They found a HIDDEN logic bomb!
HTML-код
- Опубликовано: 27 июн 2024
- BECOME A PATREON! / recessim
GET SOME MERCH! recessim.printify.me/products
Reverse Engineering News is a weekly show highlighting topics of interest to Reverse Engineers and Hackers. Watch at your own risk!
Story 1 - Polish Trains
CCC Talk media.ccc.de/v/37c3-12142-bre...
BadCyber Article badcyber.com/dieselgate-but-f...
Mastodon Thread social.hackerspace.pl/@q3k/11...
Story 2 - Mac Touch Bar Hacking
RUclips Video • Reverse Engineering th...
Story 3 - Game Boy Advance
RUclips Video • Dumping the ROM of a G...
Story 4 - TETRA
Original DEFCON Talk • DEF CON 31 - Tetra Tou...
Follow-up CCC Talk* media.ccc.de/v/37c3-11761-all...
RECESSIM Links
DISCORD - / discord
TWITTER - / bitbangingbytes
TIKTOK - / bitbangbytes
INSTAGRAM - / bitbangingbytes
WIKI - wiki.recessim.com/
PATREON - / recessim
IF YOU WANT TO SEND SOMETHING INTERESTING... :)
RECESSIM
7201 Virginia Pkwy
Unit 6131
McKinney, TX 75071
As an Amazon Associate I earn from qualifying purchases.
0:00 Intro
0:11 Train
6:34 TouchBar
8:03 Game Boy
11:03 TETRA
13:01 Outro 
Наука
Imagine being brazen enough to install logic bombs in a public utility like passenger trains, and thinking you'll never get called out. 🤣
They've always done this. The San Francisco and Washington DC metro systems are "sister" systems designed and funded at the same time. The companies who made the systems made sure one could not sell surplus cars to the other. Maintaining those cars is outrageously expensive because of the proprietary nature of vendors. Its the equivalent of a no-bid contract as you cannot procure the parts from any other source. Imagine paying tens of thousands of dollars for a train control board that has maybe $600 worth of bits on it. And of course there is no component level repair as that would void the warranty. Its all assembly swapping. The UN / ISO should have one standard (with security) for all public systems to make the market more competitive.
I read that as "imagine being Brazilian enough" XD
Their CCC talk is great. At Q&A someone asked them if other Newag customers from other countries like Germany contacted them. The guys were "errr... no comment".
@@TheSlyMouse same
I think there needs to be some Global laws on crap like this, because this is one of those things where a majority of everyone can agree that this is highly unethical, however being technically legal in the country that it's in it's very hard to enforce because other countries can't do anything, I think there needs to be a global communion of global atrocities that need to be dealt with
You forgot to mention the best part of the train story. Their bad coding would cause trains to stop working between Nov 21st - 30th and Dec 21st - 31st because of their lockup triggers that were supposed to force them into maintenance. Newag shouldn't be able to brush this under the rug by threatening lawsuits. These companies neeeeeeed to be held accountable for these things.
national compressor failure day))
@@boersme5482 national compressor failure dayS even. Once in November then again in December. Aka, that's not how you do a date comparison.
for reference, this was how they did the date conparison
if{day => 21, month => 11, year => 2023}: fail else run normaly
the problem is the intended thing was (if past 2023 21st november, don't run)
Is there anything inherently wrong with that?
I assume that, during maintenance, they would change the maintenance fail-safe to a new date in the future. So... if the operator met their due maintenance obligations, then the train would never hit this trigger. Would you be equally outraged if a passenger aircraft refused to start up because it had missed two scheduled maintenance periods and was potentially unsafe according to the manufacturer?
As for the (bad) code... is it?....
Ideally, the November failure shouldn't be hit... but maintenance mistakes can and will happen.
The December failure should NEVER be hit. You can AVOID the November failure if necessary, by keeping it in the shed (or having it towed) - and STILL get it running under its own power in December to get it to a repair yard or do some light service. Mistakes sometimes happen, and locking up the train PERMANENTLY would be bad. So... you get a second servicing window to move the train in early December, before you finally blow through the annual check and the train is disabled.
The double-triggering looks like bad code, but I can see why it could be a very deliberate feature that actually works in the operators favour.
Then, there's the contractual obligations...
