About vs. Demo: This demo folder now uses a standardized launch page. Start with About Demo, then choose the run mode that fits your class.

Cybersecurity • Browser • 20-30 min

Embedded Firmware Exploit Wokwi

A browser-based firmware security lab using Wokwi's Raspberry Pi Pico simulation. Students can practice embedded security techniques without any hardware.

▶ Open in Wokwi Simulator
Ready to start

Lab Overview

This lab demonstrates common firmware security vulnerabilities in IoT devices. The simulation runs entirely in your browser using Wokwi's cloud-based emulator.

Lab Exercises

Exercise 1: Hardcoded Secrets

Find the hardcoded API key in the firmware source code.

API_KEY = "IoT-Security-Key-2024-SECRET"
Difficulty: Easy

Exercise 2: Buffer Overflow

Exploit the vulnerable serial command handler.

void handle_command(char* input) {
    char buffer[32];
    strcpy(buffer, input);  // Vulnerable!
}
Difficulty: Medium

Exercise 3: Unencrypted Storage

Access the EEPROM to extract stored credentials.

Difficulty: Medium

Exercise 4: Debug Interface

Enable the disabled debug console for information disclosure.

Difficulty: Hard

How to Use

  1. Click "Open in Wokwi Simulator" to launch the simulation
  2. Use the serial monitor to interact with the firmware
  3. Examine the source code files in the left panel
  4. Complete each exercise by finding the vulnerability
  5. Check your answers against the solution guide
🔓 Solution Guide (click to reveal)

Exercise 1 Solution

Open secrets.h to find the hardcoded API key.

Exercise 2 Solution

In main.c, the handle_command() function uses strcpy() without bounds checking. Send a string longer than 32 characters to trigger overflow.

Exercise 3 Solution

Use the EEPROM viewer in Wokwi or run: EEPROM.read(0) to read stored credentials.

Exercise 4 Solution

Set DEBUG_MODE = 1 in config.h and upload the modified firmware.

Standard demo guide

Use this demo in a logical learning sequence

Starts immediately in browser with no installs, no API keys, and classroom-safe defaults.

What this demo is about

A browser-based firmware security lab using Wokwi's Raspberry Pi Pico simulation. Students can practice embedded security techniques without any hardware.

Learning objectives

  • Explain the main cyber decision that Embedded Firmware Exploit Wokwi is designed to support.
  • Change input assumptions and predict how the output should respond before running the demo.
  • Interpret the result in plain language, not just as a number, chart, or AI recommendation.

Run mode and expectations

  • Supported modes: Browser
  • Starts immediately in browser with no installs, no API keys, and classroom-safe defaults.

Step 1: Inputs

  • Start with the default assumptions, then change one variable at a time so students can isolate cause and effect.
  • Treat each input as a lever that changes the scenario, baseline, or business context behind the result.

Step 2: Decision buttons

  • Use the main run or simulate action to compute the scenario after inputs are set.
  • Use export or reset actions, when present, to compare runs or return to a classroom-safe baseline.

Step 3: Outputs and what to notice

  • Read the top-line result first, then look for supporting metrics, tables, or narratives that explain why it changed.
  • Students should explain whether the output is descriptive, predictive, simulated, or recommended.
  • Look for firmware behavior, input boundary, and failure mode
  • Observe how constrained inputs can still create unsafe system behavior

Available run modes

  • Browser: available for this demo.

How to proceed

  1. Choose the run mode that fits the class: Browser.
  2. Review the default assumptions before changing anything.
  3. Change one or two inputs, then use `Run the main action`.
  4. Read the output first, then compare any supporting metrics, charts, or AI text.
  5. Capture one insight, one limitation, and one action recommendation.