1 00:00:02,570 --> 00:00:06,439 given the choice between being right 2 00:00:04,760 --> 00:00:08,090 before lunch and right after lunch I 3 00:00:06,439 --> 00:00:10,280 always go over right before lunch 4 00:00:08,090 --> 00:00:11,719 because then like arrows really excited 5 00:00:10,280 --> 00:00:13,250 in your talk instead of all I sleep in 6 00:00:11,719 --> 00:00:17,029 it because that's what I do after lunch 7 00:00:13,250 --> 00:00:19,340 so I have to apologize I have a slightly 8 00:00:17,029 --> 00:00:22,189 hoarse voice my kids were sick three 9 00:00:19,340 --> 00:00:24,020 weeks ago and still I have a hoarse 10 00:00:22,189 --> 00:00:26,290 voice and it didn't help that I've been 11 00:00:24,020 --> 00:00:32,210 speaking the past three day four days so 12 00:00:26,290 --> 00:00:35,510 here I am this is seven armor hacks for 13 00:00:32,210 --> 00:00:40,460 seven GBP Great Britain's I repeat it 14 00:00:35,510 --> 00:00:46,220 today our own food bread with BP BP rich 15 00:00:40,460 --> 00:00:50,440 pounds what in seven pounds seven bucks 16 00:00:46,220 --> 00:00:53,750 seven dollars good work boys hey boys 17 00:00:50,440 --> 00:00:58,629 seven good work points will get you a 18 00:00:53,750 --> 00:01:01,250 bunch of hyrax so let's get on with this 19 00:00:58,630 --> 00:01:04,939 where's my there's no my pictures on 20 00:01:01,250 --> 00:01:07,970 here I'm Joe Fitzpatrick I do our 21 00:01:04,938 --> 00:01:10,520 marketing and training and I have been 22 00:01:07,970 --> 00:01:13,190 doing this for six years on my own prior 23 00:01:10,520 --> 00:01:17,929 to that I worked at until the company 24 00:01:13,190 --> 00:01:21,229 about the community and I was working on 25 00:01:17,930 --> 00:01:23,720 a silicon debug so always use they come 26 00:01:21,229 --> 00:01:24,950 off the line figuring out why they don't 27 00:01:23,720 --> 00:01:27,260 work when they don't work and how to 28 00:01:24,950 --> 00:01:29,330 make all's been faster from that I 
moved 29 00:01:27,260 --> 00:01:32,330 into product security so I was doing 30 00:01:29,330 --> 00:01:35,630 God's desktop and server CPU pen testing 31 00:01:32,330 --> 00:01:38,630 pre pre-release pre silicon and masovia 32 00:01:35,630 --> 00:01:40,100 I got more of that and wanted to travel 33 00:01:38,630 --> 00:01:46,630 a lot more so I decided to start 34 00:01:40,100 --> 00:01:50,060 teaching classes to Ron's and people so 35 00:01:46,630 --> 00:01:51,439 Gordon and Omega and others have haven't 36 00:01:50,060 --> 00:01:54,590 told me many times that I should come 37 00:01:51,439 --> 00:01:56,689 here to degree station for several 38 00:01:54,590 --> 00:01:58,689 layers and so I might actually be here 39 00:01:56,689 --> 00:02:01,419 finally I just so happening tonight 40 00:01:58,689 --> 00:02:03,548 class this weekend Edinboro so I have an 41 00:02:01,420 --> 00:02:05,560 excuse to the eros excited it happened 42 00:02:03,549 --> 00:02:07,119 to be the same week so I'm leaving up 43 00:02:05,560 --> 00:02:09,190 were taking varsity this is right off of 44 00:02:07,119 --> 00:02:11,200 a little search help thing that Google 45 00:02:09,190 --> 00:02:13,329 gives you and I was pretty excited to 46 00:02:11,200 --> 00:02:16,780 see notable alumni there I am right at 47 00:02:13,330 --> 00:02:21,310 the beginning this is before I agree my 48 00:02:16,780 --> 00:02:23,799 hair I actually have a Google Alert on 49 00:02:21,310 --> 00:02:27,810 my name so I can see like when things 50 00:02:23,799 --> 00:02:29,739 pop up quick and I get a lot of hits for 51 00:02:27,810 --> 00:02:31,810 members of Scottish Parliament and 52 00:02:29,739 --> 00:02:33,040 health ministers who have lots of things 53 00:02:31,810 --> 00:02:34,599 to say about organ donation and 54 00:02:33,040 --> 00:02:36,370 everything else but it's kind of neat 55 00:02:34,599 --> 00:02:40,030 because you know Joey Joe Fitzpatrick is 56 00:02:36,370 --> 00:02:42,459 always in the news but what 
I'm gonna 57 00:02:40,030 --> 00:02:43,930 talk about is poverty and tools for 58 00:02:42,459 --> 00:02:47,920 hardware hacking anybody seen this 59 00:02:43,930 --> 00:02:51,730 before what is it who loves the bus 60 00:02:47,920 --> 00:02:54,099 pardon I eat my spire can't stand it so 61 00:02:51,730 --> 00:02:56,590 about ten years ago or so when it came 62 00:02:54,099 --> 00:02:58,599 out it was pretty cool you could infer I 63 00:02:56,590 --> 00:03:01,180 think it's 30 35 bucks I don't know what 64 00:02:58,599 --> 00:03:04,649 it is in your money or we're not getting 65 00:03:01,180 --> 00:03:04,650 your money in a month because who knows 66 00:03:05,190 --> 00:03:11,019 but for $35 you have this little device 67 00:03:08,139 --> 00:03:13,150 without a micro controller on it this 68 00:03:11,019 --> 00:03:17,510 one right here the usb-to-serial 69 00:03:13,150 --> 00:03:19,549 chip and then right next to it this 70 00:03:17,510 --> 00:03:22,310 is a pic microcontroller and that pic 71 00:03:19,549 --> 00:03:23,750 microcontroller would basically speak 72 00:03:22,310 --> 00:03:25,250 all sorts of different protocols that 73 00:03:23,750 --> 00:03:27,829 you might want to speak it could listen 74 00:03:25,250 --> 00:03:29,750 and tell you a ratio of cable what's 75 00:03:27,829 --> 00:03:31,220 going on it was designed so you wouldn't 76 00:03:29,750 --> 00:03:33,110 have any software under computer you 77 00:03:31,220 --> 00:03:36,769 could just use a serial terminal and 78 00:03:33,110 --> 00:03:37,400 talk to this thing so at the time it was 79 00:03:36,769 --> 00:03:39,409 pretty awesome 80 00:03:37,400 --> 00:03:41,090 there was no other tool that would do 81 00:03:39,409 --> 00:03:44,149 some other things for that for even 82 00:03:41,090 --> 00:03:45,829 close to that price range if you want to 83 00:03:44,150 --> 00:03:47,629 do anything anything fancy looking at 84 00:03:45,829 --> 00:03:49,970 the signals or observe things you need 85 00:03:47,629 
--> 00:03:52,370 something like this fancy Windows XP 86 00:03:49,970 --> 00:03:54,590 running logic analyzer right these 87 00:03:52,370 --> 00:03:55,879 things are you know if you're a student 88 00:03:54,590 --> 00:03:58,099 at a university and you have an extra 89 00:03:55,879 --> 00:03:59,810 lab you might have access twenties but 90 00:03:58,099 --> 00:04:01,488 if you didn't you had to beg your 91 00:03:59,810 --> 00:04:03,379 friends or find someone I wouldn't work 92 00:04:01,489 --> 00:04:05,209 or something else together your hands-on 93 00:04:03,379 --> 00:04:07,370 with these devices because they cost you 94 00:04:05,209 --> 00:04:11,209 know thousands if not tens of thousands 95 00:04:07,370 --> 00:04:13,069 of pounds or euros or quid or dollars or 96 00:04:11,209 --> 00:04:15,200 whatever but something on that order of 97 00:04:13,069 --> 00:04:16,849 magnitude probably even higher on like 98 00:04:15,200 --> 00:04:18,469 wasn't Zimbabwe dollars it was probably 99 00:04:16,850 --> 00:04:24,289 like you know a few a few trillion 100 00:04:18,470 --> 00:04:26,240 Zimbabwe dollars anyway recently there's 101 00:04:24,289 --> 00:04:29,449 been these new tools these Sayle a logic 102 00:04:26,240 --> 00:04:30,889 analyzers and this is about an inch and 103 00:04:29,449 --> 00:04:33,139 a half two inches or what's that you 104 00:04:30,889 --> 00:04:35,150 know five centimeters on the side these 105 00:04:33,139 --> 00:04:37,220 tiny little devices they have a bunch of 106 00:04:35,150 --> 00:04:39,679 wires these are logic analyzers that can 107 00:04:37,220 --> 00:04:42,039 hook up to your signals so these things 108 00:04:39,680 --> 00:04:44,810 cost closer to about a hundred dollars 109 00:04:42,039 --> 00:04:47,659 right so we have a big difference in our 110 00:04:44,810 --> 00:04:49,780 tools but still 35 dollars for a bus 111 00:04:47,660 --> 00:04:51,979 parent it's kind of the best way to go 112 00:04:49,780 --> 00:04:55,489 logic analyzers on 
bench top it makes 113 00:04:51,979 --> 00:04:55,969 sense PCB ones suddenly sorry PC based 114 00:04:55,490 --> 00:04:57,949 ones 115 00:04:55,970 --> 00:05:00,710 suddenly make things a whole lot more 116 00:04:57,949 --> 00:05:03,380 accessible so I'm gonna be using this 117 00:05:00,710 --> 00:05:08,270 board for quite some time this is a made 118 00:05:03,380 --> 00:05:09,710 by Adafruit and that's a company in the 119 00:05:08,270 --> 00:05:11,990 high states that that builds these like 120 00:05:09,710 --> 00:05:13,609 hobbykid puppy more things what's 121 00:05:11,990 --> 00:05:16,750 important though is on top of here is 122 00:05:13,610 --> 00:05:20,260 the FT 232 H chip right 123 00:05:16,750 --> 00:05:22,630 and empty the company name FTDI 232 124 00:05:20,260 --> 00:05:25,270 comes from rs-232 because these things 125 00:05:22,630 --> 00:05:26,710 used to speak rs-232 and not just H 126 00:05:25,270 --> 00:05:28,810 because this thing is the high speed 127 00:05:26,710 --> 00:05:30,820 version and can do more than just parts 128 00:05:28,810 --> 00:05:32,710 232 it can do chain ten again can do spy 129 00:05:30,820 --> 00:05:34,270 they can do all sorts of things and 130 00:05:32,710 --> 00:05:36,849 we'll see that they you can even sample 131 00:05:34,270 --> 00:05:38,289 and output Dana and up to 30 megabits 132 00:05:36,850 --> 00:05:41,440 per second which is would be asking for 133 00:05:38,290 --> 00:05:42,640 a chip that cost at least in the US 134 00:05:41,440 --> 00:05:44,020 would cost 15 dollars 135 00:05:42,640 --> 00:05:45,580 who knows where it costs here maybe 136 00:05:44,020 --> 00:05:51,690 maybe in here you can get them here for 137 00:05:45,580 --> 00:05:56,650 under 15 euro oh yeah 138 00:05:51,690 --> 00:05:58,690 so anyway I said 7 pounds that are 7 139 00:05:56,650 --> 00:06:01,150 good point points right and absolute 140 00:05:58,690 --> 00:06:03,730 more but luckily you can go to all they 141 00:06:01,150 --> 00:06:05,560 
