- [Bus Pirate JTAG Connections with OpenOCD](https://research.kudelskisecurity.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/)
- [Extracting Firmware from External Memory via JTAG](https://www.youtube.com/watch?v=IadnBUJAvks)
- [The Hitchhacker's Guide to iPhone Lightning and JTAG Hacking](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/stacksmashing%20-%20The%20hitchhackers%20guide%20to%20iPhone%20Lightning%20%20%20JTAG%20hacking.pdf)
- [Debugging AVR Microcontrollers Through JTAG](https://hev0x.github.io/posts/debugging-avr-with-atmelice-and-gdb/)
- [Unveiling Vulnerabilities: Exploring SWD Attack Surface in Hardware](https://redfoxsec.com/blog/unveiling-vulnerabilities-exploring-swd-attack-surface-in-hardware/)
- [Introduction to ARM Serial Wire Debug Protocol](https://developer.arm.com/documentation/ihi0031/a/The-Serial-Wire-Debug-Port--SW-DP-/Introduction-to-the-ARM-Serial-Wire-Debug--SWD--protocol)
- [Serial Wire Debug and CoreSight Architecture](https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imxrt/4786/2/Serial_Wire_Debug.pdf)
- [LibSWD - Serial Wire Debug Open Library](https://github.com/cederom/LibSWD)
- [Hardware Hacking and Exploitation Bootcamp - SWD](https://happeningnext.com/event/hardware-hacking-and-exploitation-bootcamp-eid4sntq7lbas1)
#### SPI
- [Hardware Hacking 101: Identifying and Dumping eMMC Flash](https://www.riverloopsecurity.com/blog/2020/03/hw-101-emmc/)
- [Dumping Firmware from Router Using Bus Pirate - SPI](https://www.iotpentest.com/2019/06/dumping-firmware-from-device-using.html)
- [Extracting Flash Memory over SPI](https://akimbocore.com/article/extracting-flash-memory-over-spi/)
- [Extracting Firmware from Embedded Devices (SPI NOR Flash)](https://www.youtube.com/watch?v=nruUuDalNR0)
- [How to Flash Chip of a Router with a Programmer](https://www.youtube.com/watch?v=fbt4OJXJdOc)
- [TPM 2.0: Extracting Bitlocker Keys Through SPI](https://lucasteske.dev/2024/01/tpm2-bitlocker-keys)
#### I2C
- [IoT Security Part 16: Hardware Attack Surface I2C](https://payatu.com/masterclass/iot-security-part-16-101-hardware-attack-surface-i2c/)
- [RPMB: A Secret Place Inside the eMMC](https://sergioprado.blog/rpmb-a-secret-place-inside-the-emmc/)
- [Hardware Hacking 101: Identifying and Dumping eMMC Flash](https://www.riverloopsecurity.com/blog/2020/03/hw-101-emmc/)
- [eMMC Data Recovery from Damaged Smartphone](https://dangerouspayload.com/2018/10/24/emmc-data-recovery-from-damaged-smartphone/)
- [Unleash Your Smart-Home Devices: Vacuum Cleaning Robot Hacking](https://media.ccc.de/v/34c3-9147-unleash_your_smart-home_devices_vacuum_cleaning_robot_hacking)
- [Hands-On IoT Hacking: Rapid7 at DEF CON 30](https://www.rapid7.com/blog/post/2022/10/18/hands-on-iot-hacking-rapid7-at-def-con-30-iot-village-part-1/)
- [Rowhammer Bit Flips to Steal Crypto Keys](https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/)
### Glitcher Part 1 - Reproducible Voltage Glitching on STM32 Microcontrollers](https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage-glitching-on-stm32-microcontrollers/)
- [STM32L05 Voltage Glitching](https://blog.syss.com/posts/voltage-glitching-the-stm32l05-microcontroller/)
**Version 3.0** - Enhanced with 400+ additional resources from recent cybersecurity research (2019-2025)
#### Other Microcontrollers
- [Dumping the Amlogic A113X Bootrom](https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/)
- [Retreading The AMLogic A113X TrustZone Exploit Process](https://boredpentester.com/retreading-the-amlogic-a113x-trustzone-exploit-process/)
- [Reverse Engineering an Unknown Microcontroller](https://dmitry.gr/?r=05.Projects&proj=30.%20Reverse%20Engineering%20an%20Unknown%20Microcontroller)
- [Hacking Microcontroller Firmware Through a USB](https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/)
