Exploration of Cellular Based IoT Technology - Deral HEILAND

Show video

[Applause] so I just want to say thanks a lot  for having me here and uh I'm looking forward   to this hopefully everyone will enjoy this so our  presentation exploration of cellular-based iot   Technology again my name is darl Highland I am a  principal security researcher at rapid 7 I've been   there about 10 years so before we start I just  want to put a shout out uh Carla carot bidner   uh A friend of mine has been a co-researcher on  this cellular project and also I want to make a   shout out to Damian uh he did a presentation at  hack in Paris in uh 2018 and in that he talked   about transposing images to figure out the layout  of circuit boards and we kind of use that in here   also so I just want to give him credit for that so  let's go ahead and get started so the first part   we want to talk about is what we typically see  in iot devices there's two standards of cellular   modules that are used there's MB iot and LTE M uh  significant difference between the two MB iot mb1   mb2 have kind of a lower bandwidth they're half  duplex you often see these being used in devices   that do Telemetry data and only Telemetry data  an example of that would be GPS trackers so you   definitely see these and GPS trackers the next one  is LTM LT M1 M2 these particular cellular modules   that we see are higher bandwidth as you can see  in the picture uh one in four megabits they can   actually move real data uh things like images  audio video you can make phone calls across these   particular devices and in this case they also  support full duplex communication so that's the   typical two devices that I've seen in almost every  device that we've actually tore down and took a   look at so let's dig oh all the other part of this  is we talked about uh release 134 and 15 that laid   out those but since then the 3gpp group has come  out with other releases 15 16 17 the core devices   never really changed what they ended up adding was  more resources more functionality an example of   that is like small cell support or 5G support so  kind of keep the technology moving forward keep it   up with what's changing in the cellular world but  other than that the core devices haven't really   changed much so why are we here besides talking  about cellular to give you an idea why did I do   this what was our purpose in this the goal is to  get an understanding of Cellular in iot because   we're seeing more and more of these devices show  up a cellular an example would be uh home home   security systems will actually have uh cellular  capability for back haul we actually have camera   systems that are purely cellular so we're seeing  more and more devices start building Cellular in   there medical devices is an example I just got  a a device shipped to my house it happens to be   a blood pressure cuff that you would give to  you know a family member and all the data is   cellular based up to the cloud makes it possible  for the doctors to review that family members   review that things like that so A more and more  transition towards cellular for the communications   one of the things I like to do anytime I'm  looking at a new technology or an advancement   of technology is literally tear it apart I want  to tear it down top to bottom figure how it's   built how it's constructed how I can interact  with it and the goal of that is to be able to   teach other people to understand the technology so  much everyone's into hey let's a buffer over flow   or format string or flaw or some of attack but  often you can leverage technology against itself   so if you really really understand how it works it  gives you the ability to go much farther in your   testing and your examination of that technology  for security purposes so literally let's take   it apart figure out how it works figure out how  we can communicate with it how we can actually   leverage the technology itself to carry on further  attack are testing within the environment so as it   says here IR ovens hot plates hot air Reflow let's  take the device apart let's see what it's made up   of so we start taking the shield off we find out  components are packed in there pretty good every   time I get a device that has a cellular module  type in it I go buy extras and I throw it into an   oven I strip it bare of all of its components and  I start reverse engineering the circuit board's   layout out so I can see how the components are  laid out can an attacker if he wanted to gain   more access most of these devices are LGA devices  land grid array devices so all of the connections   of the circuit board are underneath it so to  keep from taking it off the circuit board can   I find access to usable data by taking the shield  off and going in from the top so literally that's   what we do we figure the LGA layout we strip the  board we start figuring out the components flash   memory start figuring out the CPU and then we  delve into things like hey can I get access to   J tag on this device so we start mapping out the  J tag from that circuit level and then trace it   out on the surface of the board and go hey can  I get access to things like this without doing   other more intrusive stuff now obviously that's  intrusive okay we've destroyed a chip but hey   I've lost count of the number of chips I've  totally destroyed so here's a memory chip so you   have a memory chip on these devices it uh happens  to be a multi-chip package a multi-chip so if you   look at the pin layout and you're familiar with  this it looks just like it 162 ball BGA embedded   multi-chip package the thing is this does not have  an internal embedded controller on it so you just   can't pull it off drop it into reader and mount  it up as a file system it's a little more complex   than that what we want to do is hey I want to get  memory off this the chip reader sockets cost about   800 bucks a piece every one of them's different  size