So, Sick Codes here is proving the point when you ask the question, who thinks your tractor is sexy? This is the man. All right, good afternoon everyone. My name's Sick Codes. I just had an issue with the slides: the font didn't come across because I was using LibreOffice, for those GNU fans out there. My presentation here is called Hacking the Farm. This is about breaking into agricultural security devices. So yeah, the prime focus here today is our food security, and what I mean by that is the food supply chain. One of the biggest parts of the GDP of the entire country is food and agriculture, which accounts for about 20%. So one-fifth of the US GDP is literally just agriculture. And I wanted this to be a little bit of a wake-up call, because it's kind of a big deal.

The main takeaways: I want you to feel like this is super easy and be like, oh, well, that's one of the easiest things ever. And I want you to feel like you can also do it. That's one of the big takeaways. You want to be able to do it to everything: your fridges, your watches, your smart fridges, I already said that. And this talk's suitable for anyone who eats food, so I assume that's most everyone here. Yeah, so sit back, relax, and just enjoy the presentation.

So this is the OVH data center. Some of you might remember this. And one of the big takeaways from this data center fire, something that I picked up pretty straightforwardly, was this comment by the CEO of OVH saying, I believe this incident will change the standards of the industry in relation to free backups for future incidents like this. And my take on that is: newsflash, OVH, everyone else was already doing backups. You were the only company that wasn't. So it kind of sucks for the customers that lost their data. But things have to happen before you transition into a new, I guess, modus operandi.
And yeah, consider the risks before you jump onto the information superhighway. The big key here is you wouldn't upload the supply chain. John Deere, oh, sorry, John Deere seems to think otherwise. Yeah, so John Deere, we have a chequered history, myself and John Deere. I was the first researcher in their program. That was about last year, August last year, just before DEF CON last year; I did a talk on that, a little bit different. And that was supposed to be a bit of a silver lining in the background. So they actually generated it. They've got the program now, and they've got some reports to resolve. We've got 94 reports to resolve. One of the key things that I've tried to mention to John Deere is that they don't have equipment in stock. Sorry, in scope, and not in stock either, because of the chip shortage. But yeah, they don't have equipment in scope. So I kind of took that: you don't have a bounty program that pays money that I know about, by the way, and you don't have a program that pays for hardware that's in scope. So who do I tell the vulnerabilities to? And are they actually vulnerabilities?

So just reminding you: have a good day today. I want you to make it look easy, and don't think that you can drive a tractor after this talk either. But yeah, and never give up.

So these are some of the issues that I had, you know, shearing. Just mayhem and just annoying things like that, you know, breaking screwdrivers and just shearing the only bit that fits in one of the nuts in here. This is another one; this is the previous device that I looked at, the modular telematics gateway, and I actually broke that in half, which is so annoying, because then you have to buy another entire unit just to get that chip, which has the software on it. So that's the only chip I wanted, and I broke it. So looking back in hindsight, obviously there are way better ways to do it, like, you know, low-melt solder and things like that. But there was a lot of epoxy underneath.
They tend to use a lot of epoxy on their stuff. So it's kind of like an extra layer of glue. But yeah, once you get that chip off, this is one of the most common chips you'll see in most USB sticks and things like that. You can just take it off, get one of these open source NAND light design boards from a guy in Poland. So the design's open source to an extent. You can find it on Alibaba and stuff like that for a dollar. And then, yeah, you can actually basically read and write those chips straight, you know, firmware and things like that. And the software that comes with it is actually written in Polish, which is kind of tricky to use. And I actually ended up getting another one of those devices, the one that I snapped, and actually accidentally overwrote the chip instead of reading from it. And I kind of put it to bed for a while. But yeah, it kept going.

So, yeah, things like this, you know, just shearing out screws and things. But here's a little thing I just want to mention, just because we're kind of near the start: these companies will be in it. You know, companies have always emailed me after things like this and gone, oh, you know, we're in the talk, and things like that. So I put them all at the start and said that, so they don't actually have to look through the slides and have a look for themselves after. None of the research days were paid for; all the researchers were in good faith. Nothing today represents me, et cetera. No gag orders. It's all CC0, and all the trademarks belong to the real people that own them. And there are all my socials. You can follow me on Twitter, LinkedIn, GitHub, et cetera. If you want to do some work, hit me up.

And that's a tractor. So that's a chainsaw-looking thing. It is a forage harvester, one of those autonomous ones; those are pretty scary. So, yeah, the thing on top is actually the GPS dome on top, which actually turns it into a remote-controlled device.
And in the cabin, in the guy's seat, there's actually a display that he's using, and I actually have one of those displays here as well. So I'll get into that shortly. So the three parts, really, to a tractor or machine or an implement, et cetera: you've got the actual machine itself, which is the thing that you can actually get parts for, which is another thing I'll mention today, right to repair. The parts you can get are, like, hardware, you know, nuts, bolts, pieces of metal, really. But the things that you can't get are copies of the software from the manufacturer, and copies of the unlock codes, and copies of the special codes, copies of, you know, the source code, things like that, which, you know, they might offer. In particular, John Deere does offer that. And just lastly on this, all three of those components are interconnected. They all actually talk to each other. So you can actually control the machine from the gateway and also from the display. And you can also update the display from the gateway and the machine, et cetera, et cetera. You can go all the way around over CAN bus, automotive Ethernet and a number of other different things to talk to the things, including wireless.

