Breaking and Entering with SDR Hacking Physical Access Control Systems and Garage Door Openers

like to thank our silver silver level sponsors the NSA hexa beam Accenture federal services open security titanium level cybersex jobs Denham group Alamo Issa and Lamarque Solutions and next is breaking and entering with SDR with red saying thank you very much alright give me a few more seconds here I'm still finishing setting up all right hey thank you guys for hanging out for the last presentation of the day I know it's been a long day everyone hung in there good job go ahead yeah we'll just do that won't we all right did nobody hear me I'm gonna try I disappeared for a while my career up again so here's what we're gonna do we're gonna focus on breaking into a

garage door door systems and and so before we begin every every good fun hacking article or experience starts with just a clicker does anything sort of the disclaimer disclaimer is that oh that's better perfect yells great that's even better okay yeah point is don't give me a trouble so what I'm gonna show you guys today will allow you to get access to complexes what that does not mean to allow you to the to individual people's doors but that gets you access to the physical building the reason that's to me before get a little bit too far into this there's I think that's kind of important is because succor me I actually I thought I felt

safe and secure behind this concept and so when I found out I'm not kind of it changed my mind so take that kind of light harder we go with this we're gonna have a fun conversation today but you can't get in trouble so just be real careful about what you do and make good decisions hopefully you're all adults all right so we're gonna try something a little bit different that I typically do what I think I perceived is that this talk is very technical and so if that's true what I want you to do is if I start getting really complicated and technical and you don't understand because I talk fast I want you to raise your hand now

that doesn't mean I'm going to call on you because I don't actually care what I want to know is if enough hands go up then I'll slow down the stop okay so before we can jump into this a show of hands who here is played with a sovereign to find radio before Wow a lot of you guys alright so here's how so what I like to do is I like to tell stories here's how I got into this I stayed up one night and I spend a thousand dollars on equipment and then somebody that really loves me told me that I needed to justify that payment or return them and so I decided that I

would attack the first thing that's all I written near me and it was keep up and so it started with this and so I like what I like to do is I'd like to tell a story about how I got about doing this so I first started with buying software-defined radios and if those of you are familiar here's some examples of some up there have some other examples down here this is the a Dom Pluto this allows you to transmit and receive here's the line there's a mini LimeWire allows you to transmit and receive what I'm going to be using for the demo is the rtl-sdr little silver thing it only allows you to receive if you're gonna play with

this I recommend and you're and you're nervous and have anxiety like I do i reck'n mind buying the rtl-sdr because it's receive-only and you can't transmit and get in trouble just a suggestion right so I stayed up late one night and I bought a bunch of this stuff and I thought okay so now I need to figure how to like how to break into these things and so this is what we're attacking I'm gonna actually pass these around I've got one for either side you guys can look at them and play with them if you guys are doing that so one of these is to my house I swear to god I need that back I'm just saying

I did not clone my own key fob I should have done that if you've seen these before that they look really familiar to me I over 10 15 years living apartment complexes I've seen these variations time and time again and it seems like if tell me if I got this wrong but I feel like I captured the majority of kind of those up there on that screen if these look familiar to you guys have you seen these four yes no okay great good great I want to hear that good deal all right so this is what we're attacking again don't know how it works the next step is that I start to check Google because what better hacker what

good hacker doesn't Google right so all my greatest hacks came from googling and so what I started with is how does this work and so the first thing that you do is whoever has it you can flip it on the back there's a little thing on there it says FCC something something something something right so the first thing you do is you're going to Google the FCC something something something something and actually walk you through here a little bit of time gonna show you some of the stuff we'll pull up you get the FCC reports and really what this is is is documentation on how to go after so inside so here's how you start look at

that idea on the back you'll have a sec information inside the FCC information you'll have the how to do it you'll have what frequency it operates on you'll have the gist the marketing gist of how they're selling it so how the market consumes it and then you have the technology aspect of for the most part how it works so you don't want that one you want to do there are pictures all this goes in your FCC doc so here is the the sales piece that goes with it and inside the sales piece we have our operation information the number of keys we also have a little bit more information in here and you'll see them

here it says the word wagon right so has anybody heard this word wagon before you've been to a hacker conference the past 15 years right okay so I'll get her I caught up the proximity cards so where you go peep and you get in the front door back then I mean maybe still a lot of them still use the wagon plugin protocol basically you're transmitting a facility code and a certain serial number and it opens up the access door this is the exact same attack except now we can do it from football fields away and we show you how to do that all right so let's go back to the presentation so again what I'm doing

