BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//talks.toorcon.net//toorcamp-2026//talk//DFW8YP
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-toorcamp-2026-DFW8YP@talks.toorcon.net
DTSTART;TZID=PST:20260627T110000
DTEND;TZID=PST:20260627T123000
DESCRIPTION:Somewhere in a pharmacy right now\, there's a lock protecting a
  drug cabinet. The lock stores every user code\, privilege level\, and act
 ive flag in plaintext on a NAND flash chip. No encryption. No MAC. No chec
 ksums. No TPM. Just raw bytes in a predictable layout\, readable with a $3
 0 programmer and a clip.\n\nIn this workshop\, you'll learn to decode that
  layout by hand.\n\nWe'll work through real NAND dumps extracted from Alar
 m Lock Trilogy T3 units\; the same locks deployed across healthcare\, gove
 rnment\, and financial facilities in the US. You'll learn how to identify 
 page boundaries (hint: look for 0xFD)\, decode 6-digit user codes stored a
 s interleaved ASCII nibbles with a delightful quirk where zero is encoded 
 as “B”\, parse permission flags to determine who has master access\, a
 nd spot the forensic artifacts that indicate flash tampering (like the "Po
 wer Up Complete\, Data Restored From Flash Memory" audit entry that appear
 s after injection).\n\nAlong the way\, I'll explain the lazy write model t
 hat makes all of this possible: the MSP430 microcontroller only commits vo
 latile RAM to NAND on battery removal or low-voltage interrupt\, creating 
 a window where the flash doesn't reflect the lock's current state. We'll a
 lso look at what happens when you inject malformed data: some edits will s
 how injected codes in its "Print Users" output (using the vendor's older a
 nd less used infrared printer) but silently omit them from "Export Users
 " in DL-Windows (the vendor audit software used on a computer)\, creatin
 g a stealth window where printed and digital records disagree.\n\nNo solde
 ring required. Bring a laptop with a hex editor (HxD\, wxHexEditor\, or wh
 atever you prefer). I'll provide printed reference sheets with the full NA
 ND page layout and sample binary dumps to work through. If time permits an
 d curiosity demands\, I'll have a T48 universal programmer and a lock boar
 d on hand for a live read/write demo.\n\nYou'll leave knowing how to read 
 embedded flash memory from a class of devices that assumed nobody would bo
 ther\, and take part in showing that assumption is a security failure.
DTSTAMP:20260626T010224Z
LOCATION:Yoga Studio
SUMMARY:Dead Bytes Tell No Lies: Hands-On NAND Flash Decoding for Access Co
 ntrol Locks - qweary
URL:https://talks.toorcon.net/toorcamp-2026/talk/DFW8YP/
END:VEVENT
END:VCALENDAR
