├── README.md
├── dangerous-emfi
    ├── README.md
    └── img
    │   ├── brian_monk_dcschem.gif
    │   ├── dangerous-emfi-crap.png
    │   ├── emfi_types.png
    │   ├── jank1.jpg
    │   └── jank2.jpg
└── rpi-glitching
    ├── README.md
    ├── cw-vglitch.py
    ├── glitchloop.c
    ├── rsaglitch.py
    └── test.key


/README.md:
--------------------------------------------------------------------------------
 1 | # Hardware Hacking Resources
 2 | 
 3 | This repo holds some of the examples used in Colin's Hardware Hacking talk at [Remoticon 2021](https://remoticon.io/).
 4 | 
 5 | You can see the very sketchy glitcher in the [dangerous-emfi](dangerous-emfi) folder.
 6 | 
 7 | You can see the code used on the Raspberry Pi 3 Model B+ in the [rpi-glitching](rpi-glitching) folder.
 8 | 
 9 | Some specific resources used in the talk:
10 | 
11 | * [ChipWhisperer Jupyter Examples](https://github.com/newaetech/chipwhisperer-jupyter)
12 | * [Hardware Hacking Handbook](https://www.nostarch.com/hardwarehacking)
13 | * [Colin's ECU Bootloader Work](https://colinoflynn.com/2020/11/bam-bam-on-reliability-of-emfi-for-in-situ-automotive-ecu-attacks/)
14 | * [Thomas Roth R-Pi Pico](https://twitter.com/ghidraninja/status/1460330740881702912) [NOTE - this link will be updated with a video once available]
15 | 
16 | Other examples that might be pulled up ad-hoc will be added to this list later.


