[00:00:00.167] >> Thank you everybody for coming and waking up at this ungodly hour on a Friday morning. I was sort of expecting the room to be empty, so thank you guys for coming and choosing to listen to us for an hour or so.

[00:00:09.776] >> Yeah, I think the ideal DEF CON should, you know, be three weeks long and then be one talk at like four pm.

[00:00:15.082] >> Yeah. Alright, well, my name is Joe Grand and this is Zoz.

[00:00:15.082] >> I am Zoz Brooks, yep.

[00:00:22.389] >> And we are going to talk about a project called the BSODomizer HD. This has been a very difficult project and we're going to show you some pretty fun stuff, with also some pretty disgusting videos; it's going to be great. So basically this project came about, well, we'll talk about this. We were working on a project. Zoz writes a lot of software, I design a lot of hardware, and we thought it would be fun to sort of do something again together and come up with a new ridiculous project. So before we even start, while everyone is still paying attention: what we ended up doing, and you'll hear the whole process, but we started working with something called FPGAs, and we'll get into that, and this was like a really, really complicated thing, something we'd never done before. This project wouldn't have happened at all if it wasn't for some serious help from some friends of ours that really, their names should also be on the title of the presentation and stuff. So these guys: Kris Bahnsen, l33tbunni, who leads the Hardware Hacking Village, suffered through some extremely late nights this past week trying to help us get stuff working. Raivis and Parker just helped us with FPGA, so it really shows the power of kind of the community and people willing to help.

[00:01:31.124] >> Yep. Longhorn Engineer actually gave us some software that enabled us to first convert an image to the memory initialization stuff that we needed to put in the FPGA, so even the very start of this project really wouldn't have happened without these guys helping us out.

[00:01:44.104] >> Yeah, a lot of swearing on IRC. Alright, so the original BSODomizer, for those of you who happened to sit in on the talk at DEF CON 16, was our original project together. That was a hardware-based man-in-the-middle type of device that you would put in between a laptop or desktop and a monitor, and normally it would just pass the video through just fine, but you could remotely trigger it with the remote control or set some DIP switches on the board to have it trigger at certain times and switch, intercept the video and throw up a preloaded fake blue screen of death.

[00:02:19.806] >> And that was at the time when the Parallax Propeller was brand new, so a lot of people know the Propeller from a later DEF CON badge, but at that time no one had really used it for much, and it had just come out and was really exciting. It works a lot differently, if anyone here has played with it, to a normal microcontroller, and it was capable of going fast enough to generate a VGA signal. But fortunately for the BSODomizer, the original one, old Windows BSODs of course are just text only, and that's all the mode that the original BSODomizer had, was to be able to generate a 1024 by 768 image of only text.

[00:02:54.441] >> And if you want to screw with people, everything's open source, the links are at the end of the presentation, you can still build your own and use it. And this was really a good learning exercise for us; that's, we like to screw with people but we also like learning things, so this was like an attempt for us to learn about the Propeller and then really annoy people. So somehow I got roped into this. Zoz had this great idea, he's like the visionary, he said we should do another DEF CON talk, let's do the BSODomizer HD, you know, technology has increased, let's do something different, let's learn about FPGAs, which is something that really I wanted to learn about but I've kind of been putting it off for a long time because I knew it was going to be hard, and this was sort of the catalyst to do it. And it's like, alright, whatever we get done, like, we'll share it with the community of course, and, you know, maybe whatever we come up with will be useful.

[00:03:40.887] >> Yeah, there's a lot of exciting stuff once you move to an FPGA, because you're creating hardware in hardware with software. It meant that we could do a lot of things with an updated BSODomizer that the first one couldn't do. The first one just generates a text screen. With an FPGA in, as well as injecting full-screen graphics, we could also do some other interesting and exciting things, which we'll get to.

[00:04:04.411] >> Yeah, and that's something that, as soon as we decided to do this, the first thing that we had to do was figure out if we could even generate video on the screen. So it was like, alright, let's try to figure out some things, do a little bit of kind of pre-development work before we submitted the talk to DEF CON and, you know, for Black Hat Tools Arsenal and all this stuff. So we sat down and said, what can we do? Well, FPGAs can generate HDMI video, so let's try to do 1080p, that's more of like something people use now, HDMI instead of VGA. Though it's funny, because when we had released the BSODomizer we were trying to get it sold through like ThinkGeek and, you know, a lot of hardware places to distribute them to people, and everyone's like, no one uses VGA anymore. But people really still use VGA a lot, so, you know, it's something like HDMI, even though, you know, we're going to move to DisplayPort and other things, like, it will still be a valid option.

[00:04:51.992] >> Well, it's funny, like, you know, everyone's a hater, right? So when we said we were doing this to a few people and we're doing 1080p, they're all like, what? No 4K? We're like, well, I think people are gonna keep using 1080p for a while, just relax.

[00:05:05.972] >> Okay, so some of the features we wanted: 1080p; we thought it would be cool to have user-loadable images from an SD card, so instead of just preloading something in advance. You'll see that we didn't get to all of this stuff, we set some pretty lofty goals. We wanted to do some animations, because now if we're able to write directly to HDMI reading from memory, we can basically modify memory in real time and have a new image come up on the screen, or have a slightly modified image come on the screen, so there's a lot of possibilities for the mischief side.

[00:05:33.833] >> One thing we had really wanted to do in the original one is, because it had some switches to switch between Windows and Mac mode, and then the Mac kernel panic changed to, you know, scrolling down the black thing, which, there's no way we could do that with the original one. But with the one we have now we have the capability to capture the screen, and you could edit it in memory and scroll down the gray overlay to say it's crashed, reboot.

