Thank you everybody for coming and waking up at this ungodly hour on a Friday morning. I was sort of expecting the room to be empty, so thank you guys for coming and choosing to listen to us for an hour or so. Yeah, I think the ideal DEF CON should be, you know, be three weeks long and to be one talk at like 4 p.m. Yeah. All right, well, my name is Joe Grand, and this is Zoz Brooks. Yep. And we are going to talk about a project called the BSODomizer HD. This has been a very difficult project, and we're going to show you some pretty fun stuff with also some pretty disgusting videos. It's gonna be great. So basically this project came about, we'll talk about this, we um, we were working on a project, we, Zoz writes a lot of software, I uh designed a lot of hardware, and we thought it would be fun to sort of do something again together and come up with uh with a new ridiculous project. Um, so before we even start, while everyone's still paying attention, um, what we ended up doing, and you're going to, you'll hear the whole process, but we started working with something called FPGAs, and we'll get into that, and this was like a really really complicated thing, something we'd never done before. This project wouldn't have happened at all um if it wasn't for some serious help from some friends of ours that really their name should also be on the on the title, you know, the presentation and stuff. Um, so these guys, Chris Chris Banson Leet Bunny, who runs the Hardware Hacking Village, um suffered through some extremely late nights this past week trying to help us get stuff working. Um, Rivas and Parker just helped us with FPGA, so it really shows the power of kind of the the community and people willing to help. Uh yeah, uh Longhorn Engineer actually gave us uh some some software that enabled us to first convert an image to the memory initialization stuff that we needed to put in FPGA, so even the very start of this project really wouldn't have happened without these guys helping us out.
Yeah, a lot of swearing on IRC. Um, alright, so the original BSODomizer, um, for those of you who happen to sit in on the talk at DEF CON 16, was um our original project together. That was a hardware based man in the middle type of device that you would put in between a laptop or desktop and a monitor, and it normally would just pass the video through just fine, um, but you could remotely trigger it with a remote control or set some DIP switches on uh on the board to have it trigger at certain times and switch, intercept the video and throw up a uh preloaded fake blue screen of death. And that was uh at the time, um, it was when the Parallax Propeller was brand new, so a lot of people know the Propeller from uh a later DEF CON badge, but at that time uh no one had really used it for much and it just came out. It was really exciting, works a lot differently, if anyone here has played with it, um, to a normal microcontroller, and it was capable of going fast enough to generate a VGA signal. But uh fortunately for the BSODomizer, the original one, um, old Windows BSODs of course are just text only, and that's all the mode that the original BSODomizer had, was to be able to generate a 1024 by 768 image of only text. And if you want to screw with people, everything's open source, the links are at the end of the presentation, you can still build your own um and use it. And this was really a good learning exercise for us, that's, we like to screw with people but we also like learning things, so this was like an attempt for us to learn about the Propeller and then and then really annoy people.
So somehow somehow I got roped into this. Zoz had this great idea, he's like the visionary, he um he said we should do another DEF CON talk, let's do the BSODomizer HD, you know, technology has increased, let's do something different, let's learn about FPGAs, which is something that really I wanted to learn about but I've kind of been putting it off for a long time because I knew it was going to be hard, and uh this was sort of the catalyst to do it. And it's like, alright, whatever we get done, like we'll share it with the community of course, and um you know maybe whatever we come up with will be useful. Yeah, there's a lot a lot of exciting stuff once you move to an FPGA, because you're uh creating hard, creating hardware in hardware with software. Um, it it meant that we could do a lot of things uh with an updated BSODomizer that the first one couldn't do, because the first one just generates a text screen. With an FPGA, as well as injecting full full screen graphics, we could also do some other interesting and exciting things, which we'll get to. Yeah, and that's something that as soon as we decided to do this, the first thing I had to do was figure out if we could even generate video on the screen, so it was like, alright, let's try to figure out some things, um, do a little bit of uh kind of pre-development work before we submitted the talk to DEF CON and, you know, for Black Hat tools arsenal and all this stuff. Um, so we sat down and said, what can we do?
Well, FPGAs can generate HDMI video, uh, so let's try to do 1080p, that's more of like something people use now, HDMI instead of VGA. Though it's funny, because when we had released the BSODomizer we were trying to trying to get it sold through like ThinkGeek and you know a lot of hardware places to distribute them to people, and everyone's like, no one uses VGA anymore. Um, but people really still use VGA a lot, uh, so you know it's something like HDMI, even though you know we're gonna move to DisplayPort and other things, like it will still be a valid option. Well, it's it's funny, like you know every everyone's a hater, right, so when we said we were doing this to a few people and we're doing uh 1080p, they're all like, what, no 4K? Yeah, I know, like, well, I think people are gonna keep using 1080p for a while, just relax. Um, okay, so some of the features we wanted: 1080p, uh, we thought it would be cool to have user loadable images from an SD card, so instead of just preloading something in advance. You'll see that we didn't get to all of this stuff, we set some pretty lofty goals. Um, we wanted to do some animations, because now we're able to write directly to HDMI reading from memory, we can basically modify memory in real time and have a new image come up on the screen or have a slightly modified image come on the screen, so there's a lot of possibilities for the mischief side. One thing we uh had really wanted to do in the original one is, uh, because it had some switches to switch between Windows and Mac mode, and then Mac uh kernel panics changed to, you know, scrolling down the black thing, which we just, there's no way we could do that with the original one, but uh with the one we have now uh we have the capability to capture the screen and you could edit it in memory and scroll scroll down the uh the gray overlay to say it's crashed, reboot.
