Synth RCE, Router 0days, and Laser Glitches
ZeroDayCommission is a weekly, high-signal security briefing by OrbitCurve, focused on niche offensive and research-heavy domains: fault injection, MCU exploitation, µarch, hypervisors, compilers, embedded systems, and hardware reverse engineering. We curate for material you can use: new primitives, reproducible PoCs, practical lab setups, and techniques that transfer across targets. No fluff, just the week’s best links, what changed, and why it matters.
🥳
Use code VNCQ9KL1 at checkout for 5% off any product from FaultyHardware.de, makers of low-cost voltage injection kits for hands-on hardware security research. Great for anyone getting into glitching, secure boot bypass experiments, and fault injection lab work.
-> https://faultyhardware.de/en/
Byte Brief
Remote Code Execution in Yamaha Synthesizers - Security researcher and musician Anna Antonenko, aka porta, found that the Yamaha PSR-E433 accepts special MIDI messages that can lead to command execution. A rare intersection of music hardware, embedded parsing, and device exploitation. -> https://it4sec.substack.com/p/remote-code-execution-rce-in-yamaha
Laser Fault Injection on the TROPIC01 Open-Source Secure Element - Ledger Donjon used laser fault injection to bypass Ed25519 signature verification on the TROPIC01 secure element, reaching arbitrary firmware execution. Strong signal for secure element research, glitching, and physical attack realism. -> https://donjon.ledger.com/blog/tropic01-laser-fault-injection/
From Breaking Into My ISP Router to Finding a MediaTek Kernel 0day - A router exploitation chain that moves from consumer ISP hardware into a MediaTek kernel bug. Useful for researchers interested in router attack surfaces, firmware analysis, and vendor chipset reuse. -> https://www.hacefresko.com/posts/rce-on-isp-router-and-mediatek-0day
Now You See mi: Now You’re Pwned - TASZK Labs walks through exploiting and jailbreaking Xiaomi home security cameras. A strong embedded IoT target writeup with relevance to smart camera ecosystems, firmware trust boundaries, and post-exploitation research. -> https://labs.taszk.io/articles/post/nowyouseemi/
z386: An Open-Source FPGA 80386 Driven by Original Intel Microcode - An FPGA recreation of Intel’s 80386 that runs recovered original Intel microcode, boots DOS, runs DOS extenders, and plays Doom. Great material for anyone interested in microcode, ISA fidelity, and retro x86 hardware reconstruction. -> https://core-jmp.org/2026/05/z386-open-source-80386-fpga-microcode-rewrite/?no_cache=1
Reads and Resources
Designing Low-Side Capture Setups for Power Analysis on Embedded Targets - A practical guide to building power-analysis capture setups on arbitrary development boards without relying on specialized boards. Covers regulator bypassing, signal quality, and STM32F401 measurement considerations. -> https://faultpoint.com/posts/external-pa-setups-stm32f/
Breaking Hardware AES on the MSPM0G3507 - A side-channel attack on hardware AES-128 for the MSPM0G3507, moving from leakage modeling to full key recovery with 45.5k traces. Useful for SCA practitioners looking for target-specific methodology. -> https://bedri-zija.github.io/mspm0g3507-cpa
Easy Router Rev - A router reverse-engineering post focused on custom protocol analysis. A clean entry point for researchers working through embedded network devices and undocumented communication paths. -> https://faultpoint.com/posts/Easy-Router-Rev/
The Structure of .pyc Files - Ned Batchelder’s classic breakdown of Python bytecode cache files. Useful background for anyone interested in Python internals, reverse engineering Python artifacts, or writing tooling around bytecode formats. -> https://nedbatchelder.com/blog/200804/the_structure_of_pyc_files
Snake in UEFI, Part 1 - A low-level systems project that builds a game running before the operating system exists. Useful as a friendly entry into UEFI development, firmware execution environments, and pre-OS programming. -> https://hexaliker.fr/posts/part-1-snake-in-uefi/
