0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/493 Thanks!

1
00:00:09,200 --> 00:00:47,370
This talk now is "Key-Logger, Video, Mouse: How to turn your KVM into a raging key-logging monster" by Yaniv Balmas. Um, there has been a lot of work on keyloggers already. So the question is: what can be done, or what can be achieved, even more? And this is what this talk is about. Um, Yaniv is a software engineer and a professional in the security field. He mainly deals with analyzing malware and vulnerability research. So give a warm applause to...

19
00:00:59,700 --> 00:01:30,459
So thank you very much for coming to my talk. It's called "Key-Logger, Video, Mouse: how to turn your KVM into a raging key-logging monster". Now, a few words about the team who made this research. So first of all, it's me. My name is Yaniv Balmas and I'm... How is this? So my name is Yaniv Balmas and I'm a security researcher.
30
00:01:30,460 --> 00:01:54,579
I work for Check Point Software Technologies, and my colleague in this project is called Lior Oppenheim. He is also a security researcher, and he is trying to understand what to do with the perimeter. And unfortunately, he couldn't be here today. But this research owes him a lot for getting done.

41
00:01:54,580 --> 00:02:28,059
So let's start with the problem. Our problem, as many other computer science related problems, all starts with computers, right? Well, we have computers. We have many computers. We actually have a lot of computers, you see. And when we have a lot of computers, then the thing is that each one of these computers actually needs a set of keyboard, video and mouse in order to operate. Right, makes sense. And the problem is that when we have a lot of these computers, then we also have a lot of these keyboards, a lot of these videos and a lot of these mice. Yeah.
59
00:02:28,060 --> 00:03:19,119
And when a single user wants to work on several of these computers at the same time, well, this creates a big mess on his desk. Right? There's all of a sudden a lot of keyboards, and he doesn't know which keyboard goes to which computer and which monitor displays what. Right? Well, it's a big problem, and some of you might be thinking that that's not a new problem, and that's really not a new problem. And the solution to this problem is also not new at all. And it's called a KVM. Now, for those of you who don't actually know what a KVM is, that's pretty simple. KVM simply stands for keyboard, video and mouse. Right, that simple. And its only purpose in life is to connect one or more sets of keyboard, video and mouse... I'm sorry, to connect a single set of keyboard, video and mouse to one or more computers. Right? Well, it all looks something like this.
86
00:03:19,120 --> 00:04:09,909
You see, you have two computers underneath your desk, and their inputs and outputs are then connected to the KVM. And the KVM in turn is connected to a single set of keyboard, video and mouse on your desk, and then you can play your favorite video game or something like that. And when you hear your boss creeping into the office, you just manage to press the button and, whoa, there you go. You have a nice code on your desk and catastrophe's avoided. And it's just as simple as that. These are KVMs. Now, where can we find those creatures, those KVMs? Well, we can find them in a lot of places. We can find them on your desktops, such as the example I just showed you before. And another thing is that we can find them in your server racks. You see, a typical server rack holds something like, let's say, eight, nine, 10 servers. Yeah.
113
00:04:09,910 --> 00:05:03,459
And in order to physically manage those servers, we must have some kind of KVM in there to make the server administrator's life a bit easier. Right. So we do have KVMs in server racks. And last but not least, we have KVMs in very, very secure environments. And the reason for that is that in those environments we usually have a lot of networks, and those networks are a lot of times segregated or even air-gapped from each other. Right. And then again comes the problem. The single user has to work on both of these networks. And in order to do that, you need a KVM on his desk. Right. This makes his life a lot easier. And if I want to sum it up, then KVMs are pretty much everywhere. Everywhere. I mean, in every technologically rich environment you'll ever go to, you'll probably find a lot of these creatures lying around all over the place. Well, let's take a brief look at the KVM evolution along the years.
141
00:05:03,460 --> 00:05:57,099
Yeah, it all started off in the 1980s or 1990s with something that looks like this. Some of you might be familiar with this, right? It's commonly known as an A/B switch, right. All it is, it's a KVM. But all it is, is just a stupid analog box. Yeah. It just connects the electronics from the A port to the keyboard and mouse; when you switch, the same goes for the keyboard, and that's it. A stupid analog box. And that stupid analog box actually worked really fine for a lot of years. I mean, really a lot, a lot of years. But then came one invention, one small invention that changed the world of KVMs. And I'm specifically talking about USB keyboards. You see, when you have USB keyboards, those KVMs are simply not enough, because they will work, but when you switch ports, then the USB needs to be connected to the computer, and that has some kind of two or three seconds delay until the computer actually recognizes that USB.
170
00:05:57,100 --> 00:06:44,429
So those KVMs now, the modern KVMs, needed to implement some kind of USB stack in order to support smooth transitioning between the ports. Right. And that's where we met those KVMs. Those are modern KVMs. They are really cool. This is what we see on the desks of a lot of guys today, and it supports a whole lot of inputs and a whole lot of outputs. And it's really, really cool. It also looks sexy. And then came the next evolution in KVMs, and came those monsters. Those are called matrix KVMs. They are absolutely monsters; they have thousands and thousands of ports, support stuff like KVM over IP and God knows what. They are usually implemented in some kind of huge enterprises, huge server rooms and stuff like that. And that's it. That's actually the last evolution of KVMs.
195
00:06:44,430 --> 00:07:46,749
Now we come to some kind of a conceptual problem, you see, because a lot of guys, and when I say guys, I mean sysadmins, administrators, security administrators, security researchers, a lot, a lot of guys still consider today's KVMs, those modern KVMs, as those same old stupid boxes, same old stupid analog boxes. Right. Well, are these stupid boxes? I mean, let's take a look at some of the features modern KVMs have. Look at this. They have on-screen displays, they have configurable web menus. They have all kinds of stuff like this. Right? Well, obviously, those boxes are no longer stupid, right? Obviously, those boxes now run code. Yeah, well, we were thinking to ourselves, OK, so if those KVMs now run code, then what can we do with them? Right. And in order to answer that question, I have another question for you. What is the one common feature between all the features I've just showed you?
226
00:07:46,750 --> 00:08:44,189
What is the one common thing that all the features share? Well, the one common thing is that all these features actually require the KVM to be able to process keystrokes. You see, now, when you enter a keystroke, the KVM doesn't immediately send it to the computer. It first inspects it and sees: maybe this was a web menu option, maybe this was some kind of hotkey combo, maybe it was something I need to deal with and not the actual computer that's connected to it. And only if the answer to that is no, is false, then it will pass the keystroke on to the computer. Right? Well, you see, the thing is that all we need to do is to just alter the execution flow just a bit, you know, and find some kind of free memory space in there, take the keystroke there, dump it later on when convenient to us, and what have we got? Yes, a keylogger, a keylogger inside our KVM. I mean, think about it. How cool is that?
257
00:08:44,190 --> 00:09:40,769
I mean, we know software keyloggers, right? One of the hosts... This is not a software keylogger, because there's no code running on the computer. The entire code is running inside the KVM. And this also is not a hardware keylogger, because there's no special hardware, nothing that I needed to come to the office and connect to your computer. You connected a perfectly legit KVM to your computer, and that's it. You've got a keylogger in there that will be incredibly hard to detect, right? Well, we thought that this is a great research subject and we started researching it. And you know that in research, the first thing we need to do is to get a KVM. So we went to the store next to our office and bought one, took the box, went to the office and happily opened it and started unpacking it. First thing we find in there is manuals, it's cables, it's warranties, and a CD. Now, that CD contains a few very interesting files.
287
00:09:40,770 --> 00:10:40,709
One of them is called a firmware upgrade utility. Hmm. And the other one, very conveniently named firmware.bin. OK, we were thinking this is going to be a bit too easy. So we started looking at this .bin file, and we actually find out that this thing has really high entropy levels. So that practically means that it's either encrypted or compressed in some way that we can't really decompress. So we were thinking, OK, both me and Lior, the guy that made this research with me, we are both pretty experienced x86 guys. So all we need to do is to reverse engineer the firmware upgrade utility. Yeah. And what we are expecting to see is that the firmware.bin file will be loaded. Then it will be, like, decompressed and opened and maybe we can find it. However, this utility is a huge utility. It has thousands and thousands of functions. It's C++ code full of vtables, really, really a big mess.
319
00:10:40,710 --> 00:11:37,799
And we didn't really want to deal with it. But when we ran it dynamically in a debugger, we saw the exact behavior that we expected. It actually took this file, sent it to some kind of decompression function and then stored the output in some kind of memory range in there. So we went to this memory range. And what did we find there? No challenge, except, yeah, well, we met a blob, and this blob looks something like this. Right. And this is its image representation. Looks nice. Let's see some of the properties of this blob. So, first of all, it's a 64K blob. And that makes sense because, for an 8-bit architecture, 64K looks OK. And then, now, this blob has really low entropy, which again confirms our suspicion that it's now decompressed. That's also good, but it has completely not even a single string in it. Nothing at all. Nothing. And that's not what we're expecting. We're expecting to see something, some kind of warning there.
348
00:11:37,800 --> 00:12:28,439
And having no strings at all is not so good for us. But we go on and we make some kind of frequency analysis of this, and we try to match it to other firmwares and other assembly languages and stuff like that. And, well, nothing even comes close. We don't know what this blob is. So the next thing we do is use our favorite tool, in this case binwalk. Yeah, well, for those of you who are not familiar with binwalk, it's kind of a tool that, when you enter a binary blob in there, it will check it for signatures and assemblies and known firmwares and stuff like that. But the thing is that binwalk in this example had zero results. I mean, I've never seen something like this, actually. Zero results, nothing at all, nothing, completely empty. Now, we were sitting looking at ourselves, looking at this blob and saying, well, I mean, what can we do? We kind of, we kind of got lost here. So that entire part of the research was a complete failure.
376
00:12:28,440 --> 00:13:22,199
And now we were discussing it ourselves again. You know, there are two options for us. Number one would be to go back to the firmware upgrade utility and reverse engineer the entire thing. It will be a Sisyphic job. It will take us days, weeks, months, I don't know. But we don't really like it. We don't really feel like doing it. So the other thing we come up with is: maybe we can be a bit creative about it, a bit innovative. And in order for you to understand what I mean when I say innovative, you must first understand how this firmware upgrade utility actually works, how this process works. Well, the thing is that you connect this kind of strange serial cable that you take from the box of the KVM. You connect one side of it to the serial port of your computer, and the other side goes into the KVM. You run the utility, and everything is upgraded. The KVM is actually upgraded through the serial cable.
