 Hi, I'm going to be sitting quietly here for a bit and actually learning what he does because I have no fucking idea. He does this weird hardware stuff and all these really terrible smells come out of the room and when he gets the chemicals out it's even worse. So yeah, this is going to be interesting. What can I say? I'm a farter. Okay, so we're going to take you guys through a bit of hardware reverse engineering and I think you're going to have fun with it. We certainly did. So we are aperture labs. We are not aperture laboratories. They're someone completely different. We do occasionally get a bit of mis-rooted mail though. So here's a piece of mail we got. Dear aperture laboratories, do you make portal guns? Do they work? Well, I have an idea for a portal gun. Here is the picture. The portal colours are yellow and rainbow from Joshua. So apart from the dreadful photoshopping on this picture. That's really me crying. Yeah. You notice that the thumbs aren't pointing the right way around? So I think I'm a reasonably smart guy and I was just completely not thinking when I went onto Google Images and searched for the word fist. I swear to God. Holy shit. It's like, yeah. There was one I thought he was trying to pick her nose from the inside. It was mind bleach. Okay. So just to recap, okay. So we're going to talk or I'm going to talk about simple decapping that you can do and the kind of benefits you'll get from it. Call it the plink-plink-fizz method. Need some ingredients. Some nitric acid. So normally between 70% and 90%. You can get it up to 99%. 70% is probably good enough and there are issues with chemicals like these. So just like you might think you really want the 99% stuff, yeah, probably really don't. Acetone, which is an organic solvent. A hot plate because the hotter the nitric acid is, the faster the reaction. So you can have a chip. You can drop it in room temperature nitric acid. Nothing will happen. Actually, that's not quite true. The legs will miraculously disappear and just actually disappear right into the package. It's like, oh, there's very small holes on the side. But as soon as you start to get it a bit warmer, amazing things happen. Boracilicate glass beakers. These are pyrex beakers so they can withstand a bit of heat without shattering. A pipette just for moving liquids around and an acetone wash bottle. Again, just an easy way to apply your acetone. And some petri dishes which are useful for sorting out the results. So you see that? What can I say? And the other one, the other great place to get some of this stuff from, Amazon. Who'd have thought? I bought some, I'm trying to think, potassium nitrate from Amazon. And I'm like, okay. And at the bottom, and I've seen this on a couple of occasions, the other people bought sulfur and charcoal. And it's like, okay. My favorite was, I was looking for aluminium powder. And other people bought iron oxide and magnesium ribbon. I'll sling them into one of these slides actually, now I remember it. Okay, so ebay is your friend. The shit we bought from ebay is astounding. So as you can probably gather, this stuff can get quite nasty. Nitric acid, particularly, particularly bad. So it does what we want, particularly to dissolve organics. So the epoxy packaging on the chip is the thing we want to get rid of. But it will also take out metals as well. Dissolves copper. And does all the other lovely things acid does. It will burn you. It has choking fumes. So as soon as you take the cap off the bottle, it will start fuming away. You get fumes from the acid. You get fumes from the stuff the acid reacts with. And that's typically nitrogen dioxide. Toxic, of course. And yeah, if you get a lungful of nitric acid vapor, there's about an eight-hour delay before it has a nice catastrophic effect. I mean, it will be really unpleasant initially. And then eight hours later, bad stuff will happen. Oh, yeah. And it causes spontaneous combustion of organics. And this is probably an important point to note. Kitchen table? Yeah. This one's not for the kitchen table. Definitely outside and better with a cabinet. So you know, people wear latex gloves. And in general, in labs, people have started to move to nitrile gloves. Because they are, nitrile is great. It's resistant to most chemicals, doesn't react with them. This is what happens when you take a bit of nitrile glove and you add a little bit of nitric acid by my. So you definitely want to be a bit careful with it. Okay. Acetone is only a little evil. It will dissolve plastics in particular. It can be really handy for getting inside smart cards and things like that. Has choking fumes. And apartheid is a little bit carcinogenic as well. Oh, yeah. The fumes are heavier than air. So if I'm working with it up here, the fumes are going to cascade off the table and onto the floor and spread out. So the guy back there is going to have a nice little pool of acetone fumes around him. If it rolls down into the basement, yeah, it's interesting stuff. Yeah. And again, you won't realize, you won't really smell anything, but there's a nice layer of it on the ground. And yeah, bang. So safety. We use a fume cabinet. You've just got to also think about how you're dealing with this stuff, especially the nitric acid and where you're storing it. Handling it. Think about where it is, where you're moving it to. Is the container open? If you've got a pipette and you're moving it across to your sample, if the pipette drips, what's it going to drip on? If it spills, where's it going to run? And what's it going to hit as it runs? So just kind of be aware in your head what's going on. Also, you can neutralize it with baking soda because it's an acid. We use an industrial neutralizer which costs, you buy it in cases of sex, it costs about 200 bucks. It's amazing stuff. You just sprinkle it on and it color changes when it's safe. It's like perfect. Neutralization for dummies. So here's our fume cabinet. Any ideas where the fume cabinet was acquired? Ebey! 10 pounds this fume cabinet cost. It cost 35 pounds to have a cab go pick it up. Now, it sounds like a great deal but it is safety equipment and this is called a recirculating fume cabinet. Some fume cabinets just suck things up and vent them straight outside. This is designed to vent back into the room so everything goes through a filter. Therefore, there's no way I'm trusting the filters from a 10 quid Ebey fume cabinet. So a new set of filters cost about 500 quid to put in. But you can use direct vent outside or a lot... You don't like your neighbors, do you? A lot smaller fume cabinets. Again, you can do this stuff outside. That's how I started doing it. The other thing, just be aware of the wind because if the wind changes, your big plume of nitric acid fumes that was going over there all of a sudden heads towards you and even a tiny little bit, very unpleasant. So yeah, this is like, I really don't want to be near that shit ever again. So here's the nitric acid. You never guess where I got it, of course. You use a beaker and pipette and the great thing about this is you don't need to use a lot. 12, 15 mls of nitric acid at a time is plenty to decapitate, which is great. It means you don't have to have tons hanging around and you're not moving large quantities about. This is acetone wash bottle. So handy. You just fill it up with acetone. The straw, when you're not using it, you just pull up above the level of the acetone and the acetone will stay as it's heavier. We'll stay in the bottle. So here is a simple example. This is a pickchip, pick 32. And as you know, we have a tradition at DEF CON that all first-time speakers have to do a shot. And we figured you were a first-time speaker at DEF CON 21. So as short as it is, as short of Jack. How surprising since it's you. So you realize when I fuck the rest of my talk up, I'm just going to blame you. You know what? Wait a minute. Back up. Excellent. How come I have to drink one because he didn't? That's not fair. All right. Let's hear it for these first-time speakers. Thank you, sir. Please may I have another? Thanks, Proctor. As you were. Thank you. This is a microchip, pick 32 chip, which I'm knocking around and I had more than one of them. So we'll use this guy. It's a very modern chip, so it's very highly integrated. So the level of detail on