Embedded - 259: Calculators Changed My Life
Episode Date: September 7, 2018

Brandon Wilson (@brandonlwilson) shared his stories about hacking TI calculators (and other things). TICalc.org has the latest on getting started yourself, including Z80 assemblers, or start on Brandon's website: brandonw.net

Brandon will be speaking at Hardwear.io, a security conference for the hardware and security community. The conference consists of training (11th - 12th Sept 2018) and conference (13th - 14th Sept 2018). It is in The Hague, Netherlands. His talk is The Race to Secure Texas Instruments Graphing Calculators. He will also be hosting a village called Dumping the ROM of the Most Secure Sega Genesis Game Ever Created.

Topics:
00:00:00 Introduction
00:00:33 Brandon Wilson
00:01:39 Lightning Round
00:02:37 Calculators!
00:03:58 Programmable calculators, using TI BASIC
00:05:00 TI-85, programmable via assembly language
00:06:35 App store for my calculator?
00:07:34 How does TI prevent cheating?
00:09:41 TestGuard for teachers
00:12:53 Some are WiFi capable
00:13:41 How Brandon learned to hack the TI
00:15:12 Processors used in the TI calcs
00:16:39 What tools are available for reverse engineering?
00:17:42 Breaking the keys
00:18:49 Flash unlock protection
00:20:14 TI hacker community
00:21:32 TI used 512-bit RSA keys
00:22:32 Key broken after 2 months of brute force
00:22:58 TI threatened the first key breaker
00:23:31 Built a distributed community to attack keys
00:24:38 TI was not happy
00:25:03 DMCA takedown notice
00:27:28 EFF offered to help
00:29:30 The ethics of circumventing TI's protection
00:33:23 Calculators as a platform for learning HW/FW
00:35:11 Hackers' responsibility toward the hacked
00:39:05 Hacks Brandon is uncomfortable with
00:42:55 Bug bounties, are they effective?
00:44:02 Brandon's other projects
00:44:26 TI calculator processors used all over
00:44:50 Sega Genesis
00:47:54 Code execution via the Sega Genesis CD
00:53:35 Calculators changed my life (back up)
00:54:21 Other projects, USB
00:55:31 Abuse the USB protocol
00:58:24 Modifying USB flash drive FW
01:03:21 Reverse engineering tools
01:06:13 Hardwear.io conference, Brandon's hacking village
01:09:22 Brandon's Final Thought
01:10:19 Outro
01:11:20 Final Quote
Transcript
Welcome to Embedded.
I'm Elysia White.
My co-host is Christopher White.
Do you remember your favorite calculator?
Was it RPN or Infix?
HP or TI?
We all have our favorites.
Boy, do we get passionate about them.
Our guest this week is Brandon Wilson.
He has been hacking TI calculators for years.
He's here to tell us about it.
Hi, Brandon. Thanks for joining us.
Hello.
As you might notice, I did in fact swallow a frog.
I believe Christopher and Brandon taking the challenge also swallowed frogs.
So it might be a little scratchy here, but we have lots to say. So,
Brandon, could you tell us about yourself? Yes. Well, I like to primarily think of
myself as a software developer. Writing code is something I've been doing since middle school,
ever since I got my first graphing calculator, which was over 20 years ago.
So that's what got me into low-level programming and optimizations, which I think kind of gave me an advantage over people who were starting out with scripting languages
or really high-level stuff that hides so many details from you.
So I really wanted to focus in on that kind of thing.
And that got me thinking about attacking devices from a security perspective
because there are plenty of legitimate reasons you might want to do that.
That got me into the security industry,
and so that's kind of where I'm at now.
Cool.
I want to do lightning round where we ask you short questions,
and we want short answers, and if we're behaving ourselves, we won't ask how and why and tell us more.
Are you ready?
I'm ready.
What is your favorite calculator?
The TI-84 Plus Silver Edition.
Do you prefer to complete one project or start a dozen?
I would prefer to complete one, but I always start a dozen.
Hacking, phreaking, engineering, or programming.
All of the above.
Infix.
XBI.
Favorite fictional handheld computer.
Gosh, um, let's say the Handlink from Quantum Leap.
That's right. Yeah, it was on your list.
Okay, so, um, maybe a longer question. Uh, let's go with calculators, because when I mentioned we were going to have the show, a friend said, why do you need a calculator these days?
Everybody has their phone.
What kind of calculators are you talking about when you say calculator?
Graphic calculators, specifically ones made by Texas Instruments.
So like especially in high school, you'd see the really big tall ones that had a big screen that you could graph equations on it.
And depending on your exposure to it, maybe play games as well.
So definitely the more advanced ones, not little scientific ones.
But I have a graphing calculator even on my phone.
Why can't people just use their phones?
They could in a professional environment,
but where it really matters is in school, like in high school. You know, when I was in high school eons ago, graphing calculators were really all you had. You couldn't, cell phones weren't really
a thing and you certainly couldn't bring them in the classroom and you couldn't bring computers in
the classroom. But the one thing you were allowed to have was the graphing calculator. So if you could make it do something more than what it was advertised to do, you were on top.
You probably don't want to bring in Wikipedia to your exam either.
Yeah, exactly.
And so these calculators are programmable?
Yes, they are capable of running programs written in a language that TI made up.
It's called TI Basic.
It's pretty similar to Basic. It pretty much just lets you execute the built-in commands that are on the calculator, including graphing equations and that kind of thing.
But they do have some limited
features
that allow you to make really simple games
and that kind of thing. It's really used
for making quadratic equation
solvers and things like that.
But there are people who make games in that language.
But the more
interesting language would be
assembly language. You can write programs in assembly language and flash applications in assembly language on it, which are much more powerful because that gives you access to all of the hardware on it.
But TI doesn't want you to do that.
Actually, they kind of do.
The first graphing calculator to ever run assembly programs natively was the TI-85.
And that came out in the early 90s, I believe.
And the story, there's some rumors, the story goes that people internally at TI actually
placed bets to see how long it would take somebody to actually hack it in order to run
programs on it.
And somebody over there won that bet because we did
figure it out. It was done through backing up the memory on the calculator. You can actually back it
up to a computer. And that image is basically just a dump of RAM. And the operating system stores some menu entry addresses in that backup.
So you can actually manipulate those and cause it to execute code somewhere else.
And that was used to execute a shell that was called ZShell.
And that program allowed you to run other programs.
So that was the first stepping stone into being able to
write assembly programs on the calculator. So initially, they actually didn't want that.
And then later on in other models, they actually added easier to use backdoors to make it easier
to do that kind of thing, the kind of exploring the interest and seeing if people really wanted
to do this. And it turns out they absolutely did. And later on, they made it so that you could not only write programs without having to hack it or anything,
but you could actually create Flash applications.
