1
00:00:00,000 --> 00:00:04,760
Yeah, it's because Bugcrowd doesn't know that I can hack hardware.

2
00:00:04,760 --> 00:00:07,400
I need to hit them up and be like, hey, by the way.

3
00:00:07,400 --> 00:00:09,720
Yeah, me, submits one bug a year on Bugcrowd.

4
00:00:09,720 --> 00:00:10,720
And it's like, who is this guy?

5
00:00:10,720 --> 00:00:11,720
Hardware, god.

6
00:00:11,720 --> 00:00:33,720
I didn't know.

7
00:00:33,720 --> 00:00:34,720
Yo yo yo, we're rolling.

8
00:00:34,720 --> 00:00:37,000
Yo yo, how's it going?

9
00:00:37,000 --> 00:00:38,000
Pretty good, dude.

10
00:00:38,000 --> 00:00:42,240
This past couple of weeks has been kind of crazy, but we're getting ready to kick off

11
00:00:42,240 --> 00:00:43,440
a live hacking event again.

12
00:00:43,440 --> 00:00:45,400
So it's not going to slow down, I don't think.

13
00:00:45,400 --> 00:00:47,400
Oh, dude, nonstop.

14
00:00:47,400 --> 00:00:49,160
It's like one thing to the next thing to the next thing.

15
00:00:49,160 --> 00:00:50,160
Yeah.

16
00:00:50,160 --> 00:00:53,000
Well, at least you got a week off last week from the pod.

17
00:00:53,000 --> 00:00:55,040
Yes, a little bit, barely.

18
00:00:55,040 --> 00:00:57,120
Yeah, you had crazy stuff going on though.

19
00:00:57,120 --> 00:00:59,120
So that's how it rolls.

20
00:00:59,120 --> 00:01:00,720
Yeah, yeah, yeah.

21
00:01:00,720 --> 00:01:01,720
All right.

22
00:01:01,720 --> 00:01:03,600
Yeah, let's check out the new stuff for the day.

23
00:01:03,600 --> 00:01:08,760
First, first up on the docket was NahamCon, who are sponsoring this episode.

24
00:01:08,760 --> 00:01:10,120
So thank you, NahamCon.

25
00:01:10,120 --> 00:01:15,360
Just wanted to give them a shout out and say, I'm going to be speaking there on the Saturday

26
00:01:15,360 --> 00:01:17,840
slot at 1220.

27
00:01:17,840 --> 00:01:24,880
And I'm going to be giving a presentation on PCI DSS, which is essentially payment card

28
00:01:24,880 --> 00:01:32,100
stuff and how pretty much every single website that we've seen is vulnerable to some sort

29
00:01:32,100 --> 00:01:39,440
of trickery in this area due to the way that the DSS recommended structure is.

30
00:01:39,440 --> 00:01:43,280
So there's going to be some really, really awesome content in that that will drop.

31
00:01:43,280 --> 00:01:46,760
So definitely don't miss that on Saturday at 12 PM PST.

32
00:01:46,760 --> 00:01:49,800
Yeah, dude, I'm really looking forward to that.

33
00:01:49,800 --> 00:01:55,880
I know that Naham always has amazing people on for his con and just for his show in general

34
00:01:55,880 --> 00:01:57,520
and all the content that he makes.

35
00:01:57,520 --> 00:01:59,040
But yeah, it's super awesome.

36
00:01:59,040 --> 00:02:01,280
I'm super stoked to see what you talk about there.

37
00:02:01,280 --> 00:02:05,120
I think the con in particular, I think is one of the best structured ones

38
00:02:05,120 --> 00:02:10,840
for Bug Bounty Hunters because Ben just has such a good network in the Bug Bounty Hunter

39
00:02:10,840 --> 00:02:14,160
field that he can put together a bunch of people that really know what they're talking

40
00:02:14,160 --> 00:02:16,840
about and have differing expertise to share.

41
00:02:16,840 --> 00:02:22,160
I was looking at the lineup and there's a bunch of eclectic hacking styles and you've

42
00:02:22,160 --> 00:02:28,400
got people from influencers like STÖK all the way down to people like Douglas Day that

43
00:02:28,400 --> 00:02:31,960
just really get in the requests every single time.

44
00:02:31,960 --> 00:02:35,720
So it's really cool to see the whole gamut being run there.

45
00:02:35,720 --> 00:02:38,760
Yeah, it should be awesome.

46
00:02:38,760 --> 00:02:39,760
Yeah.

47
00:02:39,760 --> 00:02:40,880
Oh man.

48
00:02:40,880 --> 00:02:45,560
The next item on the news list makes me so sad, man.

49
00:02:45,560 --> 00:02:49,520
On Twitter, you see Gareth Heyes talk about JavaScript stuff all the time and he's one

50
00:02:49,520 --> 00:02:54,840
of those people that you can just feel the passion when he talks about JavaScript.

51
00:02:54,840 --> 00:03:00,520
He just freaking loves JavaScript and he tweeted out earlier this week and I threw it on the

52
00:03:00,520 --> 00:03:06,520
list that his favorite XSS vector is going to stop working, I think, is it like November

53
00:03:06,520 --> 00:03:08,720
when they're going to deprecate it?

54
00:03:08,720 --> 00:03:11,600
Yeah, I didn't catch the exact date.

55
00:03:11,600 --> 00:03:15,520
Yeah, Chrome 119 November 2023.

56
00:03:15,520 --> 00:03:21,680
They're going to deprecate data URLs inside of the use element in SVGs.

57
00:03:21,680 --> 00:03:22,680
Yeah.

58
00:03:22,680 --> 00:03:26,440
So for those who aren't aware, this is basically one of the really common ways that you would

59
00:03:26,440 --> 00:03:32,360
pop an XSS within an SVG, not just like SVG onerror or onload or whatever, but within

60
00:03:32,360 --> 00:03:38,960
the SVG element itself, you can include stuff like, well, with this use element, you can

61
00:03:38,960 --> 00:03:40,680
use different things.

62
00:03:40,680 --> 00:03:43,240
I think it's meant to take a bunch of different data types.

63
00:03:43,240 --> 00:03:50,920
Yeah, it uses a data URL here and uses that within the SVG itself, but it seems like they

64
00:03:50,920 --> 00:04:01,160
want to have that piece, that data element removed from the SVG use element and that

65
00:04:01,160 --> 00:04:06,160
would result in, I guess, potentially you could still load it externally, but then you've

66
00:04:06,160 --> 00:04:08,160
got CSP stuff that you're going to run into.

67
00:04:08,160 --> 00:04:10,520
So it's a double edged sword there.

68
00:04:10,520 --> 00:04:16,720
Yeah, I know there are a couple other vectors and looking at the Web Security Academy on

69
00:04:16,720 --> 00:04:22,040
PortSwigger, there's these ones that use animate inside of SVG.

70
00:04:22,040 --> 00:04:24,440
Oh yeah, I've seen that.

71
00:04:24,440 --> 00:04:28,040
Some of them do use that use element, but not all of them do.

72
00:04:28,040 --> 00:04:31,240
So I'm wondering if that will still be a valid attack vector.

73
00:04:31,240 --> 00:04:37,040
Yeah, I mean, as long as it's not, because the use element is still staying, it's just

74
00:04:37,040 --> 00:04:42,520
that the data URL inside of the use element is kind of going away.

75
00:04:42,520 --> 00:04:46,960
And I think I'm looking at the reason for removal and it looks like it's largely because

76
00:04:46,960 --> 00:04:51,000
of the sort of same origin issue that's going on there.

77
00:04:51,000 --> 00:04:53,840
So sad to see that go, but really cool vector.

78
00:04:53,840 --> 00:05:00,200
And I'd always love to see Gareth Heyes talking about XSS stuff.

79
00:05:00,200 --> 00:05:04,160
He's one of the people that I do have notifications turned on for, tweet notifications turned

80
00:05:04,160 --> 00:05:07,480
on for, because every single time it's super high quality research.

81
00:05:07,480 --> 00:05:09,480
And I really appreciate that.

82
00:05:09,480 --> 00:05:10,480
Yeah, yeah, yeah.

83
00:05:10,480 --> 00:05:11,480
His book is amazing too.

84
00:05:11,480 --> 00:05:16,240
Yeah, I mean, he's just like, he's such a JavaScript fanatic, you know?

85
00:05:16,240 --> 00:05:18,320
It's like all he does, it's like his main focus.

86
00:05:18,320 --> 00:05:22,080
So he's one of those people that has so much insight about the nuance about what's going

87
00:05:22,080 --> 00:05:23,080
on.

88
00:05:23,080 --> 00:05:29,320
So anything that you can do to consume Gareth's knowledge is something I would recommend.

89
00:05:29,320 --> 00:05:35,040
And I love that little, I love that he wrote a little book too.

90
00:05:35,040 --> 00:05:39,680
I feel like that's something that people that specialize in the industry, it's really handy

91
00:05:39,680 --> 00:05:40,960
because the book is not long.

92
00:05:40,960 --> 00:05:47,240
It's not very hard to consume, but it outlines all of this cool shit that he has in his brain

93
00:05:47,240 --> 00:05:49,440
that otherwise we wouldn't have access to.

94
00:05:49,440 --> 00:05:54,380
And so I definitely endorse that method, not only just for knowledge sharing reasons, but

95
00:05:54,380 --> 00:05:58,280
also just for, it's a great thing to do when you're a specialist.

96
00:05:58,280 --> 00:06:02,560
Take the, however long it takes, do a little brain dump on this topic that you're just

97
00:06:02,560 --> 00:06:04,860
a super expert at and put it out there.

98
00:06:04,860 --> 00:06:09,720
And now you've got a product that you can, you're getting reoccurring income from, and

99
00:06:09,720 --> 00:06:12,680
you're also sharing that knowledge with a large community.

100
00:06:12,680 --> 00:06:14,000
Excuse me.

101
00:06:14,000 --> 00:06:16,400
So that's really, I really respect that.

102
00:06:16,400 --> 00:06:18,240
Yeah, for sure.

103
00:06:18,240 --> 00:06:20,640
And we've talked about this as well in the past.

104
00:06:20,640 --> 00:06:23,680
Any type of the, it doesn't have to be groundbreaking research, right?

105
00:06:23,680 --> 00:06:28,900
But any of that knowledge sharing type content is really amazing for building out the community

106
00:06:28,900 --> 00:06:32,440
and just helping other hackers learn and get better and helping secure everything as a

107
00:06:32,440 --> 00:06:33,440
whole.

108
00:06:33,440 --> 00:06:34,440
Works.

109
00:06:34,440 --> 00:06:37,840
Sometimes it ends up being one of these things where eventually the browsers will come and

110
00:06:37,840 --> 00:06:40,720
they'll patch something that shouldn't behave that way or whatever.

111
00:06:40,720 --> 00:06:45,240
But like, okay, yeah, that sucks for us as hackers, but it's good for security as a whole.

112
00:06:45,240 --> 00:06:48,040
And I think that insight is valuable regardless.

113
00:06:48,040 --> 00:06:49,040
Yeah, dude.

114
00:06:49,040 --> 00:06:50,040
It makes me think of that.

115
00:06:50,040 --> 00:06:54,040
Man, did we cover it on the pod or did it just make it into the news list?

116
00:06:54,040 --> 00:06:58,680
But it makes me remember this one at a live time at a live hacking event.

117
00:06:58,680 --> 00:07:06,320
There's this guy, BitK, that showed me this way that you can exfiltrate data via fetch.

118
00:07:06,320 --> 00:07:14,160
And what you do is you get it cached and then you say, hey, you force fetch to use cache.

119
00:07:14,160 --> 00:07:18,120
And it was like, at the time it was just like, oh, this is totally amazing because you could

120
00:07:18,120 --> 00:07:24,240
get a cookie, you could get a cookie to get the data and then it would cache the response.

121
00:07:24,240 --> 00:07:28,280
And then you could send the fetch request without the cookie with caching, pull from

122
00:07:28,280 --> 00:07:29,920
the cache set to mandatory.

123
00:07:29,920 --> 00:07:31,200
And then it would pull the results back.

124
00:07:31,200 --> 00:07:33,640
And it was just like, man, this is such a genius method.

125
00:07:33,640 --> 00:07:34,640
And so-

126
00:07:34,640 --> 00:07:35,640
That's really smart.

127
00:07:35,640 --> 00:07:40,680
It's sad because those methods get deleted as soon as they become popular.

128
00:07:40,680 --> 00:07:46,560
But if you're lucky enough to have met a great researcher at a live hacking event or at networking,

129
00:07:46,560 --> 00:07:50,440
sometimes you can pick up these little tidbits that will really help you pop some crazy bugs

130
00:07:50,440 --> 00:07:51,440
during engagements.

131
00:07:51,440 --> 00:07:53,440
Yeah, yeah, for sure.

132
00:07:53,440 --> 00:07:57,040
Did you hear about this MOVEit, the MOVEit vulnerability?

133
00:07:57,040 --> 00:07:58,880
Oh my gosh, yeah.

134
00:07:58,880 --> 00:08:01,320
It's hard to not have heard of that, man.

135
00:08:01,320 --> 00:08:03,280
Twitter's kind of blowing up about it.

136
00:08:03,280 --> 00:08:04,640
Yeah, yeah.

137
00:08:04,640 --> 00:08:09,720
So I was reading about this and it's this file transfer app, right?

138
00:08:09,720 --> 00:08:10,720
Yeah, yeah.

139
00:08:10,720 --> 00:08:11,720
Yeah, that was my understanding.

140
00:08:11,720 --> 00:08:16,320
I hadn't actually heard of this before, like MOVEit, until the vulnerability.

141
00:08:16,320 --> 00:08:19,160
They were saying it's all over the place, but I actually hadn't seen it very much.

142
00:08:19,160 --> 00:08:22,840
I wonder actually how much net presence it does have.

143
00:08:22,840 --> 00:08:25,400
Yeah, yeah, it was super interesting.

144
00:08:25,400 --> 00:08:28,600
So I wasn't sure.

145
00:08:28,600 --> 00:08:34,440
They said that Huntress, is that who owns it or is that the people who found-

146
00:08:34,440 --> 00:08:38,040
I think that's John Hammond did some work with them.

147
00:08:38,040 --> 00:08:43,480
And I think he sort of did this whole, I guess sort of, I don't know if this is like an incident

148
00:08:43,480 --> 00:08:44,480
response.

149
00:08:44,480 --> 00:08:47,920
Yeah, they call it rapid response to this sort of vulnerability.

150
00:08:47,920 --> 00:08:53,480
And I thought this was really cool because, you know, even, and I also linked that and

151
00:08:53,480 --> 00:08:56,680
the click the Twitter link in the doc right below that Joel.

152
00:08:56,680 --> 00:08:58,800
Like I love to see this sort of thing.

153
00:08:58,800 --> 00:09:02,920
John is like out there at 4 a.m. tweeting like, oh man, I can't figure out like, oh,

154
00:09:02,920 --> 00:09:03,920
is this it?

155
00:09:03,920 --> 00:09:07,560
I'm putting screenshots of code and I just, you know, I read through that whole thread

156
00:09:07,560 --> 00:09:11,280
and I was like, man, this is why, you know, he rocks.

157
00:09:11,280 --> 00:09:15,920
This is why, you know, if you can come into this with this much passion where you're up

158
00:09:15,920 --> 00:09:21,920
at like 4 a.m. like, you know, really just trying to grind out this POC because what

159
00:09:21,920 --> 00:09:28,160
he was trying to do was reverse the POC, you know, reverse the flow from, I guess it looked

160
00:09:28,160 --> 00:09:36,080
like in the beginning all he had was a packet cap or like a like a log of the various endpoints

161
00:09:36,080 --> 00:09:37,080
that they hit.

162
00:09:37,080 --> 00:09:41,000
So, you know, if you click that that image at the top of the tweet, it's like, you know,

163
00:09:41,000 --> 00:09:46,120
it hit MOVEitISAPI.dll and then it hits a couple other things.

164
00:09:46,120 --> 00:09:50,480
And so he's trying to like follow that flow and figure out how they ended up popping

165
00:09:50,480 --> 00:09:52,400
the shell.

166
00:09:52,400 --> 00:09:57,520
So yeah, it's it's amazing to see, you know, when people are that into it and that like

167
00:09:57,520 --> 00:10:01,440
enthralled and then they look up it's like 4 a.m. and you're like, ah, what the heck?