it is very small. But slightly older chips are fun because you can actually really start to understand how they're built up and how the gating is done and things like that. So as soon as I pop this in here, one of the things I want you guys to look for is on the bottom side here, as soon as it's dropped in the beaker, it'll react instantly. This acid is about 90 degrees Celsius. It'll boil at 120. And so as soon as the chip goes in, it'll start reacting immediately. And what you'll see is around the bottom here, you'll see a spool coming off of the epoxy. So, yeah. And no one's seen this video, are they? I am. It's great. It is. Evil, evil, evil Microsoft. Actually, that was... Okay, so look for the spool around the bottom of the beaker. Here we go. Instant reaction, boom. The petri dish on top is just to contain the fumes a little bit. So the brown fumes are nitrogen dioxide and you can see here, this dark cloud is the epoxy coming off the chip. Okay. So once it's finished reacting, tip the acid into the second beaker, your disposal beaker, and take the beaker, rinse it with the acetone and decant it into the petri dish. And what you'll end up with is a dye, with all the bond wires still intact, because the acid is going to eat not just the epoxy, but the entire lead frame as well, both externally and internally from the chip. So get the dye, rinse it in a little bit more acetone, and this is what you'll end up with. And it kind of looks a bit yucky. There's still a little bit of epoxy on there. But again, another fantastic eBay purchase. These are like 30 quid, and they're amazing. They will just remove all the shit from anything, including chips. No, they're really cool. So we've used them with water, we've used them with water in them, and then a beaker of acetone with the chip sitting in it. And absolutely fantastic. And if you have watches or jewelry or glasses, and you pop them in this, the first thing you're going to go is, holy shit, am I a filthy person? The amount of it, you'll see it coming off. It's like, oh my God. But they're amazing. They're super cheap these days, little ones. And if you get one, don't forget to do your wives and girlfriends jewelry. You'll love it. Okay. So after it's had a trip through the cleaner, this is what we've ended up with. Now this is not a particularly great microscope picture because a really cool microscope doesn't have a lens big enough to take the whole chip. So this was done with a small crappy USB microscope, but you can see it's cleaned up a lot. One of the other things you'll notice it's missing are the bond wires, or a lot of the bond wires. That's because the chip was vibrating around in the ultrasonic bath and they simply got knocked off. They're pretty fragile. So let's take a bit of a closer look. So this is it under a microscope and this is one of the identification areas of the chip. These numbers here represent the layers. So the dye is built up in layer upon layer upon layer. So as the chip's manufactured, you take your puck or silicon, you've got your wafer slice off it, and you can see it's constant. So basically you expose, or you, okay, start from the beginning. You've got your wafer. You lay down a mask, which is a chemical that is etched away by typically ultraviolet light. Once that's coated, that resist is coated on the dye, you have a large image of the portion of the chip. You focus it down onto the dye, onto the wafer, expose it with ultraviolet light, and then you rinse the resist chemical away. And that just leaves an exposed area, which you can then dope with another layer of silicon and just build it up and build it up and build it up. So these identifiers are kind of registration marks for each layer as it got laid down. So they can see, well, actually, you know, we did actually put down layer 156. The reason the colors are different is because of the different depths, they are reflecting the light slightly differently. Okay. Never again, not Jack Daniels. So let's zoom in a little bit more. A little bit more. So you can get some really great detail. Okay. Here are the bond wires. These, as you see, there's the two on the left-hand side of this picture are actually missing. They got simply vibrated off. So there are typically two types of bonds. This is called a ball bond, which is the more modern technique. The older technique is called a wedge bond. And you can actually find wedge bonders on eBay, of course, if you wanted to take the dye and try and put it into a new lead frame. But there's better techniques. The ball bonds are quite clever. The wire comes out. It gets hit by a little paddle. There's an electric charge between them. And it kind of causes the little gold wire to fuse into a ball. And then it ultrasonically pushes that ball down and ultrasonically welds it onto the pad. If you go into YouTube and search for dye bonding, the speed the dye bond machines go at is truly unbelievable. And they're literally dropping a bond on the dye, taking it to the lead frame at the speed of light. It's unbelievable. So why the hell are we doing this? There is a reasonable question. You've sat there very patiently while I've rambled on. Well, there are some really good reasons to do this, actually. So here's a really simple example. A friend of mine is a cinema model maker. And he was actually one of the guys that built the Hogwarts model. And we're having a beer one day and he started talking about this plug. Now, this is given away cheaply by one of our power companies in the U.K. And it's power saving device. You plug your computer into the master socket or your TV. And your peripherals into the slave socket is on the side. And when you turn the master on, it turns on the peripherals. Simple, easy. But what they wanted to use it for was dust collection for per tools. So basically they'll plug the per tool into the master. The extraction system will be plugged into the slave. And as soon as you turn it on, extraction starts and they can go. The only problem with this is there's a five second delay between the master turning on and the slave turning on. And they just can't handle that. The alternatives, the actual, if you went to buy one of these, they charge 150 quid. So about 250 bucks for something like this. This costs eight quid. So for something that's doing pretty much exactly the same thing. So he'd mentioned that someone had hacked this and was asking me about it. So let me actually take a look at it. It's a pretty simple device. So on the top here you have a little power supply. The next important thing is this resistor here, resistor 17, which is to measure the current. So here are the actual important bits. We have two chips here. A Cirrus Logic chip, which is nice and clearly marked. Cirrus Logic is the vendor. It's a CS5466-ISZ. Type that into Google and you'll get the data sheet and you're off. And then we've got the OC706. Or if you look at the other plug, it's the OC708. You can't find anything about this device. Now when you read the Cirrus Logic data sheet, this is a current frequency converter chip. So it's measuring the current across that resistor and it's outputting a frequency that's proportional to the current consumed. And it needs a clock as well. And this, when you reverse the circuit, this OC706 chip is supplying the clock to the Cirrus Logic chip. But after a ton of Googling, and it's quite interesting because you'll actually see other people searching for, you know, Google suggesting, oh, did you mean OC708? It's like people are searching for similar parts. Now, it makes sense that this is a small market controller. But unless we know what it is, it's completely useless. So the guy that hacked it basically pretty much replaced this entire chip with a PIC chip, clutched it in and away it went. But we can do better than that. So if you plink this, plink-plink-fizz this chip, this is what you get. And thank you, NEC, for having nice big part numbers here. This is a D78F9212. It's a little market controller. You go into the NEC site. Here's a compiler for it. Here's all the development tools. They're all free. So we're away. Major here hasn't quite had it dumped on him to write the code. But that's coming shortly. That's because somebody destroyed the chip. Plenty more of where those came from. Okay. So other interesting