![](https://raw.githubusercontent.com/V33RU/IoTSecurity101/master/iot-banner.png) ![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg) - A Collection for IoT Security Resources - You are welcome to fork and [contribute](https://github.com/V33RU/IoTSecurity101/blob/master/contributors.md#contributors) - Other Interesting Areas - [ICS-Security](https://github.com/V33RU/IoTSecurity101/blob/master/ICS/Industrial%20Control%20Systems.md) - [Automotive-Security](https://github.com/V33RU/IoTSecurity101/blob/master/Automotive/Automotive-security.md) ******************************************************************************************************************************** #### πŸ› οΈ Approach Methodology - 🌐 ***1. Network*** - 🌐 ***2. Web (Front & Backend and Web services)*** - πŸ“± ***3. Mobile App (Android & iOS)*** - πŸ“‘ ***4. Wireless Connectivity (Zigbee, WiFi, Bluetooth, etc)*** - πŸ’½ ***5. Firmware Pentesting (Static and Dynamic analysis , OS of IoT Devices)*** - πŸ› οΈ ***6. Hardware Hacking & Fault Injections & SCA Attacks*** - πŸ’Ύ ***7. Storage Medium*** - πŸ”Œ ***8. I/O Ports*** ## πŸ“‘ Contents - πŸ›‘οΈ IoT Security information - [πŸ‘₯ IoT Security Chat groups](#chat-groups-for-iot-security) - [πŸŽ“ IoT and Hardware Security Trainings](#iot-and-hardware-security-trainings) - [πŸ” Technical Research and Hacking](#technical-research-and-hacking) - [πŸ’» Proof of Concepts known Device Vulnerabilities](#proof-of-concepts-known-device-vulnerabilities) - [πŸ“š Books](#books-for-iot-penetration-testing) - [πŸ–‹οΈ Blogs](#blogs-for-iot-pentest) - [πŸ“‹ Cheatsheets](#awesome-cheatsheets) - [πŸ” Search Engines](#search-engines-for-exposed-iot-devices-worldwide) - [🚩 CTF](#vulnerable-iot-and-hardware-applications) - [πŸ“Ί Youtube](#youtube-channels-for-iot-pentesting) - [βš’οΈ Exploitation Tools](#exploitation-tools) - [πŸ–₯️ IoT Pentesting OSes](#iot-pentesting-oses) - [πŸ“˜ IoT Vulnerabilities Checking Guides](#iot-vulnerabilites-checking-guides) - [πŸ”¬ IoT Labs](#vulnerable-iot-and-hardware-applications) - [πŸ“– Awesome IoT Pentesting Guides](#awesome-iot-pentesting-guides) - [πŸ› Fuzzing Things](#fuzzing-things) - [🏒 IoT Lab Setup guide for corporate/individual](https://github.com/IoT-PTv/IoT-Lab-Setup) - [πŸ”§ FlipperZero](#flipperzero) - [🏘 Villages](#villages) - 🌐 Network - 🌐 Web IoT Message Protocols - [πŸ“¨ MQTT](#mqtt) - [πŸ“¬ CoAP](#coap) - πŸ“± Mobile app - [πŸ›‘οΈ Mobile security (Android & iOS)](#mobile-security-android--ios) - πŸ“‘ Wireless Protocols - [πŸ“» RADIO HACKING STARTING GUIDE](#Radio-Hacker-Quick-Start-Guide) - [πŸ“‘ Cellular Hacking GSM BTS](#cellular-hacking-gsm-bts) - [🐝 Zigbee](#zigbee-aLL-stuff) - [πŸ”΅ Bluetooth](#ble-intro-and-sw-hw-tools-to-pentest) - [πŸ“ž DECT](#dect-digital-enhanced-cordless-telecommunications) - πŸ’½ Firmware - [πŸ” Reverse Engineering Tools](#reverse-engineering-tools) - [πŸ’» Online Assemblers](#online-assemblers) - [πŸ’ͺ ARM](#arm) - [πŸ”¨ Pentesting Firmwares and emulating and analyzing](#pentesting-firmwares-and-emulating-and-analyzing) - [πŸ”¬ Firmware samples to pentest](#firmware-samples-to-pentest) - [πŸ”’ Secureboot](#secureboot) - [πŸ” Binary-Analysis](#binary-analysis) - πŸ› οΈ Hardware - [πŸ”Ž IoT Hardware Intro](#iot-hardware-overview-and-hacking) - [πŸ“Œ IoT Hardware hacking Intro] - [πŸ› οΈ Required hardware to pentest IoT](#hardware-gadgets-to-pentest) - [πŸ”Œ Hardware interfaces](#attacking-hardware-interfaces) - [πŸ”Œ SPI](#spi) - [πŸ”Œ UART](#uart) - [πŸ”Œ JTAG](#jtag) - [πŸ› οΈ SideChannel Attacks & Glitching attacks](#sidechannel-attacks) - [πŸ› οΈ Glitching Attacks](#glitching-attacks) - πŸ’Ύ Storage Medium - [πŸ“€ EMMC Hacking](#emmc-hacking) - πŸ’³ Payment Security - [πŸ’΅ ATM Hacking](#ATM-Hacking) ******************************************************************************************************************************** ### Technical Research and Hacking - [Subaru Head Unit Jailbreak](https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md) - [Jeep Hack](http://illmatics.com/Remote%20Car%20Hacking.pdf) - [Dropcam Hacking](https://www.defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf) - [Exploitee.rs Blog](https://blog.exploitee.rs/2018/10/) - [Printer Hacking Live Sessions - Gamozo Labs](https://www.youtube.com/watch?v=2LVtEoQA8Qo&ab_channel=gamozolabs) - [LED Light Hacking](https://youtu.be/Nnb2ct3hc68) - [PS4 Jailbreak – the current status](https://wololo.net/ps4-jailbreak-ps4-cfw4dummies/) - [Your Lenovo Watch X Is Watching You & Sharing What It Learns](https://www.checkmarx.com/blog/lenovo-watch-watching-you/) - [Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT](https://www.checkmarx.com/blog/smart-scale-privacy-issues-iot/) - [Smart Bulb Offers Light, Color, Music, and… Data Exfiltration?](https://www.checkmarx.com/blog/smart-bulb-exfiltration/) - [Besder-IPCamera Analysis](http://blog.0x42424242.in/2019/04/besder-investigative-journey-part-1_24.html) - [Smart Lock Vulnerabilities](https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/) ******************************************************************************************************************************** ### Proof of Concepts known Device Vulnerabilities - [IoT-Vuln-with CVE and PoC of tenda and dlink](https://github.com/z1r00/IOT_Vul) ******************************************************************************************************************************** ### Chat Groups for IoT Security - [IoTSecurity101 Telegram](https://t.me/iotsecurity1011) - [IoTSecurity101 Reddit](https://www.reddit.com/r/IoTSecurity101/) - [IoTSecurity101 Discord](https://discord.gg/EH9dxT9) - [Hardware Hacking Telegram](https://t.me/hardwareHackingBrasil) - [RFID Discord Group](https://discord.gg/Z43TrcVyPr) - [ICS Discord Group](https://discord.com/invite/CmDDsFK) ******************************************************************************************************************************** ### IoT and Hardware Security Trainings - [opensecuritytraining 2](https://p.ost2.fyi/courses) ******************************************************************************************************************************** ### Books for IoT Penetration Testing #### 2004 - [The Firmware Handbook (Embedded Technology) 1st Edition by Jack Ganssle](https://www.amazon.com/Firmware-Handbook-Embedded-Technology/dp/075067606X) - [Hardware Hacking: Have Fun while Voiding your Warranty 1st Edition](https://www.elsevier.com/books/hardware-hacking/grand/978-1-932266-83-2) #### 2007 - [Linksys WRT54G Ultimate Hacking 1st Edition by Paul Asadoorian](https://www.amazon.com/Linksys-WRT54G-Ultimate-Hacking-Asadoorian/dp/1597491667) #### 2013 - [Hacking the Xbox - An