I'm working in conjunction here with, with Daryl and team to produce some of these labs and whatnot. And this particular one is going to be about logic analyzers. So my name is Jonathan signs, I'm a pen tester on the Rapid7 team. And just to dive right in, what, what is the purpose of a logic analyzer? So in essence, developers use logic analyzers pretty heavily for doing things such as, you know, debugging protocols. So if they're doing something like what we see in the picture here that has probably some form of inter-chip communication, maybe there's like SPI or I2C, logic analyzers enable you to dig down and see underneath the hood what's actually going on. Works fantastically for troubleshooting. Just think like Wireshark for hardware analysis. Like I was mentioning, it could also be used to debug, so it's used to troubleshoot maybe some why, why is my software not working, why is, you know, this embedded firmware not talking from the, you know, SPI flash chip to my MCU. A logic analyzer can kind of help troubleshoot that. So that's the sort of developer perspective of using a logic analyzer. Now, what, how would we use them in IoT? So of course, you know, we have the pizza delivery pizza and doom guy and then the hacker with the ski mask underneath. How we use them in IoT is our goal is to dump the firmware. So, you know, once the firmware is dumped, it's oftentimes mostly dumped through serial interfaces, unless we're doing something like removing a chip. So whenever we're talking about this, it's going to be more so focused on from the perspective of like doing something like dumping firmware from some type of interface, whether that be UART, whether that be like SPI, whether that be I2C. Also it's interactive with the device. I know that if you've attended any of our other talks from today with regard to U-Boot or any of the talks yesterday, we've talked a lot about UART.
So UART to be the serial, I guess, mechanism that we would use to interact with some of these devices. So what we want to do is identify what is the pinout of some of these devices. And we'll talk a little bit more about that later on in the slides here. But a lot of times the pins, they're not labeled. So we need to figure out, OK, A, what type of protocol is being used for these pins, and B, which individual channel is being sent or what kind of data is being transported over those pins. So things such as you can check things on a simple serial bus such as like SPI, I2S, I2C, UART, things like that using a logic analyzer. What are the types of logic analyzers? Again, I know we're kind of talking about maybe some boring stuff, but just kind of take you a little bit back and back in time here. The bottom left corner is a desktop logic analyzer. You don't really see those that much these days. That looks more like an oscilloscope, but it's in fact a logic analyzer. If you kind of take a closer look and see that it's actually measuring digital frequencies, something that an oscilloscope does not do, which we'll talk about more later. Well, what we will be talking about and looking at in our demos is going to be USB logic analyzers. And those look more like the things you see on the right side of the screen. So the Saleae is like one of the more popular ones. And you have a couple of the others like travel logic in this particular case. The USB analyzers tend to be cheap and they tend to be small. Desktop analyzers tend to be large and they tend to be expensive. We'll talk also a little bit about oscilloscopes later. But the large logic analyzer has a small amount of memory, but a large number of channels. That's pretty important because we'll kind of compare and contrast what might be right for you. If you're wanting to get started with some of the stuff, what would be best for you with what you're doing with whatever it is that your goal is?
Logic analyzer is a visual representation of the data that it processes as well. So when I say that it's a visual representation, it's making the calculation and representing what it thinks is what that data looks like rather than an oscilloscope, which is the actual analog signals that's traversing over the voltage with the voltages of the chip. These logic analyzers, we'll talk about price later, but like I mentioned earlier, USB logic analyzers tend to be very cheap. OK, logic analyzer is not an oscilloscope. So all these snippets I stole off the Saleae website, the oscilloscope measures the idea in general is that it's measuring constantly. It's, it's not like, like it's quite possibly the most boring subject. So it sucks to be all. I'm just kidding. They're all equally bad. So anyway, is oscilloscope is not a logic. Oscilloscope measures analog, whereas logic analyzers measure digital and match to go back to this one because some logic analyzers can actually measure analog. We'll talk about that a little bit later. I'll kind of show you. We'll go over a few different logic analyzers just to kind of see what. But I probably shouldn't use like a blanket statement and say that logic analyzers cannot measure analog because that's not a true statement. They can to a certain extent, but many of them do not. So as I was mentioning, they are not used for any type of like UART connection. So you get them being transmitted over your words, but you can't actually set up like, OK, I want to toss in like, you know, let's, let's connect to this using a bit, you know, parity. And then we'll of course do like baud rate of like 115200 and then interact with this. Like that's not what you can do with logic. Logic analyzers is more of just a passive listen. It's something like Wireshark for hardware. It's not an oscilloscope. So from an oscilloscope perspective, basically you're looking at voltages over a period of time. So it uses memory.
So it's using, you know, safer for OCDD. So we have the same. Right. So the Saleae is, I don't want to say the de facto, it kind of is the de facto, it's also some software and a pretty large online community and support that is available that is that goes hand in hand with this particular logic analyzer. There are other logic analyzers, of course, that exist. And we'll look a little bit more about the price. What do we think of these between like five and 15, 20 bucks? I think it was like 12 for one and 24 for the other. Very cheap. You know, like go sell like a garbage bag full, you know, aluminum cans and then buy like this stuff because you can just, it's just outrageously cheap. So anyways, we'll do some pros and cons between all these guys, but we're going to kind of just give like, let's just go ahead and hook something up with it. What we're actually going to look at with it is going to be a Raspberry Pi. What we're going to look at also with that is Raspberry Pi has a UART interface, I'm sure as many of you guys know. And I'm going to try to just take the examples to kind of give you an idea. But here is the Raspberry Pi like sort of coming out and hopefully everyone can see that. Now, Daryl, is this shown up on the screen? Yes. OK, perfect. So whenever you're looking at it, it's basically how, how it's laid out. So just be aware of it. OK, how does it look? I look good. Cool. So as you can see on the screen, we have ground, several grounds. And then right here on these two, we have RX and TX. So RX and TX are the two interfaces that we're going to target for UART. So we count down one, two, three, four, is RX or TX rather. And then one, two, three, four, five is RX. So and then we'll have a ground down here at the bottom of the corner. So let's get this sucker hooked up. I'm going to, I want to start this off with you guys with the just, I guess, just better in this particular case.
