🗂️ Resource Index

• Vulnerable IoT and Hardware Applications

  • DVRF - `Damn Vulnerable Router Firmware project for understanding router vulnerabilities.`
  • DVID - `Deliberately vulnerable IoT device firmware for training and educational purposes.`
  • Damn Vulnerable Safe - `A physical safe designed to be vulnerable, intended for security training.`
  • Sticky Fingers DV-Pi - `A vulnerable Raspberry Pi project for educational use.`
  • Damn Vulnerable SS7 Network - `Demonstrates vulnerabilities in SS7 networks.`
  • Hardware Hacking 101 - `A repository for learning the basics of hardware hacking.`
  • RHme-2015 - `Archive of the RHme-2015 hardware hacking competition.`
  • Rhme-2016 - `Archive of the RHme-2016 hardware hacking competition.`
  • Rhme-2017 - `Archive of the RHme-2017 hardware hacking competition.`

• Fuzzing Things

  • Snipuzz : Black-box Fuzzing of IoT Firmware via Message Snippet Inference
  • OWASP Fuzzing Info
  • Fuzzing_ICS_protocols
  • Fuzz Testing of Application Reliability
  • FIRM-AFL : High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
  • fuzzing-iot-binaries - iot-binaries-with-afl-part-ii/)
  • Modern Vulnerability Research Techniques on Embedded Systems
  • FuzzingPaper
  • Exercises to learn how to fuzz with American Fuzzy Lop
  • Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging
  • Bluetooth experimentation framework for Broadcom and Cypress chips.
  • Fuzzing Forum

• Villages

  • ICS Village
  • Payment Villages
  • IoT Villages
  • RF hackers
  • Car Hacking Village

• Books for IoT Penetration Testing

  • PatrIoT: Practical and Agile Threat Research for IoT by Emre Süren
  • Hardware Security Training, Hands-on!
  • Security Issues in Mobile NFC Devices (Michael Roland)
  • PatrIoT: Practical and Agile Threat Research for IoT by Emre Süren
  • Hardware Security Training, Hands-on!
  • The Firmware Handbook (Embedded Technology) by Jack Ganssle
  • Linksys WRT54G Ultimate Hacking by Paul Asadoorian
  • Near Field Communication (NFC): From Theory to Practice
  • Android Hacker's Handbook by Joshua J. Drake
  • The Art of PCB Reverse Engineering by Keng Tiong
  • Abusing the Internet of Things by Nitesh Dhanjani
  • Learning Linux Binary Analysis by Ryan "elfmaster" O'Neill
  • Inside Radio: An Attack and Defense Guide by Qing Yang, Lin Huang
  • Pentest Hardware (online handbook, GitHub)
  • Gray Hat Hacking: The Ethical Hacker's Handbook, 5th Edition
  • Intro to Bluetooth Low Energy (Afaneh, PDF)
  • Bluetooth® LE Security Study Guide
  • The Hardware Hacking Handbook by Jasper van Woudenberg & Colin O'Flynn
  • Practical IoT Hacking: The Definitive Guide
  • Manual PCB-RE: The Essentials by Keng Tiong
  • PatrIoT: Practical and Agile Threat Research for IoT by Emre Süren
  • Hardware Security Training, Hands-on!
  • Embedded Systems Security and TrustZone
  • Practical Binary Analysis by Dennis Andriesse
  • Hack the Airwaves: Advanced BLE Exploitation Techniques
  • Microcontroller Exploits
  • The Ultimate Hardware Hacking Gear Guide (GitHub)
  • Security Issues in Mobile NFC Devices (Michael Roland)
  • Mastering Hardware Hacking: Breaking and Securing Embedded Systems
  • Practical Hardware Pentesting (2nd Edition) – Amazon.in
  • Hardware Security: Challenges and Solutions
  • The Definitive Handbook on Reverse Engineering Tools
  • Ghidra Software Reverse-Engineering for Beginners (2nd Edition)
  • IOActive E-Book: The State of Silicon Chip Hacking in 2025
  • PatrIoT: Practical and Agile Threat Research for IoT by Emre Süren
  • Hardware Security Training, Hands-on!
  • Security Issues in Mobile NFC Devices (Michael Roland)
  • PatrIoT: Practical and Agile Threat Research for IoT by Emre Süren
  • Hardware Security Training, Hands-on!
  • PatrIoT: Practical and Agile Threat Research for IoT by Emre Süren
  • Hardware Security Training, Hands-on!
  • Security Issues in Mobile NFC Devices (Michael Roland)