that means every one of these chips the pin   out pitch is the same but the body of the chip  will change 8 by 10 millim 9 by 11 mm 13x 11 mm   so if you have to die a different buy a different  socket for everyone the money goes up you start   looking at several thousand EUR to get sockets  for this and I'm cheap I like to do things the   cheap way not necessarily the easy way but there's  a method to my madness and and I've published it   you'll see that in a minute so what we do is you  get a pin pin diagram for the device now these   particular chips there are no data sheets for them  but I was able to find a pin out the pinout for   this manufacturer and the other manufacturers are  all the same the reason why is if the Chip's not   available a manufacturer of a module will go buy  it from another manufacturer and just drop it into   place so then what we do is we map that to the  chip and then we ball the chip so we put balls on   the chip we can see it here so we add Balls to the  chip and the purpose of that I found out instead   of trying to just solder straight to it with a  wire which is mad okay it's not that easy but   once you put the balls on there you can take fine  gauge wire like 40 gauge wire press it against the   Ball tap it with a solder iron and it instantly  connects to it and we can wire up one of these   chips on our microscope fairly quickly and then  well we're dealing with the fact that we don't   have the data sheet on this but found out if you  go by get the Sal slick you can find out critical   information about the chip silicon how big it is  bit speed its rate its function structure all that   for an N Flash and then what you do is you go to  same manufacturer and you look through all of his   chips different package Styles and try to find  a chip that has that same specifications because   companies do not produce new silicon they re reuse  the same silicon and just put it in a different   body so then you go ahead and I built out a 48 pin  zif socket I go to the manufacturer I find a t-a   48 that uses the same silicon or at least I think  uses the same silicon I wire it up like it does   and then I try to read it with a chip reader I'd  say about 50% of the time it'll tell me it has the   same chip identifier between the two chip bodies  and then it reads no problem if it says that it   doesn't match I said ignore it run anyways I have  yet to have this not work and not able to dump   all the memory off these chips using this process  it works fairly well down at the bottom is a link   uh to a blog or a paper where I go through this  entire process and like I said the ultimate goal   is to process this stuff to the point where other  people repeat it and learn from it so that data is   out there uh and it's very effective actually able  to pull memory off these chips so then we want to   get into kind of the interaction with the hardware  so when you want to talk to a cellular module Oh   wrong slide I'm a little ahead of myself I  apologize so you want to interact with the   actual Hardware what you want to do is a process  that Damian talked about at Tack and compis in   2018 you want to actually make opposite image of  the back side of the board and then transpose them   over each other and by setting these at like 50%  density and then overlaying them you can see the   reference between all the components on one side  or the other side it makes it easier for tracing   out critical things on the board that you want  to uh tap into and actually look at to take it to   another level I go ahead and get the actual land  grid array for the cellular module and I overlay   it now quickly I can look at this and go hey the  Yellow Boxes up there are uart the coral boxes in   the lower leftand corner are USB now I know where  everything's connected on the board and the most   likely place that I'm going to have areas that I  can connect into to access the USB and the uart   and it's very effective I use this on a regular  basis it simplifies it saves me a little bit of   time because sometimes these chips are oriented  these modules are oriented very different on the   boards and you can easily be trying to trace out  something on one side of the board or one end of   the board when in reality it's on the other end  of the board and this makes it easier to get that   image in your head and Target the right area on  the board so then we start thinking you know I'm   sitting in my lab at home and I'm like okay so we  can trace it out what happens if the manufacturer   the circuit board this module's attached to  design a really well board and that board all   of the connections that I'm interesting looking  at are not on the surface they're on a su layer   so they go from the LGA which is underneath the  chip body they go over to the CPU who's a BGA and   everything's one of the sublayers and I can't  get access to it so I started thinking about   this and I'm thinking these modules are fairly  good size the cool thing is if you look at these   land grid array all of the critical stuff is  always on the outer edges always on the edge   outer edges so I started thinking what if and you  can see them there in that picture there you can   see the actual L grid arrays along the edge what  if I used acupuncture needles so I went out and   uh you can't normally in the US buy acupuncture  needles because they're like medical things but   you can buy these things that are used to clean  out uh printers 3D printers that are basically the   same acupuncture needles they just label them as  non-medical and you can buy them you get them in   different sizes I think I have .1 mm 0.15 0.2.3  and. 35 in my lab and what you do is you make   up a rig and you inserted underneath the edge of  the Chip and attach to the critical communication   circuits you want to talk to this works pretty  good especially on the smaller modules I did   notice on some of the larger modules where the  land grids