awesome-embedded-security
Awesome list for embedded security tools and knowledge
https://github.com/hexsecs/awesome-embedded-security
-
Further Learning and Training
-
Wifi Tools
- Embeddedsecurity.io - Beginners resource on embedded systems security.
- SecuringHardware.com - Paid hardware security training courses by Joe Fitz [@securelyfitz](https://x.com/securelyfitz).
- GrandIdeaStudio.com - Paid hardware hacking training with Joe Grand (aka Kingpin).
- raelize.com - Blog - Great insight into hardware hacking such as fault injection and side-channel attacks.
- riscure.com - Blog - One of the OG companies working on fault injection. Jasper van Woudenberg (Riscure) and Colin O'Flynn (NewAE) literally [wrote the book](https://nostarch.com/hardwarehacking) on hardware hacking.
- synacktiv - Blog - A how-to on voltage fault injection.
- Microcorruption - Browser-based embedded security CTF presenting a series of challenges on a fictional MSP430-based lock system, covering stack overflows through advanced memory corruption exploitation.
- MITRE eCTF - Annual collegiate "build-then-break" competition where teams harden and then attack each other's firmware on real ARM Cortex-M microcontrollers; open source tooling and insecure reference designs published each year.
- DVID - Damn Vulnerable IoT Device: open hardware ATmega328p board (Gerbers published) purpose-built for practicing UART extraction, firmware dumping, and Bluetooth sniffing attacks on physical hardware.
- DVRF - Damn Vulnerable Router Firmware: modified Linksys firmware containing intentional MIPS/ARM binary exploitation challenges (buffer overflows, format strings, heap bugs) runnable under QEMU without physical hardware.
- HardwareAllTheThings - Actively maintained hardware and IoT pentesting wiki by swisskyrepo covering fault injection, JTAG/SWD/UART exploitation, firmware dumping, side-channel attacks, and RF attacks with practical tooling references.
-
-
Hardware Tools
-
Chip-Off and Memory Forensics
- Flashrom - Utility for identifying, reading, writing, and verifying SPI flash chips common in embedded boards.
- CHIPSEC - Platform security assessment framework with firmware and chipset checks relevant to offline dump triage.
- The Sleuth Kit - File system forensic toolkit for carving and examining recovered NAND/eMMC/UFS image dumps.
- SNANDer - CLI programmer for SPI NOR/NAND flash and I2C EEPROMs using the ubiquitous $3 CH341A USB chip, extending it with NAND support beyond what proprietary software provides — the go-to for quick firmware dumps from IoT hardware.
- NANDO - Open hardware STM32-based parallel NAND flash programmer with chip autodetection, bad block handling, and an extensible chip database; targets the parallel NAND found in older routers, set-top boxes, and automotive ECUs.
-
Fault Injection
- PicoGlitcher - RP2040/RP2350-based voltage glitching platform with 66A crowbar, sub-10ns pulse resolution via PIO sampling, and a high-level Python (`findus`) API for scripting attack campaigns. Validated by SySS Research.
- PicoEMP - NewAE's open hardware EMFI tool built on a Raspberry Pi Pico and photographic-flash transformer circuit; the community standard entry-level electromagnetic fault injection platform.
- EM-Fault-It-Yourself - Motorized XYZ-stage EMFI platform targeting desktop and server SoCs (successfully attacked the AMD Secure Processor), with 2.5µm accuracy, 100mm travel, and a web UI for automated scanning campaigns. IEEE HOST 2022.
-
Hardware Debug Interfaces
- JTAGenum - Enumerates JTAG pinouts on unknown boards by brute-force testing candidate pin mappings.
- UrJTAG - Open-source JTAG toolkit for boundary scan, flash programming, and low-level target interaction.
- LUNA - FPGA-based USB analysis and development platform from Great Scott Gadgets, enabling USB sniffing, protocol fuzzing, and custom USB peripheral development via Amaranth HDL.
- JTAGulator - Automates discovery of JTAG, SWD, and UART debug interfaces on unknown PCBs by brute-forcing pin combinations, with sigrok-compatible logic analyzer mode and direct OpenOCD integration for post-discovery exploitation.
-
Hardware Reverse Engineering Multitools
- Tigard - An FTDI FT2232H-based multi-protocol tool for hardware hacking.
