list of IoT/embedded OS firmware tools

I mostly focus on Platform Firmware, UEFI, ACPI, etc. I usually don’t focus too much on IoT/embedded OS firmware, even though I blog about them. But there are a lot of tools for the latter, and I’ve not yet added a section for them in Awesome Firmware Security[1]. And I have 2 friends who need such a list. Below is a first pass at searching old blog posts for tools. I will refine it and add it to Awesome Firmware Security later. Please leave a comment to point out any other major tools of this category that I’ve missed. Hmm, it looks like the domain is no longer valid.


Firmware security is a main feature of new HP printers

Excerpting their press release:

HP Announces World’s Most Secure Printers: New HP LaserJets include built-in self-healing security features with protection down to the BIOS

HP today announced three new enterprise class LaserJet printers that deliver increased protection against malicious attacks. The stronger security is part of a broader HP strategy to provide the deepest security across PCs and printers. Printer security is a topic of growing importance. According to the Ponemon Institute, 64 percent of IT managers believe their printers are likely infected with malware. At the same time, 56 percent of enterprise companies ignore printers in their endpoint security strategy.(1) To help address this gap, HP is delivering its new HP LaserJet Enterprise printers and multi-function printers (MFPs) with industry-leading security features(2) built in, including:

* HP Sure Start enables detection of and self-healing recovery from malicious BIOS attacks, extending the same BIOS security protecting HP’s Elite line of PCs since 2013 to the new HP LaserJet Enterprise printers.
* Whitelisting ensures only known, good firmware can be loaded and executed on a printer.
* Run-time Intrusion Detection is a new feature providing in-device memory monitoring for malicious attacks. It was developed in partnership with Red Balloon Security, an embedded device security company started by researchers from Columbia University. The company has done extensive research for several government agencies, as well as private sector companies in industries such as telecommunications and controller systems.

These new features will be standard on new HP LaserJet Enterprise printers and OfficeJet Enterprise X printers with HP PageWide Technology going forward. With a firmware update, these three features can also be enabled on several HP LaserJet Enterprise printers available since April. In addition, Whitelisting and Run-time Intrusion Detection can be added to many existing HP LaserJet Enterprise printers and OfficeJet Enterprise X printers launched since 2011 through an HP FutureSmart service pack update. FutureSmart is HP firmware that helps protect customers’ investments in HP Enterprise printers by enabling delivery of new capabilities via updates.

It would be nice to see firmware security as a major feature of all new devices! 🙂

Full announcement:

HP printer firmware information page:

AMI MegaRAC gets DMTF Redfish support

This week at Intel Developer Forum (IDF), AMI showcased their MegaRAC manageability solutions. MegaRAC is AMI’s Remote Management Firmware family of products for both in-band and out-of-band management, including support for IPMI, Intel AMT, and AMD systems with DMTF DASH. Amongst the new features of MegaRAC SP-X are DMTF Redfish support and Intel(R) Innovation Engine support.

I don’t know much about what Intel’s new “Innovation Engine” is yet, so I’ll excerpt one paragraph from the AMI press release:

“The Innovation Engine is a small, embedded, Intel-architecture processor and I/O subsystem built into future Intel data center platforms,” said Lisa Spelman, General Manager of Data Center Marketing at Intel. “Firmware such as MegaRAC PM-X running on the IE can improve or differentiate the system-builders’ platforms in a wide range of ways, including manageability, cost reduction or security.”

Maybe this means that AMI is the second vendor to support Redfish, after HP?

Read AMI’s full press release here:

Firmware patents….

SPOILER ALERT: This post discusses patents. If you’re an employee at a company, ask your manager if you’re able to read this sort of information…..

I wonder how bad it’s going to get with firmware patents… Searching the patent databases, I find THOUSANDS with ‘firmware’, HUNDREDS with ‘UEFI’, and dozens with ‘coreboot’, and many for ACPI. For example, it appears that Microsoft has patented the ability to securely update firmware:

Microsoft: Secure Firmware Updates
US 20140068585 A1, CN 104603792 A, US 8898654 B2

This is just one example; all of the big OEMs, IHVs, and ISA vendors have patents left and right in this space. 😦

Are vendors able to build UEFI — or even coreboot — systems without lawyers from some of the big companies knocking on their door asking for royalties? Where is the firmware equivalent of the “Open Invention Network”, to help smaller vendors even use basic firmware functionality without lawyers looking to monetize everything? I wonder if the Maker movement or Open Hardware or Free Hardware is going to be able to survive this.