But whenever you're looking at the actual like logic analyzer, you can see that there's like a mapping of the pins on it as well. So it's basically like channel zero through seven. And then there's two grounds. And what that's based off of is the actual like layout of the pins on the same and then you have the actual pins. So what we'll do is we'll take these three jumper wires here and we're going to actually get rid of the old as great a kind of graph or actually just kind of move it over that way. And then we're going to just kind of hook these suckers up. You know what I mean? So we'll take ground. We can use black to try to be correct with their color. Use it here. Black for ground. So we'll hook that up to one of the two grounds there. And we'll hook up white to channel zero and we'll hook up this like silver color to channel one. And if you guys think this is fun watching me do this, just wait until we get the SPI. So that's exciting to look forward to. And then as we saw earlier, the ground is the bottom left hand corner one here. Remember, we hooked up white to channel zero. We're going to hook white up to channel the fourth pins. So we'll use the TX here and we'll hook up this little silver to RX. And that's it. So that is pretty much how we hook up. And we'll look at several other devices. But I just wanted to give just to give everyone an idea. So we're not kind of, you know, functioning in the dark here. So let's put a pin in this and let's circle back to some of the slides here. So we now know what that looks like. Now, I've done a lot of talking here. Yeah, I think we have a couple of questions here. Let me look. There was one question you may have already covered it, but I want to make sure to ask it's in the channel. Are there any equipment models that you can do experience to come across any models of devices like that? Yeah, so some do have the capability of doing both analog and digital. Most of the cheaper ones are only digital.
Now, the ones that support analog and digital are typically a little bit more expensive. And a great example of that is the Saleae. It supports both on each channel. But yes, so some models do support it. Typically, you'll be paying a little bit more money for it. So I would definitely ask yourself, is analog something I truly needed for the type of debugging, the type of troubleshooting, the type of development or the type of hacking that I'll be doing. One other question here. So where would, where can somebody buy the cheaper logic analyzers that you're demoing here? And would they work for newer to IoT versus having a larger investment? That is a very well-timed question because let me kind of slap this slide up here. This is a couple of examples of where you can get some of these logic analyzers. On the left side of the screen, Apple is directly from the Saleae website. Again, these are the nicer models that support both analog and digital. I'll also show everyone here on the call what it looks like and what it means to actually have a nicer one versus not so nice one. And so are you going to be spending, in this case, an example to have on the screen, 13 to 24 dollars or even the peak of that. But the left side of the screen here, the pricing is from Saleae. You can buy them on Amazon. You can buy them on eBay. You can buy them on, you can buy them on Spotify. The price on the right, the two cheap ones below and above the dude whose wallet is on fire where all of Amazon had this screenshot of that maybe like three or four days ago. As far as the features between differences in between the cheaper one versus the more expensive one in your dance, we'll take a peek at that and a couple of the most used slides on the road. And more questions to get you to move on. Sweet.
So moving on here, we, as I talked about earlier, this signaling, analog signaling is just to continuous changing values whereas the digital is defined values based on a range of voltage that we're going to see with these USB logic and logic analyzers. Bear in mind, it's not 100% accurate. So if you're like needing to be like pinpoint accuracy on the voltages, the logic analyzers is going to be accurate. I also want to share with you what those digital versus analog signals look like. So whenever we dive into the software we can kind of see what those waveforms are and how they differ from one another. The voltage above a certain threshold is and digital signaling with logic analyzers is binary. If it's going low, then that's considered a zero. It's going high, it's considered a one. And that determination is based upon that particular threshold. The transistor, the technology is basically using logic analyzer will sample the voltages at various intervals and reconstruct what that table looks like. So just want to kind of just try a little bit of context as to analog versus digital. So there's two main types that I have used in my experience. Your mileage may vary. I know there's a lot of different other like software vendors, makers out there on Mac based. So I'm going to handcuff the Mac, fortunately, because I would also be capable of running a Linux too. So the top left corner is sigrok PulseView. So sigrok is a manufacturer of logic analyzer as well as software and PulseView is the actual software name. Now, what we're going to talk actually has sigrok-cli and I'll be honest with you. I love the fact that they're open source. I love the fact that it's free. They're actually both the software here is free. But the PulseView, the graphic interface is just not the greatest. Like it's more of a bust, I guess you could say. So unfortunately, I'm not going to go over it today because it probably takes a little bit too much time.
But to kind of dive in here, what I wanted to do was just kind of compare these two software sets with you. So with that being said, let's just dive right in. You know, let's just take a look here, screw it. So what I wanted to do first is I want to continue with where we left off with this particular logic analyzer because there's more expensive stuff about that. We've got a couple of wires here. We've got a power for the Raspberry Pi. I sit right here and have the USB power stripped here. I'm just going to kind of power off the Pi real fast. And we'll go ahead and grab the other cable for our logic analyzer. That's right in there. Let's go ahead and plug this pump in, yeah? Now, as we're doing this, again, this is going to power for the record here, for the logic analyzer. And what we're going to do next is let me, there we go, that'd be cool. We'll do that here. So I'm going to bring up the software on the other side of the screen here for us. And the first one we're going to look at is PulseView. So I just want to kind of give you a quick little demo of what some of this looks like. So as you can see here, I'll shift that that way. We have everything hooked up on this side of the house. Remember, we have UART. So RX, TX hooked up to this based off the pinout that we found online. And of course, ground's hooked up as well. We followed the mappings here. So we're going to kind of take a white box approach with this and let's just assume that we know everything already. So let's assume that we found the data sheet for the device that we wanted to kind of probe and take a look at. What we want to do next is from the software here, I'll give you a quick little run through. So we'll go back to full screen. This is the sigrok PulseView. So with the PulseView, you can select the device you have plugged into your computer. And this particular one, the driver that we need is the fx2lafw.