Yeah, once we get that, once we get that receive part working. Um, so we figured, well, you know, the other tool was very mischief focused, and yes, you could use it for pen test, some people use it like they they you know walked into a building, put the BSODomizer in place and then had it say like surprise, we were here, or whatever. Um, but we thought, okay, let's see if we can try to legitimize it even more given how huge pen testing is now in red teams, like let's see if we can try to do capture. And this idea actually came after we had gotten some of the trans, the HDMI transmitting working. We're like, well, it doesn't seem like it would be that hard to receive a frame at the same time, unknown to the user, because we could split the signal off, which you'll see in some drawings, um, and capture the HDMI stream at the same time that's going to the sink, to the monitor. Um, so that's sort of a future thing, you'll see we kind of ran into some issues there, but the the base functionality is there and it's just a matter of kind of tweaking some of the code. The hardware support is there, which is pretty rad. Um, and then you know we're like, well, you can just, you can do some video display calibration and whatever, but really I think the most important thing is having, you know, another open source tool, something people can learn from and take our chunks of code. Like we are totally FPGA noobs, um, and we hacked a bunch of stuff together, but we've written some solid modules that people can take and put into their own projects, and that's the beauty of FPGAs, which we'll get into. Uh, so HDMI is, you know, of course the uh the video standard of choice. I guess the issue here is that HDMI is very high speed, and you know we all take it for granted of you plug something in and it works, but the signals are very very fast. Uh, they're uh differential signals, meaning you have a positive signal and an inverted negative signal that travel together, and the the pixels, the bits are being sent at a very high speed. That's
done for noise immunity and and for other electrical issues. Um, so you basically, the things we're we're concerned with for the BSODomizer are the three video lines um and a clock line. There are some other things with HDMI, uh, some digital control lines that are used to communicate with the monitor and some other things. There was a DEF CON presentation last year, the year before, on fuzzing devices that have HDMI, so fuzzing monitors through the digital control interface. Uh, we're just looking at video in this project, but that could you know be rolled into it if that's what somebody wanted. But so uh you know, if you if you do the math, you're doing, you're pushing uh over around 120 million pixels a second at 60 hertz, so that's just a lot of pixels, and if you look at the actual bit rate it's 3.6 gigahertz, so there's just no way that you're gonna find a microcontroller out there to do that. Yeah, and and FPGAs, as we'll talk about, are designed to sort of do heavy lifting of digital functions, so if you wanted to have, you know, you could take differential signaling in and process it, but you'd need a really really high speed powerful um device. Uh, so we you know decided we we had to figure out a way to be able to process video and generate it in some sort of timely manner, in real time, and uh dealing with the straight serial data is hard, so we ended up focusing on a system that we can now get a pixel clock of 148.5 megahertz, and that's going to simplify things a little bit by looking at parallel uh data. I should read the slide instead of doing rough calculations in my head, so 100, nearly 150 million pixels, not 120. Yeah, close enough, it's alright, it's early.
Um, alright, so FPGAs. This is just a little bit of an intro slide, you'll you'll sort of see our suffering through this, but FPGAs are field programmable gate arrays, and it's an electronic device that basically is like a blank slate of digital logic. So you know microcontroller systems, computers, all the digital things we use are based on low level logic, digital logic that's basically processing ones and zeros and doing stuff, so CPUs are built up of millions of of gates or logic. Um, FPGAs let you be the artist and sort of fill this canvas with whatever you want. Um, as opposed to a microcontroller, you know, that's running things step by step, you have your program counter doing things sequentially, um, FPGAs can do things in parallel and you're not writing software, you're writing hardware, which is a great combination for us to sort of merge the two. Um, and it's sort of like, and stuff is executing in parallel, synchronized to a clock or to different clock signals, and it's a complete mind fuck if you come from the software side or embedded system side of how a system's working. For example, if you're a software person and you're used to putting a value in a variable and then using that variable and reading it back and having the new value be in that variable, then you'll be surprised with FPGAs, because everything happens on clock ticks. So within a block of logic, um, if you set for example, you know, uh a value in a variable, it doesn't actually take that value until the next clock tick, so if you refer to that same variable in the same block of logic it's still got the old value. So there's just like a lot of ways for a software person that's used to a normal uh programming language to fuck it up. Yeah, and one of the things, I tried to explain this to my kids, um, because Zoz had come over a few times to work on this project and we're slaving away for hours, you know, up until two and three in the morning, so my son comes in one day and says, daddy, what what are you working on?
