0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/358 Thanks! 1 00:00:09,740 --> 00:00:12,119 Thanks, everybody, for coming to the talk 2 00:00:12,120 --> 00:00:14,449 and thank you to the Congress 3 00:00:14,450 --> 00:00:16,399 for having us again this year. 4 00:00:16,400 --> 00:00:18,799 We're really pleased to be here 5 00:00:18,800 --> 00:00:20,929 and to share with you some of our latest 6 00:00:20,930 --> 00:00:23,719 work, looking at 7 00:00:23,720 --> 00:00:25,909 some of the sort of the developments 8 00:00:25,910 --> 00:00:28,009 that have been going on in China and 9 00:00:28,010 --> 00:00:29,779 seeing what we can do to try to bridge 10 00:00:29,780 --> 00:00:31,429 the gap between what's happening there 11 00:00:31,430 --> 00:00:32,430 and here. 12 00:00:32,870 --> 00:00:34,909 So before we get into all the technical 13 00:00:34,910 --> 00:00:37,099 details, I wanted to share with you 14 00:00:37,100 --> 00:00:39,349 the provocation, the reason why 15 00:00:39,350 --> 00:00:41,299 we kind of got motivated to do this in 16 00:00:41,300 --> 00:00:42,300 the first place. 17 00:00:43,830 --> 00:00:45,079 There's a lot of people who have done 18 00:00:45,080 --> 00:00:46,849 work in the past and reverse engineering 19 00:00:46,850 --> 00:00:48,499 various basebands of phones and so 20 00:00:48,500 --> 00:00:50,719 forth. But this path, 21 00:00:50,720 --> 00:00:53,149 this whole project started about 22 00:00:53,150 --> 00:00:55,549 two years ago when we were wandering 23 00:00:55,550 --> 00:00:57,439 around in the markets of Shenzhen, China. 
24 00:00:57,440 --> 00:00:58,609 If you haven't been there, I highly 25 00:00:58,610 --> 00:01:00,469 recommend it's a super cool place with 26 00:01:00,470 --> 00:01:02,209 lots of I mean, it's a it's a kind of 27 00:01:02,210 --> 00:01:03,649 place where you can go up to shelf and 28 00:01:03,650 --> 00:01:06,649 sort of just by taping real resistor 29 00:01:06,650 --> 00:01:08,149 like you would buy fish or meat at a 30 00:01:08,150 --> 00:01:09,229 store or something like that. 31 00:01:09,230 --> 00:01:11,419 So it's a hardware guys paradise. 32 00:01:11,420 --> 00:01:14,089 And we found a phone there, 33 00:01:14,090 --> 00:01:16,159 a complete GSM phone that can do 34 00:01:16,160 --> 00:01:18,409 calls, broadband, Bluetooth, all that. 35 00:01:18,410 --> 00:01:20,689 And it's twelve dollars, you know, not 36 00:01:20,690 --> 00:01:22,399 a full stop. But this is not with someone 37 00:01:22,400 --> 00:01:25,309 discount counting or subsidizing 38 00:01:25,310 --> 00:01:27,439 or some contract on the back side, 39 00:01:27,440 --> 00:01:29,089 the middleman margin, everything is 40 00:01:29,090 --> 00:01:31,369 there. And we were amazed at 41 00:01:31,370 --> 00:01:33,169 its low price. So of course, we bought 42 00:01:33,170 --> 00:01:35,389 one and took it apart and 43 00:01:35,390 --> 00:01:36,649 looked at what was on the inside and 44 00:01:36,650 --> 00:01:38,809 found that had this two hundred 45 00:01:38,810 --> 00:01:40,879 sixty megahertz, 32 bit CPU, 46 00:01:40,880 --> 00:01:43,159 and it had lots of features built into 47 00:01:43,160 --> 00:01:45,319 it. 
And we sort of 48 00:01:45,320 --> 00:01:47,539 looked at what sort of was 49 00:01:47,540 --> 00:01:50,179 the thing that the Chinese 50 00:01:50,180 --> 00:01:51,769 entrepreneurs were playing with at the 51 00:01:51,770 --> 00:01:53,689 time and compared it to what we saw, what 52 00:01:53,690 --> 00:01:55,249 most the Western entrepreneurs were 53 00:01:55,250 --> 00:01:56,569 playing with at the time, which was sort 54 00:01:56,570 --> 00:01:58,699 of something closer to an Arduino, 55 00:01:58,700 --> 00:02:00,859 which would be based on the mega with the 56 00:02:00,860 --> 00:02:03,259 eight bit CPU and assisting megahertz 57 00:02:03,260 --> 00:02:05,329 and still costing more in quantity 58 00:02:05,330 --> 00:02:07,729 one as sort of a 59 00:02:07,730 --> 00:02:09,279 reference point. Right. 60 00:02:09,280 --> 00:02:11,569 And so my feeling was, geez, 61 00:02:11,570 --> 00:02:14,029 how come we don't use this 62 00:02:14,030 --> 00:02:15,859 more often? Why isn't why aren't there a 63 00:02:15,860 --> 00:02:18,049 series of talks at places like 64 00:02:18,050 --> 00:02:19,859 this about people building stuff with the 65 00:02:19,860 --> 00:02:21,139 sort of hardware? 66 00:02:21,140 --> 00:02:22,639 And so we say, OK, well, can we have 67 00:02:22,640 --> 00:02:24,859 documentation if 68 00:02:24,860 --> 00:02:25,860 you can? 69 00:02:26,920 --> 00:02:28,589 Read or write a little Chinese or even 70 00:02:28,590 --> 00:02:30,539 use Google Translate and you know how to 71 00:02:30,540 --> 00:02:32,369 use Baidu, which is sort of China's 72 00:02:32,370 --> 00:02:34,649 version of Google, you can actually just 73 00:02:34,650 --> 00:02:36,689 find schematics, reference schematics for 74 00:02:36,690 --> 00:02:38,109 this online. 75 00:02:38,110 --> 00:02:40,079 Right. Which is pretty cool. 76 00:02:40,080 --> 00:02:41,729 And if you dig a little more, you can 77 00:02:41,730 --> 00:02:43,799 actually find downloadable source files. 
78 00:02:43,800 --> 00:02:45,959 You can find the CAD 79 00:02:45,960 --> 00:02:47,909 files in an editable form. 80 00:02:47,910 --> 00:02:49,589 You can find the OrCAD schematic files 81 00:02:49,590 --> 00:02:51,809 just like you can get the CAD files for 82 00:02:51,810 --> 00:02:53,639 the Arduino online. 83 00:02:53,640 --> 00:02:55,799 And if you dig even more digging, 84 00:02:55,800 --> 00:02:57,719 you can find, for example, the entire 85 00:02:57,720 --> 00:02:59,369 source code for the OS that runs on these 86 00:02:59,370 --> 00:03:01,159 phones. It's a seven point five gigabyte 87 00:03:01,160 --> 00:03:02,079 source archive. 88 00:03:02,080 --> 00:03:03,689 You can just dump it from Baidu. 89 00:03:03,690 --> 00:03:05,819 And, you know, you could 90 00:03:05,820 --> 00:03:07,709 kind of do what they call the shanzhai 91 00:03:07,710 --> 00:03:09,059 thing out there, which is building your 92 00:03:09,060 --> 00:03:10,060 own phone. 93 00:03:11,230 --> 00:03:12,699 The question is, at the end, is it 94 00:03:12,700 --> 00:03:15,489 actually open, right, and the problem, 95 00:03:15,490 --> 00:03:17,769 of course, is that this stuff 96 00:03:17,770 --> 00:03:19,929 is either gray or restricted 97 00:03:19,930 --> 00:03:21,489 or unspecified. 98 00:03:21,490 --> 00:03:23,529 So if you go in, for example, read 99 00:03:23,530 --> 00:03:25,299 carefully, it will be confidential 100 00:03:25,300 --> 00:03:27,579 notices all over the data sheets 101 00:03:27,580 --> 00:03:29,679 or if you look at the schematics and 102 00:03:29,680 --> 00:03:31,389 so forth and don't even have a copyright 103 00:03:31,390 --> 00:03:33,279 notice, they don't they don't have that 104 00:03:33,280 --> 00:03:34,839 sort of notion of it. 105 00:03:34,840 --> 00:03:36,999 But it turns out that China just don't 106 00:03:37,000 --> 00:03:38,009 care. Right. 107 00:03:39,220 --> 00:03:41,409 This technicality does not stop 108 00:03:41,410 --> 00:03:42,849 the shanzhai. 
In fact, there's sort of 109 00:03:42,850 --> 00:03:44,949 this view if you read some of 110 00:03:44,950 --> 00:03:47,319 the comment threads that people have about 111 00:03:47,320 --> 00:03:49,149 various Western innovation and stuff like 112 00:03:49,150 --> 00:03:50,769 that, you'll see people being like 113 00:03:50,770 --> 00:03:52,389 Western IP laws are unethical. 114 00:03:52,390 --> 00:03:54,189 These drug companies are overcharging for 115 00:03:54,190 --> 00:03:55,599 life saving drugs. 116 00:03:55,600 --> 00:03:57,369 This 20 dollar IP burden for mobile 117 00:03:57,370 --> 00:03:59,289 phones or thirty dollars for DVD is 118 00:03:59,290 --> 00:04:00,939 basically rich companies stealing from 119 00:04:00,940 --> 00:04:03,189 the poor. We came and put Reisen on our 120 00:04:03,190 --> 00:04:04,539 table and we worked so hard to 121 00:04:04,540 --> 00:04:06,369 essentially, they call it making Kabbage, 122 00:04:06,370 --> 00:04:07,539 like all this hardware is being cost 123 00:04:07,540 --> 00:04:08,859 reduced and then there's a huge amount of 124 00:04:08,860 --> 00:04:10,419 money going to the IP block. 125 00:04:10,420 --> 00:04:11,589 And so at the end of the day, sort of the 126 00:04:11,590 --> 00:04:13,719 enforcement of laws is kind of subjective 127 00:04:13,720 --> 00:04:14,770 and selective out there. 128 00:04:15,970 --> 00:04:18,398 But it's not like this is caused 129 00:04:18,399 --> 00:04:20,528 a degradation of innovation out 130 00:04:20,529 --> 00:04:22,359 there. In fact, if you go there and you 131 00:04:22,360 --> 00:04:24,609 look around, there's actually this 132 00:04:24,610 --> 00:04:26,139 sort of permissive IP environments 133 00:04:26,140 --> 00:04:27,279 bearing fruit. 134 00:04:27,280 --> 00:04:29,859 This here is sort of a shot of 135 00:04:29,860 --> 00:04:31,719 a typical display case. 
136 00:04:31,720 --> 00:04:33,069 And when the mobile phone markets, every 137 00:04:33,070 --> 00:04:35,379 object you see there on the left 138 00:04:35,380 --> 00:04:37,509 is capable of placing a phone call, the 139 00:04:37,510 --> 00:04:38,949 cars have little phones in them. 140 00:04:38,950 --> 00:04:41,229 The little like Apple things have 141 00:04:41,230 --> 00:04:42,939 phones in them that aren't Apple phones. 142 00:04:42,940 --> 00:04:45,009 And on the right hand side is 143 00:04:45,010 --> 00:04:46,689 this example of a guy who just really 144 00:04:46,690 --> 00:04:47,769 liked skeletons. 145 00:04:47,770 --> 00:04:49,209 And he built this phone in the shape of a 146 00:04:49,210 --> 00:04:50,679 skeleton, complete with like on the 147 00:04:50,680 --> 00:04:52,239 inside, there's like this sort of etched 148 00:04:52,240 --> 00:04:53,439 metal case cases, the skeleton on the 149 00:04:53,440 --> 00:04:55,239 inside. It has a skeleton theme, boot 150 00:04:55,240 --> 00:04:56,439 sequence and all sort of stuff. 151 00:04:56,440 --> 00:04:58,599 And they just build it because they 152 00:04:58,600 --> 00:05:00,039 want to build it. Right. It's so 153 00:05:00,040 --> 00:05:02,169 effortless in that ecosystem 154 00:05:02,170 --> 00:05:04,029 because there's lower barriers for them 155 00:05:04,030 --> 00:05:06,309 to go ahead and rip, mix, burn and create 156 00:05:06,310 --> 00:05:07,779 kind of interesting little things like 157 00:05:07,780 --> 00:05:08,780 this. 158 00:05:09,170 --> 00:05:11,449 Unfortunately, the West does 159 00:05:11,450 --> 00:05:13,789 care, right, you can't build 160 00:05:13,790 --> 00:05:15,859 a business on, quote unquote, stolen 161 00:05:15,860 --> 00:05:17,029 IP, right? 162 00:05:17,030 --> 00:05:18,469 So why not just ask, for example, 163 00:05:18,470 --> 00:05:19,879 MediaTek, the people who make these chips 164 00:05:19,880 --> 00:05:21,079 for a license? 
165 00:05:21,080 --> 00:05:23,089 And I know people who have tried it and 166 00:05:23,090 --> 00:05:25,669 either you get no response 167 00:05:25,670 --> 00:05:27,769 or you get sort of a demand for a 168 00:05:27,770 --> 00:05:30,199 quarter million dollar prepayment on 169 00:05:30,200 --> 00:05:31,459 potential order volume. 170 00:05:31,460 --> 00:05:33,199 Right. That you have or something like 171 00:05:33,200 --> 00:05:34,909 that. And this is just not practical for 172 00:05:34,910 --> 00:05:36,799 individuals and startups, a huge barrier. 173 00:05:36,800 --> 00:05:38,539 I mean, people out there in China don't 174 00:05:38,540 --> 00:05:39,859 don't have a quarter million dollars to 175 00:05:39,860 --> 00:05:41,659 drop on a potential IP license for 176 00:05:41,660 --> 00:05:43,819 something. They they actually build these 177 00:05:43,820 --> 00:05:45,319 whole phones and get them out for, you 178 00:05:45,320 --> 00:05:47,269 know, tens of thousands of dollars. 179 00:05:47,270 --> 00:05:49,069 Full stop. Right. 180 00:05:49,070 --> 00:05:51,409 And so there's a sort of feeling 181 00:05:51,410 --> 00:05:53,539 you get the sort of sadness is like, 182 00:05:53,540 --> 00:05:55,939 so you're telling me that 183 00:05:55,940 --> 00:05:58,009 the Chinese both get to build our 184 00:05:58,010 --> 00:06:00,139 iPhones and the cool little 185 00:06:00,140 --> 00:06:01,879 weird phones. Right. 186 00:06:01,880 --> 00:06:04,039 And the West gets to focus on 187 00:06:04,040 --> 00:06:06,229 building things are accessories to 188 00:06:06,230 --> 00:06:07,189 our smartphones. 189 00:06:07,190 --> 00:06:08,869 Like we can build the egg minder to tell 190 00:06:08,870 --> 00:06:10,369 us how many eggs are in our fridge that 191 00:06:10,370 --> 00:06:11,509 work with your iPhone. 192 00:06:11,510 --> 00:06:12,949 Or you can have like this tank that's 193 00:06:12,950 --> 00:06:14,399 controlled by iPhones, not included. 
194 00:06:14,400 --> 00:06:16,699 Right. That's sort of state of the art 195 00:06:16,700 --> 00:06:17,869 right now that's happening here. 196 00:06:17,870 --> 00:06:19,969 It's sort of just like 197 00:06:19,970 --> 00:06:22,069 why it really blows 198 00:06:22,070 --> 00:06:23,479 my mind. I have to agree with this guy. 199 00:06:23,480 --> 00:06:24,619 Right. 200 00:06:24,620 --> 00:06:26,839 And so our question is 201 00:06:26,840 --> 00:06:28,959 like, can we hack the 202 00:06:28,960 --> 00:06:30,439 system? Right. 203 00:06:30,440 --> 00:06:32,290 And of course, challenge accepted. 204 00:06:33,800 --> 00:06:36,079 So before 205 00:06:36,080 --> 00:06:37,909 walking in, we want to kind of understand 206 00:06:37,910 --> 00:06:40,129 the lay of the land and 207 00:06:40,130 --> 00:06:41,839 we want to know sort of what's at stake. 208 00:06:41,840 --> 00:06:43,639 And so this is where sort of the the 209 00:06:43,640 --> 00:06:45,179 legal sort stuff comes out. 210 00:06:45,180 --> 00:06:47,029 Of course, the standard disclaimer, we're 211 00:06:47,030 --> 00:06:48,319 not lawyers, right? 212 00:06:48,320 --> 00:06:50,149 We're not giving you legal advice. 213 00:06:50,150 --> 00:06:51,889 We're going to show you the set of views. 214 00:06:51,890 --> 00:06:54,439 However, that being said, I want 215 00:06:54,440 --> 00:06:56,539 people to. 216 00:06:56,540 --> 00:06:58,849 Feel that law is like a tool, it's a tool 217 00:06:58,850 --> 00:07:00,409 that if you use it, it can have 218 00:07:00,410 --> 00:07:02,329 potentially life changing consequences, 219 00:07:02,330 --> 00:07:04,339 but it's also a very powerful tool. 220 00:07:04,340 --> 00:07:06,229 Right. And like most people in this 221 00:07:06,230 --> 00:07:07,939 audience, we like tools are extremely 222 00:07:07,940 --> 00:07:10,129 powerful. 
