
BSides Rochester 2019 - Pwning a cheap IP camera for fun, but not profit

BSidesROC · 2019 · 1:00:37 · 184 views · Published 2019-03
Category: Technical
Style: Talk
About this talk
Talk Description: This talk will detail how Francis dove into the hardware of an inexpensive IP camera and explored its inner workings in search of an external exploit. This talk is meant to help inspire inexperienced pen-testers to dig into embedded/hardware pwning and to be more familiar with embedded Linux.

Bio: Francis Lee is a software engineer in Central New York that is also a hobbyist that likes to tinker with Linux, explore IoT, participate in the “maker movement,” play with electronics, pick locks, etc.

oh all right uh hello everybody welcome to this talk as you can see on this slide Hardware actually that didn't match the description that's on I'm sorry it's I don't even remember the name that I gave them about it something about pwning IP cameras for fun and not profit I said not profit because I'm not going to report it I don't know how to report it it's another country kind of don't care about earning money from this I'm not going to hack cameras in order to blackmail people you know so so it's not for profit for me it's for fun and I think you all should try to attempt to do this for fun also it's a great way to learn about

electronics it's a great way to learn about Linux so this is kind of a 101 level course so Who am I well I'm not a dog that's a light switch but he's saying hello so hello everybody woof woof I am Francis okay I worked for a company in Rome New York in central New York I'm a software engineer and if you if you look around Rome New York you there's a lot of interesting companies around there I have a passing interest in IOT it's very interesting because you know you you look at it it's like the buzzword nowadays IOT and store your data in the cloud and control your light bulbs and control your light bulbs and

their thirst at make sure you control your damn thermostats because they might be too cold in New Yorkers ah you know ok so yeah I have an interest in IOT so IOT stands for invading and owning technology if you couldn't you know if you didn't know that before that's the official definition at least for these slides and also I've given a few other talks about physical security so I talked about lock-picking at ISC 2 in central New York I talked about 3d printing to a bunch of kids and makerfaire Mohawk Valley Mini Maker Faire and also I talked I taught a bunch of teenagers lock-picking at cyber post 500 in central New York which is really

funny because you see a bunch of kids with lock picks and they see these padlocks popping their hands and they're like are we allowed to do this sir and I'm like yes yes you must learn how to freakin do this and it's just like two pieces of metal that you're popping locks so you know it's not a dance move it's popping locks as a security move so finally my thank-yous and a demo so first some props I wanted to talk to I want to I want to give props to Senrio and Xipiter they either training with them and they helped me put a lot of things together in terms of my because I was interested in electronics when I was

a kid I was interested in coding later on in college and they helped me put those things together and I was interested in security I was red boxing as a kid I was doing some things as a kid that that may not be normal for most people and it was a lot of fun but now they took me into a way to think about things in terms of embedded electronics also exploitee.rs has a great wiki they're pretty entertaining and also Cenac they have they have some great presentations and also who inspired me as a kid was Gordon McComb he had the Gadgeteer's Goldmine book that's back in the 90s and the 80s

also Gordon McComb he is a prolific author of instructional books from a defunct store called Radio Shack so if you wanted to learn about how transistors worked at a molecular level he had little smiley faces on electrons and holes and it's a great set of books to learn about basic analog electronics and he also gets into digital electronics slightly hmm and that last but not least kind of a demo now what the hell this is like the beginning of the talk why is there a demo if you don't already I mean what's wrong with this sitar okay well demo gods please have mercy on this on this and and I hope you guys don't get bored

so here I have as you can see this is the redacted I don't want to reveal the company name of this there's a logo here I don't want to reveal the company name of this particular IP camera I think they stopped selling it at the discount store that I purchased this from it's a nice cheap target to attack I was hoping to have a version package but unfortunately somebody already cut the tape I don't know if they've already hacked it before I did so we'll see how this works because I haven't I haven't really tested it out with this or this one yet you know I'll get into why I say this one so this is a regular IP camera