So we'll select that from the dropdown and we'll click scan for devices using the driver above. And then we'll click okay. And that basically has it hooked up. So what happens here is an airplane flying above here. So I'll be able to hear some background of that. What we see here is that there's eight channels starting at zero and ending at seven. So that's representing the eight channels that the logic analyzer has. Remember it's zero through seven on the logic analyzer. What we can do is we can lower that because we're only using RX and TX. Ground is assumed. You're always going to use ground. So we want to select D0 and D1. So we're going to remove some of these other guys here. Going back to the software here, you can change the amount of sampling that it does. In this particular case, I have it set at one millisamples per second. So that's the setting for that. And we'll talk about that a little bit more whenever we get into the Saleae software, but the cheaper logic analyzers can sample at a slower rate than the Saleae. So there's a little bit of a limitation here and here's the speeds as well. So we're going to stick 20 kilohertz. So let's just plug the sucker in. Let's just see what happens, right? So I'm going to hit the power button. We're going to see the lights come on on the Raspberry Pi right here. And then I'm going to hit the run button. Whoopsie daisy. Stop. Let's try that again. And then we can click this button here, which makes us keep up kind of with a timing of the actual logic analysis that's taking place. So we'll see kind of some spikes and voltages as things kind of happen. Again, this is over UART. So think of like the TTY connection over some type of serial or SSH interface. Imagine just the boot up of a Raspberry Pi. So it's just going to do its crap. And then at the end it's going to be like, okay, Raspberry login type stuff. So we'll go ahead and stop it. Now that we're getting kind of closer towards the end here.
Yeah, that's the last one. So if we take a look here, this is basically the capture. I captured for, as you can see, 35 seconds. So the thing about this, let's go ahead and go back into full screen. We don't really need the camera so much right now, but we'll go ahead and expand everything back out. And let's just take a look over here because this is the, let's just pretend again, let's just assume that we know the answer to this. This is basically where it's just prompting for login through UART interface. So we'll go in here and we'll kind of scroll, scroll, scroll. And even if you were unsure of which one was RX or TX, you could pretty well assume if you at least knew that these two connections were UART, that this one's going to be TX and this one's going to be RX. How is that? Because TX is sending us data and RX is literally a flat line. So a couple of things there that can kind of help you out. And one other thing too is that this particular software does have protocol debuggers. So let's take a look at that. Let's go ahead and remember we set TX to D0 and we set RX to D1. So another thing too, we already have 115200. We're going to keep everything else basically default here. Last, the least significant bit first is correct. We'll switch that to ASCII and it will come in here and then it should do some decoding for us. So it usually takes a second. See if she works here. Yeah, so again, just a high level example of the protocol decoding available for this particular PulseView software and some of the stuff you can do. So it recognizes stop bits, it recognizes frame errors, break conditions, things like that. Now, what I want to also do real quick, we'll just exit completely out of here. We don't want to save. Another thing too is it's pretty nifty. PulseView has a sigrok. They have like their own proprietary format where you can like save your data and then like import it into Saleae or other. They can manipulate it also from the command line.
We want to now switch over to the Logic software from Saleae. So Saleae has their own set of software. They actually have two sets of software that we're going to review. And what I want to do is put it up here and what I want to do is show both, you guys both sets of software to kind of show you the epicness of what it has the capability of doing. So on the left hand side here, we have the Saleae Logic 1.0, 1.2.18 software, I guess technically. And in this particular case, it's very similar. So remember, here's all the eight channels and that's pretty much the situation that we're looking at. Mind you, remember, this is all digital signaling. So there's no actual analog signals going on in this particular case. So very similar to the other software, you can do the same protocol analysis. So we have, for instance, Async Serial, which is UART. UART is an Async Serial Communication Protocol with I2C and SPI. So there's a whole list of different protocols supported also by the Saleae software. Your decoded protocols, it can actually decode also. As we saw earlier with the other software, it decoded it, but it's kind of limited on the amount of information that it can present to you. The command line is where the sigrok software is very strong compared to Saleae. There's also annotation. So with the annotations, you can kind of capture during periods of time. But the thing I wanna show you guys the most here is with logic analyzers. It's not specific to Saleae, but let's just go ahead and power this guy off. So as you can see on the right hand side of the screen, the light's now off on the Raspberry Pi. Let's go ahead and power it back on. But also let's, yep, we're capturing for 30 seconds. Let's just stick to four megasamples per second. And then we'll go and power the sucker back on while it starts. So as you can see right here, the only sad panda part about the Saleae software is that it doesn't like live view show like the results of what's going on with everything.
So you're kind of like, you're kind of stuck with like a, just this kind of boring screen here. So you can't really see the sort of interactive like, oh, here's like the waveforms and whatnot, but whatever, it's all good. We'll go over the 2.0 version of it where it does offer some sexier, GUI stuff. So here's the output of our capture. So let's scroll out and we can see very similar to the PulseView. Take this full screen that there was actually some data captured here, very similar to what we saw earlier. Now let's scroll in. And as we talked about earlier, remember channel zero is the TX line of the Raspberry Pi. So of course we're gonna see data. Now, a couple things is that, let's say we wanna add a protocol debugger just like what we did with the PulseView. Let's go ahead and add this. We'll say channel zero, the serial, that's the TX channel. And let's click autobaud, right? So let's pretend for a second that we do not even know the baud rate of this device. Let's pretend that we actually think that it's UART but we actually don't know if it's TX or RX. We've already actually kind of figured out that it's TX because remember channel zero, we're seeing data. It's transmitting data to us. RX is a flat line because we're not sending any data back. So we do not know the baud rate. Let's just pretend like we wanna open up like a screen session or some type of like a serial session with the device or TTY serial. But we do not know the actual bit rate of that serial connection. So we'll just leave it default, default 9600. We'll click this little checkbox here, autobaud. We'll keep everything else default as well. This is all pretty standard for a normal serial interface on an embedded system. We'll click save. We now see the async serial is here in this corner and kind of a cool little thing you can do also to help you figure out that baud rate. This is pretty neat. Now, earlier, I'm gonna bring this up for you guys real quick.
In the actual slide presentation, I had this little table here that showed the actual microseconds as well as the baud rate in this table. So if it's 833 microseconds, it's the bit rate is 1200. If it's 52 microseconds, it's 1900. If it's eight microseconds, it's 115200. Now, if we go back here, what we can actually do is we see the actual, let's take a look here, the waveform. So from where the actual rising edge to a falling edge of one complete uniform wave. Here we go, that's a good one. It's super tiny, but I hope you guys can see that. 8.5 microseconds. It's pretty nifty because that basically tells us what the baud rate is without us even having to like measure the baud rate. So if we go back to our table here, remember 8.5, 8.5 is what it measured as the baud rate. We look here and eight microseconds is 115200. Remember, digital is never gonna be 100% accurate. It's gonna do its best at that representation. Also, there's latency in the cable. There's latency in USB 2.0. In this case, this is one of the cheaper logic analyzers using USB 2.0. So either way, it's not gonna be 100% accurate. It's gonna be like slightly off, but it's safe to assume that it's closest to that number than it is to any of these other numbers. So that being said, let's just do something a little wacky here and just enjoy the luxurious features of the Saleae software. So I just lowered the sample time to five seconds. Remember, if we go back here to the settings, we have it set, let's just see it automatically detected. It's already changed, but let's just put it back to 9,600. Imagine this is like a fresh scan. So we'll power the device off and then it will power the sucker back on. And then we'll go ahead and start sampling. So based off of the sample rate, the Saleae software is smart enough to realize what that particular baud rate is. In this case, it already converted to us. All that is not the actual bit rate, even though that would probably work. It's 11,500.