Introduction to Reverse Engineering HACKING THE XBOX by Andrew β€œbunnie” Huang](https://www.nostarch.com/xboxfree) - [Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure by Eric D. Knapp , Raj Samani](https://www.amazon.com/Applied-Cyber-Security-Smart-Grid/dp/1597499986/) #### 2014 - [Android Hacker's Handbook by Joshua J. Drake](https://www.amazon.in/Android-Hackers-Handbook-MISL-WILEY-Joshua/dp/812654922X) #### 2015 - [The Art of Pcb Reverse Engineering: Unravelling the Beauty of the Original Design](https://www.amazon.in/Art-Pcb-Reverse-Engineering-Unravelling/dp/1499323441) - [Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts 1st Edition, by Nitesh Dhanjani](https://www.amazon.in/Abusing-Internet-Things-Blackouts-Freakouts-ebook/dp/B013VQ7N36) #### 2016 - [Learning Linux Binary Analysis By Ryan "elfmaster" O'Neill](https://www.packtpub.com/networking-and-servers/learning-linux-binary-analysis) - [Car hacker's handbook by Craig Smith](http://opengarages.org/handbook) #### 2017 - [IoT Penetration Testing Cookbook By Aaron Guzman , Aditya Gupta](https://www.packtpub.com/networking-and-servers/iot-penetration-testing-cookbook) #### 2018 - [Inside Radio: An Attack and Defense Guide by Authors: Yang, Qing, Huang, Lin](https://books.google.co.in/books?id=71NSDwAAQBAJ&printsec=copyright&redir_esc=y#v=onepage&q&f=false) - [Pentest Hardware](https://github.com/unprovable/PentestHardware/) - [Gray Hat Hacking: The Ethical Hacker's Handbook, Fifth Edition 5th Edition by Daniel Regalado , Shon Harris , Allen Harper , Chris Eagle , Jonathan Ness , Branko Spasojevic , Ryan Linn , Stephen Sims](https://www.amazon.in/Gray-Hat-Hacking-Ethical-Handbook-ebook/dp/B07D3J9J4H) #### 2021 - [Practical Hardware Pentesting](https://www.packtpub.com/product/practical-hardware-pentesting/9781789619133?_ga=2.224205017.333884789.1668314814-101815837.1668314814) - [The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks Front Cover Jasper van Woudenberg, Colin O'Flynn](https://books.google.co.in/books?id=DEqatAEACAAJ&source=gbs_navlinks_s) - [Practical IoT Hacking-The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Woods](https://nostarch.com/practical-iot-hacking) - [Manual PCB-RE: The Essentials](https://www.amazon.in/Manual-PCB-RE-Essentials-Keng-Tiong/dp/B0974Z3NDS) #### 2022 - [PatrIoT: practical and agile threat research for IoT by Emre SΓΌren](https://link.springer.com/article/10.1007/s10207-022-00633-3) #### 2023 - [Practical Hardware Pentesting - Second Edition](https://www.packtpub.com/product/practical-hardware-pentesting-second-edition/9781803249322) - [Blue Fox: Arm Assembly Internals & Reverse Engineering](https://www.wiley.com/en-gb/Blue+Fox%3A+Arm+Assembly+Internals+%26+Reverse+Engineering-p-9781119745303) - [Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU](https://www.packtpub.com/product/fuzzing-against-the-machine/9781804614976) - [Hardware Security Training, Hands-on!](https://link.springer.com/book/10.1007/978-3-031-31034-8) - [Automotive Cybersecurity Engineering Handbook: The automotive engineer's roadmap to cyber-resilient vehicles Series](https://www.amazon.in/Automotive-Cybersecurity-Engineering-Handbook-cyber-resilient/dp/1801076537) - [Embedded Systems Security and TrustZone](https://embeddedsecurity.io/) ******************************************************************************************************************************** ### Blogs for IoT Pentest - [Jilles.com](https://jilles.com/) - [Syss Tech Blog](https://blog.syss.com/) - [Payatu Blog](https://payatu.com/blog/) - [Raelize Blog](https://raelize.com/blog/) - [JCJC Dev Blog](http://jcjc-dev.com/) - [W00tsec Blog](https://w00tsec.blogspot.in/) - [Devttys0 Blog](http://www.devttys0.com/) (Use Wayback Machine to check old blogs) - [Wrongbaud Blog](https://wrongbaud.github.io/) - [Embedded Bits Blog](https://embeddedbits.org/) - [RTL-SDR Blog](https://www.rtl-sdr.com/) - [Keenlab Blog](https://keenlab.tencent.com/en/) - [Courk.cc](https://courk.cc/) - [IoT Security Wiki](https://iotsecuritywiki.com/) - [Cybergibbons Blog](https://cybergibbons.com/) - [Firmware.RE](http://firmware.re/) - [K3170makan Blog](http://blog.k3170makan.com/) - [Tclaverie Blog](https://blog.tclaverie.eu/) - [Besimaltinok Blog](http://blog.besimaltinok.com/category/iot-pentest/) - [Ctrlu Blog](https://ctrlu.net/) - [IoT Pentest Blog](http://iotpentest.com/) - [Duo Decipher Blog](https://duo.com/decipher/) - [Sp3ctr3 Blog](http://www.sp3ctr3.me) - [0x42424242.in Blog](http://blog.0x42424242.in/) - [Dantheiotman Blog](https://dantheiotman.com/) - [Danman Blog](https://blog.danman.eu/) - [Quentinkaiser Blog](https://quentinkaiser.be/) - [Quarkslab Blog](https://blog.quarkslab.com) - [Ice9 Blog](https://blog.ice9.us/) - [F-Secure Labs Blog](https://labs.f-secure.com/) - [MG.lol Blog](https://mg.lol/blog/) - [CJHackerz Blog](https://cjhackerz.net/) - [Bunnie's Blog](https://github.com/sponsors/bunnie/) - [IoT My Way Blog](https://iotmyway.wordpress.com/) - [Synacktiv Publications](https://www.synacktiv.com/publications.html) - [Cr4.sh Blog](http://blog.cr4.sh/) - [Ktln2 Blog](https://ktln2.org/) - [Naehrdine Blog](https://naehrdine.blogspot.com/) - [Limited Results Blog](https://limitedresults.com/) - [Fail0verflow Blog](https://fail0verflow.com/blog/) - [Exploit Security Blog](https://www.exploitsecurity.io/blog) - [Attify Blog](https://blog.attify.com) - [wololo](https://wololo.net/) ******************************************************************************************************************************** ### Awesome CheatSheets - [Hardware Hacking cheat sheet](https://github.com/arunmagesh/hw_hacking_cheatsheet) - [Nmap](https://github.com/gnebbia/nmap_tutorial) ******************************************************************************************************************************** # Search Engines for Internet-Connected Devices - [Shodan](https://www.shodan.io/) - [Censys](https://censys.io/) - [ZoomEye](https://www.zoomeye.org/) - [BinaryEdge](https://www.binaryedge.io/) - [Thingful](https://www.thingful.net/) - [Wigle](https://wigle.net/) - [Hunter.io](https://hunter.io/) - [BuiltWith](https://builtwith.com/) - [NetDB](https://github.com/stamparm/NetDB) - [Recon-ng](https://github.com/lanmaster53/recon-ng) - [PublicWWW](https://publicwww.com/) ******************************************************************************************************************************** ### YouTube Channels for IoT Pentesting - [Joe Grand](https://www.youtube.com/@JoeGrand) - [Liveoverflow](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) - [Binary Adventure](https://www.youtube.com/channel/UCSLlgiYtOXZnYPba_W4bHqQ) - [EEVBlog](https://www.youtube.com/user/EEVblog) - [Craig