Will you destroy our device?

Only if chip-off extraction is the only path to the firmware, and only with explicit written approval. Most engagements are non-destructive - we exhaust JTAG, SWD, UART, and in-circuit SPI options first. We always ask for at least one extra unit as insurance.

Do you need our source code?

No, but it dramatically accelerates analysis and reduces cost. Without source we reverse from binary in Ghidra. With source we can target high-risk modules directly and produce deeper findings in the same window.

What if our debug ports are fused off?

Then we look at the alternatives: in-circuit SPI/QSPI flash readout, OTA package interception, bootloader recovery modes, or chip-off as last resort. A locked device is harder, not impossible.

Will you test our secure boot chain?

Yes - this is a primary focus. We validate the full chain from ROM through bootloader to application, test signature verification, attempt rollback attacks, and probe for downgrade paths and partial-image acceptance.

What about OTA updates?

Included in scope when the device supports OTA. We capture the update package, verify signing and integrity, test downgrade and rollback, and attempt to inject modified images via the legitimate update path.

Do you do fault injection or side-channel attacks?

Voltage glitching and basic timing analysis are in scope for our Hardened / Locked tier when secure boot or secure-element security depends on it. Full power-analysis side-channel work is a specialty engagement quoted separately.

How does this map to FDA expectations?

FDA's Feb 2026 guidance and AAMI SW96 expect testing of secure-boot, integrity controls, and the OTA update path. IEC 81001-5-1 expects a secure development lifecycle. Our reports map findings directly to those frameworks plus your AAMI TIR57 risk file.

How does this relate to your SBOM service?

We correlate our binary analysis against your SBOM to confirm component versions and verify whether known CVEs are actually exploitable in your build. If you don't have an SBOM yet, our SBOM service is the right place to start.

How long does it take?

Three to four weeks for the Standard tier, four to six for Hardened/Locked, and six to ten for multi-processor systems. Chip-off and reflow add roughly one week of lab time.

What deliverables do we get?

Executive summary, full technical findings with reversing notes and PoC where appropriate, SBOM-to-finding correlation table, secure-boot validation report, FDA-ready evidence appendix, and a re-test report after remediation.

À La Carte Firmware Pen Testing

Firmware Pen Testing. Done at the Silicon.

Embedded firmware extraction, reverse engineering, secure-boot validation, and OTA update testing for medical devices. The work that proves your device's root of trust actually holds.

JTAG, SWD, UART, SPI, chip-off - whatever your device exposes.

JTAG / SWD / UART
Chip-off extraction
Secure boot review
OTA path testing

Scope My Firmware Pen Test

Free 30-min scoping call
Fixed-fee quote in 24 hours
Hardware lab in-house
Senior embedded reverser on every job
Re-test included

Trusted by leading MedTech companies since 2014

Reviewed by Christian Espinosa, MBA, CISSP · Founder & CEO

Last reviewed May 2026

Why Most Pen Tests Never Touch the Firmware

Application security firms test what they're equipped to test - web apps. Embedded firmware requires a hardware lab, oscilloscopes, JTAG adapters, and reverse-engineering experience that generalists don't carry.

No Hardware Lab

Without a soldering station, logic analyzer, and JTAG adapters, the tester can't even reach the firmware to begin testing it.

No Binary Reversing Skill

Reversing ARM/RISC-V/MIPS firmware in Ghidra requires a different practitioner than the one who reads OWASP Top 10 reports.

Secure Boot Treated as a Spec

FDA expects validation, not assertion. Generic firms quote your design doc back to you instead of testing whether the chain actually holds.

What's included

Reviewer-ready deliverables in one engagement

Every firmware penetration testing engagement ships with the artifacts FDA reviewers expect to see - traceable, complete, and aligned with current guidance.