168
00:10:01,440 --> 00:10:02,440
Yeah.

169
00:10:02,440 --> 00:10:03,440
Yeah, no, that's awesome.

170
00:10:03,440 --> 00:10:05,040
Yeah, it actually looks like he works.

171
00:10:05,040 --> 00:10:06,480
He's a researcher at Huntress.

172
00:10:06,480 --> 00:10:07,480
So yeah.

173
00:10:07,480 --> 00:10:08,480
Yeah.

174
00:10:08,480 --> 00:10:10,360
So super, super interesting.

175
00:10:10,360 --> 00:10:13,400
It sounds like they basically, yeah, like they got a packet capture or something like

176
00:10:13,400 --> 00:10:15,000
that.

177
00:10:15,000 --> 00:10:19,200
And so they started digging into it and trying to figure out like how it was working and

178
00:10:19,200 --> 00:10:20,200
the whole chain.

179
00:10:20,200 --> 00:10:24,000
And I don't want to like spoil all of this because I think it's worth reading.

180
00:10:24,000 --> 00:10:29,560
Yeah, they don't drop the full exploit either, which is, you know, for me, a little bit disappointing,

181
00:10:29,560 --> 00:10:33,040
but also, you know, totally reasonable, I think.

182
00:10:33,040 --> 00:10:35,600
Surely it's already somebody's already figured it out.

183
00:10:35,600 --> 00:10:36,600
Yeah.

184
00:10:36,600 --> 00:10:37,600
Yeah.

185
00:10:37,600 --> 00:10:38,600
So it's a really awesome.

186
00:10:38,600 --> 00:10:42,160
I feel like this would have fit perfectly with our source code analysis episodes that

187
00:10:42,160 --> 00:10:43,720
we just did.

188
00:10:43,720 --> 00:10:46,600
But yeah, this is one of those cases where you just do the deep dive.

189
00:10:46,600 --> 00:10:50,520
You keep digging, digging, going through rabbit holes, trying to figure out like, how does

190
00:10:50,520 --> 00:10:51,520
this code work?

191
00:10:51,520 --> 00:10:52,520
How does this code work?

192
00:10:52,520 --> 00:10:53,520
What is this code doing?

193
00:10:53,520 --> 00:10:55,720
And eventually you get to the root of it.

194
00:10:55,720 --> 00:10:58,680
And it's really awesome.

195
00:10:58,680 --> 00:11:02,840
It's a super interesting case study for sure in terms of like how something like this would

196
00:11:02,840 --> 00:11:05,360
work out in the wild.

197
00:11:05,360 --> 00:11:09,080
And I think that there's definitely some like learnings that you could pull away from like

198
00:11:09,080 --> 00:11:14,480
an organizational standpoint or how could you secure your org to protect against this

199
00:11:14,480 --> 00:11:17,400
like in the future, like what kinds of rules and stuff would you want to keep an eye out

200
00:11:17,400 --> 00:11:21,280
for other certain traffic patterns that you should be like looking out for that might

201
00:11:21,280 --> 00:11:23,880
have popped up if you were exploited by this, and stuff?

202
00:11:23,880 --> 00:11:29,440
Yeah, he adds like some YARA rules and like some indicators of compromise to the write

203
00:11:29,440 --> 00:11:32,280
up, which is great too.

204
00:11:32,280 --> 00:11:36,620
And yeah, just like you said, you know, about going down rabbit holes, if you go to John

205
00:11:36,620 --> 00:11:40,920
Hammond's Twitter right now and you know, on June 3rd, I saw it, that's the next day,

206
00:11:40,920 --> 00:11:43,080
you know, he's like, oh, we finally got it.

207
00:11:43,080 --> 00:11:46,460
And he's like, PS, it doesn't have anything to do with the crazy shit that I was viewing

208
00:11:46,460 --> 00:11:49,240
it for.

209
00:11:49,240 --> 00:11:51,920
So it's like, I just I feel that man.

210
00:11:51,920 --> 00:11:57,480
And yeah, it's cool to see, you know, for those of you that are always thinking like,

211
00:11:57,480 --> 00:11:58,480
oh, man, I'm not sure.

212
00:11:58,480 --> 00:11:59,920
Am I going down the right path?

213
00:11:59,920 --> 00:12:02,200
You know, how do I how do I know?

214
00:12:02,200 --> 00:12:06,040
Look at John here, you know, one of the most skilled guys out there on the arena, you know,

215
00:12:06,040 --> 00:12:10,120
he does education in, you know, cybersecurity stuff all the time.

216
00:12:10,120 --> 00:12:11,720
Shout out to his YouTube channel.

217
00:12:11,720 --> 00:12:13,920
Excellent, amazing YouTube channel.

218
00:12:13,920 --> 00:12:18,280
And even he goes down these rabbit holes and ends up, you know, this is the wrong thing.

219
00:12:18,280 --> 00:12:19,360
So it definitely happens.

220
00:12:19,360 --> 00:12:20,360
It's part of the process.

221
00:12:20,360 --> 00:12:24,200
And at the end of the day, if you keep on being persistent, just like John, you'll you'll

222
00:12:24,200 --> 00:12:26,200
end up popping the full bug for sure.

223
00:12:26,200 --> 00:12:27,800
Yeah, for sure.

224
00:12:27,800 --> 00:12:33,360
I think as well, it's really interesting.

225
00:12:33,360 --> 00:12:37,260
Like I feel like I've been in that scenario so many times where I've spent like eight

226
00:12:37,260 --> 00:12:40,840
hours or like more just like looking at one thing.

227
00:12:40,840 --> 00:12:45,120
And I'm so invested that I don't want to step out of it.

228
00:12:45,120 --> 00:12:46,120
Yeah.

229
00:12:46,120 --> 00:12:49,080
So do you have any what do you do when you're in that scenario?

230
00:12:49,080 --> 00:12:52,520
It's funny you mentioned that because I'm going to actually just pull it up on my email

231
00:12:52,520 --> 00:12:53,520
right now.

232
00:12:53,520 --> 00:13:00,080
There's somebody messaged this week into info@criticalthinkingpodcast.io.

233
00:13:00,080 --> 00:13:03,440
And he said this is the question he said when you were hunting and you're doing recon and

234
00:13:03,440 --> 00:13:06,580
getting a feel for the app, you have something interesting that you are poking at.

235
00:13:06,580 --> 00:13:09,040
How do you know you are on to something promising?

236
00:13:09,040 --> 00:13:13,440
Do you have any tips for knowing when it is time to cut bait and move on?

237
00:13:13,440 --> 00:13:18,800
How to know when the potential for success is there or whether it's not worth the effort?

238
00:13:18,800 --> 00:13:21,560
And I was like, yeah, that's the rub, right?

239
00:13:21,560 --> 00:13:24,800
You know, to just bring it back to the Shakespearean "ay."

240
00:13:24,800 --> 00:13:25,980
That's the rub.

241
00:13:25,980 --> 00:13:30,800
You know, whether it is nobler to continue to pursue down your rabbit hole or to, you

242
00:13:30,800 --> 00:13:33,160
know, I forget the rest of the quote, but it's Macbeth.

243
00:13:33,160 --> 00:13:36,160
So yeah, I was not.

244
00:13:36,160 --> 00:13:40,240
English was maybe my least favorite class.

245
00:13:40,240 --> 00:13:43,840
They made us do like a presentation of that and I was the guy reading that, so I should

246
00:13:43,840 --> 00:13:44,840
remember it.

247
00:13:44,840 --> 00:13:48,640
But you know, whether it is nobler to continue to hack or whether it is nobler to not continue

248
00:13:48,640 --> 00:13:50,840
to hack is the question.

249
00:13:50,840 --> 00:13:54,500
And yeah, it's really hard to know, man.

250
00:13:54,500 --> 00:13:57,720
And I think at some point, you know, you kind of get to a point where you're like, all right,

251
00:13:57,720 --> 00:14:00,560
I've looped on my brain so many times.

252
00:14:00,560 --> 00:14:04,080
Like I keep on just coming to the same conclusion, same conclusion, same conclusion.

253
00:14:04,080 --> 00:14:07,600
And for me, it's probably five or 10 cycles of that, you know, somewhere between five

254
00:14:07,600 --> 00:14:11,200
and 10 cycles of that before I'm like, man, I'm not really sure I'm going to find anything

255
00:14:11,200 --> 00:14:14,600
else at this at this specific code pathway.

256
00:14:14,600 --> 00:14:15,940
And that's when you start working back.

257
00:14:15,940 --> 00:14:19,800
And I will add, this is one of the things that I think was developed for me a lot by

258
00:14:19,800 --> 00:14:25,040
the OSCP because the OSCP has a has a time limit, right?

259
00:14:25,040 --> 00:14:26,560
You know, you've got 24 hours.

260
00:14:26,560 --> 00:14:31,680
And if you spend too much time going down a rabbit hole that you can't, you know, that

261
00:14:31,680 --> 00:14:33,860
doesn't end up with anything, you've lost a bunch of time.

262
00:14:33,860 --> 00:14:38,840
So that is that is something that pretty much only comes with experience, I think, is knowing

263
00:14:38,840 --> 00:14:46,280
whether when to cut, you know, cut your losses and move on or whether there's something there.

264
00:14:46,280 --> 00:14:51,240
So I would say, you know, to the listeners that are wondering about this question, yeah,

265
00:14:51,240 --> 00:14:52,800
I'll just call them CG.

266
00:14:52,800 --> 00:14:53,800
Thanks for that.

267
00:14:53,800 --> 00:14:55,600
Thanks for the question, CG.

268
00:14:55,600 --> 00:14:58,200
You know, experiment with it, right?

269
00:14:58,200 --> 00:15:02,360
So, you know, if you maybe you'll do one session where you're like, all right, anytime I run

270
00:15:02,360 --> 00:15:04,920
into a wall, I'm just going to move along.

271
00:15:04,920 --> 00:15:05,920
Right.

272
00:15:05,920 --> 00:15:08,000
And I know some people that do that, actually.

273
00:15:08,000 --> 00:15:09,720
And, you know, it works for them.

274
00:15:09,720 --> 00:15:10,720
And that's great.

275
00:15:10,720 --> 00:15:15,160
And I know some people that, you know, if they run into a wall 15 times at the same

276
00:15:15,160 --> 00:15:17,400
endpoint, they're still going to keep going at it.

277
00:15:17,400 --> 00:15:22,280
So you've got to figure out what is right for you as a hacker and where that limit lies.

278
00:15:22,280 --> 00:15:26,640
And it can be something that's intuitive, or it can be something, you know, that's set

279
00:15:26,640 --> 00:15:30,400
and concrete saying, hey, I've thought, where am I going to go five times now?

280
00:15:30,400 --> 00:15:31,400
Time to move on.

281
00:15:31,400 --> 00:15:33,320
And then you're back, you know, and you move along.

282
00:15:33,320 --> 00:15:35,560
So what do you think about that, Joel?

283
00:15:35,560 --> 00:15:41,760
Yeah, I think I'm very similar where it's not like I'm not an instant kind of pass when

284
00:15:41,760 --> 00:15:43,080
it's pushing back a little bit.

285
00:15:43,080 --> 00:15:47,520
I do like to push through it a little bit further just to see, like, am I missing something

286
00:15:47,520 --> 00:15:48,520
here?

287
00:15:48,520 --> 00:15:49,520
Is there something more to this?

288
00:15:49,520 --> 00:15:54,360
Am I just doing something like, you know, very minor here that is blocking me up here?

289
00:15:54,360 --> 00:15:56,960
Like sometimes I'll be like testing something for a while.

290
00:15:56,960 --> 00:16:00,000
And I've just made like a simple error in my request or something.

291
00:16:00,000 --> 00:16:01,840
It's like it's the worst, right?

292
00:16:01,840 --> 00:16:02,840
You spent like an hour.

293
00:16:02,840 --> 00:16:04,000
You're like, I guess this is like total.

294
00:16:04,000 --> 00:16:07,000
And then you're like, oh, my God, I've been using the wrong the wrong request this whole

295
00:16:07,000 --> 00:16:08,440
time or something like that.

296
00:16:08,440 --> 00:16:10,240
Like, yeah, that's what that happens to me.

297
00:16:10,240 --> 00:16:11,800
Really help to write.

298
00:16:11,800 --> 00:16:14,520
Yeah, that extra set of eyes is so useful.

299
00:16:14,520 --> 00:16:17,920
Just having somebody who's like, hey, that's the that's the wrong request.

300
00:16:17,920 --> 00:16:22,400
Like just add the extra little second brain on your shoulder.

301
00:16:22,400 --> 00:16:25,080
Yeah, that's super helpful.

302
00:16:25,080 --> 00:16:29,120
But I think for me, it's something like it's very similar to like what you have.

303
00:16:29,120 --> 00:16:33,240
It's like some it's I don't have a specific number, but it's a certain number of times

304
00:16:33,240 --> 00:16:34,920
where I run it and hit the brick wall.

305
00:16:34,920 --> 00:16:37,680
And I'm like, OK, I should probably move on.

306
00:16:37,680 --> 00:16:41,080
And some of it will also depend on whether or not I have other interesting things to

307
00:16:41,080 --> 00:16:42,080
be looking at.

308
00:16:42,080 --> 00:16:47,320
I feel like that also affects my like how lenient I am to just move on and go to the

309
00:16:47,320 --> 00:16:50,480
next thing, because if something has been really like pulling at me like this is something

310
00:16:50,480 --> 00:16:54,800
interesting I need to look at, but I need to finish what I'm looking at right now.

311
00:16:54,800 --> 00:16:58,080
If I'm not getting anywhere with what I'm looking at right now, I'm more likely to go

312
00:16:58,080 --> 00:16:59,400
start looking at that new thing.

313
00:16:59,400 --> 00:17:00,920
No, that that totally makes sense.

314
00:17:00,920 --> 00:17:03,440
And I think I have that same mentality.

315
00:17:03,440 --> 00:17:07,520
But for me, I think it feels a little bit more like a surrender when I move away from

316
00:17:07,520 --> 00:17:08,520
it.

317
00:17:08,520 --> 00:17:12,600
Like I think I do have a little bit more of that fighting spirit than is good for me sometimes.

318
00:17:12,600 --> 00:17:16,040
You know, and I've talked about this publicly on the pod before how I used to not really

319
00:17:16,040 --> 00:17:17,040
do that at all.

320
00:17:17,040 --> 00:17:18,040
And I would just move along.

321
00:17:18,040 --> 00:17:22,120
And, you know, those were the days when I was finding a bunch of like, you know, IDORs

322
00:17:22,120 --> 00:17:25,740
and access control stuff because I was getting a bunch of volume because I was moving along

323
00:17:25,740 --> 00:17:30,280
so quickly as soon as anything would would, you know, bump into my way.

324
00:17:30,280 --> 00:17:31,280
Right.

325
00:17:31,280 --> 00:17:34,760
And, you know, if it's a function of volume, you know, for those sort of bugs, because

326
00:17:34,760 --> 00:17:38,440
it works or it doesn't work, it's not there's no fiddling normally.

327
00:17:38,440 --> 00:17:43,480
But when I started, you know, banging my head up against a wall, sometimes when I saw an

328
00:17:43,480 --> 00:17:49,140
attack vector, that's when I started finding these more serious vulns that are more deeply

329
00:17:49,140 --> 00:17:52,240
embedded in the apps and started walking away with some bigger bounties.

330
00:17:52,240 --> 00:17:58,640
And, you know, to be perfectly honest, looking at the statistics, my amount earned hasn't

331
00:17:58,640 --> 00:18:00,840
changed that much between those two strategies.

332
00:18:00,840 --> 00:18:03,560
I think it's a little bit higher where I'm at now.

333
00:18:03,560 --> 00:18:09,000
But you know, my amount earned does not actually deviate that much because like we've said

334
00:18:09,000 --> 00:18:12,780
in before, those IDORs and those access control issues can be extremely impactful.

335
00:18:12,780 --> 00:18:14,840
And if you can get a bunch of those, it really pays off big.

336
00:18:14,840 --> 00:18:17,240
So it's really up to the individual hacker.

337
00:18:17,240 --> 00:18:18,240
Yeah.

338
00:18:18,240 --> 00:18:22,400
So do you have a preference between the two in hindsight, having done both and seeing

339
00:18:22,400 --> 00:18:24,800
that there's not a huge impact on the on the earnings?

