[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:09.67,0:00:12.35,Default,,0000,0000,0000,,So, I have already been introduced
Dialogue: 0,0:00:12.35,0:00:14.18,Default,,0000,0000,0000,,My name is Stefan Widmann
Dialogue: 0,0:00:14.18,0:00:18.32,Default,,0000,0000,0000,,and maybe I can have my slides?
Dialogue: 0,0:00:26.22,0:00:28.98,Default,,0000,0000,0000,,Hello, my slides?
Dialogue: 0,0:00:34.49,0:00:39.53,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:00:39.53,0:00:42.15,Default,,0000,0000,0000,,I'm on the VGA.
Dialogue: 0,0:00:47.60,0:00:50.12,Default,,0000,0000,0000,,[hums]
Dialogue: 0,0:00:52.34,0:00:54.13,Default,,0000,0000,0000,,Yeah, um...
Dialogue: 0,0:00:57.90,0:01:00.10,Default,,0000,0000,0000,,[mumbling]
Dialogue: 0,0:01:10.58,0:01:17.19,Default,,0000,0000,0000,,Okay, so while we're waiting until\Nmy slides appear somehow.
Dialogue: 0,0:01:17.19,0:01:19.27,Default,,0000,0000,0000,,Who has seen the incredible talk about
Dialogue: 0,0:01:19.27,0:01:22.31,Default,,0000,0000,0000,,hacking the VoIP phones from Cisco, last year
Dialogue: 0,0:01:22.31,0:01:25.60,Default,,0000,0000,0000,,either live or on video?
Dialogue: 0,0:01:25.60,0:01:28.03,Default,,0000,0000,0000,,Okay some of you.
Dialogue: 0,0:01:28.03,0:01:30.53,Default,,0000,0000,0000,,When we think about this talk
Dialogue: 0,0:01:30.53,0:01:34.94,Default,,0000,0000,0000,,The Cisco VoIP phones have an embedded
Dialogue: 0,0:01:34.94,0:01:37.89,Default,,0000,0000,0000,,Linux operating system, but they did not only
Dialogue: 0,0:01:37.89,0:01:41.89,Default,,0000,0000,0000,,have to deal with the Linux OS, but also with
Dialogue: 0,0:01:41.89,0:01:44.37,Default,,0000,0000,0000,,the firmware of the DSP.
Dialogue: 0,0:01:44.37,0:01:50.91,Default,,0000,0000,0000,,So I want to tell you there's\Nnot only one system,
Dialogue: 0,0:01:50.91,0:02:03.30,Default,,0000,0000,0000,,but several systems. Several\Nsub-systems containing firmware
Dialogue: 0,0:02:03.30,0:02:06.94,Default,,0000,0000,0000,,Slides would be nice, we can start\Nwithout slides, there's no problem.
Dialogue: 0,0:02:06.94,0:02:09.90,Default,,0000,0000,0000,,So what are we going to talk about today?
Dialogue: 0,0:02:09.90,0:02:15.50,Default,,0000,0000,0000,,First we are going to talk about motivation,\Nwhy should we do firmware analysis.
Dialogue: 0,0:02:15.50,0:02:25.54,Default,,0000,0000,0000,,Then we need to be able to do it, so we\Nhave some prerequisites to bring with us.
Dialogue: 0,0:02:25.54,0:02:34.10,Default,,0000,0000,0000,,Then we'll dig deep into the topics. We will\Ntry to look at how we obtain a firmware,
Dialogue: 0,0:02:34.10,0:02:41.19,Default,,0000,0000,0000,,how can we analyze it, and how can we modify it.
Dialogue: 0,0:02:41.19,0:02:54.00,Default,,0000,0000,0000,,Hmm. Angel: We are sorry for the brief hiccup, we're\Nworking on that. It's the second talk. I'm sorry.
Dialogue: 0,0:02:54.00,0:02:58.03,Default,,0000,0000,0000,,[speaks German]
Dialogue: 0,0:03:33.25,0:03:34.57,Default,,0000,0000,0000,,Hmm
Dialogue: 0,0:03:37.66,0:03:43.17,Default,,0000,0000,0000,,Okay, so we can do without slides, it's okay.
Dialogue: 0,0:03:43.17,0:03:48.90,Default,,0000,0000,0000,,Let's start with the motivation, why do we\Nwant to do firmware analysis.
Dialogue: 0,0:03:48.90,0:03:58.24,Default,,0000,0000,0000,,When talking to my lawyer I learned that I\Nhad to clean up 90% of my motivation slide.
Dialogue: 0,0:03:58.24,0:04:06.57,Default,,0000,0000,0000,,And what's left is, you can do it if you\Nwant to gain interoperability.
Dialogue: 0,0:04:06.57,0:04:10.11,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:04:10.11,0:04:14.79,Default,,0000,0000,0000,,You can do it if you want to get rid\Nof errors, and the manufacturer
Dialogue: 0,0:04:14.79,0:04:21.56,Default,,0000,0000,0000,,does not want to or is unable.\NAnd one interesting point under
Dialogue: 0,0:04:21.56,0:04:29.24,Default,,0000,0000,0000,,discussion is, what about forensics,\Ntaking a look in those thousands of devices
Dialogue: 0,0:04:29.24,0:04:35.73,Default,,0000,0000,0000,,in everyday life. Do they only do\Nwhat they are supposed to do?
Dialogue: 0,0:04:43.23,0:04:48.03,Default,,0000,0000,0000,,Herald: Yes, we are still hunting for a Video\NAngel to sort this little problem out. We should
Dialogue: 0,0:04:48.03,0:04:54.12,Default,,0000,0000,0000,,have one here within 1 minute.\NAgain, very sorry.
Dialogue: 0,0:05:06.47,0:05:11.99,Default,,0000,0000,0000,,We now have Nick Farr on stage,\Nour certified PowerPoint specialist.
Dialogue: 0,0:05:11.99,0:05:17.27,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:05:17.27,0:05:20.11,Default,,0000,0000,0000,,It can only take minutes now.