406
00:13:22,200 --> 00:14:22,889
Right. So we were saying, OK, maybe we can download some kind of generic serial sniffing software and sniff the serial protocol there. And then all we need to do is just to analyze, to understand the serial protocol itself. And hopefully now we will have the firmware going into the device through the serial protocol. Right. So that sounds also... So, challenge accepted. We did just that. So we started sniffing the serial protocol, and we got an output that looks something like this. Now let's analyze this together, just very quickly. So the first thing we see here is that there are two types of messages. The red messages are from the KVM, and the yellow messages are sent to the KVM over the serial cable. Right. Um, the first thing we notice is that each of these messages has some kind of fixed header to it. Right. The hex value of it is 46 55, which is the ASCII representation of...
438
00:14:24,160 --> 00:15:23,999
FU. All right. So is anybody trying to tell us something here? FU. Well, yes, actually, they are trying to tell us something, and that something is firmware upgrade. Right? Yes, thank you. Thank you, sir. Feeling a bit amused about all this, we went on with the analysis, and the next thing we noticed is there's something that looks really suspiciously like an opcode here. I don't know if you can see; you probably can. It goes like 01, 02, 03, 03. And almost all of this file is actually composed of the 03 messages. So what this tells us is that the first part here is some kind of serial handshake going on, and the second part, the big part, is the data. Right. And we are actually interested in the data part of it. So we're going to take a closer look at this now. And the thing about the data, the next thing we notice, is there's some kind of sequence number in here.
467
00:15:24,000 --> 00:16:17,819
You see, it actually goes zero, one, two, three, four, five, six, up until the end of the file, and whenever there's a retransmission, the number repeats itself. So it seriously looks like a sequence number. And then we have it. And the only thing missing now is something that we expect to see in every serial protocol around the world. And that's some kind of error correction. Right. And then we notice that this last byte in all of the messages is actually an accumulated sum of all the bytes. If you're summing all the bytes, you get this byte. So this seriously looks like a checksum. And we decided this is our checksum value. And then, keep looking, there's nothing more we can find; keep inspecting this, no more patterns, no more nothing. So we figured out that that's it. We got this thing pretty much analyzed. And all we need to do now, in order to extract the firmware data from the serial protocol, is just to, first of all, get rid of the handshake part, because it's really not interesting.
496 00:16:17,820 --> 00:16:19,439 And then take a look at the data part. 497 00:16:19,440 --> 00:16:21,809 Then again, get rid of all the serial 498 00:16:21,810 --> 00:16:23,939 related, uh, bytes and then 499 00:16:23,940 --> 00:16:24,989 put it all together. 500 00:16:24,990 --> 00:16:26,939 And if we take a look at this, then 501 00:16:26,940 --> 00:16:29,309 hopefully now we will have all the 502 00:16:29,310 --> 00:16:30,310 right. 503 00:16:31,030 --> 00:16:32,030 Guess who? 504 00:16:33,240 --> 00:16:34,240 It's the same blob. 505 00:16:36,190 --> 00:16:38,009 The exact same blob. All this 506 00:16:39,020 --> 00:16:41,289 did was just to take this blob and send 507 00:16:41,290 --> 00:16:42,759 it over the serial protocol into the 508 00:16:42,760 --> 00:16:44,139 device itself. Now the device is 509 00:16:44,140 --> 00:16:45,759 probably responsible for opening this. 510 00:16:45,760 --> 00:16:47,349 But we had no way of knowing this. 511 00:16:47,350 --> 00:16:49,569 And we can say that that is another 512 00:16:49,570 --> 00:16:50,570 great failure. 513 00:16:52,030 --> 00:16:54,489 Well, again, feeling a bit depressed 514 00:16:54,490 --> 00:16:55,629 about this. 515 00:16:55,630 --> 00:16:57,879 We said, well, hey, you know, this 516 00:16:57,880 --> 00:16:59,709 thing, this blob is pushed into the 517 00:16:59,710 --> 00:17:02,109 device and then it's probably handled. 518 00:17:02,110 --> 00:17:04,449 Right. So the next logical step, 519 00:17:04,450 --> 00:17:06,249 the only logical step would be to. 520 00:17:07,410 --> 00:17:09,419 Yes, to open up the device. 521 00:17:09,420 --> 00:17:11,789 This is what it looks like under the hood 522 00:17:11,790 --> 00:17:13,889 right now, our first impression 523 00:17:13,890 --> 00:17:15,338 of this. 524 00:17:15,339 --> 00:17:17,919 Well, that's like a lot of electronics 525 00:17:17,920 --> 00:17:19,809 in there. We are software guys, not 526 00:17:19,810 --> 00:17:20,889 hardware guys.
527 00:17:20,890 --> 00:17:22,629 What do we do with this? 528 00:17:22,630 --> 00:17:24,189 What can we do with this stuff? 529 00:17:24,190 --> 00:17:26,379 And now we're feeling really 530 00:17:26,380 --> 00:17:28,689 depressed. And then a few whiskey shots 531 00:17:28,690 --> 00:17:31,179 later, we say to ourselves, 532 00:17:31,180 --> 00:17:33,339 you know, obviously there's a lot of 533 00:17:33,340 --> 00:17:34,269 big chips in there. 534 00:17:34,270 --> 00:17:35,679 So maybe we can Google them up. 535 00:17:35,680 --> 00:17:37,569 We can try to figure out what are these 536 00:17:37,570 --> 00:17:38,499 chips. 537 00:17:38,500 --> 00:17:39,939 Then maybe it will give us some kind of 538 00:17:39,940 --> 00:17:41,229 clue of what this thing is doing. 539 00:17:41,230 --> 00:17:42,939 Right. So let's do this together. 540 00:17:42,940 --> 00:17:45,189 Now, first thing, there are these 541 00:17:45,190 --> 00:17:46,959 two really big chips in here. 542 00:17:46,960 --> 00:17:48,579 They have the vendor name engraved on 543 00:17:48,580 --> 00:17:50,259 them. Completely 544 00:17:50,260 --> 00:17:52,479 no information about them in Google, 545 00:17:52,480 --> 00:17:53,649 big black boxes. 546 00:17:53,650 --> 00:17:55,749 We think they're x86, just judging by the 547 00:17:55,750 --> 00:17:57,279 number of pins they have. 548 00:17:57,280 --> 00:17:58,869 But we actually have no clue what they 549 00:17:58,870 --> 00:18:00,999 do. And then we find another 550 00:18:01,000 --> 00:18:02,859 chip. Now, this chip, we do know what it 551 00:18:02,860 --> 00:18:05,199 is. It's a PLD. Now PLD, 552 00:18:05,200 --> 00:18:06,849 for those of you who don't know, it stands 553 00:18:06,850 --> 00:18:09,039 for programmable logic device.
554 00:18:09,040 --> 00:18:10,659 Yeah, that's something like you design 555 00:18:10,660 --> 00:18:13,059 your own you are your own circuit, 556 00:18:13,060 --> 00:18:15,219 your own circuit, and then you burn it 557 00:18:15,220 --> 00:18:17,319 into the the chip, the chip and then the 558 00:18:17,320 --> 00:18:18,399 chip runs your circuit. 559 00:18:18,400 --> 00:18:20,289 Right. So we do know it's a PLD. 560 00:18:20,290 --> 00:18:22,239 We have no idea what it's running and we 561 00:18:22,240 --> 00:18:23,649 don't know how to look for it. 562 00:18:23,650 --> 00:18:26,259 So we left it alone for for a moment. 563 00:18:26,260 --> 00:18:27,729 And then we find something that we know 564 00:18:27,730 --> 00:18:29,439 it's RAM, it's memory. 565 00:18:29,440 --> 00:18:31,179 That's great. It's also connected to 566 00:18:31,180 --> 00:18:32,739 something called the D-latch. 567 00:18:32,740 --> 00:18:35,109 Again, something the D-latch flip-flop, 568 00:18:35,110 --> 00:18:37,359 flip-flop, I remember from my university 569 00:18:37,360 --> 00:18:39,039 days. How is it all connected to the 570 00:18:39,040 --> 00:18:40,509 picture? I don't know yet. 571 00:18:40,510 --> 00:18:42,699 But anyway, that's a memory. 572 00:18:42,700 --> 00:18:45,129 Right? And the last chip here 573 00:18:45,130 --> 00:18:46,899 was actually the most interesting chip of 574 00:18:46,900 --> 00:18:48,999 them all. This chip is an 8052 575 00:18:49,000 --> 00:18:50,799 processor, right? 576 00:18:50,800 --> 00:18:52,689 It's an Intel based chip. 577 00:18:52,690 --> 00:18:54,479 It's the next version, the advanced or 578 00:18:54,480 --> 00:18:56,289 the commercial version of another chip 579 00:18:56,290 --> 00:18:57,969 called 8051. 580 00:18:57,970 --> 00:18:59,919 It runs assembly and this assembly is 581 00:18:59,920 --> 00:19:01,809 called 8051 assembly. 582 00:19:01,810 --> 00:19:04,089 Right.
Well, now we're suspecting 583 00:19:04,090 --> 00:19:06,039 this chip to be the brains behind this 584 00:19:06,040 --> 00:19:08,049 device, but we actually don't know what's 585 00:19:08,050 --> 00:19:09,189 going on here yet. 586 00:19:09,190 --> 00:19:11,439 And this actually got us pretty lost 587 00:19:11,440 --> 00:19:12,579 for some time. 588 00:19:12,580 --> 00:19:14,989 And we tried figuring out how this all 589 00:19:14,990 --> 00:19:17,079 how this all fits together, what's going 590 00:19:17,080 --> 00:19:17,739 on here. 591 00:19:17,740 --> 00:19:20,469 And the question is, 592 00:19:20,470 --> 00:19:23,409 we do know the firmware upgrade 593 00:19:23,410 --> 00:19:24,639 comes in through this port. 594 00:19:24,640 --> 00:19:26,139 This is the serial port I was talking 595 00:19:26,140 --> 00:19:28,209 about. Right. And then where does it 596 00:19:28,210 --> 00:19:30,429 go to? I mean, it goes somewhere, but 597 00:19:30,430 --> 00:19:32,529 where? It can go into the 8052 598 00:19:32,530 --> 00:19:34,629 chip. Right. But it can also 599 00:19:34,630 --> 00:19:36,699 go into those big black boxes. 600 00:19:36,700 --> 00:19:38,769 Right. And it can also go into other 601 00:19:38,770 --> 00:19:41,079 chips and it could be divided into chunks 602 00:19:41,080 --> 00:19:43,479 and each chunk goes into a different chip. 603 00:19:43,480 --> 00:19:45,459 We don't know we don't know what to do. 604 00:19:45,460 --> 00:19:46,629 So what do we do? 605 00:19:46,630 --> 00:19:48,069 We don't know what to do. 606 00:19:48,070 --> 00:19:50,319 Well, we use Google and. 607 00:19:51,850 --> 00:19:54,369 When we use Google, we found this 608 00:19:54,370 --> 00:19:56,769 very, very interesting PCB 609 00:19:56,770 --> 00:19:59,049 in some kind of Russian KVM review 610 00:19:59,050 --> 00:19:59,799 site. 611 00:19:59,800 --> 00:20:01,999 I have no idea why or 612 00:20:02,000 --> 00:20:03,599 why anybody reviewing a KVM.
