1
00:00:00,000 --> 00:00:02,250
ZAC FRANKEN: Good afternoon, everyone.

2
00:00:02,250 --> 00:00:03,709
I'm Zac Franken.

3
00:00:03,709 --> 00:00:05,292
This is Major Malfunction.

4
00:00:05,292 --> 00:00:08,667
ADAM 'MAJOR MALFUNCTION' LAURIE: I will be sitting quietly a bit,

5
00:00:08,667 --> 00:00:12,209
because I have no fucking idea what he does.

6
00:00:12,209 --> 00:00:15,125
He does this hardware stuff and terrible smells come

7
00:00:15,125 --> 00:00:19,876
out of the room and as he gets the chemicals out as he works,

8
00:00:19,876 --> 00:00:23,375
so this is going to be interesting.

9
00:00:23,375 --> 00:00:25,667
ZAC FRANKEN: What can I say, I'm a farter.

10
00:00:25,667 --> 00:00:27,834
We are going to take you guys through a bit

11
00:00:27,834 --> 00:00:32,751
of hardware reverse engineering, and I think you are going

12
00:00:32,751 --> 00:00:35,375
to have fun with it.

13
00:00:35,375 --> 00:00:36,959
We certainly did.

14
00:00:36,999 --> 00:00:39,999
So we are Aperture Labs.

15
00:00:40,584 --> 00:00:46,000
We are not Aperture Laboratories.

16
00:00:49,250 --> 00:00:54,000
We do get occasional misrouted mail though.

17
00:00:54,375 --> 00:00:59,501
So here is a piece of mail we got: Dear Aperture Laboratories,

18
00:00:59,501 --> 00:01:02,751
do you make portal guns?

19
00:01:02,959 --> 00:01:03,999
Do they work?

20
00:01:04,334 --> 00:01:06,918
Well, I have an idea for a portal gun.

21
00:01:06,918 --> 00:01:10,250
Here is the picture, the portal colors are yellow

22
00:01:10,250 --> 00:01:12,292
and rainbow.

23
00:01:12,876 --> 00:01:15,167
From Joshua.

24
00:01:15,751 --> 00:01:18,083
Brilliant.

25
00:01:18,667 --> 00:01:23,375
ZAC FRANKEN: So apart from the dreadful Photoshopping

26
00:01:23,375 --> 00:01:25,959
on this picture.

27
00:01:25,959 --> 00:01:28,999
ADAM 'MAJOR MALFUNCTION' LAURIE: It's really me crying.

28
00:01:28,999 --> 00:01:30,999
ZAC FRANKEN: You notice that the thumbs aren't pointing

29
00:01:30,999 --> 00:01:33,083
the right way around.

30
00:01:35,999 --> 00:01:42,667
So I think I'm a reasonably smart guy, and I was just completely not thinking

31
00:01:42,667 --> 00:01:49,125
when I went onto Google Images and searched for the word fist.

32
00:01:52,209 --> 00:01:54,083
I swear to God!

33
00:01:54,083 --> 00:01:55,083
Holy shit!

34
00:01:57,542 --> 00:02:02,083
It's like there was one, I thought he was trying to pick her nose

35
00:02:02,083 --> 00:02:04,209
from the inside.

36
00:02:04,209 --> 00:02:07,167
It was mind bleach.

37
00:02:07,334 --> 00:02:08,375
Okay.

38
00:02:09,083 --> 00:02:13,459
So just to recap, (Laughter).

39
00:02:19,918 --> 00:02:26,292
So we are going to talk, or I'm going to talk, about simple decapping that you

40
00:02:26,292 --> 00:02:31,999
can do, and the kind of benefits you will get from it.

41
00:02:32,250 --> 00:02:35,999
We will call it the plink, plink, fizz method.

42
00:02:38,542 --> 00:02:39,999
(Music).

43
00:02:42,542 --> 00:02:49,999
So we need some ingredients, some nitric acid.

44
00:02:49,999 --> 00:02:57,999
So normally between 70 and 90%, you can get it up to 99%.

45
00:02:58,375 --> 00:03:01,375
70% is probably good enough.

46
00:03:01,751 --> 00:03:05,375
And there are issues with chemicals like these, so,

47
00:03:05,375 --> 00:03:09,125
you know, just like you might think you really want

48
00:03:09,125 --> 00:03:13,209
the 99% stuff, you probably really don't.

49
00:03:14,751 --> 00:03:20,584
Acetone, which is an organic solvent, a hot plate because the hotter

50
00:03:20,584 --> 00:03:28,167
the nitric acid is, the faster the reaction, so you can have a chip, you can drop

51
00:03:28,167 --> 00:03:34,792
it in room temperature nitric acid, nothing will happen.

52
00:03:34,792 --> 00:03:35,999
Actually that's not true.

53
00:03:35,999 --> 00:03:38,375
The legs will miraculously disappear

54
00:03:38,375 --> 00:03:42,417
and disappear right into the package.

55
00:03:42,417 --> 00:03:44,709
It's like oh, very small holes on this side.

56
00:03:44,959 --> 00:03:52,959
But as soon as you start to get it a bit warmer, amazing things happen.

57
00:03:52,999 --> 00:03:55,999
These are Pyrex beakers, so they can withstand a bit

58
00:03:55,999 --> 00:03:58,375
of heat without shattering.

59
00:03:59,751 --> 00:04:06,834
A pipette for moving liquids and a wash bottle, just an easy way

60
00:04:06,834 --> 00:04:12,584
to apply acetone, and Petri dishes which are useful

61
00:04:12,584 --> 00:04:16,209
for sorting out results.

62
00:04:16,792 --> 00:04:18,375
So -- (Laughter).

63
00:04:20,584 --> 00:04:22,542
Do you see that?

64
00:04:23,250 --> 00:04:25,125
What can I say?

65
00:04:26,083 --> 00:04:28,459
And the other one, the other great place to get some

66
00:04:28,459 --> 00:04:30,667
of the stuff from, Amazon.

67
00:04:30,667 --> 00:04:31,918
Who would have thought?

68
00:04:32,167 --> 00:04:37,959
I bought some, I'm trying to think, potassium nitrate from Amazon,

69
00:04:37,959 --> 00:04:43,083
and I'm like, okay, and at the bottom, and I have seen it

70
00:04:43,083 --> 00:04:48,417
on a couple of occasions, the other people bought sulfur

71
00:04:48,417 --> 00:04:50,709
and charcoal.

72
00:04:50,709 --> 00:04:53,999
It's like okay (Laughter).

73
00:04:53,999 --> 00:04:58,167
My favorite was I was looking for aluminum powder and other people

74
00:04:58,167 --> 00:05:02,250
bought iron oxide and magnesium ribbon.

75
00:05:05,417 --> 00:05:08,626
I'll sling them into one of these slides actually.

76
00:05:09,375 --> 00:05:11,999
So eBay is your friend.

77
00:05:11,999 --> 00:05:15,083
The shit we bought from eBay is astounding.

78
00:05:16,292 --> 00:05:20,999
So as you can probably gather, this stuff can get quite nasty.

79
00:05:21,709 --> 00:05:26,250
Nitric acid, particularly bad.

80
00:05:26,584 --> 00:05:32,334
So it does what we want, particularly to dissolve organics, so

81
00:05:32,334 --> 00:05:38,667
the epoxy packaging on the chip is the thing we want to get rid of,

82
00:05:38,667 --> 00:05:44,999
but it will also take out metals as well, dissolves copper and does

83
00:05:44,999 --> 00:05:49,834
all of the other lovely things acid does.

84
00:05:49,834 --> 00:05:50,876
It will burn you.

85
00:05:50,999 --> 00:05:54,250
It has choking fumes, so as soon as you take the cap off the bottle it

86
00:05:54,250 --> 00:05:56,584
will start fuming away.

87
00:05:57,125 --> 00:06:01,542
You get fumes from the acid, you get fumes from the stuff

88
00:06:01,542 --> 00:06:06,083
the acid reacts with, and that's typically nitrogen dioxide,

89
00:06:06,083 --> 00:06:08,375
toxic, of course.

90
00:06:08,542 --> 00:06:14,999
And, yes, if you get a lungful of nitric acid vapor, there

91
00:06:14,999 --> 00:06:23,375
is about an eight-hour delay before it has a nice catastrophic effect.

92
00:06:23,375 --> 00:06:27,999
It will be really unpleasant initially, and then eight hours later,

93
00:06:27,999 --> 00:06:30,918
bad stuff will happen.

94
00:06:31,083 --> 00:06:32,999
Oh, yes, and it causes spontaneous combustion

95
00:06:32,999 --> 00:06:34,709
of organics.

96
00:06:34,999 --> 00:06:39,417
This is probably an important point to note.

97
00:06:39,417 --> 00:06:43,792
Kitchen table, yes, this one is not for the kitchen table.

98
00:06:43,792 --> 00:06:47,918
Definitely outside and better with a cabinet.

99
00:06:50,083 --> 00:06:53,501
So people wear latex gloves and in general

100
00:06:53,501 --> 00:06:58,999
in labs people started moving to nitrile gloves because nitrile is great,

101
00:06:58,999 --> 00:07:04,709
it's resistant to most chemicals, doesn't react with them.

102
00:07:05,250 --> 00:07:09,250
This is what happens when you take a bit of nitrile glove and you add

103
00:07:09,250 --> 00:07:11,999
a little bit of nitric acid.

104
00:07:16,375 --> 00:07:18,459
My, my (Laughter).

105
00:07:22,959 --> 00:07:32,542
ADAM 'MAJOR MALFUNCTION' LAURIE: 16 seconds

106
00:07:32,542 --> 00:07:38,334
before it catches fire.

107
00:07:38,334 --> 00:07:41,751
ZAC FRANKEN: You definitely want to be a bit careful with it.

108
00:07:41,834 --> 00:07:44,876
Okay, acetone is only a little evil.

109
00:07:45,250 --> 00:07:49,334
It will dissolve plastics in particular.

110
00:07:49,334 --> 00:07:53,709
It can be really handy for getting inside smart cards and things like that.

111
00:07:53,876 --> 00:08:01,999
It has choking fumes, and it's a little bit carcinogenic as well.

112
00:08:02,999 --> 00:08:07,584
Oh, yes, the fumes are heavier than air, so if I'm working with it up here,

113
00:08:07,584 --> 00:08:11,584
the fumes are going to cascade off the table and onto the floor

114
00:08:11,584 --> 00:08:13,501
and spread out.

115
00:08:13,959 --> 00:08:19,542
So the guy back there is going to have a nice little pool

116
00:08:19,542 --> 00:08:23,584
of acetone fumes around him.

117
00:08:23,999 --> 00:08:30,918
If it rolls down into the basement, yes, it's interesting stuff.

118
00:08:32,125 --> 00:08:35,918
And, again, you won't realize, you won't really smell anything,

119
00:08:35,918 --> 00:08:40,417
but there is a nice layer of it on the ground, and, yes, bang!

120
00:08:42,792 --> 00:08:47,417
So safety.

121
00:08:47,999 --> 00:08:49,999
We use a fume cabinet.

122
00:08:50,876 --> 00:08:53,999
You have just got to also think about how you are dealing

123
00:08:53,999 --> 00:08:57,334
with this stuff, especially the nitric acid, and where you are

124
00:08:57,334 --> 00:08:58,999
storing it.

125
00:09:01,834 --> 00:09:08,375
Handling it, think about where it is, where you are moving it to, is it,

126
00:09:08,375 --> 00:09:11,375
is the container open?

127
00:09:11,584 --> 00:09:14,083
If you have got it prepared and you are moving

128
00:09:14,083 --> 00:09:18,501
across to your sample, if the pipette drips, what is it going

129
00:09:18,501 --> 00:09:20,209
to drip on?

130
00:09:20,417 --> 00:09:26,459
If it spills, where is it going to run and what is it going to hit as it runs?

131
00:09:26,459 --> 00:09:32,999
So just be aware in your head what's going on.

132
00:09:34,999 --> 00:09:39,417
Also you can neutralize it with baking soda because it's an acid.

133
00:09:40,834 --> 00:09:47,334
We use an industrial neutralizer, which you buy in cases of six.

134
00:09:47,334 --> 00:09:48,626
It costs about $200.

135
00:09:48,834 --> 00:09:49,999
It's amazing stuff.

136
00:09:49,999 --> 00:09:54,375
You sprinkle it on, and it changes color when it's safe.

137
00:09:54,375 --> 00:09:55,876
It's like perfect.

138
00:09:55,999 --> 00:09:57,501
Neutralization for dummies.

139
00:09:58,417 --> 00:10:00,792
So here is our fume cabinet.

140
00:10:01,999 --> 00:10:04,999
Any ideas where the fume cabinet was acquired?

141
00:10:05,000 --> 00:10:06,959
eBay.

142
00:10:06,999 --> 00:10:09,918
Ten pounds this fume cabinet cost.

143
00:10:10,999 --> 00:10:16,459
It cost 35 pounds to have a cab go pick it up.

144
00:10:16,999 --> 00:10:21,334
Now, it sounds like a great deal, but it's safety equipment, and this

145
00:10:21,334 --> 00:10:25,083
is called a recirculating fume cabinet.

146
00:10:25,083 --> 00:10:29,375
So some fume cabinets just suck things up and vent them straight outside.

147
00:10:29,584 --> 00:10:33,834
This is designed to vent back into the room so everything goes

148
00:10:33,834 --> 00:10:38,999
through a filter, therefore, there is no way I'm trusting the filters

149
00:10:38,999 --> 00:10:44,501
from a 10 pound eBay fume cabinet, so a new set of filters cost around 500,

150
00:10:44,501 --> 00:10:49,417
but you can use direct vent, outside, or, you know

151
00:10:49,417 --> 00:10:54,542
ADAM 'MAJOR MALFUNCTION' LAURIE: Don't like the neighbors, do you?

152
00:10:54,667 --> 00:10:58,000
ZAC FRANKEN: A lot smaller fume cabinets.

153
00:10:59,250 --> 00:11:02,501
Oh, and, again, you can do this stuff outside.

154
00:11:02,999 --> 00:11:05,999
That's how I started doing it.

155
00:11:06,083 --> 00:11:08,501
The other thing, just be aware of the wind,

156
00:11:08,501 --> 00:11:11,375
because if the wind changes, your big plume

157
00:11:11,375 --> 00:11:14,501
of nitric acid fumes that was going over there

158
00:11:14,501 --> 00:11:17,876
all of a sudden heads towards you.

159
00:11:17,999 --> 00:11:22,999
And even a tiny little bit, very unpleasant.

160
00:11:23,083 --> 00:11:29,083
So, yes, this is, like, yes, I don't want to be near that shit ever again.

161
00:11:29,501 --> 00:11:30,999
So here is the nitric acid.

162
00:11:34,542 --> 00:11:36,959
You'll never guess where I got it, of course.

163
00:11:37,667 --> 00:11:41,334
You use a beaker and pipette, and the great thing about this

164
00:11:41,334 --> 00:11:44,292
is you don't need to use a lot.

165
00:11:45,459 --> 00:11:52,709
12, 15 ml of nitric acid at a time is plenty to decap a chip.

166
00:11:52,999 --> 00:11:55,709
Which is great, it means you don't have

167
00:11:55,709 --> 00:12:00,999
to have tons hanging around, and you are not moving large quantities

168
00:12:00,999 --> 00:12:02,501
of it.

169
00:12:02,584 --> 00:12:05,667
This is an acetone wash bottle, so handy.

170
00:12:05,667 --> 00:12:07,626
You just fill it up with acetone.

171
00:12:07,999 --> 00:12:12,999
The straw, when you are not using it, you just pull up above the level

172
00:12:12,999 --> 00:12:18,542
of the acetone, and the acetone will stay, as it's heavier, it will stay

173
00:12:18,542 --> 00:12:20,667
in the bottle.

174
00:12:22,083 --> 00:12:27,959
So here is a simple example.

175
00:12:27,959 --> 00:12:33,999
This is a PIC chip, PIC 32, and.

176
00:12:35,792 --> 00:12:39,751
As you know, we have a tradition at Def Con that

177
00:12:39,751 --> 00:12:43,999
all first-time speakers have to do a shot.

178
00:12:44,417 --> 00:12:53,751
And we figured you were a first-time speaker at Def Con 21.

179
00:12:53,751 --> 00:12:54,834
ZAC FRANKEN: Okay.

180
00:12:54,834 --> 00:12:55,834
(Applause).

181
00:12:55,834 --> 00:12:57,083
ZAC FRANKEN: A shot it is.

182
00:12:57,083 --> 00:12:58,751
A shot of Jack, how surprising!

183
00:13:01,751 --> 00:13:04,999
So you realize when I fuck the rest of my talk up, I'm just going

184
00:13:04,999 --> 00:13:06,626
to blame you.

185
00:13:06,667 --> 00:13:10,167
Wait a minute, back up.

186
00:13:17,501 --> 00:13:19,501
ADAM 'MAJOR MALFUNCTION' LAURIE: How come I have

187
00:13:19,501 --> 00:13:21,834
to drink one because he doesn't?

188
00:13:21,834 --> 00:13:22,999
That's not fair.

189
00:13:23,918 --> 00:13:25,083
Let's hear it for the first-time speakers

190
00:13:25,083 --> 00:13:26,626
at Def Con 21.

191
00:13:28,999 --> 00:13:30,292
(Applause).

192
00:13:32,751 --> 00:13:34,834
ADAM 'MAJOR MALFUNCTION' LAURIE: Thank you, sir,

193
00:13:34,834 --> 00:13:36,918
please may I have another?

194
00:13:36,999 --> 00:13:39,999
ZAC FRANKEN: Thanks, proctor.

195
00:13:39,999 --> 00:13:42,083
You are welcome.

196
00:13:42,542 --> 00:13:48,542
You are cut off, buddy.

197
00:13:48,542 --> 00:13:49,542
As you were.

198
00:13:49,626 --> 00:13:54,999
ZAC FRANKEN: Thank you.

199
00:13:55,417 --> 00:13:59,918
The empty one.

200
00:14:00,250 --> 00:14:04,999
Oh, yes, we better take it.

201
00:14:04,999 --> 00:14:06,083
ZAC FRANKEN: Okay.

202
00:14:06,083 --> 00:14:08,709
ADAM 'MAJOR MALFUNCTION' LAURIE: Where was I?

203
00:14:08,709 --> 00:14:09,709
Who was I?

204
00:14:09,709 --> 00:14:10,083
ZAC FRANKEN: So this is a Microchip PIC 32 chip which I'm

205
00:14:10,083 --> 00:14:16,751
knocking around, and I have more than one of them, so I'm like, okay,

206
00:14:16,751 --> 00:14:19,751
we will use this guy.

207
00:14:19,999 --> 00:14:23,876
It's a very modern chip, so it's very highly integrated, so the level

208
00:14:23,876 --> 00:14:27,999
of detail on it is very small, but slightly older chips are fun

209
00:14:27,999 --> 00:14:32,501
because you can actually really start to understand how they are built

210
00:14:32,501 --> 00:14:36,918
up and how the gating is done and things like that.

211
00:14:38,250 --> 00:14:42,999
So as soon as I pop this in here, one of the things I want you guys to look

212
00:14:42,999 --> 00:14:47,999
for is on the kind of bottom side here, as soon as it's dropped in the beaker,

213
00:14:47,999 --> 00:14:50,501
it will react instantly.

214
00:14:50,834 --> 00:14:55,083
This acid is about 90 degrees Celsius.

215
00:14:55,083 --> 00:14:59,459
It will boil at 120, and so as soon as the chip goes in, it

216
00:14:59,459 --> 00:15:03,999
will start reacting immediately, and what you will see

217
00:15:03,999 --> 00:15:07,999
is around the kind of bottom here you will see

218
00:15:07,999 --> 00:15:11,542
a spot coming off of the epoxy.

219
00:15:17,209 --> 00:15:22,584
So yes, and

220
00:15:22,584 --> 00:15:26,083
ADAM 'MAJOR MALFUNCTION' LAURIE: It's great!

221
00:15:26,083 --> 00:15:27,083
Wow!

222
00:15:27,083 --> 00:15:28,083
Look at that!

223
00:15:28,083 --> 00:15:32,999
ZAC FRANKEN: Evil, evil, evil, Microsoft.

224
00:15:47,999 --> 00:15:49,083
Okay.

225
00:15:49,083 --> 00:15:53,834
So look for the spall around the bottom of the beaker,

226
00:15:53,834 --> 00:15:56,999
instant reaction, boom!

227
00:15:58,709 --> 00:16:06,542
The Petri dish on top is just to contain the fumes a little bit, so

228
00:16:06,542 --> 00:16:15,250
the brown fumes are nitrogen dioxide, and you can see here this dark cloud

229
00:16:15,250 --> 00:16:20,167
is the epoxy coming off the chip.

230
00:16:20,167 --> 00:16:21,167
Okay.

231
00:16:27,167 --> 00:16:33,792
So once it's finished reacting, take the acid into a second beaker,

232
00:16:33,792 --> 00:16:40,792
your disposable beaker, and take the beaker, rinse it with the acetone

233
00:16:40,792 --> 00:16:45,083
and decant it into the Petri dish.

234
00:16:45,292 --> 00:16:50,417
What you will end up with is a die with all of the wires intact

235
00:16:50,417 --> 00:16:55,709
because the acid will eat not just the epoxy but the entire frame

236
00:16:55,709 --> 00:17:00,999
as well, both externally and internally from the chip.

237
00:17:02,083 --> 00:17:04,999
So get the die, rinse it in more acetone, and this

238
00:17:04,999 --> 00:17:07,667
is what you will end up with.

239
00:17:07,999 --> 00:17:09,626
It looks a bit yucky.

240
00:17:11,083 --> 00:17:17,459
There is still a little bit of epoxy on there, but, again,

241
00:17:17,459 --> 00:17:21,999
another fantastic eBay purchase.

242
00:17:22,083 --> 00:17:26,250
These are like 30 quid, and they are amazing.

243
00:17:28,083 --> 00:17:33,334
They will just remove all of the shit from anything, including chips.

244
00:17:33,334 --> 00:17:34,999
No, they are really cool.

245
00:17:34,999 --> 00:17:39,250
So we have used them with water, we have used them with water in them,

246
00:17:39,250 --> 00:17:44,542
and then a beaker of acetone with the chip sitting in it.

247
00:17:44,999 --> 00:17:49,999
And absolutely fantastic.

248
00:17:49,999 --> 00:17:55,417
And if you have watches or jewelry or glasses and you pop them in this,

249
00:17:55,417 --> 00:18:02,209
the first thing you are going to go is, holy shit, am I a filthy person.

250
00:18:03,167 --> 00:18:05,751
You will see it just coming off.

251
00:18:05,751 --> 00:18:06,999
It's like oh, my God!

252
00:18:07,999 --> 00:18:09,876
But they are amazing.

253
00:18:09,876 --> 00:18:12,918
They are super cheap these days, little ones, and

254
00:18:12,918 --> 00:18:16,417
if you get one don't forget to do your wife's

255
00:18:16,417 --> 00:18:19,417
and girlfriend's jewelry.

256
00:18:19,417 --> 00:18:20,417
She will love it.

257
00:18:20,417 --> 00:18:21,417
Okay.

258
00:18:21,999 --> 00:18:24,584
So after it's had a trip through the cleaner, this

259
00:18:24,584 --> 00:18:27,083
is what we have ended up with.

260
00:18:27,083 --> 00:18:29,626
Now, this is not a particularly great microscope

261
00:18:29,626 --> 00:18:32,626
picture because a really cool microscope

262
00:18:32,626 --> 00:18:37,667
doesn't have a lens big enough to take the whole chip.

263
00:18:37,667 --> 00:18:40,959
So this was done with a small crappy USB microscope,

264
00:18:40,959 --> 00:18:44,876
but you can see it's cleaned up a lot.

265
00:18:44,999 --> 00:18:47,083
One of the other things you will notice is missing are

266
00:18:47,083 --> 00:18:50,209
the bond wires, or a lot of the bond wires.

267
00:18:50,542 --> 00:18:54,959
That's because the chip was vibrating around in the ultrasonic bath and

268
00:18:54,959 --> 00:18:57,834
they simply got knocked off.

269
00:18:57,834 --> 00:18:59,083
They are pretty fragile.

270
00:19:00,334 --> 00:19:02,876
So let's take a bit of a closer look.

271
00:19:03,667 --> 00:19:08,250
So this is it under a microscope, and this is one of the kind

272
00:19:08,250 --> 00:19:11,999
of identification areas of the chip.

273
00:19:12,459 --> 00:19:16,167
These numbers here represent the layers.

274
00:19:16,542 --> 00:19:21,999
So the die is built up in layer upon layer upon layer.

275
00:19:22,334 --> 00:19:31,751
So as the chip is manufactured, you take your puck of silicon,

276
00:19:31,751 --> 00:19:44,083
you have your wafer, and it's constant, so basically you expose or you, okay.

277
00:19:44,375 --> 00:19:45,792
Start from the beginning.

278
00:19:45,792 --> 00:19:51,083
You have your wafer, you lay down a mask, which is a chemical that

279
00:19:51,083 --> 00:19:56,709
is etched away by typically ultraviolet light.

280
00:19:58,083 --> 00:20:03,667
Once that's coated, that resist is coated on the die, you have

281
00:20:03,667 --> 00:20:08,209
a large image of the portion of the chip.

282
00:20:09,626 --> 00:20:14,167
You focus it down onto the die, onto the wafer, expose it

283
00:20:14,167 --> 00:20:17,709
with ultraviolet light, and then you rinse

284
00:20:17,709 --> 00:20:22,876
the resist chemical away, and that just leaves an exposed area,

285
00:20:22,876 --> 00:20:25,999
which you can then dot with another layer

286
00:20:25,999 --> 00:20:32,125
of silicon and just build it up and build it up and build it up.

287
00:20:32,125 --> 00:20:37,000
So these identifiers are kind of registration marks for each layer

288
00:20:37,000 --> 00:20:42,626
as it got laid down so they can see, well, actually, you know,

289
00:20:42,626 --> 00:20:46,876
you did actually put down layer 156.

290
00:20:46,999 --> 00:20:53,999
The reason the colors are different is because of the different depths.

291
00:20:53,999 --> 00:20:58,999
They are reflecting the light slightly differently.

292
00:21:03,999 --> 00:21:05,876
Never again.

293
00:21:05,876 --> 00:21:06,876
No Jack Daniels.

294
00:21:10,417 --> 00:21:16,083
So let's zoom in a little bit more, a little bit more.

295
00:21:16,999 --> 00:21:20,792
So you can get really great detail.

296
00:21:23,083 --> 00:21:24,999
Here are the bond wires.

297
00:21:25,083 --> 00:21:29,999
These, as you see, there is the two on the left-hand side

298
00:21:29,999 --> 00:21:34,334
of this picture are actually missing.

299
00:21:34,334 --> 00:21:36,918
They got simply vibrated off.

300
00:21:36,999 --> 00:21:40,709
So there are typically two types of bonds.

301
00:21:40,709 --> 00:21:45,125
This is called a ball bond, which is the more modern technique.

302
00:21:45,125 --> 00:21:47,459
The older technique is called a wedge bond,

303
00:21:47,459 --> 00:21:52,083
and you can find wedge bonders on eBay, of course.

304
00:21:52,209 --> 00:21:54,167
If you wanted to take the die and try and put it

305
00:21:54,167 --> 00:21:58,083
into a new lead frame, but there are better techniques.

306
00:21:58,083 --> 00:22:00,876
The ball bonds are quite clever.

307
00:22:02,125 --> 00:22:05,918
The wire comes out, it gets hit by a little paddle.

308
00:22:05,918 --> 00:22:09,209
There is an electric charge between them, and it causes

309
00:22:09,209 --> 00:22:15,626
the little gold wire to fuse into a ball, and then it ultrasonically pushes that

310
00:22:15,626 --> 00:22:19,501
ball down and welds it onto the pad.

311
00:22:19,792 --> 00:22:26,083
If you go to YouTube and search for die bonding, the speed

312
00:22:26,083 --> 00:22:31,999
the die bonds go at is truly unbelievable.

313
00:22:32,918 --> 00:22:37,751
And they are literally dropping a bond on the die, taking it

314
00:22:37,751 --> 00:22:41,999
to the lead frame at the speed of light.

315
00:22:41,999 --> 00:22:42,999
It's unbelievable.

316
00:22:43,209 --> 00:22:46,167
So why the hell are we doing this?

317
00:22:47,167 --> 00:22:49,709
That's a reasonable question.

318
00:22:49,709 --> 00:22:52,999
You have sat there very patiently while I have rambled on.

319
00:22:52,999 --> 00:22:55,999
Well, there are some really good reasons to do this actually.

320
00:22:57,083 --> 00:22:59,083
So here is a really simple example.

321
00:23:00,459 --> 00:23:06,083
A friend of mine is a model maker and he was actually one

322
00:23:06,083 --> 00:23:11,334
of the guys that built the Hogwarts model.

323
00:23:11,999 --> 00:23:16,918
And we are having a beer one day, and he started talking about this plug.

324
00:23:16,999 --> 00:23:22,459
This is given away cheaply by one of our power companies in the U.K.

325
00:23:22,459 --> 00:23:27,083
And it's a power saving device.

326
00:23:27,083 --> 00:23:31,292
You plug your computer into the master socket, or your TV,

327
00:23:31,292 --> 00:23:35,999
and your peripherals into the slave sockets on the side,

328
00:23:35,999 --> 00:23:42,167
and when you turn the master on, it turns on the peripherals.

329
00:23:42,334 --> 00:23:43,918
Simple, easy.

330
00:23:44,125 --> 00:23:48,626
But what they wanted to use it for was dust collection for power tools.

331
00:23:48,626 --> 00:23:51,250
So basically you plug the power tool into the master.

332
00:23:51,250 --> 00:23:54,250
The extraction system will be plugged into the slave and

333
00:23:54,250 --> 00:23:59,125
as soon as you turn it on, extraction starts and they can go.

334
00:23:59,125 --> 00:24:03,250
The only problem with this is there is a five-second delay

335
00:24:03,250 --> 00:24:08,999
between the master turning on and the slave turning on.

336
00:24:08,999 --> 00:24:10,959
And that, they just can't handle that.

337
00:24:10,999 --> 00:24:17,542
The alternatives, the actual, if you went to buy one of these,

338
00:24:17,542 --> 00:24:24,959
they charge 150 quid, so about $250 for something like this.

339
00:24:24,959 --> 00:24:27,083
This costs 8 quid for something doing pretty much

340
00:24:27,083 --> 00:24:29,709
exactly the same thing.

341
00:24:29,959 --> 00:24:37,417
So he mentioned that someone had hacked this and was asking me about it.

342
00:24:37,626 --> 00:24:42,459
So when we actually take a look at it, it's a pretty simple device.

343
00:24:42,876 --> 00:24:47,083
So on the top here you have a little power supply,

344
00:24:47,083 --> 00:24:53,501
the most important thing is this resistor here, resistor 17, which

345
00:24:53,501 --> 00:24:56,999
is to measure the current.

346
00:24:58,083 --> 00:25:03,999
So here are the actual born bits, we have two bits here,

347
00:25:03,999 --> 00:25:08,999
a logic chip which is clearly marked, Cirrus Logic

348
00:25:08,999 --> 00:25:15,999
is CS456, and you type that into Google, get the datasheet and you are

349
00:25:15,999 --> 00:25:24,167
off, and then we have the OC706 or, if you look at the other plug, the OC708.

350
00:25:25,999 --> 00:25:29,083
Can't find anything about this device.

351
00:25:29,501 --> 00:25:33,542
Now, when you read the Cirrus Logic datasheet, this

352
00:25:33,542 --> 00:25:38,292
is a current-to-frequency converter chip, so it's measuring current

353
00:25:38,292 --> 00:25:42,876
across the resistor and outputting frequency.

354
00:25:43,125 --> 00:25:48,792
And it needs a clock as well, and this, when you reverse the circuit,

355
00:25:48,792 --> 00:25:54,250
this OC706 chip is supplying the clock to the Cirrus Logic chip,

356
00:25:54,250 --> 00:25:59,876
but after a ton of Googling, and it's interesting because you

357
00:25:59,876 --> 00:26:05,459
will see other people searching, you know, Google suggesting, oh,

358
00:26:05,459 --> 00:26:11,626
did you mean OC708, people are searching for similar parts.

359
00:26:12,167 --> 00:26:17,083
Now, it makes sense that this is a small microcontroller,

360
00:26:17,083 --> 00:26:22,834
but unless we know what it is, it's completely useless.

361
00:26:22,834 --> 00:26:28,918
So the guy that hacked it basically pretty much replaced this entire chip

362
00:26:28,918 --> 00:26:34,626
with a PIC chip, clutched it in and away he went.

363
00:26:34,709 --> 00:26:41,375
But we can do better than that, so if you plink, plink, fizz this chip, this

364
00:26:41,375 --> 00:26:43,999
is what you get.

365
00:26:44,250 --> 00:26:49,375
And thank you, NEC, for having nice big part numbers here.

366
00:26:49,375 --> 00:26:50,999
This is D70F9212.

