0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/83 Thanks! 1 00:00:09,940 --> 00:00:11,609 Welcome to the talk. 2 00:00:11,610 --> 00:00:13,269 Hardware Attacks, Advanced ARM 3 00:00:13,270 --> 00:00:15,579 Exploitation and Android Hacking, 4 00:00:15,580 --> 00:00:18,189 delivered today by the author, 5 00:00:18,190 --> 00:00:20,289 by one of the coauthors of the book 6 00:00:20,290 --> 00:00:22,539 Android Hacker's Handbook, 7 00:00:22,540 --> 00:00:24,909 and author, a regular speaker 8 00:00:24,910 --> 00:00:27,039 and trainer at DEFCON and Black Hat. 9 00:00:27,040 --> 00:00:29,319 Give a warm hand of applause to Mr. 10 00:00:29,320 --> 00:00:30,320 Stephen Ridley. 11 00:00:39,370 --> 00:00:40,450 What's up, guys? 12 00:00:42,700 --> 00:00:43,700 How you doing? 13 00:00:44,730 --> 00:00:45,909 Right? 14 00:00:45,910 --> 00:00:48,489 Can you hear me OK? Can everyone hear me? 15 00:00:48,490 --> 00:00:50,589 This is very impersonal for such 16 00:00:50,590 --> 00:00:52,179 a personal community. 17 00:00:52,180 --> 00:00:54,849 It's awfully distant. 18 00:00:54,850 --> 00:00:57,009 So I'm going to try to make this as 19 00:00:57,010 --> 00:00:58,149 personable as possible. 20 00:00:58,150 --> 00:00:59,150 So 21 00:01:00,850 --> 00:01:02,319 it's kind of thrown together. 22 00:01:02,320 --> 00:01:03,320 Just kidding.
23 00:01:04,660 --> 00:01:06,549 Well, what I'll do here is I'll try to 24 00:01:06,550 --> 00:01:07,839 basically, there's been a lot of stuff 25 00:01:07,840 --> 00:01:09,459 going on, so I'm going to give you a lot 26 00:01:09,460 --> 00:01:12,309 of material in a short amount of time 27 00:01:12,310 --> 00:01:14,169 and kind of just tell you what we've been 28 00:01:14,170 --> 00:01:16,179 working on and some of the research we've 29 00:01:16,180 --> 00:01:18,549 been presenting about 30 00:01:18,550 --> 00:01:20,649 recently and specifically some of the 31 00:01:20,650 --> 00:01:21,670 trainings we've been doing. 32 00:01:22,780 --> 00:01:25,419 So the talk, as he said, is 33 00:01:25,420 --> 00:01:27,989 hardware attacks, ARM exploitation, 34 00:01:27,990 --> 00:01:29,409 Android. 35 00:01:29,410 --> 00:01:31,179 And then I'll talk about a few other 36 00:01:31,180 --> 00:01:33,189 little side projects speckled in here. 37 00:01:33,190 --> 00:01:35,949 And there are a lot of photos 38 00:01:35,950 --> 00:01:37,869 because with hardware stuff, it's 39 00:01:37,870 --> 00:01:39,249 tangible. 40 00:01:39,250 --> 00:01:41,439 And I can't, like, show you a PCB up here 41 00:01:41,440 --> 00:01:42,899 on the podium, so I'm going to show you 42 00:01:42,900 --> 00:01:43,959 on slides and stuff. 43 00:01:46,510 --> 00:01:47,510 But first, I'd like to 44 00:01:48,970 --> 00:01:51,369 like to note that I don't see a single... 45 00:01:51,370 --> 00:01:52,599 is there? Are there any black people in 46 00:01:52,600 --> 00:01:54,249 here? Are there any black people, 47 00:01:57,460 --> 00:01:59,229 other than on the stage right now? 48 00:01:59,230 --> 00:02:00,519 Can you please raise your hand? 49 00:02:02,620 --> 00:02:05,169 Nobody raised their hand. 50 00:02:05,170 --> 00:02:06,549 Wow.
51 00:02:06,550 --> 00:02:08,168 So maybe we need to start another 52 00:02:08,169 --> 00:02:10,149 community initiative, like to reach out 53 00:02:10,150 --> 00:02:13,389 to, you know, minorities 54 00:02:13,390 --> 00:02:14,620 and yeah. 55 00:02:21,410 --> 00:02:23,299 I appreciate your pandering applause. 56 00:02:23,300 --> 00:02:24,319 It was quite nice of you. 57 00:02:25,760 --> 00:02:27,679 All right, so let's get down to business. 58 00:02:27,680 --> 00:02:30,019 I'm Stephen Ridley; @Stephen 59 00:02:30,020 --> 00:02:31,020 is me. 60 00:02:32,780 --> 00:02:35,299 So normally what I would do in smaller 61 00:02:35,300 --> 00:02:37,279 circumstances, we run a blog called Don't 62 00:02:37,280 --> 00:02:38,989 Stuff Beans Up Your Nose, 63 00:02:38,990 --> 00:02:40,939 me and a former colleague, Stephen 64 00:02:40,940 --> 00:02:43,609 Lawler, and we would throw these condoms 65 00:02:43,610 --> 00:02:45,559 into the audience. 66 00:02:45,560 --> 00:02:47,659 And this place is too big to throw 67 00:02:47,660 --> 00:02:49,519 a bunch of condoms into the audience. 68 00:02:49,520 --> 00:02:50,929 But on the condoms, you can see this: they 69 00:02:50,930 --> 00:02:52,969 prevent more white hats, where this black 70 00:02:52,970 --> 00:02:54,829 hat in the condom is, of course, a black 71 00:02:54,830 --> 00:02:55,830 hat. 72 00:02:56,660 --> 00:02:58,159 If you want a couple of them, come see 73 00:02:58,160 --> 00:02:59,239 me. 74 00:02:59,240 --> 00:03:01,069 Describe me: I'm the black guy at this 75 00:03:01,070 --> 00:03:02,070 conference. 76 00:03:03,600 --> 00:03:04,600 You'll be able to find me. 77 00:03:10,400 --> 00:03:10,999 All right. 78 00:03:11,000 --> 00:03:13,309 So, all race issues 79 00:03:13,310 --> 00:03:15,049 aside, let's have a little fun with 80 00:03:15,050 --> 00:03:16,279 hardware and stuff. 81 00:03:16,280 --> 00:03:18,169 So first, a bit about me.
82 00:03:18,170 --> 00:03:19,909 I run a blog with Stephen Lawler, as I 83 00:03:19,910 --> 00:03:21,869 mentioned, dontstuffbeansupyournose 84 00:03:21,870 --> 00:03:23,059 dot com. If you want to know the story 85 00:03:23,060 --> 00:03:25,099 behind that, I won't bore you. 86 00:03:25,100 --> 00:03:26,149 But it's a pretty neat story. 87 00:03:26,150 --> 00:03:27,150 We used to work together. 88 00:03:28,880 --> 00:03:29,849 There's a little bit about me. 89 00:03:29,850 --> 00:03:32,089 This screen is huge. 90 00:03:32,090 --> 00:03:33,829 It's huge, it's ridiculous. 91 00:03:33,830 --> 00:03:35,179 And everything on a screen this big. 92 00:03:35,180 --> 00:03:36,180 That's funny. 93 00:03:36,710 --> 00:03:38,839 What's that? It's right in front of me. 94 00:03:38,840 --> 00:03:40,009 Holy crap. Right there. 95 00:03:40,010 --> 00:03:41,270 Look at that on my laptop. 96 00:03:46,300 --> 00:03:47,300 You've got a lot 97 00:03:48,950 --> 00:03:50,449 right there, too. There's a TV there, and 98 00:03:50,450 --> 00:03:51,529 there's one there, too. 99 00:03:51,530 --> 00:03:52,939 Thank you. Whoever you are, you are a 100 00:03:52,940 --> 00:03:53,940 genius. 101 00:03:56,420 --> 00:03:57,420 All right. So 102 00:03:58,730 --> 00:04:00,439 who we are? 103 00:04:00,440 --> 00:04:02,329 I'm not crazy. I'm actually representing 104 00:04:02,330 --> 00:04:04,609 my buddy, Stephen Lawler, who is right 105 00:04:04,610 --> 00:04:06,019 there. That's us drinking. 106 00:04:06,020 --> 00:04:08,149 And yes, that's a gift. 107 00:04:08,150 --> 00:04:10,159 That's how Stephen does Tokyo. 108 00:04:10,160 --> 00:04:11,539 That's at the Gundam Cafe. 109 00:04:11,540 --> 00:04:12,919 So nerd points there, I'll have, you 110 00:04:12,920 --> 00:04:14,999 know. Anyway, so here 111 00:04:15,000 --> 00:04:16,909 we are. I run a small information 112 00:04:16,910 --> 00:04:18,648 security consultancy called Xipiter.
113 00:04:19,730 --> 00:04:20,898 Prior to that, I was the chief 114 00:04:20,899 --> 00:04:23,479 information security officer at Simple. 115 00:04:23,480 --> 00:04:24,379 I worked at McAfee. 116 00:04:24,380 --> 00:04:25,789 I founded the Security Architecture Group 117 00:04:25,790 --> 00:04:26,869 there. 118 00:04:26,870 --> 00:04:28,579 I was a founding member of Con. 119 00:04:28,580 --> 00:04:31,099 We ran about... we won a bunch of seats. 120 00:04:31,100 --> 00:04:32,660 Then we started running it at DEFCON. 121 00:04:33,710 --> 00:04:36,739 I've spoken at a bunch of places: DEFCON, 122 00:04:36,740 --> 00:04:38,899 Black Hat, now CCC, which is quite the 123 00:04:38,900 --> 00:04:40,069 honor, on my dad. 124 00:04:42,110 --> 00:04:43,429 And so I guess I should... places. 125 00:04:43,430 --> 00:04:44,569 And so we have a book coming out, the 126 00:04:44,570 --> 00:04:45,589 Android Hacker's Handbook. 127 00:04:45,590 --> 00:04:46,759 It's already available on Amazon. 128 00:04:46,760 --> 00:04:48,799 Preorder. A bunch of people smarter than I 129 00:04:48,800 --> 00:04:49,800 am, Collin Mulliner, 130 00:04:51,230 --> 00:04:53,239 Joshua Drake and stuff like that, were 131 00:04:53,240 --> 00:04:54,739 gracious enough to have me help them out 132 00:04:54,740 --> 00:04:55,849 with the book. 133 00:04:55,850 --> 00:04:57,379 So check that out. It's really going to 134 00:04:57,380 --> 00:04:59,029 be good. And some of the stuff that we'll 135 00:04:59,030 --> 00:05:00,679 talk about in the book, there's a really 136 00:05:00,680 --> 00:05:02,959 cool hardware section, which 137 00:05:02,960 --> 00:05:04,669 I helped out with. 138 00:05:04,670 --> 00:05:06,169 I'll talk about some of those techniques 139 00:05:06,170 --> 00:05:07,170 in this talk. 140 00:05:08,780 --> 00:05:10,219 So Stephen Lawler is a buddy of mine. 141 00:05:10,220 --> 00:05:12,169 We used to work together, just paying 142 00:05:12,170 --> 00:05:13,849 homage to him.
We do the Black Hat 143 00:05:13,850 --> 00:05:15,499 trainings together. 144 00:05:15,500 --> 00:05:16,729 So in this talk, what I'll do is I'll 145 00:05:16,730 --> 00:05:18,829 talk a little bit about how I 146 00:05:18,830 --> 00:05:21,229 discovered hardware hacking. 147 00:05:21,230 --> 00:05:23,539 I'm traditionally a software guy. 148 00:05:23,540 --> 00:05:25,549 I did a talk at REcon in 2011 called 149 00:05:25,550 --> 00:05:28,129 Hardware Hacking for Software People. 150 00:05:28,130 --> 00:05:30,499 And that talk 151 00:05:30,500 --> 00:05:31,849 seemed to really strike a chord with people 152 00:05:31,850 --> 00:05:33,979 in our community who are traditionally 153 00:05:33,980 --> 00:05:35,809 software people and need kind of a 154 00:05:35,810 --> 00:05:37,819 foothold into discovering hardware. 155 00:05:37,820 --> 00:05:39,229 And I know there's a lot of really smart 156 00:05:39,230 --> 00:05:40,729 hardware folks here. 157 00:05:40,730 --> 00:05:42,739 But for those of you who are like me, 158 00:05:42,740 --> 00:05:44,209 it's a really good introduction to some 159 00:05:44,210 --> 00:05:45,709 of these concepts. 160 00:05:45,710 --> 00:05:46,639 Then I'll talk a little bit about 161 00:05:46,640 --> 00:05:48,319 Practical ARM Exploitation, which is the 162 00:05:48,320 --> 00:05:50,239 course we've been teaching. 163 00:05:50,240 --> 00:05:51,290 And then I'll talk about 164 00:05:52,610 --> 00:05:54,169 how we built our development environments 165 00:05:54,170 --> 00:05:55,819 for ARM, which is also a barrier to entry 166 00:05:55,820 --> 00:05:58,039 for people who are trying to do mobile 167 00:05:58,040 --> 00:05:59,929 exploitation and transition their skills 168 00:05:59,930 --> 00:06:01,939 to the mobile environment.
169 00:06:01,940 --> 00:06:02,899 I'll talk a little bit about some 170 00:06:02,900 --> 00:06:03,929 interesting stuff from the course, 171 00:06:03,930 --> 00:06:06,019 specifically ROP on the ARM 172 00:06:06,020 --> 00:06:08,209 platform, some of the neat 173 00:06:08,210 --> 00:06:09,619 stuff like stack flipping we might have 174 00:06:09,620 --> 00:06:10,699 to skip through. 175 00:06:10,700 --> 00:06:12,019 And then there's some really interesting 176 00:06:12,020 --> 00:06:13,999 side projects that I mentioned 177 00:06:14,000 --> 00:06:15,000 earlier. 178 00:06:16,850 --> 00:06:19,129 So this is kind of how did 179 00:06:19,130 --> 00:06:20,569 this all get started? 180 00:06:20,570 --> 00:06:22,069 I was a software guy who specializes in 181 00:06:22,070 --> 00:06:23,419 exploitation and reverse engineering 182 00:06:23,420 --> 00:06:25,099 software, but I was always really 183 00:06:25,100 --> 00:06:26,100 interested in hardware. 184 00:06:27,110 --> 00:06:28,909 I would see cool projects like this. 185 00:06:28,910 --> 00:06:30,889 I would read Hackaday, and I just 186 00:06:30,890 --> 00:06:32,959 really didn't have a way to get into it. 187 00:06:34,520 --> 00:06:36,529 So one of the first things I did was, and 188 00:06:36,530 --> 00:06:37,819 this is a little bit of stuff from the 189 00:06:37,820 --> 00:06:39,919 Hardware Hacking for Software People 190 00:06:39,920 --> 00:06:41,089 talk.
191 00:06:41,090 --> 00:06:42,949 I was really interested, or really 192 00:06:42,950 --> 00:06:45,559 fascinated, to learn that a lot of PCBs 193 00:06:45,560 --> 00:06:47,839 and a lot of chips speak standard serial 194 00:06:47,840 --> 00:06:49,999 protocols like I2C, SPI, 195 00:06:50,000 --> 00:06:51,229 and that's kind of like how I got 196 00:06:51,230 --> 00:06:53,539 introduced to it, because I'd used RS-232 197 00:06:53,540 --> 00:06:55,729 and stuff like that, you know, 198 00:06:55,730 --> 00:06:57,439 connecting your winmodems and stuff to 199 00:06:57,440 --> 00:06:59,539 your old PC to dial BBSes 200 00:06:59,540 --> 00:07:00,979 and issuing commands. 201 00:07:00,980 --> 00:07:03,049 So that was accessible to me, but I was 202 00:07:03,050 --> 00:07:04,669 really surprised to find out how many 203 00:07:04,670 --> 00:07:06,469 embedded systems made use of a lot of 204 00:07:06,470 --> 00:07:08,119 these serial protocols. 205 00:07:08,120 --> 00:07:09,120 So, 206 00:07:10,460 --> 00:07:12,079 so once I learned that, I started finding 207 00:07:12,080 --> 00:07:14,329 these serial- 208 00:07:14,330 --> 00:07:16,819 enabled ICs 209 00:07:16,820 --> 00:07:18,139 in a lot of consumer hardware. 210 00:07:19,400 --> 00:07:21,049 So I found them in analog-to-digital 211 00:07:21,050 --> 00:07:23,330 converters, bus controllers. 212 00:07:24,390 --> 00:07:25,459 You probably... 213 00:07:25,460 --> 00:07:27,829 I'm sure you've heard about Charlie 214 00:07:27,830 --> 00:07:29,309 Miller and Chris Valasek's 215 00:07:29,310 --> 00:07:30,499 car hacking stuff. 216 00:07:31,520 --> 00:07:33,679 Really, really great body 217 00:07:33,680 --> 00:07:35,209 of research there. Even though it is done 218 00:07:35,210 --> 00:07:36,919 hacking, it was really cool. 219 00:07:36,920 --> 00:07:38,839 They did some really cool work there that 220 00:07:38,840 --> 00:07:39,859 wasn't necessarily serial. 221 00:07:39,860 --> 00:07:41,209 That was CAN.