You could even charge money for them.
And so it definitely came a long way since the TI-85.
So there's like an app store for my calculator?
There was.
They actually stopped making, they actually stopped charging for those applications,
but you actually can go to their website and you can download applications to do all sorts of
things. They've got little organizers, they've got periodic table programs, they've got programs to
extend the math capabilities of the operating system, and they even have a couple of games.
So they have all sorts of things on there.
And that started at least 15 years ago.
So it's something that's been around a long time.
I can understand wanting to program a small program into my calculator in the basic program.
There have been times when I've had quadratic equations or more complicated things that fed into each other.
And so if I was going to take a test or something, it would be nice to have it be all in one place.
But one of the reasons people are using these calculators is that they are cheat-proof. How does that fit with encouraging people to write Flash programs?
That's something that's kind of evolved over time. Initially, they didn't place any restrictions at all on what programs could be run,
because they were all programs that ran in RAM.
And if the programs were unstable for whatever reason,
it would just reset memory and you'd be good to go. But later on, they started adding flash.
They started adding a flash memory to these calculators,
which meant that programs could persist and survive memory resets, RAM resets.
And at that point, they needed to start adding protections into their calculator to prevent copying programs that cost money, for example.
So they needed some way to lock down the flash memory, which is where these applications are stored.
And the way they did that is they implemented some hardware protections
so that it wouldn't be possible
to run programs in flash memory
unless you had a specific signing key
that you could use to sign your application
and then install it.
And the same with their operating systems.
Those were signed with a particular key
so that you couldn't simply make patches to their operating system or install your own operating system.
And so it was important to protect their own operating systems so that you couldn't bypass those flash unlock and execution protections so that people could just buy an application once and then find out how to copy it and then give it to the whole world.
So that was one of the first challenges they had to solve.
And so they did that through that Flash Unlock Protection.
And then later on, when people started to find ways of writing programs that would help them cheat,
like on tests, they had to come up with other mechanisms.
And one of them is called TestGuard. That's actually an application that teachers can run
on their own calculators, and they can connect it to student calculators and initiate a process that
locks down the student's calculator in a particular way so that they couldn't execute programs or
flash applications, and they couldn't even open TI Basic programs, for example,
because they could type notes in there to help them on their test or whatever.
There's also something called press to test.
It's kind of a similar related feature where they could actually press a certain key combination
on the calculators and put it in that same mode and lock it down.
Well, couldn't you just use a different key combination to unlock it?
You could modify the OS to do that.
That's where the cat and mouse game really started.
But one of the big problems that I have with that particular piece of functionality
is that once it's in that mode, how do you get it out of that mode?
Yeah, that was what I was thinking.
And what they came up with is they made it so that it would unlock itself
if you were to initiate a file transfer while it was connected to a computer.
So in other words, the only way to unlock it would be to connect it to a computer.
So if your calculator was put in that mode,
you can't get out of that mode unless you can connect it to a computer.
And that might be good in a test-taking setting because no one has a computer with them in order to unlock it.
Yeah, as a teacher, that would be reassuring.
Yeah.
But it's bad for other students because, and I can speak from experience because when I was in high school, this happened to me.
I was kind of the calculator guy.
I was the one that had all the calculators.
I had all the games.
I could hook you up.
If a class had a substitute teacher and it was particularly boring that day and there was nothing to do, you came to me and I could help you out and you could play games in class.
So what they would do is people who didn't – let's just call them acquaintances.
I didn't particularly like them, but I would let them use it just to get them away from me.
So they'd play games on it, and then when they were done, they would actually clear the memory on it, or they would press that key combination and lock
me out. So I couldn't play games. I couldn't do anything until I got home that day.
How rude.
I know. Yeah. Yeah. So the way that they came up with that sort of protection,
I had a problem with. And that's one of the reasons why I broke it, is because I wanted to be able to do what I
wanted with it once the test was over or once they were done, thinking they were locking me out or
whatever. So that could be through installing my own key combination to unlock it on its own, or
changing the functionality for that key combination so it looks like it's locked down, but it's really not.
Or kind of a fake memory reset thing, make it look like the memory's reset, but really everything's still there.
Or maybe it appears like it's all missing until you press a secret key combination, and then it all comes back.
So I would be able to trick that guy who wanted to hurt me, and he thought he succeeded.
But really, I can still do what I want. So I guess I'm saying there's good reasons for being able to circumvent these protections, and of course, there's also bad reasons.
One of the things you said was that the teacher could push something on their calculator, and it would go to all of the students' calculators.
Are these Wi-Fi capable?
Some of them are, yeah.
It's a calculator.
Okay, um, yeah.
Oh, is it also infrared, or is it just Wi-Fi for that sort of thing?
It's just Wi-Fi. There are people who have... there's an I/O, a 2.5 millimeter link port on them, and people have abused that to do all sorts of things. That's the standard, at least on the older models; that was the standard way of linking them to a computer. But you could do other things with them. You could link them to other calculators, you could hook up an infrared LED, you could actually play sound through them. Um, you know, there's all sorts of things you can do with that port.
So how did you learn to hack these and program them?
Was it widely known which processor was in them?
Certainly the memory map for peripherals and stuff wasn't available, was it?
Or did you just have to discover this stuff?
To some extent, initially we had to discover it
and I think we may have kind of
impressed them on how much we figured out on our own, because once we had the ability to execute
code on it, we started immediately dumping the operating system, looking at how it interacts
with the hardware and making educated guesses about how to interact with the LCD, how to
quickly and efficiently make grayscale games, how to interact with different parts of the hardware.
In later models,
they actually have USB ports.
And so we looked at the operating system
to see how they interacted with their USB
controller.
We basically looked at what the OS did
and figured out how it was able to
interact with a computer and other peripherals
and then recreate it. So a lot of it
is straight-up reverse engineering.
When you say looked at, are you using something like IDA,
a decompiler, or hex editing?
What does looked at mean?
A disassembler, yeah, like IDA.
There are some other, and you've got to keep in mind
this is a long time ago, Back when I was really a thing.
But yeah, we would use that.
We would use other disassemblers.
We didn't really need to decompile anything because the memory and the operating system was so primitive that it wasn't written in C or anything.
It was written in assembly, in ZLog Z80 assembly.
And we were looking at it the same way.
So, you know, I don't know if it's ZLog or Zilog.
I've always said ZLog.
I've always said Zilog, but I've never actually heard anybody say which it was definitive.
Who could say definitively?
The company.
All right.
Let's call them up.
That's true.
I think it actually is Zilog, but I prefer ZLog.
So they're still Z80 based?
Most of them are, yes.
That's amazing.
That chip has lived forever.