express which is this you know warehouse 142 00:06:03,730 --> 00:06:07,570 of everything you ever wanted to not 143 00:06:05,560 --> 00:06:09,730 work from China or everything everything 144 00:06:07,570 --> 00:06:11,169 you you would want from China but would 145 00:06:09,730 --> 00:06:13,870 hope to be a slightly better quality 146 00:06:11,169 --> 00:06:16,060 than their actual gonna get it for seven 147 00:06:13,870 --> 00:06:18,100 dollars and forty four cents you can get 148 00:06:16,060 --> 00:06:20,380 these things and like at least for me 149 00:06:18,100 --> 00:06:22,090 it's dates until about six months ago 150 00:06:20,380 --> 00:06:23,950 they're never there really wasn't a lot 151 00:06:22,090 --> 00:06:25,330 of duties tariffs on stuff coming to 152 00:06:23,950 --> 00:06:27,159 China I don't know if you follow the 153 00:06:25,330 --> 00:06:29,380 news but there's a full framework thing 154 00:06:27,160 --> 00:06:32,440 going on and like tariffs and all that 155 00:06:29,380 --> 00:06:37,479 crap but I think you guys got your own 156 00:06:32,440 --> 00:06:39,130 news to deal with so I understand so 7 157 00:06:37,479 --> 00:06:40,780 paths have a good point points or 7 158 00:06:39,130 --> 00:06:42,460 dollars you can get forward it's based 159 00:06:40,780 --> 00:06:44,409 on the same chip and some when we talk 160 00:06:42,460 --> 00:06:46,060 about things that we're gonna do we're 161 00:06:44,410 --> 00:06:48,910 not dealing with the door doesn't matter 162 00:06:46,060 --> 00:06:50,950 eyes purple or blue or red or anything 163 00:06:48,910 --> 00:06:53,560 else we're gonna use USB to talk 164 00:06:50,950 --> 00:06:57,370 directly to that ship and use that ship 165 00:06:53,560 --> 00:06:59,260 to talk directly to tires right so I 166 00:06:57,370 --> 00:07:01,960 thought it'd be pretty cool since like I 167 00:06:59,260 --> 00:07:04,780 use this chimp so much I contacted FDI 168 00:07:01,960 --> 00:07:06,640 FTDI that occurs in Glasgow so I 
said 169 00:07:04,780 --> 00:07:10,150 hey I'm teaching how many have a 170 00:07:06,640 --> 00:07:11,740 presentation at a university in in 171 00:07:10,150 --> 00:07:13,539 Scotland and I thought maybe you guys 172 00:07:11,740 --> 00:07:15,430 would donate a whole bunch of cable so I 173 00:07:13,540 --> 00:07:17,669 could give him out after conference and 174 00:07:15,430 --> 00:07:20,280 of course they said no and that's 175 00:07:17,669 --> 00:07:23,280 okay well can you tell me the procedure 176 00:07:20,280 --> 00:07:25,229 how I would request academic donations 177 00:07:23,280 --> 00:07:26,729 in the future and suddenly that that 178 00:07:25,229 --> 00:07:28,560 went down the right path and said well 179 00:07:26,729 --> 00:07:30,960 we we can do that we can send you some 180 00:07:28,560 --> 00:07:32,939 cables good yeah that'd be great like hi 181 00:07:30,960 --> 00:07:34,919 leaving Oregon which importantly which 182 00:07:32,939 --> 00:07:36,599 is literally 20 minutes from their US 183 00:07:34,919 --> 00:07:37,919 headquarters and here you're an hour 184 00:07:36,599 --> 00:07:39,569 from there you know worldwide 185 00:07:37,919 --> 00:07:42,210 headquarters we have to figure out how 186 00:07:39,569 --> 00:07:45,270 to get these cables right weeks go by 187 00:07:42,210 --> 00:07:47,248 right I left and I've been in the UK for 188 00:07:45,270 --> 00:07:48,960 the past week so I can't get them in a 189 00:07:47,249 --> 00:07:51,330 month and they finally get touch with me 190 00:07:48,960 --> 00:07:52,710 like hey you know sorry we dropped the 191 00:07:51,330 --> 00:07:54,960 ball this you still want those cables 192 00:07:52,710 --> 00:07:57,120 some I'm sure you know you can send them 193 00:07:54,960 --> 00:07:59,370 right to the University but okay well um 194 00:07:57,120 --> 00:08:01,050 you know we'll figure that out and they 195 00:07:59,370 --> 00:08:04,469 like go back and forth for three days so 196 00:08:01,050 --> 00:08:08,939 
yesterday they shipped a whole bunch of 197 00:08:04,469 --> 00:08:10,770 cables overnight supposedly to here but 198 00:08:08,939 --> 00:08:12,659 they were supposed to arrive at noon I 199 00:08:10,770 --> 00:08:14,460 have no idea where they're to end up if 200 00:08:12,659 --> 00:08:15,688 they're animating here last I looked 201 00:08:14,460 --> 00:08:18,989 this morning they were in stance an 202 00:08:15,689 --> 00:08:21,839 airport they were also kind enough to 203 00:08:18,990 --> 00:08:24,689 use my FedEx account number to ship 204 00:08:21,839 --> 00:08:27,810 those cables overnight from right down 205 00:08:24,689 --> 00:08:29,850 the street from my house so 206 00:08:27,810 --> 00:08:31,380 you know we could call this a sales 207 00:08:29,850 --> 00:08:32,789 picture graph TV acts I'm telling you 208 00:08:31,380 --> 00:08:34,799 how to use their boards we could thank 209 00:08:32,789 --> 00:08:37,610 them for donating those cables really 210 00:08:34,799 --> 00:08:40,079 nice of them but the you know whatever 211 00:08:37,610 --> 00:08:41,370 this is being recorded maybe they would 212 00:08:40,080 --> 00:08:45,540 give me the next time and save me the 213 00:08:41,370 --> 00:08:48,230 time so I said seven it should I adjust 214 00:08:45,540 --> 00:08:49,469 microphone is that feedback okay we good 215 00:08:48,230 --> 00:08:52,170 okay 216 00:08:49,470 --> 00:08:54,240 and here are the seven scenarios I'm 217 00:08:52,170 --> 00:08:57,209 gonna walk through so using an FTA 218 00:08:54,240 --> 00:08:59,790 FTIL a pro logic analyzer with sing rock 219 00:08:57,210 --> 00:09:01,710 or an ease that you are or console 220 00:08:59,790 --> 00:09:04,110 access to go directly to talk to a 221 00:09:01,710 --> 00:09:05,460 single core computer and then will use 222 00:09:04,110 --> 00:09:07,800 it when those TV another tool that 223 00:09:05,460 --> 00:09:09,690 supports this ft2 30 to show to do James 224 00:09:07,800 --> 00:09:12,630 had control and 
manipulate the live 225 00:09:09,690 --> 00:09:14,520 running system then we use a flash mob 226 00:09:12,630 --> 00:09:16,710 for two things the first is to dealt 227 00:09:14,520 --> 00:09:18,089 with the firmware off of a system by 228 00:09:16,710 --> 00:09:19,560 dumping the firmware we can get a copy 229 00:09:18,089 --> 00:09:21,839 of all the code running on it we can do 230 00:09:19,560 --> 00:09:23,760 some offline analysis if without fancy 231 00:09:21,839 --> 00:09:25,350 we can go and manipulate those files and 232 00:09:23,760 --> 00:09:27,810 then flash them back to the same system 233 00:09:25,350 --> 00:09:29,640 and put it up back doored or with Lucian 234 00:09:27,810 --> 00:09:32,130 else or whatever you know fund something 235 00:09:29,640 --> 00:09:32,490 more I put on there and in the last two 236 00:09:32,130 --> 00:09:35,400 bits 237 00:09:32,490 --> 00:09:38,100 we've got using it to do VIP I squared C 238 00:09:35,400 --> 00:09:40,319 I squared C is a protocol that's used 239 00:09:38,100 --> 00:09:42,660 for configuration of lots of tiny ships 240 00:09:40,320 --> 00:09:46,200 actually the FTDI itself uses I support 241 00:09:42,660 --> 00:09:47,939 so you configure itself and then in my 242 00:09:46,200 --> 00:09:50,490 name crafting packets talking about how 243 00:09:47,940 --> 00:09:52,350 to use this as well raw output device 244 00:09:50,490 --> 00:09:56,100 for we can tell what the ones and zeros 245 00:09:52,350 --> 00:09:57,900 would want to come out and write so I'm 246 00:09:56,100 --> 00:10:00,620 gonna take a sip Waterson to my voice is 247 00:09:57,900 --> 00:10:00,620 going great 248 00:10:04,010 --> 00:10:09,750 this is a hoarse voices is an American 249 00:10:06,510 --> 00:10:13,110 accent a cylinder so first we've got the 250 00:10:09,750 --> 00:10:16,410 FTIL a the API holiday is a driver for 251 00:10:13,110 --> 00:10:18,330 Sigma Sigma is an open source logic 252 00:10:16,410 --> 00:10:20,189 analyzer platform so I 
mentioned before 253 00:10:18,330 --> 00:10:20,940 we have those salient logic analyzers 254 00:10:20,190 --> 00:10:23,520 and they're pretty cool 255 00:10:20,940 --> 00:10:25,350 the problem is you know it's a rant 256 00:10:23,520 --> 00:10:27,839 about more companies they have an office 257 00:10:25,350 --> 00:10:29,910 of logic analyzer you could get 460 US 258 00:10:27,839 --> 00:10:32,010 dollars with a student discount it was 259 00:10:29,910 --> 00:10:33,810 four channels they did most of the basic 260 00:10:32,010 --> 00:10:36,150 stuff it was really solid really 261 00:10:33,810 --> 00:10:38,670 reliable and had pretty easy to use 262 00:10:36,150 --> 00:10:40,260 software so what they do they cancel 263 00:10:38,670 --> 00:10:41,459 that product and then they double the 264 00:10:40,260 --> 00:10:43,350 price of all their other products so 265 00:10:41,459 --> 00:10:45,150 their machine this one is $400 so how 266 00:10:43,350 --> 00:10:51,930 many of you four dollars to buy logic 267 00:10:45,150 --> 00:10:53,579 analyzer right now yeah so it just here 268 00:10:51,930 --> 00:10:55,800 it bothers me because I'm trying to get 269 00:10:53,580 --> 00:11:00,000 people to start doing this stuff so FTDI 270 00:10:55,800 --> 00:11:01,620 la is a driver to use this as a TI where 271 00:11:00,000 --> 00:11:03,630 has a logic analyzer so what I've done 272 00:11:01,620 --> 00:11:05,640 here is I got my board I don't have the 273 00:11:03,630 --> 00:11:07,290 seven pound the seven dollar won't have 274 00:11:05,640 --> 00:11:09,209 these because I have just tons of these 275 00:11:07,290 --> 00:11:12,660 actually about 30 of them with me for 276 00:11:09,209 --> 00:11:14,430 the classes I'm teaching this week and 277 00:11:12,660 --> 00:11:16,140 we forgot a bunch of wires to this 278 00:11:14,430 --> 00:11:19,170 header on vigeland on a Raspberry Pi 279 00:11:16,140 --> 00:11:20,400 here so I took the Raspberry Pi just 280 00:11:19,170 --> 00:11:21,990 because 
