 Our next speaker has already some experience with reverse engineering first master seizes he took a look closer look at skype and Got into a bit of trouble with the company and got sued by them and got followed in two different countries by them now he turned his attention to another device and he's looking at these micro tick route routers and And hopefully he hasn't gotten any bad experience so far and he's quite hopeful that it will stay that way Let's see and enjoy the talk while it's last while he hasn't got any hasn't gotten sued yet So please welcome to the stage Kiril Solovich Thank you. Thank you very much well, I haven't been sued by these guys yet because this is the first conference I'm presenting this at I guess Yeah So I do have a lot of things to talk about To you today on this topic I actually had to cut my slide deck down a bit So the missing slides are going to be presented at balkon in Serbia 15th of september if you want to see them But because there are so much stuff to talk about I will Skip this part about who I am and what do I do? if you guys are interested About who am I you can follow my twitter You can see what I do on my research page So go there I'm hacking always even When companies wouldn't want Me to be reversing or looking at their stuff I always do that but still For this presentation here's a nice slide of a legal disclaimer The goal of this research That i'm doing here with micro tick is to achieve the interoperability of computer programs in this case So for running on micro tick routers with other computer programs and one example of course would be We have an apple on one side. We have a printer on the other side and there is neat protocol That apple devices talk To the printers called air print Well, if there's a micro tick router in between These two devices and they're on on different subnets Then it doesn't really work But luckily there are services That allow you to fix that the problem is you cannot really integrate this service into micro tick router because Not unlike these devices here Micro tick devices are also closed and you cannot get Full access to your hardware So one application of my research is that I also would of course like to acknowledge prior research done by other people Sometime ago Nine years ago if i'm not mistaken Antony from forum awmn.net Did initial analysis of npk format and we're going to talk about what that format is Drubica later on implemented npk file and packaging Open VRT team We're grateful to them for the kernel config files, which allows us To achieve what we have achieved a bit easier Also the team Only I could Come here today But we also have Jans Jansons who was doing static binary analysis and was creating the boot up sequence For our tool and we have Emiles Romanis who Did the music part so can we have a round of applause for these guys that are not here? So I want to talk about Four things I want you to give I want to give you a little bit of overview into router os Which is the operating system on? micro tick devices How many of you have heard of micro tick or router as before this event? Wow, how many how many if you use them or have used them? Okay, some of you that's good half of you are using so you know what i'm talking about And you will find this useful that's good Then we're gonna Look at reversing the support files. So these are files which your device can generate if you have a problem And their support will ask You to send the files in but you don't really have any idea or control Of what is in those files and is any of your private data at stake when you are sending these files to them for support On npk format, we're going to take a look at how Packages are being installed how systems are being upgraded And how the format works. So those two parts are going to be Technical parts of the stock and finally we're going to Try to get try to jailbreak a real physical micro tick router because it's easy for virtual machines, of course And see how it goes that's going to be a live demo Actually, we're going to have four live demos in this one hour if everything goes, okay Okay, let's get to it Let's start with the overview of router os Half of you have used router os This is the ecosystem for router os So we have the router And we have some Different things around it in green I have marked the mandatory components of router. So The company makes different models. They make these Middle-sized they make these huge huge devices that you put into rack their newest devices. This cool cool little thingy I think it's called hop mini really really small. It's still a router So depending on the device, um, there are some optional components Those are marked in yellow here Here for internal storage Depending on devices either flash and or a hard disk drive What we are really interested in Our is our our targets the access targets for us are the file system We want to see what is on the file system of the router And of course the access target is the sub out drift file the support file Our access vectors that is the possibilities how we can get our access targets Are marked in red We have the console our serial or usb As you can see serial and usb are yellow, which means this depends on the model We have npk files which are the package files and that we could craft in a specific manner to maybe try And attack the router, but these are vectors, which means those are possibilities We have direct access to removal storage again. It's optional if router has removal storage Say cf card We can directly access it Then micro tick provides some need tools That we can also use to As vectors They have the web interface. They have dude. They have windbox ssh ftp telnet and net boot Our approach uses net boot and That is the vector that we were able to leverage Let's spend 10 minutes on router's history When I was preparing this talk, I