there's a oddly enough there's a speaker on the back of it so if you plug it in I'm a little nervous I'm between like crashing for my caffeine kick and getting really nervous so I'm really shaky for some reason but so powering it with the USB and just wait a little bit there's a click I only have 50 minutes come on okay so it tells you that that's that's kind of interesting so what you see here is there's also well there's a camera there's a red blinking light there's for some reason of micro SD card slot here so I decided to you know I'll just throw in a random SD card here so I'll unplug

this I'll throw this in I'm shaking I hope this doesn't fall off somewhere because I don't have another SD card to demo this with okay so this is gonna take a little bit of time but red light it's um it's not connected anything at least as far as I know oh yeah so I put a micro SD card and you know it's supposed to do something after a quick

all right right enough of that so what happened it was just an SD card I just unplugged the power put an SD card you know this could have been on the wall maybe like yeah hey I'll plug in an SD card and then I'll unplug it and replug it or there's like a pin hole in the back reset it so what happened and aside from wanting to inspire you guys if who here works with Linux like exclusively or it works with a lot of like great this is good for those of you who aren't now is a time to learn it because it's not for you know using it on your desktop although that's really cool but

it's also to learn how it's working in all of these little tiny devices um so the thing is let's say you're in a corporation and you're the IT guy and they say this this this camera is not working what's happening well you might have to do forensics and you'll see there's a micro SD card what the hell happened so you get to like take a look at it and see what was the flow of how they how they did that so you saw a normal behavior we just said please connect this to telephone Wi-Fi service or something and then you saw me rickroll all of you guys so what was in that SD card well I'll reveal that later

but I want to get you to the process of how I formulated whatever was in that SD card from beginning so but let's start from the beginning what is hardware hacking well there's a lot of definitions of hardware hacking is it embedded embedded hardware so is it like the microcontroller who here works with Arduinos all right all right good good good ok so you'll you'll know things like I2C SPI UART that kind of stuff debugging and just firmware and learning all that stuff is embedded Linux that's what this is the reason why it's kind of important to learn Linux is a hobbyist alterations well I just put a bigger battery in this device and I

hacked it well there's that too but however no matter what you're doing it's having fun with your hardware and making it do something else so it's a gosh-dang fun time but today I'm going to talk about intruding into embedded Linux and also I have a few points where maybe I'll ask a question or have something where like for example mmm here's a question for all of you who watch YouTube channels so who is the youtuber who created a teflon knife in order to remove intrusion stickers yes now I don't have Teflon a Teflon knives but I do have plastic razors that are used in order to cheat on Rubik's cubes

so I'm gonna be asking questions so why am i presenting this because it's fun because you own it you bought the hardware so you should pwn it okay so when I say because you own it I want to hear you all say so I should pwn it okay because you own it because you own it okay that's pretty good also personal security and an evaluation in consideration so before Jeff was talking about governments and systems and there's there's kind of some some standards and some rules that governments systems require and maybe you might have to evaluate whether or not your facility wants to have something like this on it and I'll get to that later patching so

like if you if you get into something then hey you know maybe there's like bad binary or a bad script or even just a default password so why not change it see if there's a default password on there change it maybe there's a service running on it that you shouldn't have on a freaking IP camera so why not get in there and configure it to not run that service and we'll get into that later humor so maybe you just want to have a prank you know maybe there's a way you can do this and reverse it maybe you can have it so that the video stream is like Barney or something I don't know whatever tickles your funny bone feel

better about myself the fact that this is being sold in hundreds or thousands of stores and the fact that you're better than them it makes you feel a little better about yourself especially if you're not employed yet you'll be like I EFT with this thing alright so so that's that's really fun too and also I just want to emphasize physical security because the thing is you bought this thing and it's in your hands anybody who's done Linux and you forgotten your password what do you do single user mode right so once you have physical access its that's right it's getting old all right so so listen yeah it's just like going back to going to a desktop

