The list below is compiled to inform, guide, and inspire budding security researchers. Oh, and to pick something for bedtime reading too.
- https://raelize.com/blog/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/
- https://raelize.com/blog/espressif-systems-esp32-bypassing-flash-encryption/
- https://raelize.com/blog/espressif-systems-esp32-controlling-pc-during-sb/
- https://raelize.com/blog/espressif-systems-esp32-bypassing-sb-using-emfi/
- https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/
- https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/
- https://limitedresults.com/2019/08/pwn-the-esp32-crypto-core/
- Compromising device security via NVM controller vulnerability
- https://www.cl.cam.ac.uk/~sps32/HWIO_OTB.pdf
- https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/
- https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass-part-2/
- https://limitedresults.com/2020/01/nuvoton-m2351-mkrom-armv8-m-trustzone/
- https://media.ccc.de/v/36c3-10859-trustzone-m_eh_breaking_armv8-m_s_security
- Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis
- https://i.blackhat.com/eu-19/Thursday/eu-19-Temeiza-Breaking-Bootloaders-On-The-Cheap-2.pdf
- https://toothless.co/blog/bootloader-bypass-part1/
- Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis
- Shaping the Glitch: Optimizing Voltage Fault Injection Attacks
- https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
- https://www.riscure.com/uploads/2019/04/Riscure_OffensiveCon19_glitchingKeepkey.pdf
- https://www.xilinx.com/support/answers/76201.html
- https://blog.ropcha.in/drafts/part-3-zynq-cve-2021-27208.html
- The Sorcerer’s Apprentice Guide to Fault Attacks
- https://chip.fail/chipfail.pdf
- https://research.nccgroup.com/wp-content/uploads/2020/02/NCC-Group-Whitepaper-Microcontroller-Readback-Protection-1.pdf
- Taking a Look into Execute-Only Memory
- https://www.cl.cam.ac.uk/~sps32/mcu_lock.html
- https://ryancor.medium.com/pulling-bits-from-rom-silicon-die-images-unknown-architecture-b73b6b0d4e5d
- https://elie.net/blog/security/hacker-guide-to-deep-learning-side-channel-attacks-the-theory/
- https://elie.net/blog/security/hacker-guide-to-deep-learning-side-channel-attacks-code-walkthrough/
- Design Considerations for EM Pulse Fault Injection