So I tried to explain it and I said, well, we're trying out a new piece of hardware called an FPGA, um, it's much different than what daddy normally works with, which are microcontrollers. Um, I said, you know, microcontrollers you can, you know, pat your head first, rub your tummy second. FPGAs you have to do the both at the same time. And he tries it, he's like, oh, that's hard. I'm like, yeah, that's why we're staying up so late. So uh yeah, so FPGAs really traditionally have been very very very complex systems. The development tools have not been free, um, they are definitely not user friendly, but they're becoming more accessible, and this is something like you can look at projects now and you might see an FPGA on there to do say some hardware acceleration or some crypto or video generation, and then usually there'll be a microcontroller associated with that to do the normal microcontroller stuff that doesn't have to be in an FPGA. Um, so there's there's two um hardware design languages um, hardware description languages, that you can choose choose to use. Uh, one is VHDL, uh, for anyone who's done any programming for the DOD, it's a lot like Ada. Um, it's got it's got some sort of strong strong typing, it'll stop you from shooting yourself in the in the foot in certain ways. And then the other one is Verilog, which is sort of more C like, and just like C uh it'll let you make all kinds of mistakes and not warn you. Um, and uh so partly because um you know we've done a lot more C recently, I actually, my first program, programming language was Ada but I haven't programmed in a long time, um, and also because of the tools that were available for the FPGA we were using, we used Verilog. Um, and really really uh there's just lots of things that it won't warn you about, you know, you can you can refer to signals that don't exist and do all this kind of stuff, you can put a typo in. Uh, what what was the one where you were using a different clock and it was just like a typo clock?
Yeah, I made up a clock name because I typed it wrong and the system didn't tell me, so probably four or six hours of trying to figure out what it was, was the wrong name. And to make matters worse with development systems, as the complexity of the of the logic you're trying to compile and synthesize grows, the time it takes to compile and synthesize grows, so when we were working on the project it basically took between 10 and 15 minutes per compile to synthesize our code, put it into the FPGA and then execute it. So you can imagine the boredom of sitting there while it's compiling, and we would end up, so you know, you make a change, you compile it, it runs, it doesn't work, and you make another change, you do it again. So we would try to fix our problems that we found while it was compiling and do it again, but it led to the thing of like which which problem are we fixing and what new things are we introducing that are going to cause another problem. Yeah, and if you you know just, if you um have to express, like if you're used to just tweaking a tiny thing and quickly testing it out and iterating, you know, iterating fast, you just can't do that when you have a 15 minute compile time. You know, it's like you try try four different things and there's an hour gone. So um one other thing with FPGAs I want to mention is there's something called IP, or intellectual property, that are basically logic modules that you can buy or license from other companies. So for example if we wanted to, like with our development board that we have, um, Altera makes something called the NIOS processor, which is a CPU, some architecture, I don't remember what because we didn't use it, um, but you can license that from Altera, so now you can have a microcontroller inside of your FPGA to do microcontroller stuff and you write code in C. So if you're reverse engineering a piece of hardware, for example, and you find an FPGA in there, you're not going to know what it does because it's literally a blank slate.
The problem though is that we didn't want to design anything that required licensing IP, because that's totally lame. We wanted to do something where all the logic defined what it was and not rely on that, so a lot of the example code that came with the development board was was all based on this NIOS CPU that we didn't want to pay licensing fees to, so we had to create, you know, our own lower level interfacing. But the beauty of the FPGAs is that you could go out to like a place like opencores.org and choose things that are open and free and integrate those into your products and make, basically make your own custom chip. We also thought it was kind of, it would have been kind of cheating for us to just drop a microcontroller in the FPGA um instead of doing everything by hand. Yeah, but we should move a little faster here, because I guess, yeah, I guess the takeaway here is that FPGAs are really hard. Okay, so the process is, you know, first thing we like to do anyways, put together a block diagram. This is an early one that doesn't hold true too much, and I'll show you a better kind of connectivity graph of how things go together later on, but the two main things we'd need to work with at first when we started the project was find an FPGA that had some some sample code that was accessible, that was available. Zoz came over to my house for a week and we basically had four days of time to source the starter kit, to figure out what FPGAs are, you know, what we want to do, and then get the thing in hand and see if we could generate some video. Yeah, at this point we hadn't decided to submit to anything, so it's like, okay, well, one week, let's get a dev board, get it up and running, prove that we can do the thing that we are gonna say we're gonna do, the main thing, the injection, and then we can, you know, know that we can get it done.