Dialogue: 0,0:06:06.33,0:06:10.76,Default,,0000,0000,0000,,Maybe we can continue. So I will just tell\Nyou something about prerequisites you
Dialogue: 0,0:06:10.76,0:06:19.19,Default,,0000,0000,0000,,should bring when starting to analyse.\NYou should at least have a good knowledge
Dialogue: 0,0:06:19.19,0:06:26.08,Default,,0000,0000,0000,,of embedded system architecture.\NYou should have dealt with peripherals,
Dialogue: 0,0:06:26.08,0:06:32.22,Default,,0000,0000,0000,,bus interfaces and so on.\NYou should be able to read
Dialogue: 0,0:06:32.22,0:06:35.18,Default,,0000,0000,0000,,and write assembler.\NSome might say:
Dialogue: 0,0:06:35.18,0:06:39.20,Default,,0000,0000,0000,,I have a very good decompiler,\Nwhich is fine.
Dialogue: 0,0:06:39.20,0:06:45.52,Default,,0000,0000,0000,,If it works for you, okay, but don't\Nrely on the availability of a decompiler
Dialogue: 0,0:06:45.52,0:06:49.19,Default,,0000,0000,0000,,for the architecture you're going to be working on.
Dialogue: 0,0:06:49.19,0:06:55.68,Default,,0000,0000,0000,,Especially if you are going to work\Nlow down in the register stuff.
Dialogue: 0,0:06:55.68,0:07:03.66,Default,,0000,0000,0000,,And in my opinion, a decompiler output\Nwill confuse you more than help you.
Dialogue: 0,0:07:03.66,0:07:12.54,Default,,0000,0000,0000,,You will go to disassemble maybe, C runtime\Nlibraries, optimized to be as small as possible.
Dialogue: 0,0:07:12.54,0:07:18.37,Default,,0000,0000,0000,,That can be really hard in decompiler output.
Dialogue: 0,0:07:18.37,0:07:28.73,Default,,0000,0000,0000,,If you want to practice how embedded systems\Nare working, then it might be a good idea to fetch
Dialogue: 0,0:07:28.73,0:07:36.34,Default,,0000,0000,0000,,your Arduino or whatever. You write some\Nlittle C code, handling some hardware stuff.
Dialogue: 0,0:07:36.34,0:07:45.50,Default,,0000,0000,0000,,Then you just compile it and take a look,\Nwhat the disassembly looks like.
Dialogue: 0,0:07:45.50,0:07:55.77,Default,,0000,0000,0000,,Very nice to have is a device reader or programmer,\Nlike galib. The problem is they are expensive.
Dialogue: 0,0:07:55.77,0:08:03.93,Default,,0000,0000,0000,,If you think we are going to do firmware analysis, it\Nmay be a valuable investment for your hackerspace.
Dialogue: 0,0:08:03.93,0:08:09.33,Default,,0000,0000,0000,,And last but not least, what you need most is time.
Dialogue: 0,0:08:09.33,0:08:16.51,Default,,0000,0000,0000,,Time, time, time. It may take hours, days\Nwithout any progress, so please be patient.
Dialogue: 0,0:08:20.95,0:08:26.56,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:08:29.68,0:08:35.89,Default,,0000,0000,0000,,Any volunteers to make up some slides here?
Dialogue: 0,0:08:43.63,0:08:50.97,Default,,0000,0000,0000,,I swear, it worked perfectly okay with\Nmy external monitor.
Dialogue: 0,0:08:50.97,0:09:04.30,Default,,0000,0000,0000,,Yes? [illegible]
Dialogue: 0,0:09:04.30,0:09:08.30,Default,,0000,0000,0000,,So I'll have to fetch my USB stick, wait a moment.
Dialogue: 0,0:09:08.30,0:09:52.52,Default,,0000,0000,0000,,No problem, we're flexible.\N[whistling]
Dialogue: 0,0:10:09.57,0:10:15.26,Default,,0000,0000,0000,,So is there anyone who knows their\Nway around a computer around here?
Dialogue: 0,0:10:15.26,0:10:19.80,Default,,0000,0000,0000,,Herald: While we figure that out, it might\Nbe a good possibility to remind you all
Dialogue: 0,0:10:19.80,0:10:27.50,Default,,0000,0000,0000,,that we are still looking for some Angels.\NYou could do video angels, which are in
Dialogue: 0,0:10:27.50,0:10:32.70,Default,,0000,0000,0000,,high demand right now. Or you could just\Ndo any other work you'd like to.
Dialogue: 0,0:10:32.70,0:10:38.19,Default,,0000,0000,0000,,You can do one or two shifts, that's fine.\NIt would be greatly appreciated
Dialogue: 0,0:10:38.19,0:10:49.23,Default,,0000,0000,0000,,because we require volunteer work for this event.\NAlso if you brought any beverages in here,
Dialogue: 0,0:10:49.23,0:10:54.26,Default,,0000,0000,0000,,it'd be awesome if you could take them out\Nwith you. And put them into the little
Dialogue: 0,0:10:54.26,0:11:01.99,Default,,0000,0000,0000,,storage cases located all around the building.\NTrust me when we are finished,
Dialogue: 0,0:11:01.99,0:11:10.77,Default,,0000,0000,0000,,you'll be able to do this announcement.\NAre we good? No, not really.\N
Dialogue: 0,0:11:10.77,0:11:12.54,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:11:12.54,0:11:15.81,Default,,0000,0000,0000,,It looks good on the laptop.
Dialogue: 0,0:11:15.81,0:11:19.18,Default,,0000,0000,0000,,You want to give a quick intro\Nto the new Ubuntu desktop?
Dialogue: 0,0:11:19.18,0:11:27.89,Default,,0000,0000,0000,,Because I did not get that at all.
Dialogue: 0,0:11:27.89,0:11:33.40,Default,,0000,0000,0000,,Yeah, mirror displays man.
Dialogue: 0,0:11:33.40,0:11:39.71,Default,,0000,0000,0000,,4 to 3 slides.
Dialogue: 0,0:11:39.71,0:11:41.82,Default,,0000,0000,0000,,Now we are making progress
Dialogue: 0,0:11:41.82,0:11:45.50,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:11:45.50,0:11:47.81,Default,,0000,0000,0000,,Enjoy the talk!
Dialogue: 0,0:11:47.81,0:11:51.75,Default,,0000,0000,0000,,Okay, perfect, now with slides.
Dialogue: 0,0:11:51.75,0:11:56.98,Default,,0000,0000,0000,,One small announcement, there will be\N5 more minutes of extra talk at the end.
Dialogue: 0,0:11:56.98,0:12:04.20,Default,,0000,0000,0000,,We'll do that. So just please ignore the yellow bars.
Dialogue: 0,0:12:04.20,0:12:07.80,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:12:07.80,0:12:18.31,Default,,0000,0000,0000,,Not really no.
