
963

December 15th, 2025

Hardware Hacking with Matt Brown

    Transcript

    Wes Bos

    Welcome to Syntax. Today, we have Matt Brown on. He is a YouTuber and security consultant who specializes in pen testing IoT hardware. He has a YouTube channel that's filled with fascinating videos. So, for example, he found dozens of unsecured police license plate cameras, and they had a video feed. They had a stream of all of the data, which included the license plates, the car make and model, and the GPS coordinates.

    Wes Bos

    He hacked a smart grill and extracted the firmware from that, and he's dove into the network activity of dozens of cheap Chinese cameras. And recently, he let Claude Code rip on one of them, which was really interesting. So we've had him on today to talk about how all of this hardware hacking stuff works, the legality of it, and, hopefully, a few interesting stories. Welcome, Matt. Thanks for coming on. Thank you for having me. Yeah.

    Wes Bos

    So I've been watching your YouTube channel for, I don't know, probably about a year now. I'm not sure how I stumbled upon it, but you have these really good breakdowns of how you can take a piece of hardware and then just dig into how it works, or find some interesting pieces that you may not necessarily know about, buying something that's from, like, a different industry, like the police license plate readers. And then you could just buy one yourself and dig into it, and you find all the API endpoints, and then you realize, oh, this is maybe not as secure as we thought it would be. So, look, how do you even get into all of this stuff?

    Guest 1

    That's a great question.

    Guest 1

    I guess the chief kind of hacker mentality of curiosity, and letting that lead you in the discovery of information and knowledge, has always been a thing that I've done since my youth. So, you know, back in my high school and college days, messing around with computers at my school, things like that. I've always been interested in going to thrift stores.

    Guest 1

    Back when I was in high school, I would go to Goodwill, which is a US-based thrift store. Yeah. I don't know if they have them outside the United States. Yeah. We have them in Canada. Oh, sweet. So I would just go buy used electronics and take them apart, put them back together, see how they worked.

    Guest 1

    And that led me deeper and deeper down the hardware hacking rabbit hole, where now, on my channel, I like to just buy used devices and take them apart. And usually I'm after two things.

    Guest 1

    I'm usually, like you said, interested in kind of revealing knowledge that might have security applications in the software.

    Guest 1

    The funny thing is, there are people that are, like, deep silicon hardware security researchers, and that's actually not really my thing. Usually, hardware hacking is like a means to an end to hack on software or hack on APIs, to reveal, you know, APIs that I wouldn't have known existed,

    Wes Bos

    maybe, unless I dug into a piece of hardware. Okay. That's really interesting to me because, like, in the web development world, we love spelunking into the dev tools. You know? You open up the network tab, and you see what's going on. Or we have an app on the desktop called Proxyman, and that will allow you to monitor traffic that's coming in and out of it. And some of us dip into, like, maybe even Wireshark, where you get a little bit past just HTTP traffic and into some of the lower level stuff.

    Wes Bos

    But once it ends on, like, something running on your machine, or maybe something running on your phone and you proxy your phone's traffic through your computer, that's kinda where it ends for me of dipping into it. And there's always, like, these like, you get a camera or you get this thing that you connect to your Wi-Fi, and I'm always curious, like, man, what are the API calls happening there? And it's kind of tricky. So, let's say you pick up a piece of hardware. What are your first steps for sort of breaking that down, trying to find out what the APIs are?

    Guest 1

    Yeah. So if I'm looking at kind of your standard IoT device that is going to make calls out to some backend server on the internet.

    Guest 1

    Most of the time that's gonna be wrapped in TLS. Right? So just opening it up in Wireshark, I'm gonna get a host name and nothing more. I'm not gonna get any endpoint information. Because what we want, right, is we want it to be like the network tab in your dev tools. We wanna actually see the requests and the responses. Because then, from a security or maybe just a tinkering perspective, maybe you want to write your own application that interacts with the back end. Right? Some kind of a third-party thing. There's all sorts of applications of this hardware hacking work.

    Guest 1

    And so there's a couple of avenues.

    Guest 1

    One is, if we can get a root shell on that device, if we can gain control over the device, then we could potentially put our own CA certificate in the trust store of that device.

    Guest 1

    Kind of like if you've ever used Burp Suite or any of these proxying tools to look at web traffic from your web browser, you have to go in either to your computer's trust store or the browser's. Like, Firefox has its own independent trust store; Chrome uses the OS's.

    Guest 1

    And you have to add the proxy certificate to allow it to terminate that SSL, that TLS communication.

    Wes Bos

    So that's why when you get a laptop from your employer and they install their own certificate, even though the website you're going to may be HTTPS, they're still able to see every request that's coming through there, because they literally are putting their own certificate in the chain. Right? That's exactly right. Yeah.

    Guest 1

    So we can effectively do the same thing in the hardware world if we obtain a root shell or we're able to, you know, modify that firmware somehow, modify the running device, and put our cert into the trust store. And when I say trust store, we have to do some reverse engineering. Sometimes it's like a common Debian system, where it's gonna be in, you know, /etc/ssl, you know, certificates or something like that. That's really common. Sometimes it'll be super hard-coded into a binary, and you kinda have to do some reversing and modifying of the system to figure out how to put ourselves in that chain of trust. Then we can use a transparent or an intercepting proxy, which Burp Suite and Caido, they do have a mode where you can enable that and allow it to proxy your traffic. Then you have to do some network shenanigans, maybe with iptables or something with your router, to convince your device to route its traffic through this system that has a transparent proxy. But at that point, we are able to see all the contents of that HTTP communication.

    Scott Tolinski

    And if you want to see all of the errors in your application, you'll want to check out Sentry at sentry.io/syntax. You don't want a production application out there that, well, you have no visibility into, in case something is blowing up and you might not even know it. So head on over to sentry.io/syntax. Again, we've been using this tool for a long time, and it totally rules. Alright.

