Quentin Kaiser
Quentin Kaiser is a former penetration tester turned binary analysis nerd. He is currently the Lead Security Researcher at ONEKEY, where he focuses on binary exploitation of embedded devices and large-scale bug-finding automation across firmware corpora.
As part of his work, he maintains the firmware extraction tool unblob among other open-source tools such as jefferson, ubi-reader, or sasquatch.
He has published extensive research on offensive security for eCOS and maintains https://ecos.wtf, a resource hub dedicated to eCOS exploitation. He also (infrequently) updates his blog at https://quentinkaiser.be.
Sessions
With the increased scrutiny on embedded device security, firmware encryption is rapidly becoming a standard hurdle in the analysis pipeline. As vendors increasingly attempt to lock down their systems, we're encountering a growing variety of encryption schemes applied at different layers—ranging from full firmware blobs to kernel images and root file systems.
This talk dives deep into the landscape of firmware encryption as seen in the wild, drawing from real-world targets such as telco routers, firewalls, IP cameras, printers, and IP phones. We'll explore encryption schemes implemented across Linux and BSD derivatives, with decryption logic buried in bootloaders, kernel code, or even opaque self-update binaries.
Rather than just showcasing results, this session is built as a reversing adventure: starting with an opaque encrypted blob, we’ll trace a path through static and dynamic reverse engineering to uncover the decryption primitive and ultimately access the firmware's inner workings. We'll analyze the recurring patterns, common developer pitfalls, and the surprising creativity some vendors bring to the table.
Whether you're building firmware extraction pipelines or you're just in it for the puzzles, this talk will arm you with practical techniques and insights for taking back control of encrypted firmware.
Join us for this hands-on demo of Unblob, the flexible firmware extractor. In this session, we will extract firmware from an EV charger, dig into the firmware, and eventually emulate it so we can interact with the services in real time. Unblob works on both hardware and downloadable versions of firmware, so we have a target-rich environment.