Dialogue: 0,0:12:18.31,0:12:26.33,Default,,0000,0000,0000,,High level devices. Big complexity. YES!
Dialogue: 0,0:12:28.56,0:12:31.12,Default,,0000,0000,0000,,Perfect, thank you, without yellow bars, thank you.
Dialogue: 0,0:12:31.12,0:12:41.75,Default,,0000,0000,0000,,Okay. So we already talked about prerequisites,\Nso now we're going deep into the topics.
Dialogue: 0,0:12:41.75,0:12:49.85,Default,,0000,0000,0000,,First we need to obtain a firmware. We\Nwill go from non-invasive to invasive.
Dialogue: 0,0:12:49.85,0:12:57.51,Default,,0000,0000,0000,,Because first thing we want to try is getting\Nthe firmware without opening the device.
Dialogue: 0,0:12:57.51,0:13:03.26,Default,,0000,0000,0000,,We will first try to download a plain binary\Nfrom the manufacturer,
Dialogue: 0,0:13:03.26,0:13:12.15,Default,,0000,0000,0000,,or maybe someone else has extracted\Na binary and placed it on the internet.
Dialogue: 0,0:13:12.15,0:13:19.44,Default,,0000,0000,0000,,You can try to download a bootdisk, USB,\NCD-ROM, bootimage, whatever the manuf. provides,
Dialogue: 0,0:13:19.44,0:13:25.64,Default,,0000,0000,0000,,and extract it using, for example, WinRAR\Non Windows or just mount it on Linux.
Dialogue: 0,0:13:25.64,0:13:34.78,Default,,0000,0000,0000,,Search for files named .bin, .hex, .s19, .mot,\Nlike Motorola, .rom or .raw.
Dialogue: 0,0:13:34.78,0:13:42.44,Default,,0000,0000,0000,,Most times binary, that means .bin, .rom or\N.raw files are already real binary files.
Dialogue: 0,0:13:42.44,0:13:50.69,Default,,0000,0000,0000,,Non-binary files should be converted to\Nbin files, e.g. with converters like hex2bin.
Dialogue: 0,0:13:50.69,0:13:55.88,Default,,0000,0000,0000,,If this doesn't work out, maybe we get\Nan updater from the manufacturer.
Dialogue: 0,0:13:55.88,0:14:00.46,Default,,0000,0000,0000,,Normally they're .exe files built for Windows.
Dialogue: 0,0:14:00.46,0:14:07.43,Default,,0000,0000,0000,,There are different updater types.\NFirst the self-extracting archives.
Dialogue: 0,0:14:07.43,0:14:12.42,Default,,0000,0000,0000,,It might be an installer too,\Nlike InstallShield or whatever.
Dialogue: 0,0:14:12.42,0:14:18.97,Default,,0000,0000,0000,,It might be an updater, simple .exe file\Nwithout any installation, just containing the image.
Dialogue: 0,0:14:18.97,0:14:25.49,Default,,0000,0000,0000,,It might be an updater that is downloading\Nan image, or it might be some of the others,
Dialogue: 0,0:14:25.49,0:14:31.68,Default,,0000,0000,0000,,but packed with an executable packer\Nlike UPX or PECompact.
Dialogue: 0,0:14:31.68,0:14:33.49,Default,,0000,0000,0000,,Let's go a little bit into detail.
Dialogue: 0,0:14:33.49,0:14:43.00,Default,,0000,0000,0000,,So if it's a self-extracting archive search\Nfor signatures like RARSFX or PK.
Dialogue: 0,0:14:43.00,0:14:53.44,Default,,0000,0000,0000,,You can unpack them, e.g. if you rename\Na PK containing file to .zip you can unzip it.
Dialogue: 0,0:14:53.44,0:14:59.22,Default,,0000,0000,0000,,If it is an installer, like InstallShield, there are\Nspecial unpackers, but the problem is they are
Dialogue: 0,0:14:59.22,0:15:06.15,Default,,0000,0000,0000,,very hard to use and extremely version specific.\NIt might work, it might not.
Dialogue: 0,0:15:06.15,0:15:10.99,Default,,0000,0000,0000,,The best way is to just let it install\Nand search in the installed files
Dialogue: 0,0:15:10.99,0:15:20.24,Default,,0000,0000,0000,,for a plain image or updater. If it's an\Nupdater containing the firmware image,\N
Dialogue: 0,0:15:20.24,0:15:26.28,Default,,0000,0000,0000,,we can search for the image in the executable\Nusing your favorite hex-editor.
Dialogue: 0,0:15:26.28,0:15:33.68,Default,,0000,0000,0000,,Maybe the updater is writing the data to a file, a temporary file in most cases, and deleting
Dialogue: 0,0:15:33.68,0:15:40.74,Default,,0000,0000,0000,,it after usage. You can use ProcessMonitor\Nwhich is like strace but on Windows
Dialogue: 0,0:15:40.74,0:15:45.90,Default,,0000,0000,0000,,and you can take a look at what files\Nare written to disk and can try to capture it
Dialogue: 0,0:15:45.90,0:15:52.30,Default,,0000,0000,0000,,before it's deleted. Maybe the updater is\Njust checking your device, so it's just
Dialogue: 0,0:15:52.30,0:15:57.48,Default,,0000,0000,0000,,a little downloader. Checking your device\Ntype, take a look on the ftp-site of the
Dialogue: 0,0:15:57.48,0:16:02.52,Default,,0000,0000,0000,,manufacturer and is downloading an\Nimage if there's one available.
Dialogue: 0,0:16:02.52,0:16:08.58,Default,,0000,0000,0000,,So if it's downloading the image to a\Nfile, use ProcessMonitor again.
Dialogue: 0,0:16:08.58,0:16:19.29,Default,,0000,0000,0000,,If it's just downloading to RAM, you have\Nto go for a debugger, and dump it from memory.
Dialogue: 0,0:16:19.29,0:16:27.30,Default,,0000,0000,0000,,If you have a packed updater, which\Nof course is only done to save size.
Dialogue: 0,0:16:27.30,0:16:36.52,Default,,0000,0000,0000,,If it's standard UPX, you can download UPX\Nand use UPX -d to unpack it.
Dialogue: 0,0:16:36.52,0:16:44.14,Default,,0000,0000,0000,,Sometimes the manufacturers violate the\Nlicense of UPX and modify UPX by removing
Dialogue: 0,0:16:44.14,0:16:51.50,Default,,0000,0000,0000,,vital file information to make it un-depackable.\NSo you would need a special unpacker.