• IoT Web and Message Services

  • IoT Security: RCE in MQTT Protocol
  • Radware – CoAP Protocol Overview
  • Radware – CoAP Protocol Overview
  • MQTT Broker Security - 101
  • Hacking the IoT with MQTT
  • Are Smart Homes Vulnerable to Hacking?
  • Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
  • Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path
  • IoT Security: RCE in MQTT Protocol
  • Penetration testing of Sesame Smart door lock
  • CVE-2020-13849
  • CVE-2023-3028
  • CVE-2021-0229
  • CVE-2019-5432
  • Using IoT MQTT for V2V and Connected Car
  • MQTT with Hardware Development Information
  • IoT Live Demo: 100,000 Connected Cars with Kubernetes, Kafka, MQTT, TensorFlow
  • Nmap MQTT Library
  • A Guide to MQTT by Hacking a Doorbell to Send Push Notifications (Video)
  • Understanding the MQTT Protocol Packet Structure
  • Deep Learning UDF for MQTT IoT Sensor Data Anomaly Detection
  • IoXY - MQTT Intercepting Proxy
  • Mosquitto - An Open Source MQTT Broker
  • HiveMQ
  • MQTT Explorer
  • Welcome to MQTT-PWN!
  • Alert: New WailingCrab Malware Loader
  • Read the Draft
  • Read the Blog
  • CoAP NSE (Nmap)
  • Copper (Firefox plugin)
  • libcoap (CLI Tools) - based CoAP library with CLI
  • Scapy CoAP Plugin
  • Peach Fuzzer (Commercial)
  • Zolertia
  • RTL-SDR - Fi Sniffers](https://www.wireshark.org/) – For CoAP/UDP traffic analysis
  • SpectralOps – Top Protocol Security Issues
  • Radware – CoAP Protocol Overview
  • Recorded Future – CoAP Exposure Study (2024)
  • RFC 8613 – OSCORE
  • RFC 8323 – CoAP over TCP
  • RFC 8824 – SCHC Header Compression
  • Radware – CoAP Protocol Overview
  • Radware – CoAP Protocol Overview
  • Radware – CoAP Protocol Overview

• RADIO HACKER QUICK START GUIDE

  • Introduction to Software Defined Radio
  • Complete course in Software Defined Radio (SDR) by Michael Ossmann
  • SDR Notes - Radio IoT Protocols Overview
  • Understanding Radio
  • Introduction Gnuradio companion
  • Creating a flow graph in gunradiocompanion
  • Analysing radio signals 433Mhz
  • Recording specific radio signal
  • Replay Attacks with raspberrypi -rpitx

• Technical Research and Hacking

  • Subaru Head Unit Jailbreak
  • Jeep Hack
  • Dropcam Hacking
  • LED Light Hacking
  • PS4 Jailbreak – the current status
  • Besder 6024PB-XMA501 IP camera security analysis
  • Smart Lock Vulnerabilities