- Bus Pirate - The Bus Pirate is an open source hacker multi-tool that talks to electronic stuff. It's got a bunch of features an intrepid hacker might need to prototype their next project.
- Glasgow Interface Explorer - Versatile open-source FPGA-based hardware debugging and reverse engineering tool supporting SPI, I2C, UART, JTAG, and custom protocols with a high-level Python API.
- GreatFET - Open-source USB host-side hardware security research platform from Great Scott Gadgets with an expandable neighbor board ecosystem for interfacing with embedded targets.
- Hydrabus - Open-source multi-protocol hardware hacking tool with support for SPI, I2C, UART, CAN, 1-Wire, and JTAG interfaces, purpose-built for embedded device analysis.
-
Logic Analyzer
- Saleae - Commercial logic analyzer hardware ($149–$499+) with proprietary software; widely used for decoding SPI, I2C, UART, and other embedded protocols.
- Sigrok - The sigrok project aims at creating a portable, cross-platform, Free/Libre/Open-Source signal analysis software suite that supports various device types (e.g. logic analyzers, oscilloscopes, and many more).
-
RF Tools (Non-SDR)
- Flipper Zero - Flipper Zero is a portable multi-tool for pentesters and geeks in a toy-like body. It loves hacking digital stuff, such as radio protocols, access control systems, hardware and more. It's fully open-source and customizable, so you can extend it in whatever way you like.
- Yard Stick One - Transmit or receive digital wireless signals at frequencies below 1 GHz. It uses the same radio circuit as the popular IM-Me.
- Proxmark - The Proxmark is an RFID swiss-army tool, allowing for both high and low level interactions with the vast majority of RFID tags and systems world-wide. Originally built by Jonathan Westhues over 10 years ago, the device has progressively evolved into the industry standard tool for RFID Analysis.
- Awesome Flipper Zero - A collection of Awesome resources for the Flipper Zero device.
- ChameleonUltra - Pocket friendly powerful LF and HF emulation & manipulation tool which is based on the open-source project ChameleonMini.
- Bruce - Powerful open-source ESP32 firmware designed for offensive security and Red Team operations.
- Proxmark3 - Open-source RFID research platform for low-level interaction, analysis, and testing across a wide range of LF and HF tags and systems.
-
Side-Channel Analysis
- ChipWhisperer - An open-source toolchain for side-channel power analysis and fault injection attacks with complete hardware and software stack.
- SCALE - Side-Channel Attack Lab Exercises providing educational material for learning power analysis attacks with low-cost hardware.
- lascar - Fast Python SCA library from Ledger's hardware wallet security team supporting CPA, DPA, MIA, template attacks, and ML-based attacks with lazy loading for large trace datasets.
- scared - Industrial-grade side-channel analysis framework from eShard with best-in-class trace processing performance; supports CPA, DPA, TVLA/NICV leakage assessment, and very large trace datasets.
-
Software Defined Radios
- HackRF One - Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz.
- RTL-SDR - Very cheap ~$30 USB dongle that can be used as a computer based radio scanner for receiving live radio signals in your area (no internet required).
- ADALM-PLUTO (PlutoSDR) - Active learning module (PlutoSDR) used to explore software-defined radio, RF experimentation, and wireless communications.
-
Software Defined Radio Software
- Future SDR - Supports Blocks with synchronous or asynchronous implementations for stream-based or message-based data processing.
- Maia SDR - Open-source FPGA-based SDR project focusing on the ADALM Pluto.
-
Wifi Tools
- Pwnagotchi - A2C-based “AI” powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures.
- ESP32Marauder - A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32.
-
-
Open Source Intelligence (OSINT)
-
Wifi Tools
-
-
Other Awesome Lists
-
Software Tools
-
Baseband Security
- FirmWire - Full-system emulation platform for Samsung (Shannon) and MediaTek cellular baseband firmware with AFL++ fuzzing integration, a task-injection ModKit, and dynamic debugging support. Found 7 pre-authentication memory corruptions. NDSS 2022.
-
Binary Parsing and Analysis Tools
- Kaitai Struct - Declarative language used to describe various binary data structures, laid out in files or in memory: i.e. binary file formats, network stream packet formats, etc.
- Binwalk - Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
- OFRAK - Binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.