Dialogue: 0,0:16:51.50,0:17:00.73,Default,,0000,0000,0000,,Other executable packers are most times\Ndesigned not to be uncompressed.
Dialogue: 0,0:17:00.73,0:17:05.38,Default,,0000,0000,0000,,So you would need special unpackers too.
Dialogue: 0,0:17:05.38,0:17:12.24,Default,,0000,0000,0000,,One challenge that awaits us is, maybe\Nthe updaters contain compressed images.
Dialogue: 0,0:17:12.24,0:17:20.71,Default,,0000,0000,0000,,They are normally unpacked before the image\Nis written to the device, so we can just watch
Dialogue: 0,0:17:20.71,0:17:27.24,Default,,0000,0000,0000,,the process memory with a debugger and dump it.
Dialogue: 0,0:17:27.24,0:17:34.20,Default,,0000,0000,0000,,What's a bit more challenging is when the\Nfirmware is sent compressed to the device.
Dialogue: 0,0:17:34.20,0:17:40.83,Default,,0000,0000,0000,,So we have to use invasive techniques\Nwe will talk about later.
Dialogue: 0,0:17:40.83,0:17:47.75,Default,,0000,0000,0000,,It's a good idea to get a sniffer ready\Nwhen you first connect your device to your PC.
Dialogue: 0,0:17:47.75,0:17:56.23,Default,,0000,0000,0000,,Maybe the favourite bloatware coming with\Nthe device wants to update it instantly.
Dialogue: 0,0:17:56.23,0:18:04.26,Default,,0000,0000,0000,,What can you do to sniff the transfers?\NOn Windows XP, and I'm sorry it's only XP,
Dialogue: 0,0:18:04.26,0:18:14.31,Default,,0000,0000,0000,,there's TraceSPTI, a fantastic tool tracing SPTI,\NSCSI Pass Through Interface.
Dialogue: 0,0:18:14.31,0:18:22.57,Default,,0000,0000,0000,,So you might think SCSI? I do not have any SCSI\Ndevices, but very much communication is done using
Dialogue: 0,0:18:22.57,0:18:33.24,Default,,0000,0000,0000,,this protocol on Windows, to identify S/ATA\NUSB devices, especially if they are ATAPI.
Dialogue: 0,0:18:33.24,0:18:39.04,Default,,0000,0000,0000,,On the Linux side you might use Wireshark\Nto trace the communication, because Wireshark
Dialogue: 0,0:18:39.04,0:18:47.31,Default,,0000,0000,0000,,on Linux can trace and sniff USB. There are\Nvarious other tools like Bushound and so on
Dialogue: 0,0:18:47.31,0:18:54.75,Default,,0000,0000,0000,,to watch communication on buses. But the\Nproblem is they are normally very expensive.
Dialogue: 0,0:18:54.75,0:19:00.77,Default,,0000,0000,0000,,A problem you'll have if you're trying to sniff\Nthe update transfer and reconstruct the image is
Dialogue: 0,0:19:00.77,0:19:13.61,Default,,0000,0000,0000,,that it's like a puzzle. You don't know how to\Nbuild the image, and if you're doing it right or not.
Dialogue: 0,0:19:13.61,0:19:20.64,Default,,0000,0000,0000,,If we do not have a firmware yet,\Nit might get invasive now.
Dialogue: 0,0:19:20.64,0:19:26.89,Default,,0000,0000,0000,,We'll search for serial interfaces, sometimes\Nthey are accessible without opening the device,
Dialogue: 0,0:19:26.89,0:19:33.54,Default,,0000,0000,0000,,sometimes not. Do we have an embedded Linux\Nsystem? Yes, we can search for a serial console.
Dialogue: 0,0:19:33.54,0:19:42.22,Default,,0000,0000,0000,,Maybe we have to use JTAG, there was a very\Ngood talk on 27C3 about JTAG, serial flash and so on,
Dialogue: 0,0:19:42.22,0:19:47.51,Default,,0000,0000,0000,,so I've included a link here.
Dialogue: 0,0:19:47.51,0:19:53.20,Default,,0000,0000,0000,,So, still no firmware? Get your screwdriver,\Nlet's void warranties.
Dialogue: 0,0:19:53.20,0:19:58.56,Default,,0000,0000,0000,,We open the device and we search for\Nmemory devices on the PCB.
Dialogue: 0,0:19:58.56,0:20:07.38,Default,,0000,0000,0000,,If you have a very old device, maybe you'll\Nencounter EPROMs or even PROMs, 27-somethings.
Dialogue: 0,0:20:07.38,0:20:15.23,Default,,0000,0000,0000,,If it's a little bit newer, you might see EEPROMs\Nand flash. 28, 29, 39, 49 something and
Dialogue: 0,0:20:15.23,0:20:25.95,Default,,0000,0000,0000,,the big flash devices with 48 pins for\Nexample with various other names.
Dialogue: 0,0:20:25.95,0:20:35.51,Default,,0000,0000,0000,,Very nice to see is that serial flashes,\Nthose 8-pin devices 25..., sometimes 24...
Dialogue: 0,0:20:35.51,0:20:42.99,Default,,0000,0000,0000,,are more and more becoming the standard.\NThey are easy to de-solder, easy to re-solder
Dialogue: 0,0:20:42.99,0:20:51.68,Default,,0000,0000,0000,,and there are very cheap readers and programmers\Navailable. But please, even if some say we can
Dialogue: 0,0:20:51.68,0:21:02.33,Default,,0000,0000,0000,,do it in system without desoldering the chip,\Nplease don't do it. It can lead to very big problems.
Dialogue: 0,0:21:02.33,0:21:07.63,Default,,0000,0000,0000,,To make it a little bit harder, firmware can be\Ncontained in chip-internal memories.
Dialogue: 0,0:21:07.63,0:21:17.14,Default,,0000,0000,0000,,You can try to use proprietary programming\Ninterfaces to read the firmware, of course JTAG.
Dialogue: 0,0:21:17.14,0:21:24.39,Default,,0000,0000,0000,,Some devices do have bootloaders in a mask ROM.\NYou can try to use them.
Dialogue: 0,0:21:24.39,0:21:29.62,Default,,0000,0000,0000,,If none of these approaches succeed,\Nyou can try microprobing.