So this board has a lot of functionality on it. It's a very powerful part, so we don't actually need all that power, but it's better to start large and sort of cut back. But it had, you know, some DIP switches and things that we can use for our triggering, a lot of GPIO that's going to be useful for the HDMI receive. It also had what's called an HDMI transceiver or transmitter, and what it does is take parallel data that the FPGA gives it at the pixel clock of 148.5 megahertz, serializes it into the eight high speed HDMI format and pipes that out. So now we don't need to generate 3.6 gigahertz bit rate signals, which you could do with some FPGAs but they're gonna cost you a lot of money. So using this one, now we have this chip that takes the FPGA data that we're generating, passes it through, feeds it out to HDMI, which now sounds like, oh, it's easy, all we did was pipe some parallel data through, but that's not not actually true. We thought it was going to be very easy. It definitely made it easier. So here's what the early proof of concept looked like. It was the development board hooked up to HDMI. You can see like some extra hardware along the side, I'll talk about that, but it was some unique kind of power things we had to deal with. So yeah, we talked about that, you know, FPGA development being slow, tools are hard, but the goal was to figure out how to draw something on the screen. So the sort of main thing that we had to do here is, the block block memory inside the FPGA that we had is only, I think, five five hundred and twelve K, so not big enough to hold a full frame buffer of a color 1080p image. So what we were, what we did instead was put in a monochrome image, because there's only two colors on a blue screen of death, so as long as we can display a BSOD, no problem. So we loaded a monochrome image and then just set, instead of black, to the the Microsoft blue the slides background is. And to do that, you know, we have to start with a source image and convert that to what's called a memory
initialization file, which is this thing that the FPGA takes that just fills up that block RAM, so you have to, you know, put it in the format that it needs with the right with the right headers and the right size for block RAM. And that's where Longhorn Engineer really helped us out that week, because he had this image to MIF function that he had sort of half written. It took in certain kinds of images and certain kinds of bit depths, and he gave us that, and then we forked that and made it do the things that we need to do to generate the 1080p, well, to load the 1080p monochrome image. Which, his was, his was designed for a Game Boy. He'd hacked a Game Boy to take the parallel data that was going to the LCD and then port that to a larger screen, so he was only looking at four bit, four colors. So yeah, Zoz modified the code to basically take in a bitmap and then pack it into a one bit per pixel 1080p, because that's, like he said, the only amount of space we had in the internal RAM. And putting things in internal RAM is good, but it's sort of, it's sort of a pain because you have to preload as you compile the the FPGA. So that's one example and one function that we have in the tool, but not the ultimate one that we wanted, but that was the one that we first could use to prove the concept. Yeah, the the problem with doing that, we want the thing to have a bunch of different modes where you can output different images, and so using just the internal RAM, that gets loaded, you know, at the time that the FPGA is compiled, and so it would, you'd be limited to that, just that one image if you did it that way. Which is okay, because that's what you get for now, because that's as far as our code gets, but the functionality of the hardware is there to do more, which we'll talk about. So the other issue is, we got the FPGA board working, we could display some some video, and we'll go through some of the pictures, but one issue we had is how do we power the thing, because if this ends up being a actual tool that you're
going to inject in somebody's place or facility, you don't want to have to plug in a power jack to it, right, or a wall wart, or plug in like a USB cable to get power, because that's just lame. So the original BSODomizer had a, you can see the clip here, for two CR2032 batteries, the same ones that are on the DEF CON badge this year, and big, that's because you don't get any power from VGA. This time we're really excited, right, because we're like, yeah, you got five volts from the HDMI, we, you know, it's going to be super simple, it'll power itself off the HDMI line. And then we looked up the spec and you can only get, you know, 55 to 100 milliamps of power off that five volt line, and we're just, fuck, right, shit, we're just, not enough, we're thwarted here. And we looked around and like there's a lot of devices that violate the spec, you know, these like sketchy Chinese HDMI devices that just, they don't care, and also a lot of HDMI, you know, supply like devices will sort of let you violate the spec, but we wanted to do it right and make a device that that follow the spec, especially because if you're going to use this for penetration testing you don't want to plug it into some machine and have it cause problems and have someone notice it right away. Yeah, you don't want to interfere with the target, right. So we had to figure out a way to get that working, and it turns out, as you'll see the block diagram, we ended up designing a front-end board that handles a lot of the timing, the remote triggering and stuff like that, and we have a circuit on there that basically will allow normal pass-through mode of the HDMI signal and charge a battery, trickle charge a battery while the system is technically off, so while we're just doing pass-through. And then when the, when the user will trigger the BSODomizer, that enables the rechargeable battery and the battery itself powers the FPGA board and just turns it on when needs three through a single line to a MOSFET, which is kind of cool. So we'll get into some