Smith](https://www.youtube.com/channel/UCxC8G4Oeed4N0-GVeDdFoSA) - [iotpentest [Mr-IoT]](https://www.youtube.com/channel/UCe2mJv2FPRFhYJ7dvNdYR4Q) - [Besim ALTINOK - IoT - Hardware - Wireless](https://www.youtube.com/channel/UCnIV7A3kDL4JXJEljpW6TRQ/playlists) - [Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw) - [Cyber Gibbons](https://www.youtube.com/channel/UC_IYERSoSwdR7AA5P41mYTA) - [Scanline](https://www.youtube.com/channel/UCaEgw3321ct_PE4PJvdhXEQ) - [Aaron Christophel](https://www.youtube.com/c/12002230/videos) - [Valerio Di Giampietro](https://www.youtube.com/c/MakeMeHack) ******************************************************************************************************************************** ### Vehicle Security Resources - https://github.com/jaredthecoder/awesome-vehicle-security ******************************************************************************************************************************** ### IoT Vulnerabilites Checking Guides - [Reflecting upon OWASP TOP-10 IoT Vulnerabilities](https://embedi.org/blog/reflecting-upon-owasp-top-10-iot-vulnerabilities/) - [OWASP IoT Top 10 2018 Mapping Project](https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/) - [Hardware toolkits for IoT security analysis](https://defcon-nn.ru/0x0B/Hardware%20toolkits%20for%20IoT%20security%20analysis.pdf) ******************************************************************************************************************************** ### IoT Gateway Software - [Webthings by Mozilla - RaspberryPi](https://iot.mozilla.org/docs/gateway-getting-started-guide.html) ******************************************************************************************************************************** ### IoT Pentesting OSes - [Sigint OS- LTE IMSI Catcher](https://www.sigintos.com/) - [Instatn-gnuradio OS - For Radio Signals Testing](https://github.com/bastibl/instant-gnuradio) - [Ubutnu Best Host Linux for IoT's - Use LTS](https://www.ubuntu.com/) - [Internet of Things - Penetration Testing OS v1](https://github.com/IoT-PTv) - [Dragon OS - DEBIAN LINUX WITH PREINSTALLED OPEN SOURCE SDR SOFTWARE](https://www.rtl-sdr.com/dragonos-debian-linux-with-preinstalled-open-source-sdr-software/) - [EmbedOS - Embedded security testing virtual machine](https://github.com/scriptingxss/EmbedOS) - [Skywave Linux- Software Defined Radio for Global Online Listening](https://skywavelinux.com/) - [A Small, Scalable Open Source RTOS for IoT Embedded Devices](https://www.zephyrproject.org/) - [ICS - Controlthings.io](https://www.controlthings.io/platform) - [AttifyOS - IoT Pentest OS - by Aditya Gupta](https://github.com/adi0x90/attifyos) ******************************************************************************************************************************** ### Exploitation Tools - [Expliot - IoT Exploitation framework - by Aseemjakhar](https://gitlab.com/expliot_framework/expliot) - [Routersploit (Exploitation Framework for Embedded Devices)](https://github.com/threat9/routersploit) - [IoTSecFuzz (comprehensive testing for IoT device)](https://gitlab.com/invuls/iot-projects/iotsecfuzz) - [HomePwn - Swiss Army Knife for Pentesting of IoT Devices](https://github.com/ElevenPaths/HomePWN) - [killerbee - Zigbee exploitation](https://github.com/riverloopsec/killerbee) - [PRET - Printer Exploitation Toolkit](https://github.com/RUB-NDS/PRET) - [HAL – The Hardware Analyzer](https://github.com/emsec/hal) - [FwAnalyzer (Firmware Analyzer)](https://github.com/cruise-automation/fwanalyzer) - [ISF(Industrial Security Exploitation Framework](https://github.com/w3h/isf) - [PENIOT: Penetration Testing Tool for IoT](https://github.com/yakuza8/peniot) - [MQTT-PWN](https://github.com/akamai-threat-research/mqtt-pwn) ******************************************************************************************************************************** ### Reverse Engineering Tools - [IDA Pro](https://www.youtube.com/watch?v=fgMl0Uqiey8) - [GDB](https://www.youtube.com/watch?v=fgMl0Uqiey8) - [Radare2](https://radare.gitbooks.io/radare2book/content/) | [cutter](https://cutter.re/) - [Ghidra](https://ghidra-sre.org/) ******************************************************************************************************************************** ## Introduction - [Introduction to IoT](https://en.wikipedia.org/wiki/Internet_of_things) - [IoT Architecture](https://www.c-sharpcorner.com/UploadFile/f88748/internet-of-things-part-2/) - [IoT attack surface](https://www.owasp.org/index.php/IoT_Attack_Surface_Areas) - [IoT Protocols Overview](https://www.postscapes.com/internet-of-things-protocols/) ******************************************************************************************************************************** ### IoT Web and message services #### MQTT - [Introduction](https://www.hivemq.com/blog/mqtt-essentials-part-1-introducing-mqtt) - [Hacking the IoT with MQTT](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b) - [thoughts about using IoT MQTT for V2V and Connected Car from CES 2014](https://mobilebit.wordpress.com/tag/mqtt/) - [Nmap](https://nmap.org/nsedoc/lib/mqtt.html) - [The Seven Best MQTT Client Tools](https://www.hivemq.com/blog/seven-best-mqtt-client-tools) - [A Guide to MQTT by Hacking a Doorbell to send Push Notifications](https://youtu.be/J_BAXVSVPVI) - [Are smart homes vulnerable to hacking](https://blog.avast.com/mqtt-vulnerabilities-hacking-smart-homes) - [Deep Learning UDF for KSQL / ksqlDB for Streaming Anomaly Detection of MQTT IoT Sensor Data](https://github.com/kaiwaehner/ksql-udf-deep-learning-mqtt-iot) - [Authenticating & Authorizing Devices using MQTT with Auth0](https://auth0.com/docs/integrations/authenticate-devices-using-mqtt) - [Development information for the MQTT with hardware](https://www.hackster.io/search?i=projects&q=Mqtt) - [Understanding the MQTT Protocol Packet Structure](http://www.steves-internet-guide.com/mqtt-protocol-messages-overview/) - [R7-2019-18: Multiple Hickory Smart Lock Vulnerabilities](https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/) - [IoT Live Demo: 100.000 Connected Cars With Kubernetes, Kafka, MQTT, TensorFlow](https://dzone.com/articles/iot-live-demo-100000-connected-cars-with-kubernete) #### Softwares - [Mosquitto-An open source MQTT broker](https://mosquitto.org/) - [HiveMQ](https://www.hivemq.com/) - [MQTT Explorer](http://mqtt-explorer.com/) - [MQTT proxy - IoXY](https://blog.nviso.eu/2020/07/06/introducing-ioxy-an-open-source-mqtt-intercepting-proxy/) - [MQTT Broker Security - 101](https://payatu.com/blog/dattatray/iot-security-%E2%80%93-part-12-mqtt-broker-security---101) - [Welcome to