    Wes Bos

    And, like, what's usually running on these devices? You mentioned Debian. Like, are a lot of these things just running Linux on them, or does it depend?

    Guest 1

    Yeah. So in the IoT world, there's kind of two categories of devices.

    Guest 1

    There are more traditional Linux based devices, and then there are microcontrollers.

    Guest 1

    And so you'll often see these used in different applications. If you need, like, a low-power application, if it's a battery-powered device. Now, these lines can blur, of course. But generally speaking, if you have a low-power, battery-powered device, those are oftentimes gonna be microcontrollers, which are a whole other game in terms of how to do that firmware modification. Like an ESP32 or one of those Raspberry Pi Picos or something like that? Exactly. Yeah. And the Raspberry Pi world is a great distinction. So Raspberry Pi Pico, microcontroller; regular traditional Raspberry Pi is gonna be a microprocessor that runs a full Linux kind of operating system. Exactly.

    Guest 1

    So in the Linux case, that's what you're gonna find most of the time. If you're targeting routers, IP cameras, most of the time those are gonna be Linux. Now that is changing, because people like battery-powered cameras, they like lighter-weight devices that don't need to be plugged in. And so you are seeing some advancements in microcontrollers in that space.

    Guest 1

    For Linux devices, yeah, it's oftentimes gonna be just a very kind of custom, like, I call it an SDK, where a chip provider will provide an entire build system that will include a kernel and all the root file system necessary to boot Linux. And then on top of that, a device manufacturer will build all their custom business logic in the form of some kind of a daemon that will run and communicate out to the cloud.

    Scott Tolinski

    In what language is that stuff written, typically?

    Guest 1

    Mostly, it's C. You'll see some C++.

    Guest 1

    In very odd cases, you'll see some higher-level languages like Python being used. But it's mostly a bunch of C code that is ripe for finding, you know, command injection, buffer overflow type vulnerabilities,

    Wes Bos

    that commonly plague those languages. Yeah. Okay. So you get something and, like, how do you even get root access to that thing in the first place? So you plug it in via USB. Often, it will just go into the mode where it mounts as a USB drive or acts as a camera. How do you get to the lower level, which is access to the firmware that's running on this thing?

    Guest 1

    Yeah. So typically, what I'm gonna do is I'm gonna open up the device.

    Guest 1

    And the first thing I'm gonna look for is the UART console header or debug pins on that device. It's typically going to be a four-pin header or connector that might not even be populated.

    Guest 1

    Right? For their debug version or their kinda development version of that device, they might actually have a header populated.

    Guest 1

    Whereas in production, they might try to take that component out just to save a little bit on their bill of materials cost for the device.

    Guest 1

    But you're gonna look for that connector, and that's where, kind of in my videos, I talk about how there are these USB-to-UART adapters.

    Guest 1

    And those are gonna be set to a certain voltage. 3.3 volts is, like, the most common one you find out there. And then you connect up to, you know, the TX and the RX lines, so it's just an asynchronous physical communication. The analogy I like to use is it's kind of like a physical UDP socket.

    Guest 1

    Right? You can send and receive data across these physical wires, and then on the device that can be connected up to a couple different things. So on a Linux device that's typically gonna be connected to the console, and so if you are connected properly and you power on your device, you're going to start to see the bootloader logs roll by. And maybe you can, like, smash a key and interrupt that boot process.

    Guest 1

    If we let it boot up fully, maybe they're, you know, dumb enough to just leave a logged-in root shell. Right? Yeah. They don't even make you log in. Or maybe there is a login prompt. Right? And this is where we start to rabbit hole into different ways to turn the situation into that root shell. Okay. So there's a lot of different tricks you can do. But if you have that console access, you can oftentimes turn it into a root shell. That's so fascinating to me. Because, like, you open up any electronics, you're often going to see a couple little dots that'll say TX, RX, and ground. Right? And those are your UART connections. Yep. And you can buy them on Amazon. You buy, like, a $5 little USB converter,

    Wes Bos

    where you just attach to those pins. I know there's probably some more advanced things. But at the very basic, you're trying to connect those three wires to a USB, and then you can directly connect to that from your computer when you turn it on. The way I know about this is I did a putting-JavaScript-on-my-Roomba video.

    Wes Bos

    And if anyone's looking to get into having fun, the old crappy Roombas are, like, $6 at a thrift store, and there's full documentation.

    Wes Bos

    And there's a pin header right on the top of the Roomba. You don't even have to open it up, and you can connect directly to it. And then when it boots up, you can see all of the logs, and then you can just start sending and receiving commands from it. And there's libraries out there that will help you both send the commands, as well as receive things like the battery temperature and how fast something is driving, all that interesting stuff. Oh, that's so cool. Yeah. But so, I'm curious. Like, that was really well documented for me. Right? Like, Roomba wants you to hack them, which is kind of a bummer now that Roomba's filing for bankruptcy.

    Wes Bos

    But, like, what do you do to figure out what these commands are when someone doesn't want you to hack with it?

    Guest 1

    Yeah. That's a great question. And that kinda leads into the second activity. So if the first activity is, like, finding that UART console, and if it doesn't immediately give you what you want, right, it doesn't just drop you into a Linux shell.

    Guest 1

    Maybe it leaves you at a login prompt, and you're like, okay. How would I guess what the username and password is? Kind of the second activity then is firmware extraction, in terms of hardware hacking. Again, always for that purpose of hacking the software.

    Guest 1

    So this is, like, where we are able to, you know, with a hot air gun, which I've got over on the bench here, desolder a chip. Sometimes you can read the chips in circuit, meaning you can leave it attached to the board, and you can attach a, you know, a device, like, a programmer, a firmware reader to a chip.