it again I have a bunch of them 281 00:11:20,400 --> 00:11:23,280 has aids in for classes what we want to 282 00:11:21,990 --> 00:11:26,160 do is what I'll listen to what those 283 00:11:23,280 --> 00:11:28,500 signals are doing right so it's an 284 00:11:26,160 --> 00:11:30,120 electrical observation room and what we 285 00:11:28,500 --> 00:11:34,050 can do with the software is we tell it 286 00:11:30,120 --> 00:11:36,450 to connect to this FTDI to 32 H and then 287 00:11:34,050 --> 00:11:38,699 we go and tell it to Hampshire 1 million 288 00:11:36,450 --> 00:11:40,470 mo this is actually the previous hops 289 00:11:38,700 --> 00:11:42,330 reckon what we really want to do is 290 00:11:40,470 --> 00:11:45,180 capture a few million samples at about 291 00:11:42,330 --> 00:11:47,910 one megahertz right so we go click run 292 00:11:45,180 --> 00:11:49,319 it'll go and capture data so we'll get a 293 00:11:47,910 --> 00:11:51,600 whole bunch of ones and zeros if we look 294 00:11:49,320 --> 00:11:54,310 closer at this data will see that the 295 00:11:51,600 --> 00:11:56,439 day that goes up and down and 296 00:11:54,310 --> 00:11:58,599 that state of being spit out on these 297 00:11:56,439 --> 00:12:00,579 pins so now we can use the logic 298 00:11:58,600 --> 00:12:01,749 analyzer to interpret and figure out 299 00:12:00,579 --> 00:12:04,540 what it's doing what it's communicating 300 00:12:01,749 --> 00:12:06,879 what it's saying I think now this 301 00:12:04,540 --> 00:12:08,410 program is pulse view pulse view is the 302 00:12:06,879 --> 00:12:09,879 front end the graphical front end to 303 00:12:08,410 --> 00:12:11,230 sing rock so we can do this all in 304 00:12:09,879 --> 00:12:13,180 command line if you're really you know 305 00:12:11,230 --> 00:12:14,529 sharp I'd like to command lines or we 306 00:12:13,180 --> 00:12:16,989 can do it with a nice graphical display 307 00:12:14,529 --> 00:12:18,579 we can then go and use this option over 308 00:12:16,990 --> 
00:12:21,339 here because our protocol decoders right 309 00:12:18,579 --> 00:12:23,769 so it's just a matter of details about 310 00:12:21,339 --> 00:12:25,809 what these things are doing if we know 311 00:12:23,769 --> 00:12:28,809 that we have a serial protocol we could 312 00:12:25,809 --> 00:12:30,249 then go and apply protocol decoder and 313 00:12:28,809 --> 00:12:32,889 tell that we wanted to code the data 314 00:12:30,249 --> 00:12:35,050 here we want to interpret the ones and 315 00:12:32,889 --> 00:12:38,709 zeros and zeros and ones and turn them 316 00:12:35,050 --> 00:12:40,508 into bytes right so right now we have 317 00:12:38,709 --> 00:12:43,989 the ability to measure a signal observe 318 00:12:40,509 --> 00:12:46,389 and understand more about it this is 319 00:12:43,990 --> 00:12:48,220 great for finding quartz than the chip 320 00:12:46,389 --> 00:12:49,720 is communicating on this is great for 321 00:12:48,220 --> 00:12:52,329 listening between two chips that are 322 00:12:49,720 --> 00:12:56,410 communicating to each other it's just 323 00:12:52,329 --> 00:13:00,489 really happy to do so most of the water 324 00:12:56,410 --> 00:13:02,469 I should you know drink we got time 325 00:13:00,490 --> 00:13:10,629 already more to drive down so don't 326 00:13:02,470 --> 00:13:13,740 worry good I should a chef set of shots 327 00:13:10,629 --> 00:13:15,879 of whiskey right for the seven you know 328 00:13:13,740 --> 00:13:16,509 that's good good to clear throat too 329 00:13:15,879 --> 00:13:20,439 isn't it 330 00:13:16,509 --> 00:13:23,230 yeah I don't know sorry so serial 331 00:13:20,439 --> 00:13:25,059 console so we matter raspberry pi we're 332 00:13:23,230 --> 00:13:26,350 just moving around and had a few wires 333 00:13:25,059 --> 00:13:28,689 it just so happens that 334 00:13:26,350 --> 00:13:30,490 this is your this is a serial 335 00:13:28,690 --> 00:13:32,230 communication where the Raspberry Pi is 336 00:13:30,490 --> 00:13:34,060 telling 
us about the boot process it's 337 00:13:32,230 --> 00:13:36,250 giving us all the things that happen as 338 00:13:34,060 --> 00:13:37,660 it loads the kernel those drivers and 339 00:13:36,250 --> 00:13:40,510 then it shows us a prompt to what we can 340 00:13:37,660 --> 00:13:42,939 do stuff so it is the exact same or and 341 00:13:40,510 --> 00:13:44,500 we're just going to use it both people 342 00:13:42,940 --> 00:13:47,920 to command money here we're going to use 343 00:13:44,500 --> 00:13:49,290 it using the tool called screen is there 344 00:13:47,920 --> 00:13:51,310 anything anyone ever used screen before 345 00:13:49,290 --> 00:13:52,959 okay have been in the same way 346 00:13:51,310 --> 00:13:55,839 everybody's screen to talk to a serial 347 00:13:52,960 --> 00:13:58,300 killer before okay good apparently 348 00:13:55,840 --> 00:13:59,680 screen also has other uses too this was 349 00:13:58,300 --> 00:14:01,209 news to me a few years ago I have been 350 00:13:59,680 --> 00:14:03,099 using it for over a decade 351 00:14:01,210 --> 00:14:04,660 to talk to serial cables and then I 352 00:14:03,100 --> 00:14:06,160 found out it has other purposes where 353 00:14:04,660 --> 00:14:06,699 you can have multiple terminals and all 354 00:14:06,160 --> 00:14:10,750 that fun stuff 355 00:14:06,700 --> 00:14:12,880 but anyway screen and what we do is we 356 00:14:10,750 --> 00:14:18,400 need to tell it to talk to the cable so 357 00:14:12,880 --> 00:14:21,010 we call it dev on sonic system TTY USB 358 00:14:18,400 --> 00:14:23,319 zero and we also have to have the speed 359 00:14:21,010 --> 00:14:25,090 we want to talk we don't know with you 360 00:14:23,320 --> 00:14:26,080 are what speed it's talking until we sit 361 00:14:25,090 --> 00:14:28,330 there and look at it with a logic 362 00:14:26,080 --> 00:14:30,190 analyzer which we just did so we just 363 00:14:28,330 --> 00:14:34,150 happen to know that this is one one five 364 00:14:30,190 --> 00:14:36,790 two 
zero zero bits per second right we 365 00:14:34,150 --> 00:14:39,490 do that and suddenly we get data we have 366 00:14:36,790 --> 00:14:42,490 text running right on the screen so 367 00:14:39,490 --> 00:14:45,310 again sometimes you'll do this I know I 368 00:14:42,490 --> 00:14:46,930 know straight twos I originally wanted 369 00:14:45,310 --> 00:14:48,790 to do a bunch of demos with this but 370 00:14:46,930 --> 00:14:50,800 then I realized that my time was kind of 371 00:14:48,790 --> 00:14:52,630 limited so I just screenshots instead so 372 00:14:50,800 --> 00:14:54,219 now I'm thinking like oh if I if I just 373 00:14:52,630 --> 00:14:56,170 was about figured out how to get that 374 00:14:54,220 --> 00:14:58,000 document camera but I'm not going to do 375 00:14:56,170 --> 00:15:01,180 that because then you'll all be bored 376 00:14:58,000 --> 00:15:02,590 watching me try and make wires work but 377 00:15:01,180 --> 00:15:05,219 hardware is actually easy it's not that 378 00:15:02,590 --> 00:15:07,630 hard just ask for em later 379 00:15:05,220 --> 00:15:09,760 so what will happen is we'll run this 380 00:15:07,630 --> 00:15:12,280 and it'll give us all the stuff and 381 00:15:09,760 --> 00:15:14,770 finally the very end it may or may not 382 00:15:12,280 --> 00:15:17,470 give us a promise to log in which is cut 383 00:15:14,770 --> 00:15:17,920 off from the botanist so we want to log 384 00:15:17,470 --> 00:15:18,860 in 385 00:15:17,920 --> 00:15:21,650 sometimes it 386 00:15:18,860 --> 00:15:24,080 a your route you get this little pound 387 00:15:21,650 --> 00:15:26,300 sign and you get a prompt or a colon or 388 00:15:24,080 --> 00:15:27,890 a spatula me and it tells you pay your 389 00:15:26,300 --> 00:15:29,540 route you do it everyone all these 390 00:15:27,890 --> 00:15:31,880 commands are available to you it's fun 391 00:15:29,540 --> 00:15:33,410 times other times it's really obnoxious 392 00:15:31,880 --> 00:15:35,120 Senate LOC to you and it's a 