It's close enough for what we're trying to do here. So let's take it a step further and then let's switch this back over to 30 seconds. And it's powered off. And then let's power it back on again. Now that we know our baud rate, we'll just see what it can do. And let's make a full screen because we all know what our Raspberry Pi looks like. I can't make a full screen. I'm gonna sit here and just stare at this thing glued up. So while we're having a little break, let me ask you one of the questions. So I have a question here. Is the Saleae or the PulseView logic analyzer software free and open source? How would you go about downloading or purchasing those? The Saleae software, it is actually free. It is not open source, however. It's free. You can download it straight from their website. You can't compile it because it's not open source, but it's 100% free. You don't have to spend a dime for it. However, the sigrok, so the PulseView software, I believe the GUI is open source. 100%, I know the sigrok-cli is open source because I just compiled it actually like two hours ago. But yeah, so the Saleae Logic free, not open source. sigrok PulseView, 100% free, maybe open source. sigrok-cli, free and open source. And taking a peek here real quick, we can see the decoded protocol section here that we actually have the output of what we saw over the UART interface. So under voltage, it's kind of printed funky here, but that's the actual output of what it's seeing. We had it set to the ASCII. So the output is being displayed in ASCII format. So kind of neat. You can see all that kind of stuff, scrolling even further down here. And we have detected, blah, blah, blah, but go to the very bottom. Maybe we missed it, but it would even capture. Yep, there we go, like Raspberry Pi login. And that's basically on the UART connection, waiting for the, you know, the typical Pi, you know, password Raspberry, because no one ever changes their default on that.
So anyways, as for that particular demonstration, that's pretty much it. And, you know, kind of continuing on with that particular question that was asked regarding the free and open source nature, are there any other questions, I guess, up until now? Yeah, I have just one more for you. What is the max number of logic interlators or channels needed for most IoT situations? That's a good question. And I'll be perfectly honest, like I rarely run into an instance and I do this, you know, I'm not like hacking on IoT like full time with my day job, again, I'm a pen tester, but I do it a lot just kind of as a hobbyist, as well as just kind of as a side type thing. There's very rare instances that I've run into a situation where I needed more than eight channels. So in cases that I've ever used these logic analyzers, it's mostly been on three different protocols. UART, SPI and I2C and none of those three, I guess, protocols really require more than eight channels. Now, I don't want to say it wouldn't be necessary, but I would say that it's kind of a low likelihood that if you're trying to get started as like a hobbyist, that you'll actually need more than eight channels and all of the devices that we're working with here support eight channels. You can buy them up to like, shoot, I don't even know. I know Morgan on our team has the big one, I think it's 16 channels, is that their biggest or is it the one I had at me? I think it has 16. 16, yeah, the big boy. And I don't know that I would like have a need, however, it would be super handy to have in case I ever did have that need. But I would probably err on the side of saying that it's likely that eight channels would be good enough for you. Okay, yeah, no more questions yet. Well, so speaking of which, UART, SPI and I2C, how do they function? So as we saw earlier, UART's an asynchronous connection.
So what that actually means is that there's no clock on either side of the connection controlling the actual rate that data is being transferred. It's an agreed upon, it's an agreed upon number where you're supposed to actually know. So the bit rate and the baud rate's important for that. How it determines the actual connection speeds also is it uses parity bits. So there's basically another layer of overhead that's being sent over the line of communication so that the negotiation and the actual transfer of data can take place. With SPI and I2C, they're actually synchronous, meaning there is a clock that's determining the communication time. So for instance, SPI operates on a slave master model. So the master has is the actual determination of the clock speed. That's the one with the actual crystal that's going to determine how quickly data is going to be sent. The slave is going to basically accept that at that particular rate and that number is negotiated throughout the process. I2C is very, functions in a very similar way. Moving on to the actual interfaces associated with these three different protocols. Again, UART has two channels. Again, the channels column here is assuming that ground's hooked up. So disregard ground right now. This is only the data lines and the information communication lines that's taken place that we're really concerned with here. That's RX and TX for UART. SPI has four channels. That's going to be MISO, MOSI, CS, and clock. Chip select is enable and clock is again the determination of how quickly that data is going to be sent and received. MISO and MOSI are a little bit interchangeable. It can just depend on the situation that's going on. So with SPI specifically, remember there's master slave. The master will send out data to the slave over MOSI, that stands for master out slave in. It will receive, the master will receive data from the slave over master in slave out.
The master will determine the clock rate and the chip select is the enable. So the chip select is only applicable whenever there's multiple slaves communicating with a master. And then I2C is pretty simple. It's SDA and SCL. SCL is the communication for the determination of how quickly data is to be sent and received and SDA is the actual data line. So moving on from that is, I guess are there any questions maybe with regard to SPI, those two protocols with how they apply maybe to logic analyzers? Maybe not, because I know we just, kind of just answered some questions. Yeah, I'm sorry, I was kind of muted. Currently, we don't have any questions specifically on this, but I do want to encourage people that are in the, in the actual channel as attendees, please think of questions and post them into the Q and A session. Okay, you can move on, Jonathan. Cool. Yeah, I think we had a disabled chat because we had some flattering comments earlier that was kind of, kind of awesome. The first, I think Sam was mentioning, it was one of the first issues we had to bring him to with something exciting here. But anyways, okay, so let's move on to the first exercise. No, you guys, yeah. So let's move on to the first exercise here. Actually, I'm going to skip the first exercise. Let's move on to the second one because we just looked at UART. Let's look at something fun. Switch it over to SPI. Also, I want to show you the sexiness of this new Saleae software as well. And let's bring up the new hotness here. I had actually never, I didn't know that Saleae had released this new software. I think it was Morgan. So Morgan's our lab manager here at Rapid7. I think it was either he or Daryl that had pointed this one out, but Daryl showed me some freaking sweet new features that are basically have to do with this new software.