367
00:26:52,751 --> 00:26:54,918
It's a little microcontroller.

368
00:26:54,999 --> 00:26:56,959
You go onto the NEC site.

369
00:26:58,209 --> 00:27:01,918
Here is a compiler for it, here are all of the development tools.

370
00:27:01,918 --> 00:27:02,918
They are all free.

371
00:27:02,918 --> 00:27:04,083
So we are away.

372
00:27:04,709 --> 00:27:09,792
Major here hasn't quite had it dumped on him to write the code,

373
00:27:09,792 --> 00:27:12,918
but that's coming shortly.

374
00:27:12,918 --> 00:27:13,167
ADAM 'MAJOR MALFUNCTION' LAURIE: That's

375
00:27:13,167 --> 00:27:15,125
because some idiot destroyed the chip.

376
00:27:15,125 --> 00:27:18,999
ZAC FRANKEN: Plenty more where those came from.

377
00:27:21,459 --> 00:27:28,918
So other interesting things, this is the (inaudible), it's another chip,

378
00:27:28,918 --> 00:27:35,999
slightly older, and we are going to zoom in a little bit, and zoom in,

379
00:27:35,999 --> 00:27:41,167
and it starts to look quite interesting.

380
00:27:41,250 --> 00:27:43,501
So this is an area on the chip.

381
00:27:46,083 --> 00:27:49,125
Really close, and you can actually really start

382
00:27:49,125 --> 00:27:51,999
to see some proper texture.

383
00:27:53,292 --> 00:27:54,584
Okay.

384
00:27:54,584 --> 00:28:00,999
So one of the things we decided to do was clean the image up a bit.

385
00:28:03,125 --> 00:28:09,209
So we are going to use an acid, so the very top layer of the die

386
00:28:09,209 --> 00:28:14,709
is what's called a passivation layer, it's a simple layer

387
00:28:14,709 --> 00:28:20,459
of silicon dioxide glass to protect the chip, the electronics

388
00:28:20,459 --> 00:28:25,876
underneath, from any contaminants in the epoxy.

389
00:28:25,876 --> 00:28:28,626
So it's just basically to seal the top.

390
00:28:28,626 --> 00:28:33,834
But, again, if we remove that, we will get a nice, nice fresh image.

391
00:28:34,250 --> 00:28:38,501
So anyone got any ideas?

392
00:28:41,292 --> 00:28:43,375
Hydrochloric acid.

393
00:28:43,375 --> 00:28:47,999
ZAC FRANKEN: Some people have tried to polish it off, and that works

394
00:28:47,999 --> 00:28:52,083
to a certain extent, but it can be really hard getting

395
00:28:52,083 --> 00:28:56,792
the chip perfectly flat because these layers are incredibly

396
00:28:56,792 --> 00:29:01,999
thin, and if it's just off slightly, then you start digging in deeper

397
00:29:01,999 --> 00:29:06,375
on one end of the chip and you lose detail.

398
00:29:06,375 --> 00:29:07,375
It's a nightmare.

399
00:29:07,375 --> 00:29:11,626
Hydrofluoric acid, and hydrofluoric acid is used

400
00:29:11,626 --> 00:29:17,417
in the chip manufacturing process, when I was talking about the resists

401
00:29:17,417 --> 00:29:23,250
they use hydrofluoric acid, which they use to remove too.

402
00:29:24,834 --> 00:29:29,209
So nitric acid is pretty nasty.

403
00:29:29,209 --> 00:29:33,334
Hydrofluoric acid is fucking horrendous.

404
00:29:41,626 --> 00:29:47,999
Pure, pure, pure, horrendously evil stuff!

405
00:29:50,959 --> 00:29:52,999
Not quite this time.

406
00:29:53,999 --> 00:30:01,000
It is the piss of the devil.

407
00:30:01,000 --> 00:30:02,000
(Laughter).

408
00:30:02,000 --> 00:30:07,125
It's, you can imagine some little sinner getting dipped in it repeatedly.

