[00:00:00] Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/690 Thanks!

[00:00:15] So now we come to our next talk. It's about the Amazon Dash button. Who of you knows what an Amazon Dash button is? OK, kind of everybody. Who has an Amazon Dash button? Who has used it to buy something? Like... So for everybody who has never seen an Amazon Dash button, you now get a chance, I brought one. It looks like this. It's a small, tiny thing. You can click on it, you can order stuff, and you can order great stuff. Like... things which make sense, like dog food, shampoo, stuff like that, things you need regularly, but also fun things like Play-Doh. You know, the stuff for kids. I have no idea who regularly needs to buy Play-Doh, so I mean, where does it go? Is it like the child eats it all up so you need a new one? So this is something we perhaps won't learn in this talk.
[00:01:32] So why we need this. But we will learn how you can hack it to use it for a different purpose. Some of you might say, OK, I have heard already about something like that. Yes, because for the first version which was shipped out there, such an analysis was already done. But there's a new version. And like it often is with the Internet of Things stuff, they try to make it more secure. I mean, that's what the S stands for. And I was... So what we'll hear about: it's about the hardware, the software, and also how the communication with the server looks like. And the one who gives us a talk about this, he's somebody hacking hardware since quite a time. So let's give him a warm round of applause and let's learn.

[00:02:40] Thanks, nice to see you. Let's have a closer look at the Amazon Dash button now. The Dash button is basically a Wi-Fi connected button.
[00:02:50] Yeah, it's been around in the United States since about 2014, I think. And in Germany, it's available since August of this year, of course. There are two hardware revisions. And in this talk, I'll only cover revision two, because that is the current revision. I don't think you can still get the older version. The older version is also quite hacked already. Yeah, this button can be used to order or reorder certain consumables like pet food or washing supplies and such stuff. It's only available for certain brands and products and you cannot configure it freely. It costs five euros and you get a refund on your first button-triggered order. There's also a customizable version available, at least in the United States, for twenty dollars. And you still cannot load your own code on this button, but you can use the Amazon Web Services to get the button presses.
[00:03:58] Yeah. So what's interesting about this thing? Well, it has Wi-Fi and it must be some sort of a computer, so it's a sort of Internet of Shit device, though it might be more useful than certain other products. One question, of course, is how does it work? We just want to know. Then what about security? If we put this thing on our network, is this a security risk, and can it be abused for cyber dust and so on? Another important aspect for the hardware hackers is whether we can program it for our custom Internet of Things projects. It's more powerful than the common ESP8266 and the price is comparable. The next point is, of course, if we cannot run code on it, we don't really own it, so we want to run our own code on this. There is some prior research that has already been done for the old button. You can get those links from the Fahrplan.
[00:05:06] And I will refer to these two links later during the talk. Yeah. So this has been done already, broken up. And the easy way of repurposing the Dash button is to use the smartphone app and configure the Dash just normally, but you close the app once you get to choosing a product. Then this prevents the Dash from ordering anything. The product selection is stored server side while the Wi-Fi configuration is stored in the button. So the button still contacts the server and says, I want to order something, whatever there is configured. The server says, no, there's nothing configured, and the button blinks red and that's it. So you don't get stuff. And of course it does a lot of things to get online. It connects to your Wi-Fi.
[00:06:05] It does then a DHCP request, DNS lookup and so on, so you can monitor all these things to find out when the button is activated, and monitoring the DHCP log file, of course, is the most easy way, I guess. Who's doing this already? OK, a few, about three people. Yeah, we'll go a lot further than this in this talk. First, we'll have a look at the hardware. So what's in this Dash button? The communication protocols and the crypto, the firmware. The revision of this firmware was still the most recent on the 25th, I checked it last. And we will run some custom code on the button without desoldering anything. I didn't analyze the Amazon smartphone apps because this is way too high level for me. Yeah.

[00:07:07] Regarding the hardware and the housing: sealed plastic, so you cannot unscrew it, you have to somehow break it open or cut it open.
[00:07:18] My first attempt was with a knife, cutting along the seal, but that didn't work so well. I removed some SMD components in this process. And my latest attempt, and this was successful, was using a cutting wheel from the top, because I already knew where the stuff is, where I want to get. You can see the points here. So this was the microcontroller, so I simply cut it open. There's some space between the plastic package and the PCB. The PCB has four layers and a lot of SMD 0201 parts. You can see those here. So this is all very tiny. And you can see that here. You can see the parts of the microcontroller here. You cannot, because there's some black stuff poured over it. I don't know why exactly they are doing this, but you can remove it carefully and it can be softened a bit with acetone. That makes things easier.
[00:08:28] Yeah. The microcontroller is actually quite powerful. It's a Cortex-M4 with a floating point unit on it, and it runs at, or it can be clocked at, 120 megahertz, with half a megabyte of flash and 160 kilobytes of RAM. The downside is the package of this chip. So you cannot easily solder the additional stuff there, and the black stuff. Yeah. Then there's the Wi-Fi NIC, this is this chip here, and it's 2.4 gigahertz and that's up to 72 megabit. That's a one two of course. And it has an IP stack. So it works a bit like you do with sockets in Unix. This Wi-Fi chip basically handles all the IP stuff and you simply open the socket from the controller and then you can communicate just via the socket. It does have built-in SSL support and plenty of stuff. Yeah. Of course there needs to be a voltage regulator because there's a single triple-A battery with 1.5 volts or less in the button. And it needs to be boosted to 3.3 volts. So this is done with a voltage regulator. This is actually a quite powerful regulator. They could have used a cheaper one. Anyway, there's also Bluetooth Low Energy. And you can see this here. This is the Bluetooth Low Energy. I'm not sure if they are using this already. They might do with the iOS app. But I haven't analyzed this. There's a 4 megabyte SPI flash. This is this here. And a microphone. This is here. You can see the package removed, this happened accidentally. Then there's an LED, can be seen here, but it's three LEDs actually: red, green and blue.
[00:10:38] And the thing is clocked from a 32 kilohertz oscillator. This is this thing here, and it generates a higher frequency internally using PLLs. So there are also some discrete semiconductors here. They use them for the powering stuff. Yeah. If we put it all together, it looks more or less like this. This is a bit simpler than the reality. But yeah, we have the Bluetooth connected to a UART, the Wi-Fi is connected to an SPI bus, and the SPI flash is also connected to another SPI bus. But the interesting thing here is that there's an additional UART that's used for debugging. Yeah. The voltage regulator gets started by the button press. And one interesting thing is there is no other wake-up source, no real-time clock or something like that. That means the button can never wake up on its own terms.
[00:11:40] You always have to press the button, and once it goes back to sleep, it cannot wake up again without the button being pressed. Power enable is held by an external latch, so the microcontroller simply closes the latch and then it goes to shutdown. The microcontroller can also measure the battery by using the ADC and an enable signal to connect or disconnect the battery from the... This value is also sent to the server, so Amazon knows when your battery is getting empty. Regarding the power consumption, Petroff already did a lot of measurements regarding this. And you can see that Wi-Fi is drawing a lot of power, about a hundred milliwatts. And without Wi-Fi, it's down to about 80 milliwatts. And there's some power saving. You should be able to go down to about 50 milliwatts. Yeah, but on battery, it's about...
[00:12:44] ...half an hour, about, and so that's about 75 minutes with Wi-Fi enabled and about 10 hours with some very good power saving. So basically you could make a bug with this and listen to the microphone for some time and then transmit it via Wi-Fi. But it's still limited with battery power.

[00:13:11] So the debugging interface is also there. You already saw those test points earlier. The old Dash button had single-wire debugging enabled and a serial console with debugging commands. You could simply dump memory using the serial console. The new button has test pads for single-wire debug and a serial console, but single-wire debugging is disabled and the serial console is stripped down to a few boring commands. We'll come to these later. Yeah.
[00:13:47] Here you can see the debugging interfaces from the bottom side, a Tag-Connect connector there, which connector you can find on the Petroff website. All of these I/Os are 3.3 volts. The pinout is basically compatible to the old button. So here are some commands you can see. There are three different modes. There's a test mode menu. This has a lot more commands and they probably use this in the factory to do some calibration and testing. This is the user mode menu you have if you open the button and connect the serial port. There's just some firmware revision you can query, and you can measure the battery voltage in millivolts, and "mortal" and "immortal": immortal prevents the automatic shutdown. It then stays on, it'll stay on until you issue a shutdown or you switch to mortal again. The developer mode menu has some more interesting commands there.
[00:14:53] Still no memory access, but yeah, you can enter certain modes, configure mode, access point mode, scan for Wi-Fi, and so on.

[00:15:06] So let's have a look at the communication protocols and the crypto stuff. The communication works like this: you have the SAM G55, this is the microcontroller, then you have the Wi-Fi chip, this is this ATWINC, and this chip handles all the stuff. So those two communicate in plain text using SPI, and then the Dash button seems to use HTTPS when connecting to the Amazon server. So you can see plaintext data here, and it's clocked at 40 megahertz. So this is rather fast. Yeah.
[00:16:00] One of the first things I did was I wanted to analyze the communication that was there, because I didn't actually know if they are using TLS inside the Wi-Fi NIC or if they are doing the TLS in the microcontroller. They did it in the microcontroller in the last hardware revision. And so I put an FPGA between those two things and logged all the data that came by. I did cut the bus so I could do man-in-the-middle as well. And I did this before I had the full Dash firmware knowledge, and all this wouldn't really have been necessary. It looked like this. So you can see I removed the microcontroller here and added plenty of wires. These then go to some sort of baseboard where I can plug in a breakout board for the microcontroller. The microcontroller is actually here on this. There are some LEDs for... yeah, they are to be used here. I have a serial console here.
