Firmware / IoT / OT — PhantomYerra Help

Firmware binary file (.bin, .img, .fw, .hex) from client or extracted from device
Device type and architecture known (ARM, MIPS, x86, RISC-V)
Written authorization covering firmware analysis and device testing
For live device testing: hardware access, UART/JTAG interface cables if needed
For OT/SCADA: network access to the OT segment with safety coordinator present

1

Select Firmware / IoT from Home Screen

Click 🔌 Firmware / IoT / OT. Select assessment type: Firmware Analysis, Live Device Testing, Protocol Audit (MQTT/BLE/Zigbee), or OT/SCADA.
2

Upload Firmware Binary

Drag and drop the firmware file. PhantomYerra runs file and binwalk to identify format, architecture, and compression type automatically.
3

Claude Runs Full Firmware Analysis Pipeline

Phase 1: Extraction — binwalk -e (recursive filesystem extraction) Phase 2: Analysis — EMBA: architecture, OS, services, CVE match Phase 3: Secrets — firmwalker: passwords, keys, certs in filesystem Phase 4: CVE matching — cve-bin-tool: match binaries to CVE database Phase 5: Decompile — Ghidra headless: decompile key binaries Phase 6: AI analysis — Claude reviews decompiled code (anonymized) Phase 7: Crypto audit — weak crypto: MD5 passwords, hardcoded keys Phase 8: Report — findings with CVSS scores and remediation
4

Review IoT/Firmware Security Report

Report includes: firmware metadata, extracted file system contents summary, secrets found, CVE matches by binary, decompiled vulnerability analysis, and OWASP IoT Top 10 mapping.

⏱️ Typical duration: 30–120 minutes depending on firmware size and Ghidra analysis depth.

1

Upload Firmware and Start Wizard

Claude proposes extraction as first step. Approve to begin.
2

Approve Analysis Steps

Proposal: "Run binwalk -e on firmware.bin — extract filesystem" → [Approve] → SquashFS extracted: 1,247 files Proposal: "Run firmwalker to find credentials and keys in extracted FS" → [Approve] → Found: /etc/passwd with MD5 hashed passwords /etc/ssl/private/device.key (RSA private key) /usr/bin/httpd hardcoded password: admin/admin123 Proposal: "Run cve-bin-tool on extracted binaries" → [Approve] → busybox 1.31.0: CVE-2021-42373 (critical), 3 more vulns OpenSSL 1.0.2: 8 CVEs including Heartbleed variant

⏱️ Typical duration: 1–3 hours with active approval.

1

Extract Firmware

binwalk -e firmware.bin cd _firmware.bin.extracted/ ls -la # identify SquashFS, JFFS2, or raw filesystem
2

Find Hardcoded Credentials and Secrets

firmwalker.sh ./_firmware.bin.extracted/ # Manual grep find . -name "*.conf" -o -name "*.env" -o -name "*.cfg" | \ xargs grep -l "password\|passwd\|secret\|key" 2>/dev/null strings firmware.bin | grep -E "(password|secret|key|token).*=" # Find SSH keys find . -name "*.pem" -o -name "*.key" -o -name "id_rsa" 2>/dev/null
3

CVE Matching

cve-bin-tool ./_firmware.bin.extracted/ \ --format json \ --output cve_results.json # EMBA full analysis sudo emba -f firmware.bin -l emba_output/ -s
4

Ghidra Decompilation

analyzeHeadless /tmp/ghidra_proj FirmwareProj \ -import ./_firmware.bin.extracted/usr/bin/httpd \ -postScript DecompileAll.py \ -scriptPath /opt/phantomyerra/config/ghidra_scripts/
5

MQTT Protocol Audit

# Subscribe to all topics (unauthenticated test) mosquitto_sub -h [device-ip] -t "#" -v # Check for authentication required mosquitto_pub -h [device-ip] -t "test" -m "hello" 2>&1 # mqtt-pwn for automated MQTT security testing mqtt-pwn -c [device-ip] -p 1883

⏱️ Duration: 1 day (firmware only) to 3 days (full IoT device assessment including hardware interfaces).

Firmware / IoT / OT Security