613 00:20:03,600 --> 00:20:05,679 would need to look at the PCB of 614 00:20:05,680 --> 00:20:07,929 it, but they had a pretty good picture 615 00:20:07,930 --> 00:20:09,459 of it. And you see, there's something 616 00:20:09,460 --> 00:20:10,689 really interesting about this one. 617 00:20:10,690 --> 00:20:12,969 This is like almost the exact same 618 00:20:12,970 --> 00:20:14,379 model as we have. 619 00:20:14,380 --> 00:20:16,479 The only thing is that our model, the one 620 00:20:16,480 --> 00:20:18,669 that we are researching, researching, has 621 00:20:18,670 --> 00:20:19,479 four ports. 622 00:20:19,480 --> 00:20:22,209 Right. And this one is eight ports, 623 00:20:22,210 --> 00:20:23,739 eight ports right now. 624 00:20:23,740 --> 00:20:24,849 Look at this. There's something really 625 00:20:24,850 --> 00:20:25,989 interesting about it. 626 00:20:25,990 --> 00:20:27,939 Those big black boxes I was mentioning 627 00:20:27,940 --> 00:20:30,669 before. Right now, there's four of them. 628 00:20:30,670 --> 00:20:32,349 Yeah. And those PLDs, these are the 629 00:20:32,350 --> 00:20:33,429 ones I mentioned before. 630 00:20:33,430 --> 00:20:35,769 Again, two of them. So double the ports, 631 00:20:35,770 --> 00:20:36,770 double the chips. 632 00:20:38,260 --> 00:20:39,260 Why is that funny? 633 00:20:43,580 --> 00:20:45,829 OK, double, triple, double 634 00:20:45,830 --> 00:20:47,899 the chips. Um, the 635 00:20:47,900 --> 00:20:49,339 thing is that this is not double the 636 00:20:49,340 --> 00:20:51,979 thing, it is still single in here, it is 637 00:20:51,980 --> 00:20:54,159 the RAM and. 638 00:20:54,160 --> 00:20:56,259 Yeah, you guessed it, the 8052. 639 00:20:56,260 --> 00:20:58,839 This is a single chip, so this now 640 00:20:58,840 --> 00:21:01,059 really, really smells like this thing 641 00:21:01,060 --> 00:21:03,669 is the brains behind this entire KVM. 642 00:21:03,670 --> 00:21:05,769 Right?
And now we would like to 643 00:21:05,770 --> 00:21:08,079 know how this 8052 chip 644 00:21:08,080 --> 00:21:09,069 gets upgraded. 645 00:21:09,070 --> 00:21:11,049 It must get upgraded somehow. 646 00:21:11,050 --> 00:21:12,699 But how so? 647 00:21:12,700 --> 00:21:14,889 It turns out that each one of these 648 00:21:14,890 --> 00:21:17,079 8052 chips has an integrated 649 00:21:17,080 --> 00:21:18,549 UART port in them, right. 650 00:21:18,550 --> 00:21:21,249 UART stands for universal asynchronous 651 00:21:21,250 --> 00:21:23,349 receiver transmitter, some kind of generic 652 00:21:23,350 --> 00:21:24,309 serial protocol. 653 00:21:24,310 --> 00:21:26,649 Right. And the thing is, OK, 654 00:21:26,650 --> 00:21:27,699 we know it has a UART. 655 00:21:27,700 --> 00:21:29,769 But which pins which which of the 656 00:21:29,770 --> 00:21:31,719 chip pins are actually responsible for 657 00:21:31,720 --> 00:21:32,619 this upgrade? 658 00:21:32,620 --> 00:21:34,809 Well, we can or we can answer this 659 00:21:34,810 --> 00:21:36,789 question pretty easily by just looking at 660 00:21:36,790 --> 00:21:37,689 the specs. Right. 661 00:21:37,690 --> 00:21:39,699 So we open up the specs of this chip and 662 00:21:39,700 --> 00:21:40,359 we see this. 663 00:21:40,360 --> 00:21:42,729 And it clearly states that 664 00:21:42,730 --> 00:21:44,859 these pins here, you see the 665 00:21:44,860 --> 00:21:47,529 RXD and the TXD, are connected 666 00:21:47,530 --> 00:21:49,629 through port 3 of the chip to the 667 00:21:49,630 --> 00:21:51,699 UART port. So these are our 668 00:21:51,700 --> 00:21:53,949 UART pins. 669 00:21:53,950 --> 00:21:56,289 Great. Now we only need to inspect 670 00:21:56,290 --> 00:21:58,359 what's going on in these pins in order 671 00:21:58,360 --> 00:22:00,439 to understand and to see the firmware 672 00:22:00,440 --> 00:22:03,039 hopefully coming into this chip. 673 00:22:03,040 --> 00:22:04,040 Challenge accepted.
674 00:22:05,260 --> 00:22:07,539 So thirty to forty-five days 675 00:22:07,540 --> 00:22:09,039 China shipping later. 676 00:22:11,380 --> 00:22:14,019 We can finally use logic. And 677 00:22:14,020 --> 00:22:16,239 this thing here again, for 678 00:22:16,240 --> 00:22:18,249 those of you who are not familiar, this 679 00:22:18,250 --> 00:22:19,239 is a logic analyzer. 680 00:22:19,240 --> 00:22:21,069 OK, what it does, it just connects to the 681 00:22:21,070 --> 00:22:23,169 pins and you see the actual electronic 682 00:22:23,170 --> 00:22:25,269 signals going into these pins. 683 00:22:25,270 --> 00:22:27,489 Right. It has these nice clips, uh, 684 00:22:27,490 --> 00:22:29,589 in there. Uh, it actually comes with this 685 00:22:29,590 --> 00:22:31,689 great, great, uh, postcard saying thank 686 00:22:31,690 --> 00:22:32,890 you for your awesomeness. 687 00:22:35,540 --> 00:22:37,089 OK, so we did just that. 688 00:22:37,090 --> 00:22:39,279 We we plugged the pins into the 689 00:22:39,280 --> 00:22:41,439 UART, into the RXD and the 690 00:22:41,440 --> 00:22:43,539 TXD pins. And this revealed 691 00:22:43,540 --> 00:22:44,889 the UART signals, right. 692 00:22:44,890 --> 00:22:46,659 It looks something like this, you see 693 00:22:46,660 --> 00:22:48,459 RX and TX. And the third one. 694 00:22:50,010 --> 00:22:51,109 Again, why is this funny? 695 00:22:52,530 --> 00:22:54,719 Our third one, in case you were 696 00:22:54,720 --> 00:22:56,999 wondering, is ground, right, in order 697 00:22:57,000 --> 00:22:59,159 for us to differentiate between zeros 698 00:22:59,160 --> 00:23:01,049 and ones, and that's it.
699 00:23:01,050 --> 00:23:03,209 Using the awesome, awesome UI 700 00:23:03,210 --> 00:23:05,489 of the logic analyzer we have 701 00:23:05,490 --> 00:23:08,009 now, we make the firmware upgrade process 702 00:23:08,010 --> 00:23:10,499 and we reveal the signals going into 703 00:23:10,500 --> 00:23:12,839 these pins, into the chip during 704 00:23:12,840 --> 00:23:13,769 the firmware upgrade. 705 00:23:13,770 --> 00:23:15,059 And we see stuff like this. 706 00:23:15,060 --> 00:23:17,129 You see we see some kind of pattern here. 707 00:23:17,130 --> 00:23:19,259 You see there's stuff going from the UART 708 00:23:19,260 --> 00:23:21,309 and there's stuff going to the UART. 709 00:23:21,310 --> 00:23:23,009 Yeah. And if we zoom out of this picture 710 00:23:23,010 --> 00:23:24,869 for a second, then we see an obvious, 711 00:23:24,870 --> 00:23:26,969 obvious pattern. I mean, this stuff is 712 00:23:26,970 --> 00:23:28,409 going to the UART, you see, and this 713 00:23:28,410 --> 00:23:29,819 stuff is going from the UART. 714 00:23:29,820 --> 00:23:31,679 So it goes from the UART to the 715 00:23:31,680 --> 00:23:33,629 UART, from the UART to the UART again. 716 00:23:33,630 --> 00:23:35,459 This seriously look at looks like a 717 00:23:35,460 --> 00:23:36,719 protocol. Right. 718 00:23:36,720 --> 00:23:38,819 So we take all the signals that we 719 00:23:38,820 --> 00:23:41,069 could gather from this UI and we just 720 00:23:41,070 --> 00:23:42,449 put them in the right order. 721 00:23:42,450 --> 00:23:44,609 And yeah, somebody is laughing 722 00:23:44,610 --> 00:23:45,610 what we find. 723 00:23:47,350 --> 00:23:48,350 Yeah. 724 00:23:50,740 --> 00:23:52,809 It's the same serial protocol, 725 00:23:52,810 --> 00:23:53,949 so. 726 00:23:53,950 --> 00:23:55,419 Well, thank you.
727 00:23:55,420 --> 00:23:56,619 Well, I mean, 728 00:23:57,760 --> 00:23:59,439 the thing with what's going on here is 729 00:23:59,440 --> 00:24:00,939 that the serial protocol is connected to 730 00:24:00,940 --> 00:24:03,609 the KVM and then the lines go directly 731 00:24:03,610 --> 00:24:04,959 into the 8052 chip. 732 00:24:04,960 --> 00:24:07,119 Right. So, again, everything is probably 733 00:24:07,120 --> 00:24:09,369 decoded inside the chip itself. 734 00:24:09,370 --> 00:24:11,079 So now we need to, you know, use some kind 735 00:24:11,080 --> 00:24:12,429 of chemicals and to open the chip. 736 00:24:12,430 --> 00:24:13,989 And no, we don't want to deal with that. 737 00:24:15,400 --> 00:24:18,319 So this is now a great failure, right. 738 00:24:18,320 --> 00:24:20,389 Or is it? I mean, yeah, it is 739 00:24:20,390 --> 00:24:22,369 a great failure, but it is something that 740 00:24:22,370 --> 00:24:25,129 we know now that we didn't know before. 741 00:24:25,130 --> 00:24:27,289 The thing that we know now is that 742 00:24:27,290 --> 00:24:29,389 this thing, this blob that we 743 00:24:29,390 --> 00:24:31,969 see must be actually translated 744 00:24:31,970 --> 00:24:34,739 somehow into 8051 assembly. 745 00:24:34,740 --> 00:24:36,349 Yeah. Now we know the destination 746 00:24:36,350 --> 00:24:38,689 language of this gibberish that we see. 747 00:24:38,690 --> 00:24:40,429 Right. So this gives us some kind of hint 748 00:24:40,430 --> 00:24:42,649 here and what we can try 749 00:24:42,650 --> 00:24:44,419 and do, as I said. 750 00:24:44,420 --> 00:24:47,029 Yeah. And what we can try and do 751 00:24:47,030 --> 00:24:49,309 is to try and break this code 752 00:24:49,310 --> 00:24:51,139 and break this obfuscation because 753 00:24:51,140 --> 00:24:53,269 obviously it's it's not encrypted. 754 00:24:53,270 --> 00:24:55,279 The entropy levels are low.
