Travis Goodspeed @travisgoodspeed Twitter profile

Pinned Tweet

Travis Goodspeed

6 years

Howdy y'all! In this friendly little tweety-box thread, I'd like to share my new project with you. It's called the GoodWatch, and it will be next month at Shmoocon. 1/n

65

515

1K

Last Seen Profiles

@cardibcaviar

@reeltokpodcast

@devangodedra

@Coach_TMoney

@VERY_web

@peiyao9999

@Heeseiung

@GachaLifeSex1

@Shan96

@SophieZhao94

@EvaLissa585839

@ChayyahsKitchen

@ChrisGa51928331

@lospilares11

@Injective_Bears

@TrapGawdSociety

@dmek69541832

@creamsunberry

@carcassamc

@VyugenOfficial

@BBTS_koushiki

@siketerujinsei

@ren_gojo_

@phil81190

@flo_wershower

@CoinFieldEX

@memesmymemes

@yuu65644786

@MagdalenaW37479

@signmagazine

@cameosweets2

@LA912645785

@novuslabs_io

@SetonHall

@LeilandTanner

@QQtippy

Travis Goodspeed

@travisgoodspeed

5 months

A while back, @david_rysk asked me to dump the firmware of the Wersi SL-M2 51173 Slave Sound Generator, a plugin module for Wersi's DX10 synthesizer. @p4ula sent me three boards from Germany, and this thread will show the extraction process from the saw to the bits. 1/n

14

124

612

Travis Goodspeed

@travisgoodspeed

2 years

This is the @Raspberry_Pi Pico RP2040, internally labelled as RP2B0-2020. Externally it's labelled as RP2B1. 1/5

10

76

570

Travis Goodspeed

@travisgoodspeed

8 months

Geoff Chappell passed away today on his own terms, surrounded by family and while his good humor remained intact. Please listen to a Beatles record and read a little assembly code in his honor.

41

123

519

Travis Goodspeed

@travisgoodspeed

7 years

The PoC||GTFO Bible will be available this summer. Preorder now for only $30, and maybe grab a second for a student.

23

369

495

Travis Goodspeed

@travisgoodspeed

7 years

Want to learn embedded ARM reversing? Here's a quick little tutorial on loading MD380 firmware into IDA Pro.

2

278

494

Travis Goodspeed

@travisgoodspeed

2 years

CIC chip from a Nintendo 64 cartridge.

11

80

492

Travis Goodspeed

@travisgoodspeed

6 years

Final drafts of the Second Book of PoC||GTFO have been delivered to @nostarch , containing all the articles from PoC||GTFO 9, 10, 11, 12, and 13. Look for it this summer wherever fine books are sold, and write plenty of notes in the margins.

15

182

471

Travis Goodspeed

@travisgoodspeed

2 years

Over the summer, I got nerd sniped with extracting bits from microscope photographs of mask ROMs. Here is my C++/Qt6 CAD tool for marking and extracting bits, including Design Rule Checks, a variety of export formats and a CLI.

8

102

430

Travis Goodspeed

@travisgoodspeed

6 years

The second collected volume of PoC||GTFO is available for pickup at @defcon , and also for preorder at @nostarch and wherever fine books are sold. Please write in the margins and give a second copy to a clever student.

15

165

408

Travis Goodspeed

@travisgoodspeed

2 years

This is the CPU from the Game Boy Color, revision C. 1/2

6

38

399

Travis Goodspeed

@travisgoodspeed

2 years

Not all unlicensed NES games cloned Nintendo's CIC chip. Mig-29 Soviet Fighter by Camerica uses a voltage glitch to crash the console's CIC chip, so that the game can continue without generating the right sequence. SW1 switches between two different glitching strategies.

7

65

395

Travis Goodspeed

@travisgoodspeed

2 years

X-Ray of a USB C to Ethernet/RJ45 adapter.