things. This is some Mastrom. It's another chip. So slightly older. And we're going to zoom in a little bit. And zoom in. And it starts to look quite interesting. So this is an area on the chip. Really close. And you can actually really start to see some proper texture. Okay. So one of the things we decided to do was clean the image up a bit. So we're going to use an asset. So the very top layer of the die is what's called a passivation layer. It's just a simple layer of silicon dioxide glass to protect the chip, the electronics underneath from any contaminants in the epoxy. So it's just basically to seal the top. But again, if we remove that, we'll get a nice fresh image. So anyone get any ideas? Hydrofluoric acid. So some people have tried to polish it off. And that works to a certain extent. But it can be really hard getting the chip perfectly flat because these layers are incredibly thin. And if it's just off slightly, then you start digging in deeper on one end of the chip and you lose detail. It's a nightmare. Hydrofluoric acid. And hydrofluoric acid is used in the chip manufacture process. When I was talking about the resists, they use hydrofluoric acid. The resists hydrofluoric acid which they use to remove material. So nitric acid is pretty nasty. Hydrofluoric acid is fucking horrendous. I'll find our point on it. So yeah. Pure, pure horrendously evil stuff. Not quite this time. It is the piss of the devil. You can imagine some little sinners getting dipped in it repeatedly. Okay. So for those of you not familiar, it's an acid so it does all the kind of usual bad stuff that the nitric acid does. It dissolves glass. So that can be a little bit of an issue. But that's actually what we want it to do. So we're cool with that. It's quite toxic. Somewhat. Oh, it eats calcium and magnesium. And depending on the concentration, if you actually get it on you, you won't notice for 24 hours. So bad, bad, bad, bad, bad shit. Okay. So I mentioned it dissolved calcium. Yeah. Loves calcium. Yeah. You wish. It looks like this. So anyone notice anything about this picture, especially the one on the right? Apart from its extreme grossness? Sorry? Okay. So the reason his finger is all wrinkly at the top is because there's no bone in there anymore. It's all gone. And what's more, it will work its way up. Yeah. Bad, bad, bad, bad, bad shit. So the Skelligrow isn't going to help. But the calcium gluconate gel will. So the whole point of the gel is to feed the acid calcium. So it prefers the calcium gluconate rather than the calcium in your bones. So there are lots of, I mean, when I say hydrofluorics bad, it gets even worse. So if you read any treatment regimens for hydrofluoric acid, not only will they say slap on lots of calcium gluconate or potentially inject it into you. So in fact, they have kind of EpiPens within. The treatment regimen says under no circumstances give the victim any pain relief whatsoever. No local anesthetics, nothing. Because they know that they finally treated you when it stops hurting. So basically throughout the treatment, you're going to be in agony and they're going to keep you in agony because they know when it stops hurting, you're probably okay. So I really wanted to do this. And it's like, how the hell am I going to do this? And I had a course of dental treatment. My dentist is quite kind of young and hip and we're chatting away and what do you do, et cetera, et cetera. And he happens to mention, oh, we use hydrofluoric acid. I'm like, really? And that's really interesting and slightly scary. So this is the stuff that I love. This is dental hydrofluoric acid gel. No, a company called Henry Shine, dental supply. So, sorry? Ask your dentist nicely. Absolutely. Oh, and he'll do that too. We'll get there in a minute. Okay. So I'm like, oh, where would you get some? Oh, yeah, there's the various dental suppliers. He wrote me a little list and one of them was a company called Henry Shine. Okay. So this is a little, this shows you the level of insanity that's out there. When I order components from one of the big UK component suppliers like RS or 4NL, if I'm crazy enough to want something like a lithium coin cell, like two lithium coin cells, because I happen to need some and I just threw them on another order, hazard lights start flashing and it's like, oh, this is a hazardous material. So basically, what that means is your lithium coin cells will arrive by a separate shipment three days later than you actually needed them. And they'll be in a box like this. No, I'm not shitting you. For two coin cells, slapped with big hazard diamonds. It's like, holy crap, this is alive in the little box. No markings at all. It's like, okay. So it arrives in these little syringes and yeah, some interesting things. So they actually use it inside your mouth. So the hygienists will be there with the extractor sucking away whilst the dentist is putting it on your crowns to roughen them up before he applies an adhesive. But it's designed for dentists. It's not for chemists or for people working in fabs. It's designed for a dentist who is kind of quite technical, but he's not a chemist. He's not a rocket scientist. He's a dentist. So it comes in a gel form, which is pretty cool, because again, I want it to be as safe as possible for me. Simple as that. It's dyed so you can see exactly where it's going, which is quite handy. And it's a quite low concentration. It's 9.6%, which is low, but it's still effective. And the other thing, when you're doing stuff like this by yourself, you don't want something to react necessarily super quickly. You want to be able to control it. So actually the fact that it takes a little bit longer to react, that's just perfect. But yeah, you definitely want a fume cabinet for this stuff. So this is a before and after. So this is the before pic. And this is the after. And it looks a little bit blurry, and that's simply because this image is a little bit blurry. But it's cleaned up the image remarkably. And as I said, just removing that top passivation there. So here is another shot. This is another part of the chip. It has a bug in it. And actually that is the bloody microscope camera. And it was reasonably cheap. Actually, was it eBay? I think it might have been eBay. But yeah, we bought it. It was super cheap. And I think it got dropped internally within it. Crap got on the lens. And trying to actually clean it out. Impossible. And ideally with the sort of imaging we do, we wanted to kind of get the whole thing imaged. And when it's got bits of crap on it, it's not ideal. This particular bit of crap I actually think was on the die. So yes, it was. So you can see there's a color change between these two images. And that's because we've now removed a layer. So as I said earlier, colors represent depth. And the depths have all changed because there's now no longer a layer. And it also opens this die up for micro probing. So you can buy micro probing station, which is an amazing piece of kit. And it will allow you to put probes on these lines and actually sniff the data going through. eBay. I think that was our most expensive eBay purchase. That was about 5,000 bucks. First came from San Diego. And it was the best eBay deal ever. It had lots of accessories. And a great microscope. But have a look, it's called a micro probing station. And basically it's a microscope with a special stage. And you have micro positioners that allow you to move a very fine probe. And when we're talking about fine, I have probes that are 0.25 of a micron. So you can move them very accurately and just plot them on these lines and you can sniff the data on the chip buses. But that's for another talk. So it is, you did say be nice to your dentist. And it really is important to be nice to your dentist. I was nice to my dentist. And this is what he gave me. So I was in for several sessions and said, hey, can I bring some stuff in and get you to x-ray them for me? And I was like, sure, that sounds like fun. It's like excellent. And I did. So I was just kind of one of those things. It's like dental x-ray, is it going to be useful and interesting for this sort of stuff? And as it turns out, yes it is. So I brought a little selection of chips and plot them down. He zapped them. And this is what we've ended up with. So the good thing