00:00:00.167,00:00:03.437
>> Um, thank you guys for
coming. My name is Joe Grand, I

00:00:03.437,00:00:06.773
am a Portland based uh
electrical engineer, hardware

00:00:06.773,00:00:11.445
hacker, uh product designer. I
love electronics. >> My name is

00:00:11.445,00:00:14.882
Joe Fitzpatrick, I am a Portland
based electrical engineer,

00:00:14.882,00:00:18.118
hardware hacker, I love
electronics. >> Yeah so

00:00:18.118,00:00:20.888
sometimes it's hard to tell us
apart. >> We, we ran into each

00:00:20.888,00:00:23.257
other a little while back and
realized that we had a little

00:00:23.257,00:00:27.027
bit in common. >>Yeah [Laughs]
>> Like we both have brown hair.

00:00:27.027,00:00:28.996
>> That's right, but he has a
much better looking beard though

00:00:28.996,00:00:32.533
than I do. So um we've been
designing electronics for a long

00:00:32.533,00:00:36.970
time and um we've run into all
sorts of problems and failures

00:00:36.970,00:00:41.008
with uh usually unintentionally
but sometimes intentionally of

00:00:41.008,00:00:43.310
breaking electronics. So we
thought it'd be good as like a

00:00:43.310,00:00:46.713
DC 101 talk for people who wanna
get involved in electronics and

00:00:46.713,00:00:49.816
and get involved in hardware. So
to learn from our mistakes and

00:00:49.816,00:00:51.885
uh we can sort of share our pain
with you guys so hopefully you

00:00:51.885,00:00:54.254
don't have to go through the
same thing. >> So yeah, who, who

00:00:54.254,00:00:57.891
has ever bricked something
before? Yeah! >> Oh wow! >>

00:00:57.891,00:00:59.726
You're the right audience. >>
See you guys could all come up

00:00:59.726,00:01:02.029
here to and... >> You should be
teaching us. We'll take turns,

00:01:02.029,00:01:04.998
who wants to go first? >> Share
your stories. Um so yeah we we

00:01:04.998,00:01:09.336
sort of broken this, we broke
this down into uh 101 different

00:01:09.336,00:01:11.805
sections. >> Uh...One oh one. >>
Yeah, Oh sorry. One oh one.

00:01:11.805,00:01:14.641
hundred and one, whatever,
binary. >> yeah, cause you'd,

00:01:14.641,00:01:18.145
that would be a long talk.
[Laughs] >> Yeah, fooled you,

00:01:18.145,00:01:21.615
there's only five or whatever.
What is this? Yeah five.

00:01:21.615,00:01:23.817
[Laughter] Starting at one. So
we're sort of cheating 'cause

00:01:23.817,00:01:27.854
we're not starting at zero, we
cheated. >> Yeah. [Laughter] >>

00:01:27.854,00:01:29.289
So yeah, so we have a few
different, you know kind of

00:01:29.289,00:01:31.625
broke it down into different
sections. So... >> So first we

00:01:31.625,00:01:35.262
gotta define what a brick is. So
the authoritative source of all

00:01:35.262,00:01:38.165
of this is what of course Urban
Dictionary. Brick. A pound or a

00:01:38.165,00:01:42.102
kilogram.. kilogram of any drug.
Item requires clarification from

00:01:42.102,00:01:45.806
speaker as to the amount
intended. Um yeah so that's what

00:01:45.806,00:01:47.975
a brick is. So we're gonna talk
about a hundred.. no. >> Well we

00:01:47.975,00:01:50.077
gotta do the I get my dope
straight off a brick. >> Oh,

00:01:50.077,00:01:52.446
there you go. >> There, you
gotta give the example of it. >>

00:01:52.446,00:01:54.815
I got a lot of bricks at home to
get dope off of. [Laughs] >> Uh,

00:01:54.815,00:01:59.219
so brick. Uh uh‚ To brick
something‚ >> Alright so yeah,

00:01:59.219,00:02:01.621
this is the action of rendering
any small-medium size electronic

00:02:01.621,00:02:04.257
device useless. This can happen
while changing the firmware,

00:02:04.257,00:02:06.960
soldering or any other process
involving hardware or software.

00:02:06.960,00:02:09.262
This was actually in an Urban
Dictionary? >> Yeah. >> Someone

00:02:09.262,00:02:12.099
added that in, wow. Okay cool.
>> Yeah, it was Jules Verne. >>

00:02:12.099,00:02:14.167
Awesome, so it's an actual real
verb now so now... >> Yeah >>

00:02:14.167,00:02:16.803
Now it's like beyond DefCon...
>> Uh huh. >> t's a real

00:02:16.803,00:02:19.339
thing. >> I bricked my mobile
phone when I tried to install

00:02:19.339,00:02:21.441
Linux on it. >> That guys a
noob. [Laughter] >> Uh. Okay, so

00:02:21.441,00:02:27.848
we have two different types of
bricks. Um there's the soft

00:02:27.848,00:02:30.117
brick. >> So the soft brick's
kind of easy. You know like you

00:02:30.117,00:02:33.020
did something, it doesn't work,
it doesn't turn on. But it does

00:02:33.020,00:02:35.322
have signs of life right, this
is when you get like this, the

00:02:35.322,00:02:38.191
little message on those those
those Jesus phones that like ooh

00:02:38.191,00:02:41.528
you got to plug it in to itunes.
Phone home. Um or on an Android

00:02:41.528,00:02:44.097
you get the, the little Android
with the, the little belly uh

00:02:44.097,00:02:47.267
virus thing sticking out. >>
Yeah. Operate on me. >> So yeah

00:02:47.267,00:02:49.436
but this you know soft brick,
that's the software problem.

00:02:49.436,00:02:52.272
Let's talk about hard bricks.
This is what gets rid of them.

00:02:52.272,00:02:54.841
[Laughter] >> Who, who who loves
the hard brick gang? >> Yeah. >>

00:02:54.841,00:02:57.811
Ah yeah. >> Yeah. [Clapping]
Hard bricks are awesome. >>

00:02:57.811,00:02:59.980
Yeah. >> So yeah, these are the
things that actually require

00:02:59.980,00:03:04.851
some sort of hardware hacking
uhhm, modification or fix or

00:03:04.851,00:03:08.288
something usually if you can get
it unbricked again. So there is

00:03:08.288,00:03:11.958
this sort of variation. We are
focused pretty much exclusively

00:03:11.958,00:03:13.794
on hard bricks. Right? >> Yeah
and the great thing about hard

00:03:13.794,00:03:16.096
bricks is it's a hard brick.
Like you're not going to brick

00:03:16.096,00:03:18.131
it harder right? >> Right. Once
you've yeah, once you're done,

00:03:18.131,00:03:20.600
you're done. >> Yeah so. >>
Yeah, you can only undo it. So

00:03:20.600,00:03:22.602
yeah, we'll go through a bunch
of different sections. Starting

00:03:22.602,00:03:25.272
with probably the most common
and the most obvious is is

00:03:25.272,00:03:27.974
Bricking through Messing up
Firmware. >> Yeah. >> Um so we

00:03:27.974,00:03:31.078
have lots of you know, crazy
examples. I should mention so

00:03:31.078,00:03:34.981
these are examples of our actual
bricks. And we have you know, a

00:03:34.981,00:03:39.119
lot, a lot of them here that
we're sharing um the same things

00:03:39.119,00:03:42.389
could happen on your stuff
right? So you might actually go

00:03:42.389,00:03:45.025
to the same problems just not
with the same products. Um

00:03:45.025,00:03:47.027
starting with the DefCon 18
badge. How many of you guys have

00:03:47.027,00:03:51.064
the DefCon 18 badge? Like five
people. Are you serious? All you

00:03:51.064,00:03:53.900
guys, all you guys are newer
since then? [Comment from

00:03:56.870,00:03:58.705
audience: They ran out!] >> Oh.
[Laughter] Apologies! Cool

00:03:58.705,00:04:01.108
that's awesome alright so no one
has it which is better because

00:04:01.108,00:04:05.445
you probably run into this issue
but welcome to Defcon. Um so the

00:04:05.445,00:04:07.747
DefCon 18 badge was one that I
designed it was the last one

00:04:07.747,00:04:11.351
that I designed and um this
particular one had an MC56F8006.

00:04:11.351,00:04:14.821
It was a free skill-based
digital signal controller.

00:04:14.821,00:04:17.324
Micro-controller that have lots
of good hardware functionality

00:04:17.324,00:04:19.960
for sort of DSP types of
functions but in a

00:04:19.960,00:04:23.029
micro-controller and I um I had
a boot loader in there that you

00:04:23.029,00:04:27.601
could load through USB um new
code in. To try to make it

00:04:27.601,00:04:29.770
easier for people to jack on
their badges without needing

00:04:29.770,00:04:32.339
JTAG hardware and DBUG hardware
and all that stuff. So just

00:04:32.339,00:04:36.042
through USB but if you mess up
during the linking process like

00:04:36.042,00:04:38.778
with your compiler and if you
point your code in the wrong

00:04:38.778,00:04:42.249
spot if you don't include the
boot loader back in and you

00:04:42.249,00:04:44.551
reprogram it and you screw
something up in the badge isn't

00:04:44.551,00:04:47.721
going to work. So sort of a
lesson in an proper compiler

00:04:47.721,00:04:50.857
configuration and the only
failure so at that point it

00:04:50.857,00:04:53.693
would not work at all and the
only way to fix it is to use the

00:04:53.693,00:04:56.630
JTag interface the standard
developing tools to reload

00:04:56.630,00:04:59.199
everything. And JTAG being an
industry-standard debug

00:04:59.199,00:05:03.170
interface that is useful but
more of a pain in the ass

00:05:03.170,00:05:05.472
because now you need the tools
to connect up to solder on the

00:05:05.472,00:05:08.175
connector and do all of that so
that's sort of a standard thing.