340
00:18:24,800 --> 00:18:26,680
Would you ever go back to the first one?

341
00:18:26,680 --> 00:18:30,960
No, I mean, I think my preference is strongly where I'm at now because it's more interesting

342
00:18:30,960 --> 00:18:33,080
and it feels more risky.

343
00:18:33,080 --> 00:18:36,200
And sometimes it's a little bit less, you know, a little bit more stressful because

344
00:18:36,200 --> 00:18:40,160
you're like, well, if this doesn't pop, then I'm screwed, you know.

345
00:18:40,160 --> 00:18:45,540
But, but, you know, I think as I've developed as a hacker in my stress management and my

346
00:18:45,540 --> 00:18:49,560
anxiety management as well, you know, over bug bounty and as I've become a little bit

347
00:18:49,560 --> 00:18:53,160
more financially stable as well and, and, you know, realizing, hey, it's not the end

348
00:18:53,160 --> 00:18:54,160
of the world.

349
00:18:54,160 --> 00:18:57,960
And I've also just become a little bit more confident in who I am as a hacker as well,

350
00:18:57,960 --> 00:19:00,320
you know, in my identity as a hacker.

351
00:19:00,320 --> 00:19:03,760
I, you know, definitely lean a little bit more towards the latter now.

352
00:19:03,760 --> 00:19:05,600
It's like, oh, let me, let me spend a little extra time.

353
00:19:05,600 --> 00:19:12,020
Let me find some cool shit and spend a little bit less time grinding through the Burp requests.

354
00:19:12,020 --> 00:19:17,160
But I definitely recommend that in the beginning for any beginner as well, because if you can

355
00:19:17,160 --> 00:19:21,040
hit a lot of volume, you'll see a lot of, you'll see a lot of HTTP requests.

356
00:19:21,040 --> 00:19:23,920
And like we talked about those reps lead you to be a better hacker.

357
00:19:23,920 --> 00:19:27,680
So there's, there's definitely, you know, you could go either way, depending on which

358
00:19:27,680 --> 00:19:29,240
way you want to grow.

359
00:19:29,240 --> 00:19:30,240
Yeah.

360
00:19:30,240 --> 00:19:31,240
Yeah.

361
00:19:31,240 --> 00:19:35,680
And I think one of the other things I recommend is especially this, this happens early on

362
00:19:35,680 --> 00:19:39,720
a lot when you first start hacking, you're just going to be like looking at stuff and

363
00:19:39,720 --> 00:19:43,520
it's going to be hard to find your first bug.

364
00:19:43,520 --> 00:19:47,280
And moving on is really difficult because when you first start, you don't know when

365
00:19:47,280 --> 00:19:48,280
you should move on.

366
00:19:48,280 --> 00:19:52,680
And like you have like no context in terms of like, what, what does that feel like?

367
00:19:52,680 --> 00:19:55,680
Or like, where is the right place to draw the line?

368
00:19:55,680 --> 00:20:01,000
And so I'd say like, if when you do decide like to move on, don't like, don't think

369
00:20:01,000 --> 00:20:02,000
about it too much.

370
00:20:02,000 --> 00:20:05,360
Like don't let it beat you up because you'll have to remember that like all the bug bounty

371
00:20:05,360 --> 00:20:07,000
is basically trying to beat the odds.

372
00:20:07,000 --> 00:20:10,680
You're trying to like find something that is bad, that shouldn't exist.

373
00:20:10,680 --> 00:20:14,280
And you're trying to like break the system that is designed to keep, you know, customer

374
00:20:14,280 --> 00:20:16,080
data safe or whatever it is.

375
00:20:16,080 --> 00:20:21,760
And so if you don't find anything, it doesn't mean that like you failed, right?

376
00:20:21,760 --> 00:20:25,120
It just means like that app might be secure and that's good.

377
00:20:25,120 --> 00:20:26,600
And that's, that's okay.

378
00:20:26,600 --> 00:20:29,600
And you know, it's time to just move on to the next thing and find something that feels

379
00:20:29,600 --> 00:20:32,080
less secure so that you can find all the holes in it.

380
00:20:32,080 --> 00:20:33,080
Yeah.

381
00:20:33,080 --> 00:20:34,080
Yeah.

382
00:20:34,080 --> 00:20:35,480
And you know, we, we preach this on the pod all the time.

383
00:20:35,480 --> 00:20:38,440
You know, there's a whole team of people that are dedicated to you not being able to do

384
00:20:38,440 --> 00:20:39,920
your job when you're doing bug bounty.

385
00:20:39,920 --> 00:20:44,000
So it's a really, it's a really challenging thing, but we believe in you, you got it.

386
00:20:44,000 --> 00:20:46,120
So go get those bounties.

387
00:20:46,120 --> 00:20:51,240
And I will say, you know, for the more experienced hackers out there as well, don't get set in

388
00:20:51,240 --> 00:20:52,240
your ways.

389
00:20:52,240 --> 00:20:58,360
Don't, don't get so tied up in your approach that you never, that you never experiment

390
00:20:58,360 --> 00:21:03,080
because I know I grow a lot as a hacker as I started experimenting away into the more

391
00:21:03,080 --> 00:21:09,800
rabbit-holey sort of find the weird shit sort of things rather than the volume of requests.

392
00:21:09,800 --> 00:21:14,360
So I think there's a lot of room for growth there as you experiment with the various techniques.

393
00:21:14,360 --> 00:21:15,360
Yeah.

394
00:21:15,360 --> 00:21:16,360
A hundred percent. Nice, man.

395
00:21:16,360 --> 00:21:18,460
Well, we, that was, that was a nice little, little vibe.

396
00:21:18,460 --> 00:21:21,440
We deviated a little bit from the plan, but I'm, I'm glad we talked about that because

397
00:21:21,440 --> 00:21:23,320
that's, that's just really important things.

398
00:21:23,320 --> 00:21:25,120
Yeah, for sure.

399
00:21:25,120 --> 00:21:26,300
All right.

400
00:21:26,300 --> 00:21:29,520
So this is what I had on, on, on the plan for today, Joel.

401
00:21:29,520 --> 00:21:35,200
We did, as we mentioned before, we've done a good bit of hardware hacking lately with

402
00:21:35,200 --> 00:21:38,040
the live hacking event that we last went to.

403
00:21:38,040 --> 00:21:42,840
So this is the episode where we talk a little bit more about that, where we give some details

404
00:21:42,840 --> 00:21:48,280
on some of the techniques that we used and kind of go into detail.

405
00:21:48,280 --> 00:21:50,560
So I mean, we could start with the hardware recon.

406
00:21:50,560 --> 00:21:51,560
Is that, does that work for you, Joel?

407
00:21:51,560 --> 00:21:53,560
Or you got anywhere else you want to start?

408
00:21:53,560 --> 00:21:55,520
Let's, let's, let's start from the top.

409
00:21:55,520 --> 00:21:56,520
Yeah.

410
00:21:56,520 --> 00:22:01,800
So click, click that link that's about, that's in under the, the next bullet point there.

411
00:22:01,800 --> 00:22:04,280
Cause I wanted to ask you something specifically about this.

412
00:22:04,280 --> 00:22:08,760
So you know, if you scroll down and we'll link this link, this is, this is River Loop

413
00:22:08,760 --> 00:22:11,480
Security's hardware hacking write-up.

414
00:22:11,480 --> 00:22:15,400
You know, you scroll down and eventually they're soldering onto test pins on the backside of

415
00:22:15,400 --> 00:22:17,880
an eMMC chip, right?

416
00:22:17,880 --> 00:22:18,880
Yep.

417
00:22:18,880 --> 00:22:28,440
So for those of you that just, that just sounded like garbage, eMMC is an embedded multimedia

418
00:22:28,440 --> 00:22:29,440
card.

419
00:22:29,440 --> 00:22:30,440
Is that right?

420
00:22:30,440 --> 00:22:31,440
I think that's, yes.

421
00:22:31,440 --> 00:22:32,440
Yes.

422
00:22:32,440 --> 00:22:39,920
And that is sort of like the hard drive of these IoT applications where they're storing

423
00:22:39,920 --> 00:22:40,920
the file system.

424
00:22:40,920 --> 00:22:43,960
It's the non-volatile storage, right?

425
00:22:43,960 --> 00:22:48,680
And so one of the reasons we want to get at that is because it contains the source code

426
00:22:48,680 --> 00:22:51,720
and the actual file system for the IoT device.

427
00:22:51,720 --> 00:22:54,600
Which can be really insightful to us as hackers.

428
00:22:54,600 --> 00:23:00,480
So what I wanted to talk, I wanted to ask you, Joel, in this sort of hardware recon section

429
00:23:00,480 --> 00:23:06,600
is like, there are these test pins on the back of that and we can use those.

430
00:23:06,600 --> 00:23:11,640
If we can find these test pins that correlate to this eMMC protocol, I guess we can use

431
00:23:11,640 --> 00:23:15,840
those to read from the eMMC chip as well.

432
00:23:15,840 --> 00:23:17,880
And we don't even have to pull the chip right off the board.

433
00:23:17,880 --> 00:23:18,880
Is that right?

434
00:23:18,880 --> 00:23:19,880
Yes.

435
00:23:19,880 --> 00:23:20,880
So in some cases, yes.

436
00:23:20,880 --> 00:23:21,880
It's kind of two routes.

437
00:23:21,880 --> 00:23:22,880
Some cases, no.

438
00:23:22,880 --> 00:23:23,880
Yeah.

439
00:23:23,880 --> 00:23:24,880
They talk about it a little bit.

440
00:23:24,880 --> 00:23:31,120
So typically if you want to read off of an eMMC chip while it's like in use, it's probably

441
00:23:31,120 --> 00:23:33,800
not a great idea for a couple of reasons.

442
00:23:33,800 --> 00:23:37,800
It would be basically like trying to read a hard drive while it's plugged in and being

443
00:23:37,800 --> 00:23:38,800
used.

444
00:23:38,800 --> 00:23:43,960
So there are other operations happening on the drive at the same time from a different

445
00:23:43,960 --> 00:23:46,540
like from the host OS that has it mounted.

446
00:23:46,540 --> 00:23:48,560
And so it might be reading and writing at the same time.

447
00:23:48,560 --> 00:23:49,560
It might be performing operations.

448
00:23:49,560 --> 00:23:52,180
It might have stuff locked like you never know.

449
00:23:52,180 --> 00:23:58,360
And there might be like conflicting data with the controller within the eMMC that will cause

450
00:23:58,360 --> 00:24:00,320
it to like have problems.

451
00:24:00,320 --> 00:24:02,800
So sometimes that works.

452
00:24:02,800 --> 00:24:03,800
Sometimes it doesn't.

453
00:24:03,800 --> 00:24:08,200
But it's really good for at least at the minimum, like looking at like debug, like what's going

454
00:24:08,200 --> 00:24:11,320
on like, are these pins the right pins?

455
00:24:11,320 --> 00:24:12,320
Is this chip functional?

456
00:24:12,320 --> 00:24:14,240
Like, am I looking in the right area?

457
00:24:14,240 --> 00:24:15,240
All that kind of stuff.

458
00:24:15,240 --> 00:24:19,960
Is it potentially possible to use those test points to interact with the chip if we can

459
00:24:19,960 --> 00:24:27,920
figure out a way to have the chip activated, you know, with power and not have the CPU,

460
00:24:27,920 --> 00:24:29,720
you know, hitting that same bus?

461
00:24:29,720 --> 00:24:30,720
Is that right?

462
00:24:30,720 --> 00:24:31,720
Right.

463
00:24:31,720 --> 00:24:32,720
Yeah.

464
00:24:32,720 --> 00:24:37,720
So like to the best of my understanding, you could literally just pull up the spec for that

465
00:24:37,720 --> 00:24:41,800
chip, read through it, see what the voltage is supposed to be, see what the amperage is

466
00:24:41,800 --> 00:24:47,240
supposed to be, take out a DC power supply, set it to the right voltage and amperage,

467
00:24:47,240 --> 00:24:51,080
connect it to the VCC and ground and power it up.

468
00:24:51,080 --> 00:24:52,080
Power it up.

469
00:24:52,080 --> 00:24:53,080
Yeah.

470
00:24:53,080 --> 00:24:54,080
Yeah.

471
00:24:54,080 --> 00:24:58,280
And then, okay, so that's cool because that actually gives us a second sort of route to

472
00:24:58,280 --> 00:25:02,560
get, or I guess maybe a third or fourth route, depending on how much stuff we get to cover

473
00:25:02,560 --> 00:25:03,560
today.

474
00:25:03,560 --> 00:25:08,800
But essentially for me, as a more of a beginner, I feel like I've kind of got a grip on some

475
00:25:08,800 --> 00:25:11,000
of the hardware hacking stuff now.

476
00:25:11,000 --> 00:25:16,440
But what my playbook kind of looked like was like, okay, is there a UART interface on this

477
00:25:16,440 --> 00:25:17,440
device?

478
00:25:17,440 --> 00:25:20,520
So you search around, you look for the UART interface, and we'll talk about UART and JTAG

479
00:25:20,520 --> 00:25:21,520
on a different episode.

480
00:25:21,520 --> 00:25:25,240
That'll be a hardware hacking episode too.

481
00:25:25,240 --> 00:25:30,960
And then if you can't find those, then you just do a chip pull and throw it into a reader

482
00:25:30,960 --> 00:25:34,760
and then try to pull the operating system off that way.

483
00:25:34,760 --> 00:25:38,240
But there's actually another method that doesn't destroy your device because that's the problem

484
00:25:38,240 --> 00:25:41,000
with the chip off method is it destroys your device.

485
00:25:41,000 --> 00:25:49,040
And if you can solder some pins onto these sort of test pins there, or solder some connectors

486
00:25:49,040 --> 00:25:56,400
onto those test pins and hook that up to some sort of device that can communicate over eMMC,

487
00:25:56,400 --> 00:26:00,520
and I think in this blog that we'll link in the description, they use a logic analyzer

488
00:26:00,520 --> 00:26:08,960
here to figure out which individual pin correlates to what part of the eMMC, right?

489
00:26:08,960 --> 00:26:14,160
Then you could potentially get a file system read through that, and it would still come

490
00:26:14,160 --> 00:26:17,240
across as like an SD card to your computer, right?

491
00:26:17,240 --> 00:26:18,240
Yeah.

492
00:26:18,240 --> 00:26:23,320
So generally, I like this approach because it's very ground up.

493
00:26:23,320 --> 00:26:27,120
It doesn't require you to pull up the data sheet or anything like that.

494
00:26:27,120 --> 00:26:32,440
However, I would say in most cases, like 99% of cases, you can literally just take the

495
00:26:32,440 --> 00:26:37,200
chip number, Google it, pull up the data sheet, and you know exactly what the pinout is.

496
00:26:37,200 --> 00:26:42,240
Most of the time, you don't need to be figuring out which is the clock pin because they're

497
00:26:42,240 --> 00:26:43,480
not changing that stuff.

498
00:26:43,480 --> 00:26:46,320
That comes straight from the manufacturer of the chip.

499
00:26:46,320 --> 00:26:51,600
There are cases that I've seen where either there will be like...

500
00:26:51,600 --> 00:26:56,240
So typically, there's a dot on top of a chip, and that dot is in one of the corners, and

501
00:26:56,240 --> 00:27:00,120
that references which one is pin one.

502
00:27:00,120 --> 00:27:05,800
And so sometimes, they'll put a dot somewhere else, or they'll put a dot on multiple corners

503
00:27:05,800 --> 00:27:09,920
so you don't know which pin is pin one, and so you have to figure it out yourself.

504
00:27:09,920 --> 00:27:10,920
That's savage, dude.

505
00:27:10,920 --> 00:27:11,920
That's so freaking savage.

506
00:27:11,920 --> 00:27:12,920
Yeah.

507
00:27:12,920 --> 00:27:17,040
And I'm not sure whether or not that's purposeful or whether or not that's just...

508
00:27:17,040 --> 00:27:21,120
They make a chip that can be used in multiple configurations, so they put it in multiple...

509
00:27:21,120 --> 00:27:24,240
I don't know, but I have seen that.

510
00:27:24,240 --> 00:27:28,800
I've seen pictures of that on the wild, so that's just something to be aware of.