different 393 00:15:33,410 --> 00:15:38,140 user sometimes it's really really 394 00:15:35,120 --> 00:15:40,520 annoying and asks you for a password 395 00:15:38,140 --> 00:15:42,080 like what do you do they like I don't 396 00:15:40,520 --> 00:15:43,610 know the password them you can sit there 397 00:15:42,080 --> 00:15:46,040 and write a script that'll try under 398 00:15:43,610 --> 00:15:47,540 passport that's no fun so we might have 399 00:15:46,040 --> 00:15:49,959 to find another scenario another way to 400 00:15:47,540 --> 00:15:54,589 get into a system like that 401 00:15:49,960 --> 00:15:57,950 one option is JTAG so who's used a JTAG 402 00:15:54,590 --> 00:16:02,420 before right so James had is the joint 403 00:15:57,950 --> 00:16:04,160 test action group right so this is where 404 00:16:02,420 --> 00:16:06,800 all the joint testers get together for 405 00:16:04,160 --> 00:16:09,290 some action where they talk about how 406 00:16:06,800 --> 00:16:12,650 they want to test their work so it's a 407 00:16:09,290 --> 00:16:14,540 it's a - a standard it's designed in the 408 00:16:12,650 --> 00:16:17,030 80s for more testing to make sure your 409 00:16:14,540 --> 00:16:19,640 boards are hooked up together but every 410 00:16:17,030 --> 00:16:21,949 device had a tap and a test access port 411 00:16:19,640 --> 00:16:23,689 to use this more test feature so what 412 00:16:21,950 --> 00:16:25,760 maybe factures did i've CPUs and said 413 00:16:23,690 --> 00:16:27,650 hey we want to be able to debug our cpu 414 00:16:25,760 --> 00:16:32,060 as well let's add those commands to this 415 00:16:27,650 --> 00:16:34,280 interface so how it comes is to open OCD 416 00:16:32,060 --> 00:16:37,939 so that's not OCD what you're thinking 417 00:16:34,280 --> 00:16:39,920 it's on ship debugger right so it's open 418 00:16:37,940 --> 00:16:42,230 source which means that if you want to 419 00:16:39,920 --> 00:16:43,819 read any documentation understand how it 420 00:16:42,230 --> 
00:16:46,510 works at all you have no choice but to 421 00:16:43,820 --> 00:16:51,920 read the source code which is residency 422 00:16:46,510 --> 00:16:52,400 sort of so anyway of open OCD looks 423 00:16:51,920 --> 00:16:55,219 familiar 424 00:16:52,400 --> 00:16:56,420 we've got the same or USB cable or in 425 00:16:55,220 --> 00:16:58,310 the system I have this little wire 426 00:16:56,420 --> 00:17:00,410 harness I didn't cut the wires to 427 00:16:58,310 --> 00:17:02,420 different pins this time right every 428 00:17:00,410 --> 00:17:04,250 device has different debug pins that are 429 00:17:02,420 --> 00:17:06,079 dedicated and I actually did Sheila 430 00:17:04,250 --> 00:17:08,329 wellness when I had to go in there and 431 00:17:06,079 --> 00:17:11,149 change some software configurations to 432 00:17:08,329 --> 00:17:12,800 enable JTAG right JTAG is a debug 433 00:17:11,150 --> 00:17:14,360 feature we don't usually use it in 434 00:17:12,800 --> 00:17:16,730 normal operation we only use it when 435 00:17:14,359 --> 00:17:18,560 we're testing it so manufacturers you 436 00:17:16,730 --> 00:17:20,120 know like they really when you're 437 00:17:18,560 --> 00:17:21,208 designing a chip it's more expensive to 438 00:17:20,119 --> 00:17:22,979 have a pin and 439 00:17:21,209 --> 00:17:24,539 to have more function inside the silicon 440 00:17:22,980 --> 00:17:27,089 so they try to minimize the number of 441 00:17:24,539 --> 00:17:28,950 pins so they have multi-purpose pins so 442 00:17:27,089 --> 00:17:30,960 we told those multi-purpose pins to go 443 00:17:28,950 --> 00:17:35,669 back into cheytac boat so we could go 444 00:17:30,960 --> 00:17:36,059 and miss from our system next there we 445 00:17:35,669 --> 00:17:37,890 go 446 00:17:36,059 --> 00:17:40,230 so what LCD is the tool we're going to 447 00:17:37,890 --> 00:17:42,299 use we'd use a - ax command to like 448 00:17:40,230 --> 00:17:45,299 include a file in the first file we have 449 00:17:42,299 --> 
00:17:47,190 is ft - 32 H about CFG this is the 450 00:17:45,299 --> 00:17:50,970 configuration file that tells us where 451 00:17:47,190 --> 00:17:52,950 to find this FTDI work what can my sandy 452 00:17:50,970 --> 00:17:55,049 it looks like and just some details 453 00:17:52,950 --> 00:17:57,659 about how we're using it and next we 454 00:17:55,049 --> 00:17:59,700 have raspberry pi Don CFG this is a 455 00:17:57,659 --> 00:18:04,559 configuration file it tells us that we 456 00:17:59,700 --> 00:18:06,330 have an arm 1176 processor and it has a 457 00:18:04,559 --> 00:18:09,360 certain amount of memory and other 458 00:18:06,330 --> 00:18:11,610 features so in fair telling open OCD 459 00:18:09,360 --> 00:18:14,250 details when our heart we start of an 460 00:18:11,610 --> 00:18:17,340 OCD it goes to our source our adapter it 461 00:18:14,250 --> 00:18:18,720 looks around finds a device twice as 462 00:18:17,340 --> 00:18:21,360 identified with a code and it's 463 00:18:18,720 --> 00:18:22,679 recognized as a broad common part just 464 00:18:21,360 --> 00:18:26,250 like we were talking before we were 465 00:18:22,679 --> 00:18:28,799 talking about the less expensive and 466 00:18:26,250 --> 00:18:30,419 more expensive ft 232 boards they're all 467 00:18:28,799 --> 00:18:32,520 the same know of the same chip on them 468 00:18:30,419 --> 00:18:33,299 right when it comes down to coding and 469 00:18:32,520 --> 00:18:35,399 working with it 470 00:18:33,299 --> 00:18:37,980 but we care about is the manufacturer 471 00:18:35,399 --> 00:18:40,320 and so again same thing comes when we're 472 00:18:37,980 --> 00:18:42,360 talking about using J 10 right we're not 473 00:18:40,320 --> 00:18:46,760 talking to a jade Raspberry Pi with 474 00:18:42,360 --> 00:18:49,649 jtech we're talking to an Arrancar arm 475 00:18:46,760 --> 00:18:51,870 1176 processor doesn't matter whether 476 00:18:49,649 --> 00:18:54,149 it's on a Raspberry Pi or a zero or 477 00:18:51,870 --> 
00:18:57,360 inside of a flip phone from the 90s, 478 00:18:54,149 --> 00:19:02,189 which is where that processor belongs. 479 00:18:57,360 --> 00:19:04,110 But anyway, we define our breakpoints or 480 00:19:02,190 --> 00:19:06,480 watchpoints, we have our ability to go 481 00:19:04,110 --> 00:19:09,840 and debug our hardware. Now, how many of you 482 00:19:06,480 --> 00:19:13,200 have used GDB before? Right, you use GDB to 483 00:19:09,840 --> 00:19:15,480 debug a process, right, so you attach to 484 00:19:13,200 --> 00:19:18,060 a process, you use GDB, you can, you know, 485 00:19:15,480 --> 00:19:19,860 x/10i, show 10 instructions at the 486 00:19:18,060 --> 00:19:22,620 program counter, look at the contents of 487 00:19:19,860 --> 00:19:24,449 memory, stuff like that. Well, that's 488 00:19:22,620 --> 00:19:26,159 exactly how OpenOCD works, so you can 489 00:19:24,450 --> 00:19:28,740 start up GDB, and instead of telling it to 490 00:19:26,160 --> 00:19:31,050 attach to a process ID number, you 491 00:19:28,740 --> 00:19:33,030 tell it to attach to OpenOCD, and then 492 00:19:31,050 --> 00:19:35,399 you're directly using your hardware to 493 00:19:33,030 --> 00:19:36,899 go and debug. This is you using your 494 00:19:35,400 --> 00:19:40,460 hardware JTAG adapter and debugging 495 00:19:36,900 --> 00:19:40,460 the hardware on this little board. 496 00:19:41,690 --> 00:19:45,380 Cheers. 497 00:19:47,720 --> 00:19:53,880 So next: flashrom, dumping 498 00:19:50,550 --> 00:19:55,350 firmware. So people talk about dumping 499 00:19:53,880 --> 00:19:56,550 firmware, you know, I just dump firmware 500 00:19:55,350 --> 00:19:58,530 and we'll deal with it later, like I've 501 00:19:56,550 --> 00:20:01,560 scraped the firmware, and really, if 502 00:19:58,530 --> 00:20:03,780 you're a software person your goal is to 503 00:20:01,560 --> 00:20:06,120 get code to look at, right? If you're a 504 00:20:03,780 --> 00:20:09,090 software person looking at an IoT device 505 00:20:06,120
--> 00:20:10,770 or network adapter or a webcam or 506 00:20:09,090 --> 00:20:12,389 anything like that, once we get the 507 00:20:10,770 --> 00:20:14,040 firmware off of that you've taken this 508 00:20:12,390 --> 00:20:16,410 hardware issue and turned it into a 509 00:20:14,040 --> 00:20:18,180 software issue, right? So I'm a hardware 510 00:20:16,410 --> 00:20:20,610 person, that means when it's a software 511 00:20:18,180 --> 00:20:21,870 problem it's someone else's problem, so I love 512 00:20:20,610 --> 00:20:23,810 getting firmware off of devices and 513 00:20:21,870 --> 00:20:27,780 handing it to someone else to deal with. 514 00:20:23,810 --> 00:20:30,720 So flashrom is a pretty pervasive 515 00:20:27,780 --> 00:20:34,320 tool, it's very common, it's in most 516 00:20:30,720 --> 00:20:36,240 distributions, it can flash using 517 00:20:34,320 --> 00:20:39,149 about, like, 30 different pieces of 518 00:20:36,240 --> 00:20:41,160 hardware. So there is the FT232H we're 519 00:20:39,150 --> 00:20:42,850 going to use, we've also got a handful of 520 00:20:41,160 --> 00:20:50,740 other devices made commercially, 521 00:20:42,850 --> 00:20:52,659 like a DediProg SF600, the DediProg, 522 00:20:50,740 --> 00:20:55,240 DediProg is this, uh, you know, if you 523 00:20:52,660 --> 00:20:57,550 want a more expensive device that does basically 524 00:20:55,240 --> 00:21:00,310 the same thing, that lets you talk to a 525 00:20:57,550 --> 00:21:02,020 flash chip. So we use flashrom; in this 526 00:21:00,310 --> 00:21:04,330 case we'll wire up, this is a Wi-Fi 527 00:21:02,020 --> 00:21:07,510 router I've been dealing with, and we 528 00:21:04,330 --> 00:21:10,149 have a CPU here, it has memory, and right 529 00:21:07,510 --> 00:21:13,990 over here you can see my green, I'll 530 00:21:10,150 --> 00:21:16,810 change to that, then right here we've got a 531 00:21:13,990 --> 00:21:19,090 flash chip, it's a little 8-pin chip, it 532 00:21:16,810 --> 00:21:20,710 stores eight megabytes of data, but that 533
