Ep. 0 - Reverse Engineering Plus Plus
Show Notes
INTROS
Who We Are
TALK ABOUT POTENTIAL FORMATTING OF THE SHOW
Some honesty about it not really being settled yet.
Reverse engineering plus plus: low-level electronics, computer programming, software-defined radio, who knows -- 3d printing, materials properties++
What is the formatting? Envision a few different ones:
Aaron/Dell talk shop
Where either of us comes in and shares a tidbit or nugget. Possibly with live streams or video
Interviews with people (coming up with a dream sheet)
Sidebars during this portion
TALKING SHOP
Some favorite tooling:
Hardware
Cyphunk Gitlab
Software.
GDB with gef. Dennis Yurichev's beginners.re
IDA pro
C++ OOAnalyzer
IDR (Interactive Delphi Reconstructor, decompiler)
Quick Primer on JTAG
RE of a device starts with being able to trace pins to a CPU and see whether you can find the data sheet. Without documentation there is no easy way to know what connects to what and which pins are where, particularly on a board with more than 2 layers. You can use a multimeter, but it drives a certain voltage in order to measure resistance or continuity, and this can be more than the components you're poking can handle, so be careful. For a pin that you trace to a via (a hole in the PCB that connects layers), set your multimeter to ohms (or continuity/beep mode if it has one), connect one probe to the pin you want to investigate, and probe other vias to try. If you hear a beep or see no resistance you have a connection (sometimes a little resistance is expected).
But outside of that, if you can find JTAG you can move more quickly. JTAG stands for Joint Test Action Group; the idea of JTAG is to be able to test a chip after manufacturing to determine whether there are flaws. It uses a 4+ pin serial interface and is sort of like SPI. The most common JTAG pins are TMS, TCK, TDO, and TDI.
JTAG is a state machine with two chains (data register and instruction register). TMS controls movement between states. All actions take place on the rising edge of the TCK input. The entire chain can act like one big shift register. Something is always clocked out of the TDO line but might not be.
Now if you have a USB Blaster, Xilinx DLC9G, Bus Pirate, etc. you can rely on their clock speed/tooling to interact. The Altera USB Blaster seems to be among the most widely supported JTAG programmers for free tools.
There are 3 required JTAG instructions (all fall under "boundary scan"): EXTEST (meant for testing connections between devices), PRELOAD/SAMPLE (the chip runs like normal, but you can load data into the chain that can later be applied to the IO bits with EXTEST (PRELOAD), or you can grab the current value of the IO pins (SAMPLE)), and BYPASS (skip this device). Different vendors support more advanced commands, and for these you typically need the BSDL. Things like the JTAGulator have a big db of common ones.
BYPASS is important because devices can be chained. JTAG is very SPI-like. When you have multiple devices chained then you need a way of letting one listen at a time. This is what BYPASS does: if a device is in BYPASS mode it just echoes what it reads in. If you clock in a pattern of bits you can measure the number of clocks it takes to get that pattern back, and that tells you how many devices there are in the chain.
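To make the state-machine description and the BYPASS chain-counting trick concrete, here is an added example (not from the show, and not any programmer's real API): a toy model of the IEEE 1149.1 TAP controller driven by TMS on each TCK edge, plus a scan chain in which every device is in BYPASS and so contributes one 1-bit register between TDI and TDO. The `Tap`, `BypassChain` and `count_devices` names are constructed for this illustration; the chain lengths used are made-up sample inputs.

```python
"""Toy JTAG model: TAP controller state machine + BYPASS chain counting.
Added example for illustration; Tap/BypassChain/count_devices are
constructed names, not a real JTAG programmer library."""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# IEEE 1149.1 TAP controller. next_state = TRANSITIONS[state][tms]
# (index 0 = TMS low, index 1 = TMS high, sampled on the TCK rising edge).
TRANSITIONS = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


class Tap:
    """TMS decides the next state; nothing happens except on a TCK edge."""

    def __init__(self) -> None:
        self.state = "TEST_LOGIC_RESET"

    def clock(self, tms: int) -> str:
        """One rising edge of TCK with TMS at the given level."""
        self.state = TRANSITIONS[self.state][tms & 1]
        return self.state

    def walk(self, tms_bits: Iterable[int]) -> str:
        """Apply a TMS bit sequence, one bit per TCK edge."""
        for bit in tms_bits:
            self.clock(bit)
        return self.state


@dataclass
class BypassChain:
    """Scan path with every device in BYPASS: each is a 1-bit register.
    regs[0] sits next to TDI, regs[-1] drives TDO. An empty list models
    an open TDO line that never returns anything."""
    regs: List[int]

    def shift(self, tdi: int) -> int:
        """One TCK edge in SHIFT_DR: returns the bit that appears on TDO."""
        if not self.regs:
            return 0
        tdo = self.regs[-1]
        self.regs = [tdi & 1] + self.regs[:-1]
        return tdo


def scan_dr(tap: Tap, chain: BypassChain, tdi_bits: Iterable[int]) -> List[int]:
    """Shift bits through the chain; only legal while the TAP is in SHIFT_DR."""
    if tap.state != "SHIFT_DR":
        raise RuntimeError(f"TAP is in {tap.state}, not SHIFT_DR")
    return [chain.shift(b) for b in tdi_bits]


def count_devices(chain: BypassChain, max_len: int = 64) -> Optional[int]:
    """Flush the chain with zeros, inject a single 1, then count how many
    TCK edges it takes for that 1 to come back out on TDO. With every
    device in BYPASS that count equals the number of devices. Returns
    None if nothing comes back within max_len clocks (open chain)."""
    for _ in range(max_len):
        chain.shift(0)
    chain.shift(1)
    for n in range(1, max_len + 1):
        if chain.shift(0) == 1:
            return n
    return None


if __name__ == "__main__":
    tap = Tap()
    # From reset: TMS 0,1,0,0 walks RTI -> SELECT_DR -> CAPTURE_DR -> SHIFT_DR
    print("state after 0,1,0,0:", tap.walk([0, 1, 0, 0]))
    chain = BypassChain([0, 0, 0])  # constructed: three devices in BYPASS
    print("TDO while shifting 1,0,0,0,0:", scan_dr(tap, chain, [1, 0, 0, 0, 0]))
    print("devices in chain:", count_devices(BypassChain([0, 0, 0])))
    # Five TMS highs from any state return the TAP to TEST_LOGIC_RESET
    print("after five 1s:", tap.walk([1, 1, 1, 1, 1]))
```

The `count_devices` probe is the BYPASS trick from the notes: a single 1 is the simplest "pattern", and because a device in BYPASS adds exactly one bit of delay, the number of clocks before it reappears is the chain length. The empty-chain case returns `None` rather than spinning, which is what you would want when a candidate TDO pin turns out not to be TDO at all.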
SAMPLE is also useful. It allows you to snoop on what is happening on the device's IO pins. Something like TopJTAG Probe gives a graphical representation of what's going on in the chip. You can even plot the values of the IO pins in a logic-analyzer-style view.
If you have all this you can start cooking with gas; it is especially useful with BGA packages that you can't attach to. Next you need to find out what you need to connect to.
MUSIC
Intro: Gvidon
Outro: Alex Grohl