00:05:08.175,00:05:10.810
You mess up a boot loader, save
it with JTAG. And that's

00:05:10.810,00:05:13.713
something we see a lot of people
having routers and phones and

00:05:13.713,00:05:15.715
things like that. Because they
can always recover it, usually

00:05:15.715,00:05:18.985
through JTAG, um though not, not
necessarily. >> And like most

00:05:18.985,00:05:22.055
devices start their life you
know as a nonfunctional block of

00:05:22.055,00:05:25.492
something that gets programmed
by manufacturer so you know,

00:05:25.492,00:05:27.294
there's got to be a way to get
something that doesn't have any

00:05:27.294,00:05:29.763
code on it to get code on it.
JTAG is usually that way. >>

00:05:29.763,00:05:32.365
Usually you would put JTAG to
load the boot loader and then

00:05:32.365,00:05:34.668
the boot loader to load your
code but if you brick the boot

00:05:34.668,00:05:37.370
loader then you got to start all
over again. >> Or you just buy a

00:05:37.370,00:05:40.006
new one [Laughter] >> Yeah, or
get someone else to buy a new

00:05:40.006,00:05:42.509
one. >> So uh, Wiping Critical
Sections. So this is a

00:05:42.509,00:05:45.045
Chromebook firmware. So who's
ever used a Chromebook? They're

00:05:45.045,00:05:48.515
kind of cool so they do some
fancy bio stuff. They're all uh

00:05:48.515,00:05:50.283
the ones that are based on Linux
platforms. They have what's

00:05:50.283,00:05:53.186
called a manageability engine um
and you see the difference

00:05:53.186,00:05:56.923
between these two uh histograms
right here? So there's this big

00:05:56.923,00:06:01.194
uh block that's up here and uh
you know it's got a lot, a lot

00:06:01.194,00:06:03.196
of stuff right there. So this is
a histogram. It's a tool called

00:06:03.196,00:06:06.833
Binwalk. It analyzes binary
files firmware images and it's

00:06:06.833,00:06:09.836
missing in this other one so
what happened is it if you go

00:06:09.836,00:06:12.205
and you take your Chromebook and
kind of tamper with this thing

00:06:12.205,00:06:14.741
so let me let me get back up
first. You take a backup from

00:06:14.741,00:06:17.978
software you get this. You get
this big zero, a bunch of zeros

00:06:17.978,00:06:22.249
right here. Right? If you then
and you get the uh heart and oh

00:06:22.249,00:06:24.618
I bricked it, it doesn't work I
need to open it up. I need to

00:06:24.618,00:06:28.221
use my bus pirate or something
else or I need to plug pins on

00:06:28.221,00:06:31.558
there and refresh the chip, I'll
just flash this on there. You'll

00:06:31.558,00:06:35.028
totally brick it because this
block of code is a block of code

00:06:35.028,00:06:37.864
used for manageability engine on
the Intel PC's, if it's not

00:06:37.864,00:06:40.967
there, the thing doesn't boot,
so kind of sucks so you got a

00:06:40.967,00:06:43.370
software dump, it's different
from your hardware and you flash

00:06:43.370,00:06:46.473
it back via hardware and you
bricked it. >> So the lesson

00:06:46.473,00:06:49.876
being, if you can get hardware
access to get code out that's

00:06:49.876,00:06:52.145
probably safer  >> Yeah  >>Thing
to do if you happen to

00:06:52.145,00:06:56.149
have a backup of it before you
mess up. >> So another one on

00:06:56.149,00:06:58.018
the Chromebooks. I do a lot of
poking at this Chromebooks

00:06:58.018,00:07:01.688
because I have a lot of them. Um
so you can mount the read only

00:07:01.688,00:07:05.959
filesystem as read/write. Okay.
Um, that makes sense. And then

00:07:05.959,00:07:09.296
you can make changes and you can
reboot okay it let you do that,

00:07:09.296,00:07:13.133
that's cool. Um now the colonel
verifies the route before it

00:07:13.133,00:07:16.936
mounts it and it doesn't match
okay it checks the signature, it

00:07:16.936,00:07:20.140
checks all this crypto stuff
that that the math people can

00:07:20.140,00:07:23.076
figure out but all that matters
is a mismatch cause the error.

00:07:23.076,00:07:25.712
You made a simple like change
that shouldn't have bothered

00:07:25.712,00:07:28.615
anything but you, you tampered
with the whole chain of trust

00:07:28.615,00:07:32.085
and now you have a brick. Chrome
OS is missing or damaged, please

00:07:32.085,00:07:35.989
insert a recovery USB stick or
SD card note the blue USB port

00:07:35.989,00:07:41.361
will not work for recovery so
backup backup backup before you

00:07:41.361,00:07:45.532
take your hardware backups. It's
the only way. >> Ah, this is a

00:07:45.532,00:07:49.269
good one. >> So yeah. [Laughter]
Who's done this? Who's done

00:07:49.269,00:07:50.704
this? >> That finger
something >> Yeah okay. So

00:07:50.704,00:07:54.174
DD, like copy blocks of stuff
and you know you gotta copy to

00:07:54.174,00:07:59.713
this USB flash drive, you gotta
copy a hundred of them and

00:07:59.713,00:08:03.483
you're like okay, Sudo DD
interface. Install that iSO, OF

00:08:03.483,00:08:07.020
equals dev sda. So SDA is
generally the first uh serial

00:08:07.020,00:08:09.322
disk in your systems so that's
probably the drive you're

00:08:09.322,00:08:11.991
booting off of but you have to
do it as root because otherwise

00:08:11.991,00:08:15.495
you can't access the level of
locked devices so you just

00:08:15.495,00:08:19.599
erased everything on your
system. Who's done that before?

00:08:19.599,00:08:20.934
[Laughter] >> Wow. So many
people are admitting it too,

00:08:20.934,00:08:23.403
that's awesome. >> Back
everything up. Back everything

00:08:23.403,00:08:26.272
up. Yeah. >>Acceptance is the
first step >> Are we taking

00:08:26.272,00:08:27.974
pictures of all of them?
[Laughter] So here's the other

00:08:27.974,00:08:32.812
thing like now I've got an
laptop and it's got an x uh em

00:08:32.812,00:08:37.517
uh what's it called? NVME. Uh
a Non-Volatile Memory

00:08:37.517,00:08:41.888
Express. Storage drops in and
connects over to PCI Express. So

00:08:41.888,00:08:45.492
in Linux it's dev NVME one, nvm
uh, NVME. Uh and that's great

00:08:45.492,00:08:51.631
except I put a USB drive and I
now need to put something on it.

00:08:51.631,00:08:56.169
It shows up as dev SDA so I do
this all the time now and if I

00:08:56.169,00:08:59.439
ever get a new laptop I'm gonna
wipe it on a daily basis.

00:08:59.439,00:09:03.543
[Laughter] >>That's just evil.
>> So make backups. >> So yeah,

00:09:03.543,00:09:06.846
so unbricking these types of
firmware issues, um, if you have

00:09:06.846,00:09:08.548
a back up that you know that's
good. Um if you're gonna hack on

00:09:08.548,00:09:12.051
something try to get a good
known image before you start

00:09:12.051,00:09:17.257
messing with stuff. Um. >> Yeah,
yeah. Um, what? Who? >> I don't

00:09:17.257,00:09:19.359
know, directly read/write the
storage media. He wrote that

00:09:19.359,00:09:22.629
one. >> I did. Yeah, oh yeah if
you uh if you really want a back

00:09:22.629,00:09:25.565
up don't trust your operating
system don't trust your CPU just

00:09:25.565,00:09:28.568
go straight to the device and
read it right if you have a chip

00:09:28.568,00:09:31.371
of some sort read it with the
programmer don't read it with

00:09:31.371,00:09:34.507
software. >> Yup and other
hardware things too, it's funny

00:09:34.507,00:09:36.910
because you cannot unbrick you
know, your firmware using

00:09:36.910,00:09:39.479
hardware. Um swap out the flash
device, the memory device,

00:09:39.479,00:09:41.581
whatever you've bricked, if you
have another backup or maybe

00:09:41.581,00:09:45.318
take one from a product that is
good that has the same content

00:09:45.318,00:09:49.589
take one off one board or put on
another or copy one the raw off

00:09:49.589,00:09:51.991
put it in another one. And then
use Debug interface if it

00:09:51.991,00:09:55.195
exists. It usually does either
its Jtag or a vendor specific

00:09:55.195,00:09:59.165
interface of some sort that will
let you reload new code back in

00:09:59.165,00:10:02.035
assuming you took the back up in
the first place. >> So yeah, if

00:10:02.035,00:10:05.071
you got those back up its great
you know if you don't you might

00:10:05.071,00:10:07.607
have to buy a new device and
that sometimes expensive so

00:10:07.607,00:10:10.076
swapping out the physical flash
device whatever the device is

00:10:10.076,00:10:12.445
that you actually broke
sometimes is a lot cheaper than

00:10:12.445,00:10:15.515
replacing the whole system right
so if you if you worked a flash

00:10:15.515,00:10:17.350
chip or worked something else
like that, just replace that

00:10:17.350,00:10:20.053
chip, you're good. >> And just
return the one you uh just

00:10:20.053,00:10:23.289
bought. >> Yeah. [Laughter] >> I
don't condone that. People are

00:10:23.289,00:10:27.794
shaking their heads. No... >>
Cash only. [Indiscernible

00:10:27.794,00:10:29.128
comment from audience.]
[Laughter] >> Just stopped

00:10:29.128,00:10:30.463
working. That reminds me, we'll
tell a little story about that

00:10:30.463,00:10:32.966
with this >> I've never done
that I've never done that. >> No

00:10:32.966,00:10:35.969
me neither. >> Never. >> Alright
then, so the next section. >>

00:10:35.969,00:10:38.638
Actually, we got a question, can
anybody in the audience identify

00:10:38.638,00:10:42.442
what's wrong with this PCB? >>
Oh yeah. A little quiz. >> Tough

00:10:42.442,00:10:45.245
one. If you're new to hardware,
it might be difficult.