about these is x-rays are one to one. So these are scale size chips. And it means that when you pop them under a microscope, you can do things like blow them up. These are the bond wires in situ inside the chip. And actually something I never knew. This guy here. So I'm pointing at the right one. Possibly this guy here has three bond wires going to the same pad. And it turns out that's a power supply line. So that was a ground in that case. So chip needs more current, needs more bond wires to handle the current. So they stack three up. Any idea what this is? The texture at the right give you a hint. No takers? So this texture is a very thin sheet of fiberglass. And it's a little bit hard to see. This is a sim chip. So you can actually see the bond wires coming from the die in the center. The die you can't really see. But you can see the bond wires outlining the die going to the various pads of the sim chip. Now this one is particularly interesting. We were doing some testing for a client. One of the things we do apart from kind of security reverse engineering is we do a little bit of assurance work as well. And we knew what we were kind of looking for with this chip. And when we X-rayed it, it's like holy shit. We know about chips one and two. These two guys over here. What the fuck is this? And it turns out that that is a radio chip. Which we weren't expecting in this particular device. And as it turns out, it's there legitimately. But it could be completely illegitimate. So there are issues with supply lines being compromised. Fabs, churning out dies that have modifications. And here, there's a small RF device that could be embedded in the die itself. Sorry? No, that wasn't a USB stick actually. I can't really tell you what it is unfortunately. But it was like holy crap. So given that the guy in the middle is a processor and the one on the left is an e-prom. What we were actually doing was looking to look at the bond wires between the processor and the e-prom and watch the conversation between the two. And yeah, that RF chip, the way we actually figured out it was an RF chip was he pulled it out of the bottom of the jar when we blink blink fizzed it and zoomed in. And there was the manufacturer's part number on it again. You could just look it up. Holy crap. But the interesting thing was I must have blinked half a dozen of these chips. And I'm going to go through the debris and I'm picking out and actually in this particular case, the processor and the e-prom, there's bond wires between them so they're joined together. So they're easy to spot and you just pick them out. And then I kept coming across like a few weeks later after I'd done a whole bunch of them, I noticed that there was bigger chunks in the crap at the bottom and it turned out to be this little die. Yeah, at that point we hadn't X-rayed it so we didn't know exactly what we were dealing with and we only were expecting those two chips in there. So that was very interesting. And as I said, it's like, oh, what is this? Oh, there's several of these. Where the hell did these come from? And actually there was on every chip I'd blinked, there was one of those lurking in the grunge at the bottom. So with this particular project, we wanted access to sniff the data on these lines going between the MCU and this e-prom chip. So, blink, blink, fizzing it isn't going to cut it because I need the chip to be operable. So there is a handy machine to do it. It's called the Nicene Jet-H. It's amazing. It's like this size and you pop your chip in and it will etch a hole in it down to the die. Only problem, $22,000. I have a constant eBay search for a problem. Yeah, I haven't seen one yet. So it's like, okay, it's $22,000 but I reckon it's doable. So I came up with this design. This device is called the Decapinator. And I wrote a blog post about it and I'm saying, okay, I've got this design, I'm going to send out for the bits and I'll fill you in. Well, I'm a lazy fuck and haven't actually updated to say actually, yeah, it works. So you actually get to see the results. So this was my plan for it. So you have a hot plate at the bottom. You're a flask of nitric acid. You have in this drawing a syringe pushing air in so that the nitric acid comes up. I ended up using an aquarium pump. And Teflon is resistant to hot nitric acid. So I got Teflon rod of two different sizes. And I wanted to try and use simple tools. So this can all be done with a drill press. And just some simple woodworking bits. And the Teflon cuts like a dream if you use woodworking tools on it. So I chopped out these two cups, drilled a hole through the bottom. I learned a little bit about pulling glass pipettes. It is simple. Unless you want the pipette to be absolutely straight, in which case it's a fucking pain in the arse, but it's doable. And I also wanted to be able to control where the acid was going to mask it into a particular area. So after a lot of research, I came across this rubber, this gasket material called Viton ETP 600S. And then I tried to find it. So I looked in all the usual places, eBay and Amazon. And I didn't do Craigslist actually. I've never done Craigslist. I don't know why. I'll have a look actually. Sorry. Okay. Well, I eventually tracked down some people that did. And on the way I came across it's made by DuPont. I came across a DuPont distributor, because apparently it's quite new, that when I said, oh, I'd like a sample of Viton ETP, he actually wet himself on the phone. He was laughing down the phone at me and saying, this is rare as rocking or shit. So I finally tracked someone else that I could order a sheet off. And I said, okay, so I'd like to order some Viton. And it's like, oh, how much do you need? Well, I don't need a lot. Just really, you know, six inch square would be fine. It's like, oh, no, that won't meet the minimum order, which is 940 millimeters square. And I'm like, okay. Yeah, that would be fine. Okay. That would be 1,700 pounds plus VAT. So basically the better part, 2,500 bucks. And I'm like, yeah, I don't need the Viton that badly. And I did actually track down someone that sold me a kind of six inch by six inch slot piece of it. I actually had a hole punched in it. So I think it was actually on a proper sample sheet, sample little book. It was 200 quid. But in the meantime, I'd gotten some regular Viton on Amazon. Big sheet like this, 40 quid, 60 bucks. And I realized that actually the cheat stuff works because I'm only exposing it for a reasonably short period of time. The Viton ATP600 is designed for making gaskets for pipelines that are pumping nitric acid and shit like this. So actually I can have something, the regular Viton, when you look at the specs on how they test this stuff, it's like, okay, we're going to immerse it in nitric acid for 24 hours. And it's like, oh, yes, and it expands 5%. And it's like, okay, that's fine. It's going to be nowhere near like 24 hours. And even if it did expand 5%, who cares? Not with the stuff that we're doing. So we ended up not using the wing nuts. We actually have a spring pressing down. So the nuts are still there. But under the nuts is a spring. And it just presses down that top plate. And there we go, that's slightly better. And I also realized that the, once you cut the aperture and the Viton, a handy thing to do is to superglue it to the chip. So therefore, it becomes a kind of monolithic, you know, thing. And the Viton isn't going to be slipping off the chip, et cetera. And it ended up using little strips of Viton with the hole cut in the end so you could put it in and line it up with the aperture that the acid is going to jet through. So this was an early mask, simply cut with a scalpel. But you can use handy things like leather punches and things like that. And this was the first trial. So this was, I think this is an MSP chip, little TI MCU. And this was the first go. And actually the results are not too bad. It got a little bit close to the edge because it wasn't particularly well-aligned. And my aperture is a lot larger than I actually needed for the die. And actually that's one useful thing about doing X-rays or doing the plink-plink fizz is that you can actually find out exactly how big the die is and where the die is in order to do some alignment. So if we zip back to this guy, remember what I want