🔩 Awesome Bare Metal Hacking

A deeply curated list of resources for bare metal security research: firmware reversing · exploitation · fuzzing · fault injection · debug interface attacks · secure boot bypasses · TrustZone/TEE · side-channel analysis · RISC-V security


📌 What is Bare Metal Hacking?

Bare metal refers to embedded systems that run directly on hardware with no OS layer - ARM Cortex-M/R/A, RISC-V, AVR, MIPS MCUs found in IoT devices, industrial controllers, medical hardware, automotive ECUs, satellites, and smart cards.

Security research in this space involves:

  • 🔍 Firmware extraction via JTAG/SWD, UART, flash chip-off, eMMC dump, and rowhammer
  • 🔬 Reverse engineering of stripped binaries with no symbols, no RTOS, no libc
  • 💥 Exploitation - stack overflows, ROP chains, Function-Oriented Programming (FOP)
  • Fault injection - voltage glitching, clock glitching, EM fault injection (EMFI)
  • 🔐 Secure boot bypass - readout protection (RDP) bypass, TrustZone attacks, TEE exploitation
  • 🤖 Bare metal fuzzing - MMIO modeling, rehosting, peripheral emulation with QEMU/Unicorn
  • 📡 Debug interface attacks - JTAG/SWD unlocking, OpenOCD exploitation
  • 🏗️ RISC-V security - open ISA exploitation, PMP bypass, enclave attacks

YouTube Videos & Channels

Channels to Follow

These channels consistently publish bare metal security, firmware RE, hardware hacking, and embedded exploitation content.

| Channel | Focus | Link |
|---|---|---|
| stacksmashing | Bare metal ARM RE, Ghidra, glitching, Flipper Zero internals | YouTube |
| Colin O'Flynn / NewAE Technology | ChipWhisperer, power analysis, voltage glitching, fault injection | YouTube |
| LiveOverflow | Binary exploitation, RE, CTF - great ARM exploitation series | YouTube |
| Bare Metal Cyber | Educational embedded cybersecurity audio and video courses | YouTube |
| Matt Brown / Brown Fine Security | ARM binary exploitation, IoT pentesting, bare metal BOF | YouTube |
| RECESSIM | Fault injection on automotive MCUs, smart meter RE | YouTube |
| Hardwear.io | Hardware security conference talks; fault injection, JTAG, glitching | YouTube |
| Low Byte Productions | Bare metal STM32 Cortex-M4 series - bootloaders, firmware signing, security | YouTube |
| Low Level | Embedded systems, ARM internals, OS dev, hardware-close programming | YouTube |
| Wrong Baud | Hardware hacking, SPI/UART/JTAG extraction, NAND flash analysis | YouTube |

Must-Watch Videos

Bare Metal Reverse Engineering

| Title | Channel | Year | What You'll Learn |
|---|---|---|---|
| Bare Metal Reverse Engineering | SolaSec @ DEF CON 33 | 2025 | Full methodology for RE of real-time bare metal ARM firmware with no RTOS |
| Bare-metal ARM firmware RE with Ghidra and SVD-Loader | stacksmashing | 2020 | Loading ARM Cortex-M binaries into Ghidra, CMSIS-SVD peripheral mapping, crackme walkthrough |
| Intro to Firmware Analysis with QEMU and Ghidra | Various | 2024 | End-to-end: extract firmware → emulate in QEMU → static analysis in Ghidra |
| WHY2025 - Bare Metal Programming From the Ground Up | WHY2025 Conference | 2025 | What happens from power-on to your first instruction - vectors, startup, peripherals |
| JTAG/UART Hacking a Yamaha Keyboard | porta @ DEF CON 33 | 2025 | Hardware RE of Yamaha synth - JTAG/UART firmware dump, MIDI backdoor discovery, ARM7TDMI exploitation |

Fault Injection & Glitching

| Title | Channel | Year | What You'll Learn |
|---|---|---|---|
| The Cheapskate Revolution: Hardware Attacks from Millions to Tens of Dollars | Colin O'Flynn @ hardwear.io USA 2021 | 2021 | History and democratization of SCA, VFI, EMFI - $10 attacks on brand new devices |
| Power Analysis and Glitch Attacks with ChipWhisperer | Colin O'Flynn @ Pentester Academy | 2017 | AES key recovery via power analysis, bootloader bypass with clock glitching |
| Clock Glitch Attack: Bypassing Password Check | Colin O'Flynn / NewAE | 2014 | Live demo: clock glitch skips an if-statement, bypasses a password check |
| Power Analysis and Clock Glitching - REcon 2014 | Colin O'Flynn @ REcon | 2014 | ChipWhisperer hardware architecture; target + probe circuit; attack orchestration demo |
| ChipWhisperer Demo: Hardware Hacking & FPGAs | Teardown Session | 2022 | ChipWhisperer Husky internals, low-risk CIC, live fault injection demo + FPGA integration |