222 00:07:41,210 --> 00:07:42,799 But again, we're just talking wireline 223 00:07:42,800 --> 00:07:44,929 protocols that you can intercept 224 00:07:44,930 --> 00:07:47,359 and look at the data and really have 225 00:07:47,360 --> 00:07:48,979 interesting results. 226 00:07:48,980 --> 00:07:51,169 So I focused on some of these like I2C 227 00:07:51,170 --> 00:07:53,569 and SPI, and I started finding 228 00:07:53,570 --> 00:07:55,459 this stuff in routers. 229 00:07:57,530 --> 00:07:59,629 One interesting bit, some of you 230 00:07:59,630 --> 00:08:02,479 may already know, but VGA and HDMI cables 231 00:08:02,480 --> 00:08:04,819 have I2C pins, so there are actual 232 00:08:04,820 --> 00:08:06,949 serial pins inside of your VGA 233 00:08:06,950 --> 00:08:08,539 cable. So when you plug your monitor into 234 00:08:08,540 --> 00:08:10,429 your computer, there's a communication 235 00:08:10,430 --> 00:08:12,679 that happens over two designated pins 236 00:08:12,680 --> 00:08:14,239 and that's all I2C. 237 00:08:14,240 --> 00:08:15,799 And that's stuff like, I was like, Whoa, 238 00:08:15,800 --> 00:08:17,119 now this is stuff I can handle. 239 00:08:17,120 --> 00:08:19,369 You know, like this is serial 240 00:08:19,370 --> 00:08:20,329 data. 241 00:08:20,330 --> 00:08:22,489 And I found some debugging tools 242 00:08:22,490 --> 00:08:23,719 and stuff like that. There's serial 243 00:08:23,720 --> 00:08:25,939 data that we can use to do 244 00:08:25,940 --> 00:08:27,829 kind of high-level reverse engineering or... 245 00:08:31,370 --> 00:08:32,370 wow. 246 00:08:34,330 --> 00:08:35,709 Who shook this up? What are you? 247 00:08:35,710 --> 00:08:36,759 Why don't you strip us up? 248 00:08:38,750 --> 00:08:39,649 Nice. 249 00:08:39,650 --> 00:08:40,908 That's right. 250 00:08:40,909 --> 00:08:42,440 Here we go. Cue Flight of the Bumblebee. 251 00:08:45,320 --> 00:08:46,320 All right.
252 00:08:47,840 --> 00:08:49,009 This was going to explode, too. 253 00:08:50,930 --> 00:08:51,930 Look at it. 254 00:08:55,400 --> 00:08:56,400 Uh-huh. 255 00:08:57,950 --> 00:08:59,049 It's because I'm black, and then... 256 00:09:01,250 --> 00:09:02,419 All right. 257 00:09:02,420 --> 00:09:04,070 I'll see how you all do in Germany. 258 00:09:07,950 --> 00:09:09,569 All right, that's all right, thank you. 259 00:09:09,570 --> 00:09:11,809 It's good, it's only a MacBook Pro, sir. 260 00:09:15,510 --> 00:09:16,510 All right. 261 00:09:20,010 --> 00:09:22,049 If I don't slip and fall, 262 00:09:23,640 --> 00:09:24,640 it'll be good. 263 00:09:25,590 --> 00:09:27,209 Thank you, sir. 264 00:09:27,210 --> 00:09:28,210 All right. 265 00:09:29,670 --> 00:09:32,579 Big hand for that guy. 266 00:09:32,580 --> 00:09:34,379 Thank you for also shaking up the bottle 267 00:09:34,380 --> 00:09:35,380 in the first place. 268 00:09:36,810 --> 00:09:38,009 All right. So I found these 269 00:09:38,010 --> 00:09:40,499 interesting serial protocols down 270 00:09:40,500 --> 00:09:42,359 on these PCBs, and I started finding them 271 00:09:42,360 --> 00:09:44,069 in routers and stuff. 272 00:09:44,070 --> 00:09:45,359 And again, this is from Hardware Hacking 273 00:09:45,360 --> 00:09:47,039 for Software People, which is a talk you 274 00:09:47,040 --> 00:09:49,169 can still get the video of online. 275 00:09:49,170 --> 00:09:51,329 But the first thing I did was 276 00:09:51,330 --> 00:09:53,249 bust open my cable modem at home, and on 277 00:09:53,250 --> 00:09:54,839 my cable modem I set up this kind of 278 00:09:54,840 --> 00:09:56,579 little crappy rig, which I'll explain in 279 00:09:56,580 --> 00:09:57,580 a second. 280 00:09:58,140 --> 00:10:00,119 This is a Broadcom chipset, and on this 281 00:10:00,120 --> 00:10:02,279 little Broadcom 282 00:10:02,280 --> 00:10:04,799 I found four exposed cables, 283 00:10:04,800 --> 00:10:06,659 like four exposed pins.
284 00:10:06,660 --> 00:10:08,969 So I used a bunch of techniques, which I 285 00:10:08,970 --> 00:10:11,009 go into detail on in the other talk, an 286 00:10:11,010 --> 00:10:13,049 oscilloscope to identify the pins and 287 00:10:13,050 --> 00:10:14,459 some basic pin reverse engineering 288 00:10:14,460 --> 00:10:16,439 techniques, which is basically just 289 00:10:16,440 --> 00:10:18,779 combinatorics and trial and error, 290 00:10:18,780 --> 00:10:20,429 and basically figured out that there was 291 00:10:20,430 --> 00:10:22,619 a UART on those pins, or 292 00:10:22,620 --> 00:10:24,569 a serial console. 293 00:10:24,570 --> 00:10:25,570 And from that, 294 00:10:27,090 --> 00:10:28,089 I could watch the thing boot. 295 00:10:28,090 --> 00:10:29,699 So it's an eCos real-time operating 296 00:10:29,700 --> 00:10:31,109 system. 297 00:10:31,110 --> 00:10:33,029 And then so once we got a 298 00:10:33,030 --> 00:10:35,129 little log of it booting, we 299 00:10:35,130 --> 00:10:37,289 did a little fuzzing and 300 00:10:37,290 --> 00:10:39,059 then we got a crash. 301 00:10:39,060 --> 00:10:41,309 So there's a built-in HTTP 302 00:10:41,310 --> 00:10:43,439 server running embedded on the Broadcom 303 00:10:43,440 --> 00:10:45,509 for doing landing pages and 304 00:10:45,510 --> 00:10:46,829 things like that, or like internal 305 00:10:46,830 --> 00:10:48,659 redirections that the service provider 306 00:10:48,660 --> 00:10:50,189 would do on your modem. 307 00:10:50,190 --> 00:10:51,569 Like configure it this way, blah blah 308 00:10:51,570 --> 00:10:52,649 blah. So it was running this really 309 00:10:52,650 --> 00:10:55,349 crappy modem, and we made a GET request 310 00:10:55,350 --> 00:10:57,629 with a really ridiculously long request 311 00:10:57,630 --> 00:10:59,729 string and it crashed.
312 00:10:59,730 --> 00:11:01,859 And so this isn't ARM per se, 313 00:11:01,860 --> 00:11:04,019 it's MIPS, but this was my 314 00:11:04,020 --> 00:11:06,239 first foray into hardware hacking, 315 00:11:06,240 --> 00:11:08,309 or software hacking enabled by 316 00:11:08,310 --> 00:11:09,509 hardware techniques. 317 00:11:09,510 --> 00:11:11,039 And so now this is familiar 318 00:11:11,040 --> 00:11:13,109 territory, right? I have a debug console, 319 00:11:13,110 --> 00:11:14,729 presumably a debug console. 320 00:11:14,730 --> 00:11:16,079 I got a crash. 321 00:11:16,080 --> 00:11:17,729 Now what do I do next? 322 00:11:17,730 --> 00:11:19,919 So this is kind of the impetus for 323 00:11:19,920 --> 00:11:21,629 all of this, the last few years of 324 00:11:21,630 --> 00:11:22,630 research. 325 00:11:23,730 --> 00:11:25,829 So what we did was, now that we 326 00:11:25,830 --> 00:11:27,959 know that this is possible, we can do 327 00:11:27,960 --> 00:11:30,689 things like fuzz hardware devices. 328 00:11:30,690 --> 00:11:32,369 We can find crashes. 329 00:11:32,370 --> 00:11:33,869 Now we need to start really learning 330 00:11:33,870 --> 00:11:36,269 about how embedded systems work. 331 00:11:36,270 --> 00:11:38,369 So we looked around 332 00:11:38,370 --> 00:11:39,659 a little bit. We didn't focus on MIPS. 333 00:11:39,660 --> 00:11:40,660 We chose ARM. 334 00:11:41,490 --> 00:11:43,559 And so we wanted to first set up 335 00:11:43,560 --> 00:11:45,089 our lab environment. So we messed around a 336 00:11:45,090 --> 00:11:47,369 little bit and we set up 337 00:11:47,370 --> 00:11:50,939 a QEMU ARM environment, 338 00:11:50,940 --> 00:11:53,340 and QEMU is great to get started. 339 00:11:54,390 --> 00:11:55,379 It's really good because you can get 340 00:11:55,380 --> 00:11:57,659 comfortable with GDB and some of your 341 00:11:57,660 --> 00:11:59,219 new toolchains and things like 342 00:11:59,220 --> 00:12:01,019 that.
You can start doing some assembly 343 00:12:01,020 --> 00:12:02,849 coding. You can write some basic shell- 344 00:12:02,850 --> 00:12:05,039 code and test harnesses and, 345 00:12:05,040 --> 00:12:06,689 you know, test C programs. 346 00:12:06,690 --> 00:12:08,669 You can suck these binaries into IDA. 347 00:12:08,670 --> 00:12:09,869 You can start getting comfortable with 348 00:12:09,870 --> 00:12:12,539 ARM assembly and stuff like that. 349 00:12:12,540 --> 00:12:14,099 And what we started to do was exactly 350 00:12:14,100 --> 00:12:16,319 that. So we compiled the GNU 351 00:12:16,320 --> 00:12:17,609 EABI toolchain. 352 00:12:17,610 --> 00:12:18,959 We ran it on QEMU. 353 00:12:18,960 --> 00:12:21,179 We started basically 354 00:12:21,180 --> 00:12:22,139 writing our own. 355 00:12:22,140 --> 00:12:23,669 If you guys are old school like me, you 356 00:12:23,670 --> 00:12:25,199 remember Gera's Insecure Programming 357 00:12:25,200 --> 00:12:26,159 examples. 358 00:12:26,160 --> 00:12:28,169 We basically did that for ARM. 359 00:12:28,170 --> 00:12:30,389 So we did stack overflows, we did 360 00:12:30,390 --> 00:12:31,739 some basic stuff where we'd have to do 361 00:12:31,740 --> 00:12:33,179 return-to-libc. We learned it. 362 00:12:33,180 --> 00:12:35,249 We learned a lot about the 363 00:12:35,250 --> 00:12:36,899 protection mechanisms like XN 364 00:12:38,070 --> 00:12:39,070 and all that kind of stuff. 365 00:12:40,200 --> 00:12:42,059 So we did this all in QEMU, all 366 00:12:42,060 --> 00:12:43,469 well and good, and then we wanted to move 367 00:12:43,470 --> 00:12:45,509 to, like, real hardware. 368 00:12:45,510 --> 00:12:46,709 So we looked around for a little while 369 00:12:46,710 --> 00:12:49,859 for developer systems 370 00:12:49,860 --> 00:12:50,819 that would kind of do this. 371 00:12:50,820 --> 00:12:53,399 And at the time, the Raspberry Pi...
372 00:12:53,400 --> 00:12:54,400 Whoops. 373 00:12:56,010 --> 00:12:58,169 I think I'm just going to... Do you 374 00:12:58,170 --> 00:13:00,179 guys want to just, like, grab a beer or 375 00:13:00,180 --> 00:13:01,590 something for the next 45 minutes? 376 00:13:03,660 --> 00:13:05,249 All right, there we go. 377 00:13:05,250 --> 00:13:06,599 So there's a lot of systems out there 378 00:13:06,600 --> 00:13:08,759 now. The Raspberry Pi, the Beagle- 379 00:13:08,760 --> 00:13:10,559 Board. Raspberry Pi, I think, was like a 380 00:13:10,560 --> 00:13:11,909 Kickstarter project or something at the 381 00:13:11,910 --> 00:13:12,929 time; it hadn't released yet. 382 00:13:12,930 --> 00:13:15,239 It was still kind of in its early stages, 383 00:13:15,240 --> 00:13:16,919 so we didn't use that. 384 00:13:16,920 --> 00:13:18,299 There's a few others out there, but 385 00:13:18,300 --> 00:13:20,459 eventually we looked around and 386 00:13:20,460 --> 00:13:22,589 we settled on the Gumstix 387 00:13:22,590 --> 00:13:23,999 platform. And it's used a lot. 388 00:13:24,000 --> 00:13:25,349 And like, you have systems 389 00:13:27,480 --> 00:13:29,639 like temperature control systems, 390 00:13:29,640 --> 00:13:32,309 and it's basically just a small PC 391 00:13:32,310 --> 00:13:33,929 the size of a gum stick, hence the name 392 00:13:33,930 --> 00:13:36,059 Gumstix, and it runs on a 393 00:13:37,140 --> 00:13:38,279 micro SD card. 394 00:13:38,280 --> 00:13:39,779 And there's a bunch of free comp. 395 00:13:39,780 --> 00:13:41,189 Linux distributions and stuff for it. 396 00:13:41,190 --> 00:13:43,319 So we just started off 397 00:13:43,320 --> 00:13:45,209 using one of the suggested ones, using the 398 00:13:45,210 --> 00:13:47,459 Linaro 399 00:13:47,460 --> 00:13:49,049 toolchain, but eventually we kind of 400 00:13:49,050 --> 00:13:51,689 spun up our own and 401 00:13:51,690 --> 00:13:54,089 we got Linux running on these things.
402 00:13:54,090 --> 00:13:55,090 So here's how they look. 403 00:13:56,550 --> 00:13:58,529 The Gumstix board is pretty small, 404 00:13:58,530 --> 00:14:00,870 and it seats 405 00:14:02,610 --> 00:14:04,859 via mezzanine connectors into an 406 00:14:04,860 --> 00:14:06,239 expansion board. You can get different 407 00:14:06,240 --> 00:14:07,619 types of expansion boards for it to get 408 00:14:07,620 --> 00:14:08,969 Ethernet and all that kind of stuff. 409 00:14:08,970 --> 00:14:10,829 But the core board is really small, as 410 00:14:10,830 --> 00:14:12,009 you can see compared to the rest of the 411 00:14:12,010 --> 00:14:13,010 stuff. 412 00:14:13,620 --> 00:14:15,929 So then we bought a bunch of these 413 00:14:15,930 --> 00:14:17,519 and we called this the lackluster hack 414 00:14:17,520 --> 00:14:18,520 cluster. 415 00:14:22,500 --> 00:14:24,839 So now what we've done is we've gone from 416 00:14:24,840 --> 00:14:26,849 a purely software-emulated environment 417 00:14:26,850 --> 00:14:29,159 like QEMU to hardware, and we can 418 00:14:29,160 --> 00:14:31,799 start doing some of these exercises 419 00:14:31,800 --> 00:14:32,800 on hardware. 420 00:14:35,340 --> 00:14:37,469 Right? So what we did is, by 421 00:14:37,470 --> 00:14:38,549 this time we had like a whole bunch of 422 00:14:38,550 --> 00:14:39,959 notes on ARM and all this other stuff. 423 00:14:39,960 --> 00:14:41,579 And so we decided, wait a minute, why 424 00:14:41,580 --> 00:14:42,939 don't we just give this to the community? 425 00:14:42,940 --> 00:14:45,179 Let's figure out how we can just bundle 426 00:14:45,180 --> 00:14:47,279 this stuff up and get people ramped up 427 00:14:47,280 --> 00:14:49,409 on ARM exploitation 428 00:14:49,410 --> 00:14:51,539 and potentially owning mobiles.