There are, across all of them today, there are four.
There is the Z80, which is first, and then the Motorola 68K for some of the more advanced models.
And the Nspire series uses ARM.
And the latest 84 Plus series, which is called the TI-84 Plus CE,
that's the one that has the color screen,
that one uses an extension of Z80 called EZ80.
And it uses 24-bit addressing,
and it's laid out differently than the Z80 ones.
It has a flat memory model.
The protection hardware is completely different.
It's brand new.
Actually, there was no disassembler for it,
so I had to write an IDA plug-in to support it
so that I could start looking at the OS.
So it was relatively unknown.
I haven't really used IDA.
I only know about it from Scanlime's Coastermelt series.
What are the disassemblers that exist? What else would I be looking at?
If I wanted to do something like this, what are the tools I need?
IDA is without a doubt the best one there is.
But it's expensive.
It's expensive, yeah.
But if you can get your hands on it, I highly recommend it.
The main community website is called ticalc.org, and it has some Z80 disassemblers, especially ones people wrote themselves.
So there's some good resources there. There are actually some on-calculator disassemblers. So you can disassemble the operating system while you're on the calculator and look at the instructions that are being executed,
as well as manipulate memory, RAM, or Flash at any point.
So we've come a long way in terms of utilities
that we can run on the calculator
to help with reverse engineering and programming.
But one of the things you have to do in order to run the Flash was those keys.
You said that to run things, you had to have keys.
You broke the keys. How did you break
the keys? How does one break keys?
Well, for many years, we knew that that was
highly unlikely.
Trying to break keys is not something your average high school student is going to be able to do.
So we knew that we weren't going to be able to do that.
So initially, what we did was we worked around it.
We knew that the code that actually performs these operating system updates on the calculator
was in a boot sector on the flash chip,
an area that's supposedly read-only that contains all the code necessary
for receiving an OS update over that I/O port or over USB
and actually writing it directly to the flash chip.
So we knew the code that it would take in order to do it.
We just didn't have the privileges to be able to do it.
One of the things that protects those calculators is something we call flash unlock protection.
There's an ASIC inside the calculator that is responsible for all the I/O that the processor performs.
So any hardware like the keyboard, the LCD, that IO port, things like that, that it
interacts with, it all goes through that, including modifying the data on the flash chip.
And there is a particular sequence of commands that you need to be able to execute in order to
unlock the protection on that flash chip so that you can issue, write, and erase commands to that
flash chip. And those commands have to be around before you can do it.
There's a special sequence that unlocks it and a special sequence that locks it back.
And the boot sector will do this whenever it performs an OS update.
But the thing about those instructions is that those instructions have to execute
from what they call a privileged page of the flash chip.
And naturally, the only privileged
pages would be the ones that the boot sector's on, which is theoretically read-only. So you can't
manipulate it. You have to get it to execute it. So what we would do is we would manipulate
various aspects of the calculator registers and memory so that we could actually jump directly
into the code that would unlock the flash chip. They would execute those privileged instructions. And once it did that,
we would then steal away control from the calculator, from the boot sector. We would
steal control away before it had a chance to lock the flash chip back. And once we did that,
then we had control. Then we could modify the OS. We could install our own applications. We could do
whatever we wanted. And we call that Flash Unlock Exploits. So that is what we relied
on initially before we had the signing keys.
Who is we in this story?
The community as a whole. I was not the first to come up with Flash Unlock Exploits.
I may have been the first to publicize them.
The people who initially did it were really just kind of tinkering around,
learning more about the hardware.
They didn't necessarily want to release those exploits
because, you know, for whatever reason.
But I knew that there would be value
in being able to install our own OSs.
And that's something I wanted to do.
I wanted to be able to install my own operating system.
I wanted to write one and install it, as well as write my own Flash applications.
So on those calculators, Flash applications have certain privileges that regular RAM programs don't have. One of the big things is that they can actually persist in memory, so they're more stable.
So if the calculator crashes or it resets or something, you don't lose it. It's still there. So it's a convenience thing.
There's lots of reasons.
There's lots of technical reasons why you would want to do that.
But once I had that, then I started developing tools that would allow you to install your own OS and that sort of thing using those unlock exploits.
But there is a better way.
It would be nicer if we actually had the signing keys.
That way we wouldn't have to rely on these ugly exploits that might only work on certain OS versions or certain hardware versions.
It would be better to have the keys.
And on these particular calculators, they use 512-bit RSA keys, which by today's standards is a joke.
But we're talking 1997, where computing power was not what it is today. There's no way you could factor those keys. Um, and that's what it would take. We would have to factor an extremely large... that's basically what RSA is. That's the strength in RSA: you need to be able to factor a very large number, uh, into primes, and computing power just couldn't... it just couldn't be done at the time.
But fast forward, let's say 10 years, one person in the community, not me, somebody else in the
community managed to actually factor one of the keys. They were curious, and they had looked into
the math behind how it works. There's something called the general number field sieve that, uh, lets you do that. And, and he was curious, so he just let it run on his computer, and it took him two months, but he actually did factor one of the keys. And, uh, then he published that fact, and TI threatened him. They legally threatened him. Uh, they actually, if I recall,
they actually came to his,
or not them,
but they sent someone to come to his house
and ask him to stop.
And that scared the absolute crap out of him.
So he disappeared
as far as that was concerned.
But because he published the fact that he did it,
we knew it could be done.
We kind of dismissed the idea a long time ago that it was even possible.
But the fact that he had revisited it and did it, we knew it was possible.
So at that point, we took it upon ourselves to come up with a distributed computing project.
And we had hundreds of people in the community, maybe thousands, all working to try to factor the remaining keys as fast as we possibly could.
And at the time, there were a total of 15 keys, 15 512-bit keys.
And one of them TI actually gave us.
That was the one that allowed us to create Flash applications on the TI-83 Plus series.
But they hadn't released any OS keys, and they hadn't released the application key for any other calculator and at the time there
were seven models that were flash upgradable and so that would be two keys for each of those
because you have the flash application key and then you have the operating system key
so that's 14 and then a common shared date stamp
key. So that's 15 total. And we already had one, and that guy had factored one, so there were 13
left. And we had factored all 13 of them inside of a month using that distributed computing project.
Which now you knew that TI did not want you to do.
Absolutely. They were not a fan of that.
We managed to get all 13 done before they found out about it.
And so once we had those, and at the time there weren't really any tools to utilize these OS keys because no one had ever had an OS key.
Why would you need a tool to sign an operating system because we've never had the key?
So I had to write those tools to make that work. And once I did, I published that application and the keys that you would need
to use with it. And TI did not like that. And they threatened me instead.
Wait, wait. How old were you at this point? Or where were you? Were you in college? Were you in high school? What was happening in your life at this point?
