Firmware Pen Testing. Done at the Silicon.
Embedded firmware extraction, reverse engineering, secure-boot validation, and OTA update testing for medical devices. The work that proves your device's root of trust actually holds.
JTAG, SWD, UART, SPI, chip-off - whatever your device exposes.
- JTAG / SWD / UART
- Chip-off extraction
- Secure boot review
- OTA path testing
- Free 30-min scoping call
- Fixed-fee quote in 24 hours
- Hardware lab in-house
- Senior embedded reverser on every job
- Re-test included
Trusted by leading MedTech companies since 2014
Why Most Pen Tests Never Touch the Firmware
Application security firms test what they're equipped to test - web apps. Embedded firmware requires a hardware lab, oscilloscopes, JTAG adapters, and reverse-engineering experience that generalists don't carry.
No Hardware Lab
Without a soldering station, logic analyzer, and JTAG adapters, the tester can't even reach the firmware to begin testing it.
No Binary Reversing Skill
Reversing ARM/RISC-V/MIPS firmware in Ghidra requires a different practitioner than the one who reads OWASP Top 10 reports.
Secure Boot Treated as a Spec
FDA expects validation, not assertion. Generic firms quote your design doc back to you instead of testing whether the chain actually holds.
Reviewer-ready deliverables in one engagement
Every firmware penetration testing engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.
- JTAG / SWD / UART debug interface testing
- Flash extraction (in-circuit and chip-off)
- Binary reverse engineering and crypto review
- Secure boot, signing, and rollback validation
- OTA update path and integrity testing
- SBOM correlation and CVE exploit verification
What We Actually Test
À la carte scope - we focus on the firmware layer and adjacent hardware interfaces. Pair with our BLE/RF or PHI Cloud service for full coverage.
Hardware Interface Discovery
- Visual + logic-analyzer port identification
- JTAG / SWD enumeration (JTAGulator, Bus Pirate)
- UART discovery, baud detection, console attack
- SPI / I²C bus sniffing and injection
- Test-point and debug-header documentation
Firmware Extraction
- In-circuit flash readout via SPI/QSPI
- JTAG/SWD memory dumps
- Chip-off extraction (BGA / TSOP / SOIC) when required
- OTA package interception and unpacking
- Bootloader and recovery-mode extraction
Binary Analysis & Reverse Engineering
- Ghidra / IDA reversing of ARM, RISC-V, Xtensa, MIPS
- Hard-coded credential and key hunting
- Cryptographic primitive review (custom or weak crypto)
- Symbol recovery and function identification
- SBOM correlation and CVE exploit verification
Secure Boot & OTA
- Secure-boot chain validation (ROM → BL → app)
- Signature, hash, and rollback-protection testing
- OTA package signing and version-pinning review
- Downgrade-attack and partial-image scenarios
- Recovery / factory-reset abuse paths
Engagement Methodology
Three to six weeks depending on extraction difficulty and binary size.
01 Scoping & Hardware Intake
We review your architecture, MCU/SoC datasheet, secure-boot design, and SBOM. You ship two to three units to our lab (one for destructive extraction if chip-off is in scope).
02 Interface Discovery & Extraction
We document every exposed debug interface, attempt non-destructive extraction first (JTAG/SWD/UART), and only escalate to chip-off when warranted.
03 Reverse Engineering & Exploitation
Binary analysis in Ghidra, secret hunting, crypto review, secure-boot chain testing, and OTA path attacks. Every finding reproduced and evidenced.
04 FDA-Ready Reporting & Re-test
Findings mapped to AAMI TIR57, IEC 81001-5-1, and the Feb 2026 FDA guidance. SBOM-to-finding traceability included. Re-test until you pass.
Pricing Guidance
Fixed-fee. Hardware testing is more variable than software - we always scope on a 30-min call before quoting.
Standard Firmware
$18k – $35k
Single MCU/SoC, exposed debug interfaces, well-documented SBOM. Most ARM Cortex-M and ESP32-class devices.
- Non-destructive extraction (JTAG/SWD/UART)
- Full binary reverse engineering
- Secret + crypto review
- Secure boot validation
- One round of re-test
Hardened / Locked
$35k – $70k
Locked debug ports, encrypted flash, or secure-element-protected boot. Requires chip-off or side-channel exploration.
- Chip-off extraction (1–2 destructive units)
- Secure-element interface analysis
- OTA path and rollback testing
- Glitching / fault-injection where applicable
- Two rounds of re-test
Multi-Processor System
$70k – $150k+
Multiple processors (e.g., main MCU + radio SoC + safety co-processor), proprietary RTOS, or Linux-based platforms with custom kernel.
- Per-processor extraction and analysis
- Inter-processor communication review
- Linux kernel / driver review (where applicable)
- Dedicated senior embedded lead
What drives the price
- Number of processors and firmware images in scope
- Whether debug ports are open, locked, or fused-off
- Need for chip-off extraction (destructive) vs. in-circuit
- Binary size and obfuscation level
- Presence of a secure element or TPM
- Inclusion of OTA path and rollback testing
- RTOS vs. embedded Linux (kernel review adds scope)
We always need 2–3 sample units. One may be destroyed if chip-off is required. Discuss in scoping.
Related Premarket services
Full-Service FDA Premarket Cybersecurity
Full-service: we own 100% of SPDF, SBOMs, threat modeling, pen testing, and eSTAR documentation.
FDA Deficiency Response
Got an FDA hold or AI letter? We close cybersecurity deficiencies fast.
FDA-Compliant SBOM Services
Create, validate, and maintain SBOMs for premarket and postmarket.
Firmware Pen Testing FAQs
Backed by MedTech leaders.
"Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."
Firmware Penetration Testing - scoped, fixed-fee, FDA-ready.
