Pass the SALT 2026

Salty Firmware - Adventures in Firmware Encryption Reversing
2026-06-30, Amphitheater 122

With the increased scrutiny on embedded device security, firmware encryption is rapidly becoming a standard hurdle in the analysis pipeline. As vendors increasingly attempt to lock down their systems, we're encountering a growing variety of encryption schemes applied at different layers—ranging from full firmware blobs to kernel images and root file systems.

This talk dives deep into the landscape of firmware encryption as seen in the wild, drawing from real-world targets such as telco routers, firewalls, IP cameras, printers, and IP phones. We'll explore encryption schemes implemented across Linux and BSD derivatives, with decryption logic buried in bootloaders, kernel code, or even opaque self-update binaries.

Rather than just showcasing results, this session is built as a reversing adventure: starting with an opaque encrypted blob, we’ll trace a path through static and dynamic reverse engineering to uncover the decryption primitive and ultimately access the firmware's inner workings. We'll analyze the recurring patterns, common developer pitfalls, and the surprising creativity some vendors bring to the table.

Whether you're building firmware extraction pipelines or you're just in it for the puzzles, this talk will arm you with practical techniques and insights for taking back control of encrypted firmware.


We will demonstrate firmware decryption using unblob, a firmware extraction tool we've open sourced and have been maintaining since 2022.

Quentin Kaiser is a former penetration tester turned binary analysis nerd. He is currently the Lead Security Researcher at ONEKEY, where he focuses on binary exploitation of embedded devices and large-scale bug-finding automation across firmware corpora.

As part of his work, he maintains the firmware extraction tool unblob among other open-source tools such as jefferson, ubi-reader, or sasquatch.

He has published extensive research on offensive security for eCOS and maintains https://ecos.wtf, a resource hub dedicated to eCOS exploitation. He also (infrequently) updates his blog at https://quentinkaiser.be.