[00:17:09] I have single-wire debugging, the reset button, and here is the actual Dash button. This here is the 3.3 volt supply. And you can see a lot of jumpers here. These are all the connections to Bluetooth and Wi-Fi. So I can simply remove the jumper and do man-in-the-middle there. This is the thing with the FPGA board plugged in. Yeah, so that's how I analyzed this communication that I'm now going to present. The Wi-Fi based configuration is used by the Android Amazon app. I don't know if the other app uses the same mode.

[00:17:57] To get into the configuration mode, you have to press the button for several seconds until the LED fades blue. Then the button is in access point mode and you can connect to a network called Amazon ConfigureMe. There's also a DHCP server for IP assignment, and there's a simple HTTP server running on this thing. It actually runs on the CPU and not on the Wi-Fi controller. And there's a webpage with basic info. It looks like this. You have the serial number and the firmware and the battery level in percent. They always do the battery level in percent. Yeah, not very interesting. The app on the other side does more interesting things. It fetches the device info from the root location as well, but it sets the content type to application/json and it gets more information. It gets a list of all the Wi-Fi networks that are there. And yeah, then the app generates an elliptic-curve Diffie-Hellman key and posts this pubkey to this location, and then gets the same, or the public key from the Dash button, from the same location. It posts the locale config. We'll see what this is later.
[00:19:27] The locale config is quite... it's not very interesting and therefore it's in plaintext. It posts an encrypted token to the token location and posts the encrypted network config to the network location. After this, the configuration is basically complete for the button. The button then connects to Wi-Fi and registers with the Amazon server. And now an interesting step happens. It gets a customer secret. So this is a specific secret key that is stored in the flash and then used for the orderings. There are a few secret keys involved. The device secret is 20 chars, uppercase and digits mixed, and it is written to the flash during production. This is fixed for the device. It cannot be changed. The customer secret is obtained during the configuration, or at the end of the configuration phase, from the Amazon server.
548 00:20:33,480 --> 00:20:35,969 And um, this is generated randomly 549 00:20:35,970 --> 00:20:37,109 by the server. I guess 550 00:20:38,460 --> 00:20:40,829 you'll get a new secret if you do a new 551 00:20:40,830 --> 00:20:42,479 registration. 552 00:20:42,480 --> 00:20:44,369 Both of these are stored in the internal 553 00:20:44,370 --> 00:20:46,679 flash of the microcontroller and 554 00:20:46,680 --> 00:20:49,619 they are used for HMAC on the requests. 555 00:20:49,620 --> 00:20:52,649 So, um, yeah, the 556 00:20:52,650 --> 00:20:54,839 elliptic Diffie-Hellman during config 557 00:20:54,840 --> 00:20:57,599 uses a secp256 558 00:20:57,600 --> 00:20:59,849 curve and this 559 00:20:59,850 --> 00:21:02,579 is then used to generate a temporary, 560 00:21:02,580 --> 00:21:05,039 uh, symmetric key, um, for 561 00:21:05,040 --> 00:21:07,169 AES counter mode 562 00:21:07,170 --> 00:21:09,169 and um. 563 00:21:09,170 --> 00:21:11,299 Yeah, they are using two 564 00:21:11,300 --> 00:21:14,239 hundred and fifty six, um, 565 00:21:14,240 --> 00:21:16,789 to generate this key, um, 566 00:21:16,790 --> 00:21:19,369 and the data for the AES 567 00:21:19,370 --> 00:21:21,919 counter mode is, uh, TLV encoded. 568 00:21:21,920 --> 00:21:23,689 You need three tags. 569 00:21:23,690 --> 00:21:24,690 Um. 570 00:21:25,180 --> 00:21:27,159 Tag zero is the ciphertext, then you need 571 00:21:27,160 --> 00:21:29,619 the initialization vector and 572 00:21:29,620 --> 00:21:31,689 a tag, the length of 573 00:21:31,690 --> 00:21:34,089 this still uses 16 bit and 574 00:21:34,090 --> 00:21:36,519 um, then the plaintext data 575 00:21:36,520 --> 00:21:38,169 is JSON encoded. 576 00:21:38,170 --> 00:21:39,249 That's a bit funny. 577 00:21:39,250 --> 00:21:41,679 And they seem to like parsers because 578 00:21:41,680 --> 00:21:43,569 they're using TLV for the encrypted 579 00:21:43,570 --> 00:21:45,669 data.
And once you decrypt it, you 580 00:21:45,670 --> 00:21:46,670 get JSON data. 581 00:21:48,610 --> 00:21:50,349 Here's some example data. 582 00:21:50,350 --> 00:21:53,049 You can see public and 583 00:21:53,050 --> 00:21:54,879 local is actually just the country. 584 00:21:54,880 --> 00:21:57,339 Yeah, the token 585 00:21:57,340 --> 00:21:58,599 is the server token. 586 00:21:58,600 --> 00:22:01,659 So this is something 587 00:22:01,660 --> 00:22:03,789 the app, the Amazon app, 588 00:22:03,790 --> 00:22:06,309 gets from the Amazon server 589 00:22:06,310 --> 00:22:08,289 once you started, um, the 590 00:22:08,290 --> 00:22:10,419 configuration of a new 591 00:22:10,420 --> 00:22:12,369 dash. And because this ties your dash 592 00:22:12,370 --> 00:22:14,689 button to your Amazon account, 593 00:22:14,690 --> 00:22:16,869 um, the token is thirty 594 00:22:16,870 --> 00:22:17,799 two bits. 595 00:22:17,800 --> 00:22:20,129 And yeah, 596 00:22:20,130 --> 00:22:22,269 the network is encoded 597 00:22:22,270 --> 00:22:23,379 this way. 598 00:22:23,380 --> 00:22:25,479 And the interesting thing 599 00:22:25,480 --> 00:22:27,549 is that the HTTP server 600 00:22:27,550 --> 00:22:30,189 has another unused location. 601 00:22:30,190 --> 00:22:32,049 At least the app doesn't use it. 602 00:22:32,050 --> 00:22:34,239 Um, it's called flash and this 603 00:22:34,240 --> 00:22:35,979 seems to allow flash access. 604 00:22:35,980 --> 00:22:38,079 I haven't analyzed it in detail, but, 605 00:22:38,080 --> 00:22:40,749 um, there seems to be some authentication 606 00:22:40,750 --> 00:22:42,999 going on. So you can't easily 607 00:22:43,000 --> 00:22:45,339 use this without understanding the 608 00:22:45,340 --> 00:22:46,340 crypto. 609 00:22:48,720 --> 00:22:50,849 The final registration at 610 00:22:50,850 --> 00:22:53,159 the Amazon server.
611 00:22:53,160 --> 00:22:55,409 This is the thing the button does once 612 00:22:55,410 --> 00:22:56,999 it has been configured by the app, 613 00:22:58,470 --> 00:23:00,899 it posts to this URL 614 00:23:00,900 --> 00:23:03,479 on the Amazon server 615 00:23:03,480 --> 00:23:05,789 and it transmits the device 616 00:23:05,790 --> 00:23:08,069 serial number. You can see this here and 617 00:23:08,070 --> 00:23:10,439 there's a transaction counter. 618 00:23:10,440 --> 00:23:13,139 This is a 32-bit counter. 619 00:23:13,140 --> 00:23:15,209 And also you 620 00:23:15,210 --> 00:23:17,009 can see the token from the app. 621 00:23:17,010 --> 00:23:18,929 The transaction counter is later used 622 00:23:18,930 --> 00:23:21,509 during the order requests 623 00:23:21,510 --> 00:23:22,409 as well. 624 00:23:22,410 --> 00:23:23,609 It prevents replays. 625 00:23:23,610 --> 00:23:25,769 Yeah. Um, then they 626 00:23:25,770 --> 00:23:28,109 do an HMAC using the device 627 00:23:28,110 --> 00:23:30,089 secret key because there's no customer 628 00:23:30,090 --> 00:23:31,259 secret yet. 629 00:23:31,260 --> 00:23:33,329 And the response then includes the 630 00:23:33,330 --> 00:23:34,499 customer secret key. 631 00:23:34,500 --> 00:23:37,619 So this is then used to sign the orders. 632 00:23:37,620 --> 00:23:39,839 Um, there are also 633 00:23:39,840 --> 00:23:41,939 some timestamps. 634 00:23:41,940 --> 00:23:44,339 They are always using Unix timestamps 635 00:23:44,340 --> 00:23:45,359 here.
636 00:23:45,360 --> 00:23:47,519 Um, now once you press the button, 637 00:23:47,520 --> 00:23:49,919 after all the configuration stuff 638 00:23:49,920 --> 00:23:52,499 and, um, to order something, 639 00:23:52,500 --> 00:23:54,180 it has to post requests 640 00:23:55,440 --> 00:23:58,079 to this gateway here from Amazon 641 00:23:58,080 --> 00:24:01,289 and it uses content type, 642 00:24:01,290 --> 00:24:03,539 um, the 643 00:24:03,540 --> 00:24:05,609 request is the actual order request and 644 00:24:05,610 --> 00:24:07,529 it has a second request with debugging 645 00:24:07,530 --> 00:24:09,749 info. So they are sending some metrics 646 00:24:09,750 --> 00:24:11,639 about how often the button has been 647 00:24:11,640 --> 00:24:14,309 pressed and how often 648 00:24:14,310 --> 00:24:16,619 it was paired with Bluetooth 649 00:24:16,620 --> 00:24:18,249 and such things. 650 00:24:18,250 --> 00:24:20,279 Um, I think I have an example in the 651 00:24:20,280 --> 00:24:22,229 appendix of the slides. 652 00:24:22,230 --> 00:24:23,699 It's not really that interesting, 653 00:24:25,020 --> 00:24:26,549 but an interesting thing is that the 654 00:24:26,550 --> 00:24:28,619 server can demand a firmware update of the 655 00:24:28,620 --> 00:24:30,989 button and then 656 00:24:30,990 --> 00:24:33,089 an additional post to the, 657 00:24:33,090 --> 00:24:35,129 uh, location is triggered and the firmware 658 00:24:35,130 --> 00:24:36,130 is downloaded. 659 00:24:38,550 --> 00:24:41,429 The post to the, um, to the order 660 00:24:41,430 --> 00:24:43,409 location looks like this. 661 00:24:43,410 --> 00:24:45,689 So again, we have the device serial number, 662 00:24:45,690 --> 00:24:48,209 transaction counter and 663 00:24:48,210 --> 00:24:49,529 the MAC. 664 00:24:49,530 --> 00:24:51,449 And this is then generated with the 665 00:24:51,450 --> 00:24:53,069 customer secret. 666 00:24:53,070 --> 00:24:54,159 Yeah.
