This webcast was originally published on May 13, 2016.
In this video, the speakers discuss hardware hacking, focusing on techniques for identifying and exploiting vulnerabilities in various devices such as routers and access points. They demonstrate practical methods using tools like the Jtagulator and Bus Pirate to interface with device firmware, illustrating the potential to extract sensitive information or manipulate device functionalities. The session also highlights the importance of securing devices to prevent unauthorized access and data leakage.
- Hardware hacking involves exploiting vulnerabilities in common devices like routers, modems, and smart home systems, which often have outdated or static security measures.
- Techniques such as JTAG and UART are used to interface with device protocols, allowing hackers to debug, reprogram, or extract data from device firmware.
- Understanding and utilizing specialized hardware hacking tools like Jtagulator, Bus Pirate, and various soldering equipment is crucial for effective hardware security testing.
Transcript
John Strand
So we’re now recording. That’s good. That’s good. Look at it. Still scrambling up.
Brian Fehrman
Nice.
John Strand
This is gonna be a good, good turnout. All right. All right, say, let’s, throw on the camera here for a second so people can see us. So there we go.
Brian Fehrman
Now, last time I showed up, my camera, I had a beard, and people made fun of my neck beard.
John Strand
You do not have a neck beard. I don’t think Jada would let you have a neck beard.
Brian Fehrman
She’s, like, actually very groomed. Yeah, well, I experimented with a beard for about, like, three months, and my conclusion was I can’t grow a beard.
John Strand
Yeah, probably at that point, I thought it was warm and it was summertime, so, I thought I would shave.
Brian Fehrman
And that was a mistake because it.
John Strand
Immediately snowed, again. So I obviously don’t know what.
Brian Fehrman
Our camera is actually showing.
John Strand
All right, so this is usually the point where somebody types in the questions like, jackasses, get on with it. Stop telling jokes all the time. So let’s go ahead and let’s get on with it then. Screen share has been on for at least ten minutes.
That’s awesome. Somebody’s forwarding on a porno. That’s awesome. Thank you. All right, more jokes. All right, we’ll kill the video. We have more video. There is actually a lot of video with this webcast, and I’m going to warn you that there’s a very distinct possibility that crap’s not going to work.
And I blame Brian, not just because he did all the work, but that’s a big reason. But if it doesn’t work, it’s because Brian said, I tested everything three, four times.
Brian Fehrman
It’s going to work, which means it’s.
John Strand
Ended up totally not going to work. I’m going to shut off this camera for now. So once again, thank you so much for showing up today. I really, really appreciate it.
This is brought to you by SANS 504. Clearly, the slide has been butchered. But SANS 504, we talk about hacker techniques, exploits, and incident handling. It was also brought to you by Black Hills Information Security.
We do this type of stuff. Some people are like, screw that. We’re not going to work with BHIS. Who else do we recommend? I saw that Larry Pesce is on the webcast.
Brian Fehrman
Hi, Larry.
John Strand
And we love Larry a lot, even though I’m pretty sure he’s the one that’s sending me porno links. So I would also recommend you guys check out InGuardians, because InGuardians is a fantastic corporation as well.
We like them a lot. And I’m going to hand it over to Brian. So Brian, this little thing goes off to the left and I’m going to go over there and I’m going to check comments and stuff and ask questions from random locations.
All right, Brian, take it over please.
Brian Fehrman
That sounds awesome. Sweet. So hey guys, we’re just going to go through some introductory slides here first and then we’ll get on with some live demonstration stuff.
But just a little bit of background if I can work PowerPoint. So why do we care about hardware hacking? Get this thing out of the way. Well, one of the reasons is we have a lot of consumers who have a lot of the same hardware models.
And with this hardware, I mean, these devices are rarely getting updated. It’s not like Linux, Java, whatever, where you’re getting updates pushed out every day. These things are a little bit harder to update and they’re not always getting updated as frequently as they should.
And sometimes we find that when vendors put out these pieces of hardware, they’ll actually put in little back doors or default passwords, credentials that are just kind of there and present on all the devices.
So our job is to find them. And so this thing keeps popping up. All right, and so what do we mean by hardware? Well, we’re talking about things like routers, your modems, key fobs for cars, for garage door openers.
Now we’re starting to get more into smart home devices. You’re seeing lots of things about that. So even like hacking a thermostat, the stuff that everyone’s putting in their homes to make it smarter, that everyone has a lot of the same equipment, and also going and looking at smart grid devices.
So things that power companies are putting out, putting on your homes, that are now two-way communication devices. It used to just be like a one way, so they receive a signal and that was it. But now they’re getting them set up so that they can talk back, to call back home, talk to home base.
And so what good does this do this or what good does this do for us? So imagine you’ve got a public based device and you fingerprinted it to be a router. What router this is?
And so you go out and you buy this exact same model of the router. And after playing around with it, after hacking around with it a bit, you find that there’s a root account and this doesn’t get changed and now you have a way in.
So how do we do the hacking? Well, one of the things that we look at is that a lot of these devices use standardized protocols. And so a lot of times the vendors, when they make these devices and they put them out to market, they’ll actually leave the protocols open.
The interfaces to these protocols open on these boards, when you just pick up and look at the board, it’s not always apparent on newer boards. I was actually at a friend’s house the other day. He’s got a ton of stuff, I mean just like baskets and baskets full of hardware.
And I was picking it up and on some of the older hardware devices you’ll get lucky and they will literally label the protocols with all the exact, pin outs. But on newer devices it’s not the case. However, we do have some tools that can help us out with this.
And so what are these different protocols that I’m talking about? Well, we have two main ones that I’m going to look at today. One is Joint Test Action Group, JTAG. The other one is Universal Asynchronous Receiver Transmitter, UART, and it’s also known, aka serial, in many cases is what you have heard of this as.
And so JTAG, like the TV show? No, that’s JAG. JTAG is something that we use for both debugging and programming hardware chips. That’s some of the main uses. When we think of hardware on the chips, let’s think of firmware.
And we can also use the JTAG protocol in some cases to dump the firmware off of the device itself. So the firmware that’s been programmed on there, likely by the manufacturer, we can dump that off and we can start to analyze that and look for interesting things.
And so what can we do with this firmware? Well, once we have it, we can start looking around for things like passwords, things for like private keys for encryption, maybe look at the web endpoints that this device is trying to call out to, endpoints that should otherwise be hidden, not made public,
but that you can go and you can look at these and see what kinds of things are open on these endpoints. What can I get to through these endpoints? There might also be some kind of interesting backdoors, things that are left open.
