Travis Goodspeed
@travisgoodspeed
Followers
25K
Following
1K
Media
2K
Statuses
30K
Merchant of Dead Trees and Licensed Proselytizer of the Gospel of the Weird Machines with Pwnage, PoC, and Secular Rock.
Joined October 2009
Howdy y'all! In this friendly little tweety-box thread, I'd like to share my new project with you. It's called the GoodWatch, and it will be next month at Shmoocon. 1/n
53
475
1K
A while back, @david_rysk asked me to dump the firmware of the Wersi SL-M2 51173 Slave Sound Generator, a plugin module for Wersi's DX10 synthesizer. @p4ula sent me three boards from Germany, and this thread will show the extraction process from the saw to the bits. 1/n
14
116
570
This is the @Raspberry_Pi Pico RP2040, internally labelled as RP2B0-2020. Externally it's labelled as RP2B1. 1/5
10
75
541
Geoff Chappell passed away today on his own terms, surrounded by family and while his good humor remained intact. Please listen to a Beatles record and read a little assembly code in his honor.
39
114
500
The PoC||GTFO Bible will be available this summer. Preorder now for only $30, and maybe grab a second for a student.
21
345
462
Want to learn embedded ARM reversing? Here's a quick little tutorial on loading MD380 firmware into IDA Pro.
2
269
473
Final drafts of the Second Book of PoC||GTFO have been delivered to @nostarch, containing all the articles from PoC||GTFO 9, 10, 11, 12, and 13. Look for it this summer wherever fine books are sold, and write plenty of notes in the margins.
14
166
438
Over the summer, I got nerd sniped with extracting bits from microscope photographs of mask ROMs. Here is my C++/Qt6 CAD tool for marking and extracting bits, including Design Rule Checks, a variety of export formats and a CLI.
7
92
403
This is the CPU from the Game Boy Color, revision C. 1/2
6
36
357
Not all unlicensed NES games cloned Nintendo's CIC chip. Mig-29 Soviet Fighter by Camerica uses a voltage glitch to crash the console's CIC chip, so that the game can continue without generating the right sequence. SW1 switches between two different glitching strategies.
7
55
362
I need some good photographs of the MYK78 Clipper Chip, but the best ones available are my own photos from grad school, and those aren't quite good enough. So let's go step by step and see what's inside! 1/n
8
92
342
Twenty years ago, the web peaked with Hamster Dance and has been going down hill ever since.
13
100
305
Not content to simply theorize about the parrot that traumatized RMS sufficiently to be a part of his speaking rider, @dakami provided the voice sample for an animatronic recreation of the parrot. "RAAAAAWK! OPEN SOURCE!"."RAAAAAWK! GNU SLASH LINUX!"
2
37
309
GeneralPlus GPLB52x from a Tamagotchi toy. This is a mask-programmed 6502 with an LCD controller. 1/4
6
40
294
If the only thing you like about Windows is ollydbg, check out EDB, an Olly clone for Linux.
4
125
282
Friendly reminder that you can now buy PoC||GTFO wherever fine books are sold. This is the Barnes and Noble in Cupertino.
14
62
289
I managed to open source my Android app for reading, writing and executing shellcode in RF430 NFC tags this morning. (Backdoor password for the RF430TAL152H is redacted, but everything else is there.). cc @cryptax @doegox @PagetPhil.
8
116
297
PoC||GTFO 14 will be released on paper in Heidelberg, Canberra, and Miami. It has sixty pages, and its MD5 hash is on the front cover.
12
179
269
So the exploit is to pull a drill bit to 3.3V, then slowly turn it in the right spot while requesting writes over SATA. When the bond wire is broken, write protection will also break, and the EEPROM can be rewritten. Ain't that nifty?
6
47
288
"How good are you with Linux?". "Well, I've written a few kernel modules, but I can't seem to resize xterm fonts without an external mouse.".
2
106
257
Art from Sun's Java ring, manufactured by Dallas Semi.
9
55
263
Just got notice that my preorder of The Art of ARM Assembly: Vol 1 is shipping next month!.
3
39
269
Such a nifty trick! ADS-B reports position uncertainty, so if you map the uncertainty, you can map the GPS jamming.
Finally, the only daily, global, free map of GPS interference has officially launched: Watch jamming around conflict zones develop over time. Wonder who's jamming GPS all around Moscow. Like all the best maps, it raises more questions than it answers!
0
79
240
My favorite Phrack article. There is no better deep dive introduction to ARM machine language.
5
102
248
I brought one hundred NFC Type 5 microcontroller boards to Shmoocon, which are OTA programmable from Android. You can have one for free if you install the compiler toolchain documented on the Github page.