MQTT-PWN!](https://mqtt-pwn.readthedocs.io/en/latest/) #### CoAP - [Introduction](http://coap.technology/) - [CoAP client Tools](http://coap.technology/tools.html) - [CoAP Pentest Tools](https://bitbucket.org/aseemjakhar/expliot_framework) - [Nmap - NSE for coap](https://nmap.org/nsedoc/lib/coap.html) ******************************************************************************************************************************** ### RADIO HACKER QUICK START GUIDE - [Complete course in Software Defined Radio (SDR) by Michael Ossmann](https://greatscottgadgets.com/sdr/) - [SDR Notes - Radio IoT Protocols Overview](https://github.com/notpike/SDR-Notes) - [Understanding Radio](https://www.taitradioacademy.com/lessons/introduction-to-radio-communications-principals/) - [Introduction to Software Defined Radio](https://www.allaboutcircuits.com/technical-articles/introduction-to-software-defined-radio/) - [Introduction Gnuradio companion](https://wiki.gnuradio.org/index.php/Guided_Tutorial_GRC#Tutorial:_GNU_Radio_Companion) - [Creating a flow graph in gunradiocompanion](https://blog.didierstevens.com/2017/09/19/quickpost-creating-a-simple-flow-graph-with-gnu-radio-companion/) - [Analysing radio signals 433Mhz ](https://www.rtl-sdr.com/analyzing-433-mhz-transmitters-rtl-sdr/) - [Recording specific radio signal](https://www.rtl-sdr.com/freqwatch-rtl-sdr-frequency-scanner-recorder/) - [Replay Attacks with raspberrypi -rpitx](https://www.rtl-sdr.com/tutorial-replay-attacks-with-an-rtl-sdr-raspberry-pi-and-rpitx/) ### Cellular Hacking GSM BTS #### BTS - [Awesome-Cellular-Hacking](https://github.com/W00t3k/Awesome-Cellular-Hacking/blob/master/README.md) - [what is base tranceiver station](https://en.wikipedia.org/wiki/Base_transceiver_station) - [How to Build Your Own Rogue GSM BTS](https://l33t.gg/how-to-build-a-rogue-gsm-bts/) #### GSM SS7 Pentesting - [5Ghoul - 5G NR Attacks & 5G OTA Fuzzing](https://github.com/asset-group/5ghoul-5g-nr-attacks) - [Introduction to GSM Security](http://www.pentestingexperts.com/introduction-to-gsm-security/) - [GSM Security 2 ](https://www.ehacking.net/2011/02/gsm-security-2.html) - [vulnerabilities in GSM security with USRP B200](https://ieeexplore.ieee.org/document/7581461/) - [Security Testing 4G (LTE) Networks](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-44con-lte-presentation-2012-09-11.pdf) - [Case Study of SS7/SIGTRAN Assessment](https://nullcon.net/website/archives/pdf/goa-2017/case-study-of-SS7-sigtran.pdf) - [Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP](https://github.com/SigPloiter/SigPloit) - [ss7MAPer – A SS7 pen testing toolkit](https://n0where.net/ss7-pentesting-toolkit-ss7maper) - [Introduction to SIGTRAN and SIGTRAN Licensing](https://www.youtube.com/watch?v=XUY6pyoRKsg) - [SS7 Network Architecture](https://youtu.be/pg47dDUL1T0) - [Introduction to SS7 Signaling](https://www.patton.com/whitepapers/Intro_to_SS7_Tutorial.pdf) - [Breaking LTE on Layer Two](https://alter-attack.net/) #### Hardware Tools - [Fake BTS Detector (SCL-8521)](https://www.shoghicom.com/fake-bts-detector.php) ******************************************************************************************************************************** ### Zigbee ALL Stuff - [Introduction and protocol Overview](http://www.informit.com/articles/article.aspx?p=1409785) - [Hacking Zigbee Devices with Attify Zigbee Framework](https://blog.attify.com/hack-iot-devices-zigbee-sniffing-exploitation/) - [Hands-on with RZUSBstick](https://uk.rs-online.com/web/p/radio-frequency-development-kits/6962415/) - [ZigBee & Z-Wave Security Brief](http://www.riverloopsecurity.com/blog/2018/05/zigbee-zwave-part1/) - [Hacking ZigBee Networks](https://resources.infosecinstitute.com/topic/hacking-zigbee-networks/) - [Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes](https://mews.sv.cmu.edu/papers/wisec-20.pdf) - [Security Analysis of Zigbee Networks with Zigator and GNU Radio](https://mews.sv.cmu.edu/research/zigator/testbed-grcon2020-slides.pdf) - [Low-Cost ZigBee Selective Jamming](https://www.bastibl.net/reactive-zigbee-jamming/) #### SW Tools - [zigbear](https://github.com/philippnormann/zigbear) - [ZigDiggity](https://github.com/BishopFox/zigdiggity) - [Zigator](https://github.com/akestoridis/zigator) - [Z3sec](https://github.com/IoTsec/Z3sec) #### Hardware Tools for Zigbee - [APIMOTE IEEE 802.15.4/ZIGBEE SNIFFING HARDWARE](https://www.riverloopsecurity.com/projects/apimote/) - [RaspBee-The Raspberry Pi Zigbee gateway](https://phoscon.de/en/raspbee/) - [USRP SDR 2](https://www.ettus.com/products/) - [ATUSB IEEE 802.15.4 USB Adapter](http://shop.sysmocom.de/products/atusb) - [nRF52840-Dongle](https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF52840-Dongle) ******************************************************************************************************************************** ### BLE Intro and SW-HW Tools to pentest - [Step By Step guide to BLE Understanding and Exploiting](https://github.com/V33RU/BLE-NullBlr) - [Traffic Engineering in a Bluetooth Piconet](http://www.diva-portal.org/smash/get/diva2:833159/FULLTEXT01.pdf) - [BLE Characteristics](https://devzone.nordicsemi.com/nordic/short-range-guides/b/bluetooth-low-energy/posts/ble-characteristics-a-beginners-tutorial) #### Bluetooth and BLE Pentest Tools - [btproxy](https://github.com/conorpp/btproxy) - [hcitool & bluez](https://www.pcsuggest.com/linux-bluetooth-setup-hcitool-bluez) - [Testing With GATT Tool](https://www.jaredwolff.com/blog/get-started-with-bluetooth-low-energy/) - [crackle-Cracking encryption](https://github.com/mikeryan/crackle) - [bettercap](https://github.com/bettercap/bettercap) - [BtleJuice Bluetooth Smart Man-in-the-Middle framework](https://github.com/DigitalSecurity/btlejuice) - [gattacker](https://github.com/securing/gattacker) - [BTLEjack Bluetooth Low Energy Swiss army knife](https://github.com/virtualabs/btlejack) - [bluing-An intelligence gathering tool for hacking Bluetooth](https://github.com/fO-000/bluing) - [DEDSEC-Bluetooth-exploit](https://github.com/0xbitx/DEDSEC-Bluetooth-exploit) #### Hardware for bluetooth hacking - [NRFCONNECT - 52840](https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF52840-Dongle) - [EDIMAX](https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF52840-Dongle) - [CSR 4.0](https://www.amazon.in/GENERIC-Ultra-Mini-Bluetooth-Dongle-Adapter/dp/B0117H7GZ6/ref=asc_df_B0117H7GZ6/?tag=googleshopdes-21&linkCode=df0&hvadid=396984700257&hvpos=1o1&hvnetw=g&hvrand=2179727910417729406&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9061998&hvtargid=pla-343685677347&psc=1&ext_vrnc=hi) - [ESP32 - Development and learning