And so we should learn 223 00:07:10,130 --> 00:07:12,229 the law and we should learn our rights 224 00:07:12,230 --> 00:07:14,239 in the law and exercise our rights 225 00:07:14,240 --> 00:07:15,709 vigorously. 226 00:07:15,710 --> 00:07:17,959 And so the set of laws 227 00:07:17,960 --> 00:07:19,159 that we're sort of looking at in this 228 00:07:19,160 --> 00:07:20,870 case are copyright 229 00:07:22,490 --> 00:07:25,609 issues like the CFAA about accessing 230 00:07:25,610 --> 00:07:28,039 the servers and so forth, contract law, 231 00:07:28,040 --> 00:07:29,329 patents and so on, so forth. 232 00:07:29,330 --> 00:07:30,589 It's a very complex set of issues that 233 00:07:30,590 --> 00:07:32,119 won't go very deep into them, but sort of 234 00:07:32,120 --> 00:07:33,349 touch on the surface. 235 00:07:33,350 --> 00:07:35,359 EFF has a great FAQ on this called reverse 236 00:07:35,360 --> 00:07:36,469 engineering FAQ, there's a link up 237 00:07:36,470 --> 00:07:37,470 there. 238 00:07:37,820 --> 00:07:39,769 If you want to read more, you can check 239 00:07:39,770 --> 00:07:41,540 it out there. But sort of 240 00:07:42,650 --> 00:07:45,379 the very sort of root of what we 241 00:07:45,380 --> 00:07:47,659 look at when we're sort of reading 242 00:07:47,660 --> 00:07:49,639 these shanzhai documentation and figuring 243 00:07:49,640 --> 00:07:51,769 out how we can kind of do a clean 244 00:07:51,770 --> 00:07:53,929 translation is a set of 245 00:07:53,930 --> 00:07:55,519 case law out there. 
246 00:07:55,520 --> 00:07:57,589 This is an example of one, Feist v. 247 00:07:57,590 --> 00:07:59,729 Rural, where sort of there was a 248 00:07:59,730 --> 00:08:01,789 lawsuit about phone books being copied 249 00:08:01,790 --> 00:08:04,099 between different people, and they ruled 250 00:08:04,100 --> 00:08:06,589 that you could go ahead and recompile 251 00:08:06,590 --> 00:08:08,779 lists of facts so long 252 00:08:08,780 --> 00:08:10,429 as you did not feature the same selection 253 00:08:10,430 --> 00:08:11,449 arrangement of facts. 254 00:08:11,450 --> 00:08:12,409 Right. 255 00:08:12,410 --> 00:08:14,839 And we feel that, for example, 256 00:08:14,840 --> 00:08:16,789 if you give me a list of registers and 257 00:08:16,790 --> 00:08:19,159 their addresses will be present 258 00:08:19,160 --> 00:08:21,589 in the data sheet, those are kind of like 259 00:08:21,590 --> 00:08:22,769 items in the phone directory. 260 00:08:22,770 --> 00:08:23,959 Those are just facts. 261 00:08:23,960 --> 00:08:26,509 And the address and data pairs 262 00:08:26,510 --> 00:08:28,309 about what each bit does or the measure 263 00:08:28,310 --> 00:08:30,289 is also a fact. So when you say set up 264 00:08:30,290 --> 00:08:31,879 the PLL by writing this data to this 265 00:08:31,880 --> 00:08:33,949 register, that's a fact that's 266 00:08:33,950 --> 00:08:35,149 not copyrighted. 267 00:08:35,150 --> 00:08:36,709 But we can go ahead and understand those 268 00:08:36,710 --> 00:08:39,229 facts and express it in our code 269 00:08:39,230 --> 00:08:41,329 and apply an open license to 270 00:08:41,330 --> 00:08:44,269 it and in that way sort of repatriate 271 00:08:44,270 --> 00:08:46,249 intellectual property from one ecosystem 272 00:08:46,250 --> 00:08:47,250 into another. 
273 00:08:48,050 --> 00:08:50,239 So and the basic 274 00:08:50,240 --> 00:08:52,759 idea of this is there's a couple of cases 275 00:08:52,760 --> 00:08:54,979 that were heard that sort of ruled 276 00:08:54,980 --> 00:08:56,869 that we have a fair use, right, to 277 00:08:56,870 --> 00:08:59,089 achieve interoperability. 278 00:08:59,090 --> 00:09:00,709 Our rules of engagement then is that we 279 00:09:00,710 --> 00:09:02,529 only make the copies that we need. 280 00:09:02,530 --> 00:09:04,069 They're absolutely necessary for reverse 281 00:09:04,070 --> 00:09:05,029 engineering. 282 00:09:05,030 --> 00:09:06,739 We read the data sheets, the binaries and 283 00:09:06,740 --> 00:09:08,689 the codes we produce from the facts, and 284 00:09:08,690 --> 00:09:10,969 then we turn them into our own expressive 285 00:09:10,970 --> 00:09:13,369 works that we can apply a license to. 286 00:09:13,370 --> 00:09:15,469 We don't do any copy and paste of code, 287 00:09:15,470 --> 00:09:17,269 including kind of comments. 288 00:09:17,270 --> 00:09:19,129 And we also in order to prevent what we 289 00:09:19,130 --> 00:09:20,959 call subconscious plagiarism, if you're a 290 00:09:20,960 --> 00:09:23,059 coder and you read a code motif, 291 00:09:23,060 --> 00:09:25,339 you can walk away and then almost code it 292 00:09:25,340 --> 00:09:26,839 like verbatim from memory because, you 293 00:09:26,840 --> 00:09:28,609 know, understand everything and it tends 294 00:09:28,610 --> 00:09:30,379 to be the same representation. 295 00:09:30,380 --> 00:09:32,599 Regardless, we actually created a sort 296 00:09:32,600 --> 00:09:34,219 of pseudocode language that will go into 297 00:09:34,220 --> 00:09:36,859 later on that will help us avoid 298 00:09:36,860 --> 00:09:38,359 this. 
There's a sort of a preview of the 299 00:09:38,360 --> 00:09:40,219 pseudocode language on the left is sort 300 00:09:40,220 --> 00:09:41,819 of what the C code looks like that you 301 00:09:41,820 --> 00:09:43,969 would might find if you were to look 302 00:09:43,970 --> 00:09:45,409 in sort of some of these code databases, 303 00:09:45,410 --> 00:09:46,909 which pages and pages stuff, and we just 304 00:09:46,910 --> 00:09:48,859 turn it into this list of facts is on the 305 00:09:48,860 --> 00:09:50,899 right hand side for, for example, in this 306 00:09:50,900 --> 00:09:52,580 case, initializing the PLL. 307 00:09:54,490 --> 00:09:56,019 A lot of people worry about things like 308 00:09:56,020 --> 00:09:58,119 the DMCA, the good news in 309 00:09:58,120 --> 00:09:59,769 our case is that we didn't have to 310 00:09:59,770 --> 00:10:01,089 circumvent anything. 311 00:10:01,090 --> 00:10:03,189 So DMCA is about circumvention. 312 00:10:03,190 --> 00:10:05,529 So there's probably no DMCA problem 313 00:10:05,530 --> 00:10:07,719 because all the files and binaries were 314 00:10:07,720 --> 00:10:08,739 kind of in plaintext. 315 00:10:08,740 --> 00:10:10,479 There's maybe some shotgun checks, but 316 00:10:10,480 --> 00:10:11,979 that's not an access control. 317 00:10:11,980 --> 00:10:14,109 That's just a verification of the 318 00:10:14,110 --> 00:10:15,549 contents. 319 00:10:15,550 --> 00:10:17,349 There's some question about things like 320 00:10:17,350 --> 00:10:18,989 contracts and CFAA search. 321 00:10:18,990 --> 00:10:21,099 So, for example, if we had to 322 00:10:21,100 --> 00:10:23,229 access a server in an unnatural fashion 323 00:10:23,230 --> 00:10:25,329 to go ahead and get these files, there 324 00:10:25,330 --> 00:10:27,099 could be some liability under US law for 325 00:10:27,100 --> 00:10:28,789 doing that. 
But the good news is all the 326 00:10:28,790 --> 00:10:30,069 stuff we can just sort of do a search 327 00:10:30,070 --> 00:10:31,899 query download from public servers. 328 00:10:31,900 --> 00:10:32,949 So I think we're clear there. 329 00:10:32,950 --> 00:10:35,109 And we also these phones came with 330 00:10:35,110 --> 00:10:37,179 no shrinkwrap. There was no cut here. 331 00:10:37,180 --> 00:10:38,689 And we have all your rights. 332 00:10:38,690 --> 00:10:40,749 There's no click here in 333 00:10:40,750 --> 00:10:42,219 terms of use on all these phones. 334 00:10:42,220 --> 00:10:44,349 So basically, we there was no point at 335 00:10:44,350 --> 00:10:45,729 which we could have waived our rights to 336 00:10:45,730 --> 00:10:47,679 reverse engineer as well in this 337 00:10:47,680 --> 00:10:49,029 particular ecosystem. 338 00:10:49,030 --> 00:10:50,139 So that's also good news. 339 00:10:51,830 --> 00:10:53,389 So at the end of the day, OK, is what 340 00:10:53,390 --> 00:10:54,439 we're doing legal? 341 00:10:54,440 --> 00:10:56,149 I don't know. I mean, like we've we did 342 00:10:56,150 --> 00:10:58,459 some research, we asked some lawyers 343 00:10:58,460 --> 00:11:00,499 and we you know, we want to avoid running 344 00:11:00,500 --> 00:11:02,659 afoul of the law, but it's 345 00:11:02,660 --> 00:11:05,329 impossible to be 100 percent sure. 346 00:11:05,330 --> 00:11:07,459 One of the things you just have to do is 347 00:11:07,460 --> 00:11:10,069 you just have to do it right 348 00:11:10,070 --> 00:11:11,639 and you have to put yourself out there. 349 00:11:11,640 --> 00:11:13,759 Maybe you get sued and 350 00:11:13,760 --> 00:11:15,979 maybe you win. And if you win, then 351 00:11:15,980 --> 00:11:17,269 it becomes legal precedent. 352 00:11:17,270 --> 00:11:18,859 Sort of one of the sad part is that 353 00:11:18,860 --> 00:11:21,229 there's no lawsuit and or whatnot. 
354 00:11:21,230 --> 00:11:22,909 It doesn't really actually make a 355 00:11:22,910 --> 00:11:24,529 difference, legally speaking, but it does 356 00:11:24,530 --> 00:11:26,809 help sway the community feeling 357 00:11:26,810 --> 00:11:29,089 and reduce the chill around some 358 00:11:29,090 --> 00:11:30,090 of these activities. 359 00:11:31,250 --> 00:11:32,659 But at the end of day, we think we have 360 00:11:32,660 --> 00:11:34,459 fair use rights and we're happy to 361 00:11:34,460 --> 00:11:35,460 exercise it. 362 00:11:37,040 --> 00:11:38,869 There's also an issue around patents that 363 00:11:38,870 --> 00:11:40,319 would be a whole nother talk. 364 00:11:40,320 --> 00:11:42,109 So I'm not going to get too into it. 365 00:11:42,110 --> 00:11:43,489 There's a whole bunch of people who have 366 00:11:43,490 --> 00:11:45,679 patent claims, you know, 367 00:11:45,680 --> 00:11:47,569 but, you know, people here, for example, 368 00:11:47,570 --> 00:11:49,549 watched their movies on their laptops 369 00:11:49,550 --> 00:11:51,619 with codecs that have patents on 370 00:11:51,620 --> 00:11:53,269 them and this whole gray area of who's 371 00:11:53,270 --> 00:11:54,229 responsible for what. 372 00:11:54,230 --> 00:11:55,579 And no one really knows what's happening 373 00:11:55,580 --> 00:11:56,629 there. 374 00:11:56,630 --> 00:11:59,389 But basically, we don't 375 00:11:59,390 --> 00:12:00,649 we don't think there's going to be any 376 00:12:00,650 --> 00:12:01,609 problem in that space. 377 00:12:01,610 --> 00:12:03,679 But maybe maybe someone will have a claim 378 00:12:03,680 --> 00:12:05,759 against us and we'll find that later on. 379 00:12:05,760 --> 00:12:06,770 Now, we're OK with that. 
380 00:12:07,850 --> 00:12:10,129 So now that we 381 00:12:10,130 --> 00:12:12,229 feel that we 382 00:12:12,230 --> 00:12:13,230 have, 383 00:12:14,330 --> 00:12:16,039 you know, the rights to do this and the 384 00:12:16,040 --> 00:12:17,659 ability to do this, what are we what are 385 00:12:17,660 --> 00:12:19,009 we trying to do? 386 00:12:19,010 --> 00:12:20,809 We decide we're going to go ahead and try 387 00:12:20,810 --> 00:12:23,269 to access one of these sort of Chinese 388 00:12:23,270 --> 00:12:25,189 microcontrollers as a microcontroller 389 00:12:25,190 --> 00:12:27,019 first. So in other words, if when we were 390 00:12:27,020 --> 00:12:28,759 like groping in the dark and thinking 391 00:12:28,760 --> 00:12:30,469 we're going to build this little project 392 00:12:30,470 --> 00:12:32,629 which we use for at Mega or a.T.M 30 393 00:12:32,630 --> 00:12:35,269 to or should we use like a cornetist, 394 00:12:35,270 --> 00:12:37,159 the six to 60 should be on that list for 395 00:12:37,160 --> 00:12:38,329 us. It shouldn't be one of those things. 396 00:12:38,330 --> 00:12:39,379 We're not going to use it because we 397 00:12:39,380 --> 00:12:40,339 don't know how to use it. 398 00:12:40,340 --> 00:12:42,409 Right. So and at that level, 399 00:12:42,410 --> 00:12:43,999 the level of functionality is not to the 400 00:12:44,000 --> 00:12:45,649 point. We want Bluetooth, the GSM going. 401 00:12:45,650 --> 00:12:47,509 We just want to be able to run an open 402 00:12:47,510 --> 00:12:49,579 source OS, build code for it and use 403 00:12:49,580 --> 00:12:51,799 it like any other microcontroller. 
404 00:12:51,800 --> 00:12:53,869 And we also want to create an open 405 00:12:53,870 --> 00:12:55,909 by Western standards, hardware and 406 00:12:55,910 --> 00:12:57,499 software platform that we can share with 407 00:12:57,500 --> 00:12:59,539 everybody so other people can go ahead 408 00:12:59,540 --> 00:13:01,639 and get involved and help develop a legal 409 00:13:01,640 --> 00:13:03,979 methodology and precedent for pulling 410 00:13:03,980 --> 00:13:06,259 IP from the Chinese ecosystem back into 411 00:13:06,260 --> 00:13:07,260 the Western ecosystem. 412 00:13:08,990 --> 00:13:11,089 So one thing is we sort of transition 413 00:13:11,090 --> 00:13:13,489 from the very first flight, I 414 00:13:13,490 --> 00:13:15,619 called out the 60 to 50, we're using 62 415 00:13:15,620 --> 00:13:17,719 60 to future proof 416 00:13:17,720 --> 00:13:18,859 our work a little bit. 417 00:13:18,860 --> 00:13:20,629 These chips do cycle rapidly through the 418 00:13:20,630 --> 00:13:22,579 market, the ground for about one or two 419 00:13:22,580 --> 00:13:24,539 years before they go away. 420 00:13:24,540 --> 00:13:25,759 We figure I'll take about that long for 421 00:13:25,760 --> 00:13:27,589 us to make some progress. 422 00:13:27,590 --> 00:13:29,419 It's got to 364 megahertz CPUs. 423 00:13:29,420 --> 00:13:31,219 It's a little faster and it also has four 424 00:13:31,220 --> 00:13:33,409 megabytes of nonvolatile storage on Chip. 425 00:13:33,410 --> 00:13:35,149 And here's sort of an interesting aside 426 00:13:35,150 --> 00:13:36,259 about the chip. 427 00:13:36,260 --> 00:13:38,599 This chip you can buy for three dollars, 428 00:13:38,600 --> 00:13:40,279 a single quantity. 429 00:13:40,280 --> 00:13:41,389 Like I said, you can do those markets 430 00:13:41,390 --> 00:13:42,769 where they have rules, they cut them off. 
431 00:13:42,770 --> 00:13:45,109 You see here, like notan the guys tend 432 00:13:45,110 --> 00:13:46,460 to just walk away with it 433 00:13:47,780 --> 00:13:49,909 has multiple arm cores, eight megabytes 434 00:13:49,910 --> 00:13:52,019 of RAM for megabytes of 435 00:13:52,020 --> 00:13:54,139 Bluetooth, GSM battery charger, audio 436 00:13:54,140 --> 00:13:56,299 codec touchscreen, so and so forth. 437 00:13:56,300 --> 00:13:58,459 How many chips do you think are 438 00:13:58,460 --> 00:14:00,559 pieces of silicon inside this chip for 439 00:14:00,560 --> 00:14:02,629 three dollars? Like who thinks there's 440 00:14:02,630 --> 00:14:05,329 one piece of low cost, right? 441 00:14:05,330 --> 00:14:06,379 Two pieces. 442 00:14:07,420 --> 00:14:09,370 Three more 443 00:14:10,420 --> 00:14:12,669 oh, interesting, I guess maybe I set 444 00:14:12,670 --> 00:14:15,129 it up so he took an x ray of 445 00:14:15,130 --> 00:14:17,349 the chip sort of before 446 00:14:17,350 --> 00:14:19,509 we got really into it, because we 447 00:14:19,510 --> 00:14:20,749 we want to know, for example, we're 448 00:14:20,750 --> 00:14:22,119 getting real chips or fake chips or 449 00:14:22,120 --> 00:14:23,319 what's going on the inside. 450 00:14:23,320 --> 00:14:25,509 And if you if I had a laser pointer, 451 00:14:25,510 --> 00:14:26,709 I could point to this. 452 00:14:26,710 --> 00:14:28,389 If you look at it, you can see the 453 00:14:28,390 --> 00:14:30,489 outlines of bond wires and sort of 454 00:14:30,490 --> 00:14:31,659 these rectangular fashions. 455 00:14:31,660 --> 00:14:33,249 You can see multiple rectangles only. 456 00:14:33,250 --> 00:14:35,709 There's at least four chips inside 457 00:14:35,710 --> 00:14:38,019 this chip. 