I was out of college, maybe a year or two out of college.
But you'd been playing with these since high school?
Yeah. Okay, middle school.
Since middle school. Okay, so a year or two out of college, TI is now banging on your door saying no.
Yeah. I was lucky enough to not be visited personally. They actually just sent me a DMCA takedown notice telling me to stop.
Okay, what is a DMCA takedown notice, for people who aren't in the U.S. and don't know?
The DMCA stands for the Digital Millennium Copyright Act,
and it's basically a law that states that if you believe your copyright's being violated by
somebody, you can send a notice, what's called a takedown notice to them, informing them that they are violating your copyright and that they need to stop.
And if they do not, they have a certain time frame to comply.
And if they do not, you can sue them.
And so they sent me that because I had published their secret private signing keys for all of their applications
and all of their operating systems. But these were just numbers. They're just numbers. Exactly. How
do you copyright a number? Because I have copyrighted 42 and you all owe me a lot of money.
Well, I think part of the argument, and I don't know, I haven't followed this in a long time,
but it used to be that just breaking a protection was a violation of the DMCA.
Not that you had necessarily published anything copyrighted, but just that you'd given people the means by which they could.
And that was the argument, I guess.
There is an exemption that says, in the interest of interoperability, you are allowed to do certain things. And writing our own operating system from scratch, not using any of their copyrighted code,
but just repurposing the hardware for our own means is something that we wanted to do,
and we felt that we had a right to do.
For interoperability?
Yes.
Okay.
And so they sent me that notice, which, you know, that scares the crap out of anyone when they get a notice like that.
And I'm trying to think back to exactly how the circumstances happened, but there was a journalist that got involved at one point who wanted to publish a story about the fact that they had threatened me.
And they published it, and that journalist contacted the EFF on my behalf.
And the EFF is the Electronic Frontier Foundation.
They are a nonprofit group that – it's basically like the ACLU for digital rights.
They protect people who are being legally threatened in circumstances like this.
So they contacted the EFF on my behalf, and then the EFF reached out to me and said, hey, this is a travesty.
I hate to swear to you.
Do you want to do something about it?
We can help you.
And I said, yeah, absolutely.
Before they had reached out, what were you going to do?
Were you going to take it down?
Were you going to go to court?
What was your plan?
I was going to take it down.
There was nothing I could do.
And that's what the EFF does. For people in exactly that situation that feel like there's nothing they can do, they step in.
So was this an early or late test case of the DMCA?
I'm not sure.
The DMCA has been around for quite some time.
So I'm sure it was not new at the time.
Okay.
But the idea of copyrighting a number, and especially threatening someone over a calculator, that's kind of what made the news at the time: what, this guy wants to put his own OS on a calculator? Why are you threatening him? Why are you harassing him? Just leave him alone. It's just a number.
So they said that they would write a letter on my behalf to TI saying... They have not sued me. They've not done anything.
And if they had, the EFF would have continued to support me.
But since they didn't, the matter was dropped.
So looking at it from TI's perspective, they have been trying to get into schools for a long time to say that their calculators are cheat-proof and should be used on tests.
And now you're helping people defeat some of their preventative things.
How do you balance that?
Was that ever part of your consideration?
It was never my goal to help people, you know, to help them cheat or to help them circumvent those types of protections. It is my goal to point out some of the flaws with
what they've done. So, for example, that TestGuard thing, where the fact that you have to be
near a computer to unlock it, I think that's going a little too far. I think that's a little
unreasonable. I think there are other solutions that could be done instead to get around that.
What other solutions?
Uh, well, they could have calculators in the classroom that are configured in a particular way. Maybe they're running a different operating system where that feature can't be turned off, so that student calculators, uh, are not susceptible to just any old person who wants to come and unlock it.
Or maybe there is something where only you install some sort of certificate or something, so only your teacher can unlock it.
And that's something you, day one when you come into the classroom, you have to connect your calculator to your teacher's setup, and it's kind of tied to them and only them. Only they can trigger those types of restrictions, so that not just anybody can do it with this, you know, simple key combination or whatever. There's lots of different ways that they could enforce that instead of making it less secure for me. It's just wide open for me, or for anyone else who wants to get their hands on my calculator for even a second.
Yeah, you can imagine some student grabbing your calculator before an exam
and doing something nefarious to it, and then you're out of luck.
But as an engineer, I can see thinking,
oh, well, we have to have this special mode.
Oh, well, how do we let the student get out of this mode?
Well, I don't know.
We can't have another key code. That doesn't make sense. I just... I can see how they ended up with the "you have to plug it in."
I think part of the mistake is thinking of this as protecting the calculator, or protecting from cheating, as their problem, because it does kind of push it away from the schools to say, oh, you can have whatever you want, students, whatever calculator you use, and we'll just depend on TI to protect it.
Well, I mean, that's a horrendous problem.
How do you... Well, I mean, he was suggesting having dedicated calculators.
You'd think TI would have gone in for that solution because it would have sold more calculators.
I mean, that's a problem, too, is it costs the schools more money.
I mean, these calculators cost like $150 at most for the ones that are used in high school.
And you're asking every student to have one of those.
That's true.
And I can tell you, it costs way less to manufacture than that.
They're using Z80s?
Z80s, yeah.
Yeah.
It costs way less.
They have new Z80s.
EZ80s.
Yeah.
I can see how they got there, but I also don't see why they're still having this problem.
They are still having this problem, aren't they?
Yeah.
That's where the cat and mouse game comes in.
And that's why this talk at Hardwear.io, that's why it's called The Race to Secure Texas Instruments Graphing Calculators, because they want to secure them against students who want to cheat or do whatever.
But you also have the users who want to use them the way that they want to use them.
It's hardware that they own, and they paid a lot of money for it.
I mean imagine being in high school, and that's all you have is that calculator, and you want to be able to do what you want with it.
Not just for running things, but maybe you want to do your own research and your own programming.
And I think they're fantastic devices for learning programming and reverse engineering.
I might be a little biased on that front, but I think it's just fantastic. I've seen so many students grow up programming for these things and learning low-level fundamentals that it's just hard to get anywhere else.
And I've seen so many people move on, and again, this is a long time ago, but I saw a lot of them move on to Game Boy programming and just start careers based on what they learned in that community.
So you can learn an awful lot from these things.
It's a lot more than just doing math.
Oh, especially the way you're doing it, with learning operating systems and assembly
and how all this stuff works and maybe making your own compiler with Forth
or doing another version of BASIC.
You would learn a ton from these calculators.
If you can imagine it, it's been done in the community, I can tell you.
There have been alternatives to TI BASIC.
People have made their own programming languages,
kind of a hybrid between BASIC and Assembly.