And this is the last thing I'll mention of the gateway before I jump into the cool thing, which is the display, which is what I've been working on for the last month, part of me one year. This is the gateway. And yeah, like I said, this is the only part of the tractor that's controlled by the network. It's got network controls, connectivity.

These are the four series of displays. I was going to say water. We've got the 1800 display, the 2600, the 2630 and the 4640. I actually have a 4240, which is the budget version of the 4640. And that's actually the flagship model of the series. It's actually the flagship device at the moment. This is the previous one. This is the brown box.
And this actually still works. And farmers actually have this tendency to stick with stuff that works. And a lot of people might think, are farmers actually less intelligent for using the older stuff, the more traditional devices? But the answer is no; they want stuff to work when it's actually required. They want stuff to be extremely reliable, on point. When it's reliable, they don't want anything to go wrong. When stuff goes wrong during planting and harvesting season, farmers get frustrated, to say the least. And to think that things like software and updates, think about Windows updates, I like Windows, but think about updates during planting season. Like, you can't use your tractor. And I'll get into that soon, because that actually happened to me, even though I'm not a planter or a farmer. It actually happened to me, and I had an experience that I'll enlighten you on truly.

So these devices are actually 25 years old, and they still work, right? They still work, they're actually still in use. They sell for about 600 bucks still. So 25-year-old devices, 600 bucks, and they have lifetime unlocks. And what I mean by unlocks is the devices themselves have certain codes that let you use the device without restrictions in terms of software packages, like an app store, right? They have an app store; that's technically an app store. It's the John Deere app store. And we'll get into that shortly as well.

So the 1800 was one that was rarely used. It was a Windows CE6 device, and they sell for about 800 bucks. So they're still getting used today. This is like August this year, so it's very recent. They still go for full price. And then we have the Windows, so this one here I think was VxWorks. The slide's gonna say Windows CE, but it was actually VxWorks, and the other copy of the slides had VxWorks. But yeah, it's a different version of, like, embedded system. It's practically Linux. 2600, $5,600. This is almost 10, 15 years old now as well.
Still goes for a reasonable price. And then you've got the main one. This is the 2630. This is the workhorse of the industry. Everyone uses this device. And it's running Windows CE6. So Windows CE6, if you aren't aware, is, oh, just quickly, these are about $8,000 roughly at the moment for a device that's end of life, okay? So Windows CE6 is EOL. To think that a device that's EOL, or end of life, does not get any updates, running Windows Embedded, and basically taking the brunt of the entire food supply chain is quite concerning to me. I hope to you as well. But yeah, credit where credit is due, Windows CE6 keeps the food supply chain running. Still works actually pretty good.

Farmers, I'm gonna simplify it here, but farmers actually have a pretty straightforward task: plant seeds, wait for them to grow, pick them up, sell them, and then buy more. And yeah, it's actually pretty much like Farming Simulator, but in real life. So if anyone's played that game, it's actually very accurate. So yeah, it's quite interesting.

This is just some of the licensing agreements where you can actually ask John Deere for copies of the source code. You may, I'm just gonna, there was actually a video here, but: you may obtain the complete corresponding source code from us for a period of three years. So I've actually got a copy of that from them. We'll talk about it later, but that code is actually, obviously, allegedly open sourced, but that's another issue that is currently being disputed by multiple parties, I guess.

The 4240 is the one that I've got today. That's the one that I've got there. It's sitting there. It's all wired up. We've got RS232 up the back. You know, just a bunch of little cables around. I've just twisted them all up here. You probably can't see it, but you can come up after and have a look, and you'll be able to do something else as well. But yeah, these go for about four and a half grand.
They're a little bit cheaper than the other ones because these ones actually have non-lifetime unlocks. They have subscription-based unlocks. So the ones that I showed you before, they have the same unlocks, but they are lifetime unlocks. So farmers prefer reliability, things that are proven, familiarity, and less device restrictions. You don't want to go into farming, into harvesting season, with no 100% reliability. Like, you don't want to be relying on something that is as temperamental as an end-of-life Windows CE6 device in the middle of a barren farm in the heat.