- [There's A Hole In Your SoC: Glitching The MediaTek BootROM](https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/)
### PCIe and DMA Attacks
- [A Practical Tutorial on PCIe for Total Beginners on Windows - Part 1](https://ctf.re/windows/kernel/pcie/tutorial/2023/02/14/pcie-part-1/)
- [A Practical Tutorial on PCIe for Total Beginners on Windows - Part 2](https://ctf.re/kernel/pcie/tutorial/dma/mmio/tlp/2024/03/26/pcie-part-2/)
- [PCIe DMA Attack against a Secured Jetson Nano (CVE-2022-21819)](https://www.thegoodpenguin.co.uk/blog/pcie-dma-attack-against-a-secured-jetson-nano-cve-2022-21819/)
- [Introduction to Software Defined Radio](https://www.allaboutcircuits.com/technical-articles/introduction-to-software-defined-radio/)
- [Introduction to GNU Radio Companion](https://wiki.gnuradio.org/index.php/Guided_Tutorial_GRC)
- [Creating a Flow Graph in GNU Radio Companion](https://blog.didierstevens.com/2017/09/19/quickpost-creating-a-simple-flow-graph-with-gnu-radio-companion/)
- [Analyzing Radio Signals 433MHz](https://www.rtl-sdr.com/analyzing-433-mhz-transmitters-rtl-sdr/)
- [Recording Specific Radio Signals](https://www.rtl-sdr.com/freqwatch-rtl-sdr-frequency-scanner-recorder/)
- [Replay Attacks with Raspberry Pi and rpitx](https://www.rtl-sdr.com/tutorial-replay-attacks-with-an-rtl-sdr-raspberry-pi-and-rpitx/)
- [Intro to Bluetooth Low Energy](https://daskalakispiros.com/files/Ebooks/Intro+to+Bluetooth+Low+Energy+v1.1.pdf)
- [Reverse Engineering BLE Devices](https://reverse-engineering-ble-devices.readthedocs.io/en/latest/)
- [My Journey Towards Reverse Engineering a Smart Band — Bluetooth-LE RE](https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2)
- [Intel Edison as Bluetooth LE Exploit Box](https://medium.com/@arunmag/intel-edison-as-bluetooth-le-exploit-box-a63e4cad6580)
- [Reverse Engineering and Exploiting a Smart Massager](https://medium.com/@arunmag/how-i-reverse-engineered-and-exploited-a-smart-massager-ee7c9f21bf33)
- [Reverse Engineering a Smart Band - Bluetooth LE RE](https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2)
- [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
- [Grand Theft Auto: A peek of BLE relay attack](https://rollingpwn.github.io/BLE-Relay-Aattck/)
- [How I Hacked Smart Lights: CVE-2022-47758](https://pwning.tech/cve-2022-47758/)
- [NFC Relay Attack on Tesla Model Y](https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf)
- [BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html)
- [BRAKTOOTH: Causing Havoc on Bluetooth Link Manager (PDF)](https://asset-group.github.io/disclosures/braktooth/braktooth.pdf)
- [Norec Attack: Stripping BLE encryption from Nordic's Library (CVE-2020-15509)](https://infosecwriteups.com/norec-attack-stripping-ble-encryption-from-nordics-library-cve-2020-15509-9798ab893b95)
- [InternalBlue - Bluetooth Experimentation Framework](https://github.com/seemoo-lab/internalblue)
#### Hacking Bluetooth Coffee Machines
- [Hacking Bluetooth to Brew Coffee from Github Actions - Part 1](https://grack.com/blog/2022/12/01/hacking-bluetooth-to-brew-coffee-on-github-actions-part-1/)
- [Hacking Bluetooth to Brew Coffee from Github Actions - Part 2](https://grack.com/blog/2022/12/02/hacking-bluetooth-to-brew-coffee-on-github-actions-part-2/)
- [Hacking Bluetooth to Brew Coffee from Github Actions - Part 3](https://grack.com/blog/2022/12/04/hacking-bluetooth-to-brew-coffee-on-github-actions-part-3/)
- [Security Vulnerabilities in LoRaWAN](https://www.cyber-threat-intelligence.com/publications/IoTDI2018-LoraWAN.pdf)
- [Low Powered and High Risk: Attacks on LoRaWAN Devices](https://www.trendmicro.com/en_us/research/21/a/Low-Powered-but-High-Risk-Evaluating-Possible-Attacks-on-LoRaWAN-Devices.html)