755 00:24:55,280 --> 00:24:56,749 So we are expecting to see an 756 00:24:56,750 --> 00:24:58,969 obfuscation. And maybe now 757 00:24:58,970 --> 00:25:00,709 since we know the destination language, 758 00:25:00,710 --> 00:25:02,899 maybe we can try and break it. 759 00:25:02,900 --> 00:25:04,729 So challenge accepted. 760 00:25:04,730 --> 00:25:05,749 Let's try to do that. 761 00:25:07,130 --> 00:25:08,989 Let's take another look at our blob. 762 00:25:08,990 --> 00:25:10,159 Not sure if you remember it. 763 00:25:10,160 --> 00:25:11,599 It looks something like this. 764 00:25:11,600 --> 00:25:13,099 Now, for those of you who have really, 765 00:25:13,100 --> 00:25:14,839 really good eyesight, you might have 766 00:25:14,840 --> 00:25:17,329 noticed that the end of this blob 767 00:25:17,330 --> 00:25:19,549 is actually composed of the same 768 00:25:19,550 --> 00:25:21,669 hex value, in this case, 53, 769 00:25:21,670 --> 00:25:22,789 53, 53. 770 00:25:22,790 --> 00:25:24,769 So when we see stuff like this, what we 771 00:25:24,770 --> 00:25:26,929 do, what we do, yeah, we usually 772 00:25:26,930 --> 00:25:28,699 do an XOR operation on that. 773 00:25:28,700 --> 00:25:31,309 Right. And what we expect is 774 00:25:31,310 --> 00:25:33,289 that somebody did an XOR operation. 775 00:25:33,290 --> 00:25:34,999 And the original thing was one of two 776 00:25:35,000 --> 00:25:37,369 things, either NOPs, 777 00:25:37,370 --> 00:25:39,529 just a lot a lot of NOPs, or a zero 778 00:25:39,530 --> 00:25:41,419 padding, just a lot of zeros. 779 00:25:41,420 --> 00:25:43,639 And luckily in our case, 780 00:25:43,640 --> 00:25:45,409 8051 NOP is zero. 781 00:25:45,410 --> 00:25:47,659 So we just need to XOR this thing 782 00:25:47,660 --> 00:25:49,939 with 53 and that's 783 00:25:49,940 --> 00:25:52,099 it. We got this really nice 784 00:25:52,100 --> 00:25:53,519 blob that looks like this. 785 00:25:53,520 --> 00:25:55,219 Still no strings, no nothing.
786 00:25:55,220 --> 00:25:56,329 But you know what? 787 00:25:56,330 --> 00:25:57,679 Let's give it a try. That's right. 788 00:25:57,680 --> 00:25:59,749 Open it. Opening it in IDA, in 789 00:25:59,750 --> 00:26:02,599 our disassembler, and try to 790 00:26:02,600 --> 00:26:04,729 disassemble it as 8051 code and see 791 00:26:04,730 --> 00:26:06,259 what we get. 792 00:26:06,260 --> 00:26:08,389 Yes, we get assembly code, that 793 00:26:08,390 --> 00:26:09,139 is perfect. 794 00:26:09,140 --> 00:26:11,059 We we are really happy now and we're 795 00:26:11,060 --> 00:26:13,219 going to our office and starting to, you 796 00:26:13,220 --> 00:26:15,169 know, reverse engineer this and try to 797 00:26:15,170 --> 00:26:16,399 understand what it's doing. 798 00:26:16,400 --> 00:26:18,529 And like just two or three minutes 799 00:26:18,530 --> 00:26:20,269 later, we meet up at the kitchen again 800 00:26:20,270 --> 00:26:22,729 and say to ourselves, say something 801 00:26:22,730 --> 00:26:25,039 here is not so not so good. 802 00:26:25,040 --> 00:26:27,379 And you see, let me show you an example. 803 00:26:27,380 --> 00:26:29,419 You see here the last two instructions. 804 00:26:29,420 --> 00:26:32,239 MOV A, R6. MOV A, R6. 805 00:26:32,240 --> 00:26:34,299 Now, I'm not I'm not a big, uh, 806 00:26:34,300 --> 00:26:36,469 a big genius about 807 00:26:36,470 --> 00:26:38,569 8051. But maybe they need 808 00:26:38,570 --> 00:26:40,339 to perform the same operation twice in 809 00:26:40,340 --> 00:26:41,819 order to make sure it works. 810 00:26:41,820 --> 00:26:42,820 Um, 811 00:26:44,360 --> 00:26:46,819 well, no, the answer is obviously 812 00:26:46,820 --> 00:26:48,079 no. 813 00:26:48,080 --> 00:26:49,879 So we have a feeling of what's going on 814 00:26:49,880 --> 00:26:51,169 here. So we made a little test. 815 00:26:51,170 --> 00:26:53,269 We took Excel, which is obviously 816 00:26:53,270 --> 00:26:54,529 x86 code. Right.
817 00:26:54,530 --> 00:26:56,809 And we tried to disassemble it as 8051 818 00:26:56,810 --> 00:26:59,029 assembly. And what do you know, again, we 819 00:26:59,030 --> 00:27:00,179 got proper assembly. 820 00:27:00,180 --> 00:27:01,159 Oh, OK. 821 00:27:01,160 --> 00:27:03,199 So this starts to look a bit strange. 822 00:27:03,200 --> 00:27:05,569 So what we did in order to verify our 823 00:27:05,570 --> 00:27:07,819 assumption is take this picture of a cat 824 00:27:07,820 --> 00:27:10,099 and load it into IDA as 825 00:27:10,100 --> 00:27:11,899 8051 assembly and what do you know, 826 00:27:11,900 --> 00:27:12,889 proper assembly. 827 00:27:12,890 --> 00:27:14,059 Yeah, there's functions, there's 828 00:27:14,060 --> 00:27:16,400 everything here and that's. 829 00:27:24,730 --> 00:27:26,559 Thank you. Now, this is the moment that 830 00:27:26,560 --> 00:27:28,179 we actually realized that if you really 831 00:27:28,180 --> 00:27:30,399 try hard enough, everything 832 00:27:30,400 --> 00:27:31,779 is 8051 assembly. 833 00:27:37,910 --> 00:27:39,859 OK, OK, let's let's let's be serious 834 00:27:39,860 --> 00:27:42,049 again. Now back to our blob, back 835 00:27:42,050 --> 00:27:44,809 to back to step one or maybe 836 00:27:44,810 --> 00:27:46,939 square two, because we decided to 837 00:27:46,940 --> 00:27:48,709 keep the XOR operation because it looks like 838 00:27:48,710 --> 00:27:50,059 something good to do. 839 00:27:50,060 --> 00:27:51,859 But I think now that, again, those of you 840 00:27:51,860 --> 00:27:53,989 with good eyesight might have noticed 841 00:27:53,990 --> 00:27:55,969 that the last eight bytes of this blob 842 00:27:55,970 --> 00:27:57,209 are actually different. 843 00:27:57,210 --> 00:27:59,449 Yeah, but what are they? What 844 00:27:59,450 --> 00:28:00,449 are those bytes? 845 00:28:00,450 --> 00:28:01,609 Are they a clue? 846 00:28:01,610 --> 00:28:02,029 Yeah.
847 00:28:02,030 --> 00:28:03,739 Is this some kind of clue left to us by 848 00:28:03,740 --> 00:28:06,679 the embedded developer? 849 00:28:06,680 --> 00:28:07,639 What can we do with them? 850 00:28:07,640 --> 00:28:09,289 Well, the first thing that comes to mind 851 00:28:09,290 --> 00:28:10,489 is error correction. 852 00:28:10,490 --> 00:28:11,839 Yeah, they they are in the end of the 853 00:28:11,840 --> 00:28:13,489 file, so maybe they are some kind of error 854 00:28:13,490 --> 00:28:15,589 correction. So we take these bytes 855 00:28:15,590 --> 00:28:18,319 and try to check them for checksums, CRC, 856 00:28:18,320 --> 00:28:20,449 Adler. There are a lot of other error 857 00:28:20,450 --> 00:28:22,759 corrections and no, nothing even comes 858 00:26:22,760 --> 00:28:24,829 close. So it's probably not an error 859 00:28:24,830 --> 00:28:26,689 correction, at least not a known one. 860 00:28:26,690 --> 00:28:29,149 And then we understand 861 00:28:29,150 --> 00:28:31,729 that up till now we've only looked at one 862 00:28:31,730 --> 00:28:33,409 version of the firmware. 863 00:28:33,410 --> 00:28:35,539 Right. And we can take a look maybe 864 00:28:35,540 --> 00:28:37,519 at the last eight bytes of a lot of other 865 00:28:37,520 --> 00:28:39,709 firmware upgrade versions, because 866 00:28:39,710 --> 00:28:41,209 the vendor lets us just download, 867 00:28:41,210 --> 00:28:43,759 however many 868 00:28:43,760 --> 00:28:44,809 versions that we want. 869 00:28:44,810 --> 00:28:46,939 So these are all the eight bytes from 870 00:28:46,940 --> 00:28:48,259 a lot of different versions, right? 871 00:28:48,260 --> 00:28:49,189 They are all different. 872 00:28:49,190 --> 00:28:50,179 And look at this. 873 00:28:50,180 --> 00:28:52,459 Something here just it looks 874 00:28:52,460 --> 00:28:54,559 strange, you see, because 875 00:28:54,560 --> 00:28:56,779 look at this. The A1 appears 876 00:28:56,780 --> 00:28:58,069 17 times, right?