Dialogue: 0,0:21:29.62,0:21:38.32,Default,,0000,0000,0000,,There was a talk on last year's congress\Nabout low-cost chip microprobing, I've
Dialogue: 0,0:21:38.32,0:21:46.96,Default,,0000,0000,0000,,included a link here. So just for the matter of\Ncompleteness I've mentioned CPLDs and FPGAs.
Dialogue: 0,0:21:46.96,0:21:53.86,Default,,0000,0000,0000,,You know CPLDs are built up using internal EEPROMs.
Dialogue: 0,0:21:53.86,0:22:04.11,Default,,0000,0000,0000,,FPGAs, Field Programmable Gate Arrays, have internal\NSRAM and an external serial configuration flash.
Dialogue: 0,0:22:04.11,0:22:12.41,Default,,0000,0000,0000,,Some years ago they were marketed as being\Nreverse-engineer proof, okay. Yeah, maybe.
Dialogue: 0,0:22:12.41,0:22:22.96,Default,,0000,0000,0000,,There's a talk tomorrow, same time I think, in\NSaal 2, about taking a closer look at FPGAs.
Dialogue: 0,0:22:22.96,0:22:29.13,Default,,0000,0000,0000,,Yeah, congratulations, we've done it,\Nwe have our firmware, perfect.
Dialogue: 0,0:22:29.13,0:22:33.66,Default,,0000,0000,0000,,So what's next, now we have to analyze it.
Dialogue: 0,0:22:33.66,0:22:40.30,Default,,0000,0000,0000,,The problem is what processor is used.\NWe don't know which disassembler to use.
Dialogue: 0,0:22:40.30,0:22:45.53,Default,,0000,0000,0000,,So we are searching the web for any\Ndatasheets, can we get any information.
Dialogue: 0,0:22:45.53,0:22:57.62,Default,,0000,0000,0000,,Can we find out what processor is in use? The\Nproblem is in many cases you won't get the datasheets.
Dialogue: 0,0:22:57.62,0:23:08.38,Default,,0000,0000,0000,,The manufacturer says, you buy 1 million devices\Na year, and you sign an NDA, you get the datasheets.
Dialogue: 0,0:23:08.38,0:23:16.72,Default,,0000,0000,0000,,Now you have to be really patient, now it gets\Nto trial and error, trying different disassemblers.
Dialogue: 0,0:23:16.72,0:23:24.30,Default,,0000,0000,0000,,You can use specific disassemblers, they\Nare only built for one architecture.
Dialogue: 0,0:23:24.30,0:23:29.76,Default,,0000,0000,0000,,You can use a very good tool, the Interactive Disassembler, IDA. There's a freeware version.
Dialogue: 0,0:23:29.76,0:23:37.90,Default,,0000,0000,0000,,I've included a link in the link section of this talk,\Nbut the freeware only has a little set of architectures.
Dialogue: 0,0:23:37.90,0:23:46.42,Default,,0000,0000,0000,,If you want the full set, it gets very expensive.\NBut there is a new tool that I really like.
Dialogue: 0,0:23:46.42,0:23:55.05,Default,,0000,0000,0000,,It's ODA, the Online Disassembler, supporting\Nthirty something architectures, and it's free.
Dialogue: 0,0:23:55.05,0:24:01.48,Default,,0000,0000,0000,,You can upload binary files, you can\Nupload code, and try different architectures,
Dialogue: 0,0:24:01.48,0:24:07.50,Default,,0000,0000,0000,,and find out what might be the correct one,\Nand we'll do that now.
Dialogue: 0,0:24:07.50,0:24:12.35,Default,,0000,0000,0000,,So I've prepared some binary code.
Dialogue: 0,0:24:12.35,0:24:17.52,Default,,0000,0000,0000,,I know which architecture this has been\Nwritten for, because I did it.
Dialogue: 0,0:24:17.52,0:24:24.54,Default,,0000,0000,0000,,I put this code to Online Disassembler,\Nand I chose different architectures,
Dialogue: 0,0:24:24.54,0:24:28.28,Default,,0000,0000,0000,,and now let's look at what\Nthe disassembly looks like.
Dialogue: 0,0:24:28.28,0:24:36.50,Default,,0000,0000,0000,,Let's first start with former Hitachi, now\NRenesas, H8S. I hope you can read it.
Dialogue: 0,0:24:36.50,0:24:41.54,Default,,0000,0000,0000,,Take some time and please raise your hand\Nif you think this is valid disassembly and
Dialogue: 0,0:24:41.54,0:24:48.30,Default,,0000,0000,0000,,we have found our architecture.
Dialogue: 0,0:24:48.30,0:24:53.33,Default,,0000,0000,0000,,I see one hand.
Dialogue: 0,0:24:53.33,0:24:59.59,Default,,0000,0000,0000,,Okay, I have to disappoint you, I'm sorry, it's not valid disassembly, we can see it in the second line.
Dialogue: 0,0:24:59.59,0:25:06.22,Default,,0000,0000,0000,,The disassembler was not able to disassemble\Nthe data and it's just an undefined instruction.
Dialogue: 0,0:25:06.22,0:25:12.88,Default,,0000,0000,0000,,There are several .word's in the code. It's not H8S.
Dialogue: 0,0:25:12.88,0:25:22.25,Default,,0000,0000,0000,,Let's try MIPS. Again take some time and raise\Nyour hand if you think that's valid.
Dialogue: 0,0:25:22.25,0:25:27.21,Default,,0000,0000,0000,,{\i1}laughter{\i0} again?
Dialogue: 0,0:25:27.21,0:25:39.48,Default,,0000,0000,0000,,It's invalid too. We can see it in the second line,\Nbecause there's a dword that's not disassembled.
Dialogue: 0,0:25:39.48,0:25:50.69,Default,,0000,0000,0000,,What about Panasonic MN103 family?\NThe same hand again? Oh I see another hand.
Dialogue: 0,0:25:50.69,0:25:57.13,Default,,0000,0000,0000,,Ok, several hands now. Yeah, OK, thank you.
Dialogue: 0,0:25:57.13,0:26:01.22,Default,,0000,0000,0000,,So the problem is, it's not valid.\NI have to disappoint you.
Dialogue: 0,0:26:01.22,0:26:06.79,Default,,0000,0000,0000,,The problem is in this case, it looks really good\Nand you have to dig deeper.
Dialogue: 0,0:26:06.79,0:26:14.02,Default,,0000,0000,0000,,You will have to look at, are all subroutines\Ncorrect. Do they make sense?
Dialogue: 0,0:26:14.02,0:26:17.27,Default,,0000,0000,0000,,Are there subroutine calls at all and so on.
