I'm Abend. This is David. I'm Dave, or non sequitur. We're talking about hardware hacking, and this talk is really for the people that have written software before but haven't really worked directly with hardware. So if you've never written a bare-board app or something without an operating system, or read a schematic to figure out how exactly to write your software, then you're in the right place.

Our motivation for the talk was to encourage people to get into hardware hacking. It's something that we've seen as an increasing trend: Make magazine coming out. It's an increasing trend in the hobby market, that is, the do-it-yourself ethic and the growth of improving your own devices, whereas there's a contrary trend in the industry to produce devices that are more and more restricted. So hopefully, if we get at least one person to open up their TiVo or whatever and improve it, then we'd call it a success. I suspect most of you already did that, though. Can you skip to the next?

We're going to cover building a lab, tools that you can build yourself, where to get some useful tools, and the forward engineering and reverse engineering processes in kind of a general overview. We don't have sufficient time to get into every detail of everything. The reason we're calling it forward engineering is more to distinguish it from reverse engineering. So it's really just embedded engineering in general.

So I'm going to go through pretty much what you need in your lab and how to get started with your own do-it-yourself projects, whether it be robotics or some random microcontroller somewhere that you want to load code onto, and just sort of how to design a program for it. My focus has been on the tools, especially making them cheap, because I'm a cheapskate, and back when I was a college student I didn't have a lot of money, so it was good to get what you need without blowing 1,000, 1,500, 2,000, 10,000, however much money you want to spend on electronic test equipment.
A normal setup in any sort of industry lab is going to cost anywhere between 30,000 and 100,000 starting. So we hope to avoid that. Yeah, make it a little bit more accessible.

For the basic requirements of setting up your own lab: well, first of all, why would you want your own lab as opposed to, say, doing it on your dining room table? The main reason that I found, now that I actually have a lab in the place that I live, is continuity. I can set things down, come back to them later, and it's just as I left it. Nothing's had to be shoved out of the way for dinner or got knocked on the floor by the cat or anything like that. And it provides a certain space where you can get into a mindset. You get used to it: you go into your lab and you focus, and you don't get that when you don't have a dedicated space. You don't really require a huge amount of space. I grew up in a 12 by 12 bedroom and basically started there for years, and that was sufficient. Right now I have a basement that's about 15 by 30, and that's still sufficient. It's mostly just storage.

Well, in addition to the space, it's also very important how you set up the space. So if you have a table like this one here, you're not going to want to put any electronics on it, because this is a tablecloth. And I'm sure half of you in here have heard of ESD, electrostatic discharge. You won't know if ESD has damaged your device unless you hit the lottery and basically it makes it not work at all. Most ESD damage to any sort of circuitry you're not going to know about for months, and then it's just one feature, or it might be cascading failures down the line. But it's the cause of a lot of things not working. It's nice to have that control, so you know it's not your equipment, it's your software or whatever. So you know that you've reduced the number of variables in getting a hack working.
So one way to start is an ESD mat and some grounding bracelets, and maybe a coat if you've got cats or whatnot. Because even if you've got fur on the outside of the coat, it's a material that's going to keep the static from building up on the fur and not going to short your devices. So the coats are actually fairly useful, especially if you have pets.

Other basic stuff to look for in a lab is good ventilation. A lot of hobby electronics entails a lot of semi-dangerous chemicals. I work with lead solder because it's actually better than the safer non-lead kind. It just wets better. The fumes from that are unpleasant. The fumes from etching your own circuit boards are very unpleasant. You've got to keep your lungs in good shape or you're not going to be doing this for very long. Lighting is also key. Basically, the brighter your lights are, the better your eyes' resolving power is. It's just a matter of having small pupils. Work surfaces and grounding we've covered, just very basic. I mean, it sounds like a lot, but I have a basement, I have a little fume hood, and I have a countertop that has a conductive mat over it. And that's all it takes.

Soldering is a very basic skill if you're going to get into this field. It's the process. How many people actually know what soldering is? I don't want to be talking down to anybody. Yeah, okay, so everybody knows what it is. How many people in here have soldered on a modern PCB layout, which is fairly tightly packed? Right. So I see about half the people raising their hands compared to before. And one of the important things is having the right solder and the right iron. Because if you use solder that's too thick, or an iron that has a bad tip or is too hot, you're going to ruin whatever you're working on.
So getting very thin silver solder with a rosin core, and a very fine tip and a good working temperature, is going to help you minimize the amount of time you apply heat to the board and the amount of solder that you use, so you don't accidentally short things with big globs of solder. And I'm probably not the only one that ruined a few boards learning that the hard way. How many of you have added the accelerometer or the ZigBee chip to the boards? I see two... oh, three people. How hard was soldering that? A little bit tricky, very small pins.

There's an increasing trend in electronics towards miniaturization and also towards packages that are not really designed to be soldered by hand anymore. Probably the epitome of this is the ball grid array package, where there are solder points underneath the chip that you simply can't reach with any kind of human hand tool. There are, however, people who have been working with these chips in prototype and hobbyist environments and have come up with some pretty clever tricks for overcoming the limits of what a human can see and can solder. Toaster oven reflow soldering, skillet reflow soldering, and hot air tools are the three ways you're going to deal with anything basically smaller than the chips that you saw on the badges. The industrial equivalent to that is wave soldering, where you've got a whole wave of solder, kind of like the wave coming out of an aerator in a fish tank, and they've got a special coating everywhere but where the solder is supposed to stick. And that's how they put all the parts for the assembly on top of the PCB when the board is ready. Reflow soldering is a process that uses powdered solder and flux, which basically binds the chips to the board temporarily, and then the whole board is baked. The flux burns off, cleaning the parts, and then the solder melts and takes its place as a part of the board.
Usually a commercial IR reflow oven is a 2,000 to many tens of thousands of dollars device, depending on controllability and also how many boards you can put through it. The toaster oven reflow is a little simpler. People actually do this. They do not do it with the toaster ovens that they eat from, if they have any brains at all. And if they do do it with the toaster oven they eat from, they won't have any brains at all soon. You can get kits to control the temperature of an oven, because the typical reflow is not simply ramp the heat up and bring it back down. They usually ramp up, hold steady to melt the solder, peak to melt anything that had a very big pad that it was being soldered to or had a very large piece of metal, and then drop off quickly to cool everything in place before any vibration knocks any parts loose. You could also just do this by twiddling the thing. I'm led to believe it is not terribly precise. The one place that it would fail is a double-sided surface mount board like these. If you were to throw this in the oven to try to solder something on the side of the batteries, you would lose all your LEDs and be saddened. Skillet reflow, same trick. It's for one-sided boards only, works very well for surface mount, and is a whole $30 if you buy the skillet new in terms of parts investment, which is hard to beat. These pictures actually came from sparkfun.com, which is a site that has some fantastic tutorials on doing this, and supplies a lot of the useful parts for this sort of trickery.

This is a home-built hot air pencil. You can get hot air guns pretty easily. They're temperature controlled, usually a 600 to, say, 1,600 degree stream of air, capable of melting solder. This is useful for when you're trying to rework a surface mount board.
You just apply the heat, heat up all the pins of the chip at once, and you can just lift it off with tweezers, which is a lot better than trying to get each pin one at a time with a soldering iron. Another type of hot air gun is for a completely different purpose: they've got these wire sleeves that shrink around connections, if you're putting sleeves on to attach a wire to a pin. You don't actually need a hot air gun for those; you can just take a big lighter and shrink it to the wire that way, without spending 90 bucks on an overpowered hair dryer.

These are some basic tools that I use in doing hardware work. The voltmeter is basic. If you don't have one of these, chances are you're not really doing a lot of electronics. And an oscilloscope, a little less basic, but if you get one, you will not believe how useful it is. You'll never really remember how you lived without it. Logic probes and logic analyzers are both for working with digital logic only, and logic analyzers are a little expensive. A logic probe is very simple. I'm going to go through these.

Voltmeters come in two basic types. That's a digital one, as you can tell by the LCD display. There's also analog ones that have an actual meter movement. The only real reason I can think of to go with analog, and somebody who's been in the field longer than me probably knows better, is that if you hook it up to AC, you'll be able to tell because the meter will actually vibrate. Otherwise, these are fantastic. The basic ones, you'll just get ohms and volts, measure resistance and voltage. Current, usually a diode or continuity check. You can get all sorts of crazy features. Capacitance meters are pretty common. Some of them have temperature sensors via thermocouples, which are useful for controlling your toaster oven. Oh yes, clamp meters, for going around something that you believe to be carrying a current, that can pick up the current by induction.
Another useful use for an analog oscilloscope is when you're debugging your PCB layouts and you're looking for EMI which might be affecting the operation, so you don't know why it doesn't work, and you've double-checked your logic 15 times. You might find that interference from, say, the power supply part of the board is coming in on your analog inputs, and it's not properly isolated with the grounding, and the components are too close, and you might get some signal leakage even though the traces are isolated, because they're just too close on the board. So that will show you what exactly is on that wire, and what is on all the other spots, without having to guess.

How many people know what an oscilloscope does? It's basically a graphic plot of voltage over time. Most basic models will have usually two channels that they can display simultaneously. Analog ones look like this and have an actual cathode ray tube. Digital ones usually have an LCD screen, and are usually a lot smaller, especially shallower. You can build your own oscilloscope, but chances are the bandwidth is not going to be fantastic. It'll probably be good for audio work, possibly for some TV work, but you'll start to lose it around RF, and it certainly won't do 100 MHz buses on modern microprocessors. Buying them can be expensive if you're getting them new. Second-hand ones are good if you can make sure they're working. It probably won't be calibrated anymore, and if it's too old... You don't want to get anything less than 100 MHz, just because, again, they'll have a bandwidth, and 100 MHz is pretty much the low end for being really useful for a lot of stuff. Yes? This gentleman informs you that liquidation.com has really good prices on them? Oh, governmentliquidations.com.
Well, another alternative is to use USB-based oscilloscopes, but the display is not going to be anywhere near real-time, and there's usually going to be, like, a noticeable three- or four-second delay. Like, if you're monitoring a serial port with it, and you're trying to look at your frame size, and you hit a button on your console and watch it go on the oscilloscope, it might be three seconds before you actually see it. But those USB instruments can be very useful, because it'll only be a couple hundred dollars rather than tens of thousands of dollars for the equivalent full instrument that you'd see in a lab.

Yes, hamfests, definitely. I come from the Boston area, so the MIT flea market is good there. You can look it up on the internet. It's basically get-togethers like this, only for ham radio people instead of computer security people, and the vendor room tends to have a lot of this sort of electronic test equipment, radio gear, that sort of thing.

The device I've pulled up on the screen here is a logic probe, which basically displays one bit of data. It's the state of a single logic line, and it's useful for checking if you've built a logic circuit. You can just check the outputs, make sure they are what you expect. I actually have a couple of them up here. They're pretty easy to build. I have kits that I brought that are for building a very basic logic probe. The choice between building it yourself or buying one is pretty much six of one, half a dozen of the other. If you're just getting into electronics, it's a useful project. You learn some digital electronics, basic assembly. If you understand how it works already, you probably don't need to build it. A logic analyzer is basically a whole bunch of logic probes side by side with some recording and playback capacity, usually.
This can be good for debugging buses which contain peripheral devices. A lot of microcontroller-based devices will have either an SPI bus or an I2C bus. Those are both proprietary names. They'll also be called generically two-wire buses for I2C or three-wire buses for SPI, even though SPI buses are usually four wires, because they have a clock wire, data in, data out, and then a slave select to select which device on the bus is being talked to. When you're using a logic analyzer, you can look at all four of those lines and see how the chips on the board are communicating, and whether or not, or where, the bugs are in your code or your layout or whatever. These peripherals we're talking about are on a single board. This would be like communication between one chip and another. I don't think that I2C is usually used to communicate between individual devices like a computer and a router or whatever.

You can make a do-it-yourself logic analyzer. I have kits for that also. I'm thinking, since we have the question and answer room, I'll be giving some of these kits out there. They hook up to the parallel port and can watch eight lines at once. Due to the relative slowness of the parallel port, they get about one million samples per second, so they can't pick up a signal much more than one megahertz. Actually, it has to be much less than one megahertz, for those of you who are familiar with it. But on the other hand it's cheap. It's a $1.79 chip.

We already mentioned the USB tool. This tool here is the USBee, for maximal confusion. It's a USB logic analyzer, protocol debugger, oscilloscope. It's basically an entire lab in a little box the size of an ice cube. The downside is it costs $1,500. If you have the money for it, I'm sure it's fantastic. I don't. This is also a Windows-only device. There's no Linux support for this thing. That's surprising.

For do-it-yourself tools, xoscope is a program for Linux that allows you to use your sound card as an oscilloscope.
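What a logic analyzer actually gives you on those four SPI lines, and why the one-megasample-per-second parallel-port analyzer needs the bus clock to be well under one megahertz, as an added example in C (not code from the talk, the kits, or the USBee). The decoder assumes SPI mode 0 (clock idle low, data latched on the rising edge, MSB first, active-low slave select); the capture routine, the two bytes on the bus, and the bus and sample rates are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One logic-analyzer sample: the level on each of the four SPI lines at one instant. */
typedef struct { uint8_t sck, mosi, miso, ss; } spi_sample_t;

/* Decode SPI mode 0 (clock idles low, data sampled on the rising edge, MSB first).
   Bits are only accumulated while SS (active low) is asserted; a partial byte is
   discarded when SS deasserts. Returns the number of complete bytes decoded. */
size_t spi_decode(const spi_sample_t *s, size_t n,
                  uint8_t *mosi_out, uint8_t *miso_out, size_t max_bytes)
{
    size_t count = 0;
    uint8_t mosi_acc = 0, miso_acc = 0;
    int bits = 0;
    if (n == 0) return 0;
    uint8_t prev_sck = s[0].sck;
    for (size_t i = 1; i < n; i++) {
        if (s[i].ss) {                          /* deselected: drop any partial byte */
            bits = 0; mosi_acc = miso_acc = 0;
        } else if (!prev_sck && s[i].sck) {     /* rising edge of SCK: latch one bit per line */
            mosi_acc = (uint8_t)((mosi_acc << 1) | (s[i].mosi & 1));
            miso_acc = (uint8_t)((miso_acc << 1) | (s[i].miso & 1));
            if (++bits == 8) {
                if (count == max_bytes) return count;
                mosi_out[count] = mosi_acc;
                miso_out[count] = miso_acc;
                count++;
                bits = 0; mosi_acc = miso_acc = 0;
            }
        }
        prev_sck = s[i].sck;
    }
    return count;
}

/* Simulate what the analyzer records: a master clocking nbytes out on MOSI while the slave
   answers on MISO, SCK period bit_period_ns, one sample every sample_period_ns.
   One idle sample (SS high) is placed before and after the transfer. Constructed model. */
size_t spi_simulate_capture(const uint8_t *mosi, const uint8_t *miso, size_t nbytes,
                            uint64_t bit_period_ns, uint64_t sample_period_ns,
                            spi_sample_t *out, size_t max_samples)
{
    size_t k = 0;
    uint64_t total_ns = (uint64_t)nbytes * 8 * bit_period_ns;
    spi_sample_t idle = { 0, 0, 0, 1 };
    if (k < max_samples) out[k++] = idle;
    for (uint64_t t = 0; t < total_ns && k < max_samples; t += sample_period_ns) {
        uint64_t bit = t / bit_period_ns;        /* which bit of the transfer is on the wire */
        uint64_t phase = t % bit_period_ns;      /* where within that bit period we sampled */
        spi_sample_t s;
        s.ss = 0;
        s.sck = (uint8_t)(phase >= bit_period_ns / 2);   /* low first half, high second half */
        s.mosi = (uint8_t)((mosi[bit / 8] >> (7 - bit % 8)) & 1);
        s.miso = (uint8_t)((miso[bit / 8] >> (7 - bit % 8)) & 1);
        out[k++] = s;
    }
    if (k < max_samples) out[k++] = idle;
    return k;
}

/* Capture a constructed 2-byte transfer at the given rates; returns how many bytes decode. */
size_t decode_at_rates(uint64_t bit_period_ns, uint64_t sample_period_ns,
                       uint8_t *mosi_out, uint8_t *miso_out)
{
    static const uint8_t mosi[] = { 0x9F, 0x00 };  /* constructed master bytes */
    static const uint8_t miso[] = { 0xFF, 0xEF };  /* constructed slave reply */
    spi_sample_t buf[4096];
    size_t n = spi_simulate_capture(mosi, miso, 2, bit_period_ns, sample_period_ns, buf, 4096);
    return spi_decode(buf, n, mosi_out, miso_out, 2);
}

int main(void)
{
    uint8_t mo[2], mi[2];
    /* 100 kHz bus sampled at 1 MSa/s: ten samples per bit, every clock edge is seen */
    size_t ok = decode_at_rates(10000, 1000, mo, mi);
    printf("100 kHz bus @ 1 MSa/s: %zu bytes, MOSI %02X %02X, MISO %02X %02X\n",
           ok, mo[0], mo[1], mi[0], mi[1]);
    /* 1 MHz bus sampled at 1 MSa/s: one sample per bit, the clock edges alias away */
    size_t bad = decode_at_rates(1000, 1000, mo, mi);
    printf("1 MHz bus @ 1 MSa/s: %zu bytes\n", bad);
    return 0;
}
```

With the bus clock at a tenth of the sample rate every rising edge lands in the capture and both bytes decode; with the clock equal to the sample rate every sample lands at the same phase of the clock, the analyzer never sees an edge, and nothing decodes. In the idealized model two samples per clock period is just enough; real captures have jitter and settle time, so in practice you want several times that.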
It's not a fantastic oscilloscope. It's permanently AC coupled, because of the way sound cards are constructed, which basically means that it's not great for dealing with signals that will stay at one level for a very long time. It's a little tricky to use, and the bandwidth is not good. It's about the audio bandwidth of the human ear, because that's what sound cards are optimized for. Parallel port logic analyzers were already mentioned. JTAG wigglers we'll come to in a little bit. Those are used for debugging embedded systems, and flash dumpers for removing or retrieving the contents of flash RAM for firmware reverse engineering.

Some sources were already mentioned. Hamfests. My oscilloscope is a 100 megahertz unit that I pulled out of the garbage at a college, fully working, with all manuals and probes. I don't know that everybody will be that lucky, but one can hope. Also colleges: if you have friends who are in a college and are in an EE program, definitely ask them what they have in their labs. I got very lucky and found somebody who had an EEPROM dumper that they could let me use for a reverse engineering project that I'll go over in a little bit. eBay, of course, has all sorts of stuff, but of course at variable prices and variable quality.

As far as teaching yourself the basics of electronics, which won't be any time you want, Forrest Mims is an author who wrote for Radio Shack for a long time. His books tend to be very full of schematics. So they're a cookbook approach. There's not a huge amount of theory in them. But if you want a basic circuit to do something simple, logic probe circuits, for example, 555 timer circuits for tone generators, pulse delays, that sort of thing, they're a great resource. One of the classic books is The Art of Electronics. Now, that book's been around for at least a couple dozen years. My boss recently recommended that to me because I just got a new job doing a different sort of embedded engineering.
And basically it takes what you learn from the EE degree and distills it into things that you don't need to be an EE to understand. So one of the reviews I read for it was a professor handed it to one of his grad students. They had made a FUBAR'd op amp circuit, and the very next morning he had it completely fixed, working and polished. Because it's really where the rubber meets the road, and not so much theory, but it's all practical: how to use each component. If you run into a component on a board, like an optocoupler, you look it up in that and it's probably going to have five sections on it. So it's a great resource, and it basically starts at the beginning and goes through advanced electronics. It's over a thousand pages long and one of the most complete resources I've seen. It's also structured as a textbook, so it's useful if you're teaching yourself the field. It also is referred to as the Bible. So you know what that means. If the book is the Bible of a field, it's generally highly regarded. It does show a little bit of dating in storage methodologies for digital stuff. It doesn't cover as much flash as it does EPROMs, and its focus on microcontrollers is Motorola 6800 architectures, but... they're gradually going away. But the principles still hold.

Application notes are published by the manufacturers of hardware, and they basically cover how to use an individual chip. The funny thing about some stuff is that it's just the application note in a box. This is especially true of video cards. People will take NVIDIA's chip, for example, and the documentation for it and just build that, maybe add a few parts, maybe not add a few parts, and start.

Okay, embedded engineering. It's not reverse engineering. In this case we wanted to emphasize the similarities to the software development process. First step is gathering requirements of the device: what it has to do, what it has to not do, situations where it is permissible to fail or not fail.
Then research the resources, what's available to build this thing, assemble it, generally a prototype first before production runs. Low cost, maybe easy to assemble and able to be built in a home lab. But there are also the functional requirements of your device. Like this one: the requirements are user programmable, moddable, and display text on a bunch of LEDs. So it does all that. Generally this process is iterative. If you see a board that's got REV on it, that's how many times they've done a different release of that board. Usually companies start with special revision numbers, so they don't have to tell anyone how many revs they went through before it worked.

A few notes on architecture. With a lot of the smaller microcontrollers, you have your choice between 4-bit, 8-bit, 16-bit and 32-bit. Now, the biggest difference between these, other than what your register width is, is cost. And a lot of it is also speed of the processors. With a lot of the lower-end 16- and 8-bit stuff, you're going to max out around 40 megahertz. And your onboard flash and RAM is going to be less than a meg combined. So you might have 2K of RAM and less than 512K of flash. And you'll like it, because really it's a very simple chip, and it's more than enough space to be able to do what it needs to do, because it doesn't really have that much I/O speed. But for simple things like this, anything more than a couple K is overkill anyway. The chip I used for a few projects is the ATmega168 made by Atmel: 16 megahertz system clock, 16 kilobits of storage space, just flash on the chip. Programmable pretty easily in a variant of C. A lot of microcontrollers have moved to system-on-chip architectures, where you've got not only the CPU core, as it's called (the core determines what instruction set it uses), but also standard peripheral systems.
So you're going to have, like, an SPI module, maybe a couple of CAN modules, which is a proprietary communication protocol that is very common in automotive, marine and avionic applications. You've got SPI, of course, that could interconnect for other devices, which may be Ethernet chips or whatever, and then you've got EEPROM that might be off-board as well, off-board RAM that you've got to interact with. As well as communications, there's sometimes stuff just completely built into the chip. Real-time clocks and watchdog timers are pretty common, which are useful for setting the chip to do something in the future, basically, if you have a part of the code that you want to run every n seconds, or resetting the chip when it goes horribly awry.

The other thing to look at is how many pins the chip has out, because a lot of the PICs will have 16 pins on each side, where 8 of those pins are devoted to VCC, ground and associated crystal stuff, and then you have 8 address pins and 16 data pins for communicating, just dedicating all your GPIOs to one other device like off-board memory. And some of those also dual-purpose all those pins, where you can select in the memory-mapped registers of the chip whether or not you're going to be using GPIOs in bulk, or like an SPI bus, or any number of other system-on-a-chip type configurations. And they get pretty fancy with what they provide. Some of them will have secure ROMs where you cannot read out the ROM through anything once it's been loaded, for protecting IP. Of course, this is true for certain values of "cannot read out." If anybody caught bunnie's talk at ShmooCon two years ago, he basically depotted a chip, removed plastic from the top of it, and then shone UV in at an angle to get under the aluminum layer that was covering the fuses that were set when the chip was set to be write-only, and that way managed to clear the fuse and dump all the code out of the chip. Let's say that's not a very easy operation. It's doable, but not something a noob should attempt.
Yeah, he used a lot of acid for that, to etch the chip top off. When you're speccing out a new project, whether it be for robotics or you're just trying to emulate, let's say you got the ROM dumped off some chip and you order a different chip to load it onto so you can debug it, you're going to want an evaluation board. Because I'm not an electrical engineer. I know several very good ones that can design a PCB for me, but I don't really have the knowledge to do that myself. So you can order evaluation boards for just about any microcontroller out there that already have the power already done, crystals attached to the board, breakout boards for all the I/O pins, solderless breadboards to put whatever peripherals you want on there, and basically allow you to start working without actually having to be as good, if you only know how to write software like me. The downside of using these is that they can be a little bit too good. It's a situation where they'll usually have the best revision of the chip with all the features enabled, in a board that's been designed by the people who know every quirk of the chip to support it perfectly, and a real-world application might be a little harsher. However, you can usually get these depending on what the manufacturer is trying to promote. I do not have an evaluation board in there. I don't have an evaluation board at all. Oh, you can find evaluation boards just anywhere online. Let's say you just take a chip name and type in "prototype" or "evaluation board"; you're going to get tons of them up there.

Now, you can build firmware for this using standard GNU tools like GCC and everything else that you'll need. Basically, what you do is you have to compile a cross compiler, which means you delve into the specifics of all the GCC compilation settings and pick your architecture to cross-compile binaries for. Now, what this allows you to do is, if I've got a GCC that cross-compiles to ARM on this thing, I can make an ARM binary, load it onto an ARM chip and have it be able to run natively. That's very important, because none of these microcontrollers will use the same instruction set as my x86 laptop here, because x86 is almost never used in embedded applications, just because it's overkill: an overly complicated instruction set, a lot of pins, just a lot of legacy stuff in it. I actually use a cross-compilation toolchain for working with the AVR microcontrollers that uses AVR glibc. It's all open source stuff, so it's free, easy to come by. However, as it said, availability is highly variable. It's whatever people are developing for and whatever they can get the information on. If the manufacturer of the chip wants to maintain a lock on the software end of the market as well, they won't make the internals of the chip as available to developers, so they won't be able to create cross-compilation toolchains for it.

Now, the next thing you'll need in making your own embedded device is to decide which way to go, whether or not you want an operating system at all. Some things that can determine this: if you have real-time deadlines that you have to meet. Let's say you're doing some sort of control application for an airplane, and if you don't send a certain signal every 500 milliseconds the engines stop. Now, basically, that's a hard deadline, and very hard. You need a real-time OS that will schedule things based on deadline priorities to make sure that all those deadlines are met. Now, that's one application where you need a real-time OS. But for simple things like this badge, if this thing stops working I'm not going to be shedding any tears, and I don't think anyone else will either. So basically this just uses an infinite while loop, and I've got the code here. He's been modifying his badge slightly. It now supports a 30-character text string and some other stuff. It also doesn't change state randomly from bumping against his stomach. Yeah, thank you. Anyway, notice that it says while(1), so basically this will execute this
loop of code forever after it starts up, because it's got initialization code somewhere in here, which, as you see, is assembly code. What it will do is initialize various registers on this chip and get it configured for working with these shifters on the back and the optional accelerometer and ZigBee chip, so that the chip knows how to talk to its peripherals, and that will all happen before you hit the main loop. Once you get into main, basically all you do is loop around here. He's implemented a state machine using a while loop and a current state, and he's got all his interrupts for the keyboard as interrupts rather than polling the status, so he can sit in infinite loops while waiting for more input to occur, and when it does occur it just jumps over to that and then jumps back. It's very simple code, and it's very easy to modify if you know what it's doing. Most embedded applications will have an infinite while loop, and then they'll have basically a driver stack, and it will go round robin through each driver and determine what messages it needs to send based on all the global data it has. Now, in the application world you hear that global data is bad. On an embedded device like this there's no dynamic memory allocation. Everything is going to be determined at startup, and basically anything that will dynamically allocate memory could crash your device. Especially if you're doing safety-critical applications, you don't want any of that. So everything has to be completely mapped out, well before you even write a line of code, for what your memory requirements are going to be. Now, this one, he had a lot of extra strings in there for his easter eggs and some other useless stuff that I saw, and when I took that out I was able to free up a 30-character buffer for the scrolling display. You'll see I have up, up, down, down, left, right, left, right, B, A, select, start fully displayed. Shard of your bad influence, woo. The downside of not having an operating system
is, of course, that you have to do all the hardware access yourself. However, if the processor is simple enough that you can't put an OS on it, there's not going to be a lot of hardware to be accessing. Generally, on the AVR chips that I'm most familiar with, doing SPI communications is a simple matter of setting a few registers and then loading one variable with what you want sent out the SPI port, and then checking it a few seconds, a few milliseconds actually, later to see what came back in. Now, a lot of embedded applications will use while loops without a scheduler, but the way they meet soft deadlines is they do a timing analysis to make sure that each driver in the stack, when you're going round robin, is guaranteed to take less than the worst-case time, and all the worst-case times added together is less than the next time that a certain task needs to be executed twice. In that way you can ensure that everything's going to happen on time. Now, for other more complicated things, you might have things running on timers, where this only executes every 100 milliseconds, and each task may have an individual timer, or they may all share a single time base, where every 5 milliseconds this occurs, every 100 milliseconds this occurs, and you just set flags for whether those deadlines have passed. And then the next step up is, of course, a real-time OS, or embedded Linux, or eCos, which is a free real-time OS. And then I think Abend had something to say about DOS. DOS is not a real-time OS; however, when your process is running, DOS is not doing much itself. It's not hard real-time, and I don't think you'd want to use it in anything that people's lives depended on, but the band The Sisters of Mercy used it as a drummer for a long time, so if it's good enough for them it's good enough for me. Now, I've already gone over the task loop and, of course, the global data. Now, the global data is usually used as a database, and that determines the state of your device, because at any given moment your
global data determines what it's going to do next, so that's fairly important. And we're running out of time, so I'm going to have to speed this up. Now, in a lot of larger applications you're going to have several microcontrollers, and you might have multiple microcontrollers that do exactly the same thing hooked up to a bigger microcontroller, so you can use an object-oriented approach to build larger distributed systems and basically get a lot accomplished with very low-cost parts. Similarly, from a hobbyist point of view, there are some modules that are basically things that you can use to plug together a system without having to design them yourself. This comes in really handy if you're doing RF, for example, and like me you don't know a whole lot about radio: you can buy radio modules, they're like a little simple thing, you get power, ground and data, and you put data in, data comes out. You don't have to worry about resonance or frequencies or tuning anything; it's simple.

Now for the part you've all been waiting for: the reverse engineering process. You start with a completed thing, figure out what the parts of it are, determine how everything is hooked together, how everything works and what each thing does. Generally when you're reverse engineering there's a specific thing that you want it to do that it doesn't do, or something that it does do that you wish it would quit, so you want to be able to select the areas that you want to focus on and ignore things like the power supply, unless the power supply is the source of your problems. Printed circuit boards are actually remarkably readable if you look. You know, there's... you've got your chips, and they all have their part numbers, so you use those to search on the internet and get data sheets. A lot of manufacturers don't provide a lot of data sheet information, but the ones that do are generally very, very useful for figuring out functionality that the chip has that you might not have known about, and figuring out what the chip could be talking to
on the board. I have a monocle sort of display that was set up for PAL, but I opened it up and looked at the circuit board, and I noticed that right next to the resistor that sets "this is a PAL video input" were a pair of empty pads. Looking at the data sheet, I found out that sets NTSC, and I got it to work better with, you know, my US equipment, as opposed to the rest of the world where they use PAL. Traces are useful to look at: big thick traces generally means it's power or carrying a lot of current, thin traces usually a signal. And the silk screen will tell you not only what type each part is, especially for small things that you can't really read the numbers off of, like surface mount devices, whether they're resistors, capacitors, microchips or just ordinary transistors. The nice thing is PCBs are expensive and it costs money to put extra layers on there, so most devices aren't going to have many, many layers, so most of it's going to be visible, which helps in the reverse engineering process. Unpopulated pads are also useful. I unfortunately missed your brand's talk, but even just looking at this I knew that it was doing wireless, because it has a pair of antennas on it, these loop tracks. This thing's 10-9-1. I agree.
Recognizing common subsystems is just a skill that you'll get if you look into a lot of devices. Power stuff is easy to recognize: there's big capacitors, big inductors, big traces; it's all chunky stuff compared to everything else in the circuit. Which fuses? Yes, big fuses, no thank you.

If you have to reverse engineer a protocol, a communications protocol between two devices, you have a few options. You snoop on the protocol if you have something that can speak it, so you can just watch as the two things talk to each other. The schematic that's up here is a serial sniffer; I believe this is a half-duplex one, so it will only catch one half of a communication, but this is for just ordinary RS-232 serial. There are devices available for USB that do this. There's also fuzzing, everybody's favorite topic: you could just throw random stuff at it over the serial port and see the response. And if you're lucky you can just pull out the firmware and see how the protocol is done in there.

Pulling out the firmware can be done in a variety of ways. BDM stands for background debug module. Unfortunately you can't dump the firmware from a BDM cable, or verify that it's on there, but you can erase it and write new firmware to it. So once you get firmware in this little chip here, it's there forever and you're never getting it back out, unless you have a bootloader that can read it out, but this one doesn't. Some BDM systems also let you do things like clock stepping, to slow down the process and run inspecting each register as each clock cycle passes, modifying registers, modifying memory locations. These actually have a BDM port on the back; as you see, I put a pin header on it. It's actually a one-wire bus that allows you to debug the chip. It uses some proprietary burst protocol which is not at all a standard, so for different devices you have different BDM pinouts; some of them will be 8 pins, some of them are 6, and all of them require different pods. It's a very expensive way to do development, but since each pod is
only about 15 to 100 bucks. And if you notice, the Freescale pods, if you connect them backwards it'll short the pod and you need a new one, so you can go through a lot of them if you're using those in your manufacturing process. BDM usually shows up on Freescale and Motorola processors.

JTAG is an alternative to BDM. It stands for Joint Test Application Group. Also not standard, but well, there are standards: the pins, there are named pins that have certain functions; however, the headers are highly variable. I've got two devices here, one of them has 10 pins, one of them has 14, the connections are different, and it's been largely trial and error trying to get JTAG connections into these devices. It supports a lot of the same stuff as BDM. Basic JTAG won't let you do debug; it won't let you step the clock one step at a time, it won't let you access the registers. It will however let you set or clear the state of any pin around the device. Basically the JTAG talks to a chain of shift registers between the actual metal pin on the outside of the circuit and the silicon inside the device, and allows you to change the pin states without the chip itself actually running. These are a couple of JTAG pinouts, and this is the shift register. I'm going to go over this more in the Q&A section.

This is an EPROM burner that somebody built. EPROMs are an older technology; they predate flash and are used for mass data storage generally. They were UV-erasable or electrically erasable and just used to store the code of a system. I had some good luck with a magnetic card reader that had all of its code in one of these, and so reverse engineering the protocol that it spoke over its serial port was as simple as pulling the chip, putting it in a reader, and then taking the read-out version of the software and throwing it through IDA Pro, which I'm sure a lot of you have used. Show of hands, maybe? IDA Pro, represent.

Another thing where resources from the embedded engineering, or forward engineering, process come in handy is
when you've got a decompiled binary. So the first thing you look for are vectors that are defined in the chip spec, like the reset vector, the interrupt table vectors, and figure out where the code starts and where it goes when it jumps from the code it's executing to an interrupt. The first interrupt the chip is going to get when it starts up is the reset interrupt vector; if you can find out where that is, that's the entry point for your code. You just tell IDA this is the entry point and it'll figure it out. Exactly the g-spot, as it were.

The flash dumper thing I was talking about up there, that is for accessing more modern stuff, these 48-pin thin small outline package flash chips. It turns out that xD cards for cameras and SmartMedia cards for cameras are basically NAND flash in a funny package, exactly the same interface, and you can use one of them to build a flash dumper that you can just clip on to the chip and, depending on the electrical characteristics of the board, dump the flash via a USB cable. It's two minutes. I actually have one up here; it's incredibly ghetto looking and got me all sorts of funny looks on the airplane over here, but that's the card reader, and I just decided to socket it and hooked up little metal bits to connect; they basically clip on to the chip itself, and you can just use dd. You get a hex image out of that and throw it into IDA Pro. If anyone has any questions about how to hack this and write your own firmware, we're going to be in the Q&A room later and I've got a development environment set up on my laptop.

But I'd like to take these last couple minutes to let everyone know that the best way to get started in this is to see who else is interested in the area and start a hackerspace. The Hacker Foundation has a hackerspaces initiative where they'll help you, once you get a group of people together that's motivated to get your own space; they'll get you under the non-profit umbrella and help deal with the managerial aspects of maintaining it and basically
make sure that you're on the track for success. And the Hacker Foundation needs your support. I guess the Riviera kind of raped them with some stuff they had shipped here: they charged 30 bucks a box for receiving it, and they lost over 400 dollars that way. So they need your support; they're selling t-shirts in the vendor area, and please show your support, and ask Nick if there's any hackerspaces which are setting up in your city if you're interested. Thank you all for coming. I hope you found something of interest in this.
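Added worked example, appended after the talk and not the speakers' own code or tooling: the reset-vector lookup described above for a dumped ROM image (find the vector table, check that each entry points somewhere inside the dump, and turn the reset vector into the file offset you hand IDA as the entry point). It assumes a Freescale HC12-style layout, with 16-bit big-endian vectors occupying the top of the address space and the reset vector in the last two bytes; the 4 KiB image mapped at 0xF000, the eight-entry table, and the handler addresses are all constructed for the illustration and are not from any real device on the page.

```c
/* Reset-vector locator for a dumped ROM (added example, not from the talk).
 * Assumed layout: HC12-style, 16-bit big-endian vectors at the top of the
 * address space, reset vector in the last two bytes of the image. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE  0x1000u   /* assumption: 4 KiB dump */
#define IMG_BASE  0xF000u   /* assumption: dump is mapped at 0xF000..0xFFFF */
#define VEC_COUNT 8         /* assumption: 8 vector slots in the top 16 bytes */

typedef struct {
    uint16_t vec_addr;     /* address of the vector slot itself */
    uint16_t target;       /* handler address stored in the slot */
    long     file_offset;  /* offset of the handler within the dump, or -1 */
} vec_entry;

static uint8_t image[IMG_SIZE];

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void write_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* True if a handler address falls inside the dumped region. */
static int in_image(uint16_t target) {
    return target >= IMG_BASE && target < IMG_BASE + IMG_SIZE;
}

/* Constructed sample dump: erased flash (0xFF) with a vector table at the top.
 * Most slots share one default handler, one slot is unprogrammed, one points
 * outside the dump, and the reset slot points at a separate routine. */
void build_sample_image(void) {
    size_t table = IMG_SIZE - 2u * VEC_COUNT;
    memset(image, 0xFF, IMG_SIZE);
    for (int i = 0; i < VEC_COUNT; i++)
        write_be16(&image[table + 2u * (size_t)i], 0xF200);  /* default ISR */
    write_be16(&image[IMG_SIZE - 2], 0xF100);   /* reset vector, last slot */
    write_be16(&image[table], 0xFFFF);          /* never programmed */
    write_be16(&image[table + 2], 0x1234);      /* outside the dumped range */
}

/* Decode the table; returns how many entries point inside the dump. */
int scan_vectors(const uint8_t *img, size_t len, vec_entry *out, int count) {
    int valid = 0;
    size_t table = len - 2u * (size_t)count;
    for (int i = 0; i < count; i++) {
        size_t off = table + 2u * (size_t)i;
        uint16_t tgt = read_be16(&img[off]);
        out[i].vec_addr = (uint16_t)(IMG_BASE + off);
        out[i].target = tgt;
        out[i].file_offset = -1;
        if (tgt != 0xFFFF && in_image(tgt)) {   /* skip erased and bogus slots */
            out[i].file_offset = (long)(tgt - IMG_BASE);
            valid++;
        }
    }
    return valid;
}

/* File offset of the reset handler (the entry point to give IDA), or -1. */
long reset_entry_offset(const uint8_t *img, size_t len) {
    vec_entry v[VEC_COUNT];
    scan_vectors(img, len, v, VEC_COUNT);
    return v[VEC_COUNT - 1].file_offset;
}

/* Most frequent valid target: a single default ISR for unused interrupts
 * shows up as many slots pointing to the same address. */
uint16_t shared_handler(const vec_entry *v, int count) {
    uint16_t best = 0;
    int best_n = 0;
    for (int i = 0; i < count; i++) {
        if (v[i].file_offset < 0) continue;
        int n = 0;
        for (int j = 0; j < count; j++) if (v[j].target == v[i].target) n++;
        if (n > best_n) { best_n = n; best = v[i].target; }
    }
    return best;
}

/* Wrappers over the constructed sample so the results can be checked. */
long sample_reset_offset(void) { build_sample_image(); return reset_entry_offset(image, IMG_SIZE); }
int sample_valid_count(void) { vec_entry v[VEC_COUNT]; build_sample_image(); return scan_vectors(image, IMG_SIZE, v, VEC_COUNT); }
uint16_t sample_shared_handler(void) { vec_entry v[VEC_COUNT]; build_sample_image(); scan_vectors(image, IMG_SIZE, v, VEC_COUNT); return shared_handler(v, VEC_COUNT); }

int main(void) {
    vec_entry v[VEC_COUNT];
    build_sample_image();
    int ok = scan_vectors(image, IMG_SIZE, v, VEC_COUNT);
    for (int i = 0; i < VEC_COUNT; i++)
        printf("vector @%04X -> %04X%s\n", (unsigned)v[i].vec_addr, (unsigned)v[i].target,
               v[i].file_offset < 0 ? "  (erased or outside dump)" : "");
    printf("%d usable vectors, reset entry at file offset 0x%lX, default handler %04X\n",
           ok, reset_entry_offset(image, IMG_SIZE), (unsigned)shared_handler(v, VEC_COUNT));
    return 0;
}
```

On a real dump, replace the constructed image with the bytes read out by dd and set IMG_BASE, IMG_SIZE and VEC_COUNT from the chip's data sheet; the vector width, byte order and table position are all chip-specific, which is exactly why the data sheet comes first.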