877 00:28:58,070 --> 00:28:59,279 This is not random. 878 00:28:59,280 --> 00:29:01,399 There's some some kind of data in here. 879 00:29:01,400 --> 00:29:03,169 We just need to understand what it is. 880 00:29:03,170 --> 00:29:04,640 But how how do we do this? 881 00:29:05,680 --> 00:29:07,989 So this is 882 00:29:07,990 --> 00:29:09,879 this was actually the Eureka moment for the 883 00:29:09,880 --> 00:29:11,859 project. What we decided to do is put 884 00:29:11,860 --> 00:29:14,109 those eight bytes just next to 885 00:29:14,110 --> 00:29:15,969 the firmware version. 886 00:29:15,970 --> 00:29:17,869 Right. So this is from the three point 887 00:29:17,870 --> 00:29:19,959 three point three, one, two and whatever. 888 00:29:19,960 --> 00:29:21,189 Right. And look at this. 889 00:29:21,190 --> 00:29:23,349 There's some kind of obvious pattern in 890 00:29:23,350 --> 00:29:25,509 here. You see the byte 99 891 00:29:25,510 --> 00:29:27,429 appears three times in here and the 892 00:29:27,430 --> 00:29:29,649 number three appears three times in here. 893 00:29:29,650 --> 00:29:32,139 Right. And and 894 00:29:32,140 --> 00:29:34,449 the byte A1 appears twice here. 895 00:29:34,450 --> 00:29:36,579 And then the number four appears twice 896 00:29:36,580 --> 00:29:38,319 here, while also the number one appears 897 00:29:38,320 --> 00:29:39,789 twice. But we actually know it's four 898 00:29:39,790 --> 00:29:41,199 because it's actually consistent 899 00:29:41,200 --> 00:29:43,059 throughout the entire table. 900 00:29:43,060 --> 00:29:44,979 Right. So we got some kind of mapping 901 00:29:44,980 --> 00:29:47,169 between bytes and the number in 902 00:29:47,170 --> 00:29:48,879 the version. Right. 903 00:29:48,880 --> 00:29:50,799 Well, is there a pattern here? 904 00:29:50,800 --> 00:29:52,599 Right. What can we do?
905 00:29:52,600 --> 00:29:54,789 Maybe we, you know, list, 906 00:29:54,790 --> 00:29:57,099 you know, the digits that we see, one, 907 00:29:57,100 --> 00:29:58,689 and the hex we see, eighty-nine. 908 00:29:58,690 --> 00:30:00,639 This is our mapping and the binary 909 00:30:00,640 --> 00:30:02,529 values. Maybe this will give us some kind 910 00:30:02,530 --> 00:30:03,909 of clue. Right. 911 00:30:03,910 --> 00:30:06,429 Look at this. Look at the binary values. 912 00:30:06,430 --> 00:30:08,359 There's an obvious pattern here. 913 00:30:08,360 --> 00:30:10,419 This part here is fixed and 914 00:30:10,420 --> 00:30:12,199 this part here 915 00:30:12,200 --> 00:30:14,689 is not, and not only that, it's not fixed, 916 00:30:14,690 --> 00:30:17,149 but it's some kind of counter, 917 00:30:17,150 --> 00:30:18,649 right? Look at this, one, two, three, 918 00:30:18,650 --> 00:30:19,639 four. By now it's a counter. 919 00:30:19,640 --> 00:30:21,649 Right. And then we're asking ourselves, 920 00:30:21,650 --> 00:30:22,559 a counter? 921 00:30:22,560 --> 00:30:24,619 Why is there a counter? What is 922 00:30:24,620 --> 00:30:26,749 it doing in the middle of the bytes here? 923 00:30:26,750 --> 00:30:27,869 It should be on the right-hand side. 924 00:30:27,870 --> 00:30:30,109 So let's shift it or rotate 925 00:30:30,110 --> 00:30:31,619 it to the right by three. 926 00:30:31,620 --> 00:30:33,679 And when we did this, this is 927 00:30:33,680 --> 00:30:35,869 what we got. And these are the hex values of 928 00:30:35,870 --> 00:30:37,009 this binary value. 929 00:30:37,010 --> 00:30:39,109 And for those of you whose ASCII 930 00:30:39,110 --> 00:30:41,389 is a bit lacking, then, yes, 931 00:30:41,390 --> 00:30:43,489 these are the same ASCII values as 932 00:30:43,490 --> 00:30:44,869 the digits. Right. 933 00:30:44,870 --> 00:30:46,999 So all we need to do is to take 934 00:30:47,000 --> 00:30:49,339 this blob and rotate every 935 00:30:49,340 --> 00:30:50,340 byte of it by three.
936 00:30:51,730 --> 00:30:53,149 By three. And what do we get? 937 00:30:53,150 --> 00:30:54,599 We get this, right. 938 00:30:54,600 --> 00:30:55,699 This looks much better. 939 00:30:55,700 --> 00:30:56,959 This looks like strings. 940 00:30:56,960 --> 00:30:58,549 Now, we are so happy about it. 941 00:30:58,550 --> 00:31:01,189 But looking at this a bit more, 942 00:31:01,190 --> 00:31:03,679 the strings, they don't look exactly 943 00:31:03,680 --> 00:31:04,759 right. Look, look at this. 944 00:31:04,760 --> 00:31:05,869 Look at this example. 945 00:31:05,870 --> 00:31:07,939 This is like an alphanumeric 946 00:31:07,940 --> 00:31:09,649 string. Yeah. 947 00:31:09,650 --> 00:31:11,569 It's just in the wrong order. 948 00:31:11,570 --> 00:31:13,709 And and I mean, 949 00:31:13,710 --> 00:31:14,989 take a look at this again, this is the 950 00:31:14,990 --> 00:31:16,609 same string that we saw before. 951 00:31:16,610 --> 00:31:18,769 There's some kind of shuffling going on 952 00:31:18,770 --> 00:31:20,359 here. And if you stare at this long 953 00:31:20,360 --> 00:31:21,679 enough, you understand that this 954 00:31:21,680 --> 00:31:23,449 shuffling is going on in a chunk of eight 955 00:31:23,450 --> 00:31:24,699 bytes. 956 00:31:24,700 --> 00:31:26,659 Let me explain this a bit better. 957 00:31:26,660 --> 00:31:28,129 These are the chunks of bytes. 958 00:31:28,130 --> 00:31:30,329 Right. And the bytes are actually not in 959 00:31:30,330 --> 00:31:32,599 the order, but only within the same 960 00:31:32,600 --> 00:31:33,949 chunk. Now, look at this. 961 00:31:35,120 --> 00:31:37,549 The byte A is in the right, the 962 00:31:37,550 --> 00:31:38,509 A is in the right place. 963 00:31:38,510 --> 00:31:39,769 The eight are in the queue. 964 00:31:39,770 --> 00:31:41,929 Now, the the O and the W need to be 965 00:31:41,930 --> 00:31:43,459 moved from the second position to the 966 00:31:43,460 --> 00:31:45,799 seventh position.
And this goes on 967 00:31:45,800 --> 00:31:47,269 and on and on. 968 00:31:47,270 --> 00:31:49,429 And it's consistent throughout the entire 969 00:31:49,430 --> 00:31:50,479 blob. Right. 970 00:31:50,480 --> 00:31:52,609 So what we got ourselves is some kind 971 00:31:52,610 --> 00:31:53,839 of permutation table. 972 00:31:53,840 --> 00:31:56,299 And if we apply this permutation table 973 00:31:56,300 --> 00:31:58,459 on the entire blob, what will we 974 00:31:58,460 --> 00:31:59,460 get? 975 00:32:00,960 --> 00:32:03,299 Yes, assembly, proper 976 00:32:03,300 --> 00:32:05,399 assembly, this is our 977 00:32:05,400 --> 00:32:06,400 firmware. 978 00:32:14,600 --> 00:32:15,679 Yes, thank you. Thank you. 979 00:32:15,680 --> 00:32:17,149 No, it's not it's not over yet. 980 00:32:17,150 --> 00:32:18,349 You know, usually when we do reverse 981 00:32:18,350 --> 00:32:20,479 engineering of software, 982 00:32:20,480 --> 00:32:21,739 the first thing we do is load it up in a 983 00:32:21,740 --> 00:32:23,959 disassembler. And the funny thing is in 984 00:32:23,960 --> 00:32:25,819 hardware, the last thing that you do is 985 00:32:25,820 --> 00:32:27,799 open it, open it in a disassembler. 986 00:32:27,800 --> 00:32:29,899 So it was really, uh, 987 00:32:29,900 --> 00:32:31,309 from here, it was really fun. 988 00:32:31,310 --> 00:32:33,829 And now this is 8051 989 00:32:33,830 --> 00:32:35,269 assembly. So all we need to do is to 990 00:32:35,270 --> 00:32:38,089 understand 8051 so 991 00:32:38,090 --> 00:32:40,339 we can now actually design our own custom 992 00:32:40,340 --> 00:32:42,769 firmware. Well, if we can understand this, 993 00:32:42,770 --> 00:32:44,139 all we need to do is just to understand 994 00:32:44,140 --> 00:32:45,099 8051. 995 00:32:45,100 --> 00:32:47,509 And for those of you who don't know, we 996 00:32:47,510 --> 00:32:49,729 prepared a short review of 8051 997 00:32:49,730 --> 00:32:51,559 assembly.
The thing is that it has only 998 00:32:51,560 --> 00:32:53,719 two hundred 999 00:32:53,720 --> 00:32:55,759 fifty-five opcodes in around forty 1000 00:32:55,760 --> 00:32:57,229 instructions. Really a pretty, pretty 1001 00:32:57,230 --> 00:32:58,579 easy assembly to learn. 1002 00:32:58,580 --> 00:33:00,139 The thing is that functions in this 1003 00:33:00,140 --> 00:33:02,179 assembly are not only functions, it jumps 1004 00:33:02,180 --> 00:33:03,379 into the middle of functions and 1005 00:33:03,380 --> 00:33:04,519 fundamental functions. 1006 00:33:04,520 --> 00:33:06,229 A whole lot of spaghetti code we didn't 1007 00:33:06,230 --> 00:33:07,129 really understand. 1008 00:33:07,130 --> 00:33:09,439 And then there's only a single memory 1009 00:33:09,440 --> 00:33:11,839 access register, whenever 1010 00:33:11,840 --> 00:33:13,339 you want to access memory it is stored in 1011 00:33:13,340 --> 00:33:15,259 this register and then you move the memory, 1012 00:33:15,260 --> 00:33:17,449 it's a big, big mess. And then 1013 00:33:17,450 --> 00:33:19,519 registers for some reason keep changing 1014 00:33:19,520 --> 00:33:20,929 in the middle of the code, of the 1015 00:33:20,930 --> 00:33:22,579 execution. That's because there's some 1016 00:33:22,580 --> 00:33:24,049 kind of register banks. 1017 00:33:24,050 --> 00:33:25,459 That's a nice idea. 1018 00:33:25,460 --> 00:33:27,889 But anyway, we gave this 1019 00:33:27,890 --> 00:33:29,179 one and a half stars out of five. 1020 00:33:30,240 --> 00:33:32,299 x86 is still much better 1021 00:33:32,300 --> 00:33:33,269 in our opinion. 1022 00:33:33,270 --> 00:33:35,509 Um, and that's 1023 00:33:35,510 --> 00:33:37,219 it. Once we have understood this, we 1024 00:33:37,220 --> 00:33:39,289 can probably analyze this 1025 00:33:39,290 --> 00:33:41,599 code.