429 00:14:51,540 --> 00:14:53,759 So we've kind of built this 430 00:14:53,760 --> 00:14:55,829 into a steady 431 00:14:55,830 --> 00:14:57,329 progression, like Gera's Insecure 432 00:14:57,330 --> 00:14:58,410 Programming examples. 433 00:14:59,910 --> 00:15:01,619 And so we started distributing some of 434 00:15:01,620 --> 00:15:03,359 these exercises to people, kind of handing 435 00:15:03,360 --> 00:15:05,489 them out as crackmes or own- 436 00:15:05,490 --> 00:15:06,779 mes and stuff like that. 437 00:15:06,780 --> 00:15:08,819 And the word got out and then people 438 00:15:08,820 --> 00:15:09,839 started saying, Why don't you just roll 439 00:15:09,840 --> 00:15:11,369 this into a training? Do it at Black Hat? 440 00:15:13,080 --> 00:15:14,699 So I said, Well, we'd probably do that, 441 00:15:14,700 --> 00:15:16,139 but we don't really have a lot of 442 00:15:16,140 --> 00:15:17,760 real-world exploitation experience. 443 00:15:19,020 --> 00:15:21,419 So we started doing a few contracts, 444 00:15:21,420 --> 00:15:22,769 so I did some stuff with some smart 445 00:15:22,770 --> 00:15:23,770 meters. 446 00:15:24,330 --> 00:15:26,279 We did embedded systems like point-of- 447 00:15:26,280 --> 00:15:28,589 sale systems and 448 00:15:28,590 --> 00:15:30,809 specifically mobile devices: 449 00:15:30,810 --> 00:15:33,419 Android, some Windows 7, 450 00:15:33,420 --> 00:15:35,519 and some embedded Linux systems as 451 00:15:35,520 --> 00:15:36,520 well. 452 00:15:37,560 --> 00:15:38,879 So then now with that exploitation 453 00:15:38,880 --> 00:15:40,319 experience, what we did is, all right now, 454 00:15:40,320 --> 00:15:41,519 we have real-world exploitation 455 00:15:41,520 --> 00:15:42,869 experience. Let's roll this into a real 456 00:15:42,870 --> 00:15:44,009 course, and that's what we did. 457 00:15:44,010 --> 00:15:45,269 So we built the Practical ARM 458 00:15:45,270 --> 00:15:46,709 Exploitation course.
459 00:15:46,710 --> 00:15:48,539 It's basically three to five days, 900 460 00:15:48,540 --> 00:15:50,219 slides, blah blah blah blah. 461 00:15:50,220 --> 00:15:51,719 And we teach you everything you need to 462 00:15:51,720 --> 00:15:52,720 know. 463 00:15:53,720 --> 00:15:55,999 So a bunch of people have taken it, 464 00:15:56,000 --> 00:15:57,979 and we did it at CanSecWest, it sold out 465 00:15:57,980 --> 00:15:59,629 in a week; we did it at Black Hat two years 466 00:15:59,630 --> 00:16:01,249 in a row, it sold out in a couple of 467 00:16:01,250 --> 00:16:02,509 weeks. 468 00:16:02,510 --> 00:16:03,709 We've done private trainings. 469 00:16:03,710 --> 00:16:05,509 We did one in Tokyo, we did one in 470 00:16:05,510 --> 00:16:06,409 Switzerland. 471 00:16:06,410 --> 00:16:08,629 We did a workshop at Insomni'hack 472 00:16:08,630 --> 00:16:09,630 last year. 473 00:16:10,640 --> 00:16:12,589 But what does this all teach us? 474 00:16:12,590 --> 00:16:14,449 It teaches us that we're in the post-PC 475 00:16:14,450 --> 00:16:15,829 exploitation environment. 476 00:16:15,830 --> 00:16:18,139 Mobile devices, embedded systems are way 477 00:16:18,140 --> 00:16:20,269 more popular than the computer that you 478 00:16:20,270 --> 00:16:22,459 leave on your desk or on your couch. 479 00:16:22,460 --> 00:16:23,899 Right? It's always with you, in your 480 00:16:23,900 --> 00:16:24,900 pocket. 481 00:16:25,670 --> 00:16:27,079 So we're in the post-PC threat 482 00:16:27,080 --> 00:16:28,309 environment. 483 00:16:28,310 --> 00:16:29,569 So these are just things to think about, 484 00:16:29,570 --> 00:16:31,399 if we're just, as users or consumers of 485 00:16:31,400 --> 00:16:33,379 the technology. This is really... there's an 486 00:16:33,380 --> 00:16:34,369 interest in this stuff. 487 00:16:34,370 --> 00:16:35,839 People want to know how to own mobiles. 488 00:16:37,160 --> 00:16:38,089 It's just something for you to think 489 00:16:38,090 --> 00:16:39,319 about.
490 00:16:39,320 --> 00:16:41,479 So the world is changing, as 491 00:16:41,480 --> 00:16:42,480 I mentioned, 492 00:16:44,000 --> 00:16:45,619 and I'll tell you a few interesting bits 493 00:16:45,620 --> 00:16:48,499 from our ROP course, from our ARM course; 494 00:16:48,500 --> 00:16:50,089 we did quite a bit of research on this 495 00:16:50,090 --> 00:16:51,090 stuff. 496 00:16:51,530 --> 00:16:53,149 And obviously, the big thing that you're 497 00:16:53,150 --> 00:16:54,289 going to want to know how to do for 498 00:16:54,290 --> 00:16:56,119 exploitation is return-oriented 499 00:16:56,120 --> 00:16:57,109 programming. 500 00:16:57,110 --> 00:16:58,969 And for those of you unfamiliar, you need 501 00:16:58,970 --> 00:17:01,189 to do return-oriented programming 502 00:17:01,190 --> 00:17:03,319 to evade modern protection, 503 00:17:03,320 --> 00:17:06,259 or exploitation protection mechanisms 504 00:17:06,260 --> 00:17:08,719 such as XN, or on 505 00:17:08,720 --> 00:17:11,179 operating systems like iOS, code signing. 506 00:17:11,180 --> 00:17:13,098 You can't load binaries or execute 507 00:17:13,099 --> 00:17:14,838 binaries from another system. 508 00:17:14,839 --> 00:17:16,459 You have to use native code that already 509 00:17:16,460 --> 00:17:18,169 exists, so you need to figure out how to 510 00:17:18,170 --> 00:17:20,449 use bits of code 511 00:17:20,450 --> 00:17:21,618 that are already inside of the 512 00:17:21,619 --> 00:17:22,848 executable. 513 00:17:22,849 --> 00:17:24,828 For those of you who are unfamiliar with ROP 514 00:17:24,829 --> 00:17:26,629 and the concept of ROP, inadvisable, we 515 00:17:26,630 --> 00:17:28,969 had a really great analogy that 516 00:17:28,970 --> 00:17:29,929 you came up with. 517 00:17:29,930 --> 00:17:31,159 I was living in New York at the time. 518 00:17:31,160 --> 00:17:32,269 We all used to hang out and we were 519 00:17:32,270 --> 00:17:33,349 having beers.
520 00:17:33,350 --> 00:17:35,779 And one of the girlfriends said, I think 521 00:17:35,780 --> 00:17:36,780 Brandon 522 00:17:38,810 --> 00:17:41,209 Dr. Reid, as he's known, was explaining 523 00:17:41,210 --> 00:17:43,819 ROP to the girls, to the girlfriends. 524 00:17:43,820 --> 00:17:45,619 And one of the girls said, Oh, it's kind 525 00:17:45,620 --> 00:17:47,749 of like those old ransom 526 00:17:47,750 --> 00:17:49,399 letters you remember, like in the old 527 00:17:49,400 --> 00:17:51,439 Murder, She Wrote days, like, you know, the 528 00:17:51,440 --> 00:17:53,209 bad guy didn't want his handwriting to be 529 00:17:53,210 --> 00:17:55,189 recognized, so he would snip small pieces 530 00:17:55,190 --> 00:17:57,379 of newspaper clippings 531 00:17:57,380 --> 00:17:59,239 and magazines together to create a ransom 532 00:17:59,240 --> 00:18:01,549 note. That's essentially what ROP is: 533 00:18:01,550 --> 00:18:03,649 using small bits and pieces of code to 534 00:18:03,650 --> 00:18:05,839 form a larger message or a larger 535 00:18:05,840 --> 00:18:07,639 functional executable that does 536 00:18:07,640 --> 00:18:08,640 something that you want. 537 00:18:10,580 --> 00:18:12,739 So those small snippets of code 538 00:18:12,740 --> 00:18:14,539 are called gadgets. 539 00:18:14,540 --> 00:18:16,519 They're small bits of executable assembly 540 00:18:16,520 --> 00:18:18,829 code that exist somewhere 541 00:18:18,830 --> 00:18:21,379 in the process space of an executable, 542 00:18:21,380 --> 00:18:23,449 in this case on ARM. 543 00:18:23,450 --> 00:18:25,789 And the idea is that if you can do clever 544 00:18:25,790 --> 00:18:27,919 things with these small bits of code, 545 00:18:27,920 --> 00:18:29,269 you can string them together to do 546 00:18:29,270 --> 00:18:31,429 something malicious or something useful 547 00:18:31,430 --> 00:18:32,430 to you as an attacker.
548 00:18:33,350 --> 00:18:34,849 So what we did is we 549 00:18:35,900 --> 00:18:38,899 built a Linux distribution for our course 550 00:18:38,900 --> 00:18:41,209 and we settled on a specific 551 00:18:41,210 --> 00:18:42,619 version of libc. 552 00:18:42,620 --> 00:18:44,239 And then we went gadget hunting inside of 553 00:18:44,240 --> 00:18:46,339 libc. And I'll talk to you briefly 554 00:18:46,340 --> 00:18:47,479 about how we did some of that gadget 555 00:18:47,480 --> 00:18:48,949 hunting, but it's extremely boring and I 556 00:18:48,950 --> 00:18:50,329 can see some of you already glazing 557 00:18:50,330 --> 00:18:51,589 over. 558 00:18:51,590 --> 00:18:53,719 But I'll go 559 00:18:53,720 --> 00:18:54,949 into a bit of how that's done, but if you 560 00:18:54,950 --> 00:18:55,879 want to learn more about it, there's 561 00:18:55,880 --> 00:18:56,900 plenty of stuff on the web. 562 00:18:58,190 --> 00:18:59,449 So essentially what we did is we searched 563 00:18:59,450 --> 00:19:00,739 through libc. We found a bunch of 564 00:19:00,740 --> 00:19:02,959 gadgets and then we built a library 565 00:19:02,960 --> 00:19:05,359 for you to quickly build your 566 00:19:05,360 --> 00:19:06,360 payloads from. 567 00:19:07,850 --> 00:19:10,369 So there's a bunch of different 568 00:19:10,370 --> 00:19:12,199 bunch of different gadgets that we found, 569 00:19:12,200 --> 00:19:14,509 but this is an example of an interesting 570 00:19:14,510 --> 00:19:15,709 ROP gadget. 571 00:19:15,710 --> 00:19:17,299 This one lives down in libc, and 572 00:19:17,300 --> 00:19:19,399 this is on our Linux distribution at 573 00:19:19,400 --> 00:19:20,599 nine one eight DC. 574 00:19:21,800 --> 00:19:23,779 And essentially this gadget, all it does 575 00:19:23,780 --> 00:19:26,179 is pop r0, r1, r2, 576 00:19:26,180 --> 00:19:28,349 r3, r12 and 577 00:19:28,350 --> 00:19:30,469 LR.
So it removes those values 578 00:19:30,470 --> 00:19:32,839 off the stack and then it branches 579 00:19:32,840 --> 00:19:34,129 to r12. 580 00:19:34,130 --> 00:19:35,959 And so for those of you unfamiliar with 581 00:19:35,960 --> 00:19:37,489 ROP, essentially all this instruction 582 00:19:37,490 --> 00:19:39,799 does is it removes things 583 00:19:39,800 --> 00:19:41,929 from the stack and 584 00:19:41,930 --> 00:19:44,989 loads them into registers 585 00:19:44,990 --> 00:19:47,119 and then begins executing at one 586 00:19:47,120 --> 00:19:48,679 of the registers that it loads off the 587 00:19:48,680 --> 00:19:49,579 stack. 588 00:19:49,580 --> 00:19:50,869 So essentially what we're doing is we're 589 00:19:50,870 --> 00:19:52,279 just putting a bunch of values onto the 590 00:19:52,280 --> 00:19:53,929 stack through a stack overflow or 591 00:19:53,930 --> 00:19:55,789 something like that and then using 592 00:19:55,790 --> 00:19:58,009 gadgets like this to call functions. 593 00:19:58,010 --> 00:19:59,839 And we call this gadget the function 594 00:19:59,840 --> 00:20:01,159 call gadget, and it's kind of the one 595 00:20:01,160 --> 00:20:04,159 that the entire course hinges around. 596 00:20:04,160 --> 00:20:05,689 So this is the kind of stuff 597 00:20:05,690 --> 00:20:06,799 that we teach and of course, 598 00:20:08,060 --> 00:20:11,269 how to go hunt for gadgets. We use it 599 00:20:11,270 --> 00:20:12,829 to call interesting functions like 600 00:20:12,830 --> 00:20:15,079 mprotect, change the page's permissions 601 00:20:15,080 --> 00:20:18,409 to circumvent certain exploitation 602 00:20:18,410 --> 00:20:20,419 protection mechanisms.
603 00:20:20,420 --> 00:20:22,369 We also use it to call functions like mmap 604 00:20:22,370 --> 00:20:24,829 and memcpy, and 605 00:20:24,830 --> 00:20:26,419 I would go into a lot more detail about 606 00:20:26,420 --> 00:20:27,949 this, but I have a bunch more slides to 607 00:20:27,950 --> 00:20:30,229 go into and I don't want to bore you all. 608 00:20:31,400 --> 00:20:33,659 And again, this is just more stuff 609 00:20:33,660 --> 00:20:35,239 on ROP. If you want to check out 610 00:20:35,240 --> 00:20:36,799 these slides, we have them on 611 00:20:36,800 --> 00:20:37,940 dontstuffbeansupyournose.com. 612 00:20:39,560 --> 00:20:41,149 The huge takeaway from ROP is that 613 00:20:41,150 --> 00:20:42,829 basically because you're piecing together 614 00:20:42,830 --> 00:20:44,269 small bits of usable code 615 00:20:46,640 --> 00:20:49,039 or small bits of executable code 616 00:20:49,040 --> 00:20:51,259 to do a larger function, it 617 00:20:51,260 --> 00:20:53,669 becomes really convoluted. 618 00:20:53,670 --> 00:20:55,799 And so this is an example 619 00:20:55,800 --> 00:20:58,199 of us simply trying to move one value, 620 00:20:58,200 --> 00:21:00,359 r6, or the value 621 00:21:00,360 --> 00:21:02,369 inside of register r6, to r1 622 00:21:03,660 --> 00:21:06,839 without changing another register. 623 00:21:06,840 --> 00:21:09,029 And so just the act 624 00:21:09,030 --> 00:21:11,159 of moving one value between 625 00:21:11,160 --> 00:21:13,499 two registers, from one register 626 00:21:13,500 --> 00:21:15,719 to another without changing 627 00:21:15,720 --> 00:21:17,879 another register, took 14 628 00:21:17,880 --> 00:21:20,189 steps and, 629 00:21:20,190 --> 00:21:22,049 through methods of indirection, we had 630 00:21:22,050 --> 00:21:24,539 to write values into memory.
631 00:21:24,540 --> 00:21:26,879 We had to use techniques called staggered 632 00:21:26,880 --> 00:21:28,619 memory, where we write these values into 633 00:21:28,620 --> 00:21:30,689 memory and then load these bottom 634 00:21:30,690 --> 00:21:32,219 three values out of memory. 635 00:21:32,220 --> 00:21:34,049 It becomes really convoluted, and this is 636 00:21:34,050 --> 00:21:35,339 the challenge of ROP. 637 00:21:35,340 --> 00:21:36,659 And this is where the bar is for 638 00:21:36,660 --> 00:21:38,849 exploitation, specifically on ARM 639 00:21:38,850 --> 00:21:39,779 and mobile devices. 640 00:21:39,780 --> 00:21:41,279 That's the huge takeaway. 641 00:21:43,380 --> 00:21:44,909 So this is, again, some more ROP stuff, 642 00:21:44,910 --> 00:21:47,309 this is how we build ROP gadgets. 643 00:21:47,310 --> 00:21:49,469 And this is essentially a representation 644 00:21:49,470 --> 00:21:50,759 of the stack. 645 00:21:50,760 --> 00:21:52,949 If you start up on the top left, we have 646 00:21:52,950 --> 00:21:54,839 the address of a ROP gadget, which is 647 00:21:54,840 --> 00:21:56,699 that function call gadget, pop r0, 648 00:21:56,700 --> 00:21:59,219 r3, r12, LR, BX, 649 00:21:59,220 --> 00:22:02,069 LR and roethke. 650 00:22:02,070 --> 00:22:03,719 These ROP payloads are essentially just 651 00:22:03,720 --> 00:22:05,669 addresses on the stack. 652 00:22:05,670 --> 00:22:06,569 That's all we're doing is we're just 653 00:22:06,570 --> 00:22:08,369 putting addresses onto the stack and then 654 00:22:08,370 --> 00:22:10,349 somehow kicking off our ROP chain, 655 00:22:10,350 --> 00:22:11,699 depending on what the nature of 656 00:22:11,700 --> 00:22:12,839 the vulnerability is. 657 00:22:14,460 --> 00:22:15,779 So it's hard, it's error prone. 658 00:22:15,780 --> 00:22:17,129 It's very difficult.