So like, just to give you the quick rundown here, we still have, I'm sorry for shifting this screen around stuff, but remember, we still have the old school, not the old school, the cheaper and logic analyzer hooked up. We're about to switch over to Saleae though. I want to show you guys some other stuff. So this is the new Saleae Logic 2 software. So we're now at two and you can change the amount of channels, of course, that are hooked up here. You can change like, you know, the different protocol analyzers associated with the connections that you're making. As of course, like timing markers, you can set, there's measurements you can take and this is the dopest part is that there's like an extension. It's like, I don't know if you guys use Burp Suite that much, but this is like the extender. The extender to Burp Suite is what the extensions are to Logic 2. It's sick. You can create extensions and just basically allows you to have a lot of plugins and stuff. So let's go ahead and swap this guy out. And we're going to look at set and a completely different device. So this Raspberry Pi is going bye-bye. I'm going to put it over there with a bunch of pile of other crap I got. And then we're going to switch to the Saleae Logic Analyzer. And then also we're going to look at this particular device here. So I don't know if anyone on the call right now was at the Rapid7 IoT Village last year. If they were, this will probably look super familiar. So a couple of things. As you can see, we have markings for SPI connection. There, you see MISO, MOSI, CS, Enable, a clock, that kind of stuff. There's also some other stuff here. Disregard this, we're actually only going to use ground. This is for, I believe, an ICSP connection, but we're not going to be doing anything with the Atmel today. We're going to stick directly to the chip, the flash memory chip that we have on here. 
Now, it's going to be an open book situation, but we're also going to pretend like we don't know the pin out of this just to kind of make it interesting. We do know it, but I'll show you guys how you can probably make that determination because it's so common that, you know, maybe you'll have like a header pins that are soldered onto the actual vias or maybe they're only vias and you have to solder the header pins yourself and you have no idea what they are. And maybe, for instance, you have a WSON8. So that means WSON8, it doesn't have legs. So the flash memory chip, it's like all the solder points on the bottom or if it's BGA, those solder points on the bottom so you couldn't take a multimeter to figure out what the actual pinout is, even if you found the data sheet. So it's kind of nifty here. I'll show what that kind of stuff looks like. So with that being said, let's just hook this sucker up. This is the part I was telling you guys about earlier where I'm just like, you're going to have a good time watching me do this because there's actually four cables. This is double the amount of cables as we looked at earlier. And another little pro tip, actually all four of these cables are not required for doing SPI, particularly if you only have one slave connecting to master. You actually only need to connect master out slave in and clock in order to facilitate that connection. But just for shits and giggles, let's just connect them all. Also, I'm going to mooch off the ground interface of this ICSP down here just to have something. So anyways, very similar to what we saw with the other ones, the mappings of the Saleae are here at the bottom. You can kind of see a little blurry, but my camera's not the greatest quality. Sorry guys, it goes from zero to seven. And then the channels are on the top, the grounds on the bottom, you can kind of see there how they're laid out. So we're going to just kind of start. I'm going to plug in ground here first. 
I'm going to put it in on the far end on the side. And then we'll, I'm cheating a little bit and remember we're supposed to pretend, but master out slave in, I'm going to make that zero. So that's red. So we're going to start red at zero and kind of work that way. You're kind of picking up what I'm throwing down here. So red, orange, yellow, green, and we need to plug this biatch in. So yeah, the Saleae uses a micro USB. The other cheaper logic analyzers use the mini mini USB, as you can see there. So we'll grab the micro USB again, hooked up to my computer. And you shouldn't see a light. It's totally normal to not see a light at first with this guy. And yeah, so let's continue on. So let's go ahead and shift the screen over to that side. And we should now see, so one beautiful thing is, I don't know if anyone on the call has dealt with Saleae before, but it's kind of a pain in the ass sometimes to deal with a logic analyzer and unplugging and plugging it back in to get to close the software and then open it again. Well, Saleae 2, I had the software already open. And as you can see here at the top, it's now connected, the light's on. So I think it's totally dope. But anyways, the Saleae software here, going back to the actual device itself, as I mentioned earlier, it supports both digital as well as analog. So as you can see here, here's the digital. So we want to put in four, we have a total of four channels going on right now. And we'll just go ahead and do analog and digital. We'll capture at 10 mega samples per second. And also a couple other things. So there's three different ways of capturing with this particular one. There's looping. So loop after a predefined amount of time, there's the timer where it will record for a period of time and there's a trigger. So just to kind of demo some stuff, let's go ahead and do a trigger. So remember zero, actually that's not trigger. Let's just do timer because we're trying to go black box, right? 
So let's assume we don't know which particular channel's which and we're just some blind device that we found online. If we don't know the data sheet and it's using something like a WSON so we have no idea like which pin's which. So we have all the channels set up. We have the timer set up for three seconds of capture. Go down here. We're gonna go ahead and leave the analyzers blank and we're pretty much ready to start capturing here. So I'm gonna grab the old power cable for this guy and I've set for three seconds. So I kind of need to be quick with my trigger finger here. Stand up and go away, zoom. There we go. So we got the whole screen. All right, she's plugged in. All right, so we got it. Let's go ahead and zoom out here. Now, this is the capture that we just got, right? This is during the boot up process. So what you see here is zero through three channel. This is all digital and on the bottom it did its best at analog. And the analog, it's not the greatest. Like it's probably pretty accurate. You can kind of see the comparison between the two. Like it tried its best at measuring those voltages but probably didn't quite do the greatest that it could. But either way, there's analog. I just wanna show you guys some of the analog. It's cool to have and stuff like that but it's not really the purpose of what I'm wanting to show you guys right now. Now, say for instance, that you don't know the mechanism of, or you know that it's SPI but you don't know which pin's which, right? So whenever we're looking at this device, remember the top here is MISO, the bottom's MOSI. Channel zero is master out slave in. As I mentioned earlier, master out slave in is the information that's basically being transmitted from the actual chip to us. And it's probably gonna be a little bit spontaneous. There's a lot of opcodes being set. There's a lot of different various settings being aligned with the actual device. 
