Category: Con-Badge Hacking

Hacking of conference badges

QuahogCon 2010 Badge Hardware Hacking – The Beginning

What I Did:

I took a Cellboost IPR3 that was otherwise destined for a dull life of providing power to an original iPod Shuffle, and converted the cable normally used for charging it into a USB-A-to-2-pin cable using the cable from an old computer case’s hard drive activity light. (Using the cable is a bonus for me, since this cable has been kicking around the junkbox for ages.)

What I Wanted to Do:

I’ll be the first to admit this isn’t so much a ‘hack’ since it’s what the badge was designed to do. I had planned to populate the two 2×16 rows of headers with female headers, then put a piece of perfboard on top either with male headers pointed down or with female headers with double-length legs. The plan was to have something akin to an Arduino shield: Removable, changeable, and replaceable. What you see here is what I got done during the ‘con. I’ll post updates as I progress in badge-hacking now that the ‘con’s over.

About the Cellboost IPR3 Hardware

The Cellboost device contains 1 Li-Ion battery, 5V charging circuitry, and 5V output circuitry; the charging circuitry is the best part, since Li-Ions are a pain to charge otherwise. It includes a USB extension cable (USB-A Male to USB-A Female) that supplies power only (no wires for data) to charge the Cellboost unit with. The unit itself has a USB-A Male (for charging the Li-Ion) and a USB-A Female receptacle on it (for the iPod to plug into).

I acquired a number of these Cellboost devices from Princess Auto; at their last big clearance sale, they were on for (IIRC) $0.79 each. As an aside, I had someone at Quahogcon ask me if I had been to the MIT Garage Sale. Apparently they were sold there as well. Regardless, I still have 4 or 5 in their original packaging to be used to power other projects.

QuahogCon 2010 Loot

Here’s what I gained (physically) from QuahogCon 2010 (in no particular order):

(And yes, I would have preferred to photograph against a plain white background, but hey.)

QuahogCon 2010 Humans vs. Zombies Game

For those who are curious about some of the particulars of the game, here is what I gleaned from the goings-on at the ‘con (and from a lot of borrowing Jimmie’s badge, and soliciting button-presses from random ‘con attendees).

Spoiler Warning: If you want to try to disassemble, packet-sniff, or otherwise decode the Humans vs Zombies game completely on your own, don’t read on.

Most of this is just a brain dump; it’s not really in any particular order.

  • AFAIK, 5 types of badges existed: Human, Zombie, Cleric, Mussel and Uber. All of these attacks are explained later on in the “giant list ‘o attacks”, with one exception: Mussels can attack either humans or zombies, and have no unique attack code.
  • I managed to peek at an instruction sheet for a Cleric that was left behind by one of the lovely ladies from the CORE table; however, it held no unexpected information. (Though it was quite nice, and fit with the story in the Attendee pamphlets/schedules.)
  • Attendees began as humans, and were turned into zombies by attacks from other zombies, or from coaxing from an Uber badge.
  • In the download provided at con-time (q10-pub.tar.gz), there lives a file known as rftest-rx.c. By default, this will list (over UART1) the unencrypted attack type and attack power of whatever attacks it hears.

    rftest-rx.c also has a commented-out line that will print the entire packet received. Note that packet[3] and packet[4] need to be XOR’d with packet[2] to make any sense. (<-- Uber encryption)
    Example:
    packet[2] ^ packet[3] = Attack Type
    packet[2] ^ packet[4] = Attack Power

  • From soliciting keypresses, I managed to make a list of the following attacks/powers:
    1,1: Human Defensive
    1,2: Human Normal
    1,3: Human Offensive
    1,6: Human Critical Hit
    2,1: Zombie default attack OR attack with 1 LED of charge
    2,2: Zombie charged to 2 LEDs
    2,3: Zombie charged to 3 LEDs
    2,4: Zombie charged to 4 LEDs
    2,5: Zombie charged to 5 LEDs
    3,20: Cleric Heal Humans
    3,50: Cleric Heal Humans (Critical Hit)
    4,20: (Really? 4:20? *groan*) Cleric Turn Undead
    4,50: Cleric Turn Undead (Critical Hit)
    99,5: Uber ???
    99,6: Uber Epic Win
  • During his talk on 802.15.4 security regarding replay attacks, Josh Wright briefly showed the packets that he managed to sniff from an Uber badge, which turned anyone in range into any of the 6 modes (the 5 discussed above, and also ‘dead’.) He then proceeded to execute a replay attack on the audience, and it apparently hit @innismir (Ben Jackson) in the next room during his presentation. Twitter thread: [1][2][2.5][3][4][5]
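The XOR step and the attack list above, worked through as an added example (not code from q10-pub or from the badge firmware). The byte offsets [2], [3] and [4] and the type/power pairs come from the post; the names `hvz_decode`, `hvz_describe` and `hvz_table`, and the sample packet, are constructed for illustration. Because the mask byte travels in the same packet as the values it masks, any receiver can undo it, and a recorded packet stays valid when re-sent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct hvz_attack { uint8_t type, power; };

/* Attack list as recorded in the post (Mussels have no code of their own). */
static const struct { uint8_t type, power; const char *name; } hvz_table[] = {
    {1, 1, "Human Defensive"}, {1, 2, "Human Normal"},
    {1, 3, "Human Offensive"}, {1, 6, "Human Critical Hit"},
    {2, 1, "Zombie default or 1 LED"}, {2, 2, "Zombie 2 LEDs"},
    {2, 3, "Zombie 3 LEDs"}, {2, 4, "Zombie 4 LEDs"}, {2, 5, "Zombie 5 LEDs"},
    {3, 20, "Cleric Heal Humans"}, {3, 50, "Cleric Heal Humans (Critical Hit)"},
    {4, 20, "Cleric Turn Undead"}, {4, 50, "Cleric Turn Undead (Critical Hit)"},
    {99, 5, "Uber ???"}, {99, 6, "Uber Epic Win"},
};

/* Unmask one received packet. Returns 0 on success, or -1 when the
 * buffer is too short to contain bytes [2] through [4]. */
int hvz_decode(const uint8_t *pkt, size_t len, struct hvz_attack *out)
{
    if (!pkt || !out || len < 5)
        return -1;
    out->type  = (uint8_t)(pkt[2] ^ pkt[3]);  /* [2] ^ [3] = attack type  */
    out->power = (uint8_t)(pkt[2] ^ pkt[4]);  /* [2] ^ [4] = attack power */
    return 0;
}

/* Map a decoded pair to its name; pairs not in the list are "unknown". */
const char *hvz_describe(const struct hvz_attack *a)
{
    for (size_t i = 0; i < sizeof hvz_table / sizeof hvz_table[0]; i++)
        if (hvz_table[i].type == a->type && hvz_table[i].power == a->power)
            return hvz_table[i].name;
    return "unknown";
}

int main(void)
{
    /* Constructed sample: bytes [0],[1] are filler, [2] = 0x5A is the mask. */
    const uint8_t sample[] = {0x00, 0x00, 0x5A, 0x5A ^ 4, 0x5A ^ 20};
    struct hvz_attack a;
    if (hvz_decode(sample, sizeof sample, &a) == 0)
        printf("type=%u power=%u: %s\n", a.type, a.power, hvz_describe(&a));
    return 0;
}
```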

I’ll add more here if/when I think of it, and once I start sniffing in earnest. I spent the entire ‘Con trying to reinvent the wheel… Apparently all the good stuff was in the q10-pub/firmware directory… I had been tweaking code in the q10-pub/tests directory. I still managed to sniff the above code; however, I didn’t get transmit working in time to pwn the closing ceremonies. Totally looking forward to pwning whatever badge they throw at us next year, though.

QuahogCon Badge Details Released

In the fine tradition of hacker con badges, QuahogCon presents its inaugural badge, based on the Freescale MC13224v.

More info and badge specs can be found at mc1322x.devl.org: MC13224 Hardware, and more contest-related info can be found at QuahogCon: Contests.
MC1322x-related Open Source tools and guides are available at mc1322x.devl.org.

I’ll be adding more badge-hacking-related stuff before/during/after QuahogCon, once I get to play around with my badge.