How did you hack your DEF CON 20 Badge? — Parallax Forums


Jen J. Posts: 649
edited 2012-08-06 12:26 in General Discussion
DEF CON 20 in Las Vegas came to a close yesterday.
I hope all who attended had a great time, I know the Parallaxians that went sure did.

So tell us... how did you hack your DEF CON 20 badge?

Comments

  • Birukun Posts: 1
    edited 2012-07-30 16:08
    I had some fun with the badge, originally overwrote everything in favor of custom lighting after modifying the sample lighting code. Later on I found this forum and directions on restoring the original image.

    Used HexEdit to read the 'virgin' image and then captured one that had triggered the 'human' interaction switch, only to discover that they simply add 'FF' to the memory space at the end of image. Turned around and edited by hand the image to set everything to 'yes', and modified the categories to display my friends' and my PS3 gamertags. Reflashed using 'hacked' version and you can see the below serial output. :-) Nothing elegant but fun.

    [attached image: 2012-07-29_13-48-46_422.jpg]
  • Daniel Harris Posts: 207
    edited 2012-07-30 16:16
    Birukun wrote: »
    I had some fun with the badge, originally overwrote everything in favor of custom lighting after modifying the sample lighting code. Later on I found this forum and directions on restoring the original image.

    Used HexEdit to read the 'virgin' image and then captured one that had triggered the 'human' interaction switch, only to discover that they simply add 'FF' to the memory space at the end of image. Turned around and edited by hand the image to set everything to 'yes', and modified the categories to display my friends' and my PS3 gamertags. Reflashed using 'hacked' version and you can see the below serial output. :-) Nothing elegant but fun.

    Not bad, Birukun! Now try injecting your own virus code to infect other badges - or better yet, make your Human act as a Goon badge :D. Welcome to the forums, btw!
  • yakpimp Posts: 6
    edited 2012-07-30 20:02
    That is exactly how I started, I took an image dump of my badge and some other guy's badge (thanks dan), and compared them in hex workshop. Once I saw that the bytes at 0x7f00 were the only thing different it was only a matter of flipping those flags and boom it showed that I had seen everyone.

    It wasn't until Friday that I actually started playing with the propeller tools and writing some spin code. I wanted to make a Persistence of Vision (POV) hack that would spell something in the air using the LEDs when I waved it back and forth. It took me a while to figure out how to turn the LEDs on the badge on and off individually, and it took me even longer to figure out how to do function calls with arrays in spin.

    I eventually got it working and I'm very happy with the results. I defined each letter of the alphabet individually which allows me to modify it to say other things without too much work.

    You can check out what I actually wrote up here: http://yakhack.wordpress.com

    [attached image: IMG_54452.jpg]

    You can see that I had the spacing incorrect between the Xs in this picture. Since it took me about 50+ shots to actually capture it, I didn't really want to try again after fixing the bug.

    [video: http://youtu.be/WyLYN4MSYPs]
    The video doesn't really show it well, but if you want to see it in action you can get the source code here: http://pastebin.com/n5Z5wXDq and just load it up on your badge.
  • modzero Posts: 4
    edited 2012-07-30 22:43
    Not too complicated but took a stock goon image that was transmitting the goon code and edited it to transmit the lost code.
  • cavehamster Posts: 5
    edited 2012-07-30 23:37
    Thanks to the little EEPROM reading utility and some social engineering, we were able to get a ROM dump of all the different badges except for the uber pretty early on. We also figured out the flags in the human firmware along with the timeout.

    With that, our attention turned to customizing things, now that we knew that no matter what we could restore our own images. We thought it would be fun to broadcast the lockout code ourselves, so I wrote a couple of little utilities. The first would reset the lockout on any badge in a couple of seconds. The second was a simple little program that would echo any IR codes it saw broadcast to the serial console. We walked around looking at codes and compiling a matrix of what we saw.