00:21:19,090 --> 00:21:23,169 eight megabytes of data is enough to 534 00:21:20,710 --> 00:21:25,930 store a bootloader, a kernel, 535 00:21:23,170 --> 00:21:27,400 the root filesystem and a little extra 536 00:21:25,930 --> 00:21:29,800 space to spare if we want to modify 537 00:21:27,400 --> 00:21:32,440 things. So what we'll do is we'll clip to 538 00:21:29,800 --> 00:21:33,879 the pins of that chip, right; we can look 539 00:21:32,440 --> 00:21:35,800 for the datasheet of that chip to tell 540 00:21:33,880 --> 00:21:39,340 us which pins to clip to, and again, 541 00:21:35,800 --> 00:21:42,970 same old USB cable to our system, 542 00:21:39,340 --> 00:21:45,699 and we just have to use the right 543 00:21:42,970 --> 00:21:47,470 invocation to make magic happen. What 544 00:21:45,700 --> 00:21:49,510 we're telling it here: we have flashrom, 545 00:21:47,470 --> 00:21:52,420 that's the program, we're telling it to use a 546 00:21:49,510 --> 00:21:56,650 specific programmer, and it's the 547 00:21:52,420 --> 00:21:57,790 ft2232_spi programmer. So FTDI 548 00:21:56,650 --> 00:21:58,930 actually makes a whole bunch of 549 00:21:57,790 --> 00:22:02,050 different chips: they make the 550 00:21:58,930 --> 00:22:04,290 2232, the 4232 and the 551 00:22:02,050 --> 00:22:07,000 232, and it just matters how many 552 00:22:04,290 --> 00:22:08,770 ports they have on them. So I use the 553 00:22:07,000 --> 00:22:10,600 232H, it's the cheapest and smallest, it 554 00:22:08,770 --> 00:22:12,280 only has one port; the 2232H 555 00:22:10,600 --> 00:22:14,080 has basically two of those chips 556 00:22:12,280 --> 00:22:15,820 sandwiched together in one piece of silicon, 557 00:22:14,080 --> 00:22:18,040 the 4232 has four, and I don't know 558 00:22:15,820 --> 00:22:21,970 why you'd want a USB cable with four serial 559 00:22:18,040 --> 00:22:24,149 ports, but hey. So, well, actually I can 560 00:22:21,970 --> 00:22:26,680 think of a
few good reasons, but anyway. 561 00:22:24,150 --> 00:22:28,180 And then what we tell it to do... oh, we have 562 00:22:26,680 --> 00:22:30,520 to tell it what type, because again we 563 00:22:28,180 --> 00:22:31,990 have variants of this chip, they all use 564 00:22:30,520 --> 00:22:34,030 a similar driver and we need to 565 00:22:31,990 --> 00:22:36,250 clarify that it's the 232H version, and 566 00:22:34,030 --> 00:22:38,760 then we want to read, so we do the -r 567 00:22:36,250 --> 00:22:40,600 and the file we want to write it to, okay, 568 00:22:38,760 --> 00:22:42,158 flash-whatever it was. 569 00:22:40,600 --> 00:22:45,158 And this, this doesn't happen the 570 00:22:42,159 --> 00:22:46,299 first time ever, right? It goes, says: oh, 571 00:22:45,159 --> 00:22:48,700 detected hardware, 572 00:22:46,299 --> 00:22:51,490 we found a Winbond flash chip, and 573 00:22:48,700 --> 00:22:55,120 we're gonna dump it, reading flash, done. 574 00:22:51,490 --> 00:22:56,529 This takes a few minutes. When it doesn't 575 00:22:55,120 --> 00:22:58,389 work it gives you all sorts of errors; 576 00:22:56,529 --> 00:23:00,130 sometimes it says we found a flash chip, 577 00:22:58,389 --> 00:23:01,508 we don't know what it is; sometimes it 578 00:23:00,130 --> 00:23:02,740 says we didn't find a flash chip, but 579 00:23:01,509 --> 00:23:04,240 whatever, then there's a flash chip there 580 00:23:02,740 --> 00:23:05,559 and it gives you a lot of cryptic error 581 00:23:04,240 --> 00:23:08,799 messages, but not enough to tell you what's 582 00:23:05,559 --> 00:23:10,149 going on. Again, open source tools: if you 583 00:23:08,799 --> 00:23:11,710 want to learn more about how it works 584 00:23:10,149 --> 00:23:13,299 you can either read the source code or 585 00:23:11,710 --> 00:23:15,429 do what I do and hook up your logic 586 00:23:13,299 --> 00:23:16,629 analyzer to see how it works, so you can 587 00:23:15,429 --> 00:23:19,240 understand what the heck it's doing, 588 00:23:16,629 --> 00:23:21,029 because it's hard to read; logic
589 00:23:19,240 --> 00:23:23,950 analyzers for me are easier to read. 590 00:23:21,029 --> 00:23:27,789 Anyway, we did it, we dumped, we got our 591 00:23:23,950 --> 00:23:29,169 SPI flash dumped, read out. But again, I said 592 00:23:27,789 --> 00:23:30,759 once we get firmware we hand it off to 593 00:23:29,169 --> 00:23:33,039 software people to deal with it, but 594 00:23:30,759 --> 00:23:35,049 it's still not enough for me. So 595 00:23:33,039 --> 00:23:38,049 what we can use is a tool called 596 00:23:35,049 --> 00:23:39,940 binwalk, okay. This is a great tool: basically, 597 00:23:38,049 --> 00:23:42,190 if you've ever used the file command, file 598 00:23:39,940 --> 00:23:45,220 looks at the beginning of a file and says, oh, 599 00:23:42,190 --> 00:23:50,679 this looks like a PDF or a zip or a JPEG 600 00:23:45,220 --> 00:23:52,389 or text file or code or an ELF, and then 601 00:23:50,679 --> 00:23:54,549 binwalk, so binwalk walks through an entire 602 00:23:52,389 --> 00:23:56,110 file and looks for the beginning of 603 00:23:54,549 --> 00:23:58,269 files in different intermediate spots in 604 00:23:56,110 --> 00:24:01,899 that file. So let's go walk through this 605 00:23:58,269 --> 00:24:03,399 and say, oh, I found an HTML document header, 606 00:24:01,899 --> 00:24:05,439 an HTML document footer, so maybe I found an 607 00:24:03,399 --> 00:24:07,090 HTML file on there; I found a copyright 608 00:24:05,440 --> 00:24:08,529 string. The ones you're actually 609 00:24:07,090 --> 00:24:11,019 interested in are things like 610 00:24:08,529 --> 00:24:12,370 kernels, right: we have this uImage 611 00:24:11,019 --> 00:24:17,320 header, we're gonna break it down 612 00:24:12,370 --> 00:24:18,969 and say, oh, this is the Linux MIPS kernel 613 00:24:17,320 --> 00:24:20,250 that's gonna follow here, and here we 614 00:24:18,970 --> 00:24:22,179 have LZMA compressed data; 615 00:24:20,250 --> 00:24:23,590 knowing that it's LZMA compressed 616 00:24:22,179 -->
00:24:25,480 data, that means that this tool knows how 617 00:24:23,590 --> 00:24:28,280 to decompress it. So there we go, we got 618 00:24:25,480 --> 00:24:29,930 the kernel decompressed, 619 00:24:28,280 --> 00:24:41,810 like, walk through and look at all the 620 00:24:29,930 --> 00:24:43,610 details in it. Sorry, it's a good thing 621 00:24:41,810 --> 00:24:47,270 I'm not handing out cables, because then 622 00:24:43,610 --> 00:24:50,030 I'd have to delay them. So, LZMA compressed 623 00:24:47,270 --> 00:24:51,590 kernel; we also have a couple other 624 00:24:50,030 --> 00:24:53,570 things telling me here: we have a SquashFS 625 00:24:51,590 --> 00:24:55,790 and a JFFS2, that's two file systems. 626 00:24:53,570 --> 00:24:57,740 These are the file systems that hold all the 627 00:24:55,790 --> 00:24:59,620 details, all the extra files in addition 628 00:24:57,740 --> 00:25:02,450 to the kernel, to make the system run. 629 00:24:59,620 --> 00:25:07,489 What I show here is there's a -e 630 00:25:02,450 --> 00:25:08,990 option, and it goes and extracts, so it'll go 631 00:25:07,490 --> 00:25:12,590 and extract all this cool stuff that 632 00:25:08,990 --> 00:25:14,630 it's found, isn't that handy. So we're going 633 00:25:12,590 --> 00:25:18,429 to extract these files; what I chose to do 634 00:25:14,630 --> 00:25:22,450 is extract the... oh, 635 00:25:18,430 --> 00:25:25,250 this time is off, that's why, I'm sorry, 636 00:25:22,450 --> 00:25:28,850 the clock on here is 10 times fast, but 637 00:25:25,250 --> 00:25:31,040 it's okay because we're doing good. -e 638 00:25:28,850 --> 00:25:32,330 extracts them. What I'm going to do is I'm 639 00:25:31,040 --> 00:25:33,860 gonna look at the SquashFS file 640 00:25:32,330 --> 00:25:34,580 systems, and there'll be a full root 641 00:25:33,860 --> 00:25:37,429 filesystem, 642 00:25:34,580 --> 00:25:38,629 so it'll have an /etc directory, and 643 00:25:37,430 --> 00:25:41,000 inside that /etc directory it's gonna have 644 00:25:38,630 --> 00:25:42,890 a bunch of the
files, all the fancy files 645 00:25:41,000 --> 00:25:45,140 that we modify to go and give ourselves 646 00:25:42,890 --> 00:25:46,910 privileges on this. So who's familiar 647 00:25:45,140 --> 00:25:49,250 with Linux and knows what files we can 648 00:25:46,910 --> 00:25:53,240 modify to give ourselves privileges? 649 00:25:49,250 --> 00:25:57,380 Guesses from the back of the room: where our 650 00:25:53,240 --> 00:25:58,970 passwords are stored, /etc/passwd. Okay, so 651 00:25:57,380 --> 00:26:00,950 /etc/passwd, which stores some 652 00:25:58,970 --> 00:26:03,200 user information, and /etc/shadow, which 653 00:26:00,950 --> 00:26:04,490 stores the hashed passwords. We have access 654 00:26:03,200 --> 00:26:06,230 to those files; if we wanted to we could 655 00:26:04,490 --> 00:26:07,790 go crack these, but 656 00:26:06,230 --> 00:26:09,230 that's no fun, that's for people who, you 657 00:26:07,790 --> 00:26:10,210 know, don't want to buy anything like 658 00:26:09,230 --> 00:26:12,679 Bitcoin anymore. 659 00:26:10,210 --> 00:26:14,900 We can go and we 660 00:26:12,679 --> 00:26:17,270 can modify and put our own hash in there, 661 00:26:14,900 --> 00:26:20,780 we can repack it and send it back; we can 662 00:26:17,270 --> 00:26:22,490 go into the passwd file and go and say, 663 00:26:20,780 --> 00:26:25,760 oh, there's user, I don't know, it's 'user', 664 00:26:22,490 --> 00:26:27,830 but change user's user ID to zero, and 665 00:26:25,760 --> 00:26:30,500 then when you log in as user, here's your 666 00:26:27,830 --> 00:26:33,918 root. But what we're gonna do is we look at 667 00:26:30,500 --> 00:26:35,809 this in inittab; basically a whole bunch 668 00:26:33,919 --> 00:26:37,370 of the initialization programs can run. 669 00:26:35,809 --> 00:26:38,960 This is OpenWrt, which is a 670 00:26:37,370 --> 00:26:41,479 distribution of Linux that caters 671 00:26:38,960 --> 00:26:42,919 specifically for routers, and right here 672 00:26:41,480 --> 00:26:45,460 it might ask for a console: 673