you because you you have it right in front of you and you can control it you can see it you can observe it and you can do whatever you want you can break it apart you can you know there's there's a guy here that did decapping talking b-sides and you know and he showed how you can look at the the silicon you know it's just you you have ownership over it and you have to know that you're going to own it so here's a process that you know basically you should go through first of all get physical with it so take it apart desolder of things or take it apart take a look at it do some background research

on it see what the numbers mean see if what the silk screens might mean hmm see why there's a certain number of pins there at the headers part to get inside it so get the foot in the door so this is you know generally what's usually the the fun part so this is where you say basically get root in this embedded device but that's not the main thing that you want to do what you also want to do is part three look at it analyze it have fun with it and exploit it so you get in you get root you find out the weaknesses and then that fit you develop an exploit for it and then part four

freaking do it right the ex is just somebody like okay that's cool you know this is a stupid script okay well whatever just do it you know freaking rickroll somebody or whatever so observation research hmm tools you need I some screwdrivers magnifying glass spread sure I mean this if this isn't like you know this is an obvious or I should just speed right through it curiosity in Google or DuckDuckGo just like what Jeff said before we have Google now use it and when you Google thinks it's quite amazing how much can be revealed because of documentation and government standards on my unwitting target so look for cheap IOT devices Big Lots or Walmart and then you know there's

there's a lot of things to just basically exercise and get into the shallow end of things and the real and also another reason I'm talk I want to give this talk is because we're getting into the early stages of IOT as much as people want to think that this is in the mid stages we're in the early stages security is very poor I want you guys to have fun right now okay because back then it's like you know there were some other things that were really easy to hack and now there's all the security around it's like I don't want to deal with the research or they're worse at engineering at that level so start with

this 30 bucks 40 bucks okay and and also get a sacrificial lamb so this was not my sum that's my term sacrificial lamb is just buy something that you're gonna work on you're gonna tear apart and then when you have a target you you test it on a on a complete target that you don't you know you're trying to not break into you're trying not to unscrew stuff just make it an external attack but figure it out internally with a your sacrificial lamb yeah okay what to start off with well you have a lot of a lot of IOT devices a lot of choices for example why is Big Lots selling a $30 Wi-Fi outlet

that's not running Linux I looked it up but it is running a micro control that's very popular in the hobbyist circles so if you're working with that kind of microcontroller you probably know how to hack it same thing they have a $40.00 Wireless you know outlet strip now Wi-Fi range it's extenders those are a lot of fun too because they're incredibly cheap at 20 bucks and they're most likely running Linux on some MIPS or an ARM processor so take a shot at it it's only here only out 20 bucks seriously this one's pretty cool Skylink wait there's a lot of security devices like say if you go to Harbor Freight or hazard front that some people would call

it they have four camera four channel DVRs they're probably running Linux they have a hard drive in them just take a look actually there's probably I think there was a there's a Russian web like forum where all they do is intrude on DVRs for security they will reveal all the default passwords they will they'll just run John the Ripper and just decrypt the hashes security that's that's IOT or connected or really complex just dive into it okay and also um oh this was in a drugstore there's also Wi-Fi outlets at a drugstore that you know so if you don't have a Walmart you're within walking distance go to your local drugstore see what electronics they have in the

electronics section it might be on clearance for half off who knows whatever also there's there's some other things like streaming boxes Roku boxes chromecast there's a ton of chromecast clones out there they can get on eBay televisions so you know go onto facebook marketplace and buy a broken television if it's HDMI and high def it's probably running even maybe the same processors puts on this camera and and it's running Linux also there's an interesting github wiki for a Subaru stereo system which I actually have in my car and I'm kind of afraid look for the article jailbreaking Subaru StarLink and he goes step by Store she I don't know he or she goes step by step into how they got into the