So that your cable provider can get into these devices so that your, your energy service provider can get into these devices, and so we can try to look for these things.
Another thing you can do once you have the firmware and you start inspecting it, is we can look through this, we can modify the firmware, and we can reflash it onto the device to make it do cool things, make it do things it wasn’t intended to do, but things that we would like it to do.
And so what about UART? I mentioned that. UART is sweet. Honestly, I like finding this on devices. And the two demos I’m going to do today, the live demos, I’m going to show you on two different devices where I found a UART interface, and it’s pretty sweet.
So with some of these, without having to do any extra effort other than just finding the UART and connecting to it, you’ll get a console on the device, root access, without needing any kind of password, and you can start just browsing around and looking for things without having to do any extra work beyond that, other than just finding the interface, connecting up to it, and it’s pretty sweet.
And so key fobs, yeah, definitely. And so if we want to start playing around with key fobs, though, we’ll need to start looking into what’s called software defined radio, SDR.
That’s one way that we can capture these signals that are coming out from the key fobs and try to replay these signals to see what we can get access to. But we’ll get into that a little bit later down the road.
What kind of tools should you get for this? One of the number ones, I would say, would be the Jtagulator. I’ll show you guys pictures of these once we actually get the demos going, but the Jtagulator, awesome device.
I’ve been playing around with this, and this thing is freaking sweet. If you’re going to do hardware hacking, where you’re trying to look for the interfaces like JTAG, you’re trying to look for UART interfaces, this thing is cool, and I highly suggest getting one of these.
And so basically what this is, is it’s a device where, say you’ve got your circuit board and you can look on your circuit board and you’re thinking like, well, I see a couple different places on here that might be a UART interface, they might be a JTAG interface.
I’m not exactly sure. What this device allows you to do is you can solder up wires to all of these potential interface points, hook it up to this Jtagulator, run the software on it, and it will go through and it will tell you whether or not these are interface points to these different protocols, JTAG or UART, and whether they’re enabled as well.
And another cool thing is with the UART, going back to the other slide, once you actually find the UART interface on the device with the Jtagulator, the Jtagulator will also facilitate communication to that UART protocol.
What are some of the other tools that you might want? I also suggest the Bus Pirate. I won’t actually be doing a live demo of that today. I’ll show you guys some screenshots of another assessment I did with the Bus Pirate.
I’ll show you guys a picture of it as well too. But what the Bus Pirate is good for is once you find the JTAG interface, you can use the Bus Pirate in OpenOCD to start playing around with that interface.
You can do live debugging of the hardware, so of the firmware, and so you can boot up your device. And with this Bus Pirate and OpenOCD you can actually use also GDB to step through instruction by instruction on execution.
But then on top of that you can use it to pull off the firmware from the device in some cases, and also flash it back onto the device. So what else?
Just basic stuff in terms of soldering, basic electric stuff a lot of you probably have. I would suggest getting a ton of different wire connectors. You can order them off like eBay, Amazon.
You can get bulk units for super cheap, get all different kinds of connections, so that you’re set and ready to go for whatever you’re going to be looking at. Multimeter: definitely super handy for determining what connects where, and figuring out is this ground, is this power,
have I accidentally bridged two wires together? Great thing to have. And you will definitely need a soldering iron. There are lots of them out there. There are lots of really good ones.
I honestly love my Weller. The thing looks super old school, like they haven’t changed the design since the seventies, but this thing freakin rocks. I have had it for I think seven years now and I never had a problem with it other than having to swap out tips.
But you’ll definitely want to get one of those. And I know a lot of people might get a little bit uneasy about things like soldering, but don’t. I’ll show you guys some tricks to make things easier for you.
John Strand
So, we got a question from Linda Lee. He said, so how hard is it to load new firmware without bricking the device? I think that really depends on the device, doesn’t it?
Brian Fehrman
Yes, definitely, definitely depends on the device. And you just have to be really, really, really careful when you go to do it. You want to make sure that your firmware is not corrupt itself. And you want to make sure that the process does not get interrupted.
John Strand
And Sheldon is saying links to the tools or it didn’t happen. For those of you that can’t Google, we’ll be happy to provide links whenever I send out the archive of this.
So we’ll be sure to get that out. Oh, God. We are recording it, I think, right?
Brian Fehrman
Yeah.
John Strand
Did I see?
Brian Fehrman
We were.
John Strand
Okay, cool. All right. And Lee says he’s still using the same 25 to 30 watt iron that he always used in the eighties. And Dustin wants to know how many watts is your Weller?
Brian Fehrman
Oh, I have. I honestly have no idea. Let’s look on the back.
John Strand
It’s got a hemi.
Brian Fehrman
It is a 60 watt.
John Strand
Yeah. And yeah, it’s got a hemi in it, too.
Brian Fehrman
Yes, that too.
John Strand
So it’s a very manly soldering iron.
Brian Fehrman
Yeah.
John Strand
All right, so, all right, how many gigawatts? Not enough. Not enough.
Brian Fehrman
Never enough. What about for the SDR portion? I had mentioned that. Oh, what about for the SDR portion?
So what I suggest is the HackRF device. This thing is sweet. It’s from Great Scott Gadgets, and just the sheer frequency range that this thing can handle makes it well worth it.
It’s compatible with GNU Radio, which I’ll show you guys later. I highly, highly suggest checking out this device if you’re interested in doing some of the SDR stuff.
John Strand
And if it’s like in a lower range, it’s very easy to get a Ham It Up and then step it up into it so it can actually work with it as well. So as you said, there’s going to be a lot more SDR stuff coming up over the next twelve months.
Brian Fehrman
Yep. And so what about some of the different software I’m using? When I did most of this testing, I used Ubuntu as the OS. Others will work. I’m actually going to do all the demonstrations on Mac,
because all I need is just a serial console over to this device, and we’re good to go. OpenOCD, Binwalk, which I’m actually not going to show you guys today, but once you get into the point where you’re dumping firmware and trying to analyze it, Binwalk is great for that.
And then GNU Radio for the software defined radio stuff. Anything else? Well, you have to have a hacker kitty, of course. She always hops right into the chair as soon as they go into the office and is ready for hacking.
John Strand
Now, another great question. Are there any popular emulators that firmware can run in? Yes, there are a number of different emulators. Once again, that depends on the firmware. A lot of the devices, you really won’t know what you’re getting into until you get into it,
because we’re going to talk about, we got some stuff that’s ripped apart. Sometimes you don’t even know what’s inside the case until you get the case open, and then it’s just horrifying as well.
