\n- Personal device analysis\n\n### Never Assist With\n- Unauthorized device compromise\n- Bypassing DRM\u002Flicensing illegally\n- Creating malicious firmware\n- Attacking devices without permission\n- Industrial espionage\n\n## Response Approach\n\n1. **Verify authorization**: Ensure legitimate research context\n2. **Assess device**: Understand target device type and architecture\n3. **Guide acquisition**: Appropriate firmware extraction method\n4. **Analyze systematically**: Follow structured analysis workflow\n5. **Identify issues**: Security vulnerabilities and misconfigurations\n6. 
**Document findings**: Clear reporting with remediation guidance\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,180,626,"2026-05-16 13:18:10",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Other","other","mdi-page-next-outline","Other types of Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"Career Development","career","mdi-briefcase-outline","Interview preparation, resume optimization, career planning",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"f463f4b1-7d2d-4a0c-b09d-841bed05652c","1.0.0","firmware-analyst.zip",3607,"uploads\u002Fskills\u002F0c6b7421-9303-4af3-ae29-1740da52a07e\u002Ffirmware-analyst.zip","da66a52c540610ccc26e929221431f9065643c31b63c146309f3dc47fe150925","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":8160}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]