[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:15.00,0:00:22.30,Default,,0000,0000,0000,,So now we come to our next talk,\Nit's about the Amazon Dash button.
Dialogue: 0,0:00:23.19,0:00:30.18,Default,,0000,0000,0000,,Who of you knows what the Amazon Dash\Nbutton is? Okay... kind of everybody.
Dialogue: 0,0:00:30.64,0:00:33.29,Default,,0000,0000,0000,,Who has an Amazon Dash button?
Dialogue: 0,0:00:35.45,0:00:38.50,Default,,0000,0000,0000,,Who has used it to buy something?
Dialogue: 0,0:00:40.08,0:00:45.98,Default,,0000,0000,0000,,Okay. [clapping and laughter]
Dialogue: 0,0:00:46.70,0:00:50.41,Default,,0000,0000,0000,,So for everybody who has never seen an\NAmazon Dash button you now get the chance.
Dialogue: 0,0:00:50.66,0:00:50.91,Default,,0000,0000,0000,,I brought one.
Dialogue: 0,0:00:52.42,0:00:53.20,Default,,0000,0000,0000,,It looks like this.
Dialogue: 0,0:00:53.92,0:00:55.40,Default,,0000,0000,0000,,It's a small tiny thing.
Dialogue: 0,0:00:56.37,0:01:00.44,Default,,0000,0000,0000,,You can click on it, you can order stuff,\Nand you can order great stuff.
Dialogue: 0,0:01:01.12,0:01:08.26,Default,,0000,0000,0000,,Like... things which make sense, like\Ndog-food, shampoo, stuff like that.
Dialogue: 0,0:01:08.98,0:01:11.58,Default,,0000,0000,0000,,But also fun things... so things you need\Nregularly...
Dialogue: 0,0:01:12.31,0:01:17.48,Default,,0000,0000,0000,,But also fun things like Play-Doh,\Nyou know, it's the stuff for kids.
Dialogue: 0,0:01:18.14,0:01:23.34,Default,,0000,0000,0000,,I have no idea who regularly needs to buy\NPlay-Doh... where does it go?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Is it like your child eats it all up so you\Nneed a new one? Or...?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So this is something we perhaps won't\Nlearn in this talk, so why we need this.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But we will learn how you can hack\Nit to use for a different purpose.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Some of you might say "Okay wait, I've\Nalready heard of something like that"
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Yes, because the first version was shipped\Nout, there such an analysis was already done
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But there is a new version and like\Nit's often with the Internet of Things
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,stuff they tried to make it more\Nsecure.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I mean that's what the 'S' stands\Nfor in "IoT".
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What we'll hear about is about\Nthe hardware, the software
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and also how the communication with\Nthe server looks like.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And hanz will give us a talk\Nabout this.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,He is somebody hacking hardware\Nsince quite a time so...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Let's give him a warm round of\Napplause and let's learn. [clapping]
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Thanks, nice to see you.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Let's have a closer look at\Nthe Amazon Dash button now.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The Dash button is basically a\NWi-Fi connected button
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's been around in the US since\Nabout 2014, I think.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And in Germany it's available\Nsince August of this year.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There are two hardware revisions and\Nin this talk I'll only cover revision 2
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because that is the current revision.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I don't think you still can get\Nthe old revision.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The old revision is also quite\Nhacked already.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This button can be used to order\Nor reorder certain consumer goods
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,like pet-food or washing supplies\Nand stuff
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's only available for certain brands\Nand products and you can not configure
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it freely.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It costs five Euros and you get a refund\Non your first button-triggered order.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There is also a customizable version\Navailable, at least in the US
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,for twenty dollars and you still\Ncan't load your own code on this button
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but you can use the Amazon Web Services\Nto get the button presses.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So what is interesting about this thing?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Well, it has Wi-Fi and it must be some\Nsort of a computer
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so it's a sort of Internet of Shit\Ndevice, though it might be more useful
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,than certain other products.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,One question of course is: How does it work?\NWe just want to know.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Then: What about security? If we put this\Nthing on our network is this a security risk
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and can it be used for cyber, DDoS and so on?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Another important aspect for the hardware\Nhackers is whether we can reprogram it
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,for our custom Internet of Things project.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's more powerful than the common ESP8266\Nand the price is comparable.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The next point of course is: If we can\Nnot run code on it we don't really own it.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we want to run our code on it.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There is some prior research that\Nhas already been done for the old button
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You can get the slides from the Fahrplan\Nand I'll refer to these two links later
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,during the talk. So this has been done\Nalready, you can read it up.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The easy way of repurposing the Dash button\Nis to use the smartphone app
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and configure the Dash just normally,\Nbut you close the app
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,once you get to choosing a product
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Then this prevents the Dash from ordering\Nanything
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The product selection is stored server-side\Nwhile the Wi-Fi configuration is stored in the button
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The button still contacts the server\Nand says "I want to order something"