00:10:47.547,00:10:49.983
[Laughter] >> Okay so, now we're
getting into some actual

00:10:49.983,00:10:53.853
physical destruction. Um
bricking PCBs. A main concern

00:10:53.853,00:10:56.856
when people get into hardware
hacking is am I gonna damage the

00:10:56.856,00:10:59.993
board am I gonna damage a chip,
I don't know. I don't know how

00:10:59.993,00:11:02.896
to solder. Um, normally it takes
a lot like circuit boards are

00:11:02.896,00:11:06.432
pretty robust to heat. Chips are
designed to withstand a decent

00:11:06.432,00:11:08.301
amount of heat when they go
through a reflow oven when

00:11:08.301,00:11:11.271
they're being soldered. And
typically the failure modes are

00:11:11.271,00:11:14.040
thermal cycling if you're
removing a part, putting it back

00:11:14.040,00:11:15.775
on the board, or removing a
part, putting it back on the

00:11:15.775,00:11:19.312
board uh but sometimes you get a
little overzealous and other

00:11:19.312,00:11:23.316
problems happen like we'll talk
about here. >>So yeah, um who's

00:11:23.316,00:11:25.785
ever had ever taken was like a
wireless router something like

00:11:25.785,00:11:29.522
that okay they're fun fun
program and you will come up and

00:11:29.522,00:11:31.758
you can find all sorts of neat
headers on them so if you're

00:11:31.758,00:11:35.094
poking around. Can I get over
there, ah I can't get over

00:11:35.094,00:11:36.696
there. >> You have to describe
it with words. >> I have to

00:11:36.696,00:11:39.332
describe it, I don't know words.
[Laughter] So what we've got is

00:11:39.332,00:11:42.669
a bunch of uh pins on here and
this is just a bare header that

00:11:42.669,00:11:45.004
is sitting there on the
motherboard and we need to get

00:11:45.004,00:11:47.340
that solder out of there to get
the header in there so we can

00:11:47.340,00:11:50.410
use a JTAG adapter . So it's
unpopulated, and you know

00:11:50.410,00:11:52.679
sometimes just want to get
something done and you're

00:11:52.679,00:11:55.114
sitting there so you crank the
iron all the way up come on come

00:11:55.114,00:11:58.384
on melt solder, melt solder. You
really don't have patience and

00:11:58.384,00:12:01.588
uh you need patience because too
much heat sloppy work um I

00:12:01.588,00:12:04.324
basically completely completely
peeled out the through hole

00:12:04.324,00:12:07.827
lining of each of these. Um, I
usually do a better job

00:12:07.827,00:12:10.697
soldering but that's kind a like
that happens sometimes. >> This

00:12:10.697,00:12:13.633
is a great job chop soldering.
[Laughter] >> So actually, I've

00:12:13.633,00:12:15.835
seen I've seen worse I have to
have I done worse jobs. >>

00:12:15.835,00:12:18.538
Actually I have too. >> I've
done worse jobs. This week, this

00:12:18.538,00:12:20.740
week. >> And the way, the reason
this is happening the way that

00:12:20.740,00:12:23.576
circuit boards manufactured is
you have a conductive layer and

00:12:23.576,00:12:28.014
it's basically glue down to a
non-nonconductive layer and that

00:12:28.014,00:12:31.084
glue will get softened with a
lot of heat and you can pulled

00:12:31.084,00:12:33.753
right off the board. >> So yeah,
you can pull the copper off of

00:12:33.753,00:12:36.956
the board you can pull the
layers of the board apart and

00:12:36.956,00:12:40.026
it's really messy. >> So yeah
patients really is the answer

00:12:40.026,00:12:42.695
and um also you know this really
common problem because most

00:12:42.695,00:12:45.732
devices that have through whole
parts in them are assembled with

00:12:45.732,00:12:47.867
what's called a wave soldering
station or a wave soldering

00:12:47.867,00:12:52.071
machine where like a big wave of
solder basically solders all of

00:12:52.071,00:12:54.240
the through whole parts that are
underneath your coming to the

00:12:54.240,00:12:57.610
board and that's why when you
get products, consumer products

00:12:57.610,00:13:00.146
all of the holes are filled with
solder because of that wave flow

00:13:00.146,00:13:03.349
or the reflow and the way
soldering in the service tension

00:13:03.349,00:13:05.618
pulls up the soldering to the
holes. So the first thing you

00:13:05.618,00:13:07.587
usually have to do when you're
hacking stuff, is like suck that

00:13:07.587,00:13:10.890
stuff out. >> So another one um,
I play with these things a lot.

00:13:10.890,00:13:14.460
Uh pogoplug is like $10 networks
and network network attached

00:13:14.460,00:13:18.297
storage device um I think I
dropped the pictures of it uh

00:13:18.297,00:13:21.501
yesterday uh where I plug PCI
cards into it but that's beside

00:13:21.501,00:13:24.103
the point. I was trying to
figure out whether JTAG pins

00:13:24.103,00:13:27.540
were on this guy. I knew the CPU
I knew where they were, I knew

00:13:27.540,00:13:29.842
where the pins were on the CPU
but I thought that there had to

00:13:29.842,00:13:32.578
be test points and so I just
decide okay you know what I'm

00:13:32.578,00:13:34.747
just gonna, I'm just gonna take
the chip off. I'll figure it

00:13:34.747,00:13:37.216
out, I'll look at the traces
underneath. In the process of

00:13:37.216,00:13:40.086
doing that like you can see the
exploded view in the bottom

00:13:40.086,00:13:43.823
right. Uh, it's kind of tiny but
there's a couple traces that in

00:13:43.823,00:13:46.325
the process of taking the chip
off. You know, you you sit there

00:13:46.325,00:13:50.029
with a hot uh a hot iron hot
iron uh hot air and you blow on

00:13:50.029,00:13:52.465
the chip and the chip gets
warmer and warmer and warmer

00:13:52.465,00:13:55.101
very patiently. And what's
really annoying is the last

00:13:55.101,00:13:57.837
thing to melt is the solder,
right? Because the solder

00:13:57.837,00:13:59.806
conducts the heat wave so you
just sit there, you gotta be

00:13:59.806,00:14:01.908
patient. Gotta be patient and
when you want to get something

00:14:01.908,00:14:04.177
to work you are not patient so
then I'm, like okay so it's

00:14:04.177,00:14:06.479
what's almost off so I stick
something in there and I try to

00:14:06.479,00:14:08.748
lever it up and in the process
of doing that everything I stuck

00:14:08.748,00:14:10.883
under there, I scratched a whole
bunch of traces off. SO they

00:14:10.883,00:14:13.686
were disconnected. And you know,
pull it off. And you know after

00:14:13.686,00:14:15.922
all that effort I find out that
there wasn't even test points

00:14:15.922,00:14:18.191
for JTAG anywhere. I thought
they were routed underneath the

00:14:18.191,00:14:22.028
chip they weren't um so you know
in this case though I actually

00:14:22.028,00:14:24.564
kind of said screw it I don't
care if I brick this one I mean

00:14:24.564,00:14:28.601
it's 10 bucks and I was fine
with losing the 10 bucks but I

00:14:28.601,00:14:30.770
learned something from it I
guess. >> Well and this is a

00:14:30.770,00:14:32.939
good example too is if you are
hacking on stuff, is if you can

00:14:32.939,00:14:36.142
get multiple units to have a
sacrificial lamb to do something

00:14:36.142,00:14:38.911
like that if you do need to look
at what's underneath the part,

00:14:38.911,00:14:41.080
it's like alright if I break
this one when I don't care, now

00:14:41.080,00:14:44.016
I'll get the information I need
to do an attack on another one.

00:14:44.016,00:14:46.085
Like that's okay but if you
don't and you only have one,

00:14:46.085,00:14:47.420
then you're screwed. >> Yeah,
and then you return it and

00:14:47.420,00:14:49.522
you're like, hey it's bricked, I
don't know what happened.

00:14:49.522,00:14:52.992
[Laughter] I just opened it up.
>> Um alright so Shorting

00:14:52.992,00:14:57.130
Traces. This is totally uh you
know, something that happens a

00:14:57.130,00:15:00.666
lot. Um and this is this is a
Hirsch ScramblePad so this is a

00:15:00.666,00:15:05.171
uh, um an access controlled
device that is use at like the

00:15:05.171,00:15:07.540
White House and other federal
buildings and airports and

00:15:07.540,00:15:09.976
stuff. And‚ it's it's designed
in the 80s, I think they've

00:15:09.976,00:15:12.378
updated it since then but you've
probably seen them before. You

00:15:12.378,00:15:15.648
push a button on the pad and the
key or the number ordering

00:15:15.648,00:15:18.751
changes every time it goes like
[sound effect] and like changes

00:15:18.751,00:15:22.789
every time so someone can't you
know look at the watermarks or

00:15:22.789,00:15:24.824
your fingerprints on the thing
and try to narrow down the key

00:15:24.824,00:15:28.194
space. It also has really narrow
viewing angles. Um, so I put one

00:15:28.194,00:15:30.663
of these in my office. Which is
funny because you could just

00:15:30.663,00:15:33.266
kick the door down if you wanted
to. Don't get any ideas by the

00:15:33.266,00:15:36.702
way. Um. So I got one of these
things on Ebay, I was messing

00:15:36.702,00:15:39.338
around with it, uh I had some
batteries. I was kind of testing

00:15:39.338,00:15:42.642
out the system. Taking some
measurements on the linear

00:15:42.642,00:15:46.212
regulator. Just a standard you
know, run the mill, LM 7805. A 5

00:15:46.212,00:15:48.948
volt regulator that was taking
in, can't remember what it was

00:15:48.948,00:15:52.819
12, 12 volts in um so I want to
measure the input, make sure I

00:15:52.819,00:15:54.687
wasn't gonna fry the rest of the
circuitry because this

00:15:54.687,00:15:59.492
particular board was from 1992
and I didn't have a backup of

00:15:59.492,00:16:01.994
the uh of the code on the micro
controller in case I broke

00:16:01.994,00:16:05.731
something. Um, I don't know what
happened but one of my probes

00:16:05.731,00:16:08.768
slipped and shorted the input
which are these very

00:16:08.768,00:16:12.071
high-capacity batteries with
very high current output um

00:16:12.071,00:16:17.176
directly ground which causes a
short circuit and a spark and

00:16:17.176,00:16:19.378
damage to the uh to the board.
You can sort of see in the

00:16:19.378,00:16:21.681
exploded view. Like All of the
solder mask and part of the

00:16:21.681,00:16:25.384
board is actually missing. Um
and I was really scared that I

00:16:25.384,00:16:29.956
just completely ruined this
device luckily the uh the

00:16:29.956,00:16:32.725
regulator is pretty robust I
didn't do any damage still had a

00:16:32.725,00:16:36.395
stable five volt output um but I
sort of sat in the corner and

00:16:36.395,00:16:38.798
whimpered for a while. I had a
bruised ego but I immediately

00:16:38.798,00:16:42.068
sent a picture to Joe and was
like we can use this in our

00:16:42.068,00:16:44.403
presentation. [Laughter] >> Yeah
it was great, I, I mentioned

00:16:44.403,00:16:48.140
this idea to Joe and he was like
ah I can brick this, I can brick

00:16:48.140,00:16:51.744
that, I can brick that and went
and he broke everything he had.

