Awesome-Embedded-Systems-Vulnerability-Research

Resources to get started vulnerability research on IoT/embedded devices. All resources credits goes to the respectful authors.

Books

• Practical IoT Hacking
• The Hardware Hacking Handbook
• Blue Fox: Arm Assembly Internals and Reverse Engineering
• Fuzzing Against the Machine
• MIPS Assembly Programmming
• pentest hardware
• Car Hacker's Handbook
• Microcontroller Exploits
• Attacking and Securing U-Boot

YouTube channels & videos

• stacksmashing
• Flashback Team
• Matt Brown
• LiveOverflow (RHme CTF)
• LiveOverflow (Hardware security research)
• gamozolabs (Printer Hacking)
• Make Me Hack (Hardware Hacking Tutorial)
• Foscam R2C camera
• Colin O'Flynn
• AVR reverse engineering (HACKADAY)
• Joe Grand
• Reverse engineering raw firmware: tool to get you started
• Embedded Reverse Engineering with Professor Plum
• The Hackers Guide to Hardware Debugging: Matthew Alt
• Hacking the Minut M2 IoT sensor
• Intro to Firmware Analysis with QEMU and Ghidra

Blogs

• IoT binary analysis & emulation part -1
• MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE
• MINDSHARE: HOW TO "JUST EMULATE IT WITH QEMU"
• MINDSHARE: HARDWARE REVERSING WITH THE TP-LINK TL-WR841N ROUTER
• MINDSHARE: HARDWARE REVERSING WITH THE TP-LINK TL-WR841N ROUTER - PART 2
• EXPLOITING THE SONOS ONE SPEAKER THREE DIFFERENT WAYS: A PWN2OWN TORONTO HIGHLIGHT
• Unauthenticated RCE on a RIGOL oscilloscope
• Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device
• THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT
• NETGEAR Routers: A Playground for Hackers?
• I HACK, U-BOOT
• PCB Reverse Engineering: A Comprehensive Guide
• Debugging D-Link: Emulating firmware and hacking hardware
• hyprblog
• TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)
• pwn-hisilicon-dvr
• Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu
• ROP-ing on Aarch64 - The CTF Style
• The Oddest Place You Will Ever Find PAC
• Azeria Labs
• When an N-Day turns into a 0day. (Part 1 of 2)
• Payatu blog
• Attify blog
• STAR Labs blog
• wrongbaud's blog
• DUMPING THE SONOS ONE SMART SPEAKER
• PULL UP YOUR BOOTLOADER
• How to Speak your Hardware’s Language
• Dissection of a Payment Terminal
• Dissection of a Payment Terminal: Part 2
• Breaking (bad) firmware encryption. Case study on the Netgear Nighthawk M1
• An introduction to printer exploitation
• Breaking the D-Link DIR3060 Firmware Encryption - Recon - Part 1
• Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.1
• Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.2
• LinkSys EA6100 AC1200 - Part 1 - PCB reversing
• LinkSys EA6100 AC1200 - Part 2 - A serial connection FTW!
• study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)
• 5 part series on reversing huawei router
• Xiongmai IoT Exploitation
• Exploiting: Buffer overflow in Xiongmai DVRs
• Introduction to PS4's security, and userland ROP
• Hacking the PS4, part 2 Userland code execution
• Hacking the PS4, part 3 Kernel exploitation
• 4 part series on Dlink camera 0 day
• Identifying Bugs in Router Firmware at Scale with Taint Analysis
• ASUSWRT URL Processing Stack Buffer Overflow
• Reverse IoT devices
• Hacking into TP-Link Archer C6 – shell access without physical disassembly
• Modern Vulnerability Research Techniques on Embedded Systems
• Embedded Hardware Hacking 101 – The Belkin WeMo Link
• The ABCs of NFC chip security
• Reversing Raw Binary Firmware Files in Ghidra
• SYNful Knock - A Cisco router implant - Part I
• MIPS Assembly
• Fail0verflow console security
• starkes blog
• Evaluating IoT firmware through emulation and fuzzing
• Quentin kaiser blogs
• TCP backdoor 32764 or how we could patch the Internet (or part of it ;))
• Reverse Engineering a VxWorks OS Based Router
• Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1
• Reverse Engineering a Philips TriMedia CPU based IP camera - Part 2
• Reverse Engineering a Philips TriMedia CPU based IP camera - Part 3
• Flash Dumping - Part I
• Reversing Mac Donald's table beacon
• day to 0day(CVE-2022-30024) on TP-Link TL-WR841N
• Triple Threat: Breaking Teltonika Routers Three Ways
• Methods for Extracting Firmware from OT Devices for Vulnerability Research
• Local Privilege Escalation on the DJI RM500 Smart Controller
• Bypassing password protection and getting a shell through UART in NEC Aterm WR8165N Wi-Fi router
• Faraday CTF 2022 Write-up: Reverse Engineering and Exploiting an IoT bug
• The .text Dilemma
• JTAG 'Hacking' the Original Xbox in 2023
• Hacking 101 to mobile data
• Enabot Hacking: Part 1
• Enabot Hacking: Part 2
• Enabot Hacking: Part 3
• Setting up a Research Environment for IP Cameras
• Hacking Reolink cameras for fun and profit
• Reverse Engineering Yaesu FT-70D Firmware Encryption
• Basics of hardware hacking
• Reversing embedded device bootloader (U-Boot) - p.1
• Reversing embedded device bootloader (U-Boot) - p.2
• How I Hacked my Car
• Google Pixel Watch Root Guide using Magisk​
• 1day to 0day(CVE-2022-30024) on TP-Link TL-WR841N
• TP-Link TL-WR940N: 1-days analysis after story. (CVE-2022-43636 & CVE-2022-43635)
• NETGEAR R6700v3: 1day Analysis (CVE-2021-34982) Buffer Overflow RCE Vulnerability
• Research IOT - Analyze Bootloader - notBootSecure