- LIEF - Library to Instrument Executable Formats: parse, modify, and abstract ELF, PE, Mach-O, DEX, and OAT binaries found in firmware images.
- firmwalker - Searches extracted firmware filesystems for interesting files, credentials, configuration, and known-vulnerable components.
- SCOUT - Deterministic firmware analysis pipeline emitting SARIF 2.1, CycloneDX 1.6 + VEX SBOM, and hash-anchored evidence chains; auto-detects Ghidra and runs P-code SSA dataflow taint with 4-tier confidence caps. Pure stdlib (no pip dependencies).
- cwe_checker - Binary analysis tool that checks ELF binaries for violations of Common Weakness Enumerations (CWEs) using abstract interpretation, with cross-architecture support.
- FLARE-FLOSS - FLARE Obfuscated String Solver that automatically extracts obfuscated, encoded, and stack strings from binaries for rapid firmware triage.
- unblob - Fast, accurate firmware extraction engine from ONEKEY supporting 100+ archive, compression, and filesystem formats with fewer false positives than Binwalk. Presented at DEF CON 30.
- argXtract - Statically extracts arguments to SVC calls and HAL functions from stripped ARM Cortex-M BLE firmware without symbol tables, enabling security audits of Nordic and similar binaries. ACSAC 2021.
-
Bluetooth and BLE Security
- nRF Sniffer for Bluetooth LE - Nordic Semiconductor's BLE packet sniffer for capturing and analyzing Bluetooth Low Energy traffic with Wireshark integration. Wireshark plugin is open source; dongle firmware is a closed binary requiring Nordic hardware.
- GATTacker - BLE MITM tool for intercepting and relaying GATT profiles to test BLE device authentication and data integrity.
- BtleJuice - Bluetooth Low Energy MITM proxy framework for real-time interception and manipulation of BLE communications.
- Bettercap BLE - BLE scanning, enumeration, and characteristic read/write module integrated into the bettercap Swiss-army knife framework.
- InternalBlue - Bluetooth experimentation framework enabling binary patching, LMP injection, and live monitoring of Broadcom/Cypress firmware on commodity devices (iPhone, Samsung Galaxy, Raspberry Pi) without custom hardware.
- BrakTooth - Directed exploit suite for Bluetooth Classic LMP layer vulnerabilities, targeting protocol layers inaccessible from standard host stacks; affected 1,400+ products from Intel, Qualcomm, and Broadcom. USENIX Security 2022.
- SweynTooth - Runnable PoC exploits for 18 BLE link-layer and L2CAP vulnerabilities across TI, NXP, Cypress, Dialog, Microchip, and STMicro SDKs, including full pairing bypass and link-layer overflows. USENIX ATC 2020.
- WHAD Framework - Hardware-agnostic multi-protocol wireless security framework (BLE, Zigbee, Enhanced ShockBurst, ANT) using a cheap nRF52840 dongle as a universal attack radio; foundation for Quarkslab's BLE GATT fuzzer. DEF CON 32 (2024).
-
Debugging Tools
- Open OCD - OpenOCD provides on-chip programming and debugging support with a layered architecture of JTAG interface and TAP support.
- GDB - The GNU Project debugger, which lets you see what is going on inside another program while it executes, or what another program was doing at the moment it crashed.
- GEF - Kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to make GDB cool again for exploit dev. It is aimed to be used mostly by exploit developers and reverse-engineers, to provide additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development.
- Black Magic Probe - An open-source JTAG/SWD debugger with embedded GDB server and automatic target detection.
- pyOCD - An open-source Python library for programming and debugging Arm Cortex-M microcontrollers with cross-platform debug probe support.
- assembly-repl - Native assembly, LLVM IR, C, C++, and Objective-C REPLs for macOS and Linux.
- probe-rs - Modern Rust-based embedded debug toolkit supporting SWD/JTAG with built-in flashing, RTT logging, and GDB server for ARM and RISC-V targets.
- Frida - Dynamic instrumentation toolkit for injecting JavaScript or native code into running processes on embedded Linux, Android, iOS, and bare-metal targets.
-
Disassemblers/Decompilers
- Binary Ninja - Interactive disassembler, decompiler, and binary analysis platform for reverse engineers, malware analysts, vulnerability researchers, and software developers that runs on Windows, macOS, and Linux.
- Cutter - Free and Open Source RE Platform powered by Rizin.
