0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/852 Thanks! 1 00:00:14,870 --> 00:00:17,599 The next talk is 2 00:00:17,600 --> 00:00:19,340 being held by Matthias Lazar, 3 00:00:20,900 --> 00:00:23,059 Matthias is talking about how to reverse 4 00:00:23,060 --> 00:00:25,129 engineer FPGAs, as 5 00:00:25,130 --> 00:00:27,019 he did it by himself, and he will tell 6 00:00:27,020 --> 00:00:29,269 you how he did it 7 00:00:29,270 --> 00:00:31,879 and how he 8 00:00:31,880 --> 00:00:34,399 especially reverse engineered the Xilinx 9 00:00:34,400 --> 00:00:36,379 seven series and Lattice 10 00:00:36,380 --> 00:00:38,719 iCE40 series. 11 00:00:38,720 --> 00:00:41,059 He knows much more about this than me, so 12 00:00:41,060 --> 00:00:42,829 please give him a warm applause. 13 00:00:42,830 --> 00:00:43,830 And here's Matthias. 14 00:00:52,270 --> 00:00:54,429 Hi, hello, 15 00:00:54,430 --> 00:00:56,709 can you hear me OK? 16 00:00:56,710 --> 00:00:58,420 Um, this. 17 00:01:00,920 --> 00:01:03,079 What is this talk about? In 18 00:01:03,080 --> 00:01:05,179 this talk, I'm going to explain 19 00:01:05,180 --> 00:01:08,239 to you what is an FPGA? 20 00:01:08,240 --> 00:01:09,649 How does it work? 21 00:01:09,650 --> 00:01:11,119 What does it do? 22 00:01:11,120 --> 00:01:13,579 What does FPGA stand for? 23 00:01:13,580 --> 00:01:16,009 And of course, I will tell you stories on 24 00:01:16,010 --> 00:01:17,509 how I reverse engineered them. 25 00:01:17,510 --> 00:01:18,560 Show you some pictures. 26 00:01:19,840 --> 00:01:20,840 And so on. 27 00:01:22,270 --> 00:01:23,920 What this story isn't about. 28 00:01:25,260 --> 00:01:27,249 The talk is not about how to use 29 00:01:27,250 --> 00:01:28,619 FPGAs. 30 00:01:28,620 --> 00:01:30,209 I actually cannot use them.
31 00:01:30,210 --> 00:01:32,999 I never learned Verilog or VHDL 32 00:01:33,000 --> 00:01:34,769 and its targets. It's not about high 33 00:01:34,770 --> 00:01:35,770 level synthesis. 34 00:01:39,740 --> 00:01:42,079 Maybe a quick story why I decided 35 00:01:42,080 --> 00:01:43,969 to reverse engineer the iCE40 36 00:01:43,970 --> 00:01:45,159 series four years ago. 37 00:01:46,520 --> 00:01:49,399 I wanted to build a small CPU 38 00:01:49,400 --> 00:01:51,859 and had the problem that chip design 39 00:01:51,860 --> 00:01:55,129 and building chips is far too expensive. 40 00:01:55,130 --> 00:01:57,650 So the next simpler solution 41 00:01:58,700 --> 00:01:59,870 would be an 42 00:02:01,400 --> 00:02:02,400 FPGA. 43 00:02:04,280 --> 00:02:07,249 But I did not want to learn Verilog 44 00:02:07,250 --> 00:02:08,539 or VHDL. 45 00:02:09,830 --> 00:02:11,599 So I decided to sit down 46 00:02:12,830 --> 00:02:15,409 and document the bitstream format 47 00:02:15,410 --> 00:02:16,410 and the internal layout. 48 00:02:17,570 --> 00:02:18,570 Anyhow. 49 00:02:19,460 --> 00:02:21,799 FPGA stands for Field 50 00:02:21,800 --> 00:02:23,419 Programmable Gate Array. 51 00:02:24,650 --> 00:02:26,750 What means field programmable, 52 00:02:28,460 --> 00:02:30,829 in a sense, it means that the device 53 00:02:30,830 --> 00:02:33,289 is in place programmable, 54 00:02:33,290 --> 00:02:36,319 so to say in live circuits, 55 00:02:36,320 --> 00:02:38,509 we can just reconfigure the device. 56 00:02:39,850 --> 00:02:42,909 The gate part is an FPGA 57 00:02:42,910 --> 00:02:45,999 simulates or implements logic gates. 58 00:02:46,000 --> 00:02:47,349 A. 59 00:02:47,350 --> 00:02:49,059 Yeah, it's a two dimensional array of 60 00:02:49,060 --> 00:02:51,159 logic gates, programmable logic 61 00:02:51,160 --> 00:02:52,160 gates. 62 00:02:55,480 --> 00:02:56,719 Yes.
63 00:02:56,720 --> 00:02:57,720 But what is logic? 64 00:02:59,120 --> 00:03:01,489 Before I will tell you 65 00:03:01,490 --> 00:03:04,069 how an FPGA works 66 00:03:04,070 --> 00:03:05,070 and. 67 00:03:05,700 --> 00:03:07,680 So far, we have to get down to. 68 00:03:09,610 --> 00:03:11,449 Logic 101. 69 00:03:11,450 --> 00:03:13,969 We have four operators 70 00:03:13,970 --> 00:03:15,560 are operators, yeah, 71 00:03:16,610 --> 00:03:18,949 we have the NOT gate, the AND 72 00:03:18,950 --> 00:03:20,929 gate, the OR gate and the 73 00:03:20,930 --> 00:03:22,219 exclusive OR gate. 74 00:03:23,800 --> 00:03:25,779 On the bottom, you can see the truth 75 00:03:25,780 --> 00:03:27,959 tables when we have 76 00:03:27,960 --> 00:03:30,579 the input, for example, at the OR gate 77 00:03:30,580 --> 00:03:33,609 zero zero, we get zero on the output. 78 00:03:33,610 --> 00:03:35,679 When we have zero one, we get one. 79 00:03:35,680 --> 00:03:36,680 And so forth. 80 00:03:40,810 --> 00:03:42,820 Next thing we can. 81 00:03:45,570 --> 00:03:47,639 Chain together logic gates 82 00:03:47,640 --> 00:03:48,640 into circuits. 83 00:03:49,750 --> 00:03:53,049 Here is a small example of 84 00:03:53,050 --> 00:03:54,520 one bit full adder. 85 00:03:55,620 --> 00:03:57,659 Which is used to implement additions. 86 00:03:59,490 --> 00:04:01,799 And as you can see, it uses 87 00:04:01,800 --> 00:04:04,619 two exclusive OR gates, 88 00:04:04,620 --> 00:04:07,559 two AND gates up. 89 00:04:07,560 --> 00:04:09,179 This one is a three expletive. 90 00:04:09,180 --> 00:04:10,979 OK. The seven implementations of them. 91 00:04:13,620 --> 00:04:14,620 In. 92 00:04:15,350 --> 00:04:17,869 On the former slide, 93 00:04:17,870 --> 00:04:20,629 we could see that we can generate 94 00:04:20,630 --> 00:04:22,969 truth table dependent 95 00:04:22,970 --> 00:04:24,619 on the input states. 96 00:04:24,620 --> 00:04:26,059 And what we get on the output.
97 00:04:27,830 --> 00:04:30,379 With that, we also can combine several 98 00:04:30,380 --> 00:04:32,719 logic gates into 99 00:04:32,720 --> 00:04:34,609 one table. 100 00:04:34,610 --> 00:04:37,099 I did the work for the full adder 101 00:04:37,100 --> 00:04:38,100 here. 102 00:04:38,780 --> 00:04:39,780 And now. 103 00:04:40,820 --> 00:04:43,669 We have our three inputs with two outputs. 104 00:04:43,670 --> 00:04:46,159 And if we, 105 00:04:46,160 --> 00:04:47,629 for example, get on A 106 00:04:48,700 --> 00:04:50,439 one, on B zero. 107 00:04:50,440 --> 00:04:52,809 And we have the carry at one. 108 00:04:52,810 --> 00:04:54,489 We know the result will be zero and the 109 00:04:54,490 --> 00:04:56,569 carry out will be one. 110 00:04:57,850 --> 00:05:00,039 The nice part about this is we don't have 111 00:05:00,040 --> 00:05:02,109 to trace through the logic and we 112 00:05:02,110 --> 00:05:05,499 just kind of implemented 113 00:05:05,500 --> 00:05:07,779 thorough logic gates in a lookup 114 00:05:07,780 --> 00:05:10,059 table and the lookup 115 00:05:10,060 --> 00:05:12,159 table is the smallest 116 00:05:12,160 --> 00:05:13,899 part in the FPGA. 117 00:05:15,150 --> 00:05:17,419 This thing implements the logic gates. 118 00:05:23,270 --> 00:05:24,659 However. 119 00:05:24,660 --> 00:05:26,639 We need more than one lookup table, of 120 00:05:26,640 --> 00:05:27,640 course. 121 00:05:28,800 --> 00:05:30,870 So let's zoom out a bit. 122 00:05:36,580 --> 00:05:37,580 What you can see here 123 00:05:38,860 --> 00:05:41,259 is a slice in the seven series 124 00:05:41,260 --> 00:05:43,069 Xilinx FPGA. 125 00:05:45,130 --> 00:05:47,709 These are four lookup tables with 126 00:05:47,710 --> 00:05:48,730 six inputs each.
