<portfolio>

I'm Cody Brocious: reverse engineer, security consultant, and software developer. This portfolio is a selection of my work over the last 7 years, from building kernels to breaking locks to auditing security appliances.

2012

Onity lock system presentation

At Black Hat USA 2012 I had the unique opportunity to speak at the new Zero Hour Briefings. I presented on the design and failings of the Onity hotel lock system, in which I publicized several critical, unpatchable vulnerabilities. These vulnerabilities made it possible to open 4-10 million locks worldwide with $20 in hardware, as well as derive the encryption key from cards. Immediately after the talk, the paper, slides, and code were made public; they received a quarter million downloads in the first 24 hours.

Paper and slides

Press

2011

Kivlad, Android Decompiler

Kivlad was a decompiler for Android (Dalvik) binaries, developed while at Matasano Security. It provided basic decompilation facilities without converting to Java bytecode first, a first in the Android reverse-engineering world.

Code

CCBill bug bounty

CCBill, a major player in the credit card processing space, launched a bug bounty program in 2011, which I participated in. Of the 41 vulnerabilities reported and confirmed, 31 were reported by me.

Rewards

Superpacking Javascript Demos

I discovered a new technique for packing Javascript, enabling single-file web demos in a smaller size than had ever been achieved before. Within 6 months of its announcement, this technique became the standard used by nearly everyone in the web demo scene. The framework I built for these demos -- Windowpane -- was the top recommended tool for the DemoJS party.

Blog post

Press

  • WebGL.com: 1 2

2010

Hacked the Emotiv Epoc brain-computer interface

The Emotiv Epoc is a $300 consumer EEG device for controlling games with your mind. I reverse-engineered the protocol and encryption used by the Epoc and implemented a library called Emokit to communicate with it. This allows developers to read the raw data, enabling novel uses such as music creation and drastically lowering the cost of scientific research into the brain.

Blog post

Press

Reverse-engineered the Belkin USB Hub

Belkin's Network USB hub enables USB devices to be connected over the network. I reverse-engineered the protocols used and published an article detailing how I did it and how they work. This opens up interesting new options in reverse-engineering and simulating USB devices, as the hub turns them into simple network devices.

Blog post

2009

Injected Python into Eve Online

Eve Online is a massively multiplayer game which uses Stackless Python for scripting. I detailed a technique by which you can inject your own Python code into the game client to extend and automate the client. This has since been taken further and used to build all new functionality into the standard client.

Blog post

Reverse-engineered Pokerstars

Pokerstars is one of the top online poker sites and uses a proprietary protocol to communicate with clients. I reverse-engineered the encryption and compression used in their protocol and provided some insight into how the communication works. While the work was never continued, it serves as a good reference for performing similar hacks.

Blog post

Renraku: Future OS

Renraku was an operating system project with the goal of being written in 100% managed .NET code. Now defunct, it was capable of running on bare metal or in a hosted environment. It included a basic GUI, networking stack, mouse and keyboard interfaces, and was written to be completely type-safe from the ground up.

Introductory blog post

2008

Modulock

Modulock was a product intended to be a complete replacement for the front desk system used in Onity hotel installations. It was a first-of-its-kind product, enabling hotels to drastically reduce their hardware and maintenance costs by utilizing off-the-shelf equipment and a novel web application interface. In the course of development, nearly the entire Onity hotel lock system was reverse-engineered, leading to my Black Hat presentation in 2012.

Press release

IronBabel

IronBabel was an experimental emulation platform with the goal of enabling high-performance emulation on top of the .NET platform. To accomplish this, guest code was recompiled into .NET bytecode and cached on the fly, enabling heavy optimizations to be performed at the expense of increased startup time. Partial x86 PC and Wii emulation were accomplished with performance exceeding expectations.

Project page

2007

Aqualung, ARM decompiler

Aqualung was an ARM decompiler plugin for IDA Pro developed for the iPhone Dev Team. It provided basic decompilation facilities and is used to this day, saving significant time in reverse-engineering iPhone code. Starting as a plugin simply commenting assembly with pseudo-C, it was later extended to provide control flow and statement reconstruction.

iPhone hacking

During 2007 I participated on the iPhone Dev Team, where I assisted in reverse-engineering critical components of the iPhone and building tools to communicate with it. Critically, I reverse-engineered and reimplemented the communication protocol for updating the baseband, leading to the first software-only unlock.

Broke the Yoggie Pico Pro

Yoggie Pico Pro was a security appliance intended to offload firewall, virus scanning, and other functionality to a USB device. Within a day of its launch, I had discovered a vulnerability in its diagnostic interface, enabling remote root command execution.

Full disclosure post

2006

Alky

Alky was a product which enabled users or developers to translate a Windows game into a native game for Mac OS X or Linux without requiring source. We were able to convert a number of games, most notably Prey, and launched to great fanfare. Later, work was done to support DirectX 10 on Windows XP, Mac OS X, and Linux.

Press

2005

PyMusique

PyMusique was the first open source client for the iTunes Music Store, created to enable purchases on Linux. During the course of development, the protocols and encryption were reverse-engineered and completely supported. Due to the application of the DRM technology happening on the client side of iTunes, PyMusique enabled users to buy their music completely DRM-free, years before iTunes dropped DRM on audio files.

Press