More Research, More Fun – I’m now an Assistant Professor

Are you interested in this area of research? If you’ve followed some of my work you know I enjoy a combination of fundamental research & hands-on practical experiences.

It led me to co-found NewAE Technology Inc out of my PhD, with the objective of taking some of the research I was doing and pushing it ever further out into the world. I’m going to be continuing that work as C.T.O., but at the same time taking a leap forward in building up a larger research group under an academic affiliation.

I’ve joined Dalhousie University as an assistant professor in the electrical & computer engineering department. This is a bit of a unique position as I’m also going to be helping with some of the new innovation work being done in the “IDEA Building”, which means I’ll be mandated (and thus have time) to work with companies interested in cyber-security (emphasizing the sort of cyberphysical work I do, like IoT and automotive).

I’ll be shortly looking for students as well – if you are interested in a MASc or PhD in this area, I’d love to hear from you! Get in touch with my Dalhousie email (COFLYNN – AT – DAL.CA). If you don’t hear back, sometimes I’m travelling quite a bit so may be slow, so please follow up to make sure I didn’t drop it. Or say hello at a conference – I’ll be at RECON and Black Hat in the next few months.

More details & update on this to come, but it’s an exciting chance for me to continue pushing the fundamental research I love, while engaging the local start-up community and helping encourage students that starting a business out of research isn’t such a bad idea.

Nova Scotia Embarrassment –

Just a quick post to have someone with the text. In case you aren’t aware, Nova Scotia’s “Freedom of Information and Protection of Privacy” (FOIPOP) system allows you to request various information from the government, including information about yourself. When you request information about yourself it’s not redacted (i.e., your SIN and other information they have would be in the document), but when you request it about someone/something else information is redacted to protect their privacy.

They were serving these documents using a system with URLs like “”, where the last number was the document. Which is fine until they decided to use this for both the sensitive and non-sensitive ones, with no log-in or password checks. To a point, these documents were automatically indexed by Google and other services, as they didn’t even put a ROBOTS.txt it seems.
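As an added illustration (not the portal's code, and not part of the original post), the Python example below models the design described above, one sequential ID space shared by public and personal documents, next to a handler that decides access per document. The store contents, user names and function names are all constructed for the example.

```python
# Added example, not the FOIPOP portal's code. All data below is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    body: str
    owner: Optional[str]  # None = redacted public release, else the requester


# Constructed store: one sequential ID space for both kinds of document.
STORE = {
    1001: Document(1001, "redacted response (public)", None),
    1002: Document(1002, "unredacted response with personal data", "alice"),
    1003: Document(1003, "redacted response (public)", None),
}


def serve_unchecked(doc_id, session_user=None):
    """The design described above: any valid ID is served to anyone."""
    doc = STORE.get(doc_id)
    return (200, doc.body) if doc else (404, "")


def serve_checked(doc_id, session_user=None):
    """Same store, with authorization decided per document on every request."""
    doc = STORE.get(doc_id)
    if doc is None:
        return (404, "")
    if doc.owner is None:
        return (200, doc.body)  # public release, no login required
    if session_user == doc.owner:
        return (200, doc.body)  # personal document, requested by its owner
    # Same answer as a missing ID, so the response does not reveal that a
    # personal document exists at this number.
    return (404, "")


def exposed_personal_docs(serve):
    """Defender's check: personal documents an anonymous request can fetch."""
    return sorted(d.doc_id for d in STORE.values()
                  if d.owner is not None and serve(d.doc_id)[0] == 200)


if __name__ == "__main__":
    print("unchecked:", exposed_personal_docs(serve_unchecked))
    print("checked:  ", exposed_personal_docs(serve_checked))
```

A robots.txt entry would only have kept well-behaved crawlers away; it is the per-document check that closes the exposure.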

Evan D’Entremont has a great write-up, so I’ll just refer you there for details.

Well, somebody downloaded documents they “weren’t supposed to”, and they are now claiming he is a hacker. Note most of the documents accessed were public, and there was no way to tell them apart based on URL (so it’s not even an attempt at hacking). The following is my open letter to the province regarding this silliness:

April 17, 2018

The Honourable Stephen McNeil, Premier of Nova Scotia

Re: Nova Scotia handling of FOIPOP information leak

I’m writing to you with considerable alarm regarding the response to the exposure of confidential information via the FOIPOP portal. In particular, I am greatly alarmed by the handling of an individual accessing a public government website.

It is clear the document storage and display system was designed for public documents only, as no attempt was made to authorize or validate the user. I can only assume this was a miscommunication about the intended use of this particular document storage system, as many of the documents appear on Google and other archives. Notably, even the most basic web configurations have a list of non-public directories which search engines such as Google will not access out of courtesy. There is no authentication or lock on these pages either, but the fact that no attempt was made to prevent such access clearly points to this being a publicly accessible document repository.

Attempts to claim this was somehow a “hack” or even “vulnerability exploitation” do not pass muster. Neither do explanations make sense that this is a case of someone stealing an unlocked bicycle, and thus they have still done something wrong. Rather this is a case of someone (hint – not the person that had their house stormed) leaving sensitive documents in the library stacks, and someone else finding them while looking through the books. They were placed in a public location without any access control – the “attacker” simply picked them up from this public space. In fact, in this case the sensitive documents even had the same labeling and numbering system as the public books on the shelf. They are completely indistinguishable until you look at the contents.

Despite this, the person finding the documents is being aggressively handled, and a story being created that is attempting to spin them into the antagonist. Heavy-handed attempts at pursuing “computer crime” have been widely recognized as being counter-productive of achieving a more productive and secure society – even when some actual crime may have occurred (which in itself appears questionable for the case at hand).

On one hand, the government is claiming they want to encourage investment and growth of technology in Nova Scotia. Cyber-security in particular has been recognized as a particular growth area of importance to Canada, with the latest federal budget spending $1 billion on cybersecurity. But the handling of this case sends a crystal-clear message to potential researchers and entrepreneurs that Nova Scotia is not somewhere you want to be, as they are still working under long disproven and outdated cyber-security enforcement tactics.

I do not believe the current outcome was malicious, but the result of many levels of confusion, miscommunication, and attempts to divert blame. Ultimately this miscommunication resulted in Halifax Regional Police conducting a raid under the pretense that a computer crime occurred.

There is still some hope of salvaging Nova Scotia’s reputation and future ability to attract critical cyber-security talent from across Canada and the world. This would require a frank admission of the failures within the government (this does not require scapegoating any specific employee), while also outlining remediation steps to provide justice for the “hacker”, and a plan to prevent such heavy-handed reactions from occurring in the future (such as some level of expert validation of computer crime complaints). Regaining public trust regarding handling of sensitive data involves additional work, but I believe the first three items outlined are the most time-critical for the matter at hand.


Colin O’Flynn, Ph.D.

C.T.O., NewAE Technology Inc.


MeatBag PnP – Simple Pick-n-Place

Have you ever hand-built a PCB prototype with lots of parts? If so you’ll know the annoyance of hand-building something from a big stack of Digi-Key parts. Having to Ctrl-F the part value in the design, and dealing with hits on both top & bottom side. Instead I’m introducing Meat-Bag Pick-n-Place, which helps you the human meatbag become a PnP machine! Here’s a photo of it running:

You can either click on an item, and it finds the first hit of it (i.e., click on a 200-ohm resistor) and shows you. You can then use spacebar to move through the placement list. It also interfaces to barcode scanners so you can just scan Mouser or Digikey bags. Here’s a short video demo:



All this is posted on the GitHub Repo, so hopefully you find it useful!

PhD Thesis Finally Done

If you’ve seen my presentations anytime over the past few years, you’ll know the introduction about “PhD Student at Dalhousie University finishing ‘soon’” has been the claim for the past several years. Finally ‘soon’ actually happened!

You can see my complete thesis entitled “A Framework for Embedded Hardware Security Analysis” on the DalSpace website. It’s been a ton of fun doing the PhD, and I’ve had a lot of help over the years which I’m very grateful for. For the foreseeable future I’ll be continuing to spin up NewAE Technology Inc., and keeping my ChipWhisperer project alive.

Black Hat Slides – PIN-Protected HD Enclosure / MB86C311A Research

This is a quick post to link to slides from my Black Hat USA 2016 work.

This work stands directly on the work done by Joffrey Czarny & Raphaël Rigo presented at last year (2015). They discovered the issues w.r.t. the stream-mode cipher being used by all manufacturers on the MB86C311A, and the fact that secrets are stored on the HD itself. Their work is available at:

They have some newer work coming out which looks to be very interesting, so please keep your eyes out for that. Anyway onto my stuff. The following is a link to my slides:

Brute-Forcing Lockdown Harddrive PIN Codes [Slides]


A Low-Cost X-Y Scanner using 3D Printer

This summer, our summer intern Greg d’Eon made a quick project to build an X-Y Scanner from a 3D printer (by ‘quick’, I mean it took him less than 2 days!). You can see the source code up on GitHub. Anyway, 3D printers are very nice as they have fairly high resolution and fairly low cost. Here’s a quick video:

We’re using it to measure EM emissions frequencies over a PCB, but you could also use this for side-channel emissions, or fault injection. While the resolution might not be high enough for getting at specific features on a chip surface, it can still be used for general positioning.

With your EM emissions, you can graph X-Y vs. amplitude – here I’ve constrained the range to get an idea where the 96 MHz emissions are concentrated. Probably more interesting would have been to use a 2D plot with colour overlaid over the PCB design:

You can also do things like plot frequency vs. position with strength of the signal given by color. In the following graph the X position is fixed, and only the Y position is varied. You can see here the 96MHz oscillator of the SAM3U microcontroller on the ChipWhisperer-Lite for example:
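The X-Y vs. amplitude map at a single frequency can be computed per scan position as in the added example below, which is not the scanner project's code. It uses the Goertzel algorithm (my choice for picking out one frequency, not something the post states) on constructed traces; the sample rate, grid, emitter position and function names are assumptions made for the example.

```python
# Added example, not the scanner project's code. Traces are constructed.
import math

FS_HZ = 500e6      # assumed sample rate of the capture hardware
N_SAMPLES = 250    # gives 2 MHz bins, so 96 MHz falls exactly on a bin


def goertzel_amplitude(samples, freq_hz, fs_hz):
    """Amplitude of one frequency component (single-bin DFT via Goertzel)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs_hz)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = max(s1 * s1 + s2 * s2 - coeff * s1 * s2, 0.0)
    return 2.0 * math.sqrt(power) / len(samples)


def constructed_trace(x_mm, y_mm):
    """Stand-in for a probe capture at (x, y): a 96 MHz emitter at (30, 20) mm
    that fades with distance, plus a 24 MHz signal equally strong everywhere."""
    a96 = 1.0 / (1.0 + ((x_mm - 30) ** 2 + (y_mm - 20) ** 2) / 100.0)
    return [a96 * math.sin(2 * math.pi * 96e6 * i / FS_HZ)
            + 0.5 * math.sin(2 * math.pi * 24e6 * i / FS_HZ)
            for i in range(N_SAMPLES)]


def scan_map(xs_mm, ys_mm, capture, freq_hz):
    """Visit every grid position and record the amplitude at freq_hz."""
    return {(x, y): goertzel_amplitude(capture(x, y), freq_hz, FS_HZ)
            for y in ys_mm for x in xs_mm}


def hotspot(amplitude_map):
    """Grid position with the strongest emission."""
    return max(amplitude_map, key=amplitude_map.get)


if __name__ == "__main__":
    xs, ys = range(0, 61, 10), range(0, 41, 10)
    emap = scan_map(xs, ys, constructed_trace, 96e6)
    for y in ys:  # coarse text rendering of the X-Y vs. amplitude map
        print(" ".join("%.2f" % emap[(x, y)] for x in xs))
    print("strongest 96 MHz emission at", hotspot(emap))
```

On a real scanner, `constructed_trace` would be replaced by a function that moves the probe to the position and returns the captured samples.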



Low-Cost SMD Soldering Setup

The following blog post shows some details of my SMD soldering process. This was based on a larger video I did (linked below) showing the entire soldering process.

Video of Soldering Setup

The following shows me soldering a complete board with BGA device.

Equipment Used

In the above video, there are several pieces of equipment used. The following shows you some of the important ones.

Reflow Oven

I’m using a T962A reflow oven. I recommend this over the T962, which is a smaller version. The T962A has 3 heat lamps so has a more even heat distribution. Be aware you can’t use the full surface area – about the middle half I find is successful, but depends a little on complexity of the PCB.

I specifically purchased mine from this seller on AliExpress, check other sellers as prices change over time. You might turn it on quickly to confirm it works, but before doing much there are some important fixes:

  • Removing masking tape, replace with Kapton (Polyimide) tape. See instructables post for details.
  • Fixing missing ground connections. Some versions have poor grounding between the outer (metal!) case and the wall plug. See the wiki page for a photo of this fix.
  • Updating the firmware and adding a cold-junction sensor. This is the most complex task, and requires soldering a DS18B20 to the mainboard, then using a USB-Serial adapter to reflash the firmware. See the front page of the T962-Improvements Github Repo, which has links to the required soldering. There is also an optional fix to reduce the very noisy small fan.

Fume Hood

I built a fume hood out of the following:

  • 2×4’s for frame.
  • Thick plastic drop-sheet.
  • Powerful vent booster fan with variable speed control.
  • Active charcoal oven range hood filter (mounted in top of fume hood).
  • Active charcoal filter for car cabin (mounted in cardboard box used as exhaust).

You can also improvise one out of a range hood from an oven. See video for general fume hood construction.

Manual Pick-n-Place


This requires three things:

  1. Vacuum pump, which you can make from a Tetra Whisper pump (see instructables link). Get some of the nice silicone tubing at the same time (like $3 from Amazon).
  2. Syringe with hole drilled into body. You can get syringes (don’t need the pointy bit!) from pharmacy, or order from Newark/Digikey. When you cover the hole, you force the vacuum through the tip, picking up the part. Release your finger from the hole to drop the part. See the above video for details.
  3. The tips for pick and place, which are “Luer Lock” needles bent slightly (for small parts) or commercially available tips (for larger parts).

The tips are the only somewhat tricky thing. I had a good selection from a previous SMD picker tool, something like this kit for example (which is Chip Quik Inc. part #V8910). These tips are actually the same “Luer Lock” that fits into syringes, check eBay for cheaper kits:

V8910 Chip Quik Inc. | V8910-ND DigiKey Electronics

You can also buy Chip Quik Inc part #VCS-9-B which has a bunch of these tips. It’s not the cheapest way, but if you are in a hurry will do! But all of these tips are for larger parts (i.e. maybe SOT23-3 at smallest). If you get into chip resistors, you need to go smaller.

For the small parts, you can bend “needle tips” slightly. You can buy packs of 50 from Digikey (search “Luer Lock”), but might find it cheaper to get individual ones from either medical supply places, or buying products which use them. For example some static-safe squeeze bottles come with a few tips. Again the expensive but easy route is Chip Quik part # SMDTA200 which has a bunch of different sized tips.


There are three main options for stencils:

  1. Laser cut stainless steel.
  2. Third-party cut Kapton film.
  3. Self-cut Kapton/Mylar film.

For laser-cut stainless steel, this can typically be ordered with your PCB fab. For example and Dirty PCBs offer them very cheaply (~$25) when ordering PCBs. This is almost always the best choice, as the stainless steel stencils are very reliable and I’ve had great success with BGA devices.

You can also use third-party services to cut Mylar or Kapton film for you. OSHStencils is one example of a supplier.

Finally, you can make your own. You’ll need some practice to cut BGA parts, but it’s quite easy to cut stencils for less demanding applications. I have a previous blog post on my method.

I’ve been making my own stencils with this process for some time with great success.


Solder Paste/Squeegee

I purchased the squeegee from Dirty PCBs. There are some other blog posts on squeegee options you might look at.

I generally just buy solder paste from Digikey. Digikey does a great job of cheaply shipping to Canada, and the paste comes in an awesome cold pack thingy that keeps it cool during the trip. Chip Quik (again with the Chip Quik sorry, I don’t have a connection with them but just end up using their stuff!) sells some nice small syringes. Be aware it does have a shelf life… I’ve used paste about 6-12 months past that date, but you will eventually see issues (balling, flux separates). I recommend keeping to the suggested date to avoid giving yourself the headache of discovering your paste is bad after you’ve tried soldering your PCB. The cost of all your parts is probably a lot more expensive than the cost of replacing your paste.


SECT-2015 Talk Slides

On Friday at 14:15 I’m giving a talk about my open-source power analysis and glitching project called ChipWhisperer at SEC-T. Here are some useful links if you watched the presentation:

See information about the entire project at too! Video will be posted online at some point too.

ESC SV 2015 – USSSSSB: Talking USB From Python

At ESC 2015 SV I gave a talk on using USB From Python, see the talk description here. This blog post is serving as a placeholder to allow me to update links to software used during the live demo.

For SuperCon 2015, there is a Project Page with these details too. You can also ask questions on the project page.

Download Slides

There are two versions of the slides. Use the SuperCon slides, but I left a copy of the ESC ones here in case you wanted the original for some reason.

Download Slides from Hackaday SuperCon 2015 (Newer Version for SAMD21) [PDF, 10MB]

Download Slides from ESC2015 (Older version for SAMD11) [PDF, 10MB]

Tools to Install

  1. Atmel Studio 6.2
  2. WinPython-2.7
  3. libusb-win32-devel-filter (NB: No need to open the filter install wizard when done)
  4. USBView

SAMD11 Errata

For ESC I used a SAMD11 device, which needs a bit of a hack.

There is a bit of an “oopsie” in the SAMD11 devices. This bug isn’t in the official errata yet, and I’ve been told it’s limited to engineering sample devices (which were used in some of the early dev boards).

Basically the 48MHz oscillator calibration byte is wrong, and you need to manually tune this. You’ll know this problem exists as the device won’t be detected by Windows:


The work-around isn’t super-fun. First, use the programming interface to see the starting value of the DFLL48M_COARSE_CAL fuse:


Next, search in the source code for reference to the dfll_conf.coarse_value variable. You will find where it is being set up, and you can override the value. Basically you have to experiment a bit to find a working value:


 Reference Code

USB Test – Slide 87

import usb.core

# Look up the demo device by its USB vendor and product IDs
dev = usb.core.find(idVendor=0x03eb, idProduct=0x2402)
print(dev)

If you get “None”, make sure you installed the “Filter Driver” using the LibUSB tools!

Control Endpoint Read – Slide 94

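import usb.core
dev = usb.core.find(idVendor=0x03eb, idProduct=0x2402)

# Class request to the interface, device-to-host (0b10100001); on a HID
# interface bRequest 0x01 is GET_REPORT and 3<<8 selects a feature report.
# Reads 4 bytes from interface 0.
data = dev.ctrl_transfer(0b10100001, 0x01, 3<<8, 0, 4)

print(data)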

If you get a “device is not functioning” error just skip this one…
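To show what the five arguments of the `ctrl_transfer()` call above mean on the wire, here is an added example (not from the talk's slides) that decodes them into the named SETUP packet fields. It treats class requests addressed to an interface as HID requests, which is an assumption about the device; the function names are made up for the example.

```python
# Added example, not from the talk's slides: decode ctrl_transfer() arguments.
import struct

DIRECTION = {0: "host-to-device", 1: "device-to-host"}
REQ_TYPE = {0: "standard", 1: "class", 2: "vendor", 3: "reserved"}
RECIPIENT = {0: "device", 1: "interface", 2: "endpoint", 3: "other"}
# HID class requests and report types, as defined by the USB HID 1.11 spec.
HID_REQUEST = {0x01: "GET_REPORT", 0x02: "GET_IDLE", 0x03: "GET_PROTOCOL",
               0x09: "SET_REPORT", 0x0A: "SET_IDLE", 0x0B: "SET_PROTOCOL"}
HID_REPORT_TYPE = {1: "input", 2: "output", 3: "feature"}


def decode_setup(bmRequestType, bRequest, wValue, wIndex, wLength):
    """Name the fields of a control request. Class requests addressed to an
    interface are decoded as HID, which assumes the interface is a HID one."""
    out = {
        "direction": DIRECTION[(bmRequestType >> 7) & 0x01],
        "type": REQ_TYPE[(bmRequestType >> 5) & 0x03],
        "recipient": RECIPIENT.get(bmRequestType & 0x1F, "reserved"),
        "request": "0x%02x" % bRequest,
        "wIndex": wIndex,
        "wLength": wLength,
    }
    if out["type"] == "class" and out["recipient"] == "interface":
        out["request"] = HID_REQUEST.get(bRequest, out["request"])
        out["interface"] = wIndex & 0xFF
        if bRequest in (0x01, 0x09):  # GET_REPORT / SET_REPORT
            out["report_type"] = HID_REPORT_TYPE.get(wValue >> 8, "reserved")
            out["report_id"] = wValue & 0xFF
    return out


def setup_packet(bmRequestType, bRequest, wValue, wIndex, wLength):
    """The 8-byte SETUP packet sent on the bus (16-bit fields little-endian)."""
    return struct.pack("<BBHHH", bmRequestType, bRequest, wValue, wIndex, wLength)


if __name__ == "__main__":
    args = (0b10100001, 0x01, 3 << 8, 0, 4)  # values from the call above
    for key, value in sorted(decode_setup(*args).items()):
        print("%-12s %s" % (key, value))
    print("SETUP bytes:", " ".join("%02x" % b for b in bytearray(setup_packet(*args))))
```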

Sending Output Report

import usb.core
dev = usb.core.find(idVendor=0x03eb, idProduct=0x2402)
print(dev)

# 8-byte output report, written to OUT endpoint 0x02
data = [ord('1'), ord('1'), 0, 0, 0, 0, 0, 0]
dev.write(0x02, data)

Receiving Input Data (Press button to see change)

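import usb.core
dev = usb.core.find(idVendor=0x03eb, idProduct=0x2402)
print(dev)

# The IN endpoint address was lost from this listing; 0x81 is an assumed
# placeholder - check the device's descriptors (e.g. in USBView)
EP_IN = 0x81

for i in range(0, 10):
    while True:
        try:
            test = dev.read(EP_IN, 8, timeout=50)
            break
        except usb.core.USBError as e:
            # A timeout just means no new report yet, so retry
            if str(e).find("timeout") >= 0:
                continue
            raise IOError("USB Error: %s"%str(e))
    print(test)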

 Full GUI Example

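#Public domain - simple USB GUI Example by Colin O'Flynn

from PySide.QtCore import *
from PySide.QtGui import *
import usb.core
import sys

#The IN endpoint address was lost from this listing; 0x81 is an assumed
#placeholder - check the device's descriptors (e.g. in USBView)
EP_IN = 0x81

class USBForm(QDialog):
    def __init__(self, parent=None):
        super(USBForm, self).__init__(parent)
        self.setWindowTitle("ESC 2015 Demo")

        layout = QVBoxLayout()
        self.setLayout(layout)

        self.pbConnect = QPushButton("Connect")
        self.pbConnect.clicked.connect(self.con)
        self.isConnected = False

        self.pbLED = QPushButton("LED Blinking")
        self.pbLED.setCheckable(True)
        self.pbLED.setEnabled(False)
        self.pbLED.clicked.connect(self.changeLED)

        self.swStatus = QLineEdit()
        self.swStatus.setReadOnly(True)

        layout.addWidget(self.pbConnect)
        layout.addWidget(self.pbLED)
        layout.addWidget(self.swStatus)

        #Poll the button state while connected
        self.butTimer = QTimer(self)
        self.butTimer.timeout.connect(self.pollButton)

    def con(self):
        if self.isConnected == False:
            #Do USB Connect Here
            self.dev = usb.core.find(idVendor=0x03eb, idProduct=0x2402)
            if self.dev is None:
                self.swStatus.setText("Device not found")
                return

            #Sync changeLED
            self.pbLED.setEnabled(True)
            self.changeLED()
            self.butTimer.start(100)
            self.pbConnect.setText("Disconnect")
            self.isConnected = True
        else:
            self.butTimer.stop()
            self.pbLED.setEnabled(False)
            self.pbConnect.setText("Connect")
            self.isConnected = False

    def changeLED(self):
        if self.pbLED.isChecked():
            #Send command to make LED on
            self.dev.write(0x02, [ord('1'), ord('1'), 0, 0, 0, 0, 0, 0])
            self.pbLED.setText("LED On")
        else:
            #Send command to make LED blink
            self.dev.write(0x02, [ord('0'), ord('1'), 0, 0, 0, 0, 0, 0])
            self.pbLED.setText("LED Blinking")

    def pollButton(self):
        try:
            data = self.dev.read(EP_IN, 8, timeout=50)
            if data[0]:
                self.swStatus.setText("Button Pressed")
            else:
                self.swStatus.setText("Button Released")
        except usb.core.USBError as e:
            #A timeout just means no new report, anything else is an error
            if str(e).find("timeout") < 0:
                raise IOError("USB Error: %s"%str(e))

if __name__ == "__main__":
    app = QApplication(sys.argv)
    form = USBForm()
    form.show()
    sys.exit(app.exec_())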