And it's kind of amazing that 458 00:14:38,020 --> 00:14:39,489 for three dollars, they actually build a 459 00:14:39,490 --> 00:14:42,129 multi chip module, bonded all together, 460 00:14:42,130 --> 00:14:44,019 pack it up and sell it to full with arm 461 00:14:44,020 --> 00:14:44,199 core. 462 00:14:44,200 --> 00:14:45,819 And all these bits and pieces is really, 463 00:14:45,820 --> 00:14:48,159 really quite amazing technology. 464 00:14:48,160 --> 00:14:49,160 So 465 00:14:50,650 --> 00:14:52,749 going over that here 466 00:14:52,750 --> 00:14:54,499 is sort of the system diagram. 467 00:14:54,500 --> 00:14:56,590 But what we ended up building 468 00:14:57,760 --> 00:14:59,829 to based our work off of, we built 469 00:14:59,830 --> 00:15:02,049 sort of a base board, a main board 470 00:15:02,050 --> 00:15:03,939 that just sort of has like the art and 471 00:15:03,940 --> 00:15:06,249 speaker battery camera, a USB 472 00:15:06,250 --> 00:15:07,959 micro SD slot, Bluetooth and sort of 473 00:15:07,960 --> 00:15:09,549 Arduino like headers on it. 474 00:15:09,550 --> 00:15:11,049 And when you go ahead and split off the 475 00:15:11,050 --> 00:15:13,119 GSM part, so the GSM 476 00:15:13,120 --> 00:15:14,709 front end so that users have to make a 477 00:15:14,710 --> 00:15:16,809 bonafide choice about which GSM 478 00:15:16,810 --> 00:15:18,969 analog amplifier to use and that 479 00:15:18,970 --> 00:15:21,039 way hopefully get to sidestep 480 00:15:21,040 --> 00:15:23,109 some of the emissions testing issue that 481 00:15:23,110 --> 00:15:25,299 might have later on because it becomes a 482 00:15:25,300 --> 00:15:26,300 user issue. 
483 00:15:27,040 --> 00:15:29,349 And also we make the UI stuff 484 00:15:29,350 --> 00:15:31,059 on a separate board as well, like the 485 00:15:31,060 --> 00:15:33,069 keypad SIM card, the touchscreen, 486 00:15:33,070 --> 00:15:35,169 telephone, LCD, because 487 00:15:35,170 --> 00:15:36,639 those things can be laid on a much 488 00:15:36,640 --> 00:15:38,799 simpler two-layer PCB that people can 489 00:15:38,800 --> 00:15:40,629 design in Eagle, whatever favorite tool 490 00:15:40,630 --> 00:15:41,769 they have. And they don't have to deal 491 00:15:41,770 --> 00:15:43,149 with this sort of complex stuff on the 492 00:15:43,150 --> 00:15:45,309 bottom. So it's a little more friendly to 493 00:15:45,310 --> 00:15:47,409 people to hack and play with down 494 00:15:47,410 --> 00:15:48,429 the road. 495 00:15:48,430 --> 00:15:49,839 We originally wanted to sort of build 496 00:15:49,840 --> 00:15:52,239 this to make it compatible 497 00:15:52,240 --> 00:15:54,369 with the Spark Core ecosystem. For those 498 00:15:54,370 --> 00:15:56,739 who don't know Spark Core, Spark, that is 499 00:15:56,740 --> 00:15:58,929 sort of this Internet of Things module 500 00:16:00,130 --> 00:16:02,109 and they have this twenty four bit pin 501 00:16:02,110 --> 00:16:04,569 gypsum, but we couldn't pack enough 502 00:16:04,570 --> 00:16:05,859 into this footprint. 503 00:16:05,860 --> 00:16:07,599 So the actual implementation and we sort 504 00:16:07,600 --> 00:16:09,939 of show it know with an Arduino 505 00:16:09,940 --> 00:16:11,559 to show scale looks like this. 506 00:16:11,560 --> 00:16:14,349 This is the actual mainboard. 507 00:16:14,350 --> 00:16:16,449 The single chip on there you see is the 508 00:16:16,450 --> 00:16:18,549 six you see and it's like one 509 00:16:18,550 --> 00:16:20,139 chip which is great for all that 510 00:16:20,140 --> 00:16:22,359 functionality. It makes it very 511 00:16:22,360 --> 00:16:24,729 low cost and easy to build these things.
512 00:16:24,730 --> 00:16:26,979 And this is what it looks like 513 00:16:26,980 --> 00:16:29,469 when it gets all mounted up 514 00:16:29,470 --> 00:16:31,569 with the expansion 515 00:16:31,570 --> 00:16:32,769 boards. I mentioned. For the other 516 00:16:32,770 --> 00:16:34,299 instance, if it starts to kind of look a 517 00:16:34,300 --> 00:16:35,559 little more like a phone, but you can go 518 00:16:35,560 --> 00:16:37,659 ahead and mod it and do what you want to 519 00:16:37,660 --> 00:16:39,729 do to go ahead and build into it, you 520 00:16:39,730 --> 00:16:41,260 want to build it to be 521 00:16:43,120 --> 00:16:44,169 the design process. 522 00:16:44,170 --> 00:16:46,299 I mean, it is pretty standard 523 00:16:46,300 --> 00:16:48,429 what you expect since we 524 00:16:48,430 --> 00:16:50,919 had sort of some of the documentation 525 00:16:50,920 --> 00:16:52,659 for what the pinout should be, not full 526 00:16:52,660 --> 00:16:54,129 documentation, but we had sort of lists 527 00:16:54,130 --> 00:16:56,289 of ballouts and names 528 00:16:56,290 --> 00:16:58,449 of the balls. At least we could guess 529 00:16:58,450 --> 00:17:00,309 what the functions were, by and large, 530 00:17:00,310 --> 00:17:01,569 what everything was. 531 00:17:01,570 --> 00:17:03,279 We did no copy and paste from the 532 00:17:03,280 --> 00:17:04,598 reference material. So everything was 533 00:17:04,599 --> 00:17:06,189 redrawn from scratch. 534 00:17:06,190 --> 00:17:08,259 And and we kind of built it 535 00:17:08,260 --> 00:17:10,179 together based on experience, educated 536 00:17:10,180 --> 00:17:12,009 guesses, a little reverse engineering 537 00:17:12,010 --> 00:17:14,019 where we had some ambiguities like what 538 00:17:14,020 --> 00:17:15,068 these supplies did.
539 00:17:15,069 --> 00:17:17,108 We busted out the different connectors 540 00:17:17,109 --> 00:17:19,269 and did some comparisons to other 541 00:17:19,270 --> 00:17:21,759 designs we could find on the Internet. 542 00:17:21,760 --> 00:17:23,409 And so this is what the schematics end up 543 00:17:23,410 --> 00:17:25,899 looking like. We have 544 00:17:25,900 --> 00:17:28,809 should have a link live now, publishing 545 00:17:28,810 --> 00:17:31,089 all of the source sources that we have 546 00:17:31,090 --> 00:17:32,409 for this. You can download it and play 547 00:17:32,410 --> 00:17:35,019 with it. This is done in Altium and 548 00:17:35,020 --> 00:17:36,399 we have the circuit board layouts. 549 00:17:36,400 --> 00:17:38,289 Of course, you can go ahead and download 550 00:17:38,290 --> 00:17:40,629 and play with those yourself as 551 00:17:40,630 --> 00:17:41,630 much as you like. 552 00:17:42,280 --> 00:17:43,809 So that's the hardware platform. 553 00:17:44,890 --> 00:17:45,890 And then. 554 00:17:46,830 --> 00:17:48,419 There's a whole question of how do we get 555 00:17:48,420 --> 00:17:50,669 the firmware on it, we can't go ahead 556 00:17:50,670 --> 00:17:53,009 and just very well say, hey, guys, just 557 00:17:53,010 --> 00:17:55,529 download like the MediaTek 558 00:17:55,530 --> 00:17:57,209 compiler and all the source code to build 559 00:17:57,210 --> 00:17:59,429 it. That would be kind of lame. 560 00:17:59,430 --> 00:18:01,439 So we we, of course, had to do a bunch of 561 00:18:01,440 --> 00:18:02,789 things like, for example, figure the boot 562 00:18:02,790 --> 00:18:05,009 process was, figure out where the things 563 00:18:05,010 --> 00:18:07,199 are. So we always start by pulling 564 00:18:07,200 --> 00:18:09,149 off the ROM and dumping the ROM. 565 00:18:09,150 --> 00:18:10,589 We found this little it looks kind of 566 00:18:10,590 --> 00:18:13,109 like an iPhone.
It's like little tiny 567 00:18:13,110 --> 00:18:16,079 iPhone size for contrast. 568 00:18:16,080 --> 00:18:17,080 Right. 569 00:18:18,390 --> 00:18:20,969 And it's 570 00:18:20,970 --> 00:18:23,099 it's you know, it's called the MP 571 00:18:23,100 --> 00:18:24,059 for Terminator X. 572 00:18:24,060 --> 00:18:25,589 You take it apart has when these chips on 573 00:18:25,590 --> 00:18:27,209 the inside and we and this one had a 574 00:18:27,210 --> 00:18:30,089 separate SPI ROM, it would just dump 575 00:18:30,090 --> 00:18:32,129 the data out of the little static 576 00:18:32,130 --> 00:18:34,289 analysis, you know, some pretty 577 00:18:34,290 --> 00:18:36,029 obvious sections where bootloader might 578 00:18:36,030 --> 00:18:38,129 be in some recent vector tables and 579 00:18:38,130 --> 00:18:39,389 so and so forth. 580 00:18:39,390 --> 00:18:41,579 Did a binwalk, found some 581 00:18:41,580 --> 00:18:43,349 stuff that looked like compressed some 582 00:18:43,350 --> 00:18:45,479 zip files. And so the good 583 00:18:45,480 --> 00:18:46,979 news is basically there was very little 584 00:18:46,980 --> 00:18:48,749 encrypted stuff on here, if any. 585 00:18:48,750 --> 00:18:50,909 So it was a it was going to be not 586 00:18:50,910 --> 00:18:52,049 a walk in the park, but certainly 587 00:18:52,050 --> 00:18:53,050 accessible. 588 00:18:53,910 --> 00:18:56,129 Then we want to figure out sort of what 589 00:18:56,130 --> 00:18:58,229 bits were actually run first and how much 590 00:18:58,230 --> 00:19:00,029 was run inside the internal SoC 591 00:19:00,030 --> 00:19:01,199 boot ROM versus externally. 592 00:19:01,200 --> 00:19:03,389 So we took an afternoon with the Tek 593 00:19:03,390 --> 00:19:05,609 scope and sort of figured out 594 00:19:05,610 --> 00:19:07,379 where things are going.
This I love the 595 00:19:07,380 --> 00:19:09,449 scope because, for example, 596 00:19:09,450 --> 00:19:11,069 if you see here, you can go ahead and 597 00:19:11,070 --> 00:19:13,439 take a capture. 598 00:19:13,440 --> 00:19:14,399 You're just we're just popping out and 599 00:19:14,400 --> 00:19:16,739 say, oh, that looks like probably serial 600 00:19:16,740 --> 00:19:18,779 data and that looks like SPI data. 601 00:19:18,780 --> 00:19:20,189 And then we can go ahead and later on 602 00:19:20,190 --> 00:19:22,649 say, go ahead and interpret that. 603 00:19:22,650 --> 00:19:24,629 That's analog data as serial. 604 00:19:24,630 --> 00:19:26,129 And so you can see how the science is in 605 00:19:26,130 --> 00:19:27,579 it. Done six one. 606 00:19:27,580 --> 00:19:28,559 That's actually what's printing out of 607 00:19:28,560 --> 00:19:30,209 the port. But the scope is telling me 608 00:19:30,210 --> 00:19:32,009 that. And then it actually right after 609 00:19:32,010 --> 00:19:33,299 that, you see the SPI ROM to start 610 00:19:33,300 --> 00:19:34,439 starting. So you know that there's a 611 00:19:34,440 --> 00:19:35,759 there's a bunch of stuff that happens on 612 00:19:35,760 --> 00:19:37,349 an internal bootloader before the SPI 613 00:19:37,350 --> 00:19:38,399 fetches happen. 614 00:19:38,400 --> 00:19:40,409 And then it tells you where the addresses 615 00:19:40,410 --> 00:19:41,909 are coming from. So you can see in the 616 00:19:41,910 --> 00:19:44,399 sayan lines here that the address fetches 617 00:19:44,400 --> 00:19:45,929 and the codes are going across the SPI. 618 00:19:45,930 --> 00:19:48,149 So with this tool, we're very quickly 619 00:19:48,150 --> 00:19:50,099 able to sort of figure out where the 620 00:19:50,100 --> 00:19:52,319 entry vector is and what's being 621 00:19:52,320 --> 00:19:53,320 done.
First 622 00:19:54,450 --> 00:19:56,579 we go ahead and we, of course, 623 00:19:56,580 --> 00:19:59,159 just do some quick mods to 624 00:19:59,160 --> 00:20:00,689 some strings that we find in there. 625 00:20:00,690 --> 00:20:02,909 And if the boot fails, right. 626 00:20:02,910 --> 00:20:04,559 So there's some kind of verification 627 00:20:04,560 --> 00:20:05,560 going on. 628 00:20:06,090 --> 00:20:08,309 And so the next step we do is we go ahead 629 00:20:08,310 --> 00:20:09,869 and we instrument the phone. 630 00:20:09,870 --> 00:20:12,029 So we built the laptop called 631 00:20:12,030 --> 00:20:14,159 Novena, which is actually we're using 632 00:20:14,160 --> 00:20:15,749 the talking right now. We go ahead and we 633 00:20:15,750 --> 00:20:17,879 stick the phone inside a Novena. 634 00:20:17,880 --> 00:20:20,039 There's an FPGA in the Novena and we 635 00:20:20,040 --> 00:20:22,169 go ahead and we build a ROM 636 00:20:22,170 --> 00:20:24,239 emulator for the SPI ROM. 637 00:20:24,240 --> 00:20:26,999 Basically, this is 638 00:20:27,000 --> 00:20:27,989 the diagram of it. 639 00:20:27,990 --> 00:20:29,879 There's an FPGA that we go ahead. 640 00:20:29,880 --> 00:20:31,979 We just kind of man in the middle between 641 00:20:31,980 --> 00:20:34,379 the original SPI ROM and the CPU, 642 00:20:34,380 --> 00:20:36,659 the chip select line, take a sixty four 643 00:20:36,660 --> 00:20:38,759 K block of RAM and go ahead map 644 00:20:38,760 --> 00:20:40,929 that into the Linux kernel 645 00:20:40,930 --> 00:20:43,049 just so you can now map to 646 00:20:43,050 --> 00:20:44,609 what would be the code that's running on 647 00:20:44,610 --> 00:20:45,899 the phone itself. 648 00:20:45,900 --> 00:20:47,549 We wire up the power line and now we can 649 00:20:47,550 --> 00:20:50,009 go ahead and just patch data from Linux, 650 00:20:50,010 --> 00:20:51,509 hit the reboot and see what happens.
651 00:20:51,510 --> 00:20:53,549 So now we can go ahead and very rapidly 652 00:20:54,660 --> 00:20:56,789 do live exploration on the 653 00:20:56,790 --> 00:20:58,679 phone without having to decide or do any 654 00:20:58,680 --> 00:21:00,509 sort of stuff. And you do it. 655 00:21:00,510 --> 00:21:02,459 SSH in the box, you can be traveling and 656 00:21:02,460 --> 00:21:04,079 continuing your reversing work on your 657 00:21:04,080 --> 00:21:05,080 hardware. 658 00:21:06,060 --> 00:21:08,249 So using this ROMulator, we poked a bunch 659 00:21:08,250 --> 00:21:10,529 of regions, um, did a little stack 660 00:21:10,530 --> 00:21:12,749 and also found some SHA-1 constants 661 00:21:12,750 --> 00:21:14,429 and figured that there was a SHA-1 662 00:21:14,430 --> 00:21:16,619 hash appended 663 00:21:16,620 --> 00:21:19,079 to the initial bootloader region 664 00:21:19,080 --> 00:21:21,809 and indeed just going ahead and manually 665 00:21:21,810 --> 00:21:23,279 recomputing the hash, sticking it in the 666 00:21:23,280 --> 00:21:25,169 ROMulator trying to reboot and change 667 00:21:25,170 --> 00:21:25,619 your screen. 668 00:21:25,620 --> 00:21:27,689 We can tell that, say, hey, yo, food to 669 00:21:27,690 --> 00:21:30,209 your mama, you know, bootloader 670 00:21:30,210 --> 00:21:31,649 finished. Great. 671 00:21:31,650 --> 00:21:33,909 So hand it over to Xobs, 672 00:21:33,910 --> 00:21:35,129 talk about some of the things we did 673 00:21:35,130 --> 00:21:36,179 next. 674 00:21:36,180 --> 00:21:38,279 So it's all well and good to 675 00:21:38,280 --> 00:21:40,589 be to manually modify and recompute 676 00:21:40,590 --> 00:21:42,449 the hash every time. But that's that's a 677 00:21:42,450 --> 00:21:43,949 lot of work. 678 00:21:43,950 --> 00:21:45,899 We're lazy. So the first thing we did was 679 00:21:45,900 --> 00:21:47,429 we took radare2.
