SA RIOT

SA-RIOT

Security Associate Researcher IoT

Prerequisites:
C/C++ and the will to learn
360 hours of lab time included

⚙️ Quick Start Guide

After your purchase, you’ll see the LIGHT / FULL button appear in the lower-right corner of the screen.
Remember to hit the hammer icon once you enter the page — that’s what deploys your lab environment.

The lab machine timers and controls are located in the bottom-right corner.

💡 LIGHT vs FULL

LIGHT → Preconfigured environment with most tools and examples ready to go. Perfect if you have limited time or just want to follow along smoothly.

FULL → Minimal container — a clean slate for those who want to build everything from scratch following our guide.

You can’t switch directly from LIGHT to FULL once deployed, but you can:

Change modules anytime.

Destroy your LIGHT environment and redeploy a FULL one.

Use SSH-FS to move files or progress between containers if needed.

✅ Quick Checklist

🌀 Shell shows double characters? → Just refresh the page.
🔐 Prefer SSH access? → Ask for it in Discord.
⚡ Connection hiccups? → Let us know in the #masterclass_gameboy channel.
🧰 User permissions: The docker user has sudo access for apt, service, dpkg, make, and make install.
🧠 XP points: Mostly calculated based on the commands you run.
🏆 Certification: Tag us on LinkedIn or X with a screenshot of one or more AFL crashes to claim your certificate.


You will have 360 hours to complete the course. You can pause the meter, and time is only deducted in ten-second intervals.

You will be able to buy spare hours if needed.

Each module has its own timer, and its time is subtracted from the 360-hour total.

This guarantees there is no rush.

SA-RIOT - Detailed Curriculum
01 🔍 QEMU+AFL = Vulnerabilities?

1. Is it so easy to find vulnerabilities?

• Downloading and installing AFL++
• Preparing a vulnerable VLC instance
• VLC exploit

2. Full-system fuzzing – introducing TriforceAFL

• Understanding full-system fuzzing concepts
• Installing TriforceAFL
• Setting up the fuzzing environment

3. Final Test

4. Further reading

5. Appendix

02 ⚙️ QEMU Primer

1. Adding a new CPU

2. Emulating an embedded firmware

3. Reverse engineering DMA peripherals

4. Emulating UART with Avatar2 for firmware debugging

5. Final Test

03 📱 Baseband Emulation

1. A crash course on mobile phone architecture

• Baseband
• Baseband CPU family
• Application processor and baseband interface
• A talk with Shannon
• A note on GSM/3GPP/LTE protocol specifications

2. Setting up FirmWire for vulnerability validation

• CVE-2020-25279 – emulator fuzzing
• CVE-2020-25279 – OTA exploitation

3. Final Test

04 🖥️ Router Emulation x86

1. OpenWrt on x86

2. Building the firmware

• Testing the firmware in QEMU
• Extracting and preparing the kernel

3. Fuzzing the kernel

4. Post-crash core dump triaging

05 💻 Router Emulation ARM32

1. Emulating the ARM architecture to run an OpenWrt system

2. Installing TriforceAFL for ARM

3. Running TriforceAFL in OpenWrt for ARM

4. Obtaining a crash

5. Final Test

Bonus: Evolving to recent harnesses

1. Using a more recent version of AFL++

2. Harnessing techniques

3. libqemu

4. Device trees, NAND and NOR flash

06 🍎 iOS 14/16 Emulation and Fuzzing of the iPhone 11

1. A brief history of iOS emulation

2. iOS basics

• What it takes to boot iOS
• Code signatures
• Plist files and entitlements
• Compiling binaries
• IPSW formats and research kernels

3. Setting up an iOS emulator

• Preparing the environment
• Building the emulator
• Boot preparation
• Booting iOS in QEMU

4. Preparing your harness to start fuzzing

5. Triforce's driver mod for iOS

6. Final Test

07 🤖 Android Emulation and Fuzzing

1. Introducing the Android OS and its architecture

• Android system architecture overview
• Understanding the Android stack
• Key components for fuzzing

2. Fuzzing Android libraries with Sloth

• Setting up the Sloth framework
• Targeting Android libraries
• Analysis and vulnerability discovery

3. Final Test

🏆 Certification Exam

🎯 Fuzzing
⚡ Basic Emulation
🔐 Vulnerability hunting