Exploitation

| Title | Channel | Year | What You'll Learn |
|---|---|---|---|
| Metal-as-a-Disservice: Exploiting Bare Metal Clouds | Bill Demirkapi @ DEF CON 33 | 2025 | Hijacking bare metal provisioning, persistent UEFI firmware implants, ML workload compromise |
| UEFI Exploitation for the Masses | Shkatov & Michael @ DEF CON 26 | 2018 | SMM backdoors, BIOS exploitation, Intel hardware debug on ARM targets |
| Breaking Firmware Trust From Pre-EFI | Alex Ermolov et al. @ Black Hat 2022 | 2022 | Exploiting Intel PPAM and SMI Transfer Monitor - first public offensive research |
| ARM Assembly and Buffer Overflows - Intro to ARM Binary Exploitation | Brown Fine Security | 2025 | ARM assembly primer, stack layout, BOF on bare metal Cortex-M with Binary Ninja |
| More Buffer Overflows - ARM Exploitation | Brown Fine Security | 2025 | Continued series: building ROP chains on ARM bare metal, exploit delivery |
| Binary Exploitation / Memory Corruption Playlist | LiveOverflow | 2016–2025 | 40+ videos: from format strings to heap exploitation; includes ARM segments |

Hardware Hacking & Embedded Systems

| Title | Channel | Year | What You'll Learn |
|---|---|---|---|
| A Short Trip to Baremetal Hardware Hacking | Javier Tallón @ CyberCamp 2018 | 2018 | Chip-off firmware extraction, readout protection bypass, full RE walkthrough |
| Hacking Embedded Devices - Black Box to UID 0 | Zezadas & David @ BSides Lisbon 2023 | 2024 | Root shell on video converter: decompile APK → find vuln → exploit file path traversal → RCE |
| Embedded Security: Roots-of-Trust, Secure Boot | Embedded Security Talk | 2023 | Threat modelling, roots-of-trust, boot chain integrity, TPM attestation for bare metal |
| Omer Kilic - Bare Metal from a Hardware Perspective | Code Mesh | 2019 | Embedded frameworks, build systems, bare metal vs RTOS architecture tradeoffs |
| Breaking In to Break Things: Practical Paths to Hardware Hacking | RECESSIM @ IoT Security Podcast | 2025 | Low-cost fault injection on automotive MCUs, smart meter RE, community + mindset |
| Hands-on IoT Firmware Extraction & Flash Forensics | Dennis Giese @ DEF CON 33 | 2025 | eMMC BGA chip-off, SPI flash dumping, NAND extraction - hands-on workshop with real devices |

Technical Talks & Conference Presentations

DEF CON

| Year | Talk Title | Speaker(s) | Key Topics | Link |
|---|---|---|---|---|
| 2025 (DC33) | Bare Metal Reverse Engineering | SolaSec | ARM Cortex-M RE methodology, Ghidra, MMIO | YouTube |
| 2025 (DC33) | Metal-as-a-Disservice: Exploiting Legacy Flaws in Cutting Edge Clouds | Bill Demirkapi | Bare metal cloud provisioning hijack, firmware implants, ML workload compromise | YouTube |
| 2025 (DC33) | JTAG/UART Reverse Engineering a Yamaha Keyboard | porta | ARM7TDMI RE, MIDI SysEx backdoor, firmware dump | DEF CON |
| 2025 (DC33) | Gateways to Chaos: Modems Are a Ticking Time Bomb | Multiple | Edge device firmware exploitation, modem security | DEF CON |
| 2025 (DC33) | eMMC BGA Secrets | DEF CON HHV | BGA memory removal, flash hacking, image backdoor | DC HHV |
| 2025 (DC33) | Draytek Router Full Exploitation Chain | Gaston Aznarez | CVE-2024-51138/51139, firmware persistence, unauthenticated RCE | DC HHV |
| 2018 (DC26) | UEFI Exploitation for the Masses | Dmitry Shkatov, Jesse Michael | BIOS/UEFI attack surface, SMM backdoors, Intel HW debug | YouTube |

Black Hat

| Year | Talk Title | Speaker(s) | Key Topics | Link |
|---|---|---|---|---|
| 2022 | Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases | Alex Ermolov, Alex Matrosov et al. | Intel PPAM, SMI Transfer Monitor, pre-EFI code execution | YouTube |
| 2018 | Hacking Firmware & Hardware: Software Exploitation via Hardware | Training | Bare metal exploit development, JTAG, SWD, firmware extraction | Black Hat |
| 2024 | Advanced Embedded & Firmware Security Training | Multiple | Full-spectrum firmware security training | Schedule |

hardwear.io

| Year | Talk Title | Speaker | Key Topics | Link |
|---|---|---|---|---|
| 2021 | The Cheapskate Revolution: Hardware Attacks from Millions to Tens of Dollars | Colin O'Flynn | History of SCA/VFI/EMFI, democratization, $10 glitching tools | YouTube |

BSides & Other Conferences

| Year | Talk Title | Speaker(s) | Venue | Link |
|---|---|---|---|---|
| 2025 | Fuzz Testing Bare Metal and RTOS Firmware | Tobias Scharnowski, Marius Muench | BOOTSTRAP25 (Ringzer0) | Ringzer0 |
| 2024 | Hacking Embedded Devices - Black Box to UID 0 | Zezadas & David Silva | BSides Lisbon 2023 | YouTube |
| 2018 | A Short Trip to the Baremetal Hardware Hacking | Javier Tallón | CyberCamp 2018 | YouTube |
| 2014 | Power Analysis and Clock Glitching with ChipWhisperer | Colin O'Flynn | REcon 2014 | YouTube |