30
62
246
A good friend of mine died this morning, and there is nothing you can do to change that, but please do call those friends of yours whom you've not seen in a while. Share a beer, swap stories of the good old days. Maybe watch a sunset or two. Not one second will have been wasted.
20
18
251
After half a decade without one, I am proud to announce the first official PoC||GTFO website can be found at Best viewed with Microsoft Internet Explorer 4 on Windows NT.
7
90
226
Does anyone know this three pin telephone standard from Yugoslavia? I'd like to adapt it to an American telephone line simulator, but I can't figure out the third pin. There's no semblance of a dial tone or a ring with any pair of pins.
43
37
230
The only downside to this casing is that strangers in bars think I'm insane when I tell them it's my own electronics and software. 22/n
5
17
216
I find myself wondering what a Soviet ROM looks like, so let's tear apart the КР1801РЕ2 from a PDP11 clone, the Электроника БК. If 108 is the mask number, this should hold a part of the BASIC interpreter. 1/n
4
25
223
Dallas DS5002, an early secure microcontroller. Nonvolatile memory is encrypted with a 64-bit key. The chip is also available with an internal microprobe shield, but I don't think that was included in my sample. 1/n
3
39
211
You youngins won't believe this, but back in the day, we had source code listings in grocery store magazine racks, and the expectation was that by now everyone would learn enough to write their own short programs, rather than just the professionals who did it as a career.
1984:. Your Spectrum Magazine Issue 06, page 77. Full mag -->
15
56
191
MK51, a single-chip RPN calculator from Электроника. The program ROM is on the right side, but bits are not surface visible. Maybe I can reveal them with delayering or a Dash etch.
6
31
203
Ever wanted to try your hand at decoding photographs of a mask ROM into a .bin file that you can emulate or disassemble, but didn't quite know where to begin? I wrote a tutorial around the GameBoy's boot ROM today, featuring MaskROMTool and Zorrom.
5
58
201
PoC||GTFO 17 will be released on paper next week in Leipzig and next month in Washington, DC. I hope you enjoy reading it.
3
70
200
For students who know C but haven't yet done firmware, I can't recommend enough this write up by @jg_lim. All the tools are described, and nothing is left as a magic trick or a mystery.
0
62
192
NXP (née Phillips) PCF7941, used in some car keys many decades after cars became boring. 1/2
2
21
190
Zilog Z84C0008FEC from a TI 83+ graphing calculator. 1/2
2
22
194
LED digit from an Elektronika wristwatch. (Soviet electronics monopoly.)
6
23
184
Not yet ready to share, but my assembler is getting pretty good at SM83, the GameBoy's architecture that is sort of like Z80 or 8080. Shown here, disassembling the GameBoy's boot code in Mask ROM Tool. Comments on the right are auto-generated from the instruction definitions.
7
31
194
Periodic but friendly reminder to remove the batteries from old electronics.
12
29
186
I'll be bringing a few hundred GoodWatch30 boards to give away at Defcon. Bill of materials and schematic are on the github page.
11
43
184
MaskRomTool now has a GUI for its solver, so you can rapidly try different ways of decoding a ROM until the right content jumps out at you. In this example, the correct decoding can be identified by an ASCII string. You can also search for bytes and strings, of course.
2
37
190
X-Ray of an NCR 6500/1P with particularly good contrast on the bond wires.
3
20
184
A little piece of me dies every time I read a paragraph like this in a paper.
16
111
176
Does anyone recognize this old smartcard devkit? It's configured with an early CANAL+ emulator for France and the Netherlands, I think.
26
24
180
It's crazy how much space is wasted in a DIP package, just to keep the 0.1" pitch.
8
19
177
The #TR18 badge is an FM receiver with pirate number stations! . Troopers18 1552-5653-7270-5437-5441
10
55
170
PoC||GTFO 18 is ready and waiting at @reconmtl in Montreal! The electronic release will follow sometime next week.
5
72
175
Dallas iButton chip, the DS1463. You might have one of these on a keyfob somewhere. 1/n
2
25
176
As our first release that (hopefully) doesn't lose money, royalties from the Book of PoC||GTFO will go to charity.
6
98
171
PoC||GTFO 4:13 by @rantyben, for David Cameron when he needs help on his cryptography homework. http://t.co/3P9lgb7kwg.
6
178
160
Back in January, I complained to @evm_sec about not having a decent database of Thumb2 functions to recover from statically linked firmware, so we wrote a web API at and clients for IDA, GHIDRA, and Binja. Upload 18 bytes of a function, download the name.
3
49
166
In all my years of embedded systems, @Voja_Antonic is the only fellow I've ever bugged for an autograph. It embarrassed the hell out of him, as it annoys the hell out of me, but now that he's the first to ship a badge that runs BASIC, I regret nothing.
