{"id":"a196ab23-3fab-4a6a-9616-a5f5464cb737","shortId":"U2nZjn","kind":"skill","title":"firmware-analyst","tagline":"Expert firmware analyst specializing in embedded systems, IoT security, and hardware reverse engineering.","description":"# Download from vendor\nwget http://vendor.com/firmware/update.bin\n\n# Extract from device via debug interface\n# UART console access\nscreen /dev/ttyUSB0 115200\n# Copy firmware partition\ndd if=/dev/mtd0 of=/tmp/firmware.bin\n\n# Extract via network protocols\n# TFTP during boot\n# HTTP/FTP from device web interface\n```\n\n### Hardware Methods\n```\nUART access         - Serial console connection\nJTAG/SWD           - Debug interface for memory access\nSPI flash dump     - Direct chip reading\nNAND/NOR dump      - Flash memory extraction\nChip-off           - Physical chip removal and reading\nLogic analyzer     - Protocol capture and analysis\n```\n\n## Use this skill when\n\n- Working on download from vendor tasks or workflows\n- Needing guidance, best practices, or checklists for download from vendor\n\n## Do not use this skill when\n\n- The task is unrelated to download from vendor\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources/implementation-playbook.md`.\n\n## Firmware Analysis Workflow\n\n### Phase 1: Identification\n```bash\n# Basic file identification\nfile firmware.bin\nbinwalk firmware.bin\n\n# Entropy analysis (detect compression/encryption)\n# Binwalk v3: generates entropy PNG graph\nbinwalk --entropy firmware.bin\nbinwalk -E firmware.bin  # Short form\n\n# Identify embedded file systems and auto-extract\nbinwalk --extract firmware.bin\nbinwalk -e firmware.bin  # Short form\n\n# String analysis\nstrings -a firmware.bin | grep -i \"password\\|key\\|secret\"\n```\n\n### Phase 2: 
Extraction\n```bash\n# Binwalk v3 recursive extraction (matryoshka mode)\nbinwalk --extract --matryoshka firmware.bin\nbinwalk -eM firmware.bin  # Short form\n\n# Extract to custom directory\nbinwalk -e -C ./extracted firmware.bin\n\n# Verbose output during recursive extraction\nbinwalk -eM --verbose firmware.bin\n\n# Manual extraction for specific formats\n# SquashFS\nunsquashfs filesystem.squashfs\n\n# JFFS2\njefferson filesystem.jffs2 -d output/\n\n# UBIFS\nubireader_extract_images firmware.ubi\n\n# YAFFS\nunyaffs filesystem.yaffs\n\n# Cramfs\ncramfsck -x output/ filesystem.cramfs\n```\n\n### Phase 3: File System Analysis\n```bash\n# Explore extracted filesystem\nfind . -name \"*.conf\" -o -name \"*.cfg\"\nfind . -name \"passwd\" -o -name \"shadow\"\nfind . -type f -executable\n\n# Find hardcoded credentials\ngrep -r \"password\" .\ngrep -r \"api_key\" .\ngrep -rn \"BEGIN RSA PRIVATE KEY\" .\n\n# Analyze web interface\nfind . -name \"*.cgi\" -o -name \"*.php\" -o -name \"*.lua\"\n\n# Check for vulnerable binaries\nchecksec --dir=./bin/\n```\n\n### Phase 4: Binary Analysis\n```bash\n# Identify architecture\nfile bin/httpd\nreadelf -h bin/httpd\n\n# Load in Ghidra with correct architecture\n# For ARM: specify ARM:LE:32:v7 or similar\n# For MIPS: specify MIPS:BE:32:default\n\n# Set up cross-compilation for testing\n# ARM\narm-linux-gnueabi-gcc exploit.c -o exploit\n# MIPS\nmipsel-linux-gnu-gcc exploit.c -o exploit\n```\n\n## Common Vulnerability Classes\n\n### Authentication Issues\n```\nHardcoded credentials     - Default passwords in firmware\nBackdoor accounts         - Hidden admin accounts\nWeak password hashing     - MD5, no salt\nAuthentication bypass     - Logic flaws in login\nSession management        - Predictable tokens\n```\n\n### Command Injection\n```c\n// Vulnerable pattern\nchar cmd[256];\nsprintf(cmd, \"ping %s\", user_input);\nsystem(cmd);\n\n// Test payloads\n; id\n| cat /etc/passwd\n`whoami`\n$(id)\n```\n\n### Memory Corruption\n```\nStack 
buffer overflow    - strcpy, sprintf without bounds\nHeap overflow           - Improper allocation handling\nFormat string           - printf(user_input)\nInteger overflow        - Size calculations\nUse-after-free          - Improper memory management\n```\n\n### Information Disclosure\n```\nDebug interfaces        - UART, JTAG left enabled\nVerbose errors          - Stack traces, paths\nConfiguration files     - Exposed credentials\nFirmware updates        - Unencrypted downloads\n```\n\n## Tool Proficiency\n\n### Extraction Tools\n```\nbinwalk v3           - Firmware extraction and analysis (Rust rewrite, faster, fewer false positives)\nfirmware-mod-kit     - Firmware modification toolkit\njefferson            - JFFS2 extraction\nubi_reader           - UBIFS extraction\nsasquatch            - SquashFS with non-standard features\n```\n\n### Analysis Tools\n```\nGhidra               - Multi-architecture disassembly\nIDA Pro              - Commercial disassembler\nBinary Ninja         - Modern RE platform\nradare2              - Scriptable analysis\nFirmware Analysis Toolkit (FAT)\nFACT                 - Firmware Analysis and Comparison Tool\n```\n\n### Emulation\n```\nQEMU                 - Full system and user-mode emulation\nFirmadyne            - Automated firmware emulation\nEMUX                 - ARM firmware emulator\nqemu-user-static     - Static QEMU for chroot emulation\nUnicorn              - CPU emulation framework\n```\n\n### Hardware Tools\n```\nBus Pirate           - Universal serial interface\nLogic analyzer       - Protocol analysis\nJTAGulator           - JTAG/UART discovery\nFlashrom             - Flash chip programmer\nChipWhisperer        - Side-channel analysis\n```\n\n## Emulation Setup\n\n### QEMU User-Mode Emulation\n```bash\n# Install QEMU user-mode\napt install qemu-user-static\n\n# Copy QEMU static binary to extracted rootfs\ncp /usr/bin/qemu-arm-static ./squashfs-root/usr/bin/\n\n# Chroot into firmware filesystem\nsudo chroot 
squashfs-root /usr/bin/qemu-arm-static /bin/sh\n\n# Run specific binary\nsudo chroot squashfs-root /usr/bin/qemu-arm-static /bin/httpd\n```\n\n### Full System Emulation with Firmadyne\n```bash\n# Extract firmware\n./sources/extractor/extractor.py -b brand -sql 127.0.0.1 \\\n    -np -nk \"firmware.bin\" images\n\n# Identify architecture and create QEMU image\n./scripts/getArch.sh ./images/1.tar.gz\n./scripts/makeImage.sh 1\n\n# Infer network configuration\n./scripts/inferNetwork.sh 1\n\n# Run emulation\n./scratch/1/run.sh\n```\n\n## Security Assessment\n\n### Checklist\n```markdown\n[ ] Firmware extraction successful\n[ ] File system mounted and explored\n[ ] Architecture identified\n[ ] Hardcoded credentials search\n[ ] Web interface analysis\n[ ] Binary security properties (checksec)\n[ ] Network services identified\n[ ] Debug interfaces disabled\n[ ] Update mechanism security\n[ ] Encryption/signing verification\n[ ] Known CVE check\n```\n\n### Reporting Template\n```markdown\n# Firmware Security Assessment\n\n## Device Information\n- Manufacturer:\n- Model:\n- Firmware Version:\n- Architecture:\n\n## Findings Summary\n| Finding | Severity | Location |\n|---------|----------|----------|\n\n## Detailed Findings\n### Finding 1: [Title]\n- Severity: Critical/High/Medium/Low\n- Location: /path/to/file\n- Description:\n- Proof of Concept:\n- Remediation:\n\n## Recommendations\n1. ...\n```\n\n## Ethical Guidelines\n\n### Appropriate Use\n- Security audits with device owner authorization\n- Bug bounty programs\n- Academic research\n- CTF competitions\n- Personal device analysis\n\n### Never Assist With\n- Unauthorized device compromise\n- Bypassing DRM/licensing illegally\n- Creating malicious firmware\n- Attacking devices without permission\n- Industrial espionage\n\n## Response Approach\n\n1. **Verify authorization**: Ensure legitimate research context\n2. **Assess device**: Understand target device type and architecture\n3. 
**Guide acquisition**: Appropriate firmware extraction method\n4. **Analyze systematically**: Follow structured analysis workflow\n5. **Identify issues**: Security vulnerabilities and misconfigurations\n6. **Document findings**: Clear reporting with remediation guidance\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["firmware","analyst","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-firmware-analyst","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/firmware-analyst","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34793 github stars · SKILL.md body (7,951 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T00:50:56.911Z","embedding":null,"createdAt":"2026-04-18T21:37:16.225Z","updatedAt":"2026-04-24T00:50:56.911Z","lastSeenAt":"2026-04-24T00:50:56.911Z","prices":[{"id":"7a82b0ff-f5a5-41e2-ba9c-913b241debfb","listingId":"a196ab23-3fab-4a6a-9616-a5f5464cb737","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:37:16.225Z"}],"sources":[{"listingId":"a196ab23-3fab-4a6a-9616-a5f5464cb737","source":"github","sourceId":"sickn33/antigravity-awesome-skills/firmware-analyst","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/firmware-analyst","isPrimary":false,"firstSeenAt":"2026-04-18T21:37:16.225Z","lastSeenAt":"2026-04-24T00:50:56.911Z"}],"details":{"listingId":"a196ab23-3fab-4a6a-9616-a5f5464cb737","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"firmware-analyst","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34793,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-24T00:28:59Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"c0edc2e1319f4bb4a3373b911b474e1625a6c905","skill_md_path":"skills/firmware-analyst/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/firmware-analyst"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"firmware-analyst","description":"Expert firmware analyst specializing in embedded systems, IoT security, and hardware reverse engineering."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/firmware-analyst"},"updatedAt":"2026-04-24T00:50:56.911Z"}}