Black box reverse engineering for unknown/custom instruction sets

Video in TIB AV-Portal: Black box reverse engineering for unknown/custom instruction sets

Formal Metadata

Black box reverse engineering for unknown/custom instruction sets
Title of Series
Part Number
Number of Parts
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Have you ever come across a firmware image for which you couldn’t find a disassembler? This talk will cover reverse-engineering techniques for extracting an instruction encoding from a raw binary with an unknown/custom instruction set. The main focus is on static techniques and features of firmware images that you can use to your advantage–but some dynamic techniques will be covered as well.
Area Group action Multiplication sign Binary code Letterpress printing Image registration Black box Number Revision control Proof theory Process (computing) Computer animation Meeting/Interview Resultant God Reverse engineering
Computer animation
Statistical hypothesis testing Point (geometry) Building Dynamical system Functional (mathematics) Code Image resolution Virtual machine Microcontroller Mereology Computer programming Number Twitter Fluid statics Frequency Different (Kate Ryan album) Analogy Touch typing Computer hardware Core dump Energy level Data structure Physical system Covering space Noise (electronics) Multiplication Focus (optics) Assembly language Binary code Constructor (object-oriented programming) Mathematical analysis Sound effect Entire function Computer animation Mixed reality Quicksort Family Reverse engineering Disassembler
Code Multiplication sign Archaeological field survey 1 (number) Set (mathematics) Numbering scheme Water vapor Real-time operating system Mereology Disk read-and-write head Computer programming Neuroinformatik Medical imaging Semiconductor memory Computer configuration Different (Kate Ryan album) Core dump Cuboid Diagram Endliche Modelltheorie Series (mathematics) Information security Thumbnail Exception handling Theory of relativity Block (periodic table) Keyboard shortcut Sampling (statistics) Bit Price index Process (computing) Vector space Chain Heuristic Pattern language Right angle Quicksort Figurate number Reverse engineering Spacetime Asynchronous Transfer Mode Surjective function Point (geometry) Slide rule Functional (mathematics) Game controller Service (economics) Computer file Virtual machine Regular graph Coprocessor Rule of inference Power (physics) Number Element (mathematics) Hausdorff space Self-similarity Causality Term (mathematics) String (computer science) Boundary value problem Representation (politics) Selectivity (electronic) Data structure Analytic continuation Booting Address space Compilation album Hydraulic jump Computer architecture Form (programming) Module (mathematics) Matching (graph theory) Information Hazard (2005 film) Projective plane System call Symbol table Word Computer animation Personal digital assistant Table (information) Family Disassembler
Logical constant Suite (music) Dynamical system Group action Randomization Computer programming Neuroinformatik Fluid statics Sign (mathematics) Mechanism design Different (Kate Ryan album) Core dump Error message Physical system Social class God Exception handling Oracle Theory of relativity Block (periodic table) Structural load Binary code Sampling (statistics) Sound effect Bit Sequence Process (computing) Order (biology) Pattern language Heuristic Summierbarkeit Quicksort Reading (process) Speicheradresse Spacetime Arc (geometry) Point (geometry) Histogram Computer file Similarity (geometry) Translation (relic) Control flow Branch (computer science) Rule of inference Number Crash (computing) Computer hardware Energy level Selectivity (electronic) Data structure Address space Metropolitan area network Distribution (mathematics) Assembly language Key (cryptography) Interface (computing) Counting Set (mathematics) Line (geometry) System call Equivalence relation Compiler Vector potential Word Loop (music) Software Personal digital assistant Window Disassembler Interior (topology) State of matter Differential (mechanical device) Code Plotter Multiplication sign 1 (number) Set (mathematics) Function (mathematics) Coma Berenices Mereology Formal language Programmer (hardware) Virtual memory Hooking Semiconductor memory Analogy Bus (computing) Cuboid Flag Endliche Modelltheorie Thumbnail Scripting language Graphics tablet Predictability Area Data storage device Determinism Fehlererkennung Flow separation Measurement Entire function Vector space Configuration space output Right angle Reverse engineering Ocean current Trail Functional (mathematics) Electronic program guide Heat transfer Coprocessor Hypothesis Power (physics) Causality Operator (mathematics) Software testing Absolute value Hydraulic jump Condition number Module (mathematics) User interface Noise (electronics) Multiplication Validity (statistics) Debugger Bound state Mathematical analysis Cryptography Pointer (computer programming) Computer animation Formal grammar Moment <Mathematik> Transmissionskoeffizient Tuple
Computer animation
I AF bed and action needed a moon to a new version of a and
B the the the the the so have a short