What if the maintainence schedule was a strict condition of the sale? A part of the commercial contract obligations? Perhaps part of the trains license to operate?
Should a passenger plane permit itself to take off, if it is being operated outside of it's rigorous (and contractually agreed) safety profile?
If not, then why should a train, similarly unmaintained, allow you to raise its pantographs and enter public passenger/cargo service?
No, a passenger aircraft would, quite rightly, refuse to start up if it can't certify fitness!
So, what's wrong with a train refusing to raise its pantographs and enter transport service?
Here's the thing...
This is NOT domestic consumer law - it involves a corporate B2B contract, between parties required to exercise due diligence, with strict obligations and due performance requirements on both sides. It has very little to do with the 'right to repair' of consumers... where the most you stand to lose are the reciprocals (like a warranty obligation)
If they didn't like the maintenance terms in the contract - they should have re-negotiated it.
There are also strict legislative requirements on national operators to perform due maintenance as a part of their license to operate... which they can't negotiate. There's nothing wrong with train manufacturers ensuring that the trains themselves, not just the operators, adhere to these operator licensing conditions. In fact, the manufacturers may be OBLIGED to ensure that their trains cannot be used out-of-service - ESPECIALLY when they themselves are the equipment maintainers, under a maintenance contract.
So...
Depending on the contract, the manufacturer SHOULD have a strong case. The exception being, if they tried to force the operator to maintain at a schedule NOT required under contract or NOT forming a condition of the sale...and where such a service is not otherwise a regulatory requirement under the national rail operators license. If so, they may be in trouble for shady business practices.
The enforcement may not even NEED to be mentioned in their contract - provided that the enforcement is also 'compatible' with the strict requirements of the national operators licensing obligations. After all... if an unmaintained train is not allowed to operate by law, then the fact that it refuses to start is not a harm, but a protection. You see?
But, I think it's far more likely that scheduled maintenance, by authorised personnel, was a condition of sale... and the operator is in breach for cutting corners despite its prior agreements, and is now whining like a b**** ; )
It's 'big boy' contract law. Let the courts sort it out.
And (to me) the compound conditional clause in the code, does make a lot of practical sense.
@@garychap8384 No, the date check is just a bug in the code, nothing more. They have multiple features designed to mess 3rd party workshops. Including the very damning geofencing that makes the train stop working if it's serviced within certain GPS coordinates which all happen to match 3rd party service workshops. This is likely a civil and possibly criminal liability since it undermines the bidding of service contracts. These features are undocumented and they've also made updates to the features without documentation in the service logs, which is likely a breach of relevant train safety laws in Poland.
If you're talking about big boy contract law, Newag will now have to take the consequences of their action like big boys. Investigations are being made in multiple countries, not just Poland, that will likely end up in the courts. And they will forever be viewed with suspicion next time they put a bid on a multi million euro public contract. As they should be.
Newag to John Deere "Hold my beer..."
:D weve got to fight... for our right... to freeeeeee Doom ;)
@@TymexComputing are definitely NOT showing your age lol
meanwhile, apple suggests: have you thought about making them not waterproof?
*hold my BEERE
They're Polish, so "hold my wódka, kurwa".
Seems someone saw the ice cream machines at McDonalds and had a stroke of genius, emphasis on "stroke."
Under German law, using cyberattacks to shut down the railroad infrastructure is one of the definitions of terrorism.
There is no exception for the attacker being the one who manufactured the train.
Shows you what we think of such "companies".
Oh, I'm sure in court they'd argue that since the train was built with these "Safety Features", it's not a cyberattack even if it does shut down the railroad infrastructure.
Do you think the same as everyone else and the company won't face any consequences of the law being applied because capitalism
The train bricking should be illegal to the point of being a death sentence for a company. Not only is it anti-consumer, and anti-competitive, it is destruction of property, and potentially unsafe. They are using nefarious methods to gain an advantage over competitors and give themselves a monopoly, and essentially defraud and rob their customers. Unless the punishment for getting caught is extremely harsh, these companies will just put more effort into hiding it, or write it into the cost of doing business. For the gameboy hack, couldn't you tap into the speaker wire and record the waveform directly to get rid of any distortion from the speaker?
