Pwning the 44Con Nerf Tank
Why the hell?
Interesting technology
Unusual protocols in use
Shows basics of reverse engineering and
hardware hacking
IT’S A FRIGGING NERF TANK!!!!
We could only get one device
No destructive testing
Could we reverse it from the air?
We needed a plan…
Initial work – RF investigation
Took one USRP and GNU Radio
And sniffed
And we got…
Taking it Apart
We disassembled the device and assessed the hardware components
And we found….
External Memory
A Blob on Board
The Firmware
Analysis of the firmware was not required for reverse engineering
Used the full 32-bit ARM instruction set
Can be easily identified by looking at a hexdump
Identifying Thumb
All instructions are 16-bit (halfword) aligned
PUSH {…, LR} instructions have 0xB5 as their second byte (the halfword 0xB5xx stored little-endian, so the bytes read xx B5)
POP {…, PC} instructions have 0xBD as their second byte (xx BD)
A POP and a PUSH will likely be found back-to-back: the POP {…, PC} that ends one function is followed by the PUSH {…, LR} that opens the next
BL instructions with a short backward offset start with the bytes 0xFF 0xF7 (first halfword 0xF7FF)
BX LR is encoded as 0x4770, i.e. the bytes 0x70 0x47
These are helpful for quickly determining whether a block of code is likely to be Thumb
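Added example, not code from the talk: a scanner that applies the byte patterns above to a blob. It assumes little-endian memory (each halfword appears low byte first), tries both byte alignments in case the dump starts mid-instruction, and treats a POP {…, PC} immediately followed by a PUSH {…, LR} as a function boundary. The sample bytes are hand-assembled Thumb constructed for this example, and the thresholds in is_likely_thumb are my own choice.

```python
# Added example: Thumb marker scan over a raw blob (little-endian halfwords assumed).
from collections import Counter
from typing import List, Optional, Tuple


def classify_halfword(hw: int) -> Optional[str]:
    """Name the marker a 16-bit halfword represents, or None."""
    if hw & 0xFF00 == 0xB500:
        return "push_lr"      # PUSH {..., LR}   -> bytes xx B5
    if hw & 0xFF00 == 0xBD00:
        return "pop_pc"       # POP {..., PC}    -> bytes xx BD
    if hw == 0x4770:
        return "bx_lr"        # BX LR            -> bytes 70 47
    if hw == 0xF7FF:
        return "bl_back"      # first halfword of a short backward BL -> bytes FF F7
    return None


def scan_thumb_markers(blob: bytes, phase: int = 0) -> Tuple[Counter, List[int]]:
    """Walk the blob at halfword alignment starting at byte `phase` (0 or 1).
    Returns marker counts and the offsets where a POP {pc} is immediately
    followed by a PUSH {lr}: the back-to-back pattern at a function boundary."""
    hits: Counter = Counter()
    boundaries: List[int] = []
    prev = None
    for off in range(phase, len(blob) - 1, 2):
        hw = blob[off] | (blob[off + 1] << 8)
        kind = classify_halfword(hw)
        if kind:
            hits[kind] += 1
            if prev == "pop_pc" and kind == "push_lr":
                boundaries.append(off)
        prev = kind
    return hits, boundaries


def best_phase(blob: bytes):
    """A dump that starts mid-instruction is off by one byte; try both
    alignments and keep the one that yields more markers."""
    results = [(phase,) + scan_thumb_markers(blob, phase) for phase in (0, 1)]
    return max(results, key=lambda r: sum(r[1].values()))


def is_likely_thumb(blob: bytes, min_markers: int = 4) -> bool:
    # Thresholds are this example's choice, not from the talk.
    _, hits, boundaries = best_phase(blob)
    return sum(hits.values()) >= min_markers and len(boundaries) >= 1


# Constructed sample: two tiny Thumb functions plus a bare BX LR.
SAMPLE_THUMB = bytes.fromhex(
    "10b5" "0020" "10bd"        # push {r4, lr}; movs r0, #0; pop {r4, pc}
    "10b5" "fff7faff" "10bd"    # push {r4, lr}; bl <12 bytes back>; pop {r4, pc}
    "7047"                      # bx lr
)
```

Run scan_thumb_markers on a suspected code region and on a region you know is data (strings, tables); the marker density of real Thumb code stands out clearly against the near-zero count from data, and a single stray "pG" in ASCII (0x70 0x47) will not tip the result on its own.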
The Module – Logic Analysis
Wires connected to each pin on the module
Communication analysed from start up
SPI communication found
The Module – SPI Communication
Five sets of commands found:
• Register write commands, addresses 0x00 – 0x3f
• Register read commands, the same addresses with the read bit 0x40 set
• One-byte commands, with 0x80 always set
• Writes to a separate data register at 0x05
• Reads from that register at 0x45 (0x05 with the read bit set)
Decoding these commands allowed us to present the data in a readable format
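Added example, not the talk's code: a decoder that turns a logic-analyser capture into the readable form described here, using only the command classes on the slide. It assumes the capture has already been split into one (MOSI, MISO) byte pair per chip-select assertion, and that the first MOSI byte is the command; the sample transactions are constructed.

```python
# Added example: classify captured SPI transactions by command byte.
from dataclasses import dataclass
from typing import List, Tuple

READ_BIT = 0x40      # set on register reads (0x00-0x3f | 0x40)
STROBE_BIT = 0x80    # set on the one-byte commands
ADDR_MASK = 0x3F     # six-bit register address
DATA_REG = 0x05      # the register written at 0x05 and read at 0x45


@dataclass
class SpiCommand:
    kind: str          # "strobe", "write" or "read"
    address: int       # register address, or the whole byte for a strobe
    data: bytes        # bytes after the command byte: MOSI for writes, MISO for reads


def decode_transaction(mosi: bytes, miso: bytes) -> SpiCommand:
    """Classify one chip-select-framed transaction."""
    if not mosi:
        raise ValueError("empty transaction")
    cmd = mosi[0]
    if cmd & STROBE_BIT:
        return SpiCommand("strobe", cmd, b"")
    addr = cmd & ADDR_MASK
    if cmd & READ_BIT:
        # on a read the interesting bytes are what the module drove on MISO
        return SpiCommand("read", addr, bytes(miso[1:]))
    return SpiCommand("write", addr, bytes(mosi[1:]))


def decode_capture(transactions: List[Tuple[bytes, bytes]]) -> List[SpiCommand]:
    return [decode_transaction(mosi, miso) for mosi, miso in transactions]


def format_command(c: SpiCommand) -> str:
    """One readable line per command, marking traffic to the data register."""
    if c.kind == "strobe":
        return f"STROBE 0x{c.address:02x}"
    tag = "DATA-" if c.address == DATA_REG else "REG-"
    return f"{tag}{c.kind.upper():5} 0x{c.address:02x} {c.data.hex(' ')}"


def data_reads(commands: List[SpiCommand]) -> List[bytes]:
    """The filtered view used to follow received data: payload of every 0x45 read."""
    return [c.data for c in commands if c.kind == "read" and c.address == DATA_REG]


# Constructed capture: (MOSI, MISO) bytes for each chip-select assertion.
SAMPLE_CAPTURE = [
    (b"\x00\x00", b"\xff\xff"),                   # write register 0x00 <- 0x00
    (b"\x80", b"\xff"),                           # one-byte command 0x80
    (b"\x45\x00\x00\x00", b"\xff\x00\xde\xad"),   # read 3 bytes from 0x45
    (b"\x05\xde\xad", b"\xff\xff\xff"),           # write 2 bytes to 0x05
    (b"\x41\x00", b"\xff\x3a"),                   # read register 0x01 -> 0x3a
]
```

Feeding the whole start-up capture through decode_capture gives the register writes and strobes that a replay later has to reproduce in order, while data_reads isolates the received payloads for the next step.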
Analysing The Data - Receiving
Filtering for the read commands allowed us to view all received data
This showed an incrementing value at the start of each frame which reset, allowing us to see the start and end of each data payload
Frames can be stitched together, allowing for analysis of each payload in turn
The header of the payload should be assessed first, as this will contain the most relevant data
Analysing Data Without a Discernible Header
Looks like seemingly random data
This could mean it is encrypted or compressed
A compressed payload will still contain some non-random data, such as a format header (e.g. the gzip or zlib magic bytes); properly encrypted data looks uniformly random throughout
If this data were encrypted, it would require assessment of the firmware:
Search the firmware for values relevant to the packet, such as a fixed packet size
Look for the standard constants or tables used by encryption algorithms, such as the AES S-box
Search the binary for XOR instructions inside a loop, i.e. an XOR followed by a branch back to an earlier point in the subroutine
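Added example, not the talk's code: the three firmware searches above as a small script. It looks for the first 16 bytes of the AES S-box and inverse S-box, for a packet constant either as a little-endian 32-bit word (literal pool) or as a Thumb MOVS Rd,#imm8, and for a Thumb EORS Rd,Rm followed within a few halfwords by a branch back to or before it. The firmware fragment is constructed for this example; the Thumb encodings used (EORS 0x4040-0x407F, B<cond> 0xD0xx-0xDDxx, B 0xE000-0xE7FF, MOVS 0x20xx-0x27xx, PC = address + 4) are the ARMv4T/v6-M 16-bit forms.

```python
# Added example: crypto-constant, packet-constant and XOR-loop search in a Thumb blob.
import struct
from typing import Dict, List, Optional

# Leading 16 bytes of well-known tables; a hit usually means the whole table follows.
KNOWN_TABLES: Dict[str, bytes] = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
}


def _find_all(blob: bytes, needle: bytes) -> List[int]:
    offs, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        offs.append(i)
        start = i + 1
    return offs


def find_tables(blob: bytes) -> Dict[str, List[int]]:
    """Offsets of every known constant table present in the blob."""
    found = {name: _find_all(blob, prefix) for name, prefix in KNOWN_TABLES.items()}
    return {name: offs for name, offs in found.items() if offs}


def find_constant(blob: bytes, value: int) -> Dict[str, List[int]]:
    """Where a packet-related constant (e.g. a fixed frame size) appears: as a
    32-bit little-endian word, or as the immediate of a Thumb MOVS Rd,#imm8."""
    hits: Dict[str, List[int]] = {"word": [], "movs": []}
    if value < 1 << 32:
        hits["word"] = _find_all(blob, struct.pack("<I", value))
    if value < 0x100:
        for off in range(0, len(blob) - 1, 2):
            hw = blob[off] | (blob[off + 1] << 8)
            if hw & 0xF800 == 0x2000 and hw & 0xFF == value:   # MOVS Rd, #imm8
                hits["movs"].append(off)
    return hits


def branch_target(off: int, hw: int) -> Optional[int]:
    """Target of a Thumb B<cond> (0xD0xx-0xDDxx) or B (0xE000-0xE7FF) at `off`,
    else None. The Thumb PC reads as the instruction address + 4."""
    if 0xD000 <= hw <= 0xDDFF:
        imm = hw & 0xFF
        imm -= 0x100 if imm & 0x80 else 0
        return off + 4 + imm * 2
    if 0xE000 <= hw <= 0xE7FF:
        imm = hw & 0x7FF
        imm -= 0x800 if imm & 0x400 else 0
        return off + 4 + imm * 2
    return None


def find_xor_loops(blob: bytes, window: int = 16) -> List[int]:
    """Offsets of EORS Rd,Rm (0x4040-0x407F) followed within `window` halfwords
    by a branch back to or before the EOR: the shape of a cipher or checksum round."""
    loops = []
    for off in range(0, len(blob) - 1, 2):
        hw = blob[off] | (blob[off + 1] << 8)
        if not 0x4040 <= hw <= 0x407F:
            continue
        for look in range(off + 2, min(off + 2 + window * 2, len(blob) - 1), 2):
            nxt = blob[look] | (blob[look + 1] << 8)
            tgt = branch_target(look, nxt)
            if tgt is not None and tgt <= off:
                loops.append(off)
                break
    return loops


# Constructed firmware fragment: S-box row 0 at offset 8, then at offset 32
# movs r3,#0x20 / eors r0,r1 / subs r2,#1 / bne <eors>, then a literal 0x120.
SAMPLE_FW = (
    b"\x00" * 8
    + KNOWN_TABLES["AES S-box"]
    + b"\x00" * 8
    + bytes.fromhex("2023" "4840" "013a" "fcd1")
    + b"\x00\x00"
    + struct.pack("<I", 0x120)
)
```

A table hit narrows the cipher down immediately; an XOR loop without any known table is the cue to look at the surrounding subroutine by hand, since a home-grown scrambler or a checksum looks the same at this level.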
Analysing The Data – Receiving
We found a header which looked like:
• A 32-bit value denoting the full size of the payload
• A 32-bit CRC for error checking
• A 32-bit value providing the number of blocks the payload was separated into
• And finally a JPEG header
Analysing The Data – Receiving
Now we have JPEG images to be viewed
Tiny: 240x180px resolution
A large number of the packets were found to be corrupted
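Added example, not the talk's code, covering the two receiving steps above: stitching frames back into payloads using the counter at the start of each frame, then checking the header so that corrupted packets are flagged instead of producing broken pictures. Assumed here: a one-byte counter that restarts for each new payload, a little-endian header, a size field that covers only the JPEG body, and CRC-32 (the zlib polynomial) over that body; the talk only says "32-bit CRC". The frames are constructed with build_frames for the test.

```python
# Added example: frame reassembly and header validation for the received images.
import struct
import zlib
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = struct.Struct("<III")      # size, crc, block count (little-endian assumed)
JPEG_SOI = b"\xff\xd8\xff"          # start of a JPEG header


@dataclass
class Payload:
    frames: List[bytes]
    data: bytes                      # frame bodies joined, counters stripped

    @property
    def blocks(self) -> int:
        return len(self.frames)


def _close(current: List[bytes]) -> Payload:
    return Payload(current, b"".join(f[1:] for f in current))


def stitch_frames(frames: List[bytes]) -> List[Payload]:
    """Group frames into payloads. A counter that does not continue the previous
    one starts a new payload; a dropped frame therefore splits its image into two
    payloads, both of which fail the checks below rather than passing silently."""
    payloads: List[Payload] = []
    current: List[bytes] = []
    prev: Optional[int] = None
    for frame in frames:
        if not frame:
            continue
        seq = frame[0]
        if current and seq != (prev + 1) & 0xFF:
            payloads.append(_close(current))
            current = []
        current.append(frame)
        prev = seq
    if current:
        payloads.append(_close(current))
    return payloads


@dataclass
class Image:
    size: int
    crc: int
    blocks: int
    jpeg: bytes
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_payload(p: Payload) -> Image:
    """Split header from body and run every check the header allows."""
    if len(p.data) < HEADER.size:
        return Image(0, 0, 0, b"", ["payload shorter than header"])
    size, crc, blocks = HEADER.unpack_from(p.data)
    body = p.data[HEADER.size:]
    img = Image(size, crc, blocks, body)
    if len(body) != size:
        img.errors.append(f"size field {size} != {len(body)} bytes received")
    if blocks != p.blocks:
        img.errors.append(f"block count {blocks} != {p.blocks} frames stitched")
    if not body.startswith(JPEG_SOI):
        img.errors.append("body does not start with a JPEG SOI marker")
    if zlib.crc32(body) != crc:            # CRC-32 over the body is an assumption
        img.errors.append("CRC mismatch")
    return img


def extract_images(frames: List[bytes]) -> List[Image]:
    return [parse_payload(p) for p in stitch_frames(frames)]


def build_frames(jpeg: bytes, chunk: int) -> List[bytes]:
    """Construct the frames the tank would send for one image (test data only)."""
    blocks = -(-(HEADER.size + len(jpeg)) // chunk)
    data = HEADER.pack(len(jpeg), zlib.crc32(jpeg), blocks) + jpeg
    return [bytes([i]) + data[i * chunk:(i + 1) * chunk] for i in range(blocks)]


# Constructed stand-in for a tiny JPEG: SOI/APP0 prefix, filler bytes, EOI marker.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(40)) + b"\xff\xd9"
GOOD_FRAMES = build_frames(SAMPLE_JPEG, 16)
BAD_FRAMES = list(GOOD_FRAMES)   # same image with one byte of frame 2 flipped
BAD_FRAMES[2] = BAD_FRAMES[2][:5] + bytes([BAD_FRAMES[2][5] ^ 0xFF]) + BAD_FRAMES[2][6:]
```

If the real CRC turns out not to be zlib's, the size and block-count checks still catch truncated and mis-stitched payloads, and the images that pass those but fail the CRC are exactly the ones to use when trying other CRC-32 parameter sets.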
Analysing The Data - Sending
Controller data was simpler and fitted in one frame
Followed standard practice for controllers:
• 8-bit values used for the analogue controls, with the neutral value being 0x80
• Single bits set and unset for the buttons
A single-byte checksum used for data integrity, consisting of the sum of all control values (truncated to 8 bits)
Analysing The Data – Sending
The two analogue controls were the speed settings for the two tank treads
The tank crashed when the tread speeds were changed rapidly
Controls were only sent when requested by the tank:
• the request came every 22nd frame
• signalled by a bit set in that frame
Analysing The Data – Sending
0x80 was the neutral speed of the treads
0x30 was reverse
0xd0 was forward
0xff was TURBO
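Added example, not the talk's code: building and verifying controller frames with the values above, answering only when the tank asks, and ramping speed changes. Assumed here: a frame layout of [left, right, buttons, checksum]; the request bit being bit 0 of the first byte the tank sends; the button bit assignment; and the ramp step, which is my own mitigation for the crash seen when the tread speed changed abruptly. The tank traffic in simulate is constructed.

```python
# Added example: control-frame encoding, request-driven sending and speed ramping.
from typing import List, Optional

NEUTRAL, REVERSE, FORWARD, TURBO = 0x80, 0x30, 0xD0, 0xFF   # tread values from the talk
BTN_FIRE = 0x01        # button bit assignment: assumption
REQUEST_BIT = 0x01     # bit the tank sets when it wants controls: position assumed
MAX_STEP = 0x20        # largest change in a tread value between two control frames


def checksum(values: bytes) -> int:
    """Single-byte checksum: the sum of all control values, truncated to 8 bits."""
    return sum(values) & 0xFF


def build_control_frame(left: int, right: int, buttons: int = 0) -> bytes:
    body = bytes([left & 0xFF, right & 0xFF, buttons & 0xFF])
    return body + bytes([checksum(body)])


def verify_control_frame(frame: bytes) -> bool:
    return len(frame) == 4 and checksum(frame[:3]) == frame[3]


def slew(current: int, target: int, step: int = MAX_STEP) -> int:
    """Move `current` towards `target` by at most `step`."""
    if target > current:
        return min(current + step, target)
    if target < current:
        return max(current - step, target)
    return current


class Controller:
    """Holds the operator's requested speeds and answers the tank's request bit
    with a checksummed frame, ramping rather than jumping to the new speed."""

    def __init__(self) -> None:
        self.left = self.right = NEUTRAL
        self.target_left = self.target_right = NEUTRAL
        self.buttons = 0
        self.frames_seen = 0
        self.frames_sent = 0

    def drive(self, left: int, right: int, buttons: int = 0) -> None:
        self.target_left, self.target_right, self.buttons = left, right, buttons

    def on_tank_frame(self, frame: bytes) -> Optional[bytes]:
        """Called for every frame received from the tank; returns the control
        frame to transmit, or None when the tank did not ask for one."""
        self.frames_seen += 1
        if not frame or not frame[0] & REQUEST_BIT:
            return None
        self.left = slew(self.left, self.target_left)
        self.right = slew(self.right, self.target_right)
        self.frames_sent += 1
        return build_control_frame(self.left, self.right, self.buttons)


def simulate(controller: Controller, n_frames: int, period: int = 22) -> List[bytes]:
    """Constructed tank traffic: the request bit is set in every `period`-th frame."""
    out = []
    for i in range(n_frames):
        tank_frame = b"\x01" if i % period == period - 1 else b"\x00"
        reply = controller.on_tank_frame(tank_frame)
        if reply is not None:
            out.append(reply)
    return out
```

With a request every 22nd frame, a jump from neutral to turbo takes four control frames at this step size; lower MAX_STEP if the tank still misbehaves, raise it if the response feels sluggish.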
Searching For The Module
Looked at the most common 2.4 GHz transceivers
The iRangeX multi-protocol RC module contains four common transceivers:
• Texas Instruments CC2500
• Nordic Semiconductor NRF24L01
• Cypress CYRF6936
• Amiccom A7105
Searching the datasheets for these modules revealed that the A7105 was the closest match
Searching For The Module
Replaying SPI commands from the logic analyser was inconsistent
Transceiver in use was very likely to be a “similar” chip in the same series
Datasheets were not the most useful:
• copy-and-pasted
• few differences between them
Finding the appropriate transceiver would be difficult
Searching For The Module
A large number of the transceivers were found not to be available to the general public
Datasheets were hard to find
We ended up cheating: we took the module from the legitimate controller
Hijacking The Tank
Choice of a Raspberry Pi or an STM32 development board
Raspberry Pi was too inflexible
An ST NUCLEO-L496ZG development board was used
• Fast
• Precise timings
Hijacking The Tank
STM32 boards are extremely easy to set up, with tools like STM32CubeMX allowing precise definition of what each pin does
Hijacking The Tank
Programmed the board to:
• replay the initialisation SPI commands
• send and receive the appropriate packets
The module starts in half-duplex SPI mode and has to be set to run in full duplex
Sent received images to the USB host and received controls back
Next step was through the browser…
Target Acquisition
Demo

08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Kürzlich hochgeladen (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Pwning the 44CON Nerf Tank

  • 1. Pwning the 44Con Nerf Tank
  • 2. Why the hell?
    Interesting technology
    Unusual protocols in use
    Shows basics of reverse engineering and hardware hacking
    IT'S A FRIGGING NERF TANK!!!!
  • 5. We could only get one device
    No destructive testing
    Could we reverse it from the air?
    We needed a plan…
    Initial work – RF investigation
  • 7. RF investigation
    Took one USRP and GNU Radio
    And sniffed
    And we got…
  • 10. Taking it Apart
    We disassembled the device and assessed the hardware components
    And we found…
    External memory
    A blob on board
  • 11. The Firmware
    Analysis of the firmware was not required for reverse engineering
    Used the full 32-bit ARM instruction set
    Can be easily identified by looking at a hexdump
  • 15. Identifying Thumb
    All operations are 16-bit aligned
    PUSH {…, LR} instructions use 0xB5 as their second byte (0xB4 when LR is not pushed)
    POP {…, PC} instructions use 0xBD as their second byte (0xBC when PC is not popped)
    POP and PUSH instructions will likely be found back-to-back: the return of one function is followed by the prologue of the next
    BL instructions are two halfwords, the first in 0xF000–0xF7FF and the second in 0xF800–0xFFFF; a short backward call shows up in the hexdump as 0xFF 0xF7 xx 0xFF
    BX LR is encoded as 0x70 0x47
    These are helpful for quickly determining whether a block of code is likely to be Thumb
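As an added illustration (not tooling from the talk), the following Python scores a firmware blob with the Thumb fingerprints listed above and, for contrast, the tell-tale of 32-bit ARM code: almost every instruction has the condition field AL, so the fourth byte of each aligned word starts with the nibble 0xE, which is what makes ARM obvious in a hexdump. The two sample blobs are hand-assembled fragments constructed for this demo, and the density thresholds in guess_isa are assumptions to be tuned against known firmware, not values from the talk.

```python
import struct

# Constructed sample inputs (hand-assembled, not taken from the tank firmware):
# a Thumb fragment with two tiny functions, and an ARM fragment doing the same job.
THUMB_SAMPLE = bytes([
    0x80, 0xB5,              # push {r7, lr}     -> 0xB580
    0x00, 0xAF,              # add  r7, sp, #0   -> 0xAF00
    0xFF, 0xF7, 0xFE, 0xFF,  # bl   .            -> 0xF7FF 0xFFFE (two halfwords)
    0x80, 0xBD,              # pop  {r7, pc}     -> 0xBD80
    0x10, 0xB5,              # push {r4, lr}     -> 0xB510
    0x04, 0x00,              # movs r4, r0       -> 0x0004
    0x10, 0xBD,              # pop  {r4, pc}     -> 0xBD10
    0x70, 0x47,              # bx   lr           -> 0x4770
])
ARM_SAMPLE = bytes([
    0x04, 0xE0, 0x2D, 0xE5,  # push {lr}  (str lr, [sp, #-4]!) -> 0xE52DE004
    0x00, 0x00, 0xA0, 0xE3,  # mov  r0, #0                    -> 0xE3A00000
    0x04, 0xF0, 0x9D, 0xE4,  # pop  {pc}  (ldr pc, [sp], #4)  -> 0xE49DF004
    0x1E, 0xFF, 0x2F, 0xE1,  # bx   lr                        -> 0xE12FFF1E
])


def thumb_markers(blob: bytes) -> dict:
    """Count the Thumb fingerprints from the slide over 16-bit aligned halfwords."""
    hw = [struct.unpack_from("<H", blob, i)[0] for i in range(0, len(blob) - 1, 2)]
    counts = {"push_lr": 0, "pop_pc": 0, "bx_lr": 0, "bl": 0, "pop_then_push": 0}
    i = 0
    while i < len(hw):
        w = hw[i]
        if w & 0xFF00 == 0xB500:                    # PUSH {..., LR}: second byte 0xB5
            counts["push_lr"] += 1
            if i and hw[i - 1] & 0xFF00 == 0xBD00:  # POP {..., PC} right before: function boundary
                counts["pop_then_push"] += 1
        elif w & 0xFF00 == 0xBD00:                  # POP {..., PC}: second byte 0xBD
            counts["pop_pc"] += 1
        elif w == 0x4770:                           # BX LR: bytes 70 47
            counts["bx_lr"] += 1
        elif (w & 0xF800) == 0xF000 and i + 1 < len(hw) and (hw[i + 1] & 0xF800) == 0xF800:
            # BL is a pair: 0xF000-0xF7FF then 0xF800-0xFFFF; a short backward call
            # is the FF F7 xx FF byte pattern from the slide
            counts["bl"] += 1
            i += 1                                  # skip the second halfword
        i += 1
    return counts


def arm_always_ratio(blob: bytes) -> float:
    """Fraction of 32-bit words whose condition field is AL (top nibble 0xE)."""
    words = [struct.unpack_from("<I", blob, i)[0] for i in range(0, len(blob) - 3, 4)]
    if not words:
        return 0.0
    return sum(1 for w in words if w >> 28 == 0xE) / len(words)


def guess_isa(blob: bytes) -> str:
    """Heuristic classification; the thresholds are assumptions, tune them on known code."""
    m = thumb_markers(blob)
    n_hw = max(1, len(blob) // 2)
    thumb_ratio = (m["push_lr"] + m["pop_pc"] + m["bx_lr"] + m["bl"]) / n_hw
    if arm_always_ratio(blob) > 0.5:
        return "arm"
    if thumb_ratio > 0.02:
        return "thumb"
    return "unknown"


if __name__ == "__main__":
    print(thumb_markers(THUMB_SAMPLE), guess_isa(THUMB_SAMPLE))
    print(arm_always_ratio(ARM_SAMPLE), guess_isa(ARM_SAMPLE))
```

Run it over a few kilobytes at a time rather than the whole image: data tables and padding score as "unknown", which is itself useful for telling code from constants.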
  • 17. The Module – Logic Analysis
  • 18. The Module – Logic Analysis
    Wires connected to each pin on the module
    Communication analysed from start-up
    SPI communication found
  • 21. The Module – SPI Communication
    Five sets of commands found:
    • Register write commands, 0x00–0x3f
    • Register read commands, 0x00–0x3f with 0x40 always set
    • One-byte commands where 0x80 is always set
    • A register write command at 0x05
    • The matching register read command at 0x45
    Analysing these commands allowed us to present the data in a readable format
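Added example, not the talk's own script: a decoder that turns a logic-analyser SPI export into the readable form the slide describes, applying the command rules above. The capture is constructed for the demo (one MOSI/MISO byte list per chip-select assertion, the shape a Saleae or sigrok CSV decodes to). Treating register 0x05 as the FIFO data register (the A7105 register layout) and assuming multi-byte writes auto-increment the register address are assumptions, not facts from the talk.

```python
# Constructed logic-analyser export (not a capture from the tank):
# one (MOSI bytes, MISO bytes) pair per chip-select assertion.
CAPTURE = [
    ([0x00, 0x00], [0xFF, 0xFF]),                            # write reg 0x00 <- 0x00
    ([0x01, 0x42], [0xFF, 0xFF]),                            # write reg 0x01 <- 0x42
    ([0x41, 0x00], [0xFF, 0x42]),                            # read  reg 0x01 (0x40 set) -> 0x42
    ([0xA0], [0xFF]),                                        # one-byte command (0x80 set)
    ([0x05, 0x07, 0xAA, 0xBB], [0xFF, 0xFF, 0xFF, 0xFF]),    # write to 0x05: three data bytes
    ([0xC0], [0xFF]),                                        # one-byte command
    ([0x45, 0x00, 0x00, 0x00], [0xFF, 0x07, 0xAA, 0xBB]),    # read from 0x45: three data bytes
]

FIFO_REG = 0x05   # assumption: 0x05 is the FIFO data register, as in the A7105 register map


def decode_transaction(mosi, miso):
    """Classify one chip-select transaction by the rules on the slide."""
    cmd = mosi[0]
    if cmd & 0x80:                                   # one-byte command ("strobe")
        return {"kind": "strobe", "cmd": cmd, "reg": None, "data": b""}
    reg = cmd & 0x3F
    if cmd & 0x40:                                   # read: data comes back on MISO
        return {"kind": "read", "cmd": cmd, "reg": reg, "data": bytes(miso[1:])}
    return {"kind": "write", "cmd": cmd, "reg": reg, "data": bytes(mosi[1:])}


def render(t) -> str:
    """One readable line per transaction."""
    if t["kind"] == "strobe":
        return f"STROBE 0x{t['cmd']:02x}"
    name = "FIFO" if t["reg"] == FIFO_REG else f"reg 0x{t['reg']:02x}"
    arrow = "->" if t["kind"] == "read" else "<-"
    return f"{t['kind'].upper():5} {name} {arrow} {t['data'].hex()}"


def decode_capture(capture):
    return [decode_transaction(m, s) for m, s in capture]


def fifo_reads(capture):
    """The filter from the next slide: keep only FIFO reads, i.e. the received air frames."""
    return [t["data"] for t in decode_capture(capture)
            if t["kind"] == "read" and t["reg"] == FIFO_REG]


def register_image(capture):
    """Reconstruct the configuration the host wrote, for replaying the init sequence later.
    Assumes multi-byte writes auto-increment the register address."""
    regs = {}
    for t in decode_capture(capture):
        if t["kind"] == "write" and t["reg"] != FIFO_REG:
            for i, b in enumerate(t["data"]):
                regs[(t["reg"] + i) & 0x3F] = b
    return regs


if __name__ == "__main__":
    for t in decode_capture(CAPTURE):
        print(render(t))
    print(fifo_reads(CAPTURE), register_image(CAPTURE))
```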
  • 22. Analysing The Data – Receiving
    Filtering the read commands allowed us to view all received data
    This showed an incrementing value at the start of each frame which reset, allowing us to see the start and end of data payloads
  • 23. Analysing The Data – Receiving
    Frames can be stitched together, allowing for analysis of each payload in turn
    The header of the payload should be assessed first, as this will contain the most relevant data
  • 24. Analysing Data Without a Discernible Header
    Looks like seemingly random data
    This could mean it is encrypted or compressed
    A compressed payload will still have some form of non-random data, such as a container header
  • 26. Analysing Data Without a Discernible Header
    If this data was encrypted, it would require assessment of the firmware
    Search the firmware for information relevant to the packet, such as a standard size
    Standard constants or tables used by encryption algorithms, such as AES S-boxes
    Search the binary for XOR instructions inside a loop, i.e. followed by a branch back to an earlier point in the subroutine
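Added example of the two firmware searches the slide lists, written for this page rather than taken from the talk: a scan for well-known crypto and CRC table prefixes (the first 16 bytes of the AES S-box and inverse S-box, and the first four little-endian entries of the reflected CRC-32 table), and the XOR-in-a-loop heuristic for Thumb code, which looks for an EORS followed shortly by a backward B or Bcc. The sample loop is a hand-assembled Thumb XOR loop constructed for the test; the 8-halfword window is an assumption.

```python
import struct

# First entries of tables that crypto/CRC code carries verbatim.
SIGNATURES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
    "CRC-32 table (LE)": struct.pack("<4I", 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
}

# Constructed Thumb fragment: byte-wise XOR of a buffer with r3 (hand-assembled).
XOR_LOOP = bytes([
    0x42, 0x5C,   # ldrb r2, [r0, r1]   -> 0x5C42
    0x5A, 0x40,   # eors r2, r3         -> 0x405A
    0x42, 0x54,   # strb r2, [r0, r1]   -> 0x5442
    0x01, 0x31,   # adds r1, #1         -> 0x3101
    0xA1, 0x42,   # cmp  r1, r4         -> 0x42A1
    0xF9, 0xD1,   # bne  loop (-14)     -> 0xD1F9
])


def find_constants(blob: bytes):
    """Return (name, offset) for every occurrence of a known table prefix."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (pos := blob.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


def _is_backward_branch(hw: int) -> bool:
    # B <label>: 11100 imm11, negative when bit 10 set
    if hw & 0xF800 == 0xE000:
        return bool(hw & 0x0400)
    # B<cond> <label>: 1101 cond imm8, cond 0xE/0xF are UDF/SVC, negative when bit 7 set
    if hw & 0xF000 == 0xD000 and (hw >> 8) & 0xF < 0xE:
        return bool(hw & 0x0080)
    return False


def find_xor_loops(blob: bytes, window: int = 8):
    """Offsets (eors, branch) where a Thumb EORS is followed within `window`
    halfwords by a backward branch; the shape of a stream-cipher or obfuscation loop."""
    hw = [struct.unpack_from("<H", blob, i)[0] for i in range(0, len(blob) - 1, 2)]
    hits = []
    for i, w in enumerate(hw):
        if w & 0xFFC0 != 0x4040:            # EORS Rd, Rm: 0100 0000 01xx xxxx
            continue
        for j in range(i + 1, min(i + 1 + window, len(hw))):
            if _is_backward_branch(hw[j]):
                hits.append((i * 2, j * 2))
                break
    return hits


if __name__ == "__main__":
    blob = XOR_LOOP + bytes(4) + SIGNATURES["AES S-box"] + bytes(4)
    print(find_constants(blob), find_xor_loops(blob))
```

Neither check proves encryption on its own: a CRC table is expected next to the frame checksum from the header, and XOR loops also appear in checksums and bit-banging code. Hits are places to start disassembling, not conclusions.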
  • 27. Analysing The Data – Receiving
    We found a header which looked like:
    • A 32-bit value denoting the full size of the payload
    • A 32-bit CRC for error checking
    • A 32-bit value giving the number of blocks the payload was separated into
    • And finally a JPEG header
  • 28. Analysing The Data – Receiving
    Now we have JPEG images to be viewed
    Tiny: 240×180 px resolution
    A large number of the packets were found to be corrupted
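Added example (not the talk's own tooling) of the receive path described on the last slides: FIFO reads are stitched back into payloads using the resetting frame counter, the header is parsed, and the CRC and JPEG start-of-image marker are checked so that corrupted payloads are flagged rather than handed to a viewer. The talk only gives the field widths, so little-endian fields, a 1-byte counter followed by 16 data bytes per frame, and CRC-32 (zlib) over the JPEG bytes are assumptions; build_frames exists only to construct test input.

```python
import struct
import zlib

HEADER = struct.Struct("<III")   # size, crc32, block count (little-endian: assumption)
FRAME_DATA = 16                  # payload bytes per frame after the 1-byte counter (assumption)
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image marker followed by the first segment marker

# Constructed JPEG-shaped body for the test (not an image from the tank).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(37)) + b"\xff\xd9"


def build_frames(jpeg: bytes):
    """Constructed transmitter side, used only to produce test input."""
    size = HEADER.size + len(jpeg)
    nblocks = -(-size // FRAME_DATA)
    payload = HEADER.pack(size, zlib.crc32(jpeg), nblocks) + jpeg
    payload += bytes(nblocks * FRAME_DATA - len(payload))      # pad the last frame
    return [bytes([n]) + payload[n * FRAME_DATA:(n + 1) * FRAME_DATA] for n in range(nblocks)]


def stitch(frames):
    """Split a stream of FIFO reads into (payload, lost_frames) using the counter reset.
    An 8-bit counter wraps after 256 frames; longer payloads would also need the header's
    block count to find the boundary."""
    payloads, cur, expect, lost = [], None, 0, False
    for f in frames:
        seq, data = f[0], f[1:]
        if seq == 0:                     # counter reset = start of a new payload
            if cur is not None:
                payloads.append((bytes(cur), lost))
            cur, lost = bytearray(), False
        elif cur is None:
            continue                     # capture started mid-payload; wait for a reset
        elif seq != expect:
            lost = True                  # dropped or reordered frame
        cur += data
        expect = (seq + 1) & 0xFF
    if cur is not None:
        payloads.append((bytes(cur), lost))
    return payloads


def parse_payload(payload: bytes, lost: bool = False) -> dict:
    """Check the header before trusting the body; corrupted payloads get a reason."""
    if len(payload) < HEADER.size:
        return {"ok": False, "reason": "short header", "jpeg": None}
    size, crc, nblocks = HEADER.unpack_from(payload, 0)
    body = payload[HEADER.size:size]
    if lost or len(payload) < size:
        reason = "missing frames"
    elif not body.startswith(JPEG_SOI):
        reason = "no JPEG header"
    elif zlib.crc32(body) != crc:
        reason = "crc mismatch"
    else:
        reason = None
    return {"ok": reason is None, "reason": reason, "size": size, "blocks": nblocks,
            "jpeg": body if reason is None else None}


def recover_images(frames):
    return [parse_payload(p, lost) for p, lost in stitch(frames)]


if __name__ == "__main__":
    for r in recover_images(build_frames(SAMPLE_JPEG)):
        print(r["ok"], r["reason"], r["size"], r["blocks"])
```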
  • 31. Analysing The Data – Sending
    Controller data was simpler and fitted in one frame
    Followed standard practice for controllers:
    • 8-bit values used for analogue controls, with the neutral value being 0x80
    • Single bits set and unset for buttons
    A single-byte checksum used for data integrity, consisting of the sum of all control values
  • 32. Analysing The Data – Sending
    The two analogue controls were the speed settings for the two tank treads
    The tank crashed upon rapidly changing the speed of the wheels
    Controls were only sent when requested by the tank:
    • every 22nd frame
    • the tank set a request bit
  • 33. Analysing The Data – Sending
    0x80 was the neutral speed of the treads
    0x30 was reverse
    0xd0 was forward
    0xff was TURBO
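Added example, not the controller's firmware: building and verifying the control frame from slides 31 to 33, plus a sender that only answers when the tank's request bit is set and ramps tread speed instead of slamming it, since the talk notes that rapid speed changes crashed the tank. The speed values are the ones on the slide; the field order [left, right, buttons, checksum], the button bit, and the ramp step are assumptions.

```python
NEUTRAL, REVERSE, FORWARD, TURBO = 0x80, 0x30, 0xD0, 0xFF   # tread speeds from the slide

BTN_FIRE = 0x01   # assumption: bit 0 of the button byte


def checksum(values: bytes) -> int:
    """Single-byte sum of all control values, modulo 256."""
    return sum(values) & 0xFF


def build_control(left: int, right: int, buttons: int = 0) -> bytes:
    """Assumed layout: [left tread, right tread, button bits, checksum]."""
    body = bytes([left & 0xFF, right & 0xFF, buttons & 0xFF])
    return body + bytes([checksum(body)])


def parse_control(frame: bytes):
    """Return the fields, or None if the length or checksum is wrong."""
    if len(frame) != 4 or checksum(frame[:3]) != frame[3]:
        return None
    return {"left": frame[0], "right": frame[1], "buttons": frame[2]}


def ramp(current: int, target: int, max_step: int = 0x10) -> int:
    """Move a tread speed at most max_step per frame towards the target."""
    delta = max(-max_step, min(max_step, target - current))
    return current + delta


class ControlSender:
    """Answer the tank's control requests (the tank raises a request bit every 22nd frame)."""

    def __init__(self):
        self.left = self.right = NEUTRAL
        self.target = (NEUTRAL, NEUTRAL)
        self.buttons = 0

    def want(self, left: int, right: int, buttons: int = 0):
        self.target = (left, right)
        self.buttons = buttons

    def on_frame(self, request: bool):
        """Called per received frame; returns a control frame only when asked for one."""
        if not request:
            return None
        self.left = ramp(self.left, self.target[0])
        self.right = ramp(self.right, self.target[1])
        return build_control(self.left, self.right, self.buttons)


if __name__ == "__main__":
    s = ControlSender()
    s.want(TURBO, REVERSE)
    for n in range(1, 10):
        frame = s.on_frame(n % 22 == 0 or n == 9)
        if frame:
            print(frame.hex(), parse_control(frame))
```

Both ends of this frame are cheap to forge: a one-byte additive checksum catches line noise, not an attacker, so anything that can reach the radio can drive the tank. That is the property the rest of the talk exploits.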
  • 35. Searching For The Module
    Most common 2.4 GHz transceiver manufacturers
    iRangeX contains four common transceivers:
    • Texas Instruments CC2500
    • Nordic Semiconductor nRF24L01
    • Cypress CYRF6936
    • Amiccom A7105
    Searching the datasheets for these modules revealed that the A7105 was the closest match
  • 36. Searching For The Module
    Replaying SPI commands from the logic analyser was inconsistent
    The transceiver in use was very likely to be a "similar" chip in the same series
    Datasheets were not the most useful:
    • copy-and-pasted
    • few differences between them
    Finding the appropriate transceiver would be difficult
  • 37. Searching For The Module
    A large number of the transceivers were found not to be accessible to the general public
    Datasheets were hard to find
    We ended up cheating: stealing the module from the legitimate controller
  • 38. Hijacking The Tank
    Choice of a Raspberry Pi or an STM32 development board
    Raspberry Pi was too inflexible
    An ST NUCLEO-L496ZG development board was used
    • Fast
    • Precise timings
  • 39. Hijacking The Tank
    STM32 boards are extremely easy to set up, with tools like STM32CubeMX allowing for precise definitions of what each pin does
  • 40. Hijacking The Tank
    Programmed the board to:
    • replay the initialisation SPI commands
    • send and receive the appropriate packets
    The module starts in half-duplex (3-wire) SPI mode and has to be set to run in full duplex
    Sent received images to the USB host and received controls back
    Next step was through the browser…
  • 49. Demo