2025-07-01, 14:45–15:20 (Europe/Paris), Amphitheater 122
A debugger is always a valuable tool when searching for vulnerabilities, particularly in embedded systems where multiple peripherals may be involved. Most targets support either well-standardized debug protocols such as JTAG or SWD, or rely on proprietary alternatives. These debug ports are often locked to prevent unauthorized access. When locked, depending on the chip, it may still be possible to reactivate them by exploiting a bug. In rare cases where this is not possible, direct modification of the firmware may be an option. In such scenarios, an on-chip debugger can be implemented within the firmware itself. While potentially unstable, this type of debugger can be highly useful for firmware analysis and exploit development.
This talk offers an overview of low-level concepts related to interrupts, followed by a detailed guide on building an on-chip debugger, addressing the various choices and challenges that may arise during the process.
To begin with, a communication channel is required, preferably one that keeps working while the debug interrupt handler is executing (which in practice means polled rather than interrupt-driven I/O, since the handler typically runs with interrupts masked). An initial breakpoint must be planted in the target to hand control to the debugger. A debug handler, ideally written in assembly so that it does not clobber the state it is meant to inspect, needs to be implemented and configured to listen for commands that read and write memory and register contents. An intermediate server that speaks GDB's remote serial protocol on one side and the handler's command set on the other must also be created. Several open-source skeletons are available to assist in this task.
In addition, the talk places special emphasis on designing a lightweight debugger, as it is intended for embedded targets. It will therefore present techniques to keep the code as minimal and efficient as possible.
Vincent Lopes is a security engineer at Quarkslab, with a focus on embedded and hardware/software reverse engineering.