
All You Need Is Pi by David Lodge

BSides Leeds · 2018 · 28:50 · 260 views · Published 2018-02
About this talk
An introduction to hardware hacking fundamentals using a Raspberry Pi as a versatile, low-cost alternative to expensive specialized tools. The talk covers basic protocols like UART, SPI, and I²C, demonstrates firmware extraction from microcontrollers, and shows how a single-board computer can replicate the functionality of a large toolkit.
Original YouTube description

Abstract: An introduction to some of the basics of hardware hacking and how to do it on a cheap single board computer. We talk through some of the basic processes for hardware hacking (e.g. reading SPI flash, reading some MCUs, UART, bit banging, identification ad nauseam) - this will include the theory as well as the practice behind it. Then, the next step is showing that you don't need to carry around a large toolkit and how you can replicate it on a humble Raspberry Pi (or any other single board computer).

Speaker Bio: Is a grumpy Yorkshireman who hates writing bios. Is mostly known for hacking a Mitsubishi PHEV and Samsung TVs; all of which were simpler to do than the day job. Has talked at a number of cons, including 44con, Blackhat and Defcon.

Transcript [en]

Right, hello. Last talk, so hopefully this is an easy one that should go down relatively quickly. So hi, I'm Dave, and my talk is All You Need Is Pi. If you saw Marcus's talk about how you have multiple items to do all this, now all you need is one of these; it's just a Raspberry Pi for most of the hardware hacking stuff. So this is about some basic hardware hacking: an introduction to understanding some protocols, how you work out what a 1 and a 0 is, and to prove that you don't really need a stupid amount of things to do this. So, for example, if you get into hardware hacking you could have loads of

stuff: there's a Bus Pirate and all sorts of, you know, USB-to-TTL converters. The thing I wasted most of my money on at one point was something called a HardSploit, which I spent a fair few quid on and have never used because it never really worked. Don't buy it; total waste of money. One of the things I'm going to say is, what's wrong with using, say, a BeagleBoard, BeagleBone Black or Bus Pirate? There's nothing wrong with it; if they work, they work. I just used a Pi because I had one in the cupboard, basically, when I was going around and using it. And the basic lesson is, if you understand how these things work, it doesn't matter what you use: an

Arduino, a Raspberry Pi, a BBB, an Odroid, any of these sorts of embedded things. So, we'll leave the Bob joke, just for the obvious one. Hi. So I don't normally do an introduction, but I sort of want to make a point here. I've been doing IT security for about fifteen-odd years. Originally I was a developer, then did UNIX sysadmin. My only hardware training was doing CDT, design technology, back in nineteen-something; pretty much all I remember from that is Ohm's law, a really offensive way of remembering resistor codes, which I'm not going to repeat, and that you use a 555 timer for everything. I started doing hardware hacking because I started messing around with various different IoT devices, starting

with the Cayla doll, which you might have seen on our stand, and then actually getting into looking in depth at how this stuff worked and what I could find from it. I've also got an interest in retrocomputing, from when I was young, so there are a few references to that in this talk. Out of curiosity, that's my avatar: it's a Furby. This is generally what happens when I take hardware apart; it has a tendency to explode. Actually, that one was, yeah, we said far too much, because it was funny. Oh yeah, that's me from when I used to have long hair, and that's a CloudPet, and I just thought it would

be more interesting to use as a glove puppet. Your choice. So why did I choose to use a Pi for this rather than all the different things? It's small, it's cheap, you can get one for 25 quid. I'm using a Raspberry Pi 3; you can get a Pi Zero W, so a lot cheaper. There's lots of general GPIO pins you can use, everything's supported, you get a load of the drivers by default, and more importantly I had one. In fact I've got a load of them stuck in my car doing nothing. And you've got the most potential with it; it's a standard board. This is the case I prefer, which has access to all

the GPIO pins. Right, I'm going to start off with a quick demo. Now, technically I'm going to break the law twice here: once with the radio performance rules, because, you know, I don't have a licence, and secondly I'm going to do some broadcasting, which is technically illegal. I say it is illegal. So I'm going to just switch over to my Pi. Before I do anything, I'm just using the Pi through an Ethernet connection. OK, my Pi's not booting. Hmm, let me just reboot my Pi. This is not a good start; this is where the demo things fail. It worked perfectly every time I tried this. Sorry about this. No. Ah, yeah, sometimes if you have a GPIO pin

connected when you actually power on, it goes a bit silly. Right, so I'm going to turn the radio on. I'm going to broadcast over Radio One, home of banal music everywhere. What I'm doing there is, I have turned up a pointer here; if you might notice, the aerial's a bit stubby, because while testing this I accidentally turned it the wrong way and broke it off, so this is an emergency cannibalised aerial. And actually, great, I'm getting no signal. That's one.

Yep, I'm getting no signal. I'm going to have to just broadcast over it anyway. So one of the nice things about the Pi is it's got a PWM chip in it, which is pulse width modulation, which basically you can use to send stuff at various frequencies. So one of the nice things is you can actually broadcast from the Pi. This is now not going to work because I can't get a radio signal, but let's try it. Oh sugar. That's better. Oh, if you can, so you can hear a bit of Sabbath coming from there, but it would have been a lot better if Radio One was actually playing. Oh no, because radio

so that there is actually a modification: we can send stuff to the RadioText from that. So RadioText is a subcarrier frequency that you can also send text to, so instead of just playing over Radio One I can just send messages to the people listening to it, so they'd see, you know, any old stuff. Now one of the nice things about the radio subcarriers is, have you ever heard of something called TMC, which is traffic management control? So all those things on your sat navs where you get, "there's an accident at junction 21 of the motorway, avoid". Yeah, you can write to those; it's unencrypted. You could say "zombies here,

avoid". Unfortunately I couldn't get that demo working, so that's one that never got done. So that was technically illegal; fortunately there's no signal in here anyway. So the most important thing to go on to is: how do we take some hardware, something that's got the physics of how things work, and how do we translate that to bits? How do we make sense of it? How do we do all that sort of thing? What's a one, what's a zero, what's just noise? There are many ways of doing it. One of my favourite videos is about Morse code. So in Morse code you've got dits, you've got dahs, so you've got basically timing. So if you've got a sort of time frame you

can sort of work out what a 1 and a 0 is. So let's go back in time. That's a plot; does anyone know what it's a plot of? OK, obviously not. That's a sample from a tape file from a BBC Micro, an Elite file, just zoomed in a bit. That is four bits of BBC Micro Elite, which would actually turn out to be a WAV file. So what I've done here is I've just done a couple of ones, done a collection of ones. So in the specification, a wave at 2400 Hertz is a one, and a 1200, where you've got two waves, is a zero. So we can actually work out how to

make sense of it. So if I just add some annotations to it, we can see the sample points there with the little arrows, and the separators show where the bit patterns are. So you can see the first one is a one; we've got two waves there, a one. Anybody get the next? Yeah, a one. And that is the basis of the fundamentals of 1980s computing and how to read and write data. So let's go into digital; it's a lot easier on digital. This is an example of the SPI protocol, and we have two data lines, which are shown, an enable, which says the direction of

traffic, and a clock. So, as you saw if you saw Mark's one, when you have a clock change it tells it to read a sample. So in this case, I'll do the same breaking out on it later: here's one byte, there's your sample points on when the clock rises, and there you can see the bits are 1, 0, 1, and you can just guess the rest. That's fundamentally what we do; it's really simple. So, the title is a bit wrong there because I was really adding this right up to the last minute. This is the Raspberry Pi GPIO header; this is how it is. So you've got 40 pins on it,

similar design to specific things. There are a lot of power points and ground points, so you can always tap off them; they're quite useful throughout. But the numbering scheme's a bit weird: that's how it numbers internally, so that's why the GPIO pins go like that, sorry, you've got 17 and 18 in weird places, and 27 just below 17. So we're going to just have a look at some protocols here, so I'm just going to swap my Pis over. So UART is a very simple serial protocol which is often used for consoles and stuff like that, which you can easily read on the Pi, but there are two UARTs that are built into the

chip. There's a hardware UART, which on the Pi 3 is tied to Bluetooth, which I don't want to touch because I like having Bluetooth, because I can use it for other things, and there's a mini UART, which is missing a few features that the major one has, but it will still work. And I just need a custom cable. So this is a Broadcom router; no, it's not, it's a GL.iNet router, which just has a convenient UART connector on it. So I'm just going to connect here and hope that it boots. So I'm connecting pins 14 and 15, which are your RX and TX, and

the ground. And my mouse has just clicked on the right mouse button. I'm just going to power it on, so just reconnect and hope that it connects. This is not the time for my Pi to fail. Can you actually read that? I'll just zoom in. All right, so I'm just going to... I'm sorry, I thought the problem with this was actually the Pi power supply, but this should be full voltage.

This is why you never do live demos, because everything dies. Yeah, OK, that's not working. Sorry, I do apologise. So that's not going to work, so I'll jump to the screenshot. So you're connecting pins 14, 15 and ground. You need to cancel the default getty, because the console also runs on 14 and 15; otherwise you get weird stuff happening. So that's what you end up with, which is a screenshot of what I was going to demonstrate. So this is your UART terminal of the actual thing. So rather than actually having it on a PC, you would have a single board like that; you'd use that to plug into this one. But more interesting

stuff is trying to read firmware. So this is a thing that we do all the time. If you try and do it, Andrew was showing you ways earlier of trying to extract stuff from microcontrollers; this is the actual firmware chips themselves. There are multiple ways of actually getting talking to these chips, different protocols: SPI, I²C, Microwire. The most common ones you see are SPI and I²C. So these all have their own way. On the right is, sorry, it breaks off, you've got a typical layout which shows how I²C works. So you've got basically two simple wires, SCL for a clock, SDA for data, and you've got a load of address pins which may or may

not be needed, depending on how the configuration is. And there we have roughly what the packet for I²C looks like. So, is that a laser? It isn't. So the second line down is obviously the clock; the top one is actually where the data is. It's really simple: everything's byte-wise, and to read data you have a control code, set a few bits, send that packet out, and data comes back on SDA. It's a really simple process. I'm not actually going to demo this live because my chips... oh yes, I actually have; there is a chip in there, but with the current problems I'm having, that one's flaky, so I'm not going to actually demo this one. I'm

just going to skip to SPI, which is the most common one you'll find. You can have quite large amounts of data on an SPI chip, which is quite common; you find it on this, the actual GL board actually has the SPI chip there. You probably can't see it; it's that tiny little chip there, an eight-pin chip. The nice thing about it is there's a standard called the JEDEC standard which has a known set of byte codes; it works on a simple byte code system. I am going to attempt to read this one and hopefully show you how it works by actually sending some raw JEDEC stuff in. So I use clips, basically, to make life easier,

and they just clip onto the chip individually and get into the right place. So I've put that in and, if you notice, the board has turned on, because I'm actually feeding 3 volts through to the chip and that's actually going past to the board and semi-booting it. Right, where's my terminal? Here it is. I'm just going to restart the session and hopefully... I've run out of space.

Come on, boot. This is not going well. Yeah, I'm really selling this, aren't I? So just as a demo of how it works: I've got a tool here which is basically a pretty raw version of the SPI one, so I can actually issue raw byte commands from here. So one of the basic commands is the RDID command, which basically says identify the chip. So I've just expanded it slightly to show you what the actual bytes are. You can see it's a 9F byte, which is basically the opcode for ID, and it comes back with the actual data. Unintelligible. I've got a bad grasp on that chip; we'll just reseat it. Back to... no. The most annoying thing about

this is, when I was trying this out, it worked perfectly every time. Yeah, brilliant.

I have done this on millions of boards and millions of different things. Yeah, funny, it works. So that there is what comes back from the RDID, which is the identity: the size of the chip and the manufacturer, which is a lookup code that you can then look up. And if we want to read some data, let's just read 100 bytes, which is not working. Great. Never do live demos. Right, fortunately I took a screenshot earlier, so that was how to do a custom one; that is what's meant to come back, where you can actually see there's actually data in that. So the packet goes out, says read, which is a code 3, 64 hex,

which is 100 decimal, and then 64 bytes; those are the first 10 bytes from there. Right, this is going to be a demo. So when you normally read from a chip, you normally use a program called flashrom. flashrom is great, but its interface requires you to know a few things beforehand: you've got to choose the chip exactly, you've got to know what the chip is, you've got to have the right pattern. If it doesn't understand the chip it won't read it, and you're on your own then; you have got to edit the source to add your own definition to it before it can read it. And also, if you want to do a partial read, you've got

to write a definition file, save that to disk, load the definition file in, and it's a pain in the backside. You can't just say 0 to 100. So I've actually got a bit of code that I wrote, which needs a better name; I called it SPI Read, because I'm not very exciting, I think, with names, and it is literally a one-click read for SPI through a web browser, just to make it easy. Now, if we can get this working, it should do this fine. So I... my terminal, I'm sorry, let me just go in here and make sure I can read. Yes I can. All right, so that just opens a web browser on five

thousand. So, for example, the ident. Am I allowed to swear? Thing. All right, seriously, I have no idea what's going on at the moment, because it's really annoying me. [Music] Yeah, I think I'm going to need it. And then we'll just get drunk and sing bawdy songs; I mean, that's probably going to be easier. There is a reason why I took two Pis, and the software's on both of them just in case this happens. But yeah, I don't have a good history of doing demos in talks, because they always fail on me. Right, that's why: my clip has got a bent pin. It sounds painful.

Nope, that's not it. OK, I don't have it.

No, I don't have it on this machine. Damn it, I am being cursed today. Sorry, it would have been sensible if I'd just used the same card on both, wouldn't it? [Music]

Sorry. All right, let's try again. Yay, I can read it now; that's better. So as you can see the identifier, the routine adds a bit more, so it actually decodes what the manufacturer and chip is. But that's the identification. So let's do the easy read, and I'm now going to make myself look silly if this doesn't work. So here's the interface. Do we want to actually press that button to see how easy it is? Oh, I'll do it. All right, and as you can see, that is reading your chip, instead of having to remember a load of things. Give it a go on a Pi and it eventually works, because I'm trying to do a demo

down there. So that's basically it: you can read your chip like that, it will just download to a file, and that's relatively how simple it is. So anyway, you know I said I'm into retro; this is another demo. I have a load of old computers in my garage which I occasionally try and mess with. One of them was an Oric which I could never get to work. So one of the things I've done is check a number of different things, check their parts at work. So this here is the high 8K of an Oric. Right, it's 35 years old; it's probably older than several people in this room, and I just

went, as a challenge, can I read this? So it's a very simple process, unlike all the rest: it's a parallel read. So you write an address, set your address lines correctly, to high, to an address you want to read, and just read the D lines. None of this messing around with clocks or anything like this; just write and read. So we're going to attempt to do it through the browser again. This is a complicated one. As you can see, one of the difficulties is it's 28 pins; I had to make a separate board for it, because you've got 28 pins, of which 27 need to be connected, and as you can see it's quite

complicated, the connector. It's normally meant to work from five volts, but I found the three volt output should work. So assuming that hasn't actually reset my Pi and it all works, we should be able to run this, and... oh, I might have actually got the lead now. Sorry, I'll go to the command line version. Sorry, did it... oh, it might actually work. Wow, I'm so surprised something actually worked. Right, let's open that in a hex editor, and there you are: that's the chip that I've just read from a 35-year-old PROM. If you notice, Oric; you can probably read that. That's relatively how simple this sort of thing is, and that pretty much is it, but sort

of rushed through that, I'm sorry. Any questions? The technology does work, honest. Rob: there's a computer released in 1981; were you even alive? It's infinitely in favour of everything, to be honest. For general hardware hacking stuff, one of the problems is trying to find all these. The advantage of the Pi is most of the libraries are there. So my SPI reader and I²C reader, those are using common Python libraries; the actual Python to do it is a few lines of Python. And if you look in the GPIO library, most of the things are based upon that, so you've got spidev, you've got smbus, which is an I²C reader. In terms of

the actual EPROM stuff, most of the people who know how to do this sort of thing don't tell people, or they think that everybody knows it. But the SPI stuff is already there. It's pretty much: you have to go and find the datasheets and make sure you have the information in; it's just trying to work out what they actually mean by the information, as datasheets are written for electrical engineers. Yeah, those sheets are the easiest ones; always look for a datasheet. Any more questions before I now go and throw my Pis away, because I'm getting irritated with them?

Maybe I should have got a BeagleBone. Who's just giving me a look? He just said "told you". Yeah.

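The talk makes two concrete technical points about SPI flash: bits are recovered by sampling the data line on each rising clock edge, and the chip is driven with JEDEC byte codes (9F to identify the part, 03 plus an address to read, with the 100-decimal address of the demo shown as 64 hex). The script below is an added example, not the speaker's SPI Read tool or any code from the talk; it models both steps against a simulated chip so it runs without a Pi or hardware. The captured clock/data samples, the flash image, the JEDEC ID bytes and the partial manufacturer table are all constructed for the demo.

```python
"""Added example (not from the talk): sampling SPI wires into bytes and framing
the JEDEC RDID / READ commands against a simulated flash chip.  All data below is
constructed; on real hardware the transfer() call is what spidev's xfer2 does."""

CMD_RDID = 0x9F   # JEDEC "Read Identification": manufacturer, memory type, capacity
CMD_READ = 0x03   # JEDEC "Read Data": opcode followed by a 24-bit big-endian address


def bits_on_rising_edges(clk, data):
    """SPI mode 0: the data line is sampled each time SCLK goes 0 -> 1.
    `clk` and `data` are equal-length lists of 0/1 samples from a logic capture."""
    bits, prev = [], 0
    for c, d in zip(clk, data):
        if c == 1 and prev == 0:
            bits.append(d)
        prev = c
    return bits


def bits_to_bytes(bits):
    """Pack MSB-first bits into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def rdid_frame():
    """Opcode plus three dummy bytes: SPI is full duplex, so the master has to keep
    clocking to receive the three ID bytes."""
    return bytes([CMD_RDID, 0, 0, 0])


def read_frame(address, length):
    """READ opcode, 24-bit address, then `length` dummy bytes to clock data out."""
    if not 0 <= address < (1 << 24):
        raise ValueError("address must fit in 24 bits")
    return bytes([CMD_READ]) + address.to_bytes(3, "big") + bytes(length)


class SimulatedSpiFlash:
    """Minimal stand-in for an 8-pin SPI flash that answers only RDID and READ."""

    def __init__(self, jedec_id, contents):
        self.jedec_id = bytes(jedec_id)
        self.contents = bytes(contents)

    def transfer(self, tx):
        """Full-duplex transfer: returns exactly len(tx) bytes, 0x00 in the slots
        where the chip has nothing to say (the first slot carries the opcode)."""
        rx = bytearray(len(tx))
        if not tx:
            return bytes(rx)
        if tx[0] == CMD_RDID:
            for i, b in enumerate(self.jedec_id, start=1):
                if i < len(rx):
                    rx[i] = b
        elif tx[0] == CMD_READ and len(tx) >= 4:
            address = int.from_bytes(tx[1:4], "big")
            for i in range(4, len(tx)):
                # image is shorter than the advertised size, so reads wrap
                rx[i] = self.contents[(address + i - 4) % len(self.contents)]
        return bytes(rx)


# Partial JEDEC manufacturer table (codes from public datasheets); extend as needed.
MANUFACTURERS = {0xEF: "Winbond", 0xC2: "Macronix", 0x20: "Micron/ST", 0xBF: "Microchip/SST"}


def parse_rdid(rx):
    """Decode the RDID reply.  Many parts encode capacity as 2**code bytes, but
    not all do, so the datasheet remains the final word on the size."""
    mfr, mem_type, cap = rx[1], rx[2], rx[3]
    return {
        "manufacturer": MANUFACTURERS.get(mfr, "unknown (0x%02X)" % mfr),
        "memory_type": mem_type,
        "capacity_code": cap,
        "size_bytes": 1 << cap,
    }


def read_bytes(flash, address, length):
    """Issue a READ and strip the four header slots (opcode + address) from the reply."""
    return flash.transfer(read_frame(address, length))[4:]


# --- constructed demo data -------------------------------------------------
# A 9F opcode as it would look on a capture: one 0->1 clock edge per bit, MSB first.
CAPTURE_BITS = [1, 0, 0, 1, 1, 1, 1, 1]
CAPTURE_CLK = [s for _ in CAPTURE_BITS for s in (0, 1)]
CAPTURE_DATA = [b for b in CAPTURE_BITS for _ in (0, 1)]

# Constructed image: an 8-byte header followed by a counting pattern (4 KiB total).
DEMO_IMAGE = (b"FWIMG\x01\x00\x00" + bytes(range(256)) * 16)[:4096]
# Constructed ID: EF 40 16 decodes under the 2**code convention to 4 MiB.
DEMO_FLASH = SimulatedSpiFlash(jedec_id=[0xEF, 0x40, 0x16], contents=DEMO_IMAGE)

if __name__ == "__main__":
    print("captured opcode:", bits_to_bytes(bits_on_rising_edges(CAPTURE_CLK, CAPTURE_DATA)).hex())
    print("rdid:", parse_rdid(DEMO_FLASH.transfer(rdid_frame())))
    print("read @0x64:", read_bytes(DEMO_FLASH, 0x64, 16).hex())
```

Reading the whole chip is just `read_bytes(flash, 0, size_bytes)` in page-sized chunks, which is the "say 0 to 100" partial read the talk wants without writing a flashrom definition; on real hardware only `transfer()` changes, and the RDID size should be checked against the datasheet before trusting the dump length.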