667 00:24:54,160 --> 00:24:56,759 Um, then 668 00:24:56,760 --> 00:24:58,829 you get the status code from the 669 00:24:58,830 --> 00:25:00,720 server obviously. And this is used 670 00:25:01,740 --> 00:25:03,839 to determine if the order was successful 671 00:25:03,840 --> 00:25:05,189 or not. 672 00:25:05,190 --> 00:25:07,589 So if the button blinks green, 673 00:25:07,590 --> 00:25:09,689 it must have been, uh, a 200 674 00:25:09,690 --> 00:25:12,599 HTTP status, and 412, 675 00:25:12,600 --> 00:25:14,789 for example, is used to signify, 676 00:25:14,790 --> 00:25:17,369 to signal that you didn't complete 677 00:25:17,370 --> 00:25:19,079 the product selection. 678 00:25:19,080 --> 00:25:21,449 Um, there's also a timestamp 679 00:25:21,450 --> 00:25:24,209 in the body and, 680 00:25:24,210 --> 00:25:26,219 yes, the flag for firmware update 681 00:25:26,220 --> 00:25:27,159 request. 682 00:25:27,160 --> 00:25:29,249 Um, before I had 683 00:25:29,250 --> 00:25:31,979 all the secret keys, I used the FPGA 684 00:25:31,980 --> 00:25:34,109 to toggle this 685 00:25:34,110 --> 00:25:36,449 flag to get a firmware update. 686 00:25:36,450 --> 00:25:38,219 But the server said, no, no, you already 687 00:25:38,220 --> 00:25:40,319 have the latest firmware. So I was a bit 688 00:25:40,320 --> 00:25:42,140 disappointed, but yeah. 689 00:25:43,230 --> 00:25:45,869 Um, now regarding the security 690 00:25:45,870 --> 00:25:47,170 conclusions, um, 691 00:25:48,180 --> 00:25:50,309 during the configuration phase with the 692 00:25:50,310 --> 00:25:52,709 access point mode, um, 693 00:25:52,710 --> 00:25:55,139 you can simulate 694 00:25:55,140 --> 00:25:57,179 a dash button because the dash button 695 00:25:57,180 --> 00:26:00,029 doesn't have to authenticate to the app. 696 00:26:00,030 --> 00:26:01,859 This allows for evil twin and man-in-the- 697 00:26:01,860 --> 00:26:03,959 middle attacks.
This means an 698 00:26:03,960 --> 00:26:06,089 attacker can obtain the Wi-Fi 699 00:26:06,090 --> 00:26:08,879 credentials and the dash token for 700 00:26:08,880 --> 00:26:11,249 the ordering, um, thing. 701 00:26:11,250 --> 00:26:13,529 So if you set up 702 00:26:13,530 --> 00:26:15,809 this stuff and, um, 703 00:26:15,810 --> 00:26:18,059 some day your neighbor, um, 704 00:26:18,060 --> 00:26:20,249 gets a dash button and configures it, you 705 00:26:20,250 --> 00:26:22,999 can grab his Wi-Fi credentials. 706 00:26:23,000 --> 00:26:25,139 Um, well, but 707 00:26:25,140 --> 00:26:26,579 you have to have it running for quite 708 00:26:26,580 --> 00:26:28,019 some time, I think. 709 00:26:28,020 --> 00:26:30,479 Um, so the risk isn't that high because 710 00:26:30,480 --> 00:26:32,579 the time span of this configuration 711 00:26:32,580 --> 00:26:34,649 is actually pretty low 712 00:26:34,650 --> 00:26:35,999 or pretty short. 713 00:26:36,000 --> 00:26:37,979 Um, yeah. 714 00:26:37,980 --> 00:26:39,839 The configuration with the server uses 715 00:26:39,840 --> 00:26:42,209 HTTPS and I think they check 716 00:26:42,210 --> 00:26:44,309 the cert, at least that's what the 717 00:26:44,310 --> 00:26:45,310 Internet says, 718 00:26:47,160 --> 00:26:48,629 the client requests. 719 00:26:48,630 --> 00:26:51,209 So the client does not have a security 720 00:26:51,210 --> 00:26:52,229 cert. 721 00:26:52,230 --> 00:26:54,719 The buttons do not have, uh, certs, 722 00:26:54,720 --> 00:26:56,969 they only use this 723 00:26:56,970 --> 00:26:58,649 HMAC using the counter and the secret 724 00:26:58,650 --> 00:26:59,819 keys. 725 00:26:59,820 --> 00:27:01,739 Um, but this prevents replays and 726 00:27:01,740 --> 00:27:03,239 ordering without knowing the secret 727 00:27:03,240 --> 00:27:05,309 key. So this is pretty 728 00:27:05,310 --> 00:27:06,689 solid, I think.
729 00:27:06,690 --> 00:27:08,909 Um, but the 730 00:27:08,910 --> 00:27:11,039 most interesting thing when it comes to 731 00:27:11,040 --> 00:27:13,289 security is that the button 732 00:27:13,290 --> 00:27:15,359 is really only active after key 733 00:27:15,360 --> 00:27:17,549 press and connected to Wi-Fi 734 00:27:17,550 --> 00:27:18,689 for a few seconds. 735 00:27:18,690 --> 00:27:21,119 So there's no self-induced wake up and 736 00:27:21,120 --> 00:27:23,249 the battery life limits the damage 737 00:27:23,250 --> 00:27:24,929 that can be done with this thing. 738 00:27:24,930 --> 00:27:26,729 And also there are no open ports. 739 00:27:26,730 --> 00:27:28,979 It doesn't use UPnP or something like 740 00:27:28,980 --> 00:27:30,000 that. So 741 00:27:31,050 --> 00:27:33,299 there's not really much 742 00:27:33,300 --> 00:27:34,799 you can do from the outside. 743 00:27:37,940 --> 00:27:40,009 So let's have a look at the 744 00:27:40,010 --> 00:27:41,010 analysis then. 745 00:27:43,500 --> 00:27:45,789 The old button had 746 00:27:45,790 --> 00:27:47,010 a Broadcom 747 00:27:48,090 --> 00:27:50,339 chipset and a real-time 748 00:27:50,340 --> 00:27:52,949 operating system from Express Logic 749 00:27:52,950 --> 00:27:55,559 with a NetX IP stack. 750 00:27:55,560 --> 00:27:57,569 The new button has a custom OS. 751 00:27:57,570 --> 00:27:59,819 I think Amazon wrote it themselves. 752 00:27:59,820 --> 00:28:01,199 They also wrote the bootloader 753 00:28:01,200 --> 00:28:03,359 themselves. It seems you cannot find 754 00:28:03,360 --> 00:28:05,069 anything on the Internet about this. 755 00:28:06,870 --> 00:28:09,269 You can see this is the output 756 00:28:09,270 --> 00:28:10,889 of the serial port. 757 00:28:10,890 --> 00:28:13,099 I'm not sure. I don't think the 758 00:28:13,100 --> 00:28:15,059 way it does normally gives you all this 759 00:28:15,060 --> 00:28:17,399 info.
I enabled development 760 00:28:17,400 --> 00:28:19,469 mode and enabled logging 761 00:28:19,470 --> 00:28:21,269 to get all this info. 762 00:28:21,270 --> 00:28:22,359 I'll come to that later, 763 00:28:22,360 --> 00:28:23,549 how that worked. 764 00:28:25,160 --> 00:28:27,389 Yeah, they have 765 00:28:27,390 --> 00:28:28,739 multiple tasks. 766 00:28:28,740 --> 00:28:31,199 Main task, transaction task, 767 00:28:31,200 --> 00:28:33,689 Avocado button task. Avocado 768 00:28:33,690 --> 00:28:35,759 seems to be the project name for 769 00:28:35,760 --> 00:28:36,760 the dash button. 770 00:28:38,010 --> 00:28:40,229 There's an extra task for Chibi, 771 00:28:40,230 --> 00:28:42,959 a command handler 772 00:28:42,960 --> 00:28:45,869 and network manager task. 773 00:28:45,870 --> 00:28:48,009 You can see some of those tasks here. 774 00:28:48,010 --> 00:28:49,010 Yeah. 775 00:28:51,240 --> 00:28:53,459 Yeah, now when 776 00:28:53,460 --> 00:28:55,259 you want to dump the firmware, obviously you'll 777 00:28:55,260 --> 00:28:57,269 try single-wire debug first, 778 00:28:58,350 --> 00:29:00,839 but this cannot be used because 779 00:29:00,840 --> 00:29:03,329 they are using the security lock 780 00:29:03,330 --> 00:29:05,429 to prevent access using 781 00:29:05,430 --> 00:29:08,219 the single-wire debug and 782 00:29:08,220 --> 00:29:10,529 you cannot get into the boot ROM either. 783 00:29:10,530 --> 00:29:12,089 That's prevented as well. 784 00:29:13,380 --> 00:29:14,879 And the only way, according to the 785 00:29:14,880 --> 00:29:17,729 datasheet of the microcontroller, 786 00:29:17,730 --> 00:29:19,919 to clear this 787 00:29:19,920 --> 00:29:22,319 lock is with a full flash 788 00:29:22,320 --> 00:29:24,689 erase, and a full flash 789 00:29:24,690 --> 00:29:27,029 erase can be done by using the erase 790 00:29:27,030 --> 00:29:29,159 pin, but that is wired 791 00:29:29,160 --> 00:29:30,689 hard to ground.