- [Low Powered and High Risk: Attacks on LoRaWAN Devices - Trend Micro](https://www.trendmicro.com/en_us/research/21/a/Low-Powered-but-High-Risk-Evaluating-Possible-Attacks-on-LoRaWAN-Devices.html)
- [Millions of Devices Using LoRaWAN Exposed - SecurityWeek](https://www.securityweek.com/millions-devices-using-lorawan-exposed-hacker-attacks/)
- [Do You Blindly Trust LoRaWAN Networks? - IOActive](https://www.ioactive.com/do-you-blindly-trust-lorawan-networks-for-iot/)
- [LoRaWAN Encryption Keys Easy to Crack - Threatpost](https://threatpost.com/lorawan-encryption-keys-easy-to-crack-jeopardizing-security-of-iot-networks/152276/)
- [How to Secure Smart Home Devices with Matter](https://www.iot-now.com/2022/07/12/122292-how-to-secure-smart-home-devices-with-the-matter-standard/)
- [Smart Home Device Solutions for Matter - DigiCert](https://www.digicert.com/solutions/security-solutions-for-matter-devices)
#### Security Research
- [Security Vulnerabilities and Attack Scenarios in Smart Home with Matter](https://www.ndss-symposium.org/wp-content/uploads/2024/07/sdiotsec2024-48-paper.pdf)
- [Trust Matters: Uncovering Vulnerabilities in Matter Protocol - Nozomi](https://www.nozominetworks.com/blog/trust-matters-uncovering-vulnerabilities-in-the-matter-protocol)
- [Matter over Thread Security](https://sensereo.com/community/matter-over-thread-security-how-safe-is-your-smart-home-network/)
- [State-of-the-Art Review on IoT Wireless PAN Protocol Security](https://www.mdpi.com/2073-8994/12/4/579)
- [Matter Smart Home - Krasamo](https://www.krasamo.com/matter-smart-home/)
- [Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues](https://papers.mathyvanhoef.com/usenix2023-wifi.pdf)
- [Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects](https://csis.gmu.edu/ksun/publications/WiFi_Interception_SP23.pdf)
- [WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations](https://www.mdpi.com/2410-387X/6/4/53/)
- [Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks](https://www.cs.ucr.edu/%7Ezhiyunq/pub/ccs24_wireless_mesh.pdf)
#### Exploitation
- [Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)
- [Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html)
- [Over The Air: Exploiting The Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html)
- [Exploiting Qualcomm WLAN and Modem Over the Air](https://i.blackhat.com/USA-19/Thursday/us-19-Pi-Exploiting-Qualcomm-WLAN-And-Modem-Over-The-Air-wp.pdf)
- [When a Wi-Fi SSID Gives You Root on an MT02 Repeater - Part 1](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/)
- [When a Wi-Fi SSID Gives You Root on an MT02 Repeater - Part 2](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/)
#### Reverse Engineering WiFi
- [Reverse Engineering WiFi on RISC-V BL602](https://lupyuen.github.io/articles/wifi)
- [Unveiling secrets of the ESP32: creating an open-source MAC Layer](https://zeus.ugent.be/blog/23-24/open-source-esp32-wifi-mac/)
- [Unveiling secrets of the ESP32: reverse engineering RX](https://zeus.ugent.be/blog/23-24/esp32-reverse-engineering-continued/)
### USB
- [ALL ABOUT USB-C: INTRODUCTION FOR HACKERS](https://hackaday.com/2022/12/06/usb-c-introduction-for-hackers/)
- [Hi, My Name is Keyboard](https://github.com/skysafe/reblog/blob/main/cve-2024-0230/README.md)
- [How to Weaponize the Yubikey](https://www.blackhillsinfosec.com/how-to-weaponize-the-yubikey/)
### UWB (Ultra-Wideband)
- [UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice](https://uploads-ssl.webflow.com/645a4534705010e2cb244f50/64912bac55ece2717e14e84a_Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems.pdf)
### TETRA
- [All cops are broadcasting: TETRA under scrutiny](https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf)
- [Firmware Emulation with QEMU](https://www.youtube.com/watch?v=G0NNBloGIvs)