So the second reason I'm packing this device and not one of the older ones is because this one's actually used in the secondhand fleet market. And what I mean by that is big fleets that have farming equipment now, those devices are actually going to be passed down to the current generation of farmers via secondhand, because a lot of farmers, you know, mom and dad shops, et cetera, or family-owned businesses, they can't afford brand new equipment like a lot of the big farming operations can. And that equipment is actually going to be passed down, theoretically, through auctions and things like that for the second generation. That's why everyone has the 2630, and that's why I have a 4240, because the previous generation handed down the 2630, and that's why all the farmers all over America have the lower one, the Windows CE6 one. Agricultural tech adoption is very unique in that, exactly what I just said, people uptake things very, very slowly. They're very meticulous when it comes to purchasing things, because they want to make sure that it's going to last, A, for a long time, and it's not as hard to understand as what they'd previously been using.

And just showing you the compatibility, they've got all sorts of things like CAN, RS232, Fizzerial, analog, digital, et cetera, et cetera. GPS, NTRIP, and I'll tell you a few things shortly, but there's another one there.
The second one there, ISOBUS VT, that's the specific type of application that you can run, and it comes up as a pop-up via CAN bus in the app, and I'm actually working on some special stuff with that. I haven't actually completed that, but we'll get into that shortly.

So the actual OS is Wind River Linux, and that's an ex-Intel company, but now partnered with Intel, and they make specific stuff that you'll find in things like the F-16. It's the Linux that you'll find in F-16s, 18s, 22s, 35s, all the different types of aircraft, Stinger missiles, Tomahawk missiles, and the Mars rovers, I thought it was only one, but anyway. That's the device that I've got today. Looks really nice like that, you know, pristine. It looks a lot better than the brown one that I showed you, right? It's 3D, it's, you know, actually I'll tell you about that 3D thing shortly, but you can actually play with this online. So you can go on the display simulator website by John Deere and actually have a go. You now need to log in via Okta, because they added Okta for a lot of different pages after I had a look into their stuff last year, but now they've got Okta covering pretty much everything, so you've got to sign up. You can sign up as a free developer. I'm not sure if they're giving them away still, though, but yeah, I was able to sign up as a developer last year, but I'm leaning against that because, yeah, it's not the point of today's exercise. But yeah, that's what the device looks like. Power it on, and that's my farm there, covered in corn, obviously. It's actually someone else's farm, because it's from some guy in Italy that I got it off eBay from, and his farm's still hooked into it, so I've just been using his data. So he hasn't actually used the demo as well, so there are actually demos. So could you believe this, right?
Even though it's GPL, even though the GPL strictly says, certain parts of the GPL, even though the GPL specifically says that things such as subscriptions aren't allowed to stop working after you stop paying for them, in any version of the GPL, we've still got demos now that stop working after 15 hours of machine time use. So I know actually a couple of guys have actually built things that stop the clock on these and actually roll it back every day so you can keep getting the demo. And there are a couple of guys in Brazil that do that, but that's not what I'm talking about right now. I'm talking about some fun stuff.

So yeah, dollar bills, this is how much those licenses are. So I've got a big nice price list here for you. Some of the expensive stuff: $23,000 for an EOL 2630. That's not cheap, right? So that's $26. The most important things are RTK activation, three and a half grand, that's a lifetime unlock, by the way, three and a half grand for RTK activation. That lets you use radio, right? That's already there, right? It's already on the device, it's already programmed. I've seen it on the device, right? That program's already there, and all you're doing is paying for the unlock, which I understand there's a point for that, but I'm just showing the prices, that's all. So yeah, more prices here. The new one's a little bit different, as you can see: subscriptions, subscriptions, subscriptions. Yeah, if you look at this, these are just upgrades between different versions of the 4600. So Gen 4 is the Gen 4 that I've got, the generation of devices I've got here.

This is me having a crack at opening it. Yeah, it's got that, you know, that glue between your phone screen and the device, it's got that, but everywhere. It's a pain in the arse to open. It's running an NXP i.MX6, so pretty old. Not necessarily pretty old, I think it's 2015, 2016, round about that time. i.MX 8's out, I think 9's out actually, but someone from NXP is probably here.
Yeah, you've got RAM, you know, the little RAM there covered in this yellow stuff. If anyone knows what the yellow stuff is, I've been trying to find out for quite some time. I don't know if it's, like, some sort of fiberglass or... Yeah, I get that it's heat sink, I don't know what it's made of, because it's almost caustic. It feels like you've got itchy stuff after you've touched it. But one of the devices they've got, they actually covered the entire thing in that yellow stuff for heat sink purposes, in terms of, when you actually took off the device, it would rip off the NAND, and irreparably, you wouldn't be able to put that flash back on the thing, just for opening the device. And yeah, it's happened on more than one occasion on the same device.