9

48

379

Travis Goodspeed

@travisgoodspeed

1 year

I need some good photographs of the MYK78 Clipper Chip, but the best ones available are my own photos from grad school, and those aren't quite good enough. So let's go step by step and see what's inside! 1/n

9

98

369

Travis Goodspeed

@travisgoodspeed

6 years

Twenty years ago, the web peaked with Hamster Dance and has been going down hill ever since.

16

117

344

Travis Goodspeed

@travisgoodspeed

3 years

Not content to simply theorize about the parrot that traumatized RMS sufficiently to be a part of his speaking rider, @dakami provided the voice sample for an animatronic recreation of the parrot. "RAAAAAWK! OPEN SOURCE!" "RAAAAAWK! GNU SLASH LINUX!"

2

43

345

Travis Goodspeed

@travisgoodspeed

1 year

CPU of a Game Boy Advance.

6

34

321

Travis Goodspeed

@travisgoodspeed

2 years

GeneralPlus GPLB52x from a Tamagotchi toy. This is a mask-programmed 6502 with an LCD controller. 1/4

6

43

317

Travis Goodspeed

@travisgoodspeed

6 years

Friendly reminder that you can now buy PoC||GTFO wherever fine books are sold. This is the Barnes and Noble in Cupertino.

16

66

304

Travis Goodspeed

@travisgoodspeed

6 years

If the only thing you like about Windows is ollydbg, check out EDB, an Olly clone for Linux.

GitHub - eteran/edb-debugger: edb is a cross-platform AArch32/x86/x86-64 debugger.

edb is a cross-platform AArch32/x86/x86-64 debugger. - eteran/edb-debugger

github.com

5

130

304

Travis Goodspeed

@travisgoodspeed

4 years

I managed to open source my Android app for reading, writing and executing shellcode in RF430 NFC tags this morning. (Backdoor password for the RF430TAL152H is redacted, but everything else is there.) cc @cryptax @doegox @PagetPhil

GitHub - travisgoodspeed/GoodV: Android app for the RF430FRL152H and other NFC Type V tags.

Android app for the RF430FRL152H and other NFC Type V tags. - travisgoodspeed/GoodV

github.com

8

122

309

Travis Goodspeed

@travisgoodspeed

7 years

PoC||GTFO 14 will be released on paper in Heidelberg, Canberra, and Miami. It has sixty pages, and its MD5 hash is on the front cover.

15

193

298

Travis Goodspeed

@travisgoodspeed

2 years

The CHV307 from is a Risc-V microcontroller. 1/2

4

32

297

Travis Goodspeed

@travisgoodspeed

1 year

87072 Floppy controller from @intel . 1/n

2

51

293

Travis Goodspeed

@travisgoodspeed

8 years

"How good are you with Linux?" "Well, I've written a few kernel modules, but I can't seem to resize xterm fonts without an external mouse."

5

114

281

Travis Goodspeed

@travisgoodspeed

12 days

So the exploit is to pull a drill bit to 3.3V, then slowly turn it in the right spot while requesting writes over SATA. When the bond wire is broken, write protection will also break, and the EEPROM can be rewritten. Ain't that nifty?

6

50

297

Travis Goodspeed

@travisgoodspeed

3 months

MD5 4d37c6712a2239962005eda3be6367b4

5

98

289

Travis Goodspeed

@travisgoodspeed

4 months

Art from Sun's Java ring, manufactured by Dallas Semi.

10

57

288

Travis Goodspeed

@travisgoodspeed

9 years

http://t.co/pKOkvVEXqT

24

348

270

Travis Goodspeed

@travisgoodspeed

2 years

Such a nifty trick! ADS-B reports position uncertainty, so if you map the uncertainty, you can map the GPS jamming.

John Wiseman

@lemonodor

2 years

Finally, the only daily, global, free map of GPS interference has officially launched: Watch jamming around conflict zones develop over time. Wonder who's jamming GPS all around Moscow. Like all the best maps, it raises more questions than it answers!