is I wanted to walk you through kind of how I started this is how I got my hands around I know that I need to look at 2:00 and 95 megahertz and I and I believe based on the communication that I'm looking for something called Wiegand let me back up cuz I'm fast I don't know anything about software-defined radio this is my first project I'm a developer by nature so if any of this is wrong let me know I've made up my own terminology I did my own things is all my own [ __ ] so if I'm wrong just like correct me OK alright let's keep rolling here so from here based upon that so we're telling a

story so based upon that documentation I can I said ok let's go look up wagon receivers so we are a wagon transmitter let's go look at wagon receivers and so this is the way it works here our example wagon receivers the way the system works is that these wagon receivers talk to these transmitters and then over a pins will pin into some sort of general access control panel that will pass you the wagon code from this module so basically that you have you're in that in that generic access control module works just like the proximity car systems because once it gets it in the wagon format it doesn't matter how it came from it came from a cat car clothes

card or if it came from long distance and so essentially they wire them into that central computer and then essential computer runs the the door software for securing it and that's basically how that works I think any questions on kind of how the how it all piece it together this thing plugs in a server ok great so here's what we're gonna do before I kind of jump to it we're gonna make one of these things using software that's what we're gonna be doing so how do you start with Safa defined radio and hacking with this so the first thing I did is I started with cubic STR I know because it told me that it's 200 foot 95 megahertz so I

punched in 295 megahertz here and I clicked record and I spit it down the wire and this is kind of what comes out you'll see that the the yellow and red represents energy it's it's the the strength of the transmission and so we sit looks look like caterpillar to me but basically this is what your axis your axis thing looks like when you send it across so take a step further then we record it because if you think about it so one of things I do for a hobby is I do music stuff and when I started realizing that that's this is a these are mp3 files playing notes and we're dealing with a song then I started

treating it like music and breaking it down into measurable measures right and so this is what it looks like from the view when you measure it based upon signal strength so this other view the last word was based on signal streak to some degree but also gave you the hits the heat map because it gives you a heat map of all the different areas it allows you to look at the data differently well now that we know that we want to look at 295 we can we can slice and dice that data the other way and we start to see a pattern and so this is what it looks like it when it comes across you have a

little March and the marks are spaced out periodically and so so as I'm telling the story all of this is done in one night so far so I probably an hour a half into this I've got this up and I just pull out a notepad and I thought yeah I think you know what I think I see a pattern and so I just sort of marking my pattern out and writing down the bitstream myself by hand and so let's see if we can guess this together so it streams are either 0 or 1 right and so that's not me so I noticed that the only thing the difference is is not the signal strength it's the offset of where those beats are

right so we talked about a rhythm I see yeah we have a hit a hit a hit and then it's an offset hit hit right I think okay that's a weird pattern that's weird what does that mean well I can make the assumption that the first bits going to be a zero because I well technically I made the first assumption that bits a one so I did everything backwards but I fixed it so it works now but essentially they have to be bits and so we I sort of figured out is that when it changes positions that position means something and so it's actually position dependent so we'll be starting our first position and we stay in our first position it's going

to be that same value but when we shift positions it's a new value once you've shifted that position and it's just back and I'm sorry keeps going then it'll be the same value but if it's just again it's gonna be a new value and so this is what it looks like when you hold it down for one second it spits 33 digits five times so for every yeah it's five five seconds you hold it down it spits it out a bunch of times and so this is what it looks like together with a bunch of them now the point to this is that because I'm going to get to the demodulation of modulation of data but to the point of this is that

we want to hack this right we we want to demonstrate that we can own this stuff and so the first thing that I see you tell me the data is the same over and over right all right same same pattern looks like the same patter to me so what does that mean what does that mean to us that means that if the day is exactly the same I don't know I have to cat note I don't have to know the content of the data to replay it so out of the gate you can clone these things so I don't think they make them because this is over VHF very high frequency 295 megahertz but you can make one of them just like they

do for the the RFID key files where you put them close together in 2000 megahertz because the pattern doesn't change all it's doing is recording a sound mp3 file not data and then replaying that sound mp3 file alright so out of the gate we've already cloned our key fobs in the first hour all right alright well let's keep going because that's not enough so I do so so before before I go any further you know we always want to get credit where credit is due and so Holly grace has done about a lot of research on this as well so kudos to her we always want to support women's security so Thank You Holly all right next side okay so Kiki cloning

is great keyfob cloning is great that's that's low-hanging fruit that's the easy stuff let's get harder in it because I'm better than that and I'm a software guy and because I haven't got to the software side of it yet I haven't done my duty alright so here's where I can't start learning new things so it's called mod D ever heard of a modem modulator demodulator yeah so the concept of converting into data and back based upon signals there are a bunch of different ways of modulating data over-the-air there are so many freaking ways that that will probably be your number one hang-up when doing this I can tell you that pulse position independent pulse position modulation isn't even on