All right.
Brian Fehrman
All right, let’s do it. Demo time. Cross fingers, do dances, and probably grab the fire extinguisher.
John Strand
Did we kill the goat?
Brian Fehrman
No. We should probably go do that quick. Standby.
John Strand
Bring out the goat. All right, so let’s bring out the camera here real quick. Is the cat ready? The cat is always ready, yes. So let’s bring up cameras, get started.
Oh, you’re supposed to be at a webcast now.
Brian Fehrman
Oh, okay, cool.
John Strand
Yeah, we had trouble getting the camera working on Mac, but it seems to work just fine in Colin.
Brian Fehrman
So, we got to refresh it. Yep. Oh, come on.
John Strand
You’ve got to be kidding me.
Brian Fehrman
It was just working.
John Strand
I mean, we just had this, like, right here. This is where we’re going to die. This is it.
Brian Fehrman
Oh. Oh. Enter. Wow, that’s great.
John Strand
All right, cool.
Brian Fehrman
Hang up.
John Strand
We’re going to try rebooting it. This is also really important to have lots of extension cords.
Brian Fehrman
Yes.
John Strand
This is the part where I dance. So you guys enjoy your work? Yes, we do. Demo gods are not amused by our shenanigans. No, they are not. Did anyone hack your camera?
Probably. I blame Larry. Let’s go ahead and let’s bring up Photo Booth real quick, and we can kind of walk through the gear that you have right now while we’re getting that camera up and running.
See, we have backups because we are security people, and backups are what we do. All right, yeah, that really looks awesome. Streaming video over GoToWebinar.
Brian Fehrman
That looks great.
John Strand
It jitters. Every moment here. All right, so here we go. So let’s turn this around, not break anything.
This is inside the corporate offices of BHIS. Let’s kind of walk through some of the gear that you have here if you want to come around. And you should be able to see what you’re actually pointing at.
Brian Fehrman
At different times really slowly.
John Strand
No, you should also know that it’s really important that you get lots of ancient gear, just so you can set it on your desk so it looks cool. Because if you’re going to get into hardware hacking, a big part of it is looking cool.
If you can make things blink, it’s even better. All right, so let’s go through kind of what these things are and show them. You’re going to have to hold it slow. And, I guess not.
Brian Fehrman
Let me try the other camera once more. Oh, we’ve got the other camera. Is that any better?
John Strand
I don’t know. I mean, we can use that one. That one’s good. Let me check it here.
Brian Fehrman
Yeah, check that.
John Strand
All right, so the other camera is up. So let’s see what we got. Yeah, it just kind of. No, it’s once every second or so.
Brian Fehrman
Okay.
John Strand
All right, so, people say it is better.
Brian Fehrman
Okay. Okay, I’m gonna go ahead and I’m gonna kill Photo Booth then, so we aren’t trying to do that too. Okay.
John Strand
Any words on that whiteboard?
Brian Fehrman
No, no, nothing. Good. I checked it.
John Strand
Periscope for this? Wouldn’t that be hilarious? Periscope probably has better bandwidth than, we’re doing. All right.
Brian Fehrman
All right, here we go.
John Strand
Let’s move this over.
Brian Fehrman
Alrighty.
John Strand
Let’s start with this little red thing right here.
Brian Fehrman
So this is the Bus Pirate. Unfortunately, this camera apparently does not have autofocus. All right, so this is the Bus Pirate. It’s just this little red device here, just hooks up via, whoops, that’s the wrong side.
Via USB. And here you’ve got a couple different, can’t really see it there, but you’ve got a couple different pins you can plug into. For the JTAG stuff, you just end up using four of these, five of these,
I’m sorry. And there’s little diagrams online that tell you what goes where. So that thing’s pretty sweet.
Onto this one.
John Strand
Bring things to ips. That’s probably a good idea.
Brian Fehrman
All right, so this is the Jtagulator in all of its glory. So here you actually have two different interfaces. Here is if you want to plug in wires.
So you have just kind of loose wire ends. You can go ahead and plug those in to this bank, but they hook up to the same channels that are over here, which allows you to just do the push on, pull off wires, which is what we’re going to be, what we’re going to be dealing with.
John Strand
So it’s basically just flexible. This one’s, you can just plug the wires in. This one you can screw them, and it just makes it a lot easier for options.
Brian Fehrman
Yep, exactly. So whatever, whatever you want to do, it gives you a couple options. and then it’s also just a, USB interface right there. There we go.
Okay.
John Strand
Yeah, very cool.
Brian Fehrman
Cool.
John Strand
Some joker is asking, hey, could you guys just like, make it bigger? Like make it full screen? No, we’re not risking it.
Brian Fehrman
No. Nope. Nope. There we go. All right. So let’s go ahead and let’s show a couple other things here.
Here is my trusty Weller.
John Strand
Lift this up a little.
Brian Fehrman
There we go. Yep. I bought this probably seven years ago or so. Again, it looks old school, but, man, this thing is freaking sweet. And I like the adjustable dial on it.
It’s a fantastic soldering iron, in my opinion. Some other things we’ve got, so we’ve got our wires that we’ll be needing.
Male female connectors. I highly suggest one of these kits. It’s just a little screwdriver tool kit. So you’ve got a bunch of different picks over here.
And then here you’ve got just a bunch of small, little, different adapters. I really, really suggest one of these. They’re good at poking around and prying things and taking things apart. It’s great.
One of these I also suggest too. So this thing is called a helping hand. It’s got a magnifying glass. You can look like a little inspector when you’re looking at things.
It’s great, though, to either hold wires when you’re trying to solder them, if you need to solder two wires together. It’s also good for the magnifying glass, using it to look closely to see if two things are bridged together, if they’re connected, not connected.
All that good stuff. Multimeter. I picked this thing up for like $20 from Walmart. You could probably get them even cheaper online.
But I mean, just a basic multimeter. Probably the key feature is going to be the continuity feature, to see if two things are connected or not, and then the voltage feature. That’s really mostly what you’re going to need for this. Some other stuff, if you get into having to solder things that are really close together:
this liquid solder flux, aka the magic sauce. This stuff is amazing. It’ll help keep the solder where it needs to be, without.
It’ll also help prevent solder bridges, which is also really bad because those a lot of times let out the magical smoke and things will stop working.
And I’ve just got some various other things over here, too. Some of these little paint brush things can be handy, just for kind of brushing things off, cleaning them off. I also like to use the end of them, first if I need to kind of, like, scrape things off, but I don’t want to, like, ruin things.