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,whatever there is configured.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The server says "Nope, there is\Nnothing configured"
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and the button blinks red and that's it.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So you don't get stuff and of course\Nit does a lot of things to get online
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It connects to your Wi-Fi, it does\Na DHCP request, ARP Request, DNS lookup
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and so on
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So you can monitor all these things\Nto find out when the button is activated
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and monitoring the DHCP logfile of course\Nis the most easy way, I guess.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Who is doing this already?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Okay, a few, about three people.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We'll go a lot further than this in\Nthis talk.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,First we'll have a look at the hardware\Nso what's in this Dash button
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the communication protocol and the crypto.\NThe firmware revision, this revision was
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,still the most recent on 25th I checked it last
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and we'll run some custom code on the button\Nwithout desoldering anything.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I didn't analyze the Amazon smartphone\Napps because this is way too high-level for me
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Regarding the hardware...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The housing is heat-sealed plastic, so you\Ncan't open a screw, you have to somehow
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,break it open or cut it open
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,My first attempt was with a knife,\Ncutting along the seal
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but that didn't work so well. I removed\Nsome SMD components in this process and
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,my latest attempt was using a cutting wheel\Nfrom the top, because I already knew where
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the stuff is, where I wanna get.\NYou can see the testpoints here.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And this is the microcontroller so I simply\Ncut it open there's some space between
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the plastic package and the PCB.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The PCB has four layers and a lot of\NSMD 0201 parts, you can see those here.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is all very tiny and you can\Nsee the pads of the microcontroller
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,here you can not because there is some\Nblack stuff poured over it.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I don't know why exactly they are doing this\Nbut you can remove it carefully.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It can be softened a bit with acetone,\Nthat makes things easier.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The microcontroller is actually quite\Npowerful, it's a Cortex-M4 with a
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,floating point unit and it runs or it can\Nbe clocked at 120 MHz.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It has half a MB of flash and 160 kB of RAM
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The downside is the package of this chip
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So you can not easily solder additional\Nstuff there and.. the black stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Then there is the Wi-Fi IC, this is this\Nchip here, and it's 2.4 GHz and thus
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,up to 72 Mbit/s, does WPA1/2 of course,\Nand there is a built-in IP-stack
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It works a bit like with sockets in Unix,\Nthis Wi-Fi chip basically handles all the IP-stuff
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and you simply open a socket from the controller\Nand then you can communicate using this socket
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It does have built-in SSL and TLS support\Nand plenty of stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Of course there needs to be a voltage regulator\Nbecause there is a single AAA battery
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with 1.5V or less in the button and this\Nneeds to be boosted to 3.3V so this is done
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with a regulator. This is actually\Na quite powerful regulator
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,they could have used a cheaper one.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Anyway. There is also Bluetooth Low Energy\Nyou can see this here, this is a BLE IC.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I'm not sure if they are using this\Nalready, they might do with the iOS app
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but I haven't analyzed this.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There is a 4 MB SPI flash and a microphone
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is here. You can see the package\Nremoved, this happened accidentally.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Then there is an LED, it can not be seen\Nhere but it's 3 LEDs actually
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,red, green and blue.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The thing is clocked from a 32 kHz\Noscillator, this is this thing here
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it generates a higher clock frequency\Ninternally using PLL.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There are also some discrete\Nsemiconductors here
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,they use them for the powering stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If we put it all together it looks more or\Nless like this
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is a bit simpler than reality but\Nwe have the Bluetooth connected to
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,a UART, the Wi-Fi is connected to the SPI\Nbus and SPI flash is also connected to
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,another SPI bus.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This interesting thing here is that there\Nis an additional UART
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that is used for debugging.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The voltage regulator gets started by the\Nbutton press and one interesting thing is
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there is no other wake-up source, no real-\Ntime-clock or something like that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that means the button can never wake up\Non its own terms.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You always have to press the button, and\Nonce it goes back to sleep it can't wake
