Itzael Martinez

Full Stack & Reverse Engineer

About Me

I'm a 26-year-old engineer based out of Dallas, TX with experience and interest across all layers of the stack. I consider myself to be a strongly motivated self-learner who is not afraid to jump into new fields, be it part of a project or out of curiosity. As a result, I've picked up various skills that show me to be a quick and versatile learner.

Skills & Expertise

Proficient

JavaScript/TypeScript, NodeJS, Next.js, React, Tailwind, HTML, CSS, REST APIs, Wireshark, Burp Proxy, mitmproxy

Comfortable

Java, C#, .NET, Unity, IDA Pro, Ghidra, Android Decompilation, Proxmox, Docker, K8s, Networking, UniFi

Familiar

Embedded C++, Rust, Saleae Logic, J-Link, GDB

Experience

Freelance Security

  • Foresight Sports
    2024

    A misconfigured debugging service on a golf launch monitor allowed for root access, enabling further inspection into the device's licensing and validation scheme.

  • Dick's Sporting Goods
    2024

    The lack of input sanitization in a third-party integration used across DSG's eCommerce platform allowed customers to order an item at any set price. Lack of checks in the supply chain meant the order would be processed and fulfilled successfully with the modified price.

  • Arccos Golf
    2023

    Improper permissions and SQL injection in Arccos's Caddy service allowed any user to access the internal database and its stored information, including user email addresses, living addresses, and credit card information. A user's trial to the service could also be reset infinitely, allowing use without paying an annual subscription fee.

  • Pace Technology
    2022

    Using hardware analysis to extract the firmware of a golf cart management tablet, unauthenticated endpoints were found allowing anyone to query the live locations of all golf carts managed by any golf course on the platform.

  • Banjercito
    2020

    Exposed server logs and misconfigured file download permissions allowed for the discovery and downloading of sensitive user documents including US passports, vehicle titles/registrations, and birth/marriage certificates.


Hindsight

  • Owner, Developer
    2024 – Current

Originally a project developed for self use, Hindsight now provides remote Golf Simulation software instances for a close group of users. Running on a home server and powered by Proxmox, virtualized instances of Windows with GSPro are provided in order to make golf simulation more accessible. Users with supported launch monitors can play simulation golf without the need for an expensive PC and graphics card, providing the full simulation experience on low power devices such as laptops and tablets.

Hindsight is a Docker-based self-hosted platform using Next.js and React, with a NodeJS backend handling device licensing/authentication and a PocketBase instance as the database. Integration with Proxmox APIs allows spinning up pre-configured Windows images as required with PCIe passthrough to GPUs and streaming support.


Homelab

  • 2021 – Current

Managing various servers across two homes in two countries, running on UniFi network stacks and connected via VPNs. Servers are powered by Proxmox and host a variety of services in LXC, Docker containers, and virtual machines. Remote servers manage a home automation and video security system for observation and safety of a vacation home. Local servers act as hosts for the Hindsight service as well as personal services such as a Git server, family business tools, current projects, and more. A previous iteration of my service stack relied on a set of 5 OptiPlex uSFF PCs in a k8s cluster.


MTZ Construction

  • Family Business - Operations
    2020 – Current

After years of observing the ins and outs of my family's construction business, I stepped in with improvements and suggestions on how to efficiently handle day-to-day tasks, including:

  • Improved expense tracking on a per-job basis, moving from physical receipts and notebooks to scanned documents processed by OCR and tracked in spreadsheets

  • Managing proposals and client communications via email and SMS, keeping a record of given quotes and estimates

  • Coordinating supply and material purchasing as well as deliveries to job sites

  • Implementing debit/credit cards and electronic checks as supported payment methods alongside modern invoicing


Projects

SiriusXM Receiver Protocol Research

IDA Pro, Embedded C++, Saleae Logic, Python, KiCAD

I set out to reverse engineer and understand the protocol used by third-party auto headunits to connect to the SXV300, an aftermarket satellite receiver sold by SiriusXM. By decompiling and reversing various auto headunit firmwares, I could record, decode, and document the serial protocol in use and develop my own client. Using KiCAD, I am prototyping an RP2040-powered board that will allow users to connect a receiver and access radio streams over the network.


Frenzy, OTT Streaming Research

Android Decompilation, JavaScript, Next.js, NodeJS, Tailwind

Frenzy Website

Researching, decompiling, and debugging apps and websites of popular sports streaming services led to the discovery of legacy unauthenticated endpoints and an understanding of their video DRM systems. With this knowledge, I developed and hosted my own implementation of a video player that allows me to watch sports streams without needing an active cable or service subscription.


Zebra MC33 Bootloader Research/Unlock

IDA Pro, C++, Python

Analysis of the chipset in a Zebra MC33 led to finding a derivative with an available exploit. After porting the exploit, I dumped and decompiled the bootloader in order to determine whether unlocking functionality could be restored. Using Android and Qualcomm source code, the bootloader was patched to enable unlocking and the ability to flash custom boot images, including a Magisk-patched kernel to allow root access.


webedl-client

WebUSB, React, Tailwind

A browser demo of a client for Qualcomm's Emergency Download Mode, powered by WebUSB. bkerler's Python client was used as reference, with the goal of a portable solution that doesn't require drivers, udev rules, or a prebuilt Linux ISO.


Sony VCR Serial Automation

Saleae Logic, Embedded C++, React

Implemented the Sony SIRC protocol using a Tiny2040 development board to control and automate VCR functions during the process of digitizing VHS tapes using vhs-decode. The board would expose a serial port that accepted commands from a script or webpage using Web Serial APIs.


Phoenix, Tap Tap Revenge 4 Media Server

NodeJS, Objective-C

After the shutdown and discontinuation of the mobile rhythm game Tap Tap Revenge, I collected all available DLC and wrote a replacement storefront implementation using NodeJS in order to keep the game running. A Cydia Substrate tweak was written to replace the game's API endpoints at runtime.


Hobbies & Interests

Alongside reverse engineering and development work, I have an interest in retro and legacy systems. Keeping old devices alive and allowing them to interface with modern software has proven to be a useful learning endeavor. Old PDAs and phones such as early Palm, first generation Android devices, and Java-based feature phones are of particular interest.

Learning to develop and prototype custom hardware designs has also led to an interest in CAD and 3D printing. I have assembled and built 3D printers such as the Voron 2.4 and Voron 0.2 as well as modified firmware for the embedded boards that power them.

When not on a computer, I find interest in auto racing and golf. While I consider it a change of scenery from the work I do, I find myself thinking of ways I could apply my skills to break into these fields.