details of that, but that was a way to overcome the power sourcing issue, is, you know, have a battery and just have a trickle charge, and it will last many hours, as you'll see. So yeah, the 1080p one bit per pixel, our first test. This took, this took a few days of time to get going. Yeah, actually my flight back got cancelled due to storms in Houston, I had an extra day on the week, and that's when we got it working. We didn't quite make the original week, but I had had that extra day and then we got it working, and it was just like, you know, it just was like being back in the 80s and driving a CRT screen, you know, where you compile everything, 15 minutes, you hit the button and then the vertical hold would be off, you know, and the image would be scrolling crazily or it would be smeared across the screen and you just be like, what the hell is going on here. Yeah, because we needed to, just like, I'd written an Atari 2600 game a few, ten years ago I guess now, just for fun, and you have to deal with like tracking the scan line before you draw your graphics. It's the same thing, we need to know where where the scan line is, really what pixel we're on, so we don't end up having timing issues. And this is really when we started it, once we got video on the screen or an image on the screen we're like, yeah, but then once we started debugging it we're like, fuck, like that's when we realized that, how hard it is to work with FPGAs. The debugging tools also, by the way, are very very limited. There's something called a SignalTap, which is, at least with Altera, is a logic analyzer that you can compile into your code, so you're basically looking at gates and at nodes inside your chip, but every time you add a new node and you're like, oh, I want to, I want to look at this line, you have to recompile it. So it's very very hard, and we ended up using it, it did save our ass at the end, but it was a hard process to get through, like why is the pixel shifted in everything. So these are the, so one problem, there's lots of things
you can clock off on the FPGA. Yeah, that's me, you know, looking for glitches with a with a magnifying glass to see if we're really, you know, that that line of pixels is is probably vertical. But you can clock off a lot of things on the FPGA, and one problem we had was figuring out what line we were on, and we're clocking off the pixel clock and we're like, why isn't thing, why aren't things on the right line of the of the display, and it turned out it's because the pixel clock keeps counting during the horizontal blanking time. There's no real reason you have to do that, you know, digitally, but it's just like old school, like you know how you would redraw parts of your frame in the horizontal blanking time to counteract the fact you didn't have enough memory back in the Atari days and do do processing in the time where it's not drawing on the screen, so there's still some function for that. I think it's sort of a holdover from from CRTs. But once we solve that problem, now we could actually display something that we had preloaded into the internal RAM, which was killer. So here's our like first little BSOD that came up. I don't remember which version this was. Windows XP? Yeah, maybe, I'm not sure. This might be actually a, be a BSOD from the original BSODomizer development, I'm not sure, that we grabbed it, and this is, this is, yeah, oh, so many, I don't, whatever year that was. Yeah, so what we did then is, alright, we had, this is, this is where it gets really bad. We had the proof of concept working, Zoz was like about to leave, and we're like, well, we need some video to submit to DEF CON to show that we can at least generate video, and then we'll worry about everything else later, like once we get to HDMI the rest of it's going to be easy, which was so not the case. And I think like we sort of got suckered, because even though it was hard we we got it, we're like, yeah, this is, FPGA is nothing, piece of cake. So we needed to make a video, and my wife happened to be around, who's not very technical, though
some of you guys might remember her from calling me when I was on stage talking about the DEF CON badge from a long time ago, in my, and she was pregnant with our first child and I had my phone on and she calls and there's like three thousand people in the room and stuff. So she's been here a few times, but she's not technical. We're like, can you just like pretend to be using your computer and I will manually BSOD you, and then like you'll see a blue screen of death. And and this was, you know, because you probably have seen the announcement that the new Win 10 BSODs are going to have a QR code on them, so it was like, this is perfect, we'll generate like one of these newfangled BSOD screens with the QR code and get her to scan it with the phone, and then we can, yeah, we've done before, yeah, and then we can send, use that QR code to send her somewhere that she won't expect. So we basically told her like, use this app, scan the QR code, pretend, you know, just act it out. But you can see the point in time where it goes from like very obvious acting to very obvious like WTF is going on. So here's the first, first of three videos that we have that will show you throughout the presentation. So she basically was like, what the hell is this, this is the dumbest thing ever, if you guys actually focused your time on like doing something useful, imagine what you could do. So then, yeah, so she had no idea about QR codes and the fact that you could preload it with a malicious URL, so imagine if you're actually using this for a pen test and have somebody scan a QR code and, you know, then go to a malicious website, pwn their phone, whatever it is. But the Rickroll classic, she had no idea what it was. Okay, so we had that working, we submitted the talk to DEF CON, now we said, now we need to actually try to get done other functionality, and you know that consisted of making sure we could power it, making sure we had a way to control it instead of using DIP switches. We wanted to, we didn't have enough space in
