Hi. And welcome. In the following hour we will talk about how to -- and how to (audio blipped) and communication. Now, let me introduce ourselves first. We are from -- and (muffled) we also designed a lot of interesting gadgets. Of course we have a lot of -- and my name is Yuwei Zheng and I'm interested in security embedded systems (audio blipped) and the BlackBerry is all my task in 2011. And this is another speaker, Haoqi Shan?
>> Hi everyone. A lot of people so I'm a little nervous. My name is Haoqi Shan and I'm a researcher on the Unicorn Team. I have a bachelor degree of electronic engineering this year. So a little bit of -- while I'm hacking into some embedded device and some electronic device. So I focus on the Wi-Fi hacking systems. Your routers and switchers. Now let's take a look at this. Why do we [indiscernible] from the cell. I believe you guys have seen -- hacking, the day before yesterday, what, yeah, so Wednesday just - this vehicle is not in Wi-Fi (audio blipped) connect through three generation or two generation. So if you want to know what is going on, you need a femtocell. That is useful advice. Besides when you want to do research on the products that are integrated -- the -- cell is the best choice that you have. If you want to capture or hijack or modify the FMS, the voice, the data traffic, you need it. So maybe someone wants to ask why do you guys not just use [indiscernible] such as open -- or USRP or -- radio. Why not? Because if you want to -- can do the -- hijacker but if you want to know the FMS - if you wanted to modify the data traffic, it's not okay. And it will access denied to the -- network. It has no real uplink or downlink so you cannot hijack it. You can know what is going in but you will know what is going out. This is a familiar, this is -- cell's advantage. Now you have the XS to the letter -- to the network operator's core network.
If you hack this, you can know what is going on, you can know [indiscernible] and data traffic. You can capture it, you can hijack it, you can modify it. Now you will have the ability to - in the operator's network. You can hack their switcher, you can hack their security gateway. If you are good, you can hack everything. If you guys want to use -- in research, such as you want to -- a vehicle with a modem, you can capture. Such as the FMS [indiscernible] that you can modify the -- data. Well, actually some device that use the data traffic will know that -- if it's connected with a true or fake -- this is a real -- so you can bypass it. And besides the data traffic [indiscernible] you can find some spots and now you can fix it or just hack it. How can I get this free from the cell? In China it's a little bit difficult to buy one. According to some policy they won't allow you to buy it. If you want to buy it, it's illegal. We can [indiscernible]. Let's just use reverse engineering. In China if you guys -- that will have not -- signals, we can make a phone call to a customer's device and you will tell them, hi, ma'am, kind of like a phone call to my home. What is going on? [indiscernible] you can just make a call again and again. Finally in the end you can make a complaint to the management department. This department will say, yes, they should solve the problem. And finally, sir, please [indiscernible] from the cell and it's free. And you can make your network signal's quality better. So now we have one -- to let's hack it - about these things, [indiscernible] Wi-Fi and absolutely, apparently, one port and two lamp posts. This is the most important thing, configuration IP. And the routers, 197.1 and the [indiscernible] IPEs, 197.241. Well, you guys can see that absolutely, the most important IPs is the home ID IP. This is the signal that you can configure. That's a quick and simple [indiscernible]. Let's map it. We got a lot of -- it's interesting.
Just [indiscernible] it comes up -- [indiscernible] operating system. The first thing is just enemy router. That's wrong. And something interesting is the [indiscernible] (muffled) longer and longer time. So forgot about the -- try it another way. Well, according to -- you can just - something more about it. It's a real-time operating system used a lot in military device, medication device, just, you know -- welshing of course it's not open source. So it's hard to break it. Well, just Google it. Just two [indiscernible] that comes out -- let's try -- uh-oh, you will know that the last three years and before the last three years, also at DEFCON the -- fell and it was modified a lot. It looked similar to this one. But in a very different sense. There is -- and you can just run a module and get in here. But it's pretty hard. This is a -- a different -- much harder. Remember the portal that we just scanned, there will be a [indiscernible]. Will have the -- just use the -- and try it. This doesn't work. Of course, this as well was -- [indiscernible] of course to -- version, well, it fell again. So what is going on? We just try it another way. We disassemble this and see what's in here and try to modify it and - to analysis. And this is the two parts. The home and the [indiscernible]. Contents of the -- and across - if you guys want a hacker embedded device, you know that -- lots of device that have bug ports. So the developer can just develop them and bug it through this portal. What we do is find out -- it's on the board. And I will tell you this is the bug board. It will say this is TX, this is RX. So you can simply connect it with your laptop. USB to - several ports. So you just connect to the port with a laptop. It's just [indiscernible]. Of course, let's just use it. And a lot of information -- device is -- this is 6.8. You can see it tells you (audio blipped) you can apply simple steps. Now just use it. Thank you.
