Awesome-Embedded-Systems-Vulnerability-Research

Resources to get started vulnerability research on IoT/embedded devices. All resources credits goes to the respectful authors.

Books

• Practical IoT Hacking
• The Hardware Hacking Handbook
• Blue Fox: Arm Assembly Internals and Reverse Engineering
• Fuzzing Against the Machine
• MIPS Assembly Programmming
• pentest hardware

YouTube videos

• stacksmashing
• Flashback Team
• Matt Brown
• LiveOverflow (RHme CTF)
• LiveOverflow (Hardware security research)
• gamozolabs (Printer Hacking)
• Make Me Hack (Hardware Hacking Tutorial)
• Foscam R2C camera
• Colin O'Flynn
• AVR reverse engineering (HACKADAY)
• Joe Grand

Blogs

• IoT binary analysis & emulation part -1
• MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE
• MINDSHARE: HOW TO "JUST EMULATE IT WITH QEMU"
• MINDSHARE: HARDWARE REVERSING WITH THE TP-LINK TL-WR841N ROUTER
• MINDSHARE: HARDWARE REVERSING WITH THE TP-LINK TL-WR841N ROUTER - PART 2
• EXPLOITING THE SONOS ONE SPEAKER THREE DIFFERENT WAYS: A PWN2OWN TORONTO HIGHLIGHT
• Unauthenticated RCE on a RIGOL oscilloscope
• Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device
• THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT
• NETGEAR Routers: A Playground for Hackers?
• I HACK, U-BOOT
• PCB Reverse Engineering: A Comprehensive Guide
• Debugging D-Link: Emulating firmware and hacking hardware
• hyprblog
• TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)
• pwn-hisilicon-dvr
• Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu
• ROP-ing on Aarch64 - The CTF Style
• The Oddest Place You Will Ever Find PAC
• Azeria Labs
• When an N-Day turns into a 0day. (Part 1 of 2)
• Payatu blog
• Attify blog
• STAR Labs blog
• wrongbaud's blog
• DUMPING THE SONOS ONE SMART SPEAKER
• PULL UP YOUR BOOTLOADER
• How to Speak your Hardware’s Language
• Dissection of a Payment Terminal
• Dissection of a Payment Terminal: Part 2
• Breaking (bad) firmware encryption. Case study on the Netgear Nighthawk M1
• An introduction to printer exploitation
• Breaking the D-Link DIR3060 Firmware Encryption - Recon - Part 1
• Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.1
• Breaking the D-Link DIR3060 Firmware Encryption - Static analysis of the decryption routine - Part 2.2
• LinkSys EA6100 AC1200 - Part 1 - PCB reversing
• LinkSys EA6100 AC1200 - Part 2 - A serial connection FTW!
• study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)
• 5 part series on reversing huawei router
• Xiongmai IoT Exploitation
• Exploiting: Buffer overflow in Xiongmai DVRs
• Introduction to PS4's security, and userland ROP
• Hacking the PS4, part 2 Userland code execution
• Hacking the PS4, part 3 Kernel exploitation
• 4 part series on Dlink camera 0 day
• Identifying Bugs in Router Firmware at Scale with Taint Analysis
• ASUSWRT URL Processing Stack Buffer Overflow
• Reverse IoT devices
• Hacking into TP-Link Archer C6 – shell access without physical disassembly
• Modern Vulnerability Research Techniques on Embedded Systems
• Embedded Hardware Hacking 101 – The Belkin WeMo Link
• The ABCs of NFC chip security
• Reversing Raw Binary Firmware Files in Ghidra
• SYNful Knock - A Cisco router implant - Part I
• MIPS Assembly
• Fail0verflow console security
• starkes blog
• Evaluating IoT firmware through emulation and fuzzing
• Quentin kaiser blogs
• TCP backdoor 32764 or how we could patch the Internet (or part of it ;))
• Reverse Engineering a VxWorks OS Based Router
• Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1
• Reverse Engineering a Philips TriMedia CPU based IP camera - Part 2
• Reverse Engineering a Philips TriMedia CPU based IP camera - Part 3
• Flash Dumping - Part I
• Reversing Mac Donald's table beacon
• day to 0day(CVE-2022-30024) on TP-Link TL-WR841N
• Triple Threat: Breaking Teltonika Routers Three Ways
• Methods for Extracting Firmware from OT Devices for Vulnerability Research
• Local Privilege Escalation on the DJI RM500 Smart Controller
• Bypassing password protection and getting a shell through UART in NEC Aterm WR8165N Wi-Fi router
• Faraday CTF 2022 Write-up: Reverse Engineering and Exploiting an IoT bug
• The .text Dilemma
• JTAG 'Hacking' the Original Xbox in 2023
• Hacking 101 to mobile data
• Enabot Hacking: Part 1
• Enabot Hacking: Part 2
• Enabot Hacking: Part 3
• Setting up a Research Environment for IP Cameras
• Hacking Reolink cameras for fun and profit
• Reverse Engineering Yaesu FT-70D Firmware Encryption
• Basics of hardware hacking
• Reversing embedded device bootloader (U-Boot) - p.1
• Reversing embedded device bootloader (U-Boot) - p.2
• How I Hacked my Car
• Google Pixel Watch Root Guide using Magisk​
• 1day to 0day(CVE-2022-30024) on TP-Link TL-WR841N
• TP-Link TL-WR940N: 1-days analysis after story. (CVE-2022-43636 & CVE-2022-43635)
• NETGEAR R6700v3: 1day Analysis (CVE-2021-34982) Buffer Overflow RCE Vulnerability
• Research IOT - Analyze Bootloader - notBootSecure
• 14-829: Mobile and IoT Security
• Simulating and hunting firmware vulnerabilities with Qiling
• Voidstar Security Research Blog
• Analyzing bare metal firmware binaries in Ghidra
• Reverse engineering of ARM microcontrollers
• Reverse engineering microcontrollers WITHOUT a datasheet
• Dynamic analysis of firmware components in IoT devices
• 🔌 Hardware All The Things
• Reverse Engineering IoT Firmware: Where to Start
• CAN Injection: keyless car theft
• Reverse Engineering a VxWorks OS Based Router
• Solving a Little Mystery
• IOActive Labs blogs
• Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part I
• Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework, Part II
• A Tourist’s Phrasebook for Reversing Embedded ARM in the Dialect of the Cortex M Series
• Bypassing upgrade limitations on a TP-Link TL-WR841N
• Diving into Starlink's User Terminal Firmware
• HOW TO ROOT THE LG WATCH URBANE
• JTAGulator vs. JTAGenum, Tools for Identifying JTAG Pins in IoT Devices
• Chasing doorbells: Finding IoT vulnerabilities in embedded devices
• Methods for Extracting Firmware from OT Devices for Vulnerability Research
• Hacking Transcend WiFi SD Cards
• Rooting Xiaomi WiFi Routers
• A bowl full of security problems: Examining the vulnerabilities of smart pet feeders
• CVE–2019–8985 RCE
• Emulating and Exploiting UEFI Firmware
• Reverse Engineering Router Firmware - But the Firmware is Encrypted

