DEFCON is huge. Last year attendance tipped at about 16k, and we’d wager this year will be even bigger. [Brian] and I will both be among those attending (more on that below) but I wanted to take this time to show you the right way to do a Hacker Conference.
Build Your Own Badge
We met a ton of people at DEFCON 22 last year, but the Whiskey Pirates made a lasting impression. I first ran across two of their crew walking the hallways of the con with this awesome badge. How can you not stop and strike up a conversation about that? Turns out this group of friends have been meeting up here for years. This year they went all out, designing one badge to rule them all. And like any good hacker project, they weren’t able to finish it before getting to the hotel.
Set Up Your Electronics Lab
Binoc microscope for rework
This badge’s LEDs changed to purple
Rack of equipment
Hot air and more
So, you didn’t stuff your boards before leaving home? For the Whiskey Pirates this is not even remotely a problem. They just brought the electronics lab to their suite in the Rio Hotel.
On the bathroom vanity you find the binocular microscope which was good for troubleshooting an LED swap on the official conference badge. An entire cart with hot-air, multiple solder stations, oscilloscopes, and more was on hand. I populated the surface mount LEDs on the badge the crew gave to me. When I was having trouble seeing my work they called the front desk for an additional lamp. You should have seen the look on the bellhop’s face when he walked in!
A bit of marathon assembly and everyone from the Whiskey Pirates (plus me) had a working badge, demonstrated in the video below. But this isn’t where the fun stops.
Nothing says “Welcome to Vegas” like a massive turbulence on a plane full of drunk people who, instead of holding on to their seats, frantically laugh and shout “we’re all going to die!” At 105 Fahrenheit outside, the heat was getting into everyone’s head. After a bumpy touchdown, the in-flight entertainment system rebooted, and a black terminal screen flashed onto everyone’s face:
RedBoot(tm) bootstrap and debug environment [RAM]
(MAS eFX) release, version ("540060-212" v "0.1.02") - built 12:00:35,
Nov 19 2004
Now, that was a beautiful sight – an IFE system that hadn’t been updated for almost a decade. For people who didn’t come here to participate in a big zero-sum game that is Vegas, this was a sign.
DEFCON was waiting for us right outside of that front cabin door.
If you go to DEFCON next year (and you should), prepare for extreme sleep deprivation. If you’re not sleep deprived you’re doing it wrong. This was the state in which we ran into [LosT] and [J0nnyM@c], the brains behind the DEFCON 22 badge and all of the twisted tricks that torture people trying to solve the badge throughout the weekend. They were popular guys but wait around until late into the night and the throngs of hint-seekers subside just a bit.
Plans, within plans, within plans are included in the “crypto” which [LosT] talks about in the interview above. We were wondering how hard it is to produce a badge that is not only electrically perfect, but follows the planned challenge to a ‘T’. This includes things like holding off soldering mask from some pads, and different ones on a different version of the badge. Turns out that you just do as well as you can and then alter the puzzle to match the hardware.
Speaking of hardware. A late snafu in the production threw the two into a frenzy of redesign. Unable to use the planned chip architecture, [J0nnyM@c] stepped up to transition the badges over to Propeller P8X32a chips, leveraging a relationship with Parallax to ensure they hardware could be manufactured in time for the conference.
This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public).
The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found all amusing, and often comical.
I got a great seat on the main floor for the first big DEFCON 22 talk which is a welcome to the con and discussion of the badge hardware. [LosT], the creator of this year’s badge, started the discussion with a teaser about the badge… there’s a phone number hidden as part of the challenge. [LosT] took a call from someone chasing the puzzles. The guy was in the audience which was pretty fun.
The process of building a puzzle that can be solved at DEFCON is really tough. How do you make it just hard enough that it won’t get pwned right away but easy enough that a large number of attendees will be able to figure it out during the weekend? The answer is to build a secure system and introduce strategic flaws which will be the attack vectors for the attendees solving the badge challenge.
Of course the badge can be used as a development platform. The populated electronics on the board all have these nice little footprints which can be cut to disconnect them from the chip. The breakout headers on either side of the board allow you to connect headers for your own uses. Great idea!
The back of the lanyards have special characters on them too. This encourages community at the conference. To solve the puzzle you need to find others with different lanyards. Compare the glyphs and crack the code (so far I have no clue!!).
Know what I’m doing wrong? Have suggestions on where to go from here? I’ll be checking the comments!
It took a measly 2-hours in line to score myself entry to DEFCON and this nifty badge. I spent the rest of the afternoon running into people, and I took in the RFIDler talk. But now I’m back in my room with a USB cord to see what might be done with this badge.
First the hardware; I need a magnifying glass but I’ll tell you what I can. Tere are huge images available after the break.
Crystal marked A050D4C
Looks like an EEPROM to the upper right of the processor? (412W8 K411)
Something interesting to the left. It’s a 4-pin package with a shiny black top that has a slightly smaller iridesent square to it. Light sensor?
Tiny dfn8 package next to that has numbers (3336 412)
Bottom left there is an FTDI chip (can’t read numbers)
The DEFCON letters are capacitive touch. They affect the four LEDs above the central letters.
I fired up minicom and played around with the settings. When I hit on 57600 8N1 I get “COME AND PLAY A GAME WITH ME”.
Not sure where I’m going from here. I don’t have a programmer with me so not sure how I can make a firmware dump. If you have suggestions please let me know in the comments!