QNX operating system for that radio it's pretty cool so what's the sacrificial lamb like I said anybody recognize what movie this is from sneakers alright so they had to break into an office and they're like what kind of security system did they have well one of the one things was they had a thermal body motion detector and they had to find the weaknesses in it so they bought the the motion detection system and they said oh well you know you can wear this this suit which hides your body heat and you you you'll suffocate but at least you'll you won't be detected or what you can do is you know increase the temperature of the

room on the thermostat to body temperature and then afterwards you walk like I don't know one inch a second or something like that so you have to walk really slow in order to not trip the motion detection and it won't detect your body heat because the gradients not extreme enough for it to trigger another part was that there was a door I had an air lock on it you swipe the card and you say a particular phrase and they would try to match your voice to the original person who who was recorded for that card does anybody know what that phrase was

I think you're missing something in the beginning

oh man III had like these handouts you know these power bracelets if you could just all right I'm sorry no power bracelet for you but maybe I'll get you a plastic razor later so take it apart learn from all the physical aspects of the device take it apart look at the chips write their numbers down so you know what the model chips they are and you can try to look them up read the silk screens so so sometimes it's just really simple it'll it'll just say on this little team JTAG you know data out data in clock or ms or it'll say something like you know UART TXD or RXD he'll be like ah well you know maybe

that's a serial terminal it probably is a serif someone photograph them sometimes you can't see the thing so you'll have to you know you'll try the microscope and you're trying to magnifying glass it also it's kind of weird because different angles depending on if it's like silk screened or laser etched on the on the enclosure it'll mess with how the lights reflecting off the chip so you have to go into weird angles and have a lamp that's like in weird angles and eventually it'll it'll clear up and you can see the numbers but use your phone camera use a regular camera with macro lens and also search fccid.io or you can look at iFixit so

you can get some idea of what's inside there also Oh before that before stalking them on Facebook you can also depending on what's being sold or what you get you can even find papers or pin outs on eBay DHgate Alibaba because they don't want to send you documentation with this so it's like okay you bought this thing here's the documentation on our advertising if you don't download it right now well you're you're up the creek so that's that's a very interesting thing which is finding pin outs on the sales but you can't find the pin outs at the company yeah and don't don't don't stalk them on Facebook that's another presentation mmm so a really fast FCC example there's

something called the Eufy Genie smart speaker so you can get that on Amazon it's Alexa compatible it's very cheap thirty dollars actually they sold out so now you can only buy it from secondary sellers for $30 as well I don't know how they're making money off that but hmm so here it is there's the there's the Eufy Genie smart speaker all right so what you do is you go site:fccid.io that's if you know google google hacking and you put the name there sometimes they have a secret code name for the product and you have to look it up somewhere else so you have to just keep digging keep digging and

figure it out and eventually you might find it but here you can see on the links the first one first hit internal photographs so FCC well in order to adduce in order to pass FCC they have to order a company the the company has to order another company to evaluate their devices for interference and things like that so they'll have to submit a manual they have to submit submit internal photographs so sometimes that's pretty useful so here's the internal photographs of that Eufy Genie speaker speaker you know antenna whatever so scroll down you find this so that's pretty interesting there's a Winbond RAM chip on the left

probably flash nor lordship speaking SPI maybe quad SPI and because usually if it's a power or a level converter it's a little bit thinner so after that well also also remember the silkscreen that's pretty interesting so let's look that up I didn't even put fccid.io and that pops up as a first search result to get the the manual for the Linkplay the second one is the company link and then the third one is where you can get an evaluation board so remember what I said about sacrificial lambs getting an evaluation board is pretty handy without having to purchase the Eufy Genie speak speaker although I apparently the evaluation boards 25 bucks so you'll

only be saving five bucks whatever okay so what you want is pinouts you want your surface attack