00:26:42,919 --> 00:26:48,440 I'm gonna run /bin/login, ask for your user, 674 00:26:45,460 --> 00:26:52,700 like, ah, let's change that, let's change 675 00:26:48,440 --> 00:26:54,860 that to a shell as root, okay? So wouldn't 676 00:26:52,700 --> 00:26:57,620 it be nice to just turn it on, like, it 677 00:26:54,860 --> 00:26:59,889 asks for a console, here is your 678 00:26:57,620 --> 00:27:02,149 console? It sounds like a good deal, right? 679 00:26:59,890 --> 00:27:04,970 So what we can do is we can take this 680 00:27:02,150 --> 00:27:10,940 file system, use the tool mksquashfs, 681 00:27:04,970 --> 00:27:12,559 right. So SquashFS is that 682 00:27:10,940 --> 00:27:14,990 compressed file system; we can't just 683 00:27:12,559 --> 00:27:16,850 mount it, we have to go and extract files 684 00:27:14,990 --> 00:27:18,830 from it and then pack them up. It's kind 685 00:27:16,850 --> 00:27:20,928 of like zipping a file: you have to zip a 686 00:27:18,830 --> 00:27:23,149 copy of your file system. So we'll use 687 00:27:20,929 --> 00:27:25,490 mksquashfs, and we use that to 688 00:27:23,150 --> 00:27:30,559 rebuild a firmware image that we can flash 689 00:27:25,490 --> 00:27:32,660 back to our device with flashrom. There 690 00:27:30,559 --> 00:27:35,149 are other tools than flashrom to do 691 00:27:32,660 --> 00:27:37,610 this, and actually those other tools are 692 00:27:35,150 --> 00:27:40,490 in my opinion better than flashrom, but 693 00:27:37,610 --> 00:27:42,799 everybody seems to want to use flashrom, 694 00:27:40,490 --> 00:27:45,020 because every time you use it, you know, 695 00:27:42,799 --> 00:27:46,370 I end up going back to flashrom all 696 00:27:45,020 --> 00:27:48,139 the time because it's always there, it's 697 00:27:46,370 --> 00:27:50,030 always in every Linux distribution, 698 00:27:48,140 --> 00:27:51,919 and every other, like, custom tool I come 699 00:27:50,030 --> 00:27:53,668 up with I have to support, and I don't 700 00:27:51,919 -->
00:27:59,549 want to support it for my students. 701 00:27:53,669 --> 00:28:01,820 I go... so let's talk about writing 702 00:27:59,549 --> 00:28:04,469 firmware. It's really tough: 703 00:28:01,820 --> 00:28:08,789 basically we take the same exact command 704 00:28:04,469 --> 00:28:09,389 line and change the -r to the -w. Pretty 705 00:28:08,789 --> 00:28:11,309 cool, right? 706 00:28:09,389 --> 00:28:14,908 Same wires, same cable, same 707 00:28:11,309 --> 00:28:16,979 everything. We've just taken a dump, we've 708 00:28:14,909 --> 00:28:19,919 gone and modified it, changed a couple 709 00:28:16,979 --> 00:28:22,169 bits, we packed it, and now we're flashing 710 00:28:19,919 --> 00:28:24,839 it right back to the same device, okay. 711 00:28:22,169 --> 00:28:30,359 So we wrote it back, and what it would look like: 712 00:28:24,839 --> 00:28:32,129 there's no errors, same setup. Let me, 713 00:28:30,359 --> 00:28:35,428 let me clear up some of my clutter 714 00:28:32,129 --> 00:28:37,379 so we can look quite a lot closer at 715 00:28:35,429 --> 00:28:38,159 the system. You'll notice there's some weird 716 00:28:37,379 --> 00:28:41,248 wires; 717 00:28:38,159 --> 00:28:44,579 I'll give you a hint, that's not factory, 718 00:28:41,249 --> 00:28:49,019 okay, although I've seen similar factory-type 719 00:28:44,579 --> 00:28:51,779 jobs in sketchy hardware. So what 720 00:28:49,019 --> 00:28:54,209 happens is this CPU always wants to 721 00:28:51,779 --> 00:28:55,769 talk to that flash chip, right? So in 722 00:28:54,209 --> 00:28:58,469 order to make all this happen we have 723 00:28:55,769 --> 00:29:00,389 to tell the CPU to shut up, right? So 724 00:28:58,469 --> 00:29:02,099 what do we do? We want to tell it to be... 725 00:29:00,389 --> 00:29:04,408 just stay in reset, 726 00:29:02,099 --> 00:29:05,668 keep resetting it the whole time. Sometimes 727 00:29:04,409 --> 00:29:07,859 you're lucky to get a reset button 728 00:29:05,669 --> 00:29:09,509 that you can hold down the whole time; well, 729
00:29:07,859 --> 00:29:11,968 the system didn't have that. So what I 730 00:29:09,509 --> 00:29:14,459 did is I looked at this chip, I found 731 00:29:11,969 --> 00:29:17,940 out that this wire right here is the 732 00:29:14,459 --> 00:29:20,329 reset wire, and I hooked that over here to 733 00:29:17,940 --> 00:29:24,239 a jumper where I pull it to ground, 734 00:29:20,329 --> 00:29:27,389 alright, and, you know, it's a little... 735 00:29:24,239 --> 00:29:28,589 epoxy? No, hot glue it on there, hold 736 00:29:27,389 --> 00:29:30,059 it in place, because if you're gonna do 737 00:29:28,589 --> 00:29:31,799 something more than once you should do 738 00:29:30,059 --> 00:29:32,789 it right, right? So hot glue, that's the 739 00:29:31,799 --> 00:29:36,690 right way to do it, right, 740 00:29:32,789 --> 00:29:38,369 way better than duct tape. And also, if 741 00:29:36,690 --> 00:29:41,039 you're ever tempted, don't use Krazy Glue, 742 00:29:38,369 --> 00:29:42,539 it just makes a mess of everything. The 743 00:29:41,039 --> 00:29:44,579 worst part is Krazy Glue will get 744 00:29:42,539 --> 00:29:46,229 underneath these little bitty little pins, 745 00:29:44,579 --> 00:29:48,450 and then the next time you try to use 746 00:29:46,229 --> 00:29:49,619 your probe clips to clip onto them, they 747 00:29:48,450 --> 00:29:51,450 won't be able to get around the back of 748 00:29:49,619 --> 00:29:52,978 it and they will fall off. So don't use 749 00:29:51,450 --> 00:29:58,440 Krazy Glue, work with hot glue. 750 00:29:52,979 --> 00:30:00,050 Okay, time for a cough drop. Um, anyway, we 751 00:29:58,440 --> 00:30:02,780 flashed it back. 752 00:30:00,050 --> 00:30:05,389 Serial: it had a serial port right there, we 753 00:30:02,780 --> 00:30:07,520 can hook up our FTDI board to talk 754 00:30:05,390 --> 00:30:09,470 to that, we watch the system boot, and we 755 00:30:07,520 --> 00:30:13,160 can see that we successfully did it: we end 756 00:30:09,470 --> 00:30:27,860 up with a root shell. Simple. Don't get so 757
00:30:13,160 --> 00:30:31,820 far... oh, excuse me. Next: flashrom, I'm 758 00:30:27,860 --> 00:30:34,070 writing with -w now, modifying a device's 759 00:30:31,820 --> 00:30:35,780 configuration. So I don't 760 00:30:34,070 --> 00:30:38,629 actually have the photos with me here, 761 00:30:35,780 --> 00:30:42,610 because all of my security stuff is, you 762 00:30:38,630 --> 00:30:44,900 know, back at home in Oregon, so I 763 00:30:42,610 --> 00:30:48,620 don't have any surveillance cameras that 764 00:30:44,900 --> 00:30:50,390 I can get a good shot of. So what we have is 765 00:30:48,620 --> 00:30:52,520 I2C configuration, and if we look 766 00:30:50,390 --> 00:30:56,180 back at this device, or if we look very 767 00:30:52,520 --> 00:30:59,420 closely at the back of the FTDI board, 768 00:30:56,180 --> 00:31:01,190 right, we see there's this big chip 769 00:30:59,420 --> 00:31:03,800 here, that's the FTDI; we have some 770 00:31:01,190 --> 00:31:05,990 LED, I'm sorry, crystal that gives it a 771 00:31:03,800 --> 00:31:07,820 frequency, oscillator; we've got a couple 772 00:31:05,990 --> 00:31:10,640 of LEDs over here; oh, then we've got this 773 00:31:07,820 --> 00:31:13,490 other black chip. Alright, look at it, it's 774 00:31:10,640 --> 00:31:23,260 got six pins, it does something, right? 775 00:31:13,490 --> 00:31:25,310 This is a serial PROM, that's pretty 776 00:31:23,260 --> 00:31:27,440 awesome, right? Sorry. 777 00:31:25,310 --> 00:31:29,510 So, a serial PROM: this 778 00:31:27,440 --> 00:31:31,820 is a little chip that holds a couple of 779 00:31:29,510 --> 00:31:33,020 bytes of storage, so that flash 780 00:31:31,820 --> 00:31:35,149 chip we talked about before was 781 00:31:33,020 --> 00:31:38,030 eight megabytes; this is like a hundred 782 00:31:35,150 --> 00:31:39,980 twenty-eight bytes, that's all. What 783 00:31:38,030 --> 00:31:41,059 happens is when this chip powers on, 784 00:31:39,980 --> 00:31:43,940 it goes and talks, 785 00:31:41,059 -->
00:31:51,379 says: hey, who am I? And this chip says: oh, 786 00:31:43,940 --> 00:31:54,200 you are a CJMCU FT232H; or 787 00:31:51,379 --> 00:31:59,899 if you're fancy it says you are an 788 00:31:54,200 --> 00:32:01,700 Adafruit FT232H. So when you pop it up on 789 00:31:59,899 --> 00:32:03,018 the screen, when you plug it in, the 790 00:32:01,700 --> 00:32:05,960 driver shows up and says you have 791 00:32:03,019 --> 00:32:08,149 attached FT232H, it gives the name of 792 00:32:05,960 --> 00:32:09,320 the manufacturer to the system, and the reason 793 00:32:08,149 --> 00:32:12,860 we have something like that is because, 794 00:32:09,320 --> 00:32:15,110 over here, this Bus Pirate, like, this Bus 795 00:32:12,860 --> 00:32:19,879 Pirate is very similar, that's actually an 796 00:32:15,110 --> 00:32:22,100 FT232R, alright, that means it's 797 00:32:19,879 --> 00:32:24,259 slow, it can't do anything but UART, 798 00:32:22,100 --> 00:32:26,178 but when we plug the Bus Pirate in, it 799 00:32:24,259 --> 00:32:28,159 says hey, you have a Bus Pirate. Sounds 800 00:32:26,179 --> 00:32:29,960 good, right? It says hey, everyone, 801 00:32:28,159 --> 00:32:32,690 there's a little flash chip right there 802 00:32:29,960 --> 00:32:35,269 that tells it it's a Bus Pirate, right? So 803 00:32:32,690 --> 00:32:39,289 if you're a manufacturer of, like, I don't 804 00:32:35,269 --> 00:32:44,179 know, a USB microphone or something, I 805 00:32:39,289 --> 00:32:47,299 don't have a good example, tell me... I get this, 806 00:32:44,179 --> 00:32:50,869 um, USB device for that, FTDI-based, 807 00:32:47,299 --> 00:32:54,049 so I got a little radio dongle for, like, 808 00:32:50,869 --> 00:32:55,970 a drone,