Bluetooth](https://www.espressif.com/en/products/hardware/esp32/overview) - [Ubertooth](https://github.com/greatscottgadgets/ubertooth/wiki/Ubertooth-One) - [Sena 100](http://www.senanetworks.com/ud100-g03.html) - [ESP-WROVER-KIT-VB](https://www.digikey.in/en/products/detail/espressif-systems/ESP-WROVER-KIT-VB/8544301) #### BLE Pentesting Tutorials - [Blue2thprinting (blue-[tooth)-printing]: answering the question of 'WTF am I even looking at?!'](https://darkmentor.com/publication/2023-11-hardweario/) - [Open Wounds: The last 5 years have left Bluetooth to bleed](https://darkmentor.com/publication/2023-10-hacklu/) - [It Was Harder to Sniff Bluetooth Through My Mask During the Pandemic...](https://darkmentor.com/publication/2023-08-hitb/) - [Bluetooth vs BLE Basics](https://github.com/V33RU/BLE-NullBlr) - [examining-the-august-smart-lock](https://blog.quarkslab.com/examining-the-august-smart-lock.html) - [Finding bugs in Bluetooth](https://bluetooth.lol/) - [Intel Edison as Bluetooth LE β€” Exploit box](https://medium.com/@arunmag/intel-edison-as-bluetooth-le-exploit-box-a63e4cad6580) - [How I Reverse Engineered and Exploited a Smart Massager](https://medium.com/@arunmag/how-i-reverse-engineered-and-exploited-a-smart-massager-ee7c9f21bf33) - [My journey towards Reverse Engineering a Smart Band β€” Bluetooth-LE RE](https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2) - [Bluetooth Smartlocks](https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble) - [I hacked MiBand 3](https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43d68c272391) - [GATTacking Bluetooth Smart Devices](https://securing.pl/en/gattacking-bluetooth-smart-devices-introducing-a-new-ble-proxy-tool/index.html) - [blueooth beacon vulnerability](https://www.beaconzone.co.uk/blog/category/security/) - [Sweyntooth Vulnerabilties](https://asset-group.github.io/disclosures/sweyntooth/) - [AIRDROP_LEAK - sniffs BLE traffic and displays status messages from Apple devices](https://github.com/hexway/apple_bleee) - [BRAKTOOTH: Causing Havoc on Bluetooth Link Manager](https://asset-group.github.io/disclosures/braktooth/) - [Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500](https://jcjc-dev.com/2023/03/19/reversing-domyos-el500-elliptical/) - [MojoBox - yet another not so smartlock](https://mandomat.github.io/2023-03-15-testing-mojobox-security/) - [bluetooth-hacking](https://github.com/zedxpace/bluetooth-hacking-) ******************************************************************************************************************************** ### DECT (Digital Enhanced Cordless Telecommunications) - [Real Time Interception And Monitoring Of A DECT Cordless Telephone](https://www.youtube.com/watch?v=MDF1eUvOte0&ab_channel=RobVK8FOES) - [Eavesdropping On Unencrypted DECT Voice Traffic](https://www.youtube.com/watch?v=WBvYsXrs3DI&ab_channel=RobVK8FOES) - [Decoding DECT Voice Traffic: In-depth Explanation](https://www.youtube.com/watch?v=oiMkirm_xfY&ab_channel=RobVK8FOES) #### Software Tools && Hardware Tools ##### Software ##### Hardware ******************************************************************************************************************************** ### Mobile security (Android & iOS) - [Android App Reverse Engineering 101](https://maddiestone.github.io/AndroidAppRE/) - [Android Application pentesting book](https://www.packtpub.com/hardware-and-creative/learning-pentesting-android-devices) - [Android Pentest Video Course-TutorialsPoint](https://www.youtube.com/watch?v=zHknRia3I6s&list=PLWPirh4EWFpESLreb04c4eZoCvJQJrC6H) - [IOS Pentesting](https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf?) - [OWASP Mobile Security Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/) - [Android Tamer - Android Tamer is a Virtual / Live Platform for Android Security professionals](https://androidtamer.com/) ******************************************************************************************************************************** ### Villages - [Payment Villages](https://www.paymentvillage.org/home) - [ICS Village](https://www.icsvillage.com/) - [IoT Villages](https://www.iotvillage.org/index.html) - [RF hackers](https://rfhackers.com/) - [Car Hacking Village](https://www.carhackingvillage.com/) ******************************************************************************************************************************* ### Online Assemblers - [AZM Online Arm Assembler by Azeria](https://azeria-labs.com/azm/) - [Online Disassembler](https://onlinedisassembler.com/odaweb/) - [Compiler Explorer is an interactive online compiler which shows the assembly output of compiled C++, Rust, Go](https://godbolt.org/) ******************************************************************************************************************************** ### ARM - [Azeria Labs](https://azeria-labs.com/) - [ARM EXPLOITATION FOR IoT](https://www.exploit-db.com/docs/english/43906-arm-exploitation-for-iot.pdf) - [Damn Vulnerable ARM Router (DVAR)](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html) - [EXPLOIT.EDUCATION](https://exploit.education/) ******************************************************************************************************************************** ### Pentesting Firmwares and emulating and analyzing ##### Firmware Analysis Tools - [EMBA-An analyzer for embedded Linux firmware](https://p4cx.medium.com/emba-b370ce503602) - [FACT-Firmware Analysis and Comparison Tool](https://github.com/fkie-cad/FACT_core) - [Binwalk](https://github.com/ReFirmLabs/binwalk) - [Qiling](https://github.com/qilingframework/qiling) - [fwanalyzer](https://github.com/cruise-automation/fwanalyzer) - [ByteSweep](https://gitlab.com/bytesweep/bytesweep) - [Firmwalker](https://github.com/craigz28/firmwalker) - [Checksec.sh](https://github.com/slimm609/checksec.sh) - [QEMU](https://www.qemu.org/) - [Firmadyne](https://github.com/firmadyne/firmadyne) - [Firmware Modification Kit](https://code.google.com/archive/p/firmware-mod-kit/) ##### Resources - [Firmware analysis and reversing](https://www.owasp.org/index.php/IoT_Firmware_Analysis) - [Reversing 101](https://0xinfection.github.io/reversing/) - [IoT Security Verification Standard (ISVS)](https://github.com/OWASP/IoT-Security-Verification-Standard-ISVS) - [OWASP Firmware Security Testing Methodology](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) - [Firmware emulation with QEMU](https://www.youtube.com/watch?v=G0NNBloGIvs) - [Reversing ESP8266 Firmware](https://boredpentester.com/reversing-esp8266-firmware-part-1/) - [Emulating Embedded Linux Devices with QEMU](https://www.novetta.com/2018/02/emulating-embedded-linux-devices-with-qemu/?