409 00:30:08,167 --> 00:30:13,417 So for those of you not familiar, it's an acid, so it does all of the kind
410 00:30:13,417 --> 00:30:17,626 of usual bad stuff that the nitric acid does.
411 00:30:18,209 --> 00:30:21,542 It dissolves glass, so that can be a little bit of an issue,
412 00:30:21,542 --> 00:30:26,209 but that's actually what we want it to do, so we are cool with that.
413 00:30:27,751 --> 00:30:32,667 It's quite toxic somewhat.
414 00:30:33,501 --> 00:30:36,459 It eats calcium and magnesium.
415 00:30:37,292 --> 00:30:41,999 And depending on the concentration, if you actually get it on you,
416 00:30:41,999 --> 00:30:44,999 you won't notice for 24 hours.
417 00:30:44,999 --> 00:30:56,959 So bad, bad, bad, bad, bad, bad, bad shit, okay.
418 00:30:57,626 --> 00:31:03,584 So I mentioned it dissolved calcium, yes, loves calcium.
419 00:31:06,667 --> 00:31:07,999 Yeah!
420 00:31:11,083 --> 00:31:12,834 You wish!
421 00:31:12,834 --> 00:31:14,167 It looks like this.
422 00:31:15,209 --> 00:31:19,542 So anyone notice anything about this picture, especially the one
423 00:31:19,542 --> 00:31:21,375 on the right?
424 00:31:21,999 --> 00:31:24,626 Apart from its extreme grossness.
425 00:31:30,250 --> 00:31:36,709 So the reason the finger is wrinkly at the top is because there is no bone
426 00:31:36,709 --> 00:31:39,834 in there, it's all gone.
427 00:31:39,999 --> 00:31:42,667 And what's more, it will work its way up.
428 00:31:42,667 --> 00:31:50,959 Bad, bad, bad, bad, bad shit.
429 00:31:51,250 --> 00:31:55,999 So the calcium gluconate gel will.
430 00:31:55,999 --> 00:32:03,999 So the point of the gel is to feed the acid calcium.
431 00:32:04,459 --> 00:32:07,918 So it prefers the calcium gluconate rather than
432 00:32:07,918 --> 00:32:10,999 the calcium in your bones.
433 00:32:12,918 --> 00:32:18,083 So when I say hydrofluoric is bad, it gets worse.
434 00:32:18,083 --> 00:32:23,501 So if you read treatment regimens for hydrofluoric acid,
435 00:32:23,501 --> 00:32:32,125 it won't say slap on calcium gluconate, they have EpiPens with it in.
436 00:32:39,999 --> 00:32:43,999 The treatment regimen says under no circumstances give
437 00:32:43,999 --> 00:32:47,959 the victim any pain relief whatsoever.
438 00:32:47,999 --> 00:32:51,834 No local anesthetics, nothing, because they know that
439 00:32:51,834 --> 00:32:56,083 they finally treated you when it stops hurting.
440 00:32:56,626 --> 00:33:00,083 So basically throughout the treatment, you are going to be in agony, and
441 00:33:00,083 --> 00:33:02,083 they are going to keep you in agony
442 00:33:02,083 --> 00:33:06,709 because they know when it stops hurting, you are probably okay.
443 00:33:09,250 --> 00:33:18,999 So I wanted to do this and it's like, how the hell am I going to do this?
444 00:33:19,083 --> 00:33:24,167 I had a course of dental treatment, my dentist is quite young and hip
445 00:33:24,167 --> 00:33:29,334 and we were chatting away, what do you do, et cetera, et cetera,
446 00:33:29,334 --> 00:33:35,999 and he happens to mention, oh, we use hydrofluoric, I'm like, really?
447 00:33:41,501 --> 00:33:48,083 And that's really interesting and slightly scary.
448 00:33:50,459 --> 00:33:52,584 So this is the stuff.
449 00:33:52,584 --> 00:33:56,501 This is dental hydrofluoric acid gel.
450 00:33:57,876 --> 00:34:02,626 A company called Henry Schein Dental Supply.
451 00:34:04,083 --> 00:34:05,459 Sorry?
452 00:34:06,542 --> 00:34:09,167 Ask your dentist nicely, absolutely.
453 00:34:10,250 --> 00:34:12,209 And he will do that too.
454 00:34:12,209 --> 00:34:13,834 We will get there in a minute.
455 00:34:15,417 --> 00:34:18,999 So I'm like, oh, where would you get, oh, yes, the various dental suppliers, and
456 00:34:18,999 --> 00:34:20,584 he wrote me a list and one was called
457 00:34:20,584 --> 00:34:22,999 a company called Henry Schein.
458 00:34:24,375 --> 00:34:29,459 So this is a dill, this shows you the level of insanity that's out there.
459 00:34:29,918 --> 00:34:33,459 When I order components from one of the big U.K.
460 00:34:33,459 --> 00:34:36,125 component suppliers like RS, if I'm crazy enough
461 00:34:36,125 --> 00:34:39,417 to want something like a lithium coin cell,
462 00:34:39,417 --> 00:34:43,751 like two lithium coin cells because I happen to need some
463 00:34:43,751 --> 00:34:48,751 and I threw them on another order, hazard lights start flashing and
464 00:34:48,751 --> 00:34:51,999 they say, oh, this is a hazardous material,
465 00:34:51,999 --> 00:34:57,209 and so basically what that means is your lithium coin cells will arrive
466 00:34:57,209 --> 00:35:02,501 by a separate shipment three days later than you actually needed them,
467 00:35:02,501 --> 00:35:06,125 and they will be in a box like this.
468 00:35:07,083 --> 00:35:11,918 I'm not shitting you, for two coin cells, slapped
469 00:35:11,918 --> 00:35:15,292 with big hazard diamonds.
470 00:35:15,751 --> 00:35:19,999 It's like, holy crap, this arrived in a little box, no markings at all.
471 00:35:19,999 --> 00:35:24,250 It's like, okay.
472 00:35:28,626 --> 00:35:33,542 So it arrives in these little syringes, and, yes,
473 00:35:33,542 --> 00:35:41,125 some interesting things, so they actually use it inside your mouth.
474 00:35:41,125 --> 00:35:44,167 So the hydro hygienist will be there
475 00:35:44,167 --> 00:35:50,667 with the distracter sucking away while the dentist is putting it
476 00:35:50,667 --> 00:35:56,999 on your crowns to roughen them up before he applies an adhesive,
477 00:35:56,999 --> 00:36:01,083 but it's designed for dentists.
478 00:36:01,292 --> 00:36:06,125 It's not for chemists or for people working in fabs.
479 00:36:06,125 --> 00:36:09,459 It's designed for a dentist who is kind of quite technical,
480 00:36:09,459 --> 00:36:14,083 but he is not a chemist, he is not a rocket scientist.
481 00:36:14,292 --> 00:36:15,542 He is a dentist.
482 00:36:15,792 --> 00:36:20,083 So it comes in a gel form, which is pretty cool, because, again,
483 00:36:20,083 --> 00:36:24,417 I wanted to be as safe as possible for me.
484 00:36:24,709 --> 00:36:25,751 Simple as that.
485 00:36:27,334 --> 00:36:32,792 It's dyed so you can see exactly where it's going, which is quite handy,
486 00:36:32,792 --> 00:36:39,751 and it's a low concentration, it's 9.6%, which is low, but it's still effective.
487 00:36:39,999 --> 00:36:41,999 And the other thing, when you are doing stuff
488 00:36:41,999 --> 00:36:44,083 like this yourself, you don't want something
489 00:36:44,083 --> 00:36:46,959 to react necessarily super quickly.
490 00:36:46,999 --> 00:36:48,876 You want to be able to control it.
491 00:36:48,876 --> 00:36:52,417 So actually the fact that it takes a little bit longer to react,
492 00:36:52,417 --> 00:36:54,959 that's just perfect.
493 00:36:55,125 --> 00:36:58,709 But, yes, you definitely want a fume cabinet for this stuff.
494 00:36:59,999 --> 00:37:03,292 So this is a before and after.
495 00:37:03,542 --> 00:37:07,751 So this is the before pic, and this is the after, and it looks blurry
496 00:37:07,751 --> 00:37:12,292 and that's simply because this image is a little bit blurry.
497 00:37:12,584 --> 00:37:18,999 But it's cleaned up the image remarkably.
498 00:37:19,417 --> 00:37:21,083 And as I said, just removing that top
499 00:37:21,083 --> 00:37:23,167 passivation layer.
500 00:37:25,209 --> 00:37:32,083 So here is another shot.
501 00:37:34,125 --> 00:37:36,667 This is another part of the chip.
502 00:37:38,792 --> 00:37:43,834 It has a bug in it, and actually that is the bloody microscope camera.
503 00:37:43,999 --> 00:37:48,959 And it was reasonably cheap actually.
504 00:37:48,959 --> 00:37:49,959 Was it eBay?
505 00:37:49,959 --> 00:37:51,999 I think it might have been eBay.
506 00:37:53,959 --> 00:37:57,083 But, yes, we bought it, it was super cheap,
507 00:37:57,083 --> 00:38:02,250 and I think it got dropped and internally within it had a crack
508 00:38:02,250 --> 00:38:07,999 on the lens, and trying to actually clean it out, impossible.
509 00:38:07,999 --> 00:38:11,417 And ideally with the sort of imaging we do, we wanted to get
510 00:38:11,417 --> 00:38:17,417 the whole thing imaged, and when it has got bits of crap on it, it's not ideal.
511 00:38:18,083 --> 00:38:23,834 This particular bit of crap I actually think was on the die.
512 00:38:24,751 --> 00:38:29,083 So yes, it was.
513 00:38:29,417 --> 00:38:31,999 So you can see there is a color change
514 00:38:31,999 --> 00:38:34,918 between these two images, and that's
515 00:38:34,918 --> 00:38:39,375 because we have now removed a layer, so as I said earlier,
516 00:38:39,375 --> 00:38:43,459 colors represent depth, and the depths won't change
517 00:38:43,459 --> 00:38:47,167 because there is no longer a layer.
518 00:38:47,751 --> 00:38:51,083 And it also opens this die up for microprobing,
519 00:38:51,083 --> 00:38:57,250 so you can buy a microprobing station, which is an amazing piece of kit.
520 00:38:58,999 --> 00:39:04,083 And it will allow you to put probes on these lines, and actually sniff
521 00:39:04,083 --> 00:39:06,999 the data going through.
522 00:39:07,292 --> 00:39:08,292 eBay.
523 00:39:08,751 --> 00:39:12,083 I think that was our most expensive eBay purchase.
524 00:39:12,083 --> 00:39:13,209 That was about $5,000.
525 00:39:13,584 --> 00:39:20,083 Ours came from San Diego, and it was the best eBay deal ever.
526 00:39:20,083 --> 00:39:24,083 It had lots of accessories, and a great microscope.
527 00:39:24,083 --> 00:39:27,999 But have a look, it's called the microprobing station,
528 00:39:27,999 --> 00:39:32,501 and basically it's a microscope with a special stage,
529 00:39:32,501 --> 00:39:38,667 and you have micropositioners that allow you to move a very fine probe,
530 00:39:38,667 --> 00:39:45,709 and we are talking about fine, I have probes that are 0.25 of a micron.
531 00:39:46,167 --> 00:39:50,999 So you can move them very accurately and just plop them on these lines
532 00:39:50,999 --> 00:39:54,999 and you can sniff the data on the chip buses.
533 00:39:54,999 --> 00:39:56,542 But that's for another talk.
534 00:39:56,542 --> 00:40:01,125 So it is, you did say be nice to your dentist, and it is important
535 00:40:01,125 --> 00:40:04,584 to be nice to your dentist.
536 00:40:04,792 --> 00:40:09,999 I was nice to my dentist, and this is what he gave me.
537 00:40:10,417 --> 00:40:14,375 So I was in for several sessions and I said, hey,
538 00:40:14,375 --> 00:40:20,834 can I bring you some stuff in and get you to X-ray them for me?
539 00:40:20,834 --> 00:40:23,000 He was like, sure, that sounds like fun.
540 00:40:23,999 --> 00:40:25,417 Excellent!
541 00:40:26,375 --> 00:40:27,876 And I did.
542 00:40:28,250 --> 00:40:32,209 So it was just kind of one of those things, it's like, dental X-ray,
543 00:40:32,209 --> 00:40:37,083 is it going to be useful and interesting for this sort of stuff?
544 00:40:37,334 --> 00:40:39,709 And as it turns out, yes, it is.
545 00:40:40,083 --> 00:40:48,000 So I brought a little selection of chips and plopped them down.
546 00:40:48,250 --> 00:40:52,375 He zapped them, and this is what we have ended up with.
547 00:40:52,999 --> 00:40:58,459 So the good thing about these is X-rays are one to one.
548 00:40:58,459 --> 00:41:02,999 So these are scale size chips.
549 00:41:02,999 --> 00:41:05,999 And it means that when you pop them under a microscope,
550 00:41:05,999 --> 00:41:08,999 you can do things like blow them up.
551 00:41:09,125 --> 00:41:12,999 These are the bond wires in situ inside the chip.
552 00:41:19,292 --> 00:41:24,959 And this guy here has three bond wires going to the same pad, and it turns
553 00:41:24,959 --> 00:41:30,834 out that's a power supply line, so that was a ground in that case.
554 00:41:30,918 --> 00:41:33,792 So the chip needs more current, needs more bond wires to handle
555 00:41:33,792 --> 00:41:36,918 the current, so they stack three up.
556 00:41:39,584 --> 00:41:41,459 Any idea what this is?
557 00:41:41,876 --> 00:41:45,083 The texture at the back might give you a hint.
558 00:41:46,292 --> 00:41:47,709 No takers?
559 00:41:48,417 --> 00:41:53,375 So this texture is a very thin sheet of fiberglass, and it's
560 00:41:53,375 --> 00:41:56,417 a little bit hard to see.
561 00:41:56,417 --> 00:41:57,417 This is a SIM chip.
562 00:41:57,751 --> 00:42:00,792 So you can actually see the bond wires coming from the die
563 00:42:00,792 --> 00:42:02,626 in the center.
564 00:42:02,626 --> 00:42:04,709 The die you can't really see, but you can see
565 00:42:04,709 --> 00:42:08,584 the bond wires outlining the die going to the various pads
566 00:42:08,584 --> 00:42:10,709 of the SIM chip.
567 00:42:12,542 --> 00:42:15,125 Now, this one is particularly interesting.
568 00:42:15,999 --> 00:42:18,999 We were doing some testing for a client.
569 00:42:19,501 --> 00:42:21,667 One of the things we do apart from kind
570 00:42:21,667 --> 00:42:24,584 of security reverse engineering is we do a little bit
571 00:42:24,584 --> 00:42:26,999 of assurance work as well.
572 00:42:27,542 --> 00:42:32,999 And when we were kind of looking for with this chip,
573 00:42:32,999 --> 00:42:38,250 and when we X-rayed it, it's like, holy shit!
574 00:42:38,250 --> 00:42:42,250 We know about chips one and two, these two guys over here.
575 00:42:42,250 --> 00:42:44,209 What the fuck is this?
576 00:42:45,918 --> 00:42:52,792 And it turns out that that is a radio chip, which we weren't expecting
577 00:42:52,792 --> 00:42:56,250 in this particular device.
578 00:42:56,250 --> 00:43:00,459 And as it turns out, it's there legitimately,
579 00:43:00,459 --> 00:43:06,834 but it could be completely illegitimate, so there are issues
580 00:43:06,834 --> 00:43:11,999 with supply lines being compromised, fabs churning
581 00:43:11,999 --> 00:43:19,834 out dies that have modifications, and here is a small RF device that could
582 00:43:19,834 --> 00:43:23,999 be embedded in the die itself.
583 00:43:25,083 --> 00:43:27,999 I'm sorry?
584 00:43:27,999 --> 00:43:29,459 No, that wasn't a USB actually.
585 00:43:29,709 --> 00:43:33,999 I can't tell you what it was, unfortunately, but it was like, holy crap!
586 00:43:33,999 --> 00:43:37,209 ADAM 'MAJOR MALFUNCTION' LAURIE: The guy in the middle
587 00:43:37,209 --> 00:43:40,083 is a processor and the one on the left was
588 00:43:40,083 --> 00:43:44,334 an (inaudible), what we were doing is looking at the bond wires
589 00:43:44,334 --> 00:43:47,667 between the processor and the EPROM and watching
590 00:43:47,667 --> 00:43:51,542 the conversation between the two, and, yes, that RF chip,
591 00:43:51,542 --> 00:43:55,167 the way we actually figured out it was an RF chip was
592 00:43:55,167 --> 00:43:59,083 he pulled it out of the bottom of the char when we plink,
593 00:43:59,083 --> 00:44:01,959 plink fizzed it, zoomed in and there was
594 00:44:01,959 --> 00:44:06,584 the manufacturer's part number, look it up, holy crap!
595 00:44:06,999 --> 00:44:11,999 ZAC FRANKEN: The interesting thing was I must have plinked half
596 00:44:11,999 --> 00:44:17,083 a dozen of these chips, and I'm going to go through the debris,
597 00:44:17,083 --> 00:44:22,999 and I'm picking out, and actually in this particular case the processor
598 00:44:22,999 --> 00:44:25,999 and the EPROM, there are bond wires so
599 00:44:25,999 --> 00:44:29,417 they are joined together so they are easy
600 00:44:29,417 --> 00:44:32,999 to spot and you pick them out.
601 00:44:33,584 --> 00:44:36,999 And I kept coming across, like a few weeks later
602 00:44:36,999 --> 00:44:41,999 after I had done a whole bunch of them, I noticed that there were, you know,
603 00:44:41,999 --> 00:44:48,751 bigger chunks in the crap at the bottom, and it turned out to be this little die.
604 00:44:48,751 --> 00:44:51,999 ADAM 'MAJOR MALFUNCTION' LAURIE: At that point we hadn't X-rayed
605 00:44:51,999 --> 00:44:55,083 it, so we didn't know exactly what we were dealing
606 00:44:55,083 --> 00:44:59,999 with, and we were only expecting those two chips in there, so.
607 00:44:59,999 --> 00:45:02,209 ZAC FRANKEN: So that was very interesting.
608 00:45:02,209 --> 00:45:04,417 And as I said, it's like, what is this?
609 00:45:04,626 --> 00:45:05,999 There are several of these.
610 00:45:05,999 --> 00:45:07,792 Where the hell did these come from?
611 00:45:07,792 --> 00:45:12,125 And actually on every chip I plinked, there was one of those lurking
612 00:45:12,125 --> 00:45:15,375 in the grunge at the bottom.
613 00:45:20,417 --> 00:45:26,999 So with this particular project, we wanted access to sniff the data
614 00:45:26,999 --> 00:45:30,667 on these lines going between the MCU
615 00:45:30,667 --> 00:45:33,918 and this EPROM chip.
616 00:45:34,999 --> 00:45:40,417 So plink, plink fizzing it isn't going to cut it because I need the chip
617 00:45:40,417 --> 00:45:42,626 to be operable.