Wikipedia but that's what this is right but once you get it so anyway we'll go through these a little bit because I think it's worth it's worth mentioning PSK and ASX an FSK those seem to be them and so ok is a subset of ASX those seem to be the most common ones out there though and so the way it works so correct me if I'm wrong because I probably am with FSA FSK it's it's going to shift that data across frequencies so it's gonna work similar to like your FM radio where it shifts it across frequency so that's why when it rains your effort I don't listen rate anymore but when it rains FM radio sounds better

because it's not messed up by the the water drops but a radio sounds like crap you know that all right cool right all right let's keep it up so I've come to subscribe this already but slow down alright so we broke it down so what we are looking at is the amplitude of the wave so this is a sine wave right adopt what wave going across and we call this the baseband so we're looking at the 295 295 megahertz in this example there's so I've seen other implementations of this at 400 and something megahertz so there's three or four of these frequency ranges that vendors have FCC license is transmitted on but it's the same technology and I'll

tell you all right so the next one I mentioned the pulsing piece so and I'll go back and explain because I enjoy this part tying this back to a song with measures and notes right and so we think about in this example we only have two beats per measure for those music people because beat 1 is 0 and beat 2 is 1 but to think about it is that it's if you were to do that simply on if beat one hit left and beat to hit on the right side of the measure that would actually be called pause it's called something else and the reason that's not as good is because you have to clock synch with the thing you're

sending so they both know the beats at the same time it's a lot harder so there's a lot more technology involved to get that done versus pew-pew Inge a bunch of stuff you know based upon offsets all right oh yes so PW that would be called PWM based upon offset and PWM requires clock sync so that's why they do what's called ppm pulse position modulation or differential pulse position modulation yeah so we're getting very technical but this part is important this is how you tie it into data because once we tighten the data then we can go ham right all right sweet all right so I kind of gave the cat out of the bag already we're attacking wagon

again so I I am is a little bit of old hat but it's an it's packaged up in a brand new shiny box so kind of break it down a little bit further and what these how this works in your bit stream it's going to send you so 26 bits 33 digits 33 bits excuse me and one of those key fobs it's 36 and the other key fob it's 33 bits I'll show you guys in the demos but basically they sort of tried to stick with a standard but and the newer key fobs they thrown it out the window because you can do whatever you want with the bit sequence in the bit space you have so basically you have

a facility code and an ID number your facility code well any uh parity bits okay so parity in a second facility code says I am in building number zero building number one let's not get confusing I'm in building number one and my ID number is 1 1 1 1 right the reason the facility code is important is because when they sell the exact same system to the company next door you don't want to have access to their system as well right so their facility code might be 4 right so that's they felt like that was one one moment of strength of confidence to help alleviate any type of security issues and we all know this that's garbage

the next piece is going to be as your number now and 26 bits you have a 16 bit number can anybody here tell me how big the number is of 16 bits what's the highest number you can have who said that attaboy good job right yeah everybody raise your hear or said that good job yes go team go team that's correct so you're telling me that I just have to if I know that the Saudi code I just have to enumerate 65,000 requests before I get your answer good so they said you know what we'll throw more bits in there we'll make it 33 bits and you're thinking 33 it's a weird number why are you doing that well because they

need parity bits what that is those are bits on the front and back end that do a something like a CRC check but it's a parity check it's single bit parity check and the reason that's important is because when you're peeling this stuff over the weather and it's bouncing off of other buildings and you don't know what the hell it's actually receive right so you have to make sure that the message intended to be delivered is the one that was received and so that's the parity portion all right so with 33 bits we now have a single byte facility coach means we can go from 0 to 255 I gave that one for you gave unto

you and then that means also the last end of it should be 24 bits so 24 bits the highest number is like 16 million and change so that's better right it's better much better so on the 36 I think it's a whole it's a whole unsigned integer 32-bit integer all right so all right so let's suppose jump right into this I talked to you about the first part where we cloned it that was an easy low-hanging fruit when I'm not about the easy wins about the hard wins I don't know how to use the new radio I learned it's really hard but it it's hard for me because I am a software guy I'm not a radio guy and