And typically that's one of the first things that will start communicating as we can see here. So we zoom in and a little bit of a telltale thing is that we're starting to see some type of communication taking place right here, a little sporadic. We also see right here, channel one. Channel one in this case is clock. Remember clock is gonna actually set the cadence for how it communicates. One, two, three, four, five, six, seven, eight. It's a full actual byte of data. That's pretty telltale. So right here, of course, channel zero, we have a little bit of some type of like sporadic data being actually set. Channel one, we have kind of a constant cadence of information being like the waveform itself. And then enable, what enable is, say for instance, there's three slaves communicating with the actual master node. The enable will tell, it'll flip the bit for when that device can communicate or not. So you'll oftentimes see, there might be a little bit of a mismatch in our timing, which we can also fix, but you'll often see with the enable that for instance, right here, there's basically like a one, one, one, there's three ones right here. It's gonna kind of encompass that entire section if that makes sense or cycle. So it's pretty easy to tell if you just kind of scan it as we just did, which one's MOSI, which one's clock, and then which one's gonna be enable. Again, enable in our case, channel two and three is actually not even required. So taking a little bit of a deeper dive, let's take a look at the actual protocol and not analyze them. We'll click SPI here. Remember, we have MOSI set on zero, we have MISO set on three, we have clock set on one, and we have enable set on two. We'll leave everything else default and we'll click save. Kind of interesting because you can actually find like, you know, more deeper information about the actual device and the settings that it's applying as it's booting up. Let me kind of scroll in here. Should not lose my place. 
So like for instance, like right here, this is the actual decoded binary format. If we go here to the settings, we can change whether it's in binary, decimal, hexadecimal, ASCII, and then take a look at the actual value. So in this particular case, it's like 1, 1, 0, 0, 1, 0, 1, 0. And that's the actual location where it made the determination. You can see it up here at the top as well, where it's decoded. And what's kind of also interesting with this is you can take it like a step further and you can pull up the datasheet of the device. In this particular case, the model of this is the MRF49XA. It's a, I believe this one was a SOP8. I'm not, I'm not a T-SOP8. I'm not 100% sure on that, but either way, it's just an RF flash memory chip. So let's take this code that we got here, 1, 1, 0, 0, 1, 0, 1, 0, and let's just copy that. And then let's go back here and let's just paste that in. So it's, I already had it pulled up, so I'm kind of cheating right now. So it's kind of interesting because you can take that and this is exactly what a developer would do as they're kind of producing these types of devices. They're gonna like set these codes and this is gonna sort of initiate the actual SPI flash storage of the chip. In this particular case, what we saw was 1, 1, 0, 0, 1, 0, 1, 0. Let's paste that in again. That's right here. So we see the command code bit right there. And then we can see here below that bit seven through four are the first in, first out, fill bit counts. We've got bit three. So in this particular case, what you wanna do is the immediate one below it is you match the next three and then map it back over to bit seven through four. And this particular, they don't always map like seven, like in a range like that. But in bit three, for instance, like this guy set to zero, bit three, that basically says synchronous character length bit. It's set to word long. 
So I don't wanna continue going down this rabbit hole here, but it's something that's kind of cool to when like when you're debugging, you can kind of map it back to the data sheet to actually figure out what's going on as far as settings being applied to the chip itself. One other really cool thing I'm gonna show everyone here real fast is we're gonna make some changes here. I'm gonna go back to the actual mapping of the SPI interface. Pretty sweet. I remember I mentioned earlier, we don't need MISO and we don't need enable. So let's select both of those to none and let's do something else. This is kind of cool. This is actually a plugin that you can use. With this, we're gonna select SDMMC from SPI. So this chip, it's not either an SD nor is it an eMMC chip. It's just flash storage. It's not like a solid, it's not like it's like an SD actual device nor is it a multimedia controller. But let's just pretend like it is for a second. You select the input to go into this particular plugin and then we'll click finish. And if it were an SD or if it were an eMMC, it'd be pretty sweet because up here, as you can see where I have kind of hovering over, it'll kind of just show you the actual opcodes and the actual information that it's presenting. It'll kind of interpret that for you. So just kind of another sweet feature of the logic, the Saleae logic analyzer software. I just wanna kind of show you guys that real quick. And I know we're running kind of low on time, Daryl. Are we kind of towards the end right now? No, we got time for some questions. I have a couple of questions here before you move on. So this is kind of stepping back, but do you have to worry about sample rate with cheaper analyzers like missing data or misalignments and things like that? Yeah, that's a good question. I'll try to answer that with a little demo of what that sample rate actually means for the, like for instance, the Saleae logic analyzer, which can have very high sample rates. 
The quick and dirty, the TLDR, I'll give you, is that for the protocols that we're kind of looking at here, for the most part, the sample rates at the cheaper, these two cheaper guys support are satisfactory for what we're needing. I mean, it's whenever you're diving into the really quick protocols, that it really makes like a lot more of a difference because a lot of times with the really quick sample rates, like say for instance, let's increase this to, well, I don't know if I'll be able to because I'll be honest, the Saleae logic analyzer can only go up to 50, but screw it, let's do it anyway. Another question on there is similar to that same topic. Is there a general rule on what samples per second selection that you actually make when you're setting something up? There's not really a general rule. It's more of a, this is just my own experience. Now, Daryl, you might have your own answer for this, but I would say I typically use it for the default, just depending on what it is. And what I use this for is typically for UART, SPI and I2C, I would heavily be interested to hear what you have to say. Typically, I'm pretty much the same way. What I will do is if the sample rate's not high enough, I've actually had my Saleae start throwing errors and tell me that it was missing data that it wasn't sampling quick enough. I had that just recently looking on some data flow. As soon as I kicked it off, I bet it started throwing error and telling me that it was a missample rate. So I was able to crank it up until the error went away. So again, sometimes I also just crank it up out of the blue if I know for a fact that it's a high speed device that's gonna be generating a lot of fast traffic. Typically, when you're looking at UART, SPI and stuff like that, amazingly enough, the speed is often not used as even high as the chip can go. 