• 14-829: Mobile and IoT Security
• Simulating and hunting firmware vulnerabilities with Qiling
• Voidstar Security Research Blog
• Analyzing bare metal firmware binaries in Ghidra
• Reverse engineering of ARM microcontrollers
• Reverse engineering microcontrollers WITHOUT a datasheet
• Dynamic analysis of firmware components in IoT devices
• 🔌 Hardware All The Things
• Reverse Engineering IoT Firmware: Where to Start
• CAN Injection: keyless car theft
• Reverse Engineering a VxWorks OS Based Router
• Solving a Little Mystery
• IOActive Labs blogs
• Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part I
• Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part II
• A Tourist’s Phrasebook for Reversing Embedded ARM in the Dialect of the Cortex M Series
• Bypassing upgrade limitations on a TP-Link TL-WR841N
• Diving into Starlink's User Terminal Firmware
• HOW TO ROOT THE LG WATCH URBANE
• JTAGulator vs. JTAGenum, Tools for Identifying JTAG Pins in IoT Devices
• Chasing doorbells: Finding IoT vulnerabilities in embedded devices
• Methods for Extracting Firmware from OT Devices for Vulnerability Research
• Hacking Transcend WiFi SD Cards
• Rooting Xiaomi WiFi Routers
• A bowl full of security problems: Examining the vulnerabilities of smart pet feeders
• CVE–2019–8985 RCE
• Emulating and Exploiting UEFI Firmware
• Reverse Engineering Router Firmware - But the Firmware is Encrypted
• From zero to botnet – GL.iNet going wild
• Low Budget Router
• Firmware Fuzzing 101
• Looking at the ChargePoint Home Flex Threat Landscape
• Attack Surface of the Ubiquiti Connect EV Station
• A Detailed Look at Pwn2Own Automotive EV Charger Hardware
• How To: Modifying EV Chargers for Benchtop Experiments
• Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit
• Exploiting n-day in Home Security Camera
• A tour of automotive systems from 20 years ago
• Dumping old ECUs (P30 analysis p.1)
• Reversing old ECUs (P30 analysis p.2)
• icanhack.nl blogs
• Hunting for Unauthenticated n-days in Asus Routers
• Triple Threat: Breaking Teltonika Routers Three Ways
• Hacking my “smart” toothbrush
• Reverse engineering an EV charger
• Hacking Bluetooth speaker/FM radio firmware
• Reverse engineer a Bluetooth (BLE) SmartBand
• How to hack a car — a quick crash-course
• No Hardware, No Problem: Emulation and Exploitation
• Reverse engineering of the Nitro OBD2
• Firmware dumping technique for an ARM Cortex-M0 SoC
• Reversing the Dropcam Part 1: Wireless and network communications
• Reversing the Dropcam Part 2: Rooting your Dropcam
• Reversing the Dropcam Part 3: Digging into complied Lua functionality
• Jailbreaking Subaru StarLink
• Hardware Hacking to Bypass BIOS Passwords
• Rooting a Hive Camera
• Building a Faraday cage with data passthrough for ESP32 reverse engineering
• LimitedResults blog's
• Bypassing Readout Protection in Nordic Semiconductor Microcontrollers
• Cross-Execute Your Linux Binaries, Don’t Cross-Compile Them
• Hacking Millions of Modems (and Investigating Who Hacked My Modem)
• Hacking microcontroller firmware through a USB
• Hacking a Router: Tenda AC8 V4 Stack Overflow & PoCs
• Read secure firmware from STM32F1xx flash using ChipWhisperer
• Dumping Firmware from eMMC
• Hacking a $100K Gas Chromatograph without Owning One
• An Introduction to Fault Injection (Part 1/3)
• Software-Based Fault Injection Countermeasures (Part 2/3)
• Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
• Hacking a Chinese IP camera: part 1
• Hacking a Chinese IP camera: part 2
• Firmware Emulation with Qiling
• CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM
• eCos firmware security research
• Printing Fake Fiscal Receipts - An Italian Job p.1
• Printing Fake Fiscal Receipts - An Italian Job p.2
• How to bypass Debug Disabling on SM32F103
• Apple Lightning
• TEAM.ENVY research on NVR
• Hacking a 2014 tablet... in 2024!
• Reverse Engineering of a Not-so-Secure IoT Device
• (0x64 ∧ 0x6d) ∨ 0x69
• STM32 firmware reverse engineering
• Exploiting buffer overflows on embedded ARM devices
• Destructive IoT Malware Emulation – Part 1 of 3 – Environment Setup
• Destructive IoT Malware Emulation – Part 2 of 3 – Hooking Techniques
• Destructive IoT Malware Emulation – Part 3 of 3 – Statistics
• Hacking a Secure Industrial Remote Access Gateway
• A Guide to ARM64 / AArch64 Assembly on Linux with Shellcodes and Cryptography
• From Patch To Exploit: CVE-2021-35029
• RealWorldCTF: Let's party in the house - Write Up
• Unauthenticated RCE in TP-Link TD-W9970v1
• Remote Code Execution by reverse engineering an Askey Wifi-Extender
• CVE-2020-8423: exploiting the TP-LINK TL-WR841N V10 router
• Automating binary vulnerability discovery with Ghidra and Semgrep
• Fault Injection – Down the Rabbit Hole
• Getting root on a Zyxel VMG8825-T50 router
• Exploiting a stack-based buffer overflow in practice
• FLAG (PWN 451) RealWorldCTF writeup
• Dumping K360 wireless keyboard firmware with a GreatFET
• Reversing the Pokémon Snap Station without a Snap Station
• Making a GameCube memory card editor with Raspberry Pi
• Modifying Embedded Filesystems in ARM Linux zImages
• How to add a new architecture to QEMU - Part 1 # series of blog on adding AVR32 CPU support to QEMU