to do is intercept these five lines going from the large central chip to the chip on the left so we can sniff the data between them. So this one was close but it went too deep. So you can see the bond wires connecting the two. But we actually ended up going underneath those chips and destroying the lead frame that was providing the interconnects to the outside world. So that one was a bust. However, this one was just right. Take it down just far enough to expose the bond wires until I was to tap on two. Now I'm actually just going to quickly jump back here. So there were some issues with this initially. One of them was the air. So I got the aquarium pump and I put a valve in so I can adjust the flow. And then I quickly realized that actually that's a variable and the best thing for me to do is to try and remove all the variables. So the little valve came out and the pump was simply on max all the time. Another variable was the temperature. So although I thought I was getting the temperature right, I wasn't. So I got a hot plate, again from eBay. I had a thermocouple probe which was supposed to be acid resistant and certainly was not. Yeah. No, no, no. I went through two before I'm like, okay. So I simply made a long tube, sealed the bottom of it, you know, with a blowtorch and injected thermal transfer compound into the bottom of it. I put my thermocouple in there. So when I eventually, or eventually, I'm going to write this up after con. You'll see the pictures and you'll see that third probe penetrating the stopper. So my acid is at a known concentration. My temperature is at a known setting. My pressure is at a known setting. So my only two other variables at that point are the permeability of the epoxy to the acid and time. So it becomes pretty controllable. So that was about three minutes and that is a minute and a half. One minute, 30 seconds and it will always do this. I've got 20 chips like this. Spot on. One minute, 30 seconds. This is where you get to. And that was absolute perfect for us to micro probe onto the bond wires and actually sniff the data passing through. So I will publish the results of that and the design. We're going to open source the design for the decapitator so that you guys can have a go at it as well. And you can start micro probing ICs that are actually running. And silicon is the last bastion of security. You can pull hard drives and analyze them. You can sniff memory. Everyone now are trying to lock away their secrets in silicon. That is where they hide the keys. So we need to be aware of this area. The kit is very expensive. Christopher is well known and has made a fabulous business out of this. However he has a lab with millions and millions of dollars worth of equipment. He is not shopping on ebay. Actually that's not true. He may well be. But when you buy used fab equipment which is available on ebay, it still costs a million dollars for it. Sorry? Cable money. Yes, exactly. So in a week's time or so I will have written this up and hopefully I want to get to the point where we have a set of plans that you can just take and build and possibly we might try and put together some kits that you can buy and screw together and decap away. So that's it from me. Now I work from Code Monkey over here. And remember just to recap. So now I know what the smell is coming from his office anyway. Strange stuff. Okay, so at this point he handed it over to me. And he's like, okay, so we're doing the probing and we're doing the decapping and working and so on. Now we need to get the actual code out. We can sniff the data going between these two buses. But how about extracting the actual code that's running on the chip? We want to see what instructions, what it's doing with that data. Now the difference between mass ROM and a programmable chip is a mass ROM chip, it's hard-wired into the chip. So it never changes. Every chip is programmed. It never gets programmed. It's actually manufactured. The instructions are manufactured into the chip. So the challenge is how do we read the mass ROM? Well as that mentioned, we identified the image, the part of the image that is the mass ROM, which is this. And then we look at it and we say, okay, well there's an obvious pattern there. Can we actually read it? So if we look at this and say, well is that a one, one, zero? Sorry, one, one, one, zero, one, zero, one, zero, one, zero, one, one. So yes we can. That's binary data. If I just take that and turn it into hex, there's my instructions. So it's like, okay, this is just way too obvious. This must have been done before. Someone's already doing this. And in fact there's some code, some very good code that deals with even smarter images than this called degate. Anyone here played with or heard of degate? No? Okay, so there's an open source of one guy at the back. I guess not a lot of people actually blame this stuff. But the guys who polished the chips off developed this package called degate and what it does is image recognition. So you look at what they were doing was trying to figure out a crypto algorithm. So a bunch of gates and they were looking at all gates and AND gates and so on. And they wanted to build a pattern of what the chip was doing. So they used pattern recognition. So they would take a picture of an OR gate and say, right, that's one OR gate, find all the other OR gates. Here's an AND gate, find all the other AND gates. And they packaged it up into this cool bit of software which will then spit out a graphic representation of what that logic was doing. Fantastic. That's going to be easy. I'll just point that code at this and we'll read the mass ROM and then we've got the code. In fact, when I started playing with it, I couldn't find anything in there for doing a simple here's a mass ROM, read the data, please. So I thought I was being thick and I emailed the authors and they said, yeah, no, we've never done that. We couldn't think of a use case for it. It would be easy to do but I'm like, damn it. Okay, who else has done this kind of stuff? Okay, the main community, they're constantly reading ROMs and getting games and any of you guys actually involved in main here, main hacking? Not a lot. Any of you use it, have it, play it? Yeah, that's more like it. Okay. So again, I reached out to the main community and said, well, how do you guys do it? And they said, oh, it's really simple. What you do is you take a picture, you divide it up into chunks, you send it out to hundreds of people and they sit there looking at it typing 1-0, 1-0, 1-1. Okay, so slave labour basically is how they do it. I think the technical term is crowdsourcing. Crowdsourcing, yeah. So very cool and it works obviously because we end up with main games that we can play but I really didn't want to sit there typing in 5K of 1s and 0s. 5K bytes of 1s and 0s. And I couldn't crowdsource it because this was a confidential project. In fact, you're not allowed to look at this so you never saw this, okay. So what to do? So I thought, okay, well, we know how to do it, it just isn't in D-Gate. I'll just do it with image recognition. So I'll write a little bit of code that does this and I use OpenCV which is fantastic image manipulation code makes stuff like this an absolute doddle. All the hard work is done for you. It's in Python which rules because I love Python. It's a Python Nazi. It must be in Python. If it doesn't work in Python, it ain't worth having. That's my philosophy. But then I thought, well, actually, if you look at this image, there's lots of problems with it. So we know what the 1s and 0s look like. So these guys, a bright dot is a 1 and the absence of a bright dot is a 0. That's pretty simple. But there's a lot of clutter as well. There's all this crap. So you've got these lines. We've got what look like columns of data. So here we've got a chunk of data and then you've got a separator. Then you've got another chunk and then you've got a separator and so on. You've got all this crap at the top. You've got these lines that go along horizontally between the data. So I figured I'm going to spend so much time trying to get the code to tell the difference between good data and bad data that I'm not actually going to be able to successfully automate this process. So then I thought, okay, the hell with it? I'll semi-automate the