127 00:05:50,170 --> 00:05:52,569 They are followed by a special 128 00:05:52,570 --> 00:05:54,849 carry unit because 129 00:05:54,850 --> 00:05:57,129 implementing addition with 130 00:05:57,130 --> 00:05:58,989 lookup tables would take up too many 131 00:05:58,990 --> 00:06:01,089 resources and because we need 132 00:06:01,090 --> 00:06:03,279 it quite often, 133 00:06:03,280 --> 00:06:06,099 it is far cheaper for the manufacturers 134 00:06:06,100 --> 00:06:07,449 to include a carry chain. 135 00:06:08,800 --> 00:06:11,079 And then on the outputs, 136 00:06:11,080 --> 00:06:13,149 we have flip flops because 137 00:06:13,150 --> 00:06:16,059 sometimes we need to synchronize the 138 00:06:16,060 --> 00:06:18,519 state or we need to store 139 00:06:18,520 --> 00:06:19,929 one bit of information. 140 00:06:22,740 --> 00:06:25,109 We then pack together one lookup 141 00:06:25,110 --> 00:06:27,209 table, one part of the carry chain, 142 00:06:27,210 --> 00:06:29,279 and in case of the seven series two 143 00:06:29,280 --> 00:06:31,559 flip flops into what's called 144 00:06:31,560 --> 00:06:32,560 a logic cell. 145 00:06:34,130 --> 00:06:35,269 Four logic cells. 146 00:06:37,370 --> 00:06:38,720 Make up one slice. 147 00:06:41,180 --> 00:06:42,769 And two slices. 148 00:06:44,070 --> 00:06:45,240 Are grouped together. 149 00:06:47,490 --> 00:06:49,109 Combined with a switch box and 150 00:06:49,110 --> 00:06:50,110 interconnect. 151 00:06:51,350 --> 00:06:52,350 Into a tile. 152 00:06:54,120 --> 00:06:56,369 As you can see, we have surrounding 153 00:06:56,370 --> 00:06:57,370 tiles. 154 00:06:59,910 --> 00:07:02,319 And that's how we implement logic, 155 00:07:02,320 --> 00:07:04,230 and that's how we wire the logic. 156 00:07:07,900 --> 00:07:10,209 Now we zoom out a bit more. 157 00:07:11,990 --> 00:07:12,990 Yeah, we can see. 158 00:07:14,370 --> 00:07:16,709 But several of those tiles are grouped 159 00:07:16,710 --> 00:07:18,119 together into columns.
160 00:07:19,850 --> 00:07:21,050 And we zoom out a bit more. 161 00:07:22,680 --> 00:07:24,749 One column, with the seven series, 162 00:07:24,750 --> 00:07:27,149 contains 50 tiles 163 00:07:27,150 --> 00:07:28,619 and one clock tile in the middle. 164 00:07:30,150 --> 00:07:32,999 This is a rather small device. 165 00:07:33,000 --> 00:07:35,489 It only has one hundred 166 00:07:35,490 --> 00:07:36,929 eighty six columns. 167 00:07:37,950 --> 00:07:40,259 Which equates to nine 168 00:07:40,260 --> 00:07:41,879 thousand three hundred tiles. 169 00:07:44,620 --> 00:07:46,059 The columns then are grouped together 170 00:07:46,060 --> 00:07:47,409 into regions. 171 00:07:47,410 --> 00:07:49,570 This particular device has six of them. 172 00:07:51,190 --> 00:07:53,319 And yeah, that's 173 00:07:53,320 --> 00:07:55,449 the basic fabric, but we're 174 00:07:55,450 --> 00:07:56,649 still missing something. 175 00:07:58,020 --> 00:07:59,639 We still can't communicate with the 176 00:07:59,640 --> 00:08:00,750 outside world of the chip. 177 00:08:01,770 --> 00:08:03,929 For something for that, 178 00:08:03,930 --> 00:08:06,449 we need something like a bridge or 179 00:08:06,450 --> 00:08:08,879 input output modules. 180 00:08:08,880 --> 00:08:11,099 So at the borders, we have 181 00:08:11,100 --> 00:08:12,170 the I/O tiles. 182 00:08:14,430 --> 00:08:16,649 But are there more than 183 00:08:16,650 --> 00:08:18,719 those two tile types? 184 00:08:18,720 --> 00:08:20,999 Of course, sometimes logic 185 00:08:21,000 --> 00:08:22,199 is not enough. 186 00:08:22,200 --> 00:08:24,989 Maybe we need memory. 187 00:08:24,990 --> 00:08:26,549 Of course, we could implement the memory 188 00:08:26,550 --> 00:08:29,579 in logic, but that's expensive, too. 189 00:08:29,580 --> 00:08:31,799 So the vendors gave us 190 00:08:31,800 --> 00:08:33,389 small units called block RAM. 191 00:08:34,799 --> 00:08:36,360 Here are two columns.
192 00:08:37,600 --> 00:08:39,339 Block RAM in that particular device. 193 00:08:41,740 --> 00:08:43,928 Each small rectangle contains 194 00:08:43,929 --> 00:08:46,419 36 kilobits of memory 195 00:08:46,420 --> 00:08:48,730 and there are 140. 196 00:08:49,860 --> 00:08:51,960 Yeah, blocks of RAM in this device. 197 00:08:53,380 --> 00:08:55,509 Sometimes memories are not 198 00:08:55,510 --> 00:08:56,510 enough. 199 00:08:57,070 --> 00:08:59,170 Sometimes we need processing power. 200 00:09:02,240 --> 00:09:04,429 Implementing arithmetic 201 00:09:04,430 --> 00:09:06,499 functions like multiplication 202 00:09:06,500 --> 00:09:08,569 would also use up lots and lots of 203 00:09:08,570 --> 00:09:10,730 resources, lots and lots of logic. 204 00:09:11,820 --> 00:09:14,249 So the vendors gave us DSP 205 00:09:14,250 --> 00:09:16,409 tiles. DSP 206 00:09:16,410 --> 00:09:19,829 stands for digital signal processor 207 00:09:19,830 --> 00:09:21,959 or in that case, it's just the small 208 00:09:21,960 --> 00:09:24,679 addition units. 209 00:09:24,680 --> 00:09:26,539 Combined with multiplication units. 210 00:09:28,230 --> 00:09:30,599 OK, now we 211 00:09:30,600 --> 00:09:33,419 really know about the basic makeup of 212 00:09:33,420 --> 00:09:34,420 FPGA. 213 00:09:35,490 --> 00:09:37,829 But how do we configure 214 00:09:37,830 --> 00:09:38,830 it? 215 00:09:39,450 --> 00:09:42,299 How does each lookup table know 216 00:09:42,300 --> 00:09:44,879 its values, how 217 00:09:44,880 --> 00:09:47,489 do the flip flops know the initial state? 218 00:09:47,490 --> 00:09:50,279 And how is everything routed? 219 00:09:50,280 --> 00:09:52,229 For that, we have the bitstream. 220 00:09:53,610 --> 00:09:55,409 Problem with the bitstream is it is 221 00:09:55,410 --> 00:09:56,410 undocumented.
222 00:09:58,690 --> 00:10:00,879 Yeah, and it configures the switch boxes, 223 00:10:00,880 --> 00:10:02,739 lookup tables, provides the initial 224 00:10:02,740 --> 00:10:03,740 state. 225 00:10:04,440 --> 00:10:06,569 This thing decides which switch to turn 226 00:10:06,570 --> 00:10:07,570 off and on. 227 00:10:09,440 --> 00:10:11,749 The goal of reverse reverse engineering 228 00:10:11,750 --> 00:10:12,750 effort is. 229 00:10:13,760 --> 00:10:15,559 It's getting the bitstream documented. 230 00:10:18,480 --> 00:10:20,909 Four years ago, I reverse engineered the 231 00:10:20,910 --> 00:10:21,910 iCE40. 232 00:10:23,370 --> 00:10:24,370 Quick summary 233 00:10:25,650 --> 00:10:27,899 The iCE40 FPGA is 234 00:10:27,900 --> 00:10:30,479 a very, very small one. 235 00:10:30,480 --> 00:10:32,039 It is optimized for low power 236 00:10:32,040 --> 00:10:33,839 consumption. 237 00:10:33,840 --> 00:10:36,179 It only has between 238 00:10:36,180 --> 00:10:37,739 three hundred eighty four and seven 239 00:10:37,740 --> 00:10:39,659 thousand six hundred eighty lookup tables 240 00:10:39,660 --> 00:10:40,769 with only four inputs. 241 00:10:42,840 --> 00:10:45,749 Even the block RAM looks small, 242 00:10:45,750 --> 00:10:47,819 but is very beginner-friendly, and 243 00:10:47,820 --> 00:10:49,019 it's the cheapest one of Moussa. 244 00:10:51,290 --> 00:10:53,439 This is the picture. 245 00:10:53,440 --> 00:10:55,450 The manufacturer gives us. 246 00:10:56,920 --> 00:10:59,409 It shows that programmable 247 00:10:59,410 --> 00:11:00,410 logic blocks. 248 00:11:01,320 --> 00:11:03,539 Contain following 249 00:11:03,540 --> 00:11:05,070 contain eight lookup tables. 250 00:11:06,600 --> 00:11:08,969 And that the whole fabric is surrounded 251 00:11:08,970 --> 00:11:10,409 with the I/O tiles.