this is meant for the radio guys it was built for them and so really for me to be successful I hate to I'm not I'm gonna here dog them I felt I was very frustrated and putting this together I didn't feel like they had adequate documentation to get things accomplished you know what helped me get this done Wikipedia Wikipedia solved 90% of this project I'm not kidding alright so I will I'm not gonna describe this one I will describe it when we do the demo this is here to scare you because it got smaller alright so I have to test this thing well I live downtown Dallas in a twenty thirty story high-rise and if you'll see you can

actually get an antenna out there and come to find out you can pick up buildings from four blocks away in the rain so over a weekend I got everybody's access code for all the buildings around and it was pretty fun to see that demonstrated and so it looks a little bit like this and so we're gonna do live demos but essentially the new radio is going to take that data in it's going to do the demodulation of it and pass it to a module that I wrote and that module then converts it to a bit stream and they converts that bitstream to a wagon code and gives you the wagon output so in this example again we're gonna do we're

gonna spend more time on this you get your bitstream so you can actually take this and debug it on the internet because there's Wiegand debuggers on the internet if you can imagine that and then here's your actual results so here's my facility code and my card ID number and whether or not the Perry succeeded your mom all right so let's keep rockin any question I'm going a little fast doesn't make sense oh [ __ ] yeah all right well let's get to the fun stuff so again reading is only half the fun it's it's thirty percent of the fun because if we have information we can't do anything with it then what's what's there to do

so on this regard I thought you know what I have to be able to translate these things so what can I do if I transmit these things I could brute-force other access codes but is that valuable isn't that valuable because I just spent all weekend picking up 1,200 do I really need another one probably not what but what if I jammed a bunch of it sent a bunch of codes out or wrong over and over and did let anybody in their building I can be beneficial what if I Jam the doors open let the homeless in terrible idea or furthermore what if I what if I frame somebody for a crime right these things are used for

locks fine all right all right so next let's talk about sending this data again basically you do the exact same thing in Reverse instead of a demodulator modulator so I have not released the code for the modulation ID oh I'm waiting to do measurements to see whether or not I get sued so let's let's just do the read-only portion of it and we're gonna wait and see what the market says because I don't work in trouble but yeah so basically it's the exact same process backwards the thing I think is really important because we do want to talk about the legalese there's like Tim how did you how do you your stuff works great question I did

not try this at home what I did is even though you'll see here even though you can dump it to a an SDR and send that data out you can also dump it to a file and if you dump it to a WAV file then you can pipe that WAV file back into your D mod code and test it that way I think smarter all right all right so what's the value of that right so my limit here my limitations I'm loaded to about five messages a second sometimes it might take one or two tries again and a twenty and so I break down the key space so so what is does it really make sense for me to

brute-force all values no but maybe and I'm gonna give you the example of maybe at the end so basically this is how the math checks out it would take me a lot longer so on what's sixteen point seven million records transmitting to a second it's gonna be a long time a long time there are some creative ideas that I've seen on other people's talks on merging those messages and making them go faster so I think there's some innovation available to do that sort of stuff but for my talk I didn't spend the time on that all right here's the next one so I had this I added this one recently market impact I can't really measure it

I'm having a hard time so here's what I measured so far and DFW where I'm from 70% of the info set guys at the talks I give because I've given this a couple locals they're just the vet it most of the people there have a delimited apartment complex have this and so what I'm trying to understand is how how prevalent is this out there in fact if you guys are brave enough maybe raise your hand who here has one this guy this guy two three listen okay that's fun that's fine that's fine I'll figure out how to find out all right so you might need help on in order to make this a better talk for

Def Con I need some of the business metrics on what the risk impact is in to the world and I can't get that so if you guys can help me out and help me kind of measure that would be greatly appreciated because as you guys know he who lies in this industry will not live long right all right so next level stuff 15 minutes so we talked about key key fob cloning one of the things I did is I actually bred boarded my own transmitter using components so you can actually buy the individual components from Alibaba and such and you can read board your own you open these things up they actually have the the schematics and the FCC guides so

that was pretty easy the the trick to that is that you have to have the the reprogram er the inline programmer for the the the flash the CMOS or the MMU whatever it is because you have to dump it off an existing one and then remount it back into another that was the only limitation I had is because they quit making that and I had to order 20 of them just to do it but I proved it I could do it so that's important right okay so one things I wanted mention one things I want to mention is God codes I think they're out there but I need to crowdsource them because I don't have