86

1K

4K

0

89

274

Travis Goodspeed

@travisgoodspeed

7 years

My favorite Phrack article. There is no better deep dive introduction to ARM machine language.

5

106

267

Travis Goodspeed

@travisgoodspeed

4 years

I brought one hundred NFC Type 5 microcontroller boards to Shmoocon, which are OTA programmable from Android. You can have one for free if you install the compiler toolchain documented on the Github page.

31

64

262

Travis Goodspeed

@travisgoodspeed

6 years

After half a decade without one, I am proud to announce the first official PoC||GTFO website can be found at . Best viewed with Microsoft Internet Explorer 4 on Windows NT.

7

100

249

Travis Goodspeed

@travisgoodspeed

2 years

PIC18F84-10 from @MicrochipTech in 1995.

18

31

236

Travis Goodspeed

@travisgoodspeed

1 year

Unknown chip from a pink cat walkie talkie.

3

24

235

Travis Goodspeed

@travisgoodspeed

5 months

Does anyone know this three pin telephone standard from Yugoslavia? I'd like to adapt it to an American telephone line simulator, but I can't figure out the third pin. There's no semblance of a dial tone or a ring with any pair of pins.

45

40

239

Travis Goodspeed

@travisgoodspeed

6 years

The only downside to this casing is that strangers in bars think I'm insane when I tell them it's my own electronics and software. 22/n

5

17

234

Travis Goodspeed

@travisgoodspeed

6 months

I find myself wondering what a Soviet ROM looks like, so let's tear apart the КР1801РЕ2 from a PDP11 clone, the Электроника БК. If 108 is the mask number, this should hold a part of the BASIC interpreter. 1/n

4

27

234

Travis Goodspeed

@travisgoodspeed

2 years

This is the STM32F405, a 32-bit ARM Cortex M microcontroller from @ST_World . 1/3

6

26

222

Travis Goodspeed

@travisgoodspeed

2 years

Dallas DS5002, an early secure microcontroller. Nonvolatile memory is encrypted with a 64-bit key. The chip is also available with an internal microprobe shield, but I don't think that was included in my sample. 1/n

3

41

223

Travis Goodspeed

@travisgoodspeed

3 years

You youngins won't believe this, but back in the day, we had source code listings in grocery store magazine racks, and the expectation was that by now everyone would learn enough to write their own short programs, rather than just the professionals who did it as a career.

YORE COMPUTER 🕹

@yorecomputer

3 years

1984: Your Spectrum Magazine Issue 06, page 77 Full mag -->

1

10

36

15

62

215

Travis Goodspeed

@travisgoodspeed

6 years

PoC||GTFO 17 will be released on paper next week in Leipzig and next month in Washington, DC. I hope you enjoy reading it.

3

76

212

Travis Goodspeed

@travisgoodspeed

1 year

Ever wanted to try your hand at decoding photographs of a mask ROM into a .bin file that you can emulate or disassemble, but didn't quite know where to begin? I wrote a tutorial around the GameBoy's boot ROM today, featuring MaskROMTool and Zorrom.

GitHub - travisgoodspeed/gbrom-tutorial: Tutorial for extracting the GameBoy ROM from photographs...

Tutorial for extracting the GameBoy ROM from photographs of the die. - travisgoodspeed/gbrom-tutorial

github.com

5

64

213

Travis Goodspeed

@travisgoodspeed

10 months

MK51, a single-chip RPN calculator from Электроника. The program ROM is on the right side, but bits are not surface visible. Maybe I can reveal them with delayering or a Dash etch.

8

33

213

Travis Goodspeed

@travisgoodspeed

2 years

NXP (née Phillips) PCF7941, used in some car keys many decades after cars became boring. 1/2

3

21

201

Travis Goodspeed

@travisgoodspeed

4 years

For students who know C but haven't yet done firmware, I can't recommend enough this write up by @jg_lim . All the tools are described, and nothing is left as a magic trick or a mystery.