Intel ATR on firmware security threats

Jim Walter, Director of Advanced Threat Research for Intel Security, with contributions from Yuriy Bulygin and John Loucaides, wrote a blog for Dark Reading that summarizes some recent firmware attacks.

Vulnerable From Below: Attacking Hypervisors Using Firmware And Hardware
Malicious attacks with firmware privileges can compromise an entire system, so it is especially important to apply measures to reduce the risks.

Read the full article here:

Firmware at Intel Developer Forum

IDF, Intel’s Developer Forum, is happening shortly, August 18-20 (or so). It appears Brian and Vincent of Intel UEFI will be speaking, at least:

Vendors usually announce/release new things at their annual conferences, so I’m looking forward to seeing what Intel does… With 201 sessions and only a 2-minute glance at the schedule, here’s a teaser (but not all) of the more interesting presentations I noticed:

STTS001 — Firmware in the Data Center: Building a Modern Deployment Framework Using Unified Extensible Firmware Interface (UEFI) and Redfish REST APIs
STTS002 — Building a Firmware Component Ecosystem with the Intel® Firmware Engine
ACAS002 — Defense Against the Dark Arts – Introduction to Malware Research
STTS003 — Developing Best-in-Class Security Principles with Open Source Firmware
DCWC005 — Tech Chat: Trusted Networks in the Cloud – Attestation of Network Elements for Secure Cloud
ISGC003 — Tech Chat: A Primer on Intel® Software Guard Extensions (Intel® SGX)
SFTC003 — Tech Chat: Securing the Internet of Things with Intel® Micro Runtime (Intel® MRT)
ARCS003 — Intel® Architecture Code Name Skylake Deep Dive: Hardware-Based Security for Windows® 10
SPCS012 — Zoom-in on Your Code with Intel® Processor Trace and Supporting Tools
ISGC001 — Tech Chat: Intel® Security Controller – The Platform to Automate Your Security Application for Software-Defined Infrastructure
MAKE003 — Hands-on Maker Lab: Bring Up a MinnowBoard, the Intel® Atom™ Processor Based Open Hardware Platform
STTC003 — Tech Chat: Using Intel® Firmware Engine to Generate Simulated Platforms for Wind River Simics*
DCWC007 — Tech Chat: Differentiating Your Data Center Platforms in Firmware
SPCC002 — Tech Chat: A Wireless Smartphone-Based Pulmonary Function Analyzer
HSTS004 — Thunderbolt™ 3 Technology and USB-C*
INFS009 — Trusted Containers and VMs in Cloud Environments
ISGS004 — Biometric Authentication in Trusted Execution Environments
RPCS009 — Developer Training on Intel® Active Management Technology
SSDS004 — The Future of Storage Security

new Android firmware research at DFRWS next week

DFRWS USA 2016, the Digital Forensics Research Conference USA 2015, is happening next week in Philadelphia, PA, USA. [DFRWS is the acronym, so I’m guessing it was a WorkShop before it was a Conference?] DFRWS is held in cooperation with the ACM’s SIG on Security, Audit and Control (SIGSAC). Next week, there are a lot of interesting forensic and RE talks happening, but from a quick look at the schedule I only see one firmware-related one:

“New acquisition method based on firmware update protocols for Android smartphones”
Seung Jei Yang, Jung Ho Choi, Ki Bom Kim, and Tae Joo Chang

Also, if you search the archives, you’ll find a handful of firmware-related talks (not many). DFRWS EU 2016 will be held from March 29 to April 1, 2016 in Lausanne, Switzerland.