are further up underneath they may be   upwards of 2 and 1 12 millim sometimes when these  are are put on the board the actual modules have   a tendency to Cup and when they cup they close  up the edge and makes it difficult to do that   but they don't always do that so if there's a gap  along the edge acupuncture needles will let you   tap into those circuits very effectively capture  data and communicate with the module if you need to so circuit board communication so how do you  communicate to a cellular module so I don't know   how many people in here are familiar with old  modems at commands on modems okay we we have a   few well it turns out that most RF devices  have that capability including these These   are completely controlled and managed via AT  commands now if you're looking at the old Haze   at compatible at command structure it's not the  same this this is way more advanced there's way   more commands that can be sent to these devices  to actually uh control them another important   fact if you have a device that takes AT commands  and you get an at command manual for it it'll list   all the commands all the data well not all the  commands and that seems to be the problem it turns   out on a lot of these cellular modules there can  often be a number of commands that aren't listed   it in the 18 manuals so to solve this problem  me and my friend Carla went out and gathered   all the at command manuals for each manufacturer  and compiled them into a list and then we wrote   some python script which at the end of this  slide deck there'll be a link for that uh   that list and we wrote some uh scripts that we  can connect into the modules and run all these   at commands in the standard help check mode  which basically it's a command that actually   will say does this command exist and what is  its syntax and we can easily scan a device and   figure out what are all the AT commands that  do work and the cool thing is there's a lot   of cool commands in there and they're not always  documented in the manual which we're going to show here so the communication types on cellular  modules are USB and uart so there's generally   three types of communication capabilities  on these devices it's often USB high-speed   inter chip which is 480 megabits per second and  then there's also I I list a couple other there   because they do exist there is an esub which is an  embedded USB structure I haven't really seen them   on modems but I've seen them on other devices and  then you can see standard the difference between   the standard and the highspeed intership typically  is related to the fact that on standard there is a   negotiation that takes place on the bus to figure  out and assign an ID to a a device because you can   have multiple devices on a USB bus thing is when  you're looking at intership communications there   is not typically multiple devices on the bus  there's one you have the CPU and the devices   talking to so there's no need to negotiate and  that's where high-speed interships kind of a   a a subset of standard then you have Ur you have  two different URS on a cellular module you have   an external debug Ard you can tap into that and  you can watch the device boot up often a lot of   those will actually have a log on prompt  you can actually log on the device if you   know the password the other one which is called  main uart is an inter chip art it'll go from a   microprocessor to the module now both of these are  used for communication and data but they're never   used at the same time so a device is designed  to use USB it'll send commands it'll send data   it send control information or it uses Ur to do  the same thing yeah I've never seen a device that   will actually do both so if you can identify  communication on either one of these you can   make the Assumption the other one's not going  to be used often I found them to be completely   disconnected in the circuit there's no runs or  traces associated with those the device we're   going to show today in our demo videos it did  actually have both of them connected but only   USB was used even though the uart was connected to  the CPU it did nothing no responses on it from the   CPU there was response on it from the other thing  so when both these are up there even though one's   not used let's say USB is being used which is our  example today the urart can still be connected to   it and take commands and take data so it makes  for an interesting Vector for you to control the   device so when we start talking about interchip  Communications there's a couple key things to   think about so we're looking at this here this  would be how that CPUs uh main yor connects   to the EG 91 module if you wanted to listen to  traffic on this and it was a normal full Traffic   uart main uart the thing is is you can't hook it  up like a regular uart you're going to have to   listen to RX on both sides remember both sides are  communicating both directions the CPUs is talking   and the modules talking and it goes back and forth  so you have to use two ftdi devices connect up to   the device and then you're able to capture data  but if I want to communicate to the device I want   to send commands to the device it has to be done  a little different turns out you have to sever the   circuit standard Ur Communications if they're  connected on both ends and you hook to it will   not take your commands it's electronic thing  go figure unless there is one exception I did   document it in a paper if there is a terminating  resistor or an impedance matching resistor on both   sides of this between the devices or a voltage  translator because one's 1.8 or 3.3 often in   those cases you can hook your your your own ftdi  device up there and put a resistor a terminating   resistor in the circuit yourself and you can  also communicate so it's about 75% of the time   80% of the time I see them directly connected  I don't see any resistors in place in those   cases