install
source · Clone the upstream repo
git clone https://github.com/rootcastleco/rei-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/rootcastleco/rei-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/firmware-analyst" ~/.claude/skills/rootcastleco-rei-skills-firmware-analyst && rm -rf "$T"
manifest:
skills/firmware-analyst/SKILL.mdsource content
⚠️ AUTHORIZED USE ONLY — This skill is intended for authorized security professionals only. Use only against systems you own or have explicit written permission to test. Unauthorized use may violate applicable laws.
Download from vendor
wget http://vendor.com/firmware/update.bin
Extract from device via debug interface
UART console access
screen /dev/ttyUSB0 115200
Copy firmware partition
dd if=/dev/mtd0 of=/tmp/firmware.bin
Extract via network protocols
TFTP during boot
HTTP/FTP from device web interface
### Hardware Methods
UART access - Serial console connection JTAG/SWD - Debug interface for memory access SPI flash dump - Direct chip reading NAND/NOR dump - Flash memory extraction Chip-off - Physical chip removal and reading Logic analyzer - Protocol capture and analysis
## Use this skill when - Working on download from vendor tasks or workflows - Needing guidance, best practices, or checklists for download from vendor ## Do not use this skill when - The task is unrelated to download from vendor - You need a different domain or tool outside this scope ## Instructions - Clarify goals, constraints, and required inputs. - Apply relevant best practices and validate outcomes. - Provide actionable steps and verification. - If detailed examples are required, open `resources/implementation-playbook.md`. ## Firmware Analysis Workflow ### Phase 1: Identification ```bash # Basic file identification file firmware.bin binwalk firmware.bin # Entropy analysis (detect compression/encryption) # Binwalk v3: generates entropy PNG graph binwalk --entropy firmware.bin binwalk -E firmware.bin # Short form # Identify embedded file systems and auto-extract binwalk --extract firmware.bin binwalk -e firmware.bin # Short form # String analysis strings -a firmware.bin | grep -i "password\|key\|secret"
Phase 2: Extraction
# Binwalk v3 recursive extraction (matryoshka mode) binwalk --extract --matryoshka firmware.bin binwalk -eM firmware.bin # Short form # Extract to custom directory binwalk -e -C ./extracted firmware.bin # Verbose output during recursive extraction binwalk -eM --verbose firmware.bin # Manual extraction for specific formats # SquashFS unsquashfs filesystem.squashfs # JFFS2 jefferson filesystem.jffs2 -d output/ # UBIFS ubireader_extract_images firmware.ubi # YAFFS unyaffs filesystem.yaffs # Cramfs cramfsck -x output/ filesystem.cramfs
Phase 3: File System Analysis
# Explore extracted filesystem find . -name "*.conf" -o -name "*.cfg" find . -name "passwd" -o -name "shadow" find . -type f -executable # Find hardcoded credentials grep -r "password" . grep -r "api_key" . grep -rn "BEGIN RSA PRIVATE KEY" . # Analyze web interface find . -name "*.cgi" -o -name "*.php" -o -name "*.lua" # Check for vulnerable binaries checksec --dir=./bin/
Phase 4: Binary Analysis
# Identify architecture file bin/httpd readelf -h bin/httpd # Load in Ghidra with correct architecture # For ARM: specify ARM:LE:32:v7 or similar # For MIPS: specify MIPS:BE:32:default # Set up cross-compilation for testing # ARM arm-linux-gnueabi-gcc exploit.c -o exploit # MIPS mipsel-linux-gnu-gcc exploit.c -o exploit
Common Vulnerability Classes
Authentication Issues
Hardcoded credentials - Default passwords in firmware Backdoor accounts - Hidden admin accounts Weak password hashing - MD5, no salt Authentication bypass - Logic flaws in login Session management - Predictable tokens
Command Injection
// Vulnerable pattern char cmd[256]; sprintf(cmd, "ping %s", user_input); system(cmd); // Test payloads ; id | cat /etc/passwd `whoami` $(id)
Memory Corruption
Stack buffer overflow - strcpy, sprintf without bounds Heap overflow - Improper allocation handling Format string - printf(user_input) Integer overflow - Size calculations Use-after-free - Improper memory management
Information Disclosure
Debug interfaces - UART, JTAG left enabled Verbose errors - Stack traces, paths Configuration files - Exposed credentials Firmware updates - Unencrypted downloads
Tool Proficiency
Extraction Tools
binwalk v3 - Firmware extraction and analysis (Rust rewrite, faster, fewer false positives) firmware-mod-kit - Firmware modification toolkit jefferson - JFFS2 extraction ubi_reader - UBIFS extraction sasquatch - SquashFS with non-standard features
Analysis Tools
Ghidra - Multi-architecture disassembly IDA Pro - Commercial disassembler Binary Ninja - Modern RE platform radare2 - Scriptable analysis Firmware Analysis Toolkit (FAT) FACT - Firmware Analysis and Comparison Tool
Emulation
QEMU - Full system and user-mode emulation Firmadyne - Automated firmware emulation EMUX - ARM firmware emulator qemu-user-static - Static QEMU for chroot emulation Unicorn - CPU emulation framework
Hardware Tools
Bus Pirate - Universal serial interface Logic analyzer - Protocol analysis JTAGulator - JTAG/UART discovery Flashrom - Flash chip programmer ChipWhisperer - Side-channel analysis
Emulation Setup
QEMU User-Mode Emulation
# Install QEMU user-mode apt install qemu-user-static # Copy QEMU static binary to extracted rootfs cp /usr/bin/qemu-arm-static ./squashfs-root/usr/bin/ # Chroot into firmware filesystem sudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/sh # Run specific binary sudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/httpd
Full System Emulation with Firmadyne
# Extract firmware ./sources/extractor/extractor.py -b brand -sql 127.0.0.1 \ -np -nk "firmware.bin" images # Identify architecture and create QEMU image ./scripts/getArch.sh ./images/1.tar.gz ./scripts/makeImage.sh 1 # Infer network configuration ./scripts/inferNetwork.sh 1 # Run emulation ./scratch/1/run.sh
Security Assessment
Checklist
[ ] Firmware extraction successful [ ] File system mounted and explored [ ] Architecture identified [ ] Hardcoded credentials search [ ] Web interface analysis [ ] Binary security properties (checksec) [ ] Network services identified [ ] Debug interfaces disabled [ ] Update mechanism security [ ] Encryption/signing verification [ ] Known CVE check
Reporting Template
# Firmware Security Assessment ## Device Information - Manufacturer: - Model: - Firmware Version: - Architecture: ## Findings Summary | Finding | Severity | Location | |---------|----------|----------| ## Detailed Findings ### Finding 1: [Title] - Severity: Critical/High/Medium/Low - Location: /path/to/file - Description: - Proof of Concept: - Remediation: ## Recommendations 1. ...
Ethical Guidelines
Appropriate Use
- Security audits with device owner authorization
- Bug bounty programs
- Academic research
- CTF competitions
- Personal device analysis
Never Assist With
- Unauthorized device compromise
- Bypassing DRM/licensing illegally
- Creating malicious firmware
- Attacking devices without permission
- Industrial espionage
Response Approach
- Verify authorization: Ensure legitimate research context
- Assess device: Understand target device type and architecture
- Guide acquisition: Appropriate firmware extraction method
- Analyze systematically: Follow structured analysis workflow
- Identify issues: Security vulnerabilities and misconfigurations
- Document findings: Clear reporting with remediation guidance
🏰 Rei Skills — Curated by Rootcastle Engineering & Innovation | Batuhan Ayrıbaş
Engineering Beyond Boundaries | admin@rootcastle.com