3-DAY TRAINING 1: The ARM IoT Laboratory


CAPACITY: 20 pax


EUR2599 (early bird)

EUR3199 (normal)

Early bird registration rate ends on the 31st of January


The world of ARM IoT devices is growing rapidly. Routers, IP cameras, Network video recorders, VoIP systems and several other “smart” appliances are now running on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.

The ARM IoT Firmware Laboratory is a brand new class, beginning where the ARM IoT Exploit Laboratory left off. This class takes a closer look at the hardware and the firmware running on it. Students shall learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and writing end to end exploits for the devices. The class shall feature an array of hardware targets of varying complexity. Students shall have ample time for hands on exercises to sharpen their exploitation skills.


– Hardware level firmware extraction from IoT devices
– ARM-X: A new firmware emulation framework for accurate emulation of IoT devices, including nvram. https://armx.exploitlab.net/
– New hardware targets: Network video recorders, multiple IP cameras, multiple routers, and perhaps more.

Who Should Attend

– Past Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform.
– Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
– Red Team members, who want to pen-test custom binaries and exploit custom built applications.
– Bug Hunters, who want to write exploits for all the crashes they find.
– Members of military or government cyberwarfare units.
– Members of reverse engineering research teams.
– People frustrated at software to the point they want to break it!

Key Learning Objectives

* A quick introduction to ARM architecture and assembly.
* An introduction to ARM IoT devices.
* Under the hood – circuit boards, pins, interfaces and flash chips.
* Firmware Extraction via UART.
* Firmware Extraction directly from flash memory.
* Introducing the ARM-X Firmware Emulation Framework.
* How to emulate an IoT device in ARM-X.
* Exploiting vulnerabilities in the IoT device.
* Bypassing exploit mitigation technologies – DEP and ASLR.
* Practical ARM ROP chains.
* Customised ARM shellcode.
* Overcoming limitations – payload size, bad characters, encodings.
* A deeper look into firmware emulation – emulating nvram, patching factory defaults.
* Working around missing emulated hardware – tracing binaries, patching libraries.
* Exercises, exercises and more exercises
* The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.



* A quick introduction to ARM architecture and assembly language.
* EXERCISE – Learn ARM assembly by compiling and reverse engineering binaries.
* EXERCISE – Using GDB for debugging ARM ELF binaries.
* An introduction to ARM IoT devices.
* Under the hood – a tour of the circuit boards, pins, interfaces and flash chips.
* Obtaining the firmware via UART console.
* Obtaining the firmware using an EEPROM programmer device, directly from the memory.
* Unpacking the firmware and static analysis.
* Bug hunting via static reverse engineering and decompilation.
* Introducting the ARM-X Firmware Emulation Framework.
* How to emulate an IoT device in ARM-X.
* Matching the device – choosing the right CPU to emulate.
* Matching the device – compiling a custom kernel.


* EXERCISE – emulate a home router in ARM-X.
* Filling in the blanks – dealing with missing hardware in the emulator.
* Working with nvram
* EXERCISE – emulate an IP camera in ARM-X.
* Complexities in emulation – hotpatching and hooking functions.
* EXERCISE – emulate a compilcated IoT device.
* Debugging the emulated IoT device.
* Dynamic tracing of the emulated IoT device.


* EXERCISE – Bug hunting by fuzzing.
* EXERCISE – Bug hunting by reverse engineering.
* EXERCISE – Writing exploits for the bugs discovered.
* Writing customised ARM shellcode.
* Bypassing exploit mitigation technologies – DEP and ASLR.
* Practical ARM ROP chains.
* Attacking the actual hardware.
* Overcoming cache coherency issues.


* A conceptual understanding of how functions work in C programming
* Knowledge of how a stack works, basic stack operations
* Familiarity with debuggers (gdb, WinDBG, OllyDBG or equivalent)
* Not be allergic to command line tools.
* Have a working knowledge of shell scripts, cmd scripts or Perl.
* If none of the above apply, then enough patience to go through the pre-class tutorials.
* SKILL LEVEL: INTERMEDIATE (leaning towards advanced)

Hardware / Software Requirements

* A working laptop (no Netbooks, no Tablets, no iPads)
* Intel Core i3 (equivalent or superior) required
* 8GB RAM required, at a minimum
* Wireless network card
* 40 GB free Hard disk space
* If you’re using a new Macbook or Macbook Pro, please bring your dongles (especially for reading USB-A pen drives)

* Linux / Windows / Mac OS X desktop operating systems
* VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
* Administrator / root access MANDATORY

THE EXPLOIT LAB BLOG: http://blog.exploitlab.net/
OUR TWITTER STREAM: @therealsaumil

Students Will Be Provided With

Students will be provided with the pro version of ARM-X, and all the lab images used in the class. The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.


Location: Training Rooms Date: April 20, 2020 Time: 9:00 am - 6:00 pm Saumil Shah