block RAM for the full 1080p 24 bits per pixel, so we needed a way to use external DDR2 RAM, low-powered DDR2 SDRAM, which is on the development board, and we figured dealing with the block RAM was easy, so how much harder could it be to deal with external memory, and we were way wrong about that. We also wanted to have an SD card so you could preload images and, with the screen capture mode, save those images back, and as you'll see, the hardware is in place, again like the code not quite, but all of the heavy lifting kind of low level memory reading and writing and displaying is done, which I'm really really happy about. So the rest of it, who just funny, I say this every time, shouldn't be that hard, but we'll see, you know, we'll see if that happens. And we needed to combine it into something that was useful. So, well, we, the main thing is, as we mentioned with the power, power consumption, the FPGA is the thing that draws all the power, so we want that to be basically off as much as possible while the battery is trickle-charging. So to do the front-end, the front-end's got to be, because we wanted to drive it with a, be, trigger it with an infrared remote control, something's got to be awake all the time watching for the infrared signal. So we decided to use a PIC for that, because Joe had a board he was working on shortly prior to that that was all already set up with, you know, broken out for it for development, so we just use that board to make our lives easy and save time with the IR external trigger. The part number's there. And also the timer mode, so the front-end PIC keeps track of time for time mode, so you know for when it's just, goes off to, after 10 minutes or so, and it also monitors the battery level. Yeah, so what we can do is, you can, you know, trigger the BSOD but then have it not actually go off for 10 minutes or 30 minutes or something, so you walk away and do it. And really with the front-end what we have is just that single line to enable the FPGA, so if you wanted to modify this
and say, well, I want to use Wi-Fi or I want to use Bluetooth remotely control stuff, you can, and just, you know, feed in a different output to that FPGA and move the PIC. But this is all low-current stuff that's running all the time. The original one, we just used Sony TV codes because everyone's got a TV remote control, but for this one we thought, well, this was Joe's idea, people aren't, if you're, if you're walking around a facility with a big fat TV remote control, you know, in the office, people are gonna be like, what's going on here? So it would be cool if it would use the more covert remote, and now you can get a lot of these little Apple remotes surplus from various, you know, surplus places. So Joe was like, alright, I'm gonna order a bunch of Apple remotes and let's figure out how hard it's gonna be to use, you know, trigger off this instead of using a standard TV remote. Yeah, and a lot of the information online that we found about the infrared remote for Apple, people have reverse engineered them, but not a lot of the information from the different websites lined up. Some pieces did, and we ultimately just created our own kind of brute force decoding mechanism and then just identified where the signal was sending the command signal for the six different buttons that we were using. Yeah, you can see on that oscilloscope trace there basically how the format works. It's a transmission protocol called NEC, which is not the version that, not the protocol that we thought it was going to be initially, but there's like, there's this one sort of long pulse to begin with and then there's a short space after that and then it clocks the bits in, and it's just the width of the pulses is the width of the bits. So looking for that sort of start pulse and, and space gets started, then all these bits came in, and we couldn't, a lot, a lot of what those bits are we don't know what they are. The stuff online is contradictory and confusing, but we figured out the space that uniquely defines which of the six
buttons is being pressed, and we just read those out once we figured out that the bits are in the reverse order, which also wasn't, wasn't documented anywhere. Yeah, so I should mention too that the front end, the Microchip PIC stuff, is standard microcontroller written in C, so you could take this code, you know, that we've done for Apple decoding, if that's all you want to take out of this presentation, take it and plop it in something else to now decode out for remote. So there is some stuff in C that's a little easier to work with. For the HDMI receiving we're using an ADV7611, so basically the opposite of what we're doing for transmit. We're transmitting, we're pushing in parallel data, getting, getting serial out; this, we're receiving the serial data from a chip and then the parallel data goes into the FPGA that can then be clocked in and ultimately stored into memory, which can then be used. There's a board called the HDMI Light, which is a project that somebody put together that takes HDMI in and kind of just very simply reads some of the color pixels around the edges of the screen and then turns on some RGB LEDs around his, his bezel of the screen to sort of extend the color, which I think a lot of TVs are doing now. So we use that as a breakout board, sort of a reference board, since we didn't have time to make our own board to get stuff done, so we use that one and then hook that up through an interface board to the FPGA. So we have the stack up that you'll see, it's, it's pretty wild. And for this we use my PC board prototyping machine, which generally is good for creating lots of interface boards, and we ended up with, this was a standard board, you know, just taking one set of pinouts and converting it to another, but the trick is that we had to deal with 12, 12 mil traces, 12 thousandths of an inch, which are pretty small. Not so small like when you're getting a PC board professionally fabricated, that's not a big deal, but when you're milling stuff, because this basically is milling
