ZapZap! bangBang!

Presented at REcon 2017, June 16, 2017, 4 p.m. (60 minutes)

We present our process of defeating secure boot within a modern ARM-based IP phone, the Cisco 8861, using software-defined radio and our custom EMP generator as an illustrative vehicle to discuss the following contributions:

- Dissection of a set of (yet undisclosed) vulnerabilities found in Broadcom-implemented TrustZone execution environments.
- Our recent advancements in real-time tracking of the control flow of software running in modern embedded devices by sensing and analysing involuntary electromagnetic emanations.
- Our novel electromagnetic fault injection (EMFI) techniques, capable of reliably and predictably altering the computation of modern embedded devices through controlled application of electromagnetic pulses. We discuss the challenges and methods of achieving reliable control-flow modification in modern 1 GHz+ processors.
- Discussion of the hardware and software design of badFET, a low-cost programmable electromagnetic pulse generator. It is our hope to release badFET as an open-source project to democratize EMFI research. (badFET is currently functional, but due to the nature of the device, it can cause serious injury or death. We plan to open-source the EMP generator portion of badFET if/when we build sufficient safety features into its design.)