Like UART, I've seen interchip comms on a UART that could literally, the chip they're designed to drive at over three million bits per second across there, but yet the developers of the device had it set up to communicate at 9,600 baud. So. That makes sense. Yeah, and I've also found that if you go too high, this particular Saleae does not support it, but you also don't wanna go too high because if you go too high, this what you see right here, get out of the screen, it'll just be a giant blob. It's just a mess. It's capturing too much sampling and it's kind of just inaccurate at that point. So it's a fine line between the two. And another quick point on that also is typically the higher the sample rate, the more memory you're gonna eat up too. That's a good point. Are there any other questions? Not at this time. Cool, and quick question, I apologize. How much more time do we have here? Just to make sure I don't wanna go too far over time. I think we've been at it for an hour. So I think we got at least another 10 or 15 minutes. Yeah, yeah, definitely. You can definitely go for another 15 minutes. The next talk starts at 8 p.m. Perfect, okay, cool. I wasn't 100% sure on that, but that works out great because we have one more demo as well. So we've talked about, we did a little kind of a cheater exercise on Raspberry Pi. We did, I showed you guys how to sort of blindly identify SPI as well. And then next, let's switch back over to UART and more of a real world example. So let me go ahead and unplug these guys and plug the power first on this guy here. Let's switch back here, make sure I don't bust off any of these header pins live on camera because this is Daryl's device and it would start to break it right in front of them. And let's pull over another device. That's gonna be this guy. So we're gonna stick to the theme with the Saleae. So Saleae's still gonna be used. In this particular case, we're gonna check out UART but using the new Saleae 2 software. 
This particular device, it's a Z-Wave hub, I guess so to speak. So it's a hub used in home automation. I'm pretty heavy in a home automation here at my place and kind of something I've always been like fascinated with but this particular device, it's a Z-Wave hub and let's dig right in. So right off the bat, something that can easily be kind of noticed I guess is that on this device, there was these three header pins. I soldered the headers on but previously it was just like three holes just kind of sitting there and that's kind of like tell-tale that maybe that might be kind of interesting to kind of poke at, it can be anything. It can be I2C, maybe there's an EEPROM chip on here that's disclosed or it can be anywhere. It could also like not be on here. And when I mentioned WSON earlier, actually I can't quite tell if this is WSON or actually a BGA but either way, same difference. Sometimes you can't actually see the legs of the device where you map it out. So like say for instance, these headers but rather like sometimes you can which is what you see right here. This is a traditional T-SOP 8. So T-SOP 8, it's got the legs, WSON does not. And I'm pretty sure it's WSON, it might be BGA but I'm pretty confident that it's WSON. This one for sure is a BGA microcontroller but either way, sometimes you can't like take a multimeter to check that this pin right here connects to that pin right there. So therefore sometimes a logic analyzer will come into play and then that's where it's usually beneficial to do this type of stuff. So let's just move on, let's plug this sucker in and see what we get. So we only need a couple of connections here. So I'm gonna borrow the cables that I was using earlier for the UART. So in this particular case, there's only three connections being made. One thing you can do with this is basically take a multimeter to figure out which one's ground in that case. 
Let's just assume that I did that because I know which one's ground but like it's pretty easy to tell which one's ground with just a multimeter. So and the ground is actually gonna be the pin on the far right in this particular case. So let's hook up black to ground and let's just hook up white and like this silver one to the other two, not knowing which one's which. So again, using the handy-dandy mappings that we have on the Saleae, we plug that sucker right in to ground and then we plug in the other two to channels plug into zero and one. Make it kind of easy. And next, let's, you know what? Let's do a trigger. We're kind of gambling right now. We're supposed to be in Vegas right now. So let's do some topic gambling, right? We don't know which one's which one's transmit but what we're betting on right now is that channel zero is transmit. We have no idea. So let's just figure out that's what it was. And what we're triggering on is a rising edge. And what that says is that whenever you see a rising edge in the transmission and that waveform, that's when you start capturing. So in memory, it's capturing the whole time but the actual capture that comes back and returns to you is the actual, the trigger that you set here. You can trigger rising edge, falling edge, high pulse or low pulse. In this particular case, let's just say as soon as you see some type of traffic going on on channel one, that's when we want you to capture. And we want you to capture for three seconds, delete everything else afterwards. And we only need two channels here. So let's get rid of those other two. We're gonna leave it at 50 mega samples per second. And that is that we're not gonna capture on analog. So let's actually, what we're gonna do next is we're gonna close out of that. We're gonna click start. And it's literally waiting for the trigger. So you see down there in the bottom right-hand corner waiting for trigger. Let's plug this bastard in. Holy shit, we're correct. 
Yeah, so we still have the stupid MOSI. Let me delete these, the decoders. This is my bad. I can get rid of that. And yeah, if we're in Vegas, we basically, we bet like a hundred bucks on red and it landed on red because it's exactly what happened here. So go us, right? Channel zero is TX just as we were hoping for. So that trigger was met and it recorded for three seconds. So scrolling into here, we can see some of the data. Of course, you know, this is like the zero one, zero one. And this is the part as I showed you earlier with the OG logic analyzer, sorry, the OG logic software. We'll put input channel, we're set to zero, 115200. We already, we don't know what the baud rate is for this guy, I believe it actually is 115200. Remember, we talked about how to check that. But of course, here we go. We're seeing all the data as well as part of the boot up. So boot, SPL, 2017, and just various other information that it's printing out the standard out as it's performing the boot sequence. So anyway, I just wanted to show you guys another example of that on the new software here. It's pretty slick. It's totally awesome. I like it a lot. That's super useful. You can see like the parity bits. This is basically the little white dots is kind of managing the communication timing whenever it's sending data back and forth. In this case, it's transmitting. So anyways, that being said, that's kind of the end of the demo here. I just wanted to give another example of what it means to communicate or what it looks like to communicate using the new Saleae 2 software. Questions? Yeah, let's go ahead. I think we have some questions. Let me look at this first. If the Saleae software works for any analyzer, what would be the consideration in purchasing the more expensive offer over a cheaper hardware option shown? So why would I, one, why would I want to buy an expensive $600 logic analyzer when I can buy a $24 logic analyzer since I could use the software? 