• Pentesting Firmwares and emulating and analyzing

  • Firmware emulation with QEMU
  • Reversing ESP8266 Firmware
  • Emulating ARM Router Firmware
  • Reversing Firmware With Radare
  • Samsung Firmware Magic - Unpacking and Decrypting
  • Qiling & Binary Emulation for automatic unpacking
  • Emulating and Exploiting UEFI Firmware
  • IoT binary analysis & emulation part -1
  • ross debugging for ARM / MIPS ELF with QEMU/toolchain
  • Qemu + buildroot 101
  • Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device
  • Adaptive Emulation Framework for Multi-Architecture IoT Firmware Testing
  • Automatic Firmware Emulation through Invalidity-guided Knowledge Inference
  • Debugging D-Link: Emulating firmware and hacking hardware
  • **EMBA** – Analyzer for embedded Linux firmware (static scanning, reporting)
  • **FACT** – Firmware Analysis and Comparison Tool
  • **Firmwalker** – Greps for credentials/secrets in extracted firmware
  • **fwhunt-scan** – Analyze UEFI firmware, check modules with FwHunt rules
  • **ByteSweep** – Modern, multi-arch firmware vulnerability scanner
  • **BINSEC** – Symbolic/taint-based static analysis of binaries
  • **Ghidra** – Advanced static disassembly and decompilation
  • **Radare2** – Static/dynamic reverse engineering, disassembly
  • **Cutter** – GUI for Radare2 with static/dynamic features
  • **RetDec** – Machine-code decompiler
  • **Diaphora** – Binary diffing for firmware/patch analysis
  • **unblob** – Extraction framework for embedded filesystems/blobs
  • **Firmadyne** – Automated Linux firmware emulation and analysis
  • **QEMU** – System emulator for firmware images
  • **PANDA** – Platform for architecture-neutral dynamic analysis (record/replay, taint, fuzz)
  • **Avatar2** – Dynamic firmware analysis/instrumentation
  • **Renode** – Emulates embedded systems, SoCs, peripherals
  • **Unicorn Engine** – Multi-architecture CPU emulator
  • **Boofuzz** – Network/protocol fuzzing for firmware targets
  • **Syzkaller** – Kernel fuzzer for Linux/firmware
  • **Dr. Memory** – Dynamic memory analysis (adaptable for firmware)
  • **S2E** – Selective symbolic execution for binary software
  • **FirmWire** – Baseband firmware emulation (cellular/IoT)
  • **Firmware Analysis Toolkit (FAT)** – Hybrid static/dynamic workflow for firmware
  • **Angr** – Symbolic execution and hybrid static/dynamic binary analysis
  • **Frida** – Dynamic instrumentation toolkit
  • **Qiling** – Emulator supporting static/dynamic analysis of binaries/firmware
  • **Ret-sync** – Sync reverse engineering across Ghidra/IDA/R2
  • Reversing 101
  • IoT Security Verification Standard (ISVS)

• Firmware samples to pentest

  • Download From here by firmware.center

• Binary Analysis

  • https://www.coalfire.com/the-coalfire-blog/reverse-engineering-and-patching-with-ghidra
  • Automating binary vulnerability discovery with Ghidra and Semgrep

• Symlinks Attacks

  • Zip Slip Vulnerability

• Secureboot

  • Writing a Bootloader
  • Pwn the ESP32 Secure Boot
  • Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
  • Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM - software.com/2016/10/06/hacking-arm-trustzone-secure-boot-on-amlogic-s905-soc/)
  • Defeating Secure Boot with Symlink Attacks
  • PS4 Aux Hax 5 & PSVR Secure Boot Hacking with Keys by Fail0verflow!
  • Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
  • Breaking Secure Boot on the Silicon Labs Gecko platform

• Storage Medium

  • RPMB, a secret place inside the eMMC
  • EMMC Data Recovery From Damaged Smartphone
  • Another Bunch Of Articles For EMMC
  • Unleash Your Smart-Home Devices: Vacuum Cleaning Robot Hacking
  • Hands-On IoT Hacking: Rapid7 At DEF CON 30 IoT Village, Part 1

• Payment Device Security

  • Introduction to ATM Penetration Testing
  • Pwning ATMs For Fun and Profit
  • Jackpotting Automated Teller Machines Redux

