Cipher Book Review, Issue E181

Microcontroller Exploits
by Travis Goodspeed

No Starch Press 2024.
ISBN 978-1-7185-0388-5 (This review is based on the hardcover edition)
Table of contents and sample chapter available on the No Starch Press page for Microcontroller Exploits

Reviewed by Richard Austin, 9/2/24

Microcontrollers are found in everything from credit cards and medical devices to the key fob for your car. And with such wide use, adversarial interest inevitably follows. Details of microcontroller (or firmware) exploits have been largely inaccessible to the general cybersecurity community, appearing only in conference proceedings or ephemeral literature such as forum or blog posts, "beer-stained napkins" used for illustrations and notes during an evening's discussion, etc. Goodspeed intends to change that by gathering the information and documenting the techniques in a single place (though he also includes an extensive bibliography).

The first thing that strikes one about the book is that it is meant to be used. It has a sturdy cover and quality paper that will survive day-to-day use and continuing reference. The pages have wide margins that, as Goodspeed notes in his introduction, are intended for your notes. There is even a bound-in bookmark.

The book is structured into an introduction followed by 25 numbered chapters that provide "in-depth explanations of either techniques or how to hack a specific chip" (p. 8). The following 9 lettered chapters describe classes of techniques: "More Bootloader Vulns", "More Debugger Attacks", etc., and tie them to specific targets.

In the introduction, Goodspeed defines a microcontroller as a single-chip computer that includes "some memory for a computer program, the barest minimum of a CPU to run that program, and enough RAM to store global variables, and maybe also a heap and call stack" (p. 7). Microcontrollers often include firmware "read data protection" (RDP) features intended to prevent extraction of the firmware for reverse engineering or unauthorized modification, and the book offers methods for defeating those protection features.

Chapter 1, "Basics of Memory Extraction", provides a quick overview of the basics involved in extracting firmware. The process begins with basic research on the target chip: datasheets (detailed information on a specific chip), family guide (chips are often part of a family of related chips), reference designs (illustrations of how the chip might actually be used in a design), and a working cross-compiler. The author provides sage advice that "only by first understanding how the chip would be programmed in a factory will you find the bug that dumps the firmware out" (p. 9). Or as the old security aphorism puts it: "If you don't know how it's supposed to work, how are you going to figure out how to make it break?"

Next comes a high-level tour of three common techniques that find many uses in later chapters. JTAG (named for its developer, the Joint Test Action Group) is a hardware protocol for debugging and failure analysis (described in greater detail in Chapter 8, "Basics of JTAG and ICSP"). Unfortunately, manufacturers may lock JTAG out in production chips, which requires the reverse engineer to bypass the lock before using JTAG to read out the firmware. "ROM Bootloaders" allow the devices to boot (load their firmware) from various sources. These bootloaders can be extracted, reverse engineered, modified or exploited (yes, firmware has exploitable vulnerabilities too, and they can be fiendishly difficult to patch and therefore linger for a long time) to form the basis for a technique to read out the firmware. "FLASH Bootloaders" are similar to the ROM bootloaders but reside in flash memory. Each of these general techniques is illustrated by applications in the following chapters.

The main part of the book follows with detailed explanations of how firmware can be extracted from specific chips. The index makes it easy to cross reference the chip part number to the relevant chapter of the book.

Because I'm an amateur radio operator, Chapter 3, "MD380 Null Pointer, DFU", caught my eye, as its target is the firmware for a handheld radio transceiver, the Tytera MD380. The STM32F405 chip in this radio is configured at RDP Level "1 with read protection."

Goodspeed begins by investigating the radio's implementation of the DFU (Device Firmware Update) protocol by performing a normal firmware update using the vendor's application running on a virtual machine, with the hypervisor instructed to write all USB traffic to a log file. He is able to identify the normal DFU commands but also some proprietary commands. Investigating those commands, he finds a null pointer vulnerability that allows reading of the flash bootloader. Using this information (and a lot of creativity and knowledge), he is able to reverse engineer the firmware recovery bootloader. He then patches the recovery bootloader to set the RDP level to "0 with No Protection" instead of "1 with Read Protection". After this, he can read the application firmware, modify it and write it back. That might be job done from an exploitation viewpoint, but if a normal user is going to install the modified firmware, they will need to be able to use the vendor's update program, which, in this case, expects to decrypt an encrypted firmware image before writing it to the device. There are a number of techniques available for encrypting data, and some are more difficult to break than others. One of Goodspeed's colleagues, Christianne Rutten, was able to determine that the vendor used an XOR against a firmware key to produce the cipher text. This simple-to-break encryption provided a means for altered firmware to be encrypted and loaded into the radio using the vendor's firmware update utility, and it gave rise to a community project to enhance the firmware for this radio (md380tools).
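To make concrete why an XOR against a fixed firmware key gives a product designer essentially no protection, here is an added illustration (not code from the book, from Goodspeed, or from the md380tools project; it does not reproduce the MD380's actual key, key length or image layout). It uses a constructed toy key and a constructed toy "firmware image" whose layout mimics what real images tend to contain: a small vector table, some code or strings, and a run of 0xFF erased-flash padding. The helper names (`xor_with_key`, `guess_period`, `recover_key_from_known_plaintext`, `demo`) are assumptions of this example.

```python
"""Why XOR with a repeating key does not protect a firmware image.

Added illustration; all data below is constructed. A repeating-key XOR is
its own inverse, so any region whose plaintext is predictable (a vector
table, a copyright string, erased-flash 0xFF padding) leaks the key bytes
at that position, and with the key in hand the whole image is readable
and re-encryptable. The real mitigation is a signature check on the
image, not a cleverer obfuscation.
"""
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR. Encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def guess_period(segment: bytes, max_len: int) -> int:
    """Smallest p (1..max_len) with segment[i] == segment[i + p] for all i.

    Over a region whose plaintext is constant (e.g. 0xFF padding) the
    ciphertext is just the key XOR 0xFF, repeated, so its period is the
    key length (or a divisor of it if the key itself repeats internally).
    """
    for p in range(1, max_len + 1):
        if all(segment[i] == segment[i + p] for i in range(len(segment) - p)):
            return p
    raise ValueError("no repeating period up to max_len")


def recover_key_from_known_plaintext(ciphertext: bytes, known_plain: bytes,
                                     offset: int, key_len: int) -> bytes:
    """Derive the full repeating key from key_len bytes of known plaintext.

    ciphertext[pos] == plaintext[pos] ^ key[pos % key_len], so each known
    plaintext byte at position pos yields key[pos % key_len].
    """
    if len(known_plain) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = ciphertext[pos] ^ known_plain[i]
    return bytes(key)


# Constructed toy firmware: 8 bytes standing in for an initial stack pointer
# and reset vector, a version string, then 64 bytes of erased-flash padding.
TOY_FIRMWARE = (bytes.fromhex("00500020c1010008")
                + b"Radio firmware v1.2 (toy)"
                + b"\xff" * 64)
# Constructed 16-byte key (not any vendor's key).
TOY_KEY = bytes.fromhex("8f1e2d3c4b5a69788796a5b4c3d2e1f0")
PAD_LEN = 64


def demo() -> tuple[bool, int]:
    """Break the toy scheme knowing only that the image ends in 0xFF padding.

    Returns (whether the recovered key decrypts the image exactly, the
    key length inferred from the padding region).
    """
    ct = xor_with_key(TOY_FIRMWARE, TOY_KEY)
    pad_offset = len(ct) - PAD_LEN
    # Step 1: the constant-plaintext padding region reveals the key period.
    key_len = guess_period(ct[pad_offset:], 32)
    # Step 2: known plaintext (0xFF) in that region yields every key byte.
    key = recover_key_from_known_plaintext(ct, b"\xff" * key_len, pad_offset, key_len)
    # Step 3: with the key, the entire image decrypts (and can be re-encrypted).
    return xor_with_key(ct, key) == TOY_FIRMWARE, key_len


if __name__ == "__main__":
    ok, n = demo()
    print(f"recovered key of length {n}; full image decrypted: {ok}")
```

The point for designers is that confidentiality of the image was never what stood between a user and a modified firmware load; as the review notes, the update utility accepted anything it could decrypt. Verifying a signature over the image inside the bootloader (with the public key in protected storage) is what actually prevents altered firmware from being installed, regardless of whether the image is also encrypted.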

This is both a fascinating and profoundly disturbing book. On the fascinating side, it is a cornucopia of great information. Simple perusal of the table of contents generated many "You can do that?" and, after reading the relevant chapter, "Wow, so that's how it's done!" moments. On the disturbing side, all that great and profoundly useful information is now gathered in one place and presented by a master. It also quickly becomes apparent that the bugs we chase in higher level software such as null pointers, backdoors, privilege escalation, etc., are all too present in firmware as well.

However, this is not a "type-along" book. Goodspeed provides an excellent roadmap, but you will still have to walk the road. To use the book to its full advantage, the reader should have experience with microcontrollers in general, a good grasp of debugging at the hardware level, and solid reverse engineering skills. Some of the techniques for de-capping chips for analysis require the use of dangerous chemicals, so Goodspeed's advice on safety equipment and procedures should be taken to heart.

Who should read this book? The general security community would benefit from at least giving it a cursory read to understand what is possible given the current state of the art in firmware exploitation. This will help in evaluating security assurance claims regarding "protected" firmware updates and the effectiveness of cryptographic protections for firmware, and in developing security requirements. Product designers would benefit from understanding the effectiveness of reverse engineering techniques, and this understanding should better inform their decisions on how to protect the firmware used in their products and how to assure users that the firmware on their devices is genuine. It should also raise the visibility of exploitable vulnerabilities in firmware and hopefully generate increased focus on their elimination. And finally, the community fascinated by how things work will find this an invaluable compendium of information for their own learning and further research.
Richard Austin is a former book review editor for IEEE-Cipher and though he is now retired, the occasional book does land on his desk that is of sufficient interest for him to try your patience yet again by contributing a review. He can be reached at raustin AT ieee DOT org