0

65

209

Travis Goodspeed

@travisgoodspeed

1 year

Zilog Z84C0008FEC from a TI 83+ graphing calculator. 1/2

2

23

206

Travis Goodspeed

@travisgoodspeed

10 months

LED digit from an Elektronika wristwatch. (Soviet electronics monopoly.)

6

26

200

Travis Goodspeed

@travisgoodspeed

1 year

Atmega328P from Atmel

4

24

197

Travis Goodspeed

@travisgoodspeed

5 years

I'll be bringing a few hundred GoodWatch30 boards to give away at Defcon. Bill of materials and schematic are on the github page.

GitHub - travisgoodspeed/goodwatch: Replacement board for Casio Calculator Watches using the...

Replacement board for Casio Calculator Watches using the CC430F6147 - travisgoodspeed/goodwatch

github.com

11

45

193

Travis Goodspeed

@travisgoodspeed

8 years

A little piece of me dies every time I read a paragraph like this in a paper.

17

123

186

Travis Goodspeed

@travisgoodspeed

6 months

X-Ray of an NCR 6500/1P with particularly good contrast on the bond wires.

3

23

195

Travis Goodspeed

@travisgoodspeed

10 months

It's crazy how much space is wasted in a DIP package, just to keep the 0.1" pitch.

8

19

187

Travis Goodspeed

@travisgoodspeed

1 year

Dallas iButton chip, the DS1463. You might have one of these on a keyfob somewhere. 1/n

2

26

185

Travis Goodspeed

@travisgoodspeed

6 years

PoC||GTFO 18 is ready and waiting at @reconmtl in Montreal! The electronic release will follow sometime next week.

5

79

185

Travis Goodspeed

@travisgoodspeed

6 years

The #TR18 badge is an FM receiver with pirate number stations! Troopers18 1552-5653-7270-5437-5441

9

55

179

Travis Goodspeed

@travisgoodspeed

1 year

ARM6 CPU, from an Acorn Computer module.

3

21

182

Travis Goodspeed

@travisgoodspeed

1 year

Nintendo MAD-1 chip, from an SNES cartridge.

2

20

179

Travis Goodspeed

@travisgoodspeed

5 months

Hey, schematics were hidden inside!

14

5

183

Travis Goodspeed

@travisgoodspeed

7 years

As our first release that (hopefully) doesn't lose money, royalties from the Book of PoC||GTFO will go to charity.

7

102

178

Travis Goodspeed

@travisgoodspeed

9 years

PoC||GTFO 4:13 by @rantyben , for David Cameron when he needs help on his cryptography homework. http://t.co/3P9lgb7kwg

6

189

172

Travis Goodspeed

@travisgoodspeed

3 years

Back in January, I complained to @evm_sec about not having a decent database of Thumb2 functions to recover from statically linked firmware, so we wrote a web API at and clients for IDA, GHIDRA, and Binja. Upload 18 bytes of a function, download the name.

3

51

170

Travis Goodspeed

@travisgoodspeed

1 year

I finally have a bit-perfect copy of the MYK82 Fortezza chip's ROM. Comparing it against an older dump shows that I had only 0.1% of the bits wrong. To get that perfect dump, I just marked two photographs and then reconciled errors until they matched.

1

21

167

Travis Goodspeed

@travisgoodspeed

6 years

In all my years of embedded systems, @Voja_Antonic is the only fellow I've ever bugged for an autograph. It embarrassed the hell out of him, as it annoys the hell out of me, but now that he's the first to ship a badge that runs BASIC, I regret nothing.

3

37

165

Travis Goodspeed

@travisgoodspeed

1 year

How often do you lock your car? I bought my pickup without door keys, so I've been leaving it unlocked in the city for three or four years. It was finally broken into today, and I snapped a photo of the perpetrator.