And just a little plastic on that, you can scrape what’s pretty good. Just some various electrical tape if you want to label things. And that’s pretty much it.
All right, let’s do some stuff, though. Yeah, let’s do some stuff.
John Strand
Someone said your fly is open. It’s totally not, but,
Brian Fehrman
Bonus feature. So, jackasses, screen just went, oh.
John Strand
Screensavers are required at BHIS.
Brian Fehrman
There we go.
John Strand
There we are.
Brian Fehrman
All right, we’re back. Sweet. So, the first device we’re going to look at is this.
All right, cool. So this is just a little Linksys router that I’ve torn apart. And so we’ve just got the small board in here.
There we go. And that focus is terrible. Wonder if we should pull up the other camera. What should bring up Photo Booth again.
All right, bear with us. All right, let’s see if this is any better.
There we go. That is much better. Okay, cool. So we’ve got this, we have this, router that I’ve torn apart here. And so, when we’re looking at it, so we pull this open, and this is pretty much what you see.
And so you want to take a closer look. What you want to look for on the board, is you want to look for points like this. I don’t know if you guys can see that.
There we go right there. So down on the lower left there, you can see where I’ve actually already soldered on, but there were five unsoldered, holes right next to each other.
And, if you look really close at the board, which you’re probably not going to be able to see here, you’ll notice that out of those five, only three of them actually have traces connected to them.
So the other two, that I haven’t soldered to, those are probably either disconnected to ground or not connected at all. So we’re not really interested in those. But with this five pin interface, this is typically going to be a UART,
if it’s actually connected to anything. The JTAG ones are usually going to be like the one that’s next to it, right above it. And those will typically be either a ten pin or twelve pin, sometimes 14 pin, configuration.
But we’re going to be looking at the one on the bottom there, which is the potential UART interface. So we see those pins, and like I was mentioning earlier, we think those might be UART, but we’re not sure.
So let’s find out. Let’s solder up some stuff.
John Strand
You just do what you do, and I’ll move the camera around. Move the soldering line onto the other side.
Brian Fehrman
Yep.
John Strand
Okay, so go ahead and just keep going. I’ll take care of the camera.
Brian Fehrman
All right, I’m gonna grab my wires off of here. Oh.
John Strand
There we go.
Brian Fehrman
All right, cool. And so one thing that I like to do when I solder, I like to do what’s called pre-tinning. And so I’ll put, rather than try to simultaneously just solder the things together,
like take two things that haven’t been soldered before, slap solder on them together at the exact same time, I like to put solder on each piece. So I’ll put solder on each of the wires here, which I’ve already done.
And then I’ll put solder on what I’m, what I’m trying to solder them onto. And I found that that can make things a lot easier. If they haven’t had solder on them before and you try to put solder on both of them at the same time, it makes it a lot harder, in my opinion.
And so I’ve got, I’ve got these things pre-tinned. I’m going to make sure I solder to the right pieces.
John Strand
You’re soldering. I’m going to do something real quick.
Brian Fehrman
Okay. All right, cool.
John Strand
I’m going to go away for a couple seconds just to type. No, I just took a picture sweet. There we go. Got that done. Awesome.
Switching over to this camera. All right, now this should be a little bit better there.
So now we’re using the built in camera into GoToWebinar. So it’s not trying to refresh the entire screen all the time. So you don’t look like a robot. And it was really just a sleight of hand to let him do his camera work or his soldering work.
All right, so there we go.
Brian Fehrman
Yep. All right, so I’ve got those connected. Those are soldered up here, somewhere around there like that.
There you go. See? Soldered on. All right, so this next step is also really important. If you don’t do this, it’s likely not going to work. What you need, in addition to soldering these onto the potential interface points, is you need to have a common ground between the board, this board that we’re testing, and the Jtagulator, the board that’s going to be doing probing around and trying to find our interface.
So say it would make common ground very important. So where do we find this common ground? You could take your multimeter, you could probe around on the board, and you could try to find where there’s a ground pin, a ground interface.
What I like to do is, is on the side. So you’ve got the power piece right here on the side of it.
John Strand
Hold it still for a little bit so the camera crisps it up. And then when you move it. All right, so there’s the power.
Brian Fehrman
Yep. And then on the side, there’s that little metal valve. And that’s almost always connected to the ground. If you’re unsure, you want to look at your power cord.
There’s usually a little diagram on it. Look up the diagram and it’ll tell you, it should be able to tell you if that’s going to be on the, if that’s going to be your ground or not, or use your multimeter. So I’m going to go ahead, I’m going to solder onto that again.
I’ve already pre-tinned both of these. So I pre-tinned this and I pre-tinned the connection on the side of this, of the power connector. Let’s go ahead and solder that on.
All right, we got a connection.
John Strand
I got a question here. Emmanuel, asked and he said, how do which wire goes to which of the three solder points?
Brian Fehrman
So that’s the cool part. That’s the awesome part about the Jtagulator, is you don’t have to know. All I did was I just took these three wires. The color code, the color doesn’t really matter until we find out which pins are which.
And then we can trace them from the Jtagulator to this board. But when you solder them up, that’s the beauty of this device and of this process, is you don’t have to know which pins go where.
This device is going to tell us which pins are which. It’s freaking awesome. And they had a wire that’s missing.
All right, I’m going to pop that on and I’m going to hook these up to my board.
All right, so on this side of the Jtagulator, on both sides of it, actually, you’ve got these different channels. They’re labeled channel zero up through channel 23.
So you have 24 possible wires you can put on here all at once. And when you hook this up, you’ll want to start at channel zero and work your way up. And so I’m going to go wire disconnected channel zero, channel one, channel two.
Okay. And then don’t forget the common ground. Put that up to the ground here. There’s also on each of these three banks, you have these three banks here. Each of these have a ground pin and you can just pick any one that you want.
So let’s put it on there. Make sure my wire is hooked up here. There we go. All right, so the next thing I need to do is I’m going to go ahead and I’m going to plug in my Jtagulator.
Okay.
John Strand
There we go. So I just took away the camera.
Brian Fehrman
So cool.
John Strand
Back to seeing your screen.
Brian Fehrman
All right, so right now I am plugging in the Jtagulator, connect to my Mac.
It’s powering on. The other thing is you want to make sure to power on the device, too. The device needs to be powered on while you’re doing these tests. And so I’m going to plug in the router device.
