 thank you all for coming and continuing to come and to sit there and be lazy. I don't know what's going on. So welcome to breaking your expensive crap or the actual name we submitted as doing bad things to good security appliances. This is going to be kind of a primer, quasi, not really primer on hardware hacking as we see it in dealing with security appliances of all types. Am I echoing really bad or is that just me? Figured. So, dispense with the pleasantries here. Fork, if you'd like to take about five seconds and introduce yourself. I've been breaking stuff since I was six years old. I've been breaking things since I was about six years old to include things like my dad's radio, the TV, all sorts of other stuff, taking things apart. Women's hearts. Generally no, but taking software apart as well. I've been a reverse engineer since I was probably about ten or eleven years old taking part 6502 code on a Vic 20. Having a great time. Loving all the stuff, love technology my whole life and continue to learn. So we've gotten now to a point where it's much more fun and work for all sorts of people, all sorts of places, everything from driving pizzas to different government services. All right, we're done. That's it. All right, so. You can hear his live story later, I promise. So, I'm Evel Rob. I will be your quasi-MC. I love that word, quasi. So, I have been breaking things for quite a long time, mostly to everyone chagrin. I'm not going to tell you my life story, but be good, fire bad. That's about all you have to know about me. Before we actually get started talking about the equipment and what we're doing, we just want to point out some of the people whose research and efforts in this area have really helped us out and saved us lots and lots of time. I totally want to pimp the JTAGulator that Joe Grand is selling and making. It is freaking awesome. Go buy one. And it's extendable with new firmware, so get one. It's not going to just do JTAG, it's going to do all kinds of other stuff. And we'll talk about the JTAGulator a little bit if you don't know what it is. So, yeah, what we're going to be doing, we're going to walk you through the basics-ish of hardware attack and analysis based on some of the practical examples we've done here in the past couple months. We're going to discuss the tools and mentality you should have to be successful. Not required, but definitely good to have. We'll discuss some of the common attack techniques when you're dealing with hardware. A lot of this talk is focused purely around the hardware and the theoretical attacks based on hardware and not so much on the BSP or the firmware or anything else that is associated with that actual hardware. And a comment on this also, there is a larger set of material on the CD that covers this, but we have 45 minutes as opposed to the roughly three or four hours we would need to cover all the material in the slide deck. So if you look at your DEF CON CDs, they have a large quantity of material about each of the items, bullet points, what interfaces look like, what provisioning interfaces look like in a fairly detailed summary of how to get started doing hardware hacking. It's about a hundred and some slides of hardware attacking and how you do it and what you don't do and how people screw up and burn themselves with chemicals. So the last thing we're going to do is show you pretty pictures and attempt to point at those pretty pictures. I don't know if we'll succeed. So the tools of the trade, this is stuff we use, stuff we have laying around the labs, really handy to have any time you're messing with hardware in any way. Most of this stuff can be acquired for less than $1,000. Most of it can be acquired for under $500. It just, the more features you have, the more expensive it gets. A few of the big items, you know, we'll cover these in detail as we need them when we're actually talking about the hardware analysis. Your brain is important. It helps you control your body and it allows you to consume alcohol, food, look at things, possibly. A voltmeter surface mount soldering station, how to rework station. If you don't know what those are, Google it. Basically it's a soldering station and a tube that blows out 500 degree air. It melts things. And that's Celsius. It's really hot. It's really, really hot. So soldering stuff, flux, magnifying glasses, microscopes, by the way, if you're using a magnifying glass to look at a physical one, to look at a chip, put some renex on it, otherwise it's going to fog up like every three seconds and you're just going to be pissed. So. Pro tip. Yeah, pro tip, don't be pissed. Bus pirate, amazing little device. It is like the end all be all for raw bus analysis up to a certain Hertz range. Debugging interfaces, great to have spare ones around. We'll talk about some of the mistakes here in a second that hardware manufacturers tend to make. And I don't know if you know this, but just desoldering the header doesn't protect your board from having a header put back on. So pro tip. Yes, IDA pro, we'll cover the, we'll quasi cover this, quasi. More on the slides on the desk. Yeah, more on the slides on