announcement from Travis could speed and will also introduce the stock but that is area the still as is the tradition every recon and a few other neighborly conferences we have the International Journal of proof of concept to get the fuck out this is released number 12 we um we 0 and X this is the 13th release and I believe a 3rd or a 4th that we can't allergies is always generous enough to um to print is far as and ensure that the printing is good the by the registration desk as swing by and grab 1 but don't ask for permission and don't like to slow down and dear God don't mob because their job is not enough and the next talk is by David kind of a body mind from my of from way back 0 I got it has been a long time yeah i j is in Italian how to reverse engineer a black box instruction set and then it by this it's not like instructions that you don't know this is 1 that no way nobody knows but for which you have an example binary and the ability to make changes and observe the results in a binary and nothing else so so without further ado David kind thank you thank you the what the there yeah I'm among the generator of the HMI I wasn't attacking the yeah it nothing you want it would be but I will let's see if I can get it not mirrored otherwise it won't have a speaker notes
and that will go so well the ego
but but but but it we right so as
Travis so most can introduce them my name is David part of the talk i'm doing his
reverse engineering and construction coatings from robberies and this talking about because I was doing some hardware reversing during a custom core and a number of my a number of my sufferers friends were asking about how does 1 approach a problem like this and so I don't have any you don't fancy Austin softer released for use today although I will be putting the disassembler assembler than talking about here up online but it's not that cool the parties in the cold some of the techniques that we talk about a relatively well known but a lot of people apparently haven't seen before so hence the top but in fact so well known that on on Monday that I was a tons of friends I see about that I was going to be doing and they said hey I did someone do something just like this I recon 2012 and much to my dismay trends of the dead so I'm going to begin with the citation to sh share of interesting would become 2012 reverse-engineering of binary programs for customer for machines and 1 on the subject of citations also mention the effects of the Penal building customer disassembles which was presented at 2073 upper reversing and hearing of steps 7 stuff but my focus is as opposed to those 2 is going to be more on microcontrollers and low-level systems you know things that are directly coupled to the hardware and where they were built for a custom reasons because they needed a custom harbor functionality as opposed to trying to deter analysis where what have a custom by code and wait a little bit different down those of low levels you find interesting thing that you don't find in incentive diems and in particular this target wouldn't be looking at today is not really amenable to a lot of automated analysis techniques or or or why statistical techniques the the plain text or image size that we have is just so small and the fact that it's a mix of coding data tends to really reduce the signal to noise ratio for from any kind of you know both statistical or or ball you know and test some automated method so today's example of all 4 of you talk about a couple techniques are the 1st of which is cheating because there's no point in reverse engineering and entire custom core justify out you discover data 51 the 2nd is using a former structures your advantage and I'll touch briefly on static techniques and then M and then followed by some dynamic techniques and I've only got a 30 minute slots in the moving really really fast and covering this in a very high level of you wanna know more details please pigeonhole me after a lunch or something like that and true of Angelina cover the static techniques very well so I'm going to just sort of cover 1 example of recovering code of colorful from that to so today's example is the ATF 72 42 and that's an RF transceiver see as made by Analog Devices and the family includes sort of multiple variants for different frequency bands and all inside of it it is a constant war that interacts directly with the ah hardware and it's interesting for some reasons all talk about later but 1st I should mention that
reversing this has no particular importance in the securities scheme of things at all so I'm not claiming this is an important security binding by the observers and you're right this and you'll need point of interest for going after this thing is I always start on it because of my crime was interested in using this for a better ZigBee sniffer I'm and its inter interesting because can be interfaced with a computer with only a low cost as PI cable like any FDI cable you might have lying around on and since you can execute for on the chip you can do real-time operations like real-time jet of selective jamming or of real-time channel hopping the fall of the channel hopping transmitter of without having to deal with and compensate for the USB latency and of course finally it's it's interesting because it exists it so you know and and a binary out there that's the customer instruction set is a sort of reverse so as part of this project I created similar for the ATF 72 42 and the similar