pwn2own writeup

• Pwn2Own Toronto 22: Exploit Netgear Nighthawk RAX30 Routers
• Exploiting the HP Printer without the printer (Pwn2Own 2022)
• THE PRINTER GOES BRRRRR, AGAIN!
• PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749
• Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup
• Competing in Pwn2Own 2021 Austin: Icarus at the Zenith
• THE PRINTER GOES BRRRRR!!!
• COOL VULNS DON'T LIVE LONG - NETGEAR AND PWN2OWN
• PWN2OWN AUSTIN 2021 : DEFEATING THE NETGEAR R6700V3
• YOUR VULNERABILITY IS IN ANOTHER OEM!
• PWN2OWN TOKYO 2020: DEFEATING THE TP-LINK AC1750
• Pwn2Own: A Tale of a Bug Found and Lost Again
• Rooting Samsung Q60T Smart TV
• The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022
• Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability
• Our Pwn2Own journey against time and randomness (part 1)
• Our Pwn2Own journey against time and randomness (part 2)
• Your NAS is not your NAS !
• Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I
• Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II
• Pwn2Own Toronto 2022 : A 9-year-old bug in MikroTik RouterOS
• Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1
• Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2
• Pwn2Own Toronto 2023: Part 1 – How it all started
• Pwn2Own Toronto 2023: Part 2 – Exploring the Attack Surface
• Pwn2Own Toronto 2023: Part 3 – Exploration
• Pwn2Own Toronto 2023: Part 4 – Memory Corruption Analysis
• Pwn2Own Toronto 2023: Part 5 – The Exploit
• [TeamT5] Pwn2Own Contest Experience Sharing and Vulnerability Demonstration
• RCE on the HP M479fdw printer
• Pwn2Own IoT 2024 -Lorex 2K Indoor Wi-FiSecurityCamera
• Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland
• Not All Roads Lead to PWN2OWN: Hardware Hacking (Part 1)