traces out of the copper, there's a lot of mechanical stress and those traces end up being very small. And what ended up happening is, as I was soldering the connectors on, the glue between the copper and the fiberglass of the circuit board was getting delaminated because those traces were so small. There's no solder mask to protect the traces and stuff, so I ended up having to go in and manually repair stuff on a, on a point one inch header, double row header. It was a nightmare, but now it works and we have, you know, hardware interfacing. That was just another part of the stack up of circuitry. And this was, that was, took the smallest milling bit that the, the T-Tech takes, and we broke a milling bit, then we had to, you know, hand fix everything. So it's just another step where it's like, oh, here's an easy thing, let's just like spin out the circuit board, man, next thing it's two in the morning and we're all swearing. But without that, that would have been an issue, because we couldn't hand wire that board because the speeds of the signals, like 148 megahertz seems slow but it's still pretty fast, and if we were hand wiring things, if the lengths of the traces were longer, some of them are longer, some of them are shorter, that could introduce some timing errors if there was, you know, any sort of noise that was picked up by longer traces. So we needed to have some sort of carrier board. Some other, we had some other subsystems in there that, that I'll show you in some pictures, but really I wanted to show you the actual prototype that is also on the stage and that was used to create the next set of videos that you'll see, is what I would call the circuit board sandwich. Yeah, wrong sandwich picture, Joe. Oh, oh, sorry. Okay, this one, there's the real circuit board sandwich. So this board is the stack up. Down to the bottom we have the FPGA board, up there is the HDMI Light board that we're using for the carrier, there's also the interface board that you can barely see. You guys are welcome to come up and take a
look at this after. There's the PIC front end board, that whole, whole board up there that has the infrared remote, the battery charger. There's battery charger, there is the HDMI splitter, so when we're doing HDMI receive we need to actively split the signal, because if you're tapping into high-speed signals you could introduce noise and glitches and other things just passively, so having an active splitter means you can pass the HDMI signal to the target monitor, the user would never know, and then you're sucking off the HDMI to do your capture on. So that's what that board's for. And then there is the HDMI switch, which is switching between the target system and our generated HDMI signal. So I'll leave these in here for you to review later, just some drawings of how to understand how the system goes together, and these are really helpful for us to graph and sort of put down and on paper what was, what was happening. It was very confusing process. So, current measurements. Yeah, we basically, with our battery, it's about, it's a lithium ion, it's about an inch and a half or maybe two inches by two inches, two thousand milliamp hour, you can run for about three hours of active generating HDMI. That's never going to be the case, right, because you're going to throw up a BSOD and a minute later or less somebody's going to turn off their computer, the system's going to reset, and then it will go back to pass the remote, so you can get a lot of battery power, and then of course it's going to charge while it's not being used, which is most of the time. The main challenge we had was dealing with the external memory and getting external DDR2 working, where now we're dealing with 24 bits per pixel, 32 bit words. To simplify three weeks of complete pain and tears and suffering and everything, what we ended up having to do is double the speed of the clock signal going to the external memory, and we're basically clocking things twice as fast to the memory as we are to the screen, so we can read data faster from
memory, put it into a FIFO buffer, and then as the HDMI transmitter is ready for it, it can grab it from the buffer, so we're sort of pre-loading a cache, I guess, if you will. And this was, this was something that Leet Bunny had helped out with, some serious stuff. We had, had to implement a burst mode of the DDR2, which basically we're reading 128 bits at a time. We tried to do pipelining and it was like, this, it was the worst experience of my life, but now that it works it's awesome, and, you know, we learned a lot about the development tools and stuff. But here's sort of some videos, you know, you saw some pictures, but this is like, this is basically like a week before Defcon and we keep seeing, like, oh my god, we're close, we can kind of see things. Yeah, so this is after a successful write to memory, that was working just fine, but then reading it back in we get video after video after video like this. And writing it is actually easier because we don't have a time constraint of trying to draw to the screen, but what we needed to do here is drawing to the screen by reading the memory and then writing it in real time. So eventually we got stuff working, and, you know, this is, this is sort of Zaz in the midst of some of our debugging early on. And yeah, so, you know, we basically are like, FPGAs are really hard, they suck, but there are actually good practical uses for them, right? So there are, there are, there are uses for them, and it's just picking, picking out the useful things, especially things that can't be done in, in, in sequence. So I just want to throw this picture up. You can't really see it, but you can generate what's called an RTL, which is basically a schematic representation of our logic design, and each of those blocks are a separate set of code, creating this massive digital custom system of our own. Alright, so now the part you guys have been waiting for. This was something where I had, so Zaz was away and we needed, I wanted to have some more videos of real BSODomy, right, once we got the, the remote