[Music] young power I - I said you know anything with Raspberry Pis and working with retro any leaders that's the output for every kind zero usually there's a net business that's pretty useful you know USB data minus theta plus that's pretty useful because if you get in then you can you can dd the image of the flash and then put it into the USB Drive UART TXD1 UART RXD1 that's a transmit receive for the UARTs you are - what most probably in the next terminal session okay that's pretty interesting - this is something I learned from Xipiter which is you can use CPU reset in order to hold your CPU in like mode because if

you want to use flashrom in order to snarf up the NOR flash you can't have you interfering with it as you're trying to talk to it so what you do is you hold the CPU and reset so it's not doing anything and then after that you use your your Shikra or whatever it is to talk to that NOR flash and then you snarf it up and also in this document it tells you how to debug it

very simple so uh okay uh for those of you know how to calculate it approximately how many microseconds is the pulse for one bit at 57600 baud this is a power bracelet and some plastic razors that way you can use a power bracelet to protect your wrist from not slitting yourself okay whoever whoever tells me I'll leave this up here and I'll let you guys compute that I know somebody who can do it because he memorizes the the the microsecond pulses for four particular baud rates so that's not cheating but uh I want to give somebody else a chance I'm sorry so okay so let's go into what I purchased so here is my rejected

packaging for whatever it is that I purchased you saw what I pulled out and here's what I initially saw when I first took it apart so I'm sorry for the blurriness but yeah this is the that's the front that's the back actually that's the front nested bag it depends on how you see opening it up okay so what is on that thing so ask yourself what's what's the is it a processor or microcontroller and what processor is it followers what microcontrollers I find the data sheets are there any peripheral thing it's like you know is there what's you know leave saw there's flash and there's there's Ram but what else is there is there like a radio

that's talking outside also look for a UART chip because maybe there's a there's a USB interface on the casing where you just plug a USB cable right into that thing and then that UART chip will immediately speak UART to the processor and that that takes a lot of weight off of your soldering and everything like that mmm and SPI all the flash stuff non-volatile storage USB contacts sometimes you see four pins ones 5 volt ones ground what are the other two I heard some mumblings all right any strange contacts so JTAG pin headers I don't I'm not gonna go into JTAG that's a whole nother talk but if you see like 2 by 7 2 by 10 2 by 5 2 by

4 sometimes and they look like surface mount headers that that they haven't populated yet also sometimes they they might even say what JTAG pins they are or you can also trace it out from the CPU or whatever JTAG target you're looking for and trace it out to those those contacts but look for like look for possible JTAG headers and that's where you can use JTAGulator to probe them buses SPI I2C so see awkward copper pads and test points so there's something called flying probes copper pads are used for testing after the manufacturing of the PCB so that you can see continuity good to see whether or not it has good soldering and everything

like that see if the processors are working correctly and the thing is that's used for testing after development so that's pretty interesting to tinned pads so that goes into tin pads sometimes the development board will become a production board what they do is take out some of the things that will bridge the the interface for testing or debugging but it leaves some other things like that require testing with the flying probes so they need a way to test things without those debugging chips or why basically like level shifters or something like that silk-screening so yeah I just read the silkscreening and you might be able to figure out it sometimes it's really easy and here's a here's a picture of a

flying probe tester and basically it's just needles poking at copper pads and the accuracy is amazing and that's how they test things in the non developer mode but in the production mode so googling Jerry DuckDuckGo if you're interested in privacy use DuckDuckGo so that nobody knows you're trying to develop a Linkplay speaker so what are you waiting for just freaking google it alright so let's look it up read the numbers google it on your phone tell us what it is I don't know if we have enough time for that but and then look out for pin outs so the processor this is an example of a bad angle for cameras and light so when you twist it it pops

out a lot more so over here

yep so what can you tell me about

okay so remember what I said before about sometimes a particular organization will have rules about particular manufacturers and you say hey this is this comes from an American company but the internals not so much okay over here

