image image

Reverse Engineering Firmware with Ghidra

Trainer: Eric Evenchick

Date: 5th - 8th July 2021 (5hrs for 4days)

Time: 9:00am to 2:00pm PDT

Platform: Zoom + Discord

Note: To ensure that all training kits are delivered to the attendees before the start of the training, we encourage everyone to register for the Reverse Engineering Firmware with Ghidra Training before Tue, 15 June 2021. After this day, we cannot ensure that all kits are delivered in time.


This hands-on course teaches the concepts, tools, and techniques required to reverse engineer firmware and assess embedded devices. To ensure the tools taught are available to all, we will make use of Ghidra, a powerful open-source reverse engineering tool developed by the National Security Agency. This free, capable tool eliminates the high cost of entry of expensive commercial tools that are currently used for these tasks.

Within the two days, you will:

  • Learn general techniques for binary reverse engineering
  • Identify, unpack, load, and analyze various types of firmware into Ghidra
  • Use reverse engineering techniques to find exploitable vulnerabilities in an embedded Linux device
  • Map device vector tables, peripheral memory, and system calls to find exploitable vulnerabilities in a bare-metal device
  • Identify remotely exploitable vulnerabilities in a Bluetooth Low Energy device

Labs attacking an embedded Linux system and a bare-metal Bluetooth Low Energy device will be used to deliver a hands-on experience. You can expect to leave this course with the skills to reverse firmware for a variety of embedded targets. You'll also take home a target board to continue building your skills after the course.

The global embedded system market is predicted to be worth over $200 billion by 2020. An embedded system is a combination of software (called firmware) and hardware which together facilitate the accurate functioning of a target device. These increasingly popular devices are not only found in the home, but automotive, telecommunications, healthcare, industrial, and military & aerospace.

Working with firmware requires skills beyond ordinary binary reversing. This course begins with an introduction to reverse engineering ARM binaries, then moves into skills for various types of firmware. We will use Ghidra, the NSA's open-source reverse engineering tool, throughout the course. This highly extensible tool supports many different processor architectures, making it well suited for firmware reversing. Ghidra's featureset is comparable to costly tools such as IDA Pro.

Two targets will be explored in the course: an embedded Linux device and a bare-metal ARM device with Bluetooth Low Energy. These types of devices represent what's inside many products in the wild.

This course is divided into four half-day modules. Each course module adopts a Mission Essential Task List (METL) approach where students are taught a list of tasks required in order to successfully implement the skills in the hands on section. We will follow this agenda:

Day 1 - Introduction to Embedded Reverse Engineering & Hello Ghidra
Day 2 - Embedded Linux Device
Day 3 - Bare-Metal Device 1: Device Peripherals and Interrupts
Day 4 - Bare-Metal Device 2: RTOS, System Calls, Bluetooth Low Energy


  • Hands-on skills in binary reverse engineering using Ghidra
  • Experience with unpacking, loading, and reversing embedded Linux targets
  • Bare-metal firmware reverse engineering techniques using a real-world target

What Students Will Be Provided With

  • Students will be provided with the lab manual
  • Access to a virtualized ARM device for the duration of the course
  • An embedded ARM Cortex M0 target to take home.

Who Should Take this Course

This course is aimed at students who have some experience with software development and/or binary reverse engineering, but want to learn more about binary reverse engineering, attacking embedded systems, and Ghidra.

If you are comfortable reading and writing writing C, you should have the background knowledge required for this course.

To help students before the course, we will provide recommended pre-course materials. This will help less experienced students get up to speed before the course.


  • Students should have some experience with either developing or reverse engineering software.
  • Any knowledge of microcontrollers will be an asset, but is not required.
  • Students will need a laptop running Windows, Linux, or macOS. Ideally, students should download and install Ghidra and Java 11 before the course to expedite setup.


Eric EVENCHICK has worked in development and reverse engineering roles for hardware and software companies. He now specializes in embedded device security, automotive security, and bespoke tool development. Eric's work with embedded systems began with development of research vehicles at the University of Waterloo, in partnership with General Motors and the US Environmental Protection Agency. This experience lead to roles in developing automotive firmware and reverse engineering vehicle systems at companies including Tesla Motors and Faraday Future. Eric is currently a Technical Director at NCC Group where he performs security testing on a wide variety of targets. In 2014, Eric founded Linklayer Labs, which provided consulting services and develops open source hardware tools for the information security community. Since 2012, he has been a contributor to Hackaday, a blog covering hardware and software "hacks." Eric holds a Bachelor of Applied Science in Electrical Engineering from the University of Waterloo. He has presented at numerous software and security conferences including Black Hat events in USA, Asia, and Europe, SecTor, ToorCon, and PyCon USA. His work has been featured by several publications, including Wired and Forbes.