So what we did for 659 00:22:17,130 --> 00:22:19,949 the course is we built a Python script, 660 00:22:19,950 --> 00:22:22,319 which has the address annotations 661 00:22:22,320 --> 00:22:24,389 about the ROP gadgets, 662 00:22:24,390 --> 00:22:25,829 and we built it into a builder. 663 00:22:25,830 --> 00:22:28,139 So you just, like, drop into the CLI 664 00:22:28,140 --> 00:22:30,119 and you can build your payloads with a 665 00:22:30,120 --> 00:22:31,739 few simple commands. 666 00:22:31,740 --> 00:22:33,509 And we think this is very useful 667 00:22:33,510 --> 00:22:35,459 because it allows you to access the 668 00:22:35,460 --> 00:22:37,769 concepts without really digging 669 00:22:37,770 --> 00:22:39,539 into the details of how ROP works and 670 00:22:39,540 --> 00:22:40,799 stuff. And if you want to, you can. 671 00:22:44,070 --> 00:22:46,949 So a little bit about ARM. 672 00:22:46,950 --> 00:22:48,749 ARM has a few different instruction 673 00:22:48,750 --> 00:22:50,939 modes, and this is one 674 00:22:50,940 --> 00:22:52,859 of the key things that we also want 675 00:22:52,860 --> 00:22:55,049 people to take away from our talks and 676 00:22:55,050 --> 00:22:56,050 our research. 677 00:22:58,350 --> 00:23:00,539 ARM processors have ARM 678 00:23:00,540 --> 00:23:03,029 mode, which is a 32-bit instruction mode, 679 00:23:03,030 --> 00:23:05,189 and they have Thumb mode, which is a 680 00:23:05,190 --> 00:23:07,289 16-bit instruction mode, and 681 00:23:07,290 --> 00:23:08,219 they actually have a few other 682 00:23:08,220 --> 00:23:09,299 instruction modes. 683 00:23:09,300 --> 00:23:12,659 There's this old one called ThumbEE, 684 00:23:12,660 --> 00:23:14,849 which has special instructions to enter 685 00:23:14,850 --> 00:23:16,589 small bits of code.
But this mode of 686 00:23:16,590 --> 00:23:18,809 execution is specifically for 687 00:23:18,810 --> 00:23:21,479 processors to execute JITted code, 688 00:23:21,480 --> 00:23:23,219 code that's generated by a JIT. 689 00:23:23,220 --> 00:23:25,049 There's also a deprecated instruction 690 00:23:25,050 --> 00:23:27,629 mode called Jazelle, and that was, 691 00:23:27,630 --> 00:23:29,369 ARM processors could actually execute 692 00:23:29,370 --> 00:23:31,319 native Java code, which is really scary, 693 00:23:31,320 --> 00:23:32,320 right? 694 00:23:33,600 --> 00:23:35,339 But they could do it for a little while. 695 00:23:35,340 --> 00:23:37,439 I think this was deprecated in 696 00:23:37,440 --> 00:23:40,049 ARMv7 or something like that, but 697 00:23:40,050 --> 00:23:41,429 these processors could do it, and it was 698 00:23:41,430 --> 00:23:42,899 a feature originally designed for old 699 00:23:42,900 --> 00:23:44,609 feature phones. If you remember, like, 700 00:23:44,610 --> 00:23:47,069 prior to smartphones, there was a lot of 701 00:23:47,070 --> 00:23:49,139 Java, J2ME and 702 00:23:49,140 --> 00:23:51,389 stuff like that running on phones, so 703 00:23:51,390 --> 00:23:52,709 it was built into the processor that it 704 00:23:52,710 --> 00:23:53,710 could do this stuff. 705 00:23:54,540 --> 00:23:56,069 But the key takeaway, though, we want 706 00:23:56,070 --> 00:23:58,139 people to know is that even 707 00:23:58,140 --> 00:24:00,419 though ROP is hard, right, or ROP, 708 00:24:00,420 --> 00:24:03,329 it's not hard. It's indirect 709 00:24:03,330 --> 00:24:05,789 and it takes a lot more work. 710 00:24:05,790 --> 00:24:06,959 We have these different instruction 711 00:24:06,960 --> 00:24:08,279 modes. We have ARM mode, we have Thumb 712 00:24:08,280 --> 00:24:10,409 mode, you have these weird, these 713 00:24:10,410 --> 00:24:11,700 really bizarre instruction modes.
714 00:24:12,840 --> 00:24:14,129 And one of the interesting things about 715 00:24:14,130 --> 00:24:16,379 that. And remember ROP, the idea 716 00:24:16,380 --> 00:24:18,479 with ROP is that we're using bits of code 717 00:24:18,480 --> 00:24:19,979 that already are in the process 718 00:24:19,980 --> 00:24:20,980 we're trying to exploit. 719 00:24:22,140 --> 00:24:23,729 What we can use is the fact that these 720 00:24:23,730 --> 00:24:26,099 processors have different instruction 721 00:24:26,100 --> 00:24:27,100 modes 722 00:24:27,860 --> 00:24:30,559 to actually find more ROP gadgets, 723 00:24:30,560 --> 00:24:32,719 so this is one of the examples 724 00:24:32,720 --> 00:24:33,720 from the course, so 725 00:24:35,270 --> 00:24:37,579 one of the gadgets we use is a pop 726 00:24:37,580 --> 00:24:40,099 r0, r2, PC. 727 00:24:40,100 --> 00:24:42,229 And what this does is it removes a value 728 00:24:42,230 --> 00:24:44,359 from the stack and puts it in r0, 729 00:24:44,360 --> 00:24:45,829 removes a value from the stack, puts it in 730 00:24:45,830 --> 00:24:47,719 r2, removes a value from the stack 731 00:24:47,720 --> 00:24:49,849 and puts it in PC. PC is like 732 00:24:49,850 --> 00:24:51,229 IP on x86. 733 00:24:51,230 --> 00:24:53,179 It's the instruction pointer. 734 00:24:53,180 --> 00:24:54,649 It points to the next thing the processor 735 00:24:54,650 --> 00:24:56,059 is going to execute. 736 00:24:56,060 --> 00:24:57,979 So using that, we can actually redirect 737 00:24:57,980 --> 00:25:00,109 execution. We can pop a value out 738 00:25:00,110 --> 00:25:01,669 of r0 or r2. 739 00:25:01,670 --> 00:25:03,529 And the key thing about r0 and r2 is 740 00:25:03,530 --> 00:25:05,089 that they're used as parameters to a 741 00:25:05,090 --> 00:25:06,559 function. So this is a really great 742 00:25:06,560 --> 00:25:08,539 gadget for calling a function.
743 00:25:08,540 --> 00:25:10,549 You pop r0, r2 and then tell it 744 00:25:10,550 --> 00:25:12,590 where to go by popping PC. 745 00:25:14,090 --> 00:25:16,339 So we really, we've been using pop 746 00:25:16,340 --> 00:25:17,660 r0, r2, PC, 747 00:25:18,800 --> 00:25:20,089 but we don't see it anywhere in 748 00:25:20,090 --> 00:25:21,559 the disassembly, right? 749 00:25:21,560 --> 00:25:23,149 And the reason is because we're just 750 00:25:23,150 --> 00:25:25,309 disassembling in 32-bit ARM mode. 751 00:25:25,310 --> 00:25:27,589 If we disassemble Thumb, if we 752 00:25:27,590 --> 00:25:29,000 take the same region of memory 753 00:25:30,140 --> 00:25:31,280 and we disassemble it, 754 00:25:32,420 --> 00:25:34,729 starting at three eight five zero 755 00:25:34,730 --> 00:25:37,159 C, we get ftf seven 756 00:25:37,160 --> 00:25:38,479 zero five b d. 757 00:25:38,480 --> 00:25:40,549 I don't know if you can see that between 758 00:25:40,550 --> 00:25:42,049 the two lines. 759 00:25:42,050 --> 00:25:44,150 And if we reinterpret that as Thumb mode, 760 00:25:45,380 --> 00:25:47,839 we get a pop r0, r2, PC. 761 00:25:48,890 --> 00:25:50,899 So what happens is that where pieces 762 00:25:50,900 --> 00:25:53,029 of code are supposed to run as 32-bit 763 00:25:53,030 --> 00:25:54,019 code, 764 00:25:54,020 --> 00:25:56,059 we can, using a few tricks, tell the 765 00:25:56,060 --> 00:25:58,219 processor, execute this 766 00:25:58,220 --> 00:26:00,079 as a different instruction mode, use the 767 00:26:00,080 --> 00:26:02,209 same instructions, but execute 768 00:26:02,210 --> 00:26:03,979 as a different instruction mode, and you 769 00:26:03,980 --> 00:26:06,379 can find extra gadgets. 770 00:26:06,380 --> 00:26:07,709 So this is a key thing about ARM.
771 00:26:07,710 --> 00:26:09,349 So on your mobile platforms, on your 772 00:26:09,350 --> 00:26:11,479 mobile devices, even though ROP is 773 00:26:11,480 --> 00:26:13,519 difficult, it's actually a little bit 774 00:26:13,520 --> 00:26:15,319 easier because these processors have 775 00:26:15,320 --> 00:26:16,459 different instruction modes. 776 00:26:18,500 --> 00:26:20,749 So we teach them other tricks also, 777 00:26:20,750 --> 00:26:22,250 just basic stuff like, 778 00:26:23,450 --> 00:26:25,309 when you're doing exploitation, places to 779 00:26:25,310 --> 00:26:27,589 write stuff, like really extra scratch 780 00:26:27,590 --> 00:26:29,689 space. This is a really cool technique: 781 00:26:29,690 --> 00:26:32,119 using the deltas 782 00:26:32,120 --> 00:26:35,239 between sections in the executable. 783 00:26:35,240 --> 00:26:37,279 You can write there because nothing in 784 00:26:37,280 --> 00:26:39,709 the program will be addressed to places 785 00:26:39,710 --> 00:26:41,839 inside the 786 00:26:41,840 --> 00:26:43,249 delta between the pages. 787 00:26:43,250 --> 00:26:45,979 These are really specific techniques, but 788 00:26:45,980 --> 00:26:47,659 we go into them in great detail and you 789 00:26:47,660 --> 00:26:50,069 can also learn about them by downloading 790 00:26:50,070 --> 00:26:51,799 the slide deck or checking out our talk. 791 00:26:53,810 --> 00:26:55,879 We also go into stack overflows and 792 00:26:55,880 --> 00:26:57,619 how to bypass XN. 793 00:26:57,620 --> 00:26:59,059 Basically, at the beginning of our 794 00:26:59,060 --> 00:27:00,679 course, you can know absolutely nothing 795 00:27:00,680 --> 00:27:02,929 about exploitation, with a little 796 00:27:02,930 --> 00:27:04,819 bit of experience using Linux and Python 797 00:27:04,820 --> 00:27:06,049 and some assembly code.
798 00:27:06,050 --> 00:27:08,239 And by the end of the course, you'll 799 00:27:08,240 --> 00:27:10,609 be bypassing all the modern protection 800 00:27:10,610 --> 00:27:12,049 mechanisms on Linux. 801 00:27:13,730 --> 00:27:15,829 So we talk about stack pivots. 802 00:27:15,830 --> 00:27:18,589 This is again Georg, 803 00:27:18,590 --> 00:27:20,359 who's also an author of the Android 804 00:27:20,360 --> 00:27:22,549 Hacker's Handbook, explained. 805 00:27:23,630 --> 00:27:25,579 We call them pivots and he's German, and 806 00:27:25,580 --> 00:27:27,829 he had an accent. He called them pirates. 807 00:27:27,830 --> 00:27:29,689 So we pay homage to him with this by 808 00:27:29,690 --> 00:27:32,119 calling this technique pirates. 809 00:27:32,120 --> 00:27:33,169 And this is a really interesting 810 00:27:33,170 --> 00:27:34,669 technique, and it's really simple and 811 00:27:34,670 --> 00:27:36,169 people do it on x86 all the time. 812 00:27:36,170 --> 00:27:37,170 If you're familiar 813 00:27:38,990 --> 00:27:40,549 with x86 exploitation, 814 00:27:41,630 --> 00:27:43,189 the idea is essentially, 815 00:27:44,930 --> 00:27:46,189 if you have a ROP payload that you've 816 00:27:46,190 --> 00:27:47,190 built 817 00:27:48,290 --> 00:27:50,139 and it exists on 818 00:27:50,140 --> 00:27:52,339 the heap, how do you get the stack to point 819 00:27:52,340 --> 00:27:53,299 into the heap? 820 00:27:53,300 --> 00:27:54,529 And the idea is that you find an 821 00:27:54,530 --> 00:27:56,329 instruction that basically tells the 822 00:27:56,330 --> 00:27:57,949 stack pointer to point somewhere into the 823 00:27:57,950 --> 00:27:59,629 heap and we call that pivoting. 824 00:27:59,630 --> 00:28:02,149 So that's just a technique to again 825 00:28:02,150 --> 00:28:03,150 evade some 826 00:28:04,370 --> 00:28:07,439 protection mechanisms. 827 00:28:07,440 --> 00:28:08,839 Going to flip through some of this stuff.
828 00:28:10,040 --> 00:28:11,179 Ignore the book Haki. 829 00:28:11,180 --> 00:28:12,289 That's what we call heap spray 830 00:28:14,210 --> 00:28:15,789 for those exploiters in the audience. 831 00:28:15,790 --> 00:28:17,239 Appreciate that. 832 00:28:17,240 --> 00:28:18,289 I want to talk about some of the other 833 00:28:18,290 --> 00:28:19,909 stuff, too, the hardware specific stuff, 834 00:28:19,910 --> 00:28:21,229 skipping through the ARM exploitation 835 00:28:21,230 --> 00:28:22,909 stuff, which you can find out 836 00:28:22,910 --> 00:28:25,279 later. This is my company, Xipiter, 837 00:28:25,280 --> 00:28:26,479 and this is really kind of more of a 838 00:28:26,480 --> 00:28:28,189 slide show. This is more of a memoir of 839 00:28:28,190 --> 00:28:29,899 some of the stuff I've been doing in the 840 00:28:29,900 --> 00:28:31,099 last year or so. 841 00:28:33,440 --> 00:28:34,879 And so one of the first things that I 842 00:28:34,880 --> 00:28:36,379 wanted to do was learn how to interface 843 00:28:36,380 --> 00:28:37,549 debuggers with hardware. 844 00:28:37,550 --> 00:28:38,899 I showed you the example where we're 845 00:28:38,900 --> 00:28:41,089 using UART to get stuff that 846 00:28:41,090 --> 00:28:42,289 was sent by the application. 847 00:28:42,290 --> 00:28:44,749 Maybe, like, that UART was tied to 848 00:28:44,750 --> 00:28:46,039 the app or something like that, and they 849 00:28:46,040 --> 00:28:47,390 were printing debug messages. 850 00:28:50,160 --> 00:28:52,409 But maybe we want a way to actually debug 851 00:28:52,410 --> 00:28:53,819 the processor. 852 00:28:53,820 --> 00:28:56,099 So, of course, JTAG, 853 00:28:56,100 --> 00:28:58,319 everyone says JTAG, JTAG, just JTAG 854 00:28:58,320 --> 00:29:00,659 that. And I was thinking, 855 00:29:00,660 --> 00:29:02,009 as this coming from the software world,
856 00:29:02,010 --> 00:29:04,289 Oh, JTAG might just be a way to get, 857 00:29:05,370 --> 00:29:06,749 the way to debug hardware. 858 00:29:06,750 --> 00:29:09,119 It's just going to be, let me plug GDB 859 00:29:09,120 --> 00:29:11,159 into a chip and watch the chip going. 860 00:29:11,160 --> 00:29:12,539 I can read registers and do stuff like 861 00:29:12,540 --> 00:29:14,969 that. It's not a silver bullet. 862 00:29:14,970 --> 00:29:17,159 Every manufacturer, every chip, they 863 00:29:17,160 --> 00:29:18,839 do it a little bit different. 864 00:29:18,840 --> 00:29:20,279 And there's many different JTAG 865 00:29:20,280 --> 00:29:22,589 adapters and each JTAG adapter 866 00:29:22,590 --> 00:29:25,109 needs to understand the wireline 867 00:29:25,110 --> 00:29:27,299 protocol and the serial protocol 868 00:29:27,300 --> 00:29:29,519 that's spoken over JTAG, which 869 00:29:29,520 --> 00:29:30,749 is another common misconception. 870 00:29:30,750 --> 00:29:32,789 People think JTAG is the debug 871 00:29:32,790 --> 00:29:33,689 mechanism. 872 00:29:33,690 --> 00:29:34,979 It's actually not. There's actually a 873 00:29:34,980 --> 00:29:37,079 small piece of the JTAG specification for 874 00:29:37,080 --> 00:29:39,509 debugging, but 875 00:29:39,510 --> 00:29:41,369 one of the first things that I realized is 876 00:29:41,370 --> 00:29:42,989 that there was this huge misconception 877 00:29:42,990 --> 00:29:44,429 about JTAG. 878 00:29:44,430 --> 00:29:46,769 So my first foray into this, I got 879 00:29:46,770 --> 00:29:49,529 something called the J-Link, 880 00:29:49,530 --> 00:29:51,419 which is a debugger, and I used it on 881 00:29:51,420 --> 00:29:53,789 this Dolores ARM development kit, 882 00:29:53,790 --> 00:29:55,679 which you can get for about 90 bucks.