- Rizin - A free and open-source Reverse Engineering framework, providing a complete binary analysis experience with features like Disassembler, Hexadecimal editor, Emulation, Binary inspection, Debugger, and more.
- radare2 - A free/libre toolchain for easing several low-level tasks like forensics, software reverse engineering, exploiting, and debugging. It is composed of a set of libraries (which are extended with plugins) and programs that can be automated with almost any programming language.
- Vivisect - A combined disassembler/static analysis/symbolic execution/debugger framework.
- Angr Management - Multi-architecture binary analysis toolkit, with the capability to perform dynamic symbolic execution (like Mayhem, KLEE, etc.) and various static analyses on binaries.
- Angr - Platform-agnostic binary analysis framework. Brought to you by the Computer Security Lab at UC Santa Barbara, SEFCOM at Arizona State University, their associated CTF team, Shellphish, the open source community, and @rhelmot.
- Capstone - Lightweight multi-platform, multi-architecture disassembly framework. The project's goal is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.
- Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.
- IDA Pro - Disassembler that maps a program's execution, showing the binary instructions actually executed by the processor in a symbolic representation (assembly language). It can generate assembly language source code from machine-executable code and make this complex code more human-readable.
- Keystone - A lightweight multi-architecture assembler framework that complements Capstone.
- BARF - A binary analysis and reverse engineering framework with support for ROP gadget search and CFG recovery.
- RetDec - Retargetable machine-code decompiler from Avast supporting ARM, MIPS, x86, and other architectures common in embedded firmware.
-
Emulation Tools
- FirmAE - An automated framework for emulation and vulnerability analysis of IoT firmware with a 79% success rate using arbitration techniques.
- Qiling - An advanced binary emulation framework supporting cross-platform OS-level emulation for Windows, Linux, Android, BSD, UEFI, and multiple architectures.
- Unicorn Engine - A lightweight multi-architecture CPU emulator framework providing pure CPU emulation for ARM, MIPS, x86, RISC-V, and more.
- PANDA - Platform for Architecture-Neutral Dynamic Analysis with record/replay functionality and LLVM IR translation for whole-system analysis.
- Renode - Open-source hardware simulation framework from Antmicro for functional testing and security analysis of embedded firmware without physical hardware.
- Avatar2 - Dynamic analysis orchestration framework for binary firmware that coordinates execution across emulators (QEMU, Unicorn) and real hardware targets.
- Firmadyne - Automated system for emulating and analyzing Linux-based embedded firmware; extracts and boots firmware images in QEMU to enable dynamic vulnerability discovery.
- HALucinator - MCU firmware emulation framework that replaces Hardware Abstraction Layer (HAL) functions with high-level models, enabling full firmware execution without physical hardware.
- FirmSolo - Reverse-engineers vendor Linux kernel module version magic to load proprietary `.ko` drivers into a compatible kernel for dynamic analysis and fuzzing, unlocking code previously inaccessible to emulators. USENIX Security 2023.
-
Firmware Malware Analysis
- Firmware Security Testing - OWASP firmware security testing methodology and practical guidance for assessing embedded devices.
- Firmware Analysis Toolkit - Automated tool for firmware emulation and vulnerability discovery.
- emba - Efficient malware analysis framework for embedded firmware with scanning and reporting.
- EMBArk - Enterprise web interface for EMBA providing multi-user scan management, aggregated vulnerability dashboards, and CI/CD integration for continuous firmware security monitoring.
-
Firmware Supply Chain and SBOM
- in-toto - Framework for supply chain integrity that records signed provenance steps and enforces layout verification.
- Sigstore Cosign - Tooling for keyless signing and verification of firmware/container artifacts in CI/CD pipelines.
- Syft - SBOM generator for filesystems and artifacts, useful for firmware package/component inventories.
- Grype - Vulnerability scanner that consumes SBOMs to identify known CVEs in firmware dependencies.
-
Firmware Taint Analysis
- KARONTE - Static analysis tool that tracks untrusted input flows across binary boundaries (shared files, sockets, env vars) in embedded Linux firmware using angr-based inter-binary taint propagation. IEEE S&P 2020.
- SaTC - Anchors taint analysis to string literals shared between web front-end and back-end binaries to pinpoint user-controlled input entry points; found 33 unknown bugs in commercial firmware. USENIX Security 2021.
