I'm Mike Davis. I'm here to talk about hacking a HackRF. Can you hear me now? Yeah, okay, I'll just shout a bit. I'm a little bit hungover and I've got a bit of a cold, so my voice is a bit deep, but yeah, I'm talking about hacking a HackRF. Basically the idea is to show you guys how to take a HackRF apart a little bit, maybe modify it, and make it do some things it's not supposed to, which is kind of cool. I'm Elastic Ninja on Twitter, Mike Davis, doing a master's in information security, and I love hacking stuff. I've done a lot of hardware talks and I built this badge as well, so talk to me about that later if you want.

Okay, so what is a HackRF? I've actually got my HackRF apart on the table in front of me here. It's a pretty sketchy setup, but that's a HackRF pretty much open. It's a software defined radio and you can get it from Great Scott Gadgets. It's quite a nice, accessible device. It's $330, I think, and it's open source hardware, which is why I get all excited about it. One of the fun things about a HackRF, if you want to change it, is actually taking it apart. The first time I did it there were a lot of bad cracking noises and I actually broke the case. I used the tool on the left, and if you search on the internet there are quite a few talks about how to do it the proper way. The best way is to use Jared Boone of ShareBrained's little guitar pick; he's got a very specific type, so you can just go buy one at the store and the thing pops open. He's actually done a ten-second video on it, so that's what you can look at.

So here's a map of the world of the internals of the HackRF. The top right-hand section is just RF and dragons; don't fiddle in there. There's not a lot you can do there, though you can change it in software, so that's the interesting part. I'm going to focus on the other side of it, which is basically everything from the RF section onwards.
If you have a look at the baseband header you can get the raw 20 megasample, or rather 20 megahertz, baseband; both the transmitter and the receiver are in there. The only problem I have with that header is I don't think it's a good RF header, so if you want to do something with it you probably want to replace it, or maybe put something with better contacts in it.

This is the CPLD. It does a lot of the heavy lifting: decimation and moving the data from the front end, which I didn't mention. That's the little chip on the bottom left there; it samples the raw baseband and turns it into digital data, so that's actually the digital part of the SDR that you can see. The CPLD is kind of like, I like to call it a weak FPGA, but that's not really what it is. It's a logic device. You can program it to map, I mean in this case I think it's mapping pins between the front end and the actual processor. It does decimation and a bunch of other RF-type activities.

And then you've got the actual microcontroller itself with all the headers, and that's the bit that's pretty interesting for me. If you take a look at this, this is a GreatFET. They've actually chopped the HackRF in half and just given you that bit on the left there, in a slightly different format and with a slightly different chip as well. If you ask them about the GreatFET, it's quite a nice little device. I think they've done a lot of talks on infrared and that kind of thing, and you can also use it as a kind of logic analyzer if you want. So that's quite a cool thing.

Most of the work I've done has been in this little section here. It involves a lot of this kind of thing: breadboards and little wires sticking all over the place. I've seen someone do a very nice PCB to join two HackRFs together. It was an academic project and I'll try and find that link, but it's really cool what they did.
They worked on the CPLD side and modified that to synchronize two HackRFs. I focused on the processor side, and I failed. Anyway, I had a good time doing it.

Like I said before, one of the great things about the HackRF is that it's open source hardware. They publish all the schematics and you can go have a look through them; really, you can go to Michael Ossmann's GitHub and have a look in KiCad. When you open it in KiCad, that's the kind of view you get. You can see all the traces between the different components, and with a little bit of work you can get rid of all the layers you don't care about and focus instead on the processor and the headers for this particular thing. The datasheet for the processor they use is really hard to, like, if you look for the pinouts it's somewhere in the middle of the document and I can never find it. I wanted to put it on the page here, but basically most of the pins you would be interested in are actually mapped to the headers.

So the question is, is it just open source hardware, and are multiple manufacturers manufacturing it? Great Scott Gadgets designed it and make it, and I believe there's a thing called a HackRF Blue or something like that which is cheaper, uses cheaper components and breaks more often. Occasionally, if you ask them very nicely, they'll fix it for you, but I wouldn't recommend using it, especially because it's literally a clone that's using cheaper parts. I'd rather support Great Scott Gadgets, but I mean you could make it yourself. I'll talk a little bit later about what I want to do and how I want to change it, so I'll be making a few myself and then making that open source as well.

Okay, so it's got a, I didn't put the name on it. The LPC4320 is on the HackRF. Like I said, that datasheet is terrible in terms of just trying to find the pinouts.
Usually it's in the first ten pages, but in this case, I checked last night, I couldn't actually find it. But it has everything you need in there to do what you want to do. It's got two cores in it: an M4, which is a reasonably powerful kind of processor, and then a little M0 sitting on the side. It's kind of difficult to get them to communicate, but you can actually pass data between them. That's useful for things like driving displays and that kind of thing while the main processor does a lot of the hard work. As I'll show you later, there's DMA in there, as you'd expect from a processor like that, and a lot of the HackRF, the main loop in the HackRF, doesn't actually do anything; most of the work is done in DMA. So if you want to fiddle in there it's a little bit of assembly and that kind of thing, but it's not a lot of code. It can drive an SD card. It can drive Ethernet. It's got ADCs and DACs, so you can do things like sample microphones and output to speakers and that kind of thing. That's pretty cool. And it's got all the rest of the kind of things you might expect.

Just a quick overview of all the different headers. There are four headers. There's P22, which has stuff like the clocks and SPI; you can see it on the bottom left there. I don't use this very often. The P28 header: these are all the ones surrounding the actual processor. Again, this is SD card stuff. There's your baseband header, and like I said, I haven't tried it, but I'm not sure you'd actually be able to get the quality of signal you want out of it; I haven't really tried it. And this is the one I normally play with. It's got a whole bunch of things. You can put voltage into it, you can get voltage out of it,
a lot of ground pins and a whole bunch of GPIO pins that are kind of useful.

Okay, so the firmware is also open source. You can just go to Michael Ossmann's git repo and play with the firmware. As I said before, the typical main loop is just setting up USB, mainly, and then just sitting in a while(true). So it doesn't really do a lot. Normally I take this out and replace it with something else, and in this case I want to show off the typical kind of hello world, which is a blinky light, a blinky LED. I believe so, but I'll tweet them out. Elastic Ninja. Make it easy. Have you got it? Yeah. Okay.

Typically, if you want to blink a light you have to interact with GPIO pins, general purpose I/O pins. In this case it's neatly wrapped up; they've got three LEDs on the front of the HackRF, and it's neatly wrapped up in a little LED on, LED off and LED toggle. So for hello world you can literally just replace the whole main loop with LED on, delay for half a second, LED off, and delay again. And I'm going to try my best not to break this. So you can see the green light, I hope, and that is currently blinking. That's basically that code there, just blinking every half second or so.

Okay, so when you program the device, normally there's hackrf_spiflash, and that just interacts with the USB and then pushes your binary into the flash chip, and as soon as you reboot it loads off that and it's fine. But I tend to remove the USB handling, because most of what I'm doing doesn't actually have USB attached to it. After breaking the USB, you have to use dfu-util, and it's super easy to just push the DFU button on the front, reset it, and then it's in DFU mode.
And that'll get your code onto the device. Getting it back is an interesting exercise in git reset and that kind of thing.

Okay, so that's the typical loop, I mean, that's the base of the loop. So the question is, how do you break USB, or why does it break? Where was that code? This is the actual main loop in the normal code, and as you can see there are two sets of USB transfer code, and it runs that continuously. As soon as you take that out, I think within a couple of seconds the device times out and stops responding to USB; the host actually, I forgot the word, disconnects it. So it's very quickly not useful as a USB device. I mean, you can leave this stuff in here, but if there's no USB device connected while your stuff is running, weird things happen. So I just take it out. Yeah.

Okay, so I did the blinky demo, sorry. Right, so obviously you want to do something useful with the HackRF. You don't want to just blink an LED. Well, you may want to do that, but there are quite a few interesting other open source projects. There's the PortaPack, which I'll describe later. I've got a badge that I wrote, so I used some of that code. And if you dig around in the HackRF code itself, there are a lot of bits of code that access the hardware in interesting ways. There's a blinky demo in the actual HackRF source code, so you can go dig around there and have a look, but the PortaPack is actually the thing to look at if you want to build something that's not a host-based SDR, or a host-connected SDR. I'll show you that just now.

One of the more interesting things about what I've been doing is trying to power a HackRF without blowing it up.
What I'd like to do is push it into the USB bus, which means I run the risk of blowing up my computer when I program it, but if you're careful enough you can basically power it off, put five volts into VBUS, and then it manages the rest itself. You can't really plug a battery in there. There is actually a VBAT pin, but I haven't tried that. I'm not actually sure what that does, but it says battery. Sorry? Okay. Yeah, that makes more sense. But if you want it, you really need to give it five volts, and then everything's happy.

So, okay. I've built a shaky demo. I'll show you the code now, but it basically sits in a loop and pulls the 2.4 gig spectrum into little bins and then tries to display it on my little badge here. I did it in my hotel room. It's a little bit sketchy, but it kind of works. Also, the contrast is a bit rubbish; I don't know if you can all see that. But in theory that's the 2.4 spectrum, just doing a waterfall down here. Again, the PortaPack does a much better job of this, and it's a really nice sort of device. But if you wanted to put a display on, there are also display drivers, well, there's a display peripheral on the actual HackRF as well, so you could plug that in too. This is just bit-banged SPI talking to my badge. Anyway.

So the reason I started all of this was I wanted to have multiple HackRFs synchronized, so I could do TX and RX, or I could do multiple, so the whole band of Wi-Fi, or in one case it was direction finding. That was my actual intent and the reason I started taking my device apart. I also have far too many HackRFs because I was trying to do that kind of thing. So, if you want to buy one. Anyway, it was relatively simple.
It's just basically plugging a few GPIOs together and synchronizing the clocks. You'll see on the HackRF there are two ports on the back, and those are for accepting or transmitting a clock. The clock in the HackRF is not that great, so it drifts a bit. I think it's just a standard, or relatively standard, crystal and it's got 20 to 100 ppm kind of accuracy. There are changes you can make to it to get much better. Doing things like GPS and that kind of thing you can actually do with a HackRF, but you need to do a lot of work. Anyway, the problem with this approach is you've got multiple USB ports that you have to synchronize, and it turns out that synchronized USB is actually a terrible idea. So it doesn't actually work, but for very low bandwidth signals you can get away with it. The difference between the time of arrival of packets and that kind of thing is actually, you can get away with it, but I gave up on that project.

And I started thinking about cutting a HackRF in half. The idea is that I want to take the RF section on one side, not physically cutting it, sorry, I don't know what would happen, but taking the RF section on one side and putting the processing section on another, and then hopefully making little boards that you could plug multiple RF sections into. Then the discussion becomes what kind of processor you use and how you get all that data across, so all of a sudden I'm working with USB 3, FPGAs and that kind of thing. I've kind of put it on the shelf for now, but I still dream about it. It's something I'd really like to do. And there is actually a Great Scott Gadgets board out there that does multiple, it can, it adds another radio section to the HackRF. I've gone and forgotten the name of it.
But it's a work in progress, and I think that might be the easier path. I'm not sure. If you have a look around Michael Ossmann's GitHub repo, you'll actually find it there. All of the boards, the GreatFETs and everything, are there. So if you wanted to go and make one and give me one, that'd be great. But anyway, that's a project I'm working on.

I also fly drones. That's a picture of my drone hanging off a wire; it took me ages to get it off of there. One of my projects is actually to put HackRFs, or one HackRF that I'm willing to risk, onto a drone and use it in place of the FPV gear that you can buy commercially. The FPV gear you can buy commercially is pretty shockingly bad stuff. It's an FM modulated video signal and it doesn't do well with interference. It doesn't do well with a bad antenna. So I thought maybe I could do better. I've been strapping a HackRF onto it and trying to receive the signal, and I'm getting somewhere, you know. But I'm always worried about landing on something and then my HackRF is, you know, gone. So anyway.

All of the things I've been talking about are kind of encapsulated in the PortaPack. You can buy it in the vendor area. It's got a little screen, it's got buttons, it's got a battery, it's got all the things in there. I haven't bought one because I like to break stuff myself, but this thing's pretty cool if that's all you're looking for. Okay. Yeah. And that is pretty much my talk.
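The following is an added example written for this page; it is not Mike Davis's badge demo and not code from the HackRF or PortaPack projects. It shows the shape of the spectrum-binning loop the talk describes: one block of baseband samples in HackRF's interleaved signed 8-bit I/Q layout is run through a DFT, the per-frequency power is folded into a small number of display columns ordered from most negative to most positive frequency, and each block becomes one ASCII waterfall row standing in for the badge's pixels. The block size (256 I/Q pairs), the column count (32), the tone generator used as constructed input and the four-level shade mapping are all assumptions made for the demonstration. The DFT is the direct O(N²) form with its own Taylor-series twiddle so it needs no math library, which also suits a bare-metal build; for a live 20 megasample stream you would use an FFT (or let the CPLD decimate first) rather than this loop.

```c
#include <stdint.h>
#include <stdio.h>

/* Demo geometry (constructed for this example, not the badge's real sizes). */
#define N_SAMPLES 256   /* I/Q pairs per block */
#define N_BINS    32    /* display columns */

typedef struct { double re, im; } cpx;

static cpx cmul(cpx a, cpx b)
{
    cpx r = { a.re * b.re - a.im * b.im, a.re * b.im + a.im * b.re };
    return r;
}

/* e^{-j 2 pi / n} from a short Taylor series. The angle is tiny (about 0.0245 rad
   for n = 256), so six terms are accurate to ~1e-14 and libm is not needed. */
static cpx unit_step(int n)
{
    double x = 6.283185307179586 / n, x2 = x * x;
    double c = 1 - x2 / 2 + x2 * x2 / 24 - x2 * x2 * x2 / 720;
    double s = x - x2 * x / 6 + x2 * x2 * x / 120 - x2 * x2 * x2 * x / 5040;
    cpx w = { c, -s };
    return w;
}

/* w^k by repeated multiplication; a negative k rotates the other way (conjugate). */
static cpx unit_pow(cpx w, int k)
{
    cpx r = { 1.0, 0.0 }, base = w;
    if (k < 0) { base.im = -base.im; k = -k; }
    while (k--) r = cmul(r, base);
    return r;
}

/* Constructed test input: a complex tone of `cycles` cycles per block, written in
   the interleaved int8 I,Q layout the HackRF front end delivers. */
void make_tone(int8_t *iq, int n, int cycles, int amp)
{
    cpx step = unit_pow(unit_step(n), -cycles);   /* e^{+j 2 pi cycles / n} */
    cpx ph = { 1.0, 0.0 };
    for (int i = 0; i < n; i++) {
        iq[2 * i]     = (int8_t)(amp * ph.re);
        iq[2 * i + 1] = (int8_t)(amp * ph.im);
        ph = cmul(ph, step);
    }
}

/* Direct DFT of one block. |X[k]|^2 is accumulated into n_bins display columns,
   reordered so out[0] is the most negative frequency (an fftshift). Returns the
   index of the strongest column; out[] holds linear power per column. */
int bin_power(const int8_t *iq, int n, double *out, int n_bins)
{
    int per_bin = n / n_bins;
    cpx w = unit_step(n);
    for (int b = 0; b < n_bins; b++) out[b] = 0.0;
    for (int k = 0; k < n; k++) {
        cpx wk = unit_pow(w, k);            /* e^{-j 2 pi k / n} */
        cpx acc = { 0.0, 0.0 }, ph = { 1.0, 0.0 };
        for (int m = 0; m < n; m++) {       /* X[k] = sum x[m] * e^{-j 2 pi k m / n} */
            cpx x = { iq[2 * m], iq[2 * m + 1] };
            acc.re += x.re * ph.re - x.im * ph.im;
            acc.im += x.re * ph.im + x.im * ph.re;
            ph = cmul(ph, wk);
        }
        int shifted = (k + n / 2) % n;      /* negative frequencies first */
        out[shifted / per_bin] += acc.re * acc.re + acc.im * acc.im;
    }
    int best = 0;
    for (int b = 1; b < n_bins; b++) if (out[b] > out[best]) best = b;
    return best;
}

/* One waterfall row: each column's power relative to the row's strongest column,
   mapped to four ASCII shades in place of pushing pixels out over bit-banged SPI. */
void render_row(const double *bins, int n_bins, char *row)
{
    const char shade[] = " .:#";
    double max = 0.0;
    for (int b = 0; b < n_bins; b++) if (bins[b] > max) max = bins[b];
    for (int b = 0; b < n_bins; b++) {
        double f = max > 0.0 ? bins[b] / max : 0.0;
        row[b] = shade[f > 0.5 ? 3 : f > 0.1 ? 2 : f > 0.01 ? 1 : 0];
    }
    row[n_bins] = '\0';
}

int main(void)
{
    int8_t iq[2 * N_SAMPLES];
    double bins[N_BINS];
    char row[N_BINS + 1];
    int tones[] = { -48, -32, -16, 0, 16, 32, 48 };   /* constructed sweep */
    for (unsigned t = 0; t < sizeof tones / sizeof tones[0]; t++) {
        make_tone(iq, N_SAMPLES, tones[t], 100);
        int peak = bin_power(iq, N_SAMPLES, bins, N_BINS);
        render_row(bins, N_BINS, row);
        printf("|%s| peak column %2d\n", row, peak);
    }
    return 0;
}
```

A tone at +16 cycles per 256-sample block lands in DFT bin 16; after the shift that is position 144 of 256, which with eight DFT bins per column is display column 18. DC lands in the middle column (16), and a tone at -32 cycles in column 12, so the waterfall reads left-to-right as low-to-high frequency across the captured bandwidth.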