511
00:27:28,800 --> 00:27:32,720
But if you have a very straightforward chip, it is like a single dot on the top.

512
00:27:32,720 --> 00:27:33,920
You can also just...

513
00:27:33,920 --> 00:27:35,400
There are easy things you can verify.

514
00:27:35,400 --> 00:27:39,200
So for example, every chip is going to have a voltage and a ground pin.

515
00:27:39,200 --> 00:27:44,600
So if you take your multimeter and you put it on continuity testing, which will basically

516
00:27:44,600 --> 00:27:49,280
tell whether or not the signal is going between one probe and the other probe, typically,

517
00:27:49,280 --> 00:27:52,800
there's a way to make it so it beeps, and then you tap the leads together and it goes

518
00:27:52,800 --> 00:27:53,800
beep, right?

519
00:27:53,800 --> 00:27:55,480
So that's continuity testing.

520
00:27:55,480 --> 00:27:58,400
You put one lead on the ground pin from your data sheet.

521
00:27:58,400 --> 00:27:59,400
You read the data sheet.

522
00:27:59,400 --> 00:28:01,000
You go, okay, this should be the ground pin.

523
00:28:01,000 --> 00:28:04,640
And then you can go as far back as you want.

524
00:28:04,640 --> 00:28:07,120
You could go all the way to the power connector.

525
00:28:07,120 --> 00:28:08,860
And one of those pins should be power.

526
00:28:08,860 --> 00:28:10,480
One of them should be ground.

527
00:28:10,480 --> 00:28:14,720
And you can test and see, is there continuity between these pins?

528
00:28:14,720 --> 00:28:15,720
Yes or no.

529
00:28:15,720 --> 00:28:16,840
And you can do the same thing for VCC.

530
00:28:16,840 --> 00:28:20,880
And that's also how you can test the test pads and see, is this pad pointing to this

531
00:28:20,880 --> 00:28:23,440
pin or this pin on the chip?

532
00:28:23,440 --> 00:28:26,640
And then that's a pretty easy way to determine whether or not it's using a standard pin out

533
00:28:26,640 --> 00:28:27,640
or not.

534
00:28:27,640 --> 00:28:28,640
Nice.

535
00:28:28,640 --> 00:28:34,840
So I mean, I guess we can do that to a certain degree with a multimeter, right?

536
00:28:34,840 --> 00:28:38,760
And with the continuity testing like you were talking about.

537
00:28:38,760 --> 00:28:43,240
But when it gets to something like, for example, in this article, it was talking about the

538
00:28:43,240 --> 00:28:48,640
various pieces of eMMC protocol, which I'll kind of touch on very lightly for the audience

539
00:28:48,640 --> 00:28:51,720
that haven't read the write-up yet.

540
00:28:51,720 --> 00:28:56,640
But essentially, there's three main parts of the protocol that you need to identify.

541
00:28:56,640 --> 00:29:02,400
There's the clock, there's the CMD, which is the line that's used for sending commands,

542
00:29:02,400 --> 00:29:05,160
and then there's data zero.

543
00:29:05,160 --> 00:29:11,200
And that's the minimum requirements that you need to be able to communicate over eMMC with

544
00:29:11,200 --> 00:29:12,300
the actual chip.

545
00:29:12,300 --> 00:29:17,280
So we're getting much lower than we normally do here on the pod because we mostly talk

546
00:29:17,280 --> 00:29:19,040
about web and mobile stuff.

547
00:29:19,040 --> 00:29:22,880
But this is actually talking about hardware level protocol stuff, which I think is really,

548
00:29:22,880 --> 00:29:25,320
really fun to dive into.

549
00:29:25,320 --> 00:29:29,160
But once we start trying to identify all those little pieces, that's where we really need

550
00:29:29,160 --> 00:29:35,000
a logic analyzer versus a multimeter because we have to be able to actually read the blips

551
00:29:35,000 --> 00:29:39,000
in power coming across those various lines.

552
00:29:39,000 --> 00:29:40,000
Is that right?

553
00:29:40,000 --> 00:29:41,000
Yeah.

554
00:29:41,000 --> 00:29:42,000
Yeah.

555
00:29:42,000 --> 00:29:45,840
So basically, what the logic analyzer is going to be doing is it's going to be looking at

556
00:29:45,840 --> 00:29:50,720
shifts between high and low, where that's basically a high voltage or a low voltage,

557
00:29:50,720 --> 00:29:54,640
where it's either drawing, where it's pulling it down or it's pushing it up.

558
00:29:54,640 --> 00:30:00,680
And so, for example, the clock pin that they identify, super easy to identify that because

559
00:30:00,680 --> 00:30:02,040
it runs like a clock, right?

560
00:30:02,040 --> 00:30:04,400
It goes on, off, on, off, on, off, on, off on a very regular schedule.

561
00:30:04,400 --> 00:30:08,200
And that's basically telling the chip how fast it should be operating.

562
00:30:08,200 --> 00:30:13,040
And then data is for data and CMD is for telling it what to do.

563
00:30:13,040 --> 00:30:16,660
And so, it's basically as straightforward as that.

564
00:30:16,660 --> 00:30:20,780
But logic analyzers will make that so much easier just because a lot of the stuff that's

565
00:30:20,780 --> 00:30:23,280
built into the software will do it automatically.

566
00:30:23,280 --> 00:30:25,920
So in the article, they use a Saleae.

567
00:30:25,920 --> 00:30:34,280
I use, it's called Analog Discovery 2 by Digilent.

568
00:30:34,280 --> 00:30:35,280
It's pretty good.

569
00:30:35,280 --> 00:30:36,640
It's cheaper than a Saleae.

570
00:30:36,640 --> 00:30:43,280
But I think if I were to buy one again, I'd probably go with the Saleae just because it's

571
00:30:43,280 --> 00:30:44,280
a little bit higher specced.

572
00:30:44,280 --> 00:30:48,560
It's a little bit more expensive, but the software is really, really good.

573
00:30:48,560 --> 00:30:54,680
And it's generally considered one of the top of the line tools that are out there.

574
00:30:54,680 --> 00:31:01,040
Digilent actually did just like last week announce the Analog Discovery 3, which

575
00:31:01,040 --> 00:31:03,160
is an improvement to what I have.

576
00:31:03,160 --> 00:31:07,760
It has, I think, faster polling rates, faster measurement rates.

577
00:31:07,760 --> 00:31:10,200
It uses USB-C instead of micro USB.

578
00:31:10,200 --> 00:31:12,400
It's got a couple different things.

579
00:31:12,400 --> 00:31:17,400
But yeah, no, any sort of like logic analyzer is going to be a good investment if you're

580
00:31:17,400 --> 00:31:22,300
doing this type of hardware hacking just to identify like what's going on.

581
00:31:22,300 --> 00:31:23,700
Is this pin UART?

582
00:31:23,700 --> 00:31:24,700
Is this pin JTAG?

583
00:31:24,700 --> 00:31:25,700
Is this nothing?

584
00:31:25,700 --> 00:31:26,700
Like, what is it?

585
00:31:26,700 --> 00:31:27,700
Yeah.

586
00:31:27,700 --> 00:31:28,960
Yeah, that's a good point.

587
00:31:28,960 --> 00:31:32,960
I think I get a little excited about this stuff and I jump right in.

588
00:31:32,960 --> 00:31:36,960
Let me just say, this is relevant to you all as bug bounty hunters out there.

589
00:31:36,960 --> 00:31:43,040
The majority of our audiences are active bug bounty hunters because this is a very, very

590
00:31:43,040 --> 00:31:45,000
untouched scope normally.

591
00:31:45,000 --> 00:31:49,960
Like if you can go ahead because one, because the tools are very expensive and you know

592
00:31:49,960 --> 00:31:54,000
what we talk about here on the pod, you invest the money, you get the tools, you buy the

593
00:31:54,000 --> 00:31:58,840
premium and it opens up a bunch of scope that pays for itself.

594
00:31:58,840 --> 00:32:02,480
And a lot of these hardware hacking programs out there on HackerOne or Bugcrowd, you

595
00:32:02,480 --> 00:32:05,920
have to buy the piece of hardware yourself and then you're going to break it and it's

596
00:32:05,920 --> 00:32:08,260
going to be annoying.

597
00:32:08,260 --> 00:32:14,040
But if you go through that difficulty, if you pay the price, the bounties are much higher.

598
00:32:14,040 --> 00:32:18,720
So I'm hoping that we can inspire some of you to sort of pivot into the hardware hacking

599
00:32:18,720 --> 00:32:19,720
realm.

600
00:32:19,720 --> 00:32:24,160
It's really fascinating and there are a lot of really good write-ups out there actually

601
00:32:24,160 --> 00:32:25,160
on it.

602
00:32:25,160 --> 00:32:28,440
And so, and it's not as hard as you would think to pivot into it.

603
00:32:28,440 --> 00:32:29,440
Yeah.

604
00:32:29,440 --> 00:32:34,320
So one of the things I would recommend, if you or somebody that you know has a background

605
00:32:34,320 --> 00:32:42,200
in electrical engineering, this is a great space to dig into because like a fundamental

606
00:32:42,200 --> 00:32:47,360
electrical engineering background is so helpful for just understanding some of the basic stuff.

607
00:32:47,360 --> 00:32:50,680
Like why are things behaving the way they are?

608
00:32:50,680 --> 00:32:51,880
How would I interface with this?

609
00:32:51,880 --> 00:32:56,460
If I want to read data off of this pin, do I need to like have a pull down resistor?

610
00:32:56,460 --> 00:32:57,460
What is a pull down resistor?

611
00:32:57,460 --> 00:32:58,460
Right?

612
00:32:58,460 --> 00:33:04,640
So many fundamental electronic questions that would be so much easier to answer if you have

613
00:33:04,640 --> 00:33:07,160
any sort of electronics background.

614
00:33:07,160 --> 00:33:10,840
It doesn't even have to be like a full electrical engineering background.

615
00:33:10,840 --> 00:33:16,240
If you've done basic electronics stuff for many years, which I know lots of people have,

616
00:33:16,240 --> 00:33:19,280
yeah, like robotics, any of that kind of stuff, working with electronics, you're familiar

617
00:33:19,280 --> 00:33:24,240
with like voltages, like how circuit boards are designed, created, built, all that kind

618
00:33:24,240 --> 00:33:25,240
of stuff.

619
00:33:25,240 --> 00:33:26,660
Like this is a great area.

620
00:33:26,660 --> 00:33:28,840
There's not a lot of people who know this kind of stuff.

621
00:33:28,840 --> 00:33:32,000
It's a very like sparse knowledge space within hacking.

622
00:33:32,000 --> 00:33:33,000
So good.

623
00:33:33,000 --> 00:33:34,000
Yeah.

624
00:33:34,000 --> 00:33:35,000
Yeah.

625
00:33:35,000 --> 00:33:38,760
Like if you can pop one of these devices, it usually pays like a significant amount

626
00:33:38,760 --> 00:33:42,280
of money because most of these are owned by like large conglomerates.

627
00:33:42,280 --> 00:33:43,660
They have a lot of money on the line.

628
00:33:43,660 --> 00:33:46,000
They have a lot of people with this device in their hands.

629
00:33:46,000 --> 00:33:47,000
Yeah.

630
00:33:47,000 --> 00:33:48,360
And there's just a skillset mismatch too, right?

631
00:33:48,360 --> 00:33:52,120
There's not as many people that can do hardware hacking stuff as there are web because it

632
00:33:52,120 --> 00:33:53,120
requires tools.

633
00:33:53,120 --> 00:33:55,080
It requires background knowledge.

634
00:33:55,080 --> 00:34:02,080
And so I think the competition is a little bit less and there's more of a demand, supply

635
00:34:02,080 --> 00:34:04,480
and demand just sort of dictates that the bounties would be higher.

636
00:34:04,480 --> 00:34:05,480
Yeah.

637
00:34:05,480 --> 00:34:06,480
Yeah.

638
00:34:06,480 --> 00:34:07,480
Yeah, for sure.

639
00:34:07,480 --> 00:34:10,080
I also just wanted to mention two things on what you just said.

640
00:34:10,080 --> 00:34:16,320
One, this is a great reference to the conversation that Corbin and I had last week on the pod

641
00:34:16,320 --> 00:34:18,680
and we'll link that in the description.

642
00:34:18,680 --> 00:34:23,360
But we have a great conversation about what kind of degree is best for a hacker to get.

643
00:34:23,360 --> 00:34:27,920
And this conversation we're having with Joel here is one of the main reasons why I suggest

644
00:34:27,920 --> 00:34:33,040
a computer engineering or maybe even electrical engineering degree for some hackers because

645
00:34:33,040 --> 00:34:37,440
you get a lot lower level understanding of things and it's so much easier to build on

646
00:34:37,440 --> 00:34:41,240
top when you have the bottom bricks, right?

647
00:34:41,240 --> 00:34:43,040
Think of it, think of it.

648
00:34:43,040 --> 00:34:45,480
Sometimes if you're trying to get an understanding of things and you don't know what's happening

649
00:34:45,480 --> 00:34:49,720
underneath, you kind of got this very shaky understanding, you're very shaky base and

650
00:34:49,720 --> 00:34:51,700
then you're trying to build bricks on top of it.

651
00:34:51,700 --> 00:34:55,000
But if you have a solid base, then it becomes so much easier to just boom, build up the

652
00:34:55,000 --> 00:34:57,360
wall and you've got a great understanding.

653
00:34:57,360 --> 00:34:58,360
I don't know, man.

654
00:34:58,360 --> 00:35:03,000
I have a little bit of a self-consciousness about my analogies because Mariah is like,

655
00:35:03,000 --> 00:35:04,800
Justin, that analogy doesn't make any sense.

656
00:35:04,800 --> 00:35:07,920
But hopefully that one came through to you guys.

657
00:35:07,920 --> 00:35:11,320
No, no, I 100% know what you mean.

658
00:35:11,320 --> 00:35:14,960
I get that same sense where, especially with hardware hacking, I'll be honest, hardware

659
00:35:14,960 --> 00:35:21,360
hacking is that for me as well because I'll be working on something and I'll be so confused

660
00:35:21,360 --> 00:35:22,800
as to why it's not working.

661
00:35:22,800 --> 00:35:27,580
And a lot of the time it's just because I've made a simple mistake due to a lack of fundamental

662
00:35:27,580 --> 00:35:29,280
knowledge or understanding.

663
00:35:29,280 --> 00:35:36,320
And it's very hard to find those problems or answer those unknown questions without

664
00:35:36,320 --> 00:35:37,320
the knowledge, right?

665
00:35:37,320 --> 00:35:41,080
So I think this applies to beginner hackers as well.

666
00:35:41,080 --> 00:35:45,660
It's like, how do you know when to draw the line to stop hacking and move on?

667
00:35:45,660 --> 00:35:50,800
How do you know when you have no experience and no knowledge or context, when to draw

668
00:35:50,800 --> 00:35:51,800
that line?

669
00:35:51,800 --> 00:35:53,240
Do you just guess?

670
00:35:53,240 --> 00:35:55,480
Is there any sort of concrete identifier?

671
00:35:55,480 --> 00:35:59,960
And that is very similar for hardware hacking where it's like, how do you know if this is

672
00:35:59,960 --> 00:36:05,920
just a fundamental thing that you need to go learn or if this is just a common problem

673
00:36:05,920 --> 00:36:08,640
that even the experts hit or what is going on here?

674
00:36:08,640 --> 00:36:09,800
Where do you draw the line?

675
00:36:09,800 --> 00:36:12,140
So I wouldn't beat yourself up too much over it.

676
00:36:12,140 --> 00:36:15,580
But if you have that solid fundamental knowledge, that solid foundation, it's going to make

677
00:36:15,580 --> 00:36:16,580
things so much easier.

678
00:36:16,580 --> 00:36:17,580
Yeah.

679
00:36:17,580 --> 00:36:22,920
I think the procrastination education piece with hardware hacking is a little bit different

680
00:36:22,920 --> 00:36:26,640
too because sometimes you really do need to be like, ah, actually, I don't know about

681
00:36:26,640 --> 00:36:28,720
this very specific little thing.

682
00:36:28,720 --> 00:36:34,440
For example, Joel and I were working on a project where we needed to read from an RPMB

683
00:36:34,440 --> 00:36:36,680
sort of, it's not really a partition.