00:16:51.744,00:16:53.112
[Laughter] >> Very easy. >>
Which is great because that's

00:16:53.112,00:16:55.982
what I've been doing for the
past two weeks before that. >>

00:16:55.982,00:16:59.185
Um so here's another one. Um
Burning Traces. This was, this

00:16:59.185,00:17:01.754
was a fun example. I
was reverse engineering a um a

00:17:01.754,00:17:05.791
vacuum sealing uh food, you know
like a food thing to to vacuum

00:17:05.791,00:17:09.762
seal food. Uh I was working on a
project designing basically uh

00:17:09.762,00:17:12.198
something very similar that. So
I was reversing this board to

00:17:12.198,00:17:17.904
figure out how it was design and
um made a really beginner error

00:17:17.904,00:17:20.406
uh using my oscilloscope I want
to visualize you know some of

00:17:20.406,00:17:23.242
the traces on the board but what
I didn't realize that I was

00:17:23.242,00:17:27.046
creating uh some ground loop and
I was accidentally measuring a

00:17:27.046,00:17:29.115
signal, a AC signal that I
should not have been measuring

00:17:29.115,00:17:31.284
when I had things that I
probably should've maybe been

00:17:31.284,00:17:34.787
using a multimeter that was
isolated. Um and there was one

00:17:34.787,00:17:38.424
trace on the board that is
designed to be a fuse so that

00:17:38.424,00:17:40.993
circle there. You can sort of
see the square and then it kind

00:17:40.993,00:17:44.030
of goes out in a right angle
like a really thin trace before

00:17:44.030,00:17:47.366
it gets to the rest that was a
fuse designed into the circuit

00:17:47.366,00:17:51.938
board which saved not only me
but it saved my oscilloscope um

00:17:51.938,00:17:55.875
from actually you know getting
destroyed. And um normally you

00:17:55.875,00:17:58.144
know, this is, this is kind of
what happened. >> [Video: And

00:18:00.279,00:18:02.815
what happens? Bang!] [Laughter]
>> Yeah so, that was Dave Jones

00:18:02.815,00:18:05.284
if you haven't seen his EEV blog
videos you should check them

00:18:05.284,00:18:08.888
out. He's uh a very interesting
engineer with um lots of lots of

00:18:08.888,00:18:11.590
good technical detail and lots
of opinions. >> Actually you

00:18:11.590,00:18:15.227
wanna go back to the picture of
that PCB? Uh there's a moral to

00:18:15.227,00:18:19.999
be gained from this right? Um
this is uh a Food Saver V850.

00:18:19.999,00:18:24.837
[Laughter] Okay. Joe's hacking a
Food Saver V850. This is not

00:18:24.837,00:18:28.074
a a Smart food saver, is not
an internet enabled food saver,

00:18:28.074,00:18:30.776
this is like the vacuum thing
that you put like steaks in so

00:18:30.776,00:18:33.346
you can freeze them. Okay. >>
And vegetables. >> If you're, if

00:18:33.346,00:18:35.948
you're bored and need and you
something to hack, don't just

00:18:35.948,00:18:38.150
look at computer stuff
everything's hackable. >> That's

00:18:38.150,00:18:41.287
right. >> Open your mind. >>
That's right, yeah. [Clapping]

00:18:41.287,00:18:46.726
Good point. This was all digital
logic no micro controller or

00:18:46.726,00:18:48.961
anything so it was a good
experience actually in learning

00:18:48.961,00:18:52.565
how to reverse engineer analog
electronics um but then I

00:18:52.565,00:18:54.734
eventually I just gave up and
designed a digital system to do

00:18:54.734,00:18:57.136
the same thing. >> But you know
what's great, is there's no

00:18:57.136,00:18:59.372
firmware to brick right? >>
That's right, no firmware. And

00:18:59.372,00:19:01.674
so the key thing here is learn
how to use your oscilli.

00:19:01.674,00:19:04.677
oscilloscope properly. Which
after this I went and studied up

00:19:04.677,00:19:07.046
on ground loops and hooking up
you know AC things to

00:19:07.046,00:19:09.048
oscilloscopes and needing an
inspiration transformer. [Video:

00:19:09.048,00:19:12.084
What happens? Bang] >> And bam.
[Laughter] >> Yeah so‚ But if

00:19:12.084,00:19:15.187
I had broken my scope that
would've been really bad. >> You

00:19:15.187,00:19:19.625
just return it right? [Laughter]
>> I don't know if that one

00:19:19.625,00:19:23.396
would work. [Laughter] So ways
to fix, unbrick your PC Boards.

00:19:23.396,00:19:26.565
Um be patient in the first place
and don't just go straight at it

00:19:26.565,00:19:29.435
with you know, don't turn the
heat up to 11 on your soldering

00:19:29.435,00:19:32.805
iron. Um you know, blue wires
will actually work like in a

00:19:32.805,00:19:36.075
little wire wrap wires that you
see on boards sometimes to fix

00:19:36.075,00:19:38.978
prototypes if you get some 30
gauge wire wrap wire or some

00:19:38.978,00:19:42.648
magnet wire some Angel Angel
Wire, I think they call it. Um

00:19:42.648,00:19:45.885
to fix broken traces and to fix
um you know, things on the

00:19:45.885,00:19:48.020
circuit board that you're not
gonna be able to fix a blown

00:19:48.020,00:19:51.323
area but you can just patch it
with wire is a good way. >>

00:19:51.323,00:19:53.893
Yeah. >> Oh go ahead. >> And
PCBs are actually kind of really

00:19:53.893,00:19:56.162
resilient. I mean they're just
kind of like fiberglass and and

00:19:56.162,00:19:58.998
metal. And they work right so
you, even if you have that board

00:19:58.998,00:20:01.667
from the front that's like torn,
even if you line those things

00:20:01.667,00:20:04.537
up, you put some glue down there
and you like solder it up well

00:20:04.537,00:20:07.206
enough that board will probably
still work. >> Assuming it's not

00:20:07.206,00:20:09.709
a multi layer board with stuff.
>> Well yeah, you know. >> For

00:20:09.709,00:20:11.677
the ground planes you'd be fine.
>> Level of detail. [Laughter]

00:20:11.677,00:20:16.215
>> Hey [indiscernible] >>Yeah?
[Indiscernible comment from

00:20:16.215,00:20:18.184
audience] So the question is do
we ever use Chip Quick? So Chip

00:20:18.184,00:20:21.821
Quick is a special alloy used to
help you remove surface mount

00:20:21.821,00:20:24.890
parts from boards and it
basically reduces the overall

00:20:24.890,00:20:27.593
melting point of the solder so
if you have multiple pins coming

00:20:27.593,00:20:30.963
off the part, you use chip quick
and it melts everything at once

00:20:30.963,00:20:33.799
and you can slide if off the
board. So the answer is yes and

00:20:33.799,00:20:36.202
the good advantage with Chip
Quick is that it doesn't heat

00:20:36.202,00:20:39.505
your part too much. The
disadvantage is that the stuff

00:20:39.505,00:20:43.142
stays molten for so long that it
will dribble and get stuck on

00:20:43.142,00:20:46.045
other parts and if that happens
you can have solder this

00:20:46.045,00:20:48.848
solder alloy everywhere. >>
I'm completely capable of

00:20:48.848,00:20:52.017
bricking hardware without Chip
Quick. [Laughter] >> Yeah. Yeah,

00:20:52.017,00:20:54.286
so you have to be really careful
to use it but yes. So sometimes

00:20:54.286,00:20:58.157
use that or you just use hot air
rework but it sort of depends.

00:20:58.157,00:21:03.129
Alright anybody recognize uh
this beast up here? Does anybody

00:21:03.129,00:21:08.267
remember why it's blinking red?
No? >> Bad connection. >> Yeah,

00:21:08.267,00:21:12.705
you don't remember blowing into
your cartridge to try to get..

00:21:12.705,00:21:14.039
[Blowing air into microphone]
... Better connection? So uh

00:21:14.039,00:21:16.475
yeah, bricking connectors this
is you know messing up for

00:21:16.475,00:21:20.212
mechanical physical things of
systems. >> So uh I mentioned

00:21:20.212,00:21:23.182
before, uh something about the
Chromebooks. The C720s; I kind

00:21:23.182,00:21:25.751
of like them because I got a lot
of them and reason I got a lot

00:21:25.751,00:21:27.953
of them is you know because I
can get cheap right you go look

00:21:27.953,00:21:30.189
around, you can get them for
like 100 bucks each but I'm

00:21:30.189,00:21:32.791
really cheap so like I am always
looking for the cheaper. So I

00:21:32.791,00:21:37.296
found a lot of 10 broken ones on
eBay and I'm like hey what's the

00:21:37.296,00:21:39.832
worst that can happen right 40
bucks each that sounds like a

00:21:39.832,00:21:43.636
good deal. So I open them all
up, I ‚I got 10 of them and of

00:21:43.636,00:21:47.406
the 10 one had a cracked screen
so not much to do with that. >>

00:21:47.406,00:21:50.342
Boo. >> Um but then I went to
the other nine and actually the

00:21:50.342,00:21:55.247
the tenth one as well. Um they
all had, uh broke like loose

00:21:55.247,00:21:58.817
cables in the display so if you
look in the back panel of the

00:21:58.817,00:22:01.787
display it has, a or sorry. The
motherboard has a cable, it goes

00:22:01.787,00:22:04.757
up through the hinge up to the
back panel display on this one

00:22:04.757,00:22:06.926
this one model just has a thing
you just keep opening and

00:22:06.926,00:22:09.995
closing, opening and closing it.
It just‚ tugs a little bit and

00:22:09.995,00:22:12.431
so the little edge of that
connector slips out the tiniest

00:22:12.431,00:22:14.667
bit, a fraction of a millimeter
and that's enough for the

00:22:14.667,00:22:18.404
display not work. So all I did
was kinda pop open the displays

00:22:18.404,00:22:21.340
tighten these connectors and I
suddenly went from 400 bucks

00:22:21.340,00:22:24.577
worth of chrome books to 900
bucks worth of chrome books. So

00:22:24.577,00:22:28.714
um so that was kind of fun. And
there was something else I was

00:22:28.714,00:22:30.916
gonna say about this. >> If this
was happening with normal use

00:22:30.916,00:22:32.918
too right? >> So yeah, this was
normal use. You keep opening and

00:22:32.918,00:22:34.887
closing, opening and closing,
you eventually kind of wore it

00:22:34.887,00:22:38.857
out a little bit too much. >>
Sort of bad design. >> Yeah. Oh

00:22:38.857,00:22:43.028
yeah this one [Laughter] Yeah.
So this is a little mini PC that

00:22:43.028,00:22:46.232
I was using and actually ended
up using this to build an A.R.

