Released on January 1st 2016, the ESP32, the System-on-Chip (SoC) from Espressif Systems, quickly became popular in the IoT industry and among electronics hobbyists, thanks to its wireless connectivity, low power consumption and a free development framework supporting plenty of functions. Espressif is supporting a 12-year longevity commitment for the ESP32, and has already achieved its target of 100 million IoT chip shipments in January 2019 [1].

This SoC, based on the dual-core Xtensa LX6, contains built-in security features such as:

- Crypto-hardware accelerator. Hardware crypto accelerators are nowadays used to speed up cryptographic primitives like AES, SHA and even RSA, which are used by crypto libraries like ARM MbedTLS [2].
- Secure Boot. Secure Boot is the guardian of the authenticity and integrity of the firmware stored in the Flash memory.
- Flash encryption. Flash encryption is used to protect the confidentiality of the firmware, for example to avoid the loss of IP or the readout of persistent and sensitive data like Wi-Fi credentials in IoT devices [3].
- One Time Programmable (OTP) memory. The OTP memory, based on eFuses, is considered a Root-of-Trust that stores the security configuration and the secret AES-256 keys dedicated to the secure boot process and Flash encryption. This memory is R/W protected (obviously).

This talk presents, in a methodical way, how to defeat one by one the previously listed security features, having physical access to the device and using low-cost hardware techniques such as voltage glitching, analog side-channels, micro-soldering and reverse engineering (of course). To the best of my knowledge, built-in ESP32 security features such as Secure Boot and Flash Encryption were never broken until now. Defeating these protections on a popular platform such as the ESP32 should be considered a serious threat by all developers using the ESP32 as a main CPU platform, or even as a Wi-Fi/Bluetooth peripheral, in their final products.
Some of the discovered vulnerabilities cannot be patched without a silicon redesign, leading to a lot of vulnerable devices in the field for the coming years.

[1] - https://www.espressif.com/en/products/hardware
[2] - https://os.mbed.com/docs/mbed-os/v5.10/porting/hardware-accelerated-crypto.html
[3] - https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/