• IoT hardware Overview and Hacking

  • IoT Hardware Guide
  • Intro To Hardware Hacking - Dumping Your First Firmware
  • Jtagulator/Jtagenum
  • Logic Analyzer
  • The Shikra
  • FaceDancer21 (USB Emulator/USB Fuzzer)
  • RfCat
  • An Introduction to Hardware Hacking
  • Serial Terminal Basics
  • Reverse Engineering Serial Ports
  • REVERSE ENGINEERING ARCHITECTURE AND PINOUT OF CUSTOM ASICS
  • ChipWhisperer - Hardware attacks
  • Hardware hacking tutorial: Dumping and reversing firmware
  • Dumping the firmware From Router using BUSPIRATE - SPI Dump
  • TPM 2.0: Extracting Bitlocker keys through SPI
  • SPI-Blogs
  • Reading FlashROMS - Youtube
  • Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot
  • Router Analysis Part 1: UART Discovery and SPI Flash Extraction
  • Identifying UART interface
  • onewire-over-uart
  • Accessing sensor via UART
  • Using UART to connect to a chinese IP cam
  • A journey into IoT – Hardware hacking: UART
  • UARTBruteForcer
  • Accessing and Dumping Firmware Through UART
  • UART Exploiter
  • Analyzing JTAG
  • The hitchhacker’s guide to iPhone Lightning & JTAG hacking
  • Debugging 8-bit AVR® microcontrollers trhough JTAG and AVR-gdb
  • Introduction to TPM (Trusted Platform Module)
  • Trusted platform module security defeated in 30 minutes, no soldering required
  • Side channel attacks
  • Attacks on Implementations of Secure Systems
  • fuzzing, binary analysis, IoT security, and general exploitation
  • Espressif ESP32: Bypassing Encrypted Secure Boot(CVE-2020-13629)
  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key
  • Tutorial CW305-4 Voltage Glitching with Crowbars - Detailed tutorial on voltage glitching using crowbars.
  • Voltage Glitching Attack using SySS iCEstick Glitcher - A demonstration of a voltage glitching attack by SySS PentestTV.
  • Samy Kamkar - FPGA Glitching & Side Channel Attacks - Insights on FPGA glitching and side channel attacks from Samy Kamkar.
  • Hardware Power Glitch Attack - rhme2 Fiesta (FI 100) - A hardware power glitch attack demonstration by LiveOverflow.
  • Keys in flash - Glitching AES keys from an Arduino / ATmega - Extracting AES keys from an Arduino using glitching.
  • Implementing Practical Electrical Glitching Attacks - A guide on implementing electrical glitching attacks, presented at Black Hat Europe 2015.
  • How To Voltage Fault Injection - A comprehensive guide on voltage fault injection techniques.

• Awesome IoT Pentesting Guides

  • Shodan Pentesting Guide
  • Car Hacking Practical Guide 101
  • awesome-embedded-fuzzing

• CTF For IoT And Embeddded

  • BLE CTF - A framework focused on Bluetooth Low Energy security.
  • IoTGoat - Deliberately insecure firmware based on OpenWrt for IoT security training.
  • IoT Village CTF - A Capture The Flag event specifically focused on IoT security.
  • IoTSec CTF - Offers IoT related challenges for continuous learning.
  • ARM-X CTF - A set of challenges focused on ARM exploitation.
  • Azeria Labs ARM Challenges - Offers ARM assembly challenges and tutorials.
  • Microcorruption - Embedded security CTF focusing on lock systems.
  • Pwnable.kr - Offers various reverse engineering challenges.
  • Root Me - Platform with various types of challenges including hardware and reverse engineering.
  • CTFtime - Lists various CTFs, including those in hardware, IoT, and firmware.