- [Emulating ARM Router Firmware - Azeria Labs](https://azeria-labs.com/emulating-arm-firmware/)
- [Emulating IoT Firmware Made Easy](https://boschko.ca/qemu-emulating-firmware/)
- [IoT Binary Analysis and Emulation Part 1](https://hacklido.com/blog/529-iot-binary-analysis-emulation-part-1)
- [Cross Debugging for ARM/MIPS with QEMU](https://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-arm-mips-elf-with-qemu-toolchain)
- [Simulating and Hunting Firmware Vulnerabilities with Qiling](https://blog.vincss.net/2020/12/pt007-simulating-and-hunting-firmware-vulnerabilities-with-Qiling.html)
- [Qiling and Binary Emulation for Automatic Unpacking](https://kernemporium.github.io/articles/en/auto_unpacking/m.html)
- [Debugging D-Link: Emulating Firmware and Hacking Hardware](https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware)
- [Adaptive Emulation Framework for Multi-Architecture IoT](https://www.techscience.com/cmc/v75n2/52069/pdf)
- [Automatic Firmware Emulation through Invalidity-guided Knowledge Inference](https://www.usenix.org/conference/usenixsecurity21/presentation/zhou)
- [Emulating RH850 architecture with Unicorn Engine](https://blog.quarkslab.com/emulating-rh850-architecture-with-unicorn-engine.html)
- [Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing](https://arxiv.org/pdf/2301.13346.pdf)
- [Challenges and Pitfalls while Emulating Six Current Icelandic Household Routers](https://skemman.is/bitstream/1946/50456/1/Challenges_and_Pitfalls_while_Emulating_Six_Current_Icelandic_Household_Routers.pdf)
- [My Emulation Goes to the Moon... Until False Flag](https://retooling.io/blog/my-emulation-goes-to-the-moon-until-false-flag)
- [How to Emulate Android Native Libraries Using Qiling](https://www.appknox.com/security/how-to-emulate-android-native-libraries-using-qiling)
- [IoT Firmware Security and Update Mechanisms](https://www.encryptionconsulting.com/iot-firmware-security-and-update-mechanisms-a-deep-dive/)
- [Implementing OTA Updates for IoT Devices](https://www.kaaiot.com/iot-knowledge-base/implementing-over-the-air-updates-for-iot-devices)
- [Secure OTA Boot Chains and Firmware Verification](https://promwad.com/news/secure-ota-boot-chains-firmware-verification)
- [The Key to Firmware Security in Connected IoT Devices](https://www.keyfactor.com/blog/firmware-security-iot-devices/)
- [Security Considerations for OTA Updates - Stack Overflow](https://stackoverflow.blog/2020/12/14/security-considerations-for-ota-software-updates-for-iot-gateway-devices/)
#### Attack Vectors
- [Top 10 IoT Vulnerabilities - OTA Update Attacks](https://www.keyfactor.com/blog/top-10-iot-vulnerabilities-in-your-devices/)
- [Updating IoT Devices 2025: Best Practices](https://stormotion.io/blog/updating-iot-devices/)
- [Review of IoT Firmware Vulnerabilities and Auditing Techniques](https://pmc.ncbi.nlm.nih.gov/articles/PMC10821153/)
- [Secure OTA Firmware Update Mechanism (PDF)](https://ecejournals.in/index.php/ESA/article/download/397/632/2072)
- [NCC Group Zephyr and MCUboot Security Assessment](https://www.nccgroup.com/us/research-blog/research-report-zephyr-and-mcuboot-security-assessment/)
- [26 Flaws in Zephyr and MCUboot](https://embeddedcomputing.com/technology/open-source/linux-freertos-related/another-iot-security-uh-oh-26-flaws-in-open-source-zephyr-and-mcuboot-stacks)
- [Tackling Security in Zephyr RTOS](https://www.electronicdesign.com/technologies/embedded/article/21215503/percepio-tackling-security-and-reliability-in-the-zephyr-rtos)
- [Enhancing Security with Zephyr RTOS](https://witekio.com/blog/zephyr-rtos-security/)
#### FreeRTOS
- [FreeRTOS 13 Vulnerabilities in TCP/IP Stack](https://hub.packtpub.com/freertos-affected-by-13-vulnerabilities-in-its-tcp-ip-stack/)