the time and also I look like a crazy person pulling on the door every two seconds with a laptop so however you guys want to help me out with that not look like a nut I appreciate it so where we are the next steps okay so I think my point to all this is that yeah great we could have had an easy win with cloning this at the beginning and just playing the song over and over but to really get our hands around it and to do more with it at the application layer we have to enable ourselves and so now that we've enabled ourselves that's what we're looking for is application bugs so in my

mind this is sort of a stepping stone talk to hopefully opening up new vectors of attacks on these types of systems now I can I kind of blew at the beginning I I think I was sort of shook into the core because I genuinely felt secure at home I know I'm in cybersecurity I know I get it I also run a gun company I feel like I feel secure in all these things but the reality is is I was secur I wasn't secure at all right and so what I've when I've measured and asked my friends and and the people at these conferences every else seems to and I think it's just cuz we're security

people you guys all seem to seem to agree that now you already knew ahead of time that you weren't secure and then that's and that's that's bullcrap but I gotta tell you man I like I I was on the other into that I was I felt absolutely ignorant so let's talk so what we did is we kind of just blew it blew up how it works we talked about how to read them how to write them what you can do with them then we've kind of covered that process so in order to be responsible we have to talk about how to sort it out right so the first thing the vendors recommend and so I pull this up a1

website it's not about this talk it's about just generically better securing it they recommend having unique facility codes per user how is that how is that beneficial yeah I mean yeah so it's not beneficial to me because like you guys like I just showed you guys the moments one person uses their key fob to get in the door doesn't matter right so right now the market doesn't have a good answer when I believe the answer might be there's a new key fob system because its wagon you can't fix the protocol that's it's an implementation decision you made if you'll go to the FCC documentation they will tell you that there's confidential proprietary information that will not be released in the FCC

guys because he will caught that will compromise the the security of the system when I read that I knew there's blood in the water because there's no such thing as security through obscurity or lack of documentation all right so I got about 15 minutes left now let's go ahead and do some demos real quick I mentioned about rotating Keys if you could set it up to where it's it's two-way transmitter receiving it's and it's a negotiation knowledge you know what I mean handshake thank you yeah one of those things then they can negotiate it on the fly right so I'd be a little bit better something close I mean even test about perfect better right

all right also all this code is available it's on github I don't know I'm sure I will get somebody so they can link it to you guys I'm not sure what that process is but as soon as I find out I will let you know and I will put it out there for you guys but I also post it on my Twitter account as well

all right let's go ahead and talk about this real quick so this is our D mod code and so on the D mod you're gonna have a you'll see it's not that's fine so in the in the D mod you have examples of being able to use an SDR so I I haven't here Pluto SDR lime SDR and an RTLS dr2 tagging there's also stuff in there to tag in the wav file you don't need to know the too much details about how that works but you can use a WAV file you can open it up here but basically what you do from there is you pass it through the AMD modulation module now the and demodulation module

is basically an easy wrapper module because what what what that really means what capilla says you first do a low band pass filter then you do a high band pass filter then you do a gain attenuation and then you do something AC attenuation than used something else all of those things are bundled into the AMD mod module soon as I found that out that's why that big slide before it got really small because it's the same thing so once you do that you basically what that does is that will allow you to see it kind of as an as an am as an AMC 10 I guess is the right way to say it and

then AGC is automatic gate control too so this allows me to gain it up the reason we're gaining it up is the so the processes we want to filter out all the noise around our window to listen on and then that window we're listening on we want to pitch it up as loud as we possibly can without interference obviously so there's a little bit of give and take there and once you've got that then you create an opportunity to have the cleanest line signal to be able to deal with the information once you have that actually you add a constant 0.07 and I'm going to show you guys why I did some some tuning on the signals and from

there you're going to pass it through the the pulse position modulation and the ppmd modulator is what you're seeing printing that data out at the bottom now let's go ahead and play with it so you press play and we're going to get a couple views here I think Oh

all right so this is actually two different views of the signal right now one of the things so before I get I get down to this if you ever have to debug it the first thing you have to do is adjust this this Auto range is total junk I don't know why it's there doesn't work the first thing you need to do so based upon your SDR your second swindle your time window is going to be really really tiny the the worst it is the bigger your window will be so you're actually gonna add seconds to it so I like to see something like 160 milliseconds so now we kind of have a bigger view of signal on the wire the