• follow the people

  • Arun Magesh

• Blogs for IoT Pentest

  • Team82 Research
  • wrongbaud
  • Firmware Analysis
  • **voidstarsec**
  • **Exploitee.rs Website**
  • **Jilles.com**
  • **Syss Tech Blog**
  • **Payatu Blog**
  • **Raelize Blog**
  • **JCJC Dev Blog**
  • **Devttys0 Blog**
  • **Embedded Bits Blog**
  • **Keenlab Blog**
  • **Courk.cc**
  • **IoT Security Wiki**
  • **Cybergibbons Blog**
  • **Firmware.RE**
  • **K3170makan Blog**
  • **Tclaverie Blog**
  • **Besimaltinok Blog**
  • **Ctrlu Blog**
  • **Sp3ctr3 Blog**
  • **0x42424242.in Blog**
  • **Dantheiotman Blog**
  • **Danman Blog**
  • **Quentinkaiser Blog**
  • **Ice9 Blog**
  • **CJHackerz Blog**
  • **Synacktiv Publications**
  • **Cr4.sh Blog**
  • **Ktln2 Blog**
  • **Naehrdine Blog**
  • **Limited Results Blog**
  • **Fail0verflow Blog**
  • **Exploit Security Blog**

• Proof of Concepts known Device Vulnerabilities

  • IoT-Vuln-with CVE and PoC of tenda and dlink

• Community and Discussion Platforms

  • IoTSecurity101 Telegram
  • IoTSecurity101 Reddit
  • Hardware Hacking Telegram
  • ICS Discord Group

• IoT and Hardware Security Trainings

  • opensecuritytraining 2

• Awesome CheatSheets

  • Hardware Hacking cheat sheet
  • Nmap

• Search Engines for Internet-Connected Devices

  • Shodan
  • ZoomEye
  • BinaryEdge
  • Thingful
  • Wigle
  • Hunter.io
  • BuiltWith
  • Recon-ng
  • PublicWWW

• IoT Vulnerabilites Checking Guides

  • Reflecting upon OWASP TOP-10 IoT Vulnerabilities
  • Hardware toolkits for IoT security analysis

• IoT Pentesting OSes

  • Sigint OS- LTE IMSI Catcher
  • Instatn-gnuradio OS - For Radio Signals Testing
  • Ubutnu Best Host Linux for IoT's - Use LTS
  • Internet of Things - Penetration Testing OS v1
  • Dragon OS - DEBIAN LINUX WITH PREINSTALLED OPEN SOURCE SDR SOFTWARE
  • EmbedOS - Embedded security testing virtual machine
  • Skywave Linux- Software Defined Radio for Global Online Listening
  • A Small, Scalable Open Source RTOS for IoT Embedded Devices
  • ICS - Controlthings.io
  • AttifyOS - IoT Pentest OS - by Aditya Gupta

• Exploitation Tools

  • Expliot - IoT Exploitation framework - by Aseemjakhar
  • Routersploit (Exploitation Framework for Embedded Devices)
  • IoTSecFuzz (comprehensive testing for IoT device)
  • killerbee - Zigbee exploitation
  • PRET - Printer Exploitation Toolkit
  • HAL – The Hardware Analyzer
  • FwAnalyzer (Firmware Analyzer)
  • ISF(Industrial Security Exploitation Framework
  • PENIOT: Penetration Testing Tool for IoT
  • MQTT-PWN

• Reverse Engineering Tools

  • GDB
  • Radare2 - source framework for reverse engineering and analyzing binaries; includes a disassembler for multiple architectures.
  • Cutter - friendly interface as well as additional features.
  • Ghidra
  • Binary Ninja
  • OllyDbg
  • x64dbg - source x64/x32 debugger for windows with a focus on plugin support and scriptability.
  • Hopper
  • Immunity Debugger
  • PEiD