And this is a screenshot 1026 00:33:41,600 --> 00:33:43,819 from IDA, from our disassembler, and 1027 00:33:43,820 --> 00:33:45,679 it presents the main function of this 1028 00:33:45,680 --> 00:33:47,749 KVM. Now it's divided into a 1029 00:33:47,750 --> 00:33:49,519 few interesting parts. 1030 00:33:49,520 --> 00:33:51,019 One is HID parsing. 1031 00:33:51,020 --> 00:33:53,149 Now HID stands for human interface 1032 00:33:53,150 --> 00:33:54,289 device. Right. This is what we were 1033 00:33:54,290 --> 00:33:56,239 looking for. This is where the actual 1034 00:33:56,240 --> 00:33:57,799 keystrokes are being processed. 1035 00:33:57,800 --> 00:34:00,379 And then this place here, uh, processes, 1036 00:34:00,380 --> 00:34:02,479 uh, hotkeys, like if you press 1037 00:34:02,480 --> 00:34:04,339 some kind of hotkeys which switch the port 1038 00:34:04,340 --> 00:34:06,739 and stuff like this, and this part here 1039 00:34:06,740 --> 00:34:08,329 actually controls the LEDs of the 1040 00:34:08,330 --> 00:34:09,829 keyboard, like the LEDs for some 1041 00:34:09,830 --> 00:34:11,299 functionalities, it has to flash the 1042 00:34:11,300 --> 00:34:13,638 LEDs and, you know, stuff like this. 1043 00:34:13,639 --> 00:34:15,559 And then this part was the really 1044 00:34:15,560 --> 00:34:17,779 interesting part. You see, this part 1045 00:34:17,780 --> 00:34:19,819 is a keyboard emulation. 1046 00:34:19,820 --> 00:34:21,988 So this is where we understand that this 1047 00:34:21,989 --> 00:34:24,379 KVM is not simply imitating 1048 00:34:24,380 --> 00:34:26,299 a keyboard. It is a keyboard. 1049 00:34:26,300 --> 00:34:28,488 It is emulating a keyboard. 1050 00:34:28,489 --> 00:34:29,629 Do you understand? 1051 00:34:29,630 --> 00:34:32,149 I mean, this means that we can actually 1052 00:34:32,150 --> 00:34:34,189 put some kind of a rubber ducky inside 1053 00:34:34,190 --> 00:34:36,289 our KVM. It's an actual keyboard, 1054 00:34:36,290 --> 00:34:37,609 right?
This is amazing. 1055 00:34:37,610 --> 00:34:39,669 We can type whatever keystrokes we want 1056 00:34:39,670 --> 00:34:40,968 into the machine. 1057 00:34:40,969 --> 00:34:43,399 Right. So we prepared a little demo. 1058 00:34:43,400 --> 00:34:44,928 And if you don't understand the 1059 00:34:44,929 --> 00:34:47,089 implications, I will show it to you now. 1060 00:34:47,090 --> 00:34:49,309 So we have two networks, 1061 00:34:49,310 --> 00:34:50,899 two, uh, networks. 1062 00:34:50,900 --> 00:34:52,279 One would be an Internet connected 1063 00:34:52,280 --> 00:34:54,169 network and the other would be an air gap 1064 00:34:54,170 --> 00:34:56,178 network. One hundred percent secure, as 1065 00:34:56,179 --> 00:34:57,560 this article says. 1066 00:34:58,860 --> 00:35:01,289 Now, a lot of people, a lot of engineers 1067 00:35:01,290 --> 00:35:03,329 work days and nights in order to secure 1068 00:35:03,330 --> 00:35:04,919 those environments and keep them totally 1069 00:35:04,920 --> 00:35:06,569 separated from each other by doing a lot 1070 00:35:06,570 --> 00:35:08,099 of interesting stuff. 1071 00:35:08,100 --> 00:35:09,479 And they did it really nicely. 1072 00:35:09,480 --> 00:35:10,979 But the thing is that at the end of the 1073 00:35:10,980 --> 00:35:13,019 day, a user needs to work on both of his 1074 00:35:13,020 --> 00:35:15,449 networks. Right. And if there is a user, 1075 00:35:15,450 --> 00:35:16,799 there are computers, and if there are 1076 00:35:16,800 --> 00:35:18,869 computers, there are videos and mice 1077 00:35:18,870 --> 00:35:20,519 and keyboards. And the user is again 1078 00:35:20,520 --> 00:35:21,989 frustrated. So he goes through his 1079 00:35:21,990 --> 00:35:24,209 purchasing department and purchases 1080 00:35:24,210 --> 00:35:25,589 a KVM. Right. 1081 00:35:25,590 --> 00:35:27,839 And when he did that, then he 1082 00:35:27,840 --> 00:35:30,119 doesn't need those two sets of keyboard,
1083 00:35:30,120 --> 00:35:31,679 video, mouse, he only needs one. 1084 00:35:31,680 --> 00:35:32,969 Now, his life is easy. 1085 00:35:32,970 --> 00:35:35,309 Right? So what will happen 1086 00:35:35,310 --> 00:35:38,139 if this KVM is malicious, 1087 00:35:38,140 --> 00:35:40,559 if it contains our malicious firmware? 1088 00:35:40,560 --> 00:35:42,669 Uh, we can discuss 1089 00:35:42,670 --> 00:35:44,219 this. The KVM can wake up in the middle of 1090 00:35:44,220 --> 00:35:45,599 the night. Right. 1091 00:35:45,600 --> 00:35:46,650 Just in the middle of the night. 1092 00:35:48,150 --> 00:35:50,369 And start typing the 1093 00:35:50,370 --> 00:35:52,439 user password on the Internet 1094 00:35:52,440 --> 00:35:54,539 connected network. Right now, some 1095 00:35:54,540 --> 00:35:55,969 of you might be asking yourselves, 1096 00:35:55,970 --> 00:35:57,569 wait, wait. The computer is password 1097 00:35:57,570 --> 00:35:59,069 protected. How does he know the password? 1098 00:35:59,070 --> 00:36:01,229 And I ask you back, well, how 1099 00:36:01,230 --> 00:36:02,999 do you enter your password? Through your 1100 00:36:03,000 --> 00:36:04,389 keyboard? Yes. 1101 00:36:04,390 --> 00:36:05,849 So the KVM already knows this. 1102 00:36:06,870 --> 00:36:08,609 He types in the password and then it 1103 00:36:08,610 --> 00:36:11,249 performs like a download or something 1104 00:36:11,250 --> 00:36:13,559 and gets the malicious, uh, 1105 00:36:13,560 --> 00:36:15,869 virus from the cloud, from the Internet 1106 00:36:15,870 --> 00:36:17,759 into the Internet connected computer. 1107 00:36:17,760 --> 00:36:20,099 Now, that's perfect persistency, right? 1108 00:36:20,100 --> 00:36:21,839 Look at this. There's nothing you can do 1109 00:36:21,840 --> 00:36:22,979 in order to prevent this attack. 1110 00:36:22,980 --> 00:36:25,079 I mean, you can reformat your hard 1111 00:36:25,080 --> 00:36:26,879 drive. You can switch your computer.
1112 00:36:26,880 --> 00:36:28,739 And again, as long as the KVM is there, 1113 00:36:28,740 --> 00:36:30,899 every night you will get infected again 1114 00:36:30,900 --> 00:36:32,309 and again. Right. 1115 00:36:32,310 --> 00:36:34,619 This is cool, but this is not... 1116 00:36:35,910 --> 00:36:38,969 But this is not cool enough because 1117 00:36:38,970 --> 00:36:41,609 we want to get into the air gapped 1118 00:36:41,610 --> 00:36:43,439 network. So what we did is design a 1119 00:36:43,440 --> 00:36:45,509 very special, special malware, which 1120 00:36:45,510 --> 00:36:47,009 what it does when it's run on the 1121 00:36:47,010 --> 00:36:49,829 computer, it actually replicates itself. 1122 00:36:49,830 --> 00:36:52,199 And when it replicates itself, it 1123 00:36:52,200 --> 00:36:54,179 starts typing itself into the 1124 00:36:54,180 --> 00:36:56,099 computer. And when doing this, our 1125 00:36:56,100 --> 00:36:58,589 agent, our agent gets these keystrokes 1126 00:36:58,590 --> 00:37:00,509 and passes this malware into the memory, 1127 00:37:00,510 --> 00:37:02,879 uh, into the memory of the KVM. 1128 00:37:02,880 --> 00:37:05,309 Then it very casually switches 1129 00:37:05,310 --> 00:37:07,829 the ports and retypes this malware 1130 00:37:07,830 --> 00:37:09,359 into the other network. 1131 00:37:09,360 --> 00:37:11,669 And so we got now two malwares, 1132 00:37:11,670 --> 00:37:13,709 two of the same tools in both 1133 00:37:13,710 --> 00:37:16,649 of the networks, and effectively 1134 00:37:16,650 --> 00:37:18,779 bridging the gap between those networks. 1135 00:37:18,780 --> 00:37:21,239 Those are no longer air gapped networks, 1136 00:37:21,240 --> 00:37:23,219 right, they're networks. 1137 00:37:23,220 --> 00:37:24,840 So this is what we did. 1138 00:37:25,860 --> 00:37:28,109 And now I 1139 00:37:28,110 --> 00:37:29,579 have a little demo for you. 1140 00:37:29,580 --> 00:37:30,600 Hopefully it will work.
1141 00:37:32,160 --> 00:37:33,869 I'm holding my fingers, I'll put it down 1142 00:37:33,870 --> 00:37:34,870 for a second. 1143 00:37:58,260 --> 00:37:59,260 Not everyone in. 1144 00:38:03,170 --> 00:38:04,280 Uh uh. 1145 00:38:06,180 --> 00:38:07,369 I'll keep using this. 1146 00:38:07,370 --> 00:38:09,449 OK, so what you see now is 1147 00:38:09,450 --> 00:38:11,639 the output of the computer, 1148 00:38:11,640 --> 00:38:12,779 right? I have two computers. 1149 00:38:12,780 --> 00:38:15,119 One is the attacker, the Internet connected 1150 00:38:15,120 --> 00:38:17,519 one, and the other one is the attacked, the 1151 00:38:17,520 --> 00:38:19,079 network computer. 1152 00:38:19,080 --> 00:38:21,089 Right. And they are only connected to 1153 00:38:21,090 --> 00:38:23,159 this KVM I have on the desk, no other 1154 00:38:23,160 --> 00:38:24,719 connections between them, only through the 1155 00:38:24,720 --> 00:38:26,009 KVM right now. 1156 00:38:26,010 --> 00:38:27,269 Look at this. This is the attacker 1157 00:38:27,270 --> 00:38:28,270 computer. 1158 00:38:29,130 --> 00:38:30,130 I just need to... 1159 00:38:31,300 --> 00:38:32,559 Run my malware. We're here. 1160 00:38:34,260 --> 00:38:36,390 Let me just lock the screen. 1161 00:38:37,920 --> 00:38:38,989 Let's see what will happen. 1162 00:38:40,690 --> 00:38:41,690 He woke up. 1163 00:38:44,820 --> 00:38:45,820 No, Hennes. 1164 00:38:53,580 --> 00:38:56,279 Well, now 1165 00:38:56,280 --> 00:38:57,280 the thing is that, 1166 00:38:59,790 --> 00:39:00,989 well, you're laughing, but this is 1167 00:39:00,990 --> 00:39:02,939 actually a really neat trick that we... so 1168 00:39:02,940 --> 00:39:04,949 we actually needed to type the binary 1169 00:39:04,950 --> 00:39:05,969 into that computer. 1170 00:39:05,970 --> 00:39:07,889 Right.
