From UART to Glitching: Master Hardware Hacking with PwnPad’s Modular Learning Lab
PwnPad is an affordable, hands-on Hardware Hacking Learning Platform created by TwelveSec, designed to guide learners through progressively advanced hardware security concepts, from PCB design and firmware extraction to side-channel attacks and glitching.
Key features include:
- A modular hardware board with multiple built-in challenges
- Covers essential hardware security topics:
  - UART, I²C, SPI communication
  - Firmware extraction and analysis
  - EEPROM dumping
  - Fault injection and glitching
  - Timing-based side-channel attacks
- Challenge selection via jumper pins — no need to reflash firmware
- Fully open-source, with schematics, firmware, and documentation available on GitHub
Target Audience
PwnPad is designed for learners at all levels:
- Developers — to understand how insecure hardware designs can be exploited
- Pentesters & security professionals — to sharpen offensive hardware security skills
- Students & hobbyists — to practice for CTF competitions and build a foundation in embedded systems security
- Educators & trainers — as a teaching tool for hands-on hardware security workshops
Why It Matters
Modern devices are deeply reliant on embedded hardware, and vulnerabilities at this level can compromise entire systems. PwnPad makes it possible to:
- Learn by doing, through practical, guided challenges
- Safely experiment with techniques used in real-world attacks
- Prepare for Capture The Flag (CTF) competitions and professional certification labs
- Gain hands-on experience with hardware security, an area often overlooked compared to software security
By making hardware exploitation affordable and approachable, PwnPad lowers the barrier to entry and helps grow the next generation of hardware security experts.
Challenges Overview
| # | Name | Topics | Description |
|---|---|---|---|
| 1 | Serial Snitch | #UART | Intercept and decode UART communication. |
| 2 | Echo Chamber | #UART | Intercept and decode UART communication, with security through obscurity. |
| 3 | Bus Whisperer | #I2C | Spy on I2C traffic to extract secrets. |
| 4 | Invisible Wires | #I2C | Attack I2C when slave devices are missing. |
| 5 | Code Heist | #SPI #ISP #Flash #UART | Dump and analyze firmware from flash. |
| 6 | Hard Leak | #SPI #ISP #EEPROM | Extract data from the internal EEPROM. |
| 7 | Power Trip | #FaultInjection #UART | Use glitching to bypass dead code statements. |
| 8 | Glitch Storm | #FaultInjection #UART | Use glitching to bypass password verification. |
| 9 | Clock Spy | #SideChannel #UART | Leak secrets using timing variations. |
| 10 | Tempo Leak | #SideChannel #UART | Leak secrets using timing variations with a twist. |
| 11 | Chaos Chain: Glitchgate | #FaultInjection #UART | Combine UART and glitch attacks to break in. |
| 12 | Chaos Chain: Timebomb | #UART #SideChannel | Combine UART and chain timing leaks to break in. |
| 13 | Pizza Order | #SPA #SideChannel | Use a basic oscilloscope to exfiltrate the password. |
| 14 | Ladybirds | #SWD #Reversing STM32 | Use an SWD debugger and patch the memory to access the safe. |
| 15 | Ladybird I Am Your Father | #JTAG #Reversing STM32 | Extract the firmware using JTAG and later patch the memory to access the safe. |