- EmTaint - Structured symbolic expression-based taint analysis with on-demand alias resolution for embedded Linux firmware; found 151 0-day vulnerabilities across 35 real-world images. ISSTA 2023.
-
Fuzzing Tools
- AFL++ - A coverage-guided fuzzer with enhanced mutations, QEMU and Unicorn emulation modes, and custom power schedules.
- honggfuzz - A feedback-driven evolutionary fuzzer supporting hardware-based coverage (Intel BTS/PT) and persistent mode for extreme speed.
- Fuzzowski - A network protocol fuzzer based on the Sulley/BooFuzz framework with support for TCP/UDP/SSL protocols.
- Peach - A smart fuzzer supporting both generation-based and mutation-based fuzzing via Peach Pit definitions. Community edition is source-available; full product is commercial.
- libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine integrated with LLVM.
- boofuzz - Actively maintained network protocol fuzzer and the spiritual successor to Sulley, with session management, target monitoring, and protocol graph support.
- GDBFuzz - Uses GDB hardware breakpoints as a coverage source for uninstrumented embedded targets — works on any GDB-debuggable MCU with no firmware modification required. Bosch Research / ISSTA 2023.
-
IoT Protocol Security
- TLS for MQTT - Overview of TLS implementation for MQTT brokers and clients.
- wolfMQTT - MQTT client library with TLS support optimized for embedded systems.
- CoAP Security - Constrained Application Protocol (CoAP) security with DTLS.
- libcoap - C implementation of CoAP with DTLS support for secure IoT communication.
- Wireshark MQTT - Protocol analyzer support for MQTT traffic inspection and security analysis.
- KillerBee - IEEE 802.15.4/ZigBee security research framework for capturing, injecting, and analyzing ZigBee network traffic using compatible radio hardware.
- Cotopaxi - Multi-protocol IoT security testing toolkit from Samsung R&D covering MQTT, CoAP, AMQP, DTLS, KNX, QUIC, RTSP, SSDP, HTTP/2, gRPC, and more; supports fingerprinting, fuzzing, and known-vulnerability identification across 14 protocols.
-
Language Specific Decompilers
-
MCU Firmware Fuzzing
- Fuzzware - Automatically models MMIO peripheral inputs via symbolic execution to enable coverage-guided fuzzing of ARM Cortex-M firmware with no hardware required. Achieves up to 3.25× coverage over prior approaches. USENIX Security 2022.
- μEmu - Infers peripheral behavior from invalid-access patterns under symbolic execution, then drives AFL-based fuzzing of bare-metal MCU firmware without physical hardware. USENIX Security 2021.
- SAFIREFUZZ - Rewrites ARM Cortex-M firmware via dynamic binary rewriting to run as a Linux userspace process on ARM servers, achieving ~600× the fuzzing throughput of HALucinator. USENIX Security 2023.
- Icicle - Rust-based grey-box fuzzer with architecture-agnostic coverage instrumentation, notable for supporting **MSP430 and RISC-V** where AFL++ QEMU mode has no coverage. ISSTA 2023.
- μAFL - Hardware-in-the-loop fuzzer using ARM ETM trace hardware to collect coverage from a real MCU without any firmware instrumentation. Found 8 CVEs in STM32/NXP SDKs. ICSE 2022.
- DICE - Automatically identifies and emulates DMA input channels in MCU firmware, enabling fuzzers to exercise DMA-driven code paths that were previously opaque. IEEE S&P 2021.
-
OTA Update Security
- SUIT - Software Update for the Internet of Things (SUIT) working group developing manifest-based firmware update architecture.
- RAUC - Safe and secure firmware update framework for embedded Linux with bundle signing and A/B partitioning.
- Mender - Over-the-air software updater for Linux IoT devices with atomic updates and rollback.
- SWUpdate - Linux firmware update agent with image verification and incremental updates.
-
Root of Trust and TPM
- TPM 2.0 Reference Implementation - TPM 2.0 specification and reference software from the TCG.
- IBM Software TPM - Software TPM 2.0 emulator for testing and development.
- TPM 2.0 TS - TCG Software Stack for TPM 2.0 providing API for key management and attestation.
- Keylime - Open source TPM-based remote attestation for cloud and edge.
