firmware-analyst


Download from vendor

Extract from device via debug interface

UART console access

screen /dev/ttyUSB0 115200

Copy firmware partition (check /proc/mtd first: mtd0 is only the first MTD partition, usually the bootloader, so dump every partition you need; on raw NAND prefer nanddump to dd so bad blocks and OOB data are handled)

dd if=/dev/mtd0 of=/tmp/firmware.bin

Extract via network protocols

TFTP during boot

HTTP/FTP from device web interface

Hardware Methods

UART access        - Serial console connection
JTAG/SWD           - Debug interface for memory access
SPI flash dump     - Direct chip reading
NAND/NOR dump      - Flash memory extraction
Chip-off           - Physical chip removal and reading
Logic analyzer     - Protocol capture and analysis

Use this skill when

  • Working on firmware acquisition or analysis tasks or workflows
  • Needing guidance, best practices, or checklists for firmware acquisition and analysis

Do not use this skill when

  • The task is unrelated to firmware acquisition or analysis
  • You need a different domain or tool outside this scope

Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.

Firmware Analysis Workflow

Phase 1: Identification

```bash
# Basic file identification
file firmware.bin
binwalk firmware.bin

# Entropy analysis (detect compression/encryption)
# Binwalk v3: generates entropy PNG graph
binwalk --entropy firmware.bin
binwalk -E firmware.bin   # Short form

# Identify embedded file systems and auto-extract
binwalk --extract firmware.bin
binwalk -e firmware.bin   # Short form

# String analysis (-E: plain grep treats "|" literally, so the alternation needs ERE)
strings -a firmware.bin | grep -iE "password|key|secret"
```
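What `binwalk -E` is actually measuring, as an added example that is not part of the original page: a sliding-window Shannon entropy scan over a firmware image. Blocks near 8 bits/byte are compressed or encrypted (signature scanning finds nothing inside them), mid-range blocks are code and data, and near-zero blocks are padding. The image is constructed inline (4 KiB of 0xFF erase padding followed by 4 KiB of xorshift32 output standing in for an encrypted region); the 7.5/4.5 thresholds are an analyst's rule of thumb, not binwalk constants, and the `log2` helper is written out only so the file builds without libm.

```c
/* Added example (not from the original page): sliding-window Shannon entropy,
 * the measurement behind `binwalk -E`. The sample image is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN   8192
#define SAMPLE_BLOCK 1024

/* log2 without libm, so the file builds with a plain `cc entropy.c`:
 * peel off the binary exponent, then ln(m) for m in [1,2) as 2*atanh((m-1)/(m+1)). */
static double log2_nolibm(double x)
{
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.6931471805599453;   /* divide by ln 2 */
}

/* Shannon entropy of one block in bits per byte, 0.0 .. 8.0 */
double block_entropy(const uint8_t *buf, size_t len)
{
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0)
        return 0.0;
    for (size_t i = 0; i < len; i++)
        counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0)
            continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Rule-of-thumb labels an analyst applies when reading the entropy graph */
const char *entropy_label(double h)
{
    if (h > 7.5) return "compressed/encrypted";
    if (h > 4.5) return "code/data";
    return "padding/sparse";
}

/* Scan in fixed blocks, print one line per block (offset, entropy, label),
 * and return how many blocks exceed `threshold`. */
size_t scan_entropy(const uint8_t *buf, size_t len, size_t block, double threshold)
{
    size_t high = 0;
    for (size_t off = 0; off < len; off += block) {
        size_t n = (len - off < block) ? len - off : block;
        double h = block_entropy(buf + off, n);
        if (h > threshold)
            high++;
        printf("0x%08zx  %.3f  %s\n", off, h, entropy_label(h));
    }
    return high;
}

/* Constructed sample image: erase padding, then xorshift32 bytes (built once) */
const uint8_t *sample_image(void)
{
    static uint8_t img[SAMPLE_LEN];
    static int built = 0;
    if (!built) {
        uint32_t x = 0x2545F491u;
        memset(img, 0xFF, SAMPLE_LEN / 2);
        for (size_t i = SAMPLE_LEN / 2; i < SAMPLE_LEN; i++) {
            x ^= x << 13; x ^= x >> 17; x ^= x << 5;   /* xorshift32 step */
            img[i] = (uint8_t)x;
        }
        built = 1;
    }
    return img;
}

int main(void)
{
    size_t high = scan_entropy(sample_image(), SAMPLE_LEN, SAMPLE_BLOCK, 7.5);
    printf("%zu of %d blocks look compressed/encrypted\n", high, SAMPLE_LEN / SAMPLE_BLOCK);
    return 0;
}
```

On a real image, replace `sample_image()` with the file contents and use a block size of 1 KiB or larger: smaller windows make compressed data look less uniform and produce false "code/data" labels. A whole image reading above 7.9 from offset 0, with no low-entropy header before it, is the usual sign that the vendor encrypts updates and the key has to come from a hardware dump or an older unencrypted release.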

Phase 2: Extraction

```bash
# Binwalk v3 recursive extraction (matryoshka mode)
binwalk --extract --matryoshka firmware.bin
binwalk -eM firmware.bin   # Short form

# Extract to custom directory
binwalk -e -C ./extracted firmware.bin

# Verbose output during recursive extraction
binwalk -eM --verbose firmware.bin

# Manual extraction for specific formats
# SquashFS (vendor-modified images that unsquashfs rejects: try sasquatch)
unsquashfs filesystem.squashfs

# JFFS2
jefferson filesystem.jffs2 -d output/

# UBIFS
ubireader_extract_images firmware.ubi

# YAFFS
unyaffs filesystem.yaffs

# Cramfs
cramfsck -x output/ filesystem.cramfs
```

Phase 3: File System Analysis

```bash
# Explore extracted filesystem
find . -name "*.conf" -o -name "*.cfg"
find . -name "passwd" -o -name "shadow"
find . -type f -executable
find . -type f -perm -4000            # setuid binaries

# Find hardcoded credentials
grep -r "password" .
grep -r "api_key" .
grep -rn "BEGIN RSA PRIVATE KEY" .
grep -rn "PRIVATE KEY-----" .         # also catches EC, OPENSSH and PKCS#8 keys

# Analyze web interface
find . -name "*.cgi" -o -name "*.php" -o -name "*.lua"

# Check for vulnerable binaries
checksec --dir=./bin/
```
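The passwd/shadow files found above are worth more than a grep for "password": the hash format alone tells you whether an account is empty, locked, or cheaply crackable. The following is an added example, not code from the original page, that triages an extracted shadow file for the weaknesses this page lists (empty passwords, unsalted raw MD5, legacy DES crypt, and md5-crypt `$1$`, which is salted but fast). The shadow lines are constructed; the `hash_kind` names and the notion of "weak" are mine.

```c
/* Added example (not from the original page): classify the hash field of each
 * /etc/shadow entry and count the ones an attacker can use or crack cheaply.
 * Sample lines are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hash_kind {
    HASH_EMPTY,    /* ""            : login with no password */
    HASH_LOCKED,   /* "*", "!", "!!": no usable hash */
    HASH_RAW_MD5,  /* 32 hex chars  : unsalted MD5, rainbow-table fodder */
    HASH_DES,      /* 13 chars      : traditional crypt, 56-bit keyspace */
    HASH_MD5CRYPT, /* $1$           : salted but fast */
    HASH_SHA256,   /* $5$ */
    HASH_SHA512,   /* $6$ */
    HASH_OTHER
};

static int all_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

enum hash_kind classify_hash(const char *h)
{
    size_t n = strlen(h);
    if (n == 0) return HASH_EMPTY;
    if (h[0] == '*' || h[0] == '!') return HASH_LOCKED;
    if (strncmp(h, "$1$", 3) == 0) return HASH_MD5CRYPT;
    if (strncmp(h, "$5$", 3) == 0) return HASH_SHA256;
    if (strncmp(h, "$6$", 3) == 0) return HASH_SHA512;
    if (n == 32 && all_hex(h, n)) return HASH_RAW_MD5;
    if (n == 13 && h[0] != '$') return HASH_DES;
    return HASH_OTHER;
}

/* weak = attacker logs straight in or cracks offline cheaply */
int hash_is_weak(enum hash_kind k)
{
    return k == HASH_EMPTY || k == HASH_RAW_MD5 || k == HASH_DES || k == HASH_MD5CRYPT;
}

const char *hash_name(enum hash_kind k)
{
    static const char *names[] = { "EMPTY", "LOCKED", "RAW-MD5", "DES", "MD5CRYPT",
                                   "SHA256", "SHA512", "OTHER" };
    return names[k];
}

/* Walk "user:hash:..." lines and return the number of weak entries.
 * Each line is copied before splitting so an empty hash field survives
 * (strtok would silently skip it and shift every later field). */
int triage_shadow(const char *text)
{
    int weak = 0;
    const char *line = text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char *c1 = strchr(buf, ':');
        if (c1) {
            *c1 = '\0';
            char *hash = c1 + 1;
            char *c2 = strchr(hash, ':');
            if (c2) *c2 = '\0';
            enum hash_kind k = classify_hash(hash);
            int w = hash_is_weak(k);
            weak += w;
            printf("%-10s %-9s %s\n", buf, hash_name(k), w ? "WEAK" : "ok");
        }
        if (!end) break;
        line = end + 1;
    }
    return weak;
}

/* Constructed sample in shadow(5) format (the raw MD5 is MD5("password")) */
const char *SAMPLE_SHADOW =
    "root:$1$Abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::\n"
    "admin::19000:0:99999:7:::\n"
    "support:abJnggxhB/yWI:19000:0:99999:7:::\n"
    "webui:5f4dcc3b5aa765d61d8327deb882cf99:19000:0:99999:7:::\n"
    "daemon:*:19000:0:99999:7:::\n"
    "operator:$6$saltsalt$hashhashhashhashhashhash:19000:0:99999:7:::\n";

int main(void)
{
    printf("%d weak credential entries\n", triage_shadow(SAMPLE_SHADOW));
    return 0;
}
```

Run it over every `passwd`/`shadow` the `find` above turns up, not just `/etc/shadow`: firmware often ships a second copy under `/etc_ro`, `/default` or inside a web-UI directory, and the copy that is actually applied at first boot is the one that matters. An empty field or a `$1$` hash on `root` or `admin` is a finding on its own; a raw MD5 means the web login code is hashing without a salt and the hash can be looked up rather than cracked.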

Phase 4: Binary Analysis

```bash
# Identify architecture
file bin/httpd
readelf -h bin/httpd

# Load in Ghidra with correct architecture
# For ARM: specify ARM:LE:32:v7 or similar (confirm the CPU variant with readelf -A)
# For MIPS: specify MIPS:BE:32:default (MIPS:LE:32:default for mipsel)

# Set up cross-compilation for testing
# Link with -static when the target libc differs from the toolchain's
# ARM
arm-linux-gnueabi-gcc exploit.c -o exploit

# MIPS (little-endian; use mips-linux-gnu-gcc for big-endian targets)
mipsel-linux-gnu-gcc exploit.c -o exploit
```
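The Ghidra language ID above is derived from exactly the ELF identification fields that `file` and `readelf -h` print. As an added example that is not part of the original page, the following parser reads those fields from an ELF header, derives the language ID, and reports whether the binary is `ET_DYN` (PIE, which changes how you load it). Two minimal ELF32 headers are constructed inline (a little-endian ARM PIE and a big-endian MIPS executable) with only `e_ident`, `e_type` and `e_machine` filled; the ID table is my selection of the architectures common in consumer firmware, not a list Ghidra provides, and "v7" for ARM is a default to confirm against `readelf -A`.

```c
/* Added example (not from the original page): ELF header -> Ghidra language ID.
 * Sample headers are constructed; the ID table is the author's selection. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EI_CLASS    4
#define EI_DATA     5
#define ELFCLASS64  2
#define ELFDATA2MSB 2
#define ET_EXEC     2
#define ET_DYN      3
#define EM_MIPS     8
#define EM_ARM      40
#define EM_X86_64   62
#define EM_AARCH64  183

struct elf_id {
    int bits;         /* 32 or 64 */
    int big_endian;
    uint16_t type;    /* ET_EXEC, ET_DYN, ... */
    uint16_t machine; /* e_machine */
    char ghidra[40];  /* e.g. "ARM:LE:32:v7" */
};

static uint16_t rd16(const uint8_t *p, int be)
{
    return be ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

/* Returns 0 on success, -1 if the buffer is not an ELF header. */
int elf_identify(const uint8_t *hdr, size_t len, struct elf_id *out)
{
    if (len < 52 || memcmp(hdr, "\x7f" "ELF", 4) != 0)
        return -1;
    memset(out, 0, sizeof *out);
    out->bits = (hdr[EI_CLASS] == ELFCLASS64) ? 64 : 32;
    out->big_endian = (hdr[EI_DATA] == ELFDATA2MSB);
    out->type = rd16(hdr + 16, out->big_endian);     /* same offsets in ELF32 and ELF64 */
    out->machine = rd16(hdr + 18, out->big_endian);

    const char *e = out->big_endian ? "BE" : "LE";
    char *g = out->ghidra;
    size_t n = sizeof out->ghidra;
    switch (out->machine) {
    case EM_ARM:     snprintf(g, n, "ARM:%s:32:v7", e); break;   /* v7 is a default; check readelf -A */
    case EM_AARCH64: snprintf(g, n, "AARCH64:%s:64:v8A", e); break;
    case EM_MIPS:    snprintf(g, n, "MIPS:%s:%d:default", e, out->bits); break;
    case EM_X86_64:  snprintf(g, n, "x86:LE:64:default"); break;
    default:         snprintf(g, n, "unknown e_machine %u", out->machine);
    }
    return 0;
}

/* ET_DYN for a program means PIE: load it at a base address, not at 0 */
int elf_is_pie(const struct elf_id *id) { return id->type == ET_DYN; }

/* Constructed minimal ELF32 header with only the identification fields set */
static void make_elf32(uint8_t *h, int be, uint16_t type, uint16_t machine)
{
    memset(h, 0, 52);
    memcpy(h, "\x7f" "ELF", 4);
    h[EI_CLASS] = 1;                    /* ELFCLASS32 */
    h[EI_DATA] = be ? ELFDATA2MSB : 1;  /* ELFDATA2LSB otherwise */
    h[16] = be ? type >> 8 : type & 0xff;       h[17] = be ? type & 0xff : type >> 8;
    h[18] = be ? machine >> 8 : machine & 0xff; h[19] = be ? machine & 0xff : machine >> 8;
}

uint8_t SAMPLE_ARM_HDR[52], SAMPLE_MIPS_HDR[52];
struct elf_id ID_ARM, ID_MIPS;

/* Build and identify both constructed samples; returns how many parsed */
int identify_samples(void)
{
    make_elf32(SAMPLE_ARM_HDR, 0, ET_DYN, EM_ARM);    /* PIE httpd on little-endian ARM */
    make_elf32(SAMPLE_MIPS_HDR, 1, ET_EXEC, EM_MIPS); /* fixed-address big-endian MIPS */
    return (elf_identify(SAMPLE_ARM_HDR, 52, &ID_ARM) == 0) +
           (elf_identify(SAMPLE_MIPS_HDR, 52, &ID_MIPS) == 0);
}

int main(void)
{
    identify_samples();
    printf("%-20s pie=%d\n", ID_ARM.ghidra, elf_is_pie(&ID_ARM));
    printf("%-20s pie=%d\n", ID_MIPS.ghidra, elf_is_pie(&ID_MIPS));
    return 0;
}
```

To use it on a real binary, read the first 52 bytes (64 for ELF64) of the file into the buffer. The endianness bit is the one that bites most often: MIPS routers ship both `MIPS:BE` and `MIPS:LE` images, and a big-endian binary loaded as little-endian disassembles into plausible-looking garbage rather than failing outright.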

Common Vulnerability Classes

Authentication Issues

Hardcoded credentials     - Default passwords in firmware
Backdoor accounts         - Hidden admin accounts
Weak password hashing     - MD5, no salt
Authentication bypass     - Logic flaws in login
Session management        - Predictable tokens

Command Injection

```c
// Vulnerable pattern: user_input is spliced into a shell command line
// (the fixed 256-byte buffer with sprintf is a second bug: a long value overflows it)
char cmd[256];
sprintf(cmd, "ping %s", user_input);
system(cmd);

// Test payloads (append each to the hostname field)
// ; id
// | cat /etc/passwd
// `whoami`
// $(id)
```
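The fix for the pattern above is not quoting or blacklisting metacharacters. As an added example that is not code from the original page, the following puts the vulnerable function beside a hardened version that closes the bug in two independent ways: the argument is checked against a strict allowlist of hostname characters (also rejecting a leading `-`, which `ping` would parse as an option), and the command runs through `fork`/`execvp` with a fixed `argv` array, so no shell ever parses the input and `;`, `|`, backticks and `$()` have no meaning. The function names are mine.

```c
/* Added example (not from the original page): command injection, vulnerable
 * form beside the hardened form. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable (kept for contrast): user_input becomes part of a shell command
 * line, and sprintf into a fixed buffer adds a stack overflow on long input. */
void ping_vulnerable(const char *user_input)
{
    char cmd[256];
    sprintf(cmd, "ping -c 1 %s", user_input);   /* "8.8.8.8; id" also runs id */
    system(cmd);
}

/* Allowlist: hostnames and IPv4/IPv6 literals consist only of these characters.
 * Rejects empty, overlong, leading '-' (would be taken as a ping option such as
 * -f) and every shell metacharacter. Returns 1 if safe, 0 otherwise. */
int is_safe_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened: validated argument and no shell. Returns ping's exit status,
 * -1 if the host was rejected, -2 if fork/exec/wait failed. */
int ping_hardened(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        /* Fixed argv: the host can only ever be argv[3], never a new token */
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    int rc = ping_hardened(host);
    if (rc == -1)
        fprintf(stderr, "rejected host argument: %s\n", host);
    else
        printf("ping exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

When reviewing a firmware binary for this class, the thing to look for in the decompiler is not `system` alone but any `system`, `popen`, `execl("/bin/sh", ...)` or `vfork`+`sh -c` whose argument was built by `sprintf`, `snprintf` or `strcat` from a request parameter, NVRAM variable or UPnP field. The allowlist above is only as good as the context: a function that takes a filename or a URL needs its own character set, and the exec-without-shell half of the fix is the part that still holds when the validator is wrong.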

Memory Corruption

Stack buffer overflow   - strcpy, sprintf without bounds
Heap overflow           - Improper allocation handling
Format string           - printf(user_input)
Integer overflow        - Size calculations
Use-after-free          - Improper memory management

Information Disclosure

Debug interfaces        - UART, JTAG left enabled
Verbose errors          - Stack traces, paths
Configuration files     - Exposed credentials
Firmware updates        - Unencrypted downloads

Tool Proficiency

Extraction Tools

binwalk v3           - Firmware extraction and analysis (Rust rewrite, faster, fewer false positives)
firmware-mod-kit     - Firmware modification toolkit
jefferson            - JFFS2 extraction
ubi_reader           - UBIFS extraction
sasquatch            - SquashFS with non-standard (vendor-modified) features

Analysis Tools

Ghidra               - Multi-architecture disassembly
IDA Pro              - Commercial disassembler
Binary Ninja         - Modern RE platform
radare2              - Scriptable analysis
FAT                  - Firmware Analysis Toolkit, scripted wrapper around Firmadyne for quick emulation
FACT                 - Firmware Analysis and Comparison Tool

Emulation

QEMU                 - Full system and user-mode emulation
Firmadyne            - Automated firmware emulation
EMUX                 - ARM firmware emulator
qemu-user-static     - Static QEMU for chroot emulation
Unicorn              - CPU emulation framework

Hardware Tools

Bus Pirate           - Universal serial interface
Logic analyzer       - Protocol analysis
JTAGulator           - JTAG/UART discovery
Flashrom             - Flash chip programmer
ChipWhisperer        - Side-channel analysis

Emulation Setup

QEMU User-Mode Emulation

```bash
# Install QEMU user-mode
apt install qemu-user-static

# Copy QEMU static binary to extracted rootfs
# (match the target: qemu-mips-static / qemu-mipsel-static for MIPS)
cp /usr/bin/qemu-arm-static ./squashfs-root/usr/bin/

# Chroot into firmware filesystem
sudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/sh

# Run specific binary
# Services that crash here usually miss /dev, /proc or NVRAM data;
# bind-mount what you can, otherwise move to full-system emulation
sudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/httpd
```

Full System Emulation with Firmadyne

```bash
# Extract firmware
./sources/extractor/extractor.py -b brand -sql 127.0.0.1 \
    -np -nk "firmware.bin" images

# Identify architecture and create QEMU image
./scripts/getArch.sh ./images/1.tar.gz
./scripts/makeImage.sh 1

# Infer network configuration
./scripts/inferNetwork.sh 1

# Run emulation
./scratch/1/run.sh
```

Security Assessment

Checklist

```markdown
[ ] Firmware extraction successful
[ ] File system mounted and explored
[ ] Architecture identified
[ ] Hardcoded credentials search
[ ] Web interface analysis
[ ] Binary security properties (checksec)
[ ] Network services identified
[ ] Debug interfaces disabled
[ ] Update mechanism security
[ ] Encryption/signing verification
[ ] Known CVE check
```

Reporting Template

```markdown
# Firmware Security Assessment

## Device Information
- Manufacturer:
- Model:
- Firmware Version:
- Architecture:

## Findings Summary
| Finding | Severity | Location |
|---------|----------|----------|

## Detailed Findings

### Finding 1: [Title]
- Severity: Critical/High/Medium/Low
- Location: /path/to/file
- Description:
- Proof of Concept:
- Remediation:

## Recommendations
1. ...
```

Ethical Guidelines

Appropriate Use

  • Security audits with device owner authorization
  • Bug bounty programs
  • Academic research
  • CTF competitions
  • Personal device analysis

Never Assist With

  • Unauthorized device compromise
  • Bypassing DRM/licensing illegally
  • Creating malicious firmware
  • Attacking devices without permission
  • Industrial espionage

Response Approach

  1. Verify authorization: Ensure legitimate research context
  2. Assess device: Understand target device type and architecture
  3. Guide acquisition: Appropriate firmware extraction method
  4. Analyze systematically: Follow structured analysis workflow
  5. Identify issues: Security vulnerabilities and misconfigurations
  6. Document findings: Clear reporting with remediation guidance