00:22:46.232,00:22:49.335
sandbox. You ever sent those?
There must be a picture later

00:22:49.335,00:22:52.271
and the problem is uh it was
very poorly designed it was a

00:22:52.271,00:22:56.442
little micro USB connector that
was used for power input. And it

00:22:56.442,00:22:59.979
wasn't just a regular like USB
cable it's exactly Intel X86 uh

00:22:59.979,00:23:05.351
uh bay trail for core thing you
do. Um and what would happen is

00:23:05.351,00:23:08.654
I have three amp power supply. 5
Volts, 3 amps. That's quite a

00:23:08.654,00:23:11.957
bit but you still use tiny
traces inside and it kept like

00:23:11.957,00:23:15.494
burning out those traces and
heating up and melting this

00:23:15.494,00:23:18.797
little connector. So um the
traces really weren't well sized

00:23:18.797,00:23:20.866
for the amount of current.
Regulate for thermal regulation

00:23:20.866,00:23:24.236
wasn't well-controlled. Um if
you start using the CPU too much

00:23:24.236,00:23:26.405
like it would be able to supply
the power over the connector,

00:23:26.405,00:23:29.875
connector, it would just
disconnect‚ shutdown. So um I

00:23:29.875,00:23:31.744
kinda got sick and tired of
that. I tried replacing the

00:23:31.744,00:23:34.313
cable I felt like maybe bad
micro USB cables because I that

00:23:34.313,00:23:37.449
happens a lot to me. Probably
because I use cheap cables. But

00:23:37.449,00:23:40.486
uh I just basically said screw
that I opened up the case, I

00:23:40.486,00:23:43.622
soldered the power lines
directly to a grown point and a

00:23:43.622,00:23:46.625
power point very messily too. >>
Yeah. >> Not as bad as that

00:23:46.625,00:23:49.061
other one, that through hole
one. But I soldered it up, it

00:23:49.061,00:23:52.197
works and yet it still works. >>
Sometimes it doesn't have to be

00:23:52.197,00:23:54.600
beautiful to work, right?
That's what my wife tells me

00:23:54.600,00:23:59.605
all the time. [Laughter] Take
that as you want. I didn't mean

00:24:03.175,00:24:07.446
it that way. You guys are
disgusting. [Laughter] >> You

00:24:07.446,00:24:11.650
should hear what he he says to
her. Um so uh uh another one you

00:24:11.650,00:24:13.686
know uh again, I play with all
of these systems. I got these

00:24:13.686,00:24:16.689
tablets these are the cheapest
tablet you can possibly buy that

00:24:16.689,00:24:19.658
run Windows and actually you can
buy them even cheaper because

00:24:19.658,00:24:21.961
everybody goes to the store and
they buy them because they're

00:24:21.961,00:24:23.595
cheap. And they can take them
home and they can't run anything

00:24:23.595,00:24:26.332
on them so they return them and
spend more money so I go in and

00:24:26.332,00:24:28.701
buy all the open box ones
because they're even cheaper.

00:24:28.701,00:24:32.104
Anyway this TW700 tablet. It's a
little 7 inch Windows tablet.

00:24:32.104,00:24:35.774
And it's got this like micro USB
connector um for power charging

00:24:35.774,00:24:38.510
input and you know I use these a
lot. I charge them all and I

00:24:38.510,00:24:41.280
just charge them all and charge
them all. Um but every time you

00:24:41.280,00:24:43.982
plug in that USB cable it
wobbles this connector a little

00:24:43.982,00:24:48.721
bit. Um the housing. The case of
the cab‚ connector... The

00:24:48.721,00:24:52.825
case‚ case of the tablet does
not have uh a flush connect‚

00:24:52.825,00:24:55.260
uh case around this connector.
There's a little bit of wiggle

00:24:55.260,00:24:57.963
room. And that wiggle room keeps
wiggling every time you plug it

00:24:57.963,00:25:02.401
in and take it out. Solder is
never ever ever designed to hold

00:25:02.401,00:25:05.671
any load or any strain or any
physical strain right. It's

00:25:05.671,00:25:09.141
solely designed as an electrical
conductivity. So what happen is

00:25:09.141,00:25:12.845
after awhile those four little
tiny are five sorry. Five little

00:25:12.845,00:25:16.181
tiny connectors, on the bottom
of that USB connector all got

00:25:16.181,00:25:19.651
broken um so yeah it was pain in
the butt, I had to replace a

00:25:19.651,00:25:22.221
bunch of them but hey it works
now. >> And this is a good

00:25:22.221,00:25:24.757
example of if you're designing
electronics try to use the

00:25:24.757,00:25:28.894
connector that has through hole
uh uh uh ports on the side or

00:25:28.894,00:25:31.296
whatever they are for mechanical
stability that something that

00:25:31.296,00:25:33.232
companies don't like to do
because it's an additional step

00:25:33.232,00:25:37.269
to solder them in but it's going
to prevent that from happening.

00:25:37.269,00:25:39.671
>> So here's another uh another
thing that I've done many many

00:25:39.671,00:25:42.408
of times this just the most
recent example. Um this is a

00:25:42.408,00:25:45.277
low-cost consumer device. This
is another cheap Chromebook

00:25:45.277,00:25:48.147
'cause you know, I got a thing
for Chromebooks I guess. Um it

00:25:48.147,00:25:51.850
has USB audio running over a
flexible printed circuit to the

00:25:51.850,00:25:53.585
so‚ the other side of the
laptop. So they make the

00:25:53.585,00:25:56.422
motherboard small, it goes on
one side one, they put all one

00:25:56.422,00:25:58.357
connectors on one side and they
have a little ribbon cable that

00:25:58.357,00:26:01.527
floats through the case to the
other side. If you open the case

00:26:01.527,00:26:05.364
without knowing that the cable
is there um you're very likely

00:26:05.364,00:26:09.501
that like to tear it or pull it
if you're lucky then it

00:26:09.501,00:26:12.137
disconnects. It just pulls it
out of that black socket if

00:26:12.137,00:26:15.774
you're not lucky then it pulls
an angle and it tears a bunch of

00:26:15.774,00:26:19.945
the traces and you know it's
just a piece of plastic and

00:26:19.945,00:26:22.514
metal but the thing is that for
some reason these are really

00:26:22.514,00:26:26.385
expensive to buy as replacements
at one off. >> Relatively

00:26:26.385,00:26:28.387
expensive. >> Relatively. >>
It's a low cost... >> Well we're

00:26:28.387,00:26:31.056
talking about Joe Fitz expensive
which means it might cost like

00:26:31.056,00:26:34.159
ten bucks for this cable but
sometimes someone else plays

00:26:34.159,00:26:39.498
with much much much much more
expensive toys. >> So notice how

00:26:39.498,00:26:42.434
there's no detail on the slide
let's just say that it's a very

00:26:42.434,00:26:47.206
expensive uh consumer device and
this mistake was very costly and

00:26:47.206,00:26:50.909
if you look on that circle is
the flat flex cable so it's a

00:26:50.909,00:26:53.412
flexible circuit board where
normally you might have one or

00:26:53.412,00:26:56.949
two layers on a flexible board
this is a multilayered flex

00:26:56.949,00:27:00.986
board connecting very expensive
pieces of equipment together

00:27:00.986,00:27:05.757
that I accidentally tore. And um
tried to fix it. I was like oh,

00:27:05.757,00:27:07.960
some wires right like if you can
solder the top and bottom but

00:27:07.960,00:27:11.563
they're multilayer and it was
horrendously embarrassing and

00:27:11.563,00:27:15.033
never to be spoken of again and
now it's on film. >> You just

00:27:15.033,00:27:18.370
returned it right? >> Actually
we just returned it. [Laughter]

00:27:18.370,00:27:21.406
No lie. >> Uh‚ [Laughter] I
think the moral of the story I

00:27:21.406,00:27:25.911
think behind that is uh do not
hack on what you cannot afford

00:27:25.911,00:27:31.183
to lose. >> Yes, that's right.
Or what you can't get credit

00:27:31.183,00:27:33.252
for. >> Or return. >> Or that
you can't return. Save your

00:27:33.252,00:27:36.655
receipts. >> Save your receipts.
[Laughter] >> Um okay so

00:27:36.655,00:27:39.491
solutions to unbrick your
connectors mechanical

00:27:39.491,00:27:41.793
reinforcement is actually a
really common one, like just use

00:27:41.793,00:27:43.962
some tape, use some epoxy. >>
Yeah, on those chrome books I

00:27:43.962,00:27:46.265
have that had that wiggly port,
if I just gone in and put a drop

00:27:46.265,00:27:48.534
of epoxy on each one when I got
them new, which is what I do

00:27:48.534,00:27:50.702
now, um they would have all been
fine. They would have never

00:27:50.702,00:27:53.105
broken in the first place. >>
And vendors are just too cheap

00:27:53.105,00:27:55.307
to do that. >> Yeah, too too
cheap. Epoxy's expensive.. It

00:27:55.307,00:27:58.544
costs cents. >> Yeah. Um. >>
Fractions of cents. [Laughter]

00:27:58.544,00:28:01.113
>> Uh electrical reinforcement
like Joe did patching over weak

00:28:01.113,00:28:03.615
connectors and putting in
better, better connections

00:28:03.615,00:28:06.251
there. Um learning how to you
know locate replacements if you

00:28:06.251,00:28:08.687
do mess something up, see if you
can source a part. You know,

00:28:08.687,00:28:12.424
looking at common distributors
for various places. Um reading

00:28:12.424,00:28:15.761
mechanical drawings so you know
which part to use and DigiKey's

00:28:15.761,00:28:18.864
your friend. You know you can
get parts shipped same day,

00:28:18.864,00:28:21.166
delivered next day if you need
to,to you know continue on with

00:28:21.166,00:28:23.869
your project. >> yeah, it takes
awhile to like get the skill to

00:28:23.869,00:28:26.405
actually find anything on
Digikey, but usually you know,

00:28:26.405,00:28:29.141
just keep searching, find
something close. Find something

00:28:29.141,00:28:31.143
up in that category and then
they ship it really quickly.