POTAEbox: The Lost Pentest Dropbox - A build guide for a penetration testing dropbox designed around over-the-air and Ethernet access. Good inspiration for field devices, dropboxes, remote access hardware, and practical offensive infrastructure. -> https://www.whid.ninja/blog/potaebox-the-lost-pentest-dropbox
Assessing and Exploiting PLCs - A hardwear.io resource on PLC security assessment and exploitation. Relevant for researchers moving from consumer embedded devices into industrial control systems and OT attack surfaces. -> https://hardwear.io/assessing-and-exploiting-plcs/
The Secret Life of Circuits - lcamtuf’s electronics writing remains one of the best paths into analog and digital circuit intuition without overloading the reader with math. Useful foundation for hardware hackers who want to understand the board, not just probe it. -> https://lcamtuf.substack.com/p/the-secret-life-of-circuits
ME2 Writeup - A multidisciplinary project around reviving a forgotten USB interface. Interesting for hardware archaeology, USB protocol work, and reverse engineering abandoned or poorly documented devices. -> https://github.com/coremaze/ME2-Writeup
Ledger Hardware Implant - Grand Idea Studio’s hardware implant work is a useful reference point for physical supply-chain threat modeling, PCB-level inspection, and practical implant design considerations. -> https://grandideastudio.com/portfolio/security/ledger-hardware-implant/
How Kernel Anti-Cheats Work - A deep dive into modern Windows kernel anti-cheat systems: callbacks, kernel-level visibility, memory inspection, and how game protection products operate at high privilege. Useful for driver researchers and Windows internals people. -> https://s4dbrd.github.io/posts/how-kernel-anti-cheats-work/
Extracting Firmware from Devices Using JTAG - A practical introduction to using JTAG to extract firmware from physical devices. A strong starting point for hardware security researchers moving from software RE into board-level access. -> https://sergioprado.blog/2020-02-20-extracting-firmware-from-devices-using-jtag/
Analyzing SWTPM Logs with Wireshark - A TPM-focused walkthrough using Wireshark, open-source scripts, and Proxmox. Useful for understanding TPM packet dissection, trusted computing internals, and virtualization-adjacent security research. -> https://zetier.com/analyzing-swtpm-logs-with-wireshark/
Hacking an X-Ray Machine with WHIDelite and EvilCrowRF - WHID’s writeup on building a desktop X-ray inspection setup for PCB and hardware implant analysis. Useful for researchers interested in physical inspection workflows and lab-grade hardware RE. -> https://www.whid.ninja/blog/hacking-a-x-ray-machine-with-whidelite-evilcrowrf
Hacking a Keyboard for Fun and Profit: Can It Run Doom? - SySS takes apart the ASUS ROG Azoth keyboard, exploring its embedded features, OLED display, firmware behavior, and whether the device can be pushed far beyond normal keyboard functionality. -> https://blog.syss.com/posts/rog-azoth-will-it-run-doom/
AI-FI: Giving Claude Code Glitch Skills for Bypassing Secure Boot - Raelize explores using Claude Code in the context of glitching and secure boot bypass work. Important reading for anyone thinking about AI agents in physical security labs. -> https://raelize.com/blog/ai-fi-giving-claude-code-glitch-skills-for-bypassing-secure-boot/
HDD Firmware Hacking Part 1 - Ryan Miceli begins a hard-drive firmware hacking series covering how drives work and how to dump, reverse engineer, and modify firmware. Useful for storage firmware, embedded RE, and device internals research. -> https://icode4.coffee/?p=1465
Diving into the NVIDIA Jetson Nano Boot Process - A boot-chain-oriented look at NVIDIA Jetson Nano internals. Useful for embedded Linux, secure boot, and SoC startup research, and for anyone interested in how developer boards initialize before userspace. -> https://www.thegoodpenguin.co.uk/blog/diving-into-the-nvidia-jetson-nano-boot-process/