there you're going to have to cut the runs  Connect into it with the device so and and that's   pretty straightforward so we start thinking about  this here's an example here so this is a device   we're going to show today so we Trace everything  out we see we have a transmit and receive right   here so we connect wires here we go further up  the runs we follow up the runs connect two more   wires and then just cut the runs and if you have  a device that's actually used in the uart for real   Communications cutting the runs is typically a  bad thing so the solution to that is we actually   put into it a control board we pull everything  out here control board gives us wire strips uh   I build these like oh gosh all the time so I  have tons of these laying on my lab and it has   on and off switches so it gives us the ability  to hook everything up turn the switches on so   Communications let the device run normal and at  some point when we want to send the command open   it up send our commands close it back up most of  the time there's no latencies issues you will once   in a while encounter a device that sends out a lot  of Watch Dogs and if it misses like three Watch   Dogs it'll reset the device you got to watch for  that uh when you're working with these devices so   now that we've taken this device just so you know  what this device is so I brought one in it happens   to be a trail camera used for Capt capturing  wildlife in the woods is what this device is it's no sense in not know what it is I know you  can see it's a camera but hey so then we take the   thing apart we've cut the runs we've rerouted  uart this particular device uses USB for all   of its commands and we're going to look at the USB  traffic here shortly but since it uses USB for all   of its commands we know it doesn't use uart so  literally we can cut the runs leave the circuit   open we don't have to work worry about that so  we have a quick little video here so what we're   going to do is we're going to power the device up  and we're going to see a ready command come from   the microc or from the uh cellular module when it  Powers up it's going to send some commands out on   both channels the CPU cares less about this one  it cares about the one that's on the other side   so when it sends out the ready command what we're  going to do is we're just going to start talking   to it this happens to be a Quil EG 91 we hook the  wires in we cut the runs all the anti wires I like   the breakout boards because I could put put all  these headers on there and I can hook any kind of   tested gear into this device that I need to for  whatever I'm doing and I'm using really small   1.8 volt uh ftdi devices on this that are easy  to mount on a circuit board uh for design and   there we go me pointing at that so that's cool but  let's go ahead and we're going to power it up and   then we're going to see a ready command come up  so what I did in this so when we fire it up and   we get a ready command up here I'll send an at  command to make sure it's okay and everything's fine okay we got a ready command I put an at  command in there and then I can just start sending   AT commands to it okay so we instantly see that I  can actually check the configuration I can see who   it's connecting to and then out of kicks I went  ahead and actually carried out an FTP transaction   I connected to the internet to an FTP server on  the internet while this device is still being   a trail camera that functionality has never  changed and I actually had it bring Brown a   directory listing on a device this particular  command's not in the command manual there's a   lot of communication commands that were not in the  manual so you can see now even though the device   is functioning normal it came up ready through  other monitoring we validate that it connected   out registered to the cell service everything's  working and that's based on some of those commands   I ran there showed me that the connections were  there and everything was synced up properly   at that point I could do whatever I want with  this device it's going to carry out my cans my transactions so the next thing I want to look  at is USB so we know the Art's there we know   we can communicate with it what does USB communic  Communications look like this was more problematic   this took me a while to get around to figuring it  out appropriately there is a lot of there is a lot   of USB sniffers out there that are open source  but I assure you I don't think any of them can   do interner chip communication sniffing almost  all of them are pass through devices so you have   to have a USB device a machine and then you put  the listener in between well we can't do that   here when you get into circuit design related to  USB communication I think the limitation is really   short like 10 less than 10 cmet like 3 4 cmet  on a circuit board if you extend it out beyond   that without proper termination it'll quit working  and if you try to put a device in between it route   it off Route it like we did with the art it won't  work so it turns out I end up picking up a device   called a beagle this is the only Manu ufacturer  I could actually find that said their devic is   capable of interchip communication sniffing on  the USB bus unless you want to spend 10 grand   this on the other hand was not cheap this was  probably ,200 so not cheap so I'm looking for   open- Source solution out there that somebody may  be aware of that will do inner chip I just don't   want to spend a th000 2,000 EUR buying devices to  find out they don't work so if you have a device   try this out let me know and I'll share it with  the community but for you to communicate to this   device we traced out the USB runs on the device  it's often to see terminating resistors at least   that's what I thought these were terminating  resistors on the circuit between a CPU and a   cellular module turned out that these are zero  resistance resistors