--------------------------------------------------------------------------------
/dangerous-emfi/README.md:
--------------------------------------------------------------------------------
  1 | 
  2 | **WARNING: THIS PAGE SHOWS USAGE OF HIGH VOLTAGE CIRCUITRY - YOU CAN EASILY GET A DANGEROUS OR LETHAL SHOCK FROM ATTEMPTING TO FOLLOW THESE INSTRUCTIONS. I BUILT THE [CHIPSHOUTER](https://www.newae.com/chipshouter) TOOL SPECIFICALLY TO AVOID EXPOSING YOU TO THE TYPES OF RISKS THAT ARE SHOWN IN THE CONSTRUCTION ON THIS PAGE. CONSIDER THE FOLLOWING FOR ENTERTAINMENT PURPOSES ONLY.**
  3 | 
  4 | Colin O'Flynn
  5 | Nov 20 / 2021
  6 | 
  7 | The following are some details to go along with my Hackaday Remoticon 2021 presentation.
  8 | 
  9 | ## EMFI Architectures
 10 | 
 11 | Generally, EMFI is one of three types of architectures:
 12 | 
 13 | ![](img/emfi_types.png)
 14 | 
 15 | (This figure is from my book [Hardware Hacking Handbook](https://nostarch.com/hardwarehacking) if you'd like more details it's got a section on EMFI as well).
 16 | 
 17 | Of those three, "direct drive" is somewhat easiest to swap probe tips for. But the downside is that it can expose the high voltage most directly to the probe tip (and thus user or DUT). Of the two "direct drive" architectures the low-side switching is easiest to build, but by far the most dangerous. This is because the capacitor bank is *always* present at the output, rather than being switched on only when needed.
 18 | 
 19 | My commercial tool, the [ChipSHOUTER](https://www.newae.com/chipshouter) contains several safety features, including:
 20 | 
 21 | * 'High-side switching' drive ensures high voltage present only during pulses.
 22 | * Passive HV bleed resistor on capacitor bank, discharges in ~30 seconds.
 23 | * Active HV bleed resistor when unit is disarmed or safety interlocks trigger, discharges in < 5 seconds.
 24 | * Three different conformal/potting compounds used around high-voltage circuitry.
 25 | * High-temp PCB.
 26 | * Detection of probe tip break or open (which means pulse will discharge into something besides the inductor coil).
 27 | * Over-temp detection (interlock).
 28 | * Case open detection (interlock).
 29 | * Detection of out-of-spec voltage on input (power supply) or output (HV charge generation).
 30 | 
 31 | The following example will have *none* of those. Zero. It will also use the more dangerous low-side switching.
 32 | 
 33 | ## About a Disposable Camera Flash
 34 | 
 35 | When these cameras were much more common, you use to be able to get tens of the disposable cameras for free just by asking (they would ship the bodies back after film was removed). Worst case you can still buy them for fairly cheap - the example I'm using was a 2-pack of cameras from Walmart for $20. 
 36 | 
 37 | You can find reverse engineering of the camera flash details in a few places. The closest one to my camera was by Brian Mork, available at [http://www.increa.com/reverse/dc/](http://www.increa.com/reverse/dc/).
 38 | 
 39 | For quick reference, I've mirrored the schematic Brian reverse engineered here, but see his page for more details of the operation:
 40 | 
 41 | ![](img/brian_monk_dcschem.gif)
 42 | 
 43 | **WARNING: The circuitry contains various "buttons" such as charge and flash. These buttons will be at HIGH VOLTAGE RELATIVE TO OTHER PARTS OF THE CIRCUIT. Do NOT touch the metal "buttons" yourself, but use an insulated screwdriver to trigger them.**
 44 | 
 45 | This last point is the most important - don't just hold a battery in the charger, as it's *very easy* to shock yourself when doing this.
 46 | 
 47 | If you haven't worked with these units before, the typical way to "safely" handle them is:
 48 | 
 49 | * Trigger the flash to discharge the capacitor a little bit.
 50 | * Short the main capacitor - commonly done with a screwdriver, if you were fancy you'd use a resistor.
 51 | * Use alligator clips to short out the main capacitor now that it's discharged, to prevent charge from building back up or you from accidentally turning it on.
 52 | 
 53 | Watch out for the problem that it's easy to shock yourself when attempting to remove the battery too, so short the capacitor out before you touch *anything*.
 54 | 
 55 | ## Safely Operating a Low-Side Switch
 56 | 
 57 | As mentioned, using a low-side switch is inherently a very dangerous operation. The exposed "coil" will be charged to 400V anytime the device is on, *not* only during the discharge operation.
 58 | 
 59 | The only safe way to use a low-side switching EMFI tool is to isolate everything else, such the exposed coil has no ground reference (and thus no path to discharge). This means you must use either battery powered or an isolated power supply. In this example we'll stick with battery powered which is much easier to build.
 60 | 
 61 | **WARNING: Do not use a random wall-wart power supply and assume that counts as isolated. The DC negative may be connected to earth ground, I've also had wall-warts where the DC negative was connected through to the neutral blade.**
