IamAlch3mist/Awesome-Embedded-Systems-Vulnerability-Research

GitHub: IamAlch3mist/Awesome-Embedded-Systems-Vulnerability-Research

A curated list of IoT and embedded-device vulnerability research resources, giving security researchers a structured set of learning material ranging from books and blogs to videos.

Stars: 464 | Forks: 52

# Awesome-Embedded-Systems-Vulnerability-Research

Resources to get started with vulnerability research on IoT/embedded devices. All credit goes to the respective authors.

## Books

* [Practical IoT Hacking](https://nostarch.com/practical-iot-hacking)
* [The Hardware Hacking Handbook](https://nostarch.com/hardwarehacking)
* [Blue Fox: Arm Assembly Internals and Reverse Engineering](https://www.wiley.com/en-us/Blue+Fox%3A+Arm+Assembly+Internals+and+Reverse+Engineering-p-9781119745303)
* [Fuzzing Against the Machine](https://www.packtpub.com/product/fuzzing-against-the-machine/9781804614976)
* [MIPS Assembly Programming](https://www.robertwinkler.com/projects/mips_book/mips_book.pdf)
* [pentest hardware](https://github.com/unprovable/PentestHardware/)
* [Car Hacker's Handbook](https://nostarch.com/carhacking)
* [Microcontroller Exploits](https://nostarch.com/microcontroller-exploits)
* [Attacking and Securing U-Boot](https://www.amazon.com/Attacking-Securing-U-Boot-Gabriel-Gonzalez-ebook/dp/B0DHYTSWZC/)

## YouTube channels & videos

* [stacksmashing](https://www.youtube.com/@stacksmashing)
* [Flashback Team](https://www.youtube.com/@FlashbackTeam)
* [Matt Brown](https://www.youtube.com/@mattbrwn/videos)
* [LiveOverflow (RHme CTF)](https://www.youtube.com/playlist?list=PLhixgUqwRTjwNaT40TqIIagv3b4_bfB7M)
* [LiveOverflow (Hardware security research)](https://www.youtube.com/playlist?list=PLhixgUqwRTjyLgF4x-ZLVFL-CRTCrUo03)
* [gamozolabs (Printer Hacking)](https://www.youtube.com/playlist?list=PLSkhUfcCXvqGGQN8ATgWI0XYGvU-jq0uG)
* [Make Me Hack (Hardware Hacking Tutorial)](https://www.youtube.com/playlist?list=PLoFdAHrZtKkhcd9k8ZcR4th8Q8PNOx7iU)
* [Foscam R2C camera](https://youtube.com/playlist?list=PLct3DQFrYAjjOW9_wSBmOeExRxkKsp-Tn)
* [Colin O'Flynn](https://www.youtube.com/@ColinOFlynn)
* [AVR reverse engineering (HACKADAY)](https://youtube.com/playlist?list=PL_tws4AXg7avNexvQxkfxfEBtvTtBi6Tu)
* [Joe Grand](https://www.youtube.com/@JoeGrand)
* [Reverse engineering raw firmware: tool to get you started](https://www.youtube.com/watch?v=fkPSlBxh7Nw&t=259s)
* [Embedded Reverse Engineering with Professor Plum](https://www.youtube.com/watch?v=oyBx0gTwWEE)
* [The Hackers Guide to Hardware Debugging: Matthew Alt](https://www.youtube.com/live/hWYzgw0WhYU?si=eK3NGKhNoSsyYK89)
* [Hacking the Minut M2 IoT sensor](https://youtu.be/ZbKLAjPYOEg?si=ri1zyf0VE9nLPI_p)
* [Intro to Firmware Analysis with QEMU and Ghidra](https://youtu.be/50lFwNvHbDs?si=0sbcvcf5My3p4MqP)
* [RECESSIM](https://www.youtube.com/@RECESSIM)

## Blogs

* [IoT binary analysis & emulation part -1](https://hacklido.com/blog/529-iot-binary-analysis-emulation-part-1)
* [MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE](https://www.zerodayinitiative.com/blog/2020/2/6/mindshare-dealing-with-encrypted-router-firmware?rq=mindshare)
* [MINDSHARE: HOW TO "JUST EMULATE IT WITH QEMU"](https://www.zerodayinitiative.com/blog/2020/5/27/mindshare-how-to-just-emulate-it-with-qemu)
* [MINDSHARE: HARDWARE REVERSING WITH THE TP-LINK TL-WR841N ROUTER](https://www.zerodayinitiative.com/blog/2019/9/2/mindshare-hardware-reversing-with-the-tp-link-tl-wr841n-router)
* [MINDSHARE: HARDWARE REVERSING WITH THE TP-LINK TL-WR841N ROUTER - PART 2](https://www.zerodayinitiative.com/blog/2019/12/2/mindshare-hardware-reversing-with-the-tp-link-tl-wr841n-router-part-2?rq=router)
* [EXPLOITING THE SONOS ONE SPEAKER THREE DIFFERENT WAYS: A PWN2OWN TORONTO HIGHLIGHT](https://www.zerodayinitiative.com/blog/2023/5/24/exploiting-the-sonos-one-speaker-three-different-ways-a-pwn2own-toronto-highlight)
* [Unauthenticated RCE on a RIGOL oscilloscope](https://tortel.li/post/insecure-scope/)
* [Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device](https://boschko.ca/qemu-emulating-firmware/)
* [THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT](https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/)
* [NETGEAR Routers: A Playground for Hackers?](https://research.nccgroup.com/2023/05/15/netgear-routers-a-playground-for-hackers/)
* [I HACK, U-BOOT](https://www.synacktiv.com/publications/i-hack-u-boot.html)
* [PCB Reverse Engineering: A Comprehensive Guide](https://guidedhacking.com/threads/pcb-reverse-engineering-a-comprehensive-guide.20388/)
* [Debugging D-Link: Emulating firmware and hacking hardware](https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware)
* [hyprblog](https://blog.coffinsec.com/)
* [TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce)
* [pwn-hisilicon-dvr](https://github.com/tothi/pwn-hisilicon-dvr)
* [Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu](https://fredericb.info/2022/06/breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu.html#breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu)
* [ROP-ing on Aarch64 - The CTF Style](http://blog.perfect.blue/ROPing-on-Aarch64)
* [The Oddest Place You Will Ever Find PAC](https://blog.ret2.io/2021/06/16/intro-to-pac-arm64/)
* [Azeria Labs](https://azeria-labs.com/)
* [When an N-Day turns into a 0day. (Part 1 of 2)](https://github.com/b1ack0wl/vulnerability-write-ups/blob/master/TP-Link/WR940N/112022/Part1.md)
* [Payatu blog](https://payatu.com/tag/iot/)
* [Attify blog](https://blog.attify.com/)
* [STAR Labs blog](https://starlabs.sg/blog/)
* [wrongbaud's blog](https://wrongbaud.github.io/)
* [DUMPING THE SONOS ONE SMART SPEAKER](https://www.synacktiv.com/en/publications/dumping-the-sonos-one-smart-speaker)
* [PULL UP YOUR BOOTLOADER](https://www.synacktiv.com/en/publications/pull-up-your-bootloader)
* [How to Speak your Hardware’s Language](https://www.interruptlabs.co.uk/articles/how-to-speak-your-hardwares-language)
* [Dissection of a Payment Terminal](https://www.interruptlabs.co.uk/articles/dissection-of-a-payment-terminal)
* [Dissection of a Payment Terminal: Part 2](https://www.interruptlabs.co.uk/articles/dissection-of-a-payment-terminal-part-2)
* [Breaking (bad) firmware encryption. Case study on the Netgear Nighthawk M1](https://www.pentestpartners.com/security-blog/breaking-bad-firmware-encryption-case-study-on-the-netgear-nighthawk-m1/)
* [An introduction to printer exploitation](https://0x434b.dev/an-introduction-to-printer-exploitation/)
* [Breaking the D-Link DIR3060 Firmware Encryption - Recon - Part 1](https://0x434b.dev/breaking-the-d-link-dir3060-firmware-encryption-recon-part-1/)
* [Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.1](https://0x434b.dev/breaking-the-d-link-dir3060-firmware-encryption-static-analysis-of-the-decryption-routine-part-2-1/)
* [Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.2](https://0x434b.dev/breaking-the-d-link-dir3060-firmware-encryption-static-analysis-part-2/)
* [LinkSys EA6100 AC1200 - Part 1 - PCB reversing](https://0x434b.dev/linksys-ea6100_pt1/)
* [LinkSys EA6100 AC1200 - Part 2 - A serial connection FTW!](https://0x434b.dev/linksys-ea6100_pt2/)
* [Study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)](https://0x434b.dev/misc-study-notes-about-arm-aarch64-assembly-and-the-arm-trusted-execution-environment-tee/)
* [5 part series on reversing a Huawei router](https://jcjc-dev.com/archive/)
* [Xiongmai IoT Exploitation](https://vulncheck.com/blog/xiongmai-iot-exploitation)
* [Exploiting: Buffer overflow in Xiongmai DVRs](https://blog.ret2.me/post/2022-01-26-exploiting-xiongmai-dvrs/)
* [Introduction to PS4's security, and userland ROP](https://cturt.github.io/ps4.html)
* [Hacking the PS4, part 2 Userland code execution](https://cturt.github.io/ps4-2.html)
* [Hacking the PS4, part 3 Kernel exploitation](https://cturt.github.io/ps4-3.html)
* [4 part series on a D-Link camera 0-day](https://fuzzywalls.github.io/)
* [Identifying Bugs in Router Firmware at Scale with Taint Analysis](https://starlabs.sg/blog/2021/08-identifying-bugs-in-router-firmware-at-scale-with-taint-analysis/)
* [ASUSWRT URL Processing Stack Buffer Overflow](https://starlabs.sg/blog/2020/08-asuswrt-url-processing-stack-buffer-overflow/)
* [Reverse IoT devices](https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices)
* [Hacking into TP-Link Archer C6 – shell access without physical disassembly](https://skowronski.tech/2021/02/hacking-into-tp-link-archer-c6-shell-access-without-physical-disassembly/)
* [Modern Vulnerability Research Techniques on Embedded Systems](https://breaking-bits.gitbook.io/breaking-bits/vulnerability-discovery/reverse-engineering/modern-approaches-toward-embedded-research)
* [Embedded Hardware Hacking 101 – The Belkin WeMo Link](https://www.mandiant.com/resources/blog/embedded-hardwareha)
* [The ABCs of NFC chip security](https://research.nccgroup.com/2021/08/30/the-abcs-of-nfc-chip-security/)
* [Reversing Raw Binary Firmware Files in Ghidra](https://gist.github.com/nstarke/ed0aba2c882b8b3078747a567ee00520)
* [SYNful Knock - A Cisco router implant - Part I](https://www.mandiant.com/resources/blog/synful-knock-acis)
* [MIPS Assembly](https://en.wikibooks.org/wiki/MIPS_Assembly)
* [Fail0verflow console security](https://fail0verflow.com/blog/)
* [starkes blog](https://starkeblog.com/)
* [Evaluating IoT firmware through emulation and fuzzing](https://www.jtsec.es/blog-entry/113/evaluating-iot-firmware-through-emulation-and-fuzzing)
* [Quentin Kaiser's blog](https://quentinkaiser.be/)
* [TCP backdoor 32764 or how we could patch the Internet (or part of it ;))](https://blog.quarkslab.com/tcp-backdoor-32764-or-how-we-could-patch-the-internet-or-part-of-it.html)
* [Reverse Engineering a VxWorks OS Based Router](https://blog.quarkslab.com/reverse-engineering-a-vxworks-os-based-router.html)
* [Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1](https://blog.quarkslab.com/reverse-engineering-a-philips-trimedia-cpu-based-ip-camera-part-1.html)
* [Reverse Engineering a Philips TriMedia CPU based IP camera - Part 2](https://blog.quarkslab.com/reverse-engineering-a-philips-trimedia-cpu-based-ip-camera-part-2.html)
* [Reverse Engineering a Philips TriMedia CPU based IP camera - Part 3](https://blog.quarkslab.com/reverse-engineering-a-philips-trimedia-cpu-based-ip-camera-part-3.html)
* [Flash Dumping - Part I](https://blog.quarkslab.com/flash-dumping-part-i.html)
* [Reversing Mac Donald's table beacon](https://whiterose-infosec.super.site/d6f201f9d1da4c299d56fd78aef20151)
* [1day to 0day (CVE-2022-30024) on TP-Link TL-WR841N](https://blog.viettelcybersecurity.com/1day-to-0day-on-tl-link-tl-wr841n/)
* [Triple Threat: Breaking Teltonika Routers Three Ways](https://claroty.com/team82/research/triple-threat-breaking-teltonika-routers-three-ways)
* [Methods for Extracting Firmware from OT Devices for Vulnerability Research](https://www.nozominetworks.com/blog/methods-for-extracting-firmware-from-ot-devices-for-vulnerability-research/)
* [Local Privilege Escalation on the DJI RM500 Smart Controller](https://icanhack.nl/blog/dji-rm500-privilege-escalation/#system-command-injection)
* [Bypassing password protection and getting a shell through UART in NEC Aterm WR8165N Wi-Fi router](https://faradaysec.com/bypassing-password-protection-and-getting-a-shell-through-uart-in-nec-aterm-wr8165n-wi-fi-router/)
* [Faraday CTF 2022 Write-up: Reverse Engineering and Exploiting an IoT bug](https://faradaysec.com/faraday-ctf-2022-write-up-reverse-engineering-and-exploiting-an-iot-bug/)
* [The .text Dilemma](https://www.grayhatacademy.com/blog/the-text-dilemma)
* [JTAG 'Hacking' the Original Xbox in 2023](https://blog.ret2.io/2023/08/09/jtag-hacking-the-original-xbox-2023/)
* [Hacking 101 to mobile data](https://insinuator.net/2018/02/hacking-101-to-mobile-data/)
* [Enabot Hacking: Part 1](https://debugmen.dev/hardware-series/2022/02/18/enabot_series_part_1.html)
* [Enabot Hacking: Part 2](https://debugmen.dev/hardware-series/2022/08/01/enabot_series_part_2.html)
* [Enabot Hacking: Part 3](https://debugmen.dev/hardware-series/2023/02/19/enabot_series_part_3.html)
* [Setting up a Research Environment for IP Cameras](https://insinuator.net/2016/10/setting-up-a-research-environment-for-ip-cameras/)
* [Hacking Reolink cameras for fun and profit](https://www.thirtythreeforty.net/posts/2020/05/hacking-reolink-cameras-for-fun-and-profit/)
* [Reverse Engineering Yaesu FT-70D Firmware Encryption](https://landaire.net/reversing-yaesu-firmware-encryption/)
* [Basics of hardware hacking](https://maldroid.github.io/hardware-hacking/)
* [Reversing embedded device bootloader (U-Boot) - p.1](https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1/)
* [Reversing embedded device bootloader (U-Boot) - p.2](https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.2/)
* [How I Hacked my Car](https://programmingwithstyle.com/)
* [Google Pixel Watch Root Guide using Magisk](https://forum.xda-developers.com/t/how-to-root-google-pixel-watch-using-magisk.4592737/)
* [TP-Link TL-WR940N: 1-days analysis after story. (CVE-2022-43636 & CVE-2022-43635)](https://blog.viettelcybersecurity.com/tp-link-tl-wr940n-1-days-analysis-after-story-cve-2022-4363-cve-2022-43635/)
* [NETGEAR R6700v3: 1day Analysis (CVE-2021-34982) Buffer Overflow RCE Vulnerability](https://blog.viettelcybersecurity.com/netgear-r6700v3-1day-analysis-cve-2021-34982-buffer-overflow-rce-vulnerabiliy-2/)
* [Research IOT - Analyze Bootloader - notBootSecure](https://blog.viettelcybersecurity.com/research-iot-analyze-bootloader-notbootsecure-3/)
* [14-829: Mobile and IoT Security](https://mews.sv.cmu.edu/teaching/14829/f19/schedule.html)
* [Simulating and hunting firmware vulnerabilities with Qiling](https://blog.vincss.net/2020/12/pt007-simulating-and-hunting-firmware-vulnerabilities-with-Qiling.html)
* [Voidstar Security Research Blog](https://voidstarsec.com/blog/)
* [Analyzing bare metal firmware binaries in Ghidra](https://blog.attify.com/analyzing-bare-metal-firmware-binaries-in-ghidra/)
* [Reverse engineering of ARM microcontrollers](https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/)
* [Reverse engineering microcontrollers WITHOUT a datasheet](https://www.pentestpartners.com/security-blog/reverse-engineering-microcontrollers-without-a-datasheet/)
* [Dynamic analysis of firmware components in IoT devices](https://ics-cert.kaspersky.com/publications/reports/2022/07/06/dynamic-analysis-of-firmware-components-in-iot-devices/)
* [🔌 Hardware All The Things](https://swisskyrepo.github.io/HardwareAllTheThings/)
* [Reverse Engineering IoT Firmware: Where to Start](https://www.apriorit.com/dev-blog/reverse-reverse-engineer-iot-firmware)
* [CAN Injection: keyless car theft](https://kentindell.github.io/2023/04/03/can-injection/)
* [Solving a Little Mystery](https://ioactive.com/solving-a-little-mystery/)
* [IOActive Labs blogs](https://labs.ioactive.com/)
* [Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part I](https://github.com/nahueldsanchez/blogpost_qiling_dlink_1)
* [Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part II](https://github.com/nahueldsanchez/blogpost_qiling_dlink_2)
* [A Tourist’s Phrasebook for Reversing Embedded ARM in the Dialect of the Cortex M Series](https://www.alchemistowl.org/pocorgtfo/pocorgtfo11.pdf)
* [Bypassing upgrade limitations on a TP-Link TL-WR841N](https://nahueldsanchez.com.ar/Playing-with-a-TP-LINK-TR841_II/)
* [Diving into Starlink's User Terminal Firmware](https://blog.quarkslab.com/starlink.html)
* [HOW TO ROOT THE LG WATCH URBANE](https://www.evilsocket.net/2015/06/15/How-to-root-the-LG-Watch-Urbane-B285/)
* [JTAGulator vs. JTAGenum, Tools for Identifying JTAG Pins in IoT Devices](https://www.praetorian.com/blog/jtagulator-vs-jtagenum-tools-for-identifying-jtag-pins-in-iot-devices/)
* [Chasing doorbells: Finding IoT vulnerabilities in embedded devices](https://www.coalfire.com/the-coalfire-blog/chasing-doorbells-finding-iot-vulnerabilities-in-e)
* [Hacking Transcend WiFi SD Cards](http://haxit.blogspot.com/)
* [Rooting Xiaomi WiFi Routers](https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/)
* [A bowl full of security problems: Examining the vulnerabilities of smart pet feeders](https://securelist.com/smart-pet-feeder-vulnerabilities/110028/)
* [CVE-2019-8985 RCE](https://www.grayhatacademy.com/blog/cve-2019-8985-rce)
* [Emulating and Exploiting UEFI Firmware](https://margin.re/2023/09/emulating-and-exploiting-uefi-firmware/)
* [Reverse Engineering Router Firmware - But the Firmware is Encrypted](https://0xca7.github.io/public/posts/decrypting_firmware/)
* [From zero to botnet – GL.iNet going wild](https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html)
* [Low Budget Router](https://hegz.io/posts/lbr/)
* [Firmware Fuzzing 101](https://www.mayhem.security/blog/firmware-fuzzing-101)
* [Looking at the ChargePoint Home Flex Threat Landscape](https://www.zerodayinitiative.com/blog/2023/9/7/looking-at-the-chargepoint-home-flex-threat-landscape)
* [Attack Surface of the Ubiquiti Connect EV Station](https://www.zerodayinitiative.com/blog/2023/12/5/attack-surface-of-the-ubiquiti-connect-ev-station)
* [A Detailed Look at Pwn2Own Automotive EV Charger Hardware](https://www.zerodayinitiative.com/blog/2023/11/28/a-detailed-look-at-pwn2own-automotive-ev-charger-hardware)
* [How To: Modifying EV Chargers for Benchtop Experiments](https://www.zerodayinitiative.com/blog/2023/11/8/how-to-modifying-ev-chargers-for-benchtop-experiments)
* [Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit](https://www.zerodayinitiative.com/blog/2023/10/5/looking-at-the-attack-surface-of-the-sony-xav-ax5500-head-unit)
* [Exploiting n-day in Home Security Camera](https://0xbigshaq.github.io/2024/01/05/tp-link-tapo-c100/)
* [A tour of automotive systems from 20 years ago](http://p1kachu.pluggi.fr/project/automotive/2018/12/28/subaru-ssm1/)
* [Dumping old ECUs (P30 analysis p.1)](http://p1kachu.pluggi.fr/project/automotive/2021/05/30/honda-oki-part1/)
* [Reversing old ECUs (P30 analysis p.2)](http://p1kachu.pluggi.fr/project/automotive/2021/06/16/honda-oki-part2/)
* [icanhack.nl blogs](https://icanhack.nl/blog/)
* [Hunting for Unauthenticated n-days in Asus Routers](https://www.shielder.com/blog/2024/01/hunting-for-~~un~~authenticated-n-days-in-asus-routers/)
* [Hacking my “smart” toothbrush](https://kuenzi.dev/toothbrush/)
* [Reverse engineering an EV charger](https://www.mnemonic.io/resources/blog/reverse-engineering-an-ev-charger/)
* [Hacking Bluetooth speaker/FM radio firmware](https://olegkutkov.me/2021/02/27/hacking-a-firmware-of-bluetooth-speaker-fm-radio/)
* [Reverse engineer a Bluetooth (BLE) SmartBand](https://medium.com/@shelladdicted/reverse-engineer-a-bluetooth-ble-smartband-91ee10129217)
* [How to hack a car — a quick crash-course](https://www.freecodecamp.org/news/hacking-cars-a-guide-tutorial-on-how-to-hack-a-car-5eafcfbbb7ec)
* [No Hardware, No Problem: Emulation and Exploitation](https://blog.grimm-co.com/2022/04/no-hardware-no-problem-emulation-and.html)
* [Reverse engineering of the Nitro OBD2](https://blog.quarkslab.com/reverse-engineering-of-the-nitro-obd2.html)
* [Firmware dumping technique for an ARM Cortex-M0 SoC](https://blog.includesecurity.com/2015/11/firmware-dumping-technique-for-an-arm-cortex-m0-soc/)
* [Reversing the Dropcam Part 1: Wireless and network communications](https://blog.includesecurity.com/2014/03/reversing-the-dropcam-part-1-wireless-and-network-communications/)
* [Reversing the Dropcam Part 2: Rooting your Dropcam](https://blog.includesecurity.com/2014/04/reversing-the-dropcam-part-2-rooting-your-dropcam/)
* [Reversing the Dropcam Part 3: Digging into complied Lua functionality](https://blog.includesecurity.com/2014/08/reversing-the-dropcam-part-3-digging-into-complied-lua-functionality/)
* [Jailbreaking Subaru StarLink](https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md)
* [Hardware Hacking to Bypass BIOS Passwords](https://cybercx.co.nz/blog/bypassing-bios-password/)
* [Rooting a Hive Camera](https://boredpentester.com/rooting-hive-ip-cameras/)
* [Building a Faraday cage with data passthrough for ESP32 reverse engineering](https://esp32-open-mac.be/posts/0003-faraday-cage/)
* [LimitedResults blog](https://limitedresults.com/posts/)
* [Bypassing Readout Protection in Nordic Semiconductor Microcontrollers](https://www.emproof.com/bypassing-readout-protection-in-nordic-semiconductor-microcontrollers/)
* [Cross-Execute Your Linux Binaries, Don’t Cross-Compile Them](https://research.nccgroup.com/2024/06/05/cross-execute-your-linux-binaries-dont-cross-compile-them/)
* [Hacking Millions of Modems (and Investigating Who Hacked My Modem)](https://samcurry.net/hacking-millions-of-modems)
* [Hacking microcontroller firmware through a USB](https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/)
* [Hacking a Router: Tenda AC8 V4 Stack Overflow & PoCs](https://0reg.dev/blog/hacking-a-router-tenda-ac8-v4-stack-overflow-pocs?s=35)
* [Read secure firmware from STM32F1xx flash using ChipWhisperer](https://prog.world/read-secure-firmware-from-stm32f1xx-flash-using-chipwhisperer/)
* [Dumping Firmware from eMMC](https://payatu.com/blog/dumping-firmware-from-emmc/)
* [Hacking a $100K Gas Chromatograph without Owning One](https://claroty.com/team82/research/hacking-a-usd100k-gas-chromatograph-without-owning-one)
* [An Introduction to Fault Injection (Part 1/3)](https://www.nccgroup.com/us/research-blog/an-introduction-to-fault-injection-part-13/)
* [Software-Based Fault Injection Countermeasures (Part 2/3)](https://www.nccgroup.com/us/research-blog/software-based-fault-injection-countermeasures-part-23/)
* [Alternative Approaches for Fault Injection Countermeasures (Part 3/3)](https://www.nccgroup.com/us/research-blog/alternative-approaches-for-fault-injection-countermeasures-part-33/)
* [Hacking a Chinese IP camera: part 1](http://kuku.eu.org/?projects/xm530/part1)
* [Hacking a Chinese IP camera: part 2](http://kuku.eu.org/?projects/xm530/part2)
* [Firmware Emulation with Qiling](https://labs.nettitude.com/blog/emulation-with-qiling/)
* [CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM](https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/)
* [eCos firmware security research](https://ecos.wtf/)
* [Printing Fake Fiscal Receipts - An Italian Job p.1](https://www.shielder.com/blog/2022/04/printing-fake-fiscal-receipts-an-italian-job-p.1/)
* [Printing Fake Fiscal Receipts - An Italian Job p.2](https://www.shielder.com/blog/2022/05/printing-fake-fiscal-receipts-an-italian-job-p.2/)
* [How to bypass Debug Disabling on STM32F103](https://medium.com/@LargeCardinal/how-to-bypass-debug-disabling-and-crp-on-stm32f103-7116e7abb546)
* [Apple Lightning](https://nyansatan.github.io/lightning/)
* [TEAM.ENVY research on NVR](https://team-envy.gitbook.io/team.envy)
* [Hacking a 2014 tablet... in 2024!](https://blog.r0rt1z2.com/hacking-a-2014-tablet-in-2024.html)
* [Reverse Engineering of a Not-so-Secure IoT Device](https://mcuoneclipse.com/2019/05/26/reverse-engineering-of-a-not-so-secure-iot-device/)
* [(0x64 ∧ 0x6d) ∨ 0x69](https://blog.3or.de/)
* [STM32 firmware reverse engineering](https://medium.com/@fronders)
* [Exploiting buffer overflows on embedded ARM devices](https://www.rliu.dev/blog/ectf-arm-buffer-overflow/)
* [Destructive IoT Malware Emulation – Part 1 of 3 – Environment Setup](https://cyber.wtf/2024/03/28/destructive-iot-malware-emulation-part-1-of-3-environment-setup/)
* [Destructive IoT Malware Emulation – Part 2 of 3 – Hooking Techniques](https://cyber.wtf/2024/08/01/destructive-iot-malware-emulation-part-2-of-3-hooking-techniques/)
* [Destructive IoT Malware Emulation – Part 3 of 3 – Statistics](https://cyber.wtf/2024/10/14/destructive-iot-malware-emulation-part-3-of-3-statistics/)
* [Hacking a Secure Industrial Remote Access Gateway](https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/)
* [A Guide to ARM64 / AArch64 Assembly on Linux with Shellcodes and Cryptography](https://modexp.wordpress.com/2018/10/30/arm64-assembly/)
* [From Patch To Exploit: CVE-2021-35029](https://blog.cys4.com/exploit/reverse-engineering/2022/04/18/From-Patch-To-Exploit_CVE-2021-35029)
* [RealWorldCTF: Let's party in the house - Write Up](https://zerotistic.blog/posts/rwctf-wu/)
* [Unauthenticated RCE in TP-Link TD-W9970v1](https://erfur.dev/blog/vuln/tplink-wd9970-rce)
* [Remote Code Execution by reverse engineering an Askey Wifi-Extender](https://blog.improsec.com/tech-blog/rce-askey)
* [CVE-2020-8423: exploiting the TP-LINK TL-WR841N V10 router](https://ktln2.org/2020/03/29/exploiting-mips-router/)
* [Automating binary vulnerability discovery with Ghidra and Semgrep](https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/)
* [Fault Injection – Down the Rabbit Hole](https://security.humanativaspa.it/fault-injection-down-the-rabbit-hole/)
* [Getting root on a Zyxel VMG8825-T50 router](https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/)
* [Exploiting a stack-based buffer overflow in practice](https://th0mas.nl/2020/11/17/exploiting-a-stack-based-buffer-overflow-in-practice/)
* [FLAG (PWN 451) RealWorldCTF writeup](https://blog.r0b.re/ctf/pwn/arm/iot/goahead/backdoor/2022/01/23/realworldctf-flag.html)
* [Dumping K360 wireless keyboard firmware with a GreatFET](https://jamchamb.net/2021/05/29/dumping-k360-firmware.html)
* [Reversing the Pokémon Snap Station without a Snap Station](https://jamchamb.net/2021/08/17/snap-station.html)
* [Making a GameCube memory card editor with Raspberry Pi](https://jamchamb.net/2018/12/03/gamecube-memory-card-raspi.html)
* [Modifying Embedded Filesystems in ARM Linux zImages](https://jamchamb.net/2022/01/02/modify-vmlinuz-arm.html)
* [How to add a new architecture to QEMU - Part 1](https://fgoehler.com/blog/adding-a-new-architecture-to-qemu-01/) (a blog series on adding AVR32 CPU support to QEMU)
* [Analysing a router firmware vulnerability: Tenda AC15](https://eshard.com/posts/tenda-ac15-cve-analysis)
* [Hacking Swann & FLIR/Lorex home security camera video](https://www.pentestpartners.com/security-blog/hacking-swann-home-security-camera-video/)
* [Reverse Engineering the Duco Connectivity Board: From Black Box to Home Assistant](https://github.com/kokx/duco-analysis)
* [Laser Fault Injection on a Budget: RP2350 Edition](https://courk.cc/rp2350-challenge-laser)
* [TP-Link Firmware Decryption C210 V2 cloud camera bootloaders](https://watchfulip.github.io/28-12-24/tp-link_c210_v2.html)
* [Reverse Engineering PixMob LED Concert Bracelets Part One](https://cra0.net/blog/posts/reverse-engineering-pixmob-led-concert-bracelets-p1/)
* [How I Also Hacked my Car](https://goncalomb.com/blog/2024/01/30/f57cf19b-how-i-also-hacked-my-car)
* [HardBreak - Hardware Hacking Wiki](https://www.hardbreak.wiki/)
* [haxx.in](https://haxx.in/)
* [Retreading The AMLogic A113X TrustZone Exploit](https://boredpentester.com/retreading-the-amlogic-a113x-trustzone-exploit-process/)
* [ROPing our way to RCE](https://modzero.com/en/blog/roping-our-way-to-rce/)
* [Critically Insecure Router](https://rossmarks.uk/blog/critically-insecure-router/)
* [Pacemaker Pwn Pt.1](https://rossmarks.uk/blog/pacemaker-pwn-pt-1/)
* [FaultyCat Introduction](https://rossmarks.uk/blog/faultycat-introduction/)
* [GL iNet 300M Fun (Pt.3)](https://rossmarks.uk/blog/gl-inet-300m-fun-pt-3/)
* [NAND On My Watch](https://blog.fraktal.fi/nand-on-my-watch-f307ac673d22)
* [something from nothing](https://something.fromnothing.blog/)
* [JabberJaw – Convert your Router to a Portable Network Attack Device!](https://samy.link/blog/jabberjaw-convert-your-router-in-portable-network-attack-dev?/jabberjaw-convert-your-router-in-portable-network-attack-dev)
* [Jooki - Taking Control of a Forgotten Device](https://nv1t.github.io/blog/reviving-jooki/)
* [Investigating an "evil" RJ45 dongle](https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle)
* [How to Get Root Access to Your Sleep Number Bed](https://dillan.org/articles/how-to-get-root-access-to-your-sleep-number-bed)
* [Xbox 360 security in details: the long way to RGH3](https://swarm.ptsecurity.com/xbox-360-security-in-details-the-long-way-to-rgh3/)
* [Hack the channel: A Deep Dive into DVB Receiver Security](https://www.synacktiv.com/en/publications/hack-the-channel-a-deep-dive-into-dvb-receiver-security)
* [Pwning Millions of Smart Weighing Machines with API and Hardware Hacking](https://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/)
* [Hack The Emulated Planet: Vulnerability Hunting on Planet WGS-804HPT Industrial Switches](https://claroty.com/team82/research/hack-the-emulated-planet-vulnerability-hunting-on-planet-wgs-804hpt-industrial-switches)
* [Looking into the Nintendo Alarmo](https://garyodernichts.blogspot.com/2024/10/looking-into-nintendo-alarmo.html)
* [The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices](https://claroty.com/team82/research/the-insecure-iot-cloud-strikes-again-rce-on-ruijie-cloud-connected-devices?utm_campaign=4970138-%5BSocial%5D%20Team82%20Research&utm_content=320502032&utm_medium=social&utm_source=twitter&hss_channel=tw-743739751044288513)
* [Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability — CVE-2024–54887](https://infosecwriteups.com/reversing-discovering-and-exploiting-a-tp-link-router-vulnerability-cve-2024-54887-341552c4b104)
* [Fuzzing embedded systems - Part 1, Introduction](https://blog.sparrrgh.me/fuzzing/embedded/2024/06/05/fuzzing-embedded-systems-1.html)
* [Fuzzing embedded systems - Part 2, Writing a fuzzer with LibAFL](https://blog.sparrrgh.me/fuzzing/embedded/2025/01/26/fuzzing-embedded-systems-2.html)
* [Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE](https://web.archive.org/web/20190119164529/https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/)
* [Pwning a Brother labelmaker, for fun and interop!](https://sdomi.pl/weblog/20-pwning-a-labelmaker/)
* [Discovering a 0-day Authenticated RCE on my router](https://inferi.club/post/pwning-my-router-for-fun-discovering-a-0-day-authenticated-rce)
* [ROPing Routers from scratch: Step-by-step Tenda Ac8v4 Mips 0day Flow-control ROP -> RCE](https://0reg.dev/blog/tenda-ac8-rop)
* [Multiple vulnerabilities in Zyxel zysh](https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/)
* [Unpacking Firmware Images from Cable Modems](https://w00tsec.blogspot.com/2013/11/unpacking-firmware-images-from-cable.html)
* [Binwally: Directory tree diff tool using Fuzzy Hashing](https://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
* [Analyzing Malware for Embedded Devices: TheMoon Worm](https://w00tsec.blogspot.com/2014/02/analyzing-malware-for-embedded-devices.html)
* [AyySSHush: Tradecraft of an emergent ASUS botnet](https://www.labs.greynoise.io/grimoire/2025-03-28-ayysshush/?_ga=2.84242140.496832694.1748623707-2053335004.1748623706)
* [ASUS Series-Router SQLi in libbwdpi_sql.so](https://leeyabug.top/ASUS-SQLI)
* [World’s First MIDI Shellcode](https://psi3.ru/blog/swl01u/)
* [Replacing a Space Heater Firmware Over WiFi](https://blog.includesecurity.com/2025/02/replacing-a-space-heater-firmware-over-wifi/)
* [FiberGateway GR241AG - Full Exploit Chain](https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/)
* [Dumping the Nokia 8110 4G Firmware](https://garbsch.eu/posts/dumping-the-nokia-8110-4g-firmware/)
* [Hacking the Nokia Fastmile](https://projectblack.io/blog/hacking-the-nokia-fastmile/)
* [Arcadyan AW1000 (Telstra 5G Modem) Carrier Unlock](https://projectblack.io/blog/arcadyan-aw1000-carrier-unlock/)
* [GigaVulnerability: readout protection bypass on GigaDevice GD32 MCUs](https://swarm.ptsecurity.com/gigavulnerability-readout-protection-bypass-on-gigadevice-gd32-mcus/)
* [Extracting Embedded MultiMediaCard (eMMC) contents in-system](https://www.zerodayinitiative.com/blog/2025/6/18/extracting-embedded-multimediacard-emmc-contents-in-system)
* [Firmware Security: Alcatel-Lucent ALE-DeskPhone](https://blog.syss.com/posts/voip-deskphone-firmware-security/)
* [Time Travel Analysis with QEMU on IoT Targets: Not Always That Hard - Part I](https://eshard.com/posts/u-boot-cve-tta-qemu)
* [Exploiting a router vulnerability: Tenda AC15 | Part I](https://eshard.com/posts/tenda-ac15-cve-analysis)
* [Exploiting a router vulnerability: Tenda AC15 | Part II](https://eshard.com/posts/tenda-ac15-cve-time-travel-analysis)
* [U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)](https://securitylab.github.com/research/uboot-rce-nfs-vulnerability/)
* [FortiWeb Pre-Auth RCE (CVE-2025-25257)](https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce)
* [FortMajeure: Authentication Bypass in FortiWeb (CVE-2025-52970)](https://pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970)
* [Hacking Sonoff Smart Home IoT Device - Extract, Modify, Boot, Intercept, Clone!](https://jerinsunny.github.io/blogs/iotsecurity/2025/01/03/sonoff-firmware-extraction.html)
* [Private Investigation - Kobo eReader - First Contact](https://kevin2600-cmd.github.io/2025/08/12/Private-Investigation-Kobo-eReader-First-Contact.html)
* [Exploiting embedded mitel phones for unauthenticated remote code execution](https://baldur.dk/blog/embedded-mitel-exploitation.html)
* [There’s A Hole In Your SoC: Glitching The MediaTek BootROM](https://www.nccgroup.com/research-blog/there-s-a-hole-in-your-soc-glitching-the-mediatek-bootrom/)
* [Firmware Acquisition: U-Boot](https://wiki.elvis.science/index.php?title=Firmware_Acquisition:_U-Boot)
* [Root Shell on Credit Card Terminal](https://stefan-gloor.ch/yomani-hack)
* [Hacking a VoIP Phone](https://stefan-gloor.ch/voip-phone-hack)
* [Dumping the Amlogic A113X Bootrom](https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/)
* [Dump Amlogic S905D3 BootROM from Khadas VIM3L board](https://fredericb.info/2021/02/dump-amlogic-s905d3-bootrom-from-khadas-vim3l-board.html#dump-amlogic-s905d3-bootrom-from-khadas-vim3l-board)
* [Reverse Engineering the AM335x Boot ROM](https://github.com/sjgallagher2/am335xbootrom)
* [A dive into the Rockchip Bootloader](https://www.pentestpartners.com/security-blog/a-dive-into-the-rockchip-bootloader/)
* ["No grave but the SIP": Reversing a VoIP phone firmware](https://www.synacktiv.com/en/publications/no-grave-but-the-sip-reversing-a-voip-phone-firmware.html)
* [Disassembling a Cortex-M raw binary file with Ghidra](https://blog.feabhas.com/2022/12/disassembling-a-cortex-m-raw-binary-file-with-ghidra/)
* [LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover](https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass-and-full-device-takeover/)
* [Exploitation of Philips Smart TV](https://fredericb.info/2014/11/exploitation-of-philips-smart-tv.html#exploitation-of-philips-smart-tv)
* [Analysis and reverse-engineering of the original Starlink router](https://olegkutkov.me/2021/12/25/analysis-and-reverse-engineering-of-the-original-starlink-router/)
* [Now You See mi: Now You're Pwned](https://labs.taszk.io/articles/post/nowyouseemi/)
* ["Good enough" emulation: Fuzzing a single thread to uncover vulnerabilities](https://blog.talosintelligence.com/good-enough-emulation/)
* [Sonicwall Firmware Deep Dive - SWI Firmware Decryption](https://bishopfox.com/blog/sonicwall-firmware-deep-dive-part-1)
* [It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable](https://bishopfox.com/blog/its-2024-and-over-178-000-sonicwall-firewalls-are-publicly-exploitable)
* Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor?
The Reality is More Complicated](https://claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated) * [Introducing VxWorks Support for Binary Ninja Ultimate](https://binary.ninja/2024/10/31/introducing-vxworks.html) * [Fuzzing Zephyr with AFL and Renode](https://renode.io/news/fuzzing-zephyr-with-afl-renode/) * [Breaking the Ledger Security Model](https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/) * [Bits to Binary to Bootloader to Glitch: Exploiting ROM for Non-invasive Attacks](https://www.ioactive.com/bits-to-binary-to-bootloader-to-glitch/) * [CVE-2025-29338 - Buffer Overflow in NXP moal.ko Wi-Fi Kernel Driver](https://github.com/masjadaan/CVE-2025-29338#cve-2025-29338--security-advisory) * [From breaking into my ISP router to finding a MediaTek kernel 0day](https://www.hacefresko.com/posts/rce-on-isp-router-and-mediatek-0day) * [Unitree Robot BLE Service Command Injection Analysis](https://github.com/Bin4ry/UniPwn) * [Drone Hacking Part 1: Dumping Firmware and Bruteforcing ECC](https://neodyme.io/en/blog/drone_hacking_part_1/) * [APPROTECT Bypass on NRF52832](https://www.matiassoler.com/posts/approtect_bypass_nrf52832/) * [Bootloader to Iris: A Security Teardown of a Hardware Wallet](https://hhj4ck.github.io/en/iris-wallet-security-teardown.html) * [Oculus 2 research](https://diary-of-a-wimpy-researcher.org/) ## pwn2own writeup * [Pwn2Own Toronto 22: Exploit Netgear Nighthawk RAX30 Routers](https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022) * [Exploiting the HP Printer without the printer (Pwn2Own 2022)](https://www.interruptlabs.co.uk/articles/pwn2own-2022-hp-printer) * [THE PRINTER GOES BRRRRR, AGAIN!](https://www.synacktiv.com/publications/the-printer-goes-brrrrr-again) * [PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with 
CVE-2023-24749](https://mahaloz.re/2023/02/25/pwnagent-netgear.html) * [Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup](https://doar-e.github.io/blog/2022/06/11/pwn2own-2021-canon-imageclass-mf644cdw-writeup/) * [Competing in Pwn2Own 2021 Austin: Icarus at the Zenith](https://doar-e.github.io/blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/) * [THE PRINTER GOES BRRRRR!!!](https://www.synacktiv.com/en/publications/the-printer-goes-brrrrr) * [COOL VULNS DON'T LIVE LONG - NETGEAR AND PWN2OWN](https://www.synacktiv.com/en/publications/cool-vulns-dont-live-long-netgear-and-pwn2own) * [PWN2OWN AUSTIN 2021 : DEFEATING THE NETGEAR R6700V3](https://www.synacktiv.com/en/publications/pwn2own-austin-2021-defeating-the-netgear-r6700v3) * [YOUR VULNERABILITY IS IN ANOTHER OEM!](https://www.synacktiv.com/en/publications/your-vulnerability-is-in-another-oem) * [PWN2OWN TOKYO 2020: DEFEATING THE TP-LINK AC1750](https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750) * [Pwn2Own: A Tale of a Bug Found and Lost Again](https://www.crowdstrike.com/blog/pwn2own-tale-of-a-bug-found-and-lost-again/) * [Rooting Samsung Q60T Smart TV](https://www.synacktiv.com/sites/default/files/2021-11/GreHack2021_Rooting_Samsung_Q60T_Smart_TV.pdf) * [The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022](https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/) * [Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability](https://starlabs.sg/blog/2020/10-analysis-and-exploitation-of-a-recent-tp-link-archer-a7-vulnerability/) * [Our Pwn2Own journey against time and randomness (part 1)](https://blog.quarkslab.com/our-pwn2own-journey-against-time-and-randomness-part-1.html) * [Our Pwn2Own journey against time and randomness (part 2)](https://blog.quarkslab.com/our-pwn2own-journey-against-time-and-randomness-part-2.html) * [Your NAS is not your NAS 
!](https://devco.re/blog/2022/03/28/your-NAS-is-not-your-NAS-en/) * [Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I](https://devco.re/blog/2023/10/05/your-printer-is-not-your-printer-hacking-printers-pwn2own-part1-en/) * [Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II](https://devco.re/blog/2023/11/06/your-printer-is-not-your-printer-hacking-printers-pwn2own-part2-en/) * [Pwn2Own Toronto 2022 : A 9-year-old bug in MikroTik RouterOS](https://devco.re/blog/2024/05/24/pwn2own-toronto-2022-a-9-year-old-bug-in-mikrotik-routeros-en/) * [Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1](https://claroty.com/team82/research/pwn2own-wan-to-lan-exploit-showcase) * [Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2](https://claroty.com/team82/research/pivoting-from-wan-to-lan-synology-bc500-ip-camera) * [Pwn2Own Toronto 2023: Part 1 – How it all started](https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-1-how-it-all-started/) * [Pwn2Own Toronto 2023: Part 2 – Exploring the Attack Surface](https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-2-exploring-the-attack-surface/) * [Pwn2Own Toronto 2023: Part 3 – Exploration](https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-3-exploration/) * [Pwn2Own Toronto 2023: Part 4 – Memory Corruption Analysis](https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-4-memory-corruption-analysis/) * [Pwn2Own Toronto 2023: Part 5 – The Exploit](https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-5-the-exploit/) * [[TeamT5] Pwn2Own Contest Experience Sharing and Vulnerability Demonstration](https://teamt5.org/en/posts/teamt5-pwn2own-contest-experience-sharing-and-vulnerability-demonstration/) * [RCE on the HP M479fdw printer](https://neodyme.io/en/blog/pwn2own-2022_printer_rce/#tldr) * [Pwn2Own IoT 2024 -Lorex 2K Indoor 
Wi-FiSecurityCamera](https://www.rapid7.com/globalassets/_pdfs/research/pwn2own-iot-2024-lorex-2k-indoor-wi-fi-security-camera-research.pdf) * [Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland](https://blog.infosectcbr.com.au/2024/12/exploiting-lorex-2k-indoor-wifi-at.html) * [Not All Roads Lead to PWN2OWN: Hardware Hacking (Part 1)](https://www.hacktivesecurity.com/index.php/2024/12/10/not-all-roads-lead-to-pwn2own-hardware-hacking-part-1/) * [Not All Roads Lead to PWN2OWN: Firmware Reverse Engineering (Part 2)](https://www.hacktivesecurity.com/blog/2024/12/18/not-all-roads-lead-to-pwn2own-firmware-reverse-engineering-part-2/) * [Not All Roads Lead to PWN2OWN: CGI Fuzzing, AFL and ASAN (Part 3)](https://www.hacktivesecurity.com/blog/2024/12/18/not-all-roads-lead-to-pwn2own-firmware-reverse-engineering-part-2/) * [Exploiting a Blind Format String Vulnerability in Modern Binaries: A Case Study from Pwn2Own Ireland 2024](https://www.synacktiv.com/publications/exploiting-a-blind-format-string-vulnerability-in-modern-binaries-a-case-study-from) * [Exploiting the Tesla Wall connector from its charge port connector](https://www.synacktiv.com/en/publications/exploiting-the-tesla-wall-connector-from-its-charge-port-connector) * [Streaming Zero-Fi Shells to Your Smart Speaker](https://blog.ret2.io/2025/06/11/pwn2own-soho-2024-sonos-exploit/) * [Exploiting the Synology DiskStation with Null-byte Writes](https://blog.ret2.io/2025/04/23/pwn2own-soho-2024-diskstation/) * [Pwn2Own Automotive: CHARX Vulnerability Discovery](https://blog.ret2.io/2024/07/17/pwn2own-auto-2024-charx-bugs/) * [Pwn2Own Automotive: Popping the CHARX SEC-3100](https://blog.ret2.io/2024/07/24/pwn2own-auto-2024-charx-exploit/) * [Philips Hue Bridge Investigations: Part I](https://gh0stshell.cc/philips-hue-bridge-investigations-part-i) * ## Conference Talks * [HEXACON2022 - Emulate it until you make it! 
Pwning a DrayTek Router by Philippe Laulheret](https://youtu.be/CD8HfjdDeuM) * [OffensiveCon22 - Radek Domanski and Pedro Ribeiro - Pwn2Own’ing Your Router Over the Internet](https://www.youtube.com/watch?v=nnAxXnjsbUI) * [OffensiveCon20 - b1ack0wl - Don't forget to SUBSCRIBE](https://www.youtube.com/watch?v=4XP5D5tTaJU) * [OffensiveCon23 - Stacksmashing- Inside Apple’s Lightning: JTAGging the iPhone for Fuzzing and Profit](https://www.youtube.com/watch?v=-nFWcKHIUN4) * [DEF CON 24 Internet of Things Village - Elvis Collado - Reversing and Exploiting Embedded Devices](https://youtu.be/r4XntiyXMnA) * [#HITBCW2021 D2 - HITB LAB: ARM IoT Firmware Extraction And Emulation Using ARMX - Saumil Shah](https://youtu.be/Y1bFNZde33Q) * [Philippe Laulheret - Intro to Hardware Hacking - DEF CON 27 Conference](https://youtu.be/HuCbr2588-w?si=05gD8m7th_MfG3ZQ) * [ Nullcon Goa 2023 | IoT Hacking 101: Reverse Engineering The Xiaomi Ecosystem By Dennis Giese ](https://www.youtube.com/watch?v=zJ_67Yaeb70) * [ HEXACON2022 - 0-click RCE on the Tesla Model 3 by David Berard & Vincent Dehors ](https://youtu.be/k_F4wHc4h6k?si=pt-hU__FRPu8JyWM) * [ DEF CON Safe Mode Payment Village - Aleksei Stennikov - PoS Terminal Security Uncovered ](https://www.youtube.com/watch?v=gtbS3Gr264w) * [ OffensiveCon18 - Maddie Stone - The Smarts Behind Hacking Dumb Devices ](https://youtu.be/yU1BrY1ZB2o?si=u4fqLaCRNva9bvam) * [ HEXACON2024 - HSM Security and Exploitation of USB over SPI bug by Sergei Volokitin ](https://www.youtube.com/watch?v=iPMN9bQYmIU) * [ No Hat 2021 - F. Yamaguchi & C. Ursache - Ghidra2cpg: From graph queries to vulnerabilities in ... 
](https://www.youtube.com/watch?v=hfxCDx9BTLo) * [ No Hat 2024 - Jacopo Jannone - Exploring and Exploiting an Android “Smart POS” Payment Terminal ](https://www.youtube.com/watch?v=a9BFGlxP71Y) * [Embedded kernel emulation in QEMU for security assessment | Stephane Duverger | hardwear.io Webinar](https://youtu.be/tPkh6AeSVAs?si=0HTlaV8baQb8KIcJ) * [Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap](https://youtu.be/piw0CZ46-Q0?si=LTqAVVd6vqHPDpXH) * [Exploitation Against the Clock: Xiaomi S3 Smartwatch](https://youtu.be/55yciJgP3Uk?si=0jT3XugT0z3Ey3cW) * [BAM BAM On A Budget: You CAN Do It! - Hash Salehi](https://youtu.be/URmI1VVilek?si=E0KPRfhcTImdw7h3) * [Kylie McDevitt - From Plug to Pwn](https://www.youtube.com/watch?v=8gU5BOyMp_U) * [Glitching the Switch](https://www.youtube.com/watch?v=b-SeoIe1sKM) * [A Disassembler for ROM Recovery](https://youtu.be/rpQQ6bSHCWw?si=d3v-9BgU3RiixkPr) * [38C3 - Demystifying Common Microcontroller Debug Protocols](https://youtu.be/IC108KdVYz4?si=UD3Zc5Z7HmUQlirP) * [38C3 - Reverse engineering U-Boot for fun and profit](https://youtu.be/tnVD30fM5Tg?si=1XzC_152F1GGh6aZ) * [0days on A Shoestring: Breaking Embedded Systems With LLMs And Junk Hardware - Peter Geissler](https://www.youtube.com/watch?v=6mgbJFVOt-s&t=5311s) ## Labs * [DAMN VULNERABLE ARM ROUTER](https://www.vulnhub.com/entry/damn-vulnerable-arm-router-dvar-tinysploitarm,224/) * [Damn Vulnerable Router Firmware](https://github.com/praetorian-inc/DVRF) * [OWASP IoT goat](https://github.com/OWASP/IoTGoat) * [Explot Security CTF](https://exploitthis.ctfd.io/challenges) * ## Tools * [unblob](https://unblob.org/) * [binwalk](https://github.com/ReFirmLabs/binwalk) * [Ghidra](https://github.com/NationalSecurityAgency/ghidra/releases) # Free decompiler for most of the architectures * [IDA Pro](https://hex-rays.com/IDA-pro/) # Costs a lot for decompilers * [Qiling binary emulation & instrumentation framework](https://github.com/qilingframework/qiling) * 
[Unicon CPU emulator framework](https://github.com/unicorn-engine/unicorn) * [Qemu emulator](https://github.com/qemu/qemu) * [Buildroot cross-compiler](https://buildroot.org/) * [bugprove - Automatic firmware analysis platform](https://bugprove.com/) * [TritonDSE Library](https://github.com/quarkslab/tritondse) # emulation & symbolic execution library * gdb, gdb-multiarch, gdbserver for cross-architecture debugging * picocom, minicom, putty, screen for serial interfacing * [AFL++ a Coverage guided fuzzer](https://github.com/AFLplusplus/AFLplusplus) * [SVD-Loader for Ghidra](https://github.com/leveldown-security/SVD-Loader-Ghidra) * [cpu_rec identify cpu architecture from a binary blob](https://github.com/airbus-seclab/cpu_rec) * [binbloom (analyse a raw binary firmware to find Loading address, Endianness, etc..)](https://github.com/quarkslab/binbloom) * [afl-unicorn](https://github.com/Battelle/afl-unicorn) * [SCOUT](https://github.com/R00T-Kim/SCOUT) - Deterministic firmware-to-exploit evidence engine. 42-stage pipeline producing SARIF + CycloneDX SBOM + verified exploit chains. Tested on 1,123 firmware (FirmAE corpus, 98.8% success rate). Auto-detects Ghidra; zero pip dependencies. 
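The three tasks a practitioner runs first on a fresh dump (carve on known magics the way binwalk/unblob do, validate the U-Boot legacy header, and guess byte order and base address of a headerless image the way binbloom does) fit in one short script. The code below is an added example, not code from this list or from any of the tools it names; the sample image it builds is constructed for the demonstration, the signature table is deliberately short, and the endianness heuristic is a simplification of binbloom's approach (cluster the upper 16 bits of 32-bit words and see which byte order makes one value dominate).

```python
"""Firmware-blob triage in miniature: signature carving, uImage header checks
and a binbloom-style endianness / base-address guess. Added example; the
sample image below is constructed, not a real firmware."""
import struct
import zlib
from collections import Counter

# A handful of the magic values binwalk/unblob carve on. Real tools ship many
# more and validate the full header before trusting a hit.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage (U-Boot legacy) header",
    b"hsqs": "SquashFS, little-endian",
    b"sqsh": "SquashFS, big-endian",
    b"\x1f\x8b\x08": "gzip stream",
    b"UBI#": "UBI erase block",
    b"\x7fELF": "ELF",
}

UIMAGE_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32];
# the header is big-endian whatever the target CPU is.
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")


def scan_signatures(blob):
    """Return sorted (offset, description) pairs for every magic found."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = blob.find(magic)
        while pos >= 0:
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def parse_uimage(blob, off=0):
    """Decode the 64-byte legacy header at off and verify both CRC32s."""
    (magic, hcrc, _ts, size, load, ep, dcrc, os_, arch, typ, comp,
     name) = UIMAGE_HDR.unpack_from(blob, off)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset %#x" % off)
    hdr = bytearray(blob[off:off + UIMAGE_HDR.size])
    hdr[4:8] = b"\0\0\0\0"              # ih_hcrc is computed with itself zeroed
    data = blob[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    return {
        "size": size, "load": load, "entry": ep, "os": os_, "arch": arch,
        "type": typ, "comp": comp,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "hcrc_ok": zlib.crc32(bytes(hdr)) == hcrc,
        "dcrc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def guess_endianness(code):
    """Pointers into an image share their upper 16 bits, so whichever byte
    order makes one upper halfword dominate is the likely target order, and
    that halfword << 16 is a candidate base (load) address."""
    n = len(code) // 4 * 4
    best = None
    for order, fmt in (("little", "<I"), ("big", ">I")):
        hi = Counter(w >> 16 for (w,) in struct.iter_unpack(fmt, code[:n]))
        hi.pop(0, None)                     # zero-filled words
        hi.pop(0xFFFF, None)                # erased-flash padding
        if hi:
            top, count = hi.most_common(1)[0]
            if best is None or count > best[1]:
                best = (order, count, top << 16)
    return None if best is None else (best[0], best[2])


def build_sample_blob():
    """Constructed input: a uImage wrapping a Cortex-M style little-endian
    vector table living in 0x0800_0000 flash, followed by a SquashFS magic."""
    vectors = b"".join(struct.pack("<I", 0x08000000 | (0x0100 + 0x40 * i) | 1)
                       for i in range(64))
    payload = vectors + b"BOOT v1.2 (constructed sample)\0" + b"\xff" * 64
    payload += b"\0" * (-len(payload) % 4)
    # os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0 (none)
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), 0x08000000,
                                    0x08000101, zlib.crc32(payload), 5, 2, 2, 0,
                                    b"sample-kernel"))
    hdr[4:8] = struct.pack(">I", zlib.crc32(bytes(hdr)))
    return bytes(hdr) + payload + b"hsqs" + b"\0" * 28


def triage(blob):
    """Run all three steps; the first uImage payload feeds the byte-order guess."""
    report = {"hits": scan_signatures(blob)}
    for off, desc in report["hits"]:
        if desc.startswith("uImage"):
            info = parse_uimage(blob, off)
            start = off + UIMAGE_HDR.size
            report["uimage"] = info
            report["endianness"] = guess_endianness(blob[start:start + info["size"]])
            break
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample_blob()).items():
        print(key, value)
```

Run it as a script to see the report for the constructed sample; pointed at a real dump (for instance one read back over the eMMC or serial methods in the write-ups above) it will produce false-positive signature hits, which is why real carvers validate the whole header, and the data CRC check is what tells you a dump read over a flaky link is incomplete before you spend hours reversing it.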
## Misc
* [#HITBLockdown D2 - Virtual Lab - Firmware Hacking With Ghidra - Thomas Roth & Dmitry Nedospasov](https://youtu.be/U70unElrYbs)
* [#HITBLockdown002 VIRTUAL LAB: Qiling Framework: Build a Fuzzer Based on a 1day Bug - Lau Kai Jern](https://www.youtube.com/watch?v=e3_T3KLh2NU)
* [Firmware Bug hunting with Taint analysis](https://youtu.be/D2jHvjeFQCM)
* [Hacking: The Art of Exploitation](https://nostarch.com/hacking2.htm)
* [Leaked IoT malware source code](https://github.com/ifding/iot-malware)
* [SEC661: ARM Exploit Development and an Introduction to Router Emulation](https://www.sans.org/webcasts/overview-sec661-arm-exploit-development-introduction-router-emulation/)
* [#HITBCyberWeek D1 LAB - Writing Bare-Metal ARM Shellcode](https://youtu.be/Kx1PDSGXr-w)
* [ARM Assembly and Shellcode Basics - Saumil Shah at 44CON 2017 - Workshop](https://youtu.be/BhjJBuX0YCU)
* [BSidesMCR 2018: Introduction To Return Oriented Exploitation On ARM64 by Billy Ellis](https://youtu.be/-_LGrrKv61c)
* [Billy Ellis](https://www.youtube.com/@BillyEllis/videos) # YouTube channel on iOS security
* [#68 [GUIDE] Reverse engineering 🖥 firmware 📃](https://youtu.be/ZVQFE0qFdiY)
* [Reverse Engineering & Vulnerability Analysis](https://pwn.umasscybersec.org/lectures/index.html)
* [Remoticon 2020 // Introduction to Firmware Reverse Engineering](https://youtu.be/ccgB3UuCxjE)
* [QilingLab](https://joansivion.github.io/qilinglabs/)
* [Practical Binary Analysis](https://practicalbinaryanalysis.com/)
* [A noob's guide to ARM exploitation](https://ad2001.gitbook.io/a-noobs-guide-to-arm-exploitation/)
* [What is a "good" memory corruption vulnerability?](https://googleprojectzero.blogspot.com/2015/06/what-is-good-memory-corruption.html)