Dialogue: 0,0:26:17.27,0:26:23.14,Default,,0000,0000,0000,,And you will see something strange. Ok last try.
Dialogue: 0,0:26:23.14,0:26:28.53,Default,,0000,0000,0000,,What about Texas Instruments MSP430?
Dialogue: 0,0:26:28.53,0:26:33.26,Default,,0000,0000,0000,,And again, please raise your hands.
Dialogue: 0,0:26:33.26,0:26:40.90,Default,,0000,0000,0000,,Okay? Yeah, this time it is MSP430!
Dialogue: 0,0:26:40.90,0:26:48.17,Default,,0000,0000,0000,,We have found our architecture, perfect,\Neureka, bingo, we have it.
Dialogue: 0,0:26:48.17,0:26:56.77,Default,,0000,0000,0000,,But what's next? The offset in the file,\Nof the firmware file we loaded is often
Dialogue: 0,0:26:56.77,0:27:04.85,Default,,0000,0000,0000,,not the offset in address space. This is no\Nreal problem when the architecture is
Dialogue: 0,0:27:04.85,0:27:12.03,Default,,0000,0000,0000,,using relative addressing. Relative addressing\Nmeans we have register content and whatever
Dialogue: 0,0:27:12.03,0:27:20.13,Default,,0000,0000,0000,,we want to access is based on some\Nregister's content. Location independent code.
Dialogue: 0,0:27:20.13,0:27:27.47,Default,,0000,0000,0000,,But we have a big problem when absolute\Naddressing is being used, and even architectures
Dialogue: 0,0:27:27.47,0:27:36.62,Default,,0000,0000,0000,,supporting relative addressing do have some\Nabsolute addressing, somewhere on some accesses.
Dialogue: 0,0:27:36.62,0:27:40.89,Default,,0000,0000,0000,,We would not know, where's the entry point.\NWhere should we start?
Dialogue: 0,0:27:40.89,0:27:47.55,Default,,0000,0000,0000,,Interrupt vectors might be decoded completely\Nwrong, subroutine calls do not make any sense.
Dialogue: 0,0:27:47.55,0:27:54.38,Default,,0000,0000,0000,,They go to [addresses] outside of our firmware\Nfor example, or in the middle of instructions.
Dialogue: 0,0:27:54.38,0:28:01.23,Default,,0000,0000,0000,,So the load offset has to be found.
Dialogue: 0,0:28:01.23,0:28:08.91,Default,,0000,0000,0000,,I'll now show a method I call "call distance search".
Dialogue: 0,0:28:08.91,0:28:15.57,Default,,0000,0000,0000,,We will select closely located subroutine addresses\Nand we'll have to decide either to use
Dialogue: 0,0:28:15.57,0:28:21.96,Default,,0000,0000,0000,,preceding return instructions in front of\Nthe subroutines, or the start of the function
Dialogue: 0,0:28:21.96,0:28:31.32,Default,,0000,0000,0000,,entry sequence. We build a search string\Ncontaining wildcards, and then we search.
Dialogue: 0,0:28:31.32,0:28:36.28,Default,,0000,0000,0000,,Now we'll do that together, I've prepared an example.
Dialogue: 0,0:28:36.28,0:28:45.77,Default,,0000,0000,0000,,This is 8051 code. The 8051 core is very old, it's\Nan 8-bit controller, but it's still widely used in the field
Dialogue: 0,0:28:45.77,0:28:53.65,Default,,0000,0000,0000,,because it's cheap as dirt and you can\Nimplement it wherever you want.
Dialogue: 0,0:28:53.65,0:29:01.72,Default,,0000,0000,0000,,In the left column we see the addresses\Nof our example, from 0x00 to 0x13 hex.
Dialogue: 0,0:29:01.72,0:29:13.43,Default,,0000,0000,0000,,We see four subroutines, with the first being the root\Nsubroutine, calling the other three subroutines.
Dialogue: 0,0:29:13.43,0:29:23.44,Default,,0000,0000,0000,,We can see the first call to 0x100 is outside our\Nexample, we do not have 0x100 in this example.
Dialogue: 0,0:29:23.44,0:29:30.47,Default,,0000,0000,0000,,So what we do is take the three subroutine\Naddresses and sort them.
Dialogue: 0,0:29:30.47,0:29:40.68,Default,,0000,0000,0000,,So we're getting 0x100, 0x103, and 0x107. We calculate\Nthe difference to figure out the length of the subroutines.
Dialogue: 0,0:29:40.68,0:29:53.44,Default,,0000,0000,0000,,We get 3 bytes and 4 bytes. Now we look at how\Nsubroutines are built in this specific architecture.
Dialogue: 0,0:29:53.44,0:30:01.82,Default,,0000,0000,0000,,On x86 you will mostly find it, not on the 64-bit\Nplatforms, but on the 32-bit and 16-bit platforms,
Dialogue: 0,0:30:01.82,0:30:11.50,Default,,0000,0000,0000,,you will find a stack-frame entry sequence in\Nevery function, like push bp or push ebp, 0x55.
Dialogue: 0,0:30:11.50,0:30:15.23,Default,,0000,0000,0000,,So you can trigger on that one.
Dialogue: 0,0:30:15.23,0:30:24.55,Default,,0000,0000,0000,,On 8051 it's not possible. Take a look at address 0x0A. It's 0xE0.
Dialogue: 0,0:30:24.55,0:30:28.53,Default,,0000,0000,0000,,Take a look at address 0x0D, it's 44, and 0x11 is 7B.
Dialogue: 0,0:30:28.53,0:30:32.11,Default,,0000,0000,0000,,They are not equal, it does not help us.
Dialogue: 0,0:30:32.11,0:30:39.69,Default,,0000,0000,0000,,So we look at the preceding returns\Nand yes there are returns in front
Dialogue: 0,0:30:39.69,0:30:45.48,Default,,0000,0000,0000,,of every subroutine.\NSo we take the 0x22 [ret] as our anchor.
Dialogue: 0,0:30:45.48,0:30:51.26,Default,,0000,0000,0000,,Our search string will look like this:\NWe start with the 0x22, we have a\N
Dialogue: 0,0:30:51.26,0:30:56.82,Default,,0000,0000,0000,,subroutine with a length of 3 bytes,\Nso we have 0x22 [ret], two wildcards and
Dialogue: 0,0:30:56.82,0:31:04.48,Default,,0000,0000,0000,,again a return. The second part of the\Nsearch string encodes the second\N
Dialogue: 0,0:31:04.48,0:31:13.24,Default,,0000,0000,0000,,subroutine with 4 bytes. So we have wildcard,\Nwildcard, wildcard and again a return [0x22].