the desk. We'll talk about what you may be able to throw into IDA pro that you would have gotten out of the chips that we're attacking. And then other stuff you might need, chemicals, respirator, balls, also dongs. You know who you are. So security appliances. You know, what do we consider to be security appliances? I know a lot of people when I ask them, you know, what do they think about security appliances? They think of firewalls. They think of IDS. They think of all these actual things that have been categorized as appliances and sold to you by vendors who want to charge you lots and lots of money. What we consider to be security appliances is basically anything that can be used to secure something. So some of the examples we'll be looking at is securing people from themselves like a safe or a, we'll be looking at something like securing your data. So the encryption system that we'll be demoing, well, talking about here at the end. So it can be practically anything that has some kind of security setting and is hardware related. The steps that we generally take. Again, go consult a big massive deck of slides if you really want to break down all these steps or find me in a bar and I'll be happy to talk to you for a price. And there's an outline of a full methodology to do repeatable assessments on that slide deck as well. And again, we just don't have time to cover it because that takes 45 minutes by itself. Yeah. Pretty much. So generally what you want to do is you want to define the goals. You know, what are you actually going after? Why are you attacking this device? You don't ever walk into something, especially when you're doing any kind of reverse engineering and go, I'm just going to do this because. Because it takes forever. Because you will sit there going, oh, I'll look at this now. I'll look at this now. And at nine months of work, you will have nothing but a pile of, oh, look at this now. So you want to define the device. And what we do, what we're talking about when we want to define the device is we want to look at it based on our goals. If our goals are to rip something out of the NAND flash, I don't have to sit there and mess with every other piece of that hardware to get that NAND flash. You know, I want to go directly to the bus. I want to do this stuff related directly to that chip. So when we're attacking something, we always have to keep the goal in mind as we define the parameters of the device and what hardware and what equipment we'll need to actually get that out. Gather all the open source information you possibly can. I know some of you may be decent social engineers and if you ever talk to a sales guy, they just love to send you crap. The more you're like, I want to buy your piece of shit, they're like, here, have some documentation. Would you like chip specs? I've got some high res X-ray photos too. Yeah, seriously. Like, I got stuff from one guy. I was like, confidential company source information. I'm like, sweet. Thanks. No NDA. Thanks. Saves me from buying an electron microscope. It's in the budget, right? We're working on that. Yeah, exactly. You know, examine the device for entry. Yeah. So, you know, a lot of these companies that create these secure appliances, especially ones that deal with key management, tend to have case sensors. They tend to have something to a magnetic sensor of some sort or a light sensor or it just happens to be to detect case opening so that when you actually open the case, it theoretically dumps the keys. Say bye-bye to your SRAM. Yes. Say bye-bye to your SRAM. Yes. However, like the mistakes we'll be talking about here in a little bit, usually the implementation of those security mechanisms are terrible. It turns into a checklist. The security guys like, I need case protection and key protection and all this stuff and then the engineers like, done. And we all know how well that goes. So, you know, look at the best way and look at the way that's going to be the least intrusive in the particular device. And then analyze the device circuitry networks and device components once you actually open the case. Determine the most plausible attack vector for the actual hardware and then attack, like your life depended on it. Or go slowly however you prefer. Toro, toro, toro. That would be tiger, tiger, tiger. But, you know. Well, whichever. Attack, attack, attack. So, common mistakes by the actual reverse engineers themselves. And I don't know how many times I have fallen victim to my own stupidity and my friends as well. Due to not taking copious amounts of notes and not taking pictures. Because when you're sitting in a pile of chips with a desoldered board in front of you going, I think it goes here is not really the best time. And orientation is always important because if you hook them up upside down, they tend to let the magic smoke out. Yeah, yeah. Powering up a board with a badly soldered chip just is a mess. You know, burning yourself with chemicals or fire. Bad. Bad. Beer good. Fire bad. See, I've taught you all something already. You know, not properly prepping for ESD, you know, optical and magnetic isolation. If you need to work