A look back at Hardwear.io USA 2025

Hardware.io USA is a cybersecurity conference focused on hardware and embedded system security, held in California, USA. From May 27 to May 31, the event kicked off with three days of hands-on training, followed by two days of talks, workshops, and hallway chats with some of the best minds in the field.

Here are some of the key topics that stood out:

• IoT security, including Zephyr RTOS and automotive attacks
• EMFI - with a dive into Google Wifi Pro and the NXP MPC5566
• JTAG exploitation
• PowerG wireless protocol reverse engineering
• Hardware reverse engineering on ICs
• A fresh look at rowhammer attacks
• A deep dive into Adam’s Bridge and post-quantum crypto
• Firmware extraction from STM32 chips

Videos and slides should be online soon.

In this post, I’ll share some of the talks I attended and why I found them interesting.

1️⃣ Exploiting Something Deeply Hidden: Signals, Silence, and Secrets

Speaker(s): Samy Kamkar

An overview of the career of renowned security researcher Samy Kamkar, from his arrest following the creation of the MySpace worm to his later shift toward hardware security research.

2️⃣ EL3vated Privileges: Glitching Google Wifi Pro from Root to EL3

Speaker(s): Cristofaro Mune

This talk walked through a successful EMFI (Electromagnetic Fault Injection) attack on the Qualcomm IPQ5018 SoC inside the Google Wifi Pro router. The goal was to escalate privileges from a root shell (EL0) all the way up to EL3 — the highest privilege level on ARM architectures.

3️⃣ Why 'Adams Bridge' Leaks: Attacking a PQC Root-of-Trust

Speaker(s): Markku-Juhani O. Saari

The talk examines Adams Bridge, the ML-DSA (Dilithium) accelerator in the Caliptra 2.0 Root of Trust, part of an open-source initiative backed by major tech companies.

While Caliptra 1.0 is already deployed in commercial silicon, Caliptra 2.0 is being adopted more broadly. The presentation focuses on attacks against the "secure" version of Adams Bridge, bypassing partial masking countermeasures, and explores architectural challenges in designing post-quantum cryptographic (PQC) hardware.

Both pre-silicon leakage simulations and FPGA-based testing are used.

4️⃣ Skimmers, Shimmers, and You: Reverse Engineering Card Skimmers to Retrieve Stolen Payment Information

Speaker(s): Aidan Quimby

This presentation explains how skimmers and shimmers are used in payment terminals, such as those found at gas stations.

These devices are discreetly attached to the terminal, making them nearly invisible to users. Their purpose is to capture card information, either by reading the magnetic stripe or accessing data from the chip.

The ultimate goal is to create a cloned version of the original card, mimicking only the magnetic stripe authentication.

One approach is to create a magnetic stripe clone only. This can still be effective because, in the United States, many terminals continue to rely solely on magnetic stripe data.

If the terminal attempts to use the chip on the card, the objective is to trick it into believing that the card supports only magnetic stripe mode. In such cases, the reader will access fallback data stored on the chip, which replicates the magnetic stripe information.

Some valuable tools referenced:

• Cardpeek
• SVD-Loader for Ghidra
• Hunter Cat card skimmer detector
• Skim Scan
• Bluesleuth Bluetooth scanner
• Security tape
• Target EasySweep

5️⃣ Tracing the Untraceable: Extracting Protected Flash with STM32-TraceRip

Speaker(s): Aidan Quimby, Mark Omo & James Rowley

The researchers bypassed the readout protection of the STM32G0 processor family using a novel platform called STM32-TraceRip. This tool enables the extraction of runtime execution traces, even when protection mechanisms are active.

They developed a custom algorithm to reconstruct protected flash memory by leveraging sparse intermediate values observed during the boot-time CRC process. The technique is applicable to a broad range of STM32 microcontrollers, including STM32G0, STM32C0, STM32F0, STM32F1, and others.

6️⃣ Zephyr Security: Breezing Through Internals, Threats, and Hardening

Speaker(s): Eric Evenchick

The talk reviews security findings and best practices for Zephyr, a widely adopted real-time operating system (RTOS) for resource-constrained devices. It highlights built-in security features, common misconfigurations, and offers guidance for developers and researchers working with Zephyr-based systems.

The presentation is fairly high-level, so it's intended for people who are not familiar with RTOS security or Zephyr.

7️⃣ Hardware Hacking a Car’s Head Unit & Uncovering a Vulnerable RTOS

Speaker(s): Danilo Erazo

He explains how to hack the infotainment system (IVI) of its car. I was able to download the RTOS and modify it.

Some valuable references:

• Cracking the Bluetooth PIN by Yaniv Shaked and Avishai Wool
• Website: https://revers3everything.com/

8️⃣ Exploiting a Blind Format String Vulnerability in Modern IoT Devices: A Pwn2Own 2024 Case Study

Speaker(s): Baptiste MOINE

This talk presents a case study from Pwn2Own Ireland 2024, detailing the discovery and exploitation of a blind format string vulnerability in the Synology TC500 IP camera. Unfortunately, the product was patched two days before starting Pwn2Own.