So just having a look at the other side, pretty bare board, it's Continental, and I thought at the start of this they just made soups and tires, but they make more products than that. So that's the proprietary thing called HS AutoLink 2. So the Molex connector that you can't get anywhere because it's proprietary as hell. And that's what they look like. It's just a 12-pin, two rows. I think John Deere on these only uses a couple of the pins anyway. So they just made it more abstract and more difficult to play with. That video's missing. But yeah, this is the pinout of that 26-pin connector on the back. What I'll point out to you here is you just need three wires to turn it on. I've got three wires here. I'll just show you what it looks like. Even though you can't see, because you're probably in the audience and everything, but you can come out and look after, it's just running off three wires at the moment. And those three wires are connected. But then there are two secret wires. And I don't know if it's John Deere's secret wires or if there are just two secret wires there, but that's RS232 serial.
So you can pop a shell with those ones. Yeah, the blue one and the yellow one correspond to pin two and pin three on RS232, and you just hook straight into it. So I actually burnt out, I'll tell you about that in a sec. But yeah, this is the same connector you find in, like, your old printers and things like that. So you can probably find these around the house, in cupboards and things like that. Everyone knows what it is anyway. Or the younger generation, yeah, you can go digging for them, but they're pretty easy to find. They're usually pretty old and dusty, but John Deere's got its own pinout for that. Like I said, two, three and five. It's just in, out and ground.

And then what happened was I actually connected this up with the 12-volt ground, and you're not supposed to do that. And I actually got into this state where, this is actually not because of that error that I told you, but this is an error. This is an error that happens when you reboot the device 10 times without actually letting it boot fully. So if it reboots 10 times, you get to this error screen, right? So it says you must contact the dealer. You absolutely must contact the dealer. And I thought, okay, so we jump in that serial that I was just talking about there. You probably can't read that, but it says file system check. We're having a look. And I thought, now's a good time to desolder the NAND flash and have a look and change the boot count that they've got in there from, like, 10 to, like, a thousand or 10,000 or something like that. So I desoldered it, right? And changed this here. So it's got max boot count in this boot sector. So that's in the boot partition. It's literally just plain text, right? So that's max boot count 10, recovery boot count six. I believe it's a running tally. So what I did, this is the terminal that pops up, I actually desoldered it, chucked it into the flash reader that I showed you earlier.
You know, mounted one of the partitions that I was working with, re-balled it. And this takes, this is a nightmare, by the way. And I think Louis Rossmann was here earlier, and he would think this is disgusting, the way I've treated this board. But yeah, it looks all right under, yeah, like that. And then you can rub it on, like, a piece of paper and get it to level the balls out. But yeah, that looks terrible. But anyway, when it goes back on, I'd actually set the max boot count, I think the max boot count to 10, but I changed the current running number to 9999. And obviously it was not gonna boot, because it was already past 10, right?

So then I went into the manuals that I just got from the disk. And there were instructions there about how to actually recover this, right? You have to contact the dealer. Please contact your local John Deere dealer. And what if I don't have a dealer? What if I'm in Thailand, which I do, I live in Thailand, right? What if I don't have a dealer? What if I don't have a local dealer in Thailand? And I could, oh, let's find one, right? We go to the virtual Asia showroom. So we've got the virtual John Deere Asia showroom, and let's find a dealer. So this spins forever, by the way. There are no dealers. I went, found some. This is like a 20-day walk or something like that if you get there. So I thought, I'll take this into my own hands. Yeah, I'll become the dealer now.

So then you get this thing called the software manager for John Deere. It's quite a, yeah, John Deere Software Manager. It's pretty all right. So this actually downloads, as you can see the running tally, it downloads over 235 packages. And what I mean by packages, I mean RPMs. It downloads the John Deere RPMs. So anyone who understands what an RPM is, it's literally just a .deb for, for RHEL, Debian, I'm sorry, for Red Hat based Linuxes. And would you happen to know that Wind River Linux is RHEL based.
So we can just install these on any Red Hat based Linux, but I'll get into that shortly, 'cause John Deere's going to love it. So yeah, so you get 12 gigs when you download that stuff as well. They give you 12 gigs, 12 huge gigs. And you don't actually need all of them. So it actually downloads multiple architectures. And you actually get ARMv7, Atom, i7, ARMv7 v2, I think it is. And then you've got noarch, which works on everything, by the way.

So I thought to myself, let's have a look through the files that I downloaded. So there's this thing in here. I think this is from the device itself when I desoldered it, or from the updates stuff. But you can see this file here. If you can't read it, I'll read it out: the reprogramming image check file. And if you don't know what a check file is, I assume that it's a file that would be there that would tell it that it's going to do something. And then it says JD, JD, a bootable USB flag. So I thought, okay, what would that be? So, oh, this might be something that really lets me pass that bloody black screen that I had before. So I've got the John Deere display updates here, the 22 gigs that it downloads onto a USB stick. And that's my serial number. And yeah. So yeah, so we upload that onto the USB stick. And this other one there, that was another one that I found, the 434341. So I chucked that in there. And then it comes up with this now when I reboot the device. Comes up with 1.0. Dealer authentication, system recovery version 1.1, 1.2, 3.1. And it's actually boot looped at the moment, because I'm actually trying to overload, I'm trying to run four different system recovery images at once. And that was actually the genuine problem. All I had to do was remove two of them, and the ultimate solution was dealerauth.txt. And that would actually get us to this stage, which bypasses that dealer page. So yeah, farmers can use that to bypass that page in the field. Yeah, that's it.
So on your dealer authentication bypass, you just put a text file. So that's dealerauth.txt. You can literally do it with your phone. You can use an OTG cable. You can do it out in the field. You just chuck it on there. That's literally if you boot the device 10 times in a row and it doesn't, I don't want to do it right now, because I want to be able to use this. But if you reboot it 10 times, you'll get stuck at that page, and then you get that reboot thing. And it's just magic, you know? Just like, yeah. So then it starts to reinstall. It starts to fix itself. Yeah, I don't have to go for a 10-day walk to Bangkok. Then it comes here. So we've got the full, yeah. We've got it back to the EULA. And I'll talk about my EULA in a little bit as well. So yeah, that fully worked.