 62 | 
 63 | This means we'll do the following:
 64 | 
 65 | * Power the charger from 1.5V battery (as designed)
 66 | * Power anything else (trigger circuitry) from a different 9V battery.
 67 | * Use plastic/isolated buttons as needed.
 68 | * Optoisolate any signals passing to the tool.
 69 | 
 70 | **WARNING: I really must stress that you shouldn't try to derive one of the supplies from each other, or try to use a plug-in supply or bench supply. This unit is very unsafe even as-is, and the only small margin of safety comes from the battery power giving the floating supplies.**
 71 | 
 72 | ## Camera Flash Modifications for EMFI
 73 | 
 74 | The camera flash is basically going to be our high-voltage source. We'll do the following modifications:
 75 | 
 76 | * Replace main capacitor with smaller ceramic capacitor.
 77 | * Add high-voltage IGBT/MOSFET.
 78 | * Add resistor to 'turn off' mosfet by default.
 79 | * Add output connector or coil.
 80 | * Add insulated arm button.
 81 | * Add insulated trigger button.
 82 | * OPTIONAL: Add opto-isolator for trigger input.
 83 | 
 84 | ![](img/dangerous-emfi-crap.png)
 85 | 
 86 | The opto-isolator isn't shown, but almost any one should work. The only important specification would be that the "collector to emitter voltage" is at *least* 20V, but that covers almost all common units. If you want to use an optoisolator (so you can trigger the unit on demand), simply do the following:
 87 | 
 88 | * Optoisolator collector to 9V battery positive.
 89 | * Optoisolator emmiter to IGBT gate.
 90 | * Change the 10k-ohm gate drain resistor to something smaller (1k-ohm), but may need to test this.
 91 | 
 92 | Note even with the switch using a smaller resistor may be helpful (again, faster turn-off, the 10k was one I happened to have on-hand).
 93 | 
 94 | ## Parts Selection
 95 | 
 96 | #### Capacitor
 97 | The main cap should be around 0.33 to 1uF, 630V or higher rated (the higher-than-needed voltage helps with loss of capacitance due to voltage biasing along with a safety margin). I used B58031U7504M062 in my example (0.5uF, 700V rated) as I had it on-hand.
 98 | 
 99 | If redoing this, I'd try using C350C474KBR5TA which is a through-hole part, so may actually fit correctly onto the PCB.
100 | 
101 | #### MOSFET/IGBT
102 | 
103 | The switch element will need to be rated with sufficient voltage & current. I had on-hand a RGT16BM65DTL which is rated for 650V, and 16A continuous (24A pulsed). We'll only be using these in pulse modes.
104 | 
105 | The on/off test time was 13ns/33ns - you want something relatively fast. When I was looking before I found mostly SMD seemed to meet the requirements, so I'd use SMD for this. Both MOSFETs and IGBT should be fine.
106 | 
107 | I would *avoid* logic-level switching devices (fully turned on at 3.3V/5V). They will be more sensitive to gate punch-through due to the lower rating on the maximum Vges. We are going to have lots of "bad noise" around our circuit, and since the source for our switching supply is a 9V battery we can mostly turn on a regular MOSFET/IGBT.
108 | 
109 | The Vges of this device is +/- 30V.
110 | 
111 | 
112 | #### Coil / Injector
113 | 
114 | You'll need something to inject the pulse - I'm using ChipSHOUTER tips I had on-hand. But you can create something by finding a 2mm to 6mm ferrite rod, and wrapping 6 to 10 around it of ~22AWG magnet wire (adafruit sells an assortment that includes 22AWG). Search digikey for 'ferrite rod' in the *Ferrite Cores* category for the cores.
115 | 
116 | You can also just buy ferrite-core inductors - there was a line from Wurth Electronics that seems to be discontinoued now, so I don't have useful part numbers to give you.
117 | 
118 | Add some polymide tape (the 'Kapton' brandname) which is very thin but has good high voltage properties. While the fully isolated nature of your probe should avoid any higher-current paths from the probe tip which would certainly fry your device under test, there may be coupling with direct contact.
119 | 
120 | ## Modification Example
121 | 
122 | The following shows the SMD cap soldered on. Notice I replaced the charge button with one with a very large plastic plunger which I can mount through a case:
123 | 
124 | ![](img/jank1.jpg)
125 | 
126 | Lots of hot glue are used to hold everything in place. Once the case is (almost) closed I only need to touch the plastic charge & pulse buttons.
127 | 
128 | ![](img/jank2.jpg)
129 | 
130 | In this example I mounted a SMA connector, as my coils were built with SMA connectors on them. There is no need to do this if you're only using one coil.
131 | 
132 | You can also use different output methods such as screw terminals if you want to swap coils, but don't want the hassle of building things into SMA connectors.
133 | 
134 | **WARNING: EVERYTHING ON THIS PAGE IS NOT PRESENTED AS A SAFE OR GOOD EXAMPLE OF WAYS TO DO THINGS. THIS IS PRESENTED FOR ENTERTAINMENT PURPOSES ONLY.**