__cf_chl_captcha_tk__=2167fb6cf097848dbf0dea8e4ecccc66f2a55e55-1585030085-0-AVfO7wG_mHgvnIgeIl-aiKLNW1IMb5IMLyqLOSOLydnZFzhyAyySWgfKvjvllAtYtmpbJjnaTlwyaWiO2kHXH4APqLuott0R7UReYCTZ3u--g4AJBK4eONEL2bTJcAHg3fzmXhrC-3iAqccNQC4jx1RWEz60y_MKFq63NVeoE1pC0EBYWkk7VqDWusBFbgpj6zRNv0ifKLc3oLYJck-oG13jeSbPISVLMCn6bCHVLaTp2gW7qG6GRELIWgdyfP9viyMDSAww3u-R1NmUgRQzctXIYMWH1MdL5p8lqbSpCa160cW3JaZ16IxT7iP1HkCBurx7rCOVP3DAcI8zrc19V9mi-jU9nXIW0Xf9eIpqlUP-R_txfNw4vF10PwIGKmg0Cpl2IDuY1ty3J8koQkdvxfE) - [Emulating Embedded Linux Systems with QEMU](https://www.novetta.com/2018/02/emulating-embedded-linux-systems-with-qemu/?__cf_chl_captcha_tk__=9dd83a08cffb28fae75286f63f399c34eec56852-1585030087-0-AblGAUd4LCDVbghNgQyfL5hgPXNC8pUcLIAbPUpx2tBOb_L4gVVc1sZ7Ivg0g--06WpkdpeV-kylZu3T_Yqgr7GdFpc2cKzxATdc_bsEV7uu1ljIctFloHTW_B1vvjFAe3QXdex4kkn2D4HuQiw9WLszvO2Ff8SvvfEpHoBumOavj-c2iXcEb2dDFMoK3_HB_3-y7q_BEAX3xqDCjqz7TpcoIWt-wTSQwRfx-VuBfO87hrTsX43yzq6BNjCE9s15ZQmPp_NouYIHNMnx3augAfkwZBSUA0r43GbA--3jLmJsTe_qvcn7gMz_HAR-GpnA_Usn_cr94VqtyNpl0vEsC1OMf48oBMMoFQJA6Jjn1hGPv5hV4M4aBtJrTnFoRP2YGwxAyNTM3Df9qw1iyBB8r58) - [Fuzzing Embedded Linux Devices](https://www.novetta.com/2018/07/fuzzing-embedded-linux-devices/?__cf_chl_captcha_tk__=f07f3f76e61b43f9ae6340e94cf4adeaec87977e-1585030089-0-AYkRNbh1wpUia0P5wBgrRfhf92Uy6Pl2mEEBOXi2FUvxROOJ9obK4ZIS78Y4iCRrMdi3umwQrJEyF0u3EPwHPu3_22f5PwOvVDFC0QwFPyw7LkY5bLuansI_8uoEunuLIEQ1VPIZHFpht1vT0_rW4YrYGc8osJZpubAhXfyZe1G7U_ibpZj9tdrUE6SwgA_Ph0io4LRfbjuvpeM03NHuc1sTTqRVdkWiw47kmr9uSAK10ZmQEvE7zpbpkEJM2slchjdYq6hziM3L5l8vB-eEm_JVxsSHbGfdDM3kSfTw3oXlYkvxvLy_llSyyefuub4yOBrqNgzV1Gj_PDTmuRTMxobGo7vZaRdr2LgOXML58kpG6NTDLb3A4YzwVw9u32ErRh4Ab89vn90RsHlWnU928Oc) - [Emulating ARM Router Firmware](https://azeria-labs.com/emulating-arm-firmware/) - [Reversing Firmware With Radare](https://www.bored-nerds.com/reversing/radare/automotive/2019/07/07/reversing-firmware-with-radare.html) - [Samsung Firmware Magic - Unpacking and Decrypting](https://github.com/chrivers/samsung-firmware-magic) - [Qiling & Binary Emulation for automatic unpacking](https://kernemporium.github.io/articles/en/auto_unpacking/m.html) - [Reverse engineering with #Ghidra: Breaking an embedded firmware encryption scheme](https://www.youtube.com/watch?v=4urMITJKQQs&ab_channel=stacksmashing) - [Simulating and hunting firmware vulnerabilities with Qiling](https://blog.vincss.net/2020/12/pt007-simulating-and-hunting-firmware-vulnerabilities-with-Qiling.html?m=1&s=09) ******************************************************************************************************************************** ### Firmware samples to pentest - [Download From here by firmware.center](https://firmware.center/) ******************************************************************************************************************************** ### Binary Analysis - [Reverse Engineering For Everyone!](https://0xinfection.github.io/reversing/) - [https://www.coalfire.com/the-coalfire-blog/reverse-engineering-and-patching-with-ghidra](https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc) - [Part two: Reverse engineering and patching with Ghidra](https://www.coalfire.com/the-coalfire-blog/reverse-engineering-and-patching-with-ghidra) - [Automating binary vulnerability discovery with Ghidra and Semgrep](https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/) ******************************************************************************************************************************** ### Symlinks Attacks - [Zip Slip Vulnerability](https://security.snyk.io/research/zip-slip-vulnerability) ******************************************************************************************************************************** ### Secureboot #### Dev - [Writing a Bootloader](http://3zanders.co.uk/2017/10/13/writing-a-bootloader/) #### Hacking - [Pwn the ESP32 Secure Boot](https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/) - [Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction](https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/) - [Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM](https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html) / [another-link](https://www.cnx-software.com/2016/10/06/hacking-arm-trustzone-secure-boot-on-amlogic-s905-soc/) - [Defeating Secure Boot with Symlink Attacks](https://www.anvilsecure.com/blog/defeating-secure-boot-with-symlink-attacks.html) - [PS4 Aux Hax 5 & PSVR Secure Boot Hacking with Keys by Fail0verflow!](https://www.psxhax.com/threads/ps4-aux-hax-5-psvr-secure-boot-hacking-with-keys-by-fail0verflow.12820/) - [ECLYPSIUM DISCOVERS MULTIPLE VULNERABILITIES AFFECTING 129 DELL MODELS VIA DELL REMOTE OS RECOVERY AND FIRMWARE UPDATE CAPABILITIES](https://eclypsium.com/2021/06/24/biosdisconnect/) - [Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)](https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347/) - [Breaking Secure Boot on the Silicon Labs Gecko platform](https://blog.quarkslab.com/breaking-secure-boot-on-the-silicon-labs-gecko-platform.html) ******************************************************************************************************************************** ### Storage Medium #### EMMC HACKING - [eMMC Protocol](https://prodigytechno.com/emmc-protocol/) - [HARDWARE HACKING 101: IDENTIFYING AND DUMPING EMMC FLASH](https://www.riverloopsecurity.com/blog/2020/03/hw-101-emmc/) - [EMMC DATA RECOVERY FROM DAMAGED SMARTPHONE](https://dangerouspayload.com/2018/10/24/emmc-data-recovery-from-damaged-smartphone/) - [Another bunch of Atricles for EMMC](https://hackaday.com/tag/emmc/) - [Unleash your smart-home devices: Vacuum Cleaning Robot Hacking](https://media.ccc.de/v/34c3-9147-unleash_your_smart-home_devices_vacuum_cleaning_robot_hacking#t=1810) - [Hands-On IoT Hacking: Rapid7 at DEF CON 30 IoT Village, Part 1](https://www.rapid7.com/blog/post/2022/10/18/hands-on-iot-hacking-rapid7-at-def-con-30-iot-village-part-1/) ******************************************************************************************************************************** ### Payment Device Security #### ATM Hacking - [Introduction to ATM Penetration Testing](https://www.youtube.com/watch?v=Ff-0zXTYhuA) - [Pwning ATMs For Fun and Profit](https://www.youtube.com/watch?v=9cG-JL0LHYw) - [Jackpotting Automated Teller Machines Redux](https://www.youtube.com/watch?v=4StcW9OPpPc) By Barnaby Jack ******************************************************************************************************************************** ### IoT hardware Overview and Hacking - [IoT Hardware Guide](https://www.postscapes.com/internet-of-things-hardware/) - [Intro To Hardware Hacking - Dumping Your First Firmware](https://blog.nvisium.com/intro-to-hardware-hacking-dumping-your-first-firmware) #### Hardware Gadgets to pentest - [Bus Pirate](https://www.sparkfun.com/products/12942) - [EEPROM