792 00:29:30,690 --> 00:29:32,549 So you have to desolder the complete 793 00:29:32,550 --> 00:29:35,089 microcontroller to get there. 794 00:29:35,090 --> 00:29:37,169 Um, and it erases the 795 00:29:37,170 --> 00:29:39,659 flash content. So that's not 796 00:29:39,660 --> 00:29:42,029 so good if you want to dump the firmware. 797 00:29:42,030 --> 00:29:44,309 And, um, well, 798 00:29:44,310 --> 00:29:46,469 I had a look at the external SPI flash 799 00:29:46,470 --> 00:29:48,389 and soldered it out. 800 00:29:48,390 --> 00:29:49,769 You can see it here. 801 00:29:49,770 --> 00:29:52,079 Uh, it's on a tiny 802 00:29:52,080 --> 00:29:54,839 piece of PCB and, um, 803 00:29:54,840 --> 00:29:56,999 hooked it up to, um, a Raspberry 804 00:29:57,000 --> 00:29:59,159 Pi and 805 00:29:59,160 --> 00:30:01,229 dumped it. There's this tool 806 00:30:01,230 --> 00:30:03,029 called flashrom, it's actually pretty 807 00:30:03,030 --> 00:30:06,059 good. And you can dump 808 00:30:06,060 --> 00:30:08,249 more or less any flash that 809 00:30:08,250 --> 00:30:10,140 is out there and 810 00:30:12,600 --> 00:30:14,819 you can find the firmware in this flash, at 811 00:30:14,820 --> 00:30:16,809 least part of the firmware there. 812 00:30:16,810 --> 00:30:19,289 Now, the thing with this is 813 00:30:19,290 --> 00:30:21,629 that the microcontroller cannot 814 00:30:21,630 --> 00:30:23,729 execute the firmware directly from this 815 00:30:23,730 --> 00:30:24,809 SPI flash. 816 00:30:24,810 --> 00:30:26,939 It has to be copied into an 817 00:30:26,940 --> 00:30:29,279 internal memory, either to RAM or 818 00:30:29,280 --> 00:30:31,559 to flash. And, um, 819 00:30:31,560 --> 00:30:33,719 therefore, the firmware must also be present 820 00:30:33,720 --> 00:30:35,799 in the internal flash. 821 00:30:35,800 --> 00:30:37,859 So, um, you have 822 00:30:37,860 --> 00:30:39,989 a duplicate probably.
823 00:30:39,990 --> 00:30:42,179 And we can dump this and 824 00:30:42,180 --> 00:30:44,369 analyze it using a hex editor and a 825 00:30:44,370 --> 00:30:47,579 disassembler, and that's what I did. 826 00:30:47,580 --> 00:30:49,649 So, um, if 827 00:30:49,650 --> 00:30:51,929 you analyze the SPI flash, um, 828 00:30:51,930 --> 00:30:54,089 you can see that it contains the firmware 829 00:30:54,090 --> 00:30:56,519 and some, uh, dynamic storage 830 00:30:56,520 --> 00:30:58,619 that's used with Chunlin. 831 00:30:58,620 --> 00:31:00,779 The dynamic storage seems to start 832 00:31:00,780 --> 00:31:03,059 at this location and this includes debug 833 00:31:03,060 --> 00:31:03,899 logs. 834 00:31:03,900 --> 00:31:06,179 Um, so you can see in 835 00:31:06,180 --> 00:31:08,279 text output, um, what the 836 00:31:08,280 --> 00:31:10,589 button did and you can also 837 00:31:10,590 --> 00:31:13,119 find the transaction counter there. 838 00:31:13,120 --> 00:31:15,269 Um, the start of the flash 839 00:31:15,270 --> 00:31:17,369 contains a list of static blocks. 840 00:31:17,370 --> 00:31:19,139 It looks like this. 841 00:31:19,140 --> 00:31:21,119 And you see the structure is pretty 842 00:31:21,120 --> 00:31:23,249 simple. Um, that's just the name of 843 00:31:23,250 --> 00:31:25,589 the block. And uh, 844 00:31:25,590 --> 00:31:27,149 at the end there's the version of the 845 00:31:27,150 --> 00:31:29,729 block and then there's the offset 846 00:31:29,730 --> 00:31:31,439 within the flash. And the length of this 847 00:31:31,440 --> 00:31:33,719 block can be figured 848 00:31:33,720 --> 00:31:34,829 out quite easily. 849 00:31:34,830 --> 00:31:36,059 And um. 850 00:31:36,060 --> 00:31:38,129 Yeah. So, um, I wrote down the 851 00:31:38,130 --> 00:31:40,769 structure and parsed the list and, 852 00:31:40,770 --> 00:31:42,159 um, this is what we get.
853 00:31:42,160 --> 00:31:44,279 So the cemetery fifty five 854 00:31:44,280 --> 00:31:46,079 obviously has to be the firmware for the 855 00:31:46,080 --> 00:31:47,409 microcontroller. 856 00:31:47,410 --> 00:31:49,469 Um, it's four hundred 857 00:31:49,470 --> 00:31:51,929 and seventy seven, um, kilobytes. 858 00:31:51,930 --> 00:31:54,239 So that matches pretty well with, 859 00:31:54,240 --> 00:31:56,309 uh, half a megabyte of flash. 860 00:31:56,310 --> 00:31:58,409 Um, you can see 861 00:31:58,410 --> 00:32:00,569 there's an additional header for this 862 00:32:00,570 --> 00:32:03,329 firmware and, um, 863 00:32:03,330 --> 00:32:05,489 yeah, the payload of this block includes 864 00:32:05,490 --> 00:32:07,679 the Sadr and the other 865 00:32:07,680 --> 00:32:09,749 probably for the Bluetooth and for the Wi- 866 00:32:09,750 --> 00:32:11,669 Fi chip. So the Wi-Fi chip also has a 867 00:32:11,670 --> 00:32:13,079 built-in microcontroller. 868 00:32:13,080 --> 00:32:14,789 But it's not, um, it's some other 869 00:32:14,790 --> 00:32:16,919 architecture and it also 870 00:32:16,920 --> 00:32:18,989 has plenty less flash storage. 871 00:32:18,990 --> 00:32:21,539 You can see this here. It, um, 872 00:32:21,540 --> 00:32:23,579 the firmware is about four hundred kilobytes 873 00:32:23,580 --> 00:32:25,859 as well. But, uh, well, that's 874 00:32:25,860 --> 00:32:26,860 not a piece. 875 00:32:27,520 --> 00:32:29,159 Um, okay. 876 00:32:29,160 --> 00:32:31,349 So I dumped the G 877 00:32:31,350 --> 00:32:33,509 fifty five block to an extra file 878 00:32:33,510 --> 00:32:34,919 and analyzed it.
879 00:32:34,920 --> 00:32:36,989 And um, if you want 880 00:32:36,990 --> 00:32:39,269 to analyze one piece of firmware 881 00:32:39,270 --> 00:32:41,639 that goes into a microcontroller, a 882 00:32:41,640 --> 00:32:43,410 Cortex-M3 or -M4, 883 00:32:44,910 --> 00:32:47,789 M0 as well, um, 884 00:32:47,790 --> 00:32:50,009 you know that the RAM usually 885 00:32:50,010 --> 00:32:52,469 starts at this location and the internal 886 00:32:52,470 --> 00:32:54,449 flash, that's here. 887 00:32:54,450 --> 00:32:56,699 So at the beginning 888 00:32:56,700 --> 00:32:58,949 of this flash or, 889 00:32:58,950 --> 00:33:01,259 yeah, you usually have the nested 890 00:33:01,260 --> 00:33:03,359 vector interrupt controller table. 891 00:33:03,360 --> 00:33:05,069 This is the table with all the interrupt 892 00:33:05,070 --> 00:33:06,749 service routines. 893 00:33:06,750 --> 00:33:08,819 And, um, you also have the 894 00:33:08,820 --> 00:33:11,189 exception handlers there and the reset 895 00:33:11,190 --> 00:33:12,419 entry point. 896 00:33:12,420 --> 00:33:13,420 And um, 897 00:33:14,730 --> 00:33:16,229 so we would expect 898 00:33:17,760 --> 00:33:19,949 to find the vector table 899 00:33:19,950 --> 00:33:22,109 somewhere in the firmware and this 900 00:33:22,110 --> 00:33:23,129 is what we look for. 901 00:33:23,130 --> 00:33:25,199 The stack pointer should point to RAM. 902 00:33:25,200 --> 00:33:27,299 So somewhere here, uh, to 903 00:33:27,300 --> 00:33:29,069 the end of the RAM actually, it's somewhere 904 00:33:29,070 --> 00:33:31,169 around the end of the RAM, and 905 00:33:31,170 --> 00:33:34,229 the handlers should point into the flash. 906 00:33:34,230 --> 00:33:36,359 Um, if you have a closer look at the 907 00:33:36,360 --> 00:33:38,609 firmware, this is the additional header 908 00:33:38,610 --> 00:33:39,869 we had before.