John Strand
That could get embarrassing. So another great question. Alan asked, would having a schematic for the device help, and where would you find such a schematic?
Brian Fehrman
Good question. It depends on the device. If you can find a schematic for the device, that would be immensely helpful because then you really don’t even need to go through this process. If you have something that tells you where these pinouts are, then you’re good to go hook up to them and hack away.
But it all depends on the device, and whether or not you’re going to be able to find that schematic. But if you don’t have the schematic, that’s what the Jtagulator is for. Okay.
John Strand
And then Joel asked, does it matter which order you power things up? The device and the Jtagulator or the Jtagulator and then the device.
Brian Fehrman
Excellent question. I found in most cases it doesn’t really matter, you can, as long as they’re both powered on at the same time, you should be good to go, while you’re running this, but the order doesn’t really seem to matter.
There we go. All right, router’s powering on. So I’m going to use screen to connect to the Jtagulator. If I want to find out which device I need to connect to,
I’m just going to do an ls /dev/tty. If you’re doing this on a Linux-based system, on like Ubuntu, Kali, something like that, it’s probably going to show up as ttyUSB0 or ttyUSB1.
On Mac, it shows up as tty.usbserial and some extra junk. So I’m just going to copy that and I’m going to use screen, I’m going to paste in that device, space, and then I need to give it a baud rate.
The baud rate of the Jtagulator is 115,200. So you guys don’t miss out on the cool ASCII art, I’m going to go ahead, I’m going to reset the Jtagulator device.
There’s a little button on it. I’m going to hit it, give it a second. Bam. ASCII art, can’t miss out on that. So this is going to boot up. You got the console.
I’m going to go ahead and hit h for help. And here we can see the different things that are available to us. So we have two different JTAG commands we can, or a couple different JTAG commands we can use.
Two of those are to identify the pinout, the ID code. The first one there, that works pretty quickly. It gives you three of the four pins that you need, but it doesn’t give you the fourth one.
But that’s basically if you want to determine is this JTAG or not, and you want to do it quickly, the ID code is a good one to use. But once you’ve determined that, yes, this is an ID code or this is a JTAG interface, then you can go ahead and do the bypass scan.
That one takes quite a bit longer, but it will tell you all four pins that you need. The one that we’re going to be looking at now is the UART. We’re going to use the feature that will allow us to identify whether or not these are UART pinouts on this device.
Before we can do any of that, though, we need to set the voltage, in most cases. So I’m going to go ahead and do v. In most cases, the voltage is going to be 3.3.
On most devices I’ve tested, it’s almost always the case, but if you’re unsure, look at the board, see if you can see any markings. If not, break out your handy dandy multimeter, set it to voltage mode and see if you can determine if it’s a lower voltage than 3.3.
So here, I’m going to go ahead, I’m going to enter 3.3.
John Strand
So Nick just asked a question. He said if you connect the Jtagulator into another Jtagulator, will it create a black hole and destroy the universe?
Brian Fehrman
Quite possibly, yes. Let’s just go with yes, yes, we’ll stay away. All right, so I’ve got my voltage set. Next thing I’m going to do, I’m going to type u to identify the UART pinout.
And so what this is going to do is it’s going to try to use a standard part of the UART protocol in which it can pass a string into the TX and receive it back on the RX line.
And so this is asking us what string do we want to test? Well, I’m just going to put in. Oh, well, I mistyped it, but we’ll just go with it: twisting. So that’s going to be the string we’re going to look for, and it asks how many channels are we using?
This is the number of wires that you have hooked up. So in our case, we hooked up three. So I’m going to type three and it’s telling you. Okay, we’re going to look on channels zero through two, six possible permutations.
Just giving you one last chance to double check and go ahead and press spacebar to begin. Oh, all right.
John Strand
Oh, God, it’s on fire.
Brian Fehrman
Scan complete.
John Strand
It’s complete. I’m sorry, I thought it was on fire.
Brian Fehrman
All right, so we’ve got a bunch of results that popped up. Just the fact that we see these results coming up means that we have found a UART interface. Now we need to go through and we need to find out what is the correct baud rate on each of these outputs here.
It tells us which pins it used for TX and RX, as well as the baud rate and the data that it saw. So remember, our test string was twisting. So let’s go and let’s look for that.
Since I’m in screen, I’m going to hit Ctrl-A, Escape to go into copy mode. Let’s go up and. Oh, there it is. Baud rate, 115,200.
That’s our baud rate. We have a TX pin on number one and an RX pin on number two.
John Strand
So a couple of questions came in. What about 5 volts?
Brian Fehrman
This cannot handle five volt. So if you have a board that does 5 volts, ports protocol, it can’t handle that. But so, some of these boards, the actual input to the board might be different than what the voltage is here.
So the protocol that you’re looking for is likely going to use a voltage between 1.2 to 3.3. Communicating. For communicating. Yep, that’s communication logic level. Very cool.
John Strand
Another question was, is JTAG always four pin and UART always five pin, or can they?
Brian Fehrman
So, the protocol for JTAG, the number of pins that you use are typically going to be four, although there’s an extra one, there’s a fifth one,
TRST, which isn’t required, but could also be present. For UART, it’s typically going to actually be two pins that you use. But with that said, when you’re looking at these boards and you’re trying to determine it just based upon the number of pins that you see there, it could be different.
So, for instance, sometimes you will only have two interface points. Here we have five potential ones. I have seen it on, one of the other boards we’re going to look at actually has it on a ten pin interface.
JTAG, same thing. It could be a ten pin interface, it could be a twelve pin, it could be 14, it could be 16. So the number of pins, the number of pins in the grouping on the board can vary from board to board.
John Strand
Very cool.
Brian Fehrman
All right, so now we’ve identified this. Oh yeah. One other thing that I like to use is the, how do I do the camera? This one camera, is the handy dandy notebook.
I know it seems silly, but it can help a lot just to have one of these nearby so that you can write down these pins and you can write down the color of your wires. And so you can make sure that, if you go to remove these things, you have everything recorded down and you don’t have to go back and figure out which wires are which and which
were going where. So. Handy dandy. Nope. All right, so, our TX pin is one and our RX pin is two. So the next thing I’m going to do is I’m going to use the passthrough command, which is just p. It tells me enter my TX pin, which is one, enter my RX pin, which is two, and the baud rate, which was 115,200.
Local echo, sure, or no, we’ll save that on no. All right, so we get this, and we don’t actually have anything here. That’s, that’s strange.
But let’s try typing ls. Oh, check that out. File system access. So, so now, just to save time, I’m not going to do it.
