Hardware

• The hackers hardware toolkit
• A FRAMEWORK FOR EMBEDDED HARDWARE SECURITY ANALYSIS
• Overview of Hardware Hacking for Security Assessment
• Hardware Hacking Live at S4x16
• Awesome firmware security
• ChipWhisperer-Lite
• Repo for chipwhisperer
• Breaking Crypto For Dummies Slide
• A practical guide to RFID badge copying
• Replicant: Reproducing a Fault Injection Attack on the Trezor One
• Vuln research on the WAG54G home router
• Exploiting PSoC4 for fun and profit
• A2: Analog Malicious Hardware
• IoT goes nuclear
• Reverse Engineering Hardware of Embedded Devices: From China to the World
• Shedding too much Light on a Microcontroller’s Firmware Protection paper about microcontroller security protection bypass
• paper Computational Aspects of Correlation Power Analysis
• Console Security - Switch
• Exploiting cheap labor! D-Link 815N vulnerabilities hunt
• THE CAR HACKER’S HANDBOOK
• Bypassing CRP on Microcontrollers by Andrew Tierney video
• Microcontroller Firmware Recovery Using Invasive Analysis
• ShofEL2, a Tegra X1 and Nintendo Switch exploit
• Critical RCE Vulnerability Found in Over a Million GPON Home Routers
• Rooting a Logitech Harmony Hub: Improving Security in Today's IoT World
• Insomni’hack 2018 write-up – S3curLock level 1, 2 & 3
• Post about 0day into the MikroTik's RouterOS
• Ghost in the Machine: Challenges in Embedded Binary Security video at USENIX Enigma 2017
• Hacking the PS4, From zero to ring zero in two easy steps slide
• PS4 Aux Hax 1: Intro & Aeolia
• Rocking the pocket book: Hacking chemical plants for competition and extortion
• Hardware Hacking 101 talk
• eyeDisk. Hacking the unhackable. Again
• Make It Rain with MikroTik
• Taking a Look into Execute-Only Memory
• Breaking Through Another Side: Bypassing Firmware Security Boundaries Hardware/Firmware Security != Summary of all Security Boundaries -> Hardware/Firmware Security == HW_SEC_Boundary_1||HW_SEC_Boundary_2|| ... || HW_SEC_Boundary_N
• Pwn the ESP32 crypto-core
• Pwn the ESP32 Secure Boot
• Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
• Xiaomi Zigbee (1): Getting to know the hardware
• RouterOS: Chain to Root
• Hacking microcontroller firmware through a USB
• 36C3 - Hacking Sony PlayStation Blu-ray Drives
• PAN about broken “PAN” (Privileged Access Never)
• david-oswald/hwsec_lecture_notes Lecture notes for the Hardware and Embedded Systems Security lecture
• Exception(al) Failure - Breaking the STM32F1 Read-Out Protection
• Console Hacking: Nintendo Switch video
• xairy/hardware-village Materials for my Hardware Village talks
• Tool Release: Sinking U-Boots with Depthcharge, with documentation
• Exploiting Undocumented Hardware Blocks in the LPC55S69
• Dumping K360 wireless keyboard firmware with a GreatFET
• One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers
• A Primer on Cold Boot Attacks Against Embedded Systems
• Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu
• Hacking more secure portable storage devices
• Firmware key extraction by gaining EL3

Consoles

• The naked PSP
• Trinity: PSP Emulator Escape
• Full key extraction of NVIDIA™ TSEC
• Je Ne Sais Quoi - Falcons over the Horizon
• shogihax - Remote Code Execution on Nintendo 64 through Morita Shogi 64
• bd-j exploit chain 5 vulnerabilities chained together that allows an attacker to gain JIT capabilities and execute arbitrary payloads on PS4/PS5
• Exploiting the Wii U's USB Descriptor parsing
• PS4 Aux Hax 5: Flawed Instructions Get Optimized
• Next-Gen Exploitation: Exploring the PS5 Security Landscape

Bootloader

• Exploiting Android S-Boot
• [GUIDE] USB Uart on Galaxy S devices
• NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader
• BootStomp: On the Security of Bootloaders in Mobile Devices
• Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM
• HARDENING SECURE BOOT ON EMBEDDED DEVICES FOR HOSTILE ENVIRONMENTS
• Emulating Exynos 4210 BootROM in QEMU
• Extracting TREZOR Secrets from SRAM
• De Rebus Antiquis exploiting the recursive stack overflow bug in the iOS 7 bootchain
• Analysis of Qualcomm Secure Boot Chains
• Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
• Pwn­ing the bcm61650

