Fuzzing and Attacking Custom Embedded Systems

Tobias Scharnowski, Marius Muench
Virtual Training | August 19-25 | 32 hours


Fuzzing And Attacking Custom Embedded Systems

Tobias Scharnowski, Marius Muench

Book Now
❗️This training is scheduled for August.
Lectures on August 19, 20, 21, 22, 23, 24. Please check the detailed schedule for your time zone.

This training teaches how to analyze, fuzz test, and exploit deeply embedded devices that use custom embedded operating systems. We will take a deep dive into the inner workings of Arm Firmware, teach reverse engineering essentials with Ghidra, and will have plenty of hands-on exercises to teach proficiency with Unicorn, AFL++, and Fuzzware.


Deeply embedded systems play a crucial role in the ever-growing Internet of Things and typically offer a lucrative attack surface with over-the-air interfaces, hardcoded secrets, and missing security protections.

During the training, we will understand the inner workings of a typical embedded system, and re-discover memory corruption vulnerabilities in a real-world, non-linux embedded operating system by combining reverse engineering, emulation and fuzzing. We will then develop proof-of-concept exploits using the discovered vulnerabilities to demonstrate how an attacker could compromise the target system.

The full training is accompanied with various practical hands-on exercises and tinkering with a physical embedded training platform created for this training. After the training, we expect participants to feel comfortable to independently analyze deeply embedded systems of their choice.


- Security Researchers
- Firmware Developers
- Curious Minds


  • The inner workings of deeply embedded firmware
  • Fundamentals of firmware reverse engineering
  • Harnessing parsers for fuzzing
  • Fuzzing via full-system firmware rehosting
  • Overcoming typical fuzzing roadblocks
  • Triaging found crashes
  • Exploitation strategies for Arm Cortex-M systems



Day 1: Obtaining and Analyzing Firmware

  • Introduction to embedded systems and firmware
  • Hardware reconnaissance
  • Firmware extraction
  • Arm Thumb-v2 disassembly
  • Firmware reversing engineering with Ghidra

Day 2: Emulation and Harnessing

  • Introduction to emulation
  • Parser harnessing with unicornAFL
  • Hooking functions and emulating peripherals
  • Firmware Fuzzing with AFL++

Day 3: Full-system fuzzing via Rehosting

  • Introduction to rehosting
  • Full-system fuzzing with Fuzzware
  • Overcoming emulation roadblocks
  • Advanced rehosting for interrupts and DMA
  • Triaging and understanding crashes

Day 4: Exploitation

  • Introduction to Cortex-M exploitation
  • Arm Shellcoding
  • Building and debugging exploits
  • Return-Oriented Programming for firmware
  • Advanced topics and training recap

Note that this is a highly practical training. Besides the introductory and recap sessions which discuss key concepts, all sessions are accompanied with hands-on exercises.


  • Basic knowledge in Python
  • Being comfortable with using command-line tools
  • Some background in C is a plus
  • Previous experience with firmware analysis, reverse engineering, or fuzzing is not required



Students should bring their own laptop with:

  • At least 8GB of RAM
  • At least 50 GB of available disk space
  • Access to the internet (including github)
  • One free and usable USB port
  • NATIVE Linux OS (Ubuntu 22.04 or above)

❗️While it may be possible to use a different base OS or a Linux VM, some of the hardware has not been tested with other combinations. We will not be able to troubleshoot beyond a base Linux OS install.


  • Visual Studio Code
  • Docker
  • Ghidra

Students will be provided with a detailed setup guide before the training.


Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains. This included an exploit of the core DNP3 implementation, the protocol that powers the US electric grid.


Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.

https://github.com/FirmWire/FirmWire & https://github.com/avatartwo/avatar2

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.

Virtual Training Schedule

August 19 Monday Live Lecture (4h)
August 20 Tuesday Live Lecture (4h)
August 21 Wednesday Bonus Content Day (4h)
August 22 Thursday Live Lecture (4h)
August 23 Friday Live Lecture (4h)
August 24 Saturday Wrap up (2h)

4h Session Timings

8 am - 12 pm US Pacific Time
11 am - 3 pm US Eastern Time
4 pm - 8 pm UK BST
5 pm - 9 pm Europe CEST

2h Session Timings

8 am - 10 am US Pacific Time
11 am - 1 pm US Eastern Time
4 pm - 6 pm UK BST
5 pm - 7 pm Europe CEST

Labs and Discord Channel

24 x 7 throughout the class, and beyond!