618 00:45:42,834 --> 00:45:46,999 So there is a handy machine to do it.
619 00:45:47,292 --> 00:45:48,999 It's called a Nisene JetEtch.
620 00:45:49,375 --> 00:45:50,626 It's amazing.
621 00:45:50,667 --> 00:45:55,501 It's this size and you pop your chip in and it will etch a hole in it
622 00:45:55,501 --> 00:45:57,626 down to the die.
623 00:45:58,584 --> 00:46:01,626 The only problem, $22,000.
624 00:46:02,250 --> 00:46:08,584 I have a constant eBay search for one and I haven't seen one yet.
625 00:46:09,375 --> 00:46:16,584 So it's like, okay, it's $22,000, but I reckon it's doable.
626 00:46:16,999 --> 00:46:23,999 So I came up with this device, this device is called the decapenator,
627 00:46:23,999 --> 00:46:29,792 and I wrote a blog post about it, and I'm saying, okay,
628 00:46:29,792 --> 00:46:36,501 I have got this design, I'm going to send out for the bets, and I
629 00:46:36,501 --> 00:46:39,209 will fill you in.
630 00:46:39,209 --> 00:46:41,999 Well, I'm a lazy fuck and I haven't actually
631 00:46:41,999 --> 00:46:45,083 updated to say, yes, it works.
632 00:46:45,083 --> 00:46:47,375 So you actually get to see the results.
633 00:46:47,375 --> 00:46:53,959 So this was my plan for it, so you have a hot plate at the bottom,
634 00:46:53,959 --> 00:47:01,751 your flask of nitric acid, you have in this drawing a syringe pushing air
635 00:47:01,751 --> 00:47:07,999 in so that the nitric acid comes up, I ended up using
636 00:47:07,999 --> 00:47:15,334 an aquarium pump, and Teflon is resistant to hot nitric acid.
637 00:47:15,584 --> 00:47:20,125 So I got Teflon rod of two different sizes, and I wanted
638 00:47:20,125 --> 00:47:26,209 to try and use simple tools so this could all be done with a drill press,
639 00:47:26,209 --> 00:47:30,375 and just some simple woodworking bits.
640 00:47:30,375 --> 00:47:35,459 And the Teflon cuts like a dream if you use woodworking tools on it.
641 00:47:35,834 --> 00:47:40,999 So I chopped out these two cups, drilled a hole through the bottom,
642 00:47:40,999 --> 00:47:44,999 learned a little bit about pulling glass pipettes,
643 00:47:44,999 --> 00:47:50,459 it's simple unless you want the pipette to be absolutely straight,
644 00:47:50,459 --> 00:47:56,751 in which case it's a fucking pain in the ass, but it's doable.
645 00:47:59,292 --> 00:48:04,626 I also wanted to be able to control where the acid was going,
646 00:48:04,626 --> 00:48:08,292 to mask into a particular area.
647 00:48:08,334 --> 00:48:13,083 So after a lot of research, I came across this rubber,
648 00:48:13,083 --> 00:48:20,626 this gasket material called Viton ETP 600S, and then I tried to find it.
649 00:48:20,959 --> 00:48:26,250 I looked in all of the usual places, eBay, and Amazon,
650 00:48:26,250 --> 00:48:32,417 and I didn't do Craigslist, I have never done Craigslist,
651 00:48:32,417 --> 00:48:35,083 I don't know why.
652 00:48:35,083 --> 00:48:36,626 I will have a look, actually.
653 00:48:42,834 --> 00:48:46,999 Well, I eventually tracked down some people that did, and
654 00:48:46,999 --> 00:48:50,999 on the way, I came across, it's made by DuPont, I came
655 00:48:50,999 --> 00:48:55,792 across a DuPont distributor, because apparently it's quite new,
656 00:48:55,792 --> 00:49:01,417 that when I said I would like a sample of Viton ETP, he actually wet himself
657 00:49:01,417 --> 00:49:03,375 on the phone.
658 00:49:03,375 --> 00:49:05,792 He was laughing on the phone at me and saying this is as rare
659 00:49:05,792 --> 00:49:07,959 as rocking horse shit.
660 00:49:08,584 --> 00:49:10,083 No, it is.
661 00:49:10,292 --> 00:49:15,834 So I finally tracked down someone else that I could order shit off, and I said, okay,
662 00:49:15,834 --> 00:49:20,959 I would like to order some Viton, how much do you need?
663 00:49:20,959 --> 00:49:26,334 Well, I don't need a lot, just really a six inch square would be fine.
664 00:49:26,584 --> 00:49:30,834 It's like, oh, no, that won't meet the minimum order, which
665 00:49:30,834 --> 00:49:37,459 is 940 millimeters square, and I'm like, okay, yes, that will be fine.
666 00:49:37,834 --> 00:49:38,834 Okay.
667 00:49:38,834 --> 00:49:41,792 That will be 1700 pounds plus that.
668 00:49:41,792 --> 00:49:42,918 So $2,500.
669 00:49:42,999 --> 00:49:47,667 And I'm like, I don't need the Viton that badly.
670 00:49:48,834 --> 00:49:52,751 And I did track down someone who sold me
671 00:49:52,751 --> 00:49:57,083 a six inch by six inch piece of it.
672 00:49:57,083 --> 00:49:59,167 It actually had a hole punched in it.
673 00:49:59,167 --> 00:50:04,542 So I think it was actually on a proper sample sheet, a sample,
674 00:50:04,542 --> 00:50:11,959 it was 200 quid, but in the meantime, I had gotten regular Viton on Amazon,
675 00:50:11,959 --> 00:50:16,250 a big sheet like this, 40 quid, $60.
676 00:50:17,999 --> 00:50:21,918 And I realized that actually the cheap stuff works
677 00:50:21,918 --> 00:50:27,999 because I'm only exposing it for a reasonably short period of time.
678 00:50:27,999 --> 00:50:31,083 The Viton ETP 600 is designed for making gaskets
679 00:50:31,083 --> 00:50:37,626 for pipelines that are pumping nitric acid and shit like this.
680 00:50:37,834 --> 00:50:42,375 So actually, I can have something, the regular Viton, when you look
681 00:50:42,375 --> 00:50:47,876 at the specs on how they test this stuff, it's like, okay, we are going
682 00:50:47,876 --> 00:50:52,834 to immerse it in nitric acid for 24 hours and it's like, oh, yes,
683 00:50:52,834 --> 00:50:54,918 it expands 5%.
684 00:50:54,918 --> 00:50:56,999 It's like, okay, that's fine.
685 00:50:57,000 --> 00:51:02,375 It's going to be nowhere near 24 hours, and even if it did expand 5%,
686 00:51:02,375 --> 00:51:04,167 who cares?
687 00:51:04,417 --> 00:51:07,375 Not with the stuff that we were doing.
688 00:51:07,375 --> 00:51:12,999 So we ended up not using the wing nuts.
689 00:51:13,250 --> 00:51:15,751 We actually have a spring pressing down, so
690 00:51:15,751 --> 00:51:19,584 the nuts are still there, but under the nuts is a spring,
691 00:51:19,584 --> 00:51:23,250 and it just presses down that top plate.
692 00:51:23,876 --> 00:51:28,334 And there we go.
693 00:51:28,334 --> 00:51:29,626 That's slightly better.
694 00:51:30,375 --> 00:51:35,334 And I also realized that once you cut the aperture
695 00:51:35,334 --> 00:51:40,083 in the Viton, a handy thing to do is to superglue it
696 00:51:40,083 --> 00:51:44,542 to the chip so it becomes a monolithic thing and
697 00:51:44,542 --> 00:51:51,167 the Viton isn't going to be slipping off the chip, et cetera, and I ended
698 00:51:51,167 --> 00:51:55,542 up using little strips of Viton with a hole cut
699 00:51:55,542 --> 00:51:59,709 in the end so you could put it in and line it
700 00:51:59,709 --> 00:52:05,999 up with the aperture that the acid is going to jet through.
701 00:52:06,999 --> 00:52:12,292 So this was an early mask, simply cut with the scalpel,
702 00:52:12,292 --> 00:52:17,125 but you can use handy things like leather punches
703 00:52:17,125 --> 00:52:20,250 and things like that.
704 00:52:21,250 --> 00:52:24,459 And this was the first trial.
705 00:52:24,459 --> 00:52:28,959 So this is an MSP chip, a little TI MCU.
706 00:52:30,459 --> 00:52:32,918 And this was the first go.
707 00:52:32,918 --> 00:52:35,292 And actually, the results are not too bad.
708 00:52:36,167 --> 00:52:38,999 It got a little bit close to the edge
709 00:52:38,999 --> 00:52:43,542 because it wasn't particularly well aligned and my aperture
710 00:52:43,542 --> 00:52:48,417 is a lot larger than I actually needed for the die.
711 00:52:48,834 --> 00:52:53,542 And actually that's one useful thing about doing X-rays or doing the plink,
712 00:52:53,542 --> 00:52:57,999 plink, fizz, is that you can actually find out exactly how big the die
713 00:52:57,999 --> 00:53:02,417 is and where the die is in order to do some alignment.
714 00:53:04,083 --> 00:53:09,999 So if we jet back to this guy, remember, what I want to do
715 00:53:09,999 --> 00:53:16,083 is intercept these five lines going from the large central chip
716 00:53:16,083 --> 00:53:19,459 to the chip on the left.
717 00:53:19,709 --> 00:53:22,918 So we can sniff the data between them.
718 00:53:25,417 --> 00:53:29,999 So this one was close, but it went too deep.
719 00:53:30,292 --> 00:53:33,209 So you can see the bond wires connecting the two.
720 00:53:34,292 --> 00:53:37,709 But we actually ended up going underneath those chips
721 00:53:37,709 --> 00:53:40,792 and destroying the lead frame that was providing
722 00:53:40,792 --> 00:53:44,125 the interconnects to the outside world.
723 00:53:44,125 --> 00:53:49,375 So that one was a bust, however, this one is just right.
724 00:53:49,417 --> 00:53:55,918 Take it down just far enough to expose the bond wires to tap onto.
725 00:53:56,292 --> 00:54:00,083 Now, I'm actually going to quickly jump back here.
726 00:54:00,959 --> 00:54:04,667 So there were some issues with this initially.
727 00:54:04,959 --> 00:54:08,083 One of them was the air.
728 00:54:08,083 --> 00:54:10,999 So I got the aquarium pump and I put a valve
729 00:54:10,999 --> 00:54:14,209 in so I can adjust the flow.
730 00:54:14,292 --> 00:54:19,375 And then I quickly realized actually that's a variable, and the best thing
731 00:54:19,375 --> 00:54:24,083 for me to do is to try and remove all of the variables.
732 00:54:24,501 --> 00:54:28,459 So the little valve came out and the pump was simply on at max
733 00:54:28,459 --> 00:54:30,626 all of the time.
734 00:54:31,792 --> 00:54:34,292 Another variable was the temperature.
735 00:54:34,584 --> 00:54:37,999 So although I thought I was getting the temperature right, I wasn't.
736 00:54:37,999 --> 00:54:41,999 So I got a hot plate, again, from eBay.
737 00:54:41,999 --> 00:54:44,542 I had a thermocouple probe, which was supposed
738 00:54:44,542 --> 00:54:48,125 to be acid resistant and certainly was not.
739 00:54:48,209 --> 00:54:52,083 No, no, went through two before I'm like, okay.
740 00:54:52,584 --> 00:54:58,667 So I simply made a long tube, sealed the bottom of it, you know,
741 00:54:58,667 --> 00:55:03,125 with a blow torch, and injected thermal transfer
742 00:55:03,125 --> 00:55:09,125 compound into the bottom of it, put my thermocouple in there,
743 00:55:09,125 --> 00:55:15,959 so when I eventually, or eventually I will write this up after Con, you
744 00:55:15,959 --> 00:55:22,167 will see the pictures and you will see that third probe penetrating
745 00:55:22,167 --> 00:55:24,334 the stopper.
746 00:55:24,584 --> 00:55:28,999 So my acid is at a known concentration.
747 00:55:29,125 --> 00:55:32,125 My temperature is at a known setting.
748 00:55:32,417 --> 00:55:34,667 My pressure is at a known setting.
749 00:55:34,834 --> 00:55:40,125 So my only two other variables at that point are the permeability
750 00:55:40,125 --> 00:55:44,250 of the epoxy to the acid and time.
751 00:55:44,751 --> 00:55:47,792 So it becomes pretty controllable.
752 00:55:47,999 --> 00:55:51,999 So that was about three minutes.
753 00:55:52,334 --> 00:55:54,876 And that is a minute and a half.
754 00:55:55,083 --> 00:55:58,918 One minute 30 seconds, and it will always do this.
755 00:55:58,918 --> 00:56:01,999 I have done 20 chips like this.
756 00:56:02,834 --> 00:56:04,375 Spot on.
757 00:56:04,751 --> 00:56:07,125 One minute, 30 seconds, this is where you get to,
758 00:56:07,125 --> 00:56:11,542 and that was absolutely perfect for us to microprobe onto the bond wires
759 00:56:11,542 --> 00:56:15,167 and actually sniff the data passing through.
760 00:56:17,083 --> 00:56:22,999 So I will publish the results of that, and the design, we are going
761 00:56:22,999 --> 00:56:28,209 to open source the design for the decapenator so you guys can
762 00:56:28,209 --> 00:56:33,501 have a go at it as well, and you can start microprobing ICs
763 00:56:33,501 --> 00:56:36,876 that are actually running.
764 00:56:37,542 --> 00:56:42,125 And silicon is the last bastion of security.
765 00:56:42,626 --> 00:56:44,667 You can pull hard drives and analyze them,
766 00:56:44,667 --> 00:56:47,375 you can sniff memory, everyone now is trying
767 00:56:47,375 --> 00:56:50,751 to lock away their secrets in silicon.
768 00:56:50,999 --> 00:56:52,999 That's where they hide the keys.
769 00:56:52,999 --> 00:56:55,999 So we need to be making moves in this area.
770 00:56:56,375 --> 00:56:59,209 The kit is very expensive.
771 00:56:59,209 --> 00:57:01,999 Chris Tarnovsky is very well known, has made a fabulous business
772 00:57:01,999 --> 00:57:05,334 out of this, however, he has a lab with millions and millions
773 00:57:05,334 --> 00:57:07,999 of dollars' worth of equipment.
774 00:57:08,083 --> 00:57:10,709 He is not shopping on eBay.
775 00:57:11,083 --> 00:57:14,792 I can tell you that.
776 00:57:14,792 --> 00:57:18,999 Actually, that's not true, he may well be, but when you buy used fab equipment,
777 00:57:18,999 --> 00:57:22,999 which is available on eBay, it still costs a million dollars
778 00:57:22,999 --> 00:57:25,999 for your FIB device.
779 00:57:28,083 --> 00:57:30,542 Cable money, yes, exactly.
780 00:57:34,083 --> 00:57:38,501 So in a week's time or so, I will have written this up,
781 00:57:38,501 --> 00:57:43,209 and hopefully I want to get to the point where we have a set
782 00:57:43,209 --> 00:57:48,667 of plans that you can just take and build, and possibly we might try
783 00:57:48,667 --> 00:57:55,459 and put together some kits that you can buy and screw together and decap.
784 00:57:56,501 --> 00:57:58,542 So that's it for me.
785 00:57:58,667 --> 00:58:04,999 Now, I work from Hood Monkey over here, and, remember, just to recap.
786 00:58:16,834 --> 00:58:18,083 (Applause).
787 00:58:29,999 --> 00:58:33,250 ADAM 'MAJOR MALFUNCTION' LAURIE: Okay.
788 00:58:33,709 --> 00:58:34,709 Lovely.
789 00:58:34,709 --> 00:58:37,792 So now I know what the smell is coming from his office anyway.
790 00:58:38,125 --> 00:58:39,626 Strange stuff.
791 00:58:39,999 --> 00:58:44,667 So at this point he handed it over to me, and he is like, okay, so, you know,
792 00:58:44,667 --> 00:58:48,083 we are doing the probing and we are doing, you know,
793 00:58:48,083 --> 00:58:52,125 we have the decapping working and so on, now we need to get
794 00:58:52,125 --> 00:58:54,584 the actual code out.
795 00:58:54,584 --> 00:58:56,709 We can sniff the data going between these two buses,
796 00:58:56,709 --> 00:58:59,999 but how about extracting the actual code that's running
797 00:58:59,999 --> 00:59:01,667 on the chip?
798 00:59:01,667 --> 00:59:05,542 We want to see one instruction what it's doing with that data.
799 00:59:06,459 --> 00:59:09,209 Now, the difference between mask ROM
800 00:59:09,209 --> 00:59:13,667 and a programmable chip is a mask ROM chip is hard wired
801 00:59:13,667 --> 00:59:17,250 into the chip so it never changes.
802 00:59:17,250 --> 00:59:18,667 Every chip is identical.
803 00:59:18,667 --> 00:59:20,125 It never gets programmed.
804 00:59:20,125 --> 00:59:21,751 It's actually manufactured.
805 00:59:21,751 --> 00:59:24,209 The instructions are manufactured into the chip.
806 00:59:24,209 --> 00:59:28,751 So the challenge is how do we read the mask ROM?
807 00:59:29,125 --> 00:59:32,999 Well, as Zac mentioned, we identified the image, the part
808 00:59:32,999 --> 00:59:37,999 of the image that is the mask ROM, which is this, and then we look at it,
809 00:59:37,999 --> 00:59:41,876 and we say, okay, well, there is an obvious pattern there,
810 00:59:41,876 --> 00:59:44,375 can we actually read it?
811 00:59:44,667 --> 00:59:55,999 So maybe if we look at this and say, well, is that a 1, 1, 0, so 1, 1, 0, 01,
812 00:59:55,999 --> 00:59:58,083 01, 011.
813 00:59:58,083 --> 00:59:59,584 So, yes, that's binary data.
814 00:59:59,584 --> 01:00:03,999 If I take that and turn it into HEX there are my instructions.
815 01:00:04,999 --> 01:00:07,999 So it's like, okay, this is way too obvious.
816 01:00:07,999 --> 01:00:09,667 This must have been done before.
817 01:00:09,667 --> 01:00:11,375 Someone is already doing this.
818 01:00:11,542 --> 01:00:14,417 And in fact, there is some code, some very smart code that deals
819 01:00:14,417 --> 01:00:17,999 with even smarter images than this called degate.
820 01:00:18,209 --> 01:00:20,792 Anyone here played with or heard of degate?
821 01:00:20,999 --> 01:00:22,167 No.
822 01:00:22,167 --> 01:00:23,167 Okay.
823 01:00:23,167 --> 01:00:25,584 So there is an open source, one guy at the back.
824 01:00:25,584 --> 01:00:26,626 I guess not a lot of people actually play
825 01:00:26,626 --> 01:00:28,501 with this stuff, so.
826 01:00:28,751 --> 01:00:32,999 But the guy who polished the chips off developed this package called
827 01:00:32,999 --> 01:00:37,209 degate, and what it does is image recognition.
828 01:00:37,417 --> 01:00:40,250 So you look at what they were doing was trying to figure