252 00:11:11,930 --> 00:11:14,059 But we don't know anything 253 00:11:14,060 --> 00:11:15,080 about the interconnect, 254 00:11:16,670 --> 00:11:18,889 and we don't even know how many 255 00:11:18,890 --> 00:11:21,079 tiles, how many rows and how many 256 00:11:21,080 --> 00:11:22,080 columns there are. 257 00:11:27,300 --> 00:11:29,609 A closer look at the control 258 00:11:29,610 --> 00:11:31,979 of logic block or in that case, 259 00:11:31,980 --> 00:11:33,420 the logic cell, 260 00:11:34,590 --> 00:11:36,749 we can see there's only one flip 261 00:11:36,750 --> 00:11:38,849 flop and it can 262 00:11:38,850 --> 00:11:40,289 be bypassed. 263 00:11:40,290 --> 00:11:42,659 You can use both the pure output 264 00:11:42,660 --> 00:11:45,629 of the lookup table and the flip-flop, 265 00:11:45,630 --> 00:11:46,740 and we only four inputs. 266 00:11:49,270 --> 00:11:51,639 What's special about the routing 267 00:11:51,640 --> 00:11:52,640 in the iCE40? 268 00:11:54,890 --> 00:11:57,469 Is, they are bidirectional. 269 00:11:58,880 --> 00:12:00,959 So you have more than one source 270 00:12:00,960 --> 00:12:03,019 at each wire. You 271 00:12:03,020 --> 00:12:05,089 can, if you put in the right or 272 00:12:05,090 --> 00:12:06,829 wrong configuration, cause short 273 00:12:06,830 --> 00:12:08,509 circuits in the device itself. 274 00:12:11,180 --> 00:12:13,189 Another thing they provide us with eight 275 00:12:13,190 --> 00:12:15,169 globally routed signals, they get 276 00:12:15,170 --> 00:12:17,449 routed to every single tile and 277 00:12:17,450 --> 00:12:19,549 every tile we can choose 278 00:12:19,550 --> 00:12:21,740 out of those eight for. 279 00:12:24,490 --> 00:12:26,859 The interconnect between 280 00:12:26,860 --> 00:12:29,079 the tiles mainly consists 281 00:12:29,080 --> 00:12:31,209 of wires that span over 282 00:12:31,210 --> 00:12:33,999 four tiles and over 12 tiles horizontally 283 00:12:34,000 --> 00:12:35,000 and vertically.
284 00:12:36,120 --> 00:12:38,219 And, of course, every single tile is 285 00:12:38,220 --> 00:12:40,259 connected with its surrounding neighbors. 286 00:12:40,260 --> 00:12:41,260 That's it. 287 00:12:43,460 --> 00:12:45,559 What were the challenges with 288 00:12:45,560 --> 00:12:49,099 reverse engineering the iCE40 FPGA? 289 00:12:49,100 --> 00:12:51,379 Well, we had no knowledge 290 00:12:51,380 --> 00:12:53,449 about the internal layout. 291 00:12:53,450 --> 00:12:55,669 I had no schematic. 292 00:12:55,670 --> 00:12:57,739 I had no idea at all how many 293 00:12:57,740 --> 00:12:58,939 wires there were. 294 00:12:58,940 --> 00:13:01,849 Where they go, where the switch boxes are, 295 00:13:01,850 --> 00:13:04,019 how the switch boxes connect 296 00:13:04,020 --> 00:13:05,630 to the control of logic blocks, 297 00:13:06,830 --> 00:13:09,499 and even the bitstream well 298 00:13:09,500 --> 00:13:10,580 commands for 299 00:13:12,350 --> 00:13:14,779 commanding the FPGA 300 00:13:14,780 --> 00:13:17,149 to load correct bitstream were only 301 00:13:17,150 --> 00:13:19,779 partially documented. 302 00:13:19,780 --> 00:13:21,969 Another challenge, of course, is 303 00:13:21,970 --> 00:13:24,069 mapping the tile location to the bitmap 304 00:13:24,070 --> 00:13:26,379 coordinates. But I will show you more 305 00:13:26,380 --> 00:13:27,879 details of that later. 306 00:13:29,520 --> 00:13:31,819 So how did I reverse engineer the 307 00:13:31,820 --> 00:13:32,940 iCE40 FPGA? 308 00:13:34,320 --> 00:13:35,320 Well. 309 00:13:36,310 --> 00:13:38,529 I took a look, took a closer 310 00:13:38,530 --> 00:13:40,779 look at the tools 311 00:13:40,780 --> 00:13:41,950 the vendors gave me. 312 00:13:44,220 --> 00:13:46,679 Especially the bitstream generator, 313 00:13:47,970 --> 00:13:51,209 the bitstream generator seemed to contain 314 00:13:51,210 --> 00:13:52,590 several strings.
315 00:13:54,410 --> 00:13:57,799 Which related to the names of the wiring 316 00:13:57,800 --> 00:14:01,039 and you kept comparing the bit names, 317 00:14:01,040 --> 00:14:02,040 but. 318 00:14:02,420 --> 00:14:04,669 They were behind the debug flag 319 00:14:04,670 --> 00:14:06,169 that I could not reach. 320 00:14:07,740 --> 00:14:09,899 Because they commented it 321 00:14:09,900 --> 00:14:11,940 out and a compiler didn't optimize it out. 322 00:14:13,360 --> 00:14:14,979 That's why it was easy for me to document 323 00:14:14,980 --> 00:14:17,409 and and reverse engineer the iCE40 324 00:14:17,410 --> 00:14:19,479 FPGA because I only had 325 00:14:19,480 --> 00:14:21,669 to replace one single jump instruction 326 00:14:21,670 --> 00:14:24,129 in the vendor tool. 327 00:14:24,130 --> 00:14:26,499 And I was able to get every single name 328 00:14:26,500 --> 00:14:28,809 of every single bit there was and 329 00:14:28,810 --> 00:14:31,609 a short description of its function. 330 00:14:31,610 --> 00:14:32,610 All right. 331 00:14:38,530 --> 00:14:40,749 Not a fun story about how 332 00:14:40,750 --> 00:14:42,939 this tool was written 333 00:14:42,940 --> 00:14:45,129 when I tried to decompile it and 334 00:14:45,130 --> 00:14:46,779 looked through some functions in it. 335 00:14:48,310 --> 00:14:50,619 You could see where 336 00:14:50,620 --> 00:14:52,989 they copy pasted everything together. 337 00:14:52,990 --> 00:14:54,759 If you have one function and it's a 338 00:14:54,760 --> 00:14:56,829 combination of printfs and 339 00:14:56,830 --> 00:14:58,479 cout, you know. 340 00:15:00,210 --> 00:15:02,370 They copy and paste that shit together. 341 00:15:03,990 --> 00:15:06,389 Another thing I noticed 342 00:15:06,390 --> 00:15:08,370 the bitstream contained 343 00:15:10,350 --> 00:15:12,570 CRC or cyclic redundancy check.
344 00:15:13,810 --> 00:15:16,599 But there was not a single 345 00:15:16,600 --> 00:15:18,999 opcode that related to 346 00:15:19,000 --> 00:15:21,219 this function, namely, excuse 347 00:15:21,220 --> 00:15:23,559 me for the whole binary, had none. 348 00:15:23,560 --> 00:15:25,989 If you implement the cyclic redundancy 349 00:15:25,990 --> 00:15:27,970 check you normally need it for. 350 00:15:30,320 --> 00:15:31,969 That puzzles me. 351 00:15:31,970 --> 00:15:34,309 So I just randomly stopped the 352 00:15:34,310 --> 00:15:36,469 bitstream generator and took a look at 353 00:15:36,470 --> 00:15:38,749 the memory dump, and I found 354 00:15:38,750 --> 00:15:41,449 out they generated the bitstream 355 00:15:41,450 --> 00:15:42,450 in ASCII. 356 00:15:43,380 --> 00:15:46,409 So at some point I found it 357 00:15:46,410 --> 00:15:48,479 in string of ones and 358 00:15:48,480 --> 00:15:50,120 zeroes in ASCII. 359 00:15:51,410 --> 00:15:53,809 And they generated that part only 360 00:15:53,810 --> 00:15:54,860 for the CRC. 361 00:15:57,190 --> 00:15:58,719 I don't know what happened in that 362 00:15:58,720 --> 00:15:59,619 program. 363 00:15:59,620 --> 00:16:01,749 I don't want to know what led to 364 00:16:01,750 --> 00:16:03,939 these decisions, but 365 00:16:03,940 --> 00:16:04,940 Wolf. 366 00:16:08,300 --> 00:16:10,669 With the Xilinx seven series, 367 00:16:11,900 --> 00:16:14,119 I reverse engineered or partially 368 00:16:14,120 --> 00:16:15,769 reverse engineered the Xilinx seven series 369 00:16:15,770 --> 00:16:16,770 two years ago. 370 00:16:19,620 --> 00:16:20,999 I had another challenge because the 371 00:16:21,000 --> 00:16:22,000 Xilinx series, 372 00:16:23,250 --> 00:16:25,679 the seven series, it is really, 373 00:16:25,680 --> 00:16:27,990 really high, a high performance device. 374 00:16:29,400 --> 00:16:31,499 One thing looked at 375 00:16:31,500 --> 00:16:32,669 six lookup table.