so basically jumpers put in   place but to make this device work you can't just  tap into a circuit it will load the circuit down   manufacturers said put a 20 to 40 Ohm resistor in  place so that's what we did we soldered in couple   20 ohm or 33 ohm in this case 33 ohm resistors in  the circuit and then we go ahead and we can hook   our wires into that to our device as we see hooked  up here since there was no 5vt uh us be 5 volts   taable on the device that's why you see the red  back wire I just fed back into the Beagle device   5 volts to tell it like yeah there's like a device  there uh to trick it so we have a video here and   it's going to go showing capturing the USB traffic  and when I first filed this up man I was like my   wife thought I gone crazy it's like yeah it's like  screaming and running around because I actually   got a device would do it right um so when we start  this out uh I know I I'll expand some of these out   so you can see more of the detail I apologize it's  kind of hard to adjust this stuff out but let's   take a look at what's going on here so we just  powered up the device and we're seeing all this   data but we're all seeing seeing USB communication  traffic all mixed in there we don't want that so   we can come over here and actually pick data and  filter it only so instantly we can stream out all   of the information that's USB Communications uh  and actually only get the data so we're seeing   all the commands hit the actual cellular module  some of the same commands you see me run from   the UR console and this is all coming from the  CPU and the CPU is very verbose as you can see   it's repeating the commands over and over and  over and over so it's constantly using that as   a Watch Dog to make sure the circuit is up and  everything's running that happens to be the firm   Ware version that is on the chip so there's  commands you can get the firmware version   that the Chip's on and I think here eventually  I actually had it took me a while to get this   thing to start triggering taking pictures and  sending them to Cloud but eventually it actually did it's still thinking about it come on  you know when you film these things for   video you think this will go fast then you  stand in front of 500 people and it's like   it's thinking about it so we can go asky we  could search all the data so we're looking   for bucket because I know bucket happens to  be an Amazon S3 bucket name so here we can   actually see the keys uh as you notice as we  go through this I do not show you enough that   you could break in and steal all of my stuff okay  so that's half of one of the keys and you'll see   this was kind of cool so we get in here we  can see we have the S3 Amazon Cloud we can   see the location the bucket names trail camera  it has a key name and I don't think I show the   password apparently the device has a password  and all that stuff so literally I can capture   all the communications which is considered in this  case machine to machine uh Communications and now   I can take it offline you know if I'm testing a  product or testing an ecosystem for somebody now   I have enough data I can connect straight up to  that S3 bucket and start testing to see if it's   secure because now I've captured all the comms  on how this thing works let's go ahead and move forward so this brings up an interesting  story and the story goes like this when   I run run and start looking at devices most of  the certain percentage of devices just connect   to the internet via cellular coms but not all  of them do we run into some that have actually   started used in private connections so it'll be  private VLAN or private Cloud connections so this   device doesn't do it but I've seen devices not  too long ago that actually did this what that   means is when they connect to the cloud or connect  to these private connections people from the   internet can't get to it the only thing you can  get to it is through this machine and now we've   actually showed that we can control the machine  so in that private VLAN we start thinking about   it we have a device it connects out and if this  is purely private all of these Key Systems in   the back end the machine has has access to it we  don't have access to it well until now okay what   we can do with the device this device has a ton  of really cool commands so again we tapped into   it we cut the runs we move the data out let's have  a little little fun so what I wanted to do is is   this thing had socket capability now I assure  you there's way more possibilities here this is   just scraping the CCH circuit and I was wanting  to know hey can I build a port scanner and use   the modem to do Port scanning for me so I wrote  a script the script's fairly simple it opens up   a socket it connects to a port it gets a response  back whether the port's open or closed closes the   port moves on to the next one so we're going  to do a quick example and here's kind of the   commands or the error messages that can come back  back so you get a lot of different error messages   so we're going to go ahead and kick this off  so we're listening up here and we see we end   up got a ready command so we're going to close  it we know the mo modem's uppr running and now   we're going to run our scanner and it connects  out we got a z 0 Port 80 is open we know that now Port 3389 is closed there only two Port  open on this particular device I'm pointing   this at this was a device I had legal access  to do this to on the internet so I got to worry   about things like that as you can see maybe  not the fastest scanner in the world but if   I'm connecting into backend virtual cloud services  or if I'm connecting to through a private vland   to a subset of critical systems that are only  accessible by this device or maybe even other devices then I think this is sufficient we can  quickly analyze see what port are open and then   use the device as a pivot point into that