DHS announces firmware security grant to Intelligent Automation

Yesterday the DHS announced a contract with Intelligent Automation to work on methods to safeguard firmware and other code in mobile devices. DHS press release excerpt:

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) today announced a $1.2 million cybersecurity Mobile Technology Security (MTS) research and development (R&D) award that will help secure mobile devices for the federal government. The Broad Agency Announcement HSHQDC-14-R-B0015, issued by the S&T Cyber Security Division, awarded the contract to Intelligent Automation, Inc. (IAI) of Rockville, Md. to work on mobile security research in device layer protection. “Ensuring that mobile devices used across the public and private sector are secure is a priority for S&T,” said DHS Under Secretary for Science and Technology Dr. Reginald Brothers. “This project will provide an innovative solution for protecting mobile devices from malicious activity.” The MTS award is a part of the Mobile Device Security (MDS) R&D project which aims to accelerate the adoption of secure mobility by government and private sector organizations. The MDS project is developing R&D technologies in mobile device instrumentation, transactional security methods, mobile security management tools and mobile device layer protection. The mobile device layer protection project will evaluate innovative approaches to protect mobile-device layers – such as firmware, operating system, applications and identity – against infections by malicious applications. IAI will implement a software security solution called TRUsted Monitor and Protection for the multicore Advanced RISC Machines (ARM) platform in an effort to severely impact an attacker’s ability to operate in existing and future mobile devices.

new firmware tool: angr

A new firmware security tool called ‘angr’ was announced at Black Hat Briefings this week:

Angr is a platform-agnostic concolic binary analysis platform developed by the Seclab at the University of California Santa Barbara and their associated CTF team, Shellphish. angr is a multi-architecture binary analysis platform, with the capability to perform dynamic symbolic execution (like Mayhem, KLEE, etc) and various static analyses on binaries. Several challenges must be overcome to do this, and angr has components that meet all of these challenges:
 * Loading a binary into the analysis program.
 * Translating a binary into an intermediate representation (IR).
 * Translating that IR into a semantic representation (i.e., what it does, not just what it is).
 * Performing the actual analysis. This could be:
     + A full-program static analysis (i.e., type inference, program slicing).
     + A symbolic exploration of the program’s state space (i.e., “Can we execute it until we find an overflow?”).
     + Some combination of the above (i.e., “Let’s execute only program slices that lead to a memory write, to find an overflow.”)

The talk:

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Chris Kruegel, Chief Scientist, Lastline
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common ­– they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.

tool mini-review: radare2

[If you’re already familiar with radare2, and it’s firmware — and EBC — abilities, then skip this blog.]

In 2014, Anton Kochkov gave an interesting talk: “Reversing firmware using radare2”. The scope of ‘firmware’ used in the presentation covers a wide range, from UEFI and BIOS to peripherals. Actually, the talk isn’t that interesting for information on radare, since most of the fun stuff was in the demos, not shown in the slides. IMO, the most interesting parts are the first half of the slides, before radare is introduced, where the speaker gives a good overview of some known silicon and firmware attacks. The last few slides mention a few other firmware security tools besides radare: UEFI Tool, BIOS Extract, FlashROM, Bus Pirate, and a few QEMU-based emulators. The presentation has MANY pointers to more information; I’ve queued up about a dozen things to read as a result of reading this. 😦

Radare is an open source reverse engineering tool with GUI and command line interfaces. It is a peer of IDA; disassembling code is its main focus.

It supports many architectures: 6502, 8051, CRIS, H8/300, LH5801, T8200, arc, arm, avr, bf, blackfin, csr, dalvik, dcpu16, gameboy, i386, i4004, i8080, m68k, malbolge, mips, msil, nios II, powerpc, rar, sh, snes, sparc, tms320 (c54x c55x c55+), V810, x86-64, and zimg. It supports many file formats: bios, dex, elf, elf64, filesystem, java, fatmach0, mach0, mach0-64, MZ, PE, PE+, TE, COFF, plan9, dyldcache, Gameboy and Nintendo DS ROMs. It supports many operating systems: Android, GNU/Linux, [Net|Free|Open]BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, and FirefoxOS. It has multiple language bindings: Vala/Genie, Python (2, 3), NodeJS, LUA, Go, Perl, Guile, php5, newlisp, Ruby, Java, and OCAML.

Radare’s GUIs aside, the r2 command line UI offers nice use of colors and graphics to correlate assembly language features, somewhat like how Scapy does with network packets.

Radare definitely looks like a useful tool for firmware researchers. A Google Search for radare and firmware results in lots of existing research and tutorials. Apparently, I’m the last person to learn about radare. 😦

Best yet: radare supports EFI Bytecode (EBC)!! They added EBC support starting about 2 years ago. Search for TARGET_EBC in the code. They don’t list EBC in their architecture list (above), so I’ve yet to see how well it works.

Note also in above list, they support TE executable images, and some level of “BIOS” support (yet to determine what that means).