684
00:36:36,680 --> 00:36:37,680
Yeah, a protected memory block.

685
00:36:37,680 --> 00:36:40,920
A protected memory block on an eMMC chip.

686
00:36:40,920 --> 00:36:42,620
And we had never even heard of that.

687
00:36:42,620 --> 00:36:47,560
So we both had to go and read the white paper on that specific piece of technology and kind

688
00:36:47,560 --> 00:36:51,000
of understand what it does at a lower level to be able to come back and hack.

689
00:36:51,000 --> 00:36:57,320
So there's definitely some different tricks in the hardware hacking field to get caught

690
00:36:57,320 --> 00:36:58,320
up on.

691
00:36:58,320 --> 00:37:04,080
But if you can pull it off, one, I don't think I'll ever forget this moment in my entire

692
00:37:04,080 --> 00:37:05,080
life.

693
00:37:05,080 --> 00:37:07,920
Joel, that first time we took the chip off of there and I put it into my computer and

694
00:37:07,920 --> 00:37:13,120
I just saw like 15 different partitions like new disk, new disk, new disk, new disk found.

695
00:37:13,120 --> 00:37:14,120
I was like, you've got to be kidding me.

696
00:37:14,120 --> 00:37:15,120
It's so satisfying.

697
00:37:15,120 --> 00:37:16,920
I cannot believe I just pulled.

698
00:37:16,920 --> 00:37:18,600
I took this IoT device apart.

699
00:37:18,600 --> 00:37:24,560
I took the chip out of the device and I put it into a thing and my computer just read

700
00:37:24,560 --> 00:37:26,400
it like that's nuts.

701
00:37:26,400 --> 00:37:31,480
So there's lots of really amazing feelings that kind of come along with diving into hardware

702
00:37:31,480 --> 00:37:36,640
hacking and finding your first little pathway to getting source code or a bug.

703
00:37:36,640 --> 00:37:37,640
Yeah.

704
00:37:37,640 --> 00:37:39,240
Dude, I'm not going to lie.

705
00:37:39,240 --> 00:37:41,200
Even after all that reading on RPMBs.

706
00:37:41,200 --> 00:37:45,040
Dude, no one, that's a stupid protocol, man.

707
00:37:45,040 --> 00:37:47,000
I don't even know.

708
00:37:47,000 --> 00:37:52,440
I don't know if I could describe what it is, how it works, how it's supposed to be, if

709
00:37:52,440 --> 00:37:53,880
we did anything right there.

710
00:37:53,880 --> 00:37:59,160
Because when we eventually got on the device while it was running, we could access it,

711
00:37:59,160 --> 00:38:00,640
but after we had pulled the chip, we couldn't.

712
00:38:00,640 --> 00:38:02,480
So I don't know.

713
00:38:02,480 --> 00:38:05,920
It's still very confusing to me, but it's a super interesting topic area.

714
00:38:05,920 --> 00:38:06,920
Yeah.

715
00:38:06,920 --> 00:38:08,960
It's replay protected memory block.

716
00:38:08,960 --> 00:38:09,960
Replay.

717
00:38:09,960 --> 00:38:10,960
Oh, that's what it is.

718
00:38:10,960 --> 00:38:12,360
It's replay protected memory block.

719
00:38:12,360 --> 00:38:17,800
And so essentially the whole point of that is you shouldn't be able to write to that

720
00:38:17,800 --> 00:38:23,680
block without going through the authentication protocol.

721
00:38:23,680 --> 00:38:28,360
But there's a bunch of things that say online, because the spec is a little fuzzy, about

722
00:38:28,360 --> 00:38:31,880
whether you can read from that without having the authentication key.

723
00:38:31,880 --> 00:38:37,880
And really, if you read the actual doc, the actual spec for the device, it shows that

724
00:38:37,880 --> 00:38:45,760
the encryption piece of RPMB is just an HMAC on the read side.

725
00:38:45,760 --> 00:38:52,400
So if you don't choose to validate that MAC, then you can read from it just fine.

726
00:38:52,400 --> 00:38:59,760
And it's mostly, I think, designed to protect against tampering at a hardware level.

727
00:38:59,760 --> 00:39:01,920
So anyway, it's a cool thing.

728
00:39:01,920 --> 00:39:05,200
I do know a lot more about it now than I did before.

729
00:39:05,200 --> 00:39:06,240
So that's cool.

730
00:39:06,240 --> 00:39:09,280
But I don't know when that will ever come in handy again.

731
00:39:09,280 --> 00:39:10,720
Next time I'm doing some crazy...

732
00:39:10,720 --> 00:39:13,640
It's just one of those little brain space fillers.

733
00:39:13,640 --> 00:39:14,640
Exactly.

734
00:39:14,640 --> 00:39:15,640
Exactly.

735
00:39:15,640 --> 00:39:16,640
OK.

736
00:39:16,640 --> 00:39:19,400
So getting back, we look around on the board for test pins.

737
00:39:19,400 --> 00:39:25,120
Let's see if we can hook up to those test pins, see if we can figure out some way to

738
00:39:25,120 --> 00:39:27,480
power up the chip via VCC.

739
00:39:27,480 --> 00:39:32,480
Or maybe, I think in the article, yeah, we'll definitely check out the article.

740
00:39:32,480 --> 00:39:36,920
Because there's still some stuff they mention here about glitching with the CPU to get it

741
00:39:36,920 --> 00:39:41,700
to not try to read over that disk.

742
00:39:41,700 --> 00:39:44,080
So maybe there's some cool stuff you can do there.

743
00:39:44,080 --> 00:39:48,400
Yeah, you could definitely do some power glitching and stuff to try and get the CPU in a weird

744
00:39:48,400 --> 00:39:49,760
state.

745
00:39:49,760 --> 00:39:55,080
I do generally like trying to power it with the onboard power stuff, if I can.

746
00:39:55,080 --> 00:39:58,840
So for example, if I'm trying to use UART or something, I definitely want to have it

747
00:39:58,840 --> 00:39:59,840
do its normal.

748
00:39:59,840 --> 00:40:03,080
I basically want the device to think that everything is normal and that it's getting

749
00:40:03,080 --> 00:40:07,840
all the same power delivery and everything that it would while functioning normally instead

750
00:40:07,840 --> 00:40:09,640
of trying to rig that myself.

751
00:40:09,640 --> 00:40:12,960
I probably could, but I don't know if something's going to go wrong.

752
00:40:12,960 --> 00:40:17,000
I don't know if there's special power requirements that the chip is doing or that other things

753
00:40:17,000 --> 00:40:18,320
on the board might need.

754
00:40:18,320 --> 00:40:21,240
And the last thing you want to do is fry something on the board accidentally.

755
00:40:21,240 --> 00:40:22,760
I'm scared of that.

756
00:40:22,760 --> 00:40:26,800
That's the biggest risk, in my opinion, is that you fry something in an expensive piece

757
00:40:26,800 --> 00:40:31,600
of hardware and then you have to buy another one or call it quits.

758
00:40:31,600 --> 00:40:32,600
Those are nice.

759
00:40:32,600 --> 00:40:36,360
And sometimes HackerOne, and I assume Bugcrowd does this too, but I haven't had that experience

760
00:40:36,360 --> 00:40:37,880
with Bugcrowd, so I don't know.

761
00:40:37,880 --> 00:40:38,880
They do.

762
00:40:38,880 --> 00:40:39,880
Okay.

763
00:40:39,880 --> 00:40:41,840
Yeah, it's because Bugcrowd doesn't know that I can hack hardware.

764
00:40:41,840 --> 00:40:44,520
I need to hit them up and be like, hey, by the way.

765
00:40:44,520 --> 00:40:47,080
Me submits one bug a year on Bugcrowd.

766
00:40:47,080 --> 00:40:50,080
It's like, hardware, God.

767
00:40:50,080 --> 00:40:53,720
Yeah, but it's really nice when the HackerOne programs and the Bugcrowd programs actually

768
00:40:53,720 --> 00:40:57,160
send you the hardware to test on without you having to pay for it.

769
00:40:57,160 --> 00:40:58,160
Okay.

770
00:40:58,160 --> 00:41:00,720
So we talked about the logic analyzer.

771
00:41:00,720 --> 00:41:02,120
We talked about a little bit of recon.

772
00:41:02,120 --> 00:41:08,840
So let's say, for example, we can't get the test pin to work, test pin method, with our

773
00:41:08,840 --> 00:41:14,160
sort of natural power and we can't get it to power up, you know, giving it power directly.

774
00:41:14,160 --> 00:41:17,520
So we got to go for a chip pull.

775
00:41:17,520 --> 00:41:19,260
And yeah.

776
00:41:19,260 --> 00:41:23,320
So there are some equipment that we need for this.

777
00:41:23,320 --> 00:41:25,680
And I kind of noted some of them down here.

778
00:41:25,680 --> 00:41:29,320
Joel, you can kind of take a quick look over that and make sure I wasn't missing anything.

779
00:41:29,320 --> 00:41:34,800
But the essentials are a heat, a heat, sort of a heat gun or a heat hot air station, I

780
00:41:34,800 --> 00:41:37,200
think is what they're called.

781
00:41:37,200 --> 00:41:43,280
And that will allow you to just very send very focused hot air on the specific chip.

782
00:41:43,280 --> 00:41:47,480
So you know, you strip down the device, you find the eMMC chip, and you can find that

783
00:41:47,480 --> 00:41:49,400
by Googling, you know, what text is on it.

784
00:41:49,400 --> 00:41:51,680
And sometimes it's obvious from the way that it looks.

785
00:41:51,680 --> 00:41:56,440
But yeah, you know, you set that hot air station up, you shoot hot air on it.

786
00:41:56,440 --> 00:41:57,640
And then what happens?

787
00:41:57,640 --> 00:41:58,640
Yeah.

788
00:41:58,640 --> 00:42:03,160
So basically, for like the mental image, for people who are just listening, a hot air station

789
00:42:03,160 --> 00:42:06,640
is if you've seen a heat gun, it's not like a blow dryer.

790
00:42:06,640 --> 00:42:12,120
It's like just the like, straight part of a blow of a blow dryer without the handle.

791
00:42:12,120 --> 00:42:15,160
And it basically is just an electric coil that blows hot air.

792
00:42:15,160 --> 00:42:17,920
And then it has these little funnels on the end, like you mentioned that, like narrow

793
00:42:17,920 --> 00:42:21,020
the hot air down to like a very.

794
00:42:21,020 --> 00:42:22,020
You can see it.

795
00:42:22,020 --> 00:42:23,020
You're pointing at it right behind you.

796
00:42:23,020 --> 00:42:26,880
I'm sorry, for those on YouTube, you can actually see it on my desk behind me.

797
00:42:26,880 --> 00:42:29,320
But for those of you on audio, listen to Joel, sorry.

798
00:42:29,320 --> 00:42:30,320
Yeah.

799
00:42:30,320 --> 00:42:32,960
So there's like a little, you know, it's like a giant pen kind of thing.

800
00:42:32,960 --> 00:42:35,080
It's wired up to this power supply.

801
00:42:35,080 --> 00:42:38,200
And then on the power supply, you set what temperature you want it to run at.

802
00:42:38,200 --> 00:42:43,240
And then there's a little nozzle on the end that controls how large of an airflow that

803
00:42:43,240 --> 00:42:44,420
it's pushing hot air out.

804
00:42:44,420 --> 00:42:48,120
And then just as a fan over a heating element, it just blows hot air.

805
00:42:48,120 --> 00:42:49,120
OK.

806
00:42:49,120 --> 00:42:51,840
So hot air can go very, very hot.

807
00:42:51,840 --> 00:42:52,840
Very, very, very hot.

808
00:42:52,840 --> 00:42:53,840
Easily burn yourself.

809
00:42:53,840 --> 00:42:55,480
Very, very, very, very hot.

810
00:42:55,480 --> 00:42:59,240
So this is not something to like just, you know, mess around with.

811
00:42:59,240 --> 00:43:02,480
Obviously, be careful as you're using these tools.

812
00:43:02,480 --> 00:43:05,000
You know, respect, respect what it can do.

813
00:43:05,000 --> 00:43:06,000
It is a heat gun.

814
00:43:06,000 --> 00:43:07,000
It creates heat.

815
00:43:07,000 --> 00:43:08,000
You can get burned.

816
00:43:08,000 --> 00:43:09,000
I have gotten burned.

817
00:43:09,000 --> 00:43:10,000
Yes.

818
00:43:10,000 --> 00:43:11,000
Yeah, me as well.

819
00:43:11,000 --> 00:43:12,000
Yes.

820
00:43:12,000 --> 00:43:15,640
I had a hot plate that I was also doing some desoldering with it.

821
00:43:15,640 --> 00:43:17,480
I just like stuck my hand on it by accident.

822
00:43:17,480 --> 00:43:19,520
I forgot I was on.

823
00:43:19,520 --> 00:43:20,680
So that was fun.

824
00:43:20,680 --> 00:43:25,200
But yes, so a hot gun, a heat gun, a hot air reflow rework station.

825
00:43:25,200 --> 00:43:26,520
It's called a lot of different things.

826
00:43:26,520 --> 00:43:30,600
We'll link some stuff down in the description for those of you that kind of want a basic

827
00:43:30,600 --> 00:43:31,600
setup.

828
00:43:31,600 --> 00:43:32,600
Yeah.

829
00:43:32,600 --> 00:43:37,200
But what you need to, all you need to know is that basically chips, generally speaking,

830
00:43:37,200 --> 00:43:38,320
have two different forms.

831
00:43:38,320 --> 00:43:42,120
They have pins that are like coming off the side of them that are then soldered down to

832
00:43:42,120 --> 00:43:43,120
the board.

833
00:43:43,120 --> 00:43:47,080
And then they have these things called a BGA, a ball grid array.

834
00:43:47,080 --> 00:43:55,840
And a BGA is essentially little tiny balls of solder that connect underneath.

835
00:43:55,840 --> 00:43:57,920
Like it literally, it's sandwiches on top.

836
00:43:57,920 --> 00:44:01,040
There's the chip, then there's balls of solder, and then there's the board right underneath

837
00:44:01,040 --> 00:44:03,440
it, and there's contacts on the board underneath it.

838
00:44:03,440 --> 00:44:08,760
And it holds it, you know, once the solder is not melted, it holds it there essentially

839
00:44:08,760 --> 00:44:14,080
acting as the pins that connects it between the contacts on the bottom of the chip and

840
00:44:14,080 --> 00:44:16,560
the contacts on top of the board.

841
00:44:16,560 --> 00:44:23,880
And so when we use a hot air gun, we're essentially heating up those little balls of solder underneath

842
00:44:23,880 --> 00:44:28,560
such that they liquefy enough and then you pull the chip off.

843
00:44:28,560 --> 00:44:29,800
And that's it.

844
00:44:29,800 --> 00:44:30,800
That's basically all you're doing.

845
00:44:30,800 --> 00:44:38,080
You're doing what you would do with a soldering iron, like the hot tip thing and you put it

846
00:44:38,080 --> 00:44:39,920
on whatever it smokes and chip.

847
00:44:39,920 --> 00:44:41,840
It's all that, but it's just like from a distance.

848
00:44:41,840 --> 00:44:44,160
So you're just doing it with hot air.

849
00:44:44,160 --> 00:44:45,160
Yeah.

850
00:44:45,160 --> 00:44:46,160
With hot air.

851
00:44:46,160 --> 00:44:51,360
So, you know, I guess more concretely, you know, you get the hot air station and you're

852
00:44:51,360 --> 00:44:55,320
kind of using that pen and you're going back and forth and back and forth.

853
00:44:55,320 --> 00:45:03,600
And I think the last time we did an assessment, Joel, we set it to about 400 degrees Celsius.

854
00:45:03,600 --> 00:45:09,480
But I think the best way to do it to preserve the safety for the devices, excuse me, is

855
00:45:09,480 --> 00:45:15,880
to set it at like a lower level, maybe like 250 or so, and then sort of slowly work your

856
00:45:15,880 --> 00:45:16,880
way up.

857
00:45:16,880 --> 00:45:20,720
So, you know, you shoot it, you know, back and forth, back and forth for about a minute

858
00:45:20,720 --> 00:45:22,240
and a half, two minutes.

859
00:45:22,240 --> 00:45:25,560
And then, you know, you try to lift the chip and it's, you're not going to be forcing

860
00:45:25,560 --> 00:45:26,560
it.