OSFC (Open Source Firmware Conference)

| Year | Notes | Link |
|---|---|---|
| 2024 | TamaGo author Andrea Barisani + open source firmware ecosystem talks | osfc.io |

Research Blogs & Technical Write-ups

Firmware Reverse Engineering

| Title | Author / Source | Description |
|---|---|---|
| Analyzing Bare Metal Firmware Binaries in Ghidra | Attify Blog | Practical: set load address for STM32, define memory segments, locate main(), identify peripherals using SVD |
| Bare-metal ARM RE with Ghidra and SVD-Loader | stacksmashing | How to use CMSIS-SVD files to auto-annotate 800+ peripherals in Ghidra for any ARM MCU |
| Embedded Reverse Engineering with Firmware Ninja | Binary Ninja (Apr 2025) | NEW - Firmware Ninja (FWN) plugin for bare metal memory map construction, peripheral analysis, and inter-device communication RE |
| Demystifying Arm Cortex-M33 Bare Metal: Startup | Mete Balci | Zero-to-main deep dive: vector table, startup code, stack init, clock config on Cortex-M33 |
| How to Do Firmware Analysis: Tools, Tips, and Tricks | Pentest Partners | Methodology: binwalk extraction → Ghidra RE → EMBA scanning → dynamic testing |
| Reverse Engineering Bare-Metal Firmware (3-Part Series) | Ragnar Security / WittsEnd2 | Multi-part series covering ARM assembly analysis and bare metal vulnerability exploitation |
| Firmware Analysis Guide: Detect & Fix Embedded Vulnerabilities | BugProve | Static analysis pipeline, CVE matching, SBOM generation for bare metal blobs |
| Embedded Systems Engineering Roadmap | m3y54m | Full learning path: from bare metal programming basics to hardware security |

Debug Interface Attacks (JTAG / SWD / UART)

| Title | Author / Source | Description |
|---|---|---|
| IoT Security Part 18: Hardware Attack Surface – JTAG, SWD | Payatu | In-depth: JTAG TAP state machine, SWD DAP architecture, JTAGulator usage, buffer overflow via debug port leading to RCE |
| IoT Security Masterclass: JTAG & SWD | Payatu Masterclass | Extended practical tutorial on pin identification (JTAGulator), OpenOCD setup, debug-assisted firmware dump |
| Hacking Hardware Part 7: UART, JTAG and SWD Port Vulnerabilities | HackYourMom | Tool comparison: Bus Blaster, Black Magic Probe, J-Link, ST-Link; when to use UART vs JTAG |
| For hardware hacking, which do you use most: UART or JTAG? | r/hardwarehacking | Community discussion: real-world trade-offs; JTAG preferred for memory dumps, UART for shell access |

Readout Protection & Glitch Attacks

| Title | Author / Source | Description |
|---|---|---|
| Glitching STM32 Read Out Protection with Voltage Fault Injection | Anvil Secure (2025) | VFI on STM32F401CC to bypass RDP Level 1; custom glitcher hardware, timing window discovery, full firmware dump |
| nRF51 Readback Protection (RBPCONF) Bypass | IamAlch3mist (2024) | Load Instruction Exploitation on nRF51822 Cortex-M0 - $10 dev module, no special hardware needed |
| Bypassing Readout Protection in Nordic Semiconductor MCUs | Emproof (2024) | Complete nRF51 DK attack walk-through; RBPCONF register analysis, protection bypass methodology |
| STM32 Readout Protection Cracked Discussion | ST Community | Community analysis of STM32 RDP bypass research and vendor response |

Secure Boot, TrustZone & TEE

| Title | Author / Source | Description |
|---|---|---|
| Implementing Secure Boot and TEEs on Bare Metal | IntechHouse (Feb 2026) | Layered secure boot architecture, ARM TrustZone integration, TEE provisioning for resource-constrained MCUs |
| USB Armory / TamaGo Security Features | reversec.com | RPMB replay protection, bare metal Go TEE (GoTEE), no C runtime dependency, secure storage architecture |
| Understanding TrustZone Vulnerabilities (SoK) | IEEE S&P 2020 | Taxonomy of 80+ CVEs across TEE implementations; privilege escalation, confused deputy, memory disclosure |

Firmware Fuzzing & Emulation

| Title | Author / Source | Description |
|---|---|---|
| DOSS Bare-Metal Firmware Fuzzing | Fraunhofer FOKUS / EU DOSS Project (2025) | NEW - EU-funded Component Tester for bare metal and RTOS firmware fuzzing in IoT supply chain security |
| Fuzzing Device Emulation in QEMU | Red Hat Research | Coverage-guided fuzzing of QEMU virtual devices; structure-aware fuzz targets for bare metal emulation |
| Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing | fuzzware.io | Auto-models MMIO access patterns for Cortex-M3/M4; finds 0-days in real-world bare metal images |
| SAFIREFUZZ: Same-Architecture Firmware Rehosting | pr0me | Near-native throughput fuzzing; no emulation overhead by running firmware natively with thin shim |