829 01:00:40,250 --> 01:00:43,792 out the crypto algorithm so they had a bunch of gates and
830 01:00:43,792 --> 01:00:47,250 they were looking at OR gates and AND gates and so on, and
831 01:00:47,250 --> 01:00:50,999 they wanted to build a pattern of what the chip was doing, so
832 01:00:50,999 --> 01:00:53,876 they used pattern recognition.
833 01:00:54,000 --> 01:00:56,667 So they would take a picture of the OR gate, find
834 01:00:56,667 --> 01:00:59,167 all of the other OR gates.
835 01:00:59,167 --> 01:01:01,584 Here is an AND gate, find the other AND gates, and
836 01:01:01,584 --> 01:01:04,125 they packaged it up into this software that
837 01:01:04,125 --> 01:01:06,876 will then spit out a graphic representation
838 01:01:06,876 --> 01:01:09,667 of what that circuit is doing.
839 01:01:10,667 --> 01:01:13,292 Fantastic, then I will just point that code at this,
840 01:01:13,292 --> 01:01:17,167 and we will read the mask ROM and then we have the code.
841 01:01:18,209 --> 01:01:22,334 In fact, when I started playing with it, I couldn't find anything in there
842 01:01:22,334 --> 01:01:26,792 for doing a simple here is a mask ROM, read the data, please.
843 01:01:26,999 --> 01:01:30,999 So I thought I was being thick, and I emailed the authors and they said,
844 01:01:30,999 --> 01:01:33,999 yes, no, we have never done that.
845 01:01:33,999 --> 01:01:35,999 We couldn't think of a use case for it.
846 01:01:35,999 --> 01:01:38,999 It would be easy to do, but we haven't done it.
847 01:01:38,999 --> 01:01:41,083 So I'm like, damn it, okay!
848 01:01:41,083 --> 01:01:42,999 Who else has done this kind of stuff?
849 01:01:43,083 --> 01:01:44,999 Okay, the MAME community.
850 01:01:45,083 --> 01:01:48,417 They are constantly reading ROMs and getting games and any
851 01:01:48,417 --> 01:01:53,125 of you guys actually involved in MAME here, MAME hacking?
852 01:01:53,125 --> 01:01:54,751 Not a lot.
853 01:01:54,999 --> 01:01:58,709 Any of you use it, have it, play it?
854 01:01:58,709 --> 01:01:59,751 That's more like it.
855 01:01:59,751 --> 01:02:00,751 Okay.
856 01:02:00,751 --> 01:02:03,626 So, again, I reached out to the MAME community and said,
857 01:02:03,626 --> 01:02:06,459 well, how do you guys do it?
858 01:02:06,834 --> 01:02:11,667 And they said, oh, it's really simple, what you do is you take a picture,
859 01:02:11,667 --> 01:02:16,709 you divide it up into chunks, you send it out to hundreds of people,
860 01:02:16,709 --> 01:02:21,209 and they sit there looking at it typing one, nought, one, nought, one,
861 01:02:21,209 --> 01:02:22,999 one, nought.
862 01:02:22,999 --> 01:02:25,375 So slave labor basically is how they do it.
863 01:02:25,375 --> 01:02:28,501 ZAC FRANKEN: I think the technical term is crowd sourcing.
864 01:02:28,501 --> 01:02:31,209 ADAM 'MAJOR MALFUNCTION' LAURIE: Crowd sourcing.
865 01:02:31,209 --> 01:02:31,667 Very cool and it works because we end
866 01:02:31,667 --> 01:02:34,959 up with MAME games that we can play.
867 01:02:34,959 --> 01:02:39,083 But I really didn't want to sit there typing in 5K of 1s
868 01:02:39,083 --> 01:02:42,834 and 0s, and I couldn't crowd source it
869 01:02:42,834 --> 01:02:49,083 because this was a confidential project, in fact, you are not allowed
870 01:02:49,083 --> 01:02:51,626 to look at this.
871 01:02:52,083 --> 01:02:53,918 You never saw this.
872 01:02:54,250 --> 01:02:56,292 So what to do?
873 01:02:56,542 --> 01:02:59,292 So I thought, okay, well, we know how to do it,
874 01:02:59,292 --> 01:03:01,999 it just isn't in degate.
875 01:03:02,626 --> 01:03:04,999 I will just do it with image recognition.
876 01:03:05,334 --> 01:03:08,999 So I will write a little bit of code that does this, and I
877 01:03:08,999 --> 01:03:13,083 will use OpenCV, which is fantastic image manipulation code
878 01:03:13,083 --> 01:03:18,834 to make stuff like this and all of the hard work is done for you.
879 01:03:18,959 --> 01:03:22,999 It's in Python which rules because I love Python.
880 01:03:22,999 --> 01:03:24,792 ZAC FRANKEN: He is a Python Nazi.
881 01:03:24,792 --> 01:03:27,709 ADAM 'MAJOR MALFUNCTION' LAURIE: It must be in Python.
882 01:03:27,709 --> 01:03:29,999 If it doesn't work in Python, it's not worth it.
883 01:03:29,999 --> 01:03:34,292 That's my philosophy, but then I thought, well, actually,
884 01:03:34,292 --> 01:03:40,999 if you look at this image, there are lots of problems with it.
885 01:03:40,999 --> 01:03:43,999 So we know what the ones and noughts look like, so a bright dot
886 01:03:43,999 --> 01:03:48,167 is a 1 and the absence of a bright dot is a 0.
887 01:03:48,292 --> 01:03:51,959 That's pretty simple, but there is a lot of clutter as well.
888 01:03:51,959 --> 01:03:53,083 There is all of this crap.
889 01:03:53,083 --> 01:03:55,501 So you have got these lines.
890 01:03:55,834 --> 01:03:58,083 We have got what look like columns of data.
891 01:03:58,083 --> 01:04:00,959 So here we have a chunk which is obviously data and then you have got
892 01:04:00,959 --> 01:04:03,083 a separator, and then you have another chunk
893 01:04:03,083 --> 01:04:05,876 and another separator and so on.
894 01:04:06,083 --> 01:04:07,999 You have got all of this crap at the top.
895 01:04:07,999 --> 01:04:13,083 You have got these lines that go along horizontally between the data.
896 01:04:13,250 --> 01:04:17,334 So I figured I'm going to spend so much time trying to get
897 01:04:17,334 --> 01:04:21,999 the code to tell the difference between good data and bad data that
898 01:04:21,999 --> 01:04:26,999 I'm not actually going to be able to successfully automate this process
899 01:04:26,999 --> 01:04:33,125 so I thought the hell with it, what I will do is semi automate the process.
900 01:04:33,125 --> 01:04:35,999 I will automate a way of reading it cleanly
901 01:04:35,999 --> 01:04:40,584 and then automatically reading what's done.
902 01:04:40,999 --> 01:04:43,709 So I created a thing called rompar.
903 01:04:44,083 --> 01:04:49,250 And I will switch the screen to my laptop.
904 01:04:49,501 --> 01:04:52,334 I apologize I hate sitting down and doing this and speaking
905 01:04:52,334 --> 01:04:55,167 from behind a laptop because I'm going to be doing a lot
906 01:04:55,167 --> 01:04:57,375 of mousing and fiddling.
907 01:04:58,542 --> 01:04:59,792 Bye.
908 01:05:23,083 --> 01:05:29,083 They promised me it would just come straight out.
909 01:05:29,250 --> 01:05:30,542 Okay.
910 01:05:30,834 --> 01:05:34,959 ZAC FRANKEN: So the laugh is when we were in the green room,
911 01:05:34,959 --> 01:05:40,167 it was my laptop that was fucking up left, right and center.
912 01:05:40,167 --> 01:05:41,999 And he was like, yes, mine is fine!
913 01:05:48,125 --> 01:05:51,334 ADAM 'MAJOR MALFUNCTION' LAURIE: Okay.
914 01:05:57,501 --> 01:06:00,501 We have got bags of time, just talk amongst yourselves.
915 01:06:05,417 --> 01:06:13,167 I have a question.
916 01:06:13,167 --> 01:06:18,125 ZAC FRANKEN: The question was I heard of glob tops and impact
917 01:06:18,125 --> 01:06:24,250 and glob tops is a chip on board you are talking about.
918 01:06:24,250 --> 01:06:32,125 Yes, so the industry term is COB, chip on board, so basically the die
919 01:06:32,125 --> 01:06:40,542 is placed directly on to the PCB, and then is bonded onto the board,
920 01:06:40,542 --> 01:06:49,999 and then they drop a drop of very runny epoxy to actually solidify.
921 01:06:50,125 --> 01:06:51,999 So we haven't tried those.
922 01:06:51,999 --> 01:06:57,334 I mean, we have tried them to the point that we have decapped
923 01:06:57,334 --> 01:07:02,999 using the plink, plink, fizz method, things like SIMs,
924 01:07:02,999 --> 01:07:10,417 which are so heavily armored in the silicon, it's unbelievable.
925 01:07:10,417 --> 01:07:12,751 So you can see all of the chips we have seen here,
926 01:07:12,751 --> 01:07:16,999 they look great, you can actually see, you know, the pathways and areas
927 01:07:16,999 --> 01:07:18,876 on the chip.
928 01:07:18,999 --> 01:07:24,334 If you look at a SIM, which is intended to be secure silicon, the top of it
929 01:07:24,334 --> 01:07:28,834 is just pretty much a layer of gold armor designed to disable
930 01:07:28,834 --> 01:07:31,999 the chip if you penetrate it.
931 01:07:31,999 --> 01:07:34,876 Interestingly enough it may well be possible to do
932 01:07:34,876 --> 01:07:37,999 with a decapenator because the decapenator ended
933 01:07:37,999 --> 01:07:41,834 up being such a useful tool, I can decapenate the chip,
934 01:07:41,834 --> 01:07:45,709 so initially I was taking the chip off the PCB, putting it
935 01:07:45,709 --> 01:07:49,709 through the decapenator, putting it back on.
936 01:07:49,834 --> 01:07:52,959 I was able to get to the point where I could decapenate
937 01:07:52,959 --> 01:07:56,375 the chip while it was still on the PCB.
938 01:07:56,501 --> 01:08:01,918 So I was putting whole PCBs into the decapenator and decapping that
939 01:08:01,918 --> 01:08:05,999 one chip, and that was pretty cool.
940 01:08:05,999 --> 01:08:09,959 I thought it may be possible to do, and it turns out it totally is.
941 01:08:09,959 --> 01:08:12,292 I mean, the boards were very small, so if you had a larger board,
942 01:08:12,292 --> 01:08:15,751 you are going to have some sort of support structure, but it's totally,
943 01:08:15,751 --> 01:08:17,375 totally doable.
944 01:08:23,501 --> 01:08:25,834 Okay, so the question was sometimes
945 01:08:25,834 --> 01:08:30,709 they are almost spherical, does that impact the time to etch?
946 01:08:30,709 --> 01:08:31,876 And the answer is yes.
947 01:08:33,751 --> 01:08:38,125 Simply the greater the depth of epoxy, the more time it takes.
948 01:08:40,999 --> 01:08:45,999 So you will almost never be able to do this and get it right first
949 01:08:45,999 --> 01:08:47,834 time round.
950 01:08:47,834 --> 01:08:50,083 So expect to go through a few chips
951 01:08:50,083 --> 01:08:56,667 until you actually work out, okay, it's going to take X amount of time, and,
952 01:08:56,667 --> 01:08:58,459 well done.
953 01:09:01,083 --> 01:09:02,375 (Applause).
954 01:09:02,375 --> 01:09:04,292 So expect to go through a few chips
955 01:09:04,292 --> 01:09:09,999 before you actually work out, okay, actually in that case it's going
956 01:09:09,999 --> 01:09:15,626 to take me one thirty to actually get to where I want to be.
957 01:09:15,751 --> 01:09:17,209 Okay, Major.
958 01:09:17,209 --> 01:09:19,792 ADAM 'MAJOR MALFUNCTION' LAURIE: Thank you.
959 01:09:19,792 --> 01:09:22,542 Demo gods are with me hopefully so far.
960 01:09:22,542 --> 01:09:25,999 So if you remember the original image, we had columns of data,
961 01:09:25,999 --> 01:09:30,501 and basically what you have to do is look at those columns and try
962 01:09:30,501 --> 01:09:33,417 and figure out exactly what you are trying
963 01:09:33,417 --> 01:09:35,083 to create.
964 01:09:35,083 --> 01:09:37,792 So my idea was I'm going to create a grid over the image
965 01:09:37,792 --> 01:09:40,334 and where there is an intersection because it's
966 01:09:40,334 --> 01:09:44,501 all nice and neat rows and columns, where there is an intersection, that's
967 01:09:44,501 --> 01:09:48,999 the point of interest, and if there is a dot there, that's a 1, and if it isn't,
968 01:09:48,999 --> 01:09:53,542 it's 0, and if you are outside the grid, just ignore everything.
969 01:09:54,334 --> 01:10:01,584 So rompar, you tell it basically, the image name, the number of bits
970 01:10:01,584 --> 01:10:06,626 in your horizontal line, and the number of rows,
971 01:10:06,626 --> 01:10:09,751 the number of lines.
972 01:10:09,751 --> 01:10:15,999 So if I say rompar, bitmap, I counted 16 in each column
973 01:10:15,999 --> 01:10:21,626 and I'm going to do two rows at a time.
974 01:10:21,709 --> 01:10:26,834 You will see why this is relevant in a minute.
975 01:10:26,834 --> 01:10:29,042 If I go back to the original view, basically this
976 01:10:29,042 --> 01:10:34,959 is our image and I reckon there are 16 bits in each of these sections.
977 01:10:35,042 --> 01:10:38,626 So the first thing we do is apply just a color filter,
978 01:10:38,626 --> 01:10:41,999 and I can actually filter it to try and get the dots
979 01:10:41,999 --> 01:10:45,999 down a bit smaller, because, remember, we are trying to identify
980 01:10:45,999 --> 01:10:48,792 whether it's there or not.
981 01:10:49,000 --> 01:10:53,999 So now what it allows you to do is create this grid.
982 01:10:54,042 --> 01:10:57,209 So the first thing I will do is say this column here
983 01:10:57,209 --> 01:10:59,626 is my start column.
984 01:10:59,999 --> 01:11:03,292 Hopefully you can see a little blue line has appeared.
985 01:11:03,292 --> 01:11:04,999 Can you see a blue line on there?
986 01:11:05,167 --> 01:11:06,167 No.
987 01:11:06,542 --> 01:11:07,542 Can you now? 988 01:11:07,918 --> 01:11:09,292 Yes. 989 01:11:09,876 --> 01:11:13,292 So here is my final column, 16. 990 01:11:13,918 --> 01:11:18,626 Because it's nice and even, it's drawn in the rest of the shrines for me. 991 01:11:18,626 --> 01:11:20,417 So that's two mouse clicks so far. 992 01:11:21,584 --> 01:11:28,709 So now here is my first row and here is my second row. 993 01:11:28,709 --> 01:11:30,834 Remember, I said there is two in each row. 994 01:11:30,999 --> 01:11:34,999 So, again, if I get rid of the image, we have now got a little grid which 995 01:11:34,999 --> 01:11:37,999 is the two sets of intersections. 996 01:11:38,751 --> 01:11:43,792 And now if I just say, okay, here is another group, and here 997 01:11:43,792 --> 01:11:49,834 is another group, here is another group, so we are very quickly building 998 01:11:49,834 --> 01:11:54,083 up our grid, and I'm going to do this fully, so bear 999 01:11:54,083 --> 01:11:56,584 with me a second. 1000 01:12:16,834 --> 01:12:18,125 That's enough. 1001 01:12:18,125 --> 01:12:19,751 You see how quick it is to do. 1002 01:12:19,751 --> 01:12:22,709 So we are down to, you know, a few dozen mouse clicks 1003 01:12:22,709 --> 01:12:27,167 to create a grid that matches that entire thing. 1004 01:12:28,584 --> 01:12:33,584 So if we now go back to the image, what I can do is say wherever there 1005 01:12:33,584 --> 01:12:38,834 is an intersection, tell me if there is a bit there or not. 1006 01:12:38,999 --> 01:12:43,918 So I will do a read, and it's now going, yes, I see a bit there. 1007 01:12:44,999 --> 01:12:47,542 These guys don't quite line up. 1008 01:12:47,542 --> 01:12:50,751 We know that this pattern is completely the same, you know, 1009 01:12:50,751 --> 01:12:56,417 it's a repeating pattern, so all of these lines should look the same. 1010 01:12:56,959 --> 01:12:58,999 So what I can do is click on this guy. 
1011 01:12:58,999 --> 01:13:02,709 This is me being slightly inaccurate when clicking the mouse.
1012 01:13:02,751 --> 01:13:04,083 I try and center.
1013 01:13:04,083 --> 01:13:07,083 Basically when I click on it, I try and automatically center
1014 01:13:07,083 --> 01:13:10,501 the line horizontally and vertically.
1015 01:13:10,876 --> 01:13:14,999 The problem is you can't really tell with a mouse where your exact click
1016 01:13:14,999 --> 01:13:16,542 point is.
1017 01:13:16,542 --> 01:13:19,501 What I ought to do is change the cursor to something more accurate,
1018 01:13:19,501 --> 01:13:23,999 but I'm lazy, and it kind of worked and it was quick and easy.
1019 01:13:25,083 --> 01:13:29,125 So if I now go into edit mode, I can move that line until it lines
1020 01:13:29,125 --> 01:13:31,125 up a bit better.
1021 01:13:31,542 --> 01:13:36,292 We have this guy or if it's out horizontally,
1022 01:13:36,292 --> 01:13:41,584 I can move it that way and that way.
1023 01:13:49,834 --> 01:13:51,375 You get the idea.
1024 01:13:51,375 --> 01:13:54,542 So we can now mess around and try and create
1025 01:13:54,542 --> 01:13:58,292 a grid that perfectly lines up.
1026 01:13:58,501 --> 01:14:00,459 I can go back to looking at the original image if I think that's
1027 01:14:00,459 --> 01:14:01,999 a bit clearer.
1028 01:14:02,209 --> 01:14:05,083 It's kind of hard to see what's going on.
1029 01:14:06,083 --> 01:14:10,292 So, again, I just thought, well, I'm trying to automate this process.
1030 01:14:10,292 --> 01:14:12,501 I'm not trying to fully automate it.
1031 01:14:12,501 --> 01:14:14,999 I'm trying to semi automate it so I will do things that make it easier
1032 01:14:14,999 --> 01:14:16,542 for my eye.
1033 01:14:16,834 --> 01:14:20,167 The human brain is very good at processing images and patterns so
1034 01:14:20,167 --> 01:14:25,334 I will make it as easy as possible for my eye to process this stuff.
1035 01:14:25,542 --> 01:14:30,959 So you can do things like switching off the grid and checking what's
1036 01:14:30,959 --> 01:14:35,459 underneath, switching between the original and the mask,
1037 01:14:35,459 --> 01:14:38,999 and then I have this nice mode.