in an argon pressure environment, if you're dealing with nitrized chips, very, very important to have your test environment set up so that you're not actually going to ruin the thing that someone paid you or that you acquired to test yourself. Always, always, always take the time to make sure your environment is set up correctly and save yourself hours and hours of headache. And then my absolute favorite, get a backup device or a device of like make or something that's comparable to the chip set you're using because once you let the magic smoke out of the thing you should be testing, you have pretty much failed. So you can't put it back in. It just doesn't work. And the list can continue ad nauseam based on the stupidity of the reverse engineer themselves. You know who you are. So, common mistakes by the people who sell you the really expensive appliances. Putting your case sensor wires right next to the vents. So, a paper clip and a pair of vampire clips and I've just taken out your massively complex wire. And that handy dandy heavy gauge steel case too. Yeah, I love that. And the heavy steel case too. Yes, very impressive steel cases and then you put vents in it. You know, hiding your chips under epoxy. Epoxy is not a security mechanism for God's sakes. It really isn't. Like, you get this $30,000 piece of equipment with your security processor that holds your keys in it and you're like, I'm just going to put epoxy on it. It's cool. Nobody can get to it. It's a bitch to get off. It's fine. You know, not using a built-in encryption protection mechanism on embedded processors. Big fail. Not setting the read write protect bits on the processor flash. There are fuses for a reason. And you know, they're a real pain in the ass to get around. So if you set them, it'll only take me slightly more time in aggravation, but it's more time in aggravation. And if I get aggravated enough, I go find beer and I stop working on your device. You know, not limiting access to debugging and provisioning ports. We're talking about the protection mechanisms for a desoldered JTAG port is not an actual protection mechanism. So if you're actually going to do that, you know, think it out. You know, lock it down, use secure JTAG, use some kind of key mechanism, use authentication where possible depending on your chip set to actually protect said device. And then my favorite, Mark's favorite as well, running your ITC and SPI buses up to the user LCD then back into your really hard case with all of your security mechanisms where it directly attaches to the boot flash bus. Because then you just take the panel off and you're on the bus. And then you can rewrite your boot flash and maybe get some PXE action or a bunch of other stuff. Yes. For those of you who would like to save me time, do that. And then, you know, there's so many more attack vectors and mistakes we can go into based on the way the devices are actually engineered. But for the sake of brevity and possible beer later, I won't go into this. So possible attack methods. There is voltage glitching, timing manipulation. You can Google these or go find that giant slide deck. Fuse resetting. If you can basically polish a chip in a clean room using a UV method, not for noobs. Just to warn you. Anytime you talk about chip saving and nitronized chipsets and everything else, not a first-time experience. Not good. You know, the JTAG video and provisioning interface debug, those are easily, easily screwed up because most times they're made for debugging. So if you can get on to those and mess with it and twiddle some bits and, you know, do other very dirty sounding things to equipment, you have a good chance of actually causing it to spill its beans. And then debug path manipulation using the I squared C. Switching flash pin, mutex attacks, which he'll get into when we actually talk about the boards. So the examples for the actual talk here. The thermostat in your secure hotel room. And you're like, why? Why does that thermostat matter? Well, most times these are actually tied into the central HVAC system. They're monitored. They're controlled by industrial control systems, which in most times, due to human laziness, sits on the same network as someone's admin network or something else because, you know, it's never true. It's never true. Hotel room safes. I love safes. I love electronic safes. They're the best. You know, encrypted storage device, which we're going to talk about here. And then Java cards, which we'll touch on because they relate directly to the encrypted storage device. So the thermostat. We attained a demonstration unit from some random hotel. It is an interesting device from this random hotel that has some really good prism loving features. It has an occupancy sensor on it, an infrared programming capability, a bus interconnect, and the centralized monitoring configuration station where you're talking about. And then the usual HVAC controls and relays and pushy buttons and display and what have you. So I'm going to turn it into, you know, Vanna White over here and he will talk about the attack methods. All right. I'm going to try to speak up so everybody