“Breaking Secure Boot by Experience”

Format Available Price (per student)
Online 2000 EUR
In-Person (2 days) Contact us!
In-Person (3 days) Contact us!


Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of secure devices. Recent attacks on Secure Boot, implemented by a wide variety of devices such as video game consoles and mobile phones, are a clear indicator that Secure Boot vulnerabilities are widespread.

Are you interested in learning and experiencing what it takes to break Secure Boot leveraging more than just software vulnerabilities?

Then, this is THE experience for you!

The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. The experience itself is exercise-driven and gamified using an exciting jeopardy-style Capture-The-Flag (CTF).

Using an emulated device, which is based on publicly available code bases, you will be challenged to identify and exploit interesting vulnerabilities specific to Secure Boot. Even though the emulated device implements the ARMv8 (AArch64) architecture, many exercises are at the same time architecture independent.

Do no worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. Nevertheless, most exercises can be completed in various ways which are interesting for experiences attendees as well. Moreover, hardware attacks like Fault Injection, which are a very relevant threat for Secure Boot, are discussed and simulated where possible.


  • Anyone with an interest in breaking Secure Boot on secure devices
  • Security enthusiasts with an interest in embedded device security
  • Designers of Secure Boot interested in an offensive perspective


The exact agenda depends on the training's format. However, the lectures and exercises are sourced from an extensive library consisting of interesting topics and hands-on exercises.

  • Secure Boot introduction
  • Secure Boot fundamentals
    • Embedded technology
    • Flash image parsing
    • Cryptography (e.g. authentication or decryption)
  • Secure Boot attack surface
  • Real-world Secure Boot attacks
  • Identify Secure Boot vulnerabilities by analyzing
    • Design information
    • Flash dumps
    • Source code
    • Binary code
  • Exploit Secure Boot vulnerabilities related to
    • Insecure designs
    • Vulnerable software
    • Using weak or incorrect cryptography
    • Too flexible configurations
    • Incorrect checks
    • Insecure parsing
    • Vulnerable hardware
    • Anti-Rollback
    • Fault injection

More details about the program can be provided on request.

Attendee requirements

Anyone with a technical background should be able to complete the BootPwn experience. Less-experienced attendees will rely on hints and/or solutions available during the hands-on exercises whereas more-experienced attendees will not. Nonetheless, familiarity with the following come in handy:

  • Embedded technologies and devices
  • Basic programming (Python and C)
  • Reverse engineering (ARM AArch64)
  • Cryptography (RSA, AES and SHA)
  • Linux command line

Relevant publications

About Raelize