909 00:33:39,870 --> 00:33:41,939 So we can see that, uh, it doesn't 910 00:33:41,940 --> 00:33:44,069 really make sense, um, to 911 00:33:44,070 --> 00:33:45,869 use this as a vector table, because the 912 00:33:45,870 --> 00:33:48,269 first thing obviously 913 00:33:48,270 --> 00:33:49,199 is a flash 914 00:33:49,200 --> 00:33:51,629 address, and after that, it's 915 00:33:51,630 --> 00:33:53,099 an invalid address. 916 00:33:53,100 --> 00:33:55,259 Um, so that's 917 00:33:55,260 --> 00:33:57,329 how I figured it out, that this must be 918 00:33:57,330 --> 00:33:59,189 the length of the firmware and so on, 919 00:34:00,240 --> 00:34:01,859 then there are plenty of zeros. 920 00:34:01,860 --> 00:34:04,409 And at this location in hex, 921 00:34:04,410 --> 00:34:06,689 we can find the stack pointer and after 922 00:34:06,690 --> 00:34:09,119 the stack pointer the handler 923 00:34:09,120 --> 00:34:11,279 entries for the vector interrupt 924 00:34:11,280 --> 00:34:12,419 controller. 925 00:34:12,420 --> 00:34:14,999 So my initial 926 00:34:15,000 --> 00:34:17,249 assumption was that the first 927 00:34:17,250 --> 00:34:20,129 two hundred bytes had to be stripped and 928 00:34:20,130 --> 00:34:22,829 this thing put to this location. 929 00:34:22,830 --> 00:34:25,110 However, that didn't work out 930 00:34:26,370 --> 00:34:29,099 because if you get the 931 00:34:29,100 --> 00:34:31,138 offset wrong, you can see this in the 932 00:34:31,139 --> 00:34:33,299 disassembly, that the references don't 933 00:34:33,300 --> 00:34:34,408 match up. 934 00:34:34,409 --> 00:34:36,658 So I gave it another 935 00:34:36,659 --> 00:34:38,879 try and put it up and didn't 936 00:34:38,880 --> 00:34:40,979 strip this header and then everything was 937 00:34:40,980 --> 00:34:43,049 fine. So I had 938 00:34:43,050 --> 00:34:45,119 the firmware in disassembly, 939 00:34:45,120 --> 00:34:47,669 or at least part of the firmware.
940 00:34:47,670 --> 00:34:50,399 And, um, yeah, 941 00:34:50,400 --> 00:34:52,799 the problem here was that it started 942 00:34:52,800 --> 00:34:54,689 at 4000 in the flash. 943 00:34:54,690 --> 00:34:56,789 So there must be obviously some kind 944 00:34:56,790 --> 00:34:58,739 of bootloader code before that. 945 00:34:58,740 --> 00:35:01,439 And this code I didn't have. 946 00:35:01,440 --> 00:35:03,569 Also, I later 947 00:35:03,570 --> 00:35:05,669 found out that apart from the bootloader, 948 00:35:05,670 --> 00:35:07,859 there's the configuration storage, 949 00:35:07,860 --> 00:35:10,049 which includes the MAC address and serial 950 00:35:11,070 --> 00:35:13,109 number of the device and the secrets of 951 00:35:13,110 --> 00:35:15,359 the device and also 952 00:35:15,360 --> 00:35:17,099 configuration. And this is the part where 953 00:35:17,100 --> 00:35:18,929 the Wi-Fi config is stored. 954 00:35:18,930 --> 00:35:20,969 So this is before the actual firmware, 955 00:35:20,970 --> 00:35:22,829 which I found in the external flash. 956 00:35:24,690 --> 00:35:26,999 So, um, I tried 957 00:35:27,000 --> 00:35:29,189 something, and it would be great 958 00:35:29,190 --> 00:35:31,979 if we could execute the dumped firmware 959 00:35:31,980 --> 00:35:33,209 without this bootloader. 960 00:35:33,210 --> 00:35:35,309 And so I simply wrote this firmware 961 00:35:35,310 --> 00:35:37,389 to an empty microcontroller, 962 00:35:37,390 --> 00:35:39,779 a compatible one, and 963 00:35:39,780 --> 00:35:42,149 duplicated the vector table 964 00:35:42,150 --> 00:35:43,379 to the start of the flash. 965 00:35:43,380 --> 00:35:45,509 So all the pointers would match 966 00:35:45,510 --> 00:35:46,919 fine. And 967 00:35:48,210 --> 00:35:50,309 yes, I set it to start from the 968 00:35:50,310 --> 00:35:52,409 flash and the firmware worked.
969 00:35:52,410 --> 00:35:54,539 So I did have 970 00:35:54,540 --> 00:35:56,999 debug output and, yeah, everything 971 00:35:57,000 --> 00:35:59,879 was great and I had debugging 972 00:35:59,880 --> 00:36:02,099 using single-wire debug, so I could use 973 00:36:02,100 --> 00:36:04,319 OpenOCD and connect with a debugger 974 00:36:04,320 --> 00:36:05,579 to this thing. 975 00:36:05,580 --> 00:36:07,799 And I had, suddenly I had 976 00:36:07,800 --> 00:36:10,529 a developer console on the serial UART, 977 00:36:10,530 --> 00:36:13,019 so I had 978 00:36:13,020 --> 00:36:15,089 analyzed this a bit and I found 979 00:36:15,090 --> 00:36:16,949 out that it simply checked the security 980 00:36:16,950 --> 00:36:18,899 lock bit, and if the security lock isn't 981 00:36:18,900 --> 00:36:21,329 set, it's obviously 982 00:36:21,330 --> 00:36:22,749 in the developer mode. 983 00:36:23,790 --> 00:36:26,429 So, um, however, 984 00:36:26,430 --> 00:36:28,739 um, there was a slight problem 985 00:36:28,740 --> 00:36:31,199 because obviously, um, 986 00:36:31,200 --> 00:36:33,749 I wasn't able to use this new button, 987 00:36:33,750 --> 00:36:36,149 um, because the credentials, 988 00:36:36,150 --> 00:36:38,289 the secret keys, were missing. 989 00:36:38,290 --> 00:36:40,499 And um, so somehow I needed 990 00:36:40,500 --> 00:36:42,659 to dump the internal flash of the locked 991 00:36:42,660 --> 00:36:44,789 microcontroller and I wanted 992 00:36:44,790 --> 00:36:46,769 to dump the bootloader anyway. 993 00:36:46,770 --> 00:36:48,989 So I went for code 994 00:36:48,990 --> 00:36:50,569 execution. 995 00:36:50,570 --> 00:36:51,570 Um.
996 00:36:52,650 --> 00:36:54,749 That meant exploiting the 997 00:36:54,750 --> 00:36:55,750 firmware somehow. 998 00:36:57,420 --> 00:36:59,189 If you have a disassembly of the firmware 999 00:36:59,190 --> 00:37:01,439 and debugging access, it cannot get any 1000 00:37:01,440 --> 00:37:03,969 more comfortable, comfortable, 1001 00:37:03,970 --> 00:37:06,449 um, when, when you try to exploit 1002 00:37:06,450 --> 00:37:08,609 things, because you can set breakpoints, 1003 00:37:08,610 --> 00:37:09,569 you can do tracing. 1004 00:37:09,570 --> 00:37:11,279 You can look at the registers and other 1005 00:37:11,280 --> 00:37:13,469 things, and this makes things a lot 1006 00:37:13,470 --> 00:37:14,470 easier. 1007 00:37:15,270 --> 00:37:17,189 So the first attempt obviously was 1008 00:37:17,190 --> 00:37:19,079 putting a really long line on the serial 1009 00:37:19,080 --> 00:37:21,569 console. However, that didn't work and 1010 00:37:21,570 --> 00:37:23,729 it really had length checking in place on 1011 00:37:23,730 --> 00:37:25,079 the serial console. 1012 00:37:25,080 --> 00:37:26,129 So it's limited 1013 00:37:26,130 --> 00:37:28,319 to two hundred and, uh, to two hundred and 1014 00:37:28,320 --> 00:37:30,119 fifty six bytes. 1015 00:37:30,120 --> 00:37:32,699 So that was surprising. 1016 00:37:32,700 --> 00:37:34,829 And um, so 1017 00:37:34,830 --> 00:37:36,209 I thought about some other options 1018 00:37:37,350 --> 00:37:39,809 and exploiting low-level network 1019 00:37:39,810 --> 00:37:42,269 protocols like HTTP, 1020 00:37:42,270 --> 00:37:44,519 um, would hit the Wi-Fi 1021 00:37:44,520 --> 00:37:45,389 IC.
1022 00:37:45,390 --> 00:37:47,609 And that wouldn't help me because 1023 00:37:47,610 --> 00:37:49,679 I would, because I actually want 1024 00:37:49,680 --> 00:37:51,389 the ARM microcontroller, 1025 00:37:52,920 --> 00:37:55,199 and on the, um, microcontroller there's the 1026 00:37:55,200 --> 00:37:57,299 OS running and, 1027 00:37:57,300 --> 00:37:59,429 um, it has a TLV and JSON 1028 00:37:59,430 --> 00:38:01,859 parser. So that might be 1029 00:37:01,860 --> 00:38:03,839 an interesting thing. 1030 00:38:03,840 --> 00:38:05,909 But there's also something, um, 1031 00:38:05,910 --> 00:38:08,159 from earlier, the audio 1032 00:38:08,160 --> 00:38:10,469 configuration, the audio configuration 1033 00:38:10,470 --> 00:38:11,669 protocol. 1034 00:38:11,670 --> 00:38:13,349 This was used by the old button. 1035 00:38:13,350 --> 00:38:15,929 Um, if you use stand up, 1036 00:38:15,930 --> 00:38:17,889 I'm not sure if it's still used with the 1037 00:38:17,890 --> 00:38:20,099 new button or if it's been 1038 00:38:20,100 --> 00:38:21,449 replaced by Bluetooth. 1039 00:38:21,450 --> 00:38:23,759 However, this code is still 1040 00:38:23,760 --> 00:38:25,859 there and it still does support 1041 00:38:25,860 --> 00:38:27,719 the audio configuration protocol. 1042 00:38:28,770 --> 00:38:30,989 This protocol has been analyzed 1043 00:38:32,370 --> 00:38:33,779 by Trey Greco. 1044 00:38:33,780 --> 00:38:36,059 And, um, before digging into 1045 00:38:36,060 --> 00:38:38,489 this, I contacted him, 1046 00:38:38,490 --> 00:38:40,649 um, because I didn't have sample data, 1047 00:38:40,650 --> 00:38:42,839 so I asked him if he could send me 1048 00:38:42,840 --> 00:38:45,119 an amplifier with a recording 1049 00:38:45,120 --> 00:38:47,969 so I could have valid credentials 1050 00:38:47,970 --> 00:38:49,559 and analyze them.