376 00:16:34,310 --> 00:16:36,439 Uses up half the memory 377 00:16:36,440 --> 00:16:38,869 of one small tile 378 00:16:38,870 --> 00:16:40,549 in the iCE40 379 00:16:41,810 --> 00:16:45,319 and even the smallest seven series FPGA 380 00:16:45,320 --> 00:16:47,599 has my lookup tables that are far 381 00:16:47,600 --> 00:16:49,309 bigger than the iCE40 ones. 382 00:16:50,760 --> 00:16:53,699 And the biggest one has more than 1.2 383 00:16:53,700 --> 00:16:55,130 million lookup tables. 384 00:16:56,610 --> 00:16:59,819 This maps to around 150000 385 00:16:59,820 --> 00:17:00,820 tiles. 386 00:17:03,560 --> 00:17:06,229 Yeah, a lot of resources in 387 00:17:06,230 --> 00:17:07,230 the seven series. 388 00:17:09,810 --> 00:17:12,838 Contain and block RAM, 389 00:17:12,839 --> 00:17:15,509 the block RAM has 36 kilobits of data, 390 00:17:15,510 --> 00:17:16,529 as I mentioned before. 391 00:17:18,280 --> 00:17:20,170 We have the central clock line. 392 00:17:22,970 --> 00:17:25,039 The DSP calls, the I/O tiles, by the way, 393 00:17:25,040 --> 00:17:26,209 this is just the. 394 00:17:27,410 --> 00:17:29,479 Bottom most part of the 395 00:17:29,480 --> 00:17:31,940 Zynq 7020. Later 396 00:17:33,040 --> 00:17:34,899 I will tell you more on that, I will tell 397 00:17:34,900 --> 00:17:36,729 you more about the Zynq 7020. 398 00:17:36,730 --> 00:17:38,919 This is the particular device I decided 399 00:17:38,920 --> 00:17:39,920 to reverse engineer. 400 00:17:41,160 --> 00:17:43,859 Because it contained two 401 00:17:43,860 --> 00:17:46,769 ARM Cortex-A9 processor cores 402 00:17:46,770 --> 00:17:49,499 that could reprogram the FPGA 403 00:17:49,500 --> 00:17:50,609 and interface with it. 404 00:17:52,700 --> 00:17:55,309 I really, really liked the thought 405 00:17:55,310 --> 00:17:57,319 about combining.
406 00:17:59,920 --> 00:18:02,109 An FPGA with the 407 00:18:02,110 --> 00:18:05,169 interconnect, with the memory system 408 00:18:05,170 --> 00:18:07,359 of the processor cores and use that. 409 00:18:07,360 --> 00:18:09,279 But then again, I didn't want to learn 410 00:18:09,280 --> 00:18:11,499 Verilog or VHDL. 411 00:18:11,500 --> 00:18:12,940 So I decided to reverse engineer it. 412 00:18:15,380 --> 00:18:16,699 With the seven series, 413 00:18:17,930 --> 00:18:18,950 I am. 414 00:18:20,400 --> 00:18:22,650 I had to scale up my whole operations. 415 00:18:23,840 --> 00:18:26,089 Because, for example, 416 00:18:26,090 --> 00:18:27,979 as I mentioned before, then nine falls in 417 00:18:27,980 --> 00:18:29,150 France, which boxes 418 00:18:30,530 --> 00:18:31,519 each 419 00:18:31,520 --> 00:18:32,520 switch box. 420 00:18:33,310 --> 00:18:34,310 Contains. 421 00:18:36,000 --> 00:18:39,359 Two hundred and sixteen multiplexers, 422 00:18:39,360 --> 00:18:41,249 and they have three thousand seven 423 00:18:41,250 --> 00:18:43,229 hundred thirty eight possible connection 424 00:18:43,230 --> 00:18:44,230 states. 425 00:18:45,020 --> 00:18:46,509 That's a lot. 426 00:18:46,510 --> 00:18:49,449 They also connect through 135 427 00:18:49,450 --> 00:18:50,859 wires to neighboring tiles 428 00:18:52,450 --> 00:18:54,729 and rolled 117 wires 429 00:18:54,730 --> 00:18:56,469 from neighboring tiles to them. 430 00:18:58,780 --> 00:19:01,329 The whole operation's suddenly got 431 00:19:01,330 --> 00:19:02,919 very big. 432 00:19:02,920 --> 00:19:04,689 And of course, the whole device contains 433 00:19:04,690 --> 00:19:06,819 more than three million wires, and 434 00:19:06,820 --> 00:19:08,979 there are four to two 435 00:19:08,980 --> 00:19:11,049 million or more than 32 436 00:19:11,050 --> 00:19:13,209 million configuration bits. 437 00:19:13,210 --> 00:19:14,479 With each of them. 438 00:19:14,480 --> 00:19:15,880 I had to find out what they do.
439 00:19:19,220 --> 00:19:21,259 What were the challenges with the seven 440 00:19:21,260 --> 00:19:23,240 series? Yeah, the complex design, 441 00:19:24,290 --> 00:19:25,290 but with this one? 442 00:19:26,300 --> 00:19:29,019 I was not able to get. 443 00:19:29,020 --> 00:19:31,180 Any debugging information whatsoever. 444 00:19:32,470 --> 00:19:34,929 Also, the tool chain was much 445 00:19:34,930 --> 00:19:37,239 more complex than the Lattice one. 446 00:19:39,330 --> 00:19:41,430 It was first it was written in Java. 447 00:19:42,930 --> 00:19:45,059 So, no decompiling 448 00:19:45,060 --> 00:19:47,309 there for me, I'm only 449 00:19:47,310 --> 00:19:49,560 a C Assembly C++ programmer. 450 00:19:51,930 --> 00:19:54,390 And it was written much nicer. 451 00:19:55,880 --> 00:19:57,919 Another thing that bothered me, I will 452 00:19:57,920 --> 00:20:00,349 show you shortly, 453 00:20:00,350 --> 00:20:02,659 is that there is a small part 454 00:20:02,660 --> 00:20:04,909 where the pattern of 455 00:20:04,910 --> 00:20:07,009 the bitmap you can extract out of the 456 00:20:07,010 --> 00:20:08,779 bitstream doesn't match. 457 00:20:10,380 --> 00:20:11,380 The rest. 458 00:20:12,230 --> 00:20:14,359 And this part is, as I later found 459 00:20:14,360 --> 00:20:15,980 out, for the error correction part. 460 00:20:19,760 --> 00:20:21,919 Also, not a small challenge, 461 00:20:21,920 --> 00:20:24,379 also mapping the tile locations 462 00:20:24,380 --> 00:20:25,489 to the bitmap coordinates. 463 00:20:26,900 --> 00:20:29,269 Now I will show you a very small 464 00:20:29,270 --> 00:20:31,849 section of the bitmap. 465 00:20:31,850 --> 00:20:33,919 You can I can generate of the 466 00:20:33,920 --> 00:20:34,920 bitstream. 467 00:20:36,910 --> 00:20:37,910 OK. 468 00:20:39,010 --> 00:20:41,469 When I first looked at this, 469 00:20:41,470 --> 00:20:43,239 I was like, fuck.
470 00:20:46,400 --> 00:20:48,529 This thing seemed 471 00:20:48,530 --> 00:20:50,599 like an insurmountable 472 00:20:50,600 --> 00:20:52,699 wall to me, but 473 00:20:52,700 --> 00:20:54,259 I already did. 474 00:20:54,260 --> 00:20:56,329 And you already can see some patterns 475 00:20:56,330 --> 00:20:57,330 in there. 476 00:20:58,460 --> 00:21:00,559 We, for example, can see that there 477 00:21:00,560 --> 00:21:02,750 are some bigger chunks, 478 00:21:03,860 --> 00:21:04,879 most probably. 479 00:21:04,880 --> 00:21:07,069 These are the configuration 480 00:21:07,070 --> 00:21:08,909 data for the lookup tables. 481 00:21:10,390 --> 00:21:11,589 Nice. 482 00:21:11,590 --> 00:21:13,839 Now we only have to find out what 483 00:21:13,840 --> 00:21:16,269 the other columns that look like 484 00:21:16,270 --> 00:21:17,270 noise do. 485 00:21:19,560 --> 00:21:21,989 Of course they are for the switch boxes, 486 00:21:21,990 --> 00:21:24,179 but mapping them 487 00:21:24,180 --> 00:21:27,239 to the to the sink wires. 488 00:21:27,240 --> 00:21:28,240 Was hard. 489 00:21:31,530 --> 00:21:33,809 About mapping the tiles 490 00:21:33,810 --> 00:21:35,339 to the bitmap. 491 00:21:35,340 --> 00:21:36,340 I have another picture. 492 00:21:39,100 --> 00:21:43,029 We can see that 64 493 00:21:43,030 --> 00:21:45,339 pixels mapped to one tile. 494 00:21:47,070 --> 00:21:49,319 And this part. 495 00:21:50,990 --> 00:21:53,149 Or, yeah, 496 00:21:53,150 --> 00:21:54,150 this part. 497 00:21:55,270 --> 00:21:57,489 Maps to the 498 00:21:57,490 --> 00:21:58,490 other part. 499 00:22:02,590 --> 00:22:05,139 With the middle part, I was puzzled. 500 00:22:05,140 --> 00:22:07,479 Of course, the small, 501 00:22:07,480 --> 00:22:09,609 regular block of pixels we 502 00:22:09,610 --> 00:22:11,739 can see here and here and 503 00:22:11,740 --> 00:22:15,009 here had to have 504 00:22:15,010 --> 00:22:17,429 had to do how to 505 00:22:17,430 --> 00:22:18,430 how to.