wanted to understand How routers evolve because I put the previous slide together And I looked at all these possibilities or these optional components and I thought wow, that's that's quite a mess That's quite many options available So What I could find Is micro tick version two specification sheet That in the top right corner is date. So the july 2000 I don't know what happened to version one. Maybe it was internal version but version two was where we started that And those of you who use micro tick might find this sentimental or interesting These were the features of the network system at that time These are this is a complete list. There's nothing left out of the network features And you see that some of them having brackets that this will we will ship this in 2.1 They started Really really simple and they're growing quite fast and that that amazes me by the way micro tick are are latvian company I come from latvia. They are also latvian company. So at least if they want to sue me They didn't will not have to send a lawyer to a different country. So that's good for them right Network interfaces were supported you can see that some specific network interfaces very limited amount of network interface were supported And if you remember these isa cards called ne 2000 Yeah, I was assistant back then And hardware required so micro tick version two was actually a software. It was not a hardware package at all You needed 486 dex or better cpu. You need 16 megabytes of ram and 32 megabytes or more of hard disk Of course for installation monta and the keyboard were great and floppy drive was needed and five floppy discettes was Everything you needed to get it installed well I In preparation for the stock I tried to use only pictures that I own myself And I dug Dug up my archive of my pictures This is the oldest picture I could get This is actually not 2000 this 2004 because 2004 was the year when I got my first digital camera This one here, sorry this one here is my router Maybe you can't see it says IBM ps1 on on the corner in the blue there It did not run micro tick because back then micro tick software cost like 200 dollars It runs like where and I set up routing myself But those were the boxes That might have run micro tick back then in 2000 We'll quickly go through the next couple slides This is mainly for reference here year 1999 version two software is released Upgrades are upgrades are are already available as packages I don't know if there was our npk packages or some other format But upgrades already happen as packages and you can install them manually In 2000 according to marking materials 2.1 comes out. I've never seen it, but it should have kind of came out 2001 we have two more versions NPK format is first mentioned in 2.3 In january 2002 they changed their name From micro tick router software to router os Nothing else changes. Well features that changes, but nothing major router os is finally born 2002 in january So if anyone here is a wikipedia fan and you update wikipedia you can Put that in there right some more versions In 12 february 2004 router os version 2.8 was released and software key system changed of course As i already told you it is a software Which means you need software keys to use it and there was a key system In 2.8 it changed and it actually has changed to the current algorithm And even though official documentation says you can use our current license keys with any version down to 2.9 2.8 also works. So if any one of you wants to use 2.8 go ahead you can downgrade Your hardware might break, but you can at least the key algorithm will match and you will be able to import your key august 2005 version 2.9 released This is where new architecture is introduced for now. We've had only x86 In 2005 six years after version 2.2. We actually have our first router board. It's rb 500 It's based on mips architecture little andian version November 2005 How i know that i reversed a bunch of firmware versions for them So There's a file called on the file system called nova bin login And it's been it's been linux since the very beginning since version 2 In this file a string novaetc Slash devil-login appears apparently This file bin login processes your logins over telnet And what it does on this version 2.9.8 Is it checks if the file novaetc devil-login exists And the username you're using is devil and the password matches the password of user admin Then it launches bin sh for you rather than the shell of microtic Which is a known thing right how many of you already knew that? Just one two. Oh, wow. Okay. Well, it sounds they're on the internet not in this not in such a pretty form right But it sounds they're on the internet and this is this already known and that allowed I wouldn't say this was a requirement for me to be able for my team to be able to complete the research But this gave us the motivation behind the research and actually some Some light at the end of the tunnel that there is A way to do what we wanted to do Two and a half years later. We're still at 2.9 2.9 51 is the last version of branch 2 Branch 3 introduced in january 2008 mid 2008 around version 3.10 Anthony who already mentioned releases Two scripts to python script create npk and dump npk on the forums of Athens wireless metropolitan network These scripts well one of them Allows you to unpack npk files, which are now not only upgrade files But also feature files also package files that you can add as a features to your router The other script allows you to create your own package files Obviously it didn't take long For people to figure out that you can create the package file that creates a file on the file system and get root right So that was sometime middle of 2008 Then this just this is just interesting note. It doesn't have anything to do with Jailbreaking microdip routers, but I couldn't find 3.1 anywhere Everywhere