Hands-On DEFCON 22 Badge

view of front and back

It took a measly 2-hours in line to score myself entry to DEFCON and this nifty badge. I spent the rest of the afternoon running into people, and I took in the RFIDler talk. But now I’m back in my room with a USB cord to see what might be done with this badge.

First the hardware; I need a magnifying glass but I’ll tell you what I can. Tere are huge images available after the break.

  • Parallax P8X32A-Q44
  • Crystal marked A050D4C
  • Looks like an EEPROM to the upper right of the processor? (412W8 K411)
  • Something interesting to the left. It’s a 4-pin package with a shiny black top that has a slightly smaller iridesent square to it. Light sensor?
  • Tiny dfn8 package next to that has numbers (3336 412)
  • Bottom left there is an FTDI chip (can’t read numbers)
  • The DEFCON letters are capacitive touch. They affect the four LEDs above the central letters.

I fired up minicom and played around with the settings. When I hit on 57600 8N1 I get “COME AND PLAY A GAME WITH ME”.

Not sure where I’m going from here. I don’t have a programmer with me so not sure how I can make a firmware dump. If you have suggestions please let me know in the comments!

defcon22-front-huge

defcon22-back-huge

 

Comments

  1. NotArduino says:

    Did you reconfigure the FTDI and enable the GPIOs? What happens when you toggle those?

  2. Mike Szczys says:

    Here’s a capture of the output from FTDI. It repeats and then I hit one of the capacitive sensors near the end.

    cat -A /dev/ttyUSB0
    ^@^@ DO NOT QUESTION AUTHORITY^M NO IMAGINATION^M MARRY AND REPRODUCE^M CONFORM^MWATCH TV^M OBEY^M SUBMIT^M MARRY AND REPRODUCE^M NO IMAGINATION^M WORK EIGHT HOURS^M OBEY^MOBEY^MMARRY AND REPRODUCE^M CONFORM^M NO INDEPENDENT THOUGHT^M MARRY AND REPRODUCE^M MARRY AND REPRODUCE^M SUBMIT^M EAT^M BUY^M WORK EIGHT HOURS^M OBEY^M MARRY AND REPRODUCE^M NO INDEPENDENT THOUGHT^M NO IMAGINATION^M SUBMIT^M WATCH TV^M CONSUME^M WORK EIGHT HOURS^M CONSUME^M OBEY^M DO NOT QUESTION AUTHORITY^M CONSUME^M STAY ASLEEP^M BUY^M NO INDEPENDENT THOUGHT^MCONSUME^M WORK EIGHT HOURS^M STAY ASLEEP^M WORK EIGHT HOURS^M BUY^M NO IMAGINATION^MBUY^M NO INDEPENDENT THOUGHT^M DO NOT QUESTION AUTHORITY^M SUBMIT^M NO INDEPENDENT THOUGHT^M CONFORM^M WORK EIGHT HOURS^M OBEY^M EAT^M OBEY^M SUBMIT^M STAY ASLEEP^M WATCH TV^M MARRY AND REPRODUCE^M WORK EIGHT HOURS^M STAY ASLEEP^M OBEY^M NO INDEPENDENT THOUGHT^M SUBMIT^M BUY^M WORK EIGHT HOURS^M MARRY AND REPRODUCE^M DO NOT QUESTION AUTHORITY^M CONSUME^M SUBMIT^M BUY^M EAT^M CONSUME^M CONFORM^M SUBMIT^M EAT^M BUY^M DO NOT QUESTION AUTHORITY^M NO IMAGINATION^MWATCH TV^M CONSUME^M CONSUME^M WORK EIGHT HOURS^M STAY ASLEEP^M MARRY AND REPRODUCE^M EAT^M NO INDEPENDENT THOUGHT^M CONSUME^M WATCH TV^M CONFORM^M OBEY^M MARRY AND REPRODUCE^M STAY ASLEEP^M NO INDEPENDENT THOUGHT^M STAY ASLEEP^M NO IMAGINATION^M CONSUME^M DO NOT QUESTION AUTHORITY^M NO INDEPENDENT THOUGHT^M WORK EIGHT HOURS^M BUY^M BUY^M STAY ASLEEP^M CONSUME^M CONFORM^M EAT^M MARRY AND REPRODUCE^M EAT^M DO NOT QUESTION AUTHORITY^M SUBMIT^M NO INDEPENDENT THOUGHT^M WATCH TV^M WORK EIGHT HOURS^M SUBMIT^M BUY^M SUBMIT^M EAT^MNO IMAGINATION^M OBEY^M NO IMAGINATION^M WATCH TV^M NO IMAGINATION^M NO INDEPENDENT THOUGHT^M WATCH TV^M STAY ASLEEP^M MARRY AND REPRODUCE^M BUY^M^PWELCOME TO DEFCON TWENTY TWO^M^MCOME AND PLAY A GAME WITH ME^M^M

    • Figureitout says:

      Lol neat; been working w/ cap. touch for awhile. Are they sliders or single buttons?