1051 00:38:49,560 --> 00:38:51,659 And, um, he did send me 1052 00:38:51,660 --> 00:38:53,819 a sample and he also sent me an update on 1053 00:38:53,820 --> 00:38:56,159 his blog. And, um, it's 1054 00:38:56,160 --> 00:38:58,649 not actually ASK, 1055 00:38:58,650 --> 00:39:01,559 but FSK with four carriers, 1056 00:39:01,560 --> 00:39:03,959 and it, um, simply looked like ASK 1057 00:39:03,960 --> 00:39:06,269 because of the low-pass filtering. 1058 00:39:06,270 --> 00:39:08,339 So I knew it was FSK and I 1059 00:39:08,340 --> 00:39:10,529 had valid sample data. 1060 00:39:10,530 --> 00:39:12,659 And so I analyzed 1061 00:39:12,660 --> 00:39:14,309 the sample data I had. 1062 00:39:14,310 --> 00:39:16,469 And um, this was 1063 00:39:16,470 --> 00:39:19,169 the payload of the audio protocol. 1064 00:39:19,170 --> 00:39:20,489 There's a preamble. 1065 00:39:20,490 --> 00:39:22,619 Um, the packet 1066 00:39:22,620 --> 00:39:25,079 length is one byte and the 1067 00:39:25,080 --> 00:39:27,329 complete packet must be smaller than one 1068 00:39:27,330 --> 00:39:29,669 hundred and twenty eight bytes. 1069 00:39:29,670 --> 00:39:31,829 There's a CRC. The ID 1070 00:39:31,830 --> 00:39:33,480 is the token from the server, 1071 00:39:34,880 --> 00:39:37,259 SSID, password and 1072 00:39:37,260 --> 00:39:39,659 the realm is the country code stuff 1073 00:39:39,660 --> 00:39:40,660 again. 1074 00:39:41,340 --> 00:39:42,340 Um. 1075 00:39:43,070 --> 00:39:45,259 Now, if we have a closer 1076 00:39:45,260 --> 00:39:47,389 look at the function 1077 00:39:47,390 --> 00:39:49,489 that processes the 1078 00:39:49,490 --> 00:39:51,709 payload, we can find 1079 00:39:51,710 --> 00:39:53,869 that apart from, from this 1080 00:39:53,870 --> 00:39:55,729 one hundred and twenty eight length 1081 00:39:55,730 --> 00:39:57,829 check, there's not a single length 1082 00:39:57,830 --> 00:39:59,149 check in place.
1083 00:39:59,150 --> 00:40:01,449 So, um, all those 1084 00:40:01,450 --> 00:40:03,649 buffers, like realm, they 1085 00:40:03,650 --> 00:40:05,749 are simply copied 1086 00:40:05,750 --> 00:40:08,329 to the stack, and 1087 00:40:08,330 --> 00:40:10,319 so they are trivial to exploit. 1088 00:40:10,320 --> 00:40:12,409 Yeah, I used the realm 1089 00:40:12,410 --> 00:40:14,839 because I think it was the last 1090 00:40:14,840 --> 00:40:16,159 thing on the stack. 1091 00:40:16,160 --> 00:40:19,069 And yeah, 1092 00:40:19,070 --> 00:40:21,619 now we can have a look at the, um, 1093 00:40:21,620 --> 00:40:23,749 the stack. We 1094 00:40:23,750 --> 00:40:25,909 can see the realm above, and there's some 1095 00:40:25,910 --> 00:40:27,949 additional usable space where we can also 1096 00:40:27,950 --> 00:40:29,149 put our payload. 1097 00:40:29,150 --> 00:40:31,369 And, um, there's also some 1098 00:40:31,370 --> 00:40:33,239 additional space in the password and 1099 00:40:33,240 --> 00:40:35,179 SSID above it. 1100 00:40:35,180 --> 00:40:37,309 But we have to make sure that we do not 1101 00:40:37,310 --> 00:40:39,410 exceed the one hundred and twenty-seven 1102 00:40:41,000 --> 00:40:42,619 total payload length. 1103 00:40:42,620 --> 00:40:45,049 So the problem is that after 1104 00:40:45,050 --> 00:40:47,599 the additional space, there are some, 1105 00:40:47,600 --> 00:40:49,669 um, values on the stack, and if we 1106 00:40:49,670 --> 00:40:52,009 overwrite them, it'll trigger 1107 00:40:52,010 --> 00:40:53,719 the exception handler, because there are 1108 00:40:53,720 --> 00:40:55,639 some pointers and there are some values 1109 00:40:55,640 --> 00:40:58,339 for copying, some length values. 1110 00:40:58,340 --> 00:41:00,649 And if we simply write zeros 1111 00:41:00,650 --> 00:41:02,959 there, the memcpys 1112 00:41:02,960 --> 00:41:04,789 won't do a thing and the exception 1113 00:41:04,790 --> 00:41:06,709 handler won't get triggered.
1114 00:41:06,710 --> 00:41:08,869 Um, but 1115 00:41:08,870 --> 00:41:11,449 there was another thing, um, 1116 00:41:11,450 --> 00:41:13,519 we needed. Um, I 1117 00:41:13,520 --> 00:41:15,649 could disable... we have this real-time operating 1118 00:41:15,650 --> 00:41:17,869 system, so there's plenty of cool stuff 1119 00:41:17,870 --> 00:41:18,829 going on. 1120 00:41:18,830 --> 00:41:20,929 And, um, once we fuck up the 1121 00:41:20,930 --> 00:41:23,060 stack, things won't 1122 00:41:24,110 --> 00:41:25,189 go very well, 1123 00:41:25,190 --> 00:41:27,859 um, if we do some task switching. 1124 00:41:27,860 --> 00:41:29,209 Um, yeah. 1125 00:41:29,210 --> 00:41:31,429 Then the watchdog needs to be serviced. 1126 00:41:31,430 --> 00:41:34,519 There's actually a watchdog in the, um, 1127 00:41:34,520 --> 00:41:36,829 in the device, and it shuts 1128 00:41:36,830 --> 00:41:38,359 the Dash down after a while. 1129 00:41:38,360 --> 00:41:40,250 This is the model and model thing. 1130 00:41:42,110 --> 00:41:43,459 Now, before the program 1131 00:41:43,460 --> 00:41:45,529 counter on the stack we have register 1132 00:41:45,530 --> 00:41:47,599 four, and after it, 1133 00:41:47,600 --> 00:41:50,029 uh, some additional stack where we can put 1134 00:41:50,030 --> 00:41:51,259 some payload. 1135 00:41:51,260 --> 00:41:54,199 And so I built 1136 00:41:54,200 --> 00:41:56,629 this payload. Um, I put the... 1137 00:41:56,630 --> 00:41:58,339 this is the instruction to disable the 1138 00:41:58,340 --> 00:42:00,630 interrupts, and, um, 1139 00:42:01,930 --> 00:42:03,759 these two instructions I put directly 1140 00:42:03,760 --> 00:42:05,979 after the program counter, and afterwards 1141 00:42:05,980 --> 00:42:08,499 I put some additional registers, 1142 00:42:08,500 --> 00:42:10,659 because normally on ARM, um, you 1143 00:42:10,660 --> 00:42:12,729 have to do a load, um, 1144 00:42:12,730 --> 00:42:15,279 relative to the program counter. 1145 00:42:15,280 --> 00:42:16,419 Yeah.
1146 00:42:16,420 --> 00:42:18,579 And this takes two plus 1147 00:42:18,580 --> 00:42:20,799 four bytes for a load. 1148 00:42:20,800 --> 00:42:22,959 And with this method, you can save 1149 00:42:22,960 --> 00:42:25,119 some space, two bytes per load, because 1150 00:42:25,120 --> 00:42:27,249 the, um, immediate 1151 00:42:27,250 --> 00:42:28,659 values are always needed. 1152 00:42:28,660 --> 00:42:31,689 We need this for the watchdog and so on. 1153 00:42:31,690 --> 00:42:33,189 And, um, yeah. 1154 00:42:33,190 --> 00:42:35,319 Putting them on the stack and popping 1155 00:42:35,320 --> 00:42:36,519 them saves a few bytes. 1156 00:42:36,520 --> 00:42:38,649 So I did it this way, 1157 00:42:38,650 --> 00:42:40,809 and now 1158 00:42:40,810 --> 00:42:42,399 we can dump the flash. 1159 00:42:42,400 --> 00:42:44,529 So I put the, uh, the 1160 00:42:44,530 --> 00:42:46,599 source pointer, which is basically the 1161 00:42:46,600 --> 00:42:48,109 start of the flash, 1162 00:42:48,110 --> 00:42:50,229 um, I put this pointer into 1163 00:42:50,230 --> 00:42:52,449 register one, and register 1164 00:42:52,450 --> 00:42:53,800 two is the UART base. 1165 00:42:55,660 --> 00:42:57,859 Then, since I had analyzed 1166 00:42:57,860 --> 00:43:00,339 the firmware of the Dash button, 1167 00:43:00,340 --> 00:43:02,589 I had found the UART write function. 1168 00:43:02,590 --> 00:43:04,959 It's basically, uh, something 1169 00:43:04,960 --> 00:43:07,329 like, um, yeah, UART write: 1170 00:43:07,330 --> 00:43:09,609 write n bytes to the UART, 1171 00:43:09,610 --> 00:43:10,610 um. 1172 00:43:11,210 --> 00:43:13,369 Yeah, this function takes the UART 1173 00:43:13,370 --> 00:43:15,299 base address, 1174 00:43:15,300 --> 00:43:17,599 the source pointer and 1175 00:43:17,600 --> 00:43:19,339 the number of bytes that should be 1176 00:43:19,340 --> 00:43:20,239 written to the UART.
