Lady bird
Carel van Rooyen profile image

Carel van Rooyen

Security Analyst at Compass Security Schweiz AG

Philipp Promeuschel profile image

Philipp Promeuschel

Security Analyst at Compass Security Schweiz AG

Carel van Rooyen & Philipp Promeuschel

Workshop Title

Xtensa & Mongoose OS exploitation

Workshop Abstract

Debugging and inspection of Mongoose IoT on the ESP32

Mongoose OS is an open source operating system used as a framework for the rapid development of IoT projects with a variety of deployable hardware options. With the cost-effective BLE devices, they are ideal for IoT development, and Mongoose OS further eases entry for developers wanting to deploy /test / use such devices. This extra abstraction might bring an unawareness of the underlying device security-relevant issues inherent in hardware and software.

We inspect the underlying system, discuss the necessary tools for this, and how we approached researching the environment.

In the workshop, we will demonstrate our thought processes behind inspection, and perform a live demo on target devices, including:

  • Setting up a Mongoose OS environment
  • Crash inspection (dumps)
  • Demos on live debugging
  • Mongoose OS firmware layout
  • A brief differentiation between X86 and Xtensa ISA exploitation considerations
  • Further live demo
  • Discussion on finding issues and patching the source
  • Discussion of possible future work (live patching, exploitation approaches)


esp32, debugging, firmware, mongoose OS


2 hours

Speaker Bio

Philipp Promeuschel is a security analyst at Compass Security Schweiz AG, interested in mobile and IoT security. Additionally he is a security course teacher (APT, mobile security, forensics, web application security) and volunteering for public IT Security events such as Cyber Security Austria 2013, Cyber Security Alpen Cup 2014, OWASP AppSec EU 2013, 2015-2017 as well as for the European Cyber Security Challenge 2015.

Carel van Rooyen is a computer systems engineer that has worked in security in three countries and is currently a security analyst at Compass Security Schweiz AG. Prior to his work as security researcher he spent years teaching web application development and network security principles.