I think that the amplifier also adds some distortion to the signal before being voiced through the speaker. Maybe that's the reason why they had to tap the contacts before the amplifier
Firstly, consumers don't buy trains.... corporations do! And they do so, not at retail as YOU might, but under commercial contracts and strict operating licenses!
When was the last time you, as a domestic consumer, went shopping for a train?
Or, even operated one on shared infrastructure?
Secondly...
Commercial operators are bound under a strictly negotiated commercial contract... AND FURTHER bound under their nationally regulated licenses to operate! This _(and particularly the latter)_ mandates qualified service and maintenance according to a proscribed schedule. Without it, they're NOT allowed to operate. So, there's that! : )
But, the obligations for safe operation don't end with the operator. Both the operator AND the manufacturer are obliged to ensure that the equipment meets these safe operating conditions. The manufacturer may even have the stricter liability - especially where they are also the maintainer - to ensure that the equipment remains compliant and can ONLY be safely operated.
But it ain't just trains...
Passenger/Transport aircraft from airbus and Boeing do the same. They will refuse to start up if not properly maintained... rather than fail in the air. That's a good thing!
Similarly, a train can refuse to raise its pantographs at the start of the day, if it cannot certify its own safety - rather than enter public service...
... absolutely nothing wrong with that!
But it's NOT equivalent to consumer protections or the 'right to repair' (which I support wholeheartedly, by the way)
I hope this post has helped clarify why that's the case.
@garychap8384 the glaring difference is this mfg got caught placing a logic bomb in its code It is possible they would be forced to eat training other repair facilities and providing any special tools required. Boeing provides a VERY detailed set of maintenance requirements operators can perform, or sub it out to qualified maintenance operations.
@@garychap8384 Ah yes, there's always "that guy" that finds a reason to defend DRM. 🤦♂
Guess we know who it is this time lol.
🤡🌎
@@cgarzs When the F did I defend DRM?
I have already said that if ... IF.... the exclusive maintenance obligations didn't form part of the contract, then they're in the wrong. Plain and simple!
I'm not saying they are RIGHT... I'm saying that I CANNOT KNOW! And, unless you've seen the contract or were there in the courtroom, NEITHER CAN YOU.
What I AM arguing against, is the fact that peoples stated bases for belief are entirely flawed ... it's the CONTRACT that matters here, and we ain't got it.
We have one person claiming that "because it was put out to tender" the buyer has a right to repair... this is PATENTLY false. Tender is how contracts are invited - it doesn't affect the CONTENT or EFFECT of those contracts once agreed.
And I'm right! Because the argument is utterly absurd on the face of it. That's not how corporations work... I should know, I'm a former CTO.
Does that means I support DRM? No... that would be YET ANOTHER patently absurd assumption that doesn't follow from the facts.
And there are a LOT of those here : /
I'm also reacting to people insisting that its an 'open and shut, right to repair' issue when that only applies to Consumers at Retail... not to B2B contracts where due diligence and contract law override everything. I ALREADY SAID I FULLY SUPPORT CONSUMERS RIGHT TO REPAIR
I even slammed Apple, elsewhere in this comment section - for their anti-consumer, anti-repair, practices.
Then some people here insist that the fact the code even exists is PROOF of wrongdoing.... IT IS ABSOLUTELY NOT ... NOT ON ITS OWN!
So, I'm pointing out that a 'logic bomb' and a 'maintenance fail-safe' are equivalent (IN TERMS OF CODE)... because ITS NOT THAT SIMPLE!!! Fact!
The thing that ACTUALLY separates them is malicious intent - and whether the manufacturer has the contracted the maintenance rights as part of the contract of sale. If they were bound by contract to approved maintainance - then the code never gets hit unless they miss the maintenance schedule or use a non-approved repair shop. WE CANT KNOW, BECAUSE WE HAVEN'T GOT SIGHT OF THE CONTRACT
This is not the same as the consumers right to repair their car! That's CLEARLY a consumer matter! The car is bought outright at retail - not under a corporate contract with obligations and restrictions placed upon BOTH parties.
See? That's an entirely different thing.
I'm arguing that the contract is what matters here - not peoples personal intuitions about how the world SHOULD work.
But I AGREE ... it would be nice if the world worked like that - but, in the world governed by corporate contracts, IT DOESN'T!