[00:05:56.923] >> Yeah, once we get the receive part working. So we figured, well, you know, the other tool was very mischief focused, and yes, you could use it for pen test; some people use it like, they, you know, walked into a building, put the BSODomizer in place and then had it say like, surprise, we were here, or whatever. But we thought, okay, let's see if we can try to legitimize it even more given how huge pen testing is now in red teams, like, let's see if we can try to do capture. And this idea actually came after we had gotten some of the HDMI transmitting working. We're like, well, it doesn't seem like it would be that hard to receive a frame at the same time, unknown to the user, because we could split the signal off, which you'll see in some drawings, and capture the HDMI stream at the same time it's going to the sink, to the monitor. So that's sort of a future thing. You'll see we kind of ran into some issues there, but the base functionality is there and it's just a matter of kind of tweaking some of the code; the hardware support is there, which is pretty rad. And then, you know, we were like, well, you can do some video display calibration and whatever, but really I think the most important thing is having, you know, another open source tool, something people can learn from and take our chunks of code. Like, we were totally FPGA noobs and we hacked a bunch of stuff together, but we've written some solid modules that people can take and put into their own projects, and that's the beauty of FPGAs, which we'll get into. So HDMI is of course, you know, the video standard of choice, I guess. The issue here is that HDMI is very high speed, and, you know, we all take it for granted, you plug something in and it works, but the signals are very, very fast. They're differential signals, meaning you have a positive signal and an inverted negative signal that travel together, and the pixels, the bits, are being sent at a very high speed. That's done for noise immunity and for other electrical issues. So basically the things we're concerned with for the BSODomizer are the three video lines and a clock line. There are some other things with HDMI, some digital control lines that are used to communicate with the monitor and some other things. There was a DEF CON presentation last year or the year before on fuzzing devices that have HDMI, so fuzzing monitors through the digital control interface. We're just looking at video in this project, but that could, you know, be rolled into it if that's what somebody wanted.

[00:08:10.023] >> But so, you know, if you do the math, you're pushing over, you know, around a hundred and twenty million pixels a second at sixty hertz, so that's just a lot of pixels, and if you look at the actual bit rate it's three point six gigahertz, so there's just no way that you're gonna find a microcontroller out there to do that.

[00:08:26.539] >> Yeah, and FPGAs, as we'll talk about, are designed to sort of do heavy lifting of digital functions, so if you wanted to have, you know, you could take differential signaling in and process it, but you'd need a really, really high speed, powerful device. So we decided we had to figure out a way to be able to process video and generate it in some sort of timely manner, in real time, and dealing with the straight serial data is hard, so we ended up focusing on a system where we can now get a pixel clock of 148.5 megahertz, and that's going to simplify things a little bit by looking at parallel data.

[00:09:01.041] >> I should read the slide instead of doing rough calculations in my head, and so nearly a hundred and fifty million pixels, not a hundred and twenty.

[00:09:10.784] >> Yeah, close enough, that's alright, it's early. Alright, so FPGAs. This is just a little bit of an intro slide; you'll sort of see our suffering through this. But FPGAs are field programmable gate arrays, and it's an electronic device that basically is like a blank slate of digital logic. So, you know, microcontroller systems, computers, all the digital things we use are based on low-level digital logic that's basically processing ones and zeros and doing stuff. So CPUs are built up of millions of gates or logic. FPGAs let you be the artist and sort of fill this canvas with whatever you want, as opposed to a microcontroller, you know, that's running things step by step, you have your program counter doing things sequentially. FPGAs can do things in parallel, and you're not writing software, you're writing hardware, which was a great combination for us to sort of merge the two. And it's sort of like, stuff is executing in parallel, synchronized to a clock or to different clock signals, and it's a complete mind fuck if you come from the software side or embedded systems side of how a system's working.

[00:10:12.946] >> For example, if you're a software person and you're used to putting a value in a variable and then using that variable and reading it back and having the new value be in that variable, then you'll be surprised with FPGAs, because everything happens on clock ticks. So within a block of logic, if you set, for example, you know, a value in a variable, it doesn't actually take that value until the next clock tick, so if you refer to that same variable in the same block of logic it's still got the old value. So there's just, like, a lot of ways for a software person that's used to a normal programming language to fuck it up.

[00:10:45.445] >> Yeah, and one of the things, I tried to explain this to my kids, because Zoz did come over a few times to work on this project and we're slaving away for hours, you know, up until 2 and 3 in the morning. So my son comes in one day and says, Daddy, what are you working on? So I tried to explain it, and I said, well, we're trying out a new piece of hardware called an FPGA, it's much different than what Daddy normally works with, which are microcontrollers. I said, you know, microcontrollers, you can, you know, pat your head first, rub your tummy second. FPGAs, you have to do both at the same time. And he tries it and he's like, oh, that's hard, and I'm like, yeah, that's why we're staying up so late. So, yeah, so FPGAs really traditionally have been very, very complex systems. The development tools have not been free, they're definitely not user friendly, but they're becoming more accessible, and this is something like, you can look at projects now and you might see an FPGA on there to do, say, some hardware acceleration or some crypto or video generation, and then usually there will be a microcontroller associated with that to do the normal microcontroller stuff that doesn't have to be in an FPGA.

[00:11:45.505] >> So there's two hardware design languages, or hardware description languages, that you can choose to use. One is VHDL, which, for anyone that's done any programming for the DoD, it's a lot like Ada. It's got some sort of strong typing and it'll stop you from shooting yourself in the foot in certain ways. And then the other one is Verilog, which is sort of more C-like, and just like C it'll let you make all kinds of mistakes and not warn you.

[00:12:12.932] >> It's horrible.

[00:12:12.932] >> So partly because, you know, we've done a lot more C recently, I actually, my first programming language was Ada but I haven't programmed in it in a long time, and also because of the tools that were available for the FPGA we were using, we used Verilog. And really, there's just lots of things that it won't warn you about. You know, you can refer to signals that don't exist and do all this kind of stuff. You can put a typo in, what was the one where you were using a different clock and it was just like a typo clock?

[00:12:42.695] >> Yeah, I made up a clock name because I typed it wrong and the system didn't tell me, so probably four or six hours of trying to figure out what it was, was the wrong name. And to make matters worse with development systems, as the complexity of the logic you're trying to compile and synthesize grows, the time it takes to compile and synthesize grows. So when we were working on the project it basically took between ten and fifteen minutes per compile to synthesize our code, put it into the FPGA and then execute it, so you can imagine the boredom of sitting there while it's compiling. And we would end up, so, you know, you make your change, you compile it, it runs, it doesn't work, now you make another change, you do it again. So we would try to fix our problems that we found while it was compiling and do it again, but it led to the thing of, which problem are we fixing and what new things are we introducing that are going to cause another problem?

[00:13:28.041] >> Yeah, and if you, you know, just, if you have to express, like, if you're used to just tweaking a tiny thing and quickly testing it out and iterating, and, you know, iterating fast, you just can't do that when you have a fifteen minute compile time. You know, it's like, you try four different things and there's an hour gone.