can hear me. Is that good? Okay. Good. So we're going to cover this thermostat. Hang on. There we go. Very, very quickly. So I'm going to look, if you look at the slides here, you can see that we've got a communications module that uses something that's somewhat like X10 protocol. You've got automatic light switches at the house that you mess with using the RF interface to the little box that sits into the wall and the power system and it modulates signals on your power lines. Yeah, I'm trying not to. So we also have, let's go from top down then. So we have the HVAC controls and we also have network communications there. If you see that, there's a five pin interface and I'm going to try to shoot this with a laser but I'm not sure if I can hit it from here. Yeah, that's a big fail actually. I think the, oh, there we go. Okay. So up in here is where we're looking at right now. And we see that there's also an infrared module which is used for, I would assume, programming this device as well. Didn't have time to do a full reverse engineer on it. And then you see the CPU here, which is a nice little 8-bit microcontroller. I believe it's a, I think it's actually the same as the SAFE which is an ADC 51 type instruction set. Different manufacturer though, so it's Phillips. And an interesting note about this microcontroller is that it has a serial interface, an in-system programming interface which is always on, can't be turned off from the look of things. And it's not hooked up to anything. So these chips are pre-programmed before they're on the board but you can definitely, definitely do surface mount soldering and dump that firmware right out. Right out. We also have an SPI, or I'm sorry, actually that's mislabeled. That's an I squared C configuration flash. And there's an LCD controller and then down at the bottom you see a bus connector. And that bus connector actually goes into a bus driver that goes into the microcontroller and then probably with the right software out into the communications module. This is the infrared emitter which in this particular thermostat was broken and causing the room to heat up pretty nastily and was repaired accordingly. Yeah, I'm trying not to spit into the mic. So the thermostat was repaired accordingly and was suddenly much more effective and the room cooled right off. Recently borrowed. Right. So this is the front of the thermostat board and you'll see the little chip, the tiny little 8-pin dip there. Sorry, the 8-pin dip there. All right. There-ish. Is the bus driver that we hook up to on those little 3-pin interfaces on the bottom. So originally I thought, oh my goodness, they actually put the serial interface to a port on the outside of the case for me so I can get straight to the in-system programmer and dump all the flash. Would have been kind of them, but they didn't. So this is the board as it's been decloaked as it were. Detached and actually pulled out of the case so you can get a good clean view of it. So there's a crystal, you can see the crystal, the CPU, the I-squared C-flash, the LCD controller, discrete components, a few other provisioning headers and the connectors for the infrared. Oh, sorry, the connectors for the provisioning infrared and all of that stuff. There's a close-up of the bus driver. All right. And so practically what we can do with this. All right. So what we can do with this practically, once you have the firmware, you have the keys to communicating with that X10-like protocol. It's an 8-bit micro. It's not hard to take apart. There's a number of registers in there, of course, and other instructions that do stuff. If you reverse engineer the subroutines and reverse engineer the communications protocol, you can get a very, very clear idea of how fast to send information to that module and exactly what to send to that module. Now, as an aside, the manual for the control software for this particular thermostat is freely available from the manufacturer on the Internet. It covers a lot of stuff, including a lovely diagram of exactly how it's all hooked up. So these thermostats, for example, might go to a floor controller, in which point they're networked into the rest of all the floor controllers and then back into the back-end office where the main control system can determine whether it goes into VIP mode or not, for example, or whether it gets to be 95 degrees in someone's room or not, for example. And yeah, some other things, too, but we can't talk about those. That would be regrettable. Very regrettable. And I'm going to turn it back over to Rob to talk about some Roman hotels safe. So we may have found this box somewhere. And I'm a big fan of Roman history, obviously, that's why that's on there. You know, some highlights of this particular device. It's a decent metal box that's been bolted down. It has a four- to eight-digit variable pin. It's manually operated for power conservation, usually by the hotel staff if they want something in it. Not saying anyone's bad or anything, but you know, don't trust the safe. So, about the hotel safe, looking sexy from a random Roman hotel. Do you want to talk about the board here? Yeah, I'll