But if we were to reboot the device, while we’re in this state, you could actually watch the entire boot up process, which we’re going to do with the next device that we look at right now. We have, I think you’re hard to skip the beat.
John Strand
Let’s type ls and see if something works.
Brian Fehrman
whoami? It’s not on here, but we are root. So we do have a full-on root shell. And so, what’s browser on?
John Strand
All right, take a look.
Brian Fehrman
Let’s hop into cd /etc, or hop into /etc. All right, so we’ve got a couple things. Let’s do an ls -lah. Okay, so we can see a couple of these things are linked to other files.
The first thing you’d probably want to do is like, can we cat out the /etc file or the /etc/shadow file? Not found. No, not on here.
See, we just have the root on here. All right, so let’s look at some of the other things in here, though. So we have two files here that look pretty interesting, right? So we have a cert.pem and we have a key.pem.
Let’s see what’s inside that key.pem. RSA private key.
Cool. I wonder if it’s legit. So let’s go ahead, let’s grab this, copy it to our local system, and I don’t know, let’s just try to use openssl to generate a public key based on the private key.
Cool. We have a public key, private key pair. Awesome. What else?
And a certificate that we could play around with if we want to. I’ve actually already got it copied over here. I’m going to be lazy and I’m just going to go up and so I just copied over that certificate information earlier.
And go ahead and print it out and you get some different information on the certificate itself so we can see it links. The certificate came with the device, RSA encryption. A couple things about the encryption, so.
John Strand
Not too crazy, but at least getting you in the right direction. Some of the things you would look for on a lot of these embedded devices is you would actually look for certificates for key based authentication, for SSH, you’d find SSH keys that call back home or maybe a certificate that’s being used all the time, and then they use the exact same certificate.
And then when you’re doing man in the middle attacks, now you have a certificate that you can use that almost every browser in the world would accept. So there’s a lot of things that you can do from this particular point on passwords. There’s nothing in this password, of course, but sometimes you find a password, it’s the same password for every single device.
So just a lot of. Just kind of plugging around. And this is awesome because it’s like hacking back in 1999. Again, it’s just a command prompt and a dream at that point.
Brian Fehrman
Yep, exactly. All right, so, that’s pretty much all I wanted to show you on this one. Like John said, lots of other things you want to look for, but this at least gives you an idea of how to get started, how to start browsing around and hopefully get you going on that.
So exit out there.
John Strand
Now, I do think we have to be careful about using the camera, the actual GoToWebinar camera, because I don’t think it records that camera whenever.
Brian Fehrman
We kick out the recording.
John Strand
So we’re probably going to use Photo Booth for small things and just kind of show them in stages while we talk it through. And I can, like, I guess I can MC it. So what’s the next device that you got here?
I know that you expensed in a whole bunch of crap from ebay.
Brian Fehrman
All right, so next device, pull up photo booth here.
John Strand
This guy right here.
Brian Fehrman
Cool. So, this one’s a Cisco access point. I ordered this on eBay. I’m going up slowly. If you look close, you can see it’s filthy. This is literally how it showed up.
I mean, didn’t even fire to clean it off. Nothing. They just threw this thing in a box and shipped it out. So he’s playing around with this. Here’s the board up here.
And, shoot a lot on time. I wonder if I’ll be able to sour this up. That’s okay.
John Strand
Just hold it for a couple seconds. All right.
Brian Fehrman
All right, so you’ve got the board. So normally there’d be little metal pieces that go over this, kind of like a Faraday cage, to reduce electrical interference. I went ahead and pried those off because I wanted to see what was going on underneath, which is what that toolkit I showed you earlier is pretty good for. Cisco access point that I wanted to play around with.
And so I got this thing. I remember this thing was used and so on here, you flip it over on the back.
That’s what you’ll find. Again, we have five pins, but they’re not actual holes this time. They’re just solder pads. And they’re hidden on the back of the board.
John Strand
Matt just pointed out, he goes, don’t ever look at that access point with a black light.
Brian Fehrman
Ew.
John Strand
All right, so let’s kill a photo booth. And then you’re going to do some soldering, right?
Brian Fehrman
Yep.
John Strand
Wire connections.
Brian Fehrman
Yep. We’ll do some quick soldering. So again, I’m going to solder on the common ground.
John Strand
Okay.
Brian Fehrman
Solder.
John Strand
And while you’re doing that, I’ll kill time by talking. All right, so the big point about all of this is we would like to see many, many, many more people get into trying to hack different devices that are around.
And as it goes into our webcast that we did a couple of weeks ago, this is about architecture. The more things you break, the more vulnerabilities we identify, the, better that we’ll be able to identify weaknesses in the structural components that we use every single day.
And that’s ultimately what we are after, trying to find more things that people can break into. Yeah, this kind of leads down stunt hacking. Somebody hacks into a coffee pot or whatever. A lot of times it’s done via the same types of techniques that we’re talking about here, but it’s just basically trying to break into stuff.
Also, let’s get into enterprise level things. A lot of the exact same techniques that we use for these little devices that you can buy. I don’t know. How much was that device?
Brian Fehrman
Like $30, something like that.
John Strand
Okay. Like $30 or so. Okay. So, like, dirt cheap to practice. So even if you do like burn something completely out, you don’t necessarily have to worry about being out a tremendous amount of money.
Now the point of all of this also is for enterprises, a lot of the exact same types of techniques that we’re talking about here, the little tiny routers that were, that are being identified, hooking up JTAGs and playing around with things.
The exact same techniques that you would use in that type of embedded device assessment, for like SCADA devices or power grid devices, things of that nature. Somebody wants to show the soldering.
It’s like with the camera stuff that it’s been going. No, it just hasn’t been working that well. And then Mather asked, can you dump the firmware and run strings against it?
It depends on the firmware, but generally, yeah, you can run strings against it. Sometimes you can mount it with Linux. So it’s just very cool. Are you about ready?
Brian Fehrman
Yep, I’m ready.
John Strand
All right. So cool. I’ve killed enough time. I’m now going to hand it back over to Brian and he can show you a picture of, the soldering that was done since actually doing the live soldering.
I really do think Periscope would actually work fantastic for this because explain to me why it is Periscope, an app that our kids use, is so good at showing video and GoToWebinar
looks like it’s something straight out of 1999. All right, so here’s the soldering.
Brian Fehrman
If I can get my directions right here. Where is it? There we go. On the lower left there. Oops, I just broke the common ground off.