- AMD fTPM Security Guidance - AMD guidance and security bulletin coverage related to firmware TPM behavior on supported platforms.
- tpm2-algtest - Tests real TPM 2.0 chips for RNG output quality, key generation timing, algorithm support, and implementation fingerprints across 80+ firmware revisions from 6 vendors. From CRoCS (discoverers of ROCA). CHES 2024.
-
RTOS Security
- FreeRTOS Security - Security features and documentation for FreeRTOS including MQTT over TLS, PKCS#11, and PSA Certified implementation.
- Zephyr Project Security - Security documentation for the Zephyr RTOS including TF-M integration, verified boot, and security testing.
- RT-Thread Security - Security resources and vulnerability reporting for RT-Thread IoT OS.
- seL4 - Formally verified microkernel with machine-checked proofs of functional correctness, integrity, and confidentiality, providing the strongest security guarantees of any production OS kernel.
- Tock OS - Rust-based embedded OS for microcontrollers designed for security through hardware-enforced memory isolation and a capability-based driver model, targeting Cortex-M and RISC-V platforms.
-
Secure Boot and Firmware Trust
- MCUboot - Secure bootloader for 32-bit microcontrollers supporting signed images, rollback protection, and measured boot flows.
- AVB (Android Verified Boot) - Reference implementation and design guidance for chained trust and verified partitions in embedded Android systems.
- U-Boot Verified Boot - FIT-signature based verified boot support for embedded Linux boot chains.
- wolfBoot - Portable secure bootloader for 32-bit MCUs using wolfCrypt for image signature verification (Ed25519, ECC, RSA, post-quantum LMS/XMSS), with delta updates, encrypted images, and explicit voltage-glitch countermeasures.
-
Security Auditing Frameworks
- EXPLIoT - EXPLIoT is a Framework for security testing and exploiting IoT products and IoT infrastructure. It provides a set of plugins (test cases) which are used to perform the assessment and can be extended easily with new ones. The name EXPLIoT (pronounced expl-aa-yo-tee) is a pun on the word exploit and explains the purpose of the framework i.e. IoT exploitation.
- Firmware Analysis and Comparison Tool (FACT) - Automated Firmware Security analysis (Router, IoT, UEFI, Webcams, Drones, …). It is easy to use (web UI), extend (plug-in system) and integrate (REST API).
- FwAnalyzer (Firmware Analyzer) - Tool to analyze ext2/3/4, FAT/VFat, SquashFS, and UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules.
- Metasploit - Open source penetration testing framework (BSD licensed) maintained by Rapid7, with modules for exploiting vulnerabilities, scanning, and post-exploitation across embedded Linux and IoT targets.
- IoTGoat - OWASP intentionally insecure firmware for Raspberry Pi and x86 platforms, providing hands-on practice for the OWASP IoT Top 10 vulnerabilities.
- kernel-hardening-checker - Audits Linux kernel Kconfig options and boot parameters against KSPP, CLIP OS, and STIG hardening recommendations; supports ARM, ARM64, x86, and RISC-V. Works in Yocto/OpenEmbedded pipelines.
-
TEE/Trusted Execution Environments
- Trusty TEE - Trusted Execution Environment used in Android for secure services and keystore.
- AMD SEV - Secure Encrypted Virtualization for encrypting VM memory with AMD-V hardware assistance.
- OP-TEE - Open Source Trusted Execution Environment providing isolation for secure world execution on ARM TrustZone processors.
- Intel SGX SDK - Open-source Linux SDK and Platform Software for Intel Software Guard Extensions, providing the build/install toolchain for developing and deploying hardware-based memory enclave applications.
- Samsung TrustZone Research Toolkit - Quarkslab's RE toolkit for Samsung Kinibi TrustZone: Ghidra loader for MCLF trustlet binaries, Unicorn-based trustlet emulator for exploit development, and Python bindings for communicating with Trusted Applications.
-
Zigbee / Z-Wave Security
- Z-Fuzzer - Coverage-guided Zigbee protocol fuzzer using a software simulator with pre-defined peripheral and interrupt configurations; found 6 CVEs in TI Z-Stack. ACM Digital Threats 2022.
- VFuzz - The only dedicated open-source Z-Wave security fuzzer; uses a Field Prioritization Algorithm to mutate protocol-valid frames and assess target encryption capabilities. IEEE Access 2022.
-