680 00:21:47,430 --> 00:21:48,689 I have no idea how you're supposed to 681 00:21:48,690 --> 00:21:50,669 pronounce that, but it's an open source 682 00:21:50,670 --> 00:21:52,769 kind of IDA equivalent that we could 683 00:21:52,770 --> 00:21:54,839 actually compile on the ARM CPU that 684 00:21:54,840 --> 00:21:56,069 is on Novena. 685 00:21:57,210 --> 00:21:59,479 So this Biram is a 64 686 00:21:59,480 --> 00:22:01,649 make 64 kilobyte window that is 687 00:22:01,650 --> 00:22:04,679 present within the Novena CPU space. 688 00:22:04,680 --> 00:22:06,929 So we got radare2. 689 00:22:06,930 --> 00:22:08,909 We've got a plugin that lets us treat 690 00:22:08,910 --> 00:22:11,129 that area as the file that is being 691 00:22:11,130 --> 00:22:13,829 read by the assembler. 692 00:22:13,830 --> 00:22:15,929 And what we did was we 693 00:22:15,930 --> 00:22:18,149 had it load code in and every time 694 00:22:18,150 --> 00:22:20,009 you modify a byte, it would recompute the 695 00:22:20,010 --> 00:22:21,599 signature and 696 00:22:22,950 --> 00:22:24,269 reboot the phone. 697 00:22:24,270 --> 00:22:25,529 And so we're doing this. 698 00:22:25,530 --> 00:22:27,779 We can actually do an assembly dump 699 00:22:27,780 --> 00:22:29,849 and disassembly and see what the 700 00:22:29,850 --> 00:22:31,079 live code is. 701 00:22:31,080 --> 00:22:33,449 And because we've computed the hash, 702 00:22:33,450 --> 00:22:35,459 the phone will actually execute the code 703 00:22:35,460 --> 00:22:36,959 and load it. And based on that, we can 704 00:22:36,960 --> 00:22:38,909 begin a reverse engineering process and 705 00:22:38,910 --> 00:22:41,519 figuring out how to get software 706 00:22:41,520 --> 00:22:44,099 running on the phone now 707 00:22:44,100 --> 00:22:46,499 in our searches from earlier.
708 00:22:46,500 --> 00:22:48,809 bunnie mentioned that we had some 709 00:22:48,810 --> 00:22:51,119 partial documentation and there were some 710 00:22:51,120 --> 00:22:52,769 blocks that were actually documented in 711 00:22:52,770 --> 00:22:55,179 this. This is a close up of the manual. 712 00:22:55,180 --> 00:22:57,219 You can see we have the keypad scanner, 713 00:22:57,220 --> 00:22:58,919 we have the GPIO blocks. 714 00:22:58,920 --> 00:23:01,079 We have the general-purpose timers, which 715 00:23:01,080 --> 00:23:02,579 are going to be necessary for getting a 716 00:23:02,580 --> 00:23:04,709 multitasking operating system going. 717 00:23:04,710 --> 00:23:06,179 And we have the serial UART. 718 00:23:06,180 --> 00:23:08,789 So we have a partial documentation for 719 00:23:08,790 --> 00:23:11,249 some of these blocks. 720 00:23:11,250 --> 00:23:13,919 And based on that, we can start 721 00:23:13,920 --> 00:23:16,439 building a putative memory map 722 00:23:16,440 --> 00:23:18,969 that starts with zero address is 723 00:23:18,970 --> 00:23:21,119 looks appears to be RAM address. 724 00:23:21,120 --> 00:23:22,949 One thousand appears to be the SPI chip 725 00:23:22,950 --> 00:23:24,389 that we're executing. Our first of all of 726 00:23:24,390 --> 00:23:26,549 our code is going to be referenced to 727 00:23:26,550 --> 00:23:28,439 relative to 1000. 728 00:23:28,440 --> 00:23:30,719 Then there are a lot of question marks. 729 00:23:30,720 --> 00:23:31,889 We know there's data there. 730 00:23:31,890 --> 00:23:33,629 If we wrote to it, sometimes it sticks, 731 00:23:33,630 --> 00:23:35,099 sometimes it's random data that comes 732 00:23:35,100 --> 00:23:36,959 back. Sometimes it's all Fs. 733 00:23:36,960 --> 00:23:39,029 We don't really know, but we can 734 00:23:39,030 --> 00:23:40,259 fill in the ones we do know.
735 00:23:40,260 --> 00:23:41,909 For example, the last two lines are the 736 00:23:41,910 --> 00:23:43,829 two units that are actually documented in 737 00:23:43,830 --> 00:23:45,569 the reference manual. 738 00:23:45,570 --> 00:23:47,489 And so based on that, we get 739 00:23:47,490 --> 00:23:49,199 documentation like this. 740 00:23:49,200 --> 00:23:51,419 This is the transmit holding 741 00:23:51,420 --> 00:23:52,739 register. 742 00:23:52,740 --> 00:23:54,389 And you could see it's it's fairly nice 743 00:23:54,390 --> 00:23:56,009 documentation. And I think that they 744 00:23:56,010 --> 00:23:57,299 actually released this because it's a 745 00:23:57,300 --> 00:23:59,429 useful port to be able 746 00:23:59,430 --> 00:24:01,769 to use when you're building Sean's iPhone 747 00:24:01,770 --> 00:24:03,239 like this. 748 00:24:03,240 --> 00:24:05,009 So with this information, we started 749 00:24:05,010 --> 00:24:07,139 developing what we call Fernly. 750 00:24:07,140 --> 00:24:08,819 It's our Fernvale command line 751 00:24:08,820 --> 00:24:10,619 environment. It has the basics, it has 752 00:24:10,620 --> 00:24:12,689 peek, it has poke and 753 00:24:12,690 --> 00:24:14,099 it has hex dump. 754 00:24:14,100 --> 00:24:15,839 And then depending on what we're trying 755 00:24:15,840 --> 00:24:17,969 to look for, it has one off programs that 756 00:24:17,970 --> 00:24:19,559 are so short lived that they don't even 757 00:24:19,560 --> 00:24:21,959 make it into git, to search for various 758 00:24:21,960 --> 00:24:24,149 patterns for various blocks. 759 00:24:24,150 --> 00:24:26,159 Now, the one restriction is that this 760 00:24:26,160 --> 00:24:28,229 bootloader must fit within the 761 00:24:28,230 --> 00:24:30,389 next bootloader, which is 762 00:24:30,390 --> 00:24:32,219 fine because it's fairly small to begin 763 00:24:32,220 --> 00:24:33,220 with.
764 00:24:34,400 --> 00:24:35,629 So first up, we're going to figure out 765 00:24:35,630 --> 00:24:36,859 the UART. We're going to try and get 766 00:24:36,860 --> 00:24:39,499 the driver for the UART working, 767 00:24:39,500 --> 00:24:41,599 it's the same UART as in a bunch of 768 00:24:41,600 --> 00:24:43,339 other MediaTek phones. 769 00:24:43,340 --> 00:24:46,309 It's the same UART that's used in 770 00:24:46,310 --> 00:24:47,749 reference manuals that are completely 771 00:24:47,750 --> 00:24:49,159 open, that have been released for ancient 772 00:24:49,160 --> 00:24:51,139 phones 10 years ago. 773 00:24:51,140 --> 00:24:52,669 And it's part of the Manfred's manual we 774 00:24:52,670 --> 00:24:54,739 had. And there are drivers for Linux that 775 00:24:54,740 --> 00:24:56,539 we could look at and it doesn't require 776 00:24:56,540 --> 00:24:59,659 any interrupts, which is great. 777 00:24:59,660 --> 00:25:01,069 So based on this, we're able to get putchar 778 00:25:01,070 --> 00:25:02,179 and getchar. 779 00:25:02,180 --> 00:25:04,129 And with that, we can get a whole show 780 00:25:04,130 --> 00:25:05,130 going. 781 00:25:05,700 --> 00:25:07,879 Next up, GPIO also 782 00:25:07,880 --> 00:25:08,779 very easy. 783 00:25:08,780 --> 00:25:10,759 You write a value to register a light 784 00:25:10,760 --> 00:25:13,219 turns on, you're happy you go home. 785 00:25:13,220 --> 00:25:15,379 It doesn't require any interrupts 786 00:25:15,380 --> 00:25:17,239 unless you want to get a button, which is 787 00:25:17,240 --> 00:25:18,259 great. 788 00:25:18,260 --> 00:25:20,089 Not very useful at this point, though, 789 00:25:20,090 --> 00:25:21,440 unless you want to turn a light on 790 00:25:23,390 --> 00:25:24,439 after that. 791 00:25:24,440 --> 00:25:26,569 The general purpose timer, you need that 792 00:25:26,570 --> 00:25:28,459 for the periodic tick, for multi 793 00:25:28,460 --> 00:25:29,869 threading multitasking.
794 00:25:29,870 --> 00:25:31,849 And that's also in the reference manual. 795 00:25:31,850 --> 00:25:34,279 The problem is all these three require 796 00:25:34,280 --> 00:25:36,079 one thing that was not in the reference 797 00:25:36,080 --> 00:25:38,269 manual and we could not fix 798 00:25:38,270 --> 00:25:39,270 the thing that we needed. 799 00:25:41,100 --> 00:25:42,100 We need to interrupt, 800 00:25:44,370 --> 00:25:45,479 we couldn't find any way to get 801 00:25:45,480 --> 00:25:47,579 interrupted, so 802 00:25:47,580 --> 00:25:49,679 on ARM, there's one interrupt. 803 00:25:49,680 --> 00:25:51,269 What happens is an interrupt fires. 804 00:25:51,270 --> 00:25:53,129 It jumps to offset twenty four and then 805 00:25:53,130 --> 00:25:54,569 that jumps to your interrupt handler. 806 00:25:54,570 --> 00:25:56,789 That standardized that's standardized 807 00:25:56,790 --> 00:25:58,740 across pretty much all ARM chips. 808 00:25:59,910 --> 00:26:01,859 The problem is we had earlier 809 00:26:01,860 --> 00:26:04,179 documentation, but each MediaTek 810 00:26:04,180 --> 00:26:06,059 chip is different. 811 00:26:06,060 --> 00:26:08,339 We had documentation for the MT6205 812 00:26:08,340 --> 00:26:10,649 and we had documentation 813 00:26:10,650 --> 00:26:11,939 for the 6235. 814 00:26:11,940 --> 00:26:14,159 That's the one that Osmocom has been 815 00:26:14,160 --> 00:26:15,989 worked on in the past. 816 00:26:15,990 --> 00:26:17,009 And if you look here, first off, you 817 00:26:17,010 --> 00:26:19,259 could see that they don't actually 818 00:26:19,260 --> 00:26:20,999 give you the complete offset. 819 00:26:21,000 --> 00:26:23,069 They say it's at CAQ 820 00:26:23,070 --> 00:26:24,239 plus zero zero one four. 821 00:26:24,240 --> 00:26:26,309 They don't tell you what address CAQ is. 822 00:26:27,330 --> 00:26:29,699 And these two are also very different.
823 00:26:29,700 --> 00:26:31,499 You can see that one of them is sixteen 824 00:26:31,500 --> 00:26:33,579 bits, one of them 32, one of them 825 00:26:33,580 --> 00:26:34,589 at offset fourteen. 826 00:26:34,590 --> 00:26:36,209 The other one's at offset thirty eight. 827 00:26:36,210 --> 00:26:38,639 They're similar enough, but just 828 00:26:38,640 --> 00:26:40,229 completely different. 829 00:26:40,230 --> 00:26:41,759 So we couldn't use these to actually 830 00:26:41,760 --> 00:26:44,339 figure out what the interrupt 831 00:26:44,340 --> 00:26:47,129 and the block looked like. 832 00:26:47,130 --> 00:26:49,289 So we're going to try and analyze what 833 00:26:49,290 --> 00:26:51,059 we have already. 834 00:26:51,060 --> 00:26:53,159 Look at the RAM, the boot ROM in the 835 00:26:53,160 --> 00:26:54,869 phone and dump it and figure out how the 836 00:26:54,870 --> 00:26:56,759 boot does it. 837 00:26:56,760 --> 00:26:59,189 Try some more in-depth static analysis of 838 00:26:59,190 --> 00:27:01,799 the boot run of the spectrum 839 00:27:01,800 --> 00:27:03,299 that we pulled off of the phone. 840 00:27:03,300 --> 00:27:05,519 Try and analyze that with IDA, 841 00:27:05,520 --> 00:27:06,959 because this is a common chip. 842 00:27:06,960 --> 00:27:08,579 You can find ROMs for other phones 843 00:27:08,580 --> 00:27:10,079 online. So see if they did anything 844 00:27:10,080 --> 00:27:11,429 different in theirs. 845 00:27:11,430 --> 00:27:13,269 And also look at phones. 846 00:27:13,270 --> 00:27:14,969 If we can't figure out something from 847 00:27:14,970 --> 00:27:17,039 these manuals for the 6235 or the 848 00:27:17,040 --> 00:27:19,289 6225 or 6205, 849 00:27:19,290 --> 00:27:21,359 in all of 850 00:27:21,360 --> 00:27:22,979 our static analysis, we did find this 851 00:27:22,980 --> 00:27:25,019 function in RAM.
852 00:27:25,020 --> 00:27:27,119 It takes an integer, 853 00:27:27,120 --> 00:27:29,849 a pointer to a function and a string. 854 00:27:29,850 --> 00:27:31,919 It's always called if either 30 or 855 00:27:31,920 --> 00:27:33,029 and then a function. 856 00:27:33,030 --> 00:27:35,429 So the first one is where they're calling 857 00:27:35,430 --> 00:27:36,989 it. Actually, this is what's installing 858 00:27:36,990 --> 00:27:37,889 the interrupt handlers. 859 00:27:37,890 --> 00:27:39,629 And this is actually really great because 860 00:27:39,630 --> 00:27:41,699 it lets us map it lets us figure out that 861 00:27:41,700 --> 00:27:44,189 Interrupt 18 is actually the handler. 862 00:27:44,190 --> 00:27:45,959 Let's figure out that interrupt 13 is 863 00:27:45,960 --> 00:27:47,219 actually the SPI handler. 864 00:27:47,220 --> 00:27:49,649 It doesn't tell us how it installs this 865 00:27:49,650 --> 00:27:51,269 because there's some interaction that's 866 00:27:51,270 --> 00:27:52,589 going on, but it's actually it's not a 867 00:27:52,590 --> 00:27:54,269 bad first step. 868 00:27:54,270 --> 00:27:55,270 So 869 00:27:56,430 --> 00:27:57,809 let's get back to that file that bunnie 870 00:27:57,810 --> 00:28:00,059 mentioned earlier, the MTK 871 00:28:00,060 --> 00:28:02,219 11, B 13, 08, 872 00:28:02,220 --> 00:28:03,220 a great naming scheme. 873 00:28:04,650 --> 00:28:06,899 It's customized to the MT6260. 874 00:28:06,900 --> 00:28:08,789 And it's the source code for the 875 00:28:08,790 --> 00:28:10,829 entire operating system. 876 00:28:10,830 --> 00:28:12,359 And the nice thing is that the AYAKA 877 00:28:12,360 --> 00:28:13,859 exists in source form. 878 00:28:13,860 --> 00:28:15,329 So you could look at this file, this 879 00:28:15,330 --> 00:28:17,609 Syracuse, England, to control 880 00:28:17,610 --> 00:28:19,709 underscore MTIs six 881 00:28:19,710 --> 00:28:20,789 two six zero.
882 00:28:20,790 --> 00:28:22,409 And that contains a list of all the 883 00:28:22,410 --> 00:28:24,479 interrupts, along with a list 884 00:28:24,480 --> 00:28:27,359 of register offsets and addresses 885 00:28:27,360 --> 00:28:29,280 where the various bits are. 886 00:28:30,360 --> 00:28:31,859 But it also gives us a complete memory 887 00:28:31,860 --> 00:28:33,659 map in this header file here under Reg 888 00:28:33,660 --> 00:28:35,759 based INC, which lets us figure it lets 889 00:28:35,760 --> 00:28:37,379 us remove all the question marks that we 890 00:28:37,380 --> 00:28:38,789 had in that memory map that we were 891 00:28:38,790 --> 00:28:41,189 building based on that 892 00:28:42,240 --> 00:28:44,219 limited reference manual we had. 893 00:28:44,220 --> 00:28:46,199 It's not as good as a data sheet, but 894 00:28:46,200 --> 00:28:47,200 it'll do. 895 00:28:48,430 --> 00:28:50,139 And so with this, the IRQ problem is 896 00:28:50,140 --> 00:28:51,140 solved. 897 00:28:51,720 --> 00:28:53,429 We know how to unmask IRQs, we know how 898 00:28:53,430 --> 00:28:55,829 to acknowledge that they fired, but 899 00:28:55,830 --> 00:28:58,249 one illustration as to how 900 00:28:58,250 --> 00:28:59,699 source code is not as good as a reference 901 00:28:59,700 --> 00:29:01,259 manual. All the IRQs are off. 902 00:29:01,260 --> 00:29:02,429 They're off by five. 903 00:29:02,430 --> 00:29:04,889 For some reason, the SPI interrupt, 904 00:29:04,890 --> 00:29:06,479 they hook number 30, but it's actually 905 00:29:06,480 --> 00:29:07,889 35. 906 00:29:07,890 --> 00:29:09,719 The handler, they hook 18, but it's 907 00:29:09,720 --> 00:29:11,549 actually 23. 908 00:29:11,550 --> 00:29:12,869 I don't know why they do that. 909 00:29:12,870 --> 00:29:15,059 But in our code, we actually use IRQ 910 00:29:15,060 --> 00:29:17,279 23. And that's an important distinction 911 00:29:17,280 --> 00:29:18,899 that we make.