Dialogue: 0,0:31:13.24,0:31:22.38,Default,,0000,0000,0000,,In this simple example we get only one hit,\Nperfect. We get a hit at address 0x09.
Dialogue: 0,0:31:22.38,0:31:27.89,Default,,0000,0000,0000,,But we do not want the address of the\Nreturn, we want the address of the subroutine,
Dialogue: 0,0:31:27.89,0:31:33.45,Default,,0000,0000,0000,,so we are not using the 0x09, we are using the 0x0A.
Dialogue: 0,0:31:33.45,0:31:40.66,Default,,0000,0000,0000,,What we do is we take the original destination\Naddress 0x0100, we subtract 0x0A
Dialogue: 0,0:31:40.66,0:31:49.41,Default,,0000,0000,0000,,and we get the base address of our\Ncode example, which is 0xF6.
Dialogue: 0,0:31:49.41,0:31:58.39,Default,,0000,0000,0000,,If we apply this newly found load\Noffset to the code and we adjust the offset,
Dialogue: 0,0:31:58.39,0:32:06.43,Default,,0000,0000,0000,,starting now at 0x00F6 in the left column,\Nwe see that all three subroutines now match.
Dialogue: 0,0:32:06.43,0:32:14.71,Default,,0000,0000,0000,,The call to 0x0100, the call to 0x0107\Nand the call to 0x0103.
Dialogue: 0,0:32:14.71,0:32:22.71,Default,,0000,0000,0000,,Ok, I think this was hard, so let's\Nrepeat what we have already done.
Dialogue: 0,0:32:22.71,0:32:30.65,Default,,0000,0000,0000,,So we have obtained our image, we have\Nsuccessfully found the processor architecture,
Dialogue: 0,0:32:30.65,0:32:35.14,Default,,0000,0000,0000,,we have found a disassembler\Nto disassemble the firmware,
Dialogue: 0,0:32:35.14,0:32:43.75,Default,,0000,0000,0000,,and we have hopefully found the\Noriginal load offset. So what's next?
Dialogue: 0,0:32:43.75,0:32:49.36,Default,,0000,0000,0000,,Maybe the question arises, is there\Nadditional firmware in this device?
Dialogue: 0,0:32:49.36,0:32:56.25,Default,,0000,0000,0000,,I see jumps and calls outside of firmware\Nwe already know, although we have adjusted
Dialogue: 0,0:32:56.25,0:33:02.45,Default,,0000,0000,0000,,the load offset. Is it chip internal?\NWe can see it on the figure, maybe
Dialogue: 0,0:33:02.45,0:33:10.39,Default,,0000,0000,0000,,we have only firmware part A. And maybe\Nit's using a library or chip internal part B.
Dialogue: 0,0:33:10.39,0:33:18.90,Default,,0000,0000,0000,,So we will have to see what we can do\Nusing a modification of the firmware.
Dialogue: 0,0:33:18.90,0:33:26.84,Default,,0000,0000,0000,,Now having done that, we can start\Nwith normal reverse engineering of the code.
Dialogue: 0,0:33:26.84,0:33:31.54,Default,,0000,0000,0000,,We search for strings, we search\Nfor references to the strings,
Dialogue: 0,0:33:31.54,0:33:39.35,Default,,0000,0000,0000,,but as we are in a very low-end embedded\Nsystem, maybe we can search for very specialized
Dialogue: 0,0:33:39.35,0:33:48.58,Default,,0000,0000,0000,,data references and operands. Search for USB\Ndescriptor fields you have extracted with /bin/lsusb.
Dialogue: 0,0:33:48.58,0:33:55.23,Default,,0000,0000,0000,,Take a look for USB magics like USBC and USBS,\Nyou know these two dwords are used in
Dialogue: 0,0:33:55.23,0:34:03.73,Default,,0000,0000,0000,,USB communications. Take a look for IDE,\NSATA and ATAPI ID strings, saying
Dialogue: 0,0:34:03.73,0:34:15.76,Default,,0000,0000,0000,,"I'm an OCZ SSD device" for instance. When\Nyou've sniffed the device communication
Dialogue: 0,0:34:15.76,0:34:21.92,Default,,0000,0000,0000,,you've already found some typical data blocks.\NYou can try to find them [in the binary].
Dialogue: 0,0:34:21.92,0:34:28.14,Default,,0000,0000,0000,,Last but not least, maybe the device provides some error codes, and you can search for strings,
Dialogue: 0,0:34:28.14,0:34:33.89,Default,,0000,0000,0000,,or for operands in the opcodes.
Dialogue: 0,0:34:33.89,0:34:38.95,Default,,0000,0000,0000,,It's very interesting to find hidden\Nfirmware update sequences, because
Dialogue: 0,0:34:38.95,0:34:47.22,Default,,0000,0000,0000,,they would allow non-invasive modifications.\NFor example, search for chip erase and
Dialogue: 0,0:34:47.22,0:34:51.87,Default,,0000,0000,0000,,programming commands; you can take the\Nappropriate commands from the datasheet
Dialogue: 0,0:34:51.87,0:35:01.52,Default,,0000,0000,0000,,if there's any external memory device available.\NWe've done it, we have analysed it and we've
Dialogue: 0,0:35:01.52,0:35:07.92,Default,,0000,0000,0000,,learnt a lot about the device.\NNow we are going to modify it.
Dialogue: 0,0:35:07.92,0:35:14.32,Default,,0000,0000,0000,,First, we have to think about this: if we are\Ngoing to modify the firmware, we have
Dialogue: 0,0:35:14.32,0:35:19.69,Default,,0000,0000,0000,,to prepare to brick our device.
Dialogue: 0,0:35:19.69,0:35:25.04,Default,,0000,0000,0000,,Manufacturers implement several integrity\Nchecks, and why do they do that?
Dialogue: 0,0:35:25.04,0:35:34.77,Default,,0000,0000,0000,,They do it because firmware is stored to flash,\Nwhich is prone to aging, especially if heat is involved.
Dialogue: 0,0:35:34.77,0:35:42.41,Default,,0000,0000,0000,,So they do checksums. There are software-based\Nchecksum calculations, CRC for example.