      I prefer being able to visually see traces on boards too…b/c well I’m paranoid.. : /

    • Mike Szczys says:

      Touch Letters and get messages:
      O: WHERE TO BEGIN I KNOW FIND HAROLD^M (LEDs scan back and forth)
      E: ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK^M (LEDs split in half, scanning opposite of each other)
      E-O Together: WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE (lights go off)
      F-C Together: TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER^M^C (four center lights blink quickly and outer two on either side blink alternating)
      F-O Together: DEFCON DOT ORG SLASH ONE ZERO FIVE SEVEN SLASH I WONDER WHAT GOES HERE^M (alternating chase pattern)

      • Figureitout says:

        So self-cap touch buttons. Oh man, so funny. They really got it programmed. Kind of like you guy’s THP mystery games lol. Well, I wonder where all those pin-holes lead to…

        • Figureitout says:

          Ah, actually I couldn’t see before b/c of the white. You can make out some of those pins, where they lead. Can’t help w/ the programmers though, haven’t worked w/ those chips much… USB access could be fruitful though, if it has like some sort of SWD thru USB.

          Check the sites and maybe get some software/read up: http://www.parallax.com/product/p8x32a-q44

    • Simon says:

      It is quoting “They Live”…

      http://en.m.wikiquote.org/wiki/They_Live

      Subliminal Messages on Billboards and Magazines: “OBEY“, “MARRY AND REPRODUCE“, “NO INDEPENDENT THOUGHT”, “CONSUME“, “CONFORM”, “SUBMIT”, “STAY ASLEEP”, “BUY”, “WATCH TV”, “NO IMAGINATION”, “DO NOT QUESTION AUTHORITY”

  3. Jackass Glass says:

    WHERE TO BEGIN I KNOW FIND HAROLD
    WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE
    TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER
    ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK

    07-21-18-03-18-05-05-22-01-03-14-20-18-06
    10-22-25-25-21-18-25-03-12-02-08-19-22-01
    17-12-02-08-05-16-14-25-25-22-01-20-15-08
    07-17-02-01-07-15-18-17-08-03-18-17-16-08
    07-17-02-10-01-07-21-18-10-02-02-17-06-07
    21-18-12-15-18-18-05-17-02-06-10-57-10-57

  4. David Kuder says:

    If its wired up like normal, the DTR line from the FTDI is used as reset. The prop bootloader will very briefly accept a binary uploaded via serial, and then give up and load the eeprom contents. There are eeprom dumpers out there for the prop which you just load into ram and run.

  5. Kender says:

    Did you try 1057 yet?

  6. Hmmm. I wonder if square pin vs round pin on the side connectors have meanings? Binary?

    Also, holy solder jumpers batman. I wonder if it tries to read the LEDs as inputs as well. So much fun stuff could be hidden.. Hmm…

    Also note “F-O Together: DEFCON DOT ORG SLASH ONE ZERO FIVE SEVEN SLASH I WONDER WHAT GOES HERE^M (alternating chase pattern)”
    1057 is on the back there.

    • Pins left to right, top to bottom give 0x6576666577468583, assuming round is 0 and square is 1, for what it’s worth. 0x9A89999A88B97A7C if round is 1 and square is 0.

      0b0110010101110110011001100110010101110111010001101000010110000011
      and
      0b1001101010001001100110011001101010001000101110010111101001111100

      • “TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER”

        Perhaps coincidentally, if you start with ‘657’, there are two phone numbers in 0x6576666577468583, albeit slightly overlapped, 657 area code is from LA. No, I wouldn’t go calling them, but perhaps by some stretch of the imagination, one is part of the answer to this question?

    • icanhazadd says:

      07-21-18-03-18-05-05-22-01-03-14-20-18-06
      10-22-25-25-21-18-25-03-12-02-08-19-22-01
      17-12-02-08-05-16-14-25-25-22-01-20-15-08
      07-17-02-01-07-15-18-17-08-03-18-17-16-08
      07-17-02-10-01-07-21-18-10-02-02-17-06-07
      21-18-12-15-18-18-05-17-02-06-10-57-10-57

      Terminated with “10-57″ twice

  7. Matt C says:

    If you touch the ‘E’ and the ‘O’ together, the LEDs go out, and you get “WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE” on the serial port. It’s another quote from They Live, which was quoting Robert Frost. Frost was responding to a statement by president Eisenhower in 1949 that, “The path to America’s future lies down the middle of the road between the unfettered power of concentrated wealth and the unbridled power of statism or partisan interests.”