[00:13:43.322] >> So one other thing with FPGAs I want to mention is there's something called IP, or intellectual property, that are basically logic modules that you can buy or license from other companies. So, for example, if we wanted to, like, with our development board that we have, Altera makes something called the Nios processor, which is a CPU, some architecture, I don't remember what because we didn't use it, but you can license that from Altera, so now you can have a microcontroller inside of your FPGA to do microcontroller stuff when you write code in C. So if you're reverse engineering a piece of hardware, for example, and you find an FPGA in there, you're not gonna know what it does because it's literally a blank slate. The problem, though, is that we didn't want to design anything that required licensing IP, because that's totally lame. We wanted to do something where all the logic defined what it was and not rely on that. So a lot of the example code that came with the development board was all based on this Nios CPU that we didn't want to pay licensing fees to, so we had to create, you know, our own lower-level interfacing. But the beauty of the FPGAs is that you could go out to, like, a place like opencores.org and choose things that are open and free and integrate those into your products and basically make your own custom chip.

[00:14:47.487] >> We also thought it would have been kind of cheating for us to just drop a microcontroller in the FPGA instead of doing everything by hand.

[00:14:54.193] >> Yeah.

[00:14:54.193] >> We should move a little faster here because...

[00:14:59.665] >> Well, I guess, yeah, I guess the takeaway here is that FPGAs are really hard. Okay, so the process is, you know, the first thing we need, we like to do anyway, is put together a block diagram. This is an early one that doesn't hold true too much, and I'll show you a better kind of connectivity graph of how things go together later on. But the two main things we will need to work with, that first, when we started the project, was find an FPGA that had some sample code that was accessible, that was available. Zoz came over to my house for a week and we basically had four days of time to source the starter kit, to figure out what FPGAs are, what, you know, what we want it to do, and then get the thing in hand and see if we could generate some video.

[00:15:39.438] >> Yeah, at this point we hadn't decided to submit to anything, so it was like, okay, we have one week, let's get a dev board, get it up and running, prove that we could do the thing that we're gonna say we're doing, the main thing, the injection, and then we can, you know, know that we can get it done.

[00:15:52.218] >> So this board has a lot of functionality on it. It's a very powerful part, so we don't actually need all that power, but it's better to start large and sort of cut back. But it had, you know, some DIP switches and things that we can use for our triggering, a lot of GPIO that's going to be useful for the HDMI receive. It also had what's called an HDMI transceiver, or transmitter, and what it does is take the parallel data that the FPGA gives it at the pixel clock of 148.5 megahertz, serializes it into the high-speed HDMI format and pipes that out. So now we don't need to generate 3.6 gigahertz bit rate signals, which you could do with some FPGAs, but they're going to cost you a lot of money. So using this one, now we have this chip that takes the FPGA data that we're generating, passes it through, feeds it out to HDMI, which now sounds like, oh, it's easy, all we did was pipe some parallel data through, but that's not actually true. We thought it was going to be very easy; it definitely made it easier. So here's what the early proof of concept looked like. It was the development board hooked up to HDMI. You can see like some extra hardware along the side, I'll talk about that, but it was some unique kind of power things we had to deal with. So, yeah, we talked about it, that, you know, FPGA development being slow, tools are hard, but the goal was to figure out how to draw something on the screen.

[00:17:14.300] >> So the main thing that we had to do here is, the block memory inside the FPGA that we had is only, I think, five hundred and twelve K, so not big enough to hold a full frame buffer of a color 1080p image. So what we did instead was put in a monochrome image, because there's only two colors on a blue screen of death, so as long as we can display it, beside, no problem. So we loaded a monochrome image and then just set, instead of black, the Microsoft blue that the slides' background is. And to do that, you know, we had to start with a source image and convert that to what's called a memory initialization file, which is this thing that the FPGA takes that just fills up that block RAM. So you have to, you know, put it in the format that it needs, with the right headers and the right size for the block RAM, and that's where LonghornEngineer really helped us out that week, because he had this image-to-MIF function that he had sort of written. It took certain kinds of images and certain kinds of bit depths, and he gave us that, and then we forked that and made it do the things that we need to do to generate the 1080p, or to load the 1080p monochrome image.

[00:18:21.367] >> His was designed for a Game Boy. He had hacked a Game Boy to take the parallel data that was going to the LCD and then port that to a larger screen, so he was only looking at 4 bit, 4 colors. So, yeah, Zoz had modified the code to basically take in a bitmap and then pack it into a one bit per pixel 1080p, because that's, like he said, the only amount of space we had in the internal RAM. And putting things in internal RAM is good, but it's sort of a pain because you have to preload as you compile the FPGA. So that's one example, and one function that we have in the tool, but not the ultimate one that we wanted, but that was the one that we first could use to prove the concept.

[00:19:00.673] >> Yeah, the problem with doing that: we want the thing to have a bunch of different modes where you can output different images, and so using just the internal RAM that gets loaded, you know, at the time that the FPGA is compiled, you'd be limited to just that one image if you did it that way.

[00:19:19.091] >> Which is okay, because that's what you get for now, because that's as far as our code gets, but the functionality of the hardware is there to do more, which we'll talk about. So the other issue is, we got the FPGA board working, we could display some video, and we'll go through some of the pictures, but one issue we had is how do we power the thing? Because if this ends up being an actual tool that you're gonna inject in somebody's place or facility, you don't want to have to plug in a power jack to it, or a wall wart, or plug in like a USB cable to get power, because that's just lame.

[00:19:45.284] >> So the original BSODomizer had, you can see the clip here, two CR2032 batteries, the same ones that are on the DEF CON badge this year, and that's because you don't get any power from VGA. This time we were really excited, right, because we were like, yeah, you got five volts from the HDMI, we were, you know, it's going to be super simple, it'll power itself off the HDMI line. And then we looked up the spec and you could only get, you know, fifty-five to a hundred milliamps of power off that five volt line, and we're, fuck.

[00:20:11.811] >> Right?

[00:20:11.811] >> Shit, we're thwarted here. And we looked around, and, like, there's a lot of devices that violate the spec. You know, there's like sketchy Chinese HDMI devices that just, they don't care, and also a lot of HDMI, you know, supply, like, devices will sort of let you violate the spec. But we wanted to do it right and make a device that followed the spec, especially because if you're going to use this for penetration testing, you don't want to plug it into some machine and have it cause problems and have someone notice it right away.