process. What I'll do is automate the process of creating a way of reading it cleanly and then automatically reading what's done. So I created a thing called Romper, which is ROM parser. I'm going to switch this screen to my laptop and I apologize. I hate doing this and sitting down and speaking from behind a laptop because I'm going to be doing a lot of missing and fiddling. I'm now going to disappear for you guys. Bye. It's horribly wrong. They promised me it would just come straight up. So the laugh is when we were in the green room and testing it with the projector in there it was my laptop that was fucking up left right in the center. He was like, yeah, mine's fine. Okay. We've got bags of time. Just talk amongst yourselves. Go for a question. The question was how do globtops impact? Globtops are is it a chip on board you're talking about? Yeah. So the industry term is COB, chip on board. So basically the die is placed directly on to the PCB and then it's die bonded across and then they drop a drop of very runny epoxy to actually solidify. So we haven't tried those. We've tried them to the point that we've decapped using the Plink Fizz method things like Sims which are so heavily armored in the silicon it's unbelievable. So you can see all the chips we've seen here, they look great. You can actually see the pathways and areas on the chip. If you look at a sim which is intended to be secure silicon the top of it is just pretty much a layer of gold armor designed to disable the chip if you penetrate it. Interestingly enough it may well be possible to do with the decapinator because once I ended up being such a useful tool I could actually decapinate the chip. So initially I was taking the chip off the PCB putting it through the decapinator putting it back on. I was actually able to get to the point where I could decapinate the chip while it was still on the PCB. So I was putting whole PCBs into the decapinator and pitting that one chip and yeah, that was pretty cool. That's what it may be possible to do and it turns out it totally is. I mean the boards were very small so if you had a larger board you're going to have to have some sort of support structure but it's totally, totally doable. Only, so the question was sometimes they're almost spherical does that impact the time to etch and the answer is yes. The simply the greater the depth of epoxy the more time it takes. Well you'll almost never be able to do this and get it right first time round. So expect to go through a few chips until you actually work out okay it's going to take X amount of time and well done. Yeah, so expect to go through a few chips before you actually work out okay actually in that case it's going to take me 130 to actually get to where I want to be. Okay, major. Cool, thank you. Demo gods are with me hopefully so far. Okay, so if you remember the original image we had columns of data and basically what you have to do is look at those columns and try and figure out exactly what you're trying to create. So my idea was I'm going to create a grid over the image and where there's an intersection because it's all nice and neat rows and columns. Where there's an intersection that's a point of interest and if there's a dot there that's a one and if there isn't a zero and if you're outside the grid just ignore everything. So romper you tell it basically the image name the number of bits in your horizontal line and the number of rows in your horizontal line. So if I say romper bitmap I counted 16 in each column and I'm going to do two rows at a time. You'll see why this is relevant in a minute. So if I go back to the original view so basically this is our image and I reckon there's 16 bits in each of these sections. So the first thing we do is apply just a color filter and I can actually filter it to try and get the dots down a bit smaller because remember we're trying to identify whether it's there or not. So now what the tool allows you to do is create this grid. So the first thing I'm going to do is say okay this column here is my start column hopefully you can see a little blue line has appeared. Can you see a blue line on there? No, okay. Yep. So here's my final column 16 because it's nice and even it's drawn in the rest of the lines for me. So that's two mouse clicks so far. So now here's my first row and here's my second row remember I said there's two in each row. So again if I get rid of the image we've now got a little grid which is two sets of intersections. And now if I just say okay here's another group and here's another group. Here's another group so we're very quickly building up our grid and I'm going to do this fully so bear with me a second. Okay that's enough but you see how quick it is to do so we're down to a few dozen mouse clicks to create a grid that matches that entire thing. So if we now go back to the image what I can do is say okay wherever there's an intersection tell me if there's a bit there or not. So I'm going to do a read and it's now gone yeah I see a bit there. These guys don't quite line up we know that this pattern is completely the same you know it's a repeating pattern but all of these lines should look the same so what I can do is click on this guy this is just me being slightly inaccurate when I'm clicking the mouse I try and center basically when I click on a mouse on a dot I try and automatically center the line horizontally and vertically the problem is you can't really tell with a mouse where your exact click point is what I ought to do is change the cursor to something more accurate but I'm lazy and it was quick and easy so if I now go into edit mode I can just move that line until it lines up a bit better move this guy or if it's out horizontally I can move it that way and that way but you get the idea so we can now mess around and try and create a grid that perfectly lines up let's go back to looking at the original image if I think that's a bit clearer it's kind of hard to see what's going on so again I just thought well I'm trying to automate this process I'm not trying to fully automate it I'm trying to semi-automate it so I'm going to do things that make it easier for my eye the human brain is very good at processing images and patterns so I'm just going to make it as easy as possible for my eye to process this stuff and do things like switching off the grid and checking what's underneath switching between the original and the masked and then I have this nice mode called peephole mode so you get rid of everything that's not an intersection and if we also get rid of the grid you can now see well this guy is not lined up at all so if I go and edit him I can quickly line that up and you see when you're dead on and there's a nice round dot in the center of your thing and if I re-read it all goes horribly wrong because I'm not just playing the grid put the grid back on we've now got a clean read of those four bits we also want to try and make sense of the data so in this particular case we knew that an unused piece of ROM has a hex value of C1 so what looks like if I come out of peephole mode and we look back at the original image there are these big chunks of unused data here so here's obviously program and here is nothing and this repeating pattern therefore we would say that must be C1s so what we should see here because it's 16 bits I'm hoping is C1 C1 now the quicker amongst you will have noticed I'm going to get that so what I can do is say okay take these bits and actually show me a hex value we'll get rid of the mask and the image reduce the font so we can read it and here we have the actual values that are decoding for each of our groupings and clearly that's wrong so what the hell is going on so if we go back to our image turns out see these guys here, these are lead wires coming in to read a column of bits and if you count them 1, 2, 3, 4, 5, 6, 7, 8 and if we were to scroll down and look at the bottom of the image there's another set of these coming up and they're interleaved with these guys so what we've actually got is 8 bits interleaved with another 8 bits so what we're going to have to do here go back in say actually it's not 16 it's 8 and we're going to start again with 8 and now you can actually see okay so those are apertures basically the automatic aperture size is based on the size of