Skip to content

Cracking Firmware with Claude Senior-Level Skill, Junior-Lev...#2483

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Cracking_Firmware_with_Claude_Senior-Level_Skill_8487f72e67f9bcf2
Open

Cracking Firmware with Claude Senior-Level Skill, Junior-Lev...#2483
carlospolop wants to merge 1 commit into
masterfrom
update_Cracking_Firmware_with_Claude_Senior-Level_Skill_8487f72e67f9bcf2

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Overview: The post describes a hands-on firmware-reversing and key-extraction experiment in which Bishop Fox used Claude Code running Sonnet 4.5 to decrypt a proprietary SonicWall SWI firmware image. This is not presented as a CVE and no CVE number is assigned; the value is in the detailed methodology for defeating firmware confidentiality by recovering operational decryption keys from a decrypted appliance filesystem.

Target artifacts and goal: The researcher provi...

🔧 Technical Details

Firmware container triage using magic bytes and length-based crypto inference: When analyzing an encrypted firmware format, first map the file structure: readable headers, signatures, base64 lines, magic bytes, offsets, and ciphertext boundaries. In this case, Salted__ at offset 0x366 identified OpenSSL enc formatting, where the following 8 bytes are the salt and the rest is encrypted payload. A base64 blob decoding to exactly 256 bytes strongly indicated an RSA-2048 ciphertext, suggesting a hybrid encryption design: RSA wraps a firmware password/session key, and AES-256-CBC encrypts the bulk payload.

Reverse the operational decrypt path instead of only searching for private keys: If grep and strings do not reveal a private key, inspect the binary that normally processes updates. Decompiled updater logic can expose the exact decrypt function, backend KMS, key name, and data flow. Here, ...

🤖 Agent Actions

Updated src/hardware-physical-access/firmware-analysis/README.md.

Added a concise new section covering:

  • encrypted firmware container triage (Salted__, 256-byte RSA blob, mixed plaintext/ciphertext)
  • reversing the appliance-side decrypt path instead of only hunting PEM keys
  • abusing embedded Vault/KMS unseal automation in extracted filesystems
  • replaying the vendor Vault binary + storage instead of reimplementing nested Vault crypto
  • exporting transit keys and testing RSA OAEP/hash parameters
  • reproducing OpenSSL EVP_BytesToKey + AES-CBC decryption offline

Also added the Bishop Fox blog URL under the existing ## References section.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/cracking-firmware-with-claude-senior-level-skill-junior-level-autonomy

Content Categories: Based on the analysis, this content was categorized under "Hardware/Physical Access > Firmware Analysis, with cross-references from Reversing and Crypto".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant