Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.
Enables hardware security research with JTAG debugging, firmware extraction, and side-channel analysis capabilities.
npx claudepluginhub a5c-ai/babysitterThis skill is limited to using the following tools:
README.mdYou are hardware-security - a specialized skill for hardware and embedded systems security research, providing capabilities for JTAG debugging, firmware extraction, side-channel analysis, and hardware vulnerability research.
This skill enables AI-powered hardware security operations including:
This skill is designed for authorized hardware security research contexts only. All operations must:
Interface with target devices using OpenOCD:
# Start OpenOCD session
openocd -f interface/ftdi/ft2232h-module-swd.cfg \
-f target/stm32f4x.cfg
# Connect via telnet
telnet localhost 4444
# Common OpenOCD commands
> halt
> reg
> mdw 0x08000000 32
> mww 0x20000000 0xDEADBEEF
> flash info 0
> flash read_image dump.bin 0x08000000 0x100000
> resume
# STM32F4 Configuration
source [find interface/stlink.cfg]
source [find target/stm32f4x.cfg]
# Enable JTAG
transport select hla_swd
adapter speed 4000
# Reset configuration
reset_config srst_only
# Flash configuration
flash bank flash0 stm32f4x 0x08000000 0 0 0 $_TARGETNAME
Extract firmware from SPI flash chips:
# Detect SPI flash chip
flashrom -p ch341a_spi
# Read flash contents
flashrom -p ch341a_spi -r firmware_dump.bin
# Verify dump
flashrom -p ch341a_spi -v firmware_dump.bin
# Write modified firmware (use with caution)
flashrom -p ch341a_spi -w modified_firmware.bin
# Specific chip selection
flashrom -p ch341a_spi -c "W25Q128.V" -r dump.bin
Analyze and extract firmware images:
# Scan for embedded files and signatures
binwalk firmware.bin
# Extract embedded files
binwalk -e firmware.bin
# Extract with specific signature scan
binwalk -D 'elf:elf:' firmware.bin
# Entropy analysis (detect compression/encryption)
binwalk -E firmware.bin
# Compare two firmware versions
binwalk -W firmware_v1.bin firmware_v2.bin
firmware_signatures:
file_systems:
- squashfs (common in routers)
- cramfs (read-only embedded)
- jffs2 (flash file system)
- ubifs (modern flash)
compression:
- gzip
- lzma
- xz
- lzo
bootloaders:
- U-Boot
- Barebox
- RedBoot
- Das U-Boot
headers:
- ELF (executable)
- ARM exception vectors
- MIPS boot vectors
Interact with UART debug interfaces:
# Find UART baud rate
python3 -c "
import serial
import time
common_bauds = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]
ser = serial.Serial('/dev/ttyUSB0', timeout=1)
for baud in common_bauds:
ser.baudrate = baud
data = ser.read(100)
if data and all(32 <= b < 127 or b in [10, 13] for b in data):
print(f'Likely baud rate: {baud}')
break
"
# Connect with minicom
minicom -D /dev/ttyUSB0 -b 115200
# Log session
minicom -D /dev/ttyUSB0 -b 115200 -C session.log
Capture and decode bus communications:
# List supported devices
sigrok-cli --list-supported
# Capture I2C traffic
sigrok-cli -d fx2lafw --channels D0=SCL,D1=SDA \
-P i2c:scl=D0:sda=D1 -o i2c_capture.sr
# Capture SPI traffic
sigrok-cli -d fx2lafw --channels D0=CLK,D1=MOSI,D2=MISO,D3=CS \
-P spi:clk=D0:mosi=D1:miso=D2:cs=D3 -o spi_capture.sr
# Decode existing capture
sigrok-cli -i capture.sr -P i2c:scl=D0:sda=D1 -A i2c
For power analysis and fault injection research:
# ChipWhisperer Lite setup
import chipwhisperer as cw
# Connect to target
scope = cw.scope()
target = cw.target(scope)
# Configure scope for power analysis
scope.default_setup()