Conference Talks

• HEXACON2022 - Emulate it until you make it! Pwning a DrayTek Router by Philippe Laulheret
• OffensiveCon22 - Radek Domanski and Pedro Ribeiro - Pwn2Own’ing Your Router Over the Internet
• OffensiveCon20 - b1ack0wl - Don't forget to SUBSCRIBE
• OffensiveCon23 - Stacksmashing- Inside Apple’s Lightning: JTAGging the iPhone for Fuzzing and Profit
• DEF CON 24 Internet of Things Village - Elvis Collado - Reversing and Exploiting Embedded Devices
• #HITBCW2021 D2 - HITB LAB: ARM IoT Firmware Extraction And Emulation Using ARMX - Saumil Shah
• Philippe Laulheret - Intro to Hardware Hacking - DEF CON 27 Conference
• Nullcon Goa 2023 | IoT Hacking 101: Reverse Engineering The Xiaomi Ecosystem By Dennis Giese
• HEXACON2022 - 0-click RCE on the Tesla Model 3 by David Berard & Vincent Dehors
• DEF CON Safe Mode Payment Village - Aleksei Stennikov - PoS Terminal Security Uncovered
• OffensiveCon18 - Maddie Stone - The Smarts Behind Hacking Dumb Devices
• HEXACON2024 - HSM Security and Exploitation of USB over SPI bug by Sergei Volokitin
• No Hat 2021 - F. Yamaguchi & C. Ursache - Ghidra2cpg: From graph queries to vulnerabilities in ...
• No Hat 2024 - Jacopo Jannone - Exploring and Exploiting an Android “Smart POS” Payment Terminal
• Embedded kernel emulation in QEMU for security assessment | Stephane Duverger | hardwear.io Webinar

Labs

• DAMN VULNERABLE ARM ROUTER
• Damn Vulnerable Router Firmware
• OWASP IoT goat
• Explot Security CTF

Tools

• unblob
• binwalk
• Ghidra # Free decompiler for most of the architectures
• IDA Pro # Costs a lot for decompilers
• Qiling binary emulation & instrumentation framework
• Unicon CPU emulator framework
• Qemu emulator
• Buildroot cross-compiler
• bugprove - Automatic firmware analysis platform
• TritonDSE Library # emulation & symbolic execution library
• gdb, gdb-multiarch, gdbserver for cross-architecture debugging
• picocom, minicom, putty, screen for serial interfacing
• AFL++ a Coverage guided fuzzer
• SVD-Loader for Ghidra
• cpu_rec identify cpu architecture from a binary blob
• binbloom (analyse a raw binary firmware to find Loading address, Endianness, etc..)
• afl-unicorn

Misc

• #HITBLockdown D2 - Virtual Lab - Firmware Hacking With Ghidra - Thomas Roth & Dmitry Nedospasov
• #HITBLockdown002 VIRTUAL LAB: Qiling Framework: Build a Fuzzer Based on a 1day Bug - Lau Kai Jern
• Firmware Bug hunting with Taint analysis
• Hacking The Art of Exploitation
• Leaked Malware source code
• SEC661: ARM Exploit Development and an Introduction to Router Emulation
• #HITBCyberWeek D1 LAB - Writing Bare-Metal ARM Shellcode
• ARM Assembly and Shellcode Basics - Saumil Shah at 44CON 2017 - Workshop
• BSidesMCR 2018: Introduction To Return Oriented Exploitation On ARM64 by Billy Ellis
• Billy Ellis # Youtube channel about IOS security
• #68 [GUIDE] Reverse engineering 🖥 firmware 📃
• Reverse Engineering & Vulnerability Analysis
• Remoticon 2020 // Introduction to Firmware Reverse Engineering
• qiling Lab
• Practical Binary Analysis
• A-noobs-guide-to-arm-exploitation