16

10

169

Travis Goodspeed

@travisgoodspeed

6 years

The radio is based on the same CC1101 core that the GirlTech IMME used, so all the old IMME hacks are portable. My reflexive jammer for P25, Mike Ossmann's iClicker emulator, and Samy's OpenSesame can all be adapted to this platform. 10/n

4

21

155

Travis Goodspeed

@travisgoodspeed

2 years

TMS320C10NL from Texas Instruments.

5

18

159

Travis Goodspeed

@travisgoodspeed

2 years

Tempted to try a voltage glitching attack, but worried that you can't make the timing precise enough? Turns out it's possible to glitch out the firmware protection on the STM8 with a pair of 555 timers!

1

43

160

Travis Goodspeed

@travisgoodspeed

1 year

Dallas DS5000. This module contains a CPU, SRAM and a battery backup for the SRAM. 1/n

10

7

158

Travis Goodspeed

@travisgoodspeed

1 year

X-Ray of a Dutch train ticket. The RFID chip is that little bright spot in the northeast.

11

14

154

Travis Goodspeed

@travisgoodspeed

6 years

And while the GoodWatch10 was certainly the coolest hex editor watch to wear last month, things can be niftier. In this photo, it a GoodWatch20 is beaconing my #hamradio callsign to a Yaesu 817 as Morse code. 7/n

5

25

148

Travis Goodspeed

@travisgoodspeed

7 years

Windows batch files can be modified while executing, and execution will continue from the byte offset of the expected next line. Why?

28

87

151

Travis Goodspeed

@travisgoodspeed

11 months

At @reconmtl in a couple of weeks, I'll be teaching how to reverse engineer ROMs from photographs. Today I pushed an example to Github. This is a dump of the MYK82 chip in a Fortezza card, a successor to the Clipper Chip. 1/n

GitHub - travisgoodspeed/myk82rom: ROM dump of the MYK82 chip in a Fortezza Card. Successor to the...

ROM dump of the MYK82 chip in a Fortezza Card. Successor to the Clipper Chip. - travisgoodspeed/myk82rom

github.com

3

50

155

Travis Goodspeed

@travisgoodspeed

6 years

I'll be speaking about the GoodWatch project at Defcon's @WiFi_Village today, 11h00. Learn how to make your own, with frequency counter, hex editor, and years of battery life in a stylish Casio case. Code and hardware at

4

44

148

Travis Goodspeed

@travisgoodspeed

7 years

PoC||GTFO 15 will debut this week! It has 100 pages to keep you busy until the book comes out. Bibles available at

3

100

151

Travis Goodspeed

@travisgoodspeed

7 years

The next time I specify 0201 components in something that I will hand solder, please send me this photograph.

17

46

151

Travis Goodspeed

@travisgoodspeed

3 years

The good folks at @nostarch are running a sale this weekend, so maybe it's time to order some fine technical books and build a crazy project with what you learn in them?

2

26

144

Travis Goodspeed

@travisgoodspeed

4 years

In case you missed it this weekend, @BitBangingBytes dumped the firmware from a Kenwood TH-D74 ham radio, and I posted some initial notes on reverse engineering the string localization and CAT commands at

4

44

147

Travis Goodspeed

@travisgoodspeed

8 months

Motorola 68HC11A8, top metal, minimum magnification.

9

22

149

Travis Goodspeed

@travisgoodspeed

7 years

PoC||GTFO 16 is camera ready, and with a little luck it will be available at @h2hconference and @hacktivityconf . It is a damned fine read.

6

59

144

Travis Goodspeed

@travisgoodspeed

2 years

If you pirated TV twenty years ago, could you kindly look through your smart card collection for any Nagra1 cards? They look like this, and I'd very much like to have more of them for a history project, even though they have long been useless for watching TV.