And then we've got logs. It sent logs back to the USB stick that I plugged in. In fact, it sent back 1.6 gigabytes of logs. So it was actually logs, like, full, you know, they would just go, like, cd / and go find and get massive lists of all the files that are in there. You know, connected devices, all of the system logs, lol. Just literally everything. And then I had the shell back. I had the shell. I could come back in, RS232 straight in.

So what we're looking at here is the fstab. I thought to myself, okay, so why would I want to edit the fstab? Okay, I want to be able to edit this stuff now. So I want to modify the device that I've got. This is my device. I own it. It's my tractor, allegedly. And I want to edit it, you know? So what do I want to do? I want to change everything to read-write. So obviously, read-only disks, you can't muck around with them. So I took the disk off again, and I want to root the device now. You know, I want to root it. So these are just connected stuff on a whitelist of devices: EEPROM, which I've actually got a little bit of information about shortly. That actually contains the serial number.
And I'll tell you a little trick about that soon. But yeah, we've got a couple of things here. You know, we've got the real-time clock, your I2C, you've got the video and two frame buffers, because you've got two different types of, you know, kind of extended displays, excuse me. Then you've got this one here, read-write. So the SSH keys must be generated while the unit is in read-write mode. So an easy way to do this is to start and stop the SSH daemon. So this is in the John Deere proprietary code, allegedly. And the SSH keys have to be done in read-write. So how do we get to read-write mode? I'm thinking, okay, so I have to generate fstab. No, the only way you do it is you just do mount -o remount,rw /. And that's it. You're in read-write mode.

So I thought to myself, well, every time you take that disk off the board, right, it gets damaged. It gets, like, heat. You bring it up to 450 degrees or 400 or whatever, and then you take it off, and you get scratches everywhere, like I did, if you're a novice like myself. But if you go on the back of the board, you could hook up your pins there and get MMC, and that's actually wrong, and someone will point out, they're actually back to front, the two ones. And this didn't work, by the way. This is continuous failures, okay? Continuous failures. And that's kind of what I'm trying to get at: you just got to keep going. You just got to keep going and just never give up. So yeah, the boot count failed, no, no, no, no, boot count failed, obviously. But we bypassed that when we rebooted it. We re-flashed the device through that dealer, blah, blah, blah. And we got to the stage where we've got this little thing now where I can actually modify it. And what I did, I'll show you in a sec, there's actually a command in there that I found when I was looking at the OS called reboot clear boot count. So I can actually reset that 10 every time now. So I've set it up now.
So every time that it reboots, it re-clears the counter. So I don't have to worry about the reboot counter anymore. So that's quite significant. And this is what happens when you don't solder it on properly. You can actually get these second hand from Alibaba, because these chips are end of life as well. But you can actually get these chips, yeah, just chopped straight out of a real board. They're actually end of life. So you literally can't buy them anywhere else except for these places or second hand. And usually the second hand ones have data on them. So, and sometimes you've got to improvise. This is actually a hot plate, a PCB hot plate that you can make from an iron. It's actually quite dangerous, but it gets the job done. This isn't mine. It's a guy that I was working with in Eastern Europe. So he's got this one.

So yeah. So this is what happens when you muck around with libSDL, and there might be a giveaway for what's happening soon. But yeah, that's what happens when you muck around with some of the graphics stuff, and I'll get into the graphics stuff shortly and why that happens. But what I did was I added some specific thing to the cron jobs when I was playing with it, so that when it was rebooted, it would actually do this. And we get a terminal every two minutes. So we put a cron job in, and we get a root terminal every two minutes. It's actually rude.