1177 00:43:20,240 --> 00:43:21,240 And 1178 00:43:22,400 --> 00:43:24,319 then I needed to service the watchdog, 1179 00:43:24,320 --> 00:43:27,289 otherwise it would reset after a while. 1180 00:43:27,290 --> 00:43:29,089 So I used the destination for the 1181 00:43:29,090 --> 00:43:31,849 watchdog register and 1182 00:43:31,850 --> 00:43:33,649 the watchdog value in 1183 00:43:33,650 --> 00:43:34,900 registers four and five. 1184 00:43:36,410 --> 00:43:38,759 So the payload is actually pretty small. 1185 00:43:38,760 --> 00:43:41,119 Um, I do some chunks, 1186 00:43:41,120 --> 00:43:43,639 uh, chunks of four kilobytes, 1187 00:43:43,640 --> 00:43:45,739 and afterwards, after each chunk, I 1188 00:43:45,740 --> 00:43:48,299 poke the watchdog. Um, 1189 00:43:48,300 --> 00:43:50,699 some length checking is in place after the, 1190 00:43:50,700 --> 00:43:52,789 um, to find out if 1191 00:43:52,790 --> 00:43:54,889 I have reached the end of the flash, and 1192 00:43:54,890 --> 00:43:56,669 once I reach the end of the flash, 1193 00:43:56,670 --> 00:43:58,669 um, yeah, 1194 00:43:58,670 --> 00:44:00,829 it's, um, here is 1195 00:44:00,830 --> 00:44:03,289 an endless loop, uh, jump to done. 1196 00:44:03,290 --> 00:44:05,869 This instruction is missing on the slide, 1197 00:44:05,870 --> 00:44:08,389 I can see. 1198 00:44:08,390 --> 00:44:10,309 So I simply let the watchdog expire and 1199 00:44:10,310 --> 00:44:12,349 the Dash button will shut down again to 1200 00:44:12,350 --> 00:44:13,350 save the battery. 1201 00:44:14,510 --> 00:44:16,010 I have a demo video of this.
1202 00:44:20,350 --> 00:44:21,350 So 1203 00:44:23,380 --> 00:44:26,349 here I have the Dash button opened with 1204 00:44:26,350 --> 00:44:28,509 the serial cable connected, 1205 00:44:28,510 --> 00:44:30,669 and one 1206 00:44:30,670 --> 00:44:32,469 cannot really see this very well, but 1207 00:44:32,470 --> 00:44:34,689 this is the audio plug from 1208 00:44:34,690 --> 00:44:37,009 your phone or from your 1209 00:44:37,010 --> 00:44:38,049 headphones. 1210 00:44:38,050 --> 00:44:40,179 And, um, here I 1211 00:44:40,180 --> 00:44:42,249 made, uh, a tiny 1212 00:44:42,250 --> 00:44:44,469 script. Um, the script, 1213 00:44:44,470 --> 00:44:46,659 I can give it some assembly instructions 1214 00:44:46,660 --> 00:44:49,239 and it generates some audio 1215 00:44:49,240 --> 00:44:51,069 that includes these assembler instructions 1216 00:44:51,070 --> 00:44:53,079 and the complete exploit. 1217 00:44:53,080 --> 00:44:55,149 And, um, here in the 1218 00:44:55,150 --> 00:44:57,219 background, you can see the serial 1219 00:44:57,220 --> 00:44:58,630 output of the Dash button. 1220 00:45:00,100 --> 00:45:02,229 I put it through a filter to strip away 1221 00:45:02,230 --> 00:45:04,299 my private secret keys and so 1222 00:45:04,300 --> 00:45:06,669 on. And, um, yeah. 1223 00:45:06,670 --> 00:45:09,249 Then I simply enter configuration mode 1224 00:45:09,250 --> 00:45:11,379 and, um, invoke my script, 1225 00:45:11,380 --> 00:45:13,959 which generates the audio file and, 1226 00:45:13,960 --> 00:45:16,359 um, plays it using the headphones. 1227 00:45:16,360 --> 00:45:18,429 So let's try this. 1228 00:45:18,430 --> 00:45:20,349 This is the normal output from the Dash 1229 00:45:20,350 --> 00:45:22,419 button here, and now it's in 1230 00:45:22,420 --> 00:45:23,639 configuration mode. 1231 00:45:23,640 --> 00:45:25,239 Here starts my script, and, 1232 00:45:27,040 --> 00:45:29,379 uh, it's dumping all the flash.
1233 00:45:29,380 --> 00:45:31,539 So, um, this takes a bit because 1234 00:45:31,540 --> 00:45:33,710 it's half a megabyte. 1235 00:45:40,820 --> 00:45:43,309 So, um, yeah, the, 1236 00:45:43,310 --> 00:45:45,979 um, the audio was actually, 1237 00:45:45,980 --> 00:45:48,229 um, quite short. It 1238 00:45:48,230 --> 00:45:51,149 doesn't really have to... you don't need... 1239 00:45:51,150 --> 00:45:53,389 it gets repeated several times, 1240 00:45:53,390 --> 00:45:55,699 so one of those packets 1241 00:45:55,700 --> 00:45:57,259 is correctly received. 1242 00:45:57,260 --> 00:45:59,929 Um, the internal speakers 1243 00:45:59,930 --> 00:46:00,989 work as well. 1244 00:46:00,990 --> 00:46:03,349 I even thought about building a YouTube 1245 00:46:03,350 --> 00:46:04,499 video for this. 1246 00:46:04,500 --> 00:46:06,859 Um, yeah, but 1247 00:46:06,860 --> 00:46:08,329 well, it works so far. 1248 00:46:08,330 --> 00:46:10,459 And now the question 1249 00:46:10,460 --> 00:46:12,469 is how to proceed. 1250 00:46:12,470 --> 00:46:14,839 So eventually Amazon will probably 1251 00:46:14,840 --> 00:46:16,939 fix this with an OTA update. 1252 00:46:16,940 --> 00:46:19,009 And, um, the thing 1253 00:46:19,010 --> 00:46:22,219 is, they cannot update current buttons 1254 00:46:22,220 --> 00:46:24,469 unless the server can reach 1255 00:46:24,470 --> 00:46:26,599 them. So, um, 1256 00:46:26,600 --> 00:46:29,059 if you want to exploit your button and, 1257 00:46:29,060 --> 00:46:30,060 um, 1258 00:46:31,000 --> 00:46:33,549 yeah, you want to reprogram 1259 00:46:33,550 --> 00:46:35,979 it some way, um, 1260 00:46:35,980 --> 00:46:38,049 you should deregister it from the 1261 00:46:38,050 --> 00:46:40,299 server, so if you press it, 1262 00:46:40,300 --> 00:46:42,579 it cannot get the update 1263 00:46:42,580 --> 00:46:43,580 accidentally. 1264 00:46:44,950 --> 00:46:47,109 Now, the thing is, clearing the security 1265 00:46:47,110 --> 00:46:49,269 bit without an erase doesn't work.
1266 00:46:49,270 --> 00:46:51,339 So I cannot use 1267 00:46:51,340 --> 00:46:52,749 this exploit to simply clear the 1268 00:46:52,750 --> 00:46:54,909 security bit. But, um, 1269 00:46:54,910 --> 00:46:57,159 it might be possible to trigger 1270 00:46:57,160 --> 00:46:58,809 a full erase using software. 1271 00:46:58,810 --> 00:47:00,789 I haven't tried this yet. 1272 00:47:00,790 --> 00:47:03,069 Um, and otherwise we would need 1273 00:47:03,070 --> 00:47:05,469 some sort of multi-stage loader, um, 1274 00:47:05,470 --> 00:47:07,569 to rewrite the flash with a 1275 00:47:07,570 --> 00:47:09,369 custom firmware. 1276 00:47:09,370 --> 00:47:11,499 Um, you can grab the stuff I 1277 00:47:11,500 --> 00:47:13,719 did so far here from the, um, 1278 00:47:13,720 --> 00:47:15,309 the repository. 1279 00:47:15,310 --> 00:47:18,279 There's also the, um, disassembly 1280 00:47:18,280 --> 00:47:20,379 annotations, um, file 1281 00:47:20,380 --> 00:47:21,489 in there. 1282 00:47:21,490 --> 00:47:23,439 And, um, yeah. 1283 00:47:23,440 --> 00:47:25,569 It's also linked... uh, 1284 00:47:25,570 --> 00:47:27,849 there's also a link on the page. 1285 00:47:27,850 --> 00:47:30,189 And, um, well, I'm, 1286 00:47:30,190 --> 00:47:32,319 I'm not really sure if I will do some 1287 00:47:32,320 --> 00:47:33,969 further work on this thing. 1288 00:47:33,970 --> 00:47:36,189 Um, so if you want to carry 1289 00:47:36,190 --> 00:47:38,259 on, contact me and I will happily 1290 00:47:38,260 --> 00:47:39,599 help. Yeah. 1291 00:47:39,600 --> 00:47:41,979 Um, you can contact me using 1292 00:47:41,980 --> 00:47:45,519 these, um, credentials, 1293 00:47:45,520 --> 00:47:46,959 and, um, 1294 00:47:46,960 --> 00:47:49,449 yeah, well, that concludes my talk 1295 00:47:49,450 --> 00:47:50,829 for now. 1296 00:47:50,830 --> 00:47:52,179 Um, so. 1297 00:47:53,890 --> 00:47:55,809 We'll get to the questions.