next thing we're gonna do is reduce the size of it so it looks small right and so now you see a signal line around negative 0.3 basically and so really what I did is by adding and subtracting that that constant I'm adjusting it to get closest to zero because in my pulse precision detector my threshold of zero to detect the peak so anything over zero says hey I got a peak let me do something about it and it passes it to the next step so what you want to do is get that signal as close as possible zero without going over to where when you hit the button who has my clicker here you go see and it comes across like

that hold it again that's what they look like alright so then you go down here and here's codes so facility code ie code that's actually that's the one for my house nice who has the other one hold the other one out so that's the 33 bit one hold the other one down perfect okay so here's the other one good job okay you stop now okay so in this example so the last I did both and pretty quickly this example my facility code so it's right here here's the entire code here's the size of it in 36 bits my facility codes one here's my ID number and there's a parry success in some instances it the parity may not

check out but it's still correct on that and I'm still figuring that Rimmer right I'd literally made all this up at home so somehow something else as I don't have right yeah so I real a little quickly on that we got about eight minutes left any questions hmm else do in life let me see it yeah bro I got you

I don't offer any legal advice or anything like that I don't tell you guys

so it's on a different frequency great question what's yours let's see that would first do you think you want you can help me out and final frequency here huh oh is it three three one all right let's find out I told you three three one first so I'm gonna stop this oh did you do three three one okay and then we're going to adjust this here three three three five three five three one generate play doo doo doo doo all right go bro

yeah yeah three three one yeah yeah well maybe I'll bring it closer maybe who knows it should work but oh yeah this was different it might be well that's weird oh this is Alexis key bro yeah so on the Lexus these are these are two-way handshakes these are way different those yeah it's gonna be a whole other spectrum so these are going to be just under cars car security right car security is the next level like oMFG this is just under that this is your house secure you're not that make a deal right yeah 318 thanks okay

okay we'll do that one next so I see yours come across and it looks like it needs a little tuning here it's what oh oh oh okay so basically what I need to do is record your wav file and tweak it and it'll because it's gonna be the same basic thing okay okay can I see you real quick more time

yeah okay so okay here's here's so this is this awesome timing here's the difference your spacing on your notes is different than my spacing my notes are at every point five one and one point five and to position yours positioning because I have debug code here as it zero point eight one point eight and zero point two so your your your timing is a little off so we'd have to do is I'd have to adjust this and make it work for you know make it work yeah that's how it works I just I have failed mostly there okay I can do it I'm professional I can fail I'll go with that all right guys I really enjoyed this

what what question is going to answer for you yes sir it's not no so I'm gonna go out on a limb and say maybe in the stuff in the 90s but any anything recent no it's a whole other set of problems and so those are recovered by stuff that Charlie Miller is done and some of those guys that did the entire auto hacking village and that kind of jazz this is so again we are so it gets kind of confusing because even though it looks the same how it works on the underneath is can be completely different across vendors what we're attacking here is specifically anything that is called click safe compatible think it's click

safe they gave us the branding to know however how you're affected anything that is right here did click if it's auto I think it's also called Auto key compatible yep yeah okay so cause AutoKey compatible so I believe that's gonna be the yeah protocol I don't keep compatible so anything that's Auto key compatible I believe that's our attack vector across vendors yeah yes sir you know from what I can tell it's very similar it's it's even cheaper so there's other stuff that's out there no one's actually demand demodulator to modulate that data yet but if you can do it given it get an SDR and record the wav file and send it to me I'll help you

figure it out gonna be that hard I did this some one night nobody else would question yes sir yes I mean so I do draw a base that we already have a lot of pews yeah I got on it alright I'm open to that I definitely need some creative insight anybody else yes sir great you know so he had a very good question the question was that so it may not make sense to brute-force the entire key space but do you have a hint or suggestion of where to start and you know I forgot to tell you that trick you're exactly right so the starting position is 600,000 the new ID number 600,000 up to I think I've seen up to

1.3 million on the ID number I've never seen an ID number less and I bought I probably bought 15 of these things and with all the data I collected very good question so the key space is not being used yeah all right what else guys I'm done oh yeah oh yeah so it's beer-thirty everybody so let's close out though so first of all is like generally from the bottom I alright thank you guys so much for having me out here I want to thank the venue as well I just I really appreciate I thought they did a great job putting this together I know how much work and effort it takes to put it in this so I know that we opened with

this but I'd like to close as well can we give the everyone around two hand applause buttons together alright it's my understanding there's beer available is that correct