Then there are the armchair software development experts (my field)...
These people claim that the code is broken because that's *"not how you do a date check"* ... but that assumes they know what the intended behaviour was...
... the code gives a shutdown in late November _(Which, arguably, you should never hit if following any contractual maintenance obligations)_ Then it re-enables the train again before a final shutdown at the end of December.
This looks a LOT like intended behaviour, because honest mistakes DO happen... and deadlines sometimes get missed.
Unlike others here - I don't pretend to know that the coders intended a simple date check and 'got it wrong' ... that would be an assumption, not a fact.
Do WE know that what they intended was a single date check? A single and final date of failure? No!
Then there's people saying that a train is a 'public utility' ... it's not. It's a commercial object used BY a utility... it may PROVIDE a utility... but that doesn't mean that fail-safes are an interference with public utilities.
Yes, they could BECOME so... if they get it wrong, or if the operator doesn't follow the maintainance instructions... or the operator cuts corners... or... if there was some unlawful intent on the part of the manufacturer. But WE DO NOT KNOW WITHOUT THE CONTRACT AND THE OFFICIAL ENGINEER DOCUMENTS.
And, what does the train do...
It simply refuses to go into service at the start of the day, by refusing to raise its pantographs ... that's classic fail-safe behaviour. Do NOT allow operation of the heavy equipment... as its operation may be unsafe.
There is a LOT of heavy plant equipment that does EXACTLY THE SAME if they are not properly maintained by an AUTHORISED maintainer... including passenger aircraft!
PARTICULARLY things that operate in public and have unusually onerous public liability.
I point this out and I'm supporting DRM? Really? Maybe you just don't like facts much : /
And typically, nobody calls these a 'logic bomb' ... they are intended fail-safes that you ONLY hit, if you're not following the approved maintainance schedules. Calling it a logic bomb presupposes malicious intent.
We can't presuppose this without exposing crippling bias... we need the contract _(or a court ruling, following due weighing of the contract)_
A fail-safe is the manufacture, withdrawing their certification of the safe operating parameters for the equipment... work around it, and YOU are at fault, not the manufacturer. That's an attempt to limit their liability. Do we know that this is not the case here? No, not without the contract!
Literally ALL I'm saying is that there's NOT enough information here. The world works on legal facts... not our personal feelings.
So, NO... not 'arguing for DRM' ... I'm arguing AGAINST ignorant knee-jerk statements with nothing more than an emotional basis.
But this is the problem with internet comment sections these days... people jump down your throat if you DARE to suggest applying a little common sense - or address flaws in their reasoning.
Everyone is starting to see the world in black and white, Us vs Them, terms - it ain't healthy. The fence is a damned fine place to wait!
Pointing out flaws in a statement is NOT the same as disagreeing with their conclusion - it's questioning how they arrive at that conclusion. The conclusion may be entirely correct - but you have to get there properly. That's all.
Jesus, this place is toxic sometimes.
Screw it. I'm done.
And also in the 90's everything was on 900mhz band and your baby monitor would pick up neighbor cordless phone calls because encryption didn't exist on consumer devices because "who cares what I got to say!"
Got the general story but i will add theres some more details if you look for original videos about it.
Starting with they weren’t immediately suspicious about the manufacturer it got to the point they risked losing the maintenance contract first.
Also for legal i would consider this a minimum of industrial sabotage and if polish railways have the level of government infrastructure control as here it could go up to sabotaging government infrastructure which is generally more in line with terrorism on severity.
Just imagine if they did regional blocking on airplanes!
They already do with surface to air missles
This is the type of thing that a lot of companies do. Hp has code in their bios that prevents booting with hardware not purchased from them for example.
LOL, yep. Corruption all the way, through and through. DOOMED.
Stay safe; take care of you and yours.
Best video yet!!! Love the new look. The tractor industry is going through the same "right to repair" issues....
Not only tractors but computers, rotten fruit (Apple), and other avenues! Fascinating video! I subbed!
Every industry. Your heat-sensitive label printer checks for "official" label reels.
This channel is straight to the point. It deserves way more subscribers.
Appreciate that! Help spread the word brother!
If data can be retrieved just by listening to it playing the bytes to the speaker then you can transmit digital data without needing to modulate it. That's neat.
That does depend on the channel quality.