883 00:29:55,680 --> 00:29:57,719 It comes with a preloaded bare metal 884 00:29:57,720 --> 00:29:59,219 image, which means that there's no 885 00:29:59,220 --> 00:30:01,289 operating system. There's just a single 886 00:30:01,290 --> 00:30:03,479 executable running on the chip and then 887 00:30:03,480 --> 00:30:05,519 you get these headers and you can just 888 00:30:05,520 --> 00:30:08,039 literally plug the J-Link adapter 889 00:30:08,040 --> 00:30:10,199 into the hardware. 890 00:30:11,370 --> 00:30:13,529 And then the J-Link plugs in 891 00:30:13,530 --> 00:30:15,629 over USB to your computer, and 892 00:30:15,630 --> 00:30:18,119 then you can use GDB 893 00:30:18,120 --> 00:30:20,409 or their debugging interface 894 00:30:20,410 --> 00:30:21,749 to talk to the software. 895 00:30:21,750 --> 00:30:22,979 Again, this is another shot of the 896 00:30:22,980 --> 00:30:24,059 J-Link. 897 00:30:24,060 --> 00:30:25,170 This is another cool thing. 898 00:30:26,640 --> 00:30:28,949 Ralf-Philipp Weinmann has a really awesome 899 00:30:28,950 --> 00:30:30,359 paper. It's actually one of my favorite 900 00:30:30,360 --> 00:30:32,579 papers right now on 901 00:30:33,870 --> 00:30:35,819 baseband exploitation, I'm sure you 902 00:30:35,820 --> 00:30:36,809 guys have heard about it. 903 00:30:36,810 --> 00:30:38,489 If you haven't, definitely look up 904 00:30:38,490 --> 00:30:39,899 Ralf-Philipp Weinmann anyway. 905 00:30:39,900 --> 00:30:41,249 In his paper, at the very beginning, he 906 00:30:41,250 --> 00:30:44,099 talks about how to use an Android G1, 907 00:30:44,100 --> 00:30:46,619 and he was able to JTAG debug the baseband 908 00:30:46,620 --> 00:30:48,209 processor. Cell phones have two 909 00:30:48,210 --> 00:30:50,039 processors, application processor and 910 00:30:50,040 --> 00:30:51,539 baseband processor.
911 00:30:51,540 --> 00:30:53,039 So I found a Polish company called 912 00:30:53,040 --> 00:30:55,139 Multicam GCPL, and they made the special 913 00:30:55,140 --> 00:30:57,209 adapter that fit the 914 00:30:57,210 --> 00:30:59,519 Android G1, and it gave me JTAG 915 00:30:59,520 --> 00:31:01,680 access to the Android G1. 916 00:31:03,720 --> 00:31:05,189 You also will run into cases where you 917 00:31:05,190 --> 00:31:07,259 have, this is again, 918 00:31:07,260 --> 00:31:08,789 this is kind of like slideshow memoir 919 00:31:08,790 --> 00:31:09,689 stuff here. 920 00:31:09,690 --> 00:31:11,759 You'll get cases where you'll 921 00:31:11,760 --> 00:31:13,979 see a connector that you suspect 922 00:31:13,980 --> 00:31:16,019 probably has UART or JTAG or 923 00:31:16,020 --> 00:31:17,669 something like that on it, but you won't 924 00:31:17,670 --> 00:31:18,779 know how to get access to it. 925 00:31:18,780 --> 00:31:20,129 And this is an example. This is something 926 00:31:20,130 --> 00:31:21,119 called. 927 00:31:21,120 --> 00:31:22,769 This is from a specific project I worked 928 00:31:22,770 --> 00:31:25,019 on where I had no idea 929 00:31:25,020 --> 00:31:25,979 how to interface with this thing. 930 00:31:25,980 --> 00:31:27,839 I knew for a fact that it had JTAG. 931 00:31:27,840 --> 00:31:29,249 I knew for a fact there's probably going 932 00:31:29,250 --> 00:31:30,779 to be UART on it based on the way it was 933 00:31:30,780 --> 00:31:32,999 positioned next to the board, but 934 00:31:33,000 --> 00:31:34,229 I didn't know what kind of connector that 935 00:31:34,230 --> 00:31:36,119 was. And so this is the kind of stuff you 936 00:31:36,120 --> 00:31:37,859 do, you know, spending hours trolling 937 00:31:37,860 --> 00:31:40,259 manufacturers' parts lists 938 00:31:40,260 --> 00:31:41,819 and Googling serial numbers, and 939 00:31:41,820 --> 00:31:44,099 eventually I found this customized Molex 940 00:31:44,100 --> 00:31:45,149 part.
941 00:31:45,150 --> 00:31:46,079 It turns out these things are called 942 00:31:46,080 --> 00:31:48,239 mezzanine connectors, but this 943 00:31:48,240 --> 00:31:49,989 mezzanine connector is something called 944 00:31:49,990 --> 00:31:51,359 SMD, if you're not... 945 00:31:51,360 --> 00:31:52,650 Does anyone know what SMD is? 946 00:31:54,130 --> 00:31:56,109 Yeah. It's called surface mount, so 947 00:31:56,110 --> 00:31:58,629 surface mount format 948 00:31:58,630 --> 00:32:00,489 is basically something that sticks onto a 949 00:32:00,490 --> 00:32:02,649 PCB and it has, like, 950 00:32:02,650 --> 00:32:04,929 very small pins. It's basically meant to be 951 00:32:04,930 --> 00:32:06,459 machine assembled by something called a 952 00:32:06,460 --> 00:32:07,389 pick and place machine. 953 00:32:07,390 --> 00:32:09,729 It's a little robot that uses a file 954 00:32:09,730 --> 00:32:11,979 called a centroid that knows 955 00:32:11,980 --> 00:32:13,509 the coordinates of where things belong on 956 00:32:13,510 --> 00:32:15,999 a PCB. So the robot puts it down, 957 00:32:16,000 --> 00:32:18,099 applies a very minuscule amount of 958 00:32:18,100 --> 00:32:20,169 solder and applies heat to 959 00:32:20,170 --> 00:32:22,239 it. And that's how circuits get bonded to 960 00:32:22,240 --> 00:32:23,529 PCBs. 961 00:32:23,530 --> 00:32:26,379 So this thing here is a surface mount. 962 00:32:26,380 --> 00:32:28,809 It's not meant for, you know, 963 00:32:28,810 --> 00:32:30,769 guys with big, clumsy hands like myself 964 00:32:30,770 --> 00:32:32,109 to interface with. 965 00:32:32,110 --> 00:32:33,639 So how was I going to get this Molex 966 00:32:33,640 --> 00:32:36,039 connector connected to that thing? 967 00:32:36,040 --> 00:32:37,179 So these are just some of the tricks you 968 00:32:37,180 --> 00:32:38,589 come up with.
969 00:32:38,590 --> 00:32:39,590 This is a 970 00:32:40,720 --> 00:32:42,669 this is a SchmartBoard, and it's just a 971 00:32:42,670 --> 00:32:44,799 PCB made by some guy. 972 00:32:44,800 --> 00:32:46,539 Like in Wahoo, Nebraska or 973 00:32:46,540 --> 00:32:47,889 something, he just makes these little 974 00:32:47,890 --> 00:32:50,019 boards that are, 975 00:32:51,280 --> 00:32:53,559 they're basically breakout boards for 976 00:32:53,560 --> 00:32:55,689 many different types of SMD components. 977 00:32:55,690 --> 00:32:58,029 And what you can do is attach 978 00:32:58,030 --> 00:32:59,769 your small component to the inner part of 979 00:32:59,770 --> 00:33:00,849 the board. 980 00:33:00,850 --> 00:33:02,349 And then you see there's these horizontal 981 00:33:02,350 --> 00:33:04,029 lines there. You can just touch this 982 00:33:04,030 --> 00:33:06,429 with the slightest bit of 983 00:33:06,430 --> 00:33:07,430 the tip of a 984 00:33:08,650 --> 00:33:11,289 soldering iron, and it'll liquefy 985 00:33:11,290 --> 00:33:13,149 everything in the same horizontal line so 986 00:33:13,150 --> 00:33:15,619 you can place the chip that you want. 987 00:33:15,620 --> 00:33:17,379 Touch your soldering iron over on the 988 00:33:17,380 --> 00:33:19,599 side and it'll liquefy and it'll 989 00:33:19,600 --> 00:33:21,219 bind the parts to the board. 990 00:33:21,220 --> 00:33:22,899 But then the nice thing is that those 991 00:33:22,900 --> 00:33:25,659 leads also connect out to jumpers, 992 00:33:25,660 --> 00:33:27,249 where you can then plug your pins in and 993 00:33:27,250 --> 00:33:28,479 start to do stuff. 994 00:33:28,480 --> 00:33:30,099 So in this one particular case, I had 995 00:33:30,100 --> 00:33:31,839 that unknown connector.
996 00:33:31,840 --> 00:33:33,579 I found the mating part, ordered it from 997 00:33:33,580 --> 00:33:35,859 Molex, bonded it to this SchmartBoard 998 00:33:35,860 --> 00:33:37,989 and got something like 999 00:33:37,990 --> 00:33:40,179 that and 1000 00:33:40,180 --> 00:33:42,609 took lots of notes 1001 00:33:42,610 --> 00:33:44,919 and eventually had this huge monstrosity 1002 00:33:44,920 --> 00:33:46,779 where I was able to connect underneath. 1003 00:33:46,780 --> 00:33:48,849 That is the mating connector. 1004 00:33:48,850 --> 00:33:50,229 And on the other side, I soldered 1005 00:33:50,230 --> 00:33:52,509 headers, and from this 1006 00:33:52,510 --> 00:33:54,729 I can go back into my 1007 00:33:54,730 --> 00:33:55,730 J-Link. 1008 00:33:57,790 --> 00:33:59,649 And at the end of the day, I had a debug 1009 00:33:59,650 --> 00:34:02,109 connection to this point of sale system. 1010 00:34:02,110 --> 00:34:03,399 So these are just the kind of tricks you 1011 00:34:03,400 --> 00:34:04,539 come up with. 1012 00:34:04,540 --> 00:34:06,039 Hardware hacking is a lot of arts and 1013 00:34:06,040 --> 00:34:07,359 crafts. It's a lot of stuff that you 1014 00:34:07,360 --> 00:34:09,459 don't think is going to be applicable. 1015 00:34:09,460 --> 00:34:11,619 But then at the end of the day, you get 1016 00:34:11,620 --> 00:34:13,359 debugger access, command line debugger 1017 00:34:13,360 --> 00:34:14,739 access, which is really awesome. 1018 00:34:16,850 --> 00:34:19,009 So we can get debugger access to 1019 00:34:19,010 --> 00:34:20,689 stuff, we see we can access 1020 00:34:20,690 --> 00:34:22,279 UARTs and stuff like that. 1021 00:34:22,280 --> 00:34:24,349 Now what? So maybe one of the things we 1022 00:34:24,350 --> 00:34:25,759 want to do is pull the firmware out of a 1023 00:34:25,760 --> 00:34:28,279 thing, and this was illuminating 1024 00:34:28,280 --> 00:34:29,658 for me. I was working with an electrical 1025 00:34:29,659 --> 00:34:31,849 engineer.
I'd never pulled firmware from 1026 00:34:31,850 --> 00:34:34,099 a device before, and he really 1027 00:34:34,100 --> 00:34:35,149 kind of showed me the ropes. 1028 00:34:35,150 --> 00:34:37,369 So you'll see some photos of him in here. 1029 00:34:37,370 --> 00:34:39,499 So this guy, Chris, we looked at 1030 00:34:39,500 --> 00:34:40,459 the schematics for the board. 1031 00:34:40,460 --> 00:34:41,658 The manufacturer was nice enough to give 1032 00:34:41,659 --> 00:34:42,659 us schematics. 1033 00:34:43,400 --> 00:34:45,529 And so we narrowed these 1034 00:34:45,530 --> 00:34:47,419 pins down to, you know, to the chips that 1035 00:34:47,420 --> 00:34:48,859 we wanted to target. 1036 00:34:48,860 --> 00:34:50,629 We found the traces we wanted. 1037 00:34:50,630 --> 00:34:51,979 Sometimes you get these schematics on 1038 00:34:51,980 --> 00:34:53,269 hardware reverse engineering products, 1039 00:34:53,270 --> 00:34:54,468 sometimes you don't. 1040 00:34:54,469 --> 00:34:56,089 And when you don't, you've got to pull 1041 00:34:56,090 --> 00:34:58,219 the firmware. So how do you do it? 1042 00:34:58,220 --> 00:35:00,349 So in this particular case, and 1043 00:35:00,350 --> 00:35:02,689 this is a bit of information here 1044 00:35:02,690 --> 00:35:03,769 about how this is done. 1045 00:35:05,090 --> 00:35:06,649 Remember, I said some key components are 1046 00:35:06,650 --> 00:35:08,209 bonded to the board with small bits of 1047 00:35:08,210 --> 00:35:09,169 solder, right? 1048 00:35:09,170 --> 00:35:10,939 And solder is just liquid metal. 1049 00:35:10,940 --> 00:35:12,199 Basically, once you heat it up, it 1050 00:35:12,200 --> 00:35:13,549 liquefies. 1051 00:35:13,550 --> 00:35:16,099 So how do you get pieces like that 1052 00:35:16,100 --> 00:35:17,029 off the board?
1053 00:35:17,030 --> 00:35:18,109 Well, they have something called Chip 1054 00:35:18,110 --> 00:35:20,359 Quik, and Chip Quik is basically an 1055 00:35:20,360 --> 00:35:22,669 alloy also, but it has a higher melting 1056 00:35:22,670 --> 00:35:23,629 temperature. 1057 00:35:23,630 --> 00:35:25,369 And so what we did here is we melted this 1058 00:35:25,370 --> 00:35:27,559 Chip Quik stuff onto the pins 1059 00:35:27,560 --> 00:35:29,659 that attached the 1060 00:35:29,660 --> 00:35:31,409 component to the board. 1061 00:35:31,410 --> 00:35:33,739 And so what we can do is we can liquefy 1062 00:35:33,740 --> 00:35:36,139 the hotter alloy, or the stronger alloy. 1063 00:35:36,140 --> 00:35:38,329 It transfers heat to the solder 1064 00:35:38,330 --> 00:35:39,409 underneath. 1065 00:35:39,410 --> 00:35:41,030 And because it has a higher 1066 00:35:42,410 --> 00:35:44,119 liquefying temperature, it keeps the 1067 00:35:44,120 --> 00:35:46,729 solder hotter longer, keeps it liquefied 1068 00:35:46,730 --> 00:35:48,049 and gives you enough time to pull the 1069 00:35:48,050 --> 00:35:49,639 component away from the board. 1070 00:35:49,640 --> 00:35:51,889 So we did that for this small NAND 1071 00:35:51,890 --> 00:35:52,890 chip here. Excuse me. 1072 00:35:54,980 --> 00:35:56,899 And so now you see it, now you don't. 1073 00:35:59,000 --> 00:36:00,439 You pull the chip off the board and it 1074 00:36:00,440 --> 00:36:01,429 looks like this. 1075 00:36:01,430 --> 00:36:03,379 You've got to clean off the Chip Quik 1076 00:36:03,380 --> 00:36:04,849 and the alloy. 1077 00:36:04,850 --> 00:36:07,069 And this is Chris meticulously doing 1078 00:36:07,070 --> 00:36:09,259 that with a soldering iron and a heat gun 1079 00:36:09,260 --> 00:36:11,899 and something to straighten out the pins. 1080 00:36:11,900 --> 00:36:13,129 And eventually you'll get something like 1081 00:36:13,130 --> 00:36:14,130 that.