3
35
154
I finally have a bit-perfect copy of the MYK82 Fortezza chip's ROM. Comparing it against an older dump shows that I had only 0.1% of the bits wrong. To get that perfect dump, I just marked two photographs and then reconciled errors until they matched.
1
18
158
How often do you lock your car?. I bought my pickup without door keys, so I've been leaving it unlocked in the city for three or four years. It was finally broken into today, and I snapped a photo of the perpetrator.
15
9
158
The radio is based on the same CC1101 core that the GirlTech IMME used, so all the old IMME hacks are portable. My reflexive jammer for P25, Mike Ossmann's iClicker emulator, and Samy's OpenSesame can all be adapted to this platform. 10/n
4
19
141
Dallas DS5000. This module contains a CPU, SRAM and a battery backup for the SRAM. 1/n
8
7
152
X-Ray of a Dutch train ticket. The RFID chip is that little bright spot in the northeast.
9
12
147
Tempted to try a voltage glitching attack, but worried that you can't make the timing precise enough? Turns out it's possible to glitch out the firmware protection on the STM8 with a pair of 555 timers!.
1
41
144
And while the GoodWatch10 was certainly the coolest hex editor watch to wear last month, things can be niftier. In this photo, it a GoodWatch20 is beaconing my #hamradio callsign to a Yaesu 817 as Morse code. 7/n
4
23
137
X-Ray of a Radioshack Tone Dialer. The blobbed microchip is near the upper right of this image, but it's too small to see more than the copper it's glued to. Greetz to all you fine folks who used these on payphones back when calls cost money!
12
22
148
Windows batch files can be modified while executing, and execution will continue from the byte offset of the expected next line. Why?.
27
85
142
PoC||GTFO 15 will debut this week! It has 100 pages to keep you busy until the book comes out. Bibles available at
2
97
144
I'll be speaking about the GoodWatch project at Defcon's @WiFi_Village today, 11h00. Learn how to make your own, with frequency counter, hex editor, and years of battery life in a stylish Casio case. Code and hardware at
4
42
138
At @reconmtl in a couple of weeks, I'll be teaching how to reverse engineer ROMs from photographs. Today I pushed an example to Github. This is a dump of the MYK82 chip in a Fortezza card, a successor to the Clipper Chip. 1/n.
3
49
143
The good folks at @nostarch are running a sale this weekend, so maybe it's time to order some fine technical books and build a crazy project with what you learn in them?
1
24
138
In case you missed it this weekend, @BitBangingBytes dumped the firmware from a Kenwood TH-D74 ham radio, and I posted some initial notes on reverse engineering the string localization and CAT commands at
3
40
139
When you have a speaking lesson in @duolingo on Android, try hitting the button to speak immediately as the sentence appears. Because of a race condition, Lily will speak for you and the speech recognition will pass.
6
12
145
Mask ROM Tool now supports disassembly through its graphical solver. Here the correct solution to the GameBoy's ROM is the fourth of six, revealed by the stack pointer being set in the first instruction.
6
40
142
Motorola 68HC11A8, top metal, minimum magnification.
9
23
141
The next time I specify 0201 components in something that I will hand solder, please send me this photograph.
15
41
139
PoC||GTFO 16 is camera ready, and with a little luck it will be available at @h2hconference and @hacktivityconf. It is a damned fine read.
5
58
137
If you pirated TV twenty years ago, could you kindly look through your smart card collection for any Nagra1 cards?. They look like this, and I'd very much like to have more of them for a history project, even though they have long been useless for watching TV.
12
74
132
It's always weird taking apart soviet electronics. This Электроника МК-52 uses white blobs instead of black blobs for its wire bonded chips. Anyone know which blob holds the main ROM?
10
20
128
I've been told that I'm no longer allowed to keep these two together next to pizza when house guests are around. #everyruleabody
11
17
129
Here's rabin2 finding Chinese strings in the MD380 firmware without any trouble. Stop using GNU Strings and learn @radareorg.
4
71
135
What kind of a psychopath writes an entire book about BASIC with no mention of PEEK and POKE?
17
7
129
Today I drove my Studebaker to the local Radio Shack. Don't ever let someone tell you that you'll never enjoy a wacky time travel adventure!
7
11
130
The GoodWatch and other projects were helpfully financed by @skytee, who has been funding my recent sabbatical by paying me one dollar for every day since I last wasted an hour of my life in a daily SCRUM meeting. Thanks, neighbor! 16/n
3
9
130
Nifty deal at the Knoxville hamfest today. It's an SDR for shortwave frequencies that's used over a LAN.
8
6
126