In the video example of the console, the DC levels of the DAC output should be recorded as directly as possible to obtain all DC levels verbatim. Any added circuitry or other extra length of the signal path will rapidly add challenges.
Thank You :) and greetings from Poland :). The problem issue reaches back many years ;)
A! Jest i mój wierny widz! Jaki ten RUclips jest mały!
Cześć :), może to tylko zbieżność nickname ;) "permanentna inwigilacja , nie wytrzymam"
Fascinating material! I enjoyed the entire video. Well done!
Always a good morning with a news update from recessim
Setting the bar high out here!
Thanks! Trying to improve and learn new skills, the hacker way 😁
Why do the guys in Midnight Blue look like they're in a Norwegian metal band?
I just realized how much better of a mood I'm in when a Recessim video drops. thanks!
By far the best content on youtube! Sorry that I hack the crap out of the youtube add blocker while I watch it! No advertisements for me!
man your videos just keep getting better! pimp lab setup by the way
Really enjoy your videos and the format you make them in! Totally new to me, just popped up on my feed today. subscribed!
Glad yer back!
Awesome content as always
Have not forgotten the dumpster fire that is e-bike batteries and motors, just been busy with life
the game boy ROM dump video is wild 😅🤣
Thanks for the tip with the screens, much appreciated
Newag has a headquarter in my home city. Living here for most of my miserable life, I´m not surprised they did it. Knowing the way they did it - crudely, in a primitive manner and without any finesse I´m absolutely sure that the employees from my city are behind it. Here we have a saying: "somehow it will be"...
The last time I heard someone say "hunkie-dorie" in regular conversation was as a kid in the 90s at church.
Dig the new look! Great start to 2024
"You look marvelous!"
8:40 even earlier me thinks my Atari 2600 used to fail audibly.
It was nearly halfway through before I realised you were actually talking about trains and not talking about John Deere using euphemisms. Maybe I'm slow. Or maybe there are just so many anti-consumer companies out there that it's hard to tell anymore.
You’re not slow, we’re literally getting raped via all forms of transportation!
Best episode yet 🔥🔥🔥 rock on 🤘😎🤘
Love the new look and feel. 🎉
I miss the bankers lamp though ;)
Hey Hash!!! I'm a reverse engineer too. I watched all your videos and found them really interesting. I hope you keep this channel going for a long time. I have learned a lot from your program. I imagine you are the type of guy who has a really interesting day job. You know what's really easy to reverse engineer? Vaporizers. Disposable vaporizers. You should mention that in your program. All you have to do is get a pair of pliers and take the two ends off, or put it in a vice and pop the panel off and disconnect the wires from the battery. Then you just put a laptop battery in a vice and take out the cells, take one cell, touch the wires from the coil to both ends of the battery and the thing will fire up and last quite a bit longer than intended. You can even put more vape juice in the pod.
truly a stoner moment
great video!
Is TETRA used on Polish trains? 😳
In fact yes it is used by the PKP - Polskie Koleje Państwowe - Polish State Owned Rails. Not on every train tho...But a lot of current used trains use it, as does the SOK - Służba Ochrony Kolei - Railroad Police - Formation responsible for security of train depots, train stations, and trains. TETRA is used also by Polish Police, Polish Fire Dep. Polish Border Guard and etc.....
4:56
I think those also the ones to activate Scorpions flaming skull fatality in Mortal Kombat II for the Super Nintendo
Thanks Hash.
Hilarious! Glad i subscribed
Modem over sound card? So old school, so gangster.
Greetings from Poland :)
Nice, enjoyed this one. Well I enjoy basically all of them lol.
liking the 2024 look a lot :D
So what became of the train issue? We’re they able to disable the geo fencing and restart the trains!. Funny cloning on the old Amps cellular system. Motorolas biggest flaw on their first generation mobile was that the ESN chip used the exact same PROM chip that was used to program the subscriber data on. Reading the pin out of the actual chip to the plug used to connect the serial number chip to the logic board, one would find that pins 1 and 16 or was it 8 and 9 were reversed, can’t remember now. All that you needed. To do was make an adapter that reversed the two wires and you could read the serial number chip in the raw data mode of the Curtis programmer, then write the data to a new PROM. IT took the industry at least two years to implement new firmware in the cell site infrastructure to shut down the phones in question if they showed up between two non adjacent cell towers. Well it did not stop those who wanted a phone in two of their fancy cars. They could only drive one at a time, this way they shared multiple phones between several cars but knew better to only have one active at a time. If someone had 3 cars they saved on not having two additional accounts, especially when were using only one car at a time.