Bare Metal Cloud Security

| Title | Author / Source | Description |
|---|---|---|
| Revisiting Bare Metal Server Security in the Age of AI | Eclypsium (Jul 2025) | Hardware rootkits persisting across tenant transitions, TPM 2.0 attestation, secure boot gaps in AI cloud infra |

RISC-V Security Research

NEW SECTION - RISC-V is rapidly growing in IoT/embedded, introducing novel security research opportunities.

| Title | Author / Source | Description |
|---|---|---|
| RISC-V Security Overview | RISC-V International | Official security resource hub - whitepapers on supervisor domains, isolation, cryptographic ISE |
| Pre-silicon Security Analysis of RISC-V Processors to Fault Injection | RISC-V Summit Europe 2025 | Methodology and tools for FI analysis on OpenTitan secure core and CV32E40S |
| Attacks, Defenses and Perspectives for Runtime Security of RISC-V IoT Devices | Computers & Security (Jan 2026) | Comprehensive review of side-channel, vulnerability exploitation, and network attacks on RISC-V |
| A Survey on Thwarting Memory Corruption in RISC-V | ACM Computing Surveys | Hardware-assisted memory safety for RISC-V - XoM, CFI, capability systems |

Research Papers

Surveys & SoKs

| Paper | Venue | Year | Abstract |
|---|---|---|---|
| SoK: Where's the "up"?! Comprehensive Bottom-up Study on ARM Cortex-M Security | USENIX / arXiv | 2024 | Analysis of 1,797 real-world bare metal firmware images; maps hardware security feature adoption, bug taxonomy, attack prevalence |
| Bare-Metal Firmware Fuzzing: A Survey of Techniques and Tools | IEEE Access | 2025 | Comprehensive survey of emulation-based bare metal fuzzing (HALucinator, P2IM, Fuzzware, SAFIREFUZZ, PartEmu) |
| A Survey on IoT & Embedded Device Firmware Security | Springer - Discover IoT | 2023 | Architecture, extraction techniques, and vulnerability analysis frameworks; UART found exploitable in 45%+ of devices |
| A Survey of the Security Analysis of Embedded Devices | MDPI Sensors | 2023 | Type I/II/III embedded device taxonomy, firmware analysis pipeline, attack surface mapping |

Fuzzing & Emulation

| Paper | Venue | Year | Abstract |
|---|---|---|---|
| P2IM: Scalable and Hardware-independent Firmware Testing via Peripheral Interface Modeling | USENIX Security | 2020 | Models MCU peripheral interfaces automatically; enables firmware fuzzing without hardware using QEMU |
| HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation | USENIX Security | 2020 | Replaces hardware abstraction layer functions at runtime to rehost and fuzz closed-source blob firmware |
| SAFIREFUZZ: Same-Architecture Firmware Rehosting and Fuzzing | USENIX Security | 2023 | Near-native throughput rehosting using thin binary shim; outperforms QEMU-based approaches by 100x |
| Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing | USENIX Security | 2022 | Automatically infers MMIO peripheral model; finds bugs in 7 real-world Cortex-M3/M4 firmware images |
| FANDEMIC: Firmware Attack Construction and Deployment on Power Management ICs | NDSS | 2022 | Reverse engineering bare metal IoT firmware targeting PMIC chips; persistent firmware attack |
| Binary-Agnostic Fault Injection to Evaluate Cosmic Radiation Impact | | 2025 | Bare metal Cortex-M satellite firmware simulation; LLVM-based mitigation evaluation |
| Securing LLM-Generated Embedded Firmware through AI Agent-Driven Validation | arXiv | 2025 | NEW - Three-phase LLM firmware generation + automated fuzzing/static analysis + AI agent patching on FreeRTOS/QEMU |

Exploitation & Memory Safety

| Paper | Venue | Year | Abstract |
|---|---|---|---|
| Function-Oriented Programming Attacks on ARM Cortex-M Processors | IEEE | 2024 | Novel code-reuse attack exploiting function-level gadgets in MPU-protected bare metal firmware |
| Update If You Dare: Demystifying Bare-Metal Device Firmware Updates | IEEE Trans. on SW Eng. | 2025 | Systematic analysis of firmware update mechanisms on ARM Cortex-M; downgrade attacks, signature bypass |
| Retrofitting XoM for Stripped Binaries without Embedded Data | NDSS | 2025 | Enforcing execute-only memory on stripped bare metal ARM binaries to prevent code disclosure |
| Leveraging Firmware RE for Stealthy Sensor Attacks via Binary Modification | IEEE TIFS | 2023 | NEW - PMIC voltage manipulation through firmware binary modification; undetectable sensor data corruption |
| A Secure Boot and Firmware Update Framework for ARM Cortex-M in IIoT | PECE | 2026 | NEW - Two-stage secure bootloader for Cortex-M33 with TrustZone-M, anti-rollback, CoAP/DTLS OTA |