    Guest 1

    Some chips are just not able to be attached to that way based on the physical layout of the chip. And so that's why I prefer to desolder things. Also, you can run into some issues where if your in-circuit programmer reader can, like, inject power, it can basically power the board and cause it to do a bunch of undefined things. So

    Wes Bos

    usually I'll Let the smoke out? Does that happen sometimes?

    Guest 1

    It can. It can. Or it can just mess with your firmware read, is what's probably more likely. Oh, I see. Okay. Because then you'll power up the CPU or the MCU, and it will try to start talking to the flash chip too, to read and write from it, while your programmer is also trying to interact with it. And so you're both, like, arguing over who has control over the flash chip.

    Wes Bos

    Oh, I see. Yeah.

    Guest 1

    Okay. So once you remove that flash chip, you're gonna put it into a programmer, and then, obviously, you need to have a bunch of different kinds of adapters to fit the different kinds of chips.

    Guest 1

    But once we do that and once we read that software off, you're usually left with a binary blob that is the entire contents of that flash chip. And so usually on a Linux-based device, that is going to contain multiple partitions, multiple file systems.

    Guest 1

    And so that's when our handy tools like Binwalk are gonna come in handy for searching through that binary blob to extract out well-known file systems. So you'll see things, especially on more heavy Linux systems or, like, Android-based devices, you'll see, like, ext4 file systems. There are also a lot of file systems that are made specifically for embedded devices, like SquashFS.

    Guest 1

    There's a whole number of file systems that you'll never see outside of kind of the IoT space.

    Wes Bos

    But these things are, like, well known. That's what was so interesting to me about this, is that, just like us web developers, we're reaching for, like, React and Node and all of these well-known things. People who are making hardware are also reaching for well-known things. Often, they'll take a chip off the shelf that is, like, 80% of the way there.

    Wes Bos

    And because those things are well known, then they are also a little bit easier to decrypt with tools like Binwalk. Is that true?

    Guest 1

    That is true. Yeah. So Binwalk, usually, the common flag you pass it is dash lowercase e, which is just, hey, extract. It's the extraction flag. Like, say, hey, go through this file and extract out all of the well-known file systems.

    Guest 1

    And so if that works and, you know, there's a whole bunch of caveats of, you know, sometimes a manufacturer will try to be cute and slightly modify a file system specification. But most of the time, they don't do that. And you're left with the contents of, like, maybe the root file system and maybe another partition. So most of the time on these IoT devices, there'll be multiple partitions, and the root file system will be read-only.

    Guest 1

    Kind of as a reliability mechanism, right, to keep creep and errors from making the system unbootable.

    Guest 1

    And then you'll have data stored in another partition.

    Guest 1

    And those are all of the things that you need to then go start searching through the file system for binaries you might want to throw into a reverse engineering tool, or, say, the /etc/shadow file to grab password hashes out of. And then you can try to crack those password hashes to go back to your UART console to attempt to log in. Okay.

    Scott Tolinski

    Man, this is so fascinating to me. Sorry, Scott. I'm not letting you talk. I haven't let Scott talk at all. I don't do any of this stuff. So Wes is the hardware hacker on this show, so I'm just kind of listening and soaking it in. So, no, I appreciate your insight, Wes.

    Wes Bos

    Alright. Oh, good. Oh, so, like, what's the next step then? So once you've dumped this firmware and you've used Binwalk to sort of look through it, like, what are you then looking for?

    Guest 1

    Yeah. So like I said, if my goal is still, like, if I haven't accomplished that root shell goal yet, then I might look for things like, you know, the shadow file.

    Guest 1

    And then I might grab those password hashes, those Linux password hashes, and throw them into hashcat, use my GPU to try to crack those passwords.

    Guest 1

    And so if that's successful, then that gets me in. If that's not successful, there's kind of the next step down the rabbit hole of attempting to modify that firmware image.

    Guest 1

    So if there's a password that I can't crack, but there's a shadow file, maybe I could replace it with a hash that I do know the corresponding password to.

    Guest 1

    And then if I can package all the file systems back up into that binary blob, and then use my programmer to write back to the chip, and then solder the chip back onto the board Oh, my gosh. Then it would, assuming there's no kind of secure boot controls, there's no integrity controls on the system, which you're seeing more devices that have those, but there's still lots out there that don't have those kinds of controls. So Can I tell you a story of one time I accidentally did that? Yeah.

    Wes Bos

    I had bought a this was probably, like, twelve years ago, and I had bought a camera off of, I think, AliExpress or DealExtreme back then. And it was, like, the Chinese version of a very popular North American brand.

    Wes Bos

    And I was like, I wonder if I can just load the firmware from the North American one onto the Chinese one. So I went on GitHub, and I found somebody had dumped the firmware from one of the North American cameras. So I just dumped that on my camera, booted it up, paired it to the North American app. No problem. And all of a sudden, I see video from somebody else's camera.

    Wes Bos

    And I was like, oh, no.

    Wes Bos

    Like, it must have flashed the MAC address or some sort of identifier, and it was, like, in someone's bedroom. So I unplugged it, and I have never, to this day, plugged that camera back in again, because I was like, I don't know if what I just did was illegal or whatever, but I was just trying to get it added to my own thing.

    Wes Bos

    And it started streaming in someone else's video, and I was almost kinda scared there. And I have never plugged it in again. I think I tossed it a couple years ago because it was kinda scary. But that's something that could happen. Right?

    Guest 1

    Oh, yeah. So going back to how there's commonly, like, a root file system that's kind of, you know, unmodifiable.

    Guest 1

    And then there's the data partition.

    Guest 1

    So what was probably wrapped up in the data partition somewhere is some kind of API tokens, keys, identifiers that corresponded to probably the person who made that repo and the firmware dump. Right? Yeah. And then, by flashing that onto your device, you basically cloned the device. Right? Mhmm. And so that is an attack that, you know, could be considered valid in some cases. Now, obviously, you need, like, physical access. You need a firmware dump of somebody else's camera. So in a lot of cases, that won't be, like, a security vulnerability. Right? Yeah. It's like, if I give my keys away to somebody else, it's like, okay. Then they can access stuff. They can enter your house. Yeah. Okay. Yeah. So with all of this stuff, like, where does that legality

    Scott Tolinski

    border exist?