1298 00:48:06,910 --> 00:48:08,979 So, same procedure as 1299 00:48:08,980 --> 00:48:11,319 everywhere: if you have questions, 1300 00:48:11,320 --> 00:48:13,419 please come up to one of the microphones. 1301 00:48:13,420 --> 00:48:15,339 We have them here. 1302 00:48:15,340 --> 00:48:18,159 So the way should never be too 1303 00:48:18,160 --> 00:48:20,169 far. Yes, we have our first question. 1304 00:48:20,170 --> 00:48:22,149 Microphone number one, please. 1305 00:48:22,150 --> 00:48:23,739 Oh, first off, good work. 1306 00:48:23,740 --> 00:48:24,999 That's quite impressive, 1307 00:48:25,000 --> 00:48:27,549 just to get code execution on it. 1308 00:48:27,550 --> 00:48:29,469 The only question I have is how did you 1309 00:48:29,470 --> 00:48:32,229 manage to solder those tiny, tiny wires, 1310 00:48:32,230 --> 00:48:34,839 like the spyglass and everything else? 1311 00:48:34,840 --> 00:48:36,429 Yeah, well, one by one. 1312 00:48:38,410 --> 00:48:39,410 It's... 1313 00:48:43,640 --> 00:48:45,829 I usually put my finger above the 1314 00:48:45,830 --> 00:48:48,439 ones I already have, and then 1315 00:48:48,440 --> 00:48:50,599 I try to tip the next one 1316 00:48:50,600 --> 00:48:53,389 just briefly without 1317 00:48:53,390 --> 00:48:55,399 touching the other ones. 1318 00:48:55,400 --> 00:48:57,559 And, um, yeah, and 1319 00:48:57,560 --> 00:48:59,789 I keep the other ones pressed on with 1320 00:48:59,790 --> 00:49:00,919 the finger. 1321 00:49:00,920 --> 00:49:03,679 And that's basically the magic. 1322 00:49:03,680 --> 00:49:05,959 Um, what diameter wire did 1323 00:49:05,960 --> 00:49:08,269 you use? Is that magnet wire? Zero 1324 00:49:08,270 --> 00:49:10,129 point one millimeters. 1325 00:49:10,130 --> 00:49:10,549 Thank you. 1326 00:49:10,550 --> 00:49:12,739 So, OK, we have a question from 1327 00:49:12,740 --> 00:49:13,909 the Internet. 1328 00:49:13,910 --> 00:49:15,619 Yes. Thank you. 1329 00:49:15,620 --> 00:49:17,269 First, thanks for the talk.
1330 00:49:17,270 --> 00:49:18,709 Excellent. Good job. 1331 00:49:18,710 --> 00:49:21,379 Um, what was the disassembler you used? 1332 00:49:21,380 --> 00:49:23,119 I don't know. OK, yeah. 1333 00:49:25,570 --> 00:49:28,569 Microphone number four. Good talk, 1334 00:49:28,570 --> 00:49:31,359 just a question: how long did it take 1335 00:49:31,360 --> 00:49:33,159 to reverse engineer everything 1336 00:49:33,160 --> 00:49:36,219 and get the results you presented? 1337 00:49:36,220 --> 00:49:38,139 Days, weeks, months? 1338 00:49:38,140 --> 00:49:40,299 Um, yeah, that's a good question. 1339 00:49:40,300 --> 00:49:42,669 And, um, I don't really keep 1340 00:49:42,670 --> 00:49:44,799 track of time when I do these things 1341 00:49:44,800 --> 00:49:47,169 for my hobby, because 1342 00:49:47,170 --> 00:49:49,479 while some guys buy 1343 00:49:49,480 --> 00:49:51,559 a cinema ticket for 1344 00:49:51,560 --> 00:49:53,859 about ten euros and get 1345 00:49:53,860 --> 00:49:55,929 90 minutes of fun, the 1346 00:49:55,930 --> 00:49:58,329 Dash button is four, five, and I have 1347 00:49:58,330 --> 00:50:00,699 plenty of weekends, so... 1348 00:50:06,900 --> 00:50:08,969 Actually, it wasn't really 1349 00:50:08,970 --> 00:50:10,679 that hard because there were some 1350 00:50:10,680 --> 00:50:12,779 assertions in the code, and there are 1351 00:50:12,780 --> 00:50:15,119 several assertions, so you can 1352 00:50:15,120 --> 00:50:18,029 get the function names quite easily and 1353 00:50:18,030 --> 00:50:19,889 then put it all together somehow. 1354 00:50:19,890 --> 00:50:21,330 OK, thanks. 1355 00:50:23,390 --> 00:50:25,789 Up there, there's a question. Yes, yes. 1356 00:50:25,790 --> 00:50:28,129 Um, so in the beginning, there was a time 1357 00:50:28,130 --> 00:50:30,149 stamp. Did I see that correctly?
1358 00:50:30,150 --> 00:50:32,629 That was a four-byte timestamp, 1359 00:50:32,630 --> 00:50:34,159 that I know, so around two thousand thirty- 1360 00:50:34,160 --> 00:50:35,160 eight. 1361 00:50:35,970 --> 00:50:38,179 Yeah, well, 1362 00:50:38,180 --> 00:50:40,399 yeah, I have no idea what 1363 00:50:40,400 --> 00:50:41,479 happens then. 1364 00:50:41,480 --> 00:50:43,549 Maybe they will issue a firmware update 1365 00:50:43,550 --> 00:50:45,059 or something like that. 1366 00:50:45,060 --> 00:50:47,479 Um, also, um, 1367 00:50:47,480 --> 00:50:49,639 the certificates are stored in the 1368 00:50:49,640 --> 00:50:51,979 Wi-Fi controller, so they probably 1369 00:50:51,980 --> 00:50:54,229 need to update the certificates 1370 00:50:54,230 --> 00:50:56,429 from time to time, and they 1371 00:50:56,430 --> 00:50:58,519 would probably do this with an OTA update 1372 00:50:58,520 --> 00:51:00,739 as well. Um, I 1373 00:51:00,740 --> 00:51:02,509 just thought that was terribly sloppy of 1374 00:51:02,510 --> 00:51:03,510 them. 1375 00:51:03,750 --> 00:51:04,750 Uh. 1376 00:51:07,570 --> 00:51:09,799 And number four. Yeah, 1377 00:51:09,800 --> 00:51:11,899 great work. I tried to dump the 1378 00:51:11,900 --> 00:51:14,149 firmware using a power line attack, 1379 00:51:14,150 --> 00:51:15,859 but I had no luck. 1380 00:51:15,860 --> 00:51:17,059 So I have a question. 1381 00:51:17,060 --> 00:51:19,099 Do you have any idea what the connection 1382 00:51:19,100 --> 00:51:21,869 to the Bluetooth module is used for?
1383 00:51:21,870 --> 00:51:24,859 Um, well, I 1384 00:51:24,860 --> 00:51:26,989 thought maybe they are using it in the 1385 00:51:26,990 --> 00:51:29,299 iOS app, um, but I 1386 00:51:29,300 --> 00:51:31,399 do not have an iOS device, so 1387 00:51:31,400 --> 00:51:33,859 I cannot confirm. Or, 1388 00:51:33,860 --> 00:51:36,799 um, this, um, 1389 00:51:36,800 --> 00:51:39,169 they do talk to the Bluetooth 1390 00:51:39,170 --> 00:51:41,359 chip a bit, and they check 1391 00:51:41,360 --> 00:51:43,159 if it's there. So, um, once I 1392 00:51:43,160 --> 00:51:44,989 disconnected it, the firmware didn't come 1393 00:51:44,990 --> 00:51:47,179 up, but I didn't have a closer look 1394 00:51:47,180 --> 00:51:48,639 at, uh, what's going on there. 1395 00:51:48,640 --> 00:51:50,719 OK, so the Android 1396 00:51:50,720 --> 00:51:53,029 app doesn't make use of the Bluetooth 1397 00:51:53,030 --> 00:51:54,030 Low Energy. 1398 00:51:55,490 --> 00:51:57,229 OK, OK, we have another question from the 1399 00:51:57,230 --> 00:51:58,219 Internet. 1400 00:51:58,220 --> 00:52:00,049 Yes. Do you think it's possible to 1401 00:52:00,050 --> 00:52:02,479 install an operating system like Linux 1402 00:52:02,480 --> 00:52:03,089 on the button? 1403 00:52:03,090 --> 00:52:05,509 No. Um, that's 1404 00:52:05,510 --> 00:52:07,399 the difference between a 1405 00:52:07,400 --> 00:52:10,159 microcontroller and a CPU: 1406 00:52:10,160 --> 00:52:12,259 the, uh, memory management 1407 00:52:12,260 --> 00:52:14,449 unit. And the microcontroller 1408 00:52:14,450 --> 00:52:16,549 does not have, um, a, 1409 00:52:16,550 --> 00:52:18,889 uh, memory management unit. 1410 00:52:18,890 --> 00:52:20,959 Basically, one could try 1411 00:52:20,960 --> 00:52:23,299 µClinux, uClinux.
1412 00:52:23,300 --> 00:52:25,549 Um, but I don't think, um, 1413 00:52:25,550 --> 00:52:27,739 one hundred and sixty 1414 00:52:27,740 --> 00:52:29,899 kilobytes of RAM are sufficient for this 1415 00:52:29,900 --> 00:52:31,999 either. So there are plenty 1416 00:52:32,000 --> 00:52:34,309 of, um, tiny, um, 1417 00:52:34,310 --> 00:52:36,409 real-time operating systems, open 1418 00:52:36,410 --> 00:52:39,379 source, um, one could use, you know, 1419 00:52:39,380 --> 00:52:40,380 but not Linux. 1420 00:52:42,750 --> 00:52:45,659 OK, thank you very much. 1421 00:52:45,660 --> 00:52:47,309 Please give him another round of 1422 00:52:47,310 --> 00:52:48,310 applause.