TrustZone & TEE

| Paper | Venue | Year | Abstract |
|---|---|---|---|
| REZONE: Disarming TrustZone with TEE Privilege Reduction | USENIX Security | 2022 | Shows that over-privileged TEEs are exploitable; proposes privilege separation in TrustZone |
| Understanding Prevailing Security Vulnerabilities in TrustZone TEEs | IEEE S&P | 2020 | Taxonomy of 80+ CVEs across OP-TEE, QSEE, iTrustee; confused deputy, TOCTOU, memory disclosure |
| Towards Trustworthy TrustZone-Assisted TEEs (PhD Thesis) | INESC-ID | 2024 | Comprehensive formal analysis of TrustZone security properties and architectural flaws |

RISC-V Security

NEW SECTION

| Paper | Venue | Year | Abstract |
|---|---|---|---|
| A Survey on RISC-V Security: Hardware and Architecture | arXiv | 2021 | Comprehensive survey covering cryptographic ISE, side-channel prevention, PMP, TEE on RISC-V |
| A Survey of RISC-V Secure Enclaves and Trusted Execution Environments | MDPI Electronics | 2025 | NEW - First comprehensive survey of enclave/TEE architectures for RISC-V; Sanctum, Keystone, DORAMI, AP-TEE |
| A Survey on Thwarting Memory Corruption in RISC-V | ACM Computing Surveys | 2023 | Hardware-assisted memory safety: XoM, CFI, capability systems on open RISC-V cores |
| Security Challenges Faced by RISC-V Open-source Processors | IEEE Conference | 2024 | RISC-V-specific security dynamics, hardware extensions, cryptographic countermeasures |
| Attacks, Defenses and Perspectives for Runtime Security of RISC-V IoT Devices | Computers & Security | 2026 | NEW - Side-channel, program exploitation, network attacks - comprehensive defense review |

Tools

Reverse Engineering

| Tool | Description | Notes | Link |
|---|---|---|---|
| Ghidra | NSA's free RE framework with ARM Cortex-M support | Must use with SVD-Loader for bare metal | ghidra-sre.org |
| SVD-Loader for Ghidra | Auto-maps 800+ hardware peripherals from CMSIS-SVD into Ghidra | Essential for bare metal RE | GitHub |
| Binary Ninja + Firmware Ninja | Commercial RE platform; Firmware Ninja plugin (2025) adds bare metal memory mapping, peripheral analysis, device comms RE | Best-in-class for embedded FW | binary.ninja / FWN Blog |
| Radare2 | Powerful CLI RE framework; ARM, THUMB, RISC-V support | Good for scripting and automation | GitHub |
| Rizin | Fork of Radare2 with cleaner API; bare metal ARM support | Preferred by many researchers | GitHub |
| IDA Pro + ARM Plugin | Industry-standard disassembler; best THUMB2 support | Expensive but gold standard | hex-rays.com |
| angr | Python symbolic execution framework; models MCU firmware | Use with avatar2 for bare metal | GitHub |
| Capstone | Multi-arch disassembly engine (ARM, THUMB, RISC-V, MIPS) | Used in custom tooling and scripts | GitHub |
| cwe_checker | Static vulnerability checker with experimental bare metal support | Runs on stripped binaries, CBMC-based | GitHub |
| CMSIS-SVD Data | Database of 1,000+ ARM MCU peripheral definitions (STM32, Nordic, etc.) | Used with SVD-Loader | GitHub |

Firmware Analysis & Extraction

| Tool | Description | Notes | Link |
|---|---|---|---|
| Binwalk v3 | Firmware analysis and extraction tool (Rust rewrite) | Identify/extract compressed filesystems, certs, keys | GitHub |
| EMBA | Full-featured automated firmware security scanner with SBOM | CISA SBOM compliance, CVE matching | GitHub |
| EMBArk | Docker-based web UI for EMBA | Easy deployment for team use | GitHub |
| FACT (Firmware Analysis & Comparison Tool) | Web-based firmware analysis with plugin architecture | Diff between firmware versions | GitHub |
| Firmwalker | Script searching extracted firmware for sensitive data | Finds hardcoded passwords, keys, certs | GitHub |
| Firmadyne | Linux-based firmware emulation and dynamic analysis | Works on MIPS/ARM Linux firmwares | GitHub |
| UEFI Firmware Parser | Python tool for parsing and extracting UEFI/BIOS images | Extract modules, sections, certificates | GitHub |
| Draytek Arsenal | Toolkit for Draytek router firmware analysis and exploitation | Released at DEF CON 32 HHV | GitHub |
| XGecu Universal Programmer | Hardware: chip-off flash reader supporting 13,000+ chips | Essential for direct flash extraction | xgecu.com |