I went it it went 319 320 322 323 So if anyone has 319 Oh, sorry 321, please mail it to me. I want to take a look. What are they hiding there? I mean, I have the changelog it it's nothing but You can't find it anywhere, but it was released. I can't find references of it on the forums Anyway back to previous slide. So mid 2008 Anton released these tools almost a year later Microtic added in version 3.10.2 verification and signing for npk files installer, which is the binary that installs upgrades or features checks the checks amount of file and the signature So we do not get any more free launches there I've seen around on the internet some npk files that are said to be signed for version 5.25, I think That are supposed to install that backdoor or that root access to the jailbreak I couldn't confirm Thank you for that I couldn't confirm any of them working Even though people say it works. I tried them that didn't work What's important to note here starting 3.22 installer fully checks both the checksum and both the signature So I don't know what people are talking about when they created that 5.25 version npk Right, then we have 4.0 in year 2009 find more 0 in 11 release cycle is now getting slower 6.0 is released in 7th of May 2013 since beta 3 of 6.0 SquashFS is used in npk files if and I'm sure some of you are interested in Doing similar research for greater good. This is useful to you. I'm sure so squashFS is employed um Which means it's a bit easier to Unpack Unpack npk files because you don't have to deal with their on format And the final slide for the history Version 6 30 and today I think we're at 6 40 version 6 30 2015 They added sha1 who loves this change one here. Can you get round of applause for sha1? great function July 2015 they added sha1 digest block to npk files But the format which is this which it's in which is ascii not binary suggest It's not for verification or signing. It's mainly for identifying different versions of different packages. That's my wild guess And the 6 30 3 package also include distribution channel, which is a new feature okay So yes, this router here cap mini This is how it looks inside. It's quite quite small If if we compare it to how they look back in the day Oh, by the way, that's my phone seriously I I took this picture to compare the size to my to my phone but Then I also took this picture. Okay. I photoshopped it. I mean games it but there it is okay half of you use Or have used router eyes I decided I couldn't find it anywhere online So I decided it will be beneficial to release a full command tree of router os Which is what I'm doing today This is how it looks from far from far away Each center there is one of the 60 to top level commands I'm going to zoom in on one part of it. But first My computer has 16 gigs of RAM. So it works for me and I couldn't I could even create the files and and and Outer them so slash ip the png file that represents slash ip Takes up four gigabytes of your RAM when you open it with x viewer on my computer And the others take a bit less so you can play around the files themselves are not that large They are one megabyte seven megabytes max. I think Okay, so let's take a look at that part of the image These are the smaller commands. These are just just to know how it looks 15 of the 62 commands so three for those commands, of course for for other commands. So that's much more complicated Right the the border means that it's basically it represents what you see in the console It's graphic class as the colors match and the bold is represented by the border and those are parameters, of course here Okay The fun part Sap out riff Again, this is a file That you can create On your router with command, which I have forgotten System sap out or something you can look it up in the forums And it creates a binary file it takes depending on the model It it it can take half a minute for this small box It it can take up to five minutes also depending on how much configuration you have And so what it creates Is a file that looks like that It has this begin router s sap out section and router s sap out section and around 60 of them 50 60 These sections one by another and then we have base 64 encoded data Which is not actually basics for encoded data But that's a different story probably for Baldcon in september so each section decodes as this Is each section decodes a section name followed by byte zero And followed by content that is compressed by zealip So it's actually inside the sap out riff when you're looking into it It contains your whole configuration of your router It contains whatever is inside the folder proc At the time you launch It contains memory addresses of the processes running obviously it also contains the list of processes right It contains your log meaning slash log print whatever is there it contains it And it contains much more you can see that on the picture Let me show you a demo here So all demos are live. I have pre-recorded something but I did test them out Before coming here. Actually one of the demos I tried three times in a row It failed three times in a row then it started working because I changed the user end table Okay All right, let's remove this Okay, let's make a larger Great So there's my python script And there are two riff files. Let's decode one of them That's it done. It's quite quick. No encryption. Oh Maybe they called encryption. Basically that's there's some encoding These are the sections that are inside there. So 57 sections in this sub-outry file Those are the names Notice the names of the first Five sections that will be important later on Anyway, if we do less again Let me move that up We have this new folder With these nice files And we can take a look at some of them Some IPs I can output Let's take a look at the startup file There should be log file So that's a small demo For some time now