    Wes Bos

    Yeah. Have you ever had the police knock on your door?

    Guest 1

    No. No police. I've had some strongly worded emails, but I haven't been sued yet. So that's good. Knock on wood here. So generally speaking, my understanding, I'm not a lawyer, by the way, so this is not legal advice, is if I own the device, right? Like, I'm always very careful when doing security research to Like, if I'm hitting APIs, like cloud APIs, that's where I draw a very strict line. If I want to test, can, like, one device kinda access the stuff of another device, then I'll buy two devices. And I'll create two accounts. Right? And I'll try to do those cross-account attacks on myself.

    Guest 1

    Again, not legal advice.

    Guest 1

    That might still be considered an unauthorized test. And then, obviously, the hardware, that's my property when I buy it.

    Guest 1

    There are some United States laws against reverse engineering, but, at least today, they still all have carve-outs for what is called good faith security research.

    Guest 1

    So, again, I'm not a lawyer and don't know the specific definition of that term, but I try to do my research in good faith, Yeah. and to not use it maliciously, not to attack other people.

    Guest 1

    And so, at least in the United States, we have kind of those protections.

    Guest 1

    I obviously don't know about other countries, what the situation is there. Yeah. Alright. So

    Wes Bos

    where were we with the process of

    Guest 1

    I think yeah. Like, what to do with the firmware extraction. So another thing that might be interesting, especially in getting into the web topic, is so the first kind of theoretical IoT device we talked about was where the device reaches out to a cloud server via its APIs.

    Guest 1

    But also, a lot of times, these devices will have their own embedded web servers on them, or other network services that can be connected into. Right? So maybe there's a mobile application, and let's talk about a video camera. Right? So in the video camera use case, you could think of, okay, I wanna be able to access my camera remotely. And so when I'm away from my home, on the mobile app, that data has to go up to the cloud server. But if I'm in my house, now there's a lot of latency. There's a lot of video latency in that first case. So maybe when I'm in my house, on the same network, I want it to stream directly from phone to camera. And so a lot of video cameras will do this. They'll have a way that it can sense that, and the mobile application can directly connect to a service that's running on the device. And so once I have that firmware, I can usually find the binaries that are hosting those web servers or those custom binary protocols that are running on the device.

    Guest 1

    And the web servers are especially interesting because sometimes you'll see kind of standardized servers that use, like, CGI, like lighttpd, which will, so lighttpd will manage kind of the basic web stuff, but then it will make calls to a CGI, to, like, a C program that will actually execute when you make a web request to certain endpoints.

    Guest 1

    Also, you'll see people roll their own web server and web application all in one binary, which is always fascinating. Because then they're doing all the raw they're rolling their own web server many times. And so there's all sorts of, you know, potential security issues there. And then the application

    Wes Bos

    actually, the business logic is all implemented in one binary. That's exactly what I did with my Roomba. The React JS code, the web server, the WebSocket server, and the lower-level communication to send bytes to the Roomba, that was all in a single binary. So that's generally not a good idea, you're saying?

    Guest 1

    Now, like, I guess what I'm saying is, in the IoT world, there's some standards, but it hasn't coalesced as much as the traditional web world, I guess, around a certain set of frameworks and standards.

    Guest 1

    There's a lot of different people who had their own ideas about how to implement a web server and/or a web application.

    Guest 1

    And it just leads to a lot of security bugs, where each case is different. It's not like I have a security tool that audits, like, React applications, and then I run that tool, and then I find vulns, like, common mistakes people make with that framework. Oftentimes, it requires custom reverse engineering of each web server slash web application on each device to really uncover if there's anything that's not being done correctly.

    Wes Bos

    Oh, man. Alright. So you have access. You figure out what the API endpoints are.

    Wes Bos

    And then, like, what's your process for trying to replicate what these things are? Do you then bring that to your computer, or do you try to, like, put a custom firmware on the device?

    Guest 1

    Yeah. That kinda depends. Usually, I'll try to extract some of that logic out. Right? Like, you wanna figure out how the authentication is being done.

    Guest 1

    And even that, you'll see being done in kind of a multitude of ways.

    Guest 1

    It might be using, you know, mutual TLS authentication with the kind of, like, client certificate auth, or, you know, some kind of API key that's on the device. If I can get that off the device and replicate it in, you know, Python or in my own browser, that's something that I like to do a lot.

    Guest 1

    But, yeah.

    Guest 1

    A lot of times, it's just making little custom Python scripts on my desktop side to emulate the device and its calls, and then I can fiddle with, you know, hey, I have a device on this account and a device on this account. Can device A access, or make API calls as if it was, device B? Okay. I see.

    Wes Bos

    Yeah. That's fascinating.

    Scott Tolinski

    What gets you inspired to look at stuff, specifically? Like, how do you pick a project that you're working on? Is it just, you see something and you have a question and, like you mentioned, your innate curiosity kind of takes over?

    Guest 1

    Yeah. I guess it is that curiosity.

    Guest 1

    And I'm always looking for challenges in new industries.

    Guest 1

    Right? So, like, right now, this is something I haven't even made a video on yet, but I'm kinda getting interested in drone technology and drone hacking. And so then there's a whole bunch of skill sets that that involves. So I might look for different devices to help me build a certain skill set. Right? So there's been times where I've purposely sought out devices that I think will have a certain kind of microcontroller or a certain component that I wanna learn more about. And so I'll kind of try to cherry-pick the hardware to teach me something because, honestly, making content, making the videos, is one of the best ways that I learn and get better as a professional.

    Guest 1

    Totally. Just, yeah, trying to do something new.