reader/SOIC Cable](https://www.sparkfun.com/products/13153) - [Jtagulator/Jtagenum](https://www.adafruit.com/product/1550) - [Logic Analyzer](https://www.saleae.com/) - [The Shikra](https://int3.cc/products/the-shikra) - [FaceDancer21 (USB Emulator/USB Fuzzer)](https://int3.cc/products/facedancer21) - [RfCat](https://int3.cc/products/rfcat) - [Hak5Gear- Hak5FieldKits](https://hakshop.com/) - [Ultra-Mini Bluetooth CSR 4.0 USB Dongle Adapter](https://www.ebay.in/itm/Ultra-Mini-Bluetooth-CSR-4-0-USB-Dongle-Adapter-Black-Golden-with-2-yr-wrnty-/332302813975) - [Attify Badge - UART, JTAG, SPI, I2C (w/ headers)](https://www.attify-store.com/products/attify-badge-assess-security-of-iot-devices) #### Attacking Hardware Interfaces - [An Introduction to Hardware Hacking](https://securityboulevard.com/2020/09/an-introduction-to-hardware-hacking/) - [Serial Terminal Basics](https://learn.sparkfun.com/tutorials/terminal-basics/all) - [Reverse Engineering Serial Ports](http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/) - [REVERSE ENGINEERING ARCHITECTURE AND PINOUT OF CUSTOM ASICS](https://sec-consult.com/en/blog/2019/02/reverse-engineering-architecture-pinout-plc/) - [ChipWhisperer - Hardware attacks](http://wiki.newae.com/Main_Page) - [Hardware hacking tutorial: Dumping and reversing firmware](https://ivanorsolic.github.io/post/hardwarehacking1/) #### SPI - [Dumping the firmware From Router using BUSPIRATE - SPI Dump](https://www.iotpentest.com/2019/06/dumping-firmware-from-device-using.html) - [How to Flash Chip of a Router With a Programmer | TP-Link Router Repair & MAC address change](https://www.youtube.com/watch?v=fbt4OJXJdOc&ab_channel=ElectricalProjects%5BCreativeLab%5D) - [Extracting Flash Memory over SPI](https://akimbocore.com/article/extracting-flash-memory-over-spi/) - [Extracting Firmware from Embedded Devices (SPI NOR Flash)](https://www.youtube.com/watch?v=nruUuDalNR0&ab_channel=FlashbackTeam) - [SPI-Blogs](https://www.google.com/search?q=%22spi+dump%22&source=hp&ei=5jv9YaW6JNvl2roPgbGqMA&iflsig=AHkkrS4AAAAAYf1J9qNY6Snarz3dsHr9KXF1YSY6AKVL&ved=0ahUKEwilxY3apOb1AhXbslYBHYGYCgYQ4dUDCAg&uact=5&oq=%22spi+dump%22&gs_lcp=Cgdnd3Mtd2l6EAMyBggAEBYQHjIGCAAQFhAeMgYIABAWEB4yBggAEBYQHjIGCAAQFhAeMgYIABAWEB4yBggAEBYQHjIGCAAQFhAeMgYIABAWEB4yCAgAEBYQChAeUABYAGC-A2gAcAB4AIABYIgBYJIBATGYAQCgAQKgAQE&sclient=gws-wiz) - [Reading FlashROMS - Youtube](https://www.youtube.com/results?search_query=reading+chip+flash+rom) #### UART - [Identifying UART interface](https://www.mikroe.com/blog/uart-serial-communication) - [onewire-over-uart](https://github.com/dword1511/onewire-over-uart) - [Accessing sensor via UART](http://home.wlu.edu/~levys/courses/csci250s2017/SensorsSignalsSerialSockets.pdf) - [Using UART to connect to a chinese IP cam](https://www.davidsopas.com/using-uart-to-connect-to-a-chinese-ip-cam/) - [A journey into IoT – Hardware hacking: UART](https://techblog.mediaservice.net/2019/03/a-journey-into-iot-hardware-hacking-uart/) - [UARTBruteForcer](https://github.com/FireFart/UARTBruteForcer) - [UART Connections and Dynamic analysis on Linksys e1000](https://www.youtube.com/watch?v=ix6rSV2Dj44&ab_channel=Defenceindepth) - [Accessing and Dumping Firmware Through UART](https://www.cyberark.com/resources/threat-research-blog/accessing-and-dumping-firmware-through-uart) - [UART Exploiter](https://github.com/exploitsecurityio/uart-exploiter) #### JTAG - [HARDWARE HACKING 101: INTRODUCTION TO JTAG](https://www.riverloopsecurity.com/blog/2021/05/hw-101-jtag/) - [How To Find The JTAG Interface - Hardware Hacking Tutorial](https://www.youtube.com/watch?v=_FSM_10JXsM&ab_channel=MakeMeHack) - [Buspirate JTAG Connections - Openocd](https://research.kudelskisecurity.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/#:~:text=The%20Bus%20Pirate%20is%20an,protocols%20like%20I%C2%B2C%20and%20SPI.) - [Extracting Firmware from External Memory via JTAG](https://www.youtube.com/watch?v=IadnBUJAvks&ab_channel=JoeGrand) - [Analyzing JTAG](https://nse.digital/pages/guides/hardware/jtag.html) - [The hitchhacker’s guide to iPhone Lightning & JTAG hacking](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/stacksmashing%20-%20The%20hitchhackers%20guide%20to%20iPhone%20Lightning%20%20%20JTAG%20hacking.pdf) #### SideChannel Attacks - [Side channel attacks](https://yifan.lu/) - [Attacks on Implementations of Secure Systems](https://github.com/Yossioren/AttacksonImplementationsCourseBook) - [fuzzing, binary analysis, IoT security, and general exploitation](https://github.com/0xricksanchez/paper_collection) - [Espressif ESP32: Bypassing Encrypted Secure Boot(CVE-2020-13629)](https://raelize.com/blog/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/) - [Breaking AES with ChipWhisperer - Piece of scake (Side Channel Analysis 100)](https://www.youtube.com/watch?v=FktI4qSjzaE&ab_channel=LiveOverflow) - [Researchers use Rowhammer bit flips to steal 2048-bit crypto key](https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/) #### Glitching attacks - [NAND Glitching Attack](http://www.brettlischalk.com/posts/nand-glitching-wink-hub-for-root) - [Tutorial CW305-4 Voltage Glitching with Crowbars](https://wiki.newae.com/index.php?title=Tutorial_CW305-4_Voltage_Glitching_with_Crowbars&mobileaction=toggle_view_mobile) - [Voltage Glitching Attack using SySS iCEstick Glitcher](https://www.youtube.com/watch?v=FVUhVewFmxw&feature=youtu.be&ab_channel=SySSPentestTV) - [Samy Kamkar - FPGA Glitching & Side Channel Attacks](https://www.youtube.com/watch?v=oGndiX5tvEk) - [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100)](https://www.youtube.com/watch?v=6Pf3pY3GxBM&ab_channel=LiveOverflow) - [Keys in flash - Glitching AES keys from an Arduino / ATmega with a camera flash](https://srfilipek.medium.com/keys-in-a-flash-3e984d0de54b) - [Implementing Practical Electrical Glitching Attacks](blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf) - [HOW TO VOLTAGE FAULT INJECTION](https://www.synacktiv.com/publications/how-to-voltage-fault-injection) ******************************************************************************************************************************** ### Awesome IoT Pentesting Guides - [Shodan Pentesting Guide](https://community.turgensec.com/shodan-pentesting-guide/) - [Car Hacking Practical Guide 101](https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-i-cd88d3eb4a53) - [OWASP Firmware Security Testing Methodology ](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) - [Awesome-bluetooth-security](https://github.com/engn33r/awesome-bluetooth-security) ******************************************************************************************************************************** ### Fuzzing