506 00:22:20,830 --> 00:22:22,749 Had to be used to forward the clock 507 00:22:22,750 --> 00:22:24,460 interconnect with. 508 00:22:27,030 --> 00:22:28,799 Here in the middle, we can see there's 509 00:22:28,800 --> 00:22:29,939 the clock. 510 00:22:29,940 --> 00:22:32,039 We know that 25 tiles on one 511 00:22:32,040 --> 00:22:33,930 side and 25 tiles on the other side. 512 00:22:35,030 --> 00:22:36,030 But that's all I got. 513 00:22:37,470 --> 00:22:38,640 First to work with 514 00:22:39,870 --> 00:22:41,729 about the error correcting code that we 515 00:22:41,730 --> 00:22:43,829 can see there, if that thing was 516 00:22:43,830 --> 00:22:46,290 a challenge, but I had an idea. 517 00:22:48,310 --> 00:22:50,559 I wrote a small 518 00:22:50,560 --> 00:22:52,779 parser which counted the number 519 00:22:52,780 --> 00:22:55,029 of bits that were set in each row. 520 00:22:56,710 --> 00:22:58,989 If this number was 521 00:22:58,990 --> 00:23:01,129 one, I 522 00:23:01,130 --> 00:23:04,119 stored the information about the 523 00:23:04,120 --> 00:23:05,120 middle part. 524 00:23:09,690 --> 00:23:11,849 Out of that, I was able to find out. 525 00:23:12,930 --> 00:23:15,369 This thing was using Hamming code 526 00:23:15,370 --> 00:23:17,339 or single error correction, double error 527 00:23:17,340 --> 00:23:19,409 detection, extended Hamming code. 528 00:23:21,570 --> 00:23:23,669 I would love to show you 529 00:23:23,670 --> 00:23:25,949 more, but right 530 00:23:25,950 --> 00:23:28,049 now I had a problem with 531 00:23:28,050 --> 00:23:29,669 my hard disk and my notebook. 532 00:23:30,700 --> 00:23:33,189 And that's kind of where my talk. 533 00:23:35,520 --> 00:23:36,959 Early, and I think. 534 00:23:40,360 --> 00:23:41,360 Hmm. 535 00:23:41,730 --> 00:23:43,229 What can I tell you more about the 536 00:23:43,230 --> 00:23:45,059 reverse engineering of the seven series?
537 00:23:47,280 --> 00:23:49,649 With the Vivado toolchain we get 538 00:23:49,650 --> 00:23:51,299 in, at least we get the internal 539 00:23:51,300 --> 00:23:52,300 schematic. 540 00:23:53,220 --> 00:23:54,869 And you can extract it 541 00:23:56,730 --> 00:23:58,439 automatically. 542 00:23:58,440 --> 00:24:00,509 You get the information on the 543 00:24:00,510 --> 00:24:02,429 tile coordinates, you get the names of 544 00:24:02,430 --> 00:24:03,539 the wires. 545 00:24:03,540 --> 00:24:05,279 But we don't get the information in the 546 00:24:05,280 --> 00:24:07,739 bitstream, but with the knowledge 547 00:24:07,740 --> 00:24:10,289 of where the tile sits in the bitstream. 548 00:24:11,380 --> 00:24:13,779 We can correlate that data. 549 00:24:13,780 --> 00:24:15,759 I created several automated tools for 550 00:24:15,760 --> 00:24:18,069 that. I would have loved to show 551 00:24:18,070 --> 00:24:20,139 them to you, but 552 00:24:20,140 --> 00:24:22,299 something went terribly wrong. 553 00:24:22,300 --> 00:24:23,300 I'm sorry. 554 00:24:24,850 --> 00:24:27,369 So what are the implications 555 00:24:27,370 --> 00:24:28,370 of my work? 556 00:24:29,100 --> 00:24:30,100 I did there. 557 00:24:32,830 --> 00:24:35,049 Because I can 558 00:24:35,050 --> 00:24:37,150 create a netlist out of the bitstream, 559 00:24:38,470 --> 00:24:41,439 I'm able to 560 00:24:41,440 --> 00:24:43,509 cross compile bitstream different 561 00:24:43,510 --> 00:24:44,510 architectures. 562 00:24:45,310 --> 00:24:47,439 We've said we can copy extract and 563 00:24:47,440 --> 00:24:49,680 reverse engineer IP cores that 564 00:24:51,510 --> 00:24:53,910 are otherwise impenetrable.
565 00:24:55,050 --> 00:24:57,989 Another possibility is starting 566 00:24:57,990 --> 00:25:00,189 project as another project, I start 567 00:25:00,190 --> 00:25:02,279 with Clifford together to create a 568 00:25:02,280 --> 00:25:04,739 second target 569 00:25:04,740 --> 00:25:06,359 for his open source tool chain. 570 00:25:08,370 --> 00:25:10,769 I'm very sorry that my talk got 571 00:25:10,770 --> 00:25:11,770 this short. 572 00:25:13,350 --> 00:25:14,350 Yeah. 573 00:25:15,840 --> 00:25:16,840 Any questions? 574 00:25:26,390 --> 00:25:28,010 This was very short indeed. 575 00:25:29,060 --> 00:25:31,189 So if you have questions 576 00:25:31,190 --> 00:25:33,769 for Matt, please come to the microphones. 577 00:25:33,770 --> 00:25:35,839 Here is one, two, three 578 00:25:35,840 --> 00:25:38,669 and four and 579 00:25:38,670 --> 00:25:40,729 we have we can take questions from 580 00:25:40,730 --> 00:25:42,829 the IRC at all via Twitter as 581 00:25:42,830 --> 00:25:43,830 well. 582 00:25:44,900 --> 00:25:46,519 Yeah, we have a question here at 583 00:25:46,520 --> 00:25:47,520 Microphone one. 584 00:25:48,560 --> 00:25:49,759 I know. 585 00:25:49,760 --> 00:25:51,499 Yes, I would like to know what happened 586 00:25:51,500 --> 00:25:52,429 to you. 587 00:25:52,430 --> 00:25:54,499 Well, you pressured not to. 588 00:25:54,500 --> 00:25:56,329 What happened to your laptop? 589 00:25:56,330 --> 00:25:58,069 What happened? There was something about 590 00:25:58,070 --> 00:26:00,529 exFAT and Michalos and 591 00:26:00,530 --> 00:26:02,239 unplugging it. 592 00:26:02,240 --> 00:26:03,319 OK? 593 00:26:03,320 --> 00:26:05,419 And and my windows went 594 00:26:05,420 --> 00:26:08,389 to try to repair a disk just freezes 595 00:26:08,390 --> 00:26:10,669 like at 596 00:26:10,670 --> 00:26:11,670 its heart 597 00:26:12,530 --> 00:26:14,779 happened like one hour before the whole 598 00:26:14,780 --> 00:26:15,780 thing started.
599 00:26:19,290 --> 00:26:20,400 My second question. 600 00:26:21,420 --> 00:26:23,519 Have you worked on the Xilinx 601 00:26:23,520 --> 00:26:25,409 Spartan six series? 602 00:26:25,410 --> 00:26:27,899 No, I never cared about the Spartan 603 00:26:27,900 --> 00:26:29,609 ones and about the six series. 604 00:26:29,610 --> 00:26:30,610 I only want 605 00:26:32,070 --> 00:26:33,989 to reverse the seven series because of 606 00:26:33,990 --> 00:26:36,209 the Cortex processor in it. 607 00:26:36,210 --> 00:26:38,010 OK, thank you. 608 00:26:39,120 --> 00:26:40,329 Thank you. 609 00:26:40,330 --> 00:26:42,239 And Microphone two, please. 610 00:26:42,240 --> 00:26:43,409 Yeah, thanks for the talk. 611 00:26:43,410 --> 00:26:45,839 Can you comment on this like middle 612 00:26:45,840 --> 00:26:47,939 point of the FPGA because you 613 00:26:47,940 --> 00:26:50,879 have like this black part there and this 614 00:26:50,880 --> 00:26:52,169 white part there? 615 00:26:52,170 --> 00:26:53,939 Is it like the error correction code for 616 00:26:53,940 --> 00:26:55,769 half of the FPGA and the other half of 617 00:26:55,770 --> 00:26:56,969 the FPGA? Or how does 618 00:26:56,970 --> 00:26:58,499 that work exactly? 619 00:26:58,500 --> 00:27:01,169 With Hamming code, you normally 620 00:27:01,170 --> 00:27:03,599 mix the parity bits 621 00:27:03,600 --> 00:27:04,600 into the data, 622 00:27:06,450 --> 00:27:08,759 but of course, Xilinx doesn't 623 00:27:08,760 --> 00:27:10,559 want that, so they put it in the middle. 624 00:27:11,970 --> 00:27:13,609 And these certain bits, they are 625 00:27:13,610 --> 00:27:15,779 already Hamming code for one row. 626 00:27:19,170 --> 00:27:21,779 I can show you later the details when I 627 00:27:21,780 --> 00:27:23,939 get them out of my hard disk 628 00:27:23,940 --> 00:27:26,669 there, I have everything 629 00:27:26,670 --> 00:27:29,459 in details. With more details. 630 00:27:29,460 --> 00:27:30,659 Thanks.
631 00:27:30,660 --> 00:27:32,189 Thank you. 632 00:27:32,190 --> 00:27:34,559 Microphone three, please. 633 00:27:34,560 --> 00:27:36,869 I was somewhat puzzled by your remarks 634 00:27:36,870 --> 00:27:39,149 regarding your inability to decompile 635 00:27:39,150 --> 00:27:41,399 the Java toolchain you mentioned earlier, 636 00:27:41,400 --> 00:27:42,989 because usually seashell up in the 637 00:27:42,990 --> 00:27:45,479 sailboat codes and JVM stuff is 638 00:27:45,480 --> 00:27:47,309 the easiest prey in that regard. 639 00:27:47,310 --> 00:27:49,739 How come that might be, 640 00:27:49,740 --> 00:27:51,809 but I always come a bit from a different 641 00:27:51,810 --> 00:27:53,699 direction because I taught everything to 642 00:27:53,700 --> 00:27:55,019 myself. 643 00:27:55,020 --> 00:27:58,019 I had no idea how to take each other 644 00:27:58,020 --> 00:27:59,879 with the Lattice toolchain. 645 00:27:59,880 --> 00:28:02,189 I created two tools for 646 00:28:02,190 --> 00:28:04,049 that called elimination. 647 00:28:04,050 --> 00:28:06,269 One, for example, patched 648 00:28:06,270 --> 00:28:08,369 every single jump instruction in the 649 00:28:08,370 --> 00:28:11,039 binary so it could get the program flow. 650 00:28:11,040 --> 00:28:12,929 Another one replaced everything else 651 00:28:12,930 --> 00:28:14,699 with a breakpoint. 652 00:28:14,700 --> 00:28:16,829 I then hooked the structured 653 00:28:16,830 --> 00:28:19,739 exception handling from Windows 654 00:28:19,740 --> 00:28:22,019 and replaced every opcode 655 00:28:22,020 --> 00:28:23,310 as it was executed. 656 00:28:24,360 --> 00:28:26,549 In that way, I could reduce the 657 00:28:26,550 --> 00:28:28,619 code by two thirds, which was 658 00:28:28,620 --> 00:28:30,479 easy to decompile. But as I said with 659 00:28:30,480 --> 00:28:32,580 Java, I had no idea how to tackle that. 660 00:28:33,960 --> 00:28:35,639 There's lots of automated software for 661 00:28:35,640 --> 00:28:36,449 that.