    Wes Bos

    Yeah. What about doing more, like, man-in-the-middle detection? So I'm thinking about right now, I've got a fleet of these, like, 12-volt Fisher-Price cars that our kids drive on.

    Wes Bos

    And we have one that's called a Wild Thing, where it's kinda like a little wheelchair you sit in, and you have two joysticks.

    Wes Bos

    I found it on the side of the road in the trash, and it didn't work. It was erratic.

    Wes Bos

    So I replaced the main, like, motherboard on it with a brand new one, and it still didn't fix it. So I was like, oh, the joysticks themselves have little daughter boards on them, like tiny little boards. And I'm now at a point where I'm like, how do I figure out what the daughter board is sending to the main board? Is that something that you dip into as well? It's not really APIs. It's more lower level. I think about, like, the button to talk to my garage door is not simply just, like, closing a loop of electricity. It's sending some sort of data. How would I figure out what that data is?

    Guest 1

    Yeah. That that's a great question, and that is that is stuff that I do.

    Guest 1

    And the tool is gonna be a logic analyzer that's that's going to help get you insight into those digital communications that are happening, kinda like like, between different chips on a PCB or between two different PCBs.

    Guest 1

    So,

    Wes Bos

    yeah. So you typically, a logic analyzer is what's going to help you. And and then connecting up to those,

    Guest 1

    those lines. Right? So if we go back to the to the case of the UART console, right, those that's just digital communications, but there's, like, there's not yet another end connected to it. Right? So sometimes if I'm trying to, even debug a UART, kinda interface, may maybe it has a really weird, baud rate, the like, a symbol rate for for for how for how fast it transmits.

    Guest 1

    Sometimes then I have to go back a step. I I I have to set aside that USB to to UART adapter for a second and actually connect up a logic analyzer.

    Guest 1

    So the best way to think about a logic analyzer is if if if if we know what a multimeter is. Right? A multimeter measures voltage. Right? And Yeah. A multimeter is slow. Right? So it's like I connect it up to, like, a circuit. It might say if I connect it up to, like, a UART, where where a digital signal, where it's oscillating between zero volts and 3.3 volts, then a multimeter, it might, like, it might, like, give you a little fluctuation if there's some data being communicated, but it's gonna be really slow.

    Guest 1

    Yeah. But a logic analyzer can sample a lot faster and can give you a nice clean kind of a square wave that it that represents that digital signal.

    Guest 1

    And then

    Wes Bos

    yeah. Go ahead. Is is that what, like, an oscilloscope is? I see it over your shoulder right now.

    Guest 1

    So so yeah. No. That and that that's that's a great, like, thing to put on the spectrum because on on the kind of spectrum of sample rate, multimeter, super low.

    Guest 1

    Logic analyzer kinda sits in the middle, and then oscilloscope is, like, super fast sample rate. So it's kind of, like, figuring out the right tool for the right job. But they're they're kind of all sampling, you know, the DC voltage and giving you kind of a readout of of what that situation is. So most of the times to to interpret a digital signal, you don't need to go as far as an oscilloscope.

    Wes Bos

    Usually, a logic analyzer will. And a logic analyzer will also record it. So you could, like I could hook it up, hit the button, or, like like like, pull the controller back, and then go back and look at it and see if it sent, like, it sent just, like, high highs and lows. Is that is that what it's sending?

    Guest 1

    Yeah. Exactly. So the most common one out there, that that that goes with us so Saleae makes a lot of very nice they're a little more expensive logic analyzers. You can also get little ones for, like, $10 that are kind of, like, knockoffs, on Amazon, and it it it will work with their software as well. It's called, like, Logic 2 is the name of the software. And, yeah, it will give you a graph that you can you can zoom in and out on the signals, and then it will include all of these analyzers. Right? So if you're like, okay. I think this is a serial communications, then you can you can kinda add the analyzer, and it will let's say if it's, like, transmitting, like, just ASCII data back and forth, like, kind of that UART console, situation would. You can have it interpret, and and you you'll see, like, over a set of eight bytes, it it it can put the symbol. It can say, okay. This is the letter a that's being transmitted, if Okay. If you're interpreting that correctly. And you and and that's where you can kinda test hypotheses, to be, like, I think this is a UART signal, and I think the signal rate is this.

    Guest 1

    There's also other protocols that can be used, like, you know, like SPI or, I squared C. There's there's the different digital protocols that, you know, use one or more wires to communicate a digital signal.

    Wes Bos

    Okay.

    Wes Bos

    Because so GitHub Vercel had a a badge that was like like a little PCB. It has a Raspberry Pi microcontroller on it.

    Wes Bos

    And there's a little I only recently learned it's not I two C. It's I squared C. But that's often where you can buy, like, a microphone or a little display or something that also sends I squared C communication. It's a kind of a nice hot plug thing. Yeah. Yeah. And so so those those logic analyzers

    Guest 1

    are what to use when you like like you're like, okay, I think it's using one of those well defined protocols, but I don't know which one it is. Right? It's Yeah. Kind of your first step to uncovering that mystery.

    Guest 1

    And then once you do that, then you can use kind of a dedicated tool that that speaks whatever the protocol is, like in our USB to UART example. If it's if it's serial communications, that that's what UART is. Right? It's it's it's a it's a it's a form of, it's a two way, you know, serial,

    Wes Bos

    asynchronous, serial communications.

    Wes Bos

    Is this what, like, tuners are doing in cars as well? Because in your car, you've got, like, an OBD port, and there's all kinds of pins on that thing. Is and then that you can get some guy to, like, tune your Dodge Ram or whatever, right, to roll coal. Is is that what they're doing here?

    Guest 1

    Yeah. And so that's that's another protocol.

    Guest 1

    Yeah.