1038 01:14:39,999 --> 01:14:43,999 So you get rid of everything that is not an intersection, and
1039 01:14:43,999 --> 01:14:48,083 if we also get rid of the grid, you can see this guy is not lined
1040 01:14:48,083 --> 01:14:51,999 up at all, so if I go and edit him, I can quickly line that
1041 01:14:51,999 --> 01:14:55,209 up and you see when you are dead on.
1042 01:14:55,209 --> 01:14:59,999 There is a nice round dot in the center of your thing, and
1043 01:14:59,999 --> 01:15:06,083 if I reread, this is where it all goes horribly wrong.
1044 01:15:08,999 --> 01:15:11,584 Oh, because I'm not displaying the grid.
1045 01:15:11,584 --> 01:15:12,626 Put the grid back on.
1046 01:15:12,999 --> 01:15:15,667 We have now got a clean read of those four bits.
1047 01:15:16,999 --> 01:15:19,999 We also want to try and make sense of the data.
1048 01:15:19,999 --> 01:15:24,709 So in this particular case, we knew that an unused piece
1049 01:15:24,709 --> 01:15:28,459 of ROM has a HEX value of C1.
1050 01:15:28,834 --> 01:15:32,999 So what it looks like, if I come out of peephole mode and we look
1051 01:15:32,999 --> 01:15:37,876 at the original image there are big chunks of unused data.
1052 01:15:38,167 --> 01:15:42,375 So here is obviously program and here is nothing.
1053 01:15:42,876 --> 01:15:47,250 And this repeating pattern, therefore, we would say that must be C1s.
1054 01:15:47,709 --> 01:15:51,999 So what we should see here because it's 16 bits, I'm hoping
1055 01:15:51,999 --> 01:15:53,876 is C1, C1.
1056 01:15:53,999 --> 01:15:56,417 Now, the quick amongst you would have
1057 01:15:56,417 --> 01:15:59,876 noticed I am not going to get that, but what I can do
1058 01:15:59,876 --> 01:16:03,876 is say take these bits and show me a HEX value.
1059 01:16:04,459 --> 01:16:07,918 We will get rid of the mask and the image.
1060 01:16:10,626 --> 01:16:13,667 Reduce the font so we can read it.
1061 01:16:13,876 --> 01:16:15,999 And here we have the actual values that are decoding
1062 01:16:15,999 --> 01:16:19,959 for each of our groupings, and clearly that's wrong.
1063 01:16:19,999 --> 01:16:22,584 So what the hell is going on?
1064 01:16:24,959 --> 01:16:28,918 So if we go back to our image it turns out, see,
1065 01:16:28,918 --> 01:16:32,459 these guys here, these are lead wires coming
1066 01:16:32,459 --> 01:16:38,584 in to read a column of bits, and if you count them, one, two, three, four,
1067 01:16:38,584 --> 01:16:44,999 five, six, seven, eight, and if we were to scroll down and look at the bottom
1068 01:16:44,999 --> 01:16:49,751 of the image, there is another set of these coming up, and
1069 01:16:49,751 --> 01:16:54,250 they are interleaved with these guys so what we have got
1070 01:16:54,250 --> 01:16:59,209 is 8 bits interleaved with another 8 bits so what we will do
1071 01:16:59,209 --> 01:17:04,334 is come out here, go back in, so actually it's not 16, it's 8,
1072 01:17:04,334 --> 01:17:08,626 and we are going to start again with 8.
1073 01:17:42,209 --> 01:17:46,125 And now you can actually see, so the aperture, basically
1074 01:17:46,125 --> 01:17:49,999 the automatic aperture is based on the size of the gaps
1075 01:17:49,999 --> 01:17:52,209 between the lines.
1076 01:17:52,209 --> 01:17:55,999 So I can reduce those a bit if it's over reading.
1077 01:17:56,959 --> 01:17:58,792 We will adjust this guy.
1078 01:18:02,999 --> 01:18:05,876 You can flip it as well obviously.
1079 01:18:12,375 --> 01:18:16,626 Here you can see how useful peephole is because if you are trying
1080 01:18:16,626 --> 01:18:21,334 to manually check if you have got a 1 in the right place and you have got
1081 01:18:21,334 --> 01:18:24,792 all of these other dots interleaved with these guys,
1082 01:18:24,792 --> 01:18:27,999 sometimes it can be quite confusing.
1083 01:18:28,292 --> 01:18:31,999 If I go into peephole mode, all of the extraneous imaging that my
1084 01:18:31,999 --> 01:18:36,542 brain doesn't need to have to deal with is being removed and I can just
1085 01:18:36,542 --> 01:18:40,083 look at only the dots I'm interested in.
1086 01:18:40,083 --> 01:18:41,167 So that really helped.
1087 01:18:41,292 --> 01:18:45,125 And if we go over here and show the HEX values.
1088 01:18:53,334 --> 01:18:54,999 There are our C1s.
1089 01:18:54,999 --> 01:19:02,459 Thank you, so, that was quite a satisfying moment,
1090 01:19:02,459 --> 01:19:09,167 it was like oh, it actually works!
1091 01:19:09,918 --> 01:19:15,167 So we can dump that to a file, and I have already done that,
1092 01:19:15,167 --> 01:19:20,876 so I now have a HEX file which if we go and look at that, this
1093 01:19:20,876 --> 01:19:26,125 is only a tiny portion of the code actually, but it's enough
1094 01:19:26,125 --> 01:19:30,999 to show you that without my client having to put a hit
1095 01:19:30,999 --> 01:19:32,999 on it, so.
1096 01:19:34,125 --> 01:19:38,083 So here we have our C1s, a lot of little blank areas so
1097 01:19:38,083 --> 01:19:41,751 at this point we have got the code.
1098 01:19:41,751 --> 01:19:43,876 We have extracted the code from the chip.
1099 01:19:45,751 --> 01:19:47,542 Now what?
1100 01:19:47,626 --> 01:19:50,083 We need to disassemble it.
1101 01:19:50,083 --> 01:19:52,375 Well, that's easy, it's a published device.
1102 01:19:52,375 --> 01:19:58,667 The particular thing is called a MARC4. DASM download,
1103 01:19:58,667 --> 01:20:05,999 the tool developer's kit, and disassembler, so we had to look
1104 01:20:05,999 --> 01:20:11,209 at eBay and we came up nil, zilch.
1105 01:20:11,209 --> 01:20:15,709 So we widened the search and the Google, and the Google said, yes,
1106 01:20:15,709 --> 01:20:18,167 we can get you those.
1107 01:20:18,375 --> 01:20:25,083 It's a $200 product that stopped being produced 20 years ago, so to you, I
1108 01:20:25,083 --> 01:20:28,334 like your face, $25,000.
1109 01:20:29,792 --> 01:20:33,709 So no thank you.
1110 01:20:33,709 --> 01:20:36,667 So we did find the manuals, so we had the instruction set
1111 01:20:36,667 --> 01:20:39,584 and we had how to convert it.
1112 01:20:40,000 --> 01:20:44,167 So we said the hell with it, we will write our own.
1113 01:20:44,167 --> 01:20:50,000 So our friend Python comes in again, so marc4dasm was born and
1114 01:20:50,000 --> 01:20:57,417 if you point marc4dasm at a file it does something like this.
1115 01:21:01,083 --> 01:21:03,999 So basically this will be slightly nonsensical
1116 01:21:03,999 --> 01:21:07,999 because it's only a small chunk of the code so what it will give you
1117 01:21:07,999 --> 01:21:11,999 is a summary of ROM addresses and labels, things that have jumped
1118 01:21:11,999 --> 01:21:13,999 to that address.
1119 01:21:14,083 --> 01:21:19,626 If it's obviously a subroutine with an exit but nothing calls it, it's
1120 01:21:19,626 --> 01:21:23,709 an orphan, but if it's a known address like a bit
1121 01:21:23,709 --> 01:21:29,083 of interrupt code, it will give it the correct label.
1122 01:21:29,292 --> 01:21:32,999 The other really handy thing which meant we could tell when we found
1123 01:21:32,999 --> 01:21:37,083 the beginning of the program, is there are these two guys that always
1124 01:21:37,083 --> 01:21:39,125 have to be there.
1125 01:21:39,125 --> 01:21:41,459 There is a routine called auto sleep, and it sits
1126 01:21:41,459 --> 01:21:45,918 in a little tight loop just waiting for an interrupt.
1127 01:21:45,999 --> 01:21:48,083 And there is a routine called reset.
1128 01:21:48,250 --> 01:21:51,626 And reset is actually what C1 is doing.
1129 01:21:51,626 --> 01:21:55,459 C1 is a jump to the address where reset lives.
1130 01:21:55,459 --> 01:21:58,209 So if your code goes mental and your program starts running
1131 01:21:58,209 --> 01:22:03,334 off into oblivion, eventually it will hit C1 and C1 will reset the chip.
1132 01:22:03,501 --> 01:22:06,999 So all of the blank space in the code was a jump to reset,
1133 01:22:06,999 --> 01:22:10,083 which I thought was a really smart thing to do,
1134 01:22:10,083 --> 01:22:13,083 instead of just being a null.
1135 01:22:13,999 --> 01:22:16,999 You get a summary of what's found.
1136 01:22:16,999 --> 01:22:19,792 You get some of the variables, and then you get
1137 01:22:19,792 --> 01:22:24,250 the actual disassembled code, which is wrapping horribly
1138 01:22:24,250 --> 01:22:27,876 because my screen is too small.
1139 01:22:31,667 --> 01:22:35,584 So my disassembler gives you the instruction in the form that
1140 01:22:35,584 --> 01:22:39,584 the original compiler would have done it so you could run this
1141 01:22:39,584 --> 01:22:44,375 through the compiler if you had one and here is auto sleep.
1142 01:22:44,792 --> 01:22:48,918 It does a sleep, sets branch and carry, and then it just jumps back on itself
1143 01:22:48,918 --> 01:22:52,459 and it sits there waiting to be interrupted.
1144 01:22:53,083 --> 01:22:55,083 Here is our reset.
1145 01:22:55,083 --> 01:22:58,292 Sets up the stack, sets up the return pointer, and then jumps
1146 01:22:58,292 --> 01:23:01,292 to zero, and then off you go.
1147 01:23:02,334 --> 01:23:08,083 So we knew we had correctly identified the beginning of the code, awesome!
1148 01:23:08,125 --> 01:23:11,999 How do we know we have actually read all of the code properly?
1149 01:23:12,209 --> 01:23:15,292 Well, they hopefully put a check on the end.
1150 01:23:16,626 --> 01:23:20,542 Now, it's wrong in this case because this is only a partial chunk,
1151 01:23:20,542 --> 01:23:23,792 but here is the checksum embedded in the ROM and here
1152 01:23:23,792 --> 01:23:28,083 is the calculated checksum that the disassembler gave us and if they match,
1153 01:23:28,083 --> 01:23:31,751 then we got it right, everything is lovely.
1154 01:23:33,999 --> 01:23:37,834 One of the other things we really wanted was to be able to run
1155 01:23:37,834 --> 01:23:41,999 the code and see what the hell this thing is doing.
1156 01:23:41,999 --> 01:23:42,918 We have read the EPROM so we know
1157 01:23:42,918 --> 01:23:46,083 the data that's gone in, but we don't know what it's doing
1158 01:23:46,083 --> 01:23:48,626 with it, so we could sit and manually walk
1159 01:23:48,626 --> 01:23:53,334 through this or we could write an I probe or something cool like that.
1160 01:23:55,125 --> 01:23:59,292 The development kit would have had an emulator in it.
1161 01:23:59,751 --> 01:24:00,250 $25,000 E.
1162 01:24:00,250 --> 01:24:02,999 we are not going to buy that.
1163 01:24:02,999 --> 01:24:08,334 ZAC FRANKEN: Actually, I did find a copy of the software
1164 01:24:08,334 --> 01:24:10,999 for the dev kit.
1165 01:24:11,375 --> 01:24:14,125 It was in German and it was on a Russian warez site,
1166 01:24:14,125 --> 01:24:17,209 so we decided to give that one a miss.
1167 01:24:18,542 --> 01:24:21,667 ADAM 'MAJOR MALFUNCTION' LAURIE: Python is your friend.
1168 01:24:28,709 --> 01:24:31,334 A whole chunk of this is being cut off.
1169 01:24:31,334 --> 01:24:32,999 ZAC FRANKEN: I have to say I was absolutely blown away
1170 01:24:32,999 --> 01:24:35,083 when he showed me this.
1171 01:24:35,083 --> 01:24:36,626 This is cool shit!
1172 01:24:36,999 --> 01:24:41,083 ADAM 'MAJOR MALFUNCTION' LAURIE: So we can single step
1173 01:24:41,083 --> 01:24:47,667 the code, we can set breakpoints on reads or writes on the output.
1174 01:24:47,959 --> 01:24:53,626 Over here you can't see, you have got all of the registers,
1175 01:24:53,626 --> 01:24:55,667 the stack.
1176 01:24:55,959 --> 01:24:58,792 It's got two whole variables, X and Y.
1177 01:24:58,792 --> 01:25:01,959 So really powerful chip.
1178 01:25:02,083 --> 01:25:06,999 We can set breaks on things like branches and so on.
1179 01:25:07,125 --> 01:25:11,792 And we can just go off you go, and it will just run until the breakpoint.
1180 01:25:11,999 --> 01:25:14,584 It's now sitting in its little loop.
1181 01:25:18,584 --> 01:25:20,834 And you can see the branch.
1182 01:25:20,834 --> 01:25:22,167 You remember the instruction that set branch
1183 01:25:22,167 --> 01:25:24,709 and carry and then jump to zero.
1184 01:25:24,999 --> 01:25:26,584 That's what we are doing.
1185 01:25:26,792 --> 01:25:31,167 And I will probably crash it if I now generate an interrupt point.
1186 01:25:32,501 --> 01:25:34,626 So, it's jumped off into code that doesn't actually exist
1187 01:25:34,626 --> 01:25:37,292 because this is a partial fragment of the code.
1188 01:25:37,292 --> 01:25:43,459 But this gives us now the ability to run whatever we want.
1189 01:25:43,459 --> 01:25:45,999 We can feed the data in via a pseudo EPROM which
1190 01:25:45,999 --> 01:25:48,999 is plugged into this so we completely own that
1191 01:25:48,999 --> 01:25:51,999 chip and all of the code that was in it and
1192 01:25:51,999 --> 01:25:55,167 all of the data it was chewing on.
1193 01:25:56,167 --> 01:26:12,709 So that's it.
1194 01:26:12,709 --> 01:26:13,709 (Applause).
1195 01:26:13,709 --> 01:26:17,417 ZAC FRANKEN: Just before we go to questions, one
1196 01:26:17,417 --> 01:26:24,999 of the cool things about this was the manufacturer was so super secure
1197 01:26:24,999 --> 01:26:33,792 in their belief that no one was ever going to get the data off this chip.
1198 01:26:33,959 --> 01:26:38,209 No one can read mask ROM, once we, once it gets its fuse blown, there
1199 01:26:38,209 --> 01:26:43,834 is a diagnostic routine that allows them once the chip is assembled to verify
1200 01:26:43,834 --> 01:26:48,209 the code and then they blow a fuse and it's gone.
1201 01:26:49,334 --> 01:26:52,542 So couldn't possibly do it, no way to read it
1202 01:26:52,542 --> 01:26:56,751 out because with flash you have the ability to read it out,
1203 01:26:56,751 --> 01:27:01,250 but here it's mask ROM, you don't need that facility.
1204 01:27:01,250 --> 01:27:06,250 So it just checks the checks, yes, okay, okay, now that written thing gets
1205 01:27:06,250 --> 01:27:08,083 turned off.
1206 01:27:08,584 --> 01:27:12,999 The interconnect between the MCU and the EPROM, again,
1207 01:27:12,999 --> 01:27:16,125 all inside the package.
1208 01:27:18,292 --> 01:27:21,792 No one is ever going to get the code off this EPROM,
1209 01:27:21,792 --> 01:27:26,375 and it just shows you what you can actually achieve and how really some
1210 01:27:26,375 --> 01:27:28,834 of their thinking is.
1211 01:27:28,834 --> 01:27:30,999 So let's take some questions.
1212 01:27:30,999 --> 01:27:34,209 ADAM 'MAJOR MALFUNCTION' LAURIE: Just a tiny addition to that.
1213 01:27:34,209 --> 01:27:35,667 So sometimes we send stuff off to pet to do things like this
1214 01:27:35,667 --> 01:27:39,999 for things that we couldn't handle before we did this and we asked them
1215 01:27:39,999 --> 01:27:43,959 we have a mask ROM chip, how much would that be?
1216 01:27:44,250 --> 01:27:50,542 Oh, mask ROM, that's tricky, $10,000 per chip to give you the code.
1217 01:27:50,542 --> 01:27:52,999 And it will take three months. 1218 01:27:52,999 --> 01:27:56,999 ZAC FRANKEN: Yes, and the chip, the chip we asked 1219 01:27:56,999 --> 01:28:02,209 about had 512 bytes of mask ROM, this had 5K. 1220 01:28:02,459 --> 01:28:04,751 And I think it was $25,000. 1221 01:28:05,083 --> 01:28:07,542 It was horrendously expensive. 1222 01:28:07,542 --> 01:28:09,999 ADAM 'MAJOR MALFUNCTION' LAURIE: While we have got your 1223 01:28:09,999 --> 01:28:12,999 attention, this is unrelated but our next project which we 1224 01:28:12,999 --> 01:28:15,918 will be launching on Kickstarter so get your camera 1225 01:28:15,918 --> 01:28:18,792 and take a picture of that QR code. 1226 01:28:19,709 --> 01:28:24,751 That's my blog entry which I posted about an hour before we came 1227 01:28:24,751 --> 01:28:27,292 in to give this talk. 1228 01:28:27,584 --> 01:28:29,918 That describes exactly what it is. 1229 01:28:29,999 --> 01:28:33,375 It's software defined, which is the trendy buzzword 1230 01:28:33,375 --> 01:28:37,999 at the moment, but for RFID, so this does the same thing for RFID 1231 01:28:37,999 --> 01:28:41,459 as stuff like HackRF does for RF. 1232 01:28:41,834 --> 01:28:44,417 So you get access to the low level raw data. 1233 01:28:44,417 --> 01:28:46,542 You do whatever the hell you want with it. 1234 01:28:46,999 --> 01:28:48,542 Within a day of building it we were cloning 1235 01:28:48,542 --> 01:28:52,751 and emulating pretty much anything we could put in front of it. 1236 01:28:52,751 --> 01:28:54,417 ZAC FRANKEN: Oh, and it's cheap. 1237 01:28:54,417 --> 01:28:57,584 ADAM 'MAJOR MALFUNCTION' LAURIE: Yes, 30 pounds maximum. 1238 01:28:57,584 --> 01:28:58,584 Sell it on eBay. 1239 01:28:58,584 --> 01:29:01,501 ADAM 'MAJOR MALFUNCTION' LAURIE: Anyway, questions? 1240 01:29:01,501 --> 01:29:01,501 So what happens when chip manufacturers start putting bytes 1241 01:29:01,501 --> 01:29:02,501 on (inaudible). 