--------------------------------------------------------------------------------
/dangerous-emfi/img/brian_monk_dcschem.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/51638fc67c8c45013a312e6ad43e53dbf86f115c/dangerous-emfi/img/brian_monk_dcschem.gif


--------------------------------------------------------------------------------
/dangerous-emfi/img/dangerous-emfi-crap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/51638fc67c8c45013a312e6ad43e53dbf86f115c/dangerous-emfi/img/dangerous-emfi-crap.png


--------------------------------------------------------------------------------
/dangerous-emfi/img/emfi_types.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/51638fc67c8c45013a312e6ad43e53dbf86f115c/dangerous-emfi/img/emfi_types.png


--------------------------------------------------------------------------------
/dangerous-emfi/img/jank1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/51638fc67c8c45013a312e6ad43e53dbf86f115c/dangerous-emfi/img/jank1.jpg


--------------------------------------------------------------------------------
/dangerous-emfi/img/jank2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/51638fc67c8c45013a312e6ad43e53dbf86f115c/dangerous-emfi/img/jank2.jpg


--------------------------------------------------------------------------------
/rpi-glitching/README.md:
--------------------------------------------------------------------------------
 1 | # Rasperry Pi Glitching Examples
 2 | 
 3 | These are run on a "R-Pi 3 Model B+".
 4 | 
 5 | The base image was "Raspberry Pi OS (32-Bit), Released 2021-10-30".
 6 | 
 7 | ## Glitch Loop
 8 | 
 9 | 
10 | ## RSA Glitching
11 | 
12 | This file is based on a [ChipWhisperer DFA tutorial](https://github.com/newaetech/chipwhisperer-jupyter/blob/master/courses/fault201/SOLN_Lab%202_1%20-%20Fault%20Attack%20on%20RSA.ipynb). You'll find this also detailed in the [Hardware Hacking Handbook](nostarch.com/hardwarehacking) which details a different derivation of how the fault attack works.
13 | 
14 | The description of the fault attack in the ChipWhisperer lab follows a blog post from [David Wong](https://www.cryptologie.net/article/371/fault-attacks-on-rsas-signatures/), who also wrote the great [Real World Cryptography](https://www.manning.com/books/real-world-cryptography) book.
15 | 
16 | This requires you to insert a glitch during the signing operation. To do this we'll use `pycryptodome`, but we're using an old version as current versions have fault protection which you can see [at this line for example](https://github.com/Legrandin/pycryptodome/blob/v3.11.0/lib/Crypto/PublicKey/RSA.py#L171). The protection is to perform a validation that the generated signature validates OK. Note you can bypass that with a more targeted fault injection attack.
17 | 
18 | To run `rsaglitch.py` you'll need to install pycryptodome 3.1 and an accelerated library to perform the factoring. This can be done with:
19 | 
20 | ```
21 | pip install pycryptodome==3.1
22 | sudo apt-get install python3-gmpy2
23 |  ```
24 | 
25 | ## Voltage Glitching
26 | 
27 | If you want to run voltage glitching from the Raspberry Pi itself, you can connect a ChipWhisperer-Lite. This will require you to install ChipWhisperer and fix a few packages on the R-Pi default install:
28 | 
29 | ```
30 | pip install chipwhisperer
31 | pip install -U numpy
32 | sudo apt-get install libilmbase-dev
33 | sudo apt-get install libatlas-base-dev
34 |  ```
35 | 
36 | You'll need to setup the `udev` file as normally required for a [Linux install](https://chipwhisperer.readthedocs.io/en/latest/prerequisites.html#prerequisites-linux), see the or the lazy instructions:
37 | 
38 | ```
39 | sudo bash -c 'printf "SUBSYSTEM==\"usb\", ATTRS{idVendor}==\"2b3e\", ATTRS{idProduct}==\"*\", TAG+=\"uaccess\"\\n" >> /etc/udev/rules.d/50-newae.rules'
40 | sudo bash -c 'printf "SUBSYSTEM==\"tty\", ATTRS{idVendor}==\"2b3e\", ATTRS{idProduct}==\"*\", TAG+=\"uaccess\", SYMLINK+=\"cw_serial%n\"\\n" >> /etc/udev/rules.d/50-newae.rules'
41 | sudo bash -c 'printf "SUBSYSTEM==\"tty\", ATTRS{idVendor}==\"03eb\", ATTRS{idProduct}==\"6124\", TAG+=\"uaccess\", SYMLINK += \"cw_bootloader%n\"\\n" >> /etc/udev/rules.d/50-newae.rules'
42 | sudo udevadm control --reload-rules
43 | sudo usermod -a -G dialout $USER
44 | ```