Emulation & Rehosting

| Tool | Description | Notes | Link |
|---|---|---|---|
| P2IM | Peripheral interface modeling for bare metal firmware on QEMU | USENIX Security '20 paper | GitHub |
| HALucinator / HAL-Fuzz | High-level emulation (HLE) of hardware abstraction layers | Handles blob firmware without source | GitHub |
| SAFIREFUZZ | Near-native ARM Cortex-M rehosting + fuzzing | 100x throughput vs QEMU | GitHub |
| QEMU | Full system emulator; ARM (Cortex-M, A), RISC-V, MIPS | Backbone of most bare metal emulation | qemu.org |
| Unicorn Engine | Lightweight CPU emulator for binary analysis and emulation | Single-step execution, snapshot/restore | GitHub |
| Avatar² | Multi-target orchestration (combines JTAG debugger + emulator) | Bridges real hardware and emulator for analysis | GitHub |
| PartEmu | TrustZone partition emulation for Cortex-A bare metal TEE analysis | Research tool for TEE RE | Academic |

Fuzzing Frameworks

| Tool | Description | Notes | Link |
|---|---|---|---|
| Fuzzware | Self-configuring fuzzer for ARM Cortex-M3/M4 bare metal images | Auto-models MMIO; finds real 0-days | GitHub |
| Fuzzware Pipeline | Job distribution layer for Fuzzware multi-instance parallel fuzzing | Needed for large-scale campaigns | GitHub |
| Fuzzware Emulator | AFL forkserver-based QEMU emulation component | Core fuzzing engine | GitHub |
| HAL-Fuzz | AFL-based fuzzer using HALucinator for hardware-less firmware testing | Works on ARM blob binaries | GitHub |
| SAFIREFUZZ | USENIX '23: near-native throughput fuzzer with thin binary shim | Best throughput of all rehosting fuzzers | GitHub |
| AFL++ | State-of-the-art coverage-guided fuzzer with QEMU mode | QEMU mode for bare metal emulation | GitHub |
| LibAFL | Rust fuzzing library; build custom fuzzers for embedded targets | More flexible than AFL++ for custom targets | GitHub |
| DOSS Component Tester | EU-funded IoT/embedded firmware tester for bare metal and RTOS | Supply chain security focused | DOSS Project |

Debug Interface (JTAG / SWD / UART)

| Tool | Description | Notes | Link |
|---|---|---|---|
| OpenOCD | Open On-Chip Debugger; JTAG/SWD for most ARM MCUs | Free; combine with GDB for debug | openocd.org |
| pyOCD | Python-based CMSIS-DAP/SWD debugger for ARM Cortex-M | Scriptable; great for automation | GitHub |
| Black Magic Probe | Open source JTAG/SWD debug probe with built-in GDB server | No OpenOCD needed; runs bare metal | GitHub |
| JLink / JLinkExe | SEGGER professional JTAG/SWD probe; fastest speeds | Best for production-grade targets | SEGGER |
| JTAGulator | Dedicated tool for identifying JTAG, SWD, and UART pins on PCB | Adjustable voltage; essential for PCB recon | GitHub |
| Bus Pirate | Multi-protocol tool (JTAG, SWD, I2C, SPI, UART) | Budget-friendly Swiss Army knife | dangerous-things.com |
| UrJTAG | Universal JTAG library and boundary-scan flash tool | Good for custom JTAG device support | urjtag.org |
| GDB + gdb-multiarch | GNU Debugger with ARM bare metal remote debug support | Via OpenOCD or Black Magic Probe | gnu.org |

Fault Injection & Side-Channel

| Tool | Description | Notes | Link |
|---|---|---|---|
| ChipWhisperer | The gold standard for power analysis and voltage/clock glitching | Open source; Python API | GitHub |
| ChipWhisperer Husky | Latest CW hardware with FPGA; higher sample rates for advanced attacks | Best for AES and RSA side-channel | NewAE |
| PicoEMP | Low-cost EM fault injection tool on RP2040 | ~$20 DIY EMFI tool | GitHub |
| GreatFET One | USB-connected hardware tool for fault injection and side channel | NFC, USB, and hardware RE | GitHub |
| faultier | Open-source voltage glitching framework by stacksmashing | Designed for repeatability | GitHub |
| Pico-RDP-Glitcher | RP2040-based STM32 RDP bypass glitcher | Community build; < $5 | Community |
| Riscure Inspector | Commercial SCA/FI platform; used in certification labs | Industry standard for EAL5+ | riscure.com |
| SideChannelMarvels | Academic SCA tools: Daredevil (CPA), Jlsca, Scared | Python/Julia analysis toolkits | GitHub |

Secure Boot & TEE Frameworks

| Tool | Description | Notes | Link |
|---|---|---|---|
| TamaGo | Bare metal Go framework for ARM/ARM64/RISCV64; includes GoTEE | Powers USB armory, GoKey, armory-boot | GitHub |
| TF-A (Trusted Firmware-A) | ARM reference secure world firmware for ARMv8-A | Secure boot + TrustZone reference impl | GitHub |
| OP-TEE | Open Portable TEE; most studied TEE in research | Run as target for TEE exploit research | GitHub |
| Hafnium | ARM Secure Partition Manager (SPM) reference implementation | ARMv8.4-A S-EL2 exploitation research | Trusted Firmware |
| imx-mkimage / Hab (HABv4) | NXP i.MX secure boot tooling; understand HABv4 attack surface | Research: HABv4 bypass techniques | NXP |
| wolfBoot | Minimal portable secure bootloader for bare metal MCUs | Good research/attack target | GitHub |
| OpenTitan | Open-source silicon root of trust (RISC-V based) | Reference design for secure MCU research | GitHub |