Jailbreak

• Jailbreaking iOS: From past to present
• Technical analysis of the checkm8 exploit

Side channel attack

• Reading privileged memory with a side-channel
• Intel Analysis of Speculative Execution Side Channels PDF
• Hiding your White-Box Designs is Not Enough
• Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices
• On-Device Power Analysis Across Hardware Security Domains
• In Transactional Memory, No One Can Hear You Scream
• Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction
• Recovering the CTR_DRBG state in 256 traces
• Read secure firmware from STM32F1xx flash using ChipWhisperer

CPUs

• Foreshadow Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution
• Speculative Dereferencing of Registers: Reviving Foreshadow latest paper with a more correct view on speculation attack on CPUs
• Ghostbuster: Spectre exploitation in real life
• A Systematic Evaluation of Transient Execution Attacks and Defenses
• CROSSTALK
• Inception how a simple XOR can cause a Microarchitectural Stack Overflow

Glitching

• Glitching the Switch
• fault injection attacks on microcontrollers: clock glitching tutorial
• Shaping the Glitch: Optimizing Voltage Fault Injection Attacks
• Introduction to Glitch Attacks (including Glitch Explorer)
• Copy Protection in Modern Microcontrollers
• Fault attacks on secure chips: from glitch to flash PDF
• How the PS3 hypervisor was hacked
• Firmware dumping technique for an ARM Cortex-M0 SoC
• An In-depth and Black-box characterization of the effects of Clock Glitches on 8-bit MCUs
• Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller
• Glitching the switch
• Injecting Software Vulnerabilities with Voltage Glitching PDF
• There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently
• Controlling PC on ARM using Fault Injection
• The Sorcerer’s Apprentice Guide to Fault Attacks
• https://pulse-sec.com/drive/PANDA2018_-Advancing_FI_attacks-_Fault_Models_opportunities.pdf
• Glitching Trezor using EMFI Through The Enclosure
• Fault Injection using Crowbars on Embedded Systems
• Fault Injection Attacks and Countermeasures in Embedded Processors
• Basic Side channel framework repository: provide a basic framework for side-channel analysis. Currently, it combines SAKURA-G, Chipwhispere, OpenADC, Jupyter Notebook...etc.
• Escalating Privileges in Linux using Voltage Fault Injection
• Glitching a $20k Piece of History
• Differential Fault Injection Against AES on Atmega328
• 36C3 - TrustZone-M(eh): Breaking ARMv8-M's security
• Espressif ESP32: Controlling PC during Secure Boot
• nRF52 Debug Resurrection (APPROTECT Bypass) Part 1
• There’s A Hole In Your SoC: Glitching The MediaTek BootROM
• CHIP.FAIL – GLITCHING THE SILICON OF THE CONNECTED WORLD
• Enter the EFM32 Gecko hardware exploit to unlock the debug port on the EFM32 Gecko MCUs Series 1 via an home-made EM Injection System

Power analysis

• Differential Power Analysis original paper by Paul Kocher
• Introduction to differential power analysis
• Power-Based Side-Channel Attack for AES Key Extraction on the ATMega328 Microcontroller with a github repo
• TEMPEST attacks against AES
• Breaking AES128 with Multi-Bit DPA
• POWER (ANALYSIS) TO THE PEOPLE

Timing attack

• Timing attack on an Embedded Controller
• Timing Attacks using Machine Learning

Reverse engineering

• NMOS IC Reverse Engineering
• siliconpr0n
• Inside the 74181 ALU chip: die photos and reverse engineering
• Reverse-Engineering a Cryptographic RFID Tag

JTAG

• JTAGing Mobile Phones
• The JTAG Interface: AN ATTACKER’S PERSPECTIVE
• Extracting firmware from devices using JTAG
• MIPS EJTAG specification
• Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extraction
• SWD – ARM’S ALTERNATIVE TO JTAG
• The hitchhacker’s guide to iPhone Lightning & JTAG hacking

Exploit

• Developing MIPS Exploits to Hack Routers
• Nifty Tricks and Sage Advice for Shellcode on Embedded Systems
• Pandora’s Cash Box: The Ghost Under Your POS
• Security Advisories: D-Link DSL-2640B
• FreeDVDBoot - Hacking the PlayStation 2 through its DVD player
• an EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices
• KINIBI TEE: TRUSTED APPLICATION EXPLOITATION
• Backdoors and other vulnerabilities in HiSilicon based hardware video encoders