right. You would speak USB to 809 00:32:54,049 --> 00:32:58,639 the serial cable, that serial cable speaks a 810 00:32:55,970 --> 00:33:00,649 serial protocol to the actual hardware, 811 00:32:58,639 --> 00:33:03,529 but you want this device to say hey, I'm 812 00:33:00,649 --> 00:33:05,570 a Mattel, or I'm a, you know, Sony, or 813 00:33:03,529 --> 00:33:07,639 I'm some other brand device; I don't 814 00:33:05,570 --> 00:33:09,820 want to say I'm an... I'm not, I don't have 815 00:33:07,639 --> 00:33:13,699 an FTDI device, I am a branded device. 816 00:33:09,820 --> 00:33:15,439 Anyway, the point being, we can go in and 817 00:33:13,700 --> 00:33:19,249 speak the protocol with this piece. We've 818 00:33:15,440 --> 00:33:23,450 got, um, this tool, this library called 819 00:33:19,249 --> 00:33:25,039 libmpsse, right, which is an 820 00:33:23,450 --> 00:33:27,919 abbreviation, MPSSE stands for something, 821 00:33:25,039 --> 00:33:29,720 I don't remember what, I never do, but 822 00:33:27,919 --> 00:33:31,250 it's basically the API, 823 00:33:29,720 --> 00:33:33,170 it's the interface for you to go 824 00:33:31,250 --> 00:33:35,810 and tell what things you want to do, 825 00:33:33,170 --> 00:33:38,180 whatever you want them to do. So with 826 00:33:35,810 --> 00:33:40,190 this we say: open my device, and 827 00:33:38,180 --> 00:33:42,200 we're gonna set some pins high and some 828 00:33:40,190 --> 00:33:45,160 pins low. Oh, maybe this is the 829 00:33:42,200 --> 00:33:47,870 wrong one, sorry, 830 00:33:45,160 --> 00:33:50,720 I think I'm talking to the wrong 831 00:33:47,870 --> 00:33:53,989 slide, I'm out of order. So we have MPSSE 832 00:33:50,720 --> 00:33:56,990 and we have a bunch of I2C 833 00:33:53,990 --> 00:33:59,690 commands that we can do: we can send an 834 00:33:56,990 --> 00:34:01,460 acknowledgment, we can write bits, we can 835 00:33:59,690 --> 00:34:04,190 get acknowledgments, we can read bits, 836 00:34:01,460
right, so it basically has an API built 837 00:34:04,190 --> 00:34:09,679 into this. And then it's funny, this, this 838 00:34:05,990 --> 00:34:11,690 is libmpsse, it's a bunch of wrappers 839 00:34:09,679 --> 00:34:14,000 and an API. It's written by the same guy 840 00:34:11,690 --> 00:34:14,480 who writes binwalk, so he really knows 841 00:34:14,000 --> 00:34:16,370 his stuff, 842 00:34:14,480 --> 00:34:22,190 Craig Heffner; you should follow him, he's, 843 00:34:16,370 --> 00:34:24,350 like, I think he's @devttys0 844 00:34:22,190 --> 00:34:27,860 on Twitter, so you should follow him, he's 845 00:34:24,350 --> 00:34:30,679 smart. And what we'll do is we'll say hey, 846 00:34:27,860 --> 00:34:33,230 we're going to talk I2C at 400 847 00:34:30,679 --> 00:34:35,569 kilohertz, and let's go start writing 848 00:34:33,230 --> 00:34:36,770 data to that, or reading the EEPROM. We 849 00:34:35,570 --> 00:34:38,240 have that communicate with that chip, we 850 00:34:36,770 --> 00:34:42,020 can change the configuration on that chip, 851 00:34:38,239 --> 00:34:46,270 and suddenly we turn our, whatever we 852 00:34:42,020 --> 00:34:49,489 have, our, our, our, our, not Adafruit, 853 00:34:46,270 --> 00:34:51,920 CJMCU FT232H, we can pretend it's an 854 00:34:49,489 --> 00:34:53,779 Adafruit, we can pretend it is any other 855 00:34:51,920 --> 00:35:00,620 manufacturer that makes a board based on 856 00:34:53,780 --> 00:35:02,480 the same chip. And the last thing that I 857 00:35:00,620 --> 00:35:05,250 mentioned was that, back at the custom 858 00:35:02,480 --> 00:35:08,320 protocol, who knows what, mid-90s... 859 00:35:05,250 --> 00:35:10,580 [Music] 860 00:35:08,320 --> 00:35:12,110 So up to this point I've been talking 861 00:35:10,580 --> 00:35:14,630 about the existing protocols: I talked 862 00:35:12,110 --> 00:35:17,480 about JTAG, I talked about UART, I 863 00:35:14,630 --> 00:35:19,490 talked about SPI and I2C; you can 864 00:35:17,480 --> 00:35:21,650 go and, like, look
for timing diagrams 865 00:35:19,490 --> 00:35:23,720 and ideal scenarios; we find chips that 866 00:35:21,650 --> 00:35:25,550 support these protocols. But sometimes 867 00:35:23,720 --> 00:35:29,180 you encounter protocols that are 868 00:35:25,550 --> 00:35:30,710 different, rarely, but you do, and usually 869 00:35:29,180 --> 00:35:33,680 when you encounter those it's because someone did a 870 00:35:30,710 --> 00:35:35,360 poor design job. But anyway, sometimes you 871 00:35:33,680 --> 00:35:36,430 want to speak a different protocol, or you 872 00:35:35,360 --> 00:35:38,440 want to speak a 873 00:35:36,430 --> 00:35:40,629 protocol differently. So if you wanted to 874 00:35:38,440 --> 00:35:41,920 mess with the timing on your SPI 875 00:35:40,630 --> 00:35:43,750 interface, and you wanted to start, like, 876 00:35:41,920 --> 00:35:44,290 doing maybe even glitching or something 877 00:35:43,750 --> 00:35:46,390 like that 878 00:35:44,290 --> 00:35:48,430 to try and get readouts from, uh, from a 879 00:35:46,390 --> 00:35:50,650 flash device, right, you would want to 880 00:35:48,430 --> 00:35:52,960 have very fine-grained control for when 881 00:35:50,650 --> 00:35:56,109 your signals went to one or zero or 882 00:35:52,960 --> 00:35:59,530 anything else. So what we can do is we 883 00:35:56,109 --> 00:36:01,779 can use the bit-bang mode, right, and what we 884 00:35:59,530 --> 00:36:11,619 do is the same thing using GPIO mode, 885 00:36:01,780 --> 00:36:13,480 general purpose input/output. So 886 00:36:11,619 --> 00:36:15,700 basically we have a bunch of pins on 887 00:36:13,480 --> 00:36:18,490 this device, we can tell any one of them 888 00:36:15,700 --> 00:36:20,259 to be an input or an output, and if it's 889 00:36:18,490 --> 00:36:23,828 an output we can tell it to be a 1 or a 0, 890 00:36:20,260 --> 00:36:26,819 high voltage or low voltage, right? So as 891 00:36:23,829 --> 00:36:30,160 a great wise friend of mine once said, 892 00:36:26,819 --> 00:36:31,210 once you can turn on/off an LED in 893
00:36:30,160 --> 00:36:36,970 hardware you can do pretty much 893 00:36:31,210 --> 00:36:38,559 everything, right? So, so basically it's 894 00:36:36,970 --> 00:36:41,200 all a matter of timing, when you turn 895 00:36:38,559 --> 00:36:43,270 those on, when you turn those off. So the combination 896 00:36:41,200 --> 00:36:46,210 of setting your pin states high and 897 00:36:43,270 --> 00:36:47,770 setting your pin states low, I'm sorry, 898 00:36:46,210 --> 00:36:50,530 pin high and pin low, 899 00:36:47,770 --> 00:36:52,390 and doing it with precise timing, that's all 900 00:36:50,530 --> 00:36:54,400 it comes down to, right? Once you have this 901 00:36:52,390 --> 00:36:56,650 ability to do this in software you will 902 00:36:54,400 --> 00:36:59,769 have all the protocols at your disposal. 903 00:36:56,650 --> 00:36:59,769 [Music] 904 00:37:00,540 --> 00:37:08,950 Almost done. So here we go, seven, seven 905 00:37:06,390 --> 00:37:12,339 scenarios, one through seven, things you 906 00:37:08,950 --> 00:37:14,109 can do with a fifteen-dollar, seven-quid, British board, 907 00:37:12,339 --> 00:37:16,180 or maybe in a few years a seven-euro, 908 00:37:14,109 --> 00:37:18,339 or I don't know. 909 00:37:16,180 --> 00:37:20,770 You can, you can use a logic analyzer 910 00:37:18,339 --> 00:37:23,230 with the software sigrok; if you need to, 911 00:37:20,770 --> 00:37:25,020 UART console access; you can use it as 912 00:37:23,230 --> 00:37:28,230 a JTAG controller to access and debug 913 00:37:25,020 --> 00:37:30,060 a chip, right; we can use it for firmware 914 00:37:28,230 --> 00:37:33,270 dumping and writing, reading and writing 915 00:37:30,060 --> 00:37:35,100 the firmware in a system; and we can also do 916 00:37:33,270 --> 00:37:37,380 some configuration, EEPROM 917 00:37:35,100 --> 00:37:38,790 configuration of various devices; and if 918 00:37:37,380 --> 00:37:40,530 you need to you can always craft your 919 00:37:38,790 --> 00:37:46,500 own custom, custom protocol from scratch 920 00:37:40,530 --> 00:37:47,940 in 921