Exploit & Research Codebases

| Repository | Paper/Source | Description |
|---|---|---|
| RiS3-Lab/p2im | USENIX Security '20 | P2IM: QEMU-based peripheral modeling for scalable bare metal firmware testing |
| ucsb-seclab/hal-fuzz | USENIX Security '20 | HALucinator fuzzing component; HLE for firmware blobs |
| pr0me/SAFIREFUZZ | USENIX Security '23 | Near-native throughput ARM Cortex-M rehosting and fuzzing |
| fuzzware-fuzzer/fuzzware | USENIX Security '22 | Self-configuring fuzzer; auto-models MMIO for ARM Cortex-M3/M4 |
| fuzzware-fuzzer/fuzzware-pipeline | Fuzzware | Pipeline for multi-instance distributed Fuzzware campaigns |
| fuzzware-fuzzer/fuzzware-emulator | Fuzzware | AFL forkserver QEMU emulation backend |
| icicle-emu/fuzzware | Fuzzware | Icicle CPU emulation engine fork for Fuzzware |
| leveldown-security/SVD-Loader-Ghidra | stacksmashing | CMSIS-SVD peripheral auto-mapper for Ghidra - essential for bare metal RE |
| newaetech/chipwhisperer | NewAE | ChipWhisperer power analysis and fault injection platform |
| newaetech/picoemp | NewAE | PicoEMP: RP2040-based low-cost EMFI tool |
| infobyte/draytek-arsenal | DEF CON 32 HHV | NEW - Draytek firmware analysis and exploitation toolkit |
| lowbyteproductions/bare-metal-series | YouTube Series | NEW - STM32 Cortex-M4 bare metal firmware dev: bootloader, signed FW, security bypass |

Bare Metal Frameworks

| Repository | Language | Description |
|---|---|---|
| usbarmory/tamago | Go | Bare metal Go for ARM, ARM64, AMD64, RISCV64; TEE, secure boot, USB armory |
| TrustedFirmware-A/trusted-firmware-a | C | ARM reference TF-A; secure boot chain, TrustZone, SPM |
| OP-TEE/optee_os | C | Open Portable TEE - most studied TEE implementation in academia |
| blackmagic-debug/blackmagic | C | Black Magic Probe firmware; open source JTAG/SWD debugger |
| pyocd/pyOCD | Python | Python ARM Cortex-M debugger over SWD/JTAG; scriptable |
| avatartwo/avatar2 | Python | Multi-target orchestration framework for bare metal firmware analysis |
| wolfSSL/wolfBoot | C | Minimal portable secure bootloader for ARM MCUs |
| lowRISC/opentitan | SystemVerilog/C | NEW - Open-source silicon root of trust; RISC-V based secure MCU |

Practice & CTF Targets

| Repository | Description |
|---|---|
| ghidraninja/arm-bare-metal-1 | ARM bare metal crackme firmware binaries - designed for Ghidra RE practice |
| cpuu/arm_exploitation | ARM binary exploitation practice challenges (used in Matt Brown's series) |
| posborne/cmsis-svd | 1,000+ CMSIS-SVD peripheral definition files for RE and tooling |

OWASP Projects

| Project | Description | Link |
|---|---|---|
| OWASP BareMetal | Builds secure high-assurance bare metal environments: TEEs, TPMs, secure elements, PQC for constrained devices | owasp.org |
| OWASP FSTM | 9-stage Firmware Security Testing Methodology: acquisition → extraction → static → dynamic → emulation → exploit | GitBook |
| OWASP Embedded Application Security | Secure firmware update pipelines, BOM tracking, legacy binary detection, SBOM generation | owasp.org |
| OWASP IoT Security Testing Guide (ISTG) | Dedicated firmware test cases, attack surface enumeration, hardware interface testing | owasp.org |

Books

| Title | Author(s) | Year | Focus |
|---|---|---|---|
| The Hardware Hacking Handbook | Colin O'Flynn & Jean-Baptiste Bédrune | 2021 | Definitive modern reference: power analysis, fault injection, glitching, RE, JTAG, bare metal exploitation |
| The Hardware Hacker | Andrew "bunnie" Huang | 2017 | PCB analysis, chip-off, JTAG fundamentals, hardware RE philosophy |
| Hacking the Xbox | Andrew "bunnie" Huang | 2003 | Classic: bare metal Xbox security break - free PDF available online |
| Practical IoT Hacking | Fotios Chantzis, Ioannis Stais, et al. | 2021 | UART, JTAG, SWD, firmware extraction, wireless protocols - chapter-by-chapter practicals |
| Building Secure Firmware | Jiewen Yao & Vincent Zimmer | 2020 | UEFI, TrustZone, TPM, threat modeling, integrity measurement - firmware security architecture |
| Beyond BIOS: Developing with UEFI | Vincent Zimmer, Michael Rothman, Suresh Marisetty | 2017 | UEFI internals, platform initialization (PEI/DXE), bare metal boot exploitation research base |
| Bare-Metal Embedded C Programming | Packt | 2025 | Modern bare metal C: startup, peripherals, interrupts, RTOS - security-aware development |
| Firmware Security: Best Practices for Protecting Embedded Systems | Various | 2024 | Firmware threat modeling, secure update mechanisms, supply chain integrity |