9️⃣ New kinds of tools for maintaining and sustaining software

Speaker(s): Sergey Bratus

This is a presentation by an academic that combines theory and practical application. Updating software often requires a full recompilation, making patching complex—even when source code is available. This highlights the value of micro-patching, which involves modifying only the specific parts of the binary that need changes.

The talk explores how to apply such targeted patches, verify the integrity and functionality of the modified binary, and ensure no new vulnerabilities are introduced in the process.

Tool mentioned:

OFRAK: a framework for decompiling, unpacking, analyzing, modifying, and re-packing binaries.

🔟 Making Integrated-Circuit Supply Chain Validation an Easier Task in the Context of Open-Source Silicon

Speaker(s): Olivier THOMAS

This talk addresses the threat of hardware Trojans and how to detect them in the IC supply chain. The company Texplained, known for its expertise in IC reverse engineering, demonstrates a practical approach to verifying that a chip hasn’t been tampered with.

Their method relies on having a golden sample (i.e., the original hardware design), which is only feasible with open-source chips. They reverse-engineer chips by de-layering and analyzing each layer to reconstruct the hardware's structure and behavior.

As a proof of concept, they challenge themselves to recover the design within a day, simulating real-world conditions where a chip is randomly sampled from a production batch.

By comparing the reconstructed design with the golden sample, they can identify hardware modifications. If a Trojan is detected, their process allows them to emulate and analyze its behavior, providing insights into what the malicious logic does.

It receives funding from the ORSHIN: Open-source ReSilient Hardware and software for Internet of things project.

1️⃣1️⃣ BAM BAM on a Budget: You CAN Do It!z

Speaker(s): Hash Salehi

The speaker was tasked with reproducing the attack described in 'BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks' by Collin O’Flynn for a client. Initially, he estimated it would take five days, as it was merely replicating a published paper .. but ultimately, the process took two months.

The target was the NXP MPC5566 microcontroller.

1️⃣2️⃣ Weaknesses and Vulnerabilities in the PowerG Wireless Radio Protocol

Speaker(s): James Chambers & Sultan Qasim Khan

This talk presents the first public reverse engineering of the PowerG wireless protocol used in security systems by Johnson Controls.

The researchers uncovered a major vulnerability affecting common deployments and analyzed protocol weaknesses. They detail their methods, including SDR signal capture and firmware analysis, and release tools for packet capture, decryption, and analysis.

1️⃣3️⃣ Six Years of Rowhammer: Breakthroughs and Future Directions

Speaker(s): Stefan Saroiu (Microsoft)

This talk presents six years of research under Microsoft’s Project STEMA, focused on understanding and mitigating Rowhammer attacks in cloud environments. It introduces Panopticon, a practical defense mechanism developed to detect and address these vulnerabilities in Azure servers.

The talk began by addressing a counterintuitive reality: newer generations of DRAM are actually more vulnerable to Rowhammer attacks due to increased cell density. For years, hardware vendors had downplayed the threat, especially when it came to DDR4 memory.

Many claimed it was immune to Rowhammer, and any concerns were limited to academic scenarios:

DRAM generations are more vulnerable to Rowhammer attacks due to higher cell density, despite this being counterintuitive.

Before 2020, vendors largely dismissed these attacks, claiming DDR4 was safe. However, a 2020 ETH Zurich paper demonstrated successful Rowhammer attacks on DDR4, even bypassing built-in mitigations that only detect hammering between 1–2 adjacent rows.

In response, Microsoft built a dedicated DRAM lab for R&D. Vendors argued that only academic DRAM modules were vulnerable—not server-grade memory. Microsoft disproved this using tools like the FS2800 DDR Detective bus analyzer, showing that even ECC-protected server DRAM was exploitable.

They also developed a custom fault injector (mFIT) to disable refresh operations, further demonstrating attack feasibility.

Although vendors claimed ECC would mitigate such faults, Microsoft showed otherwise, revealing that on-die mitigation circuits have limited coverage (e.g., only 100 counters for -millions of rows to check).

To improve detection, Microsoft introduced Panopticon, a system that adds hardware counters to detect abnormal row access patterns and raise alerts. However, this system can also be abused: attackers could trigger alerts to cause denial-of-service.

While DDR5 includes Panopticon-like features, proper configuration impacts performance—so it’s often disabled. Microsoft said that servers typically aren’t rebooted once running, making persistent vulnerabilities more critical.

1️⃣4️⃣ Journey into JTAG

Speaker(s): Ryan Grachek

The speaker presented an attack on the Qualcomm APQ8064 chip in a Samsung Galaxy S4, focusing on JTAG exploitation. While the target is outdated, the talk offered valuable insights into low-level JTAG techniques. It was highly technical, which led to a rushed ending and many slides being skipped.

The presentation was highly technical. As a result, the ending was rushed and several slides were skipped.

Tools used:

• UrJTAG
• TUMPA JTAG adapter
• z3x Easy-JTAG.