861
00:45:26,560 --> 00:45:27,560
It's literally just going to be a lift.

862
00:45:27,560 --> 00:45:29,400
Like you're going to put the grab your tweezers.

863
00:45:29,400 --> 00:45:30,400
That's another thing you need.

864
00:45:30,400 --> 00:45:31,400
You're going to grab your tweezers.

865
00:45:31,400 --> 00:45:34,480
You're going to grab the chip with tweezers and you're going to try to lift up.

866
00:45:34,480 --> 00:45:36,800
And if it doesn't come with you, don't force it.

867
00:45:36,800 --> 00:45:40,040
And then you sort of back off, let the chip cool down a little bit because you don't want

868
00:45:40,040 --> 00:45:41,040
to fry it.

869
00:45:41,040 --> 00:45:46,040
You can maybe wait two or three minutes and then, you know, bump up the heat to 275 or

870
00:45:46,040 --> 00:45:48,080
300 or something like that.

871
00:45:48,080 --> 00:45:50,040
And then sort of work your way up.

872
00:45:50,040 --> 00:45:56,000
I think the place we found it was around 400, 425 maybe is a good spot.

873
00:45:56,000 --> 00:46:01,080
And then eventually, you know, you do that for sometimes it's not even 30 seconds.

874
00:46:01,080 --> 00:46:04,840
Sometimes it's like, you know, a shorter amount of time and you'll be able to just lift the

875
00:46:04,840 --> 00:46:07,080
chip right off.

876
00:46:07,080 --> 00:46:11,320
And then you've done a successful pull, hopefully, if you didn't rip off any pads.

877
00:46:11,320 --> 00:46:12,320
Yeah.

878
00:46:12,320 --> 00:46:17,560
So I'm sure that there are some hardware people cringing as they listen to this being like

879
00:46:17,560 --> 00:46:20,800
400 degrees, 425.

880
00:46:20,800 --> 00:46:29,960
So the one thing I'll say is most of these hot air guns are made cheaply and they do

881
00:46:29,960 --> 00:46:35,520
not have the best quality control and they're not the most consistent things, especially

882
00:46:35,520 --> 00:46:38,940
across brands and across devices.

883
00:46:38,940 --> 00:46:45,360
So your mileage is going to vary probably greatly from someone else's and you will just

884
00:46:45,360 --> 00:46:47,680
need to do some testing on your own.

885
00:46:47,680 --> 00:46:52,200
Like Justin said, I would start at a low temp, like start at melting point of solder.

886
00:46:52,200 --> 00:46:55,720
So like probably around 200 C and just work your way up.

887
00:46:55,720 --> 00:47:01,160
If you're, you know, you're constantly moving your air gun, you're heating the whole area.

888
00:47:01,160 --> 00:47:04,120
The thing that you mentioned this, but you didn't really explain it.

889
00:47:04,120 --> 00:47:08,080
You need to be constantly moving the air gun around the chip because you need all of the

890
00:47:08,080 --> 00:47:11,160
balls of solder underneath the chip to be melted at the same time.

891
00:47:11,160 --> 00:47:12,160
Yeah.

892
00:47:12,160 --> 00:47:13,160
Evenly.

893
00:47:13,160 --> 00:47:14,160
Right.

894
00:47:14,160 --> 00:47:15,160
And the other thing is flux.

895
00:47:15,160 --> 00:47:16,160
Oh my God.

896
00:47:16,160 --> 00:47:17,160
Flux is your best friend.

897
00:47:17,160 --> 00:47:18,160
Yeah.

898
00:47:18,160 --> 00:47:19,160
So yeah.

899
00:47:19,160 --> 00:47:22,080
So flux based flux, it basically, it helps solder flow.

900
00:47:22,080 --> 00:47:23,080
This is not really optional.

901
00:47:23,080 --> 00:47:25,600
I, you know, this is very important.

902
00:47:25,600 --> 00:47:26,600
Yes.

903
00:47:26,600 --> 00:47:27,600
You need flux like big time.

904
00:47:27,600 --> 00:47:30,000
So flux helps solder flow.

905
00:47:30,000 --> 00:47:32,660
It helps prevent it from oxidizing.

906
00:47:32,660 --> 00:47:37,720
And so essentially what that's going to do, solder has surface tension, essentially.

907
00:47:37,720 --> 00:47:40,120
That's what holds it in place.

908
00:47:40,120 --> 00:47:45,800
When Justin said that the chip will be very easy to pull off, it's like a water bug on

909
00:47:45,800 --> 00:47:47,600
top of a surface of water.

910
00:47:47,600 --> 00:47:48,600
It's a really good analogy.

911
00:47:48,600 --> 00:47:53,160
The chip is basically magneted in place because there are copper contacts underneath it and

912
00:47:53,160 --> 00:47:57,860
there are copper contacts on the top of the chip and the balls of solder that are between

913
00:47:57,860 --> 00:48:03,280
it are surface tension to those pieces of copper and it's holding, like if you were

914
00:48:03,280 --> 00:48:08,880
to bump the chip, it would snap back basically because the solder is holding it in place.

915
00:48:08,880 --> 00:48:10,920
If it's doing that, that means it's ready to lift.

916
00:48:10,920 --> 00:48:13,760
So your goal is that you want all the solder to be liquid enough that you can basically

917
00:48:13,760 --> 00:48:16,520
bump the chip and see it wiggle and then just lift it.

918
00:48:16,520 --> 00:48:17,520
And it's very, I mean.

919
00:48:17,520 --> 00:48:19,220
There should be no force.

920
00:48:19,220 --> 00:48:20,440
You're not peeling.

921
00:48:20,440 --> 00:48:24,360
You're not, you're not sort of, you know, starting at one side and like sort of lifting

922
00:48:24,360 --> 00:48:25,360
it up a little bit.

923
00:48:25,360 --> 00:48:26,840
No, you're going to break the chip that way.

924
00:48:26,840 --> 00:48:27,840
Don't do that.

925
00:48:27,840 --> 00:48:32,800
It's really, you know, very lightly and, you know, maybe not even with the pointed tip

926
00:48:32,800 --> 00:48:36,600
of your tweezers because you don't want to like scratch it or like, you know, cause any

927
00:48:36,600 --> 00:48:37,600
damage to the chip.

928
00:48:37,600 --> 00:48:39,720
You're just kind of gently pushing against it.

929
00:48:39,720 --> 00:48:44,440
And if you, like Joel said, if you don't see that sort of movement, then it's not ready

930
00:48:44,440 --> 00:48:45,440
to pull.

931
00:48:45,440 --> 00:48:47,680
So yeah, there's a lot of really good videos.

932
00:48:47,680 --> 00:48:49,320
Well, actually there's not.

933
00:48:49,320 --> 00:48:50,680
There's a couple of really good videos.

934
00:48:50,680 --> 00:48:53,400
Yeah, I was going to say, I don't think so.

935
00:48:53,400 --> 00:48:54,840
Yeah, yeah.

936
00:48:54,840 --> 00:48:58,760
People find, I think a lot of these are more like for repair and they don't, they don't

937
00:48:58,760 --> 00:49:03,360
care so much about the integrity of the chip that they're pulling off.

938
00:49:03,360 --> 00:49:05,240
And that's fine.

939
00:49:05,240 --> 00:49:08,880
It's like a demonstration, but just keep that in mind with temperature, right?

940
00:49:08,880 --> 00:49:12,660
Like generally speaking, if you were to read the spec sheet for these chips, these chips

941
00:49:12,660 --> 00:49:17,760
are not designed to be in environments that are above probably like a hundred degrees

942
00:49:17,760 --> 00:49:21,520
Fahrenheit or like, you know, 30 degrees Celsius or something.

943
00:49:21,520 --> 00:49:25,360
Meanwhile we're heating them up to like 200, 400 degrees Celsius.

944
00:49:25,360 --> 00:49:30,560
So you know, part of that is that that's a direct temperature coming out of the gun,

945
00:49:30,560 --> 00:49:33,000
but that's not the temperature that's hitting the chip.

946
00:49:33,000 --> 00:49:36,400
And that's also why we want to move it around and we want to keep constant flow so that

947
00:49:36,400 --> 00:49:38,880
all that heat isn't targeted into one specific place.

948
00:49:38,880 --> 00:49:42,200
It's going to fry or melt stuff within the chip.

949
00:49:42,200 --> 00:49:44,860
So yeah, those tweezers, super useful.

950
00:49:44,860 --> 00:49:48,920
If you look at any videos online, you're going to see basically lots of flux, lots of moving

951
00:49:48,920 --> 00:49:49,920
the heat gun around.

952
00:49:49,920 --> 00:49:52,520
Eventually, you know, they'll tap it.

953
00:49:52,520 --> 00:49:56,600
They'll tap it with like some really fine point tweezers and they'll see that it moves.

954
00:49:56,600 --> 00:50:01,360
And then they just grab the edges of it and just lift it up.

955
00:50:01,360 --> 00:50:04,560
You know, microscopes, some people really like to do it under microscopes.

956
00:50:04,560 --> 00:50:06,600
Some people like to do it under like a magnifying glass.

957
00:50:06,600 --> 00:50:10,420
Some people like to just do with their eyeballs, depending on the size of the chip.

958
00:50:10,420 --> 00:50:12,640
You may or may not need to do that.

959
00:50:12,640 --> 00:50:17,520
You know, it's really, it's really up to you and your eyesight, I guess.

960
00:50:17,520 --> 00:50:19,560
But I do it without a microscope.

961
00:50:19,560 --> 00:50:23,200
The other thing is, for those of you watching on YouTube again, you can see over my shoulder

962
00:50:23,200 --> 00:50:29,840
this little device that Joel, you know, freaking influenced me into buying.

963
00:50:29,840 --> 00:50:30,840
It's called, what is it called?

964
00:50:30,840 --> 00:50:31,840
Is it called?

965
00:50:31,840 --> 00:50:32,840
Handy Hands.

966
00:50:32,840 --> 00:50:33,840
Handy Hands.

967
00:50:33,840 --> 00:50:34,840
That's it.

968
00:50:34,840 --> 00:50:35,840
Yeah.

969
00:50:35,840 --> 00:50:37,240
And it's got like these little sort of, for those of you listening, it's sort of like

970
00:50:37,240 --> 00:50:44,860
Doc Ock style, you know, flexible arms that kind of grip the actual board.

971
00:50:44,860 --> 00:50:50,400
And then they have sort of a magnifying glass light and they've got like a little clamp

972
00:50:50,400 --> 00:50:52,120
there that you can use to hold the board.

973
00:50:52,120 --> 00:50:57,280
And it's just got some nice things that make the whole process go smoother.

974
00:50:57,280 --> 00:51:00,080
And so I would recommend those that made it a lot easier for me.

975
00:51:00,080 --> 00:51:04,920
I know when I did, cause I didn't have that when Joel and I were doing my first pull,

976
00:51:04,920 --> 00:51:12,800
I was actually trying to heat up the chip on top of a heat sink to keep it flat.

977
00:51:12,800 --> 00:51:15,200
And Joel was like, dude, what are you doing?

978
00:51:15,200 --> 00:51:16,200
No, stop.

979
00:51:16,200 --> 00:51:20,240
And so, yeah, definitely, definitely a good recommend there.

980
00:51:20,240 --> 00:51:21,240
Yeah.

981
00:51:21,240 --> 00:51:23,320
And then any kind of Handy Hands is really good.

982
00:51:23,320 --> 00:51:24,320
Yeah.

983
00:51:24,320 --> 00:51:25,320
The really good product.

984
00:51:25,320 --> 00:51:26,800
I really like it.

985
00:51:26,800 --> 00:51:30,060
And then, so once you pull the chip off, you got to clean it and you got to clean it better

986
00:51:30,060 --> 00:51:31,840
than you think you got to clean it.

987
00:51:31,840 --> 00:51:34,480
Just coming from a beginner's perspective here, cause I was like, ah, you know, this

988
00:51:34,480 --> 00:51:35,480
is probably fine.

989
00:51:35,480 --> 00:51:40,280
Nah, you really want to take the time with isopropyl alcohol and a Q-tip and, you know,

990
00:51:40,280 --> 00:51:45,880
gently with some tweezers and, you know, you want to put, I think you, Joel, even use like

991
00:51:45,880 --> 00:51:53,160
the tip of a soldering iron and sort of drag some flux or some solder around on it, right?

992
00:51:53,160 --> 00:51:54,160
Yeah, yeah.

993
00:51:54,160 --> 00:51:55,520
So it's called reflowing.

994
00:51:55,520 --> 00:52:00,600
And basically you take like, you know, a larger than normal blob of solder and you can just

995
00:52:00,600 --> 00:52:02,320
heat it up and get it.

996
00:52:02,320 --> 00:52:09,440
So it's like stuck kind of, yeah, it's melted, but it's stuck to the end of your soldering

997
00:52:09,440 --> 00:52:10,760
iron tip.

998
00:52:10,760 --> 00:52:15,700
And then you just want to glide that ball of solder over the contacts, over the copper

999
00:52:15,700 --> 00:52:18,600
contacts on the bottom side of the chip after you removed it.

1000
00:52:18,600 --> 00:52:23,440
And that's going to one, pick up any extra solder that is on those pins.

1001
00:52:23,440 --> 00:52:29,500
And it's also going to put a thin layer of solder back on top of any ones that don't

1002
00:52:29,500 --> 00:52:30,600
have solder on them.

1003
00:52:30,600 --> 00:52:32,160
So it's going to basically like clean up.

1004
00:52:32,160 --> 00:52:35,240
It's going to uniformly, right, right, right.

1005
00:52:35,240 --> 00:52:39,120
And then you just, you know, lift it off and you should have your big blob of solder still

1006
00:52:39,120 --> 00:52:41,240
on your iron.

1007
00:52:41,240 --> 00:52:44,680
And that's going to help prevent any contacts from getting bridged, any of that kind of

1008
00:52:44,680 --> 00:52:45,680
stuff.

1009
00:52:45,680 --> 00:52:50,640
The flux, yeah, isopropyl alcohol, the higher the percentage, the better, 99%.

1010
00:52:50,640 --> 00:52:55,240
If you can get it, 91 is probably what you'll find at like a store or something.

1011
00:52:55,240 --> 00:52:59,720
But yeah, just a Q-tip or a cotton swab or anything like that.

1012
00:52:59,720 --> 00:53:03,400
You know, just be aware that it can leave like little fibers behind.

1013
00:53:03,400 --> 00:53:04,400
Yeah, I don't like that.

1014
00:53:04,400 --> 00:53:05,400
Yeah.

1015
00:53:05,400 --> 00:53:06,400
Yeah.

1016
00:53:06,400 --> 00:53:10,800
And you know, some Q-tips are less fibrous than others, I guess, less hairy than others.

1017
00:53:10,800 --> 00:53:15,760
So what I did when I was doing it was I actually pulled off a little bit of the hair, you know,

1018
00:53:15,760 --> 00:53:20,240
and kind of made it a little bit less hairy, you know, when I first started using the Q-tip.

1019
00:53:20,240 --> 00:53:23,360
And then, you know, that sort of got it to drop less fibers.

1020
00:53:23,360 --> 00:53:27,920
So, or maybe even you could like, you know, twist it in your hand and try to compact some

1021
00:53:27,920 --> 00:53:31,840
of that down so that it doesn't leave as many fibers on there because that is a pain to

1022
00:53:31,840 --> 00:53:32,840
get off afterwards.

1023
00:53:32,840 --> 00:53:36,520
I think maybe I used a microfiber cloth or something like that at one point to try to

1024
00:53:36,520 --> 00:53:37,520
get this off.

1025
00:53:37,520 --> 00:53:38,520
Yeah.

1026
00:53:38,520 --> 00:53:39,520
Yeah, something like that.

1027
00:53:39,520 --> 00:53:43,920
So yeah, reflowing it and using isopropyl to clean any excess flux.

1028
00:53:43,920 --> 00:53:47,160
Those are the two ways that I generally clean the bottom of a chip.

1029
00:53:47,160 --> 00:53:51,440
If you're having a read problem with a chip and it looks like visibly like there's no

1030
00:53:51,440 --> 00:53:56,320
defects in the chip, there's no physical damage, all the contacts look like they're intact,

1031
00:53:56,320 --> 00:54:00,000
it doesn't look like any of them have been ripped off or anything like that, clean it

1032
00:54:00,000 --> 00:54:01,000
again.