There are people who have made,
they've actually made Game Boy emulators
on something that is not much more powerful than a Game Boy.
I mean, the optimizations that people have come up with
and the way that they've made grayscale games and color games
on things that don't have dedicated video,
don't have dedicated gaming graphics or anything.
This is stuff that they have to, they need every,
every instruction cycle matters.
You know, every cycle matters.
So they optimize them in ways that are just unheard of.
There's really some just ingenious stuff in,
in all the, in the library of applications that are, that are out there.
How much responsibility do people have to tell the company of gaps or,
or found RSA keys before telling the world about them?
They have some responsibility.
That's always a complicated question.
There's always a gray area.
I mean, there are some things that are 100% wrong you should not do.
And there are some things that are 100% right that you should do.
And then there's the area in between.
So, like these signing keys, for example,
maybe at the time,
maybe there was a middle ground where you kind of keep the keys under wraps,
but you make it so that people can
write their own operating systems easily
and install it on their own calculators.
There are methods of making it
so that you could actually,
you could come up with a system
where you could sign certificate updates on calculators.
It's like making developer keys.
So that people could make their own operating systems on their own without affecting anything else.
And maybe they have to submit them to, I don't know, a calculator community authority and then they actually sign them.
Maybe you don't make the tools public.
Maybe you keep certain aspects under wraps. Maybe you don't release the exploits.
Maybe you just release the tools that use the exploits.
Maybe you obfuscate the code somehow.
I mean, there's a million different
things that could be done.
And I really think it depends on the
circumstances and the state
of, at least in a graphing calculator example, the state of the community at the time,
our relationship with TI,
what they're trying to protect against at that time,
what we're trying to preserve as far as rights at that time.
It's just very
complicated. It's based on a number of factors that
it's very
circumstance
or scenario specific.
Yeah, and calculators are a good
scenario.
Because on one hand, who the hell cares?
On the other hand, who's responsible for that civil engineer having a bridge fall down because they cheated on their test?
Yeah.
It goes both ways.
And so, it seems low stakes, but there are high stakes, at least theoretical examples.
I mean, I don't know of any bridges falling down.
Well, due to that, anyway.
Due to that.
I would like to think that if somebody is cheating on an Algebra 1 test, that they will never get to a position where they are solely responsible for
their bridge is going to collapse or not.
I would hope there's a system of checks and balances that prevents that kind
of thing from happening,
but you know,
who knows?
I don't know.
It's funny, because thinking about when I had a calculator in class, which was not that long before you, I had an HP 48, which did all this similar stuff, and you could program it and it would graph things.
And I think there was a hacker community around that even at that time.
And school didn't care and nobody checked it.
And that was true for college and grad school.
And it's, you know, I never cheated with it, because why? But there are easier ways to cheat than to learn assembly.
Not where I was headed, but, yeah, it's just, it's interesting to me that attitudes change and different schools have different attitudes.
And yeah, it's a tough question, because on some level one solution is just to make the exam so hard that it doesn't matter if you can cheat, which is what happened in some of my classes.
It was like, yeah, you have a calculator? Great.
Go nuts, do whatever you want with it because you're doomed no matter what.
But you obviously can't do that for like, you know, eighth grade, Algebra 1.
There's no way to make the exam so hard that a calculator can't help you if you could cheat.
So anyway.
Okay, so back to responsibilities.
Are there examples of hacks that have gone public that you're uncomfortable with,
that you wish that they had talked to the company first?
Speaking generally or about calculators?
Generally, I'm having trouble. Well, actually about calculators, if you have any,
but then generally, because I don't, I'm having trouble picturing that.
With calculators, I don't think so. I would say the one circumstance that kind of bothered me was, you know, I always take the position that if you have an exploit that is good and can help the community as a whole, and you think it will help more than hurt, you should put it out and you should make it so people can use it.
But there is a responsibility to make sure that you do things correctly, because it is possible to break these calculators.
There was one project of mine where I was trying to find out if you could permanently break it. Is there something you can do, from a software perspective, that would make it so you could never, ever use it again? Which is very, very hard to do, but it turns out there is a way you can do it.
And so there's a responsibility not to release that. But it's also good to let the information out there that it can be done, and that this is a particular aspect of the hardware that you should not be messing with, because it has the potential to do that.
Like on the calculators, there's an area of memory called the certificate.
It's a particular flash sector that the boot code actually parses and scans.
And if you are able to corrupt it in a very particular way,
you can cause the boot code to crash.
So if you erase your operating system
and the boot code attempts to parse that invalid certificate
before it attempts to receive a new operating system,
then it can never receive one.
So that is one thing that would be really bad.
But there's also advantages to being able to manipulate the certificate,
and the certificate's a privileged area, so you have to use one of these exploits in order to modify it in any way.
And one of the things you can do is you can install new keys in there. So instead of factoring
TI's operating system keys, you can install your own operating system key.
And that's actually something that happened right before the key refactors. We figured out that we could do that.
And so we made it so you could install your own
generated OS key in the certificate. That way you alone
could install whatever custom OS you wanted.
And through doing that,
we had to release a program
that had an unlock exploit in it
so people could disassemble it
and figure out what it was
and use it and reuse it.
And you had to have the code out there
that would actually erase the certificate
and install a new one.
And so that's scary.
And if somebody took that and disassembled
it and modified it in a way that they didn't quite understand and then released it, they've
released something that malicious that can break other people's calculators. And I can think of
one case where one person thought they understood what they were doing, and took code very similar to that
and released something that had the potential
to majorly screw up the memory on the flash chip.
And I thought that was irresponsible of that person,
but I also lay some blame because I'm the one
who put the exploit out there that made it possible for him to do it.
So that's just one of those gray areas where I don't know.
It was a bad thing that happened, and I have some responsibility for it.
And so does the other person.
But that one case, you know, all the good things that the community gets from that far outweigh that one little incident.
You do more hacking than this, though.
More than calculators.
Yeah.
I've always wondered about bug bounties. Do they work? Is it just a way for the company to say, yes, we're doing stuff? Is it a way for the company to pay off people so that the exploits aren't publicized? Due to bug bounties, are they real or fake?
I don't know. I've never been a part of one.
Okay.
I don't, I have no interest in being a part of one. It's just not for me. I don't need money to, you know, to do what I like to do, and I'm sure there are people out there that do do it for money, but I'm not one of them.
I'm sure it does bring in more people than if they didn't have one, but is it worth it? I don't know. My opinion is no, but, you know, I don't know. I guess it depends on the environment and the community and the circumstances. Like, for much bigger communities and uses, like, say, game consoles or something, maybe it does matter. But for calculators, no, it certainly doesn't matter.