You can see that obviously 912 00:29:18,900 --> 00:29:20,879 we're not just copying code, we're 913 00:29:20,880 --> 00:29:22,949 actually interpreting it and making 914 00:29:22,950 --> 00:29:23,950 it better. 915 00:29:25,680 --> 00:29:27,689 So with this, we had enough to port a 916 00:29:27,690 --> 00:29:29,909 basic NuttX. NuttX is BSD 917 00:29:29,910 --> 00:29:32,339 licensed. It's kind of a POSIX type 918 00:29:32,340 --> 00:29:34,289 Alake type thing. 919 00:29:34,290 --> 00:29:36,809 Osmocom uses it for their phone. 920 00:29:36,810 --> 00:29:38,759 Thanks to the general purpose timer and 921 00:29:38,760 --> 00:29:41,999 the IRQ, we have multitasking support. 922 00:29:42,000 --> 00:29:43,499 One thing to know about this chip, it's a 923 00:29:43,500 --> 00:29:45,869 really weird ARM7. 924 00:29:45,870 --> 00:29:47,789 It's the only ARM7 I've ever seen that has 925 00:29:47,790 --> 00:29:50,369 an ARMv5 instruction set, 926 00:29:50,370 --> 00:29:52,409 but it doesn't have a coprocessor 15. 927 00:29:52,410 --> 00:29:54,449 So there's no memory protection, there's 928 00:29:54,450 --> 00:29:55,829 no cache, none of this. 929 00:29:55,830 --> 00:29:57,899 So you can't run full Linux, 930 00:29:57,900 --> 00:29:59,999 for example, but NuttX has no 931 00:30:00,000 --> 00:30:01,000 problem with this. 932 00:30:02,280 --> 00:30:04,019 And with all this, with an operating 933 00:30:04,020 --> 00:30:06,449 system running with this code goal one, 934 00:30:06,450 --> 00:30:08,729 I think it's basically achieved 935 00:30:08,730 --> 00:30:09,730 so. 936 00:30:16,280 --> 00:30:18,529 So we can run code, we can load code, 937 00:30:18,530 --> 00:30:19,530 we don't have 938 00:30:20,810 --> 00:30:22,039 a lot of features that are missing, we 939 00:30:22,040 --> 00:30:23,959 only have partial LCD support, we don't 940 00:30:23,960 --> 00:30:25,489 have automatic refresh working out.
941 00:30:25,490 --> 00:30:27,079 But with interrupts, we should get that 942 00:30:27,080 --> 00:30:28,399 soon. 943 00:30:28,400 --> 00:30:30,199 We don't have a full SPI 944 00:30:30,200 --> 00:30:31,669 implementation, but we can do things like 945 00:30:31,670 --> 00:30:33,829 query the SPI ID and the road 946 00:30:33,830 --> 00:30:36,079 is there to get full SPI support. 947 00:30:36,080 --> 00:30:38,389 Audio support requires some DMA 948 00:30:38,390 --> 00:30:39,529 that we're still working on. And there's 949 00:30:39,530 --> 00:30:40,579 a bunch of other things. 950 00:30:40,580 --> 00:30:42,799 Of course, Bluetooth and GSM, they aren't 951 00:30:42,800 --> 00:30:44,959 on here, but they should be possible 952 00:30:44,960 --> 00:30:47,239 to get working naked 953 00:30:47,240 --> 00:30:48,619 under the point where we have all this. 954 00:30:48,620 --> 00:30:49,620 It's great, but 955 00:30:51,290 --> 00:30:53,899 we don't want everyone to have a Novena 956 00:30:53,900 --> 00:30:54,919 to use the Fernvale phone. 957 00:30:54,920 --> 00:30:56,299 That just doesn't work. 958 00:30:56,300 --> 00:30:58,069 So we need a better way to do it. 959 00:30:58,070 --> 00:30:59,359 Now, the thing is, these phones are 960 00:30:59,360 --> 00:31:01,489 really cheap and 961 00:31:01,490 --> 00:31:02,779 they have to have a way to get the 962 00:31:02,780 --> 00:31:05,179 software on there on cheap 963 00:31:05,180 --> 00:31:06,799 commodity hardware. 964 00:31:06,800 --> 00:31:08,719 And the solution there is to use the 965 00:31:08,720 --> 00:31:09,920 factory flashing tool. 966 00:31:11,210 --> 00:31:12,829 This is very easy to find. 967 00:31:12,830 --> 00:31:15,049 This is the easiest software 968 00:31:15,050 --> 00:31:17,329 to find just because it's used in every 969 00:31:17,330 --> 00:31:19,459 corner shop to reflash the firmware, 970 00:31:19,460 --> 00:31:21,559 to unlock it, to do whatever.
971 00:31:21,560 --> 00:31:23,299 And it's also used to run this. 972 00:31:23,300 --> 00:31:25,699 This particular tab is a memory test. 973 00:31:25,700 --> 00:31:27,829 So you can test RAM, you can test 974 00:31:27,830 --> 00:31:29,959 NOR flash, you can test NAND flash in 975 00:31:29,960 --> 00:31:31,579 addition to just writing a new firmware 976 00:31:31,580 --> 00:31:32,629 image to it. 977 00:31:32,630 --> 00:31:34,969 And this basically starts 978 00:31:34,970 --> 00:31:37,249 out the MediaTek default 979 00:31:37,250 --> 00:31:38,839 that this is their boot sequence, it 980 00:31:38,840 --> 00:31:40,129 starts in the ROM. 981 00:31:40,130 --> 00:31:41,779 And if you have a SPI attached because 982 00:31:41,780 --> 00:31:43,159 the internal bootloader and then the 983 00:31:43,160 --> 00:31:44,749 external bootloader and then it actually 984 00:31:44,750 --> 00:31:47,089 loads the operating system, or if 985 00:31:47,090 --> 00:31:48,829 you're in that corner shop or you're in a 986 00:31:48,830 --> 00:31:51,049 factory, it goes from the ROM to one 987 00:31:51,050 --> 00:31:53,239 be able to to build over USB 988 00:31:53,240 --> 00:31:55,069 and then other ones master factory. 989 00:31:55,070 --> 00:31:57,379 But we don't want you to have to pirate 990 00:31:57,380 --> 00:31:59,179 and download the MediaTek software. 991 00:31:59,180 --> 00:32:00,799 We think we want this to be completely 992 00:32:00,800 --> 00:32:01,909 open. 993 00:32:01,910 --> 00:32:04,039 So we came up with Fernvale 994 00:32:04,040 --> 00:32:06,319 USB Loader based on 995 00:32:06,320 --> 00:32:08,059 sniffing the traffic and we found a way 996 00:32:08,060 --> 00:32:09,319 to load our own code. 997 00:32:10,400 --> 00:32:12,739 And from that it goes from the ROM 998 00:32:12,740 --> 00:32:14,389 either to the USB download or if you're 999 00:32:14,390 --> 00:32:16,609 going over USB or directly to Fernly 1000 00:32:16,610 --> 00:32:18,709 and then load NuttX.
1001 00:32:18,710 --> 00:32:21,649 But there's a small problem 1002 00:32:21,650 --> 00:32:23,959 on you previously. 1003 00:32:23,960 --> 00:32:26,089 You end up going through Interpol or one 1004 00:32:26,090 --> 00:32:28,489 bill, and the purpose of these is to 1005 00:32:28,490 --> 00:32:30,889 set up the clocks 1006 00:32:30,890 --> 00:32:32,659 and the RAM because when the RAM comes up 1007 00:32:32,660 --> 00:32:34,819 and it's calibrated in the RAM doesn't do 1008 00:32:34,820 --> 00:32:36,949 that. So we have to do that in 1009 00:32:36,950 --> 00:32:38,639 our Fernly system. 1010 00:32:38,640 --> 00:32:40,189 But the thing is, that's really 1011 00:32:40,190 --> 00:32:41,719 complicated proprietary stuff. 1012 00:32:41,720 --> 00:32:43,399 And we've never seen any reference 1013 00:32:43,400 --> 00:32:45,619 manuals that talk about the calibration 1014 00:32:45,620 --> 00:32:47,419 sequence. And I think the only reference 1015 00:32:47,420 --> 00:32:49,519 we have for calibrating the memory 1016 00:32:49,520 --> 00:32:51,169 and turning on the clocks and powering up 1017 00:32:51,170 --> 00:32:53,539 everything is in the source code. 1018 00:32:53,540 --> 00:32:55,279 And you can't just release the source 1019 00:32:55,280 --> 00:32:56,569 code because that's that's a huge 1020 00:32:56,570 --> 00:32:57,740 copyright violation. 1021 00:32:58,880 --> 00:33:01,189 So because we don't have reference 1022 00:33:01,190 --> 00:33:03,049 manuals with this and we don't want to 1023 00:33:03,050 --> 00:33:04,759 ship everyone the internal bootloader, 1024 00:33:05,810 --> 00:33:07,369 how can we set up the chip at boot? 1025 00:33:09,240 --> 00:33:11,609 And so we ended up coming 1026 00:33:11,610 --> 00:33:13,409 up with a solution that bunnie mentioned 1027 00:33:13,410 --> 00:33:15,869 earlier, the scripting language, 1028 00:33:15,870 --> 00:33:17,489 it's a very simple command language.
1029 00:33:17,490 --> 00:33:19,649 It's kind of similar to the way most 1030 00:33:19,650 --> 00:33:21,719 system on chips like your phone when it 1031 00:33:21,720 --> 00:33:23,999 turns on, it has to have a set 1032 00:33:24,000 --> 00:33:26,369 of scripts that calibrate the particular 1033 00:33:26,370 --> 00:33:27,659 RAM chip that's paired with it. 1034 00:33:27,660 --> 00:33:29,339 And they have a series of pokes. 1035 00:33:29,340 --> 00:33:31,499 They're just poke values in a memory 1036 00:33:31,500 --> 00:33:32,939 and Scriptic is very similar to that, 1037 00:33:32,940 --> 00:33:34,979 except it runs on the CPU after it's been 1038 00:33:34,980 --> 00:33:36,269 booted. 1039 00:33:36,270 --> 00:33:37,949 And using this, we could just distill 1040 00:33:37,950 --> 00:33:40,019 facts down into scripts because there's only 1041 00:33:40,020 --> 00:33:43,049 really one way to set up the RAM 1042 00:33:43,050 --> 00:33:44,879 and that's a fact. 1043 00:33:44,880 --> 00:33:47,279 Scripts are explicitly not Turing 1044 00:33:47,280 --> 00:33:49,049 complete. It's just a series of steps to 1045 00:33:49,050 --> 00:33:51,329 take. We don't have any if then else 1046 00:33:51,330 --> 00:33:52,889 we don't have any jumps or anything like 1047 00:33:52,890 --> 00:33:55,199 that. But you can call C 1048 00:33:55,200 --> 00:33:56,579 functions from Scriptic scripts. 1049 00:33:56,580 --> 00:33:58,269 So in that sense it can be considered 1050 00:33:58,270 --> 00:33:59,339 Turing complete. 1051 00:33:59,340 --> 00:34:01,499 This is required for the RAM calibration 1052 00:34:01,500 --> 00:34:03,179 because it has to keep trying values 1053 00:34:03,180 --> 00:34:05,129 until it finds one and then it averages 1054 00:34:05,130 --> 00:34:07,289 the two values and it's just 1055 00:34:07,290 --> 00:34:09,269 implemented as assembler macros and run 1056 00:34:09,270 --> 00:34:10,270 through GCC.
1057 00:34:11,610 --> 00:34:13,948 So we have just a few commands 1058 00:34:13,949 --> 00:34:14,849 here. 1059 00:34:14,850 --> 00:34:17,519 Read 32, write 32, 16 that reads 1060 00:34:17,520 --> 00:34:19,019 usleep. That ends up being really 1061 00:34:19,020 --> 00:34:20,129 useful. 1062 00:34:20,130 --> 00:34:22,439 And this is what the actual 1063 00:34:22,440 --> 00:34:24,359 file looks like. This is a Scriptic script 1064 00:34:24,360 --> 00:34:27,388 that just starts to set up a memory. 1065 00:34:27,389 --> 00:34:29,099 You can see it's writing the value to 1066 00:34:29,100 --> 00:34:31,619 remap the memory and then it's writing 1067 00:34:31,620 --> 00:34:33,809 some other values to the very end of RAM. 1068 00:34:33,810 --> 00:34:35,849 This is a special command sequence that 1069 00:34:35,850 --> 00:34:37,789 each leadership has to actually get 1070 00:34:37,790 --> 00:34:39,089 included. 1071 00:34:39,090 --> 00:34:40,859 But the important thing to note from this 1072 00:34:40,860 --> 00:34:42,718 slide is that you can send different 1073 00:34:42,719 --> 00:34:44,129 values to the RAM. 1074 00:34:44,130 --> 00:34:45,359 This just gives you an idea of how it 1075 00:34:45,360 --> 00:34:46,360 works, 1076 00:34:47,500 --> 00:34:49,559 Scriptic can call 1077 00:34:49,560 --> 00:34:51,359 functions. I mentioned that earlier. 1078 00:34:51,360 --> 00:34:53,609 This is the actual code to calibrate the 1079 00:34:53,610 --> 00:34:56,279 RAM as well at Pascal's 1080 00:34:56,280 --> 00:34:58,379 Calibrate Ram with to return 1081 00:34:58,380 --> 00:35:00,899 zero and then continues 1082 00:35:00,900 --> 00:35:02,339 on its way. 1083 00:35:02,340 --> 00:35:04,289 Another interesting thing here is that 1084 00:35:04,290 --> 00:35:06,689 there's commands and 1085 00:35:06,690 --> 00:35:08,519 what it will do.
It will wait forever 1086 00:35:08,520 --> 00:35:10,589 until that value's met and this happens a 1087 00:35:10,590 --> 00:35:11,669 lot of time in hardware. 1088 00:35:11,670 --> 00:35:13,649 You send a command, you say go do this 1089 00:35:13,650 --> 00:35:14,849 and then you wait for it to return 1090 00:35:14,850 --> 00:35:15,850 success. 1091 00:35:17,930 --> 00:35:20,059 Finally, because it runs through 1092 00:35:20,060 --> 00:35:22,369 a compiler, you can use include 1093 00:35:22,370 --> 00:35:24,919 files and for things such as the GPS 1094 00:35:24,920 --> 00:35:26,899 system where we do have a full manual, 1095 00:35:26,900 --> 00:35:28,999 you can actually use that masks and 1096 00:35:29,000 --> 00:35:31,069 you could be more explicit in 1097 00:35:31,070 --> 00:35:32,389 what you say. So if we have more 1098 00:35:32,390 --> 00:35:34,489 information about the chip, then you 1099 00:35:34,490 --> 00:35:36,139 get better Scriptic scripts. 1100 00:35:36,140 --> 00:35:38,309 If you have just constants from the code 1101 00:35:38,310 --> 00:35:40,449 you're using as a reference, 1102 00:35:40,450 --> 00:35:42,289 then you're going to just get constants 1103 00:35:42,290 --> 00:35:43,609 like we had before. 1104 00:35:43,610 --> 00:35:45,409 So you can use bit masks, you can do 1105 00:35:45,410 --> 00:35:47,779 or and all that, and you can 1106 00:35:47,780 --> 00:35:49,669 assemble it together and it will just 1107 00:35:49,670 --> 00:35:51,379 work. So. 1108 00:35:51,380 --> 00:35:52,399 Yep.
1109 00:35:52,400 --> 00:35:54,559 And so Sean, going 1110 00:35:54,560 --> 00:35:56,629 ahead and kind of gave an overview 1111 00:35:56,630 --> 00:35:58,849 of sort of what 1112 00:35:58,850 --> 00:36:01,069 we had done up to this 1113 00:36:01,070 --> 00:36:03,169 point in time and sort of some of 1114 00:36:03,170 --> 00:36:05,239 the mechanisms that we had used 1115 00:36:05,240 --> 00:36:07,369 to go ahead and address some of the 1116 00:36:07,370 --> 00:36:09,859 IP issues that we encountered head on. 1117 00:36:09,860 --> 00:36:11,929 So hopefully at this point in time, 1118 00:36:11,930 --> 00:36:14,359 we now have a draft process 1119 00:36:14,360 --> 00:36:16,099 for translating this sort of Shanghai 1120 00:36:16,100 --> 00:36:18,679 China style IP into something that's more 1121 00:36:18,680 --> 00:36:21,109 clean, licensed open Western 1122 00:36:21,110 --> 00:36:23,389 IP and the basic 1123 00:36:23,390 --> 00:36:25,999 processes we get documentation 1124 00:36:26,000 --> 00:36:27,739 and other examples from public download 1125 00:36:27,740 --> 00:36:29,179 to reverse engineer it out of the 1126 00:36:29,180 --> 00:36:31,009 existing code base. 1127 00:36:31,010 --> 00:36:33,469 We work within the fair use framework 1128 00:36:33,470 --> 00:36:34,969 based upon the rights that are available 1129 00:36:34,970 --> 00:36:37,099 to everyone. You know, at least I mean, 1130 00:36:37,100 --> 00:36:38,749 I guess it is US law. 1131 00:36:38,750 --> 00:36:40,159 So I don't know what is like out here, 1132 00:36:40,160 --> 00:36:42,409 but, you know, we hope that it's it's 1133 00:36:42,410 --> 00:36:44,659 a it's pretty similar in this in this 1134 00:36:44,660 --> 00:36:45,769 area. 
