
Competition Firmware Layout


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the hard part is understanding how a firmware image is structured, booted, updated, and turned into reachable device behavior.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Preserve the original image, extracted partitions, unpacked filesystems, and patched copies as separate artifacts.
  2. Map outer container, partition table, bootloader, kernel, rootfs, config, and update metadata before editing anything.
  3. Track the boot or update chain in order instead of jumping straight to the most interesting file.
  4. Record keys, signatures, offsets, partition boundaries, and init entrypoints in one compact evidence chain.
  5. Reproduce the decisive secret, branch, or reachable service from the smallest extracted path.

Workflow


1. Establish Image Layout


  • Identify container type, partition headers, compression, filesystem type, and any appended or nested images.
  • Record offsets, sizes, hashes, mount points, and partition names before extraction mutates anything.
  • Separate bootloader, kernel, initramfs, rootfs, config blobs, and update metadata as different layers.
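The layout step above asks for offsets, sizes, hashes and entrypoints to be recorded before extraction touches anything. The following is an added example written for this page, not code from the skill or from its referenced checklist. It scans a raw image for a few well-known container magics (legacy uImage, SquashFS v4, gzip, cramfs), parses the uImage header and the SquashFS superblock, verifies the uImage header and payload CRC32s, and emits one evidence record per layer with its nesting relationship. The sample image it scans is constructed in memory; the bootloader bytes, image name, addresses and all other values are illustrative assumptions.

```python
"""Added example (not part of the skill or its reference checklist): map a raw
firmware image into a compact evidence chain without modifying the input."""
import hashlib
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"        # 0x27051956, big-endian
SQUASHFS_LE_MAGIC = b"hsqs"               # little-endian SquashFS
GZIP_MAGIC = b"\x1f\x8b\x08"              # 3 bytes: expect false positives on real images
CRAMFS_LE_MAGIC = b"\x45\x3d\xcd\x28"     # 0x28cd3d45, little-endian
MAGICS = [(UIMAGE_MAGIC, "uimage"), (SQUASHFS_LE_MAGIC, "squashfs"),
          (GZIP_MAGIC, "gzip"), (CRAMFS_LE_MAGIC, "cramfs")]
UIMAGE_HDR = struct.Struct("!IIIIIIIBBBB32s")   # 64-byte legacy U-Boot header
SQUASHFS_SB_LEN = 96


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def parse_uimage(data: bytes, off: int) -> dict:
    """Parse the legacy uImage header at off and check both CRC32s."""
    hdr = data[off:off + UIMAGE_HDR.size]
    (_magic, hcrc, _time, size, load, ep, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack(hdr)
    payload = data[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    zeroed = hdr[:4] + b"\x00" * 4 + hdr[8:]   # ih_hcrc is computed with itself zeroed
    return {
        "kind": "uimage", "offset": off, "size": UIMAGE_HDR.size + size,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "load_addr": load, "entry_point": ep,
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(payload) == size and zlib.crc32(payload) == dcrc,
        "sha256": sha256(hdr + payload),
    }


def parse_squashfs(data: bytes, off: int) -> dict:
    """Parse the little-endian SquashFS v4 superblock at off."""
    major, minor = struct.unpack_from("<HH", data, off + 28)
    (bytes_used,) = struct.unpack_from("<Q", data, off + 40)
    region = data[off:off + bytes_used]
    return {"kind": "squashfs", "offset": off, "size": bytes_used,
            "version": f"{major}.{minor}",
            "truncated": len(region) < bytes_used, "sha256": sha256(region)}


def find_magics(data: bytes) -> list:
    """Every (offset, kind) hit for the known magics, in file order."""
    hits = []
    for magic, kind in MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def scan_image(data: bytes) -> dict:
    """Build the evidence chain: pristine image hash first, then each layer."""
    chain = {"image_sha256": sha256(data), "image_size": len(data), "layers": []}
    for off, kind in find_magics(data):
        if kind == "uimage" and off + UIMAGE_HDR.size <= len(data):
            layer = parse_uimage(data, off)
        elif kind == "squashfs" and off + SQUASHFS_SB_LEN <= len(data):
            layer = parse_squashfs(data, off)
        else:   # size unknown from the magic alone; record only the boundary
            layer = {"kind": kind, "offset": off, "size": None, "sha256": None}
        # A hit inside an earlier sized layer is a nested image (e.g. gzip kernel in a uImage).
        parent = next((l for l in reversed(chain["layers"])
                       if l["size"] and l["offset"] <= off < l["offset"] + l["size"]), None)
        layer["parent_offset"] = parent["offset"] if parent else None
        chain["layers"].append(layer)
    return chain


# --- constructed sample image (hypothetical, not from any real device) -------
def build_uimage(name: bytes, payload: bytes, load: int, ep: int) -> bytes:
    """Minimal valid legacy uImage: os=Linux(5), arch=ARM(2), type=kernel(2), comp=gzip(1)."""
    fields = [int.from_bytes(UIMAGE_MAGIC, "big"), 0, 0, len(payload), load, ep,
              zlib.crc32(payload), 5, 2, 2, 1, name.ljust(32, b"\x00")]
    fields[1] = zlib.crc32(UIMAGE_HDR.pack(*fields))   # hcrc over header with hcrc=0
    return UIMAGE_HDR.pack(*fields) + payload


def build_squashfs_stub(body: bytes) -> bytes:
    """SquashFS v4 superblock carrying only the fields this scanner reads."""
    sb = bytearray(SQUASHFS_SB_LEN)
    sb[0:4] = SQUASHFS_LE_MAGIC
    struct.pack_into("<HH", sb, 28, 4, 0)                        # version 4.0
    struct.pack_into("<Q", sb, 40, SQUASHFS_SB_LEN + len(body))  # bytes_used
    return bytes(sb) + body


def build_sample_image() -> bytes:
    bootloader = b"BOOT" * 64                                    # 256-byte placeholder
    kernel = build_uimage(b"demo-kernel", GZIP_MAGIC + b"\x00" * 61, 0x80008000, 0x80008000)
    rootfs = build_squashfs_stub(b"\xaa" * 32)
    return bootloader + kernel + b"\xff" * 16 + rootfs


if __name__ == "__main__":
    for layer in scan_image(build_sample_image())["layers"]:
        print(layer)
```

Each record is emitted in file order, so the chain doubles as the partition map; a failed `data_crc_ok` on a layer whose `header_crc_ok` still holds is the usual sign that a payload was patched after the header was written, which is why the pristine image hash is recorded before any layer is looked at.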

2. Trace Boot Or Update Flow


  • Map how control moves from bootloader to kernel to init to services, or from update package to verifier to installer.
  • Note which credentials, certificates, passwords, seeds, or config files are consumed at each stage.
  • Distinguish checked-in firmware intent from the live behavior the extracted files actually support.
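The boot-flow step asks for the init chain to be followed in order, with each credential or config file tied to the stage that consumes it. The following is an added example written for this page, not the skill's own tooling: it statically walks a BusyBox-style init chain through an extracted rootfs, starting at /etc/inittab, and records for every stage which scripts it runs, which files it consumes, and which referenced paths are absent from the extracted tree (binaries, or gating files such as a debug flag). The ROOTFS tree, its script names, paths and values are constructed for illustration.

```python
"""Added example (not part of the skill): trace a BusyBox-style boot chain
through a constructed extracted rootfs and tie each file to its consuming stage."""
import fnmatch
import re

# Constructed, hypothetical extracted tree: absolute path -> file text.
ROOTFS = {
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty -L ttyS0 115200 vt100\n",
    "/etc/init.d/rcS": "#!/bin/sh\nfor i in /etc/init.d/S??* ; do\n  $i start\ndone\n",
    "/etc/init.d/S10network": "#!/bin/sh\n. /etc/network.conf\nifconfig eth0 $IPADDR up\n",
    "/etc/init.d/S50httpd": "#!/bin/sh\n/usr/sbin/httpd -c /etc/httpd.conf -p 80\n",
    "/etc/init.d/S99debug": "#!/bin/sh\n[ -f /etc/debug_enable ] && /usr/sbin/telnetd\n",
    "/etc/network.conf": "IPADDR=192.168.1.1\n",
    "/etc/httpd.conf": "A:*\n/cgi-bin:admin:PLACEHOLDER_HASH\n",
}

# Absolute paths, including shell globs, mentioned in script text.
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.?*-]+/)*[\w.?*-]+")


def referenced_paths(text: str) -> list:
    """Paths named by non-comment lines, in order of appearance (shebang is skipped)."""
    refs = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        refs.extend(PATH_RE.findall(line))
    return refs


def expand(rootfs: dict, ref: str) -> list:
    """Resolve a glob against the extracted tree; plain paths pass through unchanged."""
    if any(c in ref for c in "?*"):
        return sorted(p for p in rootfs if fnmatch.fnmatchcase(p, ref))
    return [ref]


def is_script(rootfs: dict, path: str) -> bool:
    return rootfs.get(path, "").startswith("#!")


def trace_boot(rootfs: dict, entry: str = "/etc/inittab") -> list:
    """Depth-first walk from the init entrypoint.

    Each record is {"stage": parent path, "path": file, "relation": ...} where
    relation is "entry", "runs" (script executed), "consumes" (non-script file
    read) or "absent" (referenced but not present in the extracted tree).
    """
    chain, seen = [], set()

    def visit(stage, path, relation):
        if path in seen:            # guards against init loops
            return
        seen.add(path)
        chain.append({"stage": stage, "path": path, "relation": relation})
        if relation not in ("entry", "runs") or path not in rootfs:
            return
        for ref in referenced_paths(rootfs[path]):
            for target in expand(rootfs, ref):
                if target not in rootfs:
                    visit(path, target, "absent")
                elif is_script(rootfs, target):
                    visit(path, target, "runs")
                else:
                    visit(path, target, "consumes")

    visit(None, entry, "entry")
    return chain


if __name__ == "__main__":
    for rec in trace_boot(ROOTFS):
        print(f'{rec["relation"]:9} {rec["path"]:28} <- {rec["stage"]}')
```

The walk is static, so it reports what the extracted files can support rather than what the device actually does at runtime; "absent" entries are the places to look for binaries that live in another partition, or for gating files (here /etc/debug_enable) whose presence in the real image decides whether a service such as the telnet daemon is reachable.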

3. Reduce To The Decisive Path


  • Show the smallest chain from image boundary to service exposure, auth bypass, debug interface, credential recovery, or flag artifact.
  • Keep extracted filesystems, derived configs, and patch experiments separate from pristine inputs.
  • If the challenge becomes mostly about native crash behavior or exploit primitives after extraction, switch back to the broader reverse skill.

Read This Reference


  • Load references/firmware-layout.md for the layout checklist, boot-chain checklist, and evidence packaging.

What To Preserve


  • Partition offsets, hashes, filesystem types, mount paths, boot entrypoints, and update metadata
  • Extracted secrets, config paths, init scripts, service units, and credentials tied to the stage that consumes them
  • Original images, extracted layers, mounted views, and patched copies as separate artifacts