    Guest 1

    More or less, but they're probably gonna be, again, using a dedicated tool because they know what protocol that is. It's gonna be CAN. So CAN bus. Yes. Yeah. Yeah. CAN is is the protocol that pretty much all, automotive stuff uses, to to communicate. So, you know, your your wheel sensor can communicate to the ECU and all the other components in your car, can can read the messages of what's going on in the car. And so that's that's what that OBD-II port is giving you access to. So you could use a logic analyzer, but in that case, pretty much everybody knows they're like, okay. It's it's gonna be speaking CAN, so we can use a CAN specific tool. The the the the logic analyzer is the generalist tool, And then usually, you you figure out what what what language, what protocol, those physic those digital communications are using. And then you and then you use a purpose built tool, to kinda hone in on that.

    Wes Bos

    Oh, that's cool. I've always wondered that because in, like, the Tesla world, there's all these, like, aftermarket accessories that will, like, pop the passenger door open or or, like, recline the passenger or turn the back lights on, and people just add buttons wherever they want. And it's because they're just they're adding a little module somewhere in the CAN stream and, I guess, intercepting those requests and or sending them down the pipe if they need to.

    Wes Bos

    Yeah. That's cool. Have have you dug into any of the car hacking stuff yet, or is there plenty on your bench to work on? Yeah. Yeah. That that that that hasn't been an area of focus yet. I

    Guest 1

    like I said, I'm curious about everything, so it's just a matter of, managing that curiosity.

    Guest 1

    Haven't gotten quite into the, the automotive world yet.

    Wes Bos

    Do you have any, like, crazy stories of of things you've done recently that is kinda fun? Or or even just, like like, hardware IRL. Like, I every time I see, like, a massage chair or, like, an arcade claw machine, I'm always trying to hit combinations of buttons or, like, trying to, like, reset it. Like, I or the the in screen entertainment systems in the plane. They're always trying to hit the buttons and figure out what that is.

    Guest 1

    Yeah. I think I had a post on X about that. I was I was, like, flying back. I think it was from Defcon, and, like, I was able to figure out, like like, I wasn't able to get a full escape back to, like, the Android. But you but, like, those most of those in screen displays are are Android.

    Guest 1

    Yeah.

    Guest 1

    In in in fact, I I like this is a little bit of context into the the industry that I'm most familiar with. But most, like, security panels at home that have a nice display, not like a super old, like, crappy LCD display, but a a proper display on them, those are usually running Android as well.

    Guest 1

    Interesting. But, yeah. Those in in those in screen displays, I was able to, like, enter a game and then, like, it would it would show the, like, the go home button, or or or or the or the, like, the button in Android to, like, access your other running applications. And you, like, you could spam that really fast. And, like, it would escape back to the, like, just the the app selection menu, but it didn't let you escape any further than that. But

    Wes Bos

    yeah. Oh, that's so fascinating. I also had a post on pnpm a while ago asking, like, what these things are built in. We had a couple people from the industry chime in as to, like, what they're built in, and and it was it was a really interesting read just to get a peer into how all of this stuff works, especially on a plane. You know? It's it's a fairly closed loop system because the shows are on a drive on the plane.

    Guest 1

    Oh, yeah. No. No. No. That stuff is, is super fascinating. Yeah. With with hardware, I'm always I'm always looking around me in the world for targets. So I'm I'm like that weird person that's like in a coffee shop and I'm like, oh, they have that brand of security camera running. You know? And, but, I think you mentioned my grill video because that's you know, I I I had that smart grill for probably, like, a couple years, and I was and I've always been like, oh, man. I should really rip this apart, but I don't wanna break my grill.

    Guest 1

    So so that that was a fun adventure. And that always leads me to, like, eBay. Right? Like like, eBay is just a is just a great place for me to go find a bunch of weird used, industrial technology or or consumer technology,

    Wes Bos

    to to always hack on. That's so tell us what you did with the grill, though. I think that was pretty interesting.

    Guest 1

    Yeah. So so that was yeah. It was just a fascinating experience because, first, I again, the motivation is, like, I use my grill. I don't wanna I don't wanna, like, accidentally brick my grill because I'm, like, trying to do firmware extraction on it. Yeah. And so I I so so I went on eBay, and I found a replacement computer module that was supposed to work as a drop in replacement for for my grill.

    Guest 1

    And so I I, you know, I went and I started to do the analysis on that. And I was like, this this is weird. This, like, doesn't properly connect out to the Internet.

    Guest 1

    And so then I was like, alright. I just need to go do it on my own grill. And so I and so I ripped them off, and I was comparing apples to apples.

    Guest 1

    And it was like a different hardware, revision, which is really fascinating. So I don't know if that was, like the the thing I bought on eBay was someone, bought that device, you know, like, that device was, some kind of a a development unit or some kind of a unit that didn't pass QA, and they're like, oh, I'm gonna make some money by by reselling this on eBay.

    Wes Bos

    But I was always curious about that as well. It's like, how hard is it for people just to create, like, aftermarket boards for these things? Is that something that happens?

    Guest 1

    Yeah. Well and and then, like, part of the the security world that is not usually the the, like, security flaws that I'm looking for, because the these are I'm not as concerned about. But there is a lot of, anti cloning work in the security community.

    Guest 1

    And so, so they are are trying to prevent firmware extraction.

    Guest 1

    Right? That they're trying to or or or they're trying to put some piece of the puzzle in a place. Maybe maybe it's in some kind of internal, you know, storage inside of the CPU, or it's a microcontroller where it they can actually lock the debug connection, and the firmware is, like, locked inside the microcontroller.

    Guest 1

    Mhmm. And they'll do that to prevent cloners from from just, you know, reading out the firmware and then and then producing a

    Wes Bos

    a compatible Sanity. Yeah. It's it's a hard thing because, like, part of me like, I have a Sea-Doo that's 20 years old. And you you go on AliExpress and buy an entire, like, computer, it's called the SPI, for your Sea-Doo. And for, like, $80, you can if if you, for some reason, have blown your 20 year old computer, you know, on your Sea-Doo, you can just get a brand new one and and slap that thing in, which is great for, like, right to repair, but also awful for, like, someone could steal your Sea-Doo and just slap in a new, you know, slap in a new computer unit, and that thing is is untraceable now.