Things - [OWASP Fuzzing Info](https://owasp.org/www-community/Fuzzing) - [Fuzzing_ICS_protocols](https://1modm.github.io/Fuzzing_ICS_protocols.html) - [Fuzzowski - the Network Protocol Fuzzer that we will want to use](https://hakin9.org/fuzzowski-the-network-protocol-fuzzer-that-we-will-want-to-use/) - [Fuzz Testing of Application Reliability](https://pages.cs.wisc.edu/~bart/fuzz/) - [FIRM-AFL : High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation](https://www.usenix.org/conference/usenixsecurity19/presentation/zheng) - [Snipuzz : Black-box Fuzzing of IoT Firmware via Message Snippet Inference](https://arxiv.org/pdf/2105.05445.pdf) - [fuzzing-iot-binaries] - [part1](https://blog.attify.com/fuzzing-iot-devices-part-1/) / [part2](https://blog.attify.com/fuzzing-iot-binaries-with-afl-part-ii/) - [Modern Vulnerability Research Techniques on Embedded Systems](https://breaking-bits.gitbook.io/breaking-bits/vulnerability-discovery/reverse-engineering/modern-approaches-toward-embedded-research) - [FuzzingPaper](https://github.com/wcventure/FuzzingPaper/tree/master/Paper) - [Exercises to learn how to fuzz with American Fuzzy Lop](https://github.com/mykter/afl-training) - [Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging](https://github.com/seemoo-lab/frankenstein) - [Bluetooth experimentation framework for Broadcom and Cypress chips.](https://github.com/seemoo-lab/internalblue) - [Fuzzing Forum](https://github.com/google/fuzzing) ******************************************************************************************************************************** ### FlipperZero #### Custom firmwares - Flipper Zero Unleashed Firmware : https://github.com/DarkFlippers/unleashed-firmware - RogueMaster Flipper Zero Firmware : https://github.com/RogueMaster/flipperzero-firmware-wPlugins - #### Interesting research - CVE-2022-40363 : [Exploiting Flipper Zero’s NFC file loader](https://vvx7.io/posts/2022/09/your-amiibos-haunted/) #### Flipperzero101 - [Flipper Zero - Starter Guide](https://www.youtube.com/watch?v=MJd6qugqHg8&ab_channel=PenAce) - [A collection of Awesome resources for the Flipper Zero device.](https://github.com/djsime1/awesome-flipperzero) #### Cool Hacks - [Flipper Zero - Starter Guide](https://www.youtube.com/watch?v=MJd6qugqHg8&ab_channel=PenAce) - [gaylord M FOCker - ready to pwn your MIFARE tags](https://luemmelsec.github.io/gaylord-M-FOCker-ready-to-pwn-your-MIFARE-tags/) ******************************************************************************************************************************** ### ICS - [ICS-Security](https://github.com/V33RU/IoTSecurity101/blob/master/ICS/Industrial%20Control%20Systems.md) ******************************************************************************************************************************** ### Automotive - [Automotive-Security](https://github.com/V33RU/IoTSecurity101/blob/master/Automotive-Security.md) ******************************************************************************************************************************** ### Vulnerable IoT and Hardware Applications - IoT : https://github.com/Vulcainreo/DVID - Safe : https://insinuator.net/2016/01/damn-vulnerable-safe/ - IoT-vulhub : https://vulntotal-team.github.io/IoT-vulhub/#%E5%AE%89%E8%A3%85 - Router : https://github.com/praetorian-code/DVRF - SCADA : https://www.slideshare.net/phdays/damn-vulnerable-chemical-process - PI : https://whitedome.com.au/re4son/sticky-fingers-dv-pi/ - SS7 Network: https://www.blackhat.com/asia-17/arsenal.html#damn-vulnerable-ss7-network - VoIP : https://www.vulnhub.com/entry/hacklab-vulnvoip,40/ - Hardware Hacking 101 : https://github.com/rdomanski/hardware_hacking - RHME-2015 : https://github.com/Riscure/RHme-2015 - RHME-2016 : https://github.com/Riscure/Rhme-2016 - RHME-2017 : https://github.com/Riscure/Rhme-2017 - ### CTF For IoT And Embeddded #### Awesome Hardware, IoT, Firmware, ARM, and Reverse Engineering CTFs and Platforms #### Hardware CTFs - [BLE CTF](https://github.com/hackgnar/ble_ctf) - A framework focused on Bluetooth Low Energy security. - [Rhme-2016](https://github.com/Riscure/Rhme-2016) - Riscure's hardware security competition for 2016. - [Rhme-2017](https://github.com/Riscure/Rhme-2017) - Riscure's hardware security competition for 2017. #### IoT CTFs - [IoTGoat](https://github.com/scriptingxss/IoTGoat) - Deliberately insecure firmware based on OpenWrt for IoT security training. - [IoT Village CTF](https://www.iotvillage.org/) - A Capture The Flag event specifically focused on IoT security. - [IoTSec CTF](https://ctf.iotsec.io/) - Offers IoT related challenges for continuous learning. #### Firmware CTFs - [Damn Vulnerable ARM Router](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html) - A deliberately vulnerable ARM router for exploitation practice. - [Firmware Security Training & CTF](https://github.com/0x6d696368/RouterAnalysisToolkit) - Firmware analysis tools and challenges by Router Analysis Toolkit. #### ARM CTFs - [ARM-X CTF](https://github.com/therealsaumil/armx) - A set of challenges focused on ARM exploitation. - [Azeria Labs ARM Challenges](https://azeria-labs.com/writing-arm-assembly-part-1/) - Offers ARM assembly challenges and tutorials. #### Reverse Engineering CTFs - [Microcorruption](https://www.microcorruption.com/) - Embedded security CTF focusing on lock systems. - [Pwnable.kr](https://pwnable.kr/) - Offers various reverse engineering challenges. #### Platforms for Continuous Learning - [Hack The Box](https://www.hackthebox.eu/) - Platform offering a range of challenges, including hardware and reverse engineering. - [Root Me](https://www.root-me.org/) - Platform with various types of challenges including hardware and reverse engineering. - [CTFtime](https://ctftime.org/) - Lists various CTFs, including those in hardware, IoT, and firmware. ******************************************************************************************************************************** ## follow the people - [Jilles](https://twitter.com/jilles_com) - [Joe Fitz](https://twitter.com/securelyfitz) - [Aseem Jakhar](https://twitter.com/aseemjakhar) - [Cybergibbons](https://twitter.com/cybergibbons) - [Jasper](https://twitter.com/jzvw) - [Dave Jones](https://twitter.com/eevblog) - [bunnie](https://twitter.com/bunniestudios) - [Ilya Shaposhnikov](https://twitter.com/drakylar) - [Mark C.](https://twitter.com/LargeCardinal) - [A-a-ron Guzman](https://twitter.com/scriptingxss) - [Yashin Mehaboobe](https://twitter.com/YashinMehaboobe) - [Arun Magesh](https://www.linkedin.com/in/marunmagesh) - [Mr-IoT](https://twitter.com/v33riot) - [QKaiser](https://twitter.com/qkaiser) - [9lyph](https://twitter.com/9lyph)