1242 01:29:11,501 --> 01:29:15,751 ADAM 'MAJOR MALFUNCTION' LAURIE: So depending 1243 01:29:15,751 --> 01:29:21,792 on the complexity of the chip, the chip manufacturers actually do put 1244 01:29:21,792 --> 01:29:25,999 a lot of security features in place. 1245 01:29:25,999 --> 01:29:30,792 So they will bury things in layers so it won't be on the top layer. 1246 01:29:31,083 --> 01:29:37,209 It will be, you know, eight layers down, and they will put a security layer 1247 01:29:37,209 --> 01:29:42,999 over the top, a security mesh, which is designed to destroy keys 1248 01:29:42,999 --> 01:29:46,999 if the chip is damaged in any way. 1249 01:29:46,999 --> 01:29:49,999 So there is actually, and when we first got into it, 1250 01:29:49,999 --> 01:29:52,834 we were kind of pleasantly surprised that 1251 01:29:52,834 --> 01:29:57,626 the chip manufacturers actually take security seriously. 1252 01:29:57,834 --> 01:30:01,999 Of course, what they are trying to secure is their customer's IP. 1253 01:30:01,999 --> 01:30:06,584 So we tend to find that we do a lot of embedded systems 1254 01:30:06,584 --> 01:30:09,417 reverse engineering. 1255 01:30:09,751 --> 01:30:12,999 Normally a lot of the security is crap. 1256 01:30:13,125 --> 01:30:17,501 So they are taking the crown jewels, the super-secret key. 1257 01:30:17,501 --> 01:30:20,999 ADAM 'MAJOR MALFUNCTION' LAURIE: That's the polite word for it. 1258 01:30:20,999 --> 01:30:23,501 ZAC FRANKEN: Their super-secret master keys and 1259 01:30:23,501 --> 01:30:27,876 they are storing them in chips that aren't really designed 1260 01:30:27,876 --> 01:30:32,167 to secure, you know, keys and things like that. 1261 01:30:32,334 --> 01:30:38,292 So we looked at an RFID vendor, and their latest and greatest product, 1262 01:30:38,292 --> 01:30:43,999 and they had stored their keys in the PIC chip and we sent it 1263 01:30:43,999 --> 01:30:51,834 off to slightly dodgy company, and they said, oh, that will be $900, sir. 
1264 01:30:51,834 --> 01:30:54,999 And they sent us back an entire dump of the code, 1265 01:30:54,999 --> 01:30:58,584 including all of their super-secret keys. 1266 01:30:58,999 --> 01:31:04,667 And we have had chips reversed that have cost as little as $90. 1267 01:31:04,876 --> 01:31:09,834 So if you have a cheap PIC chip, $90 will get you the code. 1268 01:31:10,083 --> 01:31:12,999 So they are tending to, with the higher end chips, 1269 01:31:12,999 --> 01:31:17,334 actually put some effort into trying to prevent this from happening, 1270 01:31:17,334 --> 01:31:19,417 proper security. 1271 01:31:19,417 --> 01:31:23,999 Let me start by saying I'm deeply impressed 1272 01:31:23,999 --> 01:31:30,334 with the of this basic problem, not just oh, hi. 1273 01:31:30,334 --> 01:31:31,334 Hot mic. 1274 01:31:31,918 --> 01:31:35,209 Not just the physical expertise for pulling apart the chips 1275 01:31:35,209 --> 01:31:39,292 but the software, because it's an amazing combination. 1276 01:31:39,292 --> 01:31:39,751 ADAM 'MAJOR MALFUNCTION' LAURIE: Thank you, that's 1277 01:31:39,751 --> 01:31:41,083 a misspent youth. 1278 01:31:43,292 --> 01:31:47,083 For those of us with that said, I'm curious as to the amount 1279 01:31:47,083 --> 01:31:51,375 of time you have poured into this project end to end? 1280 01:31:51,834 --> 01:31:53,667 Surely there was, from the depth of safety lecture, 1281 01:31:53,667 --> 01:31:55,751 you took your time and did your research and 1282 01:31:55,751 --> 01:31:58,834 the Python code is spitting by, maybe what's an afternoon for you 1283 01:31:58,834 --> 01:32:01,999 is a month for the rest of us, what's your time? 1284 01:32:01,999 --> 01:32:05,834 ADAM 'MAJOR MALFUNCTION' LAURIE: We have been doing this stuff 1285 01:32:05,834 --> 01:32:11,083 between us for 20 years, so it's a bit here and a bit there. 
1286 01:32:11,083 --> 01:32:15,626 I don't know, if you actually sat down and tried to do it in one chunk, 1287 01:32:15,626 --> 01:32:20,375 I don't know, but the whole point of stuff like this and decapenator 1288 01:32:20,375 --> 01:32:24,167 is we are trying to solve those problems and then step 1289 01:32:24,167 --> 01:32:26,417 everyone forward. 1290 01:32:26,417 --> 01:32:29,083 You know, we need to move into a situation where you guys can get 1291 01:32:29,083 --> 01:32:32,375 up and running within a week, not a year. 1292 01:32:32,375 --> 01:32:36,876 I mean, I guess how long did we start on ZAC FRANKEN: So I'm going 1293 01:32:36,876 --> 01:32:39,250 to say, sorry, guys. 1294 01:32:39,334 --> 01:32:42,999 I would have said probably this one project kind 1295 01:32:42,999 --> 01:32:47,209 of opened it, kept diving into new areas. 1296 01:32:47,459 --> 01:32:51,999 So I would have said probably to get to the point where we had 1297 01:32:51,999 --> 01:32:57,999 the decapenator and we were extracting data and ROMper was in existence, 1298 01:32:57,999 --> 01:33:03,459 maybe six months from starting from a hard cold start. 1299 01:33:03,999 --> 01:33:07,918 And it wasn't as if we were working on this full time for six months. 1300 01:33:07,918 --> 01:33:08,999 It was six months elapsed, and it was 1301 01:33:08,999 --> 01:33:12,999 a background project that was kind of ticking around. 1302 01:33:13,459 --> 01:33:17,999 So actually, you know, probably if you sat down and just focused on it, 1303 01:33:17,999 --> 01:33:22,999 probably something like a month to end up where we were. 1304 01:33:22,999 --> 01:33:23,999 It's fascinating. 1305 01:33:23,999 --> 01:33:25,083 Thanks for sharing. 1306 01:33:25,083 --> 01:33:26,417 ZAC FRANKEN: Thank you. 1307 01:33:26,876 --> 01:33:29,167 Hi, guys, great stuff! 1308 01:33:29,167 --> 01:33:30,167 I love it! 
1309 01:33:32,667 --> 01:33:36,292 In a lot of the microcontrollers you mentioned there are fuse bits that 1310 01:33:36,292 --> 01:33:38,999 the manufacturers can set, like burn your code, burn 1311 01:33:38,999 --> 01:33:42,999 the fuse bits and nobody else can read it. Would it be possible to recapenate 1312 01:33:42,999 --> 01:33:45,250 the probes to reconnect a fuse rather than read 1313 01:33:45,250 --> 01:33:47,959 all of the data back out of it? 1314 01:33:47,959 --> 01:33:49,542 ZAC FRANKEN: Absolutely. 1315 01:33:49,542 --> 01:33:50,542 Sweet! 1316 01:33:50,626 --> 01:33:57,209 ZAC FRANKEN: And in fact, a guy called Bunnie Huang did, go 1317 01:33:57,209 --> 01:34:05,083 look at his blog, it was a demonstration, it was fantastic. 1318 01:34:05,459 --> 01:34:09,584 He hand decapped a PIC chip and he masked out, he worked 1319 01:34:09,584 --> 01:34:13,083 out where the fuses were, and realized that 1320 01:34:13,083 --> 01:34:18,999 the fuses were covered by a little metallic gold plate. 1321 01:34:18,999 --> 01:34:22,999 And he realized that, okay, you are covering it with a plate, 1322 01:34:22,999 --> 01:34:25,292 but there is still a passivation layer 1323 01:34:25,292 --> 01:34:31,417 between the plate and your actual kind of fuse which is effectively a transistor. 1324 01:34:33,209 --> 01:34:36,584 So what he realized was, right, if I mask 1325 01:34:36,584 --> 01:34:42,792 out all of the other UV sensitive parts of the chip, if I put it at an angle, 1326 01:34:42,792 --> 01:34:47,667 I can get the UV to bounce under the shield, and just cook it 1327 01:34:47,667 --> 01:34:54,459 and discharge the little transistor and he could read the data right out. 1328 01:34:55,125 --> 01:35:00,709 So there are companies around that will go a lot further, and 1329 01:35:00,709 --> 01:35:03,876 will really dig for you. 
1330 01:35:03,876 --> 01:35:06,751 ADAM 'MAJOR MALFUNCTION' LAURIE: And on a related note, 1331 01:35:06,751 --> 01:35:08,999 we have used the decapenator to drill 1332 01:35:08,999 --> 01:35:13,417 a hole and then his very precious micro probes to selectively break wires 1333 01:35:13,417 --> 01:35:17,999 and probe on and actually feed our own data in instead of what was supposed 1334 01:35:17,999 --> 01:35:20,999 to be coming from the other guy. 1335 01:35:21,999 --> 01:35:25,999 And the feeding machine, so we are all about getting this 1336 01:35:25,999 --> 01:35:30,999 into the back room economy, so you can do this yourselves. 1337 01:35:31,083 --> 01:35:34,083 So where would we have gotten the thing that sends the data 1338 01:35:34,083 --> 01:35:37,417 into these probe devices do you think? 1339 01:35:37,709 --> 01:35:39,334 Not eBay, no. 1340 01:35:39,334 --> 01:35:40,626 We got it from SparkFun and it cost about 30 pounds 1341 01:35:40,626 --> 01:35:42,626 and it's called a Bus Pirate. 1342 01:35:47,999 --> 01:35:50,751 Hi, this is amazing work! 1343 01:35:50,751 --> 01:35:51,751 I have to say. 1344 01:35:51,751 --> 01:35:52,918 The gentleman before me actually asked 1345 01:35:52,918 --> 01:35:56,125 the question I was going to ask, so that's easy. 1346 01:35:56,250 --> 01:35:59,250 But a quick comment about hydrogen fluoride. 1347 01:35:59,999 --> 01:36:03,209 You can, an alternate source as well which is fairly safe 1348 01:36:03,209 --> 01:36:06,667 is the stuff which you use for etching glass, and it's not 1349 01:36:06,667 --> 01:36:09,542 in a gel form, it's a cream form. 1350 01:36:09,542 --> 01:36:12,250 I don't know if that's also usable for the same thing. 1351 01:36:12,250 --> 01:36:13,999 ZAC FRANKEN: Almost certainly. 1352 01:36:13,999 --> 01:36:15,375 I hadn't come across that. 1353 01:36:15,751 --> 01:36:17,501 I will certainly have a look at that. 
1354 01:36:17,792 --> 01:36:23,083 That may well be a better source of it than the dental stuff. 1355 01:36:23,083 --> 01:36:25,918 And I used to work in a lab where they had the real stuff, 1356 01:36:25,918 --> 01:36:28,626 and scary is an understatement. 1357 01:36:28,626 --> 01:36:31,083 In a lab of 30 people only one person was allowed it. 1358 01:36:31,250 --> 01:36:35,999 It had its own lab which was cooled to below refrigeration temperature, 1359 01:36:35,999 --> 01:36:39,999 and not only did it have a fume cover, but the actual lab was 1360 01:36:39,999 --> 01:36:42,459 a fume cupboard as well. 1361 01:36:42,459 --> 01:36:43,459 It was insane. 1362 01:36:43,459 --> 01:36:46,167 Is that why you have both your hands in your pockets? 1363 01:36:46,542 --> 01:36:51,125 I don't want to talk about that. 1364 01:36:51,125 --> 01:36:52,125 Thank you. 1365 01:36:52,125 --> 01:36:53,501 ZAC FRANKEN: Thank you. 1366 01:36:53,501 --> 01:36:58,999 Hi, you said CRC, right? 1367 01:36:58,999 --> 01:37:03,125 As opposed to a more sort of secure algorithm. 1368 01:37:03,125 --> 01:37:04,375 Oh, the checksum. 1369 01:37:05,083 --> 01:37:08,709 The checksum was quite interesting in its document. 1370 01:37:08,999 --> 01:37:13,667 The code is available, you can go to the Aperture Labs tools page, and 1371 01:37:13,667 --> 01:37:18,584 the MARC4 DASM is linked off there, you can download it and if you 1372 01:37:18,584 --> 01:37:22,083 like Python, you will probably puke when you read 1373 01:37:22,083 --> 01:37:23,834 my code. 1374 01:37:24,125 --> 01:37:28,292 But the checksum is actually two checksums. 1375 01:37:28,292 --> 01:37:29,999 The left hand byte is a left hand checksum and 1376 01:37:29,999 --> 01:37:32,999 the right hand byte is a right hand checksum. 1377 01:37:33,209 --> 01:37:35,834 And they do a slightly funny wandering algorithm 1378 01:37:35,834 --> 01:37:38,751 that would definitely go wrong. 
1379 01:37:38,999 --> 01:37:43,375 It's just there as an assurance to make sure that the code that was, 1380 01:37:43,375 --> 01:37:46,959 that runs on so they have a test routine that will run 1381 01:37:46,959 --> 01:37:50,876 through and read the ROM before they blow the fuse, calculate 1382 01:37:50,876 --> 01:37:54,834 the checksum and make sure it matches so it's not going to try 1383 01:37:54,834 --> 01:37:59,250 and recover any lost bits, it will just say yea or nay. 1384 01:37:59,250 --> 01:38:03,667 And the fuse is there only to disable the test routines for the chip. 1385 01:38:03,667 --> 01:38:05,709 So can you generate the CRC after the fact 1386 01:38:05,709 --> 01:38:08,292 to make sure it's still good? 1387 01:38:08,292 --> 01:38:10,999 ADAM 'MAJOR MALFUNCTION' LAURIE: Yes, in fact the disassembler, 1388 01:38:10,999 --> 01:38:13,375 my disassembler will show you what was stored, 1389 01:38:13,375 --> 01:38:17,083 the last two bytes in the ROM are the checksum, and it will recalculate 1390 01:38:17,083 --> 01:38:21,751 and tell you what those came out as so you can see if they match. 1391 01:38:21,751 --> 01:38:25,834 Is this, can you poke a running chip to get it to give you 1392 01:38:25,834 --> 01:38:31,250 the checksum or is it only this stored in the end or stored, I mean, 1393 01:38:31,250 --> 01:38:35,667 can you get it to calculate the checksum? 1394 01:38:35,667 --> 01:38:36,209 ADAM 'MAJOR MALFUNCTION' LAURIE: There 1395 01:38:36,209 --> 01:38:38,667 is a test routine built into the chip. 1396 01:38:38,667 --> 01:38:43,083 And in fact the chips have, there is two chunks of code. 1397 01:38:43,083 --> 01:38:44,334 When you look at the chip. 
1398 01:38:44,542 --> 01:38:47,667 There is the chip that the customer put in, and there 1399 01:38:47,667 --> 01:38:51,375 is the I'm sorry, the code that the customer put in and 1400 01:38:51,375 --> 01:38:55,167 the code that the manufacturer put in, and the code that 1401 01:38:55,167 --> 01:38:58,876 the manufacturer puts in doesn't actually I'm sorry, 1402 01:38:58,876 --> 01:39:02,751 the screen resolution is wrong so you couldn't really see 1403 01:39:02,751 --> 01:39:07,083 what that was, but the code the manufacturer put in will check it 1404 01:39:07,083 --> 01:39:12,709 for you, but it then gets disabled once they have done their test. 1405 01:39:12,709 --> 01:39:13,709 Okay. 1406 01:39:13,709 --> 01:39:14,375 ADAM 'MAJOR MALFUNCTION' LAURIE: Possibly you could run it 1407 01:39:14,375 --> 01:39:17,459 with the $25,000 emulation thing, but we never got that, so. 1408 01:39:17,459 --> 01:39:19,999 I was wondering if you could use it as an oracle to glitch 1409 01:39:19,999 --> 01:39:22,459 out parts of it as it was calculating, but not 1410 01:39:22,459 --> 01:39:25,959 if you can't ADAM 'MAJOR MALFUNCTION' LAURIE: I don't think 1411 01:39:25,959 --> 01:39:27,959 so, but nice idea. 1412 01:39:28,167 --> 01:39:29,584 Yes. 1413 01:39:29,999 --> 01:39:35,501 By the way, that screen saver, did anyone recognize what that was? 1414 01:39:35,501 --> 01:39:40,375 So, again, I don't know if it's on, is it on the Aperture Labs page, I don't know, 1415 01:39:40,375 --> 01:39:43,501 but in my blog, I have a blog about writing 1416 01:39:43,501 --> 01:39:47,375 the Python code that went and grabbed the last episode 1417 01:39:47,375 --> 01:39:52,125 of The Big Bang Theory so I could have a screen saver as those, and 1418 01:39:52,125 --> 01:39:56,167 the code is published and if you want to save time, some 1419 01:39:56,167 --> 01:39:59,834 of the copyright infringing images. 1420 01:39:59,999 --> 01:40:02,250 Brilliant work, gentlemen. 
1421 01:40:02,709 --> 01:40:08,292 I noticed that when you ran the ROMper program, you used 1422 01:40:08,292 --> 01:40:14,918 the original non-fluorinated versions of the chip. 1423 01:40:14,918 --> 01:40:19,459 You didn't use the etching compound before and after. 1424 01:40:19,626 --> 01:40:22,292 ADAM 'MAJOR MALFUNCTION' LAURIE: Yes, for that image, 1425 01:40:22,292 --> 01:40:26,459 for that particular process, we had actually finished. 1426 01:40:26,459 --> 01:40:28,542 By the time Zac perfected his technique, 1427 01:40:28,542 --> 01:40:32,959 I was working on original images and the reason he looked 1428 01:40:32,959 --> 01:40:36,918 at cleaning it up is because I was having difficulty 1429 01:40:36,918 --> 01:40:39,501 with some of the bits. 1430 01:40:39,542 --> 01:40:41,999 It was not actually clear whether it was 1431 01:40:41,999 --> 01:40:46,083 a 1 or 0 and I couldn't determine looking at it so I couldn't correct it 1432 01:40:46,083 --> 01:40:50,375 myself because I was guessing if it was the 1 or the 0. 1433 01:40:50,375 --> 01:40:52,292 Do you know how much time we have left? 1434 01:40:54,626 --> 01:40:58,459 So we are the last talk, so we can go as long as you guys can stand us. 1435 01:40:58,959 --> 01:41:02,999 The last thing between you and beer is us. 1436 01:41:03,083 --> 01:41:05,999 So it will work with both then? 1437 01:41:05,999 --> 01:41:08,375 ADAM 'MAJOR MALFUNCTION' LAURIE: Say again. 1438 01:41:08,375 --> 01:41:09,584 So it will work with both, whether you ADAM 'MAJOR 1439 01:41:09,584 --> 01:41:11,751 MALFUNCTION' LAURIE: Yes. 1440 01:41:11,751 --> 01:41:13,083 ZAC FRANKEN: Absolutely. 1441 01:41:13,083 --> 01:41:15,250 It's just how clean can you get your image. 1442 01:41:15,292 --> 01:41:16,709 ADAM 'MAJOR MALFUNCTION' LAURIE: I think that was 1443 01:41:16,709 --> 01:41:18,542 the last question anyway. 1444 01:41:18,542 --> 01:41:19,542 So thank you. 1445 01:41:19,542 --> 01:41:20,959 ZAC FRANKEN: Thank you.