Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    À La Carte Firmware Pen Testing

    Firmware Pen Testing. Done at the Silicon.

    Embedded firmware extraction, reverse engineering, secure-boot validation, and OTA update testing for medical devices. The work that proves your device's root of trust actually holds.

    JTAG, SWD, UART, SPI, chip-off - whatever your device exposes.

    • JTAG / SWD / UART
    • Chip-off extraction
    • Secure boot review
    • OTA path testing
    • Free 30-min scoping call
    • Fixed-fee quote in 24 hours
    • Hardware lab in-house
    • Senior embedded reverser on every job
    • Re-test included
    Trusted by leading MedTech manufacturers since 2014 · See client outcomes and awards
    Christian Espinosa, Founder & CEO

    Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

    Last reviewed

    Why Most Pen Tests Never Touch the Firmware

    Application security firms test what they're equipped to test - web apps. Embedded firmware requires a hardware lab, oscilloscopes, JTAG adapters, and reverse-engineering experience that generalists don't carry.

    No Hardware Lab

    Without a soldering station, logic analyzer, and JTAG adapters, the tester can't even reach the firmware to begin testing it.

    No Binary Reversing Skill

    Reversing ARM/RISC-V/MIPS firmware in Ghidra requires a different practitioner than the one who reads OWASP Top 10 reports.

    Secure Boot Treated as a Spec

    FDA expects validation, not assertion. Generic firms quote your design doc back to you instead of testing whether the chain actually holds.

    Attack surface

    What We Actually Test

    À la carte scope - we focus on the firmware layer and adjacent hardware interfaces. Pair with our BLE/RF or PHI Cloud service for full coverage.

    Hardware Interface Discovery

    • Visual + logic-analyzer port identification
    • JTAG / SWD enumeration (JTAGulator, Bus Pirate)
    • UART discovery, baud detection, console attack
    • SPI / I²C bus sniffing and injection
    • Test-point and debug-header documentation

    Firmware Extraction

    • In-circuit flash readout via SPI/QSPI
    • JTAG/SWD memory dumps
    • Chip-off extraction (BGA / TSOP / SOIC) when required
    • OTA package interception and unpacking
    • Bootloader and recovery-mode extraction

    Binary Analysis & Reverse Engineering

    • Ghidra / IDA reversing of ARM, RISC-V, Xtensa, MIPS
    • Hard-coded credential and key hunting
    • Cryptographic primitive review (custom or weak crypto)
    • Symbol recovery and function identification
    • SBOM correlation and CVE exploit verification

    Secure Boot & OTA

    • Secure-boot chain validation (ROM → BL → app)
    • Signature, hash, and rollback-protection testing
    • OTA package signing and version-pinning review
    • Downgrade-attack and partial-image scenarios
    • Recovery / factory-reset abuse paths
    How it works

    Engagement Methodology

    Three to six weeks depending on extraction difficulty and binary size.

    1. 01

      Scoping & Hardware Intake

      We review your architecture, MCU/SoC datasheet, secure-boot design, and SBOM. You ship two to three units to our lab (one for destructive extraction if chip-off is in scope).

    2. 02

      Interface Discovery & Extraction

      We document every exposed debug interface, attempt non-destructive extraction first (JTAG/SWD/UART), and only escalate to chip-off when warranted.

    3. 03

      Reverse Engineering & Exploitation

      Binary analysis in Ghidra, secret hunting, crypto review, secure-boot chain testing, and OTA path attacks. Every finding reproduced and evidenced.

    4. 04

      FDA-Ready Reporting & Re-test

      Findings mapped to AAMI TIR57, IEC 81001-5-1, and the Feb 2026 FDA guidance. SBOM-to-finding traceability included. Re-test until you pass.

    What's included

    Reviewer-ready deliverables in one engagement

    Every firmware penetration testing engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.

    • JTAG / SWD / UART debug interface testing
    • Flash extraction (in-circuit and chip-off)
    • Binary reverse engineering and crypto review
    • Secure boot, signing, and rollback validation
    • OTA update path and integrity testing
    • SBOM correlation and CVE exploit verification
    Pricing guidance

    Pricing Guidance

    Fixed-fee. Hardware testing is more variable than software - we always scope on a 30-min call before quoting.

    Standard Firmware

    $18k - $35k

    Single MCU/SoC, exposed debug interfaces, well-documented SBOM. Most ARM Cortex-M and ESP32-class devices.

    • Non-destructive extraction (JTAG/SWD/UART)
    • Full binary reverse engineering
    • Secret + crypto review
    • Secure boot validation
    • One round of re-test

    Hardened / Locked

    $35k - $70k

    Locked debug ports, encrypted flash, or secure-element-protected boot. Requires chip-off or side-channel exploration.

    • Chip-off extraction (1-2 destructive units)
    • Secure-element interface analysis
    • OTA path and rollback testing
    • Glitching / fault-injection where applicable
    • Two rounds of re-test

    Multi-Processor System

    $70k - $150k+

    Multiple processors (e.g., main MCU + radio SoC + safety co-processor), proprietary RTOS, or Linux-based platforms with custom kernel.

    • Per-processor extraction and analysis
    • Inter-processor communication review
    • Linux kernel / driver review (where applicable)
    • Dedicated senior embedded lead

    What drives the price

    • Number of processors and firmware images in scope
    • Whether debug ports are open, locked, or fused-off
    • Need for chip-off extraction (destructive) vs. in-circuit
    • Binary size and obfuscation level
    • Presence of a secure element or TPM
    • Inclusion of OTA path and rollback testing
    • RTOS vs. embedded Linux (kernel review adds scope)

    We always need 2-3 sample units. One may be destroyed if chip-off is required. Discuss in scoping.

    Related Premarket services

    FAQ

    Firmware Pen Testing FAQs

    Ready to start Firmware Penetration Testing?

    Firmware Penetration Testing - scoped, fixed-fee, FDA-ready.

    Embedded firmware extraction, reverse engineering, secure-boot validation, and OTA update testing for medical devices. The work that proves your device's root of trust actually holds.