--------------------------------------------------------------------------------
/rpi-glitching/cw-vglitch.py:
--------------------------------------------------------------------------------
 1 | import chipwhisperer as cw
 2 | scope = cw.scope()
 3 | 
 4 | scope.clock.clkgen_freq = 100E6
 5 | scope.glitch.clk_src = 100E6
 6 | scope.glitch.output = "enable_only"
 7 | 
 8 | scope.io.glitch_hp = True
 9 | 
10 | #Around 1000 causes reset, around 350-400 seemed good
11 | scope.glitch.repeat = 350
12 | 
13 | scope.glitch.manual_trigger()


--------------------------------------------------------------------------------
/rpi-glitching/glitchloop.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 |  
 3 | //gcc glitchloop.c -o glitchloop
 4 | //./glitchloop
 5 |  
 6 | int main(void){
 7 | 	volatile int i, j, k,l;
 8 |  
 9 | 	char status[] = "<>";
10 |  
11 | 	while(1){
12 |  
13 | 	k = 0;
14 | 	for (i=0; i < 10000; i++){
15 | 		for (j=0; j < 10000; j++){
16 | 			k++;
17 | 		}
18 | 	}
19 |  
20 | 	printf("%d %d %d %c\n", i, j, k, status[l++ % 2]);
21 |  
22 | 	}
23 |  
24 |  
25 | }