And the way to do that is to use 1170 00:39:07,890 --> 00:39:09,989 base64, and what we use is 1171 00:39:09,990 --> 00:39:12,479 certutil, which is a default utility 1172 00:39:12,480 --> 00:39:15,329 that comes with any Windows installation. 1173 00:39:15,330 --> 00:39:17,699 And we just type the base64 form 1174 00:39:17,700 --> 00:39:19,349 of our malware into this. 1175 00:39:19,350 --> 00:39:21,719 Yeah, we save it as a text file and then 1176 00:39:21,720 --> 00:39:23,789 decode it. And then we got a binary, an 1177 00:39:23,790 --> 00:39:25,559 actual binary on the 1178 00:39:25,560 --> 00:39:27,509 computer now. 1179 00:39:27,510 --> 00:39:29,339 It's not a big file, but it will take a 1180 00:39:29,340 --> 00:39:31,619 bit to work, so if anyone 1181 00:39:31,620 --> 00:39:32,620 has any jokes. 1182 00:39:38,420 --> 00:39:39,420 OK. 1183 00:39:41,350 --> 00:39:42,350 It will finish soon. 1184 00:39:44,120 --> 00:39:45,120 20 more minutes. 1185 00:39:54,700 --> 00:39:55,929 Come on, come on. 1186 00:39:55,930 --> 00:39:57,730 OK. Looks like it's going to finish soon. 1187 00:40:14,920 --> 00:40:16,469 I could have. 1188 00:40:16,470 --> 00:40:18,509 But this is a live demo, so give me some 1189 00:40:18,510 --> 00:40:19,510 respect for that. 1190 00:40:30,820 --> 00:40:33,279 That's it, we have our text file 1191 00:40:33,280 --> 00:40:35,709 and now, yeah, and the certutil 1192 00:40:35,710 --> 00:40:37,510 into encoded text. 1193 00:40:39,910 --> 00:40:42,279 Go on, go on now, certutil 1194 00:40:42,280 --> 00:40:44,559 decoded into the code of doping, 1195 00:40:44,560 --> 00:40:46,539 which is our malicious file, very 1196 00:40:46,540 --> 00:40:47,540 malicious. 1197 00:40:49,550 --> 00:40:50,629 You know, we run it. 1198 00:40:51,750 --> 00:40:53,489 And yes. 1199 00:41:04,490 --> 00:41:05,389 Thank you very much. 1200 00:41:05,390 --> 00:41:07,039 Thank you very much.
So what we talked 1202 00:41:07,040 --> 00:41:08,689 about is not really air gapped, as you thought, 1203 00:41:08,690 --> 00:41:10,249 if you have a KVM connected to them. 1204 00:41:10,250 --> 00:41:12,349 And if I'm lucky enough, there's 1205 00:41:12,350 --> 00:41:14,419 one more thing my malicious software 1206 00:41:14,420 --> 00:41:15,979 knows how to do. 1207 00:41:15,980 --> 00:41:17,149 Let's see if it works. 1208 00:41:21,800 --> 00:41:22,800 Mm hmm. 1209 00:41:26,860 --> 00:41:28,019 Back to our presentation. 1210 00:41:38,020 --> 00:41:39,429 So I'm running out of time, so let's do 1211 00:41:39,430 --> 00:41:40,659 it quickly. So what are the attack 1212 00:41:40,660 --> 00:41:42,219 vectors? Some of you might be asking 1213 00:41:42,220 --> 00:41:44,139 yourselves, hey, hey, you need to have 1214 00:41:44,140 --> 00:41:45,639 physical access to the KVM. 1215 00:41:45,640 --> 00:41:46,659 And that's right. 1216 00:41:46,660 --> 00:41:48,189 I need to have physical access to the 1217 00:41:48,190 --> 00:41:50,169 KVM. Still, with physical access 1218 00:41:50,170 --> 00:41:51,849 we have a few attack vectors that are 1219 00:41:51,850 --> 00:41:52,929 really reliable. 1220 00:41:52,930 --> 00:41:54,669 One of them would be, you know, just give 1221 00:41:54,670 --> 00:41:56,619 me 30 seconds alone with your KVM and 1222 00:41:56,620 --> 00:41:57,729 that's it. 1223 00:41:57,730 --> 00:41:59,979 And the other one would be, 1224 00:41:59,980 --> 00:42:01,089 let's attack the supply chain. 1225 00:42:01,090 --> 00:42:02,799 Yeah, the seller of the seller of the 1226 00:42:02,800 --> 00:42:04,389 seller that sells you the KVM. 1227 00:42:04,390 --> 00:42:06,429 We can just switch it and you get a 1228 00:42:06,430 --> 00:42:08,469 malicious KVM right out of the box. 1229 00:42:08,470 --> 00:42:10,389 That's nice. And that's been known to be 1230 00:42:10,390 --> 00:42:11,390 done before.
1231 00:42:12,970 --> 00:42:15,399 Now, however, there are many KVMs, 1232 00:42:15,400 --> 00:42:16,959 not the one that we researched, that are 1233 00:42:16,960 --> 00:42:19,179 being operated through IP. 1234 00:42:19,180 --> 00:42:21,069 And if they are operated through IP, then 1235 00:42:21,070 --> 00:42:23,289 theoretically we can exploit the same 1236 00:42:23,290 --> 00:42:24,879 thing remotely. 1237 00:42:24,880 --> 00:42:27,269 That would be really, really cool to do. 1238 00:42:27,270 --> 00:42:28,839 And it is possible. 1239 00:42:28,840 --> 00:42:30,489 And the thing is that CVEs are really 1240 00:42:30,490 --> 00:42:31,429 not exploitable. 1241 00:42:31,430 --> 00:42:33,889 I mean, just Googling on top of it, CVEs, 1242 00:42:33,890 --> 00:42:36,159 these are related to KVMs 1243 00:42:36,160 --> 00:42:38,379 that are operated over the 1244 00:42:38,380 --> 00:42:39,939 Internet and IP. 1245 00:42:39,940 --> 00:42:42,099 So it is really possible, 1246 00:42:42,100 --> 00:42:44,289 just it was out of our scope of research 1247 00:42:44,290 --> 00:42:45,290 to do. 1248 00:42:46,010 --> 00:42:48,189 Now, what can you do to protect 1249 00:42:48,190 --> 00:42:50,319 yourself from these kinds of attacks? 1250 00:42:50,320 --> 00:42:51,969 First of all, know your environment. 1251 00:42:51,970 --> 00:42:53,529 That's the best suggestion I can give 1252 00:42:53,530 --> 00:42:55,629 you. I mean, sometimes it's not necessary 1253 00:42:55,630 --> 00:42:57,789 to connect a really secure computer 1254 00:42:57,790 --> 00:43:00,189 to a non-secure computer through a KVM. 1255 00:43:00,190 --> 00:43:02,169 And if it's not required, then please, 1256 00:43:02,170 --> 00:43:04,659 please remember this and don't do this. 1257 00:43:04,660 --> 00:43:07,149 But sometimes, of course, it's 1258 00:43:07,150 --> 00:43:08,769 unavoidable and you need to do this.
1259 00:43:08,770 --> 00:43:10,569 And if you do this, know that there are 1260 00:43:10,570 --> 00:43:13,179 some other creatures called secure KVMs. 1261 00:43:13,180 --> 00:43:15,039 Now, those creatures look like this and 1262 00:43:15,040 --> 00:43:17,319 they actually close all of 1263 00:43:17,320 --> 00:43:19,959 our attack vectors. 1264 00:43:19,960 --> 00:43:22,119 They don't let us do anything from what 1265 00:43:22,120 --> 00:43:23,919 we showed. The thing is that those devices 1266 00:43:23,920 --> 00:43:26,199 cost like 100 times more than normal 1267 00:43:26,200 --> 00:43:28,389 KVMs and I actually know very, very 1268 00:43:28,390 --> 00:43:30,669 few people who actually buy this stuff. 1269 00:43:30,670 --> 00:43:32,799 Right. So if you do need to 1270 00:43:32,800 --> 00:43:33,849 connect something really, really 1271 00:43:33,850 --> 00:43:36,189 important, then you might consider buying 1272 00:43:36,190 --> 00:43:38,379 one of these. And the last 1273 00:43:38,380 --> 00:43:40,599 thing is being innovative. 1274 00:43:40,600 --> 00:43:42,759 And by being innovative, I mean, we 1275 00:43:42,760 --> 00:43:44,949 sat down and we talked a bit about, 1276 00:43:44,950 --> 00:43:46,629 you know, what can we do in order 1277 00:43:46,630 --> 00:43:47,969 to protect against this? 1278 00:43:47,970 --> 00:43:49,539 And we came up with this nice idea. 1279 00:43:49,540 --> 00:43:50,919 It's not perfect, but it's nice. 1280 00:43:50,920 --> 00:43:53,139 What we did is, we wrote a small 1281 00:43:53,140 --> 00:43:55,209 agent that you can place on your computer, 1282 00:43:55,210 --> 00:43:57,339 and this agent actually logs 1283 00:43:57,340 --> 00:43:59,829 keystrokes.