    Wes Bos

    It's a it's a tricky area.

    Guest 1

    It it really is. And I yeah. I've I've gotten asked those questions before. And, like like, I'm not an expert. I'm I'm really interested in the whole right to repair movement.

    Guest 1

    Yeah. I I actually start I would not have started my YouTube channel if it hadn't been for Louis Rossmann, actually, For for kind of a funny reason.

    Guest 1

    So, I hate video editing. I'm not good at it. And so, I watch I would, like, watch his videos and I'm like, this guy gets a ton of people watching board repair videos unedited, sometimes like an hour long video.

    Guest 1

    And I was like, okay. So, like, long form content, clearly not dead.

    Guest 1

    And, you know, attention spans in the hardware slash technical domain, there's an interest for that. So that's kinda what led me to start my YouTube channel and make it just a format where it's it's more or less unedited and long form.

    Guest 1

    So I'm I'm I yeah. I I I have a lot of lot to thank Louis for. And That's good. Yeah. He's definitely interested in the movement. Yeah. Although he did start that paperclip

    Wes Bos

    movement, which, like, the worst people that comment on our YouTube channel are all of the paperclips. Yeah. Oh my god. Avatar.

    Guest 1

    Oh, okay. It's so funny because I haven't watched Louis in, like, in a while. Right? Just because I, I'm busy with other stuff. And so I would see all these, like, paperclips in my in my YouTube comments. And I'm like, what is going on? Are these, like, is this like a bot farm? Yeah. We thought it was the same thing.

    Wes Bos

    Yeah.

    Guest 1

    Yeah. Yeah. And I was so confused. And then I was like, and then, like, I I I finally, like, tracked it back. I'm like, this is, like, a Louis Rossmann thing.

    Wes Bos

    Yeah. All the paperclips, please leave a comment right now. We need to see you. You know? Yeah.

    Wes Bos

    Anything we haven't hit on that you'd you'd love to cover?

    Guest 1

    No. No. This is this is really cool. I'm just, like, yeah, glad to get to chat and, share something,

    Wes Bos

    interesting to the audience. I've got I got one more question for you, and this is this entire podcast is very self serving.

    Wes Bos

    I only want you on so I can ask you questions directly without having to pay for your time. No. I'm just joking. But, so for Christmas, we're getting your kids laser tag.

    Wes Bos

    And as far as I understand, that that's RF.

    Wes Bos

    Like, it sends an RF signal. And I was thinking, like, I wanna build a nuke.

    Wes Bos

    Yeah. That like, I wanna build some device where I hit a button, and it does RF in every direction and just, like, boom, gets all the kids, and then they're all dead. You know? How fun would that be? Like, what what would even be my first step to building something like that?

    Guest 1

    Yeah. So so this is something that, this is a domain that I've recently started to produce some videos on.

    Guest 1

    So that that is gonna be kind of some, yeah, some radio protocol or reverse engineering.

    Guest 1

    And so, a software defined radio, an SDR, is probably gonna be step one.

    Guest 1

    Also, the thing is, if it's RF, you can do a lot of open source intelligence gathering through the FCC.

    Guest 1

    So, the FCC website and there's, like, a third party site. I think it's, like, fccid.io that just, like, scrapes the FCC website. Oh, I love it. You can see internal photos of everything.

    Guest 1

    Exactly.

    Guest 1

    Well and and the other thing they'll document on there is the frequency, the radio frequencies that are being used. And that saves you a lot of, like, scanning around with your SDR. If you know what what it's transmitting on, then you can listen.

    Guest 1

    And, you're gonna need an SDR. Now, to actually do the the replay attack part of it, you're gonna need a radio that can transmit. So the simple, RTL-SDR that everyone starts with, which is great, those can only receive, they can't transmit signals.

    Guest 1

    And so, you're gonna need something like a HackRF, maybe.

    Guest 1

    And so the HackRF even has really simple programs that will record a signal and try to replay it.

    Guest 1

    So Mhmm. Assuming that, you know, there's not some super advanced security

    Wes Bos

    going on with the the laser tag system, If you can just capture a signal, right, like record and then and then shoot and then shoot like like shoot the gun at at the antenna and then record that signal and then try to replay it and see if it has, the effect that you're looking for. Man, I I think I have something like that. It's either RF or IR. I bought it to I think Scott might have done this as well. We have, like, these, like, little AC units that don't have, like, a Wi-Fi chip in them. Yeah. But you can just, like, point the remote at it and and train it. Right? I should look into that because I actually got one for my laser tag newbie.

    Guest 1

    Oh, that'd be awesome.

    Guest 1

    Yeah.

    Scott Tolinski

    Joe, Wes hacking to cheat at laser tag with his kids is, for bringing it. And, like, it there's no chance it's it's, like,

    Wes Bos

    like, encrypted. Is it?

    Guest 1

    I I I highly doubt it. Highly doubt it. Okay. Now now now what might happen is, like, each gun might have its own, like, like, a part of the signal that's different if if it has any kind of, like, scoring system, right? Because then you need to know who shot who.

    Guest 1

    And so, there might be something that is encoded. I doubt it's encrypted, but there might be some part of the communications that is identifying that's, like, unique to each gun.

    Guest 1

    But maybe you don't care about that if you're wanting to nuke.

    Guest 1

    Wes, well, then you should do it with your gun because you probably can't in the system, you probably can't shoot yourself.

    Guest 1

    And so you would be immune if you captured your own gun signal and sent out the nuke. Yeah. Yeah.

    Wes Bos

    Oh, man. I I I think the first thing that ever got me interested in this is years ago, somebody figured out that you can take this, like, kid's diary from the nineties.