microtik com also offers you a reader for these step out files So you can check what's inside before sending it to them. All the only thing is it's on their home page So you upload the file and it shows you What's in the file? Let's let's try that out It won't show you everything of course Remember those five sections that start with a dot well conveniently those sections are not represented at all Not only you don't get the content you don't get to know that those sections are in the file Now you do Okay, the next demo Okay, I'm gonna I'm gonna put this here And I'm gonna put this over here. Perfect Okay, so this is the home page I was talking about It features the possibility to choose a step out ref uber And you can upload your step out ref file over here So let's do that I'm gonna choose this step out ref here and I'm gonna check out what's inside Upload Oh look a session ID That's a different browser over there That's a session ID that this user is logged into Microtik com So I guess that might mean there's an cross-site scripting problem there on microtik.com Anyway, you can view the files of course here the sections But that was not the point of the demo Let's get it on Let's remove this before someone oh, you know what I'll log out before someone Held it it will only take a second Now there are people watching this online with lots of lots of free time Okay, we're good. We're good All right npk format So we're done with the step out ref basically we we know what's inside. We know how to Read them and as I hope you understand the last demo showed we know how to create them npk This is how npk file looks like First of all some general principles for npk, which some of them are also called true for other files in microtik numeric values are unsigned little end end integers or whatever npk files consist of header file size parts and footer in that order you can use the colors to match with a sample npk file there. It's a real npk file full size is a small one, but it's full size npk file over there File size is eight bytes less Sorry, I I'm a bit I like to be precise about my presentations right eight bytes less than the actual size of the file Each part which is a specific name here. It's not generic part. It's it's part that we named part of npk consists of Wow, that's unreadable Okay part type which is a short You can see one here zero four zero zero It consists of payload size, which is long You can see 68 in hex And then in white here it consists of payload itself Which is what follows for those zero x 66 68 bytes in that example One thing that I learned only when making the presentation We didn't learn that during the research only when making the presentation I learned that there are actually two types of current npk files It's as far as I've researched. This hasn't been published anywhere There are package files and there are restrictions where I call them invisible packages because I tested them out They install but they do not show up in your package lists Normal packages as some of you may know contain the header one e f one d zero b a And since version 3.22 there's a footer Uh, that's that's over there Restrictions are different. They have different header completely different header I don't know why that is I mean I have my I have my guesses, but why would you make it are completely different for The same type of file same company Anyway fb zero f ten a one and a footer zero three and a bunch of and four and five zeros That's npk format. I also compiled a handy reference table for Part types and this also has never before been published online There are some scripts online and some references that cover small part of this table The red part and not the whole red part here. It is all all combined. The only thing We are not sure about is part type six Because we couldn't find any npk files that employ it And we didn't bother to reverse engineers that part of the installer But the idea is that The conception is since seven is install script for bash for the shell and eight is uninstall script for bash And we know that five is install script for lib install They actually have their own shared object library We we are guessing that six is uninstall script for lib install Anyway, also also on this handy table that you can use for progressing our work here We have listed if each part is mandatory to build a valid npk file and When which version was first this Part seen in an npk file and when it was last seen So that might you might find this handy. I hope Also one thing i'm going to talk about in In syrbium Is is about a bit more about this format. I had to cut a lot of slides exactly from this part of the presentation But if you want to get on to building npk files immediately Even though you can't really sign them What's important is If you have if you build a squash first block Which is uh 15 zero zero You have to add zero padding which is 16 zero zero beforehand A squash first block has to start at exactly four kilobytes its address has to be divisible by four kilobytes from the start of the file So you can use zero padding for that Right I left two slides here of two interesting parts The most interesting part is the signature part zero nine zero zero Again the same example there Signature is the last part in this file And since version 3.22 as I already told broken Packages will not be Installed but broken that means The green part doesn't match the file size doesn't match Something in the signature part doesn't match Part type for signature is as I said zero nine zero zero And size for signature is always And we've taken a look at Tons of npk files. It's always if it's there 44 bytes in hex So that is 68 bytes total First 20 bytes and we have verified that and other people have verified that before us is sha1 sum of everything from the previous part zero one up to this part And includes the part