just stand up, that's fine. Okay, so, this is a sexy, sexy-looking safe. Got a control board, got a servo arm, got the actual bolt attached to it, and some lovely batteries. Copper tops, they last a little longer. So, a total of six bolts of power being supplied to this board. The main board is broken up into several discrete areas and several connectors. So we have, if you look up at the top of this board, you see the battery connector, which is also a, going back to the other slide here, also a connector for one of the switches. We see the front panel connector, which goes to the little pushy buttons and the latch register, I'm sorry, the LCD display circuitry. And we also see a motor driver, which is just the typical servo motor for, you know, for phase servo driver. Some switches that detect whether the switch, the safe bolt is open or closed, and whether the door is open or closed. And the second front panel connector. And we also have a 64K EE prom and a two kilobyte flash rom. And of course, the other red box that's not labeled, I'm sorry, the two red boxes aren't labeled, are a Dallas real-time clock module with battery included and a CPU module, which I believe, as I said, is again a 658, I'm sorry, a ADC 51, but of the Siemens variety as opposed to Phillips. So I'm gonna zip through the rest of the stuff. So there's some interesting things on this safe. So if you've looked under the handle of these safes, you'll notice there's an RJ5 interface and a small barrel connector, one 16th inch barrel connector. And the reason the barrel connector is there is because batteries die and people still need to get their stuff. So you can power this from an external source if you need to. Additionally, the RJ45 is connected directly to pin four on the controller, which is an attention pin. It says, wake up, I need to send you something. And directly the serial receive and transmit pins on the microcontroller. So if you send it a particular sequence of bytes, it opens right up. And this is not a good thing. You can just repeat it over and over and over and over and over and over to other people's safes. Yes, you can. Now, there are a couple of distinctions. So I'm gonna zip back and look at this real quick as well. So if you see down here in the, let me see if I can hit that. So right in here, what that actually says is there's a code printed on it. And I'm not gonna zoom in for you because you have to do your own research. But that code is a uniform code per hotel from what our research indicates. So if you have this code and a couple of other elements which I unfortunately again can't tell you about because we haven't disclosed it to the manufacturer, then yes, you can open the safe right up. So if you look at the Siemens microcontroller, you see that the numbering is actually C501 on it. But if you pull up that particular data sheet, it says 8051 on it. So this is a variety. 8051 is a very old processor for anybody who doesn't know this. And it's a very prevalent processor in embedded devices. Fairly power efficient, 8-bit micro. So if you need something that lasts forever and can trigger a few servos or detect a few sensor motions, that's a great processor for it. Can we just take cover of this? Okay. So the SecureSan encryption board. In fact, do you wanna pop the case and get those out so you can pull them up? So, okay. So we have a couple of these SecureSan encryption boards and these devices were obtained from eBay. We had a reason to look into them. And we found that eBay is a great source for almost anything. You can usually get surplus chips, for example, that were actually from the manufacturer in China. They made an extra run of whatever. Some of them even have the same EEPROM version identifier numbers as the product you're attacking. So we've taken epoxy off. And then when we're looking for that particular chip model on eBay to go and sock it onto a carrier board and test it for different things, we find a picture of the sticker that was under the epoxy on the flash device on eBay. By the way, the greatest thing about eBay is when companies refresh all their equipment, some random guy in like Texas gets a $30,000 encryption device and then sells you these cards for 30 bucks. That is correct. It has no clue. And they'll also sell broken devices on eBay. Now these broken devices might go for 100 bucks for the weight of the component gold or whatever like that. Well, that's all well and good, but when it's a solder joint on the power supply that's broken off and you re-solder it, you've now got a $30,000 appliance that works just fine. And it allows you to research some really high-end components and really high-end stuff without spending much. Makes a personal research budget very happy. The Linux chips on the chip. Yes, and if you know where I can get a scanning electron microscope, come and see me afterwards actually. So some of the features, the device itself is actually very well put together. It's a heavy gauge steel and its purpose is to manage the keys are like the brocade encrypting fiber channel switches. So the way it works is it manages the keys, it sends that to the