John Strand
So that’ll take a second to put back on.
Brian Fehrman
But there again, I’ve only soldered up three pins. Because looking close at these, you can see that only three of the five pins, three of the five solder points actually have connections on them.
John Strand
And those leads, if you look on the board itself, it’s kind of a discoloration. It looks like a wire inside the board that’s going away. So we’re only hooking up the ones that have that type of discoloration. And once again, to reiterate, you don’t have to actually know specifically which pins you’re plugging into.
And that’s one of the cool things. And I’m just going to leave the video up because it’s fun to see things fly around. I’m going to move this out of your way.
Brian Fehrman
That sounds good.
John Strand
You don’t need that one.
Brian Fehrman
Again, I accidentally snapped off the ground there while I was trying to show you guys something.
John Strand
Sorry. Now they’re getting a nice picture of your elbow. Cool. This is so much easier than it was in 1992.
I’m a good gaffer.
Brian Fehrman
It’s nice to know.
John Strand
Thank you.
Brian Fehrman
There we go.
John Strand
All right, let’s kill photobooth. Once again, photobooth to kill. It is not the big red button in the bottom, as we learned.
All right, there we go.
Brian Fehrman
So, power on.
John Strand
Lights blinking. That’s good.
Brian Fehrman
Blinky lights.
John Strand
It dropped.
Brian Fehrman
Dropped it. So let’s bring up another one. Window. It’s heading basic.
John Strand
No magic smoke.
So Sean has asked, why would you solder directly instead of using header pins? You don’t always have header pins.
Brian Fehrman
Yeah, exactly. Trust me.
John Strand
Header pins are awesome.
Brian Fehrman
Yep.
John Strand
But they’re not always there.
Brian Fehrman
Yep, you’re right. You’re right, Sean. And also, if I had my own header pins, that is definitely what I would be using rather than soldering directly. So you can go on, like, Digi-Key, Mouser, down to your local electronics store,
pick up some header pins and solder those on. If I had some, I would definitely be doing it because that is much, much cleaner and nicer than having to solder, desolder, solder, desolder. And you’re going to run into a lot less issues.
John Strand
But we wanted to show the soldering live.
Brian Fehrman
Yes, that too, because, soldering. So, so I’ve got the console here. Again, I’m going to set the voltage 3.3.
Going to do UART. I’m going to do testing and three channels.
John Strand
While that’s loading. Justin asked a soldering question. What is the composition of solder you are using? Silver bearing.
Brian Fehrman
So this is 60/40 rosin. And I think this is. I think it’s a silver based. I’m not sure.
Here, I’ll show you the, There we go.
John Strand
David said, is this similar to plugging into a console port? Yes, but different. If you have a console port, that’s awesome. So please don’t think that we’re doing all of this just from the perspective of, oh, my God.
There was a console port which could have plugged into. This means there isn’t one. So you’re going directly into the board. Yep.
Brian Fehrman
All right. So I run it again here. Again, it’s 115,200 baud rate. This time we have a TX pin of one, RX pin of zero. Probably just with the order I soldered them on again.
I don’t worry about the order when I’m soldering them. I just solder them and I let it figure out the pins for me. So let’s go ahead and let’s do the pass through again.
John Strand
Jason asked, what are some device types that you tried to hack but couldn’t because there wasn’t a JTAG or UART? Wow. Came across.
Brian Fehrman
Yep. So most of them, the problem I ran into, was not so much that they didn’t have the inner, was not so much that they didn’t have the interface was that they have it disabled.
And we’re actually going to see that, on this device here. I’m going to do this and I’m going to show you guys a couple screenshots. So what a lot of vendors will do is they’ll leave the header pins there or like the interfaces there that we’ve been talking about playing around with.
But they’ll break the leads on the board or they’ll remove resistors that you need in order for it to work.
John Strand
That means there’s something good.
Brian Fehrman
Yep.
John Strand
And you can see device manufacturers, if there’s a vulnerability, they’re like, well, why don’t we just break the leads before we ship it? Problem solved. Then people can’t hack our stuff anymore.
Brian Fehrman
Yeah. All right, so here we’re actually connected to the router right now and we can see it’s waiting for WAN IP address. And so I ran into this when I was playing around with it the other day, and so I was like, well, what happens if I go ahead and I just plug this router into the public facing Internet?
And so let’s go ahead and let’s reboot the router and still attach to it. I’m just powering it off, power it back on and you can actually watch the whole boot process.
And so I’m going to go ahead and I’m going to kill this for one specific reason. I’m going to pull this up now. So let’s do full screen view again.
If I can figure out PowerPoint play from current.
John Strand
No, not play from start, I can help.
Brian Fehrman
Yes.
John Strand
There’s one thing I’m good at, it’s PowerPoint.
Brian Fehrman
All right, so in playing with this, one thing I noticed is it was reaching out to an IP address. Remember I bought this thing used, I got this on eBay. And so I noticed this while I was watching it boot.
And after I plugged it into public facing Internet and I took this IP address. I was like, hey, I wonder who this belongs to. I enter it in, just do like a whois on it.
Turns out it actually belonged to a hospital. This was a router, or an access point, I’m sorry, that a hospital had owned at one point and sold it off after they didn’t need anymore, but they did not do a factory reset on it.
And so it still likely has some of their information on it that might be sensitive and might be of interest to some people. And so I decided to dig a little bit further. I was like, well, let’s go ahead and let’s hook up the JTAG and let’s see what we can do.
Unfortunately, this is what I found. If you look closely on that slide there, this is what I was just talking about. So on the left, that JB three, that is the JTAG interface.
However, if you look really close, and that’s from me trying to solder around, they have, all of the leads are broken. So the top three, those are no problem. Those you can just solder blob together, you’re ready to go.
The problem one is the lower left, that one, you actually need a specific resistor to put there, and it will not work without that resistor. However, if you were able to solder those connections on and you were able to hook up the JTAG, you could likely dump the firmware off this device.
You could go through and you could probably pull off some sensitive information from this company for their router configuration that they probably do not want out in the public forum.
Okay, so, what are we doing on time here?
John Strand
We’ve, go back to this, ten minutes. Less than ten minutes.
Brian Fehrman
Okay, cool. All right. Dang it. All right. All right, so we’re going to move on. Yeah, the cat. So we’re going to move on to the, next thing I want to talk about.
So, moving on from the UART. Okay, awesome. So moving on from the, and I guess just mention a little bit more about that device.
