BootPWN: Breaking Secure Boot by Experience


Cristofaro Mune and Niek Timmers

Extended Edition

Cristofaro and Niek tell you what BootPWN is about, in their own words.


Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of embedded devices. Recent attacks on Secure Boot, implemented by a wide variety of devices such as video game consoles and mobile phones, are a clear indicator that Secure Boot vulnerabilities are widespread.

The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

All vulnerabilities are identified and exploited on our custom emulated attack platform, implementing a Secure Boot for ARM 64-bit CPUs, which also encompasses TrustZone components (e.g. BL31/Monitor code).

You will take on different roles, as an attacker that’s able to:

  • open the device and make physical modifications
  • communicate with the internal and external interface
  • program the external flash of the device
  • perform hardware attacks like fault injection

You will be guided towards an unexpected range of Secure Boot-specific attack vectors and vulnerabilities, which may be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.


The BootPwn experience take your on a journey of 4 days of 4 hours during which we will give several lectures covering fundamental topics. Nonetheless, the emphasis will be on the exciting hands-on exercises for which you will get a personal cloud-based Virtual Machine (VM) that can be accessed using modern browser.


  • Fundamentals
    • Embedded devices
    • Verification
    • Decryption
  • Secure Boot
    • Attack surface
    • Real-world attacks
  • Identifying Secure Boot vulnerabilities
    • Design information
    • Flash dumps
    • Source code
    • Binary code
  • Exploiting Secure Boot vulnerabilities
    • Insecure designs
    • Vulnerable software
    • Weak cryptography
    • Incorrect cryptography
    • Configuration issues
    • Incorrect checks
    • Insecure parsing
    • Vulnerable hardware
    • Fault injection

Key learning objectives

  • Gain a thorough understanding of Secure Boot as implemented on modern devices
  • Identify vulnerabilities across the Secure Boot attack surface
  • Gain hands-on experience with exploiting Secure Boot specific vulnerabilities

Intended audience

The BootPwn experience is intended for:

  • Security Analysts and Researchers, interested in breaking Secure Boot on secure devices
  • Security enthusiasts with an interest in embedded device security
  • Software Security Developers/Architects interested in an acquiring an offensive perspective

Student prerequisites

The attendees of the BootPwn experience are expected to have:

  • Experience with Python/C programming
  • Experience with the ARM architecture (AArch64)
  • Understanding of typical software vulnerabilities
  • Familiarity with reverse engineering (AArch64)
  • Familiarity with common cryptography (RSA, AES and SHA)

Don’t worry if you don’t meet all of the above expectations. Less-experienced attendees can rely on our hints and solutions, whereas more-experienced attendees will not.

System requirements

The attendees of the BootPwn experience are expected to have:

  • Any modern computer system with sufficient memory
  • We advise to install and use the Chrome browser
  • A stable Internet connection with sufficient bandwidth

Student deliverables

During the BootPwn experience you will get access to:

  • a personal cloud-based virtual machine with all the required tooling installed
  • access to the exercise modules and instructions