the gaps between the lines so I can actually reduce those a bit if it's over reading we'll adjust this guy adjust this oh you can flip bits as well obviously and actually here you can see how useful peephole mode is because when you're trying to manually check if you've got a 0 or a 1 in the right place and you've got all these other dots interleaved with these guys sometimes it can be quite confusing so if I go into peephole mode all the extraneous imaging that my brain doesn't need to have to deal with is being removed and I can just look at only the dots that I'm interested in so that really helps and if we go over here and again show the hex values let's get rid of our image so we can read it get rid of our grid and there we go there's our C1s thank you so yeah that was quite a satisfying moment it's like it actually works so we can dump that to a file and I've already done that so I now have a hex file which if we go and look at that this is only a tiny portion of the code obviously but it's enough to show you that without my client having to put a hit on us and they would okay so here we have our C1 so lots of little blank areas so at this point it's like okay we've got the code we've extracted the code from the chip and now what? we need to disassemble it okay well that's easy it's a published device it's this particular thing it's called the Mark 4 I'll just go and download Toolkit, Developers Kit and disassemble it so we had a look on guess where? eBay and no we came up nil, zilch and used the Google and the Google said yeah we can get you those it's a $200 product that stopped being produced about 20 years ago so to you I like your phase $25,000 so like no thank you so we did find the manuals so we had the instruction set and we had how to convert it so we just sat down with it, we'll write our own so our friend Python comes in again so Mark 4 DASM was born and if you point Mark 4 DASM at a file it does something like this so basically this is going to be slightly nonsensical because it's only a small chunk of the code so what it will give you is a little summary of ROM addresses and labels that have jumped to that address if nothing if it's obviously a subroutine with an exit but nothing calls it it's an orphan but if it's a known address like an interrupt, a bit of interrupt code it will give it the correct label the other really handy thing which meant we could tell when we found the beginning of the program is there are these two guys that always have to be there and it sits in a little tight loop just waiting for an interrupt and there's a routine called reset and reset is actually what C1 is doing C1 is a jump to the address where reset lives so if your code goes mental and your program starts running off into oblivion eventually it will hit a C1 and C1 will reset the chip so all the blank space in the code is a jump to reset which was a really smart thing to do so instead of just being a knob so anyway you get a little summary of what it's found you get summary of variables and then you get the actual disassembled code which is wrapping horribly because my screen is too small yeah so my disassembler gives you the instruction in the format that the original compiler would have done it so you could run this if you wanted to if you had one and here's auto sleep, it does a knob it does a sleep sets branch and carry and then it just jumps back on itself and it sits there waiting to be interrupted here's our reset sets up the stack sets up the return pointer and then jumps to zero and off you go so we knew we've correctly identified the beginning of the code how do we know we've actually read the code, all the code properly well they helpfully put a checksum at the end now it's wrong in this case because this is only a partial chunk but here's the checksum embedded in the ROM and here's the calculated checksum that the disassembler gave us and if they match then we got it right everything's lovely okay one of the other things we really wanted was to be able to run the code and see what the hell this thing's doing we've read the eProm so we know what the data that's gone in but we don't know what it's doing with it so we could sit and try and manually step through this or we could write an Ida Pro plug-in or something cool like that again the development kit would have had an emulator in it $25,000 we're not going to buy that actually I did find a copy of the software for the dev kit it was in German and it was on a Russian wear site so we decided to give that one a miss so yeah Python is your friend a whole chunk of this is being cut off I have to say I was absolutely blown away when he showed me this this is cool shit so we can single-step the code we can set break points on read or write on the output port over here you can't see you've got all the registers the stack it's got two whole variables X and Y so really powerful chip we can set breaks on things like branches and so on and we can just go and it will just run so if I take that break off it's now sitting in its little loop and you can see the branch remember that instruction that set branch and carry and then jump to zero that's what we're doing and I will probably crash it if I now generate an interrupt so it's jumped off into code that doesn't actually exist because this is only a partial fragment of the code but this gives us now the ability to run whatever we want we can feed the data in virus pseudo e-prom which is plugged into this and so we now completely own that chip and all the code that was in it and all the data it was truing on so that's it thank you just before we go to questions one of the cool things about this was the manufacturer was so super secure in their belief that no one was ever going to get the data off this chip I always mass rom, no one can read mass rom once it gets its fuse blown there's a diagnostic routine that allows them once the chip is assembled to verify the code and then they blow a fuse and it's gone so couldn't possibly do it no way to read it out because with flash you have the ability to read it out but here it's mass so you don't need that facility so it just checks the check sum yes, okay now that routine gets turned off the interconnect between the MCU and the e-prom again all inside the package yeah, it's not exposed to anyone no one is ever going to get the code off this e-prom and it just shows you what you can actually achieve and how really some of their thinking is so let's take some questions for you guys just a tiny addition to that so sometimes we send chips off to people to do stuff like this for things that we couldn't handle before we did this and we ask them, okay we got a mass rom chip how much would that be that's tricky $10,000 per chip to give you the code and it'll take three months and that chip the chip we asked about had 512 bytes mass rom this had 5k and actually I think it was actually 25,000 bucks it was horrendously expensive okay while we've got your attention this is unrelated but our next project will be launching on Kickstarter so get your camera out and take a picture of that QR code that's my blog entry which I posted about an hour before we came in to give this talk that describes exactly what it is it's a software defined which is the trendy buzz word at the moment but for RFID so this does the same thing for RFID as stuff like hackRF does for RF so you get access to the low level raw data you do whatever the hell you want with it within a day of building it we were cloning and emulating pretty much anything we could put in front of it oh and it's cheap 30 pounds maximum so anyway questions well so depending on the complexity of the chip there's actually do put a lot of security features in place so they will bury things in layers so it won't be on the top layer it'll be eight layers down and they'll put a security layer over the top a security mesh which is designed to destroy keys if the chip's powered and it's damaged in any way and when we first got into it we were actually quite pleasantly surprised that the chip manufacturers actually take security seriously of course what they're trying to secure is their customers IP so we tend to find that we do a lot of embedded systems reverse engineering normally a lot of the security is crap so they're taking crown jewels the