Yeah, that makes sense. So as we talked about the speeds, I don't want to say they're negligible, but you do get significantly higher recording speeds with the Saleae than you would do with these cheaper versions as well. Another thing too is that the actual accuracy of the protocol decoding, I've noticed is higher with the Saleae than it is with either of these other two devices. That being said, it really just depends on what your needs are. In my opinion, it's pretty good quality. Like for instance, I've had a couple of times where I was doing some type of logic, I was doing basically decoding and actually live capture and both I had a crash with the software with both of these devices. So you'll notice that it's a little bit sluggish, it's a little bit rough around the edges. It's a, again, you kind of get what you pay for. The communication, again, there's been kind of like lags and hiccups with these two, they get the job done, but I've noticed that the accuracy for how close of how it captures is a little bit more specific with the Saleae. So if what you're looking to do is gonna require you to know those voltages at more of an accurate level, then maybe consider the Saleae versus these guys. I mean, if you're just doing some general, like debugging things like that, I think these are not a bad choice. That's just my opinion. Daryl, do you have anything to add to that? Yeah, I think accuracy is probably one of the bigger things and the ability to process at a higher speed, I think are the value. And that's why I went with a higher value product. Because I often, I personally often encounter things that those would not work on at all, just from the fact that it's higher speed. I often get into more inter-chip communication analysis, which is often at a much higher speed than external communication. Makes sense. The other question here is a good question. Do you need special hardware for JTAG? 
So if you look here, the capability exists for adding JTAG, actually does it. I don't know if it does on this Logic 2 or not. I'm still... I think it does. I'm not sure though. Yeah, it does. Yeah, I'm sure it does. Now, the question was, is there specific hardware needed for JTAG? In this case, if you're trying to identify what is TMS, what's TCK, if you're trying to identify with JTAG, what are those debug interfaces? You might have the capability of doing it with a logic analyzer. Now, at that point you're kind of, I don't want to say you're putting a round peg in a square hole, but I don't know if you're necessarily using the right tool. It has the capability of doing it like this, but you might consider using other pieces of hardware for doing something like JTAG. Like for JTAG, say for instance, you don't know what the pinouts are and you're trying to identify them. That's where you would use something like, for me personally, I would go after a multimeter first and I would try to ring it out with the MCU. So I'd try to find the datasheet and use that datasheet to identify where on the MCU based off those pins of the MCU, where does that fall out and use that to identify the pinouts of the JTAG if you don't have the datasheet or maybe you don't know where the MCU is or maybe it's a BGA MCU, then you'd maybe use some type of boundary scanner. Great example of that's the JTAGulator. Another thing that you could kind of use the Saleae for as a boundary scanner sort of. In that particular instance, it could help you, yes. Now, if you're wanting to do something like program an MCU or program the device or upload device to a flash memory to program an MCU, then you would need some type of programmer and that's gonna be vendor specific. So say for instance, it's an STM32, you could use something like an ST-Link device. J-Link supports OpenOCD in a lot of cases so it can support multi-manufacturers. If it's like an Atmel, you'll want to use a PICkit. 
So if you're wanting to either dump or flash some firmware onto an MCU or flash memory, you would use whatever programmer is assigned to that particular chip set. Outside that, you can use a logic analyzer for doing some like limited boundary scanning, but that's kind of not really why it's designed, but the capability exists. Yep, and in conclusion, there was one comment, there were a couple of comments in here I thought were funny. One was, it would be funny if someone designed a board with a honeypot header that had 50 volts on it. That's so Jonathan would hook up his $300 logic analyzer and watch it burst into flames. You're good. Yeah, that would fry the man bun right off my head. So I thought that was a funny comment, which is definitely the level of evil I would expect from a DEF CON. So thank you for that. And then a couple of comments saying you did a good job. So that was pretty good. So are there any more questions from anyone as we're getting ready to conclude? Wait, I think there's one more. One was asking more like model numbers on those cheaper ones. Do you have that information? I think those are so generic in nature. You know what I'm talking about? The two cheap logic analyzers. Is there any kind of information on there for acquisition? I think you had a page that actually showed the link to the information to the actual Amazon site. Yeah, let me see here. I'll actually just real quickly. Do one even better. For like whoever asked the question about that, like amazon.com, if you like just search like logic analyzer. I mean, one of the ones we're using is like. I think it was the first one in the list showed up. Yeah, that's one of them. If you go up to the top, I think the first one in the list was one of them we purchased right there. That's one of them. That's the HiLetgo USB one. So. I actually have the other one too. It's kind of funny because it came with the, the Adify Toolkit or whatever. It's like got like a red face to it. 
I don't know. Yeah, you may have called any number of different names. Oh, it's SparkFun. Yeah, SparkFun. Yeah, SparkFun relabels that Chinese one. Yeah, it's this one. So I mean, just go online really. It's kind of like here's one of them and here's the other. And it's just, you can just Google or Google Amazon search those two. I'm pretty sure this is exactly both of them. Yep, perfect. Thanks a lot. Let's see. Any more questions? Are Hantek any good? Have you messed with a Hantek before? I'm not too sure. Hantek. Hantek logic. Oh, oscilloscope or the logic analyzer? Probably a logic analyzer, since this is a logic analyzer. I have not. Well, you were there a minute ago before you checked on the o-scope. There was one showing up there as a logic analyzer. Oh, sure. And then EK, T-E-K, because we're quickly running out of time here, but. Oh, I've seen pictures of these guys. It looks, I mean, it's got two gigs of DDR2 memory. I mean, that's a hell of a better than I think what any of the Saleaes have. So in my, the quick and dirty rule, real quick, but that one, that's a very high sample rate and that's a lot of memory. So higher the memory, the higher sample rate, the longer you can capture. And the more pinpoint accuracy you can get in those captures. That's probably, I guess, my two cents on that particular one. And it looks cool. It looks dope as hell. Cool. I haven't messed with one, so. Okay, I think that pretty much concludes it. Hopefully the people that wanted to ask questions were able to ask questions. Feel free to reach out to any one of us. Jonathan, you can reach out to him anytime. He's available. I think he's on Twitter. Do you get your Twitter ID out there, man? Yeah, Twitter ID, Frankensteiner. There you go. I'm in that. So if you ever want to ask him any questions or harassing, there you go. Yeah, if you want to figure out what my address is, I'll honestly just give it to you if you're really that curious. 
You don't have to do whatever, Google it or whatever, like the person did at the beginning. Well, hey, thank you so much. I think there might be a few extra questions. So if either of you have time to jump into the IoTV Talk Questions Text Discord channel, there's definitely people that were pretty engaged with this talk. Despite the technical difficulties, this was our first and only live presentation that had any issues. So, I mean, what are the chances of that? It's like getting a bird pooping on your head. Maybe it's good luck. Nice, it is good luck.