families all oppose later for anyone that wants it if there is anyone the the so 1st the 1st thing we have in the data sheet is that the radio control and Packet management of the park are realized through the use of an 8 bit custom processor and embedded wrong and this is about all the information we have about it that there's a packet manager with a processor that addresses to memory spaces which is the program RAM enrollment in 1 memory space and a bunch of data for various uses in the other so that brings us to technique 1 which is cheating I'm and as a rule of thumb until proven otherwise accustomed cause custom most of the time it usually just ends up being in 8 51 and attend silica extends the core or as synopsis series core and the extends in our course a really commonly found because they allow a processor designer to sort of check a bunch of options and and have a core created for you that you can synthesize new product and get a tool chain that knows how to use it as a they support adding custom instructions as well but they're based around a common core that you know hatcheries hazardous and symbol for some of it I believe that is definitely a disassemblers out there for some of those and those services starting point for a 99 % which only hum of course you have your friends have been locked at cachet which can sometimes it and find architecture for you you lucky as strings is great data presbyterial don't neglect this stuff before you dive right into the fund technical work and it is as an example of why strings is better than 1 might think uh there was a DSP those looking at once upon a time that was effectively a black box this chip you just I gave it a blob that manufacturer said you had to and mention and extends which shelters and extend the court that is the vector DSP instruction set on as well the ah atrocities and so don't neglect the simple stuff but back to the sample that we have so we have a data sheet for the party unloadable firmer marginal and Act No describing what that will will for more model does so that little formal model and extend the functionality of the 72 42 so does things like implement addressing filtering so can automatically say hey this packet coming in is this 1 that's of interest to the processor does this year the match on is of a friend had want OK then interrupt the processor but not otherwise so it's great for low power modes and and this little for model we have is only 1369 bytes so it's a very small sample of in terms of having something to look at the figure how it's behaving and what we wanna know it is 1st of all what kind of machine are we dealing with his it is a stack machine is a register machine water the datapath sizes inside of it and it's a register machine and how many registers does it have and how how larger than we'd like to know whether the operands are the instructions are registered register warm memory to memory and we also like to know whether the memory layout is 1 unified address space that covers everything I'm or whether it's separate spaces for those 2 blocks and it destroyed before and actually already have some hints from the diagrams that we had before that we shown before on and 1 example is that it showed an 8 bit datapath coming from the programmer on and that right away tells you it's probably not a a processor that's using a weird uh for example I could pick a series of 14 bit instruction word because if you building custom silicon I'm and if we assume the data she's telling the truth but there's no reason to actually use a 10 a bit to the path from the wrong 1 you can just use a 14 that 1 just as easily the so before I don't on the next slide does anyone here remember bank-switching which encode is anyone unfortunate enough to be still writing code for something that does bank-switching requires it I guess there's a couple of us here I guess most everyone's lucky and bank switching is when you swap with a bank of memory in no because the processor address space is large enough to encompass the entire look you know code that you wanna run on it and that shows a really really well and when you have a and that shouldn't really really well when you have the floor file of example in this image that I'm showing you right here on you can see regular structure at power of 2 boundaries and that's a real clear indication that whatever cardio looking at is using banking of some kind of a good heuristic is said to have a number of zeros are F repeating bytes right before power to boundaries and and that'll that'll the lowest power of 2 that has that is probably the 1 that you're using banking occur at but actually these days compilers about and so good at allocating code the situations that I had to sort of be the compile over the head to make an image that would show up here and and does so I recommend that the heuristic method that rather than visually on but there's other structure in from