super secret key they're super secret master keys and they're storing them in chips that aren't really designed to secure keys and things like that so we looked at an RFID vendor and they are kind of latest and greatest product and they'd stored their keys in the picture and we sent it off to a slightly dodgy company and they said oh that will be $900 sir and they sent this back an entire dump of the code including all their super secret keys and we've had chips reversed that have cost as little as 90 bucks so if you have a cheap picture 90 bucks will get you the code so they're tending to with the higher end chips actually put some effort into trying to prevent this from happening on die security this basic problem not just the the physical expertise for pulling apart the chips but the software expertise it's an amazing combination thank you that's a miss bend youth for those of us with that said sort of the amount of time you've poured into this project surely they were from the safety lecture you took your time and did your research and the python codes spitting by maybe what's an afternoon for you is a month for the rest of us what's your time code? we've been doing this stuff between us for 20 years so it's a bit here and a bit there I don't know if you actually sat down I don't know but the whole point of stuff like this and decapenator is we're trying to solve those problems and then step everyone forward we need to move into a situation where you guys can get up and running within a week not a year I guess how long did we start on acid? sorry guys I would have said probably this one project it kept diving into new areas so I would have said probably to get to the point where we had the decapenator and we were extracting data and ROMPAR was in existence maybe six months from starting from a hard cold start and it wasn't as if it was we were working on this full time for six months it was six months elapsed and it was a background project kind of ticking around so actually probably if you sat down and just focused on it probably something like a month to end up where we were it's fascinating thanks for sharing thank you great stuff I love it I have a question about it's kind of a chip implementation question in a lot of the microcontrollers like the pigs there's fuse bits that manufacturers can set like burn your code, verify the code any way else can read it would it be possible with the decapenator and the probes to reconnect a fuse rather than having to read all the data back out of it absolutely sweet so and in fact a guy called Bunny Kwan did go have a look at his blog it was a little demonstration it was fantastic so he hand decapped a chip and he masked out he worked out where the fuses were and realized that the fuses had been covered by a little metallic gold plate and he realized that okay you're covering it with a plate but there's still a passivation layer in between the plate and your actual kind of fuse which is effectively a transistor so what he realized was right if I mask out all the other UV sensitive parts of the chip and I put it at an angle I can get the UV to bounce under the shield and just cook it and discharge the little transistor and he could read the data right out so there are companies around that will go a lot further and will really dig for you a little related note we've used the decapitator to drill a hole and then his very precious micro probes to selectively break wires and then probe on and actually feed our own data instead of what was supposed to be coming from the other guy and the feeding machine so we're all about getting this into the back room economy so you can do this yourselves so where would we have got the thing that sends the data into these probed devices do you think not eBay, no, we got it from Spark Fund and it cost like 30 pounds and it was called a bus pirate Hi, this is amazing work I have to say the gentleman before me actually asked the question I was going to ask so that's easy but a quick comment about hydrogen fluoride you can, an alternate source as well which is fairly safe it's used for etching glass and it's not in a gel form it's in a cream form, I don't know if that's also usable for the same thing oh, almost certainly, I hadn't come across that I'll certainly have a look at that I mean that may well be a better source of it than the dental stuff and I used to work in a lab where they had the real stuff and scary is an understatement in a lab of 30 people only one person was allowed it in a lab which was cooled to below refrigeration temperature and not only did it have a fume cupboard the actual lab was an additional fume cupboard as well, it was just insane is that why you got both your hands in your pockets? I don't want to talk about that thank you thank you hi, you said CRC, right? as opposed to a more sort of secure algorithm oh, the checksum the checksum was actually quite interesting and it's documented and obviously the code is available, you can go to the Aperture Labs tools page and the Mark IV DAZM is linked off there you can download it and if you like Python you'll probably puke when you read my code but the checksum is actually two checksums the left hand byte is a left hand checksum and the right hand byte is a right hand checksum and they just do a slightly funny wandering algorithm that would definitely go wrong it's just there as an assurance to make sure that the code that was that runs on the so they'll have a test routine that will run through and read the ROM before they blow the fuse calculate the checksum and make sure it matches so it's not going to try and recover any lost bits just say yay or nay is there only to disable the test routines for the chip so can you generate the CRC after the fact to make sure it's still good yes, in fact the disassembler my disassembler will show you what was stored the last two bytes in the ROM are the checksum and it will also recalculate and tell you what those came out as so you can see if they match is this can you poke a running chip to get it to give you the checksum is it only this stored in the end or stored can you get it to calculate the checksum there is a test routine built into the chip in fact the chips there's two chunks of code when you look at the chip there's the chip that the customer put in and there's the chip sorry the code that the customer put in and the code that the manufacturer put in and the code that the manufacturer puts in leave it doesn't actually sorry the screen resolution is wrong so you couldn't really see what that was but the code the manufacturer put in will check it for you but it then gets disabled once they've done their tests possibly you could run it with a $25,000 emulation thing but we never got that I was wondering if you could use it as an oracle to glitch out parts of it as it was calculating that if you can I don't think so but yeah nice idea thank you by the way that screensaver did anyone recognize what that was so again I don't know if it's on is it on the the Aperture Labs page I don't know but in my blog I have a blog about writing the python code that went and grabbed the last frame of every episode of the big bang theory so that I could have a screensaver that has those and the code is published and if you want to save time so are the copyright infringing images brilliant work gentlemen I noticed that when you ran the romper program you used the original non-florinated versions of the chip you didn't use the etching compound before and after for that image for that particular process we had already finished by the time Zach perfected his technique I was already working on the original images and in fact the reason he looked at cleaning it up was because I was having difficulty with some of the bits it was not actually clear whether it was a 1 or a 0 and I couldn't determine looking at it so I couldn't even correct it myself because I was just guessing I don't know how much time we have left is there a speaker up to go in here we're the last talk so we can go as long as you guys can stand us so it will work with both the last thing between you and beer is us so it will work with both then so it will work with both whether you absolutely it's just how clean can you get your image I think that was the last question anyway so thank you