- [Exploiting Memory Corruption in FreeRTOS - ShmooCon](https://shmoo.gitbook.io/2016-shmoocon-proceedings/bring_it_on/01_exploiting_memory_corruption)
- [Mindshare: Using Binary Ninja API to Detect Potential Use-after-free Vulnerabilities](https://www.zerodayinitiative.com/blog/2025/3/20/mindshare-using-binary-ninja-api-to-detect-potential-use-after-free-vulnerabilities)
- [Automating Binary Vulnerability Discovery with Ghidra and Semgrep](https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/)
- [Finding Bugs in Netgear Router](https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc)
- [A Guide to ARM64 / AArch64 Assembly on Linux](https://modexp.wordpress.com/2018/10/30/arm64-assembly/?ref=0xor0ne.xyz)
- [ARMv8 AArch64/ARM64 Full Beginner's Assembly Tutorial](https://mariokartwii.com/armv8/)
- [A Noobs Guide to ARM Exploitation](https://ad2001.gitbook.io/a-noobs-guide-to-arm-exploitation/)
- [ARM64 Reversing And Exploitation Series (8ksec) - Parts 1-10](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/)
- [AArch64 memory and paging](https://krinkinmu.github.io/2024/01/14/aarch64-virtual-memory.html)
- [We are ARMed no more ROPpery Here](https://zeyadazima.com/exploit%20development/pointer_pac/)
- [The Dark Side of UEFI: A technical Deep-Dive into Cross-Silicon Exploitation](https://www.binarly.io/blog/the-dark-side-of-uefi-a-technical-deep-dive-into-cross-silicon-exploitation)
- [Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution](https://www.binarly.io/blog/inside-the-logofail-poc-from-integer-overflow-to-arbitrary-code-execution)
- [PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack](https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html)
- [For Science! - Using an Unimpressive Bug in EDK II](https://blog.quarkslab.com/for-science-using-an-unimpressive-bug-in-edk-ii-to-do-some-fun-exploitation.html)
- [Hydroph0bia: SecureBoot bypass for Insyde H2O](https://coderush.me/hydroph0bia-part1/)
- [A Journey into IoT: Discover Components and Ports](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-1-discover-components-and-ports/)
- [A Journey into IoT: Firmware Dump and Analysis](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-2-firmware-dump-and-analysis/)
- [A Journey into IoT: Radio Communications](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-3-radio-communications/)
- [A Journey into IoT: Internal Communications](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-4-internal-communications/)
- [Dynamic Analysis of Firmware Components in IoT Devices](https://ics-cert.kaspersky.com/publications/reports/2022/07/06/dynamic-analysis-of-firmware-components-in-iot-devices/)
- [Route to Safety: Navigating Router Pitfalls](https://starlabs.sg/blog/2024/route-to-safety-navigating-router-pitfalls/)
- [ROPing our way to RCE](https://modzero.com/en/blog/roping-our-way-to-rce/)
- [ROPing Routers from scratch: Tenda Ac8v4](https://0reg.dev/blog/tenda-ac8-rop)
- [PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers](https://mahaloz.re/2023/02/25/pwnagent-netgear.html)
- [Puckungfu 2: Another NETGEAR WAN Command Injection](https://research.nccgroup.com/2024/02/09/puckungfu-2-another-netgear-wan-command-injection/)
- [Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability — CVE-2024–54887](https://infosecwriteups.com/reversing-discovering-and-exploiting-a-tp-link-router-vulnerability-cve-2024-54887-341552c4b104)
- [Exploiting Zero-Day (CVE-2025–9961) Vulnerability in the TP-Link AX10 Router](https://blog.byteray.co.uk/exploiting-zero-day-cve-2025-9961-in-the-tp-link-ax10-router-8745f9af9c46)
- [FiberGateway GR241AG - Full Exploit Chain](https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/)
- [Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC](https://tsmr.eu/blackbox-fuzzing.html)