files that we can use to our advantage and that's that they have to have entry points and so this is a loadable module it's you know not a piece of foam or the ones rail like controller so might be a little bit different but still the e to the wrong that's gonna be talking to this little model or if it's just fall off the rod former for the processor the processor still needs to get to the part of the code that you want to execute so it's very it's a very common feature and you actually heard some of this being talked about in the last talk and to have a vector table and the vector table tell the processor hey here's where you going to execute in the case of a certain instruction Our sorry it's an interrupt or in you know for example at receptors and it's very common to have this at the start of the and and sometimes this table takes the form of a number of instructions that will perhaps jump to the code or it might be tightly packed table Madison's and I did a brief survey of a handful of randomly selected better architectures some of which are common so which are less common and as you see the vast majority allocated continuous vector table at the start of the end with the exception of 1 which actually only ever boots from a boot loader so it's a bit different but some of them can be located after the start but it still needs to be at a fixed point on the power of which is generally 1 of those 2 places usually it's tightly packed so as not spread all over the the from words usually tightly packed at 1 end or the other on and as I mentioned before some of them are represented as addresses others representatives instructions and if we go back to our sample of this is the 1st time of shows you the actual sample we had some what we see register file it's a pattern of sort of what I would call stride to us try to pattern right at the start you know to to buy chunks the self-similar on onto but boundary followed by a series of 3 By chunks there are similar on that pattern and if we assume that all of this is the vector table what would be a bit of an odd 1 because you don't normally see a vector table that has different sized elements in it it would be harder for the processor letter to implement so let's think about what we know about vector tables well if it's addresses its the doesn't call because it makes sense for this look at the 1st part because we look at those as big-endian encoded addresses while they only differ by a single byte for each value values so that can be branching to meaningful code or it's a little endian encoding Iris then the space by all its 100 256 bytes and then runs off the size the model we just loaded so that can be a sense clans explanation either and that leaves instructions for the other options they probably aren't absolute jobs because we still have the problem about how you encode the the jump destination but what if the relative jumps and if these are 2 byte relative jumps to E 3 by destruction perhaps an absolute jump the now actually makes sense for the 1 big difference because relative jumps you use the added to the program counter in some way and that turns out to be exactly what the cases for this particular
processor but it's a it's a two-byte relative jump to a 3 by absolute jump goes somewhere somewhere else in the program and this is a trampoline pattern it's very common embedded systems means the same thing is trampoline and in any other system we've looked at it so 1 jump to another to to get the final destination of purchased and may not be able to reach and if we look at the last few bytes on the absolute jump we can start severing those as well and the lowest 12 it's all seem to differ i'm and they are actually end up having address values that all points within the firm or module that we voted they're all within the size bounds of what would load so this this makes sense as a good sign on the right path but we can be a bit easier than this rather than try to reverse it or analyze it from the bit patterns the simplest approach is just make a histogram i'm just take the last 2 byte values and and plot on a shared and see where they go they get sort of a to the 2 main groupings in this distribution and a you see the spread out over you know at sort of around 0 around the 32 K mart and you you look at something like this and say well I really don't think that this processor has a 16 bit address space there is there is no need for it to be using a full 64 K of outer space what's probably more likely it is that the topic 15th bit is actually a selection it's differentiates between 2 different structures that both take an absolute address and so the hypothesis is that the 15th part that is part of the encoding not the address and if we've all that hypothesis we something that we we see something that looks much more reasonable and and I wanna emphasize about a major earlier these histograms are of all by patterns that match you know that start with an all left bite and so that is basically based on every single all efforts sequence in the file and it's a very small files you don't see a lot of noise normally have a lot of random noise on on the baseline but this is such a small sample you don't see it of so this is old things that match AC classes right down into a nice distribution and that's all within the address space of the programmer on that's a orders within the size of a potential program ROM plus the loadable module so we have a pretty good guess at net you know now relative jump absolute jump now possibly what we think might be a call because if you look at it is basically silicon cost money unlike amour via where they're trying to deter you from analyzing at the so is all about how can I build it in the simplest and cheapest way