Blog post 2 #3
After disassembling and characterizing the electronic board, the auditor now holds a treasure map: identified components, mapped interfaces, initial hypotheses. But this map is only a promise. To truly understand how the device works, a deep analysis of the system is required. This is where the interaction between hardware and software is revealed, the full attack surface is mapped, and the search for exploitable vulnerabilities begins.
Extracting the Firmware: The Auditor's Holy Grail
Firmware is the soul of a connected device: the code orchestrating every action. Obtaining a copy of this embedded software means holding the key to its logic and secrets. There are several ways to extract it. Debug interfaces like JTAG or SWD, when available, offer a direct entry point. If they’re disabled, it’s still possible to read external memory (SPI Flash, I2C, etc.) using dedicated clips, or by desoldering the chip for direct reading.
Other options include exploring the serial port (UART), which may reveal useful information during boot, or analyzing the update mechanism to intercept downloaded firmware files. In some cases, the firmware may even be publicly available on the manufacturer’s website or provided on removable media with the device.
Having access to this precious binary opens the door to deeper security analysis: searching for plaintext passwords, cryptographic secrets, vulnerable algorithms, or identifying a flaw that could compromise not just the analyzed device, but potentially an entire product line.
Binary Reverse Engineering: Exposing the Software
Once the firmware is obtained, reverse engineering begins. This involves disassembling or decompiling the code. Key tools include:
Binwalk to extract file systems
Ghidra, IDA Pro, or Radare2 to dig into the software internals
The auditor first identifies the target architecture (ARM, MIPS, RISC-V, etc.), then scrutinizes the code for critical functions, suspicious segments, or common vulnerabilities like buffer overflows.
When possible, this phase continues with dynamic analysis: running the firmware in an emulator (e.g., QEMU, or frameworks like Firmadyne or FirmAE) or on the actual board via a JTAG-connected debugger. This allows for observation of the device’s behavior under forced interactions — sometimes exposing backdoors that would otherwise remain hidden.
It’s a time-consuming and demanding step, and sometimes opportunistic: attackers entering this phase know they’re signing up for weeks of work, with no guarantee of finding the long-sought vulnerability.
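As an added illustration (not code from this post or from any tool named in it), the sketch below shows the kind of first-pass triage that Binwalk automates on an extracted image: locating known magic bytes and measuring per-block entropy to flag regions that are likely compressed or encrypted. The sample image, its contents and all function names are constructed for the example.

```python
import math
import random
from collections import Counter

# Well-known magic values found at the start of common firmware containers.
SIGNATURES = {
    b"hsqs": "SquashFS filesystem (little endian)",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\x27\x05\x19\x56": "U-Boot legacy uImage header",
    b"\x7fELF": "ELF executable",
}

def scan_signatures(image: bytes):
    """Return sorted (offset, description) pairs for every magic value found."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_regions(image: bytes, block_size=1024, threshold=7.5):
    """Offsets of blocks whose entropy suggests compression or encryption."""
    return [off for off in range(0, len(image), block_size)
            if shannon_entropy(image[off:off + block_size]) >= threshold]

def build_sample_image() -> bytes:
    """Constructed 4 KiB image: header block, plaintext block, random blob."""
    rng = random.Random(2024)                        # fixed seed, repeatable sample
    header = b"\x27\x05\x19\x56" + b"\x00" * 1020    # uImage magic plus zero padding
    config = b"admin_user=demo\n" * 64               # constructed plaintext settings
    blob = bytes(rng.randrange(256) for _ in range(2048))  # stands in for encrypted data
    return header + config + blob

if __name__ == "__main__":
    image = build_sample_image()
    for offset, desc in scan_signatures(image):
        print(f"0x{offset:06x}  {desc}")
    print("high-entropy blocks at:", [hex(o) for o in high_entropy_regions(image)])
```

A long run of blocks near 8 bits per byte with no recognizable signature in front of it is the usual sign of the encrypted firmware mentioned among the obstacles below.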
Protocol Analysis: Listening to Secret Conversations
In parallel, the auditor focuses on communication — either between components or between the device and its external environment. Here, a trained ear is replaced by electronic instruments: logic analyzers, Bus Pirate, Hydrabus, HardSploit, or Wireshark for network traffic.
The goal is to uncover what data is being transmitted: sensitive data left in plaintext, poorly obfuscated information, or secrets protected by weak or outdated encryption. Ideally, this approach is combined with firmware emulation: running the device virtually allows for easier interface testing and attack simulation, while observing the effects in real time.
Obstacles Along the Way
This stage is far from smooth sailing. Many hurdles await: encrypted or obfuscated firmware, anti-debug protections, obscure or poorly documented architectures, hardware dependencies that make emulation inaccurate, and — above all — the growing complexity of modern embedded systems.
Each of these barriers is designed to slow down attackers and secure the system.
Hardsploit NG: A Key Ally in the Analysis
This is where Hardsploit NG proves its full potential. Designed to assist auditors throughout the process, it offers:
Modules to facilitate firmware extraction by managing multiple memory communication protocols and automating interface detection
Integrations with reverse engineering frameworks to speed up disassembly and file system extraction
Built-in features for listening to and injecting data into communication protocols directly from the Hardsploit NG platform — avoiding the need for multiple, disparate tools
The result? The auditor saves precious time. Where manual handling is prone to error and delay, Hardsploit NG allows focus to remain on what really matters: understanding, analyzing, and discovering potential vulnerabilities.
What's next?
With software and protocol analysis complete, the device slowly reveals its secrets. But the story doesn’t end here. In the next article, we’ll dive into the practical exploitation of vulnerabilities: how to turn discoveries into real-world attacks, test their actual impact, and ultimately finalize the process with a comprehensive report.
Stay with us — the behind-the-scenes of hardware pentesting still has plenty of secrets to uncover.