1082 00:36:14,750 --> 00:36:15,929 So now we've got the chip free. 1083 00:36:15,930 --> 00:36:17,299 So what do we do? 1084 00:36:17,300 --> 00:36:18,529 So I called Travis Goodspeed. 1085 00:36:18,530 --> 00:36:20,449 I asked him, "How do you, you know, 1086 00:36:20,450 --> 00:36:21,649 how can I read something? 1087 00:36:21,650 --> 00:36:23,329 Is there a universal reader or flash 1088 00:36:23,330 --> 00:36:24,589 programmer or something?" 1089 00:36:24,590 --> 00:36:26,449 And he recommended a device called the 1090 00:36:26,450 --> 00:36:27,739 Xeltek, the Xeltek 5000. 1091 00:36:27,740 --> 00:36:29,539 It's a pretty high-ticket, high-priced 1092 00:36:29,540 --> 00:36:31,249 item, but if you have a contract or 1093 00:36:31,250 --> 00:36:33,350 something, you can justify the expense. 1094 00:36:34,820 --> 00:36:36,469 And so what Chris and I did was we 1095 00:36:36,470 --> 00:36:38,089 got the right adapter cable, the 1096 00:36:38,090 --> 00:36:40,399 adapter set for it, slotted 1097 00:36:40,400 --> 00:36:41,400 the chip in. 1098 00:36:42,650 --> 00:36:43,650 And it looks like so. 1099 00:36:45,380 --> 00:36:47,479 We plugged it into the Xeltek, 1100 00:36:47,480 --> 00:36:49,399 the Xeltek immediately identified the chip 1101 00:36:49,400 --> 00:36:51,949 as an STM32 ARM core. 1102 00:36:51,950 --> 00:36:53,539 And now we're seeing the tie-in, right? 1103 00:36:53,540 --> 00:36:55,099 We can do ARM exploitation. 1104 00:36:55,100 --> 00:36:56,779 We're attacking an ARM core. 1105 00:36:56,780 --> 00:36:58,109 Now we're getting convergence, right? 1106 00:36:58,110 --> 00:36:59,599 We're using these hardware techniques to 1107 00:36:59,600 --> 00:37:02,689 attack embedded devices, 1108 00:37:02,690 --> 00:37:04,459 so we're able to pull the firmware. 1109 00:37:04,460 --> 00:37:06,529 And once we pull the firmware, we can 1110 00:37:06,530 --> 00:37:07,610 suck this thing into IDA.
1111 00:37:08,630 --> 00:37:10,489 Sometimes you'll get a bare-metal image, 1112 00:37:10,490 --> 00:37:12,589 like a single executable that's 1113 00:37:12,590 --> 00:37:13,549 doing direct 1114 00:37:13,550 --> 00:37:14,659 I/O on the pins. 1115 00:37:14,660 --> 00:37:17,809 Sometimes you'll get mini 1116 00:37:17,810 --> 00:37:19,759 file system images like a cramfs or 1117 00:37:19,760 --> 00:37:20,959 something like that. Then you'll have to 1118 00:37:20,960 --> 00:37:23,359 use something like Binwalk to slice 1119 00:37:23,360 --> 00:37:24,889 up the binary file and figure out what 1120 00:37:24,890 --> 00:37:27,379 part is the file system, what part's the 1121 00:37:27,380 --> 00:37:28,670 bootable image of the kernel. 1122 00:37:30,170 --> 00:37:31,369 You're going to have to fight with it a 1123 00:37:31,370 --> 00:37:33,889 lot, and there's a lot of 1124 00:37:33,890 --> 00:37:36,109 how-tos out there for how to carve 1125 00:37:36,110 --> 00:37:37,399 up certain executable types. 1126 00:37:38,630 --> 00:37:40,039 And we're actually going to be releasing 1127 00:37:40,040 --> 00:37:41,209 in 2014, 1128 00:37:41,210 --> 00:37:43,069 this is kind of pre-information, a 1129 00:37:43,070 --> 00:37:44,509 hardware hacking course where you will 1130 00:37:44,510 --> 00:37:46,699 pull firmware images, learn how to load 1131 00:37:46,700 --> 00:37:48,889 them into IDA and do some basic 1132 00:37:48,890 --> 00:37:50,089 ARM exploitation on them. 1133 00:37:50,090 --> 00:37:51,649 We're hoping to release that this year at 1134 00:37:51,650 --> 00:37:53,389 Black Hat. If not at Black Hat, we'll 1135 00:37:53,390 --> 00:37:54,619 definitely do it at one of the smaller 1136 00:37:54,620 --> 00:37:56,479 community events. Doing that with a guy 1137 00:37:56,480 --> 00:37:58,159 named Joe FitzPatrick, he's a really 1138 00:37:58,160 --> 00:38:00,049 awesome hardware hacker that spent about 1139 00:38:00,050 --> 00:38:01,069 a decade at Intel.
1140 00:38:01,070 --> 00:38:03,229 So, you know, keep 1141 00:38:03,230 --> 00:38:04,219 your eye out for that. 1142 00:38:04,220 --> 00:38:05,599 It's real-world hardware hacking. 1143 00:38:05,600 --> 00:38:07,219 We're going to introduce that course 1144 00:38:07,220 --> 00:38:08,220 later this year. 1145 00:38:09,080 --> 00:38:10,369 So what's some other stuff we might want 1146 00:38:10,370 --> 00:38:11,959 to do? Let's build some hardware 1147 00:38:11,960 --> 00:38:14,059 interfaces. So we had 1148 00:38:14,060 --> 00:38:16,399 a device that spoke to a 30-pin 1149 00:38:16,400 --> 00:38:17,400 cable, an 1150 00:38:18,950 --> 00:38:20,150 iOS cable. 1151 00:38:21,500 --> 00:38:22,699 And this is another one. 1152 00:38:22,700 --> 00:38:24,229 So we found this device called a 1153 00:38:24,230 --> 00:38:25,609 PodGizmo. 1154 00:38:25,610 --> 00:38:27,079 You might have seen stuff on USSR's 1155 00:38:27,080 --> 00:38:29,329 tweets about building these debug 1156 00:38:29,330 --> 00:38:31,009 cables and things for iPhones and stuff. 1157 00:38:31,010 --> 00:38:32,629 You use the PodGizmo. 1158 00:38:32,630 --> 00:38:34,549 And it's basically just a 30-pin cable 1159 00:38:34,550 --> 00:38:36,049 that gives you these headers. 1160 00:38:36,050 --> 00:38:37,879 You get these breakout headers. 1161 00:38:37,880 --> 00:38:40,159 All you can do is take these PodGizmos, 1162 00:38:40,160 --> 00:38:42,709 if you have a receptacle or plug side. 1163 00:38:42,710 --> 00:38:44,239 And in this one particular case we just 1164 00:38:44,240 --> 00:38:46,579 wanted to build a tap, so we connected 1165 00:38:46,580 --> 00:38:48,109 the receptacle on one side, 1166 00:38:48,110 --> 00:38:50,149 we connected the plug on the other side 1167 00:38:50,150 --> 00:38:52,039 and then we made a receptacle in between. 1168 00:38:52,040 --> 00:38:53,179 And the idea is that we're going to be 1169 00:38:53,180 --> 00:38:55,159 intercepting data on the bus.
1170 00:38:55,160 --> 00:38:56,449 So we're going to be intercepting serial 1171 00:38:56,450 --> 00:38:58,609 data across a 30-pin dock connector. 1172 00:39:00,200 --> 00:39:02,029 You take meticulous notes when you're 1173 00:39:02,030 --> 00:39:03,889 doing all these kinds of stuff. 1174 00:39:03,890 --> 00:39:05,569 I'm pretty ghetto. I just use a 1175 00:39:05,570 --> 00:39:07,159 continuity tester for a lot of this. 1176 00:39:07,160 --> 00:39:09,949 It beeps. If you connect two pins together, 1177 00:39:09,950 --> 00:39:11,209 you can figure out if you have a direct 1178 00:39:11,210 --> 00:39:12,210 connection. 1179 00:39:13,680 --> 00:39:14,999 I'll come back to this in a minute because 1180 00:39:15,000 --> 00:39:16,439 we're going to segue into talking about 1181 00:39:16,440 --> 00:39:18,359 the Facedancer in just a moment, which 1182 00:39:18,360 --> 00:39:21,749 is Travis Goodspeed's awesome USB 1183 00:39:21,750 --> 00:39:23,939 debugging tool, but some of the other 1184 00:39:23,940 --> 00:39:24,929 stuff you might want to do is build 1185 00:39:24,930 --> 00:39:26,249 custom power interfaces. 1186 00:39:26,250 --> 00:39:28,529 What I do for this is just hacking 1187 00:39:28,530 --> 00:39:31,049 together, basically, spliced cables. 1188 00:39:31,050 --> 00:39:33,389 And then I use this lab power supply, 1189 00:39:33,390 --> 00:39:35,309 the BK Precision, which is a really 1190 00:39:35,310 --> 00:39:36,689 nice, low-cost lab 1191 00:39:36,690 --> 00:39:39,089 power supply. It lets you vary the amperage 1192 00:39:39,090 --> 00:39:41,459 and the voltage to specifically power 1193 00:39:41,460 --> 00:39:42,389 devices. 1194 00:39:42,390 --> 00:39:43,829 Sometimes you might be pulling components 1195 00:39:43,830 --> 00:39:45,749 away. You want to individually power a 1196 00:39:45,750 --> 00:39:47,279 small chip or something. 1197 00:39:47,280 --> 00:39:48,869 The BK Precision is perfect for that.
1198 00:39:49,980 --> 00:39:51,689 So I mentioned before that we're going to 1199 00:39:51,690 --> 00:39:53,249 be sniffing stuff on the USB port. 1200 00:39:53,250 --> 00:39:55,469 So Travis Goodspeed's device is awesome 1201 00:39:55,470 --> 00:39:57,719 for just some 1202 00:39:57,720 --> 00:39:59,789 sniffy-type things, but it's really 1203 00:39:59,790 --> 00:40:02,219 good for simulating traffic, 1204 00:40:02,220 --> 00:40:03,119 like creating traffic. 1205 00:40:03,120 --> 00:40:04,709 And in that way it's a unique tool. 1206 00:40:04,710 --> 00:40:05,710 But the 1207 00:40:07,020 --> 00:40:09,479 the Beagle 5000, 1208 00:40:09,480 --> 00:40:11,129 which is created by a company named Total 1209 00:40:11,130 --> 00:40:13,189 Phase, which also created the 1210 00:40:13,190 --> 00:40:15,329 sniffers that Charlie Miller and Dino 1211 00:40:15,330 --> 00:40:17,519 Dai Zovi used for the car hacking stuff. 1212 00:40:17,520 --> 00:40:19,109 They create some really great debugging 1213 00:40:19,110 --> 00:40:21,839 interfaces, and this is their full-speed, 1214 00:40:21,840 --> 00:40:23,249 this is two of their devices actually, a 1215 00:40:23,250 --> 00:40:25,829 full-speed USB device, 1216 00:40:25,830 --> 00:40:27,959 USB sniffer, and essentially what it does 1217 00:40:27,960 --> 00:40:29,939 is you plug a device into the front, 1218 00:40:31,260 --> 00:40:33,449 you plug the thing the device 1219 00:40:33,450 --> 00:40:34,559 was supposed to plug into, 1220 00:40:34,560 --> 00:40:36,539 also into the front, that is the host, and 1221 00:40:36,540 --> 00:40:38,789 then out the back end it gives you a 1222 00:40:38,790 --> 00:40:41,009 cable that plugs into your computer and 1223 00:40:41,010 --> 00:40:42,509 then you use their really custom 1224 00:40:42,510 --> 00:40:44,609 Wireshark-style interface to 1225 00:40:44,610 --> 00:40:46,289 intercept traffic. 1226 00:40:46,290 --> 00:40:48,059 Are we good on time?
1227 00:40:48,060 --> 00:40:49,060 Yeah, OK. 1228 00:40:50,540 --> 00:40:51,540 All right. 1229 00:40:52,160 --> 00:40:53,160 So I feel like I 1230 00:40:54,410 --> 00:40:56,149 might be running a little bit long here, so let's 1231 00:40:56,150 --> 00:40:58,039 quickly jump forward and talk about 1232 00:40:58,040 --> 00:41:00,290 how we can spy on these communications. 1233 00:41:01,640 --> 00:41:03,739 So I mentioned before I built this custom 1234 00:41:03,740 --> 00:41:06,469 device to tap into this specific 1235 00:41:06,470 --> 00:41:07,470 piece of hardware. 1236 00:41:09,170 --> 00:41:10,639 And in the "Hardware Hacking for Software 1237 00:41:10,640 --> 00:41:12,499 People" talk, I go into a little bit how 1238 00:41:12,500 --> 00:41:14,869 you can use an oscilloscope 1239 00:41:14,870 --> 00:41:17,059 and things like that to 1240 00:41:17,060 --> 00:41:18,060 view some data. 1241 00:41:19,640 --> 00:41:21,019 But I want to specifically talk about 1242 00:41:21,020 --> 00:41:23,059 this USB sniffer so we can get on to 1243 00:41:23,060 --> 00:41:24,949 talking about Travis's really cool tool. 1244 00:41:26,430 --> 00:41:27,619 15 minutes. 1245 00:41:27,620 --> 00:41:28,620 All right. 1246 00:41:29,120 --> 00:41:31,339 So this Total Phase device, 1247 00:41:31,340 --> 00:41:32,629 it looks kind of like this. You remember 1248 00:41:32,630 --> 00:41:34,669 we built the dock connector way back 1249 00:41:34,670 --> 00:41:35,670 here. 1250 00:41:38,350 --> 00:41:39,709 Right there. 1251 00:41:39,710 --> 00:41:41,619 Right, so we built this really cool tap. 1252 00:41:41,620 --> 00:41:43,119 We know there's going to be USB stuff 1253 00:41:43,120 --> 00:41:44,829 across that cable. How do we listen to 1254 00:41:44,830 --> 00:41:46,719 it? So we're going to use this device 1255 00:41:46,720 --> 00:41:47,720 called the Total Phase.
1256 00:41:49,160 --> 00:41:51,859 And we'll plug the Total Phase into our 1257 00:41:51,860 --> 00:41:53,989 really hacked cable, and 1258 00:41:53,990 --> 00:41:55,189 the great thing about the Total Phase 1259 00:41:55,190 --> 00:41:57,289 devices is that they have a breakout 1260 00:41:57,290 --> 00:41:58,339 cable that comes with it. 1261 00:41:58,340 --> 00:42:00,589 So you just plug it into their interface 1262 00:42:00,590 --> 00:42:02,689 and it breaks out into these little 1263 00:42:02,690 --> 00:42:03,799 header pins and you can... 1264 00:42:05,060 --> 00:42:07,339 And when you plug it all in, you get a 1265 00:42:07,340 --> 00:42:09,889 really, really great representation 1266 00:42:09,890 --> 00:42:11,389 of what's happening on the USB bus. 1267 00:42:12,920 --> 00:42:15,289 So we have ways to sniff, 1268 00:42:15,290 --> 00:42:16,249 right? 1269 00:42:16,250 --> 00:42:18,529 We have tools like the Total Phase. 1270 00:42:18,530 --> 00:42:20,299 We have tools like the Facedancer. 1271 00:42:20,300 --> 00:42:22,459 So we have ways to sniff and intercept 1272 00:42:22,460 --> 00:42:23,449 the data. 1273 00:42:23,450 --> 00:42:24,829 How do we attack the data? 1274 00:42:24,830 --> 00:42:26,729 We also have the firmware image, right? 1275 00:42:26,730 --> 00:42:28,399 We can debug the processor. 1276 00:42:28,400 --> 00:42:30,679 Now, let's start putting stuff 1277 00:42:30,680 --> 00:42:32,479 into the device. 1278 00:42:32,480 --> 00:42:34,159 So we've got, like, our J-Link connected 1279 00:42:34,160 --> 00:42:36,319 there.
We can use 1280 00:42:36,320 --> 00:42:38,329 GDB through another tool called 1281 00:42:38,330 --> 00:42:40,459 PFI, which is the port for it, 1282 00:42:40,460 --> 00:42:42,769 so you can push it forward and have GDB 1283 00:42:42,770 --> 00:42:44,689 running and attacking and debugging the 1284 00:42:44,690 --> 00:42:46,939 device, so we can build 1285 00:42:46,940 --> 00:42:49,629 custom Python interfaces to 1286 00:42:49,630 --> 00:42:50,629 generate traffic. 1287 00:42:50,630 --> 00:42:52,819 But what device can we use to 1288 00:42:52,820 --> 00:42:55,219 actually attack these things? 1289 00:42:56,480 --> 00:42:58,099 So one of the great devices that we can 1290 00:42:58,100 --> 00:42:59,869 use, this slide is a little out of order, 1291 00:42:59,870 --> 00:43:00,879 I apologize. 1292 00:43:00,880 --> 00:43:03,019 We can use the Facedancer, 1293 00:43:03,020 --> 00:43:04,699 and I'll go into that in a second. 1294 00:43:04,700 --> 00:43:06,109 But one of the key things that you get 1295 00:43:06,110 --> 00:43:08,599 from attacking low-level devices 1296 00:43:08,600 --> 00:43:09,949 is you get crashes, right? 1297 00:43:09,950 --> 00:43:12,439 Like before, I told you, the 1298 00:43:12,440 --> 00:43:14,509 built-in HP server, and we got a crash 1299 00:43:14,510 --> 00:43:15,589 on the UART. 1300 00:43:15,590 --> 00:43:17,359 Well, if we can fuzz stuff like on the 1301 00:43:17,360 --> 00:43:19,429 USB bus, we'll also get crashes. 1302 00:43:19,430 --> 00:43:20,599 We'll be able to observe them through our 1303 00:43:20,600 --> 00:43:21,739 debugging interfaces. 1304 00:43:23,210 --> 00:43:25,219 And lots and lots of devices will 1305 00:43:25,220 --> 00:43:27,409 implement their own USB stacks 1306 00:43:27,410 --> 00:43:29,929 and their own USB protocol extensions 1307 00:43:29,930 --> 00:43:31,939 and things like that in bare hardware.