header Including the type and the size in sha1 sum and includes The part header of zero one part Do not underestimate this and we we are still continuing our research and we hope we come up with a better way Because signature applies read carefully Only to data from the previous zero one part And you can have multiple zero one parts and they will have multiple signatures The question is and we haven't been successful even though we only tried for a day So that's not real research yet We haven't been successful in making installer accept something in between But basically the format doesn't forbid you to to insert some stuff some parts in between zero nine and the following zero one So we're going to be looking at that Remaining 48 bytes are unknown signature. There are some speculations online About what kind of signature that is but I can leave that to you to google because we have not confirmed Any of the algorithms we tried multiple algorithms Nothing worked. Oh, we did find Probably a public key though here it is you can make it into a flag so that uh, it doesn't disappear Who has the presentation like freedom flag or something? Maybe it's a seed for some algorithm It it is a seed for we found an algorithm again this research This part hasn't been completed So we think the public key is that because when we change that into the binary the second part verification fails Also, very interesting last byte of the signature is always less than Zero x 10 in this example is zero d We've never seen a signature with last byte being more than that so We hope this will also allow us to better understand what it is and use this interesting feature to try to identify at least the type of The algorithm used here if not fully Repeat the verification step. Of course It is very likely it is a public key. It is very likely it is asymmetrical cryptography, which means That we would not be able to Create npk files with valid signature But then again, there are ways Which is not part of this presentation. Okay part 17 digest I already mentioned it. It's actually on the top of the file It's 40 bytes long and it's ask your representation of sh1 sh1 hash of something We weren't able to yet understand what exactly But it being in ascii means it's We're quite sure it's not really An encrypt or security feature It's more likely an identifier because ascii is used for human readable information Rather than something that you want to process by a small binary and a small device like that If you if we change that the file doesn't install because it is It is hashed by this signature block. That's the reason But other than that it's it's easily changeable Okay Fun part number two So how do you route a router? For those of you who are not good with networks Probably gather half who hasn't used microtik, right? Router is the device routing is getting root or adamant privileges on device We can call it jailbreaking routers if it's Float if it floats your boat right So how to get shell all technically it's easy you create the file And you tell net and it works So The problem is uh, how do you create a file on here when we had the hardest drives? 17 years ago Well, we still have them but for for this software when we were using hardest drives. It was easy We saw the access vectors at the beginning of the presentation. We can use some of those But let's imagine we somehow create a file Then we tell net and we are greeted with root prompt Then we type ls to check out what's happening there And the less isn't there So we can't really see anything which is a pity Luckily That's not really a problem Because uh, well They didn't disable Tab completion This is even better than doing echo asterisk because it's it's format sits for you correctly Or you can of course do it properly and upload the busy box If you do that make sure it's statically linked and it's for the right architecture Uname minus m after you get your root will tell you what architecture are you on Um, this link might be of interest for for those of you doing that But you can find it online, of course Now the question becomes can we Speed this process up Yes, yes, we can speed it up a virtual box appliance that does Most of the work for you And this should work out nicely But again We will add more support for more systems until september Currently it works if your cpu is exactly ar 9344, which are these devices We have actually tested it on the on these two devices We are sure it might work on them The tool actually Says that you will break your device for for legal reasons, right? So you will break your device Right Okay, so how to use the appliance This is slides here is for reference And we can do the demo So what you do is you import the appliance Into virtual box by double clicking on it if you have graphical interface Um You should make sure that your bridge network card Is set to ethernet You should disconnect all wires from the router and power it up. That's what I just did So I took my router. I just powered it up. It has no wires connected It just booted it should start the virtual machine and follow to instructions And you should be ready to swiftly replug the cable when prompted Okay Let's do it Right So this is already imported it, of course We can go to settings here And verify that network is indeed set to bridged Ethernet zero is the adapter I'm going to be using here My laptop I have a wire plugged into that Let's start it up Presentation is not affiliated with Oracle or virtual box Actually guys, you know what? When I was demo testing these today I remembered that I should shut down the wireless interface because they they come from factory without the password It's open wi-fi everything I did now Okay, so here it is It's our interface um It says Stuff that this says I hope you can read So what we need to do we need to plug in the cable from that set network