that'll work than the work and an absolute jump is really similar to an absolute call the only difference is that the absolute call have to push the return address on the stack so make sense just have a single bit that says hey on your have to push the return address of or when you execute that and once we have a call we can find wrecked I'm and the value for return and so functions normally look something like this you got a function return that is followed by another function and indeed this is what the heuristics that was proposed by Eichenlaub of interesting that at recon 2012 except they were going the other way around using rectifying call as opposed to Vice versa about but unfortunately a lot of embedded systems are quite that simple are as simple as the picture shown for example you have a constant pools where you have you read only dad allocated or in some cases we write that I've seen a lot of 1 compiler allocated right after the function body and and and in some cases you also have alignment bytes and that might be because the process requires it of because that's what the API calls for were sometimes that's just what the compiler does for no particularly good reason so have thankfully for us the ATF uh 72 42 is pretty simple and so this is a histogram of the byte value immediately before a call target to look for a call points and then make his gram of all the byte values immediately before that and there's 1 like that sticks out as being by far more prevalent than any other Amélie before where call me point and that's a byte value or let's say which is also the new line or return character and it's if if if the the Analog Devices guide iteratively built the score is out there it's it's it's pretty a nice that you made a return instruction he return character it's very convenient and so the while this works for the naive example here where you don't have any spacing between functions are patterns on a heuristic that works quite well and views on other systems were was the more complex is to do sort of a weighted a weighted his grammar were 1st to eliminate the patterning you can figure out what that is the the padding is used the same I'm and then waits the count of the bite based on how far was back so have like a 10 might look back window or something like that before the target and and with those in that usually ends up with red in the top 3 or so so it's that's worth trying as well but there's other function structure that we can use to our advantage and function generally need to save and restore some call safe state and some embedded arcs save it for you but most are pretty simple and and this is where on this particular target that I stopped being able to use that histograms analyses because the sample size is just too small there's everything just gets lost in the noise floor there's no point in looking more but so that the same state is you that the saving of state is using something like a push a pop here at the start of the and and some manual analysis just look if functions identifies a pair of a byte values that the either always occur together or never occur on at the start and the end of the instructions so you have a pretty good clue that that is involved in saving state of some kind and I'm not gonna walk through you know the whole trial and error process of this entire core because they don't have the time and beat all the border reminds so I'm going sort of leave the static analysis process here for now but then just touch on a couple of points before and we want some dynamics of I remember we can cheat and in the laudable processor model have no that they had for this particular up from a file it had a number memory locations in those memory locations were used to configure the ATIS matching so you knew that those memory locations would contain an address ends and therefore those addresses or memory locations had to be unloaded from somewhere inside this that they could be used so we can go constant hunting go hunting for the binary value of the constants of those memory locations and that's an immediate real quick jump to move immediate followed by uh move register indirect and and and you find those right away and if nothing says that the processor has to use the same memory mapping as your external configuration interface those which is over spy in this case but it's unlikely that they would do anything different because if you do something drastically different you need 2 separate sets of Addis the coders for the same blank memory and X address coders causal car and silicon cost money and they're using custom on the 1st place probably because they want to be cheap or or they need to be very high performance that they could do with something off the shelf so this is the end of World talk about for static methods but using similar guess and check and validate mechanisms as I described before God as a conditional jumps role conditional relative jumps and always relative jumps absolute call absolute jumped returned a man as well as moving mediates the register register transfers register indirect a memory of read and write as well as male you operations which we add subtract compare to test a clear and all that came out to sort a guess and check style and methodologies so remember when you're doing this kind of thing is that code is saying your