[00:20:39.138] >> Yeah, you don't want to interfere with the target, right? So we had to figure out a way to get that working, and it turns out, as you'll see in the block diagram, we ended up designing a front end board that handles a lot of the timing, the remote triggering and stuff like that. And we have a circuit on there that basically will allow normal pass-through mode of the HDMI signal and trickle charge a battery while the system is technically off, so while we're just doing pass-through. And then when the user will trigger the BSODomizer, that enables the rechargeable battery, and the battery itself powers the FPGA board and just turns it on when it needs, through a single line to a MOSFET, which is kind of cool. So we'll get into some details of that, but that was a way to overcome the power sourcing issue, is, you know, have a battery and just have it trickle charge, and it will last many hours, as you'll see. So, yeah, the 1080p one bit per pixel, our first test. This took a few days of time to get going.

[00:21:35.060] >> Yeah, I actually, my flight back got cancelled due to storms in Houston and I had an extra day on the week, and that's when we got it working. We didn't quite make the original week, but I had that extra day and then we got it working, and it was just like, you know, it just was like being back in the eighties and driving a CRT screen, you know, where you compile everything, fifteen minutes, you hit the button and then the vertical hold would be off, you know, and the image would be scrolling crazily, or it would be smeared across the screen, and we're like, what the hell is going on here?

[00:22:01.921] >> Yeah, because we needed to, just like, I had written an Atari 2600 game a few, ten years ago I guess now, just for fun, and you have to deal with, like, tracking the scan line before you draw your graphics. It's the same thing: we need to know where the scan line is, really what pixel we're on, so we don't end up having timing issues. And this is really when we started, once we got video on the screen, er, image on the screen, we're like, yeah! But then once we started debugging it we were like, fuck! Like, that's when we realized how hard it is to work with FPGAs. The debugging tools also, by the way, are very, very limited. There's something called a SignalTap, which, at least with Altera, is a logic analyzer that you can compile into your code, so you're basically looking at gates and at nodes inside your chip. But every time you add a new node, and you're like, oh, I want to look at this line, you have to recompile it, so it's very, very hard. And we ended up using it, it did save our ass at the end, but it was a hard process to get through, like, why is the pixel shifted, and everything. So these are sort of the...

[00:22:59.478] >> Yeah, so one problem, there's also things you can clock off on the FPGA. Yeah, that's me, you know, looking for glitches with a magnifying glass to see if we're really, you know, that that line of pixels is properly vertical. But you can clock off a lot of things on an FPGA, and one other problem we had was figuring out what line we were on. And we were clocking off the pixel clock, and we're like, why aren't things on the right line of the display? And it turned out it's because the pixel clock keeps counting during the horizontal blanking time. There's no real reason you have to do that, you know, digitally, but it was just like old school, like, you know, how you would redraw parts of your frame in the horizontal blanking time to counteract the fact that you didn't have enough memory back in the Atari days.