1308 00:43:31,940 --> 00:43:33,499 And you can find a lot of really juicy 1309 00:43:33,500 --> 00:43:35,779 bugs if you can just tool up enough 1310 00:43:35,780 --> 00:43:38,029 with the hardware to begin 1311 00:43:38,030 --> 00:43:40,099 investigating that attack surface. 1312 00:43:41,330 --> 00:43:43,789 One specific: everything's 1313 00:43:43,790 --> 00:43:45,019 iOS-compatible now. 1314 00:43:45,020 --> 00:43:47,239 Everyone wants to talk to an iPhone, 1315 00:43:47,240 --> 00:43:48,889 so you get a lot of devices that 1316 00:43:50,180 --> 00:43:52,699 will have their own implementation of 1317 00:43:52,700 --> 00:43:53,929 the iOS stack. 1318 00:43:55,860 --> 00:43:58,079 That STM32 1319 00:43:58,080 --> 00:43:59,729 chip that I showed you earlier, when I got 1320 00:43:59,730 --> 00:44:01,919 the J-Link interface and it said, 1321 00:44:01,920 --> 00:44:03,839 "Hey, this is an STM32," the one we 1322 00:44:03,840 --> 00:44:04,860 ripped the firmware out of. 1323 00:44:06,720 --> 00:44:08,519 These devices, the OEMs that 1324 00:44:08,520 --> 00:44:10,259 create them, and in fact the ones that create the 1325 00:44:10,260 --> 00:44:12,359 devices, will also build libraries 1326 00:44:12,360 --> 00:44:13,769 to implement some of this stuff, so they 1327 00:44:13,770 --> 00:44:16,079 implement their own USB 1328 00:44:16,080 --> 00:44:17,759 stack. Sometimes they'll implement the 1329 00:44:17,760 --> 00:44:19,859 iOS stack for you and give you libraries 1330 00:44:19,860 --> 00:44:21,569 to use to do that. 1331 00:44:21,570 --> 00:44:23,249 And this one manufacturer, in fact, does. 1332 00:44:23,250 --> 00:44:25,229 They call it the iAP libraries. 1333 00:44:25,230 --> 00:44:26,489 So this is the iOS 1334 00:44:27,630 --> 00:44:29,729 C implementation that they recommend 1335 00:44:29,730 --> 00:44:31,259 for the STM32 devices.
1336 00:44:31,260 --> 00:44:33,839 So when you start fuzzing via USB, 1337 00:44:33,840 --> 00:44:35,249 you're going to find crashes inside of 1338 00:44:35,250 --> 00:44:37,409 their iOS, inside of their iAP 1339 00:44:37,410 --> 00:44:38,410 libraries and stuff. 1340 00:44:40,510 --> 00:44:41,510 So, skipping forward. 1341 00:44:43,580 --> 00:44:45,230 So how do we inject a lot of this stuff? 1342 00:44:46,250 --> 00:44:47,929 How do we begin investigating 1343 00:44:47,930 --> 00:44:48,979 USB devices? 1344 00:44:50,000 --> 00:44:52,219 The de facto tool is Travis Goodspeed's 1345 00:44:52,220 --> 00:44:53,220 Facedancer. 1346 00:44:54,350 --> 00:44:55,669 There was the Facedancer 10, 1347 00:44:55,670 --> 00:44:57,859 the Facedancer 11. 1348 00:44:57,860 --> 00:44:59,719 A bunch of community people contributed 1349 00:44:59,720 --> 00:45:01,189 and made some modifications and we got 1350 00:45:01,190 --> 00:45:02,239 the Facedancer 1351 00:45:02,240 --> 00:45:04,819 21. For the longest time 1352 00:45:04,820 --> 00:45:06,859 this required assembly, and if you're 1353 00:45:06,860 --> 00:45:09,949 like me and you're new to hardware, 1354 00:45:09,950 --> 00:45:11,989 assembly is basically a barrier to entry 1355 00:45:11,990 --> 00:45:13,679 that's extremely hard to overcome, right? 1356 00:45:13,680 --> 00:45:14,989 You just want to sit down. 1357 00:45:14,990 --> 00:45:16,009 You're used to Python. 1358 00:45:16,010 --> 00:45:17,149 You're used to debuggers. 1359 00:45:17,150 --> 00:45:18,440 You want to just start using a tool. 1360 00:45:19,490 --> 00:45:21,709 So to address 1361 00:45:21,710 --> 00:45:23,719 this for the community, we got the idea 1362 00:45:23,720 --> 00:45:25,939 to start something called 1363 00:45:25,940 --> 00:45:27,259 int3.cc. 1364 00:45:27,260 --> 00:45:29,779 If you go to the website int3.cc, 1365 00:45:29,780 --> 00:45:31,429 you can...
It's basically a community- 1366 00:45:31,430 --> 00:45:34,189 driven web store for 1367 00:45:34,190 --> 00:45:36,589 information-security-related 1368 00:45:36,590 --> 00:45:38,449 tools, and the one we wanted to start 1369 00:45:38,450 --> 00:45:39,499 with was the Facedancer. 1370 00:45:39,500 --> 00:45:41,599 And the basic idea is that I, 1371 00:45:41,600 --> 00:45:43,729 my company Xipiter and 1372 00:45:43,730 --> 00:45:45,769 people who are working with me front the 1373 00:45:45,770 --> 00:45:47,989 cost of manufacturing, 1374 00:45:47,990 --> 00:45:50,629 assembly, shipping and fulfillment. 1375 00:45:50,630 --> 00:45:53,299 So if you come to me with a cool project 1376 00:45:53,300 --> 00:45:54,859 and you need help getting it to the 1377 00:45:54,860 --> 00:45:56,629 masses or getting it to conferences like 1378 00:45:56,630 --> 00:45:58,759 CCC, we'll basically pay for 1379 00:45:58,760 --> 00:46:00,229 manufacturing. And so what we did 1380 00:46:01,520 --> 00:46:02,809 this with was the Facedancer 1381 00:46:02,810 --> 00:46:03,739 21. 1382 00:46:03,740 --> 00:46:05,029 You can buy them now. 1383 00:46:05,030 --> 00:46:06,889 We'll have them shipped to you 1384 00:46:06,890 --> 00:46:08,689 within a few days. 1385 00:46:08,690 --> 00:46:10,999 And since we opened the store in July, 1386 00:46:11,000 --> 00:46:13,219 we've sold hundreds of these things, 1387 00:46:13,220 --> 00:46:15,140 mostly international from the US. 1388 00:46:17,600 --> 00:46:18,600 Thank you. 1389 00:46:20,920 --> 00:46:21,920 Thank you. 1390 00:46:22,900 --> 00:46:24,339 So this is an example of a slightly 1391 00:46:24,340 --> 00:46:26,679 modified Facedancer. 1392 00:46:26,680 --> 00:46:28,269 This is a Xipiter-modified Facedancer 1393 00:46:28,270 --> 00:46:30,429 21. You can see Travis's 1394 00:46:30,430 --> 00:46:32,079 name still there, but it's basically the 1395 00:46:32,080 --> 00:46:33,609 same device.
1396 00:46:33,610 --> 00:46:36,069 This is the web store, int3.cc. 1397 00:46:36,070 --> 00:46:37,539 And where we launched, we've launched a 1398 00:46:37,540 --> 00:46:38,649 few other simple products. 1399 00:46:38,650 --> 00:46:41,349 This was one called the USB Condom, 1400 00:46:41,350 --> 00:46:43,629 and essentially it's a USB 1401 00:46:43,630 --> 00:46:45,999 connection that has the data pins chopped 1402 00:46:46,000 --> 00:46:47,769 off. So if you want to charge your cell 1403 00:46:47,770 --> 00:46:49,899 phone without, 1404 00:46:49,900 --> 00:46:51,369 you know, the fear of data syncing, you 1405 00:46:51,370 --> 00:46:52,690 can use a USB Condom. 1406 00:46:53,830 --> 00:46:56,019 I made it mostly as a joke, as a thing to do free 1407 00:46:56,020 --> 00:46:57,849 giveaways at conferences and talks and 1408 00:46:57,850 --> 00:46:59,649 stuff. And there was a media frenzy 1409 00:46:59,650 --> 00:47:01,119 around it. WNBC picked it up, 1410 00:47:02,320 --> 00:47:04,209 Wired. Everyone picked the story up and 1411 00:47:04,210 --> 00:47:06,309 it was for sale on int3.cc. 1412 00:47:06,310 --> 00:47:08,079 We got 1.2 million hits in the first 1413 00:47:08,080 --> 00:47:09,189 weekend, The Verge. 1414 00:47:09,190 --> 00:47:11,229 It was on Slashdot news and a bunch of 1415 00:47:11,230 --> 00:47:12,230 places. 1416 00:47:13,330 --> 00:47:14,859 And so there's another project which is 1417 00:47:14,860 --> 00:47:16,659 also in the talk description that we're 1418 00:47:16,660 --> 00:47:18,069 running out of time for. 1419 00:47:18,070 --> 00:47:19,419 But it's a hardware device that we're 1420 00:47:19,420 --> 00:47:20,889 also selling on int3. 1421 00:47:20,890 --> 00:47:22,629 And we also hope to have the community 1422 00:47:22,630 --> 00:47:24,189 back us, we'll maybe launch a Kickstarter 1423 00:47:24,190 --> 00:47:26,109 project for it later this year, and it's 1424 00:47:26,110 --> 00:47:27,729 a device called the Osprey.
1425 00:47:27,730 --> 00:47:29,409 And the idea is that Osprey is going to 1426 00:47:29,410 --> 00:47:31,420 be a hardware device. 1427 00:47:32,530 --> 00:47:35,019 It's basically Metasploit for hardware. 1428 00:47:35,020 --> 00:47:36,729 So if you want to do Bus Pirate stuff, 1429 00:47:36,730 --> 00:47:38,289 if you want to do glitching, you 1430 00:47:38,290 --> 00:47:40,299 basically download a firmware image, 1431 00:47:40,300 --> 00:47:42,549 flash it over USB and 1432 00:47:42,550 --> 00:47:44,739 buy the appropriate modules and 1433 00:47:44,740 --> 00:47:46,989 you can do whatever it is you're trying 1434 00:47:46,990 --> 00:47:48,369 to do. 1435 00:47:48,370 --> 00:47:49,749 So the Osprey is actually for 1436 00:47:49,750 --> 00:47:51,459 researchers. This is a tool that I want 1437 00:47:51,460 --> 00:47:53,079 to get in the hands of researchers within 1438 00:47:53,080 --> 00:47:54,080 the next year or so. 1439 00:47:55,120 --> 00:47:57,369 And the idea is that if you know enough 1440 00:47:57,370 --> 00:47:58,899 about the firmware, know enough about 1441 00:47:58,900 --> 00:48:00,429 the device to help me develop firmware 1442 00:48:00,430 --> 00:48:01,389 images for it, 1443 00:48:01,390 --> 00:48:03,039 great. If not, and you just want to use 1444 00:48:03,040 --> 00:48:04,269 different firmware images, kind of like 1445 00:48:04,270 --> 00:48:06,339 Metasploit, you can be just a user 1446 00:48:06,340 --> 00:48:07,239 also. 1447 00:48:07,240 --> 00:48:09,339 But the problem is that manufacturing 1448 00:48:09,340 --> 00:48:11,169 costs are really high. 1449 00:48:11,170 --> 00:48:14,049 And so the idea behind this, 1450 00:48:14,050 --> 00:48:15,099 and we don't know if it's going to be 1451 00:48:15,100 --> 00:48:17,439 successful yet, is to launch it as 1452 00:48:17,440 --> 00:48:19,059 a consumer product.
1453 00:48:19,060 --> 00:48:21,249 So the idea is that I want to create this 1454 00:48:21,250 --> 00:48:23,199 product that's called Tally. 1455 00:48:23,200 --> 00:48:26,109 And essentially, the device is used to 1456 00:48:26,110 --> 00:48:28,119 monitor your home. 1457 00:48:28,120 --> 00:48:31,299 And so built into these boards 1458 00:48:31,300 --> 00:48:32,769 is a small chip that's capable of 1459 00:48:32,770 --> 00:48:35,259 speaking Zigbee and these low-power RF, 1460 00:48:35,260 --> 00:48:36,999 which people like us can use to attack 1461 00:48:37,000 --> 00:48:38,739 low-power RF networks. 1462 00:48:38,740 --> 00:48:40,569 But functionally, to most consumers, what 1463 00:48:40,570 --> 00:48:42,909 this device is is a way to monitor 1464 00:48:42,910 --> 00:48:44,109 the world around them. 1465 00:48:44,110 --> 00:48:45,969 So you can take a Tally device, you can 1466 00:48:45,970 --> 00:48:47,439 hang it on your door, you can take a 1467 00:48:47,440 --> 00:48:49,329 Tally device, you can put it in your 1468 00:48:49,330 --> 00:48:50,589 dog kennel or monitor the 1469 00:48:50,590 --> 00:48:52,479 temperature. And all devices will 1470 00:48:52,480 --> 00:48:54,669 communicate via Zigbee or 1471 00:48:54,670 --> 00:48:57,339 SimpliciTI as it's being prototyped now.
1472 00:48:57,340 --> 00:48:59,439 They'll speak RF to each other, monitor 1473 00:48:59,440 --> 00:49:01,269 the world around them, and if any events 1474 00:49:01,270 --> 00:49:02,799 occur, like if you want to know if 1475 00:49:02,800 --> 00:49:04,299 someone came into your hotel room while 1476 00:49:04,300 --> 00:49:05,979 you're out at the conference, you can 1477 00:49:05,980 --> 00:49:08,079 hang a Tally sensor on the door and 1478 00:49:08,080 --> 00:49:10,149 log that information internally to a 1479 00:49:10,150 --> 00:49:12,249 micro SD card, which will then be either 1480 00:49:12,250 --> 00:49:14,529 transmitted via Bluetooth 1481 00:49:14,530 --> 00:49:16,779 or USB to your cell 1482 00:49:16,780 --> 00:49:18,729 phone. And there's an app running on your 1483 00:49:18,730 --> 00:49:20,739 cell phone that I've written for Android 1484 00:49:20,740 --> 00:49:22,329 that receives all the log data from your 1485 00:49:22,330 --> 00:49:23,319 Tally device. 1486 00:49:23,320 --> 00:49:24,819 And the idea is that this will be really 1487 00:49:24,820 --> 00:49:26,649 low-cost, 20 bucks a sensor. 1488 00:49:26,650 --> 00:49:29,019 You can expand your RF network, 1489 00:49:29,020 --> 00:49:31,419 and then if you're a researcher, 1490 00:49:31,420 --> 00:49:33,129 you can be using the different firmware 1491 00:49:33,130 --> 00:49:35,169 images to do things like glitching or 1492 00:49:35,170 --> 00:49:36,819 attacking low-power RF networks and 1493 00:49:36,820 --> 00:49:38,769 stuff. But to consumers, they think 1494 00:49:38,770 --> 00:49:39,939 they're getting a consumer product. 1495 00:49:39,940 --> 00:49:41,769 And for us, we have the consumers 1496 00:49:41,770 --> 00:49:43,959 subsidize the research tool, 1497 00:49:43,960 --> 00:49:44,960 right? 1498 00:49:51,420 --> 00:49:53,729 So that's the dream.