values should be written to a register of and then promptly overwritten uh the ALU in register should behave in 1 way for the vast majority of instructions and then differently from 1 instruction along that there should be a huge number of distinct encodings for the same operation that you think is occurring uh and value should be presumed to teleport up between registers were from register memory or vise versa but ironically the 80th city 242 breaks through those 4 rules ahead so you can take them as a hard and fast rule because the score is very tightly coupled some are around it but those are some general rules of thumb you can use to figure if you're on the right track and in fact all those produced it back together I will I was reminded of an attempt to decipher a linear a and linear a is a as yet undeciphered Ancient Greek Greek script that was for I'm writing down there the spoken language and the review of 1 pose translation remarked that the quality of a new translation could be judged by how many or rather have few I a new gods hitherto unknown history that the translation proposes and I think the same can be said for binary analysis except replace gods with NOPs I if you got 5 or 6 different things that you think are probably not and because you can't you know what else they might be you probably on the wrong path the so but this is our particular by all you need for a test bench this is all you need I put is key parts of their if you want but you can find both on mouse or any other distributor all using FDI cable on and the little Debord you can get so it's really easy to hook up to a computer and action that with me today if anyone wants to see that the torque just completely the and as a side dumping the
intro all on this was really really easy and so this is the documented command set of the of the SPI interface the user interface with a processor and I sort of wonder what this undocumented area of the coil commands that was if if if anyone has any guesses about what them might get 1 access to you as it did was raised on the also has to say so moving on to that method then you have to move really fast cause I think everyone everyone's go for lunch and 6 minutes and unknown keeping through that and is basically make yourself an oracle and then proceed to query it into you learn all sorts of interesting things of a processor has state and this is an example of the state that I knew about at the point I I stopped my static reversing of it I had 3 registers of of various sizes I of course an instruction pointer and around and you when you execute some instruction on the processor well obviously something happens the state otherwise it would be a very useful instruction so observing this would be trivial if we had a debugger because you could a simple single-step in the dump all the values but in this case we don't even know the debugger exists and if it does exist we don't know how to use it so the goal for a test bench to try and go after these things is to set up as much state as possible on the core using instructions we already know about which is moving media and run an instruction that we don't know what it does but collect all the state that we can and then compare it to see where you know compare against a model of what that instruction should have show that excuse me and vanadium 72 42 this looks like you just sharing it has spent program you know compelling on the host with a little simpler on uploading writing the test bench on the hardware and and that has been set up the state with the moving the instructions as I said and and then the testbench writes the state that round window that I discussed very brief because I'm moving pretty quick and this 30 minutes have rights that state the host reads it back in and then compares it and 1 challenge that you have especially when you all know a little bit about the processor is that it can be very hard to retrieve some state without clobbering others for example I I found that the the processor had a condition like structure because I saw some things working with moving tuples there that were then tested in and branch upon and and you had to read the condition flags register but to do so would clobber register and similarly saving the register would trash the condition flags register so I can get both at the same time and it's obviously a simple solution that is just to make 2 2 Test Benches 1 that gathers 1 part of the state and and 1 that gathers the other and then put back together in software so you can see the entire state that changed and when you run of the test bench step like that you then have to characterize the output the 1st output is no effect and that can be that you're actually not but really when you see a whole bunch of things that have no state problem means that there's some states that you don't know about there's there's something that you have to realize is in there yet that's actually been changed sometimes is a constant effect and the most simple that is moving mediator a clearer instructions but it's also could be unset or unchanged input state if there's input state you're not setting up ahead of time and it's always remaining constant and your husband runs and then that would also appear to be a coset instructions this deterministic effects for example and an ALU operation where you