Let's just, well our nature is help or [indiscernible] list and say what commands we can use. Apparently some -- you see it, you will know which one is important. The changeable -- and the -- well of course, (muffled) copy memory. Memory is everything, right? So you can just take a quick look. Press P and enter. Well here comes something else. We try it. This -- is nothing. Let's see the -- structure. A lot of things, and apparently I use days to say -- which means what. Can we use it and how large is it. Well [indiscernible], really terrible. And well, now I can tell you that this is the most important thing, in my world. [indiscernible] the configuration file. And the user one is the -- the system and your router and -- number. And the two is -- [indiscernible], give us a little bit of -- so we can't just put in another structure. And back up, a back up virus. We don't have a lot of ways to hack it. So -- from there and -- system and analysis the system. Here are those things, how do we validate. From where. Memory use the [indiscernible] just a simple test, we upgrade, upload and download. It looks fine. We know the past which is the CP, and one by one. You can -- write a simple script. Not like me, I just type. According to our work, [indiscernible] most important. Now this might --
>> Okay. From the MP3 -- we can guess that maybe I compress the -- but, (audio blipped) information, I got nothing. After -- doing research, I found -- what is an -- [indiscernible] or compress or deflate all of them. But even though we -- plate, what I -- error. Got the 05050 from the header. The next -- I guess it's the length. This length plus -- equal to the file length. After we -- [indiscernible] to decompress it. And now, let's examine ... Thank you. Now, let's examine the -- and -- (muffled) contained a lot of literal -- and it's a success. Now, we can analyze somewhere -- binary. It's not contained any information about the location and the linking information.
From the -- here, we can use a command to load the, we can see -- able to say 010000. This is the -- [indiscernible]. Is cued from. And now we can load in -- and address say 010, 0000. And difficult. Find the information difficult. I finally -- to create -- why [indiscernible] have been encoding the basic 64 -- after, 72 binary. (muffled)?
>> So sorry. It's not ours. Here we're trying to bring our own laptop. Our laptop that kind of come to America. We should buy one, buy a Mac. Sorry. Almost done. We are back. Okay. Now the -- file - and [indiscernible] 256 and 32 bytes. So maybe - FHA to -- one to eight. We will try one to eight. Sometimes we don't have good luck. Each one -- which -- work. Somewhere. They had to change the password and the -- decoding. [indiscernible] have to -- this configuration, it's one thing. Have to get the original hash code and the -- and then compare the two. So we got the -- instructions. Run to the. Here we have -- and patch somewhere and the -- will compress it. The header length. We can also use - patch method. Compress the -- to the memory. And then a commander. Instruction from the [indiscernible]. FE8. You can actually -- we can get the -- and -- [indiscernible]. We can get the -- let's capture the -- try to analyze it. We can use the computer to -- (muffled) to capture the -- in real time, now. Now -- we can view the -- open the packet. (audio blipped). Here, I got it. It's really hard to see. It's recording. It's a big packet. We just captured two days and all our neighbors, we can all see. Decoded. You may say [indiscernible] maybe it's going to crash it. And it's encrypted with -- de-corrupted. [indiscernible] I think it's -- and now, de-corrupting it. That is the -- you need to find which protocol -- change the protocol. And after decoding the protocol we can analyze the -- and GPS is replaced with -- protocol. So -- decoder. This is the way we capture it.
>> Here is my version. Which one is this one?
Let's have a look at -- we can see the details. We can show you already -- well, here is the -- itself. Beside that -- you guys can have my phone number and now you can hack me. You can see -- well, now we are capturing the data, grows, grows, grows. That's just a tab for JSM/JSM. Well, here it is. Now we can see the details. Of course I have a video about how to capture the HTML contents, but according to our time, we -- also we have a vendor area in the vendor area. So if you guys want to know something, you can -- you have the PowerPoint and my email. You can send us an email or ask more of your questions. And I apologize for my -- according to some policy [indiscernible] and I'm really sorry about that. So if you guys want to, just come and speak with me in private. Okay? ...(applause)... Let me show you my email. This is okay. You have a PDF. Here is our email. This is a family and we got a lot of reference. This is my email. The Unicorn Team. You can buy things or just ask me a lot of questions. That's all. Thank you.