1033
00:54:01,000 --> 00:54:02,600
Just that's number one.

1034
00:54:02,600 --> 00:54:07,000
I just say clean it again because we had that happen both on my side and Justin's side where

1035
00:54:07,000 --> 00:54:11,400
a chip wasn't reading properly in the reader, took some more ISO, just cleaned it one more

1036
00:54:11,400 --> 00:54:12,400
time.

1037
00:54:12,400 --> 00:54:16,120
There must have been like a thin layer of flux or something that was, you know, interrupting

1038
00:54:16,120 --> 00:54:17,120
their...

1039
00:54:17,120 --> 00:54:18,120
Yeah, I don't know.

1040
00:54:18,120 --> 00:54:19,120
But yeah, that fixed it.

1041
00:54:19,120 --> 00:54:22,720
And that last one, that last pull that you did on the last exercise or the last thing

1042
00:54:22,720 --> 00:54:27,680
we were working on, like it was, I mean, he was holding it up to the, you know, to the

1043
00:54:27,680 --> 00:54:30,600
webcam and it looked like it just came out of the factory, man.

1044
00:54:30,600 --> 00:54:32,560
It was like clean as could be.

1045
00:54:32,560 --> 00:54:33,560
So that's the goal.

1046
00:54:33,560 --> 00:54:35,600
It was mint.

1047
00:54:35,600 --> 00:54:37,800
So that was really cool.

1048
00:54:37,800 --> 00:54:41,440
And then one of the other things I just wanted to mention, we're going back, you know, so,

1049
00:54:41,440 --> 00:54:43,360
well, actually we'll go back after.

1050
00:54:43,360 --> 00:54:44,360
Let's go ahead and finish this up.

1051
00:54:44,360 --> 00:54:50,000
So you clean it and then we're going to go ahead and put it in an eMMC chip reader.

1052
00:54:50,000 --> 00:54:53,000
There are quite a few different devices out there.

1053
00:54:53,000 --> 00:54:57,960
The only one I have experience using is not on my desk right now, but it's an Allsocket

1054
00:54:57,960 --> 00:55:00,720
eMMC reader, very easy to use.

1055
00:55:00,720 --> 00:55:07,040
It has a bunch of nice little plastic fittings you can use for different sizes of eMMCs.

1056
00:55:07,040 --> 00:55:10,480
It does not, we did run into an issue last time where it actually didn't have the right

1057
00:55:10,480 --> 00:55:18,080
plastic size to get it to read, which was kind of a pain, but we found another way to

1058
00:55:18,080 --> 00:55:19,080
do it.

1059
00:55:19,080 --> 00:55:20,080
So that was good.

1060
00:55:20,080 --> 00:55:21,200
But yeah, so that's one option.

1061
00:55:21,200 --> 00:55:24,720
And then I know people also use something called a T56.

1062
00:55:24,720 --> 00:55:25,720
Yeah.

1063
00:55:25,720 --> 00:55:29,440
Let me pull it up, universal programmer.

1064
00:55:29,440 --> 00:55:30,800
And I've had some success with that.

1065
00:55:30,800 --> 00:55:32,960
So, yeah, so I have both of these.

1066
00:55:32,960 --> 00:55:38,280
The BGA, so the Allsocket BGA eMMC reader, super, super useful.

1067
00:55:38,280 --> 00:55:43,760
Like you mentioned, it basically has different base plates that will hold it over the right

1068
00:55:43,760 --> 00:55:48,100
pin, like the pin readers within the socket adapter.

1069
00:55:48,100 --> 00:55:52,720
The thing to note about that is one, it's quite expensive for like, it's a very targeted

1070
00:55:52,720 --> 00:55:53,720
tool.

1071
00:55:53,720 --> 00:56:01,520
It's designed for, I think it's BGA 159 or something, 186 or, I mean, let me pull it

1072
00:56:01,520 --> 00:56:02,520
up real quick.

1073
00:56:02,520 --> 00:56:03,520
Yeah.

1074
00:56:03,520 --> 00:56:08,120
And when he says it's very expensive, I mean, it's in the hundreds range, not in the thousands

1075
00:56:08,120 --> 00:56:10,320
range because I'll just throw it out there.

1076
00:56:10,320 --> 00:56:15,520
It was $87, but it's just this adapter, right?

1077
00:56:15,520 --> 00:56:18,480
$87 plus $8 of shipping.

1078
00:56:18,480 --> 00:56:26,440
And it's designed for eMMC, BGA 153 and 169.

1079
00:56:26,440 --> 00:56:27,440
Okay.

1080
00:56:27,440 --> 00:56:32,840
So specifically that's like, those are two different form factors of chip.

1081
00:56:32,840 --> 00:56:36,080
It might refer to like the number of, no, it doesn't.

1082
00:56:36,080 --> 00:56:38,240
It can't be the number of solder.

1083
00:56:38,240 --> 00:56:40,540
It's a specific form factor of chip basically.

1084
00:56:40,540 --> 00:56:43,240
And you'll see like, if you're reading the data sheet, that there will be different form

1085
00:56:43,240 --> 00:56:44,840
factors for different chips.

1086
00:56:44,840 --> 00:56:49,720
A lot of them will fall into the same categories, but as just mentioned, for example, we pulled

1087
00:56:49,720 --> 00:56:57,960
a BGA chip that was, I think it was a BGA 153, but it wasn't the right size dimensions.

1088
00:56:57,960 --> 00:57:01,000
It didn't have the faceplate to hold it in the adapter.

1089
00:57:01,000 --> 00:57:03,160
So we couldn't read it very easily.

1090
00:57:03,160 --> 00:57:08,360
And I had even tried like 3D printing an adapter to fit it in there and it didn't really work

1091
00:57:08,360 --> 00:57:09,360
that well.

1092
00:57:09,360 --> 00:57:10,360
Yeah.

1093
00:57:10,360 --> 00:57:11,360
Yeah.

1094
00:57:11,360 --> 00:57:12,360
That was a little bit of a bummer.

1095
00:57:12,360 --> 00:57:17,240
But definitely, if you're going to buy specialized equipment for a specific thing, I think these

1096
00:57:17,240 --> 00:57:22,560
all socket EMMC readers will cover the large majority of the ones, but you got to know

1097
00:57:22,560 --> 00:57:26,240
you may run into a situation and you may want to measure the size of the chip beforehand

1098
00:57:26,240 --> 00:57:29,720
in millimeters and make sure it supports that form factor.

1099
00:57:29,720 --> 00:57:35,900
I do want to say, I said it just a second ago, but Joel said they're expensive.

1100
00:57:35,900 --> 00:57:40,340
There are some things on Amazon that are selling these things for like two and a half grand.

1101
00:57:40,340 --> 00:57:42,580
That is not what we're asking you to buy.

1102
00:57:42,580 --> 00:57:44,680
Do not buy that.

1103
00:57:44,680 --> 00:57:46,360
They're cheaper options.

1104
00:57:46,360 --> 00:57:49,600
I think it was like, yeah, $100 or $700.

1105
00:57:49,600 --> 00:57:52,840
So we'll link some of those down in the description.

1106
00:57:52,840 --> 00:57:54,960
You can find them on some of them, you can find on Amazon.

1107
00:57:54,960 --> 00:57:57,920
Some of them you can find on some of the other websites.

1108
00:57:57,920 --> 00:58:01,720
So definitely don't go and spend like two and a half grand for one of these things because

1109
00:58:01,720 --> 00:58:02,720
it's ridiculous.

1110
00:58:02,720 --> 00:58:03,720
Yeah.

1111
00:58:03,720 --> 00:58:04,720
Yeah.

1112
00:58:04,720 --> 00:58:06,200
For the T56, that's really good for like...

1113
00:58:06,200 --> 00:58:07,200
Yeah, tell me about that.

1114
00:58:07,200 --> 00:58:08,200
Yeah.

1115
00:58:08,200 --> 00:58:09,840
So that's good for like NAND flashes and stuff.

1116
00:58:09,840 --> 00:58:11,880
It has different use cases.

1117
00:58:11,880 --> 00:58:12,880
Generally when I use that...

1118
00:58:12,880 --> 00:58:14,880
What is a NAND flash?

1119
00:58:14,880 --> 00:58:19,920
Well, a NAND is just like a basic part of a chip.

1120
00:58:19,920 --> 00:58:26,440
It's like an electronic structure, but a NAND flash, it's just a different type of flash.

1121
00:58:26,440 --> 00:58:27,440
Okay, gotcha.

1122
00:58:27,440 --> 00:58:33,860
As opposed to an EMMC or a NAND flash, they're different types of flashes, NOR flashes.

1123
00:58:33,860 --> 00:58:38,020
But you can buy these large sets of adapters.

1124
00:58:38,020 --> 00:58:44,680
So I have a huge box that's full of just like every type of T-SOP, like T-SOP 48, T-SOP

1125
00:58:44,680 --> 00:58:51,600
56, like every single T-SOP or SOP adapter that you can think of.

1126
00:58:51,600 --> 00:58:56,000
And then on the bottom, it has these little pins that they're just pin headers.

1127
00:58:56,000 --> 00:58:59,880
And essentially you clamp it in this T56 and then you plug it into your computer and you

1128
00:58:59,880 --> 00:59:02,260
can read it.

1129
00:59:02,260 --> 00:59:05,480
And it's just, it's a different way of mounting it.

1130
00:59:05,480 --> 00:59:10,120
Basically the all socket one I'm using for BGA stuff.

1131
00:59:10,120 --> 00:59:13,600
I suppose you probably could do BGA stuff this way with the T56.

1132
00:59:13,600 --> 00:59:16,000
Yeah, it says, if you...

1133
00:59:16,000 --> 00:59:18,480
Here, I'll send it to you right now on Discord.

1134
00:59:18,480 --> 00:59:28,720
If you look at the third item down, it says supports BGA 45, 63, 64, 153, 162, 169, 221.

1135
00:59:28,720 --> 00:59:34,080
So I think it definitely has a wide range of BGA that it's compatible with.

1136
00:59:34,080 --> 00:59:35,080
Yeah.

1137
00:59:35,080 --> 00:59:36,080
Yeah.

1138
00:59:36,080 --> 00:59:39,960
So I think the main thing is you just have to get the right adapters for it.

1139
00:59:39,960 --> 00:59:43,960
I'm honestly not sure how this thing works.

1140
00:59:43,960 --> 00:59:49,760
Every time I've ever used it, I just plug it in and it either has the chip in the software

1141
00:59:49,760 --> 00:59:50,760
or it doesn't.

1142
00:59:50,760 --> 00:59:53,200
And it just like, yeah, I don't know.

1143
00:59:53,200 --> 00:59:56,040
It's kind of weird, but it's pretty useful.

1144
00:59:56,040 --> 00:59:57,040
Yeah.

1145
00:59:57,040 --> 01:00:01,840
So this could be a good one to check out and add to your arsenal as well.

1146
01:00:01,840 --> 01:00:06,520
I think probably altogether, I spent maybe five or $600 on sort of like a beginner's

1147
01:00:06,520 --> 01:00:10,920
setup for all of this stuff when I was first starting out.

1148
01:00:10,920 --> 01:00:15,360
So definitely it's not cheap to get into it, but also now I've got the tools that I'll

1149
01:00:15,360 --> 01:00:17,880
use in the future as well.

1150
01:00:17,880 --> 01:00:20,440
So that's pretty helpful.

1151
01:00:20,440 --> 01:00:21,440
Yeah.

1152
01:00:21,440 --> 01:00:22,440
Yeah.

1153
01:00:22,440 --> 01:00:24,880
Hardware hacking is one of those things where you could easily spend a couple thousand dollars

1154
01:00:24,880 --> 01:00:31,080
on tools and still not have the right thing that you need.

1155
01:00:31,080 --> 01:00:36,040
So I would just say do a lot of research before you buy stuff, especially specifically for

1156
01:00:36,040 --> 01:00:37,040
your use case.

1157
01:00:37,040 --> 01:00:40,160
So like what specific chip do you want to use this tool for?

1158
01:00:40,160 --> 01:00:42,080
Is it going to work for that chip?

1159
01:00:42,080 --> 01:00:47,000
And don't be surprised if it doesn't work for other chips.

1160
01:00:47,000 --> 01:00:49,180
That's kind of just the way it is.

1161
01:00:49,180 --> 01:00:54,160
If you can find some of those more generic tools, sometimes they're more expensive and

1162
01:00:54,160 --> 01:00:58,960
they'll require some more like effort on your side in terms of like programming or like

1163
01:00:58,960 --> 01:01:02,760
maybe you'll have to write something custom to interface with it, but those tools will

1164
01:01:02,760 --> 01:01:04,680
let you interface with almost anything.

1165
01:01:04,680 --> 01:01:05,680
Nice.

1166
01:01:05,680 --> 01:01:06,680
Yeah, that's awesome.

1167
01:01:06,680 --> 01:01:11,240
I definitely value that flexibility a little bit because it's nothing worse than like you

1168
01:01:11,240 --> 01:01:14,600
sit down on a weekend and you're ready to go and you're like, all right, I'm just going

1169
01:01:14,600 --> 01:01:18,160
to hack this and you get like an hour in and you're like, I don't actually have the thing

1170
01:01:18,160 --> 01:01:19,160
that I need.

1171
01:01:19,160 --> 01:01:20,160
Yes.

1172
01:01:20,160 --> 01:01:21,160
That's a pain.

1173
01:01:21,160 --> 01:01:22,160
All right.

1174
01:01:22,160 --> 01:01:25,280
So you cleaned it, you put it in your reader.

1175
01:01:25,280 --> 01:01:28,480
Like Joe mentioned in the beginning, there's a little dot at the corner of a lot of the

1176
01:01:28,480 --> 01:01:33,080
EMMC chips that show you where the number one pin is and you'll want to align that with

1177
01:01:33,080 --> 01:01:39,840
the arrow on your all socket EMMC reader if you're using that and sort of clamp it down,

1178
01:01:39,840 --> 01:01:45,160
slide it right into an SD card slot either on your computer.

1179
01:01:45,160 --> 01:01:52,160
Ideally your computer has an EMMC reader built in at a sort of internal chip level rather

1180
01:01:52,160 --> 01:01:56,440
than using like a USB thing, but the USB things will work as well unless you're trying to

1181
01:01:56,440 --> 01:02:03,760
access some specific features that only an EMMC reader can access rather than an SD card

1182
01:02:03,760 --> 01:02:07,840
reader because they are sort of cross compatible, but EMMC has some features that SD can't handle,

1183
01:02:07,840 --> 01:02:08,840
I think.

1184
01:02:08,840 --> 01:02:09,840
Right.

1185
01:02:09,840 --> 01:02:10,840
Yeah.

1186
01:02:10,840 --> 01:02:13,000
So like the RPMB stuff that we talked about, like that is one of those specific things where

1187
01:02:13,000 --> 01:02:18,240
you need an EMMC controller that is in like on your device in order to interface with

1188
01:02:18,240 --> 01:02:19,240
something like that.

1189
01:02:19,240 --> 01:02:24,600
They sell PCIe ones that are like proper EMMC controllers, but most of the time you're going

1190
01:02:24,600 --> 01:02:30,840
to find it needs to be like an onboard full size SD reader on your computer on like a

1191
01:02:30,840 --> 01:02:32,160
laptop or something.

1192
01:02:32,160 --> 01:02:35,280
And even then a lot of the times it won't.

1193
01:02:35,280 --> 01:02:42,240
If you use like a USB reader, USB like SD readers, they are basically just storage interfaces

1194
01:02:42,240 --> 01:02:43,360
for EMMC.

1195
01:02:43,360 --> 01:02:49,880
So they have an EMMC controller on the, you know, in the USB adapter or whatever.

1196
01:02:49,880 --> 01:02:53,420
But when you plug that in, all it's doing is exposing those storage interfaces.

1197
01:02:53,420 --> 01:02:55,840
So it's going to be all the storage partitions, but you're not going to have access to the

1198
01:02:55,840 --> 01:03:01,520
raw EMMC like RPMB and any of those other like special EMMC type things, unless you

1199
01:03:01,520 --> 01:03:03,640
have an onboard EMMC controller.

1200
01:03:03,640 --> 01:03:07,480
So if all you need to do is read data partitions, totally fine.

