Hands-On DEFCON 22 Badge

It took a measly 2 hours in line to score myself entry to DEFCON and this nifty badge. I spent the rest of the afternoon running into people, and I took in the RFIDler talk. But now I’m back in my room with a USB cord to see what might be done with this badge.

First the hardware; I need a magnifying glass, but I’ll tell you what I can. There are huge images available after the break.

  • Parallax P8X32A-Q44
  • Crystal marked A050D4C
  • Looks like an EEPROM to the upper right of the processor? (412W8 K411)
  • Something interesting to the left. It’s a 4-pin package with a shiny black top that has a slightly smaller iridescent square to it. Light sensor?
  • Tiny dfn8 package next to that has numbers (3336 412)
  • Bottom left there is an FTDI chip (can’t read numbers)
  • The DEFCON letters are capacitive touch. They affect the four LEDs above the central letters.

I fired up minicom and played around with the settings. When I hit on 57600 8N1 I get “COME AND PLAY A GAME WITH ME”.

Not sure where I’m going from here. I don’t have a programmer with me so not sure how I can make a firmware dump. If you have suggestions please let me know in the comments!

[Image: defcon22-front-huge]

[Image: defcon22-back-huge]

45 thoughts on “Hands-On DEFCON 22 Badge”

      1. FTDI chips allow you to repurpose the other lines (RTS, CTS, etc) as GPIO pins. You can reconfigure them with a special utility that writes to the EEPROM in the chip. You should probably read the EEPROM first before writing though…maybe there’s another clue in it.

        1. From the looks of the image they didn’t save money by going with the FT230X…they went with more pins for a reason I’m guessing. If you have a multimeter and patience, you could determine if any connections other than RX and TX and GND connect between the FTDI and the processor.

  1. Here’s a capture of the output from FTDI. It repeats and then I hit one of the capacitive sensors near the end.

    cat -A /dev/ttyUSB0
    ^@^@ DO NOT QUESTION AUTHORITY^M NO IMAGINATION^M MARRY AND REPRODUCE^M CONFORM^MWATCH TV^M OBEY^M SUBMIT^M MARRY AND REPRODUCE^M NO IMAGINATION^M WORK EIGHT HOURS^M OBEY^MOBEY^MMARRY AND REPRODUCE^M CONFORM^M NO INDEPENDENT THOUGHT^M MARRY AND REPRODUCE^M MARRY AND REPRODUCE^M SUBMIT^M EAT^M BUY^M WORK EIGHT HOURS^M OBEY^M MARRY AND REPRODUCE^M NO INDEPENDENT THOUGHT^M NO IMAGINATION^M SUBMIT^M WATCH TV^M CONSUME^M WORK EIGHT HOURS^M CONSUME^M OBEY^M DO NOT QUESTION AUTHORITY^M CONSUME^M STAY ASLEEP^M BUY^M NO INDEPENDENT THOUGHT^MCONSUME^M WORK EIGHT HOURS^M STAY ASLEEP^M WORK EIGHT HOURS^M BUY^M NO IMAGINATION^MBUY^M NO INDEPENDENT THOUGHT^M DO NOT QUESTION AUTHORITY^M SUBMIT^M NO INDEPENDENT THOUGHT^M CONFORM^M WORK EIGHT HOURS^M OBEY^M EAT^M OBEY^M SUBMIT^M STAY ASLEEP^M WATCH TV^M MARRY AND REPRODUCE^M WORK EIGHT HOURS^M STAY ASLEEP^M OBEY^M NO INDEPENDENT THOUGHT^M SUBMIT^M BUY^M WORK EIGHT HOURS^M MARRY AND REPRODUCE^M DO NOT QUESTION AUTHORITY^M CONSUME^M SUBMIT^M BUY^M EAT^M CONSUME^M CONFORM^M SUBMIT^M EAT^M BUY^M DO NOT QUESTION AUTHORITY^M NO IMAGINATION^MWATCH TV^M CONSUME^M CONSUME^M WORK EIGHT HOURS^M STAY ASLEEP^M MARRY AND REPRODUCE^M EAT^M NO INDEPENDENT THOUGHT^M CONSUME^M WATCH TV^M CONFORM^M OBEY^M MARRY AND REPRODUCE^M STAY ASLEEP^M NO INDEPENDENT THOUGHT^M STAY ASLEEP^M NO IMAGINATION^M CONSUME^M DO NOT QUESTION AUTHORITY^M NO INDEPENDENT THOUGHT^M WORK EIGHT HOURS^M BUY^M BUY^M STAY ASLEEP^M CONSUME^M CONFORM^M EAT^M MARRY AND REPRODUCE^M EAT^M DO NOT QUESTION AUTHORITY^M SUBMIT^M NO INDEPENDENT THOUGHT^M WATCH TV^M WORK EIGHT HOURS^M SUBMIT^M BUY^M SUBMIT^M EAT^MNO IMAGINATION^M OBEY^M NO IMAGINATION^M WATCH TV^M NO IMAGINATION^M NO INDEPENDENT THOUGHT^M WATCH TV^M STAY ASLEEP^M MARRY AND REPRODUCE^M BUY^M^PWELCOME TO DEFCON TWENTY TWO^M^MCOME AND PLAY A GAME WITH ME^M^M

    1. Lol neat; been working w/ cap. touch for a while. Are they sliders or single buttons?

      I prefer being able to visually see traces on boards too…b/c well I’m paranoid.. : /

      1. Of course visually the traces can be completely falsified…nm. And a PCB antenna could be EASILY hidden on that board of yours.

    2. Touch Letters and get messages:
      O: WHERE TO BEGIN I KNOW FIND HAROLD^M (LEDs scan back and forth)
      E: ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK^M (LEDs split in half, scanning opposite of each other)
      E-O Together: WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE (lights go off)
      F-C Together: TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER^M^C (four center lights blink quickly and outer two on either side blink alternating)
      F-O Together: DEFCON DOT ORG SLASH ONE ZERO FIVE SEVEN SLASH I WONDER WHAT GOES HERE^M (alternating chase pattern)

      1. So self-cap touch buttons. Oh man, so funny. They really got it programmed. Kind of like you guys’ THP mystery games lol. Well, I wonder where all those pin-holes lead to…

        1. Ah, actually I couldn’t see before b/c of the white. You can make out some of those pins, where they lead. Can’t help w/ the programmers though, haven’t worked w/ those chips much… USB access could be fruitful though, if it has like some sort of SWD thru USB.

          Check the sites and maybe get some software/read up: http://www.parallax.com/product/p8x32a-q44

    3. It is quoting “They Live”…

      http://en.m.wikiquote.org/wiki/They_Live

      Subliminal Messages on Billboards and Magazines: “OBEY”, “MARRY AND REPRODUCE”, “NO INDEPENDENT THOUGHT”, “CONSUME”, “CONFORM”, “SUBMIT”, “STAY ASLEEP”, “BUY”, “WATCH TV”, “NO IMAGINATION”, “DO NOT QUESTION AUTHORITY”

  2. WHERE TO BEGIN I KNOW FIND HAROLD
    WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE
    TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER
    ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK

    07-21-18-03-18-05-05-22-01-03-14-20-18-06
    10-22-25-25-21-18-25-03-12-02-08-19-22-01
    17-12-02-08-05-16-14-25-25-22-01-20-15-08
    07-17-02-01-07-15-18-17-08-03-18-17-16-08
    07-17-02-10-01-07-21-18-10-02-02-17-06-07
    21-18-12-15-18-18-05-17-02-06-10-57-10-57

    1. That can substitution cipher to THE PERRIN PAGES WILL HELP YOU MIND YOUR CALLING BUT DON T BE DUPED CUT DOWN THE WOODS THEY BEER DO S

  3. If it’s wired up like normal, the DTR line from the FTDI is used as reset. The Prop bootloader will very briefly accept a binary uploaded via serial, and then give up and load the EEPROM contents. There are EEPROM dumpers out there for the Prop which you just load into RAM and run.

    1. > Something interesting to the left. It’s a 4-pin package with a shiny black top that has a slightly smaller iridescent square to it. Light sensor?

      From http://forums.parallax.com/showthread.php/156782-DEFCON-22-Badge-Code-Schematics-and-Information-Here

      …an infrared LED and receiver for badge-to-badge communication…

      … The contest code is available as a zip archive, below. The contest code initially excludes the infrared communication method required for the contest, yet the infrared objects are included…

      A short video showing how the Uber badge controls the other ones:

  4. Hmmm. I wonder if square pin vs round pin on the side connectors have meanings? Binary?

    Also, holy solder jumpers batman. I wonder if it tries to read the LEDs as inputs as well. So much fun stuff could be hidden.. Hmm…

    Also note “F-O Together: DEFCON DOT ORG SLASH ONE ZERO FIVE SEVEN SLASH I WONDER WHAT GOES HERE^M (alternating chase pattern)”
    1057 is on the back there.

    1. Pins left to right, top to bottom give 0x6576666577468583, assuming round is 0 and square is 1, for what it’s worth. 0x9A89999A88B97A7C if round is 1 and square is 0.

      0b0110010101110110011001100110010101110111010001101000010110000011
      and
      0b1001101010001001100110011001101010001000101110010111101001111100

      1. “TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER”

        Perhaps coincidentally, if you start with '657', there are two phone numbers in 0x6576666577468583, albeit slightly overlapped; 657 area code is from LA. No, I wouldn’t go calling them, but perhaps by some stretch of the imagination, one is part of the answer to this question?

    2. 07-21-18-03-18-05-05-22-01-03-14-20-18-06
      10-22-25-25-21-18-25-03-12-02-08-19-22-01
      17-12-02-08-05-16-14-25-25-22-01-20-15-08
      07-17-02-01-07-15-18-17-08-03-18-17-16-08
      07-17-02-10-01-07-21-18-10-02-02-17-06-07
      21-18-12-15-18-18-05-17-02-06-10-57-10-57

      Terminated with “10-57” twice

  5. If you touch the ‘E’ and the ‘O’ together, the LEDs go out, and you get “WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE” on the serial port. It’s another quote from They Live, which was quoting Robert Frost. Frost was responding to a statement by president Eisenhower in 1949 that, “The path to America’s future lies down the middle of the road between the unfettered power of concentrated wealth and the unbridled power of statism or partisan interests.”

    1. OK, so it seems it could be Harold Finch’s phone number from Person of Interest. But the problem is Finch isn’t really Harold’s last name. If you google Harold Finch’s number it comes up with
      9172857362

    2. I’m not entirely sure how I did it – I was swiping my finger back and forth across the letters – but I got this: “TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER”

  6. DATA = '07-21-18-03-18-05-05-22-01-03-14-20-18-06-10-22-25-25-21-18-25-03-12-02-08-19-22-01-17-12-02-08-05-16-14-25-25-22-01-20-15-08-07-17-02-01-07-15-18-17-08-03-18-17-16-08-07-17-02-10-01-07-21-18-10-02-02-17-06-07-21-18-12-15-18-18-05-17-02-06-10-57-10-57'.split('-')
    message = ''
    # shift each number by 13 (mod 26) and map the result onto A..Z via ASCII 64 + n
    for letter in DATA:
        letter = (int(letter) + 13) % 26
        message = message + '%s' % chr(int(letter) + 64)
    print(message)
    OUTPUT
    THEPERRINPAGESWILLHELPYOUFINDYOURCALLINGBUTDONTBEDUPEDCUTDOWNTHEWOODSTHEYBEERDOSWRWR:

  7. I realize that the source code to the badge was posted, but I haven’t opened the archive – so I can’t comment on what the code actually does. Maybe it is perfectly innocuous…but are you sure it is? Also – is the source code posted the same (compiles to) as the firmware on the badge?

    I don’t know about others, but I would be rather wary about taking an unknown (especially if you didn’t know about the source code up front) device, obtained from one of the largest hacker conferences in the world, and just plugging it into a USB port on a personal machine (unless that machine was specifically meant for such “testing”).

    I know DefCon isn’t the same as the Black Hat conference…

    1. Most of those are on a pizza and ramen noodles diet, and have no desires to be ‘evil’. I’d trust a cd/usb stick from them long before I would from Sony/MS/Google.

    2. It’s just a good practice to not take any electronics you care about to any hacker conference.
      The organizers have a vested interest in keeping the cons going every year, so official contests aren’t likely to be malicious.
      Who knows about attendees though.

  8. Unless the schematics are lying, there’s no reason to believe that there’s any mystery around the FTDI chip. It’s simply used as a USB to serial converter, that’s all.

    The 32-pin headers on the left and right, and the two 8-pin headers near the top are very likely to be based on the Propeller Platform. Jon McPhalen (j0hnnym@c) is the author of the software, and he developed that platform a couple of years ago. The two 8-pin headers are for connecting power to other boards (on a real Prop Platform board they would be in line with the 32-pin headers), and the two 32-pin headers carry the P0 to P15 pins (on the left, top down), and the P16-P31 pins (on the right, bottom-up). Each Propeller pin is connected to two header pins. The square solder islands on the headers are probably hints to the “mystery” but are probably not electrically important. The headers should make it possible to re-use the hardware for other purposes.

    P0 to P3 are set up as touch buttons and from the other responses in this thread I’m seeing that they are connected to the E F C O letters in DEFCON. I can’t see from the pictures in which order they’re connected. It looks like there are 5 touch patterns that the program recognizes: 0001, 0101, 0111, 1000 and 1001. Each touch pattern starts a different sequence on the LEDs, and generates a different message on the terminal.

    Extracting the EEPROM content and running “strings” is not going to help you. But a look at the source code shows that it uses Caesar cyphers where each letter in the alphabet is replaced by another letter that’s n places higher or lower in the alphabet, where n is constant for the entire message.

    It also uses One-Time-Pad encryption, where each letter is replaced by a different letter based on the encryption key, where an A in the encryption key means no change, B means shift one letter, etc. (e.g. A+B=B, K+C=M, etc.).

    The source code has some encrypted strings, which are decrypted as they’re sent to the serial port. There are also some unused messages in encrypted and clear-text format. The IR transmitter and receiver don’t appear to be used in the published source code; perhaps what’s on the badge when you get it is different from what they put online, or you need to get a different badge (the source file is called “dc22_badge_human.spin”) with so-far unpublished software to get more functionality.

    The EEPROM is 64K but the Prop only uses 32K to run the software; there’s code on-board to access the rest of the EEPROM but it’s apparently not in use in the published source.

    Hope this gets people started…
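As an added example (not the badge source and not any commenter's code), here is a Python 3 version of the number-grid decode from comment 6 that tries all 26 Caesar shifts and ranks them by how many common English letters they produce, plus the letter-add scheme comment 8 describes (A+B=B, K+C=M). The common-letter scoring and the grid-parsing are my own assumptions, not anything taken from the published Spin source.

```python
# Added example: brute-force the Caesar shift on the number grid posted in the
# comments, and implement the letter-add (Vigenere / one-time-pad) scheme
# described in comment 8. Not the badge's own code.

# Number grid copied from the comments above; 1..26 = A..Z, reduced mod 26.
GRID = (
    "07-21-18-03-18-05-05-22-01-03-14-20-18-06 "
    "10-22-25-25-21-18-25-03-12-02-08-19-22-01 "
    "17-12-02-08-05-16-14-25-25-22-01-20-15-08 "
    "07-17-02-01-07-15-18-17-08-03-18-17-16-08 "
    "07-17-02-10-01-07-21-18-10-02-02-17-06-07 "
    "21-18-12-15-18-18-05-17-02-06-10-57-10-57"
)
# Twelve most common English letters (assumption) used to rank candidate shifts.
COMMON = set("ETAOINSHRDLU")


def parse_grid(grid):
    """Turn the dash/space separated grid into a flat list of ints."""
    return [int(n) for row in grid.split() for n in row.split("-")]


def caesar_numbers(nums, shift):
    """Map each number to a letter after adding 'shift' (1 + shift -> A + shift)."""
    return "".join(chr((n + shift - 1) % 26 + 65) for n in nums)


def english_score(text):
    """Count letters that fall in the common-letter set."""
    return sum(1 for c in text if c in COMMON)


def best_caesar(nums):
    """Try all 26 shifts and return (shift, text) with the highest score."""
    return max(((s, caesar_numbers(nums, s)) for s in range(26)),
               key=lambda pair: english_score(pair[1]))


def key_add(text, key):
    """Letter-add as in comment 8: A in the key = no change, B = +1, ...
    (A+B=B, K+C=M). A key as long as the message, used once, is a one-time
    pad; a shorter key repeats, which is a Vigenere cipher."""
    return "".join(chr((ord(c) - 65 + ord(key[i % len(key)]) - 65) % 26 + 65)
                   for i, c in enumerate(text))


def key_sub(text, key):
    """Inverse of key_add: strip the key letters back off the ciphertext."""
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % 26 + 65)
                   for i, c in enumerate(text))


if __name__ == "__main__":
    shift, plain = best_caesar(parse_grid(GRID))
    print(shift, plain)   # shift 13 wins, giving THEPERRINPAGES...
    print(key_add("HAROLD", "DEFCON"), key_sub(key_add("HAROLD", "DEFCON"), "DEFCON"))
```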

  9. What do you make of the different lanyard types (diskette, rotary, defcon logo, keyhole, etc.)? They each have special characters on the neck which look like they could possibly be used to configure the board for different purposes.