switch and says, I have this particular piece of media that I need to access and says, okay, well, here's the key that I want you to apply to that. So all your data is encrypted at rest. It's a great idea. It's a really great idea. It actually, the device does key management well, but they made a few critical mistakes with where they store keys and how they store keys and how keys are passed back and forth. And again, because we haven't disclosed it to the manufacturer, we can't tell you, I'm really sorry, check back in like a month, hopefully. This is probably more like a couple of years on this one. Check back in a couple year month things. But anyway, so it also has a lovely Windows Java front end. And I'm gonna go on a bit of a rant here on this on the Java card stuff. So it uses Java cards to store the master keying material. I don't have time to rant, apparently, okay. Well, let me just say this then in calm tones. Don't include your Java card sources in the JAR archives for your admin interface. This is a very fire back idea. Part of the security through obscurity model with Java cards is they are EAL4 certified in most cases. That means that you're not getting the code out, but if you compile it to standard Java, you can use a tool called JAD, which probably most of you are familiar with, to decompile this code to clean source. So. Big props to them for that. Saved a lot of time. Thank you, thank you. Yeah, thank you very much. So this is our hardware formerly known as expensive, and its new symbol is the dollar sign, I gather. So you can see on the bottom the device with the epoxy on it. And we actually have these devices up here. Yeah, after the talk, you can come look at them if you'd like. Come and take a look. If they leave the table, I'll beat you. That sounds like an evil promise from Evil Rob. And these devices, as you can see, we're gonna zoom in on the epoxy version here a little bit, and then we're gonna look at this guy. And we have high res photos of these as well that I'll possibly bring up here in a moment. But the chip that you're seeing that has the cover peeled off, right here. Lovely polished silicon, it's a flip chip. If you guys remember that particular manufacturing technique. And there's a heat sink and the actual chip cover. That is a Zilinx Pro 2 Plus FPGA. And that particular chip loads its information from flash memory. So I'm gonna show you a chip picture of the board before we've removed a couple of the critical chips. I'm trying to hit it again, there it goes. Okay, so that is the actual flash chip that the Zilinx chip gets its information from. So it loads that every time it boots up. Zilinx supports an absolutely fantastic encryption protocol. And it stores the key internal to the FPGA. The only way to get it out is through well, but technically power consumption monitoring on the voltage pins on the FPGA. So you can hopefully get the key and it takes I think roughly 10,000 iterations to make statistical significance. So you can get a likely candidate. In case you're taking notes. Great. The other chip is a Atmel AT90S6464C. And anybody who's done Tivo hacking knows this chip as a 3232C. We don't advocate hacking your Tivo. Of course not. These two chips, so there was a fatal flaw in this. They did not use the Zilinx encryption protocol. So we were able to dump out the entire Zilinx configuration bit stream. Now, I didn't really feel like reverse engineering Zilinx bit stream entirely. So a very, very nice person named Casey Morford who did his master's thesis on this was kind enough to run it through his tool set. Now he wouldn't give us the tools unfortunately, but- His tool set is BA, seriously. It's very, very impressive. It does complete decomposition of the Zilinx bit stream. So it's very nice. Takes it right down to a tech stream and tells you what each byte does. So anyway, we're gonna cover also one more thing on this one, or a few more things actually, booby traps. So hardware manufacturers who use epoxy like to do silly things like booby traps. And what you see here, right beside that tiny Zilinx chip there, is a booby trap switch. Now, if that booby trap switch is not depressed, no current goes to the SRAM and the keys dump. So if you're taking the epoxy off and you've been very careful or you're chemically infulminating your nitric acid or doing whatever you're doing, take it off. And that switch pops up. It's game over. The solution to not having the chip pop up is to not cut the epoxy around the chip. So, that's a really expensive mechanism can be stopped by being lazy. Just the way we like it. So in addition, one other thing I wanna highlight on this slide is, you see the row of six empty holes there. That is most likely the initial provisioning interface for the Atmel chip. However, because they're clever designers, they use some leveling capacitors and some other tricks to ensure that you can't really get good voltmeter test runs. Everything kind of goes to a middle voltage detection and you don't get the beep when you have your voltmeter set to beep when you touch the traces. So, it's good on them. It was a good try. And so that's a closer