• Introduction

  • Introduction to IoT
  • IoT Architecture
  • IoT Protocols Overview

• Cellular Hacking GSM BTS

  • Awesome-Cellular-Hacking
  • what is base tranceiver station
  • How to Build Your Own Rogue GSM BTS
  • 5Ghoul - 5G NR Attacks & 5G OTA Fuzzing
  • Introduction to GSM Security
  • GSM Security 2
  • vulnerabilities in GSM security with USRP B200
  • Security Testing 4G (LTE) Networks
  • Case Study of SS7/SIGTRAN Assessment
  • Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP
  • ss7MAPer – A SS7 pen testing toolkit
  • Introduction to SIGTRAN and SIGTRAN Licensing
  • SS7 Network Architecture
  • Introduction to SS7 Signaling
  • LTE Sniffer

• NFC-RFID

  • List of RFID/NFC Security & Privacy talks

• Zigbee ALL Stuff

  • Hacking Zigbee Devices with Attify Zigbee Framework
  • Hands-on with RZUSBstick
  • Hacking ZigBee Networks
  • Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes
  • Security Analysis of Zigbee Networks with Zigator and GNU Radio
  • Low-Cost ZigBee Selective Jamming
  • zigbear
  • ZigDiggity
  • Zigator
  • Z3sec
  • USRP SDR 2
  • nRF52840-Dongle

• BLE Intro and SW-HW Tools to pentest

  • awesome-bluetooth-security
  • BLE-NullBlr: Step By Step guide to BLE Understanding and Exploiting
  • Traffic Engineering in a Bluetooth Piconet (PDF)
  • BLE Characteristics: A Beginner's Tutorial
  • Bluing - An intelligence gathering tool for hacking Bluetooth
  • BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework
  • btproxy
  • crackle - Cracking encryption
  • bettercap
  • BtleJuice Bluetooth Smart Man-in-the-Middle framework
  • gattacker
  • BTLEjack Bluetooth Low Energy Swiss army knife
  • DEDSEC-Bluetooth-exploit
  • BrakTooth Proof of Concept-Blutooth Classic Attacks
  • sweyntooth_bluetooth_low_energy_attacks Public
  • esp32_bluetooth_classic_sniffer Public
  • ESP32 - Development and learning Bluetooth
  • ESP-WROVER-KIT-VB
  • Blue2thprinting: Answering the Question of 'WTF am I even looking at?!'
  • Open Wounds: The Last 5 Years Have Left Bluetooth to Bleed
  • It Was Harder to Sniff Bluetooth Through My Mask During the Pandemic...
  • Examining the August Smart Lock
  • Finding Bugs in Bluetooth
  • Intel Edison as Bluetooth LE — Exploit Box
  • How I Reverse Engineered and Exploited a Smart Massager
  • My Journey Towards Reverse Engineering a Smart Band — Bluetooth-LE RE
  • Bluetooth Smartlocks
  • I Hacked MiBand 3
  • GATTacking Bluetooth Smart Devices
  • Bluetooth Beacon Vulnerability
  • Sweyntooth Vulnerabilities
  • AIRDROP_LEAK - Sniffs BLE Traffic and Displays Status Messages from Apple Devices
  • BRAKTOOTH: Causing Havoc on Bluetooth Link Manager
  • Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500
  • MojoBox - Yet Another Not So Smartlock
  • Bluetooth-Hacking
  • Bluetooth Forward and Future Secrecy Attacks and Defenses (BLUFFS) [CVE 2023-24023
  • CSR 4.0

• Mobile security (Android & iOS)

  • Android Tamer - A Virtual/Live Platform for Android Security professionals, offering tools and environment for Android security.
  • OWASP Mobile Security Testing Guide - The Open Web Application Security Project's guide for mobile security testing, applicable to iOS.

• Online Assemblers

  • AZM Online Arm Assembler by Azeria
  • Online Disassembler
  • Compiler Explorer is an interactive online compiler which shows the assembly output of compiled C++, Rust, Go

• ARM

  • Azeria Labs
  • ARM EXPLOITATION FOR IoT
  • Damn Vulnerable ARM Router (DVAR)
  • EXPLOIT.EDUCATION