- [Rooting the TP-Link Tapo C200 Rev.5](https://quentinkaiser.be/security/2025/07/25/rooting-tapo-c200/)
- [The Last Breath of Our Netgear RAX30 Bugs](https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/)
- [Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750](https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html)
- [TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce)
#### Cisco Series
- [Patch Diffing a Cisco RV110W Firmware Update - Part 1](https://quentinkaiser.be/exploitdev/2020/09/23/ghetto-patch-diffing-cisco/)
- [CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM](https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/)
- [Pwn the ESP32 Secure Boot](https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/)
- [Breaking Secure Boot on Silicon Labs Gecko](https://blog.quarkslab.com/breaking-secure-boot-on-the-silicon-labs-gecko-platform.html)
- [Bypassing Secure Boot using Fault Injection](https://raelize.com/upload/research/2016/2016_BlackHat-EU_Bypassing-Secure-Boot-Using-Fault-Injection_NT-AS.pdf)
- [Breaking Secure Boot on Google Nest Hub (2nd Gen)](https://fredericb.info/2022/06/breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu.html)
- [Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces](https://i.blackhat.com/BH-USA-25/Presentations/US-25-Yang-Booting-into-breaches-Wednesday.pdf)
- [Intercepting HTTPS Communication in Flutter](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
- [Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/)
- [Attacking the Android kernel using the Qualcomm TrustZone](https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone)
- [Driving forward in Android drivers](https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html)
- [Analyzing a Modern In-the-wild Android Exploit](https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html)
- [GPUAF - Two ways of Rooting All Qualcomm based Android phones](https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf)
- [The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html)
- [Blasting Past iOS 18](https://blog.dfsec.com/ios/2025/05/30/blasting-past-ios-18/)
- [Emulating an iPhone in QEMU](https://eshard.com/posts/emulating-ios-14-with-qemu)
- [First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200)](https://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html)
- [Exploring UNIX pipes for iOS kernel exploit primitives](https://www.corellium.com/blog/exploring-unix-pipes-for-ios-kernel-exploit-primitives)
- [Deep Lateral Movement in OT Networks](https://www.forescout.com/resources/l1-lateral-movement-reportg)
- [Hacking ICS Historians: The Pivot Point from IT to OT](https://claroty.com/team82/research/hacking-ics-historians-the-pivot-point-from-it-to-ot)
- [OPC UA Deep Dive Series - Parts 1-5](https://claroty.com/team82/research/opc-ua-deep-dive-history-of-the-opc-ua-protocol)
- [Inside a New OT/IoT Cyberweapon: IOCONTROL](https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol)
- [Attention, High Voltage: Exploring the Attack Surface of the Rockwell Automation PowerMonitor 1000](https://claroty.com/team82/research/attention-high-voltage-exploring-the-attack-surface-of-the-rockwell-automation-powermonitor-1000)
- [CAN Injection: keyless car theft](https://kentindell.github.io/2023/04/03/can-injection/)
- [How I Hacked my Car Series - Parts 1-6](https://programmingwithstyle.com/posts/howihackedmycar/)
- [How I Also Hacked my Car](https://goncalomb.com/blog/2024/01/30/f57cf19b-how-i-also-hacked-my-car)
- [Extracting Secure Onboard Communication (SecOC) keys from a 2021 Toyota RAV4 Prime](https://icanhack.nl/blog/secoc-key-extraction/)
- [Recovering an ECU firmware using disassembler and branches](https://blog.quarkslab.com/recovering-an-ecu-firmware-using-disassembler-and-branches.html)
