Posts
- Secure Boot Isn't "Just Turn It On" — What Embedded Engineers Actually Miss | April 14, 2026 | Engineering
Secure boot is a chain of trust, not a checkbox. Most embedded teams implement the first link (ROM verifies the bootloader) and stop. Under the EU Cyber Resilience Act, a half-implemented secure boot won't just be a security problem — it'll be a compliance problem with a 24-hour reporting clock.
- Reading JTAG Output When You've Locked Yourself Out | April 28, 2026 | Engineering
Fuses blown, debug disabled, and a brick on the bench. A walkthrough of the side-channels that still leak useful state — and the ones that don't.
- EU Cyber Resilience Act: What Every Embedded Engineer Should Know Before September 11, 2026 | May 5, 2026 | Compliance
The CRA reporting obligations land before the full essential-requirements regime. Here is the working engineer's read of what changes first and what to have on the bench.
- SBOM for Embedded Firmware: Why Your Python-Generated List Won't Pass a CRA Audit | May 12, 2026 | Compliance
A pip-freeze-style SBOM ignores half of what's in a firmware image: vendor blobs, ROM patches, RTOS forks, board-support packages. What an auditor will actually expect.
- Teardown: How the BadBox 2.0 Botnet Reached 10M Devices Through Pre-Installed Malware | May 19, 2026 | Teardown
A walk through the supply-chain path that put the same payload on a million unrelated Android TV boxes — and what the embedded equivalent looks like in your own factory line.
- CAN Bus Security: What 10 Years of Motor Control Taught Me About the Protocol's Weak Points | May 26, 2026 | Engineering
CAN was designed for trust between cooperating MCUs in a sealed enclosure. Every modern attack against it exploits the same assumption. Notes from a decade on the bench.