An Exercise in Dynamic Analysis - Yarden Shafir’s Windows Internals post on dynamic analysis. Useful for Windows researchers who want cleaner methodology around runtime inspection, debugging, and behavior-driven analysis. -> https://windows-internals.com/an-exercise-in-dynamic-analysis/
Tooling and More
PwnPad - An affordable hands-on hardware hacking platform with challenges covering key hardware security concepts, from PCB design to side-channel attacks. Strong teaching platform for practical embedded security. -> https://github.com/twelvesec/PwnPad
KAIST Hacking Lab - A lab hub for hacking research and education. Worth tracking for academic security material, projects, and course-style resources. -> https://kaist-hacking.github.io/
Applied Cryptography Course - University of Tartu’s applied cryptography course page. Useful for structured cryptography review, especially for security engineers moving between theory and implementation. -> https://courses.cs.ut.ee/2024/appcrypto/spring
Hackers of CypherCon: So You Want to Build Your Own Hacking Device - A talk on building custom hacking hardware. Useful inspiration for anyone designing portable security tools, dropboxes, or research devices. -> https://youtu.be/vfqqMfylNaY
Side-Channel Marvels - A GitHub organization collecting side-channel analysis projects and tooling. Good rabbit hole for SCA learners and practitioners looking for implementations and examples. -> https://github.com/SideChannelMarvels
Cryptocoding - Low-level cryptography software guidelines. Useful reference for constant-time coding, implementation discipline, and avoiding common crypto engineering mistakes. -> https://github.com/veorq/cryptocoding
Hardware Hacking SlideShare Search - A discovery link for hardware hacking slide decks, including tools, side channels, fault injection, secure boot, and embedded exploitation material. -> https://www.slideshare.net/search?searchFrom=header&q=hardware%20hacking
Tools of the Hardware Hacking Trade - A hardware hacking tools deck covering practical lab equipment and techniques. Useful as a checklist for building or upgrading a physical security lab. -> https://www.slideshare.net/slideshow/hta-w04toolsofthehardwarehackingtrade-final/47532507?from_search=5
KernelFault: R00ting the Unexploitable Using Hardware Fault Injection - A fault-injection slide deck focused on turning physical faults into exploitation primitives. Good bridge between theory and exploit impact. -> https://www.slideshare.net/slideshow/kernelfault-r00ting-the-unexploitable-using-hardware-fault-injection/83685873?from_search=0
Bypassing Secure Boot Using Fault Injection - A deck focused on fault injection against secure boot flows. Useful reference for threat modeling boot verification and glitch-sensitive trust decisions. -> https://www.slideshare.net/slideshow/bypassing-secure-boot-using-fault-injection/80940684?from_search=20
Hardware Security: Side-Channel Attacks - A RootedCON side-channel deck covering foundational SCA ideas. Useful for people entering power analysis and leakage-based attacks. -> https://www.slideshare.net/slideshow/eloi-sanfelix-hardware-security-side-channel-attacks-rootedcon-2011/7179878?from_search=35
Escalating Privileges in Linux Using Fault Injection - A deck on using fault injection to affect Linux privilege boundaries. Useful for thinking about where physical fault models meet operating system security. -> https://www.slideshare.net/slideshow/escalating-privileges-in-linux-using-fault-injection-fdtc-2017/80394770?from_search=52
Hardening Secure Boot on Embedded Devices for Hostile Environments - BlueHat IL material on secure boot hardening in embedded systems. Useful for defenders designing against physical attackers and unstable execution environments. -> https://www.slideshare.net/slideshow/blue-hat-il-2019-hardening-secure-boot-on-embedded-devices-for-hostile-environments/131206540?from_search=100#12
SideChannelKevin2600 - A BSides Vancouver side-channel deck. Good supporting material for researchers collecting references on leakage, measurement, and practical side-channel methodology. -> https://www.slideshare.net/slideshow/bsidesvancouver-2019-sidechannelkevin2600/137060686?from_search=236#3