Give it another 662 00:28:36,450 --> 00:28:39,119 go. I never used it. 663 00:28:39,120 --> 00:28:41,069 I always wrote my own software. 664 00:28:41,070 --> 00:28:43,139 Maybe that's one 665 00:28:43,140 --> 00:28:44,140 of the reasons. 666 00:28:45,350 --> 00:28:47,209 Then we have a question from the IRC 667 00:28:47,210 --> 00:28:48,210 chat, 668 00:28:49,820 --> 00:28:51,979 what architectures 669 00:28:51,980 --> 00:28:54,469 do FPGAs use? 670 00:28:54,470 --> 00:28:56,239 You mentioned ARM ones, but it wasn't 671 00:28:56,240 --> 00:28:57,439 the FPGA itself. 672 00:28:58,670 --> 00:29:00,919 No, FPGAs don't use 673 00:29:00,920 --> 00:29:03,049 architectures like 674 00:29:03,050 --> 00:29:04,309 CPUs. 675 00:29:04,310 --> 00:29:06,469 They have the building blocks like 676 00:29:06,470 --> 00:29:07,819 the configurable logic block 677 00:29:09,230 --> 00:29:11,659 like Block RAM, DSP tiles, 678 00:29:11,660 --> 00:29:13,759 the I/O tiles, and that's 679 00:29:13,760 --> 00:29:14,760 the architecture. 680 00:29:17,240 --> 00:29:19,549 Then microphone one again, 681 00:29:19,550 --> 00:29:21,649 I am wondering whether 682 00:29:21,650 --> 00:29:23,599 you have to try to extract some of the 683 00:29:23,600 --> 00:29:25,999 device database from Vivado or some 684 00:29:26,000 --> 00:29:28,129 information, or did you skip 685 00:29:28,130 --> 00:29:29,449 that for for legal reasons? 686 00:29:29,450 --> 00:29:29,659 I don't 687 00:29:29,660 --> 00:29:32,179 know. I've thought about doing that, but 688 00:29:32,180 --> 00:29:34,429 the binaries, I think, are 689 00:29:34,430 --> 00:29:36,409 more than 10 gigabytes in size. 690 00:29:36,410 --> 00:29:37,550 And I was like, No, fuck it. 691 00:29:38,840 --> 00:29:41,209 OK, I think Vivado 692 00:29:42,590 --> 00:29:44,749 encrypts IP cores, so basically 693 00:29:44,750 --> 00:29:46,279 virtually ellacott and they do the same 694 00:29:46,280 --> 00:29:48,289 way.
Also, for example, files which 695 00:29:48,290 --> 00:29:50,219 contain some of the device information. 696 00:29:50,220 --> 00:29:52,309 I think that's quite similar to what 697 00:29:52,310 --> 00:29:53,329 Intel is doing. 698 00:29:53,330 --> 00:29:55,429 OK. Are those who listen to the talk 699 00:29:55,430 --> 00:29:55,909 yesterday. 700 00:29:55,910 --> 00:29:58,159 I had no need for that information 701 00:29:58,160 --> 00:30:00,020 because I could get 702 00:30:01,060 --> 00:30:03,259 the device information out of like 703 00:30:03,260 --> 00:30:05,749 10 or 20 example projects 704 00:30:05,750 --> 00:30:07,069 just threw into the core. 705 00:30:08,580 --> 00:30:09,499 OK. 706 00:30:09,500 --> 00:30:11,179 If you want, I can show you later some 707 00:30:11,180 --> 00:30:12,649 more details about that. 708 00:30:12,650 --> 00:30:13,650 Mm hmm. 709 00:30:14,540 --> 00:30:16,639 Microphone two, please. 710 00:30:16,640 --> 00:30:17,659 Hey, impressive work. 711 00:30:17,660 --> 00:30:18,919 Thank you. 712 00:30:18,920 --> 00:30:20,419 Sorry for the presentation! 713 00:30:20,420 --> 00:30:22,729 Uh, OK, so let's exclude 714 00:30:22,730 --> 00:30:23,929 your presentation from your work. 715 00:30:23,930 --> 00:30:25,579 Still impressive. 716 00:30:25,580 --> 00:30:27,739 Um, my question was almost the 717 00:30:27,740 --> 00:30:30,169 same, so you didn't look at X 718 00:30:30,170 --> 00:30:32,509 or high speed 719 00:30:32,510 --> 00:30:34,639 IP cores because it was too complicated, 720 00:30:34,640 --> 00:30:35,119 I guess. 721 00:30:35,120 --> 00:30:36,860 No, I didn't have a device for that. 722 00:30:38,480 --> 00:30:40,189 Oh, OK, OK. 723 00:30:40,190 --> 00:30:42,379 I don't have all 724 00:30:42,380 --> 00:30:43,489 the hardware in my mind. 725 00:30:43,490 --> 00:30:44,419 OK, thank you. 726 00:30:44,420 --> 00:30:45,549 We'll ask you details later. 727 00:30:47,390 --> 00:30:50,149 Microphone one again, please. 
728 00:30:50,150 --> 00:30:52,219 Did you do any work on clocking? 729 00:30:52,220 --> 00:30:53,419 What did you do? 730 00:30:53,420 --> 00:30:55,639 Any work on clocking like bills and clock 731 00:30:55,640 --> 00:30:56,689 distribution and all that? 732 00:30:56,690 --> 00:30:57,679 Yeah, sure. 733 00:30:57,680 --> 00:30:58,189 OK. 734 00:30:58,190 --> 00:31:00,829 Sure. I know about I have 735 00:31:00,830 --> 00:31:02,509 some information about the column 736 00:31:02,510 --> 00:31:04,939 drivers, the real drivers, how 737 00:31:04,940 --> 00:31:07,369 everything comes together. 738 00:31:08,960 --> 00:31:11,029 OK. But you but I was also part of 739 00:31:11,030 --> 00:31:12,649 this class which have disappeared. 740 00:31:12,650 --> 00:31:14,809 I had detailed 741 00:31:14,810 --> 00:31:16,969 pictures of the schematics 742 00:31:16,970 --> 00:31:19,069 where I could zoom in and zoom out. 743 00:31:19,070 --> 00:31:21,139 But yeah, OK, 744 00:31:21,140 --> 00:31:22,140 fuck up heaven's 745 00:31:24,080 --> 00:31:25,679 Microphone two, please. 746 00:31:25,680 --> 00:31:26,629 I think so. 747 00:31:26,630 --> 00:31:28,789 I took my question 748 00:31:28,790 --> 00:31:31,189 is regarding reprograming the FPGA 749 00:31:31,190 --> 00:31:33,409 fabric from the ARM Cortex 750 00:31:33,410 --> 00:31:34,819 us? Did you have a look at that? 751 00:31:34,820 --> 00:31:36,439 Is it also possible with your work 752 00:31:36,440 --> 00:31:37,729 or it is. 753 00:31:38,870 --> 00:31:40,969 But another thing that interests me more? 754 00:31:40,970 --> 00:31:43,039 The small thing the 17:20 755 00:31:43,040 --> 00:31:45,319 I'm talking about has 756 00:31:45,320 --> 00:31:47,419 two tiles that can 757 00:31:47,420 --> 00:31:49,519 reprogram the whole thing or partially 758 00:31:49,520 --> 00:31:50,869 reprogram it. 759 00:31:50,870 --> 00:31:51,179 Mm hmm. 760 00:31:51,180 --> 00:31:53,019 Yeah. And of course, results. 761 00:31:54,170 --> 00:31:56,329 Yeah.
So it wouldn't not 762 00:31:56,330 --> 00:31:58,609 be a problem with flashing 763 00:31:58,610 --> 00:31:59,779 that with your 764 00:32:01,310 --> 00:32:03,049 selfmade file. 765 00:32:03,050 --> 00:32:05,419 One thing about these and 766 00:32:05,420 --> 00:32:07,489 the think it's a combination of a 767 00:32:07,490 --> 00:32:09,769 CPU and FPGA, 768 00:32:09,770 --> 00:32:11,899 but they're isolated. 769 00:32:11,900 --> 00:32:14,869 You don't even need to power up the 770 00:32:14,870 --> 00:32:16,939 J part, but you need to power up the 771 00:32:16,940 --> 00:32:19,150 ARM part because it's the ARM part. 772 00:32:20,510 --> 00:32:23,299 That obviously is prioritized and that 773 00:32:23,300 --> 00:32:25,789 configures the first bitstream. 774 00:32:25,790 --> 00:32:27,979 OK. So I can just 775 00:32:27,980 --> 00:32:30,529 use your bitstream then that you 776 00:32:30,530 --> 00:32:31,879 generated using your tools. 777 00:32:31,880 --> 00:32:33,619 I haven't, but I have 778 00:32:35,000 --> 00:32:37,639 a very, very, very, very proof of concept 779 00:32:37,640 --> 00:32:40,009 place and route tool for small gates and 780 00:32:40,010 --> 00:32:42,079 the bits with the IOC. 781 00:32:42,080 --> 00:32:43,819 OK, that's working, and it's routing and 782 00:32:43,820 --> 00:32:44,599 splicing. 783 00:32:44,600 --> 00:32:45,600 OK, thank you. 784 00:32:46,520 --> 00:32:47,750 Microphone one, please. 785 00:32:48,850 --> 00:32:51,109 Um, what about the timing 786 00:32:51,110 --> 00:32:53,659 information if you also reverse engineer 787 00:32:53,660 --> 00:32:54,109 that 788 00:32:54,110 --> 00:32:56,389 I started extracting the timing 789 00:32:56,390 --> 00:32:58,639 information, but I wanted 790 00:32:58,640 --> 00:33:00,619 to finish up more of the tile 791 00:33:00,620 --> 00:33:02,899 information before I 792 00:33:02,900 --> 00:33:03,979 started with that.
