Hardware
- The hackers hardware toolkit
- A FRAMEWORK FOR EMBEDDED HARDWARE SECURITY ANALYSIS
- Overview of Hardware Hacking for Security Assessment
- Hardware Hacking Live at S4x16
- Awesome firmware security
- ChipWhisperer-Lite
- Repo for chipwhisperer
- Breaking Crypto For Dummies Slide
- A practical guide to RFID badge copying
- Replicant: Reproducing a Fault Injection Attack on the Trezor One
- Vuln research on the WAG54G home router
- Exploiting PSoC4 for fun and profit
- A2: Analog Malicious Hardware
- IoT goes nuclear
- Reverse Engineering Hardware of Embedded Devices: From China to the World
- Shedding too much Light on a Microcontroller’s Firmware Protection (paper about bypassing microcontroller firmware protection)
- Computational Aspects of Correlation Power Analysis (paper)
- Console Security - Switch
- Exploiting cheap labor! D-Link 815N vulnerabilities hunt
- THE CAR HACKER’S HANDBOOK
- Bypassing CRP on Microcontrollers by Andrew Tierney (video)
- Microcontroller Firmware Recovery Using Invasive Analysis
- ShofEL2, a Tegra X1 and Nintendo Switch exploit
- Critical RCE Vulnerability Found in Over a Million GPON Home Routers
- Rooting a Logitech Harmony Hub: Improving Security in Today's IoT World
- Insomni’hack 2018 write-up – S3curLock level 1, 2 & 3
- Post about a 0day in MikroTik's RouterOS
- Ghost in the Machine: Challenges in Embedded Binary Security (video, USENIX Enigma 2017)
- Hacking the PS4, From zero to ring zero in two easy steps (slides)
- PS4 Aux Hax 1: Intro & Aeolia
- Rocking the pocket book: Hacking chemical plants for competition and extortion
- Hardware Hacking 101 talk
- eyeDisk. Hacking the unhackable. Again
- Make It Rain with MikroTik
- Taking a Look into Execute-Only Memory
- Breaking Through Another Side: Bypassing Firmware Security Boundaries (Hardware/Firmware Security != sum of all Security Boundaries; rather, Hardware/Firmware Security == HW_SEC_Boundary_1 || HW_SEC_Boundary_2 || ... || HW_SEC_Boundary_N)
- Pwn the ESP32 crypto-core
- Pwn the ESP32 Secure Boot
- Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
- Xiaomi Zigbee (1): Getting to know the hardware
- RouterOS: Chain to Root
- Hacking microcontroller firmware through a USB
- 36C3 - Hacking Sony PlayStation Blu-ray Drives
- PAN: about the broken “PAN” (Privileged Access Never) mitigation
- david-oswald/hwsec_lecture_notes: lecture notes for the Hardware and Embedded Systems Security lecture
- Exception(al) Failure - Breaking the STM32F1 Read-Out Protection
- Console Hacking: Nintendo Switch (video)
- xairy/hardware-village: materials for my Hardware Village talks
- Tool Release: Sinking U-Boots with Depthcharge, with documentation
- Exploiting Undocumented Hardware Blocks in the LPC55S69
- Dumping K360 wireless keyboard firmware with a GreatFET
- One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers
- A Primer on Cold Boot Attacks Against Embedded Systems
- Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu
- Hacking more secure portable storage devices
- Firmware key extraction by gaining EL3
Consoles
- The naked PSP
- Trinity: PSP Emulator Escape
- Full key extraction of NVIDIA™ TSEC
- Je Ne Sais Quoi - Falcons over the Horizon
- shogihax - Remote Code Execution on Nintendo 64 through Morita Shogi 64
- bd-j exploit chain: 5 vulnerabilities chained together that allow an attacker to gain JIT capabilities and execute arbitrary payloads on PS4/PS5
- Exploiting the Wii U's USB Descriptor parsing
- PS4 Aux Hax 5: Flawed Instructions Get Optimized
- Next-Gen Exploitation: Exploring the PS5 Security Landscape
Bootloader
- Exploiting Android S-Boot
- [GUIDE] USB Uart on Galaxy S devices
- NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader
- BootStomp: On the Security of Bootloaders in Mobile Devices
- Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM
- HARDENING SECURE BOOT ON EMBEDDED DEVICES FOR HOSTILE ENVIRONMENTS
- Emulating Exynos 4210 BootROM in QEMU
- Extracting TREZOR Secrets from SRAM
- De Rebus Antiquis exploiting the recursive stack overflow bug in the iOS 7 bootchain
- Analysis of Qualcomm Secure Boot Chains
- Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
- Pwning the bcm61650
Jailbreak
Side channel attack
- Reading privileged memory with a side-channel
- Intel Analysis of Speculative Execution Side Channels (PDF)
- Hiding your White-Box Designs is Not Enough
- Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices
- On-Device Power Analysis Across Hardware Security Domains
- In Transactional Memory, No One Can Hear You Scream
- Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction
- Recovering the CTR_DRBG state in 256 traces
- Read secure firmware from STM32F1xx flash using ChipWhisperer
CPUs
- Foreshadow Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution
- Speculative Dereferencing of Registers: Reviving Foreshadow (latest paper, with a more accurate view of speculative execution attacks on CPUs)
- Ghostbuster: Spectre exploitation in real life
- A Systematic Evaluation of Transient Execution Attacks and Defenses
- CROSSTALK
- Inception: how a simple XOR can cause a Microarchitectural Stack Overflow
Glitching
- Glitching the Switch
- Fault injection attacks on microcontrollers: clock glitching tutorial
- Shaping the Glitch: Optimizing Voltage Fault Injection Attacks
- Introduction to Glitch Attacks (including Glitch Explorer)
- Copy Protection in Modern Microcontrollers
- Fault attacks on secure chips: from glitch to flash (PDF)
- How the PS3 hypervisor was hacked
- Firmware dumping technique for an ARM Cortex-M0 SoC
- An In-depth and Black-box characterization of the effects of Clock Glitches on 8-bit MCUs
- Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller
- Glitching the switch
- Injecting Software Vulnerabilities with Voltage Glitching (PDF)
- There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently
- Controlling PC on ARM using Fault Injection
- The Sorcerer’s Apprentice Guide to Fault Attacks
- https://pulse-sec.com/drive/PANDA2018_-Advancing_FI_attacks-_Fault_Models_opportunities.pdf
- Glitching Trezor using EMFI Through The Enclosure
- Fault Injection using Crowbars on Embedded Systems
- Fault Injection Attacks and Countermeasures in Embedded Processors
- Basic side-channel framework repository: provides a basic framework for side-channel analysis. Currently it combines SAKURA-G, ChipWhisperer, OpenADC, Jupyter Notebook, etc.
- Escalating Privileges in Linux using Voltage Fault Injection
- Glitching a $20k Piece of History
- Differential Fault Injection Against AES on Atmega328
- 36C3 - TrustZone-M(eh): Breaking ARMv8-M's security
- Espressif ESP32: Controlling PC during Secure Boot
- nRF52 Debug Resurrection (APPROTECT Bypass) Part 1
- There’s A Hole In Your SoC: Glitching The MediaTek BootROM
- CHIP.FAIL – GLITCHING THE SILICON OF THE CONNECTED WORLD
- Enter the EFM32 Gecko: hardware exploit to unlock the debug port on the EFM32 Gecko Series 1 MCUs via a home-made EM injection system
Power analysis
- Differential Power Analysis (original paper by Paul Kocher)
- Introduction to differential power analysis
- Power-Based Side-Channel Attack for AES Key Extraction on the ATMega328 Microcontroller (with a GitHub repo)
- TEMPEST attacks against AES
- Breaking AES128 with Multi-Bit DPA
- POWER (ANALYSIS) TO THE PEOPLE
Timing attack
Reverse engineering
- NMOS IC Reverse Engineering
- siliconpr0n
- Inside the 74181 ALU chip: die photos and reverse engineering
- Reverse-Engineering a Cryptographic RFID Tag
JTAG
- JTAGing Mobile Phones
- The JTAG Interface: AN ATTACKER’S PERSPECTIVE
- Extracting firmware from devices using JTAG
- MIPS EJTAG specification
- Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extraction
- SWD – ARM’S ALTERNATIVE TO JTAG
- The hitchhacker’s guide to iPhone Lightning & JTAG hacking
Exploit
- Developing MIPS Exploits to Hack Routers
- Nifty Tricks and Sage Advice for Shellcode on Embedded Systems
- Pandora’s Cash Box: The Ghost Under Your POS
- Security Advisories: D-Link DSL-2640B
- FreeDVDBoot - Hacking the PlayStation 2 through its DVD player
- An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices
- KINIBI TEE: TRUSTED APPLICATION EXPLOITATION
- Backdoors and other vulnerabilities in HiSilicon based hardware video encoders