1135 00:36:45,770 --> 00:36:47,209 And then we go ahead and we create this 1136 00:36:47,210 --> 00:36:49,399 framework to help avoid this problem of 1137 00:36:49,400 --> 00:36:51,199 sort of subconscious plagiarism, this 1138 00:36:51,200 --> 00:36:53,479 problem where, you know, particularly 1139 00:36:53,480 --> 00:36:54,979 good coders can go ahead and read a piece 1140 00:36:54,980 --> 00:36:56,689 of code essentially committed to memory 1141 00:36:56,690 --> 00:36:58,939 and just blotted out exactly the right 1142 00:36:58,940 --> 00:37:00,769 way, you know, an hour or two hours a 1143 00:37:00,770 --> 00:37:01,909 week later or something like that. 1144 00:37:01,910 --> 00:37:04,519 And so by going ahead and 1145 00:37:04,520 --> 00:37:06,049 looking at one piece of code, plant the 1146 00:37:06,050 --> 00:37:08,299 facts and re re expressing 1147 00:37:08,300 --> 00:37:10,099 it in the terms of these assembler 1148 00:37:10,100 --> 00:37:12,739 macros, we go ahead and 1149 00:37:12,740 --> 00:37:13,939 create a mechanism to go ahead and 1150 00:37:13,940 --> 00:37:15,679 discipline ourselves to avoid the 1151 00:37:15,680 --> 00:37:17,719 subconscious plagiarism. 1152 00:37:17,720 --> 00:37:20,339 And so we're at now is that we have this, 1153 00:37:20,340 --> 00:37:22,339 you know, an open platform that's 1154 00:37:22,340 --> 00:37:24,469 compliant to sort of the Western 1155 00:37:24,470 --> 00:37:26,689 standards. We have the system 1156 00:37:26,690 --> 00:37:28,009 that consists of three boards. 1157 00:37:28,010 --> 00:37:30,739 We have an example with us up here, 1158 00:37:30,740 --> 00:37:33,169 know consists of the main board, the 1159 00:37:33,170 --> 00:37:36,079 expansion board, the analog front end 1160 00:37:36,080 --> 00:37:38,299 schematics and layout are licensed, you 1161 00:37:38,300 --> 00:37:40,399 know, sort of biase 1162 00:37:40,400 --> 00:37:42,679 with an Apache rider for the patents. 
1163 00:37:42,680 --> 00:37:43,849 It's a perfect license. 1164 00:37:43,850 --> 00:37:45,979 But, you know, we're continuing to work 1165 00:37:45,980 --> 00:37:47,599 on trying to find the right license for 1166 00:37:47,600 --> 00:37:48,919 the sort of stuff. But it's an open 1167 00:37:48,920 --> 00:37:49,920 license. 1168 00:37:50,720 --> 00:37:52,729 We have a custom bootloader flashing 1169 00:37:52,730 --> 00:37:54,889 tool. So if you want to go ahead 1170 00:37:54,890 --> 00:37:56,839 and develop for this, you don't have to 1171 00:37:56,840 --> 00:37:59,059 actually, you could stay completely 1172 00:37:59,060 --> 00:38:00,469 within your open framework. 1173 00:38:00,470 --> 00:38:02,629 Download are the open source 1174 00:38:02,630 --> 00:38:04,969 code for the for the bootloader download 1175 00:38:04,970 --> 00:38:07,429 a toolchain which is just Clang or GCC 1176 00:38:07,430 --> 00:38:09,679 and you can also boot your 1177 00:38:09,680 --> 00:38:10,909 OS, which is NuttX. 1178 00:38:10,910 --> 00:38:12,979 So this is in contrast to 1179 00:38:12,980 --> 00:38:14,689 what the Shanzhai guys are doing, which is 1180 00:38:14,690 --> 00:38:16,249 they're taking the MediaTek IP 1181 00:38:16,250 --> 00:38:18,499 directly, copying the reference designs, 1182 00:38:18,500 --> 00:38:20,599 tweaking it, running the Nucleus OS, 1183 00:38:20,600 --> 00:38:22,249 which is from what, Mentor Graphics or 1184 00:38:22,250 --> 00:38:23,359 something like that. Right. 1185 00:38:23,360 --> 00:38:25,459 And in compiling it, using proprietary 1186 00:38:25,460 --> 00:38:26,749 compilers and so and so forth.
1187 00:38:26,750 --> 00:38:29,509 So we've managed to go ahead and take 1188 00:38:29,510 --> 00:38:31,879 a lot of this IP from this 1189 00:38:31,880 --> 00:38:33,889 ecosystem and hopefully bring it into an 1190 00:38:33,890 --> 00:38:36,199 area where people who, 1191 00:38:36,200 --> 00:38:37,759 you know, don't necessarily want to get 1192 00:38:37,760 --> 00:38:39,709 tainted with all of the Chinese stuff can 1193 00:38:39,710 --> 00:38:41,299 go ahead and start playing with it and 1194 00:38:41,300 --> 00:38:43,219 start developing with it and hopefully 1195 00:38:43,220 --> 00:38:45,529 innovating with something that is pretty 1196 00:38:45,530 --> 00:38:46,849 interesting and relatively cheap. 1197 00:38:48,050 --> 00:38:49,729 If people here are interested in playing 1198 00:38:49,730 --> 00:38:51,619 with the hardware and so forth, we 1199 00:38:51,620 --> 00:38:53,749 actually have a couple dozen 1200 00:38:53,750 --> 00:38:55,699 boards around here that we're willing to 1201 00:38:55,700 --> 00:38:57,769 share with people who have a genuine 1202 00:38:57,770 --> 00:38:59,209 interest in playing with. 1203 00:38:59,210 --> 00:39:00,109 So just come find us. 1204 00:39:00,110 --> 00:39:02,299 We're sitting with the failover 1205 00:39:02,300 --> 00:39:04,429 group in the back and the 1206 00:39:04,430 --> 00:39:06,139 big hall in the back. 1207 00:39:06,140 --> 00:39:08,269 And we would love to sort of engage 1208 00:39:08,270 --> 00:39:10,519 with people here and try and expand 1209 00:39:10,520 --> 00:39:11,520 the project further. 1210 00:39:13,190 --> 00:39:15,199 And also, we'd like to extend a special 1211 00:39:15,200 --> 00:39:17,419 thanks to much for enabling 1212 00:39:17,420 --> 00:39:19,549 our research again this year. 1213 00:39:19,550 --> 00:39:21,079 We appreciate that. 1214 00:39:21,080 --> 00:39:23,089 And thanks for your attention. 1215 00:39:23,090 --> 00:39:24,529 We'll take questions. 
1216 00:39:24,530 --> 00:39:26,009 And if you want to play along with those 1217 00:39:26,010 --> 00:39:27,889 our Twitter handles, you can find us 1218 00:39:27,890 --> 00:39:29,299 typically through there. 1219 00:39:29,300 --> 00:39:30,300 Thanks. 1220 00:39:41,500 --> 00:39:42,489 We talk fast. 1221 00:39:42,490 --> 00:39:44,409 Wow, that was awesome. 1222 00:39:46,240 --> 00:39:48,249 Great talk, guys, thanks. 1223 00:39:48,250 --> 00:39:49,250 Great work. 1224 00:39:50,130 --> 00:39:52,239 Um, are there any 1225 00:39:52,240 --> 00:39:54,399 questions either from 1226 00:39:54,400 --> 00:39:56,379 insights from the Web? 1227 00:39:56,380 --> 00:39:58,569 So you are first, please go 1228 00:39:58,570 --> 00:39:59,570 ahead. 1229 00:40:00,250 --> 00:40:02,679 Since Linux can run on MMU-less 1230 00:40:02,680 --> 00:40:04,509 systems. So what is still missing for 1231 00:40:04,510 --> 00:40:06,280 running Linux on that device? 1232 00:40:08,830 --> 00:40:10,749 Question is what is missing from Linux? 1233 00:40:10,750 --> 00:40:13,119 I actually do have Linux. 1234 00:40:13,120 --> 00:40:16,239 You see build going. 1235 00:40:16,240 --> 00:40:17,559 There are a few things that are missing. 1236 00:40:17,560 --> 00:40:20,949 One is it's an ARM7 with 1237 00:40:20,950 --> 00:40:23,139 an ARMv5 instruction set and that is 1238 00:40:23,140 --> 00:40:25,149 the kind of thing that in general isn't 1239 00:40:25,150 --> 00:40:25,569 supported. 1240 00:40:25,570 --> 00:40:27,639 So you need to build 1241 00:40:27,640 --> 00:40:30,879 it with an ARMv5 type 1242 00:40:30,880 --> 00:40:33,039 build without any of the coprocessor 1243 00:40:33,040 --> 00:40:35,049 stuff. So that's doable.
1244 00:40:35,050 --> 00:40:37,269 The problem is the kernel was about 1245 00:40:37,270 --> 00:40:39,279 a megabyte and for whatever reason, the 1246 00:40:39,280 --> 00:40:41,289 loader that I had just died after about 1247 00:40:41,290 --> 00:40:43,599 800 K, so 1248 00:40:43,600 --> 00:40:44,600 eventually it should work. 1249 00:40:48,150 --> 00:40:49,170 Anything from the Web? 1250 00:40:51,490 --> 00:40:53,109 Yeah, so the IRC 1251 00:40:53,110 --> 00:40:55,449 is asking, is this only for the 1252 00:40:55,450 --> 00:40:57,219 MT6260? 1253 00:40:58,270 --> 00:41:00,339 How well does your works for a similar 1254 00:41:00,340 --> 00:41:02,469 MediaTek chip, for example, MT 1255 00:41:02,470 --> 00:41:05,159 6227? 1256 00:41:05,160 --> 00:41:07,689 OK, the question is, is this specific 1257 00:41:07,690 --> 00:41:09,069 to the 6260? 1258 00:41:09,070 --> 00:41:11,289 Does it apply to other MediaTek chips? 1259 00:41:11,290 --> 00:41:13,419 So there's 1260 00:41:13,420 --> 00:41:15,189 two parallel paths we're exploring here. 1261 00:41:15,190 --> 00:41:16,959 One is, of course, the specific instance 1262 00:41:16,960 --> 00:41:18,819 and the other is a methodology that we're 1263 00:41:18,820 --> 00:41:21,099 using to try and reverse engineer. 1264 00:41:21,100 --> 00:41:22,539 The methodology, of course we apply is 1265 00:41:22,540 --> 00:41:24,369 not just the phones, but broadly to other 1266 00:41:24,370 --> 00:41:26,079 things you might want to try and look at 1267 00:41:26,080 --> 00:41:27,190 from these ecosystems. 1268 00:41:28,240 --> 00:41:30,159 The port itself is, of course, specific 1269 00:41:30,160 --> 00:41:32,169 to this hardware. But as we had noted, 1270 00:41:32,170 --> 00:41:34,119 there's lots of docs and a lot of shared 1271 00:41:34,120 --> 00:41:35,679 IP between the blocks.
1272 00:41:35,680 --> 00:41:37,419 So it probably targeting another system 1273 00:41:37,420 --> 00:41:39,549 would just be a matter of rewriting 1274 00:41:39,550 --> 00:41:41,029 the few drivers of change, particularly 1275 00:41:41,030 --> 00:41:43,059 the interrupt controller and maybe a 1276 00:41:43,060 --> 00:41:44,799 couple of addresses. But it should be 1277 00:41:44,800 --> 00:41:46,159 retargetable to other platforms. 1278 00:41:46,160 --> 00:41:47,160 A little bit of work. 1279 00:41:48,610 --> 00:41:49,619 Number four, please. 1280 00:41:50,860 --> 00:41:52,779 I was wondering if you have any comments 1281 00:41:52,780 --> 00:41:55,569 about contributors to the project 1282 00:41:55,570 --> 00:41:57,639 or similar projects 1283 00:41:57,640 --> 00:41:59,349 about maintaining the reverse engineering 1284 00:41:59,350 --> 00:42:01,269 methodology when you're getting patches 1285 00:42:01,270 --> 00:42:02,270 and things like that? 1286 00:42:03,370 --> 00:42:04,569 Yeah, I mean, I think that. 1287 00:42:04,570 --> 00:42:06,039 So he's asking about what? 1288 00:42:06,040 --> 00:42:07,839 About contributors to the project and so 1289 00:42:07,840 --> 00:42:10,029 forth. Probably is as if people start 1290 00:42:10,030 --> 00:42:10,689 contributing. 1291 00:42:10,690 --> 00:42:12,429 We're going to have to do a review to 1292 00:42:12,430 --> 00:42:13,899 make sure people aren't doing copy and 1293 00:42:13,900 --> 00:42:16,059 paste if they happen to find a code 1294 00:42:16,060 --> 00:42:18,459 that is they're not adhering 1295 00:42:18,460 --> 00:42:20,199 to methodology generally. 1296 00:42:20,200 --> 00:42:22,599 We think that by putting this Scriptic 1297 00:42:22,600 --> 00:42:24,459 method in there and sort of saying, OK, 1298 00:42:24,460 --> 00:42:26,619 if you give us a C function for doing 1299 00:42:26,620 --> 00:42:28,539 the initialization, there's a lot of risk 1300 00:42:28,540 --> 00:42:31,239 of of some sort of arrangement.
1301 00:42:31,240 --> 00:42:32,709 But if you go ahead and recode it into 1302 00:42:32,710 --> 00:42:34,809 this sort of macro language, I 1303 00:42:34,810 --> 00:42:36,349 think it helps with it. 1304 00:42:36,350 --> 00:42:38,019 So we will do a bit of review to try and 1305 00:42:38,020 --> 00:42:40,119 make sure things are fairly clean. 1306 00:42:40,120 --> 00:42:41,919 But that is that is an issue we're going 1307 00:42:41,920 --> 00:42:43,759 to have to address as the community grows 1308 00:42:43,760 --> 00:42:44,760 around it. Thanks. 1309 00:42:45,760 --> 00:42:46,760 Number six, please. 1310 00:42:48,190 --> 00:42:50,289 Hello. OK, first 1311 00:42:50,290 --> 00:42:52,719 I want to say thank you for your Novena 1312 00:42:52,720 --> 00:42:54,879 project because this is probably getting 1313 00:42:54,880 --> 00:42:57,369 me started in hardware hacking. 1314 00:42:57,370 --> 00:42:59,649 So, OK, and the second 1315 00:42:59,650 --> 00:43:01,959 question is, how does 1316 00:43:01,960 --> 00:43:04,659 this Chinese ecosystem 1317 00:43:04,660 --> 00:43:06,729 actually work? I mean, if you have a 1318 00:43:06,730 --> 00:43:08,919 layer chip like that, how 1319 00:43:08,920 --> 00:43:11,199 does the development process go 1320 00:43:11,200 --> 00:43:13,299 for building a three dollar chip like 1321 00:43:13,300 --> 00:43:14,300 that? 1322 00:43:15,340 --> 00:43:16,959 He had it. He had a question, General, 1323 00:43:16,960 --> 00:43:18,819 about how does the Chinese ecosystem 1324 00:43:18,820 --> 00:43:21,159 work? And that's almost another 1325 00:43:21,160 --> 00:43:23,289 entire talk in itself that 1326 00:43:23,290 --> 00:43:24,849 we probably had time to go into the more 1327 00:43:24,850 --> 00:43:25,900 of it. But 1328 00:43:28,030 --> 00:43:30,099 it's it's interesting that so 1329 00:43:30,100 --> 00:43:32,559 the Western ecosystem tends to have this 1330 00:43:32,560 --> 00:43:34,219 what I call a broadcast view of IP.
1331 00:43:34,220 --> 00:43:35,139 We have strictly. 1332 00:43:35,140 --> 00:43:36,369 Can you speak a little bit louder, 1333 00:43:36,370 --> 00:43:37,370 please? I'm sorry. 1334 00:43:39,230 --> 00:43:41,559 The Western kind of IP 1335 00:43:41,560 --> 00:43:43,989 ecosystem has a view of 1336 00:43:43,990 --> 00:43:46,209 what I call broadcast view of IP, 1337 00:43:46,210 --> 00:43:48,939 where you have clearly defined 1338 00:43:48,940 --> 00:43:51,489 holders of the IP who then broadcast 1339 00:43:51,490 --> 00:43:52,749 it to the world and then you pay a 1340 00:43:52,750 --> 00:43:54,969 royalty back to me or obey my license. 1341 00:43:54,970 --> 00:43:57,309 And the Chinese ecosystem 1342 00:43:57,310 --> 00:43:58,569 is a little more what I call a network 1343 00:43:58,570 --> 00:43:59,979 based system where you have 1344 00:43:59,980 --> 00:44:01,779 contributor's, but they all have to rely 1345 00:44:01,780 --> 00:44:03,909 upon each other and so they all tend 1346 00:44:03,910 --> 00:44:06,039 to trade IP back 1347 00:44:06,040 --> 00:44:08,469 and forth. So it'd be like I have 1348 00:44:08,470 --> 00:44:10,299 a specialty and circuit board design. 1349 00:44:10,300 --> 00:44:12,489 You have a specialty in plastics 1350 00:44:12,490 --> 00:44:14,589 and tooling. You have a specialty in 1351 00:44:14,590 --> 00:44:16,809 the OS stack and 1352 00:44:16,810 --> 00:44:18,699 as favors to each other, we go ahead and 1353 00:44:18,700 --> 00:44:21,279 just trade it IP back and forth 1354 00:44:21,280 --> 00:44:23,019 and this sort of propagates all the way 1355 00:44:23,020 --> 00:44:25,059 into the supply chain and getting the 1356 00:44:25,060 --> 00:44:26,799 bits and pieces. So when a new platform 1357 00:44:26,800 --> 00:44:29,529 comes out, typically there's actually 1358 00:44:29,530 --> 00:44:30,939 the best I can tell. 
