519: The Password Is All Zeros

Mark Omo and James Rowley spoke with us about safecracking, security, and the ethics of doing a bad job.

Mark and James gave an excellent talk on the development of their safecracking tools at DEF CON 33: Cash, Drugs, and Guns: Why Your Safes Aren't Safe. It included a section on the lock maker’s lawyers bullying them and on how the Electronic Frontier Foundation (EFF) has a Coders’ Rights Project to support security research.

As mentioned in the show, the US Cyber Trust Mark baseline has a very straightforward checklist: NISTIR 8259 is the overall standard, NISTIR 8259A is the technical checklist, and NISTIR 8259B is the non-technical (process/maintenance) checklist. Roughly, the process is NISTIR 8259 -> Plan/Guidance; NISTIR 8259A -> Build; NISTIR 8259B -> Support.

We discussed ETSI EN 303 645 V3.1.3 (2024-09) Cyber Security for Consumer Internet of Things: Baseline Requirement and the EU’s CRA: Cyber Resilience Act, which requires manufacturers to implement security by design, have security by default, provide free security updates, and protect confidentiality. See more here: How to prepare for the Cyber Resilience Act (CRA): A guide for manufacturers.

We didn’t mention Ghidra in the show specifically, but it is a tool for reverse engineering software: given a binary image, what was the code?

Some of the safecracking was helped by the lock maker using the same processor as the one in the PS4, which has many people looking to crack it. See fail0verflow :: PS4 Aux Hax 1: Intro & Aeolia for an introduction.

Mark and James have presented multiple times at Hardwear.io, a series of conferences and webinars about security (not wearables). Some related highlights:

414: Puff, the Magically Secure Dragon

Laura Abbott of Oxide Computer spoke with us about a silicon bug in the ROM of the NXP LPC55, affecting the TrustZone. 

More information about the two issues is in the Oxide blog:

More about LPC55S6x and their LPC55Sxx Secure Boot

Ghidra is a software reverse engineering framework… and it is one of the NSA’s GitHub repositories.

Laura will also be speaking about this at Hardwear.io in early June 2022 in Santa Clara. 

Twitter handles: @hardwear_io, @oxidecomputer, @openlabbott

The vulnerability was filed with NIST: NVD - CVE-2021-31532

399: Hey, What's Going On?

Jen Costillo joined us to talk about voice acting, reverse engineering, podcasting, and dance.

Jen’s podcast is the Unnamed Reverse Engineering Podcast, found in all your usual podcast places. Jen and her co-host Alvaro were on an episode of the Opposable Thumbs podcast.

Find Jen on Twitter at @RebelbotJen (also @unnamed_show and @catmachinesSF). Rebelbot.com has her blog and Cat Machines Dance is her site devoted to dance (including the mentioned video about dancers and the pandemic).

The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks by Jasper van Woudenberg and Colin O'Flynn 

Jen is studying voice-overs at VoicetraxSF 

Jen has been on the show many times in the past. Some of our favorites include

370: This Is the Whey

Alvaro Prieto (@alvaroprieto) spoke with us about cheese, making, work, the reverse engineering podcast, weather, and motivation.

Alvaro is a host of the Unnamed Reverse Engineering podcast. Some of his favorite episodes include #41 with Samy Kamkar, #14 with Joe Grand, and #23 with Major Malfunction. (Jen Costillo co-hosts the show and has been on Embedded several times.)

Alvaro works at Sofar Ocean, making oceanic sensing platforms. He has a personal website linking to his other exploits.

We talked about some Embedded episodes as well:

Also, we’ve all really enjoyed Disney’s The Mandalorian.

352: Baby's First Hydrofluoric Acid

John McMaster (@johndmcmaster) told us about the process of opening up chips to see how the processors are structured and what the firmware says. 

See John’s website for information on getting started (as well as digging much deeper).

John has given some interesting Hardwear.io talks including Capturing Mask ROMs and Taming Hydrofluoric Acid to Extract Firmware. His talks and many others are available on the Hardwear.io archive. Or sign up for the Hardwear.io Online Hardware Security Training, Berlin Jan 2021.

As mentioned in the show:


304: ADC Channel Six

What do you get when you connect the open-source reverse engineer of Valve’s Steam Controller and the main electrical engineer of said device?

Jeff Keyzer (@mightyohm) and Gregory Gluszek (@greggersaurus) join us to talk about building and taking apart devices.

Greg’s project is on GitHub as the OpenSteamController. He used pinkySim, an ARM simulator.

Jeff has left Valve and is now a freelance engineer who also sells kits on mightyohm.com. The incredibly useful comic on how to solder lives there: mightyohm.com/soldercomic

I-Opener was the computer discussed.