793 00:33:03,980 --> 00:33:06,139 But I have the tools already 794 00:33:06,140 --> 00:33:08,299 waiting and that's that 795 00:33:08,300 --> 00:33:10,699 would be one of the next parts of a taxi. 796 00:33:10,700 --> 00:33:12,859 So sometime in the future, 797 00:33:12,860 --> 00:33:14,569 we can expect to 798 00:33:14,570 --> 00:33:16,160 actually use 799 00:33:17,270 --> 00:33:19,099 it with timing analysis. 800 00:33:19,100 --> 00:33:21,529 And I would hope to 801 00:33:21,530 --> 00:33:23,689 because I don't have 802 00:33:23,690 --> 00:33:25,799 a real motivation behind the 803 00:33:25,800 --> 00:33:28,159 device other than for fun 804 00:33:28,160 --> 00:33:30,439 if I could create something great 805 00:33:30,440 --> 00:33:32,959 out of it that interests the community. 806 00:33:32,960 --> 00:33:34,849 Oh, I would love to do that. 807 00:33:34,850 --> 00:33:35,850 But until now, 808 00:33:38,510 --> 00:33:39,859 I wasn't in contact with anyone 809 00:33:42,320 --> 00:33:44,539 And Microphone two, please 810 00:33:44,540 --> 00:33:46,819 so that you look at some other 811 00:33:46,820 --> 00:33:49,609 features like the UltraScale+. 812 00:33:49,610 --> 00:33:51,799 Or maybe, yes, I did. 813 00:33:51,800 --> 00:33:52,789 I started. 814 00:33:52,790 --> 00:33:54,919 I started looking at the UltraScale, 815 00:33:54,920 --> 00:33:56,869 but before that I wanted to finish up the 816 00:33:56,870 --> 00:33:59,179 seven series and I don't have 817 00:33:59,180 --> 00:34:01,039 a working UltraScale and I just want 818 00:34:01,040 --> 00:34:02,509 to hold it in my hands when I reverse 819 00:34:02,510 --> 00:34:03,679 engineer it. 820 00:34:03,680 --> 00:34:06,199 I think you can understand it. 821 00:34:06,200 --> 00:34:07,999 And the other part of the question that 822 00:34:08,000 --> 00:34:09,799 you look at other vendors may be micro 823 00:34:09,800 --> 00:34:11,689 small Terra Micro Semi.
824 00:34:11,690 --> 00:34:13,759 I've first considered before I 825 00:34:13,760 --> 00:34:15,799 decided to reverse engineer the iCE40. 826 00:34:15,800 --> 00:34:16,800 But I think that crap. 827 00:34:17,690 --> 00:34:20,059 And yes, I really want to reverse 828 00:34:20,060 --> 00:34:22,579 engineer the Altera Intel FPGAs 829 00:34:22,580 --> 00:34:24,799 next, because then I 830 00:34:24,800 --> 00:34:26,269 kind of regurgitated all the big three 831 00:34:26,270 --> 00:34:28,309 vendors super things. 832 00:34:29,750 --> 00:34:31,939 Thank you. And no one. 833 00:34:31,940 --> 00:34:34,129 Yeah, I have a question concerning 834 00:34:34,130 --> 00:34:35,809 the place and route you do. 835 00:34:35,810 --> 00:34:38,089 And what is the basic approach 836 00:34:38,090 --> 00:34:40,069 you take to reduce 837 00:34:41,090 --> 00:34:43,309 combinations of block placing 838 00:34:43,310 --> 00:34:44,928 right now? It's just the proof of 839 00:34:44,929 --> 00:34:47,119 concept. There is no reducing 840 00:34:47,120 --> 00:34:48,408 anything later. 841 00:34:48,409 --> 00:34:50,448 Of course, we'll use simulated annealing 842 00:34:50,449 --> 00:34:52,549 and I really want to 843 00:34:52,550 --> 00:34:54,259 get into a what way to call it the 844 00:34:54,260 --> 00:34:56,388 reduced ordered 845 00:34:56,389 --> 00:34:58,559 binary decision diagrams. 846 00:34:58,560 --> 00:34:59,560 OK, thank you. 847 00:35:01,310 --> 00:35:02,449 Number two, please. 848 00:35:03,470 --> 00:35:05,029 Thank you for the questions. 849 00:35:05,030 --> 00:35:07,399 You're saving me, I'm high.
850 00:35:07,400 --> 00:35:09,499 Do we have and tried out 851 00:35:09,500 --> 00:35:11,809 to get the bridges between the FPGA 852 00:35:11,810 --> 00:35:14,029 and the hard car 853 00:35:14,030 --> 00:35:16,339 parts working, for example, memory 854 00:35:16,340 --> 00:35:18,829 or access from the FPGA 855 00:35:18,830 --> 00:35:20,899 to the hardware peripherals in 856 00:35:20,900 --> 00:35:22,609 the air? 857 00:35:22,610 --> 00:35:24,889 I started working on that, but it's 858 00:35:26,000 --> 00:35:28,399 just really interesting. Another tale 859 00:35:28,400 --> 00:35:30,829 I can show you more to the later issue 860 00:35:30,830 --> 00:35:31,830 of time. 861 00:35:32,720 --> 00:35:35,209 Thank you. Number three, 862 00:35:35,210 --> 00:35:37,399 how does the FPGA apply the 863 00:35:37,400 --> 00:35:38,400 bitstream? 864 00:35:41,010 --> 00:35:42,479 In what sense? 865 00:35:42,480 --> 00:35:44,599 Well, you put it in 866 00:35:44,600 --> 00:35:46,139 the Earth or something. 867 00:35:46,140 --> 00:35:46,649 How does it 868 00:35:46,650 --> 00:35:47,650 work? 869 00:35:48,030 --> 00:35:50,249 There are several several ways with 870 00:35:50,250 --> 00:35:52,319 this one because it has an ARM 871 00:35:52,320 --> 00:35:53,259 Cortex processor. 872 00:35:53,260 --> 00:35:55,259 So there's a small bootloader. 873 00:35:55,260 --> 00:35:57,749 You can put the whole 874 00:35:57,750 --> 00:35:59,939 thing on an SD card 875 00:35:59,940 --> 00:36:02,429 and it loads it automatically through 876 00:36:02,430 --> 00:36:03,809 the Cortex-A9. 877 00:36:03,810 --> 00:36:05,639 Of course, you could use JTAG or you 878 00:36:05,640 --> 00:36:07,739 can connect an external SPI 879 00:36:07,740 --> 00:36:09,239 device. 880 00:36:09,240 --> 00:36:10,260 There are many possibilities. 881 00:36:11,500 --> 00:36:12,500 Right? Thanks. 882 00:36:13,290 --> 00:36:16,379 And we have a question of microphone for. 883 00:36:16,380 --> 00:36:19,049 Hi, thank you for your talk.
884 00:36:19,050 --> 00:36:21,249 A little request. 885 00:36:21,250 --> 00:36:23,369 Could you present the whole presentation 886 00:36:23,370 --> 00:36:24,989 in the self-organized session later? 887 00:36:24,990 --> 00:36:26,009 Maybe. 888 00:36:26,010 --> 00:36:28,229 I would love to cool things. 889 00:36:30,210 --> 00:36:32,339 And number one again. 890 00:36:32,340 --> 00:36:34,319 Yes, I had a question during your 891 00:36:34,320 --> 00:36:36,899 studies. Did you discover 892 00:36:36,900 --> 00:36:39,209 new stuff about FPGA 893 00:36:39,210 --> 00:36:41,579 backdoors made by NSA 894 00:36:41,580 --> 00:36:43,079 and friends? 895 00:36:43,080 --> 00:36:45,149 No, but I found ways to 896 00:36:45,150 --> 00:36:46,150 detect them 897 00:36:46,890 --> 00:36:47,399 that 898 00:36:47,400 --> 00:36:49,199 I found ways to detect. 899 00:36:49,200 --> 00:36:50,309 Detect them. 900 00:36:50,310 --> 00:36:51,839 OK. I'd love to talk 901 00:36:53,250 --> 00:36:55,619 about you. Phone to you about that. 902 00:36:55,620 --> 00:36:57,839 Sure. And I wanted to say 903 00:36:57,840 --> 00:36:59,260 something else about 904 00:37:00,420 --> 00:37:02,669 these families is visiting family you've 905 00:37:02,670 --> 00:37:04,619 been working with, which integrates an 906 00:37:04,620 --> 00:37:06,539 FPGA and a CPU. 907 00:37:06,540 --> 00:37:09,809 I think that in terms of cybersecurity, 908 00:37:09,810 --> 00:37:11,879 it is absolutely not a good idea to 909 00:37:11,880 --> 00:37:13,949 mix in the same chip and 910 00:37:13,950 --> 00:37:15,389 FPGA and the CPU 911 00:37:16,440 --> 00:37:18,899 because an attacker like NSA 912 00:37:18,900 --> 00:37:21,389 can easily upload some 913 00:37:21,390 --> 00:37:22,619 a few bytes of cards. 914 00:37:22,620 --> 00:37:23,579 No, he cannot. 