It seems there's 1359 00:44:30,940 --> 00:44:33,219 people from the inside who 1360 00:44:33,220 --> 00:44:34,719 kind of look the other way and seed the 1361 00:44:34,720 --> 00:44:36,999 ecosystem with some references. 1362 00:44:37,000 --> 00:44:38,739 Those people get into the network and 1363 00:44:38,740 --> 00:44:40,449 trade favors with other people and they 1364 00:44:40,450 --> 00:44:41,949 eventually build a whole phone together 1365 00:44:41,950 --> 00:44:44,049 for relatively low cost and 1366 00:44:44,050 --> 00:44:45,580 a very rapid development cycle. 1367 00:44:47,020 --> 00:44:48,819 OK, so it's actually more effective, 1368 00:44:48,820 --> 00:44:51,129 ecosystem, you could say, yeah, I mean, 1369 00:44:51,130 --> 00:44:53,169 it would be as if everyone here didn't 1370 00:44:53,170 --> 00:44:55,359 have to worry about the IP laws 1371 00:44:55,360 --> 00:44:57,459 and we just talk to each other honestly 1372 00:44:57,460 --> 00:44:58,869 without having to be like, well, you 1373 00:44:58,870 --> 00:45:00,429 know, I'm under NDA and this is really 1374 00:45:00,430 --> 00:45:01,689 cool tool. I can't tell you. 1375 00:45:01,690 --> 00:45:03,579 But, you know, whatever that kind of 1376 00:45:03,580 --> 00:45:04,929 thing, it's like we'll just tell you this 1377 00:45:04,930 --> 00:45:06,219 stuff and we'll work on it together. 1378 00:45:06,220 --> 00:45:07,839 Right. That's kind of what it is. 1379 00:45:07,840 --> 00:45:09,250 So Christian answer. 1380 00:45:10,540 --> 00:45:11,859 Yeah. OK, thanks. 1381 00:45:11,860 --> 00:45:13,539 Anything from the web. 1382 00:45:13,540 --> 00:45:15,669 Yeah. So another question from the IRC 1383 00:45:15,670 --> 00:45:18,009 is if MediaTek is using Linux, 1384 00:45:18,010 --> 00:45:19,570 shouldn't they share the sources?
1385 00:45:21,570 --> 00:45:23,729 So the question from the Web is that if 1386 00:45:23,730 --> 00:45:25,559 MediaTek is using Linux, shouldn't 1387 00:45:25,560 --> 00:45:28,439 they share the sources maybe to be clear 1388 00:45:28,440 --> 00:45:29,729 for those low end chips? 1389 00:45:29,730 --> 00:45:31,859 They aren't using Linux, they're using 1390 00:45:31,860 --> 00:45:33,750 a proprietary OS called Nucleus. 1391 00:45:34,830 --> 00:45:36,609 And so because it's proprietary, you 1392 00:45:36,610 --> 00:45:38,339 don't have to share the source. 1393 00:45:38,340 --> 00:45:40,439 Some of their Android phones do use 1394 00:45:40,440 --> 00:45:42,509 Linux, for example, but those 1395 00:45:42,510 --> 00:45:43,209 are shared. 1396 00:45:43,210 --> 00:45:45,419 And actually a lot of their Android 1397 00:45:45,420 --> 00:45:47,549 CPUs do use the same IP 1398 00:45:47,550 --> 00:45:50,159 blocks as these mobile phones. 1399 00:45:50,160 --> 00:45:52,259 And so the Linux 1400 00:45:52,260 --> 00:45:54,149 source code can be a source of 1401 00:45:54,150 --> 00:45:56,459 documentation, just like the MTA 1402 00:45:56,460 --> 00:45:58,199 11 B source code that we got. 1403 00:45:58,200 --> 00:46:00,059 So you can use Linux drivers as a 1404 00:46:00,060 --> 00:46:02,189 reference when you don't have access 1405 00:46:02,190 --> 00:46:03,749 to the original PDF docs. 1406 00:46:05,430 --> 00:46:08,189 So I have another issue here. 1407 00:46:08,190 --> 00:46:11,189 Could you please be more quiet, 1408 00:46:11,190 --> 00:46:13,349 walk less around, be more 1409 00:46:13,350 --> 00:46:15,749 quiet because they do an awesome job. 1410 00:46:15,750 --> 00:46:17,939 They did a lot of research and 1411 00:46:17,940 --> 00:46:19,859 a lot of interesting questions. 1412 00:46:19,860 --> 00:46:21,689 And it's very difficult for for the other 1413 00:46:21,690 --> 00:46:24,089 ones who want to to learn something 1414 00:46:24,090 --> 00:46:27,089 to to attract.
1415 00:46:27,090 --> 00:46:28,090 Um, 1416 00:46:29,820 --> 00:46:30,820 also. 1417 00:46:33,410 --> 00:46:35,509 Number one, please, how 1418 00:46:35,510 --> 00:46:37,639 would you recommend sourcing hardware 1419 00:46:37,640 --> 00:46:39,709 for projects like this, I mean, 1420 00:46:39,710 --> 00:46:41,929 immediately, can we find a 1421 00:46:41,930 --> 00:46:44,089 lot on Alibaba to order 1422 00:46:44,090 --> 00:46:45,259 to the US? 1423 00:46:45,260 --> 00:46:48,019 But long term, how can we get 1424 00:46:48,020 --> 00:46:49,759 the vendors to actually sell hardware 1425 00:46:49,760 --> 00:46:52,219 into our market, into the market? 1426 00:46:52,220 --> 00:46:53,129 Right. 1427 00:46:53,130 --> 00:46:55,069 That's that's an interesting question and 1428 00:46:55,070 --> 00:46:57,199 something that we'll need to be 1429 00:46:57,200 --> 00:46:58,609 played out. He is asking basically, how 1430 00:46:58,610 --> 00:47:00,679 do people out here get access 1431 00:47:00,680 --> 00:47:01,579 to the hardware? 1432 00:47:01,580 --> 00:47:03,589 So, of course, there's an entire 1433 00:47:03,590 --> 00:47:05,239 ecosystem in China for handling this 1434 00:47:05,240 --> 00:47:07,399 because people build not only 1435 00:47:07,400 --> 00:47:09,439 development runs iPhones, but like one 1436 00:47:09,440 --> 00:47:10,789 hundred thousand million unit runs on 1437 00:47:10,790 --> 00:47:12,319 their phones. These MediaTek chips are 1438 00:47:12,320 --> 00:47:13,759 selling at a rate of like a million a 1439 00:47:13,760 --> 00:47:15,319 month or something ridiculous like that. 1440 00:47:15,320 --> 00:47:16,609 Right. 1441 00:47:16,610 --> 00:47:18,769 The vendor that I went to, I 1442 00:47:18,770 --> 00:47:20,959 just walked around in the kind of open 1443 00:47:20,960 --> 00:47:23,089 air market there, and I was like, hey, 1444 00:47:23,090 --> 00:47:24,049 can I get one? 1445 00:47:24,050 --> 00:47:25,309 You know, the chips, like, no problem.
1446 00:47:25,310 --> 00:47:27,039 Can I buy ten thousand chips? 1447 00:47:27,040 --> 00:47:28,609 Like, no problem. Just give me like a few 1448 00:47:28,610 --> 00:47:29,989 hours to go to the warehouse and grab it 1449 00:47:29,990 --> 00:47:30,889 for you. Right. 1450 00:47:30,890 --> 00:47:31,890 And so 1451 00:47:33,200 --> 00:47:34,849 the ecosystem is kind of different from 1452 00:47:34,850 --> 00:47:37,129 this key lead time 1453 00:47:37,130 --> 00:47:38,130 world. 1454 00:47:38,870 --> 00:47:41,449 It it's not flawless. 1455 00:47:41,450 --> 00:47:43,669 Like for example, in the fourth quarter, 1456 00:47:43,670 --> 00:47:45,169 the demand is very high for the chip. 1457 00:47:45,170 --> 00:47:46,669 And so I couldn't find anyone who could 1458 00:47:46,670 --> 00:47:48,739 sell me spare chips in the last 1459 00:47:48,740 --> 00:47:50,299 couple of months, except for some people 1460 00:47:50,300 --> 00:47:52,309 who are selling. Some seemed to be some 1461 00:47:52,310 --> 00:47:54,379 rebound chips from taking off of other 1462 00:47:54,380 --> 00:47:55,579 phones and so forth. 1463 00:47:55,580 --> 00:47:57,829 So I think I think that as 1464 00:47:57,830 --> 00:47:59,419 we move forward, we can probably find 1465 00:47:59,420 --> 00:48:00,889 some vendors who are willing to sell it 1466 00:48:00,890 --> 00:48:02,869 and kind of we can share the information 1467 00:48:02,870 --> 00:48:04,969 and maybe find a way to get more of 1468 00:48:04,970 --> 00:48:06,259 it into the hands of people here. 1469 00:48:06,260 --> 00:48:07,639 But that's you know, that's something we 1470 00:48:07,640 --> 00:48:09,559 need to figure out for sure. 1471 00:48:09,560 --> 00:48:12,199 So it worked for five seconds. 1472 00:48:12,200 --> 00:48:14,989 Please, everyone who comes in, 1473 00:48:14,990 --> 00:48:17,869 I know you want to hear the next talk. 
1474 00:48:17,870 --> 00:48:20,059 Please be quiet, move 1475 00:48:20,060 --> 00:48:22,039 quiet and everyone will be happy. 1476 00:48:22,040 --> 00:48:24,329 You say no to peace. 1477 00:48:24,330 --> 00:48:26,569 No question about this cryptic 1478 00:48:26,570 --> 00:48:27,589 language. 1479 00:48:27,590 --> 00:48:29,900 I got that right. You made that a 1480 00:48:31,040 --> 00:48:33,289 interpreted language instead of computer 1481 00:48:33,290 --> 00:48:34,290 language. 1482 00:48:34,790 --> 00:48:36,439 Why is that so? 1483 00:48:36,440 --> 00:48:38,269 And interpreted language instead of a 1484 00:48:38,270 --> 00:48:39,270 compiled language. 1485 00:48:41,840 --> 00:48:43,189 The idea was that it 1486 00:48:44,630 --> 00:48:45,439 would be easy. 1487 00:48:45,440 --> 00:48:47,839 Well, it's not quite interpreted 1488 00:48:47,840 --> 00:48:50,209 either. It's interpreted simply 1489 00:48:50,210 --> 00:48:51,649 macros like could compile. 1490 00:48:51,650 --> 00:48:54,019 Yes, go ahead. But it's a bitstream. 1491 00:48:54,020 --> 00:48:56,209 Yeah. And it could 1492 00:48:56,210 --> 00:48:57,359 could have been one way or the other. 1493 00:48:57,360 --> 00:48:59,659 It just happened to work out that it 1494 00:48:59,660 --> 00:49:01,909 seemed to be more it 1495 00:49:01,910 --> 00:49:04,299 seemed to lend itself more to a 1496 00:49:04,300 --> 00:49:06,049 interpreted language than a compiled 1497 00:49:06,050 --> 00:49:08,299 language. So it just happened to to end 1498 00:49:08,300 --> 00:49:10,399 up that way. Also a lot of 1499 00:49:10,400 --> 00:49:12,529 the CPU's that we were kind of 1500 00:49:12,530 --> 00:49:15,649 trying to emulate, when they do 1501 00:49:15,650 --> 00:49:17,329 boot time initialization, they tend to 1502 00:49:17,330 --> 00:49:19,069 also have a kind of an interpreted 1503 00:49:19,070 --> 00:49:20,719 language. 
So if they're doing it for 1504 00:49:20,720 --> 00:49:22,459 that, it seems like it's a good thing to 1505 00:49:22,460 --> 00:49:24,289 also try to emulate. 1506 00:49:24,290 --> 00:49:25,290 Thanks. 1507 00:49:26,810 --> 00:49:28,909 Yeah, another 1508 00:49:28,910 --> 00:49:30,979 thing, the angels at the Doors, could 1509 00:49:30,980 --> 00:49:33,289 you please limit the the stream 1510 00:49:33,290 --> 00:49:35,749 of people if it's too loud, 1511 00:49:35,750 --> 00:49:37,519 it's too noisy, it's too much walking 1512 00:49:37,520 --> 00:49:39,529 around. We still have ten minutes left 1513 00:49:39,530 --> 00:49:40,580 for this talk. 1514 00:49:41,720 --> 00:49:43,609 There will be a break after this talk. 1515 00:49:43,610 --> 00:49:46,099 Then you can move, you can move freely. 1516 00:49:46,100 --> 00:49:48,829 But now for this talk, please 1517 00:49:48,830 --> 00:49:50,389 be a bit more quiet. 1518 00:49:50,390 --> 00:49:52,729 So I think 1519 00:49:52,730 --> 00:49:53,730 number four, 1520 00:49:55,250 --> 00:49:56,250 thank you very much. 1521 00:49:58,320 --> 00:50:00,279 I have one question. 1522 00:50:00,280 --> 00:50:02,999 You're the guy that 1523 00:50:03,000 --> 00:50:05,199 built a laptop for himself, the 1524 00:50:05,200 --> 00:50:06,780 movie, not OK. 1525 00:50:07,970 --> 00:50:10,319 I was interested in one particular 1526 00:50:10,320 --> 00:50:12,629 part of that laptop, namely the battery 1527 00:50:12,630 --> 00:50:15,569 controller, and 1528 00:50:15,570 --> 00:50:18,089 yes, sure, 1529 00:50:18,090 --> 00:50:18,569 sure. 1530 00:50:18,570 --> 00:50:20,939 Actually, I 1531 00:50:20,940 --> 00:50:23,099 tried to build a laptop myself, 1532 00:50:23,100 --> 00:50:24,569 kind of succeeded on. 1533 00:50:24,570 --> 00:50:25,890 The worst part 1534 00:50:27,240 --> 00:50:29,999 right now is the USB power pack, 1535 00:50:30,000 --> 00:50:32,519 which sucks. 
1536 00:50:32,520 --> 00:50:34,619 You can't use it and charge 1537 00:50:34,620 --> 00:50:36,299 it at the same time. 1538 00:50:36,300 --> 00:50:37,199 Yeah. 1539 00:50:37,200 --> 00:50:39,509 So I would like to have a replacement 1540 00:50:39,510 --> 00:50:41,519 for that. And I know that there are cheap 1541 00:50:41,520 --> 00:50:43,589 chips that do that because that's one 1542 00:50:43,590 --> 00:50:45,719 in every laptop, but you can't 1543 00:50:45,720 --> 00:50:47,219 get those. 1544 00:50:47,220 --> 00:50:49,379 So my question for you 1545 00:50:49,380 --> 00:50:51,659 is when when you made 1546 00:50:51,660 --> 00:50:53,879 the Novena parts and those 1547 00:50:53,880 --> 00:50:56,579 kits available, why didn't you 1548 00:50:56,580 --> 00:50:58,739 include an option to just 1549 00:50:58,740 --> 00:51:01,050 buy the battery board? 1550 00:51:02,430 --> 00:51:03,419 OK. 1551 00:51:03,420 --> 00:51:05,669 He's talking about the way that 1552 00:51:05,670 --> 00:51:07,019 I think the short answer to that is we 1553 00:51:07,020 --> 00:51:08,400 didn't actually think anyone wanted it. 1554 00:51:09,540 --> 00:51:10,879 That was his idea. 1555 00:51:10,880 --> 00:51:11,439 Yeah. 1556 00:51:11,440 --> 00:51:13,769 And after we had launched the 1557 00:51:13,770 --> 00:51:15,719 campaign, you just can't change. 1558 00:51:15,720 --> 00:51:17,489 We couldn't change the pledge levels and 1559 00:51:17,490 --> 00:51:19,769 whatnot. And so probably 1560 00:51:19,770 --> 00:51:21,659 I mean, this this will come out later on 1561 00:51:21,660 --> 00:51:23,219 in backer updates and stuff, but probably 1562 00:51:23,220 --> 00:51:25,559 will we we'll figure out a way to address 1563 00:51:25,560 --> 00:51:27,659 the community needs and and 1564 00:51:27,660 --> 00:51:29,189 also, of course, everything's open.
1565 00:51:29,190 --> 00:51:31,169 And so there's actually people who are 1566 00:51:31,170 --> 00:51:33,449 like building their own boards and maybe 1567 00:51:33,450 --> 00:51:34,619 they'll start selling them to you as 1568 00:51:34,620 --> 00:51:36,509 well. I mean, like, there's a lot of it's 1569 00:51:36,510 --> 00:51:37,919 open. Right. So I think the community 1570 00:51:37,920 --> 00:51:39,989 will figure out the demand or 1571 00:51:39,990 --> 00:51:41,099 hopefully figure out the demand is 1572 00:51:41,100 --> 00:51:43,079 necessary. But we also try to meet that 1573 00:51:43,080 --> 00:51:43,889 as well. 1574 00:51:43,890 --> 00:51:46,109 Also, yeah, here's 1575 00:51:46,110 --> 00:51:47,279 a battery controller as well. 1576 00:51:47,280 --> 00:51:49,049 This will do three point seven single 1577 00:51:49,050 --> 00:51:51,119 cell. So that's another thing that you 1578 00:51:51,120 --> 00:51:52,569 can use this for, for three dollars. 1579 00:51:52,570 --> 00:51:54,719 So, well, not only for your 1580 00:51:54,720 --> 00:51:56,569 laptop, but if you need one cell, right. 1581 00:51:56,570 --> 00:51:58,139 Yeah. It's also pretty good to get better 1582 00:51:58,140 --> 00:51:59,529 controller for three bucks. 1583 00:51:59,530 --> 00:52:00,449 Yeah. 1584 00:52:00,450 --> 00:52:02,429 Anything from the web. 1585 00:52:02,430 --> 00:52:04,439 Yeah. So another question from the I.R.S. 1586 00:52:04,440 --> 00:52:06,509 is, is a Paul Airport really 1587 00:52:06,510 --> 00:52:09,149 Nida's are two layers enough for a basic 1588 00:52:09,150 --> 00:52:11,529 functionality since you won't need 1589 00:52:11,530 --> 00:52:14,039 to throw out the extent of the RAM. 1590 00:52:14,040 --> 00:52:16,229 Um yeah if you wanted 1591 00:52:16,230 --> 00:52:17,519 to. 1592 00:52:17,520 --> 00:52:18,839 I think you're talking about the base for 1593 00:52:18,840 --> 00:52:19,589 it here. 