14

84

144

Travis Goodspeed

@travisgoodspeed

2 years

It's always weird taking apart soviet electronics. This Электроника МК-52 uses white blobs instead of black blobs for its wire bonded chips. Anyone know which blob holds the main ROM?

11

22

143

Travis Goodspeed

@travisgoodspeed

2 months

When you have a speaking lesson in @duolingo on Android, try hitting the button to speak immediately as the sentence appears. Because of a race condition, Lily will speak for you and the speech recognition will pass.

6

12

145

Travis Goodspeed

@travisgoodspeed

2 years

CPU chip from a Nintendo GameBoy (DMG-01).

2

20

143

Travis Goodspeed

@travisgoodspeed

7 years

I've been told that I'm no longer allowed to keep these two together next to pizza when house guests are around. #everyruleabody

12

20

142

Travis Goodspeed

@travisgoodspeed

8 years

Here's rabin2 finding Chinese strings in the MD380 firmware without any trouble. Stop using GNU Strings and learn @radareorg .

5

77

144

Travis Goodspeed

@travisgoodspeed

5 years

Today I drove my Studebaker to the local Radio Shack. Don't ever let someone tell you that you'll never enjoy a wacky time travel adventure!

7

13

138

Travis Goodspeed

@travisgoodspeed

2 years

What kind of a psychopath writes an entire book about BASIC with no mention of PEEK and POKE?

18

7

140

Travis Goodspeed

@travisgoodspeed

9 months

I released a new build of for Windows and Mac today. It includes a new CLI tool for decoding ROM bits and has OpenGL enabled by default. Dual-screen support was added in the last release, but it's handy enough that I'll mention it again.

GitHub - travisgoodspeed/maskromtool: A CAD tool for extracting bits from Mask ROM photographs.

A CAD tool for extracting bits from Mask ROM photographs. - travisgoodspeed/maskromtool

github.com

4

42

137

Travis Goodspeed

@travisgoodspeed

2 years

Lately I've been digging back into the MSP430F449, an old microcontroller that's used in some battery powered medical equipment. It has a 160-segment LCD controller, 60kB of code memory, and 2kB of RAM. It's 12-bit ADC can be used for sampling the outside world. 1/4

2

14

138

Travis Goodspeed

@travisgoodspeed

6 years

The GoodWatch and other projects were helpfully financed by @skytee , who has been funding my recent sabbatical by paying me one dollar for every day since I last wasted an hour of my life in a daily SCRUM meeting. Thanks, neighbor! 16/n

4

10

137

Travis Goodspeed

@travisgoodspeed

3 years

Nifty deal at the Knoxville hamfest today. It's an SDR for shortwave frequencies that's used over a LAN.

9

7

138

Travis Goodspeed

@travisgoodspeed

2 years

Slow-cooked a Tengen Rabbit today. This chip replaced Nintendo's CIC chip, allowing unlicensed games to run on the Nintendo NES.

3

20

137

Travis Goodspeed

@travisgoodspeed

7 years

Geoff Chappel posted a quick userland memory corruption PoC that crashes NT 3.51 to Windows 10 and 2016. Details at

5

117

133

Travis Goodspeed

@travisgoodspeed

10 years

I used to love freedom, but then I used OpenOffice, and now I'm not so sure.

8

157

135

Travis Goodspeed

@travisgoodspeed

7 years

How many hours of frustration would be saved if we adopted SPI naming conventions for UART pins?

16

30

137

Travis Goodspeed

@travisgoodspeed

1 year

AT88SC0808C Internally labelled as AT29657

1

18

134

Travis Goodspeed

@travisgoodspeed

8 years

How is German beer like a packet with TTL=0? No hops!

9

116

132

Travis Goodspeed

@travisgoodspeed

5 years

I documented how to load the MD380 radio's firmware and symbols from the md380tools project into GHIDRA. Should work as a handy example for other embedded ARM targets, including stubborn compatibility between the decompiler and Thumb literal pools.

4

46

133