--------------------------------------------------------------------------------
/rpi-glitching/rsaglitch.py:
--------------------------------------------------------------------------------
 1 | import RPi.GPIO as GPIO
 2 | from Crypto.Signature import PKCS1_v1_5
 3 | from Crypto.Hash import SHA256
 4 | from Crypto.PublicKey import RSA
 5 | from binascii import hexlify, unhexlify
 6 | import gmpy2
 7 | from gmpy2 import mpz
 8 |  
 9 | from tqdm import tqdm
10 |  
11 | message = b'Hello World'
12 | key = RSA.importKey(open('test.key').read())
13 | h = SHA256.new(message)
14 |  
15 | print("Loaded SECRET KEY:")
16 | print("  SECRET KNOWN p: {}".format(key._key['p']))
17 | print("  SECRET KNOWN q: {}".format(key._key['q']))
18 |  
19 | GPIO.setmode(GPIO.BCM)
20 | GPIO.setup(18, GPIO.OUT)
21 |  
22 | p = PKCS1_v1_5.new(key)
23 |  
24 | GPIO.output(18, GPIO.LOW)
25 | GPIO.output(18, GPIO.HIGH)
26 | known_good = p.sign(h)
27 | GPIO.output(18, GPIO.LOW)
28 |  
29 | pbar = tqdm(total=0)
30 |  
31 | while True:
32 | 	GPIO.output(18, GPIO.LOW)
33 | 	GPIO.output(18, GPIO.HIGH)
34 | 	output = p.sign(h)
35 | 	GPIO.output(18, GPIO.LOW)
36 |  
37 | 	#output = b'\x93\x07\xc0\x02\xc9\x85\n\xb3lY\xad\xb4hY\xf1\x18\x8c\x05\xc0\xa7\xf5\x02y\xd907/\xb7\xc8>\x99d\xba\xdf\xda_\xb29\x9ao\xf2\x11X\x883u\xa0Wm\x921\xb3_H\x89T\x8c\xd2\xb9\xa0\xeb7\xa2\x14\xd4&y\x88Xf\xfb\xb0%\xbb2\x08`\xb8l\xaa\x93\x85\x8965\x17\xef(\x07\x04P\xb9\xc0E\x14\xeeD\x9e2\xd2"\x93i\xd3$x\x82\xdd\x81*g\xd8\x7f\xf7\xf3\x91\x913\x04\xffL\x89<\x9f\x1d\xeb:x\xf4\x86\xcf\x8b\xa8\xf1\xf8"G!\xcf\x15\xee\xd63\xe0js\x17t@\x84{\xc8\x0f\xe7:q\xccn\xf7\xeey<\x0e\xab\x01\x19 \xe8{a\xb4\xa1\x8b\x19~\x87\xb1\xe2W9\xa2HC\x1c\x9fOU\x1f\x8d\xcdk\\]\t\x8e(\xe2\x1c\x96\xed]\xb1M\xb5F\xa3\xca\xd6\xbe\xccb\x87C\xbfE>\xbbU\xe6\xf4\xba\xe5\x95K!\xce\xad\nW{+0\xca\x0eX\x92<\x91\x89\rK\xdb\x00]\x0c\xe1\x04"\x1c\xf8/\xcd\x96\xc3\xfa\x9f'
38 | 	#output = b'\xc9\xa0\x14\x0f\xad\xd3\xb2\x9dK\x15\xe7Zg{\x98\x04n{\xedP\xbc\xb2Ek\x04\xa4\x14\x00\xe5wEg}\x13\x98\x9e\xfe\x82\x90\xbdl\x81\n!\xf9\xf1uAE\x8e\x13\xf6\xb0[\xaab\x89d\x10\xfc\x91\x19s6\xaaRz\xa9\x06F\xc8\xf3\xd4+\x14*!S3\x93hU\xf7\xf12i,\xbdq\x1dS*&\xac\xab\xdc\xad\xbe\xa0\x0e\xef\xa6\xb1\xb1\x95r\xa1\xd8\x95\xcb)\x02\xcd\xc1\xe4\x98\xfeD\xbd\xb1\xa2\x13\xa8\\\xedSt^\xb72k\x89\x08%\x7fy+B\xc7\xe5>A1f\x05h\xec\xfc53\xb1\xb1\xa4\xbc-\x9bI\x7f\xb0V\xccw\x9f\x96\xe8\x83\xef\x1cq-\x1b+\x16\xa6n\x0e\xa6\x98V\xf0\xcf\x93\x97WO\t\xe4/\xeb8\xf4\xb5:\x1bc\x02\x1fz\x1fb\x8d\xcf\xac\xf0\xd2|\xb8\x13\xa62h\x85\x10\xa5\xc61\xe4em\xdcT=1*\x1a\xa2v;\x862<-\x8d\xbdJ\xd32\n\x96\xbb\xac\xb13\xda\xf6A\x00\xc9\x01\xcb\x10\xe4R\xee\xaeE'
39 |  
40 | 	if output != known_good:
41 | 		print(output)
42 | 		break
43 | 	pbar.update(1)
44 |  
45 | pbar.close()
46 |  
47 | def build_message(m, n):
48 |     sha_id = "3031300d060960864801650304020105000420"
49 |     pad_len = (len(hex(n)) - 2) // 2 - 3 - len(m)//2 - len(sha_id)//2
50 |     padded_m = "0001" + "ff" * pad_len + "00" + sha_id + m
51 |     return padded_m
52 |  
53 | e = mpz(int.from_bytes(key._key['e'].to_bytes(), "big"))
54 | n = mpz(int.from_bytes(key._key['n'].to_bytes(), "big"))
55 |  
56 | print("PUBLIC e: {}".format(e))
57 |  
58 | hashed_m = hexlify(h.digest()).decode()
59 | padded_m = build_message(hashed_m, n)
60 | print("Hashed: {}".format(hashed_m))
61 | print("Padded: {}".format(padded_m))
62 |  
63 | sig = output
64 |  
65 | sig_int = mpz(int.from_bytes(sig, "big"))
66 | m_int = mpz(int.from_bytes(unhexlify(padded_m), "big"))
67 | p_test = gmpy2.gcd(m_int - sig_int ** e, n)
68 |  
69 | print("RECOVERED 0: {}".format(p_test))
70 | print("RECOVERED 1: {}".format(n//p_test))