pwn2own writeup

• Pwn2Own Toronto 22: Exploit Netgear Nighthawk RAX30 Routers
• Exploiting the HP Printer without the printer (Pwn2Own 2022)
• THE PRINTER GOES BRRRRR, AGAIN!
• PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749
• Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup
• Competing in Pwn2Own 2021 Austin: Icarus at the Zenith
• THE PRINTER GOES BRRRRR!!!
• COOL VULNS DON'T LIVE LONG - NETGEAR AND PWN2OWN
• PWN2OWN AUSTIN 2021 : DEFEATING THE NETGEAR R6700V3
• YOUR VULNERABILITY IS IN ANOTHER OEM!
• PWN2OWN TOKYO 2020: DEFEATING THE TP-LINK AC1750
• Pwn2Own: A Tale of a Bug Found and Lost Again
• Rooting Samsung Q60T Smart TV
• The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022
• Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability
• Our Pwn2Own journey against time and randomness (part 1)

Conference Talks

• HEXACON2022 - Emulate it until you make it! Pwning a DrayTek Router by Philippe Laulheret
• OffensiveCon22 - Radek Domanski and Pedro Ribeiro - Pwn2Own’ing Your Router Over the Internet
• OffensiveCon20 - b1ack0wl - Don't forget to SUBSCRIBE
• OffensiveCon23 - Stacksmashing- Inside Apple’s Lightning: JTAGging the iPhone for Fuzzing and Profit
• DEF CON 24 Internet of Things Village - Elvis Collado - Reversing and Exploiting Embedded Devices
• #HITBCW2021 D2 - HITB LAB: ARM IoT Firmware Extraction And Emulation Using ARMX - Saumil Shah
• Philippe Laulheret - Intro to Hardware Hacking - DEF CON 27 Conference

Folks to follow

• b1ack0wl
• 0xor0ne
• wrongbaud
• stacksmashing
• Matt Brown
• trendytofu
• hyprdude
• Quentin Kaiser

Labs

• DAMN VULNERABLE ARM ROUTER
• Damn Vulnerable Router Firmware
• OWASP IoT goat

Tools

• unblob
• binwalk
• Ghidra # Free decompiler for most of the architectures
• IDA Pro # Costs a lot for decompilers
• Qiling binary emulation & instrumentation framework
• Unicon CPU emulator framework
• Qemu emulator
• Buildroot cross-compiler
• bugprove - Automatic firmware analysis platform
• TritonDSE Library # emulation & symbolic execution library
• gdb, gdb-multiarch, gdbserver for cross-architecture debugging
• picocom, minicom, putty, screen for serial interfacing
• AFL++ a Coverage guided fuzzer
• SVD-Loader for Ghidra

Misc

• #HITBLockdown D2 - Virtual Lab - Firmware Hacking With Ghidra - Thomas Roth & Dmitry Nedospasov
• #HITBLockdown002 VIRTUAL LAB: Qiling Framework: Build a Fuzzer Based on a 1day Bug - Lau Kai Jern
• Firmware Bug hunting with Taint analysis
• Hacking The Art of Exploitation
• Leaked Malware source code
• SEC661: ARM Exploit Development and an Introduction to Router Emulation
• #HITBCyberWeek D1 LAB - Writing Bare-Metal ARM Shellcode
• ARM Assembly and Shellcode Basics - Saumil Shah at 44CON 2017 - Workshop
• BSidesMCR 2018: Introduction To Return Oriented Exploitation On ARM64 by Billy Ellis
• Billy Ellis # Youtube channel about IOS security
• #68 [GUIDE] Reverse engineering 🖥 firmware 📃
• Reverse Engineering & Vulnerability Analysis
• Remoticon 2020 // Introduction to Firmware Reverse Engineering
• qiling Lab
• Practical Binary Analysis
• A-noobs-guide-to-arm-exploitation