If I had more time, I probably would have gone through the process of trying to pull the stuff off of there, but I didn’t have enough time to get that all together, but at least wanted to show that guys, or show that to you guys. So if you go online, you buy some used hardware, you never know what you’re going to find. Fun to play around with, though.
And I bet a lot of you are probably even more excited to go out and buy some used hardware.
John Strand
Now.
Brian Fehrman
So the next thing, I just wanted to show you guys the screenshots of the process of actually using the JTAG portion of this. So I’m not going to do a live demo of that, but I’ll just show you some screenshots of the process.
So here, it’s the same thing inside the Jtagulator. At first I run that ID code scan, which is the top one. And so you can see it found TDO, TCK, TMS and TRST.
It found all the pins except for one. We do need that TDI pin in order to do anything, but this runs really, really fast and it tells us that, yes, this is likely a JTAG interface.
Go ahead and proceed. The next one is the bypass scan. Basically what this scan does is it sends information in on what it thinks is TDI and it looks for that information to come out on TDO.
Here it’s determined that we do have full TDI, TDO, TCK, TMS and TRST access. Again, the only ones you actually need to interface with the JTAG are the top four there.
The TRST is an optional pin. So I found the JTAG interface. I hook up with the Bus Pirate. So now I’m using those four pins down on the bottom which you use for interfacing the JTAG.
I’ve got the common ground hooked up on the top. And so I hook this up via USB and then I use OpenOCD, is the program that I use to deal with this.
And from looking at the board when I was doing this, playing around with this, I could see that it was some kind of an STM32 chip. And so I told OpenOCD that that was the chip that I was trying to target.
And sure enough, it found it, recognized it, said, yeah, yeah, definitely, this is an STM32 chip. So again, I’m using OpenOCD code to run through the Bus Pirate that’s hooked up to a device on the JTAG interface of this device.
And so next, the next thing you can do is you can dump the firmware. And so, here, there’s a question.
John Strand
Yep, somebody said, but I thought it was broken. JTAG wasn’t working.
Brian Fehrman
Oh, no, no, we’re talking about another device here. I’m sorry, this is a different device. This is a different device. Yep, yep, sorry, this is moving on to a different device. You’re correct. The one, that access point that I got used, JTAG broken. I did not fix it.
It could be fixed.
John Strand
This is generally what happens when your boss says, hey, let’s do a webcast in three days.
Brian Fehrman
Yes. Okay, so here we’re talking about another device. This device, I won’t mention too much about this device other than I was able to find the JTAG interface and dump the firmware off of it.
And so here, that’s the process. I run this flash banks command against the device. It tells me where the firmware starts, the memory address, and it tells me how large the firmware is.
And then you can go ahead and you can dump it off by running this dump_image command, giving it a file name, and then telling it where to start and effectively how far to go. So then after you have that, you can run strings against it and, among other things you can do.
And one of the interesting things I found was, on this portion here, the big green blob was a communication endpoint. And that actually called back to the company who had owned and configured this device.
And so that was pretty interesting. And here you have some other various commands. AT commands is what they’re called, for CDMA chips. Saying, don’t redact the info.
Yeah, no. And a couple other values here, too, that you can go and you can look at. The other tool that you can run once you have the firmware is Binwalk.
Unfortunately for this firmware, Binwalk was not able to determine the file, like the file system type. And it wasn’t really able to find too much other information. So the most information I really got out of it was the strings here.
And the time that I have. All right. So we’re going to move on from the JTAG and UART stuff with a little bit of time we have left.
John Strand
Why don’t we push the SDR stuff to another webcast since we’re at the top of the hour?
Brian Fehrman
Okay, cool.
John Strand
We have some more stuff coming up with the SDR, and I hate to rush through it because it’s basically a key fob at that point that we’re trying to capture. Yeah, but, no, just kind of wrap things up.
You want to go to your conclusion slide if you have it. Oh, okay. We don’t have one good enough. Just kind of wrap things up. Once again, the main goal of this is to try to get people excited and going out and buying Jtagulator.
And what we’re really looking for is the guy that makes the Jtagulators to shoot us an email, basically say, oh my God, sales jumped like 2000% last week. But get out there, start finding things that you can break into and start breaking them apart because finding things in the firmware like user IDs, passwords, certificates, keys for authentication, finding not necessarily access points but endpoints that it communicates back to outside of your network.
I mean, if you’re going to put a device on the inside of your network, you want to make pretty sure that it’s not going to phone home and have a VPN back to the manufacturer that gives them direct access into your network. And this will allow you to actually start looking at those types of things.
So like I said, we went a little bit long. We’ve got a couple of questions here. Let’s go through some of them. That’s cool. I used to have an Acura. That’s good.
All right, thanks guys, appreciate it. Have you done anything with Amazon Echo? Find anything cool with those? I don’t think we bought an Amazon Echo and masterpiece as well. Can you reverse engineer purchased vendor products without violating the DMCA?
Once again, be very careful in relation to the Digital Millennium Copyright Act. I think whenever you’re just interfacing with it, given the means that they have provided to you, I don’t necessarily believe that you’d be in violation of the DMCA.
But if you start going public and you’re like, well, here’s a vulnerability and here’s a device that we found, then you might actually get some attorneys very, very, very excited. So what’s next after discovering the callback?
Usually what you do after you discover the callback is actually talk to the callback server. Does it have ssh? Does it have telnet? What does that callback server have that you can talk to?
Brian Fehrman
Yep.
John Strand
Exactly what color is your underwear today? My underwear is great. I don’t know if you’re expecting anything more than that. You.
Brian Fehrman
Mine are blue.
John Strand
Blue? Same.
Brian Fehrman
Actually, I think I have my punisher ones on. My wife has been trying to get rid of those for years.
John Strand
How hairy this is just going downhill. How airy is the line between vulnerability scanning stuff you put out on the network and reverse engineering forbidden by some license agreements? Usually whenever we’re doing assessments for our customers, the vendor is the one that sends us the crap.
Brian Fehrman
Mhm.
John Strand
It used to be vendors were very, very angry about their customers buying this, but now the vendors are like, hey, free pen test. So last time I think the vendors shipped us the crap directly, and we tore it apart.
And so they were right into it, as well. So thank you so much, everybody, and get out of here. And we’ll see you at the next webcast. We’ll start on some SDR stuff. We might have a Bro webcast before then.
We’re probably going to start stacking these things up pretty fast and furious. These slides will be posted. This video will be posted here in just a little bit. And they’re gone. All right, take care, everyone.
Brian Fehrman
Bye, everyone.