Reverse Engineering Firmware with Ghidra

Trainer: Eric Evenchick

Date: 6th - 8th June 2022

Time: 9:00am to 5:30pm PDT

Venue: Delta Hotels by Marriott

Training Level: Intermediate

Note: Regarding COVID-19 safety, will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. will follow all applicable health regulations required by the local (Santa Clara) and government (State of California) authorities.

Training Detailed Description:

This hands-on course teaches the concepts, tools, and techniques required to reverse engineer firmware and assess embedded devices. To ensure the tools taught are available to all, we will make use of Ghidra, a powerful open-source reverse engineering tool developed by the National Security Agency. This free, capable tool eliminates the high cost of entry of expensive commercial tools that are currently used for these tasks.

During this training you will:

  • Learn general techniques for binary reverse engineering
  • Identify, unpack, load, and analyze various types of firmware into Ghidra
  • Use reverse engineering techniques to find exploitable vulnerabilities in an embedded Linux device
  • Map device vector tables, peripheral memory, and system calls to find exploitable vulnerabilities in a bare-metal device
  • Identify remotely exploitable vulnerabilities in a Bluetooth Low Energy device
  • Learn to use a debugger to assist in reverse engineering

Labs attacking an embedded Linux system and a bare-metal Bluetooth Low Energy device will be used to deliver a hands-on experience. You can expect to leave this course with the skills to reverse firmware for a variety of embedded targets. You'll also take home a target board to continue building your skills after the course.

The global embedded system market is predicted to be worth over $200 billion by 2020. An embedded system is a combination of software (called firmware) and hardware which together facilitate the accurate functioning of a target device. These increasingly popular devices are found not only in the home, but also in the automotive, telecommunications, healthcare, industrial, and military & aerospace sectors.

Working with firmware requires skills beyond ordinary binary reversing. This course begins with an introduction to reverse engineering ARM binaries, then moves into skills for various types of firmware. We will use Ghidra, the NSA's open-source reverse engineering tool, throughout the course. This highly extensible tool supports many different processor architectures, making it well suited for firmware reversing. Ghidra's feature set is comparable to costly tools such as IDA Pro.

Two targets will be explored in the course: an embedded Linux device and a bare-metal ARM device with Bluetooth Low Energy. These types of devices represent what's inside many products in the wild.

Each course module adopts a Mission Essential Task List (METL) approach, where students are taught a list of tasks required to successfully implement the skills in the hands-on section. We will follow this agenda:

  • Introduction to Embedded Reverse Engineering & Hello Ghidra
  • Embedded Linux Device
  • Bare-Metal Device 1: Device Peripherals and Interrupts
  • Bare-Metal Device 2: RTOS, System Calls, Bluetooth Low Energy, Debugging

What to Expect? | Key Learning Objectives:

  • Hands-on skills in binary reverse engineering using Ghidra
  • Experience with unpacking, loading, and reversing embedded Linux targets
  • Bare-metal firmware reverse engineering techniques using a real-world target

Who Should Attend? | Target Audience:

This course is aimed at students who have some experience with software development and/or binary reverse engineering, but want to learn more about binary reverse engineering, attacking embedded systems, and Ghidra.

If you are comfortable reading and writing C, you should have the background knowledge required for this course.

To help students before the course, we will provide recommended pre-course materials. This will help less experienced students get up to speed before the course.

What to Bring? | Software and Hardware Requirements:

Students will need a laptop running Windows, Linux, or macOS. Ideally, students should download and install Ghidra and Java 11 before the course to expedite setup. Students will need to be able to connect to the venue WiFi network for internet access.

What to Bring? | Prerequisite Knowledge and Skills:

Basic programming experience is an asset, since much of the analysis is of disassembled and decompiled code. Any prior experience with firmware development, embedded systems, or reverse engineering tools will be valuable.

Resources Provided at the Training | Deliverables:

Lab manual, access to a virtual cloud-based target, and a take-home hardware target will be provided.


Eric Evenchick has worked in security, design, and development roles for hardware and software companies. He now specializes in embedded device security, automotive security, and bespoke tool development. Eric's work with embedded systems began with development of research vehicles at the University of Waterloo, in partnership with General Motors and the US Environmental Protection Agency. This experience led to roles in developing automotive firmware and reverse engineering vehicle systems at companies including Tesla Motors and Faraday Future. Eric has previously held the roles of Technical Director at NCC Group and Principal Research Consultant at Atredis. In these roles, he performed security assessments on a wide variety of hardware and software targets. Eric holds a Bachelor of Applied Science in Electrical Engineering from the University of Waterloo. He has presented at numerous software and security conferences including Black Hat, escar, SecTor, ToorCon, NorthSec, and PyCon USA. His work has been featured by several prominent publications, including Wired and Forbes.