trigger and working, all the front end stuff. So as the guys came over, you might recognize them, one of them is Anch, who runs the registration, and one of them is Cript, who helps run a lot of, a lot of Defcon now. They came over, I created a special image for them, and I'll just show you the video. So to lead up to it, my kids were there, they love these guys, and, and I told them, I said, convince them to watch something on my TV screen. So they basically convinced, convince these guys to watch like a Pokemon, basically my wife dressed up as Pokemon and the kids chasing down the street in our neighborhood, because we didn't want them to play Pokemon Go because we're paranoid about privacy, of course, as we should be, so we decided to do Pokemon Go in real life. So they were trying to, you know, my kids convinced these guys to watch this video and then you'll see what happens. And I actually have not seen this video yet. Joe refused to show it to me until the, until the presentation, so I mean, I'll be joining you guys and watching it for the first time. Also, if there are any young children in the, in the audience, cover your ears; if you're with your parents, make sure they cover your eyes. There's some nasty images on the screen, as a fair warning. Okay, here we go. Is watching the video which has happened. Thank you. That's why no children are allowed in this office. Why like desautomize you and tame you pee. It's a little more sleek for the, for the office space. More goatse. Sorry I had to do that to you. Yeah, so, so yeah, so Anch was basically disgusted and was texting his wife that Joe Grand just goatse'd me. But what happened is they were so loud that my kids were outside playing, because I told them, they, I was like, I'm gonna show Jeremy really disgusting video, like you can't come in, so they heard all the noise and decided to come in. So I'm like, all right, I'm gonna BSOD them too. Children are not immune, but not, not with what you think. All right, so, so now, you know, now the kids are watching the video
because they think it's funny. Yeah, so daddy's using his visa to watch out. So you could see on the screen there was some static on there. That's another mode that we generated to show that we could do animated video generation, is now you have static, which is awesome for kids, because if you hook this thing up and they're watching TV and you don't want to be the bad parent by saying you got to stop watching TV, you just, you know, turn on the static mode, you'd be like, oh, I guess the TV broke, got to go play outside. So we had some other modes in there mostly used for testing, some moiré patterns, some grayscale stuff, and that's all still in there, so if you need to have like a legitimate reason to build the tool, you could do that. But really it comes down to, you know, the challenges of dealing with the FPGA, designing the system in essentially five weeks of full-time work with, with us across the country and Zaz basically receiving a bunch of emails of me bitching about stuff and like once in a while sending a picture. I did send him the goatse of the image on the screen. I didn't hear from him for a few days. I'm like, oh shit, I know he's hard to piss off, but I wonder if like I really pissed him off. No, I just wasn't ready reading email for a few days. Yeah, to travel. So yeah, so, you know, the challenges of this is we picked something way outside of our comfort zone, and I'm proud that we were able to get to a point where we have stuff to share, we have stuff to show. There's other FPGA nightmare stories, and anybody that's worked with FPGAs is probably like, hi, you guys, suckers. But things about even like dealing with the different signals at different clock speeds are like really hard things. You have to synchronize stuff, and that's what we did with the buffer, or you're gonna have all sorts of problems. Things like, we need to generate a new clock with a phase-locked loop, a PLL, that's in hardware, and the SDRAM interface, the DDR2 RAM interface, was using the PLL that we were trying to use, and it
took about four hours to realize that we were not using the right one, and we had to physically specify in code where we wanted to physically place a piece of hardware inside the silicon, which is pretty mind boggling. So yeah, it was a lot of fun, kind of a hard project. If you want to start working on your own project, all the code for the old BSODomizer's up on my website. The development notes and the schematic for this project will be up once I get back to a safe internet connection and I can scan all my documents in. There's two GitHub repos, one for the C code for the front end, one for the HDL for the FPGA, so everything's available that we've done will be online. And, you know, the main thing I think here is that we, FPGAs do fill a gap, like they're useful for certain situations if you know what they are. Definitely don't be scared to start using them and get involved, like there are some simpler FPGA boards, because being a hacker is all about expanding your knowledge, right, and trying something new and learning from it, and like even if this is a completely ridiculous project, I'm confident now that as an engineer I can go and like design something with an FPGA. Yeah, we definitely don't want to scare people off, you know, with, with saying how hard everything is, just that there's a learning curve like there is to anything, and you have to not be scared of it and to dive in and just, you know, commit to a few weeks of frustration to getting everything up and running, but once you do you'll be like, wow, this is a really cool powerful new tool in my arsenal. That's right. Yeah, so the final question that people have been asking us a lot is, are you going to turn this circuit board sandwich into an actual product? I don't know, there's a lot of engineering that still has to happen, mostly from the hardware design side. Zaz is sort of like the, yeah, I really, I really want to do it, and Joe's not sure if he wants to do it. It's got a, it's a classic kind of Jobs/Wozniak situation going on here
because it's really easy for me to say, yeah, we should get this in people's hands, you know, people will really love it, they'll use it, but Joe's the, Joe's the one that has to do all the hardware design, to be stuck with it. So yeah, you know, depending on if people want it, whatever, we set up an email address you could send comments and suggestions, but everything's up there so you can at least start hacking on stuff on your own. So, but yeah, if you want it, if you, if you would, if you would buy one, send email to root at besautomizer.com and then we'll, we'll gauge demand and then maybe we'll make it. So yes, thank you for coming, and the end.