00:28:31.143,00:28:34.413
That's what I like. >> Do a do a
parametric search, narrow down

00:28:34.413,00:28:37.316
until theres like a few items on
one page. You just choose one of

00:28:37.316,00:28:41.086
those. >> Or you buy all of
them. >> One of each. >> Return

00:28:41.086,00:28:44.323
the, return the rest. >> Yeah.
[Laughter] Um okay. So now we're

00:28:44.323,00:28:47.092
getting into bricking chips so
actually integrated circuits on

00:28:47.092,00:28:49.428
the physical circuit boards
themselves. Um‚ >> Talk about

00:28:49.428,00:28:52.965
absolute maximums. >> Yeah sure
okay so Absolute Maximums, I

00:28:52.965,00:28:55.867
think we might actually have an
example of this but.. >> Oh we

00:28:55.867,00:28:58.904
do, okay. >> Integrated Circuits
are are sensitive to their

00:28:58.904,00:29:02.274
voltage levels um whether
they're on signal pins power

00:29:02.274,00:29:05.811
pins and data sheets of these
parts will usually tell you the

00:29:05.811,00:29:09.748
the maximum allowable values and
things like that it usually if

00:29:09.748,00:29:12.284
you you go above them, the
manufactures not going to let

00:29:12.284,00:29:14.820
you return it and you sort of
let out the magic smoke and

00:29:14.820,00:29:16.955
you're done. >> And it's kind of
a RTFM case because if you look

00:29:16.955,00:29:19.858
over here it says pretty clearly
operating range use this voltage

00:29:19.858,00:29:22.461
range. If you're not gonna read
the datasheet then like oh well,

00:29:22.461,00:29:24.396
whenever. >> Who reads data
sheets anyway? >> But yeah. >>

00:29:24.396,00:29:26.898
Until you brick something. >>
Yeah. >> And you go, that's why.

00:29:26.898,00:29:28.734
I should have read that thing.
>> Yo.. YOLO Wiring. [Laughter]

00:29:28.734,00:29:34.006
So speaking of YOLO Wiring, um I
found another tablet because I

00:29:34.006,00:29:36.642
tend to acquire a lot of these
cheap tablets. This is a cheap

00:29:36.642,00:29:41.079
Chinese tablet and it's got a 1
point 8 bolts SPI Flash Chip and

00:29:41.079,00:29:43.382
this is like, I think one of the
first ones that I poked out that

00:29:43.382,00:29:45.717
was actually one point eight
volts so I didn't really expect

00:29:45.717,00:29:48.320
to worry about it so I just yeah
you know, whatever, just open it

00:29:48.320,00:29:51.823
up popped it open uh grabbed
whatever tool I was using

00:29:51.823,00:29:55.127
probably an FTDI Chip. Wired it
up and tried to dump the SPI

00:29:55.127,00:29:59.064
Flash contents and then the
system didn't boot. Um I also

00:29:59.064,00:30:00.932
didn't get any SPi flash
contents. So I was trying to

00:30:00.932,00:30:03.535
figure all that out and it turns
out that I actually need to

00:30:03.535,00:30:06.571
level shift right? All these
tools we've got, um they tend to

00:30:06.571,00:30:08.774
be five volt and three point
three volt tools. Some of them

00:30:08.774,00:30:12.244
are five volt tolerant, some of
them can work at lower levels.

00:30:12.244,00:30:15.614
But if you do something at a
higher voltage than the devices

00:30:15.614,00:30:19.117
made to uh withstand you're
gonna do something bad. You

00:30:19.117,00:30:21.486
might not totally brick it, you
know, in this case what happened

00:30:21.486,00:30:25.190
was I actually just erased the
flash contents. So the flash

00:30:25.190,00:30:29.227
chip still worked, the CPU still
worked but uh the process of

00:30:29.227,00:30:32.030
trying to read it at five uh
three point three volts made

00:30:32.030,00:30:35.267
that one point eight volt flash
chip die. >> And um a lot of

00:30:35.267,00:30:38.804
chips do have internal
protection diodes on iO pins uh

00:30:38.804,00:30:41.339
so to protect you from
accidentally doing that but

00:30:41.339,00:30:43.909
you're not supposed to rely on
those like those are almost like

00:30:43.909,00:30:46.611
it's like getting catastrophic
like health insurance or

00:30:46.611,00:30:49.281
something like that. You don't
wanna rely on that um in case

00:30:49.281,00:30:52.651
there's an accident. >> So yeah,
uh another thing I was playing

00:30:52.651,00:30:53.985
with, oh uh is that good?
Onward. So, pulling up too much

00:30:53.985,00:30:55.320
current so this is uh someone
might call a FTDI cable, it's

00:30:55.320,00:31:00.258
not an FTDI cable it's just a
USB to serial cable. It's got a

00:31:03.361,00:31:07.532
chip on it that says that it's a
prolific PL2303. You plug it in

00:31:07.532,00:31:10.402
on one end to a USB port, it's
got TXRX powering ground on the

00:31:10.402,00:31:14.239
other end. Um I bought a bag of
like a hundred of them, and

00:31:14.239,00:31:17.109
'cause they're cheap that way,
they're like a dollar each. And

00:31:17.109,00:31:20.011
this one I was using, I forget
what I was doing with it but it

00:31:20.011,00:31:23.448
kept like stop working I would
go and what would happen is, I

00:31:23.448,00:31:26.952
would look in the D message log
of a system. The USB side system

00:31:26.952,00:31:28.987
and it kept saying like oh, this
device disconnected, device

00:31:28.987,00:31:31.223
disconnected. So I would have to
go and unplug it and plug it in.

00:31:31.223,00:31:33.859
I left it, walked away, I would
come back a little while later

00:31:33.859,00:31:37.596
to do, to work on it again and
it's not working so I go to pull

00:31:37.596,00:31:41.333
it out and my finger sticks into
the plastic and mooshes it

00:31:41.333,00:31:44.836
around and I'm like huh... I
don't think that's how it's

00:31:44.836,00:31:48.440
supposed to work. So I pulled it
out and uh ran water over my

00:31:48.440,00:31:52.144
finger and uh opened it up the
board is definitely a little bit

00:31:52.144,00:31:55.180
singed right there, um I don't
know whether this was just

00:31:55.180,00:31:58.850
shoddy manufacturing and there
or whether I was hooking it up

00:31:58.850,00:32:01.653
wrong and I was actually drawing
too much current. But it got

00:32:01.653,00:32:05.290
really hot and hot enough to
melt the plastic and blackened

00:32:05.290,00:32:08.693
the board. So.. >> Did we, did
we wipe your fingerprints from

00:32:08.693,00:32:10.829
that image before we submitted
these to DefCon? >>I don't know

00:32:10.829,00:32:13.865
it doesn't it doesn't actually
look like my fingerprint. >>

00:32:13.865,00:32:17.402
Joe's thumb is there. >> Uh oh.
>> You used Biometrics? >> Yeah,

00:32:17.402,00:32:19.871
good thing the hotel doesn't use
biometrics right? >> Yeah, um

00:32:19.871,00:32:22.874
okay so another example that's
another example of pulling too

00:32:22.874,00:32:25.043
much current. This is an actual
tiny little chip level um this

00:32:25.043,00:32:28.113
was for a product that was
working on for consumer device

00:32:28.113,00:32:30.315
so I had some preproduction
prototypes. SO I sent those to a

00:32:30.315,00:32:33.485
manufacturer to start getting
ready to ramp up for full

00:32:33.485,00:32:36.288
production and they had some
changes to some parts which is

00:32:36.288,00:32:38.990
not uncommon they might say oh
we have a we have a supplier

00:32:38.990,00:32:41.626
that can provide a similar
second source part. We're gonna

00:32:41.626,00:32:44.296
put that in place of this chip
that that you the engineer

00:32:44.296,00:32:47.065
slaved over to specify. So they
sort some times of put in what

00:32:47.065,00:32:50.135
they think is the right
replacement and not tell you or

00:32:50.135,00:32:55.273
tell you later. Um so these came
back and um we noticed that once

00:32:55.273,00:32:58.310
in a while we would have
failures of this particular

00:32:58.310,00:33:00.345
linear, linear low drop out
linear regulators. So taking

00:33:00.345,00:33:03.949
power in and bringing it down to
a lower voltage and um we just

00:33:03.949,00:33:05.984
couldn't figure out what it was
and this was company I wasn't

00:33:05.984,00:33:07.986
very familiar with. I think they
were Chinese based, I'm not

00:33:07.986,00:33:12.757
sure. And um the only thing we
can think of is let's d-cap the

00:33:12.757,00:33:16.061
chip. Let's take the plastic
covering off of the chip itself

00:33:16.061,00:33:18.563
and look at the dye. Look at the
actual integrated circuit to see

00:33:18.563,00:33:22.400
if we could uh locate a failure.
So we sent a bunch of chips to

00:33:22.400,00:33:25.303
Chris Tarnoffskie who is, I
would say the chip hacker in the

00:33:25.303,00:33:28.139
world, who's given talks at
DefCon and Black Hat and and all

00:33:28.139,00:33:31.910
sorts of crazy satellite TV
hacking and smart car hacking um

00:33:31.910,00:33:36.081
and had him take out the chips
and look and um he went in and

00:33:36.081,00:33:38.617
and very quickly realize that
there was damage on the physical

00:33:38.617,00:33:41.019
die so like that pr‚ you know
the previous one we just showed

00:33:41.019,00:33:43.955
had damage on the board. An
integrated circuit is really

00:33:43.955,00:33:46.925
like a circuit board of
microscopic level so there was

00:33:46.925,00:33:50.629
damage on the die because of the
way the system was designed is

00:33:50.629,00:33:54.466
basically there was current flow
to that giant tab but that tab

00:33:54.466,00:33:57.535
was actually designed to handle
current flow it was just mostly