    • PunkD!S says:

      ok so it seems it could be Harold Finch’s phone number from person of Interest. But the problem is finch’s isnt really harold last name. if you google Harold finch’s number it comes up with
      9172857362

    • Matt C says:

      I’m not entirely sure how I did it – I was swiping my finger back and forth across the letters – but I got this: “TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER”

  8. Figureitout says:
  9. Apparently this is on the CD: http://pastebin.com/raw.php?i=v1dxVbQJ

  10. Taniwja says:

    what happens when you scratch the surface off the hidden cap sensors?

  11. notrequired says:

    Don’t forget to run ‘strings’ on images, such as the files on the CD or on the 1057/1057 page?

  12. cirrus says:

    TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER

  13. icanhazadd says:

    DATA=’07-21-18-03-18-05-05-22-01-03-14-20-18-06-10-22-25-25-21-18-25-03-12-02-08-19-22-01-17-12-02-08-05-16-14-25-25-22-01-20-15-08-07-17-02-01-07-15-18-17-08-03-18-17-16-08-07-17-02-10-01-07-21-18-10-02-02-17-06-07-21-18-12-15-18-18-05-17-02-06-10-57-10-57′.split(‘-‘)
    message =”
    for letter in DATA:
    letter = (int(letter)+13)%26
    message=message+”%s”%chr(int(letter)+64)
    print message
    OUTPUT
    THEPERRINPAGESWILLHELPYOUFINDYOURCALLINGBUTDONTBEDUPEDCUTDOWNTHEWOODSTHEYBEERDOSWRWR:

  14. Cory says:
  15. Ron says:

    When a badge with the goon eeprom is in vicinity, terminal displays the message:

    THEY LIVE WE SLEEP

  16. cr0sh says:

    I realize that the source code to the badge was posted, but I haven’t opened the archive – so I can’t comment on what the code actually does. Maybe it is perfectly innocuous…but are you sure it is? Also – is the source code posted the same (compiles to) as the firmware on the badge?

    I don’t know about others, but I would be rather wary about taking an unknown (especially if you didn’t know about the source code up front) device, obtained from one of the largest hacker conferences in the world, and just plugging it into a USB port on a personal machine (unless that machine was specifically meant for such “testing”).

    I know DefCon isn’t the same as the Black Hat conference…

    • lionxl says:

      Most of those are on a pizza and ramen noodles diet, and have no desires to be ‘evil’. I’d trust a cd/usb stick from them long before I would from Sony/MS/Google.

    • Leithoa says:

      It’s just a good practice to not take any electronics you care about to any hacker conference.
      The organizers have a vested interest in keeping the con’s going every year so official contests aren’t likely to be malicious.
      Who knows about attendees though

  17. Jac Goudsmit says:

    Unless the schematics are lying, there’s no reason to believe that there’s any mystery around the FTDI chip. It’s simply used as a USB to serial converter, that’s all.

    The 32-pin headers on the left and right, and the two 8-pin headers near the top are very likely to be based on the Propeller Platform. Jon McPhalen (j0hnnym@c) is the author of the software, and he developed that platform a couple of years ago. The two 8-pin headers are for connecting power to other boards (on a real Prop Platform board they would be in line with the 32-pin headers), and the two 32-pin headers carry the P0 to P15 pins (on the left, top down), and the P16-P31 pins (on the right, bottom-up). Each Propeller pin is connected to two header pins. The square solder islands on the headers are probably hints to the “mystery” but are probably not electrically important. The headers should make it possible to re-use the hardware for other purposes.

    P0 to P3 are set up as touch buttons and from the other responses in this thread I’m seeing that they are connected to the E F C O letters in DEFCON. I can’t see from the pictures in which order they’re connected. It looks like there are 5 touch patterns that the program recognizes: 0001, 0101, 0111, 1000 and 1001. Each touch pattern starts a different sequence on the LEDs, and generates a different message on the terminal.

    Extracting the EEPROM content and running “strings” is not going to help you. But a look at the source code shows that it uses Caesar cyphers where each letter in the alphabet is replaced by another letter that’s n places higher or lower in the alphabet, where n is constant for the entire message.

    It also uses One-Time-Pad encryption, where each letter is replaced by a different letter based on the encryption key where an A in the encryption key means no change, B means shift one letter etc (e,g, A+B=B, K+C=M etc).

    The source code has some encrypted strings, which are decrypted as they’re sent to the serial port. There are also some unused messages in encrypted and clear-text format. The IR transmitter and receiver don’t appear to be used in the published source code; perhaps what’s on the badge when you get it is different from what they put online, or you need to get a different badge (the source file is called “dc22_badge_human.spin”) with so-far unpublished software to get more functionality.

    The EEPROM is 64K but the Prop only uses 32K to run the software; there’s code on-board to access the rest of the EEPROM but it’s apparently not in use in the published source.

    Hope this gets people started…

  18. raz0r says:

    What do you make of the different lanyard types (diskette, rotary, defcon logo, keyhole, etc. They each have special characters on the neck which look like they could be possibly used to configure the board for different purposes.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,571 other followers