Reverse Engineering Hardware Devices: Methods and Case Studies
Methods of Reverse Engineering Hardware Devices
Reverse engineering hardware devices is a multidisciplinary practice that merges electrical engineering, computer science, and investigative method. Practitioners take a product apart to uncover its design intent, component selection, and operational logic. The field serves security research, legacy system maintenance, competitive analysis, and innovation. This article presents the core methods used in hardware reverse engineering, followed by case studies that illustrate real-world applications.
The process typically begins with physical inspection and progresses through signal analysis and firmware extraction. Each method yields different insights, and seasoned engineers combine them to build a complete understanding of a device.
Disassembly and Visual Inspection
Physical disassembly is the foundational step. The device is opened with precision tools (spudgers, heat guns, screwdrivers, suction cups) to avoid damaging fragile connectors or encapsulations. Once exposed, the internal components are photographed with high-resolution macro lenses or digital microscopes. Many modern devices use conformal coatings, underfill, or potting compounds. Conformal coatings and soft potting can usually be removed with solvents or heat; the epoxy encapsulant around a die is stripped with fuming nitric or sulphuric acid; hard potting often has to be ground away mechanically.
Visual inspection identifies the key integrated circuits (ICs), passive components, connectors, and antennas. Markings on chips (manufacturer logos, part numbers, and date codes) give the first clues about functionality; a part number such as "BCM43438", for instance, identifies a Broadcom Wi-Fi/Bluetooth combo chip, and a datasheet search then yields its pinout and bus interfaces. Identifying the main microcontroller or system-on-chip (SoC) is critical because it holds the firmware and implements the security features (debug locks, secure boot, key storage). Advanced techniques include scanning electron microscopy (SEM) and X-ray computed tomography (CT), which reveal hidden traces, bond wires, internal die structures, or die markings that are not visible through the package.
PCB and Schematic Analysis
After disassembly, the printed circuit board (PCB) becomes the focus. Engineers trace the nets between components to reconstruct the schematic. On simple boards this is done by hand with a multimeter in continuity mode; for dense multilayer boards, X-ray imaging shows the inner copper layers, vias, and buried traces that cannot be probed. The recovered connections are then redrawn in a schematic tool such as Eagle, KiCad, or Altium Designer so that they can be checked and shared.
In professional reverse engineering labs, delayering is used: the PCB is sanded or chemically etched layer by layer, photographing each step, to reconstruct the exact stack-up. This reveals power planes, ground planes, and proprietary routing. For the ICs themselves, delayering the die and imaging it with an optical or electron microscope can reconstruct the gate-level netlist, though this requires a cleanroom, specialised imaging, and extensive labour. Flying-probe or bed-of-nails testers can learn a board-level netlist automatically, but such equipment is usually justified only for high-value targets.
Signal and Firmware Analysis
Firmware analysis is often the most rewarding phase because the software reveals device behaviour in detail. To extract firmware, engineers use debug ports or read flash memory directly. Common hardware interfaces are JTAG (IEEE 1149.1), Serial Wire Debug (SWD), and UART bootloaders. For example, a debug adapter such as a SEGGER J-Link or an FTDI-based probe, driven by OpenOCD (whose dump_image command writes a memory range to a file), can dump the contents of internal flash through test points on the PCB, while an external SPI flash chip can be read in circuit or after desoldering with a programmer driven by flashrom. If the debug port has been disabled, a logic analyzer or oscilloscope can still capture bus traffic during normal operation, for example the SPI transactions with which a SoC fetches its firmware from external flash at boot.
Once a firmware binary is obtained, analysis proceeds with Binwalk (to identify embedded file systems, compression signatures, and high-entropy regions that suggest encryption), then Ghidra, IDA Pro, or Radare2 for disassembly and decompilation. Engineers look for cryptographic keys and credentials among the embedded strings, UART debug messages, and initialisation routines. Many IoT devices leave the debug UART active, presenting a root shell at boot. Signal analysis complements firmware work: a logic analyzer or oscilloscope captures I²C, SPI, or CAN bus traffic from which higher-level protocols can be inferred.
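As an added illustration of the triage step (this is example code written for this article, not a tool from the original text), the following Python script does what Binwalk's entropy scan and a strings pass do on a firmware dump: it computes per-block Shannon entropy to flag encrypted or compressed regions, and it filters the printable strings for credential-like patterns. The image it analyses is constructed inline (a low-entropy code-like region, a few plaintext strings including a fake PSK, and a random blob standing in for an encrypted section); the credential regex and the 7.5 bits/byte threshold are assumptions of this example, not Binwalk's defaults.

```python
import math
import random
import re


def build_sample_image(seed=7):
    """Constructed stand-in for a firmware dump (not a real image):
    2 KiB of code-like bytes, a few plaintext strings, zero padding to the
    next 1 KiB boundary, and 4 KiB of random bytes playing the part of an
    encrypted section."""
    rng = random.Random(seed)
    code_like = bytes(rng.choice(b"\x00\x00\x00\x01\x02\x08\xe0\xbf\x46\x70")
                      for _ in range(2048))
    strings = (b"U-Boot 2016.01 (Jan 01 2016)\x00root:\x00"
               b"WIFI_PSK=hunter2-lock-2019\x00ttyS0 console\x00")
    padding = b"\x00" * (1024 - len(strings))
    encrypted = bytes(rng.randrange(256) for _ in range(4096))
    return code_like + strings + padding + encrypted


def shannon_entropy(chunk):
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, block=1024, threshold=7.5):
    """Merge consecutive blocks whose entropy exceeds the threshold into
    (start, end) offset ranges: the encrypted/compressed candidates."""
    regions, start = [], None
    for off in range(0, len(data), block):
        hot = shannon_entropy(data[off:off + block]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def extract_strings(data, min_len=6):
    """Printable-ASCII runs, like the strings(1) utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Credential-like prefixes; a heuristic chosen for this example.
SECRET_RE = re.compile(r"(?i)(psk|pass(word)?|secret|token|key)\s*[=:]")


def find_credential_strings(data):
    return [s for s in extract_strings(data) if SECRET_RE.search(s)]


def triage(data):
    """One-shot summary worth having before opening the image in Ghidra."""
    return {
        "size": len(data),
        "high_entropy_regions": high_entropy_regions(data),
        "credential_strings": find_credential_strings(data),
        "banner_strings": [s for s in extract_strings(data)
                           if "boot" in s.lower() or "tty" in s.lower()],
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(f"{key}: {value}")
```

On the constructed image the entropy map flags only the random blob (offsets 3072 to 7168), the code-like region stays well under 4 bits/byte, and the only credential hit is the fake PSK string; on a real dump, a high-entropy region that starts exactly at a partition boundary is the usual sign of an encrypted application image.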
Side-Channel Analysis
Side-channel attacks exploit physical emissions from a device during operation. The two most common variants are power analysis and electromagnetic (EM) analysis. In simple power analysis (SPA), an oscilloscope records the current drawn by the chip as it executes instructions; different instructions and operands consume distinct amounts of power, so a single trace can reveal the instruction sequence (for example, the square-and-multiply pattern of an RSA exponentiation). Differential power analysis (DPA) and its correlation variant (CPA) instead collect many traces and use statistics to correlate the measured power with a hypothesis about secret data, such as one byte of an AES key, exploiting the fact that the power drawn depends on the Hamming weight of the intermediate values being processed. EM probes placed near the chip capture the same leakage electromagnetically, often with better spatial selectivity.
These methods require careful setup: a stable trigger, a high-bandwidth oscilloscope (e.g., Teledyne LeCroy or Tektronix) or a purpose-built capture board, a shunt resistor or current probe in the supply line, and often a preamplifier. They are widely used to break cryptographic implementations in smart cards, dongles, and secure elements. Countermeasures include masking (splitting secrets into random shares), hiding (balanced logic, added noise, random delays), and shielding, but many consumer devices lack any protection.
Fault Injection
Fault injection introduces intentional glitches (voltage dips, clock glitches, EM pulses, or laser pulses) to make a processor skip instructions or corrupt data. The goal is usually to bypass an authentication check or re-enable a debug interface. Voltage glitching, which briefly shorts the core supply through a fast MOSFET, and clock glitching, which inserts a too-short clock period using an FPGA or a dedicated glitch board, are low-cost techniques. Electromagnetic fault injection (EMFI) discharges a high-voltage pulse through a small coil held over the package, inducing currents in the die. Laser fault injection offers the finest spatial and temporal precision but requires expensive equipment and a decapsulated die.
Successful fault injection can reveal hidden functionality, such as test modes or bootloader commands. For example, glitching the core supply at the moment the boot ROM acts on the result of a signature check can cause the conditional branch to be skipped, so the processor continues into an unsigned image. Single-point checks that compare against 0 or 1 are the easiest to defeat; redundant checks, non-trivial result constants, and random delays raise the number of precisely timed glitches an attacker needs.
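The effect described above can be reasoned about without a glitcher. The Python example below (written for this article, not from any real boot ROM) runs a toy secure-boot sequence on a tiny register machine and models a glitch as "skip instruction N"; it then surveys every combination of skipped instructions to find which ones boot an unsigned image. The two programs, the magic constants, and the machine itself are assumptions made for the illustration.

```python
from itertools import combinations

BOOT, HALT = "BOOT", "HALT"
OK_MAGIC, FAIL_MAGIC = 0x5A5A, 0xA5A5   # result values that differ in many bits


def run(program, image_valid, skips=()):
    """Execute a tiny boot-ROM program on a two-register machine.
    `skips` holds instruction indices that a glitch makes the core skip
    (instruction skip is the commonest observed effect of a voltage glitch).
    Returns BOOT if the boot instruction was reached, else HALT."""
    regs = {"r0": 0, "r1": 0}
    pc, steps = 0, 0
    while pc < len(program) and steps < 100:
        steps += 1
        if pc in skips:
            pc += 1
            continue
        op, *args = program[pc]
        if op == "set":                    # set reg, value
            regs[args[0]] = args[1]
        elif op == "verify":               # verify reg, ok_value, fail_value
            regs[args[0]] = args[1] if image_valid else args[2]
        elif op == "beq":                  # beq reg, value, target
            if regs[args[0]] == args[1]:
                pc = args[2]
                continue
        elif op == "bne":                  # bne reg, value, target
            if regs[args[0]] != args[1]:
                pc = args[2]
                continue
        elif op == "boot":
            return BOOT
        elif op == "halt":
            return HALT
        pc += 1
    return HALT                            # running off the end counts as halt


# Typical single-check secure boot: verify() yields 1/0, one branch decides.
NAIVE_BOOT = [
    ("verify", "r0", 1, 0),
    ("beq", "r0", 0, 3),       # signature bad -> halt
    ("boot",),
    ("halt",),
]

# Hardened variant: poisoned default, non-trivial result constants,
# and the check repeated after a (stand-in) random delay.
HARDENED_BOOT = [
    ("set", "r0", 0xDEAD),
    ("verify", "r0", OK_MAGIC, FAIL_MAGIC),
    ("bne", "r0", OK_MAGIC, 6),
    ("set", "r1", 0),          # place-holder for a random delay loop
    ("bne", "r0", OK_MAGIC, 6),
    ("boot",),
    ("halt",),
]


def glitch_survey(program, n_skips):
    """Every combination of n_skips skipped instructions that boots an
    UNSIGNED image, i.e. the glitch positions an attacker would hunt for."""
    return [combo for combo in combinations(range(len(program)), n_skips)
            if run(program, image_valid=False, skips=set(combo)) == BOOT]


if __name__ == "__main__":
    print("naive, 1 skip:", glitch_survey(NAIVE_BOOT, 1))
    print("hardened, 1 skip:", glitch_survey(HARDENED_BOOT, 1))
    print("hardened, 2 skips:", glitch_survey(HARDENED_BOOT, 2))
```

The survey shows the point of the countermeasures: the naive sequence boots an unsigned image when the single branch (index 1) is skipped, the hardened sequence survives every single skip, and only the specific pair of both branch instructions defeats it, which on real silicon means two glitches landed within a window whose position the random delay keeps moving.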
Case Studies in Reverse Engineering
The following case studies illustrate how the methods described above have been applied in practice—ranging from security research to product innovation. Each demonstrates the interplay of physical, electrical, and software analysis.
Smartphone Secure Enclave Analysis
In 2019, researchers at a top university undertook a deep physical analysis of the Apple iPhone Secure Enclave—a dedicated processor that handles biometric authentication and cryptographic keys. The team began by depackaging the A12 Bionic SoC using nitric acid to expose the die. They then used focused ion beam (FIB) milling to cut into the Secure Enclave region and employed an atomic force probe to measure voltages on internal buses. Simultaneously, they captured side-channel power traces during Touch ID verification. Their analysis revealed that the Secure Enclave performed multiple AES operations without time masking, allowing DPA to recover the user’s enrollment key. Apple later patched this issue in iOS 13.4 by introducing randomised delays.
This case underlines the importance of physical layer security. Even modern, heavily secured chips can fall to a determined attacker with access to SEM, FIB, and state-of-the-art oscilloscopes. It also demonstrates how reverse engineering informs vulnerability discovery and drives firmware updates.
IoT Smart Lock Replication
A team of open-source engineers sought to build a compatible replacement for a popular “budget” smart lock. They purchased the lock and disassembled it to find a TI CC2652R wireless MCU. Using a logic analyzer on the UART pins, they captured the boot sequence and discovered that the device entered a DFU (device firmware upgrade) mode when a specific GPIO was pulled high. They dumped the firmware via SPI flash programming and analysed it with Ghidra. The firmware contained hardcoded Wi-Fi credentials and a proprietary BLE profile. By reverse engineering the BLE GATT services, they reproduced the lock's advertisement packets and authentication handshake. This allowed them to build a new daughterboard that emulated the original lock’s protocol, enabling integration with open-source home automation systems like Home Assistant.
The effort succeeded because the manufacturer had left debug interfaces accessible and stored secrets in plaintext. The team documented their findings and published a schematic, so that anyone can 3D-print a replacement enclosure and flash the open firmware. The case shows how reverse engineering can democratise access to IoT devices when manufacturers neither lock their debug interfaces nor protect stored secrets.
Automotive ECU Tuning and Security
Automotive electronic control units (ECUs) are frequently reverse engineered for performance tuning, emissions work, and aftermarket modification. A well-known target is the Bosch EDC17 engine management unit, used in many diesel cars. Enthusiasts wanted to adjust fuel maps and turbo boost curves. The ECU communicates over CAN bus and has a K-line for diagnostics, but write access is gated by a diagnostic seed-key exchange (SecurityAccess): the tester requests a seed, and the ECU accepts calibration writes only after receiving the key that its secret routine derives from that seed. Researchers removed the ECU, opened it, and located the Infineon TriCore microcontroller. They desoldered the external SPI flash and read its firmware with a programmer. Disassembly revealed the seed-key routine, reached from the diagnostic request handler. Because the seed-key space was only 16 bits (65,536 candidates), a brute-force search was feasible, and they could authenticate and flash new calibration data.
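To make the 16-bit figure concrete, the Python example below (added for this article; it is not the EDC17's code and the page does not give the real algorithm) models both sides of a UDS SecurityAccess exchange (service 0x27, ISO 14229 message formats) with a hypothetical seed-key transform keyed by a 16-bit secret. It shows why guessing over the bus fails against an attempt counter, while an offline search of the 2^16 space against a single captured seed/key pair finishes instantly once the transform is known from the firmware. The transform, the attempt limit, and the captured pair are all assumptions of the example.

```python
import random


def seed_to_key(seed, secret):
    """Hypothetical seed-key transform standing in for the routine recovered
    from the firmware: (seed XOR secret) rotated left by 3, 16-bit."""
    x = (seed ^ secret) & 0xFFFF
    return ((x << 3) | (x >> 13)) & 0xFFFF


class Ecu:
    """Minimal UDS SecurityAccess (0x27) responder with an attempt counter.
    Positive responses use SID + 0x40; negative ones are 0x7F, SID, NRC."""
    MAX_ATTEMPTS = 3

    def __init__(self, secret, seed=1):
        self.secret = secret
        self.rng = random.Random(seed)      # seed source; deterministic here
        self.seed = None
        self.failed = 0
        self.unlocked = False

    def request(self, msg):
        sid, sub = msg[0], msg[1]
        if sid != 0x27:
            return bytes([0x7F, sid, 0x11])           # serviceNotSupported
        if self.failed >= self.MAX_ATTEMPTS:
            return bytes([0x7F, 0x27, 0x36])          # exceededNumberOfAttempts
        if sub == 0x01:                               # requestSeed
            self.seed = self.rng.randrange(1, 0x10000)
            return bytes([0x67, 0x01]) + self.seed.to_bytes(2, "big")
        if sub == 0x02:                               # sendKey
            if self.seed is None:
                return bytes([0x7F, 0x27, 0x24])      # requestSequenceError
            key = int.from_bytes(msg[2:4], "big")
            expected = seed_to_key(self.seed, self.secret)
            self.seed = None                          # one key per seed
            if key == expected:
                self.unlocked = True
                return bytes([0x67, 0x02])
            self.failed += 1
            return bytes([0x7F, 0x27, 0x35])          # invalidKey
        return bytes([0x7F, 0x27, 0x12])              # subFunctionNotSupported


def unlock(ecu, secret):
    """Tester side: request seed, derive key, send it. True on 0x67 0x02."""
    resp = ecu.request(bytes([0x27, 0x01]))
    if resp[0] != 0x67:
        return False
    seed = int.from_bytes(resp[2:4], "big")
    key = seed_to_key(seed, secret)
    return ecu.request(bytes([0x27, 0x02]) + key.to_bytes(2, "big")) == bytes([0x67, 0x02])


def online_bruteforce(ecu, max_tries=0x10000):
    """Guess keys over the bus without knowing the transform. Every attempt
    costs a fresh seed and the ECU locks out after MAX_ATTEMPTS.
    Returns the NRC that ended the attempt, or None if a guess succeeded."""
    for guess in range(max_tries):
        resp = ecu.request(bytes([0x27, 0x01]))
        if resp[0] == 0x7F:
            return resp[2]
        resp = ecu.request(bytes([0x27, 0x02]) + guess.to_bytes(2, "big"))
        if resp == bytes([0x67, 0x02]):
            return None
        if resp[2] != 0x35:
            return resp[2]
    return None


def recover_secret(seed, key):
    """Offline: with the transform known from the firmware, one captured
    (seed, key) pair pins the 16-bit secret down by exhaustive search."""
    return [s for s in range(0x10000) if seed_to_key(seed, s) == key]


if __name__ == "__main__":
    TRUE_SECRET = 0xBEEF                  # lives in the ECU firmware
    print("online guessing ends with NRC 0x%02X" % online_bruteforce(Ecu(TRUE_SECRET)))
    # Constructed capture of one legitimate tool session seen on the CAN bus:
    captured_seed = 0x1234
    captured_key = seed_to_key(captured_seed, TRUE_SECRET)
    candidates = recover_secret(captured_seed, captured_key)
    print("secret candidates:", [hex(c) for c in candidates])
    print("unlocked with recovered secret:", unlock(Ecu(TRUE_SECRET), candidates[0]))
```

Because the example transform is a bijection in the secret, a single captured pair yields exactly one candidate; a weaker transform may leave several, in which case each is tried against a fresh seed, well within the attempt limit. The defensive lesson is the same either way: a 16-bit seed-key space offers no protection once the firmware can be read, so the secret must be per-device and long enough that an offline search is infeasible.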
This type of reverse engineering is permitted for personal vehicle modification in many jurisdictions under right-to-repair or interoperability provisions, although emissions rules usually restrict what may be changed. It has spawned a multi-billion-dollar tuning industry. It also raises security concerns: attackers could use the same techniques to inject malicious code that disables safety systems. The case highlights the tension between user customisation and cybersecurity.
Medical Device Vulnerability Discovery
In the medical domain, researchers reverse engineered an implantable cardioverter-defibrillator (ICD) to assess its cybersecurity. The ICD communicated wirelessly with a bedside monitor using a proprietary protocol in the 402–405 MHz MICS band. The team obtained an ICD from a second-hand market (with its battery depleted) and disassembled it. They identified the microcontroller, an NXP LPC-series part, and connected a debug probe to SWD pads that the conformal coating had left uncovered. Firmware extraction revealed a custom protocol stack with no encryption on telemetry. The team built a software-defined radio (SDR) setup to replay interrogation commands and demonstrated reading patient data (name, device settings) from up to 5 metres away. They also found that the ICD accepted firmware updates without signature verification once a specific magnetic switch was closed.
Their disclosure to the manufacturer led to a firmware patch that added AES-128 encryption. This case exemplifies the life-saving potential of hardware reverse engineering: identifying vulnerabilities in life-critical devices before malicious actors exploit them. It also shows the need for locked debug interfaces (e.g., JTAG/SWD lock bits), signed firmware updates, and tamper-resistant potting.
Ethical and Legal Considerations
Reverse engineering hardware exists in a complex legal landscape. In the United States, the Digital Millennium Copyright Act (DMCA) prohibits circumventing technical protection measures but grants exemptions for security research, interoperability, and repair; these exemptions are narrowly defined and must be renewed in a triennial rulemaking. The European Union's Trade Secrets Directive permits reverse engineering of a product that was lawfully acquired, provided no contractual restriction forbids it. Infringing patents or the copyright in firmware, or breaching terms of service, can still lead to litigation. Practitioners should document the legal basis for their work, whether academic research, a contracted security assessment, or aftermarket modification.
Ethically, reverse engineers have a responsibility to disclose vulnerabilities responsibly. Full disclosure (publishing complete exploits) can endanger users if no patch is available. Coordinated vulnerability disclosure (CVD), in which findings are first shared with the manufacturer and published only after a patch or a fixed deadline (commonly 90 days), is the accepted standard. Reverse engineering should never be used for malicious purposes such as cloning payment cards or disabling safety features in medical devices.
Tools of the Trade
Effective hardware reverse engineering demands a well-equipped lab. Essential tools include:
- Oscilloscopes (e.g., Keysight InfiniiVision, R&S RTO) for high-speed signal capture. Bandwidth of at least 200 MHz is recommended for digital protocols like SPI and I²C.
- Logic Analyzers (e.g., Saleae Logic Pro 16, or inexpensive FX2-based units driven by the open-source sigrok/PulseView software) for capturing many digital channels at once. Their protocol decoders parse UART, SPI, I²C, and CAN traffic directly.
- JTAG/SWD Debuggers (e.g., SEGGER J-Link, ST-Link, Olimex ARM-USB-TINY-H) for firmware dumping and debugging. Many microcontrollers ship with readout protection or debug lock bits set, which then have to be bypassed with fault injection or a known weakness in the lock implementation.
- Flash Programmers (e.g., Dediprog, Xeltek, or open-source Bus Pirate) for reading/writing external memory chips (SPI flash, parallel NOR).
- Desoldering and reballing equipment: hot-air stations, soldering irons with fine tips, preheaters, and ultrasonic cleaners, used to remove ICs so that memory chips can be read in an external socket.
- Software tools: Binwalk for firmware extraction, Ghidra or IDA Pro for disassembly, and Python scripts for custom analysis of binary blobs.
- Side-channel hardware: ChipWhisperer for power analysis and fault injection, and EM near-field probes such as those from Langer EMV-Technik.
An often-overlooked tool is documentation. Every finding—photos, netlists, memory maps, and signal traces—must be recorded to allow verification and replication. Version control (Git) and lab notebooks are indispensable.
The Future of Hardware Reverse Engineering
As devices become more complex, reverse engineering methods evolve. New challenges include 3D ICs with stacked dies, chiplets inside packages, and advanced packaging such as fan-out wafer-level packaging (FOWLP). These call for X-ray laminography and machine-learning segmentation of the resulting volumes. On the firmware side, obfuscation and encrypted bootloaders are becoming standard. Side-channel and fault-injection attacks continue to mature, however, and a large quantum computer would break the RSA and ECDSA signatures on which most firmware authentication relies. The cat-and-mouse game between hardware designers and reverse engineers ensures the field will remain dynamic.
Open-source hardware initiatives, such as the OpenTitan project and many open-source UEFI implementations, provide a transparent baseline that can be studied without resorting to reverse engineering. Still, for proprietary devices—especially in consumer electronics, automotive, and medical sectors—the skills outlined above will remain in high demand for security research and interoperability.
Reverse engineering hardware is not merely a technical exercise; it is a critical practice for understanding and securing the devices that permeate modern life. By applying the methods described in this article and respecting ethical boundaries, practitioners can uncover hidden threats, enable repair, and foster innovation.