915 00:37:23,580 --> 00:37:25,529 And I will tell you later about that 916 00:37:25,530 --> 00:37:26,309 because 917 00:37:26,310 --> 00:37:27,509 I 918 00:37:27,510 --> 00:37:30,359 have a I'm working on a proof of concept 919 00:37:30,360 --> 00:37:33,209 for a and template device. 920 00:37:33,210 --> 00:37:35,789 OK. I'd be delighted to 921 00:37:35,790 --> 00:37:37,339 talk about that with you better. 922 00:37:37,340 --> 00:37:38,340 Thank you. 923 00:37:38,760 --> 00:37:40,800 We have a question in the IRC chat. 924 00:37:42,420 --> 00:37:44,519 What is lacking to get a free and open 925 00:37:44,520 --> 00:37:46,289 source FPGA toolchain? 926 00:37:46,290 --> 00:37:48,569 Like with, we have IceStorm for the iCE40 927 00:37:48,570 --> 00:37:49,559 series. 928 00:37:49,560 --> 00:37:50,589 What do you mean? 929 00:37:50,590 --> 00:37:51,719 Are the players involved to? 930 00:37:54,030 --> 00:37:56,359 With the iCE40, I gave Clifford 931 00:37:56,360 --> 00:37:58,799 my findings and 932 00:37:58,800 --> 00:38:00,919 he together with some other guys, 933 00:38:00,920 --> 00:38:03,199 they created the place and route tool 934 00:38:03,200 --> 00:38:04,999 and I just provided them with the 935 00:38:05,000 --> 00:38:06,949 information about, Yeah, we've 936 00:38:06,950 --> 00:38:08,750 documentation basically. 937 00:38:10,580 --> 00:38:12,139 Hope that answers that question 938 00:38:12,140 --> 00:38:13,489 Microphone two, please. 939 00:38:14,690 --> 00:38:15,799 Yes, thanks. 940 00:38:15,800 --> 00:38:17,989 You said that you don't do 941 00:38:17,990 --> 00:38:19,639 Verilog and VHDL. 942 00:38:19,640 --> 00:38:21,979 So what do you use as 943 00:38:21,980 --> 00:38:24,049 input for your design tools? 944 00:38:24,050 --> 00:38:25,969 The example project of the vendors.
945 00:38:27,320 --> 00:38:29,719 Then I dragged around the gates 946 00:38:29,720 --> 00:38:31,100 to get some different 947 00:38:32,120 --> 00:38:34,279 placing and routing, and with 948 00:38:34,280 --> 00:38:35,809 Xilinx, you have the block 949 00:38:35,810 --> 00:38:36,709 design editor. 950 00:38:36,710 --> 00:38:38,750 I also had that in made a presentation. 951 00:38:40,680 --> 00:38:41,680 OK, thanks 952 00:38:42,590 --> 00:38:44,749 number one again, please. 953 00:38:44,750 --> 00:38:45,689 Hello. 954 00:38:45,690 --> 00:38:47,929 And between exiling it forces 955 00:38:47,930 --> 00:38:50,089 you to use the Z4 bus 956 00:38:50,090 --> 00:38:52,699 between the programable logic 957 00:38:52,700 --> 00:38:55,489 and the ARM cores. 958 00:38:55,490 --> 00:38:58,429 Did you figure out if there's another way 959 00:38:58,430 --> 00:39:00,109 to connect these parts? 960 00:39:00,110 --> 00:39:01,110 What do you mean? 961 00:39:02,660 --> 00:39:05,299 They don't force me to use the 962 00:39:05,300 --> 00:39:07,009 bus death, although you are. 963 00:39:07,010 --> 00:39:09,409 Do you also have like 64 964 00:39:09,410 --> 00:39:10,969 year olds? 965 00:39:10,970 --> 00:39:12,649 Oh yes, to get outside the device. 966 00:39:12,650 --> 00:39:13,979 I mean, I don't know between the hours 967 00:39:13,980 --> 00:39:16,599 between that and the fabric. 968 00:39:16,600 --> 00:39:18,199 OK, good. 969 00:39:18,200 --> 00:39:18,649 Thank you. 970 00:39:18,650 --> 00:39:20,059 If you want to, we can show you more 971 00:39:20,060 --> 00:39:22,999 details to the later, OK? 972 00:39:23,000 --> 00:39:25,099 I think there will be a session later. 973 00:39:27,560 --> 00:39:29,389 Microphone two, please. 974 00:39:29,390 --> 00:39:31,699 Could you explain your way of reverse 975 00:39:31,700 --> 00:39:33,169 engineering the FPGA?
976 00:39:33,170 --> 00:39:35,539 Did you create a bitstream and observe 977 00:39:35,540 --> 00:39:37,429 its behavior, or did you just create a 978 00:39:37,430 --> 00:39:39,679 bitstream and not run it? 979 00:39:39,680 --> 00:39:41,539 I never ran the bitstream I created. 980 00:39:43,040 --> 00:39:45,709 I only once 981 00:39:45,710 --> 00:39:47,539 tried a small bitstream I created by 982 00:39:47,540 --> 00:39:49,999 myself, and that was 983 00:39:50,000 --> 00:39:51,000 it. 984 00:39:52,040 --> 00:39:53,989 So what are you to do if you did not run 985 00:39:53,990 --> 00:39:55,399 the bitstream? 986 00:39:55,400 --> 00:39:57,139 I just got the knowledge out of it. 987 00:39:57,140 --> 00:39:59,299 I tried to recreate 988 00:39:59,300 --> 00:40:01,489 the same netlist information that I got 989 00:40:01,490 --> 00:40:03,589 out of the tool chain only by looking at 990 00:40:03,590 --> 00:40:04,590 the bitstream. 991 00:40:06,750 --> 00:40:08,879 Thank you. And Microphone two 992 00:40:08,880 --> 00:40:09,880 again. 993 00:40:10,920 --> 00:40:12,839 Can you talk about reverse engineering 994 00:40:12,840 --> 00:40:14,939 the non logic tiles 995 00:40:14,940 --> 00:40:17,819 like the PLL tiles, I/O tiles? 996 00:40:17,820 --> 00:40:19,829 Is that somehow different from reverse 997 00:40:19,830 --> 00:40:21,509 engineering the logic tiles? 998 00:40:21,510 --> 00:40:23,189 Sadly, yes. 999 00:40:23,190 --> 00:40:25,349 You get the way 1000 00:40:25,350 --> 00:40:27,719 you get her. The information is 1001 00:40:29,100 --> 00:40:31,859 almost to no extent automated. 1002 00:40:31,860 --> 00:40:33,959 You have to look at or I have 1003 00:40:33,960 --> 00:40:35,879 to look at the schematic information. 1004 00:40:35,880 --> 00:40:38,309 Look what in turn, switches 1005 00:40:38,310 --> 00:40:39,209 are used. 1006 00:40:39,210 --> 00:40:40,169 Where do you go?
1007 00:40:40,170 --> 00:40:42,269 Then I have to create another image where 1008 00:40:42,270 --> 00:40:44,339 the switch is not used and I can 1009 00:40:44,340 --> 00:40:45,779 take the difference between the tile and 1010 00:40:45,780 --> 00:40:47,169 then. OK? 1011 00:40:47,170 --> 00:40:49,349 One detail Do the vendors 1012 00:40:49,350 --> 00:40:50,999 provide some sort of schematics of the 1013 00:40:51,000 --> 00:40:52,379 below blocks or is that? 1014 00:40:52,380 --> 00:40:53,129 Yes, we 1015 00:40:53,130 --> 00:40:54,089 provide information 1016 00:40:54,090 --> 00:40:56,579 with Xilinx, you know almost 1017 00:40:56,580 --> 00:40:58,020 everything about the device. 1018 00:40:59,490 --> 00:41:00,490 Cool. Thanks. 1019 00:41:01,200 --> 00:41:04,469 And another question in the IRC chat 1020 00:41:04,470 --> 00:41:06,359 when and where will a later session take 1021 00:41:06,360 --> 00:41:07,360 place? 1022 00:41:08,310 --> 00:41:10,319 When and where do you want it to take 1023 00:41:10,320 --> 00:41:11,730 place? I. 1024 00:41:12,740 --> 00:41:14,689 I'm not that good with talks, as you've 1025 00:41:14,690 --> 00:41:16,879 noticed, I'm more conversation, 1026 00:41:16,880 --> 00:41:17,880 guy, 1027 00:41:18,530 --> 00:41:20,599 so maybe you just come 1028 00:41:20,600 --> 00:41:23,359 to the front after just talk and 1029 00:41:23,360 --> 00:41:25,159 you can figure out a place together, 1030 00:41:25,160 --> 00:41:27,319 maybe at a bar or if there is 1031 00:41:27,320 --> 00:41:28,879 some free space. 1032 00:41:28,880 --> 00:41:31,129 It's it's a big space actually to. 1033 00:41:33,840 --> 00:41:35,250 Are there any more questions? 1034 00:41:37,400 --> 00:41:39,459 Doesn't seem like that, so give 1035 00:41:39,460 --> 00:41:41,410 a warm applause to a lesser. 1036 00:42:04,230 --> 00:42:05,230 The.