It's a bit tricky business with "fixing" the trains, because in some cases it would require patching/modifying the software, which you can't really do due to safety/certification issues. Essentially you can't transport people on a train with "cracked" software. The trains which could be unlocked via existing built-in feature (like pressing fatality key combination) were unlocked.
There was a talk organised by polish MP where NEWAG showed rusted bolts and said everything else was a slander campaign. Next talk will be in couple of weeks
I would have paid another consultancy to remove all thei control crap out and sing a contract with a proper manufacturer like Siemens to do the migration.
you could use that "sound" one for breaching an airgap.....
9:08 It's objective truth that hacking is far more powerful when you've got the Uplink soundtrack blasting in the background while coding 👀
The thing that lifts and connects to the overhead power line is called a panograph.
Contra-code cameo!!
the "a" in Newag is a frontal "a", like in British "dance" or "bath".
Their talk was good(train talk). I have to check the Tetra talk out.
Huge fan of your content. I want the merch. But 11oz is tiny. Does your supplier offer larger sizes ?
Just created a 15oz for you!
Cheers
Right to repair removed...
BTW fascinating train story!
The things companies do never ceases to amaze me! Thanks for watching!
This is my kinda news. Thank you.
Much appreciated! Lots more to come this year!
Excellent future-proofing spyware and malware
Greetings from Poland.
Poland mentioned GG
I really hope he has a sidekick called kief
I wonder if the GBA would do something similar when you straight up disconnect the onboard memory too. maybe easier to do it in an emulator just to see what happened.
They had Konami code to re-enable the train? 😮😂
Artificial supply and demand 👍
Whatever keeps that stock ticker 📈
I wish that hacking ted talk style channel was in English 😢
others are learning from apple, planned obsolesce and failure.
Newag chapter 11 coming very soon.
only open source! that's the way
For projects paid for and funded by THE PEOPLE, I completely agree! Being held hostage by corporations is some bullshit
What happened to 2160p HDR?
I really want HDR to be a thing, but it seems the viewing experience is very different for everyone. Hard to control consistency, I might revisit it again.
@@RECESSIM oh right, that makes sense. I want 60fps to be a thing, i feel like its a significant improvement and it’s widely supported but its not been widely adopted by yt creators.
Konami code would have been cool
it’s comparable to a ransomware. Demanding payment to use the device. Newag, more like NeWang.
Bet Apple coded the train firmware 😂
Sounds like apple
This is a Mr Burns Standard Oil Rockefeller 1930s bulshit if I ever seen it😂😂😂 it blows my mind that is the year 2024 and there are still people in this world like this. Bruh....
Swag engineer that this this "ñapa" justi went to college with his Vw and Toyota programmers friends... What a loose of talent....
LOLZ...they used the Konami cheat code in their presentation for the train unlock code
😅
The real codes are way more boring though
😅
I know a NES cheat code when i see one 😅
This is very old knowledge and nothing new. This is normal geofencing. More systems have this than you think. Cars, trains, military technology, etc.
Isn't that code sequence is the same one you are using in Nintendo games cheats
Yes, it's the famous Konami-Code.
Life is a video game 🎮
ai:7
Simmer down meow
Did you just say “meow?”
@@RECESSIM when? Just meow?
Tinder or tender?
👆🏽 Asking the important questions
@@RECESSIM just call me coffeezilla
I think it's amazing that people will piss and moan about these kinds of problems but as soon as Apple does these kinds of things people really don't seem to care because they love their iPhone too much😂😂😂 people's political opinions are centered around what they want, not what's ethically correct or what is actually what they believe... I know people that will immediately swing from democratic to Republican if it means getting what they want vice versa...
Trash title is trash.
Have a downvote.
Found the Newag employee
@@RECESSIM who?
Also what do you exactly do here? Rehash/react to some other videos?
Right, useless otherwise.
Takin'a Train TINO? Think Twice... @LostBattlefields