1201
01:03:07,480 --> 01:03:08,480
If you need to read RPMB.

1202
01:03:08,480 --> 01:03:10,480
Which is what you need to do normally.

1203
01:03:10,480 --> 01:03:11,480
Yes.

1204
01:03:11,480 --> 01:03:13,200
Normally speaking, like 99% of cases you'll probably be fine.

1205
01:03:13,200 --> 01:03:16,320
But if you want to try and get at RPMB or any of that kind of stuff, you're going to

1206
01:03:16,320 --> 01:03:18,840
need an onboard EMMC controller.

1207
01:03:18,840 --> 01:03:19,840
Yeah.

1208
01:03:19,840 --> 01:03:20,840
Yeah.

1209
01:03:20,840 --> 01:03:22,360
So now you've got it hooked up.

1210
01:03:22,360 --> 01:03:25,200
You're seeing the partitions pop in.

1211
01:03:25,200 --> 01:03:30,640
What we did last time is we just used the dd command in Linux to just pull a raw, you

1212
01:03:30,640 --> 01:03:36,160
know, device level image of that device into an image file.

1213
01:03:36,160 --> 01:03:38,360
And then we ended up using, was it 7-zip?

1214
01:03:38,360 --> 01:03:39,360
7-zip.

1215
01:03:39,360 --> 01:03:40,360
Yeah.

1216
01:03:40,360 --> 01:03:44,640
7-zip to go ahead and break that out into the individual partitions.

1217
01:03:44,640 --> 01:03:46,760
And then, you know, you'll see various files created.

1218
01:03:46,760 --> 01:03:52,560
And if you run file on them, you'll see like, you know, there's an ext4.

1219
01:03:52,560 --> 01:03:53,560
Ext4, yeah.

1220
01:03:53,560 --> 01:03:55,200
Or like a fat partition or whatever.

1221
01:03:55,200 --> 01:03:58,360
You know, there's going to be a bunch of different partitions because that's always what they

1222
01:03:58,360 --> 01:04:00,200
have in a bunch of these IoT devices.

1223
01:04:00,200 --> 01:04:05,200
But you know, identifying all of those various partitions is really fun.

1224
01:04:05,200 --> 01:04:10,120
And this kind of pivots into the last section that I wanted to cover, which is like, Joel,

1225
01:04:10,120 --> 01:04:12,360
what kind of like, preventions have you seen from this?

1226
01:04:12,360 --> 01:04:16,960
Because the only one that kind of comes to my head was like, man, we would have been

1227
01:04:16,960 --> 01:04:22,720
in trouble if they stuck all of the source code or like the file system for that device

1228
01:04:22,720 --> 01:04:28,920
inside of that LUKS encrypted partition that we saw for some of the more sensitive data.

1229
01:04:28,920 --> 01:04:35,960
And then, you know, stored the key for that LUKS encrypted partition in a secure enclave

1230
01:04:35,960 --> 01:04:39,760
and at like a hardware level at the CPU or something like that.

1231
01:04:39,760 --> 01:04:43,760
That would have been a royal pain in the butt to get access to.

1232
01:04:43,760 --> 01:04:45,520
So I mean, there's that option.

1233
01:04:45,520 --> 01:04:49,320
I imagine that would sort of delay startup quite a bit because every time you wanted

1234
01:04:49,320 --> 01:04:55,520
to use the device, you'd have to decrypt everything on the partition and then also copy that into

1235
01:04:55,520 --> 01:04:58,220
an actual functioning partition.

1236
01:04:58,220 --> 01:05:00,160
So that might affect the boot speed a little bit.

1237
01:05:00,160 --> 01:05:04,160
But what other kind of hardware level preventions have you seen that might, you know, foil a

1238
01:05:04,160 --> 01:05:05,160
hacker?

1239
01:05:05,160 --> 01:05:06,160
Yeah.

1240
01:05:06,160 --> 01:05:10,320
I think I mentioned like that kind of stuff, that's going to be like 99% of the time is

1241
01:05:10,320 --> 01:05:12,760
going to stop like a lot of what you're trying to do.

1242
01:05:12,760 --> 01:05:16,220
You're going to have to find some other attack scenario if you want like a shell or something

1243
01:05:16,220 --> 01:05:20,880
like that to figure out like what it's doing, you're going to need to like glitch it or

1244
01:05:20,880 --> 01:05:24,360
maybe you'll have to read the MMC while it's running or something like that.

1245
01:05:24,360 --> 01:05:25,360
Right.

1246
01:05:25,360 --> 01:05:29,860
Like this is one of those cases where that might actually be the right scenario.

1247
01:05:29,860 --> 01:05:37,080
But yeah, an encrypted partition would stop like pretty much all the stuff that we were

1248
01:05:37,080 --> 01:05:39,180
doing there.

1249
01:05:39,180 --> 01:05:43,720
Another thing that you see commonly, and this isn't for storage so much as it is for like

1250
01:05:43,720 --> 01:05:48,960
debugging stuff, but there's typically, there'll be like a fuse either within a chip or on

1251
01:05:48,960 --> 01:05:49,960
the board.

1252
01:05:49,960 --> 01:05:55,480
And it's typically called like a JTAG fuse or a UART or a debug fuse or something.

1253
01:05:55,480 --> 01:06:00,600
And they'll basically pop the fuse by like putting enough power to it and then it can

1254
01:06:00,600 --> 01:06:01,800
never be reverted.

1255
01:06:01,800 --> 01:06:08,600
So it has a physical break in the communication between like your test pins and the JTAG interface

1256
01:06:08,600 --> 01:06:09,800
on the chip.

1257
01:06:09,800 --> 01:06:15,800
And you can't get around that unless you like, I don't know, do some like really crazy like

1258
01:06:15,800 --> 01:06:18,800
pulling the chip apart.

1259
01:06:18,800 --> 01:06:19,800
Like I don't know.

1260
01:06:19,800 --> 01:06:21,960
You're going to have to like cut into the chip and like get access to it.

1261
01:06:21,960 --> 01:06:22,960
Which I've seen by the way.

1262
01:06:22,960 --> 01:06:23,960
That's crazy.

1263
01:06:23,960 --> 01:06:24,960
Yeah.

1264
01:06:24,960 --> 01:06:25,960
That's really gnarly.

1265
01:06:25,960 --> 01:06:31,680
That's interesting though that that's a counter measure that people might take, you know,

1266
01:06:31,680 --> 01:06:36,200
just kind of putting a fuse in there and blowing it, you know, severs the connection for that

1267
01:06:36,200 --> 01:06:37,200
sort of thing.

1268
01:06:37,200 --> 01:06:38,200
That's a good idea.

1269
01:06:38,200 --> 01:06:39,200
Yeah.

1270
01:06:39,200 --> 01:06:41,280
I've seen, there's a couple of really interesting Twitter threads out there.

1271
01:06:41,280 --> 01:06:45,320
I'm trying to remember who created them, but every once in a while you'll see like some

1272
01:06:45,320 --> 01:06:49,760
crazy hardware hacker just like put a video of what they're working on, like on Twitter.

1273
01:06:49,760 --> 01:06:55,260
And this one time there was this guy, he was using a razor blade to scratch away the surface

1274
01:06:55,260 --> 01:06:59,160
of a chip while it was on the board to expose the contacts underneath.

1275
01:06:59,160 --> 01:07:03,520
And then he took like, you know, probably, I don't know, speaker, speaker wire.

1276
01:07:03,520 --> 01:07:04,520
I don't even know.

1277
01:07:04,520 --> 01:07:11,160
Like, you know, like maybe like a coil wire or something like really, really fine wire,

1278
01:07:11,160 --> 01:07:14,440
like wire, wire gauge wire.

1279
01:07:14,440 --> 01:07:18,680
And then like, I think he soldered it down so it wouldn't move.

1280
01:07:18,680 --> 01:07:23,240
And then he soldered the like tip of it to like the contact on the chip.

1281
01:07:23,240 --> 01:07:25,120
Dude, it was so crazy.

1282
01:07:25,120 --> 01:07:26,120
I got to, I'll find it.

1283
01:07:26,120 --> 01:07:27,120
We'll put it in the show notes.

1284
01:07:27,120 --> 01:07:28,560
Yeah, no, definitely find that.

1285
01:07:28,560 --> 01:07:29,560
I want to see that.

1286
01:07:29,560 --> 01:07:36,480
And I know I watched a talk at Defcon by Leonard, I think is the guy that did it.

1287
01:07:36,480 --> 01:07:39,440
Hardware hacking guy, you know, just glitching.

1288
01:07:39,440 --> 01:07:44,920
I think it was some SpaceX or stuff or some whatever their, their wifi thing is that's

1289
01:07:44,920 --> 01:07:47,000
everywhere.

1290
01:07:47,000 --> 01:07:48,000
Just absolutely amazing.

1291
01:07:48,000 --> 01:07:52,600
There's so much to learn about in this space, which really excites me as a, as a more veteran

1292
01:07:52,600 --> 01:07:57,280
hacker in the, in the web and, and mobile space a little bit now.

1293
01:07:57,280 --> 01:08:02,240
You know, having another realm to dive deep into is really, is really cool.

1294
01:08:02,240 --> 01:08:05,880
So I'm excited to continue learning about that sort of thing and be able to do some,

1295
01:08:05,880 --> 01:08:12,360
some glitching and, and some, some of the stuff that I haven't tackled next time around.

1296
01:08:12,360 --> 01:08:13,640
Yeah, for sure.

1297
01:08:13,640 --> 01:08:18,320
I mean, there's this space is like, I feel like I've just barely scratched the surface

1298
01:08:18,320 --> 01:08:23,520
in terms of knowledge and understanding and, and what's possible and all that kind of stuff.

1299
01:08:23,520 --> 01:08:27,560
And I feel like I'm just, just like, I'm doing like, you know, a baby's first hardware hacking

1300
01:08:27,560 --> 01:08:28,560
right now.

1301
01:08:28,560 --> 01:08:31,600
So like there's so much, so much I, I don't know.

1302
01:08:31,600 --> 01:08:34,440
And there's so much I haven't explored that that seems so cool.

1303
01:08:34,440 --> 01:08:38,280
Well, it's very different too, you know, and if you talk to some of these lower level guys,

1304
01:08:38,280 --> 01:08:42,480
they, they don't have any, you know, experience doing web stuff.

1305
01:08:42,480 --> 01:08:47,200
And so it's just different realms and different sections of places where people are focusing.

1306
01:08:47,200 --> 01:08:49,680
And so it's cool to get some sort of cross experience.

1307
01:08:49,680 --> 01:08:54,920
It makes you really feel like a more well-rounded or developed hacker, I think.

1308
01:08:54,920 --> 01:08:58,480
I did want to add a disclosure at the end here.

1309
01:08:58,480 --> 01:09:01,360
This does not constitute a vulnerability.

1310
01:09:01,360 --> 01:09:08,040
So being able to pull the operating system off of a chip, I personally don't believe

1311
01:09:08,040 --> 01:09:10,080
constitutes a vulnerability.

1312
01:09:10,080 --> 01:09:11,880
I've seen some hackers report that.

1313
01:09:11,880 --> 01:09:15,280
I'm not sure whether they got paid or not.

1314
01:09:15,280 --> 01:09:18,760
But you know, there's not a really great countermeasure to it.

1315
01:09:18,760 --> 01:09:23,680
And, and so it's just kind of a part of hardware hacking and more like finding JavaScript files

1316
01:09:23,680 --> 01:09:32,120
in, in, in web stuff or more like decompiling an APK and grabbing at the Java source code,

1317
01:09:32,120 --> 01:09:34,240
you know, in mobile.

1318
01:09:34,240 --> 01:09:40,400
So definitely, definitely don't go and like, once you get your chip and you pull the data

1319
01:09:40,400 --> 01:09:44,440
off of it, don't go report it like critical, you know, source code disclosure, because

1320
01:09:44,440 --> 01:09:48,640
I believe most of the time that is something that is not going to get accepted by the program.

1321
01:09:48,640 --> 01:09:49,640
So there's your disclaimer.

1322
01:09:49,640 --> 01:09:50,640
Yes.

1323
01:09:50,640 --> 01:09:51,640
Yeah, for sure.

1324
01:09:51,640 --> 01:09:52,640
And I agree.

1325
01:09:52,640 --> 01:09:57,240
I've actually, I've seen people report this exact thing as, as a bug.

1326
01:09:57,240 --> 01:10:02,840
And it's personally, it's not something that I would report either, but I do see that there

1327
01:10:02,840 --> 01:10:04,680
is a security risk to it.

1328
01:10:04,680 --> 01:10:10,800
I think I would probably just like, it's a really hard attack scenario to like justify

1329
01:10:10,800 --> 01:10:15,380
is like, you know, to say like, oh, it's a higher crit or something.

1330
01:10:15,380 --> 01:10:19,240
That's a really hard thing to justify, depending on what it is, depending on what it is.

1331
01:10:19,240 --> 01:10:23,180
There are certainly hardware devices, like cell phones that are in like so many people's

1332
01:10:23,180 --> 01:10:26,020
hands and pockets that that might be a justifiable attack scenario.

1333
01:10:26,020 --> 01:10:31,280
But I think just in and of itself, having a decrypted partition, maybe not enough.

1334
01:10:31,280 --> 01:10:32,280
Yeah, totally agree.

1335
01:10:32,280 --> 01:10:33,280
Yeah.

1336
01:10:33,280 --> 01:10:34,280
All right, man.

1337
01:10:34,280 --> 01:10:35,280
So that's all on the notes for this episode.

1338
01:10:35,280 --> 01:10:38,160
You got anything else or are we going to wrap it up here?

1339
01:10:38,160 --> 01:10:39,160
Nope.

1340
01:10:39,160 --> 01:10:40,160
That's it.

1341
01:10:40,160 --> 01:10:41,160
I did find those links.

1342
01:10:41,160 --> 01:10:42,160
So we'll put them in the show notes.

1343
01:10:42,160 --> 01:10:43,160
Be sure to check out those links.

1344
01:10:43,160 --> 01:10:47,160
One is from Gtorix and one is from Hacking Things, both on Twitter.

1345
01:10:47,160 --> 01:10:48,880
I'm going to go, I'm going to go look those up right now.

1346
01:10:48,880 --> 01:10:55,240
I will say as we're heading out, so many of you went over to the website after last episode,

1347
01:10:55,240 --> 01:10:58,880
criticalthinkingpodcast.io and dropped your email in the newsletter.

1348
01:10:58,880 --> 01:10:59,880
Super appreciate that.

1349
01:10:59,880 --> 01:11:02,240
I would love if you continue to do that.

1350
01:11:02,240 --> 01:11:07,360
And also, please remember, NahamCon, that ends, let me pull up the dates really quickly.

1351
01:11:07,360 --> 01:11:10,360
I want to say it's June 15th to 17th.

1352
01:11:10,360 --> 01:11:13,800
Yeah, June 15th to 17th.

1353
01:11:13,800 --> 01:11:16,920
The Saturday is when I'll be speaking at the 1220 slot.

1354
01:11:16,920 --> 01:11:18,360
You won't want to miss out on that.

1355
01:11:18,360 --> 01:11:20,800
Lots of great, talented Bug Bounty Hunters there.

1356
01:11:20,800 --> 01:11:22,520
They're dropping some amazing presentations.

1357
01:11:22,520 --> 01:11:24,520
So we'll see you there.

1358
01:11:24,520 --> 01:11:25,520
Yes.

1359
01:11:25,520 --> 01:11:28,280
So remember, it starts one week from the drop of this episode.

1360
01:11:28,280 --> 01:11:32,120
So be sure to tune in if you want to hear a little bit more Justin.

1361
01:11:32,120 --> 01:11:34,480
And some other awesome John Hammond's going to be there.

1362
01:11:34,480 --> 01:11:36,720
So yeah, super, super awesome security conference.

1363
01:11:36,720 --> 01:11:37,720
Go check it out.

1364
01:11:37,720 --> 01:11:38,720
For sure.

1365
01:11:38,720 --> 01:11:39,720
All right.

1366
01:11:39,720 --> 01:11:40,720
Catch you all next week.

1367
01:11:40,720 --> 01:11:41,720
Peace.

1368
01:11:41,720 --> 01:11:42,720
All right.

1369
01:11:42,720 --> 01:12:04,680
No issues.