1594 00:52:19,590 --> 00:52:21,599 If you wanted to build a really, really 1595 00:52:21,600 --> 00:52:23,939 basic version of this MediaTek 1596 00:52:23,940 --> 00:52:26,309 chip, I've seen 1597 00:52:26,310 --> 00:52:28,379 people who got really cheap and got away 1598 00:52:28,380 --> 00:52:30,209 with two layers, but you might have some 1599 00:52:30,210 --> 00:52:32,639 power integrity, signal integrity issues 1600 00:52:32,640 --> 00:52:34,829 and also you would have to use a design 1601 00:52:34,830 --> 00:52:36,929 rule, geometry that's so thin 1602 00:52:36,930 --> 00:52:38,849 to route, you know, traces between the 1603 00:52:38,850 --> 00:52:40,469 balls in some areas and the drill size to 1604 00:52:40,470 --> 00:52:42,629 be so small that it actually will offset 1605 00:52:42,630 --> 00:52:43,109 the cost. 1606 00:52:43,110 --> 00:52:44,429 It turns out four-layer boards are so 1607 00:52:44,430 --> 00:52:46,499 cheap that at least 1608 00:52:46,500 --> 00:52:47,909 in the world that we operate in, there's 1609 00:52:47,910 --> 00:52:50,099 like almost no reason not to use more 1610 00:52:50,100 --> 00:52:52,169 layers in a 1611 00:52:52,170 --> 00:52:53,759 design. It just makes makes things 1612 00:52:53,760 --> 00:52:55,260 easier, more better yielding. 1613 00:52:56,400 --> 00:52:57,400 So 1614 00:52:59,030 --> 00:53:00,539 great. 1615 00:53:00,540 --> 00:53:02,639 We have so we have 1616 00:53:02,640 --> 00:53:03,779 the two, we have the one. 1617 00:53:03,780 --> 00:53:05,280 And number six is 1618 00:53:06,330 --> 00:53:08,429 someone saying sending at the six, 1619 00:53:08,430 --> 00:53:09,419 please audience. 1620 00:53:09,420 --> 00:53:11,309 Be quiet in the background. 1621 00:53:11,310 --> 00:53:12,380 It's very annoying. 1622 00:53:13,920 --> 00:53:14,920 Thank you. 1623 00:53:15,930 --> 00:53:16,889 Number one, please. 1624 00:53:16,890 --> 00:53:17,789 Yes.
1625 00:53:17,790 --> 00:53:20,129 I thought you showed a little bit about 1626 00:53:20,130 --> 00:53:21,839 the multichip package and there were 1627 00:53:21,840 --> 00:53:23,759 actually four dies in there. 1628 00:53:23,760 --> 00:53:25,019 Do you know a little bit more about those 1629 00:53:25,020 --> 00:53:26,399 individual dies are already coming from 1630 00:53:26,400 --> 00:53:29,009 several manufacturers or several 1631 00:53:29,010 --> 00:53:29,649 styles? 1632 00:53:29,650 --> 00:53:30,569 Yeah. 1633 00:53:30,570 --> 00:53:32,849 So I would 1634 00:53:32,850 --> 00:53:34,709 if I can find that slide and pull it back 1635 00:53:34,710 --> 00:53:35,710 up again, 1636 00:53:36,990 --> 00:53:38,849 it's actually kind of kind of pretty neat 1637 00:53:38,850 --> 00:53:39,989 thing that I didn't know if I had enough 1638 00:53:39,990 --> 00:53:41,579 time to walk to talk through 1639 00:53:44,290 --> 00:53:45,339 Jesus. 1640 00:53:45,340 --> 00:53:46,949 Anyways, I have to go all the way back to 1641 00:53:46,950 --> 00:53:49,319 it's like basically the 1642 00:53:49,320 --> 00:53:51,059 if you look at the outlines of it and you 1643 00:53:51,060 --> 00:53:52,559 count the number of bond wires going 1644 00:53:52,560 --> 00:53:54,299 between different chips, you can actually 1645 00:53:54,300 --> 00:53:56,489 call out which one's the DRAM chip, 1646 00:53:56,490 --> 00:53:58,469 which one's the CPU chip, which one's the 1647 00:53:58,470 --> 00:54:00,389 analog front end and which one is like 1648 00:54:00,390 --> 00:54:02,459 the SPI EPROM by kind of counting the 1649 00:54:02,460 --> 00:54:04,169 number of wires going between chips. 1650 00:54:04,170 --> 00:54:05,789 So you get a sense that they're the 1651 00:54:05,790 --> 00:54:07,349 reason why they broke it up as they broke 1652 00:54:07,350 --> 00:54:09,549 it up on the basis of the number of mass 1653 00:54:09,550 --> 00:54:11,849 players involved in. 1654 00:54:11,850 --> 00:54:13,319 Oh, thanks.
Thanks, John. 1655 00:54:13,320 --> 00:54:15,149 So, yeah, if you if you look here, for 1656 00:54:15,150 --> 00:54:17,129 example, on the bottom, you see a bunch 1657 00:54:17,130 --> 00:54:19,379 of bond wires going into a rectangle 1658 00:54:19,380 --> 00:54:20,759 on the bottom. If you count it, you can 1659 00:54:20,760 --> 00:54:22,889 actually see a sixteen bit bus going 1660 00:54:22,890 --> 00:54:24,059 through in the bond wire and say that 1661 00:54:24,060 --> 00:54:25,559 must be the DEVAM chip in the bottom, the 1662 00:54:25,560 --> 00:54:26,909 little ones, the CPU, the top ones, the 1663 00:54:26,910 --> 00:54:28,409 analog front end and the lower right hand 1664 00:54:28,410 --> 00:54:30,609 corner seems to be some double 1665 00:54:30,610 --> 00:54:31,739 EPROM chip in there. 1666 00:54:31,740 --> 00:54:34,199 Right. And and every time 1667 00:54:34,200 --> 00:54:36,089 there's a trend lately of putting 1668 00:54:36,090 --> 00:54:38,159 everything on one chip and in order to 1669 00:54:38,160 --> 00:54:39,599 do so, if you build really good 1670 00:54:39,600 --> 00:54:41,729 transistors for CPU's, it turns out 1671 00:54:41,730 --> 00:54:43,199 they're not great for analog. 1672 00:54:43,200 --> 00:54:44,669 If you build really good transistors for 1673 00:54:44,670 --> 00:54:46,379 DRAM, it turns out the bad for everything 1674 00:54:46,380 --> 00:54:48,239 else. And so what you end up doing is 1675 00:54:48,240 --> 00:54:49,619 multiple diffusion and multiple 1676 00:54:49,620 --> 00:54:51,299 transistor types and that cost really 1677 00:54:51,300 --> 00:54:53,159 adds up. And the other thing that you 1678 00:54:53,160 --> 00:54:54,929 really want to do in these chips is 1679 00:54:54,930 --> 00:54:57,179 because the models change very rapid. 
1680 00:54:57,180 --> 00:54:59,309 You want to be a celebration with more 1681 00:54:59,310 --> 00:55:01,589 delaminate for a rêve 1682 00:55:01,590 --> 00:55:03,119 or something like this, and you don't 1683 00:55:03,120 --> 00:55:04,679 have to pay for a whole Masset. 1684 00:55:04,680 --> 00:55:06,839 So essentially what MediaTek has done 1685 00:55:06,840 --> 00:55:09,029 is developed this competency in 1686 00:55:09,030 --> 00:55:11,399 wire bonding and doing it extremely 1687 00:55:11,400 --> 00:55:13,469 cheaply and sourcing all these 1688 00:55:13,470 --> 00:55:14,699 separate components from different 1689 00:55:14,700 --> 00:55:17,009 vendors and essentially 1690 00:55:17,010 --> 00:55:18,779 pushing them down to a specialty supply 1691 00:55:18,780 --> 00:55:20,339 chain and then wrapping together into a 1692 00:55:20,340 --> 00:55:22,379 single system. So if you look at some of 1693 00:55:22,380 --> 00:55:23,629 the other developments, like there's a 1694 00:55:23,630 --> 00:55:25,799 there's a chip called the 1695 00:55:25,800 --> 00:55:27,779 empty K twenty five or two, which is used 1696 00:55:27,780 --> 00:55:29,879 to link at one, it looks very, 1697 00:55:29,880 --> 00:55:31,529 very similar to this one in terms of spec 1698 00:55:31,530 --> 00:55:32,609 wise with a couple of the features, 1699 00:55:32,610 --> 00:55:34,679 probably same courtships, 1700 00:55:34,680 --> 00:55:36,419 different wire bond, different package. 1701 00:55:36,420 --> 00:55:38,219 They can just do SKU variants all day 1702 00:55:38,220 --> 00:55:39,220 long. So 1703 00:55:40,920 --> 00:55:41,920 it just takes place. 1704 00:55:43,080 --> 00:55:45,269 You mentioned that there are 1705 00:55:45,270 --> 00:55:47,759 some chipsets for GSM 1706 00:55:47,760 --> 00:55:49,469 and Bluetooth in there. 1707 00:55:49,470 --> 00:55:51,840 Those tend to utilize some 1708 00:55:53,940 --> 00:55:54,940 firmware.
1709 00:55:55,590 --> 00:55:57,959 What do you know about these 1710 00:55:57,960 --> 00:55:59,709 when you take that one? 1711 00:55:59,710 --> 00:56:01,799 I've only just begun looking at 1712 00:56:01,800 --> 00:56:03,479 Bluetooth and the GSM stuff. 1713 00:56:03,480 --> 00:56:05,609 So the question is, what do we know about 1714 00:56:05,610 --> 00:56:09,089 the Bluetooth and GSM stacks? 1715 00:56:09,090 --> 00:56:11,189 I do know that there is a function that 1716 00:56:11,190 --> 00:56:13,419 is called Gorm 1717 00:56:13,420 --> 00:56:15,599 Empty six two six zero and 1718 00:56:15,600 --> 00:56:17,669 it which appears to initialize the 1719 00:56:17,670 --> 00:56:19,829 Bluetooth stack. I haven't found 1720 00:56:19,830 --> 00:56:21,599 what where that function is located and 1721 00:56:21,600 --> 00:56:22,709 what it does. 1722 00:56:22,710 --> 00:56:24,419 So there does appear to be some sort of 1723 00:56:24,420 --> 00:56:25,979 firmware that gets loaded onto this 1724 00:56:25,980 --> 00:56:27,779 separate arm core that drives the 1725 00:56:27,780 --> 00:56:28,889 Bluetooth. 1726 00:56:28,890 --> 00:56:31,259 That'll be interesting to see what 1727 00:56:31,260 --> 00:56:33,479 how extensive that firmware is and 1728 00:56:33,480 --> 00:56:35,009 what is needed for it. 1729 00:56:35,010 --> 00:56:37,589 As far as the GSM stuff, 1730 00:56:37,590 --> 00:56:40,019 I've seen the controls for the layer one 1731 00:56:40,020 --> 00:56:42,119 stuff, the layer one control. 1732 00:56:42,120 --> 00:56:44,579 And that's not terribly complicated. 1733 00:56:44,580 --> 00:56:47,189 As far as the layer two and layer three, 1734 00:56:47,190 --> 00:56:48,569 I haven't found that. I haven't looked 1735 00:56:48,570 --> 00:56:49,570 for it. 1736 00:56:50,490 --> 00:56:51,809 We don't know at this point. 
1737 00:56:51,810 --> 00:56:54,029 We just don't know how difficult 1738 00:56:54,030 --> 00:56:56,249 it will be to get GSM working on this in 1739 00:56:56,250 --> 00:56:59,099 a manner that is complementary 1740 00:56:59,100 --> 00:57:01,349 to the open source ecosystem. 1741 00:57:03,340 --> 00:57:04,349 Right. 1742 00:57:04,350 --> 00:57:05,550 And number two, please. 1743 00:57:07,890 --> 00:57:11,129 My question is regarding the catalysts. 1744 00:57:11,130 --> 00:57:13,679 I understand that you tend to use term 1745 00:57:13,680 --> 00:57:14,729 for obvious reasons. 1746 00:57:14,730 --> 00:57:16,919 It's it's more appropriate 1747 00:57:16,920 --> 00:57:18,419 for things like the Novena. 1748 00:57:19,620 --> 00:57:20,969 But how do you see 1749 00:57:22,380 --> 00:57:24,479 using the collaboration between 1750 00:57:24,480 --> 00:57:26,639 people who might not have access 1751 00:57:26,640 --> 00:57:28,919 to to Altium and may use KiCad or 1752 00:57:28,920 --> 00:57:29,569 can you go? 1753 00:57:29,570 --> 00:57:32,099 Well, I'd actually love to answer this. 1754 00:57:32,100 --> 00:57:34,289 One of the guys in our forums has 1755 00:57:34,290 --> 00:57:36,359 actually written a series of Perl scripts 1756 00:57:36,360 --> 00:57:39,179 that convert from Altium to KiCad. 1757 00:57:39,180 --> 00:57:41,279 And so it actually we have 1758 00:57:41,280 --> 00:57:43,109 this working with the Novena, and I've 1759 00:57:43,110 --> 00:57:44,429 done it with our battery board as well. 1760 00:57:44,430 --> 00:57:46,049 I'm sure it would work with Fernvale as 1761 00:57:46,050 --> 00:57:48,449 well. It actually does a pretty good job 1762 00:57:48,450 --> 00:57:50,159 of converting the schematic files and the 1763 00:57:50,160 --> 00:57:51,479 PCB files. 1764 00:57:51,480 --> 00:57:53,339 And right now, who's working on doing the 1765 00:57:53,340 --> 00:57:55,379 3D files, using the free card?
1766 00:57:55,380 --> 00:57:57,509 So there is it is possible 1767 00:57:57,510 --> 00:57:59,579 to open up the files that he 1768 00:57:59,580 --> 00:58:01,799 produces in Altium on 1769 00:58:01,800 --> 00:58:03,989 the arm Novena in KiCad 1770 00:58:03,990 --> 00:58:05,819 and view the nets and you can actually 1771 00:58:05,820 --> 00:58:07,139 get the schematics. And it's really 1772 00:58:07,140 --> 00:58:09,689 useful for me who 1773 00:58:09,690 --> 00:58:11,369 uses a Novena. 1774 00:58:11,370 --> 00:58:13,469 And sometimes I need to probe a 1775 00:58:13,470 --> 00:58:15,719 particular net to now with this tool, 1776 00:58:15,720 --> 00:58:18,029 I can actually do 1777 00:58:18,030 --> 00:58:19,349 that, highlight the net and figure out 1778 00:58:19,350 --> 00:58:21,299 where to probe it. So KiCad is 1779 00:58:21,300 --> 00:58:23,579 definitely possible with the Novena 1780 00:58:23,580 --> 00:58:24,839 files these days. 1781 00:58:24,840 --> 00:58:27,389 OK, thank you, Craig. 1782 00:58:27,390 --> 00:58:29,429 We have one and a half minutes left. 1783 00:58:30,690 --> 00:58:33,899 Is there something from from the net? 1784 00:58:33,900 --> 00:58:36,089 So there's another question from the IAC. 1785 00:58:36,090 --> 00:58:38,009 Do you plan to kick start or something 1786 00:58:38,010 --> 00:58:40,519 similar for developing off the boards? 1787 00:58:41,610 --> 00:58:43,709 What do we kick start or are we 1788 00:58:43,710 --> 00:58:44,789 going to kick start something? 1789 00:58:45,960 --> 00:58:47,789 I don't know. That's that was an 1790 00:58:47,790 --> 00:58:50,249 interesting question that we we 1791 00:58:50,250 --> 00:58:52,829 we toyed with the idea. 1792 00:58:52,830 --> 00:58:54,179 I guess the question is really, 1793 00:58:55,200 --> 00:58:56,729 are people really interested in this sort 1794 00:58:56,730 --> 00:58:58,289 of stuff?
We we did it because we're 1795 00:58:58,290 --> 00:58:59,729 personally very interested in it and 1796 00:58:59,730 --> 00:59:00,659 we're presenting it here. 1797 00:59:00,660 --> 00:59:02,849 And I guess will, based upon 1798 00:59:02,850 --> 00:59:04,709 the coming days and the feedback we get, 1799 00:59:04,710 --> 00:59:07,079 if if there isn't a lot of developer 1800 00:59:07,080 --> 00:59:08,969 interest, we'll make it, you know, like, 1801 00:59:08,970 --> 00:59:10,229 for example, do a Kickstarter 1802 00:59:10,230 --> 00:59:12,119 crowdfunding campaign around it. 1803 00:59:12,120 --> 00:59:13,859 But if it's still just a smaller group of 1804 00:59:13,860 --> 00:59:16,019 people and we can sort of manage 1805 00:59:16,020 --> 00:59:18,269 just by, you know, just seeding 1806 00:59:18,270 --> 00:59:19,679 the community with boards and stuff that 1807 00:59:19,680 --> 00:59:21,479 may be a cleaner and easier way to 1808 00:59:21,480 --> 00:59:23,249 proceed. We already have like two 1809 00:59:23,250 --> 00:59:25,319 campaigns right now, so we don't want 1810 00:59:25,320 --> 00:59:27,479 a third one at this very minute. 1811 00:59:29,220 --> 00:59:31,440 Great. Thank you very much for listening. 1812 00:59:32,460 --> 00:59:35,219 A big applause for the two guys 1813 00:59:35,220 --> 00:59:37,260 for the great Rivers's.