okay this is a big competitor to Winbond it's called GigaDevice they make a lot of they did they have a lot of NOR flash for BIOS and for basically cheap electronics so that's that's where the file system is going to be sitting on top of that you can see the the Wi-Fi chip so

okay so it might be USB so if you need like a storage thing and you don't have that microSD card maybe you just desolder that thumb drive on to it you know it's pretty interesting okay so if you look up for if you look for the the spec sheets this is not the correct one the the 35 180 V 200 is still not released to the public but this is one for V 100 you can see

this is a ball grid array so it's really tough to get but sometimes on some embedded devices on the back they have through-hole vias for the ball grid array so what you do is you get pogo pins and you start poking at them sometimes they put solder mask on them just sand off the solder mask and start poking at them guessing out where the pins are for according to that the pin grid mapping sometimes sometimes that happens sometimes so silk-screening copper pads

ground over here if you tilt your head 90 degrees counterclockwise and over here all right what do you think that refers to serial interface all right [Music] however like I said there was flying probes these are not soldered over here and there's these three so it's a sacrificial lamb so I might as well just try soldering it so anyway you have enough information you know the processor you know the peripheral chips you know what the pin outs are the possible attack surface okay foot in the door this is where you want to get into the Linux session for 10 about 10 bucks you can get a channel analyzer it pretends to be a Saleae a

channel analyzer I recommend if you're going to buy this because you're not supporting Saleae that you use sigrok so underneath there there's a there's a software package called sigrok and PulseView instead of using Saleae Logic which is a very nice well polished logic analyzer but sigrok is pretty good too the JTAGulator so if you see JTAG and copper pads just start probing them there are possible JTAG so also probe so you'll start soldering things just starts crimping headers and stuff like that multimeter for continuity testing so if you have a pin on the chip but you want to see if it breaks out to something else like JTAG optional soldering iron

third ends in line power switch so that's what these are so these these power what I call power bracelets these are inline power switches because when you have an IOT device or any other embedded device and you're plugging into it and then you're holding these probes and you have to you know tap your keyboard with the mouse and you're trying to oh I screwed it up okay well I'll have to unplug it oh it moved your device your probe is skipping and it's shorting something out in you after all so what you have is you have this thing that's low friction you know you just hit a button and it turns it off hit it

again you turn it back on this is a barrel jack so well have it's it's pretty handy hey I really love these what else yeah that's cool all right yeah oh okay those are pictures of things that I was talking about that's sigrok right there yeah I showed you all that stuff let's keep going JTAGulator pretty awesome recon alright figure the function of the hardware so look at the processor or either pinouts maybe there's transmit/receive find the debugging hardware find out if there are other interfaces to exploit maybe UART it's maybe USB maybe JTAG probe it out you know use your your logic analyzer you see JTAG JTAGulator and exploit your way in to grab at the

internals so

let's see huh usually there's a video here but let me

see if there's a oops

okay I have it on here excuse me just

okay so here I'm connecting to the UART

okay so you have playing the time difference

so there's there's some very common baud rates in in the industry or in the world you know if you if you work with modems 1214 point 4 28 for things like this and if you do Arduino you know 9600 and 115 to is very common it's like you want the slowest rate of text possible or the fastest you can get from an Arduino this is closer to the standard of 115 to sometimes some embedded devices they have off bauds but this is probably not an off baud so what you do is you put a decoder so then after that you'll start seeing text so you go forward

so that's that's how you get the baud rate for that after that you connect to your serial terminal session

and basically you just connect your UART and you get us a real terminal session then you set up the baud rate correctly

okay so logging it oh there it is ah dang it I was like futzing around with that okay so yeah basically a I I closed it they got the UART and then I cooked it up and got that working so hack all the things and also if you get into JTAG of it then you see where my memory offsets are in order to start getting like a single single abused remote session what are those weird things happen