Okay, so other projects that you have maybe solved your own hardware problems by modifying in software in ways that maybe the manufacturer didn't intend?
The calculators kind of provided a good starting point for being able to do stuff with other types of devices, mainly because the processors that the calculators use are used in so many other things. You've got the Z80. You've got the Motorola 68K. Those are used in a lot of things, things that people don't even realize, like the Sega Genesis, for example. They used a Motorola 68K. Old Macs used that, and even the PCMs, the computers inside older cars, use that processor.
And so I've done projects using both of those, that have those processors in them.
Just as one example, and this is one project I'll be talking about at Hardwear.io,
is the Sega Genesis, if you remember that old console.
It actually, a lot of people don't know this, but it actually has two processors in it.
It has a Motorola 68K, that's the main processor that it uses.
And then it also has a Zilog Z80 as a sound coprocessor.
And those are two processors that I know very well from the calculators.
And there was a particular project that came up involving the Genesis
that involved dumping the ROM of a game,
a particular game that came out not too long ago.
I guess it's been maybe eight years ago, way after the console died.
And there was a group of homebrew developers for the Genesis
that really wanted to make their own game.
And not just make it to run in an emulator,
they wanted to actually run it on real hardware.
And the way they did that is they made a game
that was larger than what the Genesis could actually support.
So the Genesis can only support a 4 megabyte ROM,
but they actually made a game that was 8 megabytes.
And not only did they make the game,
but they came up with special hardware that they could put in a real Genesis cartridge.
So they were going to manufacture the cartridge,
manufacture that hardware, and install the game on it,
and mass produce that and sell that to people.
And that's what they did.
But one of the things they did is they made it
pretty much impossible to dump the ROM on it.
They had circuitry in it that would defeat most hardware devices that dump Genesis ROMs,
as well as other means of dumping ROMs that people use.
And
so they came out with this game,
and they mass-produced it, they released it,
they did one run of it,
and then did nothing else with it.
They had no intentions of
releasing any more copies of the game.
It was a very expensive game.
And
once they had sold out, that was it.
Nobody could play the game anymore.
So only the few hundred people who actually had a copy of it were the only ones who could run it, which bothered me.
So I wanted to be able to dump the ROM because there are lots of other people who might want to be able to play the game.
And so I managed to get my hands on one of these cartridges, and I was going to go about dumping the ROM on it.
Well, the big problem with dumping the ROM on it is that extra circuitry that's in the cartridge.
They actually
have
hardware in there that
checks to make sure that the game
is actually running in a real genesis.
So you can't put it in a hardware ROM
dumper and just dump the ROM that way.
The game actually has
to be running and executing normally in order
to be able to access all of the data in the ROM.
And so when I learned this
and realized that you couldn't just dump it the normal means,
I knew that I was probably going to have to find a way
to get code execution on the console
in order to actually dump the ROM.
And since the Genesis has two processors in it that I'm very familiar with,
this seems like a good project.
So that's when I got into it.
And I tried all number of different things.
But essentially what it came down to is I had to get code execution on it
by connecting a Sega CD attachment to the Genesis.
So that lets you – it's basically a CD attachment for the Genesis.
And so you can actually burn a CD of code
and put it right in there, and it will run it.
So code execution is very easy in that setup.
And I had to embed a ROM dumper in RAM, in memory,
on the console while it's on.
And once I did that, I hooked a Game Genie and the game together
and plugged that into the system while it's on and then reset it,
which causes it to start executing the Game Genie little ROM,
which has a code selection screen.
It's what lets you cheat in games.
It came with a little manual, and you could enter a bunch of codes.
Basically, it would patch the game in memory.
So whenever the console went to fetch
data from the actual cartridge,
if it was from a particular address, it would return
a different value instead. That's all those codes would do.
They would just return a different value.
And so through doing that, I could
patch the game to actually
jump into my code and run it,
my ROM dumping code.
So once the game had actually started and done all the setup stuff that it needed to do in order to access it, I could get code execution and then simply dump the ROM out one of the controller ports back to a computer or something.
So once I did that, I still wasn't able to get access to the full ROM, and I couldn't understand why.
And the reason why is because the cartridge hardware is actually expecting instructions to be fetched from the cartridge all the time.
And when I got code execution, it was just executing my code in RAM.
So while my code is sitting and running in RAM, the game's not running, which means instructions aren't being fetched from
the cartridge, and
that protection circuitry kicks in.
So what I had to do was use
the game genie to lock the game up.
I had to patch an instruction
in there, so it would just jump at the beginning of
its little ROM over and over again
and enter an infinite loop.
And while it was doing that, I could use
the sound processor.
I had a little ROM dump running in its RAM,
and it would dump it out the controller board.
So while the main processor is sitting there locked up and spinning its wheels,
the sound processor is dumping the ROM out. And so that was the way that game was done.
Okay.
This story started with homebrew developers,
like hackers that developed a game
Those people are hardcore Genesis fans. They love the Genesis just like I love calculators.
They love Genesis. They wanted to be able to make a really impressive game, the most impressive Genesis game there ever was. And they did succeed, because it is technically the most impressive game for the Genesis.
Because it doesn't fit in the Genesis.
Yeah, exactly.
And as I recall, the cartridge hardware also had some extra graphics processing in it.
So not only could it not fit in the Genesis,
but it was more than the Genesis was actually capable of.
So it was almost a console extension through the cartridge.
And not only that, but it had a serial EEPROM
that it was using to save game data.
So, you know, most games, most old consoles like that,
they have a battery that keeps RAM, you know.
But this game didn't have that
because it would actually store it in a serial EEPROM.
So there were a lot of firsts for this game,
and they wanted to protect all that.
Have they come after you and gone after your
calculators?
No.
Retaliatory strike.
I'm certain they didn't like it, but...
And
the thing about that game is
because there's so
much extra
processing that's done in
the cartridge hardware,
a regular old Genesis PC emulator can't run it because it doesn't have support for any of that extra hardware.
And some of the Genesis homebrew developers
that were working on that game
had also been the ones responsible for creating those emulators.
And they did not, because they had all the circuitry in there,
they did not want people to be able to run that game in an emulator.
So not only did the emulators not have support for it,
they actually publicly stated they will never add support
for that game to their emulator
because they don't want them to be able to run it in an emulator.
So once I had the ROM dumped, not only did I dump the ROM,
but then I modified an open-source Genesis emulator to support that game.
Because you need hardware to run it.
So it doesn't do you any good to have just the software.
But now you can run it on an emulator.
Yeah.
Communities are weird.
Communities are very weird.
I mean, I'm just, okay.
Hackers and hackers.
Hackers all the way down.
So let me ask you a question.
What is your career that you actually do make money from now?
I was a software developer for over 10 years,
and I recently transitioned into security consulting.
