Firmware Hunter Pro

Firmware Hunter Pro is an offline firmware analysis and triage tool designed for embedded Linux devices such as:

  • Routers
  • IP cameras
  • DVRs
  • Smart home devices
  • IoT hardware
  • Other Linux-based embedded systems

The tool scans extracted firmware filesystems or raw firmware images and generates reports to help identify:

  • Hardcoded credentials
  • Sensitive files
  • Embedded web interfaces
  • Interesting binaries
  • Suspicious strings
  • Possible malware indicators
  • Component versions
  • Potential attack surfaces

Firmware Hunter Pro is intended for:

  • Firmware research
  • Hardware hacking labs
  • Embedded Linux analysis
  • Educational use
  • Authorized security testing

What the Tool Does

Firmware Hunter Pro performs offline filesystem analysis.

It does NOT:

  • Execute firmware binaries
  • Exploit devices
  • Automatically attack systems
  • Emulate firmware
  • Connect to external systems automatically

The tool reads files and searches for patterns, indicators, configuration data, and embedded components.


Main Features

Automatic Firmware Extraction

Supports automatic extraction using Binwalk.

Example:

python3 firmware_hunter_pro_v4.py firmware.bin --extract

The tool will:

  1. Run Binwalk
  2. Extract embedded filesystems
  3. Attempt to locate the root filesystem
  4. Scan the extracted contents
  5. Generate reports

Credential Discovery

Searches for:

  • Hardcoded passwords
  • Wi-Fi keys
  • API keys
  • JWT tokens
  • MQTT credentials
  • Admin usernames
  • Secrets stored in configs

Web Interface Mapping

Searches for:

  • CGI scripts
  • Login pages
  • Admin routes
  • Firmware update pages
  • API endpoints
  • JavaScript references

Useful for identifying embedded web management interfaces.


Firmware Component Detection

Attempts to identify:

  • BusyBox versions
  • Linux kernel versions
  • OpenSSL references
  • Dropbear references
  • dnsmasq references
  • Embedded web servers

The tool uses string and configuration analysis for detection.
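
The following is an added example, not Firmware Hunter Pro's own code, showing how string-based component detection can work: printable runs are pulled out of a binary blob and matched against version banners. The regex patterns, function names and the sample blob are assumptions constructed for this illustration.

```python
import re

# Version banners as they typically appear inside the binaries themselves.
# These patterns are assumptions for this example, not the tool's rule set.
BANNERS = {
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
    "linux_kernel": re.compile(rb"Linux version (\d+\.\d+(?:\.\d+)?)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)"),
    "dropbear": re.compile(rb"dropbear_(\d{4}\.\d+)"),
}

def printable_strings(data: bytes, min_len: int = 6):
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def detect_components(data: bytes) -> dict:
    """Map component name -> sorted list of version strings seen in data."""
    found = {}
    for s in printable_strings(data):
        for name, pattern in BANNERS.items():
            m = pattern.search(s)
            if m:
                found.setdefault(name, set()).add(m.group(1).decode())
    return {name: sorted(versions) for name, versions in found.items()}

# Constructed sample: banner strings surrounded by non-printable bytes, plus a
# bare "OpenSSL" reference that carries no version and must not be reported.
SAMPLE_BLOB = (
    b"\x00\x7f\x01BusyBox v1.31.1 (2020-03-12 10:11:12 UTC) multi-call binary.\x00"
    b"\xff\xfeLinux version 4.4.60 (builder@constructed) (gcc version 5.4.0)\x00"
    b"\x00OpenSSL 1.0.2k  26 Jan 2017\x00\x01SSH-2.0-dropbear_2017.75\x00"
    b"OpenSSL\x00"
)

if __name__ == "__main__":
    for name, versions in detect_components(SAMPLE_BLOB).items():
        print(f"{name}: {', '.join(versions)}")
```

A missing banner does not mean the component is absent: vendors strip or patch version strings, which is one reason findings need manual review.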


IOC and Suspicious String Detection

Searches for suspicious strings and known indicators associated with:

  • Mirai
  • Gafgyt/Bashlite
  • Mozi
  • XorDDoS
  • Crypto miners
  • Reverse shell behavior

Detection is heuristic and string-based.

The tool does NOT perform behavioral malware analysis.


ELF and Architecture Analysis

Identifies:

  • ELF binaries
  • CPU architecture hints
  • Endianness
  • Binary metadata
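
As an added illustration (not the tool's own code), this is how ELF class, endianness and CPU architecture can be read from the first 20 bytes of a file. Function names and the sample headers are constructed for this example; the field offsets and `e_machine` values come from the ELF specification.

```python
import struct

# e_machine values from the ELF specification (subset common on embedded Linux).
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM",
            62: "x86-64", 183: "AArch64", 243: "RISC-V"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

def parse_elf_header(header: bytes):
    """Return bits, endianness, type and machine for an ELF file, else None."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # magic matched but the ident bytes are invalid
    # e_type and e_machine sit at offset 16 and are stored in the file's own
    # byte order, so EI_DATA has to be decoded before they can be read.
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(order + "HH", header, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endianness": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
    }

def constructed_header(ei_class, ei_data, e_type, e_machine) -> bytes:
    """Build a minimal 20-byte ELF header prefix for demonstration."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    return ident + struct.pack(order + "HH", e_type, e_machine)

# Constructed samples: a big-endian MIPS executable and a little-endian ARM
# shared object, the two most common cases in router and camera firmware.
SAMPLE_MIPS_BE = constructed_header(1, 2, 2, 8)
SAMPLE_ARM_LE = constructed_header(1, 1, 3, 40)

if __name__ == "__main__":
    print(parse_elf_header(SAMPLE_MIPS_BE))
    print(parse_elf_header(SAMPLE_ARM_LE))
```

Reading `e_machine` with the wrong byte order turns MIPS (8) into 2048, which is why the endianness byte is checked first.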

Entropy Analysis

Flags high-entropy files that may contain:

  • Packed data
  • Encrypted data
  • Compressed blobs
  • Binary firmware components
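
An added example, not taken from the tool, of block-wise Shannon entropy scanning that merges adjacent high-entropy blocks into regions. The 4096-byte block size and the 7.2 bits/byte threshold are assumptions chosen for illustration, and the sample image is constructed.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_regions(data: bytes, block: int = 4096, threshold: float = 7.2):
    """Return [(offset, length, peak_entropy)] for runs of high-entropy blocks."""
    regions = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if len(chunk) < 256:  # too short for a meaningful byte histogram
            continue
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        if regions and regions[-1][0] + regions[-1][1] == off:
            start, length, peak = regions[-1]  # extend the previous region
            regions[-1] = (start, length + len(chunk), max(peak, h))
        else:
            regions.append((off, len(chunk), h))
    return regions

def constructed_sample() -> bytes:
    """Constructed image: 8 KiB of config text, 8 KiB random-like, 4 KiB zeros."""
    text = (b"admin_user=root\nlan_ip=192.168.1.1\n" * 300)[:8192]
    # SHA-256 in counter mode stands in for encrypted or compressed content.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    return text + blob + bytes(4096)

if __name__ == "__main__":
    for off, length, peak in high_entropy_regions(constructed_sample()):
        print(f"offset=0x{off:x} length={length} peak={peak:.2f} bits/byte")
```

Entropy alone cannot separate compressed from encrypted data, since both sit close to 8 bits per byte; a flagged region is a prompt to check for known compression magic before assuming encryption.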

YARA Integration

Optional YARA scanning support.

Example:

python3 firmware_hunter_pro_v4.py firmware.bin --extract --yara rules.yar

Plugin Support

Supports simple Python plugins.

Plugins can be used for:

  • Vendor-specific parsing
  • Custom IOC checks
  • Additional scanning logic

Output

The tool generates:

File                         Description
firmware_report.html         HTML report
firmware_report.txt          Main text report
summary.txt                  Quick summary
full_report.json             JSON report
findings.csv                 CSV export
firmware_report.md           Markdown report
categorized evidence files   Separate findings

Examples:

  • credential_findings.txt
  • web_routes.txt
  • components.txt
  • malware_iocs.txt
  • interesting_binaries.txt

Installation

Requirements

  • Python 3.9+
  • Linux recommended

Install Dependencies

Required

sudo apt install python3 binwalk

Recommended

sudo apt install squashfs-tools mtd-utils p7zip-full xz-utils

Optional

sudo apt install yara

Usage

Scan Extracted Firmware

python3 firmware_hunter_pro_v4.py squashfs-root

Scan Raw Firmware Image

python3 firmware_hunter_pro_v4.py firmware.bin --extract

Quick Mode

Skips files larger than 10 MB.

python3 firmware_hunter_pro_v4.py firmware.bin --extract --quick

Multi-threading

python3 firmware_hunter_pro_v4.py firmware.bin --extract -j 16

Use Plugins

python3 firmware_hunter_pro_v4.py firmware.bin --extract --plugins plugins/

Example Workflow

1. Obtain Firmware

Example:

flash_dump.bin

2. Run Firmware Hunter Pro

python3 firmware_hunter_pro_v4.py flash_dump.bin --extract

3. Review Reports

Recommended starting points:

  1. summary.txt
  2. credential_findings.txt
  3. web_routes.txt
  4. components.txt
  5. firmware_report.html

Notes About Detection

Firmware Hunter Pro primarily uses:

  • String analysis
  • Regex matching
  • File inspection
  • Metadata extraction
  • Heuristic analysis

The tool may produce:

  • False positives
  • Incomplete detections
  • Generic matches

All findings should be manually reviewed.

The tool is intended as a triage and research aid, not a replacement for manual firmware analysis.


Safety

Avoid running analysis tools on sensitive production systems.


Intended Use

Firmware Hunter Pro is intended for:

  • Educational use
  • Firmware research
  • Reverse engineering
  • Hardware security testing
  • Authorized security analysis

Users are responsible for complying with all applicable laws and regulations.

Do not use the tool on devices or firmware you do not own or have permission to analyze.



license

MIT License

Copyright (c) 2026 ek0mssavi0r / Church of Malware

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.