Joe Fitz
Hardware Security Trainer and Researcher
Sep 7, 2021 14 tweets 4 min read
Bidirectional level shifting is cursed and should be avoided at all costs.

Here's a thread where I'll walk through a few of the specs you can look for to determine if you can safely just skip level shifting altogether. Most of what you want will be in the 'I/O', 'Electrical' or 'DC' characteristics part of the datasheet. You'll need to refer to the datasheet for both devices. Here's an example from the ESP8266 datasheet:
Aug 26, 2021 16 tweets 4 min read
I learned something yesterday that I realize I've probably misrepresented far too many times:

screen will only set a small handful of standard baud rates.

Let me walk through how I observed, confirmed, debugged, and worked around this:

99.9% of the time I use screen, I'm using it to talk to a serial port at 115200bps.
(I have been told screen has other uses, not sure I believe this)

Some devices use odd baud rates. Sometimes intentionally, sometimes due to hardware, code, or competency limitations.
Apr 7, 2019 7 tweets 2 min read
The @BlackHatEvents CFP closes Monday. Before you submit, consider a few things that can help the reviewers understand and accept your submission. Start with my tips from last year:

Your objective is to appeal to the reviewers, but the reviewers are focused on picking the content that will appeal to attendees.
Jan 23, 2019 16 tweets 3 min read
Hey Twitter: Reply to this tweet with things that you don't like about, and reasons you avoid technical training! Why? I know there's people who avoid it for a number of reasons -
Worrying about holding the class back
Worrying about being asked questions on the spot
Worrying about their questions being criticized
Worrying about having to work with someone
Dec 18, 2018 4 tweets 2 min read
Remember the auto-play sponsor video loop @BSidesPDX? Here's how, finally documented:
Get a raspberry pi with a standard image. Then:
sudo raspi-config # initial setup, set rpi to boot-to-console
sudo apt install omxplayer
echo 'omxplayer --loop video-to-loop.mp4' >> .bashrc
Get a 2-port auto HDMI switch:
- plug RPi into input 1
- plug presenter's cable into input 2
- plug output to the projector
- many projectors have a usb port that can power the RPi
Oct 8, 2018 23 tweets 4 min read
Do I Have a Hardware Implant?

I’ve gotten lots of inquiries if I could analyze some hardware for or could recommend someone who might.

I’ll be blunt - most of you don’t need this. Here are some things you should consider before seeking out services like this:

1. It’s unlikely you’re affected. Really. Even assuming every claim is true, and even if there is a secret device on every single X brand motherboard, it’s unlikely you’re targeted by whatever payload the implant carries.
Oct 5, 2018 12 tweets 3 min read
Hector and others have identified the component used in the Bloomberg article to represent the hardware implant. I'd like to share my perspective on whether it's realistically possible:

If someone said that the implant was found inside a coupler, first I'd check component suppliers for couplers that might fit the bill. And the one displayed is pretty much the smallest one you can find with 'coupler' in the name.
Oct 4, 2018 17 tweets 4 min read
At one point in time I had a conversation about how I would put a hardware implant into a system. I'm delighted to see @qrs had a very similar assessment:

Given a photo of a server motherboard, this was my response after a few minutes. You'll have to take my word I wrote this 4 Sept 2017.

"Well, you picked an easy one, it already has a backdoor :)"
Oct 4, 2018 32 tweets 6 min read
There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic.
threaded: securinghardware.com/articles/hardw…

The core of the claim is that someone implanted extra components on some server motherboards that would do malicious stuff, subvert the system and possibly allow it to ‘phone home’. I looked at the claims through a technical and feasibility lens.
Jul 24, 2018 12 tweets 4 min read
Remember the USB fans from Singapore that were in the news? @HackingThings and I took some more of them apart and there's plenty of potential for foul play. This is an older lightning port fan that @HackingThings had. No surprise there's a chip in there to speak SDQ to tell the iPhone to supply power
Jun 4, 2018 20 tweets 4 min read
Congratulations, your talk has been declined! Many of us have been disappointed or relieved by a rejection in the past few days. As a follow-on to my previous post about the CFP process and writing an abstract, I figured it would be fitting to write a bit about what to do now. Long form posted and will be updated here: securinghardware.com/articles/congr…

Don’t worry, a post about what to do if you’re *accepted* should come right on time, about a week before Black Hat and Defcon.
Mar 29, 2018 23 tweets 3 min read
Thinking about submitting to a CFP? You should, no matter how n00b or 1337 you think you are. But picking the right topic and venue can be tough. My experience is mostly infosec but likely applies to many fields. These are some examples of talks I'd attend:

1. So you've been in the industry for a year (or more)? You've learned a lot. Share with others the resources you found helpful, the mistakes you made, and what you wish you knew a year ago. Many BSides have first time attendees and people looking to get into the field.
Jan 5, 2018 15 tweets 4 min read
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons:
(note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have) Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.
Jan 4, 2018 10 tweets 2 min read
Here's my layman's not-totally-accurate-but-gets-the-point-across story about how #meltdown & #spectre type attacks work:

Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to read one of the books. 1/10

You go in and go to the librarian and say "I'd like special book #1, and the Sue Grafton novel that corresponds to the first letter of page 1 of that book." 2/10