Dialogue: 0,0:35:42.41,0:35:48.54,Default,,0000,0000,0000,,There are even hardware-based checksums\Nwhere some HW peripheral will do the job for us.
Dialogue: 0,0:35:48.54,0:35:57.18,Default,,0000,0000,0000,,So what you see in the code is maybe the start\Noffset, the end offset, and if you're lucky the polynomial.
Dialogue: 0,0:35:57.18,0:36:03.66,Default,,0000,0000,0000,,It might be hardcoded in the peripheral too,\Nso you won't see anything.
Dialogue: 0,0:36:03.66,0:36:13.17,Default,,0000,0000,0000,,It can be a combination of both, being done\Nonly on startup or cyclically in the background.
Dialogue: 0,0:36:13.17,0:36:18.74,Default,,0000,0000,0000,,What we have to do to modify the firmware\Nis either correct those checksums,
Dialogue: 0,0:36:18.74,0:36:26.14,Default,,0000,0000,0000,,or we have to patch those checksum\Nalgorithms not to trigger.
Dialogue: 0,0:36:26.14,0:36:32.31,Default,,0000,0000,0000,,What are the goals of our modification? Of\Ncourse we heard it in our motivation section.
Dialogue: 0,0:36:32.31,0:36:44.75,Default,,0000,0000,0000,,We are about to correct errors, and maybe the errors\Nare contained in another part of firmware we are not
Dialogue: 0,0:36:44.75,0:36:51.37,Default,,0000,0000,0000,,having right now. Maybe we have to dump\Nadditional memory regions.
Dialogue: 0,0:36:51.37,0:37:02.25,Default,,0000,0000,0000,,That's what they did in the Cisco VoIP hack.\NThey tried to find a memcpy routine and use it.
Dialogue: 0,0:37:02.25,0:37:08.55,Default,,0000,0000,0000,,If you don't find a memcpy routine, maybe\Nyou can implement your own. Why not?
Dialogue: 0,0:37:08.55,0:37:15.89,Default,,0000,0000,0000,,You could dump code from other memory\Nregions to output buffers.
Dialogue: 0,0:37:15.89,0:37:20.43,Default,,0000,0000,0000,,If you have space in an external memory\Ndevice, why not program it to the device
Dialogue: 0,0:37:20.43,0:37:29.92,Default,,0000,0000,0000,,and read it from the device. It can be very\Ninteresting to gather more device internal information.
Dialogue: 0,0:37:29.92,0:37:36.56,Default,,0000,0000,0000,,For example doing a RAM dump, because\Nduring static analysis, you always wonder
Dialogue: 0,0:37:36.56,0:37:48.44,Default,,0000,0000,0000,,what may be in RAM at this and that address.\NNow as we have modified the firmware,
Dialogue: 0,0:37:48.44,0:37:53.96,Default,,0000,0000,0000,,we can inject it back to the device. For\Nexample using the original updater.
Dialogue: 0,0:37:53.96,0:37:58.44,Default,,0000,0000,0000,,It might contain the next checksum check, who knows.
Dialogue: 0,0:37:58.44,0:38:06.60,Default,,0000,0000,0000,,We can try to re-program it to the external\Nmemory device if available, or to the processor.
Dialogue: 0,0:38:06.60,0:38:14.16,Default,,0000,0000,0000,,This might be done using a serial interface,\Neither JTAG or proprietary.
Dialogue: 0,0:38:14.16,0:38:17.97,Default,,0000,0000,0000,,That's it. Thank you very much.
Dialogue: 0,0:38:17.97,0:38:25.77,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:38:25.77,0:38:36.09,Default,,0000,0000,0000,,Angel: If you have any questions, please line up\Nat the room microphones, there are four here.
Dialogue: 0,0:38:42.57,0:38:47.12,Default,,0000,0000,0000,,Are there any questions? Microphone 1 please.
Dialogue: 0,0:38:47.12,0:38:54.43,Default,,0000,0000,0000,,Question: Not a question, but a tip. If you need some binary dump or some left over files on Windows,
Dialogue: 0,0:38:54.43,0:39:06.46,Default,,0000,0000,0000,,you can deny the delete right, so the install\Nor updater program is unable to delete its temp files.
Dialogue: 0,0:39:06.46,0:39:08.86,Default,,0000,0000,0000,,So they are left over after reprogramming the device.
Dialogue: 0,0:39:08.86,0:39:10.73,Default,,0000,0000,0000,,A: Do you have a tip what to use in that case?
Dialogue: 0,0:39:10.73,0:39:11.72,Default,,0000,0000,0000,,Q: Sorry?
Dialogue: 0,0:39:11.72,0:39:14.26,Default,,0000,0000,0000,,A: Do you have a tip, is there a special tool?
Dialogue: 0,0:39:14.26,0:39:18.90,Default,,0000,0000,0000,,Q: It's not necessary, Windows has\Nthe function already built in.
Dialogue: 0,0:39:18.90,0:39:20.42,Default,,0000,0000,0000,,A: OK.
Dialogue: 0,0:39:20.42,0:39:26.62,Default,,0000,0000,0000,,Q: And I don't know the word.
Dialogue: 0,0:39:26.62,0:39:27.51,Default,,0000,0000,0000,,A: OK
Dialogue: 0,0:39:27.51,0:39:34.29,Default,,0000,0000,0000,,Q: But you are able to revoke rights completely\Nfrom a directory, there's a special right for deleting.
Dialogue: 0,0:39:34.29,0:39:37.41,Default,,0000,0000,0000,,A: OK, thank you.
Dialogue: 0,0:39:37.41,0:39:42.60,Default,,0000,0000,0000,,Angel: Are there any more questions?
Dialogue: 0,0:39:46.60,0:39:50.63,Default,,0000,0000,0000,,Angel: Doesn't look like it, please give a warm\Nround of applause to our speaker Stefan Widmann.
Dialogue: 0,0:39:50.63,0:39:54.82,Default,,0000,0000,0000,,{\i1}applause{\i0}\NA: On [microphone 2]
Dialogue: 0,0:39:54.82,0:39:57.46,Default,,0000,0000,0000,,Angel: There is one more question... No?
Dialogue: 0,0:39:57.46,0:39:59.55,Default,,0000,0000,0000,,A: OK
Dialogue: 0,0:39:59.55,0:40:02.88,Default,,0000,0000,0000,,Angel: If you're leaving please do take your...
Dialogue: 0,0:40:02.88,0:40:11.09,Default,,0000,0000,0000,,subtitles created by c3subtitles.de