So that's kind of my day job.
That's kind of my day job,
but I'm not sure there's a job that matches all this type of stuff.
Well, where I was headed was, do you think you would be doing what you do now had you not discovered and gotten into the calculators?
I doubt it. I doubt it.
I think calculators changed my life.
I think that they made my life, and I don't regret one bit of it.
I am very glad that all of it happened
and I would do it over again.
And when you say you're a security consultant,
what does that mean?
Like, can I ask you my IoT security questions?
It's web application penetration testing.
Oh.
Yeah, that's why I'm saying that. I'm sure that's very exciting.
Yeah, that's why I say it's my day job.
I like to work on these things in my spare time because there's no pressure.
There's no deadlines.
There's no pressure.
You just do it.
You do it until it works.
And I like that aspect of it, and I'm not sure I necessarily want to change that.
Are you still working on the calculators, or do you have other hardware that is more modern that you're interested in?
Plenty modern. There's the new Z80.
Okay, well, how about this for a question? This came up in the Slack channel.
How can TI be charging this much for calculators that haven't changed in 20 years?
Yeah, yeah.
I get that question a lot.
I never have an answer.
I don't know.
Why would you change it?
I mean, they're making a killing.
Why would you not?
Because people haven't stopped buying them.
That's the answer.
Yeah.
I think the educational department is their most profitable department.
Yeah, not a surprise.
I hope they get a discount.
But back to the original question,
is there anything
we're working on now?
Or do you still work on calculators?
I do still work on calculators,
not as much as I used to.
The calculators,
another aspect, other than just the fact that
they have processors that are used
in other things, another aspect of the calculators is
the fact that they,
a lot of the newer ones, have USB ports.
And I learned an awful
lot about USB just through the calculators.
They have a
very flexible USB
controller in them that is,
I don't want to say
rare, but it's not
as common as you would hope in other devices.
And you can do things, you can abuse the protocol on the USB protocol using its controller in ways that you just can't with other devices.
And I don't know if we have time to get into it, but there was years ago, way back when the PlayStation 3 first got its quote-unquote jailbreak, it was the first public exploit that allowed you to run your own code on it, there was an exploit that came out that was USB-related.
And it involved simulating – it involved plugging in a device that simulated a USB hub, and it would virtually attach and detach different USB devices in a very particular order in order to trigger a memory corruption exploit.
And there was a very limited number of devices.
Pretty much the Teensy at the time was the only device that could do it.
There's a very limited number of devices that could do that in hardware.
And so naturally, when that came out,
Teensys all over the world sold out, nobody could get them,
but people still wanted to do this.
So I knew that the calculator was capable of doing it,
so I re-implemented that on the calculator.
So basically, you could use your calculator
to jailbreak the PlayStation 3.
And the way that worked was, the USB controller in the calculator was capable of changing its own device address, which is not something that a lot of devices can do.
You're not supposed to do that.
Yeah, you're not. To simulate a hub, a USB hub, that's one of the things you need to be able to do, because when you first attach a hub, it connects on address zero.
And then the host negotiates with it, sets it up, and tells it, okay, now you're address one or two or whatever.
And so it's no longer address zero.
It's that new address.
And then as you plug in a new device on that hub, it has address zero, which is the default address.
And then the hub says, okay, well, you're address two.
And then it connects another address and goes, okay, you're address three. Well, this calculator
could actually say, okay, I'm a new device on this
hub, and it could actually switch to address zero. So then the host would talk to it as though
it were another device attached to the hub, even though it's really not. And then
once it was done doing that, it would then switch back to the hub and say, okay, now I've got another device attached.
Then it would switch back to address zero, and then it would set up that address.
Then it would switch back to the hub and say, okay, now I've got another device.
Then it would keep on doing that to trigger the exploit.
Long story short, I learned an awful lot about USB through this.
I started to work on other USB-related projects because of it.
And one of them was
modifying the
firmware on USB flash drives
because
there is a subset of USB
flash drives, very cheap USB flash drives out there,
that have no
code signing protections, nothing at all like that
at all. And you can update the firmware.
Yes. I don't put these in my computer, but yes.
Anybody who gives you a free USB flash drive, I know that's
just bad. Yeah. And you can
modify the firmware on them without having to deal with cracking any keys or anything like that.
And so I started to get into that. And
One of the things you have to do in order to replace the firmware on it is you're probably going to either need to patch the one that's there, if you have it or if you can dump it.
And on some of them you can, some of them you can't.
And you're going to have to re-implement the firmware from scratch.
Well, to do that, you really need to understand some pretty low-level aspects of USB.
You're going to have to disassemble the firmware.
You're going to have to understand how it interacts with its USB controller.
You're going to have to know
everything about that.
And not only that,
but all the communication
with the NAND flash chip in it.
There's an awful lot of stuff
that has to be done
in order to replace
the firmware in that.
And one of the things
I would like to do
is to come up with
general-purpose firmware
that would work,
not just on that one particular drive, but on
the vast majority of drives that have no code signing
protection at all. And there are way more than you might think.
Pretty much any drive you can get for $5, it's probably
going to be susceptible to this. And so I think
it would be really valuable to have general purpose firmware
so that you could replace the firmware that's on there,
you could add features to it, like you could add encrypted drive support to it.
You could make it show up as different things. You could be like a rubber ducky type
thing, so you could have it pretend to be a USB keyboard and type out scripts.
So when you plug it into a computer, you could do whatever, install tools,
take control of it. So there's just a huge
wealth of things that you could do with it if you had the ability to change it.
Do these have the ability to change their firmware?
Isn't this just ROM code?
Yes, they do.
The firmware is actually stored
on the NAND chip.
So when the device first
starts up, it does have a little
ROM in it that it uses to determine
is there firmware for me to boot?
It has a basic NAND chip communication, so it checks to see if it's there.
And if it is, it loads it into RAM and runs it.
But if not, it goes into a special mode where it waits to receive new firmware.
So a lot of them actually do have firmware updates.
You never hear about it because why would you need to update the firmware on a USB flash drive?
But there are tools out there that let you do it. And it can be done easily.
So some of these USB drives that I might use, except they flash,
I could just learn their firmware and then change it so that they didn't flash.
Yeah.
Or I could continue with the electrical tape.
Seems cheaper, or at least less time consuming.
The firmware actually, it has some special commands in it that it will interpret, and if you send one of those commands to it, it will jump into its boot ROM and allow you to send any code you want to it. It doesn't have to be new firmware. You could just run code in RAM. It could be a one-time thing, a runtime thing, you know. It doesn't have to be permanent. There's lots
of things you can do with it. And I think a lot of people don't know that.
So getting
that word out there, which I think would help with
the trustworthiness of these flash
drives, but also
repurposing them.