--------------------------------------------------------------------------------
/rpi-glitching/test.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEpQIBAAKCAQEA2ArcZYaa4c6/iBiCKYqh2Nt063+YXWrtXQeJd2XdAL6Q+JSP
 3 | amDzA+W4ag34xio1iIoLL0ax66ZsIxTQg3rEz0HhPkOCiaYXIHC6MMi2atlXfUht
 4 | 47hDiJpWnZDcKMTWD7JpvXIlDsQI/kZqaeZNRcRLC2ZDaYvSE7XpV8pGvVl+xMGs
 5 | +LaNwmk+f4wSXrSOGLR0O3x3ekKkU3cy/qmc2/4D7rLaft/4Gu7PuWHFyYbK4S4s
 6 | s2IFQAbrZNbi0r5tfaZ6VqtMc9UgBK3JKFHJvGgjSo7Ni5WqEgFUrSlyJ7MicjYg
 7 | UxfnzWsBIWbbt2YZXsjuz0xD6iENu2FDy5rzpwIDAQABAoIBAQCEs08jMWXrM3Ik
 8 | J2G0IIo/SLVtfcdaAjbgQKPoafIw5dzoQ2BAKGK8zxrSUdiv5/dP8fLizBq3M1cS
 9 | yVM2n29KGx4+f3ssD4//Bh7nnjGmOe/qbVXKXUFmI972E6eXhygxJhabHgSzKCiZ
10 | /yiX+bUXGHY7/0mDCDY2kzNMEFwZK0DHUFql1QJhWeKKlMx6GMHJeU5LB7xdqaLi
11 | RZqsbKgxwrLmNFXHl6nl968w7ZCXyAypZNqtvYmS5C2kWF4B1UG3eEVmNFwrZNp+
12 | hIIlA8ARm1j/rWaC4tSvxauqLfA+BeWEevriAzH8dahOsTyY6t6FSOTmy/Fk/G3K
13 | zfV0JviRAoGBAP6ikVU/wvHOV2c7hfYd63d7Pwv7sYk0zt5JUNv/LDhVaywfYG0s
14 | CfjfFFMpmGl8eQOet0CzIpCNDcmvmY5wVIdNvszsib7z2lWw4gbMEMY2VYN90Npg
15 | 6/MA4hajF1ZL7EgH5Kg7KOj7Pk8FX9B0ZTOctsWDEc0++VIogQsOw60vAoGBANkz
16 | VUW0dsjN6uixq+as4C/HKdH3eQZW3UrojLVYxKV/Y1pM2Y8s6WJFoW9S4JG7ICeF
17 | Gh4qvYr3myRP4Eg68FdKtc6vKh3V8/lFPteVvN67Y0cCRFsXUlhgh8N8txiO5XoW
18 | EKHTBaDzg10p+gl8iNjitH3eKOxGRRbhoGpg/rMJAoGBAJjXp/jNvww52QjkF7L1
19 | nqMnXV6qA5TiF9Ihm+GRt09RJnVjmBOvvYSfEqoga5XV2yWrHUA+xl6R7FbFipyP
20 | HI3iwsZqrPvrj4CkHegKkX8ImifFW5nZV4eTXiJMXvOzuu45nqzEZfgC5xGzniGX
21 | 3C8wwByqYgMa67i/C0ZB5H6NAoGAdgcEFn3LcrEbLtmlnRNiO/RRUGzXUk+Pry4R
22 | kFYtffVsatyJ+Nih9in6YME7kVWLUo5ss+nr2AFXR/Mz4GxOwFCz3R2omE/0ZQdw
23 | 77vJx4sylpqvxIQ21hmWjO9Pm8PDBYXKAfXnACBzyQOPgOowfxMqm59Gw6Yn0xhG
24 | kKgmn+kCgYEAknYJF+DrvSGEw0+WRGIHFrXbxpsJa0BwXbchzUxJBwLYPx+DfICz
25 | sJPKCEE2qWmvN3EM63wwGDpGqJI5SYxP0Oi6aqWYl0WpIU10hQF38qlyNNcEg1Pl
26 | y4AJf+xzD9BBZyRAeW1hDO9Yb7m8joObdhiigJGEcDZS8lak0ZlxgfU=
27 | -----END RSA PRIVATE KEY-----


--------------------------------------------------------------------------------