add to input register to control and you can predict what the output value will be there are non deterministic deterministic effects which only appear in top non deterministic because hardware usually is deterministic so unless you think for a good reason that there's already Randa already here see equivalence and down in a particular target it probably means there's input state that you're not controlling it and finally as crash as it is a crash condition and that means that you either found a new piece of control flow that you can't that you don't know what it's doing some or you found an instruction that's either unimplemented that results in a processor hang or you found something weird all talk about what the weird things in this chip that we that I came across a little bit and I strongly recommend building a validation test suite and that's model each instruction on and then what you do is you have a test suite run such that it and compares the execution of the model worse the execution the hardware I'm and you should run each test with multiple random input vectors and make sure that you always predicting the correct output and something is really important to do is make sure that you're not trying to predict the entire state just predict the differentials so that as you discover new state over time that you don't necessarily know about at the beginning and then you can just we the entire test bench with then used state being something random and see if the predictions still hold for example that would allow you to detect some of the difference between an ad add see initially you might think both the initially add that they're both out operands but if there's a carry that that you don't know the set and you find out later on then we run it has been told will identify hammer something there on I should go back and check it and so all talk a little bit about the we wonderful things I found there I think I'm down to 1 minute so long to get to this real quick and it ends of having to set at 2 separate address spaces on program memory is addressed with a 13 bit program counter in and that is just with an 11 and bit of data you know it so that the added idea the RAM 1st for data storage is is an 11 bit adders bus internally it has these registers and easily won the Nobel so far and and I'm fairly certain those are most of them but you know you never know with with this kind of this system as so there's a couple registers which I'm calling general-purpose registers that they're not really general purpose I don't have a better name for them uh there's 5 to 10 bit registers and 16 bit register some are 1 and a half are 1 is usually uses the value in a load store operation words are 2 is usually uses the address I had a in R 1 are usually uses a pair of frail you what's so I don't recall that a 4 accumulator but it's the turns out not to be that after about 4 reverse-engineering and is also 2 really weird registers 1 of which the packet pointer register which is a um sort of register indirect access with hardware base offset based on the current packet it's busy spitting out the RF transmitter and is also a specialized a loop counter register which is only ever used by 3 is the instructions which is set to counter the counter and decrementing jump not 0 so that that particular measures touch radial so it's it's sort of weird down at the instructions at level but gets weirder this indirectly coupled I instructions for example there's an instruction that appears to allow I'm turning on and off the power amplifier or city to particular level there's an instruction that directly Elming cues from some bits to be transmitted the end some of this there's also blocking instructions to match those for example block the core until this particular harbor function completes like for example transmitting a bite out the RF port and ironically because of the way that those that's built its encoded you can actually blocked according to any condition that is set to get actually block until 0 which is not of a operand you ever find the disassembled binary because it's not terribly useful once the core halted waiting her to become a non-zero nothing's ever going to make it easier non-zero and there's also specialized mutations instructions of for example that reverses here see Bacon and you see a lot of these kind of weird instructions I did the special-purpose processors in in other words I've looked at I've seen or instructions for accelerating as boxes for cryptography of better be Viterbi acceleration bit shuffle extract on suffer accelerating forward error correction so there's a lot of really interesting things you find on there and so the tools today for this particular core have a disassembler covers the vast majority of the instruction space of the ones that I don't know about our never appear in the distance in similar have so I the best guess I have is that the reader unimplemented you know encoding space or they do something that I haven't found state yet have a basic assembler and I as well as the sum of course and the motor and I library for for playing with this thing and post it soon at github . com slash David Kahn and it's not going to be 1 every conquers I didn't bring ssh keys so thanks for coming to listen and i guess any questions orders everyone just once we lunch pledges