- [A Detailed Look at Pwn2own Automotive EV Charger Hardware](https://www.zerodayinitiative.com/blog/2023/11/28/a-detailed-look-at-pwn2own-automotive-ev-charger-hardware)
- [Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex](https://sector7.computest.nl/post/2024-08-pwn2own-automotive-chargepoint-home-flex/)
- [Reverse engineering an EV charger](https://www.mnemonic.io/no/resources/blog/reverse-engineering-an-ev-charger/)
- [The Blitz Tutorial Lab on Fuzzing with AFL++](https://research.checkpoint.com/2023/the-blitz-tutorial-lab-on-fuzzing-with-afl/)
- [State of Linux Snapshot Fuzzing](https://fuzzinglabs.com/state-of-linux-snapshot-fuzzing/)
- [Fuzzing between the lines in popular barcode software](https://blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/)
- [OWASP IoT Top 10](https://owasp.org/www-project-internet-of-things/)
- [IoT Security Verification Standard (ISVS)](https://github.com/OWASP/IoT-Security-Verification-Standard-ISVS)
- [ETSI EN 303 645 - IoT Security Standard](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf)
- [Compiler Options Hardening Guide for C and C++](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html)
- [Modern Vulnerability Research on Embedded Systems](https://breaking-bits.gitbook.io/breaking-bits/vulnerability-discovery/reverse-engineering/modern-approaches-toward-embedded-research)
- [Awesome Embedded Systems Vulnerability Research](https://github.com/IamAlch3mist/Awesome-Embedded-Systems-Vulnerability-Research)
- [Applied Cyber Security and the Smart Grid - Eric Knapp & Raj Samani (2013)](https://www.amazon.com/Applied-Cyber-Security-Smart-Grid/dp/1597499986/)
- [Gray Hat Hacking 5th Edition (2018)](https://www.amazon.in/Gray-Hat-Hacking-Ethical-Handbook-ebook/dp/B07D3J9J4H)
- [Black Hat Python 2nd Edition (2021)](https://nostarch.com/black-hat-python-2nd-edition)
- [Turning Google smart speakers into wiretaps for $100k](https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html)
- [Smart Speaker Shenanigans: Making the Sonos ONE Sing its Secrets](http://conference.hitb.org/files/hitbsecconf2023ams/materials/D2T1%20-%20Smart%20Speaker%20Shenanigans%20-%20Making%20the%20SONOS%20One%20Sing%20Its%20Secrets%20-%20Peter%20Geissler.pdf)
- [Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5](https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-exploiting-the-thermomix-tm5)
- [A Pain in the NAS: Synology DS920+ Edition](https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-synology-ds920-edition)
- [Weekend Destroyer - RCE in Western Digital PR4100 NAS](https://www.flashback.sh/blog/weekend-destroyer-wd-pr4100-rce)
- [Exploiting the Synology TC500 at Pwn2Own Ireland 2024](https://blog.infosectcbr.com.au/2025/08/01/exploiting-the-synology-tc500-at-pwn2own-ireland-2024/)
- [Hacking the Nintendo DSi Browser](https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser)
- [mast1c0re: Exploiting the PS4 and PS5 through a game save](https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/)
- [Being Overlord on the Steam Deck with 1 Byte](https://blog.quarkslab.com/being-overlord-on-the-steam-deck-with-1-byte.html)
- [Hacking the XBox 360 Hypervisor](https://icode4.coffee/?p=1047)
- [EL3vated Privileges: Glitching Google WiFi Pro from Root to EL3](https://raelize.com/upload/research/2025/Hw_io-USA-2025_EL3vated-Privileges-Glitching-Google-Wifi-Pro-from-Root-to-EL3_v1.0.pdf)
- [Your not so "Home Office" - SOHO Hacking at Pwn2Own](http://conference.hitb.org/files/hitbsecconf2023ams/materials/D1T1%20-%20Your%20Not%20So%20Home%20Office%20-%20Soho%20Hacking%20at%20Pwn2Own%20-%20McCaulay%20Hudson%20&%20Alex%20Plaskett.pdf)
- [Pwn2Own Toronto 2023 Series - Parts 1-5](https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-1-how-it-all-started/)