card Which is on zero on my laptop here into port two on the device And now we need some info we need the IP address of the router Oh My bad. Sorry. Um, I should show you that it's not jailbroken yet. Otherwise the demo is useless, right? Okay Let me connect it So i'm gonna use this protocol called telnet if you remember that I'm gonna use adamin There we are we're inside And i'm gonna try the same with devil And nothing happens Okay, so back to jailbreaking right enter the IP address The default IP address is handling there username and the password in this case password is not set And answer that it's correctly set So now it tries to get an IP address. Oh, I have 10 seconds. Hold on Okay So I had to quickly replug these rinse cable into port one So it's actually it's it's not super super nice tool, but it's quite easy All you have to do is press buttons on your computer and plug the cable So now it will wait for the device to boot into Our jailbreak This is the only demo that can actually Go wrong because it has gone wrong when testing. Okay. Cool. Cool For two now It has booted into Our jailbreak Image and now it will launch the jailbreak activate the jailbreak Connecting may be shown up to 20 times, but it will work in the end. Usually it shows just one time Sometimes it shows a lot of times. There are no need to worry here Unless you know you're In a hurry like doing a presentation or something Yeah, it's it's connected. I mean the the wire is connected, but it's trying to connect as a sage Okay, there we are it connects as a sage And you couldn't plug your device to any point. Now you don't have don't want to plug your device anymore Now it's executing the jailbreak Writing the files Okay, there we have jailbreak was successful Thank you So what it does it actually looks for all partitions on the device and tries to see if if if it's a router as partition it found one Partition number two and it did everything that had to be done including installing busybox Um Router already rebooted automatically for us. Let's press enter to shut down to shut it down Let's close virtual box. You don't need any more And now i'm gonna use my laptop to get an ip address Whoops Let's try to tell it down Okay, it should still work as admin Yep And if you type in devil There we are it's root. Thank you. Thank you So that's it's really this device. Um, how can I prove it to you? Well, I don't know Let me type Okay, this is yes. Oh well, but you're not gonna see it. Oh, let's This should work If I unplug this cable here it stops. So it's really this device Alrighty then Let's get back to a couple of slides we have remaining. We don't need this anymore so That was that was a nice demo Well, the only question That I have promised You I will answer today and I haven't done I haven't answered yet Is can the router but actually play? Who really there? Well Let's look at the demo I'm gonna get an ip address. This router is already jailbroken And it's not only jailbroken. I think it should have this file over here We can get the audio. Yes, we have it There we have it Thank you very much guys Okay, so Tools are not yet available on my github. There will be I hope I'm gonna get to that tomorrow Um, so you can ask me a question Soonish or you can also Uh get to me in one of those ways. Thank you very much. Thank you for that Quite great demonstration. I think Very courageous to do all that life. I would say I think works, isn't it? So now we still have 10 minutes left for questions. We have two microphones, please line up. Yes Can we check the front mic? Is it on? Then let's Let's start with a second back mic for now Um, can you ask a question? Is it working? Can you hear me? Hello, cool. Okay. Um, first of all, that's rather cool. Well done. Um, secondly Does this provide any Attacks that can be done without physical access to the machine as long as I keep the server room locked on my safe well, um So there is this organization called Cia right And there was this leak that was dubbed the world seven by some and there was this exploit for binary called web or dub dub dub I guess We didn't we didn't yet have the time to compare the two versions the patched one and unpatched one, but we will do that So that's there's your answer Hey, thanks for the Thanks for the talk. Um, I have a question. What's happening inside of the black box Of your ova image Um, nothing that I haven't told you so we do use Open wt, uh, we do create the file. We do install busybox. No magic. It's just easier to use And the image of course will also be available Today learned github doesn't accept, uh, 200 250 megabyte files. So There will be a link on github to the to the file All right, uh, second question. I don't want to be too difficult about it But have you reached out to my critique about the, uh, xss and Other stuff that you found? Well, other stuff isn't really stuff Um xss is the reason why we are not releasing the um tool for generating stuff of your files today Hey, please to me you do again one question the Uh hidden file when I install it on x86. I see this, uh, kalia option is that a hidden package Kalia is a real package. It's not a hidden package If you install it it actually shows up in your package list Kalia package is used for lawful intercepts in the united states and you can download it Rather freely and you can play around with it any more questions If not, I guess we can find you on the campgrounds or tweet you You are also an angel so people might run into you in that capacity Yes, yes, I became the speaker disc supervisor by accident and now I'm sitting over there This is my third talk. The first one was by billy Then I had a work trip yesterday and this is the third the third talk i'm attending this congress So thank you for a great talk. Thank you for being a great volunteer and just general. Thank you. Please. Thank you so much Thanks