So in addition, there were actually a lot of binaries missing, something. And okay, so, you know, when you tab-tab and it's like, display 1000-something more combinations. I'm like, okay, there are extra ones. So I built a script that just gets all the extra parts, and lo and behold, there's an extra 40 binaries. So what would be in those binaries? Some really cool ones like chroot, and the reset boot count was in there as well, just the extra binaries. All the good ones, you know, all the good ones. So what I thought is, now that I've got this SDL from, I didn't know what the problem was at the time.
I thought, okay, let's re-flash the device back to the semi-factory state, change the root password, add login over SSH, read-write the disk, add a terminal like I just did, fix some udev rules. And this sounds like a lot of work, and it actually was, and it didn't work, but I'll tell you about that shortly. This is what happens when you try and change the root password. There are actually checksums there in the bottom right. You won't be able to read it, size 2 font, but it says checksums, and they just checksum all of the different passwords. And I'm like, okay, well, I don't want to backtrack on someone else's brain fart and try and figure out all these checksum mechanisms. I'd rather just change the root password. And you can just remove the password from, I think it's /etc/shadow, /etc/passwd, and just remove it, and then it just logs in automatically. But John Deere had something in there that defeated that. So then we've got the fstab. So I actually edited the fstab and, would you believe it, it didn't work, because it was checksummed.

And this was the jailbreak that I used. It was just a root terminal every two minutes. I changed it, I put flock in front of it later. If you know what flock does, it puts a file lock on it, so you can have one instead of having, like, because this would produce 50 terminals in a row, and they just kept coming up, and then you have to go and exit them all. And it's a touchscreen as well. So it's quite, it's not fun after all, but yeah. So I added that onto just one of the cron jobs that were already there, because I knew it was gonna execute. You know, you've got to go with the tools you've got. Worked out that they've actually blacklisted a couple of things, like, not the wifi, but Ethernet cables that are not internet, that are not wifi related, because I wanted to use an Ethernet cable without wifi, you know, plug it in and actually hook up to it and connect it to my computer.
Because I don't want John, I don't want to connect to the WiFi and have John Deere actually see that I'm connecting, by the way, from Thailand, because it wouldn't be hard to work it out. So I didn't actually need to change the udev rules in the end. There were a couple of little administrative control PINs. 111 was one of them. So this was in a DB that was in there. And this is actually the code that unlocks the stolen device. So that's one of the negatives of having access to the unencrypted disk, which is not encrypted, by the way. You could just read the PIN.

I thought, why don't I, I want to emulate this now. I want to emulate this device. I want to have a crack at emulating it. You know, John Deere is going to love that. So this is me pulling the, adding the John Deere packages to my own Fedora. So I added, I just added Fedora, Raspberry Pi, same architecture, same, close enough. And added John Deere's repo. They'll probably see my IP, but it's behind a VPN anyway, guys. So it's all good. Thought, okay, well, let's try and emulate it. You know, QEMU, and get it started. You know, i.MX6. Saw this package, had a crack at it myself, couldn't get it to work. So I found this actually random project; it would get you to boot, it would actually boot an i.MX6. And with the same sort of boot output, and that's the beauty of GitHub, is these random projects with, like, what, 24 stars or just, you know, three forks, it's a tiny project. Exactly what I needed. And shout out to Ryzen Lover. I also love Ryzens. But yeah, this actually didn't work. And I started to mix and match the, like I was like, oh, maybe it works with QEMU. And QEMU 32-bit versus 64-bit, and ended up getting kernel panics. So it actually led to getting a CVE out of it. So I was like, oh yeah, sweet. But I sent that through to the QEMU project. And they were like, we don't consider this a CVE because it's in the TCG component. I go, okay, this is, it was, because I said, the email was from Red Hat, right?
I said, I don't think you understand that QEMU is not a Red Hat project. It might be covered by Red Hat engineers, but it's not actually owned by Red Hat. And I think NIST or MITRE would have a different opinion about what you could classify as a CVE versus MITRE, et cetera. So, well, the general community does. So yeah, so that actually went through. But yeah, the secure password hash, that didn't work either. Yeah, this is just farting around in the system. Just some random code that they have there.

And I thought, okay, well, if we can't emulate it, this is crashing the PC. Why don't I just try and get a dev board and do it? So dev boards are really helpful as well. You can get most dev boards for most architectures, like usually like 50 to 100 bucks. This is like 99 or something like that. And low-key, it didn't work. So yeah, the reason why it didn't work is because these devices, you know, it's iOS CD right now. I'll get stuck on this one, but it's iOS CD. It's got all these different connectors. You can do all these different extra stuff that you can't do with a real i.MX6. But the reason that it wasn't working was because it doesn't support graphics on the small version that I got.