[I was about to write a paragraph about how UEFI Forum should sponsor EBC support in LLVM, so that radare can benefit from LLVM’s intermediate representation, as well as providing an alternative compiler to the single EBC-targeting compiler, the COMMERCIAL-ONLY Intel C Compiler. But since radare already manually added EBC support to their tool, the need for LLVM as a target is no longer as important; UEFI Forum could target either GCC or LLVM, since radare has dealt with EBC themselves. We still need an alternative, non-commercial, open source EBC-targeting C compiler, though!]

[[UPDATE: The above paragraph is wrong, w/r/t radare and LLVM: Capstone is the RE tool that uses LLVM intermediate language, not radare, sorry. ]]

More Information:

h2hc2014-reversing-firmware-radare-slides.pdf

Hacking Team had other bootkits

Vlad Tsyrklevich wrote an excellent article on the 0-day market by analyzing the Wikileak’ed Hacking Team emails:

Most have already read about the UEFI malware that it used, including this Intel ATR analysis:

Beyond this UEFI malware, Vlad’s analysis of the Wikileaks email revealed at least 2 other firmware exploits that Hacking Team appeared to have been using:

08/19/13, ASUS BIOS device driver LPE, Firefox RCE added

02/24/14, “Apple iOS Remote Forced Access-Point Association”/“Apple iOS Remote Forced Firmware Update Avoidance” no longer available, OpenPAM (used on BSDs) LPE added

See Vlad’s blog for pointers to other email articles on these two entries.

I wish there was a list of former 0-days, at least the firmware subset… I also wish there was a safe place to download the “” and “Z5WE1X64.fd” files listed in the Intel ATR blog.

Matthew Garrett hardware talk at OSCON

As reported by Seth on the Cypherpunks list, Matthew Garrett of CoreOS gave a talk earlier today at OSCON on open hardware design, with a security background. OSCON is The O’Reilly Open Source Convention, probably the largest open source convention in North America. The slides are online, no audio/video yet, AFAICT. (I hope OSCON doesn’t continue to charge for access to post-conference video…)

Building a trustworthy computer
Matthew Garrett (CoreOS)
11:10am–11:50am Friday, 07/24/2015

The Snowden revelations demonstrated the lengths that government agencies were willing and able to go to in order to subvert computers. But these attacks aren’t limited to state-level actors – security researchers continue to demonstrate new vulnerabilities and weaknesses that would permit sophisticated criminals to achieve the same goals.

In the face of these advanced attacks, what can we do to detect and mitigate them? How can we make use of existing security features, and what changes can we make to system design? In short, how can we ensure that a user can trust that their computer is acting in their interests rather than somebody else’s?

This presentation will cover some of the existing security features and recent design changes in systems that can make it easier to detect attacks, and provide mechanisms for defending against them in the first place, along with simple design changes that would make it easier for users to ensure that components haven’t been backdoored. In addition it will discuss some of the remaining challenges that don’t have solid answers as yet. Topics covered will include:

* Firmware security
* Trusted platform modules, attestation, and associated privacy risks
* Hardware design to support offline verification
* Remaining components that could act against the interests of the hardware owner

Matthew Garrett is a security developer at CoreOS, specializing in the areas where software starts knowing a little more about hardware than you’d like. He implemented much of Linux’s support for UEFI Secure Boot, does things with TPMs and has found more bugs in system firmware than he’s entirely comfortable with.

Firmware Twitter feeds, v0.3

2015-08-14 UPDATE: see also this EXCELLENT list:

The below list is outdated, I’ll make a newer one soon…..

Firmware-related Twitter feeds, v0.3

Change from last release: added about half a dozen security researchers, with help from one of them (thanks!).

BIOS/UEFI security researchers:



Other chips:


TODO: AMD, ARM, other chip makers, OEMs, IHVs, IBVs, other UEFI Forum members…
TODO: Learn WordPress, store link resources on page not as blog entries.

NIST SCAP CVE-2014-4768: IBM UEFI vulnerability

[I posted this blog entry a few hours ago, then immediately deleted it, after noticing that that CVE was listed as 2014, not 2015, and thought my search was invalid. But I just re-checked, and the CVE is dated yesterday, 2015-06-28. So I was wrong to delete the post.]