glitching so that's when you ground out the data out there in order to cause an error maybe if it's not done correctly property online somewhere you alter it and then after that figure out how it gets in there you saw to the flash and just snarf it and then figure it out through there so anybody know what this video is yes WarGames um so so there's a guy who says I can't believe it Jim that girl standing over there and you're telling her about our backdoor what does he respond

so here I'm going to show you and I know III have very few minutes left and if you want to you and so that it just sends out zeros or it depends on how that speaks but it'll send out a stream of either ones or zeros it'll error out the file read and it will cause a crash and if it's not handled correctly it's a bad thing so over here I mess up the timing so this is where I have to use the swish so I use a switch in order to turn back

and you'll see later on that it only runs root you know there's kind of a weird thing where you have web servers do you run Apache as root okay so why would you run some of these things with only root and it is you know it's easier but it's not it it's not secure so now that you've got a foot in the door this is where you start analyzing so look at the file system what do you all show you the files yes more memes so what to look for oh well that's that kind of jumps really fast let's go back to this

okay well if I can read it correctly there's init scripts so runtime level stuff see what it calls and where it goes so you just follow the boot the boot order see where all the start scripts go the rcS script init and inittab see all the stuff that's setting up on along the way look at the firmware updating some procedures so you see if there's any scripts Python scripts or whatever that shows you how to update the firmware what kind of authentication it tries to use maybe if it does ever all look at what it accesses internet IP addresses any access points sometimes you see hard-coded SSIDs and keys that's pretty interesting

main main program that gets kicked off so there's a binary program and that's why I have this picture that kind of animated on top of my text anybody know what that's related to that's a recent release yeah Ghidra that's free so you don't have to pay thousands of dollars for freaking IDA Pro and you get to see enemy two dragons so what did I encounter on the IP camera following it I saw all this stuff on inittab so it spawns a root terminal on the serial and stuff restart shut down ctrl-alt-delete what to do and it's the last time

rcS mounts filesystems displays a banner blah blah you know inits some things partition to on the chip and mounts it to home okay that's weird and then what is that well what's start.sh and why is it in not an init script so let's look at start.sh and also at the end of it there's something called p2p cam that runs last so let's look at start.sh and you probably can't see this

this is where you start looking at their parents okay that's pretty interesting check out grade

comment about shelter it's like okay so the thing is you can see old versions or former updates on some of these things they just leave it in there and you have to see the mentality of like older vulnerable or broken ways of how they tried to update the firmware psycho goes back so I'm going to reveal to you check that speed car check boy firmware test firmware test okay what you want to look for the first partition I'm not a factory why are we running a demo code off a nice

it doesn't even ask if it's like ext2 to see if it's an executable file it just runs born so I guess that so it doesn't matter if it's FAT or whatever otherwise

there's a check that it's not doing which is also very interesting and it's going to be running into overtime so if you guys are going to sacrifice lunch I'd like to show you or I can show you outside like a BOF kind of thing but write and run the exploit just freakin do it don't let your dreams be dreams if you dream about rickrolling people that have an IP camera this is your opportunity to do it so what's in my script

so this will reset it back to normal otherwise it'll pick the sibling to your SD card I'll pack that way which automatically plays that way father so in conclusion wrap it up observe your research into the foot of the door explain sacrificial lambs look for the buggers look for funny they won't ever see that strips there I mean you know this is this is what they expect out of selling you a product that there is a black box you can't look into you own it you own it you own it you know for back so I'm gonna get into that

and just do it so go forth and hack devices you know and also if you need some Carnivale hack some firewood so here are some resources links if you ever see any of these cheap blank

so targets UART stuff see and play around with sigrok and get familiar with it so thank you BSides Rochester thank you very much and for you guys the audience thank you for attending use your knowledge for good not evil unless if it's a prank pranks are fun when deliciously evil please don't profit from this or not to maybe a little bit of profit I'm not your mom don't be a dick think twice when you buy used and audit your stuff and forensics any questions and bonus slides in case anybody is interested