But what I want to talk about now is the stuff that, I don't know if anyone's dealt with NXP before, but they have this strange tendency to extrapolate. That's just me hooking up serial to it. But yeah, and it worked as well. By the way, it booted up perfectly naturally. And there's this weird thing, and this will come into what I'm just about to say, the Universal Update Utility, UUU. And this is where NXP is on the abstraction and computer graph. Right up the end, because everything they do does not make much sense, actually, from what I've tried to understand. And like, for example, this is a universal utility. It only works on Linux and Windows. And it, yeah, it just doesn't work properly, yeah. So you need Windows 7, and you need to use WinUSB.
And Windows 10, when you install the drivers automatically, and no information about Linux, but this is apparently universal. So that's just what I found with the NXP system, or I would say the word would be atmosphere. Oh, what's the word for environment? It worked, but yeah, no graphics on the i.MX6 UltraLite. And I'll tell you why. This is the Qt mailing list. Welcome to the hell that is 3D and Qt. And the reason, one of the reasons why in 2017 the Qt Company went into a non-GPL-style model, which I'm sure most people are aware of, is apparently because they could make more money in the short term by locking in John Deere and others into subscription models. So I'm not sure if anyone's blood is boiling at the moment, but I was quite surprised to read that, because I thought Qt just naturally went into a subscription-based model. And of course, John Deere was apparently, allegedly, involved with some of that. And the reason was that they could get tractor animations in 3D. That's literally, yeah, the reason why, one of the reasons why Qt went private, per se.

So another guy I was speaking to, well, I couldn't get onto him actually, but he runs the iMX6 Rex project, Robert Feranec. Feranec, yeah, he's a cool guy. I think he does. He's an Altium hero. But yeah, he's an awesome YouTuber and he covers all sorts of, like, stuff that's fancy. But I didn't actually know, but he actually started a project called iMX6Rex.com or something like that. And he actually had one there. I thought, hang on, let's just pump the brakes here, because we're going a bit off topic: why don't I just put the freaking thing back on the board and try and root it? Because all this emulation and dev board stuff, I was barking up the wrong tree, nothing was working. And I've got a perfectly good device here. Why don't I play with that? So if you have a look right there, see the little eight-legged thing next to the chip that's supposed to be there? That's the EEPROM. And it's actually an STMicroelectronics EEPROM.
And that's what it looks like when you hook it up to a little dev board. Don't worry about those labels, this is just me, like, I guess the word is, just YOLOing it. When you run out of things, you just hook it up to whatever you've got. And that's kind of what hardware hacking's all about. It's just like picking up stuff that you've got and just, like, using staples sometimes and, like, you know, cutting wires out of remotes instead of, you know, just chopping up shit in the house. This is what the pinout looks like, and they use all these weird characters. But anyway, I found this really cool project by this guy, really tiny project, but it actually lets you read from that EEPROM. Don't worry about that, it's just that was me working on that thing. But yeah, it's not manually read out each line of memory, and worked out that it actually reads out the serial number. But actually just realized that if you boot the device and just cat /dev/eeprom, it actually gives you that as well. So I just did this for no reason.

So, time to chuck it back on the board. You get a root terminal. This is the home stretch, by the way, we're almost done. It might go on overtime or under time. Yeah, that's right. So yeah, the root terminal's sufficient, and now it's time to read trivially, remount the OS root partition, get rid of that fstab stuff, make sure it's not checksum-changed, all this crap that they've put in there to make it difficult to fuck with. We just want a root terminal. So that's what it looks like when it's nice and just rooted. That's the John Deere, and it should be rooted right now. Yeah, there's a rooted John Deere right there. It's jailbroken: you can edit files, you can remount, you can delete stuff, you can accidentally delete everything. You can add stuff from USB, you can, like, add, you can plug WiFi in as well, you can do anything with it. That's a full-blown Linux computer. It's a beauty. John Deere doesn't like it, though.
So yeah, you're root as well, by the way. So everything's running as root, which is even better. Yeah, Wind River 8, kernel 4.1, 0.2 ones, probably one of the long-term ones. Hasn't been updated for a while. I think that's local time, 2022 UTC, but actually notice, actually John Deere was using, I don't know if this is common or something, but they were using whatever time it was, Central Standard Time, for all the things, so everything in the office would actually be the same time as what was in the field. So yeah, this is actually, that's a rooted John Deere. That's the flagship display, by the way, look here. Just showing John Deere for one moment.

So how do we exploit this? How do we get this done without taking off the board? Like, how do I get this done repeatedly? Repeatedly. Well, you can just build a little clip that just goes in the back and touches those pins that I showed you earlier, and it'll just jailbreak it for you. You can actually just jailbreak it without even using USB, because USB, when you think about it, is just plus, negative, or VCC and ground, which is the same thing in some cases. And then you've got D+ and D-. That's all you've got in the USB stick. You've still got the four little things in there, right? Well, this is five pins. We're not coming in every port. We're going in over the back of the chips. You just have to take it off the board. Same thing is touching it on the board, but, you know, is there a difference between coming in with a USB exploit versus just clipping it on with a pogo-pin connecting thing on the back of the board? And that's what those little things look like. So you can get these little PCBs that you can print out and just get them, like, you know, toggled onto the board. And that's what it looks like hooked up to one of their terminals that they've got on the board. There's JTAG there, but I think it was off.
I didn't actually go too hard into it because I've had bad experiences with that many pins and that many pads. When you hook that up there, you actually get this weird bootloader terminal. It's not U-Boot or anything. It's just some weird diagnostic thing, but yeah, there's not much exciting stuff in there. But it lets you know that the device is alive. So these are cool little devices you can get. They're not devices. They're like expansion packs, I guess. So that chip that I showed you earlier, we're not gonna go back to it, but it's 100 balls. I think the one that's flipped over actually has 100 balls, but the third one across, eMMC 153, that's actually found in most mobile phones and literally, like, every device in the current brand of devices. You know, some older Androids have the top-left one. And as you can see, the buses on the... Whereas if you go to the second one and see the bottom, it's got D0, ground, clock, VCC and command. So you only need those one, two, three, four, five pins to connect to the device. And that's where that would come into play if I was doing that to exploit it. I'm actually working on that low-key, so don't tell John Deere, though.