software, very tediously. Of course 922 00:37:46,500 --> 00:37:49,080 you're not doing this with just a piece 923 00:37:47,940 --> 00:37:50,940 of hardware, there's software that 924 00:37:49,080 --> 00:37:53,910 supports all this. So these are tools 925 00:37:50,940 --> 00:37:55,920 that I use on a regular basis, I find 926 00:37:53,910 --> 00:37:58,140 them to be quite reliable, even if I 927 00:37:55,920 --> 00:38:00,000 have my complaints about them. I've got 928 00:37:58,140 --> 00:38:02,368 sigrok, the open-source logic analyzer 929 00:38:00,000 --> 00:38:04,619 framework; PulseView is its graphical 930 00:38:02,369 --> 00:38:07,830 front-end; screen is this multi-purpose, 931 00:38:04,619 --> 00:38:09,210 oh sorry, console, it can speak to 932 00:38:07,830 --> 00:38:10,799 your serial cable, 933 00:38:09,210 --> 00:38:12,570 it can speak to, you know, whatever, 934 00:38:10,800 --> 00:38:13,710 whether it's your cable or your, you know, 935 00:38:12,570 --> 00:38:16,830 UARTs or anything else. 936 00:38:13,710 --> 00:38:18,930 OpenOCD is another open source tool, it 937 00:38:16,830 --> 00:38:21,090 does your on-chip debugging, it 938 00:38:18,930 --> 00:38:24,779 lets you control the debugger with JTAG or 939 00:38:21,090 --> 00:38:26,850 even SWD, single wire debug. flashrom is 940 00:38:24,780 --> 00:38:29,070 the flash reading/writing Swiss Army 941 00:38:26,850 --> 00:38:31,170 knife; it works with this, it works with 942 00:38:29,070 --> 00:38:33,600 commercial tools, you can even use 943 00:38:31,170 --> 00:38:36,080 flashrom on your laptop to make reads off of 944 00:38:33,600 --> 00:38:38,490 your laptop or PC or everything else. 945 00:38:36,080 --> 00:38:41,100 binwalk, it's a great tool, once you've 946 00:38:38,490 --> 00:38:42,899 got that firmware image, to go and break 947 00:38:41,100 --> 00:38:44,520 it down into pieces so that you can make 948 00:38:42,900 --> 00:38:46,230 sense of it, so you can hand off the 949 00:38:44,520 -->
software parts to the software people or 950 00:38:46,230 --> 00:38:49,290 it can just mess around with text files 951 00:38:47,640 --> 00:38:51,779 and that's why your skills are like 952 00:38:49,290 --> 00:38:54,119 money and lastly there's a library live 953 00:38:51,780 --> 00:38:56,850 at PS NC which lets you have kind of 954 00:38:54,119 --> 00:38:58,440 Python or C API interface to control 955 00:38:56,850 --> 00:39:00,660 events that are coming out of this board 956 00:38:58,440 --> 00:39:01,859 which can be really handy has to go into 957 00:39:00,660 --> 00:39:04,129 the scenarios where you have these 958 00:39:01,859 --> 00:39:20,340 non-standard verticals 959 00:39:04,130 --> 00:39:23,040 any questions better manufacturer than 960 00:39:20,340 --> 00:39:24,280 the one from China yeah I would have 961 00:39:23,040 --> 00:39:27,070 been someone experiencing 962 00:39:24,280 --> 00:39:29,920 probably when I were stuck behind 963 00:39:27,070 --> 00:39:32,440 quantity from from Aliexpress I expect 964 00:39:29,920 --> 00:39:33,430 to get my 10% failures an order from 965 00:39:32,440 --> 00:39:35,080 Adafruit 966 00:39:33,430 --> 00:39:46,779 if that happens I just sent them back at 967 00:39:35,080 --> 00:39:48,190 the Seminoles there are my go-to tools 968 00:39:46,780 --> 00:39:50,200 and that's what I have two devices I 969 00:39:48,190 --> 00:39:52,780 prefer these and more expensive hands I 970 00:39:50,200 --> 00:39:54,819 will say because I caught up an ENDIF 971 00:39:52,780 --> 00:39:57,340 hey what about the thing I did with it 972 00:39:54,820 --> 00:39:59,080 if I'm tailor the system and I want to 973 00:39:57,340 --> 00:40:00,610 find a serial console on our cheytac 974 00:39:59,080 --> 00:40:04,060 kids and they're hard to find 975 00:40:00,610 --> 00:40:06,460 I would much rather take a $15.00 door 976 00:40:04,060 --> 00:40:08,500 and why are not once and leave it with 977 00:40:06,460 --> 00:40:10,930 that system and never taken apart 
that 978 00:40:08,500 --> 00:40:12,520 everything take it off until my $15 for 979 00:40:10,930 --> 00:40:14,500 a used on this board and this board 980 00:40:12,520 --> 00:40:16,750 because I'll go back to that same work 981 00:40:14,500 --> 00:40:18,580 you know in a week and have to go spend 982 00:40:16,750 --> 00:40:20,500 a half an hour finding those pins again 983 00:40:18,580 --> 00:40:22,660 because I'm really bad at documentation 984 00:40:20,500 --> 00:40:26,650 when I could just leave that 50 probably 985 00:40:22,660 --> 00:40:29,770 more attached even more so you can get 986 00:40:26,650 --> 00:40:32,500 serial cables that just to you are for a 987 00:40:29,770 --> 00:40:34,270 dollar to like there's no way then it 988 00:40:32,500 --> 00:40:35,740 makes sense to ever disconnect Asiri 989 00:40:34,270 --> 00:40:51,700 cable once you've got a connected 990 00:40:35,740 --> 00:40:53,319 working in my opinion so that's where 991 00:40:51,700 --> 00:40:55,450 you set me into the next level of 992 00:40:53,320 --> 00:40:57,190 complexity right question is like what 993 00:40:55,450 --> 00:40:59,799 happens if you have like I we don't 994 00:40:57,190 --> 00:41:01,510 protection or stuff like that so again 995 00:40:59,800 --> 00:41:02,800 that's where you have to find out more 996 00:41:01,510 --> 00:41:05,110 about the check you're targeting we're 997 00:41:02,800 --> 00:41:07,480 dealer with a spy flash chip right 998 00:41:05,110 --> 00:41:09,280 that's an assistant and they've done 999 00:41:07,480 --> 00:41:10,930 something that it's like we're singing 1000 00:41:09,280 --> 00:41:13,090 to do is you'd like desolder from the 1001 00:41:10,930 --> 00:41:14,529 system and you can read it right unless 1002 00:41:13,090 --> 00:41:16,360 they're doing sexy stuff like a 1003 00:41:14,530 --> 00:41:18,400 encrypting once ever on that well if 1004 00:41:16,360 --> 00:41:20,320 they're doing them where's the key 1005 00:41:18,400 --> 00:41:21,760 well it turns 
out a lot of the low-cost 1006 00:41:20,320 --> 00:41:23,540 systems don't actually have provisions 1007 00:41:21,760 --> 00:41:26,570 just to remove to use inside so 1008 00:41:23,540 --> 00:41:29,120 externally so find our key arts and read 1009 00:41:26,570 --> 00:41:31,700 it or use a logic analyzer and sniffing 1010 00:41:29,120 --> 00:41:34,490 key reading mechanism basically 1011 00:41:31,700 --> 00:41:36,410 everything has to well homomorphic 1012 00:41:34,490 --> 00:41:39,020 encryption aside everything eventually 1013 00:41:36,410 --> 00:41:40,520 has to be decrypted for use so sit 1014 00:41:39,020 --> 00:41:42,170 around listen that one which i 1015 00:41:40,520 --> 00:41:45,020 caramelize or to find out when you can 1016 00:41:42,170 --> 00:41:49,300 grab the firmware with excuse me in 1017 00:41:45,020 --> 00:41:49,300 plain text it's a part of question 1018 00:41:49,700 --> 00:41:52,779 [Music] 1019 00:41:57,790 --> 00:42:05,990 that's a tough question because so when 1020 00:42:02,090 --> 00:42:07,910 I was doing consulting like be presented 1021 00:42:05,990 --> 00:42:09,859 with a board and how to get something to 1022 00:42:07,910 --> 00:42:13,790 work on it and how can I don't do that 1023 00:42:09,860 --> 00:42:15,740 anymore and I just teach I go and grab 1024 00:42:13,790 --> 00:42:18,009 dozen boards and I picked the words very 1025 00:42:15,740 --> 00:42:18,009 easy 1026 00:42:18,310 --> 00:42:22,700 I've gotten really good at picking ones 1027 00:42:20,810 --> 00:42:24,650 that I know JTACs don't work on because 1028 00:42:22,700 --> 00:42:26,810 I want a good example of having a burger 1029 00:42:24,650 --> 00:42:30,020 so I would guess when it comes to like 1030 00:42:26,810 --> 00:42:33,560 Brenda a selection of like off-the-shelf 1031 00:42:30,020 --> 00:42:36,080 networking equipment right I would be I 1032 00:42:33,560 --> 00:42:38,180 can't I can't guess what I am finding is 1033 00:42:36,080 --> 00:42:40,819 more often devices and 
actually have 1034 00:42:38,180 --> 00:42:42,710 JTAG disabled it's how much it before 1035 00:42:40,820 --> 00:42:44,390 sometimes that means that in grammar on 1036 00:42:42,710 --> 00:42:47,080 it sometimes that means that got the 1037 00:42:44,390 --> 00:42:49,359 traces or traces on but even if they did 1038 00:42:47,080 --> 00:42:52,160 there's often ways to restore that 1039 00:42:49,360 --> 00:42:55,400 sometimes I actually use this to should 1040 00:42:52,160 --> 00:43:01,850 prevent JTAG so actually I was dealing 1041 00:42:55,400 --> 00:43:04,070 with a PLC and they have an XP LPC our 1042 00:43:01,850 --> 00:43:05,540 microcontroller on it and that's the 1043 00:43:04,070 --> 00:43:08,750 court of code we don't protection and 1044 00:43:05,540 --> 00:43:12,020 cheytac disabling didn't use it 1045 00:43:08,750 --> 00:43:13,370 so yeah whatever but if they had you 1046 00:43:12,020 --> 00:43:15,230 don't even go down the path of more 1047 00:43:13,370 --> 00:43:16,970 invasive are more attacks bleaching or 1048 00:43:15,230 --> 00:43:19,280 otherwise messing with the system to get 1049 00:43:16,970 --> 00:43:29,299 that back that device to give up its 1050 00:43:19,280 --> 00:43:30,920 code pretty good for lunch everything if 1051 00:43:29,300 --> 00:43:31,780 you just stop asking questions we can 1052 00:43:30,920 --> 00:43:34,250 even sooner 1053 00:43:31,780 --> 00:43:35,990 thank you very much for having me and I 1054 00:43:34,250 --> 00:43:40,640 am delighted to finally make it to a 1055 00:43:35,990 --> 00:43:42,740 secure airtight so please find me ask me 1056 00:43:40,640 --> 00:43:45,620 questions I also have a lot of stickers 1057 00:43:42,740 --> 00:43:49,790 with me today read the big half of the 1058 00:43:45,620 --> 00:43:53,870 Bloomberg article no super mario havend 1059 00:43:49,790 --> 00:43:55,550 it's pretty pricey sighs amen so what uh 1060 00:43:53,870 --> 00:43:59,930 yeah how much if I want to believe 1061 00:43:55,550 --> 
00:44:02,110 sinners coming out see for those thank 1062 00:43:59,930 --> 00:44:02,109 you again