Courses & Trainings

| Course | Provider | Level | Topics |
|---|---|---|---|
| SEC661: ARM Exploit Development | SANS | Advanced | ARM/THUMB assembly, ROP chains, heap exploitation, bare metal binary exploitation |
| Hardware Hacking Training | Black Hat | Advanced | Firmware analysis, JTAG, voltage glitching, SWD unlocking |
| ChipWhisperer Courses | NewAE / Colin O'Flynn | Beginner–Advanced | Power analysis, AES SCA, fault injection, free course materials on learn.chipwhisperer.io |
| Bare Metal Cyber Audio Courses | Bare Metal Cyber | Beginner–Intermediate | Embedded cybersecurity fundamentals, audio + video format |
| Applied Physical Attacks on ARM | Hardwear.io Training | Advanced | Physical side channel, EMFI, VFI on real ARM targets |
| Fuzz Testing Bare Metal & RTOS Firmware | Ringzer0 / BOOTSTRAP25 | Advanced | NEW - Hands-on firmware rehosting and fuzzing with Fuzzware, QEMU, and more |
| Architecture 1001 (ARM) | OpenSecurityTraining2 | Intermediate | Deep-dive ARM architecture and binary analysis |
| Bare Metal STM32 Series | Low Byte Productions (YouTube) | Beginner–Intermediate | NEW - End-to-end Cortex-M4 firmware dev: bootloader, signed updates, security bypass |

CTF Challenges & Practice

| Resource | Description | Link |
|---|---|---|
| arm-bare-metal-1 | ARM bare metal crackme binaries by stacksmashing - use with Ghidra + SVD-Loader | GitHub |
| arm_exploitation | ARM buffer overflow / ROP chain practice challenges | GitHub |
| DEF CON CTF Archive | Archive of all DEF CON CTF challenges including embedded/RE categories | archive.ooo |
| Microcorruption | Online CTF emulating MSP430 bare metal firmware - designed for beginners | microcorruption.com |
| Flare-On | Mandiant annual RE CTF with embedded/bare metal challenges | flare-on.com |
| 247CTF | Always-on CTF with RE and binary exploitation challenges | 247ctf.com |
| pwn.college | Free online binary exploitation training with ARM modules | pwn.college |
| OpenSecurityTraining2 | Free deep-dive courses: Architecture 1001 (ARM), Malware RE | ost2.fyi |
| DEF CON HHV Badge Challenges | Annual hardware hacking village badge - PCB RE, firmware extraction, crypto | dchhv.org |

Podcasts & Media

NEW SECTION - Podcasts covering hardware hacking, embedded security, and firmware research.

| Podcast | Focus | Link |
|---|---|---|
| Darknet Diaries | True stories of hacking and cybercrime, occasional hardware/firmware episodes | darknetdiaries.com |
| Hacked | Deep dives into hacking stories - has covered BLE chip backdoors, embedded exploits | Podcast |
| IoT Security Podcast | Dedicated IoT/embedded security featuring researchers like RECESSIM | Various platforms |
| Risky Business | News and commentary from security luminaries; covers firmware/hardware research | risky.biz |
| The Amp Hour | Electronics and embedded engineering - hardware design and security crossover | theamphour.com |
| Embedded.fm | Embedded systems engineering podcast - bare metal development, RTOS, security | embedded.fm |
| Hacker Public Radio | Community-driven; episodes on hardware hacking, Linux, RE | hackerpublicradio.org |

Communities & Forums

NEW SECTION - Where to connect with bare metal security researchers and hardware hackers.

| Community | Platform | Focus | Link |
|---|---|---|---|
| r/hardwarehacking | Reddit | Hardware hacking, JTAG/UART, firmware extraction, glitching | Reddit |
| r/ReverseEngineering | Reddit | Binary RE, firmware analysis, tooling discussions | Reddit |
| ChipWhisperer Chat | Discord | Embedded security, SCA, fault injection - official NewAE community | Discord |
| Joe Grand's Server | Discord | Hardware hacking, PCB RE, Joe Grand's research | Discord |
| DEF CON HHV | In-person + Online | Hardware Hacking Village - soldering, firmware, badge hacking | dchhv.org |
| DEF CON IoT Village | In-person + Online | IoT exploitation, bug bounties, live device hacking | iotvillage.org |
| Embedded Security CTF Community | Various | CTF teams focused on embedded/bare metal challenges | Multiple platforms |
| Binary Ninja Slack/Discord | Slack/Discord | RE tooling, plugin development, firmware analysis | binary.ninja |
| Ghidra GitHub Discussions | GitHub | Ghidra scripting, bare metal loader development, SVD integration | GitHub |