Yeah, it accepts this WiFi stick. We've got just, like, the stock standard WN-whatever-it-is-725N. It's, like, literally everywhere. You've probably got one in your pocket. I think I know it as well. But yeah, that actually starts wireless. People were telling me while I was making it that there's no wireless. All the wireless is off. And I'm like, until you actually try it and put a wireless thing in there and look at the wireless settings, it actually does have wireless. So believe it or not, don't believe what people tell you as well sometimes. Maybe I've told you something that's wrong. But just go with your gut. So that was a fail because it wouldn't help.
But what I did find out as well, by the way, is over the automotive Ethernet bus, which I haven't gone into, it actually starts a server on there, but that's just the same as if you were doing it via WiFi. So I'll wrap this up in a few minutes here, but these are some of the cool commands. We've got reset boot count, reprogram config. By the way, this is a $7,000 display, and there's like 20 grand worth of licenses when you get it running, but you can just reprogram it now yourself. So we've got candump. We can play with some of the CAN bus addresses. You know, you can edit the config, you can dump all the CAN coming in, you can send CAN messages, you can sequence CAN messages, and some grand finale stuff.

So I want to show you a little bit of a demo. So this is what happens: you remount, re-root. Let me just make sure, I won't say. Yeah, sorry, I don't think I'm all right. So mount -o remount, whatever, and then bang, you've got read-write. Actually, what I found out as well is if you unplug the display, it boots up with a black screen, but X is actually still running, so the terminal still pops up that I had there earlier, but it comes up without the beautiful green and yellow window manager by John Deere. And that's the jailbreak. It's literally just added a terminal to pop up every two minutes, and then set it to remount. And the only way you know that, though, is if you pulled the disk off and had a look at it and edited it. There's a demo video there and I'm about to show you the demo video. So can you tick what we got? Might have just spoiled it. That's, oh yeah, here we go. How do you get F11? What the fuck? Windows shit. Double-click, right? No, there we go. Yeah, this is a little demo. I don't think there's sound. There's like party music in the background because I just, yeah, a bit of suspense, so. So chroot was one of those commands that was beautifully in the extra parts, and you'll see what happens in a moment.
So that's actually Tractor Edition Doom. So you can actually mow corn. It was a bit of overkill, but we thought we'd have a crack at it, but it was actually a lady in New Zealand that helped me design this mod, because we, yeah, you can actually mow corn. It counts as a health bonus, and this one I think is an armor bonus corn, so yeah, the other one was wheat, whatever. But yeah, you can hunt down the pinkies, the demons, little piglets. But they're demon piglets, so don't worry about it. But yeah, we spent a bit of time on this one. Her name's Skelligant and she's a mad Doom otter. But yeah, that's Doom on the farm. So yeah, it's actually epic. So that's on a John Deere. That's John Deere Doom on a John Deere tractor display. So yeah.

And I think that was it. Yeah, that was the original mod that we were gonna use. And let me just see if I can full-screen this. I'm not even gonna try. Oh, there we go. Yeah, that was the original one that we were gonna use, but it wouldn't run on non-GPU-accelerated hardware, because that's GZDoom. And for any Doom people out there, they'll know the difference between GZDoom, Chocolate Doom, LZDoom, QZDoom, whatever it is. And there's just so many different types of Dooms, but the one that actually worked on this one, you can come and play it, by the way, as well, if you wanna come play it after. Yeah, Chocolate Doom worked. And this one edited it, but I actually hadn't asked if I could edit it. And then there's, you know, Doom's a bit, you know, like you wanna keep the spirit of the mod, the WAD file they're called, but it wouldn't run without GZDoom. And then, yeah, I reached out to Skelligant, her name is. She's a cool chick from New Zealand. And she, yeah, helped me make that awesome demo that I just showed you. Big thanks to her. Gussie Tech Brazil, last person. Alex Tsikenguru, I'm not gonna comment who he is. Kevin Kenney, Johannes from Agri GPS, Vlad Alex, Maro Dudas, Alex, Alex, Joe Grand, what's his name?
Paul Roberts from Security Ledger, and I think he's one of the both. Karl Wiens, Karl Wiens, big ups, special ups. Thanks.