I mean, like this whole idea
of adding encryption to them. You could
obsolete these really expensive
FIPS encrypted drives that they charge an arm and a leg for.
You could actually do that yourself
using flash drives you already have.
All you have to do is run...
Imagine if you could just run a program
and you could change the firmware on it
and you'd have the same functionality
that you get from one of these really expensive drives.
Are you writing that up somewhere?
Or is it somewhere... I know you have a blog. Are you talking about that on the blog already?
I've given some talks at conferences about the idea of it. I did release, years ago, I released some code for a very particular manufacturer of flash drive controller and a very particular revision from that manufacturer that would allow you to change the firmware on it, and it had from-scratch replacement firmware for that particular drive. But what I don't have released yet, and really haven't even started yet, is the general purpose firmware that would work not only for all the revisions of drives from that manufacturer, but from all the others as well.
I know it can be done. I've done some basic research into them all. I know that they have no code signing protections. I know that you can change them. I just don't have anything written or even started as far as adding support to the others.
Well, it'll make a nice white paper for your consulting company.
One more question.
We talked about IDA, the disassembler.
And I had a couple of people ask about Binwalk and Hexinator and 010 Editor and Radare2.
Do you know about those tools?
What are they?
And where do I go to get them?
And what do I use them for?
You can use those tools to learn more, like Binwalk.
You can use that to learn more about binaries.
You can learn more about what's in them.
They have a lot of built-in tests to look for different signatures of things you might typically find.
I find those tools more useful for things that are kind of well-known.
For example, routers.
A lot of routers run some sort of small version of Linux that you can run these tools against,
and they will quickly tell you where these signatures are and where these things are stored
and give you some clues as to how it boots them and how you can change them and that kind of thing.
So I think those tools are more useful for devices like that.
What I do is I tend to focus on devices that are weird, so weird that you can't just slap Linux on it.
It's something somebody custom wrote, something that is completely unknown, just because I find them more interesting.
I think that if nobody knows anything about it and it's truly a black box, then everybody's on the same level playing field, and it's just more challenging and more interesting that way.
But as far as those tools, you can get them from Google.
I mean, a lot of them, if not all of them,
are open source tools that you can get easily enough.
I have never used them.
And I look at them and I guess I have used objdump.
How would you say that?
objdump.
Okay.
And other things like that to look at my code to make sure it was organized or secured properly.
You're not usually reversing something.
I know.
But sometimes they want to.
Well, we have a whole house full of things.
Yes.
Although, Brandon, I do have a request for you.
Please don't mess with any of my devices.
Oh, I will not.
I'll do my best.
Although, the LeapFrog toys, you could go take those apart.
They were fun.
8051s, too.
Believe it or not, the flash drives, that's the processor they have.
It's an 8051.
So all that firmware is written in 8051.
These chips are never going to go away. Why would they when they cost two pennies?
Well, we should go back to our days. Chris, do you have any more questions?
We should probably ask about the conference.
Oh, right, right, right, right.
You mentioned the Hardwear.io conference in September, mid-September in The Hague.
...calculators. It's kind of a very technical,
historical overview of how things started
and how we got to where we are
and where we hopefully want to go.
And The Village is about that Genesis game,
about dumping the ROM of it.
There will be a setup
where you can hopefully dump it yourself
because it's a very complicated procedure.
I kind of ran through it really quickly earlier, where you have to plug things in at a certain time and you have to manually enter Game Genie codes. I mean, it's very complicated.
So I think it would be interesting for somebody to step through that themselves and see how to trigger it and get a better understanding of how it works and why it works and what you can do to stop it.
Is there anything you're looking forward to attending at the conference?
I haven't looked at the other talks that closely,
but I am sure that they're interesting.
I am very excited to go and talk to different people and kind of share knowledge and swap stories.
I think it's going to be just a ton of interesting people, and they all have their own stories and perspectives that you just would really want to hear.
And I think that a lot of people think this stuff is kind of out of their reach, and it's really not.
It's really not.
The only reason I know so much about calculators is because I've wasted a lot of time since middle school doing it.
Anybody can do it.
It's just a matter of how motivated you are and what information you can get access to and the people you can talk to.
And once you kind of get over that hump, anybody can learn anything.
And I'm excited to learn a little sliver of what it is that they know.
Well, and it would be a lot easier to learn about calculators now with the Internet being more available than it would have been in 1997.
Oh, yeah. Actually, you know, I mentioned if it's possible to do it with a calculator, you can do it.
There was, actually, you actually had telnet for the calculators way, way back when, before USB ports and Wi-Fi attachments, stuff like that.
You could actually attach the I/O port on the calculator straight to a modem and dial in to wherever you wanted and check your email at the time. Whatever it is you wanted to do.
If you can think of it, it's been done on the calculators.
Bitcoin mining.
Not yet.
It's so efficient.
Not yet.
Well, Brandon, do you have any thoughts you'd like to leave us with?
Maybe just a piece of advice for anyone who's getting into this stuff.
Don't be afraid to work on something.
Just because you think you might get in trouble, or you think you don't know enough to figure it out, or whatever, don't let that stop you.
There are so many projects I've worked on that I knew absolutely nothing about when I started, and you could argue I still don't.
You can take really weird approaches that people would laugh at you if you described it to them. They just won't believe it, and don't let that stuff stop you.
Every time I go to talk somewhere, that's always been my final thought: don't let people stop you. You can do it. And it doesn't matter what anyone else has to say.
If it makes sense to you in your mind and you believe it can be done, do it. Because those are the most worthwhile projects. And I can tell you it's definitely worth it.
That's great.
Our guest has been Brandon Wilson,
software developer and application security consultant.
He will be at the Hardwear.io conference next week in The Hague,
talking about the race to secure Texas Instruments graphing calculators
and that Sega Genesis hardware hacking village.
Thank you for being with us, Brandon.
Thank you.
Thank you to the folks at Hardwear.io for connecting me to Brandon.
Thank you to the Patreon supporters for Brandon's mic.
Thank you also to Particle.io for their Spectra conference coupons and giveaway.
Don't forget to contact me if you want those.
You have until September 15th.
Of course, there'll be numerous links in the show notes if you want to know more. Check out your podcast app or embedded.fm.
Finally, thank you to Christopher for producing and co-hosting and you for listening. You can
always contact us at show at embedded.fm or hit the contact link on that embedded.fm website.
And now a quote to leave you with this one from Wikipedia.
The name pronounced with a long I is an acronym of Z integrated logic.
Also thought of as Z for the last word of integrated logic.
That was, of course, on the Zilog page.
...show. We did not put them there and do not receive money from them. At this time, our sponsors are
Logical Elegance and listeners like you.