BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//talks.toorcon.net//toorcamp-2026//speaker//YWZK9P
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-toorcamp-2026-C3B9AT@talks.toorcon.net
DTSTART;TZID=PST:20260625T110000
DTEND;TZID=PST:20260625T133000
DESCRIPTION:Learn the fine art of lock bypass with a drill from a professio
 nal locksmith. When lockpicking fails it's good to know the nuclear kineti
 c option.
DTSTAMP:20260625T234057Z
LOCATION:Hardware Hacking Stage
SUMMARY:Lock Drilling Class - qweary
URL:https://talks.toorcon.net/toorcamp-2026/talk/C3B9AT/
END:VEVENT
BEGIN:VEVENT
UID:pretalx-toorcamp-2026-MJBZNN@talks.toorcon.net
DTSTART;TZID=PST:20260626T120000
DTEND;TZID=PST:20260626T125000
DESCRIPTION:I spent years installing Trilogy Alarm Locks for the military. 
 Other locksmiths asked for recommendations\, I let them know of Trilogy's 
 fast response to responsible disclosures (at that time)\, and I soon start
 ed seeing them in pharmacies\, more government buildings\, and banks. Then
 \, after the company stopped responding to my vulnerability disclosures\, 
 I spent a year figuring out how to hack them. Nearly every angle I approac
 hed it from\, I found a new vulnerability. The company never responded\, d
 espite acknowledging through a third party.\n\nThis talk walks through a f
 ive-layer attack chain against the T2/T3 lock platform: physical bypasses 
 that leave little to no trace\, NAND flash manipulation that injects ghost
  users with master privileges\, a firmware hook on the MSP430 microcontrol
 ler that writes a persistent backdoor code during factory reset (using han
 d-patched TI assembly\, because apparently that's a thing I do now)\, and 
 USB emulation of the proprietary audit cable using FaceDancer and a GreatF
 ET One.\n\nOver a year later\, I was able to prove that a lock deployed in
  critical infrastructure has credentials that can be cloned from the trash
 \, firmware that can be rewritten through an unblown JTAG fuse\, and whose
  audit trail (the one used as legal evidence) can be fooled by a device th
 at costs less than the lock itself.\n\nI'm not a firmware engineer\; I'm a
  locksmith who got curious\, bricked a lot of boards\, filled a notebook w
 ith bad hypotheses\, and eventually taught myself enough TI assembly to wr
 ite a 38-byte payload that survives every factory reset method. The tools 
 were a $30 flash programmer\, a soldering iron\, and an unreasonable amoun
 t of stubbornness.\n\nThe talk closes with a constructive argument: self-a
 uditing endpoints are fundamentally broken. If the lock controls access AN
 D writes the audit log\, you have a suspect writing their own alibi\, not
  a log that should be used in legal evidence. I'll propose an Observer Sys
 tem Model where independent sensors verify what the lock claims\, and disc
 uss why even cheap mitigations (blow the JTAG fuse\, encrypt the NAND\, au
 thenticate the cable\, use a TPM) would have stopped every attack in this 
 chain.\n\nEverything is published: code\, dumps\, patches\, pcaps\, 33 pag
 es of handwritten notes\, and a 4\,000-word research journal documenting e
 very wrong turn. \nRepo:\nhttps://github.com/Qweary/T2-T3-Lock-Exploitatio
 n-Research\nBlog:\nhttps://qweary.github.io/backburner/
DTSTAMP:20260625T234057Z
LOCATION:Prime Dome
SUMMARY:Physical Access\, Digital Lies: How a Locksmith Hacked His Recommen
 ded Lock - qweary
URL:https://talks.toorcon.net/toorcamp-2026/talk/MJBZNN/
END:VEVENT
BEGIN:VEVENT
UID:pretalx-toorcamp-2026-K773U8@talks.toorcon.net
DTSTART;TZID=PST:20260626T200000
DTEND;TZID=PST:20260626T213000
DESCRIPTION:Live jam: Relax with classical and jazz music played on trombon
 e by a guy named Piano (Qweary). Jazz backgrounds over speaker\, bring an 
 instrument if you want to join.
DTSTAMP:20260625T234057Z
LOCATION:Hardware Hacking Stage
SUMMARY:Live Jam Session - qweary
URL:https://talks.toorcon.net/toorcamp-2026/talk/K773U8/
END:VEVENT
BEGIN:VEVENT
UID:pretalx-toorcamp-2026-DFW8YP@talks.toorcon.net
DTSTART;TZID=PST:20260627T110000
DTEND;TZID=PST:20260627T123000
DESCRIPTION:Somewhere in a pharmacy right now\, there's a lock protecting a
  drug cabinet. The lock stores every user code\, privilege level\, and act
 ive flag in plaintext on a NAND flash chip. No encryption. No MAC. No chec
 ksums. No TPM. Just raw bytes in a predictable layout\, readable with a $3
 0 programmer and a clip.\n\nIn this workshop\, you'll learn to decode that
  layout by hand.\n\nWe'll work through real NAND dumps extracted from Alar
 m Lock Trilogy T3 units\; the same locks deployed across healthcare\, gove
 rnment\, and financial facilities in the US. You'll learn how to identify 
 page boundaries (hint: look for 0xFD)\, decode 6-digit user codes stored a
 s interleaved ASCII nibbles with a delightful quirk where zero is encoded 
 as "B"\, parse permission flags to determine who has master access\, a
 nd spot the forensic artifacts that indicate flash tampering (like the "Po
 wer Up Complete\, Data Restored From Flash Memory" audit entry that appear
 s after injection).\n\nAlong the way\, I'll explain the lazy write model t
 hat makes all of this possible: the MSP430 microcontroller only commits vo
 latile RAM to NAND on battery removal or low-voltage interrupt\, creating 
 a window where the flash doesn't reflect the lock's current state. We'll a
 lso look at what happens when you inject malformed data: some edits will s
 how injected codes in its "Print Users" output (using the vendor's older a
 nd less used infrared printer) but silently omit them from "Export Users
 " in DL-Windows (the vendor audit software used on a computer)\, creatin
 g a stealth window where printed and digital records disagree.\n\nNo solde
 ring required. Bring a laptop with a hex editor (HxD\, wxHexEditor\, or wh
 atever you prefer). I'll provide printed reference sheets with the full NA
 ND page layout and sample binary dumps to work through. If time permits an
 d curiosity demands\, I'll have a T48 universal programmer and a lock boar
 d on hand for a live read/write demo.\n\nYou'll leave knowing how to read 
 embedded flash memory from a class of devices that assumed nobody would bo
 ther\, and take part in showing that assumption is a security failure.
DTSTAMP:20260625T234057Z
LOCATION:Yoga Studio
SUMMARY:Dead Bytes Tell No Lies: Hands-On NAND Flash Decoding for Access Co
 ntrol Locks - qweary
URL:https://talks.toorcon.net/toorcamp-2026/talk/DFW8YP/
END:VEVENT
END:VCALENDAR