scope.adc.samples = 24000
scope.adc.offset = 0
scope.adc.basic_mode = "rising_edge"
scope.clock.clkgen_freq = 7370000
scope.glitch.clk_src = "clkgen"
# Capture power trace
scope.arm()
target.simpleserial_write('p', bytearray(16))
ret = scope.capture()
trace = scope.get_last_trace()
# Save traces for analysis
import numpy as np
np.save('power_traces.npy', traces)
# Configure glitch parameters
scope.glitch.output = "glitch_only"
scope.glitch.trigger_src = "ext_single"
scope.glitch.width = 10
scope.glitch.offset = 10
scope.glitch.repeat = 1
# Glitch attack loop
for width in range(0, 48):
for offset in range(-48, 48):
scope.glitch.width = width
scope.glitch.offset = offset
scope.arm()
target.simpleserial_write('g', bytearray(16))
ret = scope.capture()
response = target.simpleserial_read('r', 16)
if response and check_glitch_success(response):
print(f"Glitch success: width={width}, offset={offset}")
Extract memory contents via debug interfaces:
# OpenOCD memory dump
openocd -f interface/stlink.cfg -f target/stm32f4x.cfg \
-c "init; halt; dump_image ram_dump.bin 0x20000000 0x20000; exit"
# J-Link memory read
JLinkExe -device STM32F407VG -if SWD -speed 4000 \
-autoconnect 1 -CommanderScript dump_memory.jlink
# dump_memory.jlink contents:
# h
# savebin ram.bin 0x20000000 0x20000
# exit
Analyze secure boot implementations:
secure_boot_checks:
bootloader_analysis:
- Check for signature verification bypass
- Analyze boot chain of trust
- Identify rollback protection
key_extraction:
- Locate key storage in flash/OTP
- Check for debug key exposure
- Analyze key derivation
bypass_techniques:
- Voltage glitching during boot
- Debug interface reactivation
- Boot mode pin manipulation
- Firmware downgrade attacks
This skill can leverage the following tools for enhanced capabilities:
| Tool | Description | URL |
|---|---|---|
| DeepBits Claude Plugins | Binary analysis for firmware | https://github.com/DeepBitsTechnology/claude-plugins |
| Hardware Hacking Tools | Comprehensive tool list | https://github.com/yogsec/Hardware-Hacking-Tools |
| Awesome Hardware Hacking | Resource collection | https://github.com/CyberSecurityUP/Awesome-Hardware-and-IoT-Hacking |
attack_surfaces:
debug_interfaces:
- JTAG (boundary scan, debug)
- SWD (ARM debug)
- UART (serial console)
- I2C/SPI (bus access)
physical_attacks:
- Voltage glitching
- Clock glitching
- Electromagnetic fault injection
- Laser fault injection
side_channels:
- Simple Power Analysis (SPA)
- Differential Power Analysis (DPA)
- Electromagnetic Analysis (EMA)
- Timing Analysis
firmware_attacks:
- Flash readout
- Memory extraction
- Secure boot bypass
- Firmware modification
This skill integrates with the following processes:
hardware-security-research.js - Hardware security assessment workflowsfirmware-analysis.js - Firmware extraction and analysissupply-chain-security.js - Hardware supply chain verificationWhen executing operations, provide structured output:
{
"operation": "firmware_extraction",
"target_device": "IoT Router XYZ",
"extraction_method": "SPI flash dump",
"chip_type": "W25Q128",
"dump_size": "16777216",
"sha256": "a3f2b8c9d4e5f6...",
"findings": {
"file_systems": ["squashfs at 0x100000"],
"bootloader": "U-Boot 2019.04",
"kernel": "Linux 4.14.90",
"encryption": "none detected"
},
"extracted_files": [
"squashfs-root/",
"kernel.img",
"uboot.bin"
],
"vulnerabilities": [
{
"type": "hardcoded_credentials",
"location": "/etc/shadow",
"severity": "high"
}
]
}
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.