1499 00:49:53,730 --> 00:49:55,709 And hopefully later this year, if you 1500 00:49:55,710 --> 00:49:58,379 follow, you can sign up on the website 1501 00:49:58,380 --> 00:50:00,389 and help support the idea. 1502 00:50:00,390 --> 00:50:01,679 And if you are interested in helping 1503 00:50:01,680 --> 00:50:03,809 develop for it, that would be great 1504 00:50:03,810 --> 00:50:06,059 too. But right now 1505 00:50:06,060 --> 00:50:07,409 you can just sign up on the mailing list 1506 00:50:07,410 --> 00:50:08,819 and we'll probably launch the Kickstarter 1507 00:50:08,820 --> 00:50:10,109 later this year or something. 1508 00:50:10,110 --> 00:50:12,269 Or we'll figure out a way to do it as 1509 00:50:12,270 --> 00:50:13,829 a community. But right now, I just want 1510 00:50:13,830 --> 00:50:15,239 to use this as an opportunity to open a 1511 00:50:15,240 --> 00:50:16,650 dialog with folks like yourself. 1512 00:50:19,440 --> 00:50:21,149 So, Project Osprey. So what are some of 1513 00:50:21,150 --> 00:50:22,229 the things we want to do? 1514 00:50:22,230 --> 00:50:24,299 It's got on-board ROM and 1515 00:50:24,300 --> 00:50:26,459 micro SD for storage. 1516 00:50:26,460 --> 00:50:28,589 We can use it for attacking RF networks, 1517 00:50:28,590 --> 00:50:30,569 or we can use it for RF capability. 1518 00:50:30,570 --> 00:50:33,299 So low-power, low-cost, low-power. 1519 00:50:33,300 --> 00:50:35,579 We can do serial interfaces, got two 1520 00:50:35,580 --> 00:50:37,949 FTDIs on it to speak serial 1521 00:50:37,950 --> 00:50:39,690 to your computer. 1522 00:50:40,830 --> 00:50:43,079 It's got an expandable mezzanine, which 1523 00:50:43,080 --> 00:50:44,699 are those connectors along the side, and 1524 00:50:44,700 --> 00:50:46,709 I manufacture a small breadboard so you 1525 00:50:46,710 --> 00:50:48,689 can do
Prototyping on the bread board 1526 00:50:48,690 --> 00:50:50,639 slotted into the bore into the board and 1527 00:50:50,640 --> 00:50:52,139 then update the firmware image and boom. 1528 00:50:52,140 --> 00:50:53,140 You've got a whole new device. 1529 00:50:54,720 --> 00:50:56,369 There's the device there, some closer 1530 00:50:56,370 --> 00:50:58,019 pictures of it. You can see the mezzanine 1531 00:50:58,020 --> 00:50:59,020 along the top. 1532 00:50:59,850 --> 00:51:01,409 And these are the devices communicating 1533 00:51:01,410 --> 00:51:02,969 with each other. It's also powered on 1534 00:51:02,970 --> 00:51:05,109 consumer batteries to 1535 00:51:05,110 --> 00:51:07,109 Triple-A batteries, which is cool. 1536 00:51:07,110 --> 00:51:08,790 There's a plug into an Android device, 1537 00:51:09,990 --> 00:51:11,519 and so that's the idea. That's the dream. 1538 00:51:11,520 --> 00:51:13,749 Ospreys Osprey 1539 00:51:13,750 --> 00:51:15,569 is Ospreay for us, the researchers and 1540 00:51:15,570 --> 00:51:17,789 its tally to the consumer market, and 1541 00:51:17,790 --> 00:51:19,589 hopefully we can have them pay for really 1542 00:51:19,590 --> 00:51:20,879 awesome research tools for us. 1543 00:51:23,130 --> 00:51:25,259 Some other really cool side features, 1544 00:51:25,260 --> 00:51:26,819 we can use this thing for kind of bus 1545 00:51:26,820 --> 00:51:28,979 pirate functionality or a 1546 00:51:28,980 --> 00:51:30,449 good fit style functionality not to 1547 00:51:30,450 --> 00:51:32,639 replace Travis's awesome tool, but we can 1548 00:51:32,640 --> 00:51:34,409 use it for that kind of thing. 1549 00:51:34,410 --> 00:51:35,579 We can do it for simple glitching 1550 00:51:35,580 --> 00:51:37,679 attacks, attacking low power 1551 00:51:37,680 --> 00:51:39,899 RF networks and 1552 00:51:39,900 --> 00:51:40,939 some other neat interfaces. 
1553 00:51:40,940 --> 00:51:42,179 It's got a Tag-Connect programming
1554 00:51:42,180 --> 00:51:44,909 interface so we can
1555 00:51:44,910 --> 00:51:46,799 plug our computers into it and debug it
1556 00:51:46,800 --> 00:51:50,069 using a really cool debugging
1557 00:51:50,070 --> 00:51:51,479 interface. Those are the mezzanine
1558 00:51:51,480 --> 00:51:53,339 connectors I mentioned.
1559 00:51:53,340 --> 00:51:55,800 Those are the two antennas
1560 00:51:58,320 --> 00:51:59,969 right there. Those are the two antennas.
1561 00:51:59,970 --> 00:52:02,129 So there's one SMA connector
1562 00:52:02,130 --> 00:52:04,379 and there's one built in,
1563 00:52:04,380 --> 00:52:05,699 what's called a ceramic antenna.
1564 00:52:05,700 --> 00:52:07,559 So if you want to attach a stronger
1565 00:52:07,560 --> 00:52:09,659 antenna, you can screw it into the board.
1566 00:52:09,660 --> 00:52:12,029 If not, you can use the permanent
1567 00:52:12,030 --> 00:52:13,139 ceramic that's on board.
1568 00:52:14,730 --> 00:52:16,079 Those are two USB connectors.
1569 00:52:16,080 --> 00:52:17,429 We've got an FTDI.
1570 00:52:17,430 --> 00:52:19,289 The newer version has two FTDIs on
1571 00:52:19,290 --> 00:52:21,509 it, and that's basically
1572 00:52:21,510 --> 00:52:23,579 it. And like I said, in terms of
1573 00:52:23,580 --> 00:52:25,139 milestones, basically you want to figure
1574 00:52:25,140 --> 00:52:26,339 out how to get this to the consumer
1575 00:52:26,340 --> 00:52:28,289 market, maybe do a Kickstarter or
1576 00:52:28,290 --> 00:52:29,579 something and start doing first
1577 00:52:29,580 --> 00:52:31,529 production runs and getting these to
1578 00:52:31,530 --> 00:52:33,269 people in our community to do kind of
1579 00:52:33,270 --> 00:52:35,119 community driven development.
1580 00:52:35,120 --> 00:52:36,479 Figure out ways that people want to use
1581 00:52:36,480 --> 00:52:38,549 it, do all of the features around it
1582 00:52:38,550 --> 00:52:40,619 and then have the consumer
1583 00:52:40,620 --> 00:52:41,670 subsidize it for us.
1584 00:52:43,730 --> 00:52:45,289 So conclusions and takeaways. I know it's a
1585 00:52:45,290 --> 00:52:47,419 lot of stuff, there's a lot of hardware,
1586 00:52:47,420 --> 00:52:50,149 embedded hacking tools and techniques,
1587 00:52:50,150 --> 00:52:52,009 ARM exploitation.
1588 00:52:52,010 --> 00:52:53,779 Basically, what I want you to know is if
1589 00:52:53,780 --> 00:52:55,399 I can figure out how to do this stuff
1590 00:52:55,400 --> 00:52:57,079 without having known anything or gotten
1591 00:52:57,080 --> 00:52:59,149 any degree, it's very accessible
1592 00:52:59,150 --> 00:53:00,409 to you. If you know, if you're smart
1593 00:53:00,410 --> 00:53:02,179 enough to write software, you're smart
1594 00:53:02,180 --> 00:53:03,349 enough to learn about hardware because
1595 00:53:03,350 --> 00:53:05,689 hardware is simpler than software.
1596 00:53:05,690 --> 00:53:07,369 And what's really great is that through
1597 00:53:07,370 --> 00:53:09,499 community endeavors like CCC and things
1598 00:53:09,500 --> 00:53:11,479 like that, we can all band together and
1599 00:53:11,480 --> 00:53:13,219 start to really build some awesome tools.
1600 00:53:13,220 --> 00:53:15,769 Die Datenkrake is also an example.
1601 00:53:15,770 --> 00:53:17,809 The Facedancer is a great example.
1602 00:53:17,810 --> 00:53:19,099 And we're really stepping into a new
1603 00:53:19,100 --> 00:53:22,039 world of really awesome embedded security
1604 00:53:22,040 --> 00:53:24,049 and really custom embedded devices made
1605 00:53:24,050 --> 00:53:25,669 by us, the community.
1606 00:53:25,670 --> 00:53:27,409 And that's basically it.
1607 00:53:27,410 --> 00:53:28,939 That's all I have. And these are some
1608 00:53:28,940 --> 00:53:31,219 URLs you may want, and thank
1609 00:53:31,220 --> 00:53:32,729 you very much for listening and hopefully
1610 00:53:32,730 --> 00:53:33,730 we can make it happen.
1611 00:53:45,180 --> 00:53:46,379 Steven, thanks for the talk.
1612 00:53:46,380 --> 00:53:48,809 We have some time for questions.
1613 00:53:48,810 --> 00:53:51,269 Please try to not so much
1614 00:53:51,270 --> 00:53:53,819 up but line up behind the microphones.
1615 00:53:53,820 --> 00:53:56,219 And while we, while you do that,
1616 00:53:56,220 --> 00:53:58,529 we have a question from our signal angel.
1617 00:53:58,530 --> 00:54:00,059 Yeah, maybe it's just a short one.
1618 00:54:01,230 --> 00:54:03,479 So the chip, you used the Chip Quik
1619 00:54:03,480 --> 00:54:05,729 on, why didn't you
1620 00:54:05,730 --> 00:54:08,789 access the JTAG interface directly?
1621 00:54:08,790 --> 00:54:10,019 Why did you solder it off?
1622 00:54:11,730 --> 00:54:14,069 Oh, in that case, you can hear me.
1623 00:54:14,070 --> 00:54:14,959 Yeah, I don't know.
1624 00:54:14,960 --> 00:54:15,960 Where are you?
1625 00:54:16,710 --> 00:54:17,989 Where is, who's speaking?
1626 00:54:17,990 --> 00:54:19,829 He made me up here.
1627 00:54:19,830 --> 00:54:20,999 There you go.
1628 00:54:21,000 --> 00:54:22,469 All right. Yeah. In that particular case,
1629 00:54:22,470 --> 00:54:23,909 there was no. Usually they have things
1630 00:54:23,910 --> 00:54:26,519 like test points on the PCB
1631 00:54:26,520 --> 00:54:27,809 where you can, like, sort of a header or
1632 00:54:27,810 --> 00:54:29,249 something. They had nothing.
1633 00:54:29,250 --> 00:54:32,369 There was this small PCB real estate.
1634 00:54:32,370 --> 00:54:33,389 So there's nothing we could really
1635 00:54:33,390 --> 00:54:34,319 connect to.
1636 00:54:34,320 --> 00:54:35,489 We could have probably gone in through
1637 00:54:35,490 --> 00:54:36,809 the top and, like, soldered pins
1638 00:54:36,810 --> 00:54:39,089 individually, but it's the same game
1639 00:54:39,090 --> 00:54:41,199 basically, or manually soldering pins, it's
1640 00:54:41,200 --> 00:54:43,169 just easier to pull it off, and you can
1641 00:54:43,170 --> 00:54:45,749 sacrifice one board, weaponize an attack
1642 00:54:45,750 --> 00:54:47,279 and then use it on other things, like if
1643 00:54:47,280 --> 00:54:49,589 it's, you know, a mass, a mass consumer
1644 00:54:49,590 --> 00:54:51,659 product, you just sacrifice one and use
1645 00:54:51,660 --> 00:54:53,279 it to attack multiple.
1646 00:54:53,280 --> 00:54:55,319 So, OK, thank you.
1647 00:54:55,320 --> 00:54:57,179 OK. Could you be a little bit more quiet
1648 00:54:57,180 --> 00:54:58,409 while leaving and entering?
1649 00:54:58,410 --> 00:55:00,389 It's hard to do a Q&A session with so
1650 00:55:00,390 --> 00:55:02,249 many people talking, and there's a
1651 00:55:02,250 --> 00:55:04,709 question on microphone two, please.
1652 00:55:04,710 --> 00:55:05,879 Yeah. Hello.
1653 00:55:05,880 --> 00:55:07,959 OK, so let's
1654 00:55:07,960 --> 00:55:09,989 have a question with just a couple of
1655 00:55:09,990 --> 00:55:11,519 suggestions from my own experience
1656 00:55:12,600 --> 00:55:14,819 in regards to what the gentleman
1657 00:55:14,820 --> 00:55:16,439 was just saying about, like, why is this
1658 00:55:16,440 --> 00:55:18,749 harder, and not just use JTAG.
1659 00:55:18,750 --> 00:55:19,829 You know you're talking about, with JTAG.
1660 00:55:19,830 --> 00:55:21,929 There's a, at a
1661 00:55:21,930 --> 00:55:23,729 con a couple of weeks ago, a guy
1662 00:55:23,730 --> 00:55:25,199 gave a presentation, I think, called the
1663 00:55:25,200 --> 00:55:26,069 JTAGulator.
1664 00:55:26,070 --> 00:55:27,269 Yeah, that's awesome.
1665 00:55:27,270 --> 00:55:29,219 Which is like a Bus Pirate.
1666 00:55:29,220 --> 00:55:30,719 No, it's for JTAG.
1667 00:55:30,720 --> 00:55:32,759 Yeah, so definitely check that out.
1668 00:55:32,760 --> 00:55:34,259 I've got one. It's awesome.
1669 00:55:34,260 --> 00:55:37,739 Also, the Xeltek 5000
1670 00:55:37,740 --> 00:55:40,559 is really expensive, and
1671 00:55:40,560 --> 00:55:43,259 Adafruit sells a carrier.
1672 00:55:43,260 --> 00:55:44,579 They don't have the software, they don't
1673 00:55:44,580 --> 00:55:45,599 have the programmer.
1674 00:55:45,600 --> 00:55:47,639 So it's, it's just the carrier, but it's
1675 00:55:47,640 --> 00:55:49,799 like a carrier for, for the, for the,
1676 00:55:49,800 --> 00:55:50,879 for the chips.
1677 00:55:50,880 --> 00:55:52,949 So and then it breaks it out and breaks
1678 00:55:52,950 --> 00:55:54,749 it out onto, like, point one pins.
1679 00:55:54,750 --> 00:55:57,029 So and that's like 50 bucks
1680 00:55:57,030 --> 00:55:58,119 instead of fifteen hundred.
1681 00:55:58,120 --> 00:55:59,580 Yeah. So
1682 00:56:01,290 --> 00:56:02,999 and that was basically it.
1683 00:56:03,000 --> 00:56:03,389 Thanks.
1684 00:56:03,390 --> 00:56:05,249 Cool. Yeah. Now the JTAGulator is great.
1685 00:56:05,250 --> 00:56:06,569 In the Android Hacker's Handbook
1686 00:56:06,570 --> 00:56:07,619 we have a little bit about the
1687 00:56:07,620 --> 00:56:08,669 JTAGulator.
1688 00:56:08,670 --> 00:56:10,469 For those who are unfamiliar, JTAGulator
1689 00:56:10,470 --> 00:56:12,839 is basically a way to brute force
1690 00:56:12,840 --> 00:56:14,069 debugging pins.
1691 00:56:14,070 --> 00:56:16,289 So if you have a JTAG interface, it isn't
1692 00:56:16,290 --> 00:56:17,879 identified with a silk screen, like you
1693 00:56:17,880 --> 00:56:19,020 don't know what pins do. What,
1694 00:56:20,070 --> 00:56:21,869 you may have five or six or seven or
1695 00:56:21,870 --> 00:56:23,789 eight pins sticking out of the board. What
1696 00:56:23,790 --> 00:56:25,109 a JTAGulator does is,
1697 00:56:25,110 --> 00:56:27,389 it lets you attach to all those pins
1698 00:56:27,390 --> 00:56:28,709 and then it does all the math, the
1699 00:56:28,710 --> 00:56:30,839 combinatorics, and tests each
1700 00:56:30,840 --> 00:56:32,969 pin and tells you, OK, that one
1701 00:56:32,970 --> 00:56:35,249 is TDO,
1702 00:56:35,250 --> 00:56:37,439 that one's TDI, that one's power, that
1703 00:56:37,440 --> 00:56:38,879 one's plus five volts.
1704 00:56:38,880 --> 00:56:40,859 So yes, that JTAGulator is awesome.
1705 00:56:40,860 --> 00:56:41,999 And it's Joe Grand's tool.
1706 00:56:42,000 --> 00:56:43,889 It's a great, it's a great tool.
1707 00:56:43,890 --> 00:56:45,269 It's pink, but it's great.
1708 00:56:45,270 --> 00:56:46,270 It's really cool.
1709 00:56:47,070 --> 00:56:48,989 OK, for all those leaving the room right
1710 00:56:48,990 --> 00:56:51,149 now, I would like to ask you to
1711 00:56:51,150 --> 00:56:53,369 not only convert all the
1712 00:56:53,370 --> 00:56:55,529 chairs that have been used as a table
1713 00:56:55,530 --> 00:56:58,019 now back to a chair, and
1714 00:56:58,020 --> 00:56:59,819 please also take your trash with you.
1715 00:56:59,820 --> 00:57:01,079 Are there any more questions?
1716 00:57:03,240 --> 00:57:04,240 All right.
1717 00:57:05,760 --> 00:57:07,109 No. So thanks a lot.
1718 00:57:07,110 --> 00:57:08,549 Please take your trash with you when you
1719 00:57:08,550 --> 00:57:09,550 are leaving.