Researchers exploited weaknesses in Xiaomi’s miIO protocol to bypass authentication, predict cryptographic values, and trigger memory corruption, ultimately achieving remote code execution and a cloud-independent jailbreak on a Xiaomi C400 camera.
TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering
The article shows how AI-assisted reverse engineering of the TP-Link Tapo C200 firmware uncovered hardcoded keys, buffer overflows, and insecure APIs, demonstrating how IoT devices can expose users to remote compromise and privacy risks.
Reverse Engineering the Tapo C260 and Tapo Discovery Protocol v2
The research reverse-engineers the TP-Link Tapo C260 camera firmware and analyzes Tapo Discovery Protocol v2. By dumping and decrypting the filesystem, the author reconstructs protocol logic and maps the device’s network attack surface.
Hacking a Bluetooth Printer Server: GATT to UART Adapter?
Reverse engineering a Bluetooth printer server reveals multiple security flaws, including exposed debug interfaces and insecure GATT services, enabling unauthenticated remote code execution with root privileges via Bluetooth or network access.
Blinkenlights 2.0: Reverse Engineering a Smartwatch via Screen Signals
Reverse engineering a cheap smartwatch and reviving the classic “blinkenlights” attack to extract firmware through screen update patterns, revealing weaknesses in OTA update mechanisms, BLE communication, and embedded device security design.
Taming the dragon: reverse engineering firmware with Ghidra
The article explains how to reverse engineer embedded firmware using Ghidra, covering techniques for loading firmware, identifying CPU architectures, analyzing functions, and using scripts/plugins to understand device logic and discover vulnerabilities.
Rooting the TP-Link Tapo C200 Rev.5
The author analyzes the TP-Link Tapo C200 camera firmware by dumping flash via UART and U-Boot, reversing the AES-encrypted rootfs headers, and modifying the firmware to gain remote root access for deeper dynamic security analysis of the device.
Breaking Flash Encryption on Espressif ESP32: Side-Channel Attacks Against Embedded Security
Researchers demonstrated that flash encryption on Espressif ESP32 chips can be broken using side-channel power analysis. By measuring power traces during AES operations, attackers can recover encryption keys and potentially decrypt firmware stored in flash memory.