It doesn't log the keystrokes 1284 00:43:59,830 --> 00:44:01,719 themselves, but the statistics, and what 1285 00:44:01,720 --> 00:44:03,839 it looks for is some 1286 00:44:03,840 --> 00:44:05,139 deviation from the normal 1287 00:44:05,140 --> 00:44:06,849 statistics. Right. The thing what we did 1288 00:44:06,850 --> 00:44:07,749 here, this types a lot. 1289 00:44:07,750 --> 00:44:09,549 A lot. A lot of keystrokes. 1290 00:44:09,550 --> 00:44:10,779 That's a deviation. 1291 00:44:10,780 --> 00:44:12,459 Right. So if we detect some kind of 1292 00:44:12,460 --> 00:44:14,589 deviation, like not using backspaces, 1293 00:44:14,590 --> 00:44:16,749 or the intervals between the characters 1294 00:44:16,750 --> 00:44:18,339 are relatively small, then something 1295 00:44:18,340 --> 00:44:19,269 weird is going on. 1296 00:44:19,270 --> 00:44:21,009 And all we need to do is just to pop a 1297 00:44:21,010 --> 00:44:23,079 message box and this will fuck up 1298 00:44:23,080 --> 00:44:25,539 the entire exploitation process. 1299 00:44:25,540 --> 00:44:26,809 That's a nice idea. 1300 00:44:26,810 --> 00:44:28,929 You might have better ones, but 1301 00:44:28,930 --> 00:44:31,239 we did it with the help of our, uh, 1302 00:44:31,240 --> 00:44:33,319 colleague to Rappoport 1303 00:44:33,320 --> 00:44:34,320 store. 1304 00:44:35,740 --> 00:44:37,509 And that's about it. Guys, that's my 1305 00:44:37,510 --> 00:44:38,709 presentation. Thank you. 1306 00:44:57,510 --> 00:44:59,789 Thank you very, very much for this very 1307 00:44:59,790 --> 00:45:01,949 entertaining and fun presentation. 1308 00:45:01,950 --> 00:45:03,689 So if you have any questions, come to the 1309 00:45:03,690 --> 00:45:06,329 microphone, there's one and there's one, 1310 00:45:06,330 --> 00:45:07,589 and ask your questions. 1311 00:45:07,590 --> 00:45:10,259 You can also ask them via the Internet 1312 00:45:10,260 --> 00:45:12,359 there.
I think there are also questions 1313 00:45:12,360 --> 00:45:14,399 on the Internet. So maybe we start here 1314 00:45:14,400 --> 00:45:16,589 with you and the other 1315 00:45:16,590 --> 00:45:17,849 ones who are like 1316 00:45:19,710 --> 00:45:20,999 leaving this room. 1317 00:45:21,000 --> 00:45:23,189 Please be quiet because 1318 00:45:23,190 --> 00:45:25,439 there is still a question and answer 1319 00:45:25,440 --> 00:45:26,969 session here. 1320 00:45:26,970 --> 00:45:29,279 So please be quiet while 1321 00:45:29,280 --> 00:45:31,109 leaving this room. 1322 00:45:31,110 --> 00:45:32,319 Thank you. 1323 00:45:32,320 --> 00:45:33,320 OK, your question. 1324 00:45:37,270 --> 00:45:38,729 This doesn't work. 1325 00:45:41,880 --> 00:45:44,069 I can give, though, 1326 00:45:44,070 --> 00:45:45,300 is not know. 1327 00:45:47,800 --> 00:45:49,329 So now, I thank you very much for the 1328 00:45:49,330 --> 00:45:50,689 talk, very great. 1329 00:45:50,690 --> 00:45:52,719 My question is, how much time did you 1330 00:45:52,720 --> 00:45:54,669 need to achieve this goal, or how many 1331 00:45:54,670 --> 00:45:56,829 days, weeks, or 1332 00:45:56,830 --> 00:45:58,209 is that a no? 1333 00:45:58,210 --> 00:45:59,829 It's a good question because we worked on 1334 00:45:59,830 --> 00:46:01,389 it, like, on and off. 1335 00:46:01,390 --> 00:46:03,639 So overall, it took us like I think 1336 00:46:03,640 --> 00:46:05,349 six months. But it's not a straight 1337 00:46:05,350 --> 00:46:07,779 job. You're just like with picks. 1338 00:46:07,780 --> 00:46:08,780 OK, thank you. 1339 00:46:09,880 --> 00:46:10,880 Question over here.
1340 00:46:11,950 --> 00:46:14,199 I could think of just another 1341 00:46:14,200 --> 00:46:16,449 attack surface, because 1342 00:46:16,450 --> 00:46:18,849 even if your equipment doesn't update 1343 00:46:18,850 --> 00:46:20,949 over the Internet, if 1344 00:46:20,950 --> 00:46:23,229 it has USB for 1345 00:46:23,230 --> 00:46:26,289 keyboard and mouse and not PS/2, 1346 00:46:26,290 --> 00:46:29,739 then maybe you could even 1347 00:46:29,740 --> 00:46:31,569 flash a new firmware just by spotting 1348 00:46:31,570 --> 00:46:33,909 some USB functionality 1349 00:46:33,910 --> 00:46:35,289 like BadUSB. 1350 00:46:35,290 --> 00:46:37,269 Thank you. This is my next research. 1351 00:46:37,270 --> 00:46:38,270 OK. 1352 00:46:39,620 --> 00:46:41,030 A question from the Internet. 1353 00:46:42,160 --> 00:46:44,259 Um, yeah, we got a few 1354 00:46:44,260 --> 00:46:46,389 questions, one is, 1355 00:46:46,390 --> 00:46:48,519 can you upgrade the KVM via the 1356 00:46:48,520 --> 00:46:51,159 connected USB keyboard, 1357 00:46:51,160 --> 00:46:53,679 like just 1358 00:46:53,680 --> 00:46:55,749 typing in, just 1359 00:46:55,750 --> 00:46:58,299 a dongle or something like that? 1360 00:46:58,300 --> 00:46:59,340 Not that I know of. 1361 00:47:01,510 --> 00:47:03,639 And also another question, what 1362 00:47:03,640 --> 00:47:05,739 are the black boxes in the 1363 00:47:05,740 --> 00:47:07,729 slides? Some people ask for that. 1364 00:47:07,730 --> 00:47:08,730 I still don't know. 1365 00:47:11,270 --> 00:47:12,079 Thank you. 1366 00:47:12,080 --> 00:47:14,209 But they probably have 1367 00:47:14,210 --> 00:47:15,649 something to do with the 1368 00:47:15,650 --> 00:47:16,579 outputs, right? 1369 00:47:16,580 --> 00:47:19,249 I think they are, Veoh, um, 1370 00:47:19,250 --> 00:47:21,309 chips related to video chips or 1371 00:47:21,310 --> 00:47:22,310 something like this. 1372 00:47:24,200 --> 00:47:25,249 Thank you.
1373 00:47:25,250 --> 00:47:27,379 Over here again, um, you 1374 00:47:27,380 --> 00:47:29,689 said you could, like, copy the code 1375 00:47:29,690 --> 00:47:32,809 that you got over the Internet, um, 1376 00:47:32,810 --> 00:47:34,429 over and all night. 1377 00:47:34,430 --> 00:47:36,229 Um, how long would it 1378 00:47:36,230 --> 00:47:38,539 approximately take to 1379 00:47:38,540 --> 00:47:40,669 type in the code? 1380 00:47:40,670 --> 00:47:43,309 Uh, it depends on the timer of the KVM 1381 00:47:43,310 --> 00:47:45,379 and how long the 1382 00:47:45,380 --> 00:47:46,999 interval between the keystrokes is. 1383 00:47:47,000 --> 00:47:49,219 So it varies between one type of KVM 1384 00:47:49,220 --> 00:47:51,259 and the other. This KVM is pretty slow. 1385 00:47:51,260 --> 00:47:53,569 And if you want to download a big, 1386 00:47:53,570 --> 00:47:55,459 uh, executable, I'm guessing 1387 00:47:55,460 --> 00:47:57,139 something like thirty minutes. 1388 00:47:58,170 --> 00:48:00,149 OK, but other KVMs might take 1389 00:48:00,150 --> 00:48:01,859 five minutes or even less. 1390 00:48:01,860 --> 00:48:02,860 OK, thanks. 1391 00:48:03,910 --> 00:48:06,819 And over there, again, um, 1392 00:48:06,820 --> 00:48:08,469 I don't know whether you have thought 1393 00:48:08,470 --> 00:48:10,719 about implementing, um, bidirectional 1394 00:48:10,720 --> 00:48:12,849 communication, for example, by flashing 1395 00:48:12,850 --> 00:48:14,110 the keyboard LEDs. 1396 00:48:15,440 --> 00:48:17,569 Uh, we thought about it and we even tried 1397 00:48:17,570 --> 00:48:19,729 to do something, but we couldn't 1398 00:48:19,730 --> 00:48:21,499 really make anything, it would be really 1399 00:48:21,500 --> 00:48:22,810 cool if we could.
1400 00:48:24,410 --> 00:48:26,449 And another question from the Internet, 1401 00:48:26,450 --> 00:48:28,549 um, two questions, um, the black 1402 00:48:28,550 --> 00:48:30,799 boxes was as chips, 1403 00:48:30,800 --> 00:48:33,109 the black boxes was meant 1404 00:48:33,110 --> 00:48:35,450 for the censorship of the images. 1405 00:48:36,820 --> 00:48:38,229 I'm sorry, can you repeat the question, I 1406 00:48:38,230 --> 00:48:40,449 didn't understand. You had some 1407 00:48:40,450 --> 00:48:42,399 images of the hex dump and the people 1408 00:48:42,400 --> 00:48:44,589 were asking why was 1409 00:48:44,590 --> 00:48:45,590 it censored? 1410 00:48:46,520 --> 00:48:48,219 That's the vendor name. 1411 00:48:48,220 --> 00:48:49,899 OK, so another question. 1412 00:48:49,900 --> 00:48:51,969 Is there any way to, uh, shut down 1413 00:48:51,970 --> 00:48:53,979 the internal keyboard or as a coffee? 1414 00:48:53,980 --> 00:48:55,989 You know, that's a feature of the. 1415 00:48:55,990 --> 00:48:56,990 OK. 1416 00:48:58,340 --> 00:49:00,949 Is it possible to emulate a virtual 1417 00:49:00,950 --> 00:49:03,499 Ethernet device via the KVM 1418 00:49:03,500 --> 00:49:05,779 so you could really make a bridge between 1419 00:49:05,780 --> 00:49:07,619 those air gapped networks? 1420 00:49:07,620 --> 00:49:09,709 Well, um, I 1421 00:49:09,710 --> 00:49:12,029 saw something very similar, very similar, 1422 00:49:12,030 --> 00:49:13,709 at DEFCON this year. 1423 00:49:13,710 --> 00:49:16,129 Uh, we couldn't do it. 1424 00:49:16,130 --> 00:49:17,869 I would be really happy to try and do 1425 00:49:17,870 --> 00:49:19,729 something like this, but we didn't try. 1426 00:49:19,730 --> 00:49:20,730 OK, thanks. 1427 00:49:22,260 --> 00:49:25,289 Are there any more questions? 1428 00:49:25,290 --> 00:49:28,199 I can't see anybody, so thank you again 1429 00:49:28,200 --> 00:49:29,939 very much, giving the one of the.