[00:23:38.851] >> Yeah, or, and do processing in the time
00:23:42.554-->00:23:45.858 where it's not drawing on the screen so there's still some function for that and I think 00:23:45.858-->00:23:50.062 it's sort of a holdover from from CRTs but once we solved that problem now we could 00:23:50.062-->00:23:55.167 actually display something that we had preloaded into the internal ram which was killer so 00:23:55.167-->00:24:00.072 here's our like first little um BSOD that came up I don't remember which version this was 00:24:00.072-->00:24:06.312 Windows XP? >>Uh yeah maybe uh the uh I'm not sure this might be actually um a b a BSOD from 00:24:06.312-->00:24:09.948 the original BSODomizer development I'm not sure >>That we >>but it's a >>no this is 00:24:09.948-->00:24:14.953 this is yeah oh so in whatever year that was >>yeah >>So what we did then is alright we had um 00:24:18.157-->00:24:21.860 this is this is where it gets really bad we had the proof of concept working Zoz was like 00:24:21.860-->00:24:26.999 about to leave and um we're like well we need some video to submit to Defcon to show that we 00:24:26.999-->00:24:30.636 can at least generate video and then we'll worry about everything else later like once 00:24:30.636-->00:24:34.873 we can do HDMI the rest of it's going to be easy which was so not the case and I think like we 00:24:34.873-->00:24:39.211 sort of got suckered because even though it was hard we we got it and we're like yeah this 00:24:39.211-->00:24:44.650 is FPGA is nothing piece of cake um so we needed to make a video and my wife happened to be 00:24:44.650-->00:24:49.054 around who is not very technical though some of you guys might remember her from calling me 00:24:49.054-->00:24:53.425 when I was on stage talking about the Defcon badge from a long time ago and my and she was 00:24:53.425-->00:24:56.929 pregnant with our first child and I had my phone on and she calls and there's like three 00:24:56.929-->00:25:00.099 thousand people in the room and stuff so she she's been here a few times but
she's not 00:25:00.099-->00:25:05.270 technical and we're like can you just like pretend to be using your computer and I will 00:25:05.270-->00:25:10.909 manually BSOD you and then like you'll see a blue screen of death um >>And and and this was 00:25:10.909-->00:25:15.214 uh you know because you you've probably seen the announcement that the new Win 10 BSODs are 00:25:15.214-->00:25:20.386 going to have a QR code on them so it was like this is perfect we'll generate like one of these 00:25:20.386-->00:25:24.857 new fangled BSOD screens with the QR code and get her to scan it with the phone uh and then we 00:25:24.857-->00:25:29.094 can >>which which yeah which she couldn't have done before >>Yeah and then we can send use that QR 00:25:29.094-->00:25:32.898 code to send her somewhere that she won't expect >>So we basically told her like use this 00:25:32.898-->00:25:37.870 app scan the QR code pretend you know just act it out um but you can see the point in time where 00:25:37.870-->00:25:43.809 it goes from very obvious acting to very obvious WTF is going on [laughter] so here's the first, 00:25:43.809-->00:25:48.013 first of three videos that we have that we'll show you throughout the presentation 00:26:15.841-->00:26:20.846 [video plays softly] [laughter][music] you've just been BSODomized and Rickrolled. 
00:26:58.417-->00:27:03.155 So she basically was like what the hell is this this is the dumbest thing ever if you guys 00:27:03.155-->00:27:06.658 actually focused your time on like doing something useful imagine what you could do 00:27:06.658-->00:27:11.663 [laughter] so then the yeah [applause] So she had no idea about QR codes and the fact that 00:27:18.504-->00:27:22.674 you can preload it with a malicious URL so imagine if you're actually using this at 00:27:22.674-->00:27:27.713 for a pen test and have somebody scan a QR code and you know then go to a malicious website pwn 00:27:27.713-->00:27:33.785 their phone whatever it is but the rick roll is classic and she had no idea what it was okay so 00:27:33.785-->00:27:37.189 we had that working and we submitted the talk to defcon now we said now we need to actually 00:27:37.189-->00:27:42.427 try to get done other functionality and you know that consisted of making sure we 00:27:42.427-->00:27:47.165 could power it making sure we had a way to control it instead of using dip switches um we 00:27:47.165-->00:27:52.538 wanted to we didn't have enough space in block ram for the full 1080p twenty four bits per pixel 00:27:52.538-->00:27:57.609 so we needed a way to use external DDR2 ram low power DDR2 SD ram which is on the 00:27:57.609-->00:28:02.214 development board um and we figured doing dealing with the block ram was easy so how much 00:28:02.214-->00:28:07.219 harder could it be to deal with external memory um and we were way wrong about that we also 00:28:07.219-->00:28:12.858 wanted to have an SD card so you could preload images and with the screen capture mode save 00:28:12.858-->00:28:17.763 those images back and as you'll see the hardware is in place again the the code not quite um 00:28:17.763-->00:28:23.402 but all of the the heavy lifting kind of low level memory reading and writing and displaying is 00:28:23.402-->00:28:28.140 done which I'm really really happy about so the rest of it um [chuckle]
which is funny I say 00:28:28.140-->00:28:31.743 this every time shouldn't be that hard uh but we'll see you know we'll see if that happens 00:28:31.743-->00:28:37.916 and we needed to combine it into something that was useful >>So uh we uh the main thing is as we 00:28:37.916-->00:28:40.886 mentioned with the power power consumption the FPGA is the thing that draws all of the 00:28:40.886-->00:28:44.723 power so we want that to be basically off as much as possible uh while the battery is 00:28:44.723-->00:28:49.728 trickle charging so to to do the front end the front ends gotta be um uh because we wanted to 00:28:49.728-->00:28:54.633 drive it with a be trigger it with an infrared remote control uh something's gotta be awake 00:28:54.633-->00:28:59.204 all the time watching for the infrared signal so we decided to use uh um a pic for that because 00:28:59.204-->00:29:05.277 Joe had a board he was working on um shortly prior to that that was all already set up uh with 00:29:05.277-->00:29:11.049 um uh you know broken out for development so we just used that board to make our lives easier 00:29:11.049-->00:29:17.856 and save time um with the IR uh external trigger uh the part numbers there um and also the 00:29:17.856-->00:29:23.261 timer mode so the front end pic keeps track of time for for timed um mode so the for when 00:29:23.261-->00:29:27.899 it's just goes after after ten minutes or so um and it also monitors the battery level 00:29:27.899-->00:29:32.704 >>Yeah so what you could do is you you could you know trigger the BSOD but then have it not 00:29:32.704-->00:29:37.376 actually go off for ten minutes or thirty minutes or something just walk away and do it and 00:29:37.376-->00:29:41.613 really with the front end what we have is just that single line to enable the FPGA so if you 00:29:41.613-->00:29:44.816 wanted to modify this and say well I want to use wifi or I want to use bluetooth to 00:29:44.816-->00:29:50.522 remotely control stuff you can um and 
just you know feed in a a different output to that FPGA 00:29:50.522-->00:29:55.827 and and move the pic but this is all all uh low current stuff that's running all the time >>Um 00:29:55.827-->00:30:01.533 the original one uh we just used Sony TV codes because everyone's got a tv remote control uh but 00:30:01.533-->00:30:06.905 for this one we thought um well this was Joe's idea um people aren't if you're if you're 00:30:06.905-->00:30:10.742 walking around a facility with a big fat TV remote control you know in in the office people are 00:30:10.742-->00:30:15.047 going to be like what's going on here so it would be cool if it used a more covert remote um and 00:30:15.047-->00:30:18.917 now you can get a lot of these little Apple remotes surplus from various uh you know surplus 00:30:18.917-->00:30:22.587 places so Joe was like alright I'm going to order a bunch of Apple remotes and let's figure 00:30:22.587-->00:30:28.527 out how hard it's going to be to um use you know trigger off this instead of using a standard TV 00:30:28.527-->00:30:32.898 uh remote >>yeah and a lot of the information online that we found about the infrared remote 00:30:32.898-->00:30:36.735 for Apple people have reverse engineered them but not a lot of the information from the 00:30:36.735-->00:30:41.740 different websites lined up some pieces did and we ultimately just created our own kind of 00:30:41.740-->00:30:47.012 brute force decoding mechanism and then just identified where the signal was sending the 00:30:47.012-->00:30:50.615 command signal for the six different buttons that we were using >>Yeah you can see on that 00:30:50.615-->00:30:55.353 um uu oscilloscope trace there basically how the format works it's a transmission protocol 00:30:55.353-->00:30:59.424 called NEC which is not the version that not the the protocol that we thought it was 00:30:59.424-->00:31:05.097 going to be initially um but there's like there's this one sort of long uh pulse to begin 
00:31:05.097-->00:31:09.134 with and then there's a short space after that and then it clocks a bit and it's just the 00:31:09.134-->00:31:15.207 width of the pulses is the width of the bits so uh looking for that sort of start um pulse and 00:31:15.207-->00:31:19.811 and and space uh gets gets us started and then all these bits came in and we couldn't a lot a 00:31:19.811-->00:31:24.649 lot of what those bits are we don't know what they are um the stuff online is contradictory 00:31:24.649-->00:31:29.488 and confusing but we figured out the space that uniquely defines which of the six buttons is 00:31:29.488-->00:31:34.126 being pressed and we just uh um read those out once we figured out that the bits are in the 00:31:34.126-->00:31:38.830 reverse order which also wasn't uh wasn't documented anywhere um so I should mention too that the 00:31:38.830-->00:31:43.235 front end the microchip pic stuff is standard micro controller written in C so you 00:31:43.235-->00:31:46.905 could take this could you know that we've done for Apple decoding if that's all you want 00:31:46.905-->00:31:51.543 to take out of this presentation take it and plop it in something else to now decode Apple remotes 00:31:51.543-->00:31:56.281 so there is some stuff in C that's a little easier to work with um for the HDMI receiving 00:31:56.281-->00:32:02.387 uh we're using a uh ADV7611 so basically the opposite of what we're doing for transmit we're 00:32:02.387-->00:32:06.691 transmitting we're pushing in parallel data and getting getting serial out. 
This we're 00:32:06.691-->00:32:11.196 receiving the serial data from a chip and then the parallel data going into the FPGA that can 00:32:11.196-->00:32:15.500 then be clocked in and ultimately stored it to memory which can then be used um 00:32:15.500-->00:32:19.271 there's a board called the HDMI Light which is a project that somebody put together that takes 00:32:19.271-->00:32:24.843 the HDMI in and kind of just very simply reads some of the color pixels around the edges of 00:32:24.843-->00:32:29.948 the screen and then turns on some RGB LEDs around his his uh bezel of the screen to sort of 00:32:29.948-->00:32:34.386 extend the color which I think a lot of the TVs are doing now um so we used that as a breakout 00:32:34.386-->00:32:38.056 board sort of a reference board since we didn't have time to make our own board to get stuff 00:32:38.056-->00:32:43.628 done so we used that one um and then hooked that up through an interface board to the FPGA so 00:32:43.628-->00:32:47.732 we have this stack up that you'll see it's it's pretty wild. 
Um and for this we had uh 00:32:47.732-->00:32:51.703 use uh my my PC Board prototyping machine which generally is good for creating 00:32:51.703-->00:32:56.174 lots of interface boards um and we ended up with this with a standard board you know just 00:32:56.174-->00:33:00.245 taking one set of pin outs and converting it to another but the trick is that we had to deal 00:33:00.245-->00:33:06.084 with twelve twelve mil traces twelve thousandths of an inch which are pretty small not so 00:33:06.084-->00:33:10.222 small like when you're getting a PC board professional fabricated that's not a big deal but when 00:33:10.222-->00:33:15.126 you're milling stuff because this is basically milling traces out of copper there's a lot of 00:33:15.126-->00:33:19.698 mechanical stress and those traces end up being very small and what ended up happening is 00:33:19.698-->00:33:24.302 as I was soldering the connectors on the glue between the copper and the fibreglass of 00:33:24.302-->00:33:28.073 the circuit board was getting delaminated because those traces were so small there's no solder 00:33:28.073-->00:33:33.411 mask to protect the traces and stuff so I ended up having to go in and manually repair stuff on 00:33:33.411-->00:33:38.149 a on a point one inch header double row header it was a nightmare but now it works and 00:33:38.149-->00:33:41.453 we have you know hardware interfacing so that was just another part of the stack up of 00:33:41.453-->00:33:45.824 circuitry >>Yeah and this was that was uh took the smallest milling bit that the the T-Tech 00:33:45.824-->00:33:51.162 takes uh takes and we we broke a milling bit then we had to you know hand fix everything so it's 00:33:51.162-->00:33:54.199 just another step where it's like oh here's an easy thing let's just like spin out this 00:33:54.199-->00:33:57.369 circuit board and then next thing it's two in the morning and we're all swearing >>but 00:33:57.369-->00:34:00.772 without that that would have been an issue 
because we couldn't hand wire that board 00:34:00.772-->00:34:05.710 because the speeds of the signal is like 148 megahertz seems slow but it's still pretty fast and 00:34:05.710-->00:34:09.681 if we were hand wiring things the if the lengths of the traces were longer some of them are 00:34:09.681-->00:34:14.352 longer some of them were shorter that could introduce some timing errors uh if there was you know 00:34:14.352-->00:34:17.656 any sort of noise that was picked up by longer traces so we needed to have some sort of 00:34:17.656-->00:34:21.893 carrier board um some other we had some other subsystems in there that that I'll show you in 00:34:21.893-->00:34:26.498 some pictures but really I wanted to show you the actual prototype that is also on the 00:34:26.498-->00:34:31.202 stage uh and that was used to create the next set of videos that you'll see um written by a 00:34:31.202-->00:34:35.607 guy called the Circuit Board Sandwich >>Yeah wrong sandwich picture Joe >>Oh oh sorry okay 00:34:35.607-->00:34:41.880 this one [chuckle] there's the real circuit board sandwich um so this board is the stack up 00:34:41.880-->00:34:47.385 down at the bottom we have the FPGA board up there is the uh the HDMI light board that we're 00:34:47.385-->00:34:51.656 using for the carrier there's also the interface board that you can barely see you guys are 00:34:51.656-->00:34:55.160 welcome to come up and take a look at this after there's the pic front end board that whole 00:34:55.160-->00:35:01.666 whole board up there that has the infrared remote, the battery charger there's the battery 00:35:01.666-->00:35:07.439 charger, there is the HDMI splitter so when we're doing HDMI receive we need to actively 00:35:07.439-->00:35:11.076 split the signal because if you're tapping into high speed signals you could introduce 00:35:11.076-->00:35:15.213 noise and glitches and other things just passively so having an active splitter means you can 00:35:15.213-->00:35:19.284 pass the HDMI 
signal to the target monitor the user would never know and then you're 00:35:19.284-->00:35:24.990 sucking off the HDMI to do your capture on so that's what that boards for and then there's the 00:35:24.990-->00:35:29.995 HDMI switch which is switching between the target system and uh our generated HDMI signal so 00:35:33.832-->00:35:38.303 I'll leave these in here for you to review later just some drawings of uh how to understand 00:35:38.303-->00:35:42.707 how the system goes together and these were really helpful for us to to graph and sort of put down 00:35:42.707-->00:35:48.213 in on paper what was what was happening it was very confusing process um so current 00:35:48.213-->00:35:52.650 measurements yeah we basically with our battery it's about um it's a lithium ion it's about an 00:35:52.650-->00:35:56.755 inch and a half or maybe two inches by two inches uh two thousand milliamp hour you can 00:35:56.755-->00:36:02.394 run for about three hours of active generating HDMI that's never gonna be the case right 00:36:02.394-->00:36:06.931 because you're going to throw up a BSOD and a minute later or less somebody's going to turn 00:36:06.931-->00:36:10.368 off their computer the system's gonna reset and then it will go back to pass through mode so you 00:36:10.368-->00:36:13.571 can get a lot of battery power and then of course it's going to charge while it's not being used 00:36:13.571-->00:36:19.177 which is most of the time. 
The main challenge we had was dealing with the external memory 00:36:19.177-->00:36:24.182 getting external DDR2 working um where now we're dealing with 24 bits wi- per pixel 32 bit words 00:36:26.618-->00:36:31.523 to simplify three weeks of of complete pain and tears and suffering and everything what we 00:36:31.523-->00:36:38.096 ended up having to do is double the speed of the clock signal going to the external memory and 00:36:38.096-->00:36:42.300 we're basically clocking things twice as fast to the memory as we are to the screen so we could 00:36:42.300-->00:36:48.506 read data faster from memory put it into a FIFO buffer and then as the HDMI transmitter is ready 00:36:48.506-->00:36:52.210 for it it can grab it from the buffer so we're sort of preloading a cache I guess if 00:36:52.210-->00:36:57.315 you will um and this was this was something that l33tbunni um had helped out with some serious 00:36:57.315-->00:37:02.654 stuff we had had to implement a burst mode of the DDR2 which basically we're reading 128 bits 00:37:02.654-->00:37:07.892 at a time we've tried to do pipelining and it was like this uh it was the worst experience 00:37:07.892-->00:37:11.229 of my life but now that it works it's awesome and we you know we learned a lot about the 00:37:11.229-->00:37:14.766 development tools and stuff but here's sort of some videos you know you saw some pictures but 00:37:14.766-->00:37:19.704 this is like this is basically like a week before Defcon and we keep seeing like oh my god we're 00:37:19.704-->00:37:23.508 close we can kind of see things but it's like >>Yeah so this this is after a successful write 00:37:23.508-->00:37:28.780 to memory we that that was what was fine but then reading it back in we get video after video 00:37:28.780-->00:37:33.051 after video like this >>and writing it is actually easier because we don't have a time 00:37:33.051-->00:37:37.088 constraint of trying to draw to the screen but what we needed to do here is drawing to the
screen 00:37:37.088-->00:37:41.292 by reading the memory and then writing it in real time so eventually we got stuff working 00:37:41.292-->00:37:46.297 and um you know this this was sort of Zoz in the midst of some of our debugging early on and uh 00:37:48.500-->00:37:53.605 huh year so you know we basically are like FPGAs are really hard they suck but there 00:37:53.605-->00:37:57.775 are actually good practical uses for them right so there are there are there are uses for 00:37:57.775-->00:38:01.146 them it's just picking picking out the useful things um specially things that can't be 00:38:01.146-->00:38:05.950 done in in uh in sequence. So I just wanted to throw this picture up you can't really see 00:38:05.950-->00:38:10.355 it but you can generate what's called an RTL which is basically a schematic representation of 00:38:10.355-->00:38:16.995 our logic design in each of those blocks are a separate set of of code creating this massive 00:38:16.995-->00:38:22.000 digital custom system of our own. 
Alright so now the part you guys have been waiting for um 00:38:24.502-->00:38:29.474 this was something where I had uh uh so Zoz was away and we needed I wanted to have some 00:38:29.474-->00:38:33.378 more videos of real BSODomy right once we got the the remote triggering working all the front 00:38:33.378-->00:38:37.315 end stuff um so some guys came over you might recognize them once of them is Onch who runs 00:38:37.315-->00:38:43.454 registration um and one of them is Crypt who helps run a lot of a lot of Defcon now um they came 00:38:43.454-->00:38:48.293 over I created a special image for them and uh I'll just show you the video so to lead up to 00:38:48.293-->00:38:52.931 it my kids were there they love these guys and and I told them I said convince them to watch 00:38:52.931-->00:38:57.068 something on my TV screen so they basically convinced convinced these guys to watch 00:38:57.068-->00:39:00.905 like the Pokemon basically my wife dressed up as Pokemon and the kids chasing her down the 00:39:00.905-->00:39:04.709 street in our neighborhood because we didn't want them to play Pokemon Go because we're 00:39:04.709-->00:39:10.048 paranoid about privacy of course as we should be so we decided to do Pokemon Go in real life so 00:39:10.048-->00:39:13.651 they the they were trying to c- you know our my kids convinced these guys to watch this video 00:39:13.651-->00:39:17.055 and then you'll see what happens >>yeah and I actually have not seen this video yet uh Joe Joe 00:39:17.055-->00:39:21.192 refused to show it to me until the until the presentation so I'm I'll be joining you guys in 00:39:21.192-->00:39:24.262 watching it for the first time >>yes also if there are any young children in the in the 00:39:24.262-->00:39:27.866 audience cover your ears if you're with your parents make sure they cover your eyes 00:39:27.866-->00:39:32.870 there's some nasty images on the screen as a fair warning okay here we go [video playing softly 00:39:36.808-->00:39:41.813 
in background] he's watching the video [laughter] >>Well played sir >>thank you that's why no 00:39:45.450-->00:39:50.455 children are allowed in this office [laughter] while I BSODomize you in 1080p >>I'm 00:39:54.726-->00:39:59.731 rich bitch! >>That was pretty good >>Uh Onch is not into it >>it's his favorite it's his 00:40:06.004-->00:40:11.009 absolute favorite >>so here I'll put it back now >>So well played, did you do it remotely? 00:40:17.315-->00:40:22.320 Or was it timed? >>It's remotely >>That's nice >>with the Apple remote [laughter] it's a little 00:40:27.892-->00:40:32.897 more uh sleek for the for the office space >>exactly I love it >>And now we're back no more 00:40:36.868-->00:40:41.873 goatee sorry I had to do that to you [laughter] BSODomy in HD successful [video ends] yeah so 00:40:49.280-->00:40:54.285 [chuckle] [applause] so yeah so Onch was basically disgusted and was texting his wife babe Joe 00:41:00.525-->00:41:05.930 Grand just goateed me um but what happened is they were so loud that my kids were outside 00:41:05.930-->00:41:08.933 playing because I told them they I was like I'm going to show Jeremy a really disgusting video 00:41:08.933-->00:41:14.305 like you can't come in so they heard all the noise and decided to come in so I'm like alright 00:41:14.305-->00:41:19.310 I'm going to BSOD them too children are not immune but nah not with what you think alright 00:41:21.713-->00:41:28.486 so so now you know now the kids are watching the video because they think it's funny. [video 00:41:28.486-->00:41:33.491 plays] >>What happened? >>Daddy? >>Did you break it? >>No Daddy it's the BSODomizer [laughter] 00:41:45.903-->00:41:50.908 >>You guys are trained well yeah so Daddy's using his BSODomizer watch out!
Um so you could see 00:42:00.284-->00:42:03.788 on the screen there was some static on there that's another mode that we generated to show 00:42:03.788-->00:42:08.159 that we could do animated video generation is now you have static which is awesome for kids 00:42:08.159-->00:42:11.462 because if you hook this thing up and they're watching TV and you don't want to be the bad 00:42:11.462-->00:42:15.566 parent by saying you gotta stop watching TV you just you know turn on the static mode and be 00:42:15.566-->00:42:22.407 like oh I guess the TV broke, gotta go play outside Um so we had some other modes and they're 00:42:22.407-->00:42:27.578 mostly used for testing um some moire patterns some grayscale stuff and that's all still in 00:42:27.578-->00:42:32.316 there so if you need to have a legitimate reason to build the tool you could do that um but 00:42:32.316-->00:42:37.522 really it comes down to you know the challenges of dealing with the FPGA designing the system in 00:42:37.522-->00:42:42.560 essentially five weeks of full time work um with with us across the country and Zoz basically 00:42:42.560-->00:42:46.831 receiving a bunch of emails of me bitching about stuff and like once in awhile sending a picture 00:42:46.831-->00:42:51.702 I did send him the goatee of the image on the screen I didn't hear from him for a few days I'm 00:42:51.702-->00:42:56.407 like oh shit I know he's hard to piss off but I wonder if I really pissed him off >>No I 00:42:56.407-->00:43:00.912 just wasn't reading email for a few days due to travel >>So yeah so you know the challenges of 00:43:00.912-->00:43:04.982 this is we picked something way outside of our comfort zone um and I'm proud that we were able 00:43:04.982-->00:43:09.687 to get to a point where we have stuff to share we have stuff to show um there's other FPGA 00:43:09.687-->00:43:12.990 nightmare stories and anybody that's worked with FPGAs is probably like haha you guys 00:43:12.990-->00:43:17.962 suckers um but 
things about even like dealing with the different signals at different clock 00:43:17.962-->00:43:21.833 speeds or like really hard thing because you have to synchronize stuff and that's what we did 00:43:21.833-->00:43:25.803 with the buffer or you're going to have all sorts of problems um things like we we need to 00:43:25.803-->00:43:30.241 generate a new clock with a phase lock loop a PLL that's de- that's in hardware and the SD 00:43:30.241-->00:43:34.879 ram interface the DDR2 interface was using the PLL that we were trying to use and it took about 00:43:34.879-->00:43:40.151 four hours to realize that we were um not using the right one and we had to physically specify 00:43:40.151-->00:43:43.721 in code where we wanted to physically place a piece of hardware inside the silicon 00:43:43.721-->00:43:48.626 which was pretty mind boggling um so yeah it you know it was a lot of fun kind of a hard 00:43:48.626-->00:43:53.531 project if you wanna start working on your own project uh all the code for the old design 00:43:53.531-->00:43:57.134 is up on my website um the development notes and the schematic for this project will 00:43:57.134-->00:44:01.506 be up once I get back to a safe internet connection and I can scan all my documents in there's 00:44:01.506-->00:44:07.845 two Github repos one for the C code for the front end one for the HDL um for the FPGA so 00:44:07.845-->00:44:12.617 everything's available that we've done will be online um and you know the main thing I think 00:44:12.617-->00:44:17.889 here is that we FPGAs do fill a gap like they're useful for certain situations if you know 00:44:17.889-->00:44:21.993 what they are definitely don't be scared to start using them and get involved like there are 00:44:21.993-->00:44:26.230 some simpler FPGA boards because being a hacker is all about expanding your knowledge right 00:44:26.230-->00:44:29.634 and trying something new and learning from it and like even if this is a completely
00:44:29.634-->00:44:33.804 ridiculous project I'm confident now that as an engineer I can go and like design something with 00:44:33.804-->00:44:37.441 an FPGA >>Yeah we definitely don't want to scare people off you know with with saying how 00:44:37.441-->00:44:41.546 hard everything is just that there's a learning curve like there is t- t- to anything and 00:44:41.546-->00:44:46.918 um you you have to not be scared of it and to dive in and just you know commit to a few weeks 00:44:46.918-->00:44:50.221 of frustration to getting everything up and running but once you do you'll be like wow 00:44:50.221-->00:44:55.259 this is a really cool powerful new tool in in my uh in my arsenal that's alright >>Yeah so 00:44:55.259-->00:44:58.229 the final question that people have been asking us a lot is is are you going to turn this 00:44:58.229-->00:45:02.800 circuit board sandwich into an actual project? I don't know there's a lot of engineering 00:45:02.800-->00:45:07.171 that still has to happen um mostly from the hardware design side um Zoz is sort of like the 00:45:07.171-->00:45:11.876 >>Yeah I I really I really want to do it and Joe's not sure if he wants to do it it's got a re- 00:45:11.876-->00:45:15.246 it's a classic kind of Jobs Wozniak situation going on here because it's really easy for me 00:45:15.246-->00:45:18.583 to say yeah we should get this in people's hands you know people will really love it 00:45:18.583-->00:45:22.653 they'll use it but Joe's the Joe's the one that has to do all the hardware design >>I'm the 00:45:22.653-->00:45:25.122 sucker that's going to be stuck with it so yeah you know depending on if people want it 00:45:25.122-->00:45:29.427 whatever um we set up an email address you can send comments and and suggestions but 00:45:29.427-->00:45:34.031 everything's up there so you can at least start hacking on stuff on your own so >>But yeah if you 00:45:34.031-->00:45:39.070 if you want it if you would if you would buy one send email to
root@bsodomizer dot com and then 00:45:39.070-->00:45:43.608 we'll we'll gauge demand and then maybe we'll make it >>So yes, thank you for coming and uh 00:45:43.608-->00:45:45.610 the end [applause]