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,up again without the button being pressed.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Power-Enable is held with an external\Nlatch, so the microcontroller simply
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,clears this latch and goes to shutdown.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The microcontroller can also measure the\Nbattery voltage using the ADC and there
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is an enable-signal to connect or\Ndisconnect the battery from the ADC.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This value is also sent to the server, so\NAmazon knows when your battery
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is going empty.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Regarding the power consumption...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,mpetroff already did a lot of measurements\Nregarding this and you can see that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Wi-Fi is drawing a lot of power, 400 mW.\NWithout Wi-Fi it's down to 80 mW and
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with some power-saving you should be\Nable to go down to about 50 mW.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The built-in battery is about half a Wh,\Nso that's about 75 minutes with Wi-Fi
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,enabled, and about 10 hours with some\Nvery good power-saving
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Basically you could make an acoustic bug\Nwith this and listen to the microphone for
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,some time and then transmit it via Wi-Fi,\Nbut it's still limited with this
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,battery power.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The debugging interface is also there, you\Nalready saw those test-points earlier
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The old Dash button had single-wire-\Ndebugging enabled and a serial console
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with debugging commands, you could simply\Ndump memory using the serial console
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The new button has test-pads for SWD and\Na serial console, but SWD is disabled and
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the serial console is stripped down to a\Nfew boring commands
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We'll come to these later.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Here you can see the debugging interfaces\Nfrom the bottom side, you can mount a
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,connector here. Which connector you can\Nfind on the petroff website, all of these
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,IOs are 3.3V, the pinout is basically\Ncompatible to the old button.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Here are some UART commands, you can see\Nthere are three different modes
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There is a test mode menu, this has a lot\Nmore commands, they probably use this
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,in the factory to do some calibration and\Ntesting.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is the user mode menu. You have if\Nyou open the button and connect the serial
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,port. There's just some firmware revision\Nyou can query and you can measure the
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,battery voltage. "immortal" prevents the\Nautomatic shutdown, it stays then on
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,until you issue a shutdown or you switch\Nto "mortal" again.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The developer mode menu has some more\Ninteresting commands.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There is still no memory access, but you\Ncan enter certain modes, configure mode,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,access point mode, scan for Wi-Fi, and so\Non.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Let's have a look at the communication\Nprotocols and the crypto stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The communication works like this, you\Nhave the SAMG55, this is the
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,microcontroller, then you have the Wi-Fi\Nchip, this is this ATWINC, and this chip
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,handles all the TLS stuff, so those two\Ncommunicate in plain-text using SPI
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and then the Dash button uses HTTPS\Nwhen connecting to the Amazon server.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So you can see plain-text data here and
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it's clocked at 40 MHz so this is rather\Nfast.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,One of the first things I did was I wanted\Nto analyze the communication
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that was there because I didn't actually\Nknow if they are using TLS inside the
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Wi-Fi NIC or if they are doing the TLS in\Nthe microcontroller
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,They did it in the microcontroller in the\Nlast hardware revision, and so I put an
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,FPGA between those two things and logged\Nall the data that came by.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I did cut the bus so I could do man-in-\Nthe-middle as well, and I did this before
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I had the full Dash firmware, with the\Nknowledge now this wouldn't really have
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,been necessary.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It looked like this, you can see I removed\Nthe microcontroller here and added plenty
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,of wires, these then go to some sort of\Nbase-board where I can plug in a break-
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,out-board for the microcontroller.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The microcontroller is actually here on\Nthis board, there are some LEDs for...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,yea they are the RGB LEDs. Here I have\Nthe serial console, here I have SWD,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,here is the reset button, and here is the\Nactual Dash button.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This here is 3.3V supply and you can see\Na lot of jumpers here, these are all the
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,connections to Bluetooth and Wi-Fi, so I\Ncan simply remove the jumper and
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,do man-in-the-middle there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is the thing with the FPGA-board\Nplugged in.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That's how I analyzed this communication\Nwhich I'm now going to present.