There’s a new NIST SCAP CVE for IBM UEFI on some systems, involving remote attackers. An excerpt of the data is listed below; see the URLs below for the full release, in case you have one of these IBM systems.

Vulnerability Summary for CVE-2014-4768
Original release date: 06/28/2015
Last revised: 06/29/2015

“IBM UEFI on Flex System x880 X6, System x3850 X6, and System x3950 X6 devices allows remote authenticated users to cause an unspecified temporary denial of service by using privileged access to enable a legacy boot mode.”

More Information:

PS: Related to firmware and SCAP, but unrelated to this specific CVE: AFAICT, nobody has SCAP OVAL definitions for UEFI, and no SCAP tools look for UEFI issues. Once SCAP has UEFI OVAL definitions, apps like CHIPSEC and Copernicus can start issuing SCAP reports with this metadata, so firmware bugs can be found with SCAP security tools instead of full-text-search luck. So AFAICT there is no way to use SCAP to properly look for firmware issues, only full-text search and hope that “UEFI” or “BIOS” or “firmware” are included. I wish the vendors and trade groups who maintain firmware code (Intel, ARM, UEFI Forum, OpenPOWER, etc.) would also maintain their SCAP metadata, to help keep enterprises more secure. The ecosystem needs more help looking for hardware- and firmware-level bugs; it already knows how to look for kernelspace and userland bugs.

Learning OpenPOWER firmware

A few days ago, I blogged about AMI joining OpenPOWER. Recently, there’s been some other activity in OpenPOWER.

IBM just announced SuperVessel, an OpenPOWER-based cloud for developers:

It appears the source code to the OpenPOWER firmware was released about a year ago. Luckily, some others have been blogging on OpenPOWER firmware already:

I’m just learning about the OpenPOWER community. It’s been years since I’ve written PowerPC assembly, and that was OS-level stuff, so I am not aware of current OpenPOWER firmware technology. I probably won’t have a lot of time to post blog entries next week, but I’ll have some more on OpenPOWER firmware in future blog posts.

AMI (American Megatrends, Inc.), one of the original PC BIOS vendors, just joined the OpenPOWER Foundation. AMI’s “MegaRAC SP-X for POWER8” product was launched in support of TYAN’s first non-IBM branded OpenPOWER commercial server, which they’re demoing at COMPUTEX TAIPEI this week. MegaRAC SP-X for POWER8 includes server firmware technology. Excerpts from their PR:

“AMI joins a growing roster of technology organizations working collaboratively to build advanced server, networking, storage and acceleration technology as well as industry-leading open source software aimed at delivering more choice, control and flexibility to developers of next-generation, hyperscale and cloud data centers. The group makes POWER hardware and software available to open development for the first time, as well as making POWER intellectual property licensable to others, greatly expanding the ecosystem of innovators on the platform. AMI has been working with IBM and other OpenPOWER Foundation members like Tyan to develop enterprise server and networking solutions for next-generation data centers that integrate IBM POWER CPUs and AMI MegaRAC(R) Remote Management Firmware / Software Solutions.”

“MegaRAC(R) SP-X for POWER8 is a powerful development framework for server management solutions composed of firmware and software components, based on industry standards like IPMI 2.0, SMASH, Serial over LAN (SOL) and key serviceability features like remote presence, CIM profiles and advanced automation. MegaRAC SP-X features a high level of modularity, with the ability to easily configure and build the firmware image by selecting features using an intuitive graphical development tool chain. These features are available in independently maintained packages, for superior manageability of the firmware stack.”

More Information:

qboot, new x86 firmware for qemu

Last week, Paolo Bonzini of Red Hat announced qboot, a new x86 firmware option for QEMU. qboot is a minimal x86 firmware that runs on QEMU and, together with a slimmed-down QEMU configuration, boots a virtual machine in 40 milliseconds on an Ivy Bridge Core i7 processor. The code is 8KB in size.

More information:

ARM Trusted Firmware

Starting around 2013, ARM started to release “ARM Trusted Firmware” as a BSD-licensed, GitHub-hosted open source project. ARM Trusted Firmware is the trusted execution environment that runs behind the scenes of the OS on AArch64 platforms. It works in conjunction with UEFI, including Secure Boot.

In upcoming blog posts, I’ll be writing some articles with more details about this project. For now, I’ll suggest reading their Firmware Design Guide and watching the YouTube-hosted Linaro intro video below.

More Information: