Episode 22: Chipping Away at Hardware Hacking

1
00:00:00,000 --> 00:00:04,760
Yeah, it's because Bugcrowd doesn't know that I can hack hardware.

2
00:00:04,760 --> 00:00:07,400
I need to hit them up and be like, hey, by the way.

3
00:00:07,400 --> 00:00:09,720
Yeah, me submits one bug a year on Bugcrowd .

4
00:00:09,720 --> 00:00:10,720
And it's like, who is this guy?

5
00:00:10,720 --> 00:00:11,720
Hardware, god.

6
00:00:11,720 --> 00:00:33,720
I didn't know.

7
00:00:33,720 --> 00:00:34,720
Yo yo yo, we're rolling.

8
00:00:34,720 --> 00:00:37,000
Yo yo, how's it going?

9
00:00:37,000 --> 00:00:38,000
Pretty good, dude.

10
00:00:38,000 --> 00:00:42,240
This past couple of weeks has been kind of crazy, but we're getting ready to kick off

11
00:00:42,240 --> 00:00:43,440
a live hacking event again.

12
00:00:43,440 --> 00:00:45,400
So it's not going to slow down, I don't think.

13
00:00:45,400 --> 00:00:47,400
Oh, dude, nonstop.

14
00:00:47,400 --> 00:00:49,160
It's like one thing to the next thing to the next thing.

15
00:00:49,160 --> 00:00:50,160
Yeah.

16
00:00:50,160 --> 00:00:53,000
Well, at least you got a week off last week from the pod.

17
00:00:53,000 --> 00:00:55,040
Yes, a little bit, barely.

18
00:00:55,040 --> 00:00:57,120
Yeah, you had crazy stuff going on though.

19
00:00:57,120 --> 00:00:59,120
So that's how it rolls.

20
00:00:59,120 --> 00:01:00,720
Yeah, yeah, yeah.

21
00:01:00,720 --> 00:01:01,720
All right.

22
00:01:01,720 --> 00:01:03,600
Yeah, let's check out the new stuff for the day.

23
00:01:03,600 --> 00:01:08,760
First, first up on the docket was Naham Khan, who are sponsoring this episode.

24
00:01:08,760 --> 00:01:10,120
So thank you, Naham Khan.

25
00:01:10,120 --> 00:01:15,360
Just wanted to give them a shout out and say, I'm going to be speaking there on the Saturday

26
00:01:15,360 --> 00:01:17,840
slot at 1220.

27
00:01:17,840 --> 00:01:24,880
And I'm going to be giving a presentation on PCI DSS, which is essentially payment card

28
00:01:24,880 --> 00:01:32,100
stuff and how pretty much every single website that we've seen is vulnerable to some sort

29
00:01:32,100 --> 00:01:39,440
of trickery in this area due to the way that the DSS recommended structure is.

30
00:01:39,440 --> 00:01:43,280
So there's going to be some really, really awesome content in that that will drop.

31
00:01:43,280 --> 00:01:46,760
So definitely don't miss that on Saturday at 12 PM PST.

32
00:01:46,760 --> 00:01:49,800
Yeah, dude, I'm really looking forward to that.

33
00:01:49,800 --> 00:01:55,880
I know that Naham always has amazing people on for his Khan and just for his show in general

34
00:01:55,880 --> 00:01:57,520
and all the content that he makes.

35
00:01:57,520 --> 00:01:59,040
But yeah, it's super awesome.

36
00:01:59,040 --> 00:02:01,280
I'm super stoked to see what you talk about there.

37
00:02:01,280 --> 00:02:05,120
I think the Khan in particular, I think is one of the one of the best structured ones

38
00:02:05,120 --> 00:02:10,840
for Bug Bounty Hunters because Ben just has such a good network in the Bug Bounty Hunter

39
00:02:10,840 --> 00:02:14,160
field that he can put together a bunch of people that really know what they're talking

40
00:02:14,160 --> 00:02:16,840
about and have differing expertise to share.

41
00:02:16,840 --> 00:02:22,160
I was looking at the lineup and there's a bunch of eclectic hacking styles and you've

42
00:02:22,160 --> 00:02:28,400
got people from influencers like Stulk all the way down to people like Douglas Day that

43
00:02:28,400 --> 00:02:31,960
just really get in the requests every single time.

44
00:02:31,960 --> 00:02:35,720
So it's really cool to see the whole gamut being run there.

45
00:02:35,720 --> 00:02:38,760
Yeah, it should be awesome.

46
00:02:38,760 --> 00:02:39,760
Yeah.

47
00:02:39,760 --> 00:02:40,880
Oh man.

48
00:02:40,880 --> 00:02:45,560
The next item on the news list makes me so sad, man.

49
00:02:45,560 --> 00:02:49,520
On Twitter, you see Gareth Hayes talk about JavaScript stuff all the time and he's one

50
00:02:49,520 --> 00:02:54,840
of those people that you can just feel the passion when he talks about JavaScript.

51
00:02:54,840 --> 00:03:00,520
He just freaking loves JavaScript and he tweeted out earlier this week and I threw it on the

52
00:03:00,520 --> 00:03:06,520
list that his favorite XSS vector is going to stop working, I think, is it like November

53
00:03:06,520 --> 00:03:08,720
when they're going to depreciate it?

54
00:03:08,720 --> 00:03:11,600
Yeah, I didn't catch the exact date.

55
00:03:11,600 --> 00:03:15,520
Yeah, Chrome 119 November 2023.

56
00:03:15,520 --> 00:03:21,680
They're going to depreciate data URLs inside of the use element in SVGs.

57
00:03:21,680 --> 00:03:22,680
Yeah.

58
00:03:22,680 --> 00:03:26,440
So for those who aren't aware, this is basically one of the really common ways that you would

59
00:03:26,440 --> 00:03:32,360
pop an XSS within an SVG, not just like SVG on error or on load or whatever, but within

60
00:03:32,360 --> 00:03:38,960
the SVG element itself, you can include stuff like, well, with this use element, you can

61
00:03:38,960 --> 00:03:40,680
use different things.

62
00:03:40,680 --> 00:03:43,240
I think it's meant to take a bunch of different data types.

63
00:03:43,240 --> 00:03:50,920
Yeah, it uses a data URL here and uses that within the SVG itself, but it seems like they

64
00:03:50,920 --> 00:04:01,160
want to have that piece, that data element removed from the SVG use element and that

65
00:04:01,160 --> 00:04:06,160
would result in, I guess, potentially you could still load it externally, but then you've

66
00:04:06,160 --> 00:04:08,160
got CSP stuff that you're going to run into.

67
00:04:08,160 --> 00:04:10,520
So it's a double edged sword there.

68
00:04:10,520 --> 00:04:16,720
Yeah, I know there are a couple other vectors and looking at the Web Security Academy on

69
00:04:16,720 --> 00:04:22,040
the Portswigger, there's these ones that use animate inside of SVG.

70
00:04:22,040 --> 00:04:24,440
Oh yeah, I've seen that.

71
00:04:24,440 --> 00:04:28,040
Some of them do use that use element, but not all of them do.

72
00:04:28,040 --> 00:04:31,240
So I'm wondering if that will still be a valid attack vector.

73
00:04:31,240 --> 00:04:37,040
Yeah, I mean, as long as it's not, because the use element is still staying, it's just

74
00:04:37,040 --> 00:04:42,520
that the data URL inside of the use element is kind of going away.

75
00:04:42,520 --> 00:04:46,960
And I think I'm looking at the reason for removal and it looks like it's largely because

76
00:04:46,960 --> 00:04:51,000
of the sort of same origin issue that's going on there.

77
00:04:51,000 --> 00:04:53,840
So sad to see that go, but really cool vector.

78
00:04:53,840 --> 00:05:00,200
And I'd always love to see Gareth Hayes talking about XSS stuff.

79
00:05:00,200 --> 00:05:04,160
He's one of the people that I do have notifications turned on for, tweet notifications turned

80
00:05:04,160 --> 00:05:07,480
on for, because every single time it's super high quality research.

81
00:05:07,480 --> 00:05:09,480
And I really appreciate that.

82
00:05:09,480 --> 00:05:10,480
Yeah, yeah, yeah.

83
00:05:10,480 --> 00:05:11,480
His book is amazing too.

84
00:05:11,480 --> 00:05:16,240
Yeah, I mean, he's just like, he's such a JavaScript fanatic, you know?

85
00:05:16,240 --> 00:05:18,320
It's like all he does, it's like his main focus.

86
00:05:18,320 --> 00:05:22,080
So he's one of those people that has so much insight about the nuance about what's going

87
00:05:22,080 --> 00:05:23,080
on.

88
00:05:23,080 --> 00:05:29,320
So anything that you can do to consume Gareth's knowledge is something I would recommend.

89
00:05:29,320 --> 00:05:35,040
And I love that little, I love that he wrote a little book too.

90
00:05:35,040 --> 00:05:39,680
I feel like that's something that people that specialize in the industry, it's really handy

91
00:05:39,680 --> 00:05:40,960
because the book is not long.

92
00:05:40,960 --> 00:05:47,240
It's not very hard to consume, but it outlines all of this cool shit that he has in his brain

93
00:05:47,240 --> 00:05:49,440
that otherwise we wouldn't have access to.

94
00:05:49,440 --> 00:05:54,380
And so I definitely endorse that method, not only just for knowledge sharing reasons, but

95
00:05:54,380 --> 00:05:58,280
also just for, it's a great thing to do when you're a specialist.

96
00:05:58,280 --> 00:06:02,560
Take the, however long it takes, do a little brain dump on this topic that you're just

97
00:06:02,560 --> 00:06:04,860
a super expert at and put it out there.

98
00:06:04,860 --> 00:06:09,720
And now you've got a product that you can, you're getting reoccurring income from, and

99
00:06:09,720 --> 00:06:12,680
you're also sharing that knowledge with a large community.

100
00:06:12,680 --> 00:06:14,000
Excuse me.

101
00:06:14,000 --> 00:06:16,400
So that's really, I really respect that.

102
00:06:16,400 --> 00:06:18,240
Yeah, for sure.

103
00:06:18,240 --> 00:06:20,640
And we've talked about this as well in the past.

104
00:06:20,640 --> 00:06:23,680
Any type of the, it doesn't have to be groundbreaking research, right?

105
00:06:23,680 --> 00:06:28,900
But any of that knowledge sharing type content is really amazing for building out the community

106
00:06:28,900 --> 00:06:32,440
and just helping other hackers learn and get better and helping secure everything as a

107
00:06:32,440 --> 00:06:33,440
whole.

108
00:06:33,440 --> 00:06:34,440
Works.

109
00:06:34,440 --> 00:06:37,840
Sometimes it ends up being one of these things where eventually the browsers will come and

110
00:06:37,840 --> 00:06:40,720
they'll patch something that shouldn't behave that way or whatever.

111
00:06:40,720 --> 00:06:45,240
But like, okay, yeah, that sucks for us as hackers, but it's good for security as a whole.

112
00:06:45,240 --> 00:06:48,040
And I think that insight is valuable regardless.

113
00:06:48,040 --> 00:06:49,040
Yeah, dude.

114
00:06:49,040 --> 00:06:50,040
It makes me think of that.

115
00:06:50,040 --> 00:06:54,040
Man, did we cover it on the pod or did it just make it into the news list?

116
00:06:54,040 --> 00:06:58,680
But it makes me remember this one at a live time at a live hacking event.

117
00:06:58,680 --> 00:07:06,320
There's this guy, BitKa that showed me this way that you can exfiltrate data via fetch.

118
00:07:06,320 --> 00:07:14,160
And what you do is you get it cached and then you say, hey, you force fetch to use cache.

119
00:07:14,160 --> 00:07:18,120
And it was like, at the time it was just like, oh, this is totally amazing because you could

120
00:07:18,120 --> 00:07:24,240
get a cookie, you could get a cookie to get the data and then it would cache the response.

121
00:07:24,240 --> 00:07:28,280
And then you could send the fetch request without the cookie with caching, pull from

122
00:07:28,280 --> 00:07:29,920
the cache set to mandatory.

123
00:07:29,920 --> 00:07:31,200
And then it would pull the results back.

124
00:07:31,200 --> 00:07:33,640
And it was just like, man, this is such a genius method.

125
00:07:33,640 --> 00:07:34,640
And so-

126
00:07:34,640 --> 00:07:35,640
That's really smart.

127
00:07:35,640 --> 00:07:40,680
It's sad because those methods get deleted as soon as they become popular.

128
00:07:40,680 --> 00:07:46,560
But if you're lucky enough to have met a great researcher at a live hacking event or at networking,

129
00:07:46,560 --> 00:07:50,440
sometimes you can pick up these little tidbits that will really help you pop some crazy bugs

130
00:07:50,440 --> 00:07:51,440
during engagements.

131
00:07:51,440 --> 00:07:53,440
Yeah, yeah, for sure.

132
00:07:53,440 --> 00:07:57,040
Did you hear about this move it, the move it vulnerability?

133
00:07:57,040 --> 00:07:58,880
Oh my gosh, yeah.

134
00:07:58,880 --> 00:08:01,320
It's hard to have not have heard of that, man.

135
00:08:01,320 --> 00:08:03,280
Twitter's kind of blowing up about it.

136
00:08:03,280 --> 00:08:04,640
Yeah, yeah.

137
00:08:04,640 --> 00:08:09,720
So I was reading about this and it's this file transfer app, right?

138
00:08:09,720 --> 00:08:10,720
Yeah, yeah.

139
00:08:10,720 --> 00:08:11,720
Yeah, that was my understanding.

140
00:08:11,720 --> 00:08:16,320
I hadn't actually heard of this before, like move it until the vulnerability.

141
00:08:16,320 --> 00:08:19,160
They were saying it's all over the place, but I actually hadn't seen it very much.

142
00:08:19,160 --> 00:08:22,840
I wonder actually how much net presence it does have.

143
00:08:22,840 --> 00:08:25,400
Yeah, yeah, it was super interesting.

144
00:08:25,400 --> 00:08:28,600
So I wasn't sure.

145
00:08:28,600 --> 00:08:34,440
They said that Huntress, is that who owns it or is that the people who found-

146
00:08:34,440 --> 00:08:38,040
I think that's John Hammond did some work with them.

147
00:08:38,040 --> 00:08:43,480
And I think he sort of did this whole, I guess sort of, I don't know if this is like an incident

148
00:08:43,480 --> 00:08:44,480
response.

149
00:08:44,480 --> 00:08:47,920
Yeah, they call it rapid response to this sort of vulnerability.

150
00:08:47,920 --> 00:08:53,480
And I thought this was really cool because, you know, even, and I also linked that and

151
00:08:53,480 --> 00:08:56,680
the click the Twitter link in the doc right below that Joel.

152
00:08:56,680 --> 00:08:58,800
Like I love to see this sort of thing.

153
00:08:58,800 --> 00:09:02,920
John is like out there at 4 a.m. tweeting like, oh man, I can't figure out like, oh,

154
00:09:02,920 --> 00:09:03,920
is this it?

155
00:09:03,920 --> 00:09:07,560
I'm putting screenshots of code and I just, you know, I read through that whole thread

156
00:09:07,560 --> 00:09:11,280
and I was like, man, this is why, you know, he rocks.

157
00:09:11,280 --> 00:09:15,920
This is why, you know, if you can come into this with this much passion where you're up

158
00:09:15,920 --> 00:09:21,920
at like 4 a.m. like, you know, really just trying to grind out this POC because what

159
00:09:21,920 --> 00:09:28,160
he was trying to do was reverse the POC, you know, reverse the flow from, I guess it looked

160
00:09:28,160 --> 00:09:36,080
like in the beginning all he had was a packet cap or like a like a log of the various endpoints

161
00:09:36,080 --> 00:09:37,080
that they hit.

162
00:09:37,080 --> 00:09:41,000
So, you know, if you click that that image at the top of the tweet, it's like, you know,

163
00:09:41,000 --> 00:09:46,120
it hit move it is API dot DLL and then it hits a couple other things.

164
00:09:46,120 --> 00:09:50,480
And so he's trying to like follow that flow and figure out how they ended up popping this

165
00:09:50,480 --> 00:09:52,400
the shell.

166
00:09:52,400 --> 00:09:57,520
So yeah, it's it's amazing to see, you know, when people are that into it and that like

167
00:09:57,520 --> 00:10:01,440
enthralled and then they look up it's like 4 a.m. and you're like, ah, what the heck?

168
00:10:01,440 --> 00:10:02,440
Yeah.

169
00:10:02,440 --> 00:10:03,440
Yeah, no, that's awesome.

170
00:10:03,440 --> 00:10:05,040
Yeah, it actually looks like he works.

171
00:10:05,040 --> 00:10:06,480
He's a researcher at Huntress.

172
00:10:06,480 --> 00:10:07,480
So yeah.

173
00:10:07,480 --> 00:10:08,480
Yeah.

174
00:10:08,480 --> 00:10:10,360
So super, super interesting.

175
00:10:10,360 --> 00:10:13,400
It sounds like they basically, yeah, like they got a packet capture or something like

176
00:10:13,400 --> 00:10:15,000
that.

177
00:10:15,000 --> 00:10:19,200
And so they started digging into it and trying to figure out like how it was working and

178
00:10:19,200 --> 00:10:20,200
the whole chain.

179
00:10:20,200 --> 00:10:24,000
And I don't want to like spoil all of this because I think it's worth reading.

180
00:10:24,000 --> 00:10:29,560
Yeah, they don't drop the full exploit either, which is, you know, for me, a little bit disappointing,

181
00:10:29,560 --> 00:10:33,040
but also, you know, totally reasonable, I think.

182
00:10:33,040 --> 00:10:35,600
Surely it's already somebody's already figured it out.

183
00:10:35,600 --> 00:10:36,600
Yeah.

184
00:10:36,600 --> 00:10:37,600
Yeah.

185
00:10:37,600 --> 00:10:38,600
So it's a really awesome.

186
00:10:38,600 --> 00:10:42,160
I feel like this would have fit perfectly with our source code analysis episodes that

187
00:10:42,160 --> 00:10:43,720
we just did.

188
00:10:43,720 --> 00:10:46,600
But yeah, this is one of those cases where you just do the deep dive.

189
00:10:46,600 --> 00:10:50,520
You keep digging, digging, going through rabbit holes, trying to figure out like, how does

190
00:10:50,520 --> 00:10:51,520
this code work?

191
00:10:51,520 --> 00:10:52,520
How does this code work?

192
00:10:52,520 --> 00:10:53,520
What is this code doing?

193
00:10:53,520 --> 00:10:55,720
And eventually you get to the root of it.

194
00:10:55,720 --> 00:10:58,680
And it's really awesome.

195
00:10:58,680 --> 00:11:02,840
It's a super interesting case study for sure in terms of like how something like this would

196
00:11:02,840 --> 00:11:05,360
work out in the wild.

197
00:11:05,360 --> 00:11:09,080
And I think that there's definitely some like learnings that you could pull away from like

198
00:11:09,080 --> 00:11:14,480
an organizational standpoint or how could you secure your org to protect against this

199
00:11:14,480 --> 00:11:17,400
like in the future, like what kinds of rules and stuff would you want to keep an eye out

200
00:11:17,400 --> 00:11:21,280
for other certain traffic patterns that you should be like looking out for that might

201
00:11:21,280 --> 00:11:23,880
have popped up if you were exploited by this second and stuff?

202
00:11:23,880 --> 00:11:29,440
Yeah, he adds like some Yara rules and like some indicators of compromise to the write

203
00:11:29,440 --> 00:11:32,280
up, which is great too.

204
00:11:32,280 --> 00:11:36,620
And yeah, just like you said, you know, about going down rabbit holes, if you go to John

205
00:11:36,620 --> 00:11:40,920
Hammond's Twitter right now and you know, on June 3rd, I saw it, that's the next day,

206
00:11:40,920 --> 00:11:43,080
you know, he's like, oh, we finally got it.

207
00:11:43,080 --> 00:11:46,460
And he's like, PS, it doesn't have anything to do with the crazy shit that I was viewing

208
00:11:46,460 --> 00:11:49,240
it for.

209
00:11:49,240 --> 00:11:51,920
So it's like, I just I feel that man.

210
00:11:51,920 --> 00:11:57,480
And yeah, it's cool to see, you know, for those of you that are always thinking like,

211
00:11:57,480 --> 00:11:58,480
oh, man, I'm not sure.

212
00:11:58,480 --> 00:11:59,920
Am I going down the right path?

213
00:11:59,920 --> 00:12:02,200
You know, how do I how do I know?

214
00:12:02,200 --> 00:12:06,040
Look at John here, you know, one of the most skilled guys out there on the arena, you know,

215
00:12:06,040 --> 00:12:10,120
he does education in, you know, cybersecurity stuff all the time.

216
00:12:10,120 --> 00:12:11,720
Shout out to his YouTube channel.

217
00:12:11,720 --> 00:12:13,920
Excellent, amazing YouTube channel.

218
00:12:13,920 --> 00:12:18,280
And even he goes down these rabbit holes and ends up, you know, this is the wrong thing.

219
00:12:18,280 --> 00:12:19,360
So it definitely happens.

220
00:12:19,360 --> 00:12:20,360
It's part of the process.

221
00:12:20,360 --> 00:12:24,200
And at the end of the day, if you keep on being persistent, just like John, you'll you'll

222
00:12:24,200 --> 00:12:26,200
end up popping the full bug for sure.

223
00:12:26,200 --> 00:12:27,800
Yeah, for sure.

224
00:12:27,800 --> 00:12:33,360
I think as well, it's really interesting.

225
00:12:33,360 --> 00:12:37,260
Like I feel like I've been in that scenario so many times where I've spent like eight

226
00:12:37,260 --> 00:12:40,840
hours or like more just like looking at one thing.

227
00:12:40,840 --> 00:12:45,120
And I'm so invested that I don't want to step out of it.

228
00:12:45,120 --> 00:12:46,120
Yeah.

229
00:12:46,120 --> 00:12:49,080
So do you have any what do you do when you're in that scenario?

230
00:12:49,080 --> 00:12:52,520
It's funny you mentioned that because I'm going to actually just pull it up on my email

231
00:12:52,520 --> 00:12:53,520
right now.

232
00:12:53,520 --> 00:13:00,080
There's somebody messaged this week into info at critical thinking podcast.io.

233
00:13:00,080 --> 00:13:03,440
And he said this is the question he said when you were hunting and you're doing recon and

234
00:13:03,440 --> 00:13:06,580
getting a feel for the app, you have something interesting that you are poking at.

235
00:13:06,580 --> 00:13:09,040
How do you know you are on to something promising?

236
00:13:09,040 --> 00:13:13,440
Do you have any tips for knowing when it is time to cut bait and move on?

237
00:13:13,440 --> 00:13:18,800
How to know when the potential for success is there or whether it's not worth the effort?

238
00:13:18,800 --> 00:13:21,560
And I was like, yeah, that's the rub, right?

239
00:13:21,560 --> 00:13:24,800
You know, to just bring it back to the Shakespearean eye.

240
00:13:24,800 --> 00:13:25,980
That's the rub.

241
00:13:25,980 --> 00:13:30,800
You know, whether it is nobler to continue to pursue down your rabbit hole or to, you

242
00:13:30,800 --> 00:13:33,160
know, I forget the rest of the quote, but it's Macbeth.

243
00:13:33,160 --> 00:13:36,160
So yeah, I was not.

244
00:13:36,160 --> 00:13:40,240
English was maybe my least favorite class.

245
00:13:40,240 --> 00:13:43,840
They made us do like a presentation of that and I was the guy reading that, so I should

246
00:13:43,840 --> 00:13:44,840
remember it.

247
00:13:44,840 --> 00:13:48,640
But you know, whether it is nobler to continue to hack or whether it is nobler to not continue

248
00:13:48,640 --> 00:13:50,840
to hack is the question.

249
00:13:50,840 --> 00:13:54,500
And yeah, it's really hard to know, man.

250
00:13:54,500 --> 00:13:57,720
And I think at some point, you know, you kind of get to a point where you're like, all right,

251
00:13:57,720 --> 00:14:00,560
I've looped on my brain so many times.

252
00:14:00,560 --> 00:14:04,080
Like I keep on just coming to the same conclusion, same conclusion, same conclusion.

253
00:14:04,080 --> 00:14:07,600
And for me, it's probably five or 10 cycles of that, you know, somewhere between five

254
00:14:07,600 --> 00:14:11,200
and 10 cycles of that before I'm like, man, I'm not really sure I'm going to find anything

255
00:14:11,200 --> 00:14:14,600
else at this at this specific code pathway.

256
00:14:14,600 --> 00:14:15,940
And that's when you start working back.

257
00:14:15,940 --> 00:14:19,800
And I will add, this is one of the things that I think was developed for me a lot by

258
00:14:19,800 --> 00:14:25,040
the OSCP because the OSCP has a has a time limit, right?

259
00:14:25,040 --> 00:14:26,560
You know, you've got 24 hours.

260
00:14:26,560 --> 00:14:31,680
And if you spend too much time going down a rabbit hole that you can't, you know, that

261
00:14:31,680 --> 00:14:33,860
doesn't end up with anything, you've lost a bunch of time.

262
00:14:33,860 --> 00:14:38,840
So that is that is something that pretty much only comes with experience, I think, is knowing

263
00:14:38,840 --> 00:14:46,280
whether when to cut, you know, cut your losses and move on or whether there's something there.

264
00:14:46,280 --> 00:14:51,240
So I would say, you know, to the listeners that are wondering about this question, yeah,

265
00:14:51,240 --> 00:14:52,800
I'll just call them CG.

266
00:14:52,800 --> 00:14:53,800
Thanks for that.

267
00:14:53,800 --> 00:14:55,600
Thanks for the question, CG.

268
00:14:55,600 --> 00:14:58,200
You know, experiment with it, right?

269
00:14:58,200 --> 00:15:02,360
So, you know, if you maybe you'll do one session where you're like, all right, anytime I run

270
00:15:02,360 --> 00:15:04,920
into a wall, I'm just going to move along.

271
00:15:04,920 --> 00:15:05,920
Right.

272
00:15:05,920 --> 00:15:08,000
And I know some people that do that, actually.

273
00:15:08,000 --> 00:15:09,720
And, you know, it works for them.

274
00:15:09,720 --> 00:15:10,720
And that's great.

275
00:15:10,720 --> 00:15:15,160
And I know some people that, you know, if they run into a wall 15 times at the same

276
00:15:15,160 --> 00:15:17,400
endpoint, they're still going to keep going at it.

277
00:15:17,400 --> 00:15:22,280
So you've got to figure out what is right for you as a hacker and where that limit lies.

278
00:15:22,280 --> 00:15:26,640
And it can be something that's intuitive, or it can be something, you know, that's set

279
00:15:26,640 --> 00:15:30,400
and concrete saying, hey, I've thought, where am I going to go five times now?

280
00:15:30,400 --> 00:15:31,400
Time to move on.

281
00:15:31,400 --> 00:15:33,320
And then you're back, you know, and you move along.

282
00:15:33,320 --> 00:15:35,560
So what do you think about that, Joel?

283
00:15:35,560 --> 00:15:41,760
Yeah, I think I'm very similar where it's not like I'm not an instant kind of pass when

284
00:15:41,760 --> 00:15:43,080
it's pushing back a little bit.

285
00:15:43,080 --> 00:15:47,520
I do like to push through it a little bit further just to see, like, am I missing something

286
00:15:47,520 --> 00:15:48,520
here?

287
00:15:48,520 --> 00:15:49,520
Is there something more to this?

288
00:15:49,520 --> 00:15:54,360
Am I just doing something like, you know, very minor here that is blocking me up here?

289
00:15:54,360 --> 00:15:56,960
Like sometimes I'll be like testing something for a while.

290
00:15:56,960 --> 00:16:00,000
And I've just made like a simple error in my request or something.

291
00:16:00,000 --> 00:16:01,840
It's like it's the worst, right?

292
00:16:01,840 --> 00:16:02,840
You spent like an hour.

293
00:16:02,840 --> 00:16:04,000
You're like, I guess this is like total.

294
00:16:04,000 --> 00:16:07,000
And then you're like, oh, my God, I've been using the wrong the wrong request this whole

295
00:16:07,000 --> 00:16:08,440
time or something like that.

296
00:16:08,440 --> 00:16:10,240
Like, yeah, that's what that happens to me.

297
00:16:10,240 --> 00:16:11,800
Really help to write.

298
00:16:11,800 --> 00:16:14,520
Yeah, that extra set of eyes is so useful.

299
00:16:14,520 --> 00:16:17,920
Just having somebody who's like, hey, that's the that's the wrong request.

300
00:16:17,920 --> 00:16:22,400
Like just add the extra little second brain on your shoulder.

301
00:16:22,400 --> 00:16:25,080
Yeah, that's super helpful.

302
00:16:25,080 --> 00:16:29,120
But I think for me, it's something like it's very similar to like what you have.

303
00:16:29,120 --> 00:16:33,240
It's like some it's I don't have a specific number, but it's a certain number of times

304
00:16:33,240 --> 00:16:34,920
where I run it and hit the brick wall.

305
00:16:34,920 --> 00:16:37,680
And I'm like, OK, I should probably move on.

306
00:16:37,680 --> 00:16:41,080
And some of it will also depend on whether or not I have other interesting things to

307
00:16:41,080 --> 00:16:42,080
be looking at.

308
00:16:42,080 --> 00:16:47,320
I feel like that also affects my like how lenient I am to just move on and go to the

309
00:16:47,320 --> 00:16:50,480
next thing, because if something has been really like pulling at me like this is something

310
00:16:50,480 --> 00:16:54,800
interesting I need to look at, but I need to finish what I'm looking at right now.

311
00:16:54,800 --> 00:16:58,080
If I'm not getting anywhere with what I'm looking at right now, I'm more likely to go

312
00:16:58,080 --> 00:16:59,400
start looking at that new thing.

313
00:16:59,400 --> 00:17:00,920
No, that that totally makes sense.

314
00:17:00,920 --> 00:17:03,440
And I think I have that same mentality.

315
00:17:03,440 --> 00:17:07,520
But for me, I think it feels a little bit more like a surrender when I move away from

316
00:17:07,520 --> 00:17:08,520
it.

317
00:17:08,520 --> 00:17:12,600
Like I think I do have a little bit more of that fighting spirit than is good for me sometimes.

318
00:17:12,600 --> 00:17:16,040
You know, and I've talked about this publicly on the pod before how I used to not really

319
00:17:16,040 --> 00:17:17,040
do that at all.

320
00:17:17,040 --> 00:17:18,040
And I would just move along.

321
00:17:18,040 --> 00:17:22,120
And, you know, those were the days when I was finding a bunch of like, you know, I doors

322
00:17:22,120 --> 00:17:25,740
and access control stuff because I was getting a bunch of volume because I was moving along

323
00:17:25,740 --> 00:17:30,280
so quickly as soon as anything would would, you know, bump into my way.

324
00:17:30,280 --> 00:17:31,280
Right.

325
00:17:31,280 --> 00:17:34,760
And, you know, if it's a function of volume, you know, for those sort of bugs, because

326
00:17:34,760 --> 00:17:38,440
it works or it doesn't work, it's not there's no fiddling normally.

327
00:17:38,440 --> 00:17:43,480
But when I started, you know, banging my head up against a wall, sometimes when I saw an

328
00:17:43,480 --> 00:17:49,140
attack vector, that's when I started finding these more serious volumes that are more deeply

329
00:17:49,140 --> 00:17:52,240
embedded in the apps and started walking away with some bigger bounties.

330
00:17:52,240 --> 00:17:58,640
And, you know, to be perfectly honest, looking at the statistics, my amount earned hasn't

331
00:17:58,640 --> 00:18:00,840
changed that much between those two strategies.

332
00:18:00,840 --> 00:18:03,560
I think it's a little bit higher where I'm at now.

333
00:18:03,560 --> 00:18:09,000
But you know, my amount earned does not actually deviate that much because like we've said

334
00:18:09,000 --> 00:18:12,780
in before, those I doors and those access control issues can be extremely impactful.

335
00:18:12,780 --> 00:18:14,840
And if you can get a bunch of those, it really pays off big.

336
00:18:14,840 --> 00:18:17,240
So it's really up to the individual hacker.

337
00:18:17,240 --> 00:18:18,240
Yeah.

338
00:18:18,240 --> 00:18:22,400
So do you have a preference between the two in hindsight, having done both and seeing

339
00:18:22,400 --> 00:18:24,800
that there's not a huge impact on the on the earnings?

340
00:18:24,800 --> 00:18:26,680
Would you ever go back to the first one?

341
00:18:26,680 --> 00:18:30,960
No, I mean, I think my preference is strongly where I'm at now because it's more interesting

342
00:18:30,960 --> 00:18:33,080
and it feels more risky.

343
00:18:33,080 --> 00:18:36,200
And sometimes it's a little bit less, you know, a little bit more stressful because

344
00:18:36,200 --> 00:18:40,160
you're like, well, if this doesn't pop, then I'm screwed, you know.

345
00:18:40,160 --> 00:18:45,540
But, but, you know, I think as I've developed as a hacker in my stress management and my

346
00:18:45,540 --> 00:18:49,560
anxiety management as well, you know, over bug bounty and as I've become a little bit

347
00:18:49,560 --> 00:18:53,160
more financially stable as well and, and, you know, realizing, hey, it's not the end

348
00:18:53,160 --> 00:18:54,160
of the world.

349
00:18:54,160 --> 00:18:57,960
And I've also just become a little bit more confident in who I am as a hacker as well,

350
00:18:57,960 --> 00:19:00,320
you know, in my identity as a hacker.

351
00:19:00,320 --> 00:19:03,760
I, you know, definitely lean a little bit more towards the latter now.

352
00:19:03,760 --> 00:19:05,600
It's like, oh, let me, let me spend a little extra time.

353
00:19:05,600 --> 00:19:12,020
Let me find some cool shit and spend a little bit less time grinding through the burp requests.

354
00:19:12,020 --> 00:19:17,160
But I definitely recommend that in the beginning for any beginner as well, because if you can

355
00:19:17,160 --> 00:19:21,040
hit a lot of volume, you'll see a lot of, you'll see a lot of HTTP requests.

356
00:19:21,040 --> 00:19:23,920
And like we talked about those reps lead you to be a better hacker.

357
00:19:23,920 --> 00:19:27,680
So there's, there's definitely, you know, you could go either way, depending on which

358
00:19:27,680 --> 00:19:29,240
way you want to grow.

359
00:19:29,240 --> 00:19:30,240
Yeah.

360
00:19:30,240 --> 00:19:31,240
Yeah.

361
00:19:31,240 --> 00:19:35,680
And I think one of the other things I recommend is especially this, this happens early on

362
00:19:35,680 --> 00:19:39,720
a lot when you first start hacking, you're just going to be like looking at stuff and

363
00:19:39,720 --> 00:19:43,520
it's going to be hard to find your first bug.

364
00:19:43,520 --> 00:19:47,280
And moving on is really difficult because when you first start, you don't know when

365
00:19:47,280 --> 00:19:48,280
you should move on.

366
00:19:48,280 --> 00:19:52,680
And like you have like no context in terms of like, what, what does that feel like?

367
00:19:52,680 --> 00:19:55,680
Or like, where is the right place to draw the line?

368
00:19:55,680 --> 00:20:01,000
And so I'd say like, if when you do decide like to move on, don't like, don't think

369
00:20:01,000 --> 00:20:02,000
about it too much.

370
00:20:02,000 --> 00:20:05,360
Like don't let it beat you up because you'll have to remember that like all the bug bounty

371
00:20:05,360 --> 00:20:07,000
is basically trying to beat the odds.

372
00:20:07,000 --> 00:20:10,680
You're trying to like find something that is bad, that shouldn't exist.

373
00:20:10,680 --> 00:20:14,280
And you're trying to like break the system that is designed to keep, you know, customer

374
00:20:14,280 --> 00:20:16,080
data safe or whatever it is.

375
00:20:16,080 --> 00:20:21,760
And so if you don't find anything, it doesn't mean that like you failed, right?

376
00:20:21,760 --> 00:20:25,120
It just means like that app might be secure and that's good.

377
00:20:25,120 --> 00:20:26,600
And that's, that's okay.

378
00:20:26,600 --> 00:20:29,600
And you know, it's time to just move on to the next thing and find something that feels

379
00:20:29,600 --> 00:20:32,080
less secure so that you can find all the holes in it.

380
00:20:32,080 --> 00:20:33,080
Yeah.

381
00:20:33,080 --> 00:20:34,080
Yeah.

382
00:20:34,080 --> 00:20:35,480
And you know, we, we preach this on the pod all the time.

383
00:20:35,480 --> 00:20:38,440
You know, there's a whole team of people that are dedicated to you not being able to do

384
00:20:38,440 --> 00:20:39,920
your job when you're doing book bounty.

385
00:20:39,920 --> 00:20:44,000
So it's a really, it's a really challenging thing, but we believe in you, you got it.

386
00:20:44,000 --> 00:20:46,120
So go get those bounties.

387
00:20:46,120 --> 00:20:51,240
And I will say, you know, for the more experienced hackers out there as well, don't get set in

388
00:20:51,240 --> 00:20:52,240
your ways.

389
00:20:52,240 --> 00:20:58,360
Don't, don't get so tied up in your approach that you never, that you never experiment

390
00:20:58,360 --> 00:21:03,080
because I know I grow a lot as a hacker as I started experimenting away into the more

391
00:21:03,080 --> 00:21:09,800
rabbit holdy sort of find the weird shit sort of things rather than the volume of requests.

392
00:21:09,800 --> 00:21:14,360
So I think there's a lot of room for growth there as you experiment with the various techniques.

393
00:21:14,360 --> 00:21:15,360
Yeah.

394
00:21:15,360 --> 00:21:16,360
A hundred percent nice man.

395
00:21:16,360 --> 00:21:18,460
Well, we, that was, that was a nice little, little vibe.

396
00:21:18,460 --> 00:21:21,440
We deviated a little bit from the plan, but I'm, I'm glad we talked about that because

397
00:21:21,440 --> 00:21:23,320
that's, that's just really important things.

398
00:21:23,320 --> 00:21:25,120
Yeah, for sure.

399
00:21:25,120 --> 00:21:26,300
All right.

400
00:21:26,300 --> 00:21:29,520
So this is what I had on, on, on the plan for today, Joel.

401
00:21:29,520 --> 00:21:35,200
We did, as we mentioned before, we've done a good bit of hardware hacking lately with

402
00:21:35,200 --> 00:21:38,040
the live hacking event that we last went to.

403
00:21:38,040 --> 00:21:42,840
So this is the episode where we talk a little bit more about that, where we give some details

404
00:21:42,840 --> 00:21:48,280
on some of the techniques that we used and kind of go into detail.

405
00:21:48,280 --> 00:21:50,560
So I mean, we could start with the hardware recon.

406
00:21:50,560 --> 00:21:51,560
Is that, does that work for you, Joel?

407
00:21:51,560 --> 00:21:53,560
Or you got anywhere else you want to start?

408
00:21:53,560 --> 00:21:55,520
Let's, let's, let's start from the top.

409
00:21:55,520 --> 00:21:56,520
Yeah.

410
00:21:56,520 --> 00:22:01,800
So click, click that link that's about, that's in under the, the next bullet point there.

411
00:22:01,800 --> 00:22:04,280
Cause I wanted to ask you something specifically about this.

412
00:22:04,280 --> 00:22:08,760
So you know, if you scroll down and we'll link this link, this is, this is River loop

413
00:22:08,760 --> 00:22:11,480
securities hardware hacking right up.

414
00:22:11,480 --> 00:22:15,400
You know, you scroll down and eventually they're soldering onto test pins on the backside of

415
00:22:15,400 --> 00:22:17,880
an EMC chip, right?

416
00:22:17,880 --> 00:22:18,880
Yep.

417
00:22:18,880 --> 00:22:28,440
So for those of you that just, that just sounded like garbage EMMC is an embedded multimedia

418
00:22:28,440 --> 00:22:29,440
card.

419
00:22:29,440 --> 00:22:30,440
Is that right?

420
00:22:30,440 --> 00:22:31,440
I think that's, yes.

421
00:22:31,440 --> 00:22:32,440
Yes.

422
00:22:32,440 --> 00:22:39,920
And that is sort of like the hard drive of these IOT applications where they're storing

423
00:22:39,920 --> 00:22:40,920
the file system.

424
00:22:40,920 --> 00:22:43,960
It's the non-violet volatile storage, right?

425
00:22:43,960 --> 00:22:48,680
And so one of the reasons we want to get at that is because it contains the source code

426
00:22:48,680 --> 00:22:51,720
and the actual file system for the IOT device.

427
00:22:51,720 --> 00:22:54,600
We can be really insightful to us as hackers.

428
00:22:54,600 --> 00:23:00,480
So what I wanted to talk, I wanted to ask you, Joel, in this sort of hardware recon section

429
00:23:00,480 --> 00:23:06,600
is like, there are these test pins on the back of that and we can use those.

430
00:23:06,600 --> 00:23:11,640
If we can find these test pins that correlate to this EMMC protocol, I guess we can use

431
00:23:11,640 --> 00:23:15,840
those to read from the EMMC chip as well.

432
00:23:15,840 --> 00:23:17,880
And we don't even have to pull the chip right off the board.

433
00:23:17,880 --> 00:23:18,880
Is that right?

434
00:23:18,880 --> 00:23:19,880
Yes.

435
00:23:19,880 --> 00:23:20,880
So in some cases, yes.

436
00:23:20,880 --> 00:23:21,880
It's kind of two routes.

437
00:23:21,880 --> 00:23:22,880
Some cases, no.

438
00:23:22,880 --> 00:23:23,880
Yeah.

439
00:23:23,880 --> 00:23:24,880
They talk about it a little bit.

440
00:23:24,880 --> 00:23:31,120
So typically if you want to read off of an EMMC chip while it's like in use, it's probably

441
00:23:31,120 --> 00:23:33,800
not a great idea for a couple of reasons.

442
00:23:33,800 --> 00:23:37,800
It would be basically like trying to read a hard drive while it's plugged in and being

443
00:23:37,800 --> 00:23:38,800
used.

444
00:23:38,800 --> 00:23:43,960
So there are other operations happening on the drive at the same time from a different

445
00:23:43,960 --> 00:23:46,540
like from the host OS that hasn't mounted.

446
00:23:46,540 --> 00:23:48,560
And so it might be reading and writing at the same time.

447
00:23:48,560 --> 00:23:49,560
It might be performing operations.

448
00:23:49,560 --> 00:23:52,180
It might have stuff locked like you never know.

449
00:23:52,180 --> 00:23:58,360
And there might be like conflicting data with the controller within the EMMC that will cause

450
00:23:58,360 --> 00:24:00,320
it to like have problems.

451
00:24:00,320 --> 00:24:02,800
So sometimes that works.

452
00:24:02,800 --> 00:24:03,800
Sometimes it doesn't.

453
00:24:03,800 --> 00:24:08,200
But it's really good for at least at the minimum, like looking at like debug, like what's going

454
00:24:08,200 --> 00:24:11,320
on like, are these pins the right pins?

455
00:24:11,320 --> 00:24:12,320
Is this chip functional?

456
00:24:12,320 --> 00:24:14,240
Like, am I looking in the right area?

457
00:24:14,240 --> 00:24:15,240
All that kind of stuff.

458
00:24:15,240 --> 00:24:19,960
Is it potentially possible to use those test points to interact with the chip if we can

459
00:24:19,960 --> 00:24:27,920
figure out a way to have the chip activated, you know, with power and not have the CPU,

460
00:24:27,920 --> 00:24:29,720
you know, hitting that same bus?

461
00:24:29,720 --> 00:24:30,720
Is that right?

462
00:24:30,720 --> 00:24:31,720
Right.

463
00:24:31,720 --> 00:24:32,720
Yeah.

464
00:24:32,720 --> 00:24:37,720
So like to the best of my understanding, you could literally just pull up the spec for that

465
00:24:37,720 --> 00:24:41,800
chip, read through it, see what the voltage is supposed to be, see what the amperage is

466
00:24:41,800 --> 00:24:47,240
supposed to be, take out a DC power supply, set it to the right voltage and amperage,

467
00:24:47,240 --> 00:24:51,080
connect it to the VCC and ground and power it up.

468
00:24:51,080 --> 00:24:52,080
Power it up.

469
00:24:52,080 --> 00:24:53,080
Yeah.

470
00:24:53,080 --> 00:24:54,080
Yeah.

471
00:24:54,080 --> 00:24:58,280
And then, okay, so that's cool because that actually gives us a second sort of route to

472
00:24:58,280 --> 00:25:02,560
get, or I guess maybe a third or fourth route, depending on how much stuff we get to cover

473
00:25:02,560 --> 00:25:03,560
today.

474
00:25:03,560 --> 00:25:08,800
But essentially for me, as a more of a beginner, I feel like I've kind of got a grip on some

475
00:25:08,800 --> 00:25:11,000
of the hardware hacking stuff now.

476
00:25:11,000 --> 00:25:16,440
But what my playbook kind of looked like was like, okay, is there a UART interface on this

477
00:25:16,440 --> 00:25:17,440
device?

478
00:25:17,440 --> 00:25:20,520
So you search around, you look for the UART interface, and we'll talk about UART and JTAG

479
00:25:20,520 --> 00:25:21,520
on a different episode.

480
00:25:21,520 --> 00:25:25,240
That'll be a hardware hacking episode too.

481
00:25:25,240 --> 00:25:30,960
And then if you can't find those, then you just do a chip pull and throw it into a reader

482
00:25:30,960 --> 00:25:34,760
and then try to pull the operating system off that way.

483
00:25:34,760 --> 00:25:38,240
But there's actually another method that doesn't destroy your device because that's the problem

484
00:25:38,240 --> 00:25:41,000
with the chip off method is it destroys your device.

485
00:25:41,000 --> 00:25:49,040
And if you can solder some pins onto these sort of test pins there, or solder some connectors

486
00:25:49,040 --> 00:25:56,400
onto those test pins and hook that up to some sort of device that can communicate over EMMC,

487
00:25:56,400 --> 00:26:00,520
and I think in this blog that we'll link in the description, they use a logic analyzer

488
00:26:00,520 --> 00:26:08,960
here to figure out which individual pin correlates to what part of the EMMC, right?

489
00:26:08,960 --> 00:26:14,160
Then you could potentially get a file system read through that, and it would still come

490
00:26:14,160 --> 00:26:17,240
across as like an SD card to your computer, right?

491
00:26:17,240 --> 00:26:18,240
Yeah.

492
00:26:18,240 --> 00:26:23,320
So generally, I like this approach because it's very ground up.

493
00:26:23,320 --> 00:26:27,120
It doesn't require you to pull up the data sheet or anything like that.

494
00:26:27,120 --> 00:26:32,440
However, I would say in most cases, like 99% of cases, you can literally just take the

495
00:26:32,440 --> 00:26:37,200
chip number, Google it, pull up the data sheet, and you know exactly what the pinout is.

496
00:26:37,200 --> 00:26:42,240
Most of the time, you don't need to be figuring out which is the clock pin because they're

497
00:26:42,240 --> 00:26:43,480
not changing that stuff.

498
00:26:43,480 --> 00:26:46,320
That comes straight from the manufacturer of the chip.

499
00:26:46,320 --> 00:26:51,600
There are cases that I've seen where either there will be like...

500
00:26:51,600 --> 00:26:56,240
So typically, there's a dot on top of a chip, and that dot is in one of the corners, and

501
00:26:56,240 --> 00:27:00,120
that references which one is pin one.

502
00:27:00,120 --> 00:27:05,800
And so sometimes, they'll put a dot somewhere else, or they'll put a dot on multiple corners

503
00:27:05,800 --> 00:27:09,920
so you don't know which pin is pin one, and so you have to figure it out yourself.

504
00:27:09,920 --> 00:27:10,920
That's savage, dude.

505
00:27:10,920 --> 00:27:11,920
That's so freaking savage.

506
00:27:11,920 --> 00:27:12,920
Yeah.

507
00:27:12,920 --> 00:27:17,040
And I'm not sure whether or not that's purposeful or whether or not that's just...

508
00:27:17,040 --> 00:27:21,120
They make a chip that can be used in multiple configurations, so they put it in multiple...

509
00:27:21,120 --> 00:27:24,240
I don't know, but I have seen that.

510
00:27:24,240 --> 00:27:28,800
I've seen pictures of that on the wild, so that's just something to be aware of.

511
00:27:28,800 --> 00:27:32,720
But if you have a very straightforward chip, it is like a single dot on the top.

512
00:27:32,720 --> 00:27:33,920
You can also just...

513
00:27:33,920 --> 00:27:35,400
There are easy things you can verify.

514
00:27:35,400 --> 00:27:39,200
So for example, every chip is going to have a voltage and a ground pin.

515
00:27:39,200 --> 00:27:44,600
So if you take your multimeter and you put it on continuity testing, which will basically

516
00:27:44,600 --> 00:27:49,280
tell whether or not the signal is going between one probe and the other probe, typically,

517
00:27:49,280 --> 00:27:52,800
there's a way to make it so it beeps, and then you tap the leads together and it goes

518
00:27:52,800 --> 00:27:53,800
beep, right?

519
00:27:53,800 --> 00:27:55,480
So that's continuity testing.

520
00:27:55,480 --> 00:27:58,400
You put one lead on the ground pin from your data sheet.

521
00:27:58,400 --> 00:27:59,400
You read the data sheet.

522
00:27:59,400 --> 00:28:01,000
You go, okay, this should be the ground pin.

523
00:28:01,000 --> 00:28:04,640
And then you can go as far back as you want.

524
00:28:04,640 --> 00:28:07,120
You could go all the way to the power connector.

525
00:28:07,120 --> 00:28:08,860
And one of those pins should be power.

526
00:28:08,860 --> 00:28:10,480
One of them should be ground.

527
00:28:10,480 --> 00:28:14,720
And you can test and see, is there continuity between these pins?

528
00:28:14,720 --> 00:28:15,720
Yes or no.

529
00:28:15,720 --> 00:28:16,840
And you can do the same thing for VCC.

530
00:28:16,840 --> 00:28:20,880
And that's also how you can test the test pads and see, is this pad pointing to this

531
00:28:20,880 --> 00:28:23,440
pin or this pin on the chip?

532
00:28:23,440 --> 00:28:26,640
And then that's a pretty easy way to determine whether or not it's using a standard pin out

533
00:28:26,640 --> 00:28:27,640
or not.

534
00:28:27,640 --> 00:28:28,640
Nice.

535
00:28:28,640 --> 00:28:34,840
So I mean, I guess we can do that to a certain degree with a multimeter, right?

536
00:28:34,840 --> 00:28:38,760
And with the continuity testing like you were talking about.

537
00:28:38,760 --> 00:28:43,240
But when it gets to something like, for example, in this article, it was talking about the

538
00:28:43,240 --> 00:28:48,640
various pieces of EMMC protocol, which I'll kind of touch on very lightly for the audience

539
00:28:48,640 --> 00:28:51,720
that haven't read the write-up yet.

540
00:28:51,720 --> 00:28:56,640
But essentially, there's three main parts of the protocol that you need to identify.

541
00:28:56,640 --> 00:29:02,400
There's the clock, there's the CMD, which is the line that's used for sending commands,

542
00:29:02,400 --> 00:29:05,160
and then there's data zero.

543
00:29:05,160 --> 00:29:11,200
And that's the minimum requirements that you need to be able to communicate over EMMC with

544
00:29:11,200 --> 00:29:12,300
the actual chip.

545
00:29:12,300 --> 00:29:17,280
So we're getting much lower than we normally do here on the pod because we mostly talk

546
00:29:17,280 --> 00:29:19,040
about web and mobile stuff.

547
00:29:19,040 --> 00:29:22,880
But this is actually talking about hardware level protocol stuff, which I think is really,

548
00:29:22,880 --> 00:29:25,320
really fun to dive into.

549
00:29:25,320 --> 00:29:29,160
But once we start trying to identify all those little pieces, that's where we really need

550
00:29:29,160 --> 00:29:35,000
a logic analyzer versus a multimeter because we have to be able to actually read the blips

551
00:29:35,000 --> 00:29:39,000
in power coming across those various lines.

552
00:29:39,000 --> 00:29:40,000
Is that right?

553
00:29:40,000 --> 00:29:41,000
Yeah.

554
00:29:41,000 --> 00:29:42,000
Yeah.

555
00:29:42,000 --> 00:29:45,840
So basically, what the logic analyzer is going to be doing is it's going to be looking at

556
00:29:45,840 --> 00:29:50,720
shifts between high and low, where that's basically a high voltage or a low voltage,

557
00:29:50,720 --> 00:29:54,640
where it's either drawing, where it's pulling it down or it's pushing it up.

558
00:29:54,640 --> 00:30:00,680
And so, for example, the clock pin that they identify, super easy to identify that because

559
00:30:00,680 --> 00:30:02,040
it runs like a clock, right?

560
00:30:02,040 --> 00:30:04,400
It goes on, off, on, off, on, off, on, off on a very regular schedule.

561
00:30:04,400 --> 00:30:08,200
And that's basically telling the chip how fast it should be operating.

562
00:30:08,200 --> 00:30:13,040
And then data is for data and CMD is for telling it what to do.

563
00:30:13,040 --> 00:30:16,660
And so, it's basically as straightforward as that.

564
00:30:16,660 --> 00:30:20,780
But logic analyzers will make that so much easier just because a lot of the stuff that's

565
00:30:20,780 --> 00:30:23,280
built into the software will do it automatically.

566
00:30:23,280 --> 00:30:25,920
So in the article, they use a sale.

567
00:30:25,920 --> 00:30:34,280
I use, it's called analog discovery two by Digilent.

568
00:30:34,280 --> 00:30:35,280
It's pretty good.

569
00:30:35,280 --> 00:30:36,640
It's cheaper than a sale.

570
00:30:36,640 --> 00:30:43,280
But I think if I were to buy one again, I'd probably go with the sale just because it's

571
00:30:43,280 --> 00:30:44,280
a little bit higher specced.

572
00:30:44,280 --> 00:30:48,560
It's a little bit more expensive, but the software is really, really good.

573
00:30:48,560 --> 00:30:54,680
And it's generally considered one of the top of the line tools that are out there.

574
00:30:54,680 --> 00:31:01,040
Digilent actually did just like last week announce the analog discovery three, which

575
00:31:01,040 --> 00:31:03,160
is an improvement to what I have.

576
00:31:03,160 --> 00:31:07,760
It has, I think, faster polling rates, faster measurement rates.

577
00:31:07,760 --> 00:31:10,200
It uses USB-C instead of micro USB.

578
00:31:10,200 --> 00:31:12,400
It's got a couple different things.

579
00:31:12,400 --> 00:31:17,400
But yeah, no, any sort of like logic analyzer is going to be a good investment if you're

580
00:31:17,400 --> 00:31:22,300
doing this type of hardware hacking just to identify like what's going on.

581
00:31:22,300 --> 00:31:23,700
Is this pin UART?

582
00:31:23,700 --> 00:31:24,700
Is this pin JTAG?

583
00:31:24,700 --> 00:31:25,700
Is this nothing?

584
00:31:25,700 --> 00:31:26,700
Like, what is it?

585
00:31:26,700 --> 00:31:27,700
Yeah.

586
00:31:27,700 --> 00:31:28,960
Yeah, that's a good point.

587
00:31:28,960 --> 00:31:32,960
I think I get a little excited about this stuff and I jump right in.

588
00:31:32,960 --> 00:31:36,960
Let me just say, this is relevant to you all as bug bounty hunters out there.

589
00:31:36,960 --> 00:31:43,040
The majority of our audiences are active bug bounty hunters because this is a very, very

590
00:31:43,040 --> 00:31:45,000
untouched scope normally.

591
00:31:45,000 --> 00:31:49,960
Like if you can go ahead because one, because the tools are very expensive and you know

592
00:31:49,960 --> 00:31:54,000
what we talk about here on the pod, you invest the money, you get the tools, you buy the

593
00:31:54,000 --> 00:31:58,840
premium and it opens up a bunch of scope that pays for itself.

594
00:31:58,840 --> 00:32:02,480
And a lot of these hardware hacking programs out there on Hacker One or Bug Crowd, you

595
00:32:02,480 --> 00:32:05,920
have to buy the piece of hardware yourself and then you're going to break it and it's

596
00:32:05,920 --> 00:32:08,260
going to be annoying.

597
00:32:08,260 --> 00:32:14,040
But if you go through that difficulty, if you pay the price, the bounties are much higher.

598
00:32:14,040 --> 00:32:18,720
So I'm hoping that we can inspire some of you to sort of pivot into the hardware hacking

599
00:32:18,720 --> 00:32:19,720
realm.

600
00:32:19,720 --> 00:32:24,160
It's really fascinating and there are a lot of really good write-ups out there actually

601
00:32:24,160 --> 00:32:25,160
on it.

602
00:32:25,160 --> 00:32:28,440
And so, and it's not as hard as you would think to pivot into it.

603
00:32:28,440 --> 00:32:29,440
Yeah.

604
00:32:29,440 --> 00:32:34,320
So one of the things I would recommend, if you or somebody that you know has a background

605
00:32:34,320 --> 00:32:42,200
in electrical engineering, this is a great space to dig into because like a fundamental

606
00:32:42,200 --> 00:32:47,360
electrical engineering background is so helpful for just understanding some of the basic stuff.

607
00:32:47,360 --> 00:32:50,680
Like why are things behaving the way they are?

608
00:32:50,680 --> 00:32:51,880
How would I interface with this?

609
00:32:51,880 --> 00:32:56,460
If I want to read data off of this pin, do I need to like have a pull down resistor?

610
00:32:56,460 --> 00:32:57,460
What is a pull down resistor?

611
00:32:57,460 --> 00:32:58,460
Right?

612
00:32:58,460 --> 00:33:04,640
So many fundamental electronic questions that would be so much easier to answer if you have

613
00:33:04,640 --> 00:33:07,160
any sort of electronics background.

614
00:33:07,160 --> 00:33:10,840
It doesn't even have to be like a full electrical engineering background.

615
00:33:10,840 --> 00:33:16,240
If you've done basic electronics stuff for many years, which I know lots of people have,

616
00:33:16,240 --> 00:33:19,280
yeah, like robotics, any of that kind of stuff, working with electronics, you're familiar

617
00:33:19,280 --> 00:33:24,240
with like voltages, like how circuit boards are designed, created, built, all that kind

618
00:33:24,240 --> 00:33:25,240
of stuff.

619
00:33:25,240 --> 00:33:26,660
Like this is a great area.

620
00:33:26,660 --> 00:33:28,840
There's not a lot of people who know this kind of stuff.

621
00:33:28,840 --> 00:33:32,000
It's a very like sparse knowledge space within hacking.

622
00:33:32,000 --> 00:33:33,000
So good.

623
00:33:33,000 --> 00:33:34,000
Yeah.

624
00:33:34,000 --> 00:33:35,000
Yeah.

625
00:33:35,000 --> 00:33:38,760
Like if you can pop one of these devices, it usually pays like a significant amount

626
00:33:38,760 --> 00:33:42,280
of money because most of these are owned by like large conglomerates.

627
00:33:42,280 --> 00:33:43,660
They have a lot of money on the line.

628
00:33:43,660 --> 00:33:46,000
They have a lot of people with this device in their hands.

629
00:33:46,000 --> 00:33:47,000
Yeah.

630
00:33:47,000 --> 00:33:48,360
And there's just a skillset mismatch too, right?

631
00:33:48,360 --> 00:33:52,120
There's not as many people that can do hardware hacking stuff as there are web because it

632
00:33:52,120 --> 00:33:53,120
requires tools.

633
00:33:53,120 --> 00:33:55,080
It requires background knowledge.

634
00:33:55,080 --> 00:34:02,080
And so I think the competition is a little bit less and there's more of a demand, supply

635
00:34:02,080 --> 00:34:04,480
and demand just sort of dictates that the boundaries would be higher.

636
00:34:04,480 --> 00:34:05,480
Yeah.

637
00:34:05,480 --> 00:34:06,480
Yeah.

638
00:34:06,480 --> 00:34:07,480
Yeah, for sure.

639
00:34:07,480 --> 00:34:10,080
I also just wanted to mention two things on what you just said.

640
00:34:10,080 --> 00:34:16,320
One, this is a great reference to the conversation that Corbin and I had last week on the pod

641
00:34:16,320 --> 00:34:18,680
and we'll link that in the description.

642
00:34:18,680 --> 00:34:23,360
But we have a great conversation about what kind of degree is best for a hacker to get.

643
00:34:23,360 --> 00:34:27,920
And this conversation we're having with Joel here is one of the main reasons why I suggest

644
00:34:27,920 --> 00:34:33,040
a computer engineering or maybe even electrical engineering degree for some hackers because

645
00:34:33,040 --> 00:34:37,440
you get a lot lower level understanding of things and it's so much easier to build on

646
00:34:37,440 --> 00:34:41,240
top when you have the bottom bricks, right?

647
00:34:41,240 --> 00:34:43,040
Think of it, think of it.

648
00:34:43,040 --> 00:34:45,480
Sometimes if you're trying to get an understanding of things and you don't know what's happening

649
00:34:45,480 --> 00:34:49,720
underneath, you kind of got this very shaky understanding, you're very shaky base and

650
00:34:49,720 --> 00:34:51,700
then you're trying to build bricks on top of it.

651
00:34:51,700 --> 00:34:55,000
But if you have a solid base, then it becomes so much easier to just boom, build up the

652
00:34:55,000 --> 00:34:57,360
wall and you've got a great understanding.

653
00:34:57,360 --> 00:34:58,360
I don't know, man.

654
00:34:58,360 --> 00:35:03,000
I have a little bit of a self-consciousness about my analogies because Mariah is like,

655
00:35:03,000 --> 00:35:04,800
Justin, that analogy doesn't make any sense.

656
00:35:04,800 --> 00:35:07,920
But hopefully that one came through to you guys.

657
00:35:07,920 --> 00:35:11,320
No, no, I 100% know what you mean.

658
00:35:11,320 --> 00:35:14,960
I get that same sense where, especially with hardware hacking, I'll be honest, hardware

659
00:35:14,960 --> 00:35:21,360
hacking is that for me as well because I'll be working on something and I'll be so confused

660
00:35:21,360 --> 00:35:22,800
as to why it's not working.

661
00:35:22,800 --> 00:35:27,580
And a lot of the time it's just because I've made a simple mistake due to a lack of fundamental

662
00:35:27,580 --> 00:35:29,280
knowledge or understanding.

663
00:35:29,280 --> 00:35:36,320
And it's very hard to find those problems or answer those unknown questions without

664
00:35:36,320 --> 00:35:37,320
the knowledge, right?

665
00:35:37,320 --> 00:35:41,080
So I think this applies to beginner hackers as well.

666
00:35:41,080 --> 00:35:45,660
It's like, how do you know when to draw the line to stop hacking and move on?

667
00:35:45,660 --> 00:35:50,800
How do you know when you have no experience and no knowledge or context, when to draw

668
00:35:50,800 --> 00:35:51,800
that line?

669
00:35:51,800 --> 00:35:53,240
Do you just guess?

670
00:35:53,240 --> 00:35:55,480
Is there any sort of concrete identifier?

671
00:35:55,480 --> 00:35:59,960
And that is very similar for hardware hacking where it's like, how do you know if this is

672
00:35:59,960 --> 00:36:05,920
just a fundamental thing that you need to go learn or if this is just a common problem

673
00:36:05,920 --> 00:36:08,640
that even the experts hit or what is going on here?

674
00:36:08,640 --> 00:36:09,800
Where do you draw the line?

675
00:36:09,800 --> 00:36:12,140
So I wouldn't beat yourself up too much over it.

676
00:36:12,140 --> 00:36:15,580
But if you have that solid fundamental knowledge, that solid foundation, it's going to make

677
00:36:15,580 --> 00:36:16,580
things so much easier.

678
00:36:16,580 --> 00:36:17,580
Yeah.

679
00:36:17,580 --> 00:36:22,920
I think the procrastination education piece with hardware hacking is a little bit different

680
00:36:22,920 --> 00:36:26,640
too because sometimes you really do need to be like, ah, actually, I don't know about

681
00:36:26,640 --> 00:36:28,720
this very specific little thing.

682
00:36:28,720 --> 00:36:34,440
For example, Joel and I were working on a project where we needed to read from an RPMB

683
00:36:34,440 --> 00:36:36,680
sort of, it's not really a partition.

684
00:36:36,680 --> 00:36:37,680
Yeah, a protected memory block.

685
00:36:37,680 --> 00:36:40,920
A protected memory block on an EMC chip.

686
00:36:40,920 --> 00:36:42,620
And we had never even heard of that.

687
00:36:42,620 --> 00:36:47,560
So we both had to go and read the white paper on that specific piece of technology and kind

688
00:36:47,560 --> 00:36:51,000
of understand what it does at a lower level to be able to come back and hack.

689
00:36:51,000 --> 00:36:57,320
So there's definitely some different tricks in the hardware hacking field to get caught

690
00:36:57,320 --> 00:36:58,320
up on.

691
00:36:58,320 --> 00:37:04,080
But if you can pull it off, one, I don't think I'll ever forget this moment in my entire

692
00:37:04,080 --> 00:37:05,080
life.

693
00:37:05,080 --> 00:37:07,920
Joel, that first time we took the chip off of there and I put it into my computer and

694
00:37:07,920 --> 00:37:13,120
I just saw like 15 different partitions like new disk, new disk, new disk, new disk found.

695
00:37:13,120 --> 00:37:14,120
I was like, you've got to be kidding me.

696
00:37:14,120 --> 00:37:15,120
It's so satisfying.

697
00:37:15,120 --> 00:37:16,920
I cannot believe I just pulled.

698
00:37:16,920 --> 00:37:18,600
I took this to put device apart.

699
00:37:18,600 --> 00:37:24,560
I took the chip out of the device and I put it into a thing and my computer just read

700
00:37:24,560 --> 00:37:26,400
it like that's nuts.

701
00:37:26,400 --> 00:37:31,480
So there's lots of really amazing feelings that kind of come along with diving into hardware

702
00:37:31,480 --> 00:37:36,640
hacking and finding your first little pathway to getting source code or a bug.

703
00:37:36,640 --> 00:37:37,640
Yeah.

704
00:37:37,640 --> 00:37:39,240
Dude, I'm not going to lie.

705
00:37:39,240 --> 00:37:41,200
Even after all that reading on RPMBs.

706
00:37:41,200 --> 00:37:45,040
Dude, no one, that's a stupid protocol, man.

707
00:37:45,040 --> 00:37:47,000
I don't even know.

708
00:37:47,000 --> 00:37:52,440
I don't know if I could describe what it is, how it works, how it's supposed to be, if

709
00:37:52,440 --> 00:37:53,880
we did anything right there.

710
00:37:53,880 --> 00:37:59,160
Because when we eventually got on the device while it was running, we could access it,

711
00:37:59,160 --> 00:38:00,640
but after we had pulled the chip, we couldn't.

712
00:38:00,640 --> 00:38:02,480
So I don't know.

713
00:38:02,480 --> 00:38:05,920
It's still very confusing to me, but it's a super interesting topic area.

714
00:38:05,920 --> 00:38:06,920
Yeah.

715
00:38:06,920 --> 00:38:08,960
It's replay protected memory block.

716
00:38:08,960 --> 00:38:09,960
Replay.

717
00:38:09,960 --> 00:38:10,960
Oh, that's what it is.

718
00:38:10,960 --> 00:38:12,360
It's replay protected memory block.

719
00:38:12,360 --> 00:38:17,800
And so essentially the whole point of that is you shouldn't be able to write to that

720
00:38:17,800 --> 00:38:23,680
block without going through the authentication protocol.

721
00:38:23,680 --> 00:38:28,360
But there's a bunch of things that say online, because the spec is a little fuzzy, about

722
00:38:28,360 --> 00:38:31,880
whether you can read from that without having the authentication key.

723
00:38:31,880 --> 00:38:37,880
And really, if you read the actual doc, the actual spec for the device, it shows that

724
00:38:37,880 --> 00:38:45,760
the encryption piece of RPMB is just an HMAC on the read side.

725
00:38:45,760 --> 00:38:52,400
So if you don't choose to validate that MAC, then you can read from it just fine.

726
00:38:52,400 --> 00:38:59,760
And it's mostly, I think, designed to protect against tampering at a hardware level.

727
00:38:59,760 --> 00:39:01,920
So anyway, it's a cool thing.

728
00:39:01,920 --> 00:39:05,200
I do know a lot more about it now than I did before.

729
00:39:05,200 --> 00:39:06,240
So that's cool.

730
00:39:06,240 --> 00:39:09,280
But I don't know when that will ever come in handy again.

731
00:39:09,280 --> 00:39:10,720
Next time I'm doing some crazy...

732
00:39:10,720 --> 00:39:13,640
It's just one of those little brain space fillers.

733
00:39:13,640 --> 00:39:14,640
Exactly.

734
00:39:14,640 --> 00:39:15,640
Exactly.

735
00:39:15,640 --> 00:39:16,640
OK.

736
00:39:16,640 --> 00:39:19,400
So getting back, we look around on the board for test pins.

737
00:39:19,400 --> 00:39:25,120
Let's see if we can hook up to those test pins, see if we can figure out some way to

738
00:39:25,120 --> 00:39:27,480
power up the chip via VCC.

739
00:39:27,480 --> 00:39:32,480
Or maybe, I think in the article, yeah, we'll definitely check out the article.

740
00:39:32,480 --> 00:39:36,920
Because there's still some stuff they mention here about glitching with the CPU to get it

741
00:39:36,920 --> 00:39:41,700
to not try to read over that disk.

742
00:39:41,700 --> 00:39:44,080
So maybe there's some cool stuff you can do there.

743
00:39:44,080 --> 00:39:48,400
Yeah, you could definitely do some power glitching and stuff to try and get the CPU in a weird

744
00:39:48,400 --> 00:39:49,760
state.

745
00:39:49,760 --> 00:39:55,080
I do generally like trying to power it with the onboard power stuff, if I can.

746
00:39:55,080 --> 00:39:58,840
So for example, if I'm trying to use UART or something, I definitely want to have it

747
00:39:58,840 --> 00:39:59,840
do its normal.

748
00:39:59,840 --> 00:40:03,080
I basically want the device to think that everything is normal and that it's getting

749
00:40:03,080 --> 00:40:07,840
all the same power delivery and everything that it would while functioning normally instead

750
00:40:07,840 --> 00:40:09,640
of trying to rig that myself.

751
00:40:09,640 --> 00:40:12,960
I probably could, but I don't know if something's going to go wrong.

752
00:40:12,960 --> 00:40:17,000
I don't know if there's special power requirements that the chip is doing or that other things

753
00:40:17,000 --> 00:40:18,320
on the board might need.

754
00:40:18,320 --> 00:40:21,240
And the last thing you want to do is fry something on the board accidentally.

755
00:40:21,240 --> 00:40:22,760
I'm scared of that.

756
00:40:22,760 --> 00:40:26,800
That's the biggest risk, in my opinion, is that you fry something in an expensive piece

757
00:40:26,800 --> 00:40:31,600
of hardware and then you have to buy another one or call it quits.

758
00:40:31,600 --> 00:40:32,600
Those are nice.

759
00:40:32,600 --> 00:40:36,360
And sometimes HackerOne, and I assume Bugcrowd does this too, but I haven't had that experience

760
00:40:36,360 --> 00:40:37,880
with Bugcrowd, so I don't know.

761
00:40:37,880 --> 00:40:38,880
They do.

762
00:40:38,880 --> 00:40:39,880
Okay.

763
00:40:39,880 --> 00:40:41,840
Yeah, it's because Bugcrowd doesn't know that I can hack hardware.

764
00:40:41,840 --> 00:40:44,520
I need to hit them up and be like, hey, by the way.

765
00:40:44,520 --> 00:40:47,080
Me submits one bug a year on Bugcrowd.

766
00:40:47,080 --> 00:40:50,080
It's like, hardware, God.

767
00:40:50,080 --> 00:40:53,720
Yeah, but it's really nice when the HackerOne programs and the Bugcrowd programs actually

768
00:40:53,720 --> 00:40:57,160
send you the hardware to test on without you having to pay for it.

769
00:40:57,160 --> 00:40:58,160
Okay.

770
00:40:58,160 --> 00:41:00,720
So we talked about the logic analyzer.

771
00:41:00,720 --> 00:41:02,120
We talked about a little bit of recon.

772
00:41:02,120 --> 00:41:08,840
So let's say, for example, we can't get the test pin to work, test pin method, with our

773
00:41:08,840 --> 00:41:14,160
sort of natural power and we can't get it to power up, you know, giving it power directly.

774
00:41:14,160 --> 00:41:17,520
So we got to go for a chip pull.

775
00:41:17,520 --> 00:41:19,260
And yeah.

776
00:41:19,260 --> 00:41:23,320
So there are some equipment that we need for this.

777
00:41:23,320 --> 00:41:25,680
And I kind of noted some of them down here.

778
00:41:25,680 --> 00:41:29,320
Joel, you can kind of take a quick look over that and make sure I wasn't missing anything.

779
00:41:29,320 --> 00:41:34,800
But the essentials are a heat, a heat, sort of a heat gun or a heat hot air station, I

780
00:41:34,800 --> 00:41:37,200
think is what they're called.

781
00:41:37,200 --> 00:41:43,280
And that will allow you to just very send very focused hot air on the specific chip.

782
00:41:43,280 --> 00:41:47,480
So you know, you strip down the device, you find the EMMC chip, and you can find that

783
00:41:47,480 --> 00:41:49,400
by Googling, you know, what text is on it.

784
00:41:49,400 --> 00:41:51,680
And sometimes it's obvious from the way that it looks.

785
00:41:51,680 --> 00:41:56,440
But yeah, you know, you set that hot air station up, you shoot hot air on it.

786
00:41:56,440 --> 00:41:57,640
And then what happens?

787
00:41:57,640 --> 00:41:58,640
Yeah.

788
00:41:58,640 --> 00:42:03,160
So basically, for like the mental image, for people who are just listening, a hot air station

789
00:42:03,160 --> 00:42:06,640
is if you've seen a heat gun, it's not like a blow dryer.

790
00:42:06,640 --> 00:42:12,120
It's like just the like, straight part of a blow of a blow dryer without the handle.

791
00:42:12,120 --> 00:42:15,160
And it basically is just an electric coil that blows hot air.

792
00:42:15,160 --> 00:42:17,920
And then it has these little funnels on the end, like you mentioned that, like narrow

793
00:42:17,920 --> 00:42:21,020
the hot air down to like a very.

794
00:42:21,020 --> 00:42:22,020
You can see it.

795
00:42:22,020 --> 00:42:23,020
You're pointing at it right behind you.

796
00:42:23,020 --> 00:42:26,880
I'm sorry, for those on YouTube, you can actually see it on my desk behind me.

797
00:42:26,880 --> 00:42:29,320
But for those of you on audio, listen to Joel, sorry.

798
00:42:29,320 --> 00:42:30,320
Yeah.

799
00:42:30,320 --> 00:42:32,960
So there's like a little, you know, it's like a giant pen kind of thing.

800
00:42:32,960 --> 00:42:35,080
It's wired up to this power supply.

801
00:42:35,080 --> 00:42:38,200
And then on the power supply, you set what temperature you want it to run at.

802
00:42:38,200 --> 00:42:43,240
And then there's a little nozzle on the end that controls how large of an airflow that

803
00:42:43,240 --> 00:42:44,420
it's pushing hot air out.

804
00:42:44,420 --> 00:42:48,120
And then just as a fan over a heating element, it just blows hot air.

805
00:42:48,120 --> 00:42:49,120
OK.

806
00:42:49,120 --> 00:42:51,840
So hot air can go very, very hot.

807
00:42:51,840 --> 00:42:52,840
Very, very, very hot.

808
00:42:52,840 --> 00:42:53,840
Easily burn yourself.

809
00:42:53,840 --> 00:42:55,480
Very, very, very, very hot.

810
00:42:55,480 --> 00:42:59,240
So this is not something to like just, you know, mess around with.

811
00:42:59,240 --> 00:43:02,480
Obviously, be careful as you're using these tools.

812
00:43:02,480 --> 00:43:05,000
You know, respect, respect what it can do.

813
00:43:05,000 --> 00:43:06,000
It is a heat gun.

814
00:43:06,000 --> 00:43:07,000
It creates heat.

815
00:43:07,000 --> 00:43:08,000
You can get burned.

816
00:43:08,000 --> 00:43:09,000
I have gotten burned.

817
00:43:09,000 --> 00:43:10,000
Yes.

818
00:43:10,000 --> 00:43:11,000
Yeah, me as well.

819
00:43:11,000 --> 00:43:12,000
Yes.

820
00:43:12,000 --> 00:43:15,640
I had a hot plate that I was also doing some desoldering with it.

821
00:43:15,640 --> 00:43:17,480
I just like stuck my hand on it by accident.

822
00:43:17,480 --> 00:43:19,520
I forgot I was on.

823
00:43:19,520 --> 00:43:20,680
So that was fun.

824
00:43:20,680 --> 00:43:25,200
But yes, so a hot gun, a heat gun, a hot air reflow rework station.

825
00:43:25,200 --> 00:43:26,520
It's called a lot of different things.

826
00:43:26,520 --> 00:43:30,600
We'll link some stuff down in the description for those of you that kind of want a basic

827
00:43:30,600 --> 00:43:31,600
setup.

828
00:43:31,600 --> 00:43:32,600
Yeah.

829
00:43:32,600 --> 00:43:37,200
But what you need to, all you need to know is that basically chips, generally speaking,

830
00:43:37,200 --> 00:43:38,320
have two different forms.

831
00:43:38,320 --> 00:43:42,120
They have pins that are like coming off the side of them that are then soldered down to

832
00:43:42,120 --> 00:43:43,120
the board.

833
00:43:43,120 --> 00:43:47,080
And then they have these things called a BGA, a ball grid array.

834
00:43:47,080 --> 00:43:55,840
And a BGA is essentially little tiny balls of solder that connect underneath.

835
00:43:55,840 --> 00:43:57,920
Like it literally, it's sandwiches on top.

836
00:43:57,920 --> 00:44:01,040
There's the chip, then there's balls of solder, and then there's the board right underneath

837
00:44:01,040 --> 00:44:03,440
it, and there's contacts on the board underneath it.

838
00:44:03,440 --> 00:44:08,760
And it holds it, you know, once the solder is not melted, it holds it there essentially

839
00:44:08,760 --> 00:44:14,080
acting as the pins that connects it between the contacts on the bottom of the chip and

840
00:44:14,080 --> 00:44:16,560
the contacts on top of the board.

841
00:44:16,560 --> 00:44:23,880
And so when we use a hot air gun, we're essentially heating up those little balls of solder underneath

842
00:44:23,880 --> 00:44:28,560
such that they liquefy enough and then you pull the chip off.

843
00:44:28,560 --> 00:44:29,800
And that's it.

844
00:44:29,800 --> 00:44:30,800
That's basically all you're doing.

845
00:44:30,800 --> 00:44:38,080
You're doing what you would do with a soldering iron, like the hot tip thing and you put it

846
00:44:38,080 --> 00:44:39,920
on whatever it smokes and chip.

847
00:44:39,920 --> 00:44:41,840
It's all that, but it's just like from a distance.

848
00:44:41,840 --> 00:44:44,160
So you're just doing it with hot air.

849
00:44:44,160 --> 00:44:45,160
Yeah.

850
00:44:45,160 --> 00:44:46,160
With hot air.

851
00:44:46,160 --> 00:44:51,360
So, you know, I guess more concretely, you know, you get the hot air station and you're

852
00:44:51,360 --> 00:44:55,320
kind of using that pen and you're going back and forth and back and forth.

853
00:44:55,320 --> 00:45:03,600
And I think the last time we did an assessment, Joel, we set it to about 400 degrees Celsius.

854
00:45:03,600 --> 00:45:09,480
But I think the best way to do it to preserve the safety for the devices, excuse me, is

855
00:45:09,480 --> 00:45:15,880
to set it at like a lower level, maybe like 250 or so, and then sort of slowly work your

856
00:45:15,880 --> 00:45:16,880
way up.

857
00:45:16,880 --> 00:45:20,720
So, you know, you shoot it, you know, back and forth, back and forth for about a minute

858
00:45:20,720 --> 00:45:22,240
and a half, two minutes.

859
00:45:22,240 --> 00:45:25,560
And then, you know, you try to lift the chip and it's, you're not going to be forcing

860
00:45:25,560 --> 00:45:26,560
it.

861
00:45:26,560 --> 00:45:27,560
It's literally just going to be a lift.

862
00:45:27,560 --> 00:45:29,400
Like you're going to put the grab your tweezers.

863
00:45:29,400 --> 00:45:30,400
That's another thing you need.

864
00:45:30,400 --> 00:45:31,400
You're going to grab your tweezers.

865
00:45:31,400 --> 00:45:34,480
You're going to grab the chip with tweezers and you're going to try to lift up.

866
00:45:34,480 --> 00:45:36,800
And if it doesn't come with you, don't force it.

867
00:45:36,800 --> 00:45:40,040
And then you sort of back off, let the chip cool down a little bit because you don't want

868
00:45:40,040 --> 00:45:41,040
to fry it.

869
00:45:41,040 --> 00:45:46,040
You can maybe wait two or three minutes and then, you know, bump up the heat to 275 or

870
00:45:46,040 --> 00:45:48,080
300 or something like that.

871
00:45:48,080 --> 00:45:50,040
And then sort of work your way up.

872
00:45:50,040 --> 00:45:56,000
I think the place we found it was around 400, 425 maybe is a good spot.

873
00:45:56,000 --> 00:46:01,080
And then eventually, you know, you do that for sometimes it's not even 30 seconds.

874
00:46:01,080 --> 00:46:04,840
Sometimes it's like, you know, a shorter amount of time and you'll be able to just lift the

875
00:46:04,840 --> 00:46:07,080
chip right off.

876
00:46:07,080 --> 00:46:11,320
And then you've done a successful pull, hopefully, if you didn't rip off any pads.

877
00:46:11,320 --> 00:46:12,320
Yeah.

878
00:46:12,320 --> 00:46:17,560
So I'm sure that there are some hardware people cringing as they listen to this being like

879
00:46:17,560 --> 00:46:20,800
400 degrees, 425.

880
00:46:20,800 --> 00:46:29,960
So the one thing I'll say is most of these hot air guns are made cheaply and they do

881
00:46:29,960 --> 00:46:35,520
not have the best quality control and they're not the most consistent things, especially

882
00:46:35,520 --> 00:46:38,940
across brands and across devices.

883
00:46:38,940 --> 00:46:45,360
So your mileage is going to vary probably greatly from someone else's and you will just

884
00:46:45,360 --> 00:46:47,680
need to do some testing on your own.

885
00:46:47,680 --> 00:46:52,200
Like Justin said, I would start at a low temp, like start at melting point of solder.

886
00:46:52,200 --> 00:46:55,720
So like probably around 200 C and just work your way up.

887
00:46:55,720 --> 00:47:01,160
If you're, you know, you're constantly moving your air gun, you're heating the whole area.

888
00:47:01,160 --> 00:47:04,120
The thing that you mentioned this, but you didn't really explain it.

889
00:47:04,120 --> 00:47:08,080
You need to be constantly moving the air gun around the chip because you need all of the

890
00:47:08,080 --> 00:47:11,160
balls of solder underneath the chip to be melted at the same time.

891
00:47:11,160 --> 00:47:12,160
Yeah.

892
00:47:12,160 --> 00:47:13,160
Evenly.

893
00:47:13,160 --> 00:47:14,160
Right.

894
00:47:14,160 --> 00:47:15,160
And the other thing is flux.

895
00:47:15,160 --> 00:47:16,160
Oh my God.

896
00:47:16,160 --> 00:47:17,160
Flux is your best friend.

897
00:47:17,160 --> 00:47:18,160
Yeah.

898
00:47:18,160 --> 00:47:19,160
So yeah.

899
00:47:19,160 --> 00:47:22,080
So flux based flux, it basically, it helps solder flow.

900
00:47:22,080 --> 00:47:23,080
This is not really optional.

901
00:47:23,080 --> 00:47:25,600
I, you know, this is very important.

902
00:47:25,600 --> 00:47:26,600
Yes.

903
00:47:26,600 --> 00:47:27,600
You need flux like big time.

904
00:47:27,600 --> 00:47:30,000
So flux helps solder flow.

905
00:47:30,000 --> 00:47:32,660
It helps prevent it from oxidizing.

906
00:47:32,660 --> 00:47:37,720
And so essentially what that's going to do, solder has surface tension, essentially.

907
00:47:37,720 --> 00:47:40,120
That's what holds it in place.

908
00:47:40,120 --> 00:47:45,800
When Justin said that the chip will be very easy to pull off, it's like a water bug on

909
00:47:45,800 --> 00:47:47,600
top of a surface of water.

910
00:47:47,600 --> 00:47:48,600
It's a really good analogy.

911
00:47:48,600 --> 00:47:53,160
The chip is basically magneted in place because there are copper contacts underneath it and

912
00:47:53,160 --> 00:47:57,860
there are copper contacts on the top of the chip and the balls of solder that are between

913
00:47:57,860 --> 00:48:03,280
it are surface tension to those pieces of copper and it's holding, like if you were

914
00:48:03,280 --> 00:48:08,880
to bump the chip, it would snap back basically because the solder is holding it in place.

915
00:48:08,880 --> 00:48:10,920
If it's doing that, that means it's ready to lift.

916
00:48:10,920 --> 00:48:13,760
So your goal is that you want all the solder to be liquid enough that you can basically

917
00:48:13,760 --> 00:48:16,520
bump the chip and see it wiggle and then just lift it.

918
00:48:16,520 --> 00:48:17,520
And it's very, I mean.

919
00:48:17,520 --> 00:48:19,220
There should be no force.

920
00:48:19,220 --> 00:48:20,440
You're not peeling.

921
00:48:20,440 --> 00:48:24,360
You're not, you're not sort of, you know, starting at one side and like sort of lifting

922
00:48:24,360 --> 00:48:25,360
it up a little bit.

923
00:48:25,360 --> 00:48:26,840
No, you're going to break the chip that way.

924
00:48:26,840 --> 00:48:27,840
Don't do that.

925
00:48:27,840 --> 00:48:32,800
It's really, you know, very lightly and, you know, maybe not even with the pointed tip

926
00:48:32,800 --> 00:48:36,600
of your tweezers because you don't want to like scratch it or like, you know, cause any

927
00:48:36,600 --> 00:48:37,600
damage to the chip.

928
00:48:37,600 --> 00:48:39,720
You're just kind of gently pushing against it.

929
00:48:39,720 --> 00:48:44,440
And if you, like Jill said, if you don't see that sort of movement, then it's not ready

930
00:48:44,440 --> 00:48:45,440
to pull.

931
00:48:45,440 --> 00:48:47,680
So yeah, there's a lot of really good videos.

932
00:48:47,680 --> 00:48:49,320
Well, actually there's not.

933
00:48:49,320 --> 00:48:50,680
There's a couple of really good videos.

934
00:48:50,680 --> 00:48:53,400
Yeah, I was going to say, I don't think so.

935
00:48:53,400 --> 00:48:54,840
Yeah, yeah.

936
00:48:54,840 --> 00:48:58,760
People find, I think a lot of these are more like for repair and they don't, they don't

937
00:48:58,760 --> 00:49:03,360
care so much about the integrity of the chip that they're pulling off.

938
00:49:03,360 --> 00:49:05,240
And that's fine.

939
00:49:05,240 --> 00:49:08,880
It's like a demonstration, but just keep that in mind with temperature, right?

940
00:49:08,880 --> 00:49:12,660
Like generally speaking, if you were to read the spec sheet for these chips, these chips

941
00:49:12,660 --> 00:49:17,760
are not designed to be in environments that are above probably like a hundred degrees

942
00:49:17,760 --> 00:49:21,520
Fahrenheit or like, you know, 30 degrees Celsius or something.

943
00:49:21,520 --> 00:49:25,360
Meanwhile we're heating them up to like 200, 400 degrees Celsius.

944
00:49:25,360 --> 00:49:30,560
So you know, part of that is that that's a direct temperature coming out of the gun,

945
00:49:30,560 --> 00:49:33,000
but that's not the temperature that's hitting the chip.

946
00:49:33,000 --> 00:49:36,400
And that's also why we want to move it around and we want to keep constant flow so that

947
00:49:36,400 --> 00:49:38,880
all that heat isn't targeted into one specific place.

948
00:49:38,880 --> 00:49:42,200
It's going to fry or melt stuff within the chip.

949
00:49:42,200 --> 00:49:44,860
So yeah, those tweezers, super useful.

950
00:49:44,860 --> 00:49:48,920
If you look at any videos online, you're going to see basically lots of flux, lots of moving

951
00:49:48,920 --> 00:49:49,920
the heat gun around.

952
00:49:49,920 --> 00:49:52,520
Eventually, you know, they'll tap it.

953
00:49:52,520 --> 00:49:56,600
They'll tap it with like some really fine point tweezers and they'll see that it moves.

954
00:49:56,600 --> 00:50:01,360
And then they just grab the edges of it and just lift it up.

955
00:50:01,360 --> 00:50:04,560
You know, microscopes, some people really like to do it under microscopes.

956
00:50:04,560 --> 00:50:06,600
Some people like to do it under like a magnifying glass.

957
00:50:06,600 --> 00:50:10,420
Some people like to just do with their eyeballs, depending on the size of the chip.

958
00:50:10,420 --> 00:50:12,640
You may or may not need to do that.

959
00:50:12,640 --> 00:50:17,520
You know, it's really, it's really up to you and your eyesight, I guess.

960
00:50:17,520 --> 00:50:19,560
But I do it without a microscope.

961
00:50:19,560 --> 00:50:23,200
The other thing is, for those of you watching on YouTube again, you can see over my shoulder

962
00:50:23,200 --> 00:50:29,840
this little device that Joel, you know, freaking influenced me into buying.

963
00:50:29,840 --> 00:50:30,840
It's called, what is it called?

964
00:50:30,840 --> 00:50:31,840
Is it called?

965
00:50:31,840 --> 00:50:32,840
Handy Hands.

966
00:50:32,840 --> 00:50:33,840
Handy Hands.

967
00:50:33,840 --> 00:50:34,840
That's it.

968
00:50:34,840 --> 00:50:35,840
Yeah.

969
00:50:35,840 --> 00:50:37,240
And it's got like these little sort of, for those of you listening, it's sort of like

970
00:50:37,240 --> 00:50:44,860
Doc Ock style, you know, flexible arms that kind of grip the actual board.

971
00:50:44,860 --> 00:50:50,400
And then they have sort of a magnifying glass light and they've got like a little clamp

972
00:50:50,400 --> 00:50:52,120
there that you can use to hold the board.

973
00:50:52,120 --> 00:50:57,280
And it's just got some nice things that make the whole process go smoother.

974
00:50:57,280 --> 00:51:00,080
And so I would recommend those that made it a lot easier for me.

975
00:51:00,080 --> 00:51:04,920
I know when I did, cause I didn't have that when Joel and I were doing my first pull,

976
00:51:04,920 --> 00:51:12,800
I was actually trying to heat up the chip on top of a heat sink to keep it flat.

977
00:51:12,800 --> 00:51:15,200
And Joel was like, dude, what are you doing?

978
00:51:15,200 --> 00:51:16,200
No, stop.

979
00:51:16,200 --> 00:51:20,240
And so, yeah, definitely, definitely a good recommend there.

980
00:51:20,240 --> 00:51:21,240
Yeah.

981
00:51:21,240 --> 00:51:23,320
And then any kind of Handy Hands is really good.

982
00:51:23,320 --> 00:51:24,320
Yeah.

983
00:51:24,320 --> 00:51:25,320
The really good product.

984
00:51:25,320 --> 00:51:26,800
I really like it.

985
00:51:26,800 --> 00:51:30,060
And then, so once you pull the chip off, you got to clean it and you got to clean it better

986
00:51:30,060 --> 00:51:31,840
than you think you got to clean it.

987
00:51:31,840 --> 00:51:34,480
Just coming from a beginner's perspective here, cause I was like, ah, you know, this

988
00:51:34,480 --> 00:51:35,480
is probably fine.

989
00:51:35,480 --> 00:51:40,280
Nah, you really want to take the time with isopropyl alcohol and a Q-tip and, you know,

990
00:51:40,280 --> 00:51:45,880
gently with some tweezers and, you know, you want to put, I think you, Joel, even use like

991
00:51:45,880 --> 00:51:53,160
the tip of a soldering iron and sort of drag some flux or some solder around on it, right?

992
00:51:53,160 --> 00:51:54,160
Yeah, yeah.

993
00:51:54,160 --> 00:51:55,520
So it's called reflowing.

994
00:51:55,520 --> 00:52:00,600
And basically you take like, you know, a larger than normal blob of solder and you can just

995
00:52:00,600 --> 00:52:02,320
heat it up and get it.

996
00:52:02,320 --> 00:52:09,440
So it's like stuck kind of, yeah, it's melted, but it's stuck to the end of your soldering

997
00:52:09,440 --> 00:52:10,760
iron tip.

998
00:52:10,760 --> 00:52:15,700
And then you just want to glide that ball of solder over the contacts, over the copper

999
00:52:15,700 --> 00:52:18,600
contacts on the bottom side of the chip after you removed it.

1000
00:52:18,600 --> 00:52:23,440
And that's going to one, pick up any extra solder that is on those pins.

1001
00:52:23,440 --> 00:52:29,500
And it's also going to put a thin layer of solder back on top of any ones that don't

1002
00:52:29,500 --> 00:52:30,600
have solder on them.

1003
00:52:30,600 --> 00:52:32,160
So it's going to basically like clean up.

1004
00:52:32,160 --> 00:52:35,240
It's going to uniformly, right, right, right.

1005
00:52:35,240 --> 00:52:39,120
And then you just, you know, lift it off and you should have your big blob of solder still

1006
00:52:39,120 --> 00:52:41,240
on your iron.

1007
00:52:41,240 --> 00:52:44,680
And that's going to help prevent any contacts from getting bridged, any of that kind of

1008
00:52:44,680 --> 00:52:45,680
stuff.

1009
00:52:45,680 --> 00:52:50,640
The flux, yeah, isopropyl alcohol, the higher percentage, the better 99%.

1010
00:52:50,640 --> 00:52:55,240
If you can get it, 91 is probably what you'll find at like a store or something.

1011
00:52:55,240 --> 00:52:59,720
But yeah, just a Q-tip or a cotton swab or anything like that.

1012
00:52:59,720 --> 00:53:03,400
You know, just be aware that it can leave like little fibers behind.

1013
00:53:03,400 --> 00:53:04,400
Yeah, I don't like that.

1014
00:53:04,400 --> 00:53:05,400
Yeah.

1015
00:53:05,400 --> 00:53:06,400
Yeah.

1016
00:53:06,400 --> 00:53:10,800
And you know, some Q-tips are less fibrous than others, I guess, less hairy than others.

1017
00:53:10,800 --> 00:53:15,760
So what I did when I was doing it was I actually pulled off a little bit of the hair, you know,

1018
00:53:15,760 --> 00:53:20,240
and kind of made it a little bit less hairy, you know, when I first started using the Q-tip.

1019
00:53:20,240 --> 00:53:23,360
And then, you know, that sort of got it to drop less fibers.

1020
00:53:23,360 --> 00:53:27,920
So, or maybe even you could like, you know, twist it in your hand and try to compact some

1021
00:53:27,920 --> 00:53:31,840
of that down so that it doesn't leave as many fibers on there because that is a pain to

1022
00:53:31,840 --> 00:53:32,840
get off afterwards.

1023
00:53:32,840 --> 00:53:36,520
I think maybe I used a microfiber cloth or something like that at one point to try to

1024
00:53:36,520 --> 00:53:37,520
get this off.

1025
00:53:37,520 --> 00:53:38,520
Yeah.

1026
00:53:38,520 --> 00:53:39,520
Yeah, something like that.

1027
00:53:39,520 --> 00:53:43,920
So yeah, reflowing it and using isopropyl to clean any excess flux.

1028
00:53:43,920 --> 00:53:47,160
Those are the two ways that I generally clean the bottom of a chip.

1029
00:53:47,160 --> 00:53:51,440
If you're having a read problem with a chip and it looks like visibly like there's no

1030
00:53:51,440 --> 00:53:56,320
defects in the chip, there's no physical damage, all the contacts look like they're intact,

1031
00:53:56,320 --> 00:54:00,000
it doesn't look like any of them have been ripped off or anything like that, clean it

1032
00:54:00,000 --> 00:54:01,000
again.

1033
00:54:01,000 --> 00:54:02,600
Just that's number one.

1034
00:54:02,600 --> 00:54:07,000
I just say clean it again because we had that happen both on my side and Justin's side where

1035
00:54:07,000 --> 00:54:11,400
a chip wasn't reading properly in the reader, took some more ISO, just cleaned it one more

1036
00:54:11,400 --> 00:54:12,400
time.

1037
00:54:12,400 --> 00:54:16,120
There must have been like a thin layer of flux or something that was, you know, interrupting

1038
00:54:16,120 --> 00:54:17,120
their...

1039
00:54:17,120 --> 00:54:18,120
Yeah, I don't know.

1040
00:54:18,120 --> 00:54:19,120
But yeah, that fixed it.

1041
00:54:19,120 --> 00:54:22,720
And that last one, that last pull that you did on the last exercise or the last thing

1042
00:54:22,720 --> 00:54:27,680
we were working on, like it was, I mean, he was holding it up to the, you know, to the

1043
00:54:27,680 --> 00:54:30,600
webcam and it looked like it just came out of the factory, man.

1044
00:54:30,600 --> 00:54:32,560
It was like clean as could be.

1045
00:54:32,560 --> 00:54:33,560
So that's the goal.

1046
00:54:33,560 --> 00:54:35,600
It was mint.

1047
00:54:35,600 --> 00:54:37,800
So that was really cool.

1048
00:54:37,800 --> 00:54:41,440
And then one of the other things I just wanted to mention, we're going back, you know, so,

1049
00:54:41,440 --> 00:54:43,360
well, actually we'll go back after.

1050
00:54:43,360 --> 00:54:44,360
Let's go ahead and finish this up.

1051
00:54:44,360 --> 00:54:50,000
So you clean it and then we're going to go ahead and put it in a EMMC chip reader.

1052
00:54:50,000 --> 00:54:53,000
There are quite a few different devices out there.

1053
00:54:53,000 --> 00:54:57,960
The only one I have experience using is not on my desk right now, but it's an all socket

1054
00:54:57,960 --> 00:55:00,720
EMMC reader, very easy to use.

1055
00:55:00,720 --> 00:55:07,040
It has a bunch of nice little plastic fittings you can use for different sizes of EMMCs.

1056
00:55:07,040 --> 00:55:10,480
It does not, we did run into an issue last time where it actually didn't have the right

1057
00:55:10,480 --> 00:55:18,080
plastic size to get it to read, which was kind of a pain, but we found another way to

1058
00:55:18,080 --> 00:55:19,080
do it.

1059
00:55:19,080 --> 00:55:20,080
So that was good.

1060
00:55:20,080 --> 00:55:21,200
But yeah, so that's one option.

1061
00:55:21,200 --> 00:55:24,720
And then I know people also use something called a T56.

1062
00:55:24,720 --> 00:55:25,720
Yeah.

1063
00:55:25,720 --> 00:55:29,440
Let me pull it up, universal programmer.

1064
00:55:29,440 --> 00:55:30,800
And I've had some success with that.

1065
00:55:30,800 --> 00:55:32,960
So, yeah, so I have both of these.

1066
00:55:32,960 --> 00:55:38,280
The BGA, so the all socket BGA EMMC reader, super, super useful.

1067
00:55:38,280 --> 00:55:43,760
Like you mentioned, it basically has different base plates that will hold it over the right

1068
00:55:43,760 --> 00:55:48,100
pin, like the pin readers within the socket adapter.

1069
00:55:48,100 --> 00:55:52,720
The thing to note about that is one, it's quite expensive for like, it's a very targeted

1070
00:55:52,720 --> 00:55:53,720
tool.

1071
00:55:53,720 --> 00:56:01,520
It's designed for, I think it's BGA 159 or something, 186 or, I mean, let me pull it

1072
00:56:01,520 --> 00:56:02,520
up real quick.

1073
00:56:02,520 --> 00:56:03,520
Yeah.

1074
00:56:03,520 --> 00:56:08,120
And when he says it's very expensive, I mean, it's in the hundreds range, not in the thousands

1075
00:56:08,120 --> 00:56:10,320
range because I'll just throw it out there.

1076
00:56:10,320 --> 00:56:15,520
It was $87, but it's just this adapter, right?

1077
00:56:15,520 --> 00:56:18,480
$87 plus $8 of shipping.

1078
00:56:18,480 --> 00:56:26,440
And it's designed for EMMC, FPGA 153 and 169.

1079
00:56:26,440 --> 00:56:27,440
Okay.

1080
00:56:27,440 --> 00:56:32,840
So specifically that's like, those are two different form factors of chip.

1081
00:56:32,840 --> 00:56:36,080
It might refer to like the number of, no, it doesn't.

1082
00:56:36,080 --> 00:56:38,240
It can't be the number of solder.

1083
00:56:38,240 --> 00:56:40,540
It's a specific form factor of chip basically.

1084
00:56:40,540 --> 00:56:43,240
And you'll see like, if you're reading the data sheet, that there will be different form

1085
00:56:43,240 --> 00:56:44,840
factors for different chips.

1086
00:56:44,840 --> 00:56:49,720
A lot of them will fall into the same categories, but as just mentioned, for example, we pulled

1087
00:56:49,720 --> 00:56:57,960
a BGA chip that was, I think it was a BGA 153, but it wasn't the right size dimensions.

1088
00:56:57,960 --> 00:57:01,000
It didn't have the faceplate to hold it in the adapter.

1089
00:57:01,000 --> 00:57:03,160
So we couldn't read it very easily.

1090
00:57:03,160 --> 00:57:08,360
And I had even tried like 3D printing an adapter to fit it in there and it didn't really work

1091
00:57:08,360 --> 00:57:09,360
that well.

1092
00:57:09,360 --> 00:57:10,360
Yeah.

1093
00:57:10,360 --> 00:57:11,360
Yeah.

1094
00:57:11,360 --> 00:57:12,360
That was a little bit of a bummer.

1095
00:57:12,360 --> 00:57:17,240
But definitely, if you're going to buy specialized equipment for a specific thing, I think these

1096
00:57:17,240 --> 00:57:22,560
all socket EMMC readers will cover the large majority of the ones, but you got to know

1097
00:57:22,560 --> 00:57:26,240
you may run into a situation and you may want to measure the size of the chip beforehand

1098
00:57:26,240 --> 00:57:29,720
in millimeters and make sure it supports that form factor.

1099
00:57:29,720 --> 00:57:35,900
I do want to say, I said it just a second ago, but Joel said they're expensive.

1100
00:57:35,900 --> 00:57:40,340
There are some things on Amazon that are selling these things for like two and a half grand.

1101
00:57:40,340 --> 00:57:42,580
That is not what we're asking you to buy.

1102
00:57:42,580 --> 00:57:44,680
Do not buy that.

1103
00:57:44,680 --> 00:57:46,360
They're cheaper options.

1104
00:57:46,360 --> 00:57:49,600
I think it was like, yeah, $100 or $700.

1105
00:57:49,600 --> 00:57:52,840
So we'll link some of those down in the description.

1106
00:57:52,840 --> 00:57:54,960
You can find them on some of them, you can find on Amazon.

1107
00:57:54,960 --> 00:57:57,920
Some of them you can find on some of the other websites.

1108
00:57:57,920 --> 00:58:01,720
So definitely don't go and spend like two and a half grand for one of these things because

1109
00:58:01,720 --> 00:58:02,720
it's ridiculous.

1110
00:58:02,720 --> 00:58:03,720
Yeah.

1111
00:58:03,720 --> 00:58:04,720
Yeah.

1112
00:58:04,720 --> 00:58:06,200
For the T56, that's really good for like...

1113
00:58:06,200 --> 00:58:07,200
Yeah, tell me about that.

1114
00:58:07,200 --> 00:58:08,200
Yeah.

1115
00:58:08,200 --> 00:58:09,840
So that's good for like NAND flashes and stuff.

1116
00:58:09,840 --> 00:58:11,880
It has different use cases.

1117
00:58:11,880 --> 00:58:12,880
Generally when I use that...

1118
00:58:12,880 --> 00:58:14,880
What is a NAND flash?

1119
00:58:14,880 --> 00:58:19,920
Well, a NAND is just like a basic part of a chip.

1120
00:58:19,920 --> 00:58:26,440
It's like an electronic structure, but a NAND flash, it's just a different type of flash.

1121
00:58:26,440 --> 00:58:27,440
Okay, gotcha.

1122
00:58:27,440 --> 00:58:33,860
As opposed to an EMMC or a NAND flash, they're different types of flashes, NOR flashes.

1123
00:58:33,860 --> 00:58:38,020
But you can buy these large sets of adapters.

1124
00:58:38,020 --> 00:58:44,680
So I have a huge box that's full of just like every type of T-SOP, like T-SOP 48, T-SOP

1125
00:58:44,680 --> 00:58:51,600
56, like every single T-SOP or SOP adapter that you can think of.

1126
00:58:51,600 --> 00:58:56,000
And then on the bottom, it has these little pins that they're just pin headers.

1127
00:58:56,000 --> 00:58:59,880
And essentially you clamp it in this T56 and then you plug it into your computer and you

1128
00:58:59,880 --> 00:59:02,260
can read it.

1129
00:59:02,260 --> 00:59:05,480
And it's just, it's a different way of mounting it.

1130
00:59:05,480 --> 00:59:10,120
Basically the all socket one I'm using for BGA stuff.

1131
00:59:10,120 --> 00:59:13,600
I suppose you probably could do BGA stuff this way with the T56.

1132
00:59:13,600 --> 00:59:16,000
Yeah, it says, if you...

1133
00:59:16,000 --> 00:59:18,480
Here, I'll send it to you right now on Discord.

1134
00:59:18,480 --> 00:59:28,720
If you look at the third item down, it says supports BGA 45, 63, 64, 153, 162, 169, 221.

1135
00:59:28,720 --> 00:59:34,080
So I think it definitely has a wide range of BGA that it's compatible with.

1136
00:59:34,080 --> 00:59:35,080
Yeah.

1137
00:59:35,080 --> 00:59:36,080
Yeah.

1138
00:59:36,080 --> 00:59:39,960
So I think the main thing is you just have to get the right adapters for it.

1139
00:59:39,960 --> 00:59:43,960
I'm honestly not sure how this thing works.

1140
00:59:43,960 --> 00:59:49,760
Every time I've ever used it, I just plug it in and it either has the chip in the software

1141
00:59:49,760 --> 00:59:50,760
or it doesn't.

1142
00:59:50,760 --> 00:59:53,200
And it just like, yeah, I don't know.

1143
00:59:53,200 --> 00:59:56,040
It's kind of weird, but it's pretty useful.

1144
00:59:56,040 --> 00:59:57,040
Yeah.

1145
00:59:57,040 --> 01:00:01,840
So this could be a good one to check out and add to your arsenal as well.

1146
01:00:01,840 --> 01:00:06,520
I think probably altogether, I spent maybe five or $600 on sort of like a beginner's

1147
01:00:06,520 --> 01:00:10,920
setup for all of this stuff when I was first starting out.

1148
01:00:10,920 --> 01:00:15,360
So definitely it's not cheap to get into it, but also now I've got the tools that I'll

1149
01:00:15,360 --> 01:00:17,880
use in the future as well.

1150
01:00:17,880 --> 01:00:20,440
So that's pretty helpful.

1151
01:00:20,440 --> 01:00:21,440
Yeah.

1152
01:00:21,440 --> 01:00:22,440
Yeah.

1153
01:00:22,440 --> 01:00:24,880
Hardware hacking is one of those things where you could easily spend a couple thousand dollars

1154
01:00:24,880 --> 01:00:31,080
on tools and still not have the right thing that you need.

1155
01:00:31,080 --> 01:00:36,040
So I would just say do a lot of research before you buy stuff, especially specifically for

1156
01:00:36,040 --> 01:00:37,040
your use case.

1157
01:00:37,040 --> 01:00:40,160
So like what specific chip do you want to use this tool for?

1158
01:00:40,160 --> 01:00:42,080
Is it going to work for that chip?

1159
01:00:42,080 --> 01:00:47,000
And don't be surprised if it doesn't work for other chips.

1160
01:00:47,000 --> 01:00:49,180
That's kind of just the way it is.

1161
01:00:49,180 --> 01:00:54,160
If you can find some of those more generic tools, sometimes they're more expensive and

1162
01:00:54,160 --> 01:00:58,960
they'll require some more like effort on your side in terms of like programming or like

1163
01:00:58,960 --> 01:01:02,760
maybe you'll have to write something custom to interface with it, but those tools will

1164
01:01:02,760 --> 01:01:04,680
let you interface with almost anything.

1165
01:01:04,680 --> 01:01:05,680
Nice.

1166
01:01:05,680 --> 01:01:06,680
Yeah, that's awesome.

1167
01:01:06,680 --> 01:01:11,240
I definitely value that flexibility a little bit because it's nothing worse than like you

1168
01:01:11,240 --> 01:01:14,600
sit down on a weekend and you're ready to go and you're like, all right, I'm just going

1169
01:01:14,600 --> 01:01:18,160
to hack this and you get like an hour in and you're like, I don't actually have the thing

1170
01:01:18,160 --> 01:01:19,160
that I need.

1171
01:01:19,160 --> 01:01:20,160
Yes.

1172
01:01:20,160 --> 01:01:21,160
That's a pain.

1173
01:01:21,160 --> 01:01:22,160
All right.

1174
01:01:22,160 --> 01:01:25,280
So you cleaned it, you put it in your reader.

1175
01:01:25,280 --> 01:01:28,480
Like Joe mentioned in the beginning, there's a little dot at the corner of a lot of the

1176
01:01:28,480 --> 01:01:33,080
EMMC chips that show you where the number one pin is and you'll want to align that with

1177
01:01:33,080 --> 01:01:39,840
the arrow on your all socket EMMC reader if you're using that and sort of clamp it down,

1178
01:01:39,840 --> 01:01:45,160
slide it right into a SD card slot either on your computer.

1179
01:01:45,160 --> 01:01:52,160
Ideally your computer has a EMMC reader built in at a sort of internal chip level rather

1180
01:01:52,160 --> 01:01:56,440
than using like a USB thing, but the USB things will work as well unless you're trying to

1181
01:01:56,440 --> 01:02:03,760
access some specific features that only a EMMC reader can access rather than an SD card

1182
01:02:03,760 --> 01:02:07,840
reader because they are sort of cross compatible, but EMMC has some features that SD can't handle,

1183
01:02:07,840 --> 01:02:08,840
I think.

1184
01:02:08,840 --> 01:02:09,840
Right.

1185
01:02:09,840 --> 01:02:10,840
Yeah.

1186
01:02:10,840 --> 01:02:13,000
So like the RPMB stuff that we talked about, like that is one of those specific things where

1187
01:02:13,000 --> 01:02:18,240
you need an EMMC controller that is in like on your device in order to interface with

1188
01:02:18,240 --> 01:02:19,240
something like that.

1189
01:02:19,240 --> 01:02:24,600
They sell PCIe ones that are like proper EMMC controllers, but most of the time you're going

1190
01:02:24,600 --> 01:02:30,840
to find it needs to be like an onboard full size SD reader on your computer on like a

1191
01:02:30,840 --> 01:02:32,160
laptop or something.

1192
01:02:32,160 --> 01:02:35,280
And even then a lot of the times it won't.

1193
01:02:35,280 --> 01:02:42,240
If you use like a USB reader, USB like SD readers, they are basically just storage interfaces

1194
01:02:42,240 --> 01:02:43,360
for EMMC.

1195
01:02:43,360 --> 01:02:49,880
So they have an EMMC controller on the, you know, in the USB adapter or whatever.

1196
01:02:49,880 --> 01:02:53,420
But when you plug that in, all it's doing is exposing those storage interfaces.

1197
01:02:53,420 --> 01:02:55,840
So it's going to be all the storage partitions, but you're not going to have access to the

1198
01:02:55,840 --> 01:03:01,520
raw EMMC like RPMB and any of those other like special EMMC type things, unless you

1199
01:03:01,520 --> 01:03:03,640
have an onboard EMMC controller.

1200
01:03:03,640 --> 01:03:07,480
So if all you need to do is read data partitions, totally fine.

1201
01:03:07,480 --> 01:03:08,480
If you need to read RPMB.

1202
01:03:08,480 --> 01:03:10,480
Which is what you need to do normally.

1203
01:03:10,480 --> 01:03:11,480
Yes.

1204
01:03:11,480 --> 01:03:13,200
Normally speaking, like 99% of cases you'll probably be fine.

1205
01:03:13,200 --> 01:03:16,320
But if you want to try and get at RPMB or any of that kind of stuff, you're going to

1206
01:03:16,320 --> 01:03:18,840
need an onboard EMMC controller.

1207
01:03:18,840 --> 01:03:19,840
Yeah.

1208
01:03:19,840 --> 01:03:20,840
Yeah.

1209
01:03:20,840 --> 01:03:22,360
So now you've got it hooked up.

1210
01:03:22,360 --> 01:03:25,200
You're seeing the partitions pop in.

1211
01:03:25,200 --> 01:03:30,640
What we did last time is we just used the DD command in Linux to just pull a raw, you

1212
01:03:30,640 --> 01:03:36,160
know, device level image of that device into an image file.

1213
01:03:36,160 --> 01:03:38,360
And then we ended up using, was it 7-zip?

1214
01:03:38,360 --> 01:03:39,360
7-zip.

1215
01:03:39,360 --> 01:03:40,360
Yeah.

1216
01:03:40,360 --> 01:03:44,640
7-zip to go ahead and break that out into the individual partitions.

1217
01:03:44,640 --> 01:03:46,760
And then, you know, you'll see various files created.

1218
01:03:46,760 --> 01:03:52,560
And if you run file on them, you'll see like, you know, there's an ext4.

1219
01:03:52,560 --> 01:03:53,560
Ext4, yeah.

1220
01:03:53,560 --> 01:03:55,200
Or like a fat partition or whatever.

1221
01:03:55,200 --> 01:03:58,360
You know, there's going to be a bunch of different partitions because that's always what they

1222
01:03:58,360 --> 01:04:00,200
have in a bunch of these IoT devices.

1223
01:04:00,200 --> 01:04:05,200
But you know, identifying all of those various partitions is really fun.

1224
01:04:05,200 --> 01:04:10,120
And this kind of pivots into the last section that I wanted to cover, which is like, Joel,

1225
01:04:10,120 --> 01:04:12,360
what kind of like, preventions have you seen from this?

1226
01:04:12,360 --> 01:04:16,960
Because the only one that kind of comes to my head was like, man, we would have been

1227
01:04:16,960 --> 01:04:22,720
in trouble if they stuck all of the source code or like the file system for that device

1228
01:04:22,720 --> 01:04:28,920
inside of that lux encrypted partition that we saw for some of the more sensitive data.

1229
01:04:28,920 --> 01:04:35,960
And then, you know, stored the key for that lux encrypted partition in a secure on give

1230
01:04:35,960 --> 01:04:39,760
and at like a hardware level at the CPU or something like that.

1231
01:04:39,760 --> 01:04:43,760
That would have been a royal pain in the butt to get access to.

1232
01:04:43,760 --> 01:04:45,520
So I mean, there's that option.

1233
01:04:45,520 --> 01:04:49,320
I imagine that would sort of delay startup quite a bit because every time you wanted

1234
01:04:49,320 --> 01:04:55,520
to use the device, you'd have to decrypt everything on the partition and then also copy that into

1235
01:04:55,520 --> 01:04:58,220
an actual functioning partition.

1236
01:04:58,220 --> 01:05:00,160
So that might affect the boot speed a little bit.

1237
01:05:00,160 --> 01:05:04,160
But what other kind of hardware level preventions have you seen that might, you know, foil a

1238
01:05:04,160 --> 01:05:05,160
hacker?

1239
01:05:05,160 --> 01:05:06,160
Yeah.

1240
01:05:06,160 --> 01:05:10,320
I think I mentioned like that kind of stuff, that's going to be like 99% of the time is

1241
01:05:10,320 --> 01:05:12,760
going to stop like a lot of what you're trying to do.

1242
01:05:12,760 --> 01:05:16,220
You're going to have to find some other attacks near if you want like a shell or something

1243
01:05:16,220 --> 01:05:20,880
like that to figure out like what it's doing, you're going to need to like glitch it or

1244
01:05:20,880 --> 01:05:24,360
maybe you'll have to read the MMC while it's running or something like that.

1245
01:05:24,360 --> 01:05:25,360
Right.

1246
01:05:25,360 --> 01:05:29,860
Like this is one of those cases where that might actually be the right scenario.

1247
01:05:29,860 --> 01:05:37,080
But yeah, an encrypted partition would stop like pretty much all the stuff that we were

1248
01:05:37,080 --> 01:05:39,180
doing there.

1249
01:05:39,180 --> 01:05:43,720
Another thing that you see commonly, and this isn't for storage so much as it is for like

1250
01:05:43,720 --> 01:05:48,960
debugging stuff, but there's typically, there'll be like a fuse either within a chip or on

1251
01:05:48,960 --> 01:05:49,960
the board.

1252
01:05:49,960 --> 01:05:55,480
And it's typically called like a JTAG fuse or a UART or a debug fuse or something.

1253
01:05:55,480 --> 01:06:00,600
And they'll basically pop the fuse by like putting enough power to it and then it can

1254
01:06:00,600 --> 01:06:01,800
never be reverted.

1255
01:06:01,800 --> 01:06:08,600
So it has a physical break in the communication between like your test pins and the JTAG interface

1256
01:06:08,600 --> 01:06:09,800
on the chip.

1257
01:06:09,800 --> 01:06:15,800
And you can't get around that unless you like, I don't know, do some like really crazy like

1258
01:06:15,800 --> 01:06:18,800
pulling the chip apart.

1259
01:06:18,800 --> 01:06:19,800
Like I don't know.

1260
01:06:19,800 --> 01:06:21,960
You're going to have to like cut into the chip and like get access to it.

1261
01:06:21,960 --> 01:06:22,960
Which I've seen by the way.

1262
01:06:22,960 --> 01:06:23,960
That's crazy.

1263
01:06:23,960 --> 01:06:24,960
Yeah.

1264
01:06:24,960 --> 01:06:25,960
That's really gnarly.

1265
01:06:25,960 --> 01:06:31,680
That's interesting though that that's a counter measure that people might take, you know,

1266
01:06:31,680 --> 01:06:36,200
just kind of putting a fuse in there and blowing it, you know, severs the connection for that

1267
01:06:36,200 --> 01:06:37,200
sort of thing.

1268
01:06:37,200 --> 01:06:38,200
That's a good idea.

1269
01:06:38,200 --> 01:06:39,200
Yeah.

1270
01:06:39,200 --> 01:06:41,280
I've seen, there's a couple of really interesting Twitter threads out there.

1271
01:06:41,280 --> 01:06:45,320
I'm trying to remember who created them, but every once in a while you'll see like some

1272
01:06:45,320 --> 01:06:49,760
crazy hardware hacker just like put a video of what they're working on, like on Twitter.

1273
01:06:49,760 --> 01:06:55,260
And this one time there was this guy, he was using a razor blade to scratch away the surface

1274
01:06:55,260 --> 01:06:59,160
of a chip while it was on the board to expose the contacts underneath.

1275
01:06:59,160 --> 01:07:03,520
And then he took like, you know, probably, I don't know, speaker, speaker wire.

1276
01:07:03,520 --> 01:07:04,520
I don't even know.

1277
01:07:04,520 --> 01:07:11,160
Like, you know, like maybe like a coil wire or something like really, really fine wire,

1278
01:07:11,160 --> 01:07:14,440
like wire, wire gauge wire.

1279
01:07:14,440 --> 01:07:18,680
And then like, I think he soldered it down so it wouldn't move.

1280
01:07:18,680 --> 01:07:23,240
And then he soldered the like tip of it to like the contact on the chip.

1281
01:07:23,240 --> 01:07:25,120
Dude, it was so crazy.

1282
01:07:25,120 --> 01:07:26,120
I got to, I'll find it.

1283
01:07:26,120 --> 01:07:27,120
We'll put it in the show notes.

1284
01:07:27,120 --> 01:07:28,560
Yeah, no, definitely find that.

1285
01:07:28,560 --> 01:07:29,560
I want to see that.

1286
01:07:29,560 --> 01:07:36,480
And I know I watched a talk at Defcon by Leonard, I think is the guy that did it.

1287
01:07:36,480 --> 01:07:39,440
Hardware hacking guy, you know, just glitching.

1288
01:07:39,440 --> 01:07:44,920
I think it was some SpaceX or stuff or some whatever their, their wifi thing is that's

1289
01:07:44,920 --> 01:07:47,000
everywhere.

1290
01:07:47,000 --> 01:07:48,000
Just absolutely amazing.

1291
01:07:48,000 --> 01:07:52,600
There's so much to learn about in this space, which really excites me as a, as a more veteran

1292
01:07:52,600 --> 01:07:57,280
hacker in the, in the web and, and mobile space a little bit now.

1293
01:07:57,280 --> 01:08:02,240
You know, having another realm to dive deep into is really, is really cool.

1294
01:08:02,240 --> 01:08:05,880
So I'm excited to continue learning about that sort of thing and be able to do some,

1295
01:08:05,880 --> 01:08:12,360
some glitching and, and some, some of the stuff that I haven't tackled next time around.

1296
01:08:12,360 --> 01:08:13,640
Yeah, for sure.

1297
01:08:13,640 --> 01:08:18,320
I mean, there's this space is like, I feel like I've just barely scratched the surface

1298
01:08:18,320 --> 01:08:23,520
in terms of knowledge and understanding and, and what's possible and all that kind of stuff.

1299
01:08:23,520 --> 01:08:27,560
And I feel like I'm just, just like, I'm doing like, you know, a baby's first hardware hacking

1300
01:08:27,560 --> 01:08:28,560
right now.

1301
01:08:28,560 --> 01:08:31,600
So like there's so much, so much I, I don't know.

1302
01:08:31,600 --> 01:08:34,440
And there's so much I haven't explored that that seems so cool.

1303
01:08:34,440 --> 01:08:38,280
Well, it's very different too, you know, and if you talk to some of these lower level guys,

1304
01:08:38,280 --> 01:08:42,480
they, they don't have any, you know, experience doing web stuff.

1305
01:08:42,480 --> 01:08:47,200
And so it's just different realms and different sections of places where people are focusing.

1306
01:08:47,200 --> 01:08:49,680
And so it's cool to get some sort of cross experience.

1307
01:08:49,680 --> 01:08:54,920
It makes you really feel like a more well-rounded or developed hacker, I think.

1308
01:08:54,920 --> 01:08:58,480
I did want to add a disclosure at the end here.

1309
01:08:58,480 --> 01:09:01,360
This does not constitute a vulnerability.

1310
01:09:01,360 --> 01:09:08,040
So being able to pull the operating system off of a chip, I personally don't believe

1311
01:09:08,040 --> 01:09:10,080
constitutes a vulnerability.

1312
01:09:10,080 --> 01:09:11,880
I've seen some hackers report that.

1313
01:09:11,880 --> 01:09:15,280
I'm not sure whether they got paid or not.

1314
01:09:15,280 --> 01:09:18,760
But you know, there's not a really great countermeasure to it.

1315
01:09:18,760 --> 01:09:23,680
And, and so it's just kind of a part of hardware hacking and more like finding JavaScript files

1316
01:09:23,680 --> 01:09:32,120
in, in, in web stuff or more like decompiling an APK and grabbing at the Java source code,

1317
01:09:32,120 --> 01:09:34,240
you know, in mobile.

1318
01:09:34,240 --> 01:09:40,400
So definitely, definitely don't go and like, once you get your chip and you pull the data

1319
01:09:40,400 --> 01:09:44,440
off of it, don't go report it like critical, you know, source code disclosure, because

1320
01:09:44,440 --> 01:09:48,640
I believe most of the time that is something that is not going to get accepted by the program.

1321
01:09:48,640 --> 01:09:49,640
So there's your disclaimer.

1322
01:09:49,640 --> 01:09:50,640
Yes.

1323
01:09:50,640 --> 01:09:51,640
Yeah, for sure.

1324
01:09:51,640 --> 01:09:52,640
And I agree.

1325
01:09:52,640 --> 01:09:57,240
I've actually, I've seen people report this exact thing as, as a bug.

1326
01:09:57,240 --> 01:10:02,840
And it's personally, it's not something that I would report either, but I do see that there

1327
01:10:02,840 --> 01:10:04,680
is a security risk to it.

1328
01:10:04,680 --> 01:10:10,800
I think I would probably just like, it's a really hard attack scenario to like justify

1329
01:10:10,800 --> 01:10:15,380
is like, you know, to say like, oh, it's a higher crit or something.

1330
01:10:15,380 --> 01:10:19,240
That's a really hard thing to justify, depending on what it is, depending on what it is.

1331
01:10:19,240 --> 01:10:23,180
There are certainly hardware devices, like cell phones that are in like so many people's

1332
01:10:23,180 --> 01:10:26,020
hands and pockets that that might be a justifiable attack scenario.

1333
01:10:26,020 --> 01:10:31,280
But I think just in and of itself, having a decrypted partition, maybe not enough.

1334
01:10:31,280 --> 01:10:32,280
Yeah, totally agree.

1335
01:10:32,280 --> 01:10:33,280
Yeah.

1336
01:10:33,280 --> 01:10:34,280
All right, man.

1337
01:10:34,280 --> 01:10:35,280
So that's all on the notes for this episode.

1338
01:10:35,280 --> 01:10:38,160
You got anything else or are we going to wrap it up here?

1339
01:10:38,160 --> 01:10:39,160
Nope.

1340
01:10:39,160 --> 01:10:40,160
That's it.

1341
01:10:40,160 --> 01:10:41,160
I did find those links.

1342
01:10:41,160 --> 01:10:42,160
So we'll put them in the show notes.

1343
01:10:42,160 --> 01:10:43,160
Be sure to check out those links.

1344
01:10:43,160 --> 01:10:47,160
One is from Gtorix and one is from Hacking Things, both on Twitter.

1345
01:10:47,160 --> 01:10:48,880
I'm going to go, I'm going to go look those up right now.

1346
01:10:48,880 --> 01:10:55,240
I will say as we're heading out, so many of you went over to the website after last episode,

1347
01:10:55,240 --> 01:10:58,880
criticalthinkingpodcast.io and dropped your email in the newsletter.

1348
01:10:58,880 --> 01:10:59,880
Super appreciate that.

1349
01:10:59,880 --> 01:11:02,240
I would love if you continue to do that.

1350
01:11:02,240 --> 01:11:07,360
And also, please remember, NahantCon, that ends, let me pull up the dates really quickly.

1351
01:11:07,360 --> 01:11:10,360
I want to say it's June 15th to 17th.

1352
01:11:10,360 --> 01:11:13,800
Yeah, June 15th to 17th.

1353
01:11:13,800 --> 01:11:16,920
The Saturday is when I'll be speaking at the 1220 slot.

1354
01:11:16,920 --> 01:11:18,360
You won't want to miss out on that.

1355
01:11:18,360 --> 01:11:20,800
Lots of great, talented Bug Bounty Hunters there.

1356
01:11:20,800 --> 01:11:22,520
They're dropping some amazing presentations.

1357
01:11:22,520 --> 01:11:24,520
So we'll see you there.

1358
01:11:24,520 --> 01:11:25,520
Yes.

1359
01:11:25,520 --> 01:11:28,280
So remember, it starts one week from the drop of this episode.

1360
01:11:28,280 --> 01:11:32,120
So be sure to tune in if you want to hear a little bit more Justin.

1361
01:11:32,120 --> 01:11:34,480
And some other awesome John Hammond's going to be there.

1362
01:11:34,480 --> 01:11:36,720
So yeah, super, super awesome security conference.

1363
01:11:36,720 --> 01:11:37,720
Go check it out.

1364
01:11:37,720 --> 01:11:38,720
For sure.

1365
01:11:38,720 --> 01:11:39,720
All right.

1366
01:11:39,720 --> 01:11:40,720
Catch you all next week.

1367
01:11:40,720 --> 01:11:41,720
Peace.

1368
01:11:41,720 --> 01:11:42,720
All right.

1369
01:11:42,720 --> 01:12:04,680
No issues.