private  virtual Cloud private vlam so uh so I don't know   if you guys caught them all Port 80 was open  and Port 22 was open the rest of them were   closed in this particular case in this example  so what other possible capabilities are there I   think in this case here this particular device  also has the ability to set up a USB Ethernet   I haven't done that yet it's on a list of  things to do so can I establish a completely   functioning ethernet where I can actually  send data out the other thing we can think   about during this whole attack Vector is  since we have this level of access we have   the ability to pull all the configurations out  of the device off the modem we're able to pull   all of the other critical data from the cloud  because we can capture USB by doing inter chip   communication analysis now we could easily Port  all this out to a breakout board and then take   it to the next level now we have the ability  to authenticate all to all these components   all of these type of things and then possibly  we could turn that into basically EET port and   I think that's doable here with a little more  research in time not sure where we at on time oh looks like we got 10 minutes I'm a  little ahead of myself but let's kind   of move on so we happen to have some listed  items here uh I recommend checking them out   I will be releasing a paper here right before  Defcon on the cellular stuff where we kind of   expand out more on some of the stuff because  it's kind of hard to do it all in 45 minutes   but you can gain access to this data it's all  available online please check it out follow   me on Twitter uh reach out through me email  if you have any questions feedback input do   not hesitate to reach out to me I very much a  community-driven person all of my research is   open- Source I share it freely with everybody  uh and I'm excited uh to take this project even   further or find other people who' have done  similar things or are working on other things   so so kind of in conclusion as you can see by  looking at devices via interchip Communications   USB Ur we can capture a wealth of information  and get a good understanding of what in to-end   security looks in this technology versus attacking  it externally We Go From the Inside Out we also   have the ability to change configure and modify  the functionality of a device through interchip   Communications and the cellular modules are  brilliant I mean with the amount of command   sets are available everything that device does is  being done through at commands all the capture all   the tunnels all the commands all the structure  all the communication of data it's all being   done through at commands take those at commands  and disguise the limit on what you could possibly   get these devices to do so I I hope you guys found  this interesting and useful thank you very much will you do cuning I'll take questions do you have any questions  please raise your arm stand up hello well first of all thanks for the  presentation it was very interesting uh as   was just wondering what is the most unexpected  thing you ever found on an iot device in terms   of backdoors or undocumented functionality yeah  undocumented functionality on iot devices is   some something I always look for unfortunately  I never find as much as I want uh but I had a   device number of years ago that was being uh  associate with press was actually using these   panic buttons which were cellular based panic  buttons to actually be protected from being   kidnapped by Colombian drug lords in Columbia  South America and they wanted me to look at these   things I found out with a single SMS command  I could flush the device reconfigure it turn   it into a listening device and a tracking device  through SMS messages and then the next step was   well how do I identify what the SMS message  phone number is I found out I could identify   the phone number address range and I found an  undocumented command that hadn't been quite   implemented completely and when I sent that  command the device would air out with an SMS   response back to me that I could fingerprint it  as a listening device uh so yeah there's there's   crazy things uh from the area of undocumented  commands and I think everyone needs at least try   to find those when you get into that firmware  it's one of the things I look for um and the   case with this is not that the commands are not  documented they documented by these manufacturers   they don't list them always in the at manuals  for that particular product but they still exist yes hey Damian hi uh was just wondering  if you have ever tested uh you know just um   some kind of at command at module emulation  by just unpluging the quick tail module for   instance and then emulate it with something in  order to see what going on or make the device   believe that something else well the one  thing the the one thing so so one of the   things I tell manufacturers it turns out that  many of these cellular modules do not contain   all the information to make them run for that  product it's all sent from the CPU the thing   is is many of these modules have capability of  having a file system and a secure file system so   I always recommend the manufacturers at some  point either at the manufacturing process or   the initial pairing process of the device to  actually push that stuff into the secure file   system structure unless you know the name of it  you can't get it back out but I've only had one   of them actually take me up on it uh and I think  I think that's critical because because as you can   see I can just listen to it and we get everything  underneath the sun U but if they leverage the   devices at their level of capability and I think  this one actually has a secure file system too   for actually putting config files I hope that  answers your question yes thank you you're welcome right we're done yep  thank you very much darl Halen

2024-10-21

Show video