picture of the Zillings Pro FPGA. And I wanna thank Anders if you're in the audience. Stick here. Anders, thank you so much for the use of your wonderful camera and your skill at this. These recent pictures that you're seeing up here are all courtesy of Anders and he did a great job. Thank you. So again, we're gonna look at the provisioning interface there, that's just a quickie. And that one's only got a bit of the epoxy cutaway. And we have a movie of epoxy removal anybody wants to see it later, but not right now. It took about 10 hours and an exacto knife. Well, actually it was, I think it was between 12 and 14 hours with a hot air reworks station set to 500 degrees centigrade. And several exacto knives with thermally resistant handles. Firebat, firebat. Burnt off fingerprints worse. Be very good. Be very good. The other thing we're gonna highlight here is the Miktor provisioning interface. So there's three of these total on the bottom of the board. So if you guys can see this, the Miktor is the interface provided by Agilent for their super high end, super expensive, super awesome equipment. It's impedance neutral. It does all sorts of other stuff. You can run test points to it. You can run JTAG through it and everything else. It's spiffy. It's also extremely expensive. And there's three of these guys on the bottom of this board when you take the epoxy off. If you look at this region here, wait, wait, I'm trying to correct for relative spacing. Oh, there they are. Okay, up here. And then one up in this area. So there's three of these interfaces, three very expensive Agilent interfaces, all of which could be a candidate JTAG interface. And that candidate JTAG would talk to all of the memory devices, for example, on this, as well as, well with the exception of the NAND flash and the FPGA. So I'm gonna actually back up a few slides here to show you one other chip. So there's another interesting comment on this. So there's an I squared C flashable MUX involved in this. And what I mean by that is that you can take a set of pins, a MUX is a device that lets you set pins to other pins basically. So you can map inputs to outputs if you think of it that way. And there's a device just north of the Atmel chip that is an I squared C multiplexer, a flash multiplexer. And what that device does in essence is it prevents you from talking to that chip unless you've initialized it properly. So it's a very interesting way to protect another type, you know, protect your keying material. So something to think about. And I'm gonna turn it back over to Rob and then hopefully we have enough time for some questions too. So what have we learned from analyzing all the random crap we get ahold of? Firebad, beer good, and that's it. Thanks for coming now. So the architecture of the whole system is really considering complex environments. I mean this is pretty much across the board in computer architecture, software architecture, it doesn't really matter. However, with hardware you have to be especially careful because like we were talking with the security appliance and how they, the brocade decrypter, how it actually functions and how it stores those keys can entirely negate your very expensive box. You know, always attack the implementation not the encryption, you'll spend all freaking day and let, or you know, year or year month day thing. If you're not, or until the sun actually burns out. Right, exactly. It'll take a long ass time. So you know, attack the implementation, usually it's designed by a human being who it makes it relatively flawed. Look for humans being lazy. That is also one of my favorite comments because like we said, epoxy is not a security mechanism. So you know, it will normally be even in large engineering efforts, people cut corners, there's deadlines, there's things that people overlook. There's one point I do wanna interject for safety reasons, don't try it at home. You have to do certain steps to be safe around burning epoxy. All right, so heating it up is one thing. Some of the off gases from these things, I mean you have a whole variety of things. I mean the process of what's called homeopolymerization which is what epoxy uses. Tangent, tangent, tangent. But anyway, the point is it off gases bad stuff and can kill you if you're not careful. Yeah, don't do this at home. We're kind of professionals. Or we're a respirator. So chips don't lie. A chip will have markings on it, it will have manufacturing on it, it will be pinned in a certain way, it'll be soldered a certain way. It only goes in one direction. And if it doesn't, it burns out. So, you know, look for the placement of the chip, look what it's paired to, look what bus it sits on, and it'll be easy to determine the actual device you're working with from there. And there are chip databases out there that have all kinds of markings and how they're hooked up. And if it's SPI or I-squared-C, it just huge amounts of information. And then I need more beer. So with that, we may have what, five minutes for any questions? Yes, no? Yes, all right, fantastic. So, thank you for coming to see this. And if you have any questions, we'll be here.