    Armed with this information, I put together some custom code (all using the libraries that had been provided to us) to modify the LED blink sequence to something different just to make people ask questions, as well as broadcast the uber badge lockout at a much higher rate. It certainly made wandering around at parties more entertaining. There were multiple people who had goon images who were actively 'infecting' others who were rather amused to see our badges doing something entirely different.

    From here, I kind of got side tracked to further development with other puzzles, but I did discover I rather like working with propeller chips, and am looking forward to using one in my next hardware design.

    It was indicated that the full source of the badges would be posted after defcon, when/where will this be? We had some hints from Lost about some other interesting tidbits in the code that we pursued, but we didn't have enough resources to fuzz out what might be happening, and as such, I am rather curious what else I overlooked.

    Good job on the hardware, it was very accessible. I brought nothing more than my netbook and a USB cable as I didn't expect an electronic badge after last year, but still felt I had accomplished a lot. Our team was very informal, mostly it consisted of me and a friend being bored and poking at the badge on Thursday and random people dropping by to see what we were doing, ultimately resulting in a bunch of great friendships. Very good year!
  • Beau Schwabe Posts: 6,545
    edited 2012-07-30 23:56
    I didn't get to go, but I was there in spirit .... up til about 4 am Friday and Saturday night ... Some DC groups had contacted me via E-mail for some help with code....

    Did someone say NTSC video from their DC20 badge?
    ... here is a badge hack to send NTSC video out of your DEFCON badge through the PS/2 mouse and keyboard ports using just 3 resistors.

    Note:
    - This hack will also work with the Propeller Demo Board.
    - For this to work, the "tv_pins" need to be changed from "001_0101" to "011_0000" in software with the existing TV driver.


    Video Output of the attached code:
    http://www.youtube.com/watch?v=s6ObUNcavao
  • JohnRLewis Posts: 2
    edited 2012-07-31 15:22
    I wrote my own program that did two things, first, I wrote a function that output Morse code over the visible light LEDs, and second, I transmitted through the IR LED the code for each other badge type, including goon, uber, and lost's special badge. Everyone who came up to see why my badge was flashing something different got their badge hammered, and locked out for a random amount of time from a few minutes to a few hours.
  • mstc Posts: 4
    edited 2012-07-31 17:37
    Thanks to the little EEPROM reading utility and some social engineering, we were able to get a ROM dump of all the different badges except for the uber pretty early on. We also figured out the flags in the human firmware along with the timeout.

    On the last day we got a dump of DT's badge. We wrote a simple program to broadcast the Lost code constantly.

    Can anyone confirm whether or not someone who had "seen lost" could disable other badges while they were locked out? I've heard that it worked that way but was never able to get it to work myself.
  • cavehamster Posts: 5
    edited 2012-07-31 19:22
    mstc wrote: »
    On the last day we got a dump of DT's badge. We wrote a simple program to broadcast the Lost code constantly.

    Can anyone confirm whether or not someone who had "seen lost" could disable other badges while they were locked out? I've heard that it worked that way but was never able to get it to work myself.

    As near as I could tell mucking about with broadcasting different codes that I had found to be broadcasting, it seemed the only thing that varied was how long your badge was locked out based on what badge code you had seen. Some people claimed some codes would nuke a badge, but I never was able to duplicate those claims. Lost indicated he would give us the source on the badges, I'm hoping to see it somewhat soon to see what I might have missed out on.
  • herpderp Posts: 1
    edited 2012-08-05 14:49
    I would really like to get a copy of a couple of the images, especially two of differing types so I can diff them and see the changes; since the conference is over, would anyone be willing to upload them?

    I'd like to hack the badge more, but I'm not sure where to get started without an image of it. The serial port just tells me what badge types I've seen, and doesn't seem to allow user input at all.
  • yakpimp Posts: 6
    edited 2012-08-06 11:27
    Some guys posted them up on github. https://gist.github.com/3191236
  • Publison Posts: 12,366
    edited 2012-08-06 12:26
    yakpimp wrote: »
    Some guys posted them up on github. https://gist.github.com/3191236

    I was getting a checksum error with a few that I downloaded.

    Jim