This is an intensive hands-on course covering tools and methods for manipulating, modifying, debugging, reverse engineering, interacting with, and exploiting the software (firmware) and hardware of embedded systems. These embedded systems include COTS IoT ("Internet Of Things") products (such as routers, webcams, etc) and Industrial/Enterprise devices. Participants will gain hands-on experience with real-world devices and products, learning to interface with them on a low level. Participants will also be walked through the process of finding several of the 0-day found and disclosed by the instructors. Found to be vulnerable in millions of devices worldwide.

Concepts taught (hands-on) in the course include: 

  • Bus spying, tampering, spoofing, injection on simple serial interfaces like UART, SPI, I2C and others  

  • Finding, identifying, analyzing, and interfacing with JTAG, Serial, and other interfaces

  • Configuring, Interfacing, Using, Misusing, and Abusing JTAG for reverse engineering, manipulation, and exploitation

  • Non-destructively extracting firmware via software, JTAG and serial interfaces

  • Invasively extracting firmware by directly accessing or physically removing flash storage

  • Parsing, extracting, and analyzing firmware images

  • Manipulating firmware images to embed backdoors or other functionality

  • Binary analysis of executables on firmware to enable software exploitation

Who should attend?

Makers, Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.

Student requirements

  • No prior experience with hardware based exploitation necessary. 

  • Novice or Intermediate software exploitation experience recommended (ARM, x86, etc.) 

  • Familiarity with IDA or disassemblers recommended. 

  • Understanding of software development, executable file formats, and debuggers recommended. 

  • Familiarity with assembly (ARM, x86, etc) recommended. 

  • Novice to Intermediate knowledge of a powerful scripting language required (Ruby, Python, Java, etc.) 

  • Familiarity with C and C++ recommended. 

What students should bring 

Students will be provided with a Lab manual and USB drive with the virtual machine and all software installed. Each student will be provided a lab kit for the duration of the class containing target embedded systems including wireless routers, NAS devices, android tablets, and embedded development boards, as well as tools for identifying and interfacing with test, debug, and peripheral interfaces including serial cables, bus pirates, logic analyzers, multimeters, jtag adapters, etc.

Find out more!



2 days

19th, 20th September 



Early bird (Until March 31st)

USD 2000


  • Discount buying the 2 Xipiter courses!!


Para realizar consultas sobre el training o alguno de sus beneficios, contacta a capacitacion@ekoparty.org


Stephen A. Ridley is a security researcher with more than 15 years of experience in software development, software security, and reverse engineering. Within that last few years, he has presented his research and spoken about reverse engineering and software security research on every Continent except Antarctica. Stephen and his work have been featured on NPR and NBC and in the Wall Street Journal, Wired, Washington Post, Fast Company, VentureBeat, Slashdot, The Register, and other publications.

Stephen serves as CTO and Founder of Senrio Inc. a VC-backed network intelligence, asset identification,and embedded device security company. Stephen 
holds several patents* some of which are specifically in support of Senrio’s machine learning and firmware technologies.Prior to Senrio, Stephen founded Xipiter, a small New York-based boutique (~10 employees), an information security practice with a focus on mobile/embedded device security services and training. Although a small practice, Xipiter’s customers included “Fortune 50” businesses, as well as Government and Defense/Intelligence Agencies.Stephen has authored a number information security articles, open-source security tools, and co-written several texts. The most recent of which is the "Android Hackers Handbook" published by Wiley &  Sons. Stephen has guest lectured at NYU, Rensselaer PolyTechnic (RPI), Dartmouth, and other universities on subject of software exploitation and reverse  engineering. Stephen has served on the programming/review committees of USENIX Woot, SecuringSmartCities, BuildItSecurely, et al. Stephen also serves on the board of IndySci.org, a California 501(c)(3) non-profit devoted to making "Open Source"  pharmaceuticals a reality