00:33:57.535,00:34:01.373
mostly designed for thermal heat
dissipation. Um so maybe that

00:34:01.373,00:34:03.508
was a designer error, they
swapped that in it it was just a

00:34:03.508,00:34:07.078
miss miss design sort of under
design at the part. Uh relying

00:34:07.078,00:34:09.414
on the engineer to read the
datasheet before they actually

00:34:09.414,00:34:12.317
designed the board. >> Yeah but
that sounds like work. >> A lot

00:34:12.317,00:34:15.887
of work, yeah. >> YOLO silicon.
[Laughter] Uh so yeah we gotta

00:34:15.887,00:34:18.456
gotta figure out ways to unblock
these systems and it says

00:34:18.456,00:34:20.992
unbricking your ICs but really
we got talk about unbricking the

00:34:20.992,00:34:23.361
whole system because most of
time if you've done like a

00:34:23.361,00:34:25.797
electrical damage to the chip
you just have to replace that

00:34:25.797,00:34:30.001
chip. So replace it. But figure
out the problem first because if

00:34:30.001,00:34:31.903
you go when you fix your
connection issues or your board

00:34:31.903,00:34:35.740
issues or you fix your or you
don't fix all those issues first

00:34:35.740,00:34:37.943
and you replace the chip. You're
gonna end up with two dead

00:34:37.943,00:34:41.012
chips. And then you're like wait
wait, what happened? And then

00:34:41.012,00:34:43.615
you get three dead chips. It's
like a chip killer. >> But you

00:34:43.615,00:34:46.585
fix the, what do they say you
treat the treat the cause not

00:34:46.585,00:34:49.621
the symptom. >> Yeah, yeah so
again DigiKey is your friend. >>

00:34:49.621,00:34:52.891
Yeah. We're not sponsored by
them we just like them. >> Yeah.

00:34:52.891,00:34:55.293
>> There's other distributors
too if you like Mouser, Mouser

00:34:55.293,00:34:57.629
is still your friend. >> So
personally I like to deal with

00:34:57.629,00:35:00.265
DigiKey because they have USPS
shipping that's generally very

00:35:00.265,00:35:03.301
quick and very inexpensive. >>
Yeah. So shipping is not as

00:35:03.301,00:35:06.004
obscene compared to your 10
cents worth of parts. >> So I

00:35:06.004,00:35:08.406
pay like two dollars worth of
shipping for a dollar worth of

00:35:08.406,00:35:11.977
resistors instead of like $18
shipping for a dollar worth of

00:35:11.977,00:35:14.479
resistors. Which makes a big
difference. >> Um alright so

00:35:14.479,00:35:19.884
here we are at our 101st uh
section. Um one oh one, >> One

00:35:19.884,00:35:23.221
of one. >> First, first section.
>> One oh onest. >> Bricking

00:35:23.221,00:35:25.056
scenarios that we couldn't think
of fitting anywhere else but

00:35:25.056,00:35:31.730
sort of like WTF, what is going
on? Um we have uh. Oh what? >>

00:35:31.730,00:35:34.065
Yeah. So uh‚ >> Anti-Tamper‚
>> Anti-Tamper Mechanism. So

00:35:34.065,00:35:37.002
this is a photo of the inside of
an AT&T microcell. There are a

00:35:37.002,00:35:41.139
couple people who talked about
these a few years ago. Um and um

00:35:41.139,00:35:43.675
the‚ what happens is you open
this guy up and inside there's

00:35:43.675,00:35:47.312
this little gray thing that
holds a bunch of jumpers right.

00:35:47.312,00:35:51.182
And those jumpers may either
connect or not connect. Um the

00:35:51.182,00:35:55.020
thing to the case when you pull
the case open, the case is

00:35:55.020,00:35:58.156
designed so that it pulls those
jumpers out and you don't know

00:35:58.156,00:36:00.825
what arrangement they go when
you put them back in right. If

00:36:00.825,00:36:04.863
you do this and you don't notice
what you did you powered up. It

00:36:04.863,00:36:08.833
sets a tamper flag right and
phones home and tells AT&T that

00:36:08.833,00:36:11.536
you been doing bad things and
you should probably expect a

00:36:11.536,00:36:14.105
return from this customer. >>
Yeah. Well there's actually, so

00:36:14.105,00:36:17.075
so a discussion about this, if
you search online people have

00:36:17.075,00:36:19.878
you know tried to open these up
and um you know pull out the

00:36:19.878,00:36:22.313
jumpers and try to put it all
back together. They're like ah

00:36:22.313,00:36:24.215
oh no, I saw something fly
across the room and then they

00:36:24.215,00:36:26.951
call up AT&T and they're like ah
my micro cells not working,.

00:36:26.951,00:36:28.787
Well looks like it's been
tampered with. And they're like

00:36:28.787,00:36:31.389
oh, it must have fallen on the
floor something. >> And they're

00:36:31.389,00:36:35.160
like okay. >> Yeah. Sure.
[Laughter] Um, yeah so anti-

00:36:35.160,00:36:37.295
tamper mechanism are you know
things that are physical

00:36:37.295,00:36:40.331
security to protect you from
tampering with an electronic

00:36:40.331,00:36:43.635
device. Here's another one. This
is another one this is from a

00:36:43.635,00:36:46.871
VeriFone PINpad 1000SE uh you
know point-of-sale terminal

00:36:46.871,00:36:50.975
thing, you'd enter in your pin.
Uh, they have a lot of

00:36:50.975,00:36:53.411
mechanisms on this particular
device and I had, purchased a

00:36:53.411,00:36:55.947
whole bunch of different pin
pads at a surplus store for five

00:36:55.947,00:36:59.717
bucks a piece and uh this just
happened to be one of them. Um

00:36:59.717,00:37:01.753
that had multiple multiple
mechanisms so you open up the

00:37:01.753,00:37:05.757
device, There's.. there's a
button that gets depressed um

00:37:05.757,00:37:09.327
but the coolest thing about this
one is that there is a active um

00:37:09.327,00:37:11.730
circuit board there. It's like a
multilayer circuit board for

00:37:11.730,00:37:15.667
layers the top and the bottom
layers are copper planes in the

00:37:15.667,00:37:19.804
inner layers are like a mesh of
wire like a maze so if this

00:37:19.804,00:37:22.073
thing is powered on and you try
to like drill through it or

00:37:22.073,00:37:25.510
remove the cover the systems
gonna know and give you some

00:37:25.510,00:37:28.480
sort of your tamper tamper
detected and not work and you'd

00:37:28.480,00:37:31.483
have to rekey everything. So
this is just a fun one and

00:37:31.483,00:37:35.754
another great reason to have
sacrificial lambs um if you can

00:37:35.754,00:37:38.690
because if you tamper something
like this on your first one and

00:37:38.690,00:37:40.759
you only have one you're gonna
be in a lot of trouble. >> So

00:37:40.759,00:37:43.428
I'd like to comment on the whole
like having scarification lambs.

00:37:43.428,00:37:46.631
If you've ever just looking for
devices to hack on and like you

00:37:46.631,00:37:49.701
said All express which is a
place to get like really cheap

00:37:49.701,00:37:54.305
junk from China. Um buy more
than one because you buy one and

00:37:54.305,00:37:58.343
you go and you take it apart and
you're like hey I hacked this

00:37:58.343,00:37:59.911
thing it's really cool. Let me
go buy 10 more. You buy 10 more.

00:37:59.911,00:38:01.179
They're going to be different.
Right? They're going to have the

00:38:01.179,00:38:03.548
same color on the outside, going
to have the same picture, with

00:38:03.548,00:38:06.951
like 18 logos that have been
with Photoshopped out and

00:38:06.951,00:38:09.687
written over uh watermarks but
you're gonna have a different

00:38:09.687,00:38:12.090
device inside. SO buy them all
at once, buy buy a bunch at the

00:38:12.090,00:38:14.359
beginning and then just hack
them. >> Yeah, they just grab it

00:38:14.359,00:38:17.095
from a different factory or just
like iterative their design

00:38:17.095,00:38:20.198
process is just too crazy. Um so
some weird environmental

00:38:20.198,00:38:22.667
conditions which are the worst
thing. If any of guys have

00:38:22.667,00:38:26.271
worked with RF systems before um
you know they're sort of black

00:38:26.271,00:38:28.706
magic around RF design and it's
really, really sort of a

00:38:28.706,00:38:31.376
nightmare so when the
environment conspires against

00:38:31.376,00:38:34.746
you to mess up your circuitry
like it's really hard thing to

00:38:34.746,00:38:39.551
deal with. Um this particular
design is a uh RFID read/write

00:38:39.551,00:38:43.354
module series of RFID readers
and writers uh for parallax

00:38:43.354,00:38:46.791
which is like a hobbyist
electronics company. This is the

00:38:46.791,00:38:51.696
fourth in a series that would be
really easy fix um to add on USB

00:38:51.696,00:38:55.266
functionality to our standard
read/write serial version. That

00:38:55.266,00:38:59.304
would take in TTL level serial
so this one with USB well I

00:38:59.304,00:39:04.442
could just add a uh serial USB
device take the TTL level serial

00:39:04.442,00:39:08.112
add a USB port on there and we
would be good. Not so true. Uh

00:39:08.112,00:39:12.283
about three years later after
debugging this on and off for

00:39:12.283,00:39:14.852
three years just I just realized
this and we were able to put it

00:39:14.852,00:39:18.556
in the slides, is that I was
receiving all this noise on the

00:39:18.556,00:39:21.526
RFID receive line like I was
receiving modulated data like

00:39:21.526,00:39:24.729
there is no tag over the reader.
So it was like a mystery of what

00:39:24.729,00:39:29.100
was what was being demodulated
and it turns out that my reader

00:39:29.100,00:39:33.271
was demodulating noise from the
environment because the antenna

00:39:33.271,00:39:37.342
was too sensitive and I didn't
know that. It was one change in

00:39:37.342,00:39:41.279
capacitor value to decrease the
sensitivity and it really reared

00:39:41.279,00:39:46.217
its head when you're powering
directly from a uh a USB device.