JTAG / SWD / UART debug interface testing
Flash extraction (in-circuit and chip-off)
Binary reverse engineering and crypto review
Secure boot, signing, and rollback validation
OTA update path and integrity testing
SBOM correlation and CVE exploit verification

Attack surface

What We Actually Test

À la carte scope - we focus on the firmware layer and adjacent hardware interfaces. Pair with our BLE/RF or PHI Cloud service for full coverage.

Hardware Interface Discovery

Visual + logic-analyzer port identification
JTAG / SWD enumeration (JTAGulator, Bus Pirate)
UART discovery, baud detection, console attack
SPI / I²C bus sniffing and injection
Test-point and debug-header documentation

Firmware Extraction

In-circuit flash readout via SPI/QSPI
JTAG/SWD memory dumps
Chip-off extraction (BGA / TSOP / SOIC) when required
OTA package interception and unpacking
Bootloader and recovery-mode extraction

Binary Analysis & Reverse Engineering

Ghidra / IDA reversing of ARM, RISC-V, Xtensa, MIPS
Hard-coded credential and key hunting
Cryptographic primitive review (custom or weak crypto)
Symbol recovery and function identification
SBOM correlation and CVE exploit verification

Secure Boot & OTA

Secure-boot chain validation (ROM → BL → app)
Signature, hash, and rollback-protection testing
OTA package signing and version-pinning review
Downgrade-attack and partial-image scenarios
Recovery / factory-reset abuse paths

How it works

Engagement Methodology

Three to six weeks depending on extraction difficulty and binary size.

01

Scoping & Hardware Intake

We review your architecture, MCU/SoC datasheet, secure-boot design, and SBOM. You ship two to three units to our lab (one for destructive extraction if chip-off is in scope).
02

Interface Discovery & Extraction

We document every exposed debug interface, attempt non-destructive extraction first (JTAG/SWD/UART), and only escalate to chip-off when warranted.
03

Reverse Engineering & Exploitation

Binary analysis in Ghidra, secret hunting, crypto review, secure-boot chain testing, and OTA path attacks. Every finding reproduced and evidenced.
04

FDA-Ready Reporting & Re-test

Findings mapped to AAMI TIR57, IEC 81001-5-1, and the Feb 2026 FDA guidance. SBOM-to-finding traceability included. Re-test until you pass.

Pricing guidance

Pricing Guidance

Fixed-fee. Hardware testing is more variable than software - we always scope on a 30-min call before quoting.

Standard Firmware

$18k – $35k

Single MCU/SoC, exposed debug interfaces, well-documented SBOM. Most ARM Cortex-M and ESP32-class devices.

Non-destructive extraction (JTAG/SWD/UART)
Full binary reverse engineering
Secret + crypto review
Secure boot validation
One round of re-test

Hardened / Locked

$35k – $70k

Locked debug ports, encrypted flash, or secure-element-protected boot. Requires chip-off or side-channel exploration.

Chip-off extraction (1–2 destructive units)
Secure-element interface analysis
OTA path and rollback testing
Glitching / fault-injection where applicable
Two rounds of re-test

Multi-Processor System

$70k – $150k+

Multiple processors (e.g., main MCU + radio SoC + safety co-processor), proprietary RTOS, or Linux-based platforms with custom kernel.

Per-processor extraction and analysis
Inter-processor communication review
Linux kernel / driver review (where applicable)
Dedicated senior embedded lead

What drives the price

Number of processors and firmware images in scope
Whether debug ports are open, locked, or fused-off
Need for chip-off extraction (destructive) vs. in-circuit
Binary size and obfuscation level
Presence of a secure element or TPM
Inclusion of OTA path and rollback testing
RTOS vs. embedded Linux (kernel review adds scope)

We always need 2–3 sample units. One may be destroyed if chip-off is required. Discuss in scoping.

Get a fixed-fee quote

FAQ

Firmware Pen Testing FAQs

In their words

Backed by MedTech leaders.

"Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."

Hank Tucker

CEO · MedTech Manufacturer

Ready to start Firmware Penetration Testing?

Firmware Penetration Testing - scoped, fixed-fee, FDA-ready.