    Wes Bos

    It was called the, like, I am me or something like that. It was like this little thing, and it had an RF, transceiver because you could go between them.

    Wes Bos

    But somebody figured out that you can just make it go on loop and send every garage door code out.

    Wes Bos

    And this was before garage doors had, like, rolling codes. So this was, like, like, like, 30 year old garage doors would just open, which is at our cottage, we have one it just randomly opens, and we've we haven't pinned it down as to what it is, but it's somebody's key fob for their, like, Dodge Caravan or something just causes our garage door to open.

    Guest 1

    Yeah. That's, Samy Kamkar, his work, and he's got a Defcon talk that, I I, yeah, highly recommend. Oh, man. And stuff. Yeah. I wanna go to Sanity. He's done some crazy stuff now. So he is getting into, laser, using lasers to transmit sound.

    Guest 1

    And he had a project where he could make an Amazon Alexa unit receive audio with a laser through a window.

    Guest 1

    So he could so he could transmit audio through a window, like like, if it was in somebody's house, like, to the Amazon Alexa, and it would the the the vibrations, like, the the signal that Like an unmodified

    Wes Bos

    Alexa, they would just the vibrations would play. Oh, that's terrifying.

    Wes Bos

    Holy hell.

    Wes Bos

    Yeah. Yeah. He's he's getting really deep into laser,

    Guest 1

    technology, now. He's got some, like, home brew, like like, laser technology, that it's like yeah. You gotta you gotta wear proper eye protection. Holy shit.

    Wes Bos

    So so my last question is Scott stuff. Do you have any the the classic thing is, like, I keep my IoT next to next to my bed with a gun.

    Wes Bos

    Do you run any smart home stuff after all you've seen here?

    Guest 1

    I do. I yeah. I'm I'm maybe not as doomsday as, like, most people about it.

    Guest 1

    I, like, I've got, I don't know. Like, I'm I'm just kind of a network nerd anyway, so I do have, like, networks. So, not overly, like, paranoid, but I do have some network segmentation that I keep Okay. You know, some devices on a different network. And so, yeah. And it's just a matter about, you know, choosing what your risk profile is. I have some Vercel. I don't have a lot of Vercel. So, it's it's it's kind of a compromise in the middle. And obviously, I'm always playing around with things in my in my kind of like Wes lab here. So I've I've always got some some weird traffic going out of my my network.

    Scott Tolinski

    Matt, that was really enlightening for me personally considering I I don't get my hands dirty with most of this stuff. So, I really, really enjoyed hearing all of this. So, now is the part of the show where we get into sick picks, which is something that you're just enjoying in life right now. It could be anything from a podcast, a YouTube channel, product, whatever.

    Scott Tolinski

    Is there anything that you're just really feeling right now?

    Wes Bos

    Yeah. So I I totally forgot to tell you about this. Usually, we have, like, a whole document we send ahead, but I did I did it a different way this time.

    Guest 1

    No. No. No. This is this is really good. So kind of my my side interest is, has has been business lately. So so so I've been, you know, running, my my my own business, and I've been just getting more interested in in how to run a business effectively. So, reading books like, Key Person of Influence, by Daniel Priestley.

    Guest 1

    Just, yeah, just some general business books to kinda up my game in that area. Funny enough, my my undergrad is kind of in business, but it would it's because, like, management information systems, like, our I my IT degree was,

    Wes Bos

    in the college of business at my college. So Oh, that's that's exactly what I went to school for. I went to school for business technology management, which is exactly, like, not enough coding, but more on the business side of things. But,

    Guest 1

    we It was really because I didn't wanna take calc three and, like, all in physics.

    Guest 1

    Oh, yeah. Why why why I chickened out of, CS? But, that's another story.

    Wes Bos

    Oh, that's great. I got I have never read that one. Key Person of Influence. I'm gonna check that out.

    Guest 1

    Yeah. And and and it really, like I I really like that book because it talks about how you can use, you know, your like like, I I'll never call myself, like, an influencer or whatever, but but it it it talks about how you can use your your public presence, your content to build a business that kinda syncs with the rest of your life. And so the cool thing for me is I feel like it kinda follows the journey that I've gone on over the past two years because I made my YouTube channel when I started my YouTube channel, I was like, if over the lifetime of the channel I get 10,000 subs, I can, like, be like, mission accomplished. And obviously, it, like, rocketed past that.

    Guest 1

    And so, that caused me to just get reached out to by businesses to be like, hey, can can you do some consulting for us? And so the business just kinda grew out of the content.

    Guest 1

    And so,

    Wes Bos

    we're gonna we're just gonna see where that goes. That's awesome. How how long you've been doing your YouTube?

    Guest 1

    About two years now. So And you're almost at 200k subscribers. That's amazing. Yeah. Yeah. It's, it's been a wild ride.

    Wes Bos

    Yeah. Wow. Well, congrats. Thank you so much for your time today. And Oh, woah. Woah. Woah. Woah. Oh, sorry.

    Wes Bos

    Never mind. Go ahead,

    Scott Tolinski

    Scott. Also, the last thing is shamelessly plugging. So is there anything you would love to plug to our audience to make them aware? So we'll we'll link up your YouTube channel. It's a fantastic subscribe.

    Scott Tolinski

    Anything else you wanna plug?

    Guest 1

    Yeah. Just, if anyone is in the need for a hardware pen testing, that's, like, the the one thing that I do, at my business. And so brownfindsecurity.com, is where you can find info on that. Nice. Sick.

    Wes Bos

    Right on. And then YouTube is just Matt Brown. It's m a t t b r w n if you're going to YouTube as well. Yeah. You can click the link in the show notes, but if you're just typing it in, you'll find it in there.

    Wes Bos

    Cool. Well, thanks again for all your time. This is super interesting. I appreciate all your all your time. Thank you. It's been a great great time.