
Good afternoon, welcome to BSides Las Vegas. This talk is by Aaron; it is "PowerPC Emulation and Transition." I have a few announcements before we start. We'd like to thank our sponsor, our Diamond sponsor Adobe, and our Gold sponsors Prisma Cloud, srip, PlexTrac. It's with their support that we're able to do this event and keep going next year. We also want to thank all of our donors, the volunteers, everybody. Quick reminder about cell phones: if you have them in your pocket please put them on silent; even the vibrate is really annoying, so please make sure it doesn't show up on our recording later. If you have questions at the end there's a microphone by the projector there, feel free to come up and ask them. Aaron said she'd be happy to take questions. Thank you so much.

Phones, five seconds while I remember to turn my phone on... on silent. There we go. All right, so let's get going. I am Aaron. I can't wander; oops, sorry, bad habits, we'll see how this goes. I'm Aaron Cornelius, or Acorn, take your pick, and if you want to know what the hell the thing in the bottom left is, go to onionshark.com; it's got a little background story there. Pronouns: she/her. I'm currently a senior staff security researcher, or something like that, at GRIMM. I've been at this particular job for a little over six years. In this job I do a lot of reverse engineering of hardware and software, I do vulnerability research, I do training development, I give training. One of my key passions is helping to teach people and helping to mentor people, and now I'm going to tell all of you something that I tell the people that I mentor, which is: if somebody sounds like they know what they're talking about, there are only three possibilities. One is that they're full of [ __ ], which is an extremely popular option. The second one is that they've been working with that system, software, whatever, for three-plus years. The last option is that they made the thing, created it, so they know everything about it, probably everything. So that's one thing I wanted to say up front here: if some of these things sound confusing and you're not familiar and it feels intimidating, for me or for anybody else speaking anywhere this week, just remember that after you've had experience doing the same thing for three-plus years you'll also know things, and you will know way more than people who've not had experience with it. So, some level setting there. This talk is about emulation and PowerPC, and transition; we'll get to that, we'll get to story time in a little bit, but before we do that I need to lay some technical baseline.

Why emulate something? There are a couple of different reasons. In my line of work I specialize in cyber-physical systems, so bare-metal systems; we don't get quite as much visibility with debugging, and trying to attach JTAG debuggers to embedded systems can be problematic at times, or it can just be slow. I've worked with a lot of really weird architectures and really weird piece-of-crap debuggers, and they're slow and they make everything more annoying than it feels like it really should be. So that's one reason that having an emulator can be handy. Also, full-system emulation provides a lot more opportunities for collecting information, especially for doing reverse engineering. For example, if you have a program that has tamper protections in it, anti-debug features: on Linux, one of the ways that you get debug access to a program is with the ptrace system call. So if the program itself wants to stop anybody else from debugging it, it can just call the ptrace system call on itself and register as a debugger, which means that nobody else will be able to debug that particular application; it'll be prevented from it. Then that program knows that once it registers for that, nobody else can attach after that; and if it attempts to register and somebody else is already debugging the program, then the program knows immediately that it's being debugged and it can take the appropriate action, to exit or whatever, to make my life annoying, basically. But if you have full-system emulation you don't have to rely on the real system calls; you can just return whatever information you want to return. You can just say, yeah, there's nobody else debugging this program, no problem, carry on. And the reason that works fine is because you're not debugging it, right? You're not actually debugging it, you're emulating everything.

There's a tool called vivisect which is going to be key in a little bit, and vivisect uses emulation in some interesting ways. It's actually one of the ways that it finds what is and is not a function: it takes a block of code and attempts to decode each instruction as it goes, and if it hits a proper return at the end of something, then it knows this is a valid function. That's how it uses emulation to actually do disassembly. And also you can do more targeted reverse engineering, where you take a function that has been found and you start emulating it, and you fill up the emulated registers and memory with what's called a taint value, which then allows you to track which results, as the program goes, are affected by those input values. If all of a sudden you get a program counter that's set to the taint value plus a certain value plus some other thing, then you know immediately that you've got code execution in this function if you can manipulate the input parameters. So basically this all sums up as: it's useful. There are a lot of other
emulation tools out there, so why am I making a new one? There's one called QEMU, which is a very popular open-source emulator; its codebase is terrible. This is my personal opinion. Sometimes things just don't mesh well. If you look at a codebase that people have written, and if any of you do any sort of development whatsoever, you'll know that people have different development styles and sometimes they don't really play happily together: the way one person does things doesn't make sense to somebody else. That's just the way it works; people think about problems in different ways. So existing codebases don't make me happy. And also they can break: if you've ever tried to emulate a full-system Raspberry Pi image, last I tried to do that it was actually fully broken, even though I was trying to do a Raspberry Pi 3, and it's because the emulated ethernet device that the instructions tell you to add doesn't work. So, in the end, there's also "because I want to", right? There's something very valuable about making a new tool: you learn a lot about how things work, and you gain new knowledge and expertise in the process. And also it was my job, so that one kind of overcomes the rest of them, but there are other good reasons too.

PowerPC. I said this talk is emulation, PowerPC, and transition. PowerPC: why in the world is anybody using PowerPC? Who in the hell uses PowerPC anymore? The answer is: in embedded systems, a lot of cyber-physical systems if you must be that way. It's very common in automotive, it's very common in aerospace; these industries have used it for a long time. At the time they started using these PowerPC chips, back in the mid-90s or whenever they were first created (I didn't look up the timeline, it's been too long since I've done that), why were they using PowerPC versus something else? Maybe there was a good technical reason at the time; maybe it's basically because they wanted to, right? If an industry uses a particular thing, if a company uses a particular platform and tool, they will just keep using it because that works. A friend of mine says, "if it works, don't breathe on it, don't [ __ ] touch it, otherwise it's going to break." So if this system works and they know how to debug it and they know how to develop for it, they will keep using that same exact platform. So the short answer is: they use it because they have used it.

There isn't a whole lot that actually does emulation for PowerPC. There are a few things; QEMU does provide some, you can emulate an early-2000s Mac with QEMU. But when we started this process (I haven't checked recently), none of the standard open-source emulation tools supported some of the "newer" (I should probably put some quotes around that) PowerPC features like VLE. VLE stands for variable length encoding; you can think of it very much like Arm Thumb-2. So there's an entire instruction set that's not supported in the emulators, and there are also additional custom features for some of the embedded controllers that are not really addressed within current emulation tools. And again, very much like the last slide, it was also part of what I was assigned: I was assigned to make an emulator for PowerPC, so here we are.

What project was I assigned to? Oh yeah, the DARPA AMP program; I almost forgot to put it down there. The DARPA AMP program itself: I'm not going to read a bunch of stuff to you, you can look at the web page right there if you want. It stands for Assured Micro-Patching, and you can read about it if you want more detail, because I've already gone on too long without getting to the story. I will give you a very quick summary of what AMP is about. The goal of this project is to create or advance the state of the art in tools that will take a binary and lift it up into a higher-level language, let you modify that high-level program, whether it's C or something like C, then take that modified program, recompile it back into a binary, and then take the original binary and patch it in a way that's unobtrusive to the actual program execution. The very last, and in my opinion most challenging, part of this project is to make those tools able to provide assurance that the changes that are made don't negatively impact the behavior of the program. So that's what's been going on. I'm not going to be going into details about these particular tools because that's not really what I've been working on; that's the overall goal of the program. There are a lot of other tools that have been talked about this year and previous years, like OFRAK from Red Balloon last year; Fish is going to be doing a talk about angr, and there have been a lot of changes going on with that, I think that's a DEF CON talk. But there are a bunch of different tools that are used in the industry for doing disassembly and reverse engineering, as well as new tools being created as a result of this program doing some really cool stuff, and that wasn't what I was working on. What I was working on is testing those tools. Part of the DARPA project is that there's a team that actually does the testing: the companies AIS, Cummins and GRIMM, along with some people from CSU, are the team testing those tools. The end goal is to be able to find bugs in a real embedded controller. Because Cummins is a partner, that means the end test is going to be on an engine, a real Cummins engine controller: a bug is going to be placed in it, it needs to be found and patched, and they need to be able to verify, with all the complexity of a modern engine controller, that the patch made does not negatively impact it. But the processor in this controller is a modern (for a given value of modern) PowerPC chip, which means that there were no emulators that actually did what is necessary to emulate this beast.

This is the particular chip in that engine controller, and you don't have to look around and pay too much attention to this eye chart; this is just from the reference manual from NXP. The things to point out here are in that little yellow box (let me see here, hey, it works): you can see that it's got a couple of different things. Here's VLE, we talked about that before; MMU, memory management stuff, virtual memory; there's also this block here called SPE2, and that's really annoying. SPE2 is an NXP proprietary component that implements custom floating-point and vector instructions, which means even if there was a standard emulator out there that did those things, we'd potentially need to be implementing new custom instruction decoding and emulation also. So there was work to be done at the beginning there. And I'm going to show you this here: I should have added up the number of pages all these reference manuals were, it's probably around 5,000 or more pages. Loads of fun. But thankfully it was a few-year project, right, this is like three years that I've been doing this. I'm not going to dwell on here too much; if you have technical questions
about any of this stuff, obviously feel free to get hold of me afterwards, and I'm more than happy to talk about it.

So, almost to story time, but we're going to really quickly mention this here: Conway's law. I don't know if anyone's familiar with this particular idea, concept, not law. The idea is that any organization that designs a system will produce a design whose structure is a copy of how that particular organization communicates. If you've got four groups that are making a particular product, then you're going to end up having four individual subcomponents, and the way they talk together, the way they work together, is based on how those teams communicate with each other. And at a lower scale I know this is true; this should be fairly obvious, because the way I write tools, the way I write tools for myself, is all based around how I think about problems. So the tools that I write work well for me and they let me look at the pieces of information that I find interesting while using the tool. This is also one of the reasons I encourage everybody to make their own tools, because often the tools that are out there don't really mesh well and work for the way you think about problem solving, or try to solve particular problems. And like I said before, making your own tool will help you learn more about it in the process. Anyway, so it's time for some story. We'll talk about the work that was done on the emulator, the different challenges that were there; by now I assume it's obvious that I'm trans when I say "figuring myself out". Oops, what was that? "Figuring myself out," did I miss one? Oops.

Oops, all right, I'm not sure what that note was all about, I must have typoed something here. I'm not going to go into the nitty-gritty of a bunch of things because I don't have the time for it, and things can get a little personal. And also this talk is already way more personal than anything I've ever done before and I've been a little bit nervous about that; hopefully it's not coming off too badly, we'll see, I'm sure I'll find out afterwards. So what do making an emulator, and PowerPC, and coming out as trans have to do with anything? Nothing, they're not related. Well, okay, I suppose PowerPC and the emulator are related to each other; coming out as trans is more of a thing that happened at the same time as the other things. I was started on this project, well, let's start here, right, here's the beginning. This is the only surviving selfie I ever actually tried to take of myself before coming out; I have no idea how it wasn't deleted. It's only really relevant in this particular situation because this is around the same time that I started thinking more in depth about myself, and like gender, do I have one, etc. It's worth mentioning right here that I don't mind old pictures of myself, and this can be extremely personal for trans people, so don't assume anybody you talk to is okay with looking at old pictures or showing people old pictures of themselves; it's an extremely personal thing. Personally, it doesn't look like me and it never felt like me, so it's kind of more of an abstract thing; the only reason I find old pictures kind of interesting is how different they look to me now. It's also worth mentioning that this is probably around the time that I'd already learned that I was ADHD, diagnosed as an adult, and I was slowly learning how that impacted me in terms of how that impacted life, I guess, for me; that's probably the most generic way to say it.

The story is about emulation and PowerPC; the undercurrent of all this is related to reverse engineering. We're developing an emulator because this needs to be emulated for this particular program that we're working on, but we're doing the emulator in a particular way because it also should help us be able to use this tool in the future for doing reverse engineering. This is the one reason we structured it the way we did, so we can get additional analysis and information from it. Part of this is essentially me looking at the patterns in myself, mentally, and slowly reverse engineering essentially myself and my own brain. So, enough of this, let's move on.

Summer 2018: work started on the PowerPC support in vivisect, which I talked about. vivisect is a vulnerability research toolkit, something like that, I always forget the specific words. There's also another coworker who at this time created a PowerPC VLE disassembler plugin for Binary Ninja; that's up on that GitHub address there. vivisect, which I should have put the address there for also, is at something like github.com/vivisect. So, let's see, oops, not that. The next thing here, winter, summer: improvements were made to the initial project. Not a whole lot of progress was made initially because work seemed to keep getting in the way, go figure. Eventually then, the next year, GRIMM got an award from NMFTA to officially add and improve PowerPC support in vivisect, because PowerPC is so common in transportation; they were trying to push forward a bit of the state of the art in terms of tools for doing vulnerability research and disassembling PowerPC and embedded systems. I didn't help with the initial stuff, but I did make a load of unit tests for it. I made it the way I always do things, which is I script it: I took an existing program, I found all the instructions in the program, and then I dumped those out with an existing tool and I made a giant file of tests to run through and verified that the disassembly was correct, and I found a lot of bugs in both our tool and in the commercial tools, because there are bugs everywhere. All right, anyway, so next: here's the last picture I have before the pandemic started, before I started growing my hair
out. I had always wanted to grow my hair out, but for some stupid reason I felt that I should look professional instead, which was stupid, but that's kind of where I was at the time. Regardless of all the other completely terrible things that have happened due to the pandemic, at the very least it was a good excuse for me not to get a haircut. I'd been working at GRIMM for about three years at this point and I'd mostly overcome my initial impostor syndrome; I hadn't fully grown confident in my own abilities to teach and mentor at that time. Also more mental-progress-type stuff: I'd already figured out that I was probably autistic at this point. As a result of that, it didn't really change anything too much; it's more along the lines of helping me realize that there are certain situations, and physical noise levels or whatever, that become completely overwhelming for me, and instead of trying to power through it and push myself through those things, I realize it's much easier and healthier, and in the short term and the long term I recover quicker, if I just take a moment, go find a quiet corner to chill out in, kind of reset myself, and then I can get back to whatever I was doing. So it's more of a self-care type process. Poor Aaron here had no idea what was in store for her in the next few years. At this point I was pretty sure I was non-binary at some point, but I'd also decided that gender was all [ __ ] anyway, so who the [ __ ] cares. I do want to emphasize very much right here that just because somebody says they're non-binary, it doesn't mean it's an intermediate state; it's very much that for me, at this time, it was just easier for me to accept non-binary rather than accepting that I was trans. And that's just because honestly I wasn't ready yet; it took a while for me to be able to accept myself, but thinking I was non-binary was less scary. But yeah, I just want to repeat that one more time: people who say they're non-binary, they're non-binary, right? It's not like they've not yet decided; that was just for me, the way my brain was thinking.

Summer 22: the DARPA AMP program finally kicks off, and some of my colleagues started working on the emulator work. I had not joined yet; I was working on a different project. My colleague Matt created the initial emulator framework, along with defining the memory-mapped I/O reads and writes that would allow plugging in generic peripherals, to make certain actions happen when you read and write memory. If you're familiar with how low-level embedded systems work: when you read certain memory, it lets you read a message that's been received; if you write to a certain specific memory address, it allows messages to be sent over a network. The type of network and the addresses you read and all that junk are part of the reference manual, so you just have to look it up depending on what you're working on. Late fall: I started helping Matt with the PowerPC emulator. Really, at that point it was a lot of learning how vivisect itself worked and how the emulator capabilities in vivisect were working. In December we hired a new junior researcher also, Jordan, who didn't have much experience with doing assembly or even programming Python, but he said he wanted to learn, and so much of the next year I was helping mentor him, to teach him how to do Python and how assembly works, how to decode instructions, and so on and so forth. I don't think he's too pissed off at me for teaching him PowerPC as his very first assembly language; I hope. I do feel a little bad about it.

Software watchdog timer: that's what SWT is. That's kind of the first peripheral that was made. One of the benefits is that it forced us to come up with the way we're going to manage the tracking of time: when a system boots up it tracks how many system clock ticks have occurred. So this was the first go at it; we tried to come up with something in a way that was efficient. It did kind of bite us a little bit in the end, but it was good enough to start with; that's often what you need to do when you're developing a complex system. The next thing that was done: SIU, which stands for system integration unit, and FMPLL, which is frequency modulated phase-locked loop. Again, these are just words, garbage words from the reference manual; you don't have to care what they mean, but they're related to basically getting the system to power up, getting the initial things to behave properly, and getting the initial system clock to be set. So with those three things done we were ready to actually start emulating the real code. So I had a CM2350 board that was on my desk; cracked it open, attached a debugger to it and ripped the firmware out of it. I mean, strictly speaking I did have another firmware image already, but this one was useful because I like having duplicates of things; it helps me confirm how things behave. And also, because I got the debugger hooked up, even though hardware debugging is annoying and can be clunky and less easy than having an emulated thing to run, it is nice to be able to actually hook up a debugger and confirm that when these particular values are set, my emulator is doing the same behavior as the real thing itself: I'm able to read the correct values, I'm able to see messages be transmitted, and so on.
So let's see, that year: that was kind of up to May. The next thing that happened here: I had a talk at escar in 2021; it was held virtually, obviously. This was a professional headshot that my partner took for me; my growing my hair out was going pretty well at that point. At this point I'd kind of come around to the idea that yeah, maybe I wanted to be a woman at some point, but, like, so what, gender is all [ __ ] anyway, right? My thought was very much: I'm old now, so who cares, it's not like it's worth doing at this point in my life. At least that's where my mind was. You probably know how this story ends, but I'm going to emphasize how very, very wrong I was about that thing, about being too old and it being not worth it.

Next: there's a lot of work that was done in May. It was kind of easy when we didn't have a whole lot of framework to worry about, because the more things that were added, the more complicated adding new things became, and we also chose what things to add initially because those were the basis of how a lot of other things needed to work in the system. So, MMU: this is how you configure virtual memory addresses. Fun fact, on PowerPC these are special-purpose registers, because everything in PowerPC is special-purpose registers; that's one of the things that makes it kind of annoying. But over here, this MMU Assist Register 2, MAS2, something like that, yeah: these flags here are the ones that control whether or not a certain page of memory is VLE. So if you want to know which parts of memory in a PowerPC system are VLE versus the regular 32-bit instructions, you have to have the MMU configuration; it doesn't have a simple bit flag like it does on Arm. Also, fun fact: in PowerPC systems you can configure different pages of memory to be big- or little-endian. This has no real relevance whatsoever; this is just one of those things that annoyed the [ __ ] out of me when I was trying to emulate this damn thing. So over here you see this E flag; that's the endian flag. So just in case you ever want to mess around with things and make terrible, terrible PowerPC CTFs, you can have a lot of fun with these things, because nobody knows or realizes these things.

Next, I made flash. You don't have to worry about this flash block layout; this is just the layout from the reference manual. If you're not familiar with how flash works in embedded systems, you generally have to erase blocks before you can actually write new values to them. That mattered for emulating how the system works, because this is an engine controller and the way it takes updates is over the CAN bus, and there are dealer tools that are then able to send new programs to it; and if we're doing vulnerability research on this thing we absolutely want to pay attention to how new programs are written into it and whether we can manipulate and affect that. So I wrote flash emulation to track and follow the proper process for erasing and rewriting memory. This is also how I bricked my very first virtual image, because I started everything up and ran it, and everything was going great, the flash program configuration worked perfectly, and then the engine controller program reached a point where it was looking for some information for something I hadn't implemented yet, and so it took some error path, and the error path had it go down and update flash to indicate that this image is bad and it needs to take an update. And then every single time I booted the system after that (say, booted, ran the emulator) after that, every single time it stopped working; I couldn't get the same code flow that I had before. It took me an embarrassingly long time to realize that, wait a minute, something's different here, and I got a new fresh image off of the real hardware and compared it and realized that yes, in fact, this one here has some flags set that are not set here. So that was kind of fun, because it helped confirm that yes, I was emulating flash correctly; it was also kind of frustrating because I didn't even consider that possibility at all. I really should have, but go figure.

Interrupt handling, exceptions: these are things like if you have a divide-by-zero error, or if something tries to read a memory address that doesn't exist; you get these low, base-level exceptions. In a standard operating system those exceptions are translated into error signals that are sent to the program that's running at the time. Bare-metal systems, it's not like that; it's like there's just one giant application running, which means that it might install handlers for those things. Most of the time, for many of these things, the programming of the system assumes that this isn't going to happen, because you're not loading new things on there after the fact; you load the program on and it does the same thing every time you boot it for however many years you're going to use this particular controller. So these don't all have to be implemented for embedded systems, but the framework has to be there, because that framework is still used for things like getting notifications when a message arrives on a particular communications bus.

A few more peripherals here. If you don't know about CAN, feel free to stop by the Car Hacking Village at DEF CON; we have lots of fun teaching people how to do CAN. SPI, serial peripheral interface: the Wikipedia page is pretty good for learning how SPI works. ADC is analog-to-digital conversion; that's basically taking a voltage value and translating it into something that can be read, typically a fixed-point number of some sort. EBI stands for external bus interface; it's how you can add external RAM to the particular part. Let's see, most embedded systems that have all these different peripherals, they're called systems on chip, SoCs, and they also usually have internal memory, some internal SRAM, but typically they also have a way to add in extra memory. And then I've got here, summer to winter: lots and lots of integration.
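The erase-before-write flash behaviour and the bricked virtual image from the flash story above, as an added Python example that is not code from the talk or from the emulator it describes. The block size, flash addresses, the image-valid flag location and the `firmware_boot` stand-in for the controller's boot path are all constructed assumptions.

```python
# Added example, not code from the talk or from any emulator project it mentions.
# A tiny NOR-flash model with the erase-before-write rule, plus a constructed
# stand-in for the controller's boot path that clears an "image valid" flag in
# flash when it hits an unimplemented feature. Block size, flash base, flash
# size and the flag address are all constructed assumptions.

BLOCK_SIZE = 0x1000          # assumed: 4 KiB erase blocks
FLASH_BASE = 0x0000_0000     # assumed base address of the flash array
FLASH_SIZE = 4 * BLOCK_SIZE  # assumed: four blocks
IMAGE_FLAG_ADDR = 0x3FFC     # assumed: word the firmware clears to mark the image bad
ERASED_BYTE = 0xFF           # NOR flash reads as all ones after an erase


class FlashError(Exception):
    """Raised when an access violates the flash programming rules."""


class NorFlash:
    """Erase sets a whole block to 0xFF; programming can only clear bits (1 -> 0)."""

    def __init__(self, image: bytes):
        if len(image) != FLASH_SIZE:
            raise ValueError(f"image must be {FLASH_SIZE:#x} bytes")
        self._pristine = bytes(image)      # the dump taken from the real hardware
        self.mem = bytearray(image)
        self.erase_count = [0] * (FLASH_SIZE // BLOCK_SIZE)

    def _offset(self, addr: int, length: int = 1) -> int:
        off = addr - FLASH_BASE
        if off < 0 or off + length > FLASH_SIZE:
            raise FlashError(f"access at {addr:#x} is outside the flash array")
        return off

    def read(self, addr: int, length: int) -> bytes:
        off = self._offset(addr, length)
        return bytes(self.mem[off:off + length])

    def erase_block(self, addr: int) -> None:
        """Erase the block containing addr (the only way to turn 0 bits back into 1)."""
        start = (self._offset(addr) // BLOCK_SIZE) * BLOCK_SIZE
        self.mem[start:start + BLOCK_SIZE] = bytes([ERASED_BYTE]) * BLOCK_SIZE
        self.erase_count[start // BLOCK_SIZE] += 1

    def program(self, addr: int, data: bytes) -> None:
        """Program bytes; refuses any write that would set a bit without an erase."""
        off = self._offset(addr, len(data))
        for i, new in enumerate(data):
            cur = self.mem[off + i]
            illegal = new & ~cur & 0xFF        # bits that are 0 now but 1 in the new value
            if illegal:
                raise FlashError(
                    f"program at {addr + i:#x} would set bits {illegal:#04x} without erase")
            self.mem[off + i] = cur & new

    def reload_pristine(self) -> None:
        """Throw away persisted state and start again from the hardware dump."""
        self.mem = bytearray(self._pristine)


def rewrite_block(flash: NorFlash, addr: int, data: bytes) -> None:
    """The proper update sequence: erase the block, then program the new contents."""
    flash.erase_block(addr)
    flash.program(addr, data)


def firmware_boot(flash: NorFlash, feature_implemented: bool) -> str:
    """Constructed stand-in for the controller's boot path.

    If the image-valid flag is already cleared, the firmware waits for an update.
    If a needed feature is missing, it takes the error path and clears the flag,
    which needs no erase because programming only ever clears bits.
    """
    if flash.read(IMAGE_FLAG_ADDR, 4) != b"\xff\xff\xff\xff":
        return "wait-for-update"
    if not feature_implemented:
        flash.program(IMAGE_FLAG_ADDR, b"\x00\x00\x00\x00")
        return "marked-bad"
    return "run"


def bricked_image_demo() -> tuple:
    """Replay the 'bricked virtual image' story: one bad boot poisons every later
    boot until the emulator's flash is reloaded from the pristine dump."""
    image = bytes([0xAA]) * (FLASH_SIZE - 4) + b"\xff\xff\xff\xff"   # constructed image
    flash = NorFlash(image)
    first = firmware_boot(flash, feature_implemented=False)    # error path marks image bad
    second = firmware_boot(flash, feature_implemented=True)    # still refuses to run
    flash.reload_pristine()
    third = firmware_boot(flash, feature_implemented=True)     # fresh flash: runs normally
    return first, second, third


if __name__ == "__main__":
    print(bricked_image_demo())
    f = NorFlash(bytes([0xAA]) * FLASH_SIZE)
    try:
        f.program(FLASH_BASE, b"\x55")      # 0xAA -> 0x55 would set bits: rejected
    except FlashError as e:
        print("rejected:", e)
    rewrite_block(f, FLASH_BASE, b"\x55")
    print(f.read(FLASH_BASE, 1), f.erase_count)
```

Snapshotting or reloading the flash array between emulator runs is what keeps one error-path boot from changing every boot that follows.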
right this kind of you know this kind of us goes through a bunch of these things here from August on uh trying to take one of the real challenges that was developed and given to the different teams or demonstrated to different teams and trying to make sure see how it works all together in the emulator itself there's basically a lot of work developing these things and you know um like a month or so in August and then after August uh going through and you know trying to fix all the bugs that I wrote or things I did incorrectly how do we test these things make coming up with the test cuz these are it was all fairly
complex it's probably worth noting I think it was around October 2021 that one of the people I follow on Twitter just made a random mention that uh having trouble with long forming long-term uh memories is can be a symptom of cptsd up until that point um I had kind of assumed because I was ADHD and just didn't pay close attention to things um but you know uh it was now my mind was open to the fact that there is another possibility right um so I started trying to figure out grapple with the idea that maybe I did have cptsd and what did that mean uh some addition to vivisect analysis to make it easier to do raw PPC
firmware analysis with the tool um and then February 2022 the emulator was moved to GitHub and released for the teams to use it wasn't complete yet but it was complete enough for just start using it and manipulating it and playing around with it um I should probably I did forget to mention these slides will be up on my web page that was at the very beginning onion shark.com um but they're not there yet they will be um so also in early February I finally accepted myself you know that yes I probably was trans came out to my partner uh this is one of those things that when looking back on this particular timeline of how the what the
per work that was done in the emulator was realized that it was very uh there's some weird time coincidences here right in this particular case this is one of them um so you'll notice from here we're kind of getting a little bit less populated with technical stuff honestly it's because most of the hard technical things were done earlier on uh but also because uh we're running out of time this talk is very much in danger of going on too long so 20 February I came out to my partner that's the picture of myself that I took the day after I came out um it was really weird like a switch flipped and all a sudden I looked at
myself and I was like maybe this isn't the worst thing I've ever seen in the world before that it definitely definitely was so then March I had the very first week of March I had a training to teach at the company I work for grim and I had to decide how I wanted to be did I want to be me did I want to be the you know person that people had been seeing for three plus years at this particular point I very much knew how my brain works and that if I didn't come out immediately it would never feel like the right time um so I was kind of felt like maybe I should do it for that and also because I
was happy I was happy for like the first time in my life um and I wanted to share the reason for it um I knew there were some people I follow on Twitter who came out publicly and I got a lot of inspiration from them so I thought maybe if I can be more public that it might be inspiring to other people um also my first work trip after coming out was at the end of March which was for the amp program where we went to CSU and were testing a bunch of tools and it laid right on top of March 31st trans day of visibility so that was kind of also a very symbolic thing where it was like
well I'm I hadn't actually worn like a skirt you know professionally at that point that was very much a let's just [ __ ] do this thing um I was extremely nervous but you know I'd already come out professionally came out LinkedIn t Twitter to my company um so you know all the people I've been working with for you know at that point about 1 and a half years you know I came out to them and it was incredible I've actually got a smile on my face as you can see here it was a good day uh next thing uh at I had a talk at escar so again a year after that one professional head shot I had another one
that had to be taken um and uh so my partner helped me with makeup um I'm still not fantastic at it um but I definitely wasn't at that time and then took this picture for me which um frankly I found astonishing and this last one here placeholder peripherals that's because some things just can't be nice and give and we can never have good things there's a part a little peripheral in the processor called the uh etpu 2 and the etpu 2 of this particular you know nxp processor is actually two tiny little dsps that run their own instruction Lang language and there's shared memory where you can populate some programs in there and have them do
like automatic analysis of pwm inputs or adcs or whatever which was a future problem because we couldn't deal with it at that time um that's making an entirely new emulator for a completely different architecture was a little bit above and beyond what we planned on having to do but so more work continued there um there was a lot more work with some of the other challenges coming on Defcon 30 last year I was there as myself it was amazing my friend Heather took this picture it was fantastic um i' told you before like in October I was talking I was reflecting on not remembering much of my life and here very much um the last since I have come out I remember it
feels like everything and there's so many things that have happened it's crazy wrap up a few more things here we had a few more floating Point instructions to make um including those proprietary ones not just just the power PC standard ones then we had to make some uh Vector instructions um Jordan helped with the floating Point instructions another colleague Dan helped with the uh Vector instructions um and testing them asms like a very simple system identification module like a unique ID in every processor type stuff uh dma and interrupts so we already talked about interrupts dma is a way to attach like automatic memory reads and writes to certain events that can be configured um
That also is again another step of complexity for this particular project.

Oh [ __ ], I just remembered something. I've got a demo video here. It looks extremely faint right there, but you'll very soon see it start scrolling. There's not a whole lot to demo for this particular thing, because it's an emulator, and the thing running is actually just a lot of text flying by on the screen here, as you can see. No, not there. Let's see, there you go. All right, it's going; better late than never. I meant to start that earlier, after we went into the bootloader, when I grabbed the firmware off of the thing, so it's running a little bit late. There you can see lots of text flying by, which is going to be completely meaningless and is really only interesting to me, but I'm going to show you that anyway. But here at this point we're getting pretty close to being complete in terms of what is necessary to emulate the entire application.

Last thing here: we added a remote GDB server. This was initially created in the beginning of March, but then we never really had time to fully integrate it into the actual emulator itself. The benefit of this is you can start up the emulator and give it a flag and say, wait until a debugger attaches, until a GDB remote session attaches, and then you can continue to debug. This is very much like if you have external hardware and you have some sort of debug server there; this is also very much like if you are running QEMU with the -g flag to let it pause until a debugger attaches. This whole emulator was intended to be somewhat of a drop-in replacement for those types of workflows, and it's getting there. I did have to tweak the timing; that took a little bit longer.

The external watchdog here is kind of the culmination of the goal from the beginning, where we had these layers of emulation happening: vivisect is the core disassembly and emulation, then we have this e200z7 emulator, then there's the SoC we're emulating, and then we're emulating the PCB of the system itself, in this case a watchdog. A watchdog is a thing that you have to read or write to every so often, or else the system resets. It's a way to make sure that software is still working properly. Typically safety-critical systems or real-time control systems have a watchdog configured, so you've got internal ones, and then you also usually have one on the board level, where maybe things are working okay internally, but there's application-level stuff that's supposed to happen, and if that application-level stuff freezes up then the external watchdog will restart everything. So, just different ways of recovering from errors.

And then that gets us to where we are right here at the end of May. June, I think, technically, was the end of phase two of the DARPA project, now going into phase three. If you're not familiar with the terminology here for DARPA projects: DARPA projects typically have three phases. There's phase one, which is kind of "prove you can do this thing"; phase two then is actually do the work. So phase one would be like proof of concept, phase two is do the work, and phase three is what they call the transition phase, wherein they're transitioning from being mostly DARPA funded to being partially funded from external companies as well, who find interest in these technologies and tools being built and are able to carry them on. There's a bunch of stuff that still needs to be done on this, but in the end we're getting closer. My goal is to have this be a generic framework for doing any bare-metal emulation, and being able to do this in a simple way. vivisect is all written in Python; the emulator is all written in Python. That does mean there are some performance penalties for it, but in general it is one of those things that kind of makes it easier and faster to develop, and hopefully easier for people to use, in whatever form or shape is helpful. So there are still things to be done, but if you're changing less than 10% of the functionality of something, then basically you're already done: people can use it, and you can go about fixing it and tweaking things as you have time.

So, conclusion here: an emulator framework that works well for me, works well for doing reverse engineering, works well with the way my brain works. It provides a bunch of different ways to do analysis. So, for example, every time a function is called you can see this text flying by here; there's a lot of debug statements, but there's also a lot of "function called", "function exited", "function called", "function exited" log messages, which you can't see because it's too fast; you'll have to trust me on that one. Those are there because of an analysis hook: every time you start a function you can add a function call for doing additional things; every time the function returns you can do additional things; before an instruction is emulated you can add additional hooks; after an instruction is emulated you can add additional hooks. This is one of the benefits of vivisect as a framework.

I've learned a ton about disassembly and emulation. I knew some going in, but way more now than I used to. I also know more about vivisect, because I had never used the tool before. I've also learned more about PowerPC than I ever wanted to know. Most of my career was in embedded systems doing things like telecom, aerospace, medical, etc., and PowerPC is used in a lot of those things, and I thought I knew about PowerPC, and I've learned more than I ever wanted to know. So don't be afraid to make your own tool and to research things, even if it's already been done before.

But we've got more conclusions. I actually like being me for the first time in my life, and I seem to enjoy life, which is not an experience I ever thought I would have before. It is very much never too late to love yourself; it's never too late to be yourself. I would not be able to state enough the difference between how I felt before and how I feel now, being able to just accept me and be me. Which, at 45 minutes almost exactly, takes us to the end. I guess we can probably stop that demo video at this point.

Oh, a friend also said, when I was doing the first testing I had a cat video here, so that was my test video that I did when I was doing dry runs with a friend, and she said I should keep that in there. So it's a very cute video; I don't even remember where it's from, like a TikTok or something; a friend sent it to me.

But anyway, so here, back here: any questions? I know we're kind of at the end of it now, so if you have questions and there's no time before they get us kicked out of here, please find me. I'm happy to answer questions about anything. So thank you.