00:39:46.217,00:39:49.153
And I was sort of treating USB
you know power like power line

00:39:49.153,00:39:52.190
is clean but that's not
necessarily true just generate a

00:39:52.190,00:39:55.226
lot of noise and I was having
all these problems and thought I

00:39:55.226,00:39:58.162
was a horrible engineer. Um and
once I realized I could change

00:39:58.162,00:40:01.666
one capacitor and I thought it
was awesome engineer. But I'm

00:40:01.666,00:40:08.273
never touching RF stuff again.
>> So uh this is another one and

00:40:08.273,00:40:10.508
that the picture doesn't do
justice to what will happen is

00:40:10.508,00:40:13.911
an AR Sandbox which is where
your have a sandbox that is full

00:40:13.911,00:40:18.049
of sand and a connect that looks
down at it and uh looks at what

00:40:18.049,00:40:20.351
you've got and that when you
when you move the sand away and

00:40:20.351,00:40:23.021
make a pile it turns into a
mountain and colors it green

00:40:23.021,00:40:27.358
when you dig a hole it makes it
water and it turns blue. Um so I

00:40:27.358,00:40:29.560
had this set up, I brought it to
TOR Camp which is a great

00:40:29.560,00:40:33.231
awesome like outdoor hacking
camp event but it is in the

00:40:33.231,00:40:36.034
Pacific northwest so it is a bit
moist in the next second morning

00:40:36.034,00:40:39.804
I turned on my connect and my
thing and it just was not

00:40:39.804,00:40:43.007
working properly this is a this
is a partial failure when

00:40:43.007,00:40:46.110
actually had it at TOR Camp as I
have a very corners of the frame

00:40:46.110,00:40:49.681
will show up as mountains of the
red and the middle was all black

00:40:49.681,00:40:52.784
like what the hell is going on.
And this is an environment

00:40:52.784,00:40:56.321
conspiring to work against you I
had this thing outside. I had it

00:40:56.321,00:40:58.790
underneath a black sheet which
had worked through all my

00:40:58.790,00:41:01.526
testing because the connect uses
infrared to find out what's

00:41:01.526,00:41:04.595
going on. I thought I had like
left it out and the moisture had

00:41:04.595,00:41:08.132
like you know melted or like
fried something inside no longer

00:41:08.132,00:41:11.769
working, I could replace the
connect. Turns out the sheet

00:41:11.769,00:41:14.439
that I used to have a mesh you
know pattern on it and any

00:41:14.439,00:41:17.675
infrared light from the sun
would cast down and make an

00:41:17.675,00:41:21.446
infrared pattern that the
connect was recognizing and not

00:41:21.446,00:41:23.915
throwing any color on properly.
So this is like okay where I

00:41:23.915,00:41:26.984
thought I had bricked hardware,
I thought everything was broken.

00:41:26.984,00:41:31.723
Turns out it was just sunny day.
>> Darn, damn, those sunny days.

00:41:31.723,00:41:34.659
They're the worst. Yeah so, but
you'll test your systems and you

00:41:34.659,00:41:37.662
know the right environment. Um
so optical glitching, this is

00:41:37.662,00:41:40.465
something that we just sorted
through here because when Joe is

00:41:40.465,00:41:44.002
over we are working on the
slides one day and I need to

00:41:44.002,00:41:47.705
take a picture of the scramble
pad showing earlier slides I had

00:41:47.705,00:41:51.342
my camera with the big flash on
it and I took a picture of the

00:41:51.342,00:41:55.013
scramble pad I went to locked
the door we went back in for

00:41:55.013,00:41:58.015
something later in and and my
access code was recognized, and

00:41:58.015,00:42:01.352
I was like huh, that's weird.
And I remembered about optical

00:42:01.352,00:42:04.288
glitching that you could
actually cause failures inside

00:42:04.288,00:42:08.593
of chips due to photons hitting
things the wrong way. And since

00:42:08.593,00:42:11.963
my that scramble pad had a
terrible had a E-prom to store

00:42:11.963,00:42:15.466
the program review UV erasable I
actually caused the system to

00:42:15.466,00:42:19.237
fail and you erase all of the
access control pin numbers in

00:42:19.237,00:42:22.306
there. So I sort of bricked it,
I was afraid that I actually

00:42:22.306,00:42:26.344
like changed some of the code um
but really like you know, chips

00:42:26.344,00:42:30.715
do not like light but you can
sometimes bend that your will if

00:42:30.715,00:42:32.917
you're intentionally trying to
use optical glitching to like

00:42:32.917,00:42:35.486
you know, skip over something
and do some glitching on the die

00:42:35.486,00:42:39.991
itself. That's sort of a crazy
advance attack but it is sort of

00:42:39.991,00:42:43.394
surprised me and it was like wow
light can damage things. >> Even

00:42:43.394,00:42:45.730
making a slide deck about
bricking can brick things.

00:42:45.730,00:42:50.735
[Laughter] >> Yeah that's right.
[Indiscernible comment from

00:42:56.808,00:42:58.476
audience.] >> Subtext.
[Indiscernible comment from

00:42:58.476,00:43:00.344
audience.] >> Yes.
[Indiscernible comment from

00:43:00.344,00:43:03.448
audience.] >> Yes. Yeah so the
BOSH BMP 0123450805 Pressure

00:43:03.448,00:43:06.317
Sensor is also sensitive to
that. Um, thee's also the

00:43:06.317,00:43:08.953
example of the raspberry pie 0
which maybe that was‚ >>

00:43:08.953,00:43:11.389
Raspberry Pie Two. >> Oh
Raspberry Pie Two, that uh, oh

00:43:11.389,00:43:13.391
that was the power regulator. So
yeah, there's lots of things you

00:43:13.391,00:43:17.028
assume it has a package over it
right uh uh a plastic package.

00:43:17.028,00:43:19.397
But light and photons can still
get through and mess with you

00:43:19.397,00:43:21.332
and that's like.. it's pretty
interesting. >> So these there

00:43:21.332,00:43:24.869
WTF Scenarios like it's kind of
tough like what the heck did you

00:43:24.869,00:43:27.171
do what did you break we didn't
change anything it worked

00:43:27.171,00:43:30.608
yesterday it worked today and it
just stops working. Um so what

00:43:30.608,00:43:33.344
can you do you get another piece
of hardware, be more careful, uh

00:43:33.344,00:43:36.047
you get another piece of
hardware and do a manual diff,

00:43:36.047,00:43:38.583
compare every single component
and test step-by-step swap them

00:43:38.583,00:43:42.286
out one by one or the best one I
like, you just go out and grab a

00:43:42.286,00:43:44.388
bite to eat and take a nap,
maybe it'll work tomorrow. >>

00:43:44.388,00:43:46.257
Maybe someone else will fix it.
>> Maybe it'll work tonight. >>

00:43:46.257,00:43:49.160
Uh yeah, these types of things
are actually actually the worst

00:43:49.160,00:43:51.662
and make you hate engineering,
um but then you solve them and

00:43:51.662,00:43:54.165
you know everything is okay
again. >> So as a little recap

00:43:54.165,00:43:57.068
we got the best ways to brick
and the best ways to avoid it.

00:43:57.068,00:43:59.804
So bricking your firmware,
right? Just wipe your flash.

00:43:59.804,00:44:04.175
It's wiped. >> Uh yeah, cut
traces. >> You know, yup.

00:44:04.175,00:44:06.744
>>Smash connectors. >> Smashing
connectors. Uh applying the

00:44:06.744,00:44:09.647
wrong voltage. Work on anything
the last minute and that's what

00:44:09.647,00:44:14.285
is WTF scenarios really win. So
avoiding it back up your

00:44:14.285,00:44:18.022
firmware. >> Um yeah so, you
know have a good workspace don't

00:44:18.022,00:44:20.758
rush things. Take your time.
Have protective measures don't

00:44:20.758,00:44:23.394
damage components. >> The P
word. Patients. >> Patients.

00:44:23.394,00:44:26.397
Yeah. >> Uh double check your
Pin outs and voltages. Read the

00:44:26.397,00:44:29.767
manual, read the data sheet. Um
have a predictable setup. >>

00:44:29.767,00:44:33.638
Indiscernible >> Yup. And
unbrick, who cares about that

00:44:33.638,00:44:36.440
it's no fun. Um restore your
backup because you got one

00:44:36.440,00:44:39.443
right? >> Yup. Um enhance your
soldering skills so you know you

00:44:39.443,00:44:41.946
don't make mistakes with
disgusting soldering. >> Yup.

00:44:41.946,00:44:44.615
DigiKey is your friend. Order
parts. DigiKey is your still

00:44:44.615,00:44:46.684
ware friend no matter what it is
that you're bricking. >> And

00:44:46.684,00:44:48.486
like you said, don't hack what
you can't afford to lose. I

00:44:48.486,00:44:51.822
never listen to that one. >>
Yeah, whatever. >> Um, so yeah,

00:44:51.822,00:44:53.991
so benefits. So having a
sacrificial brick maybe you

00:44:53.991,00:44:56.327
brick one but then you learn
from it anyway because hacking

00:44:56.327,00:44:58.930
is all about learning right? And
maybe you learn something and

00:44:58.930,00:45:02.433
then you're like okay, now I
know how to defeat that next

00:45:02.433,00:45:03.901
time, now I know how to not make
that mistake next time. And um

00:45:03.901,00:45:06.370
share your mistakes with your
friends. Like it's sort of

00:45:06.370,00:45:08.839
embarrassing to stand up here
and say like I fucked that up, I

00:45:08.839,00:45:10.841
fucked that up. >> Actually it's
kind of fun. >> Yeah, I guess it

00:45:10.841,00:45:13.678
is. But you know, there's lots
of failures and like sharing

00:45:13.678,00:45:16.047
those people can learn from
those we learn from them. >>

00:45:16.047,00:45:18.983
Blog posts are great I see lots
of blog posts of people bricking

00:45:18.983,00:45:21.185
things that I would have bricked
if I hadn't read the blog post

00:45:21.185,00:45:23.521
and then you know that again is
the way that the way to learn.

00:45:23.521,00:45:28.459
Everyone's to make mistakes and
don't be afraid >> So step one:

00:45:28.459,00:45:31.495
brick hardware. Step three,
profit. >> Yeah. And uh yup, so

00:45:31.495,00:45:33.497
yeah thank you for coming. Yeah,
apparently you can make a whole

00:45:33.497,00:45:35.199
presentation about this and
thanks for sitting through it.

00:45:35.199,00:45:37.201
[Applause]