Thursday, August 9, 2012

The DEFCON 20 Badge

It's been quite a long while since my last update but I have been busy studying and practicing at software reverse engineering, particularly with malware. My latest project on that front has been analyzing a Poison Ivy RAT variant used in a targeted attack last year. It's been a lot of fun and a great learning experience that I plan to share here once I feel I am done with it. Until then, I wanted to share the experience and fun I had playing with this year's DEFCON badge. For those who are not familiar, DEFCON is the world's largest and longest running hacking conference, held annually in Las Vegas, typically during the hottest week of the summer. It's a lot of fun and I highly recommend checking it out. For the last few years, anyway, they have had a highly involved mystery/puzzle contest that involves the badge you wear to get into the conference. Oftentimes the badges are electronic and part of the puzzle involves hacking them in some way or another. I've never gone too far into the entire puzzle, but I do enjoy playing with the badge and seeing what's in it. This year's badge is basically a Parallax Propeller development board. I have never played with a Propeller before and I have to say I quite enjoyed it. To learn more about the badge from Parallax and also to find the tools and resources used to read and write the raw EEPROM data, check out this forum post. Here is a picture of a human badge.

And here is a picture of my badge with the VGA and PS2 ports that came with it soldered on.

After dumping the EEPROM off the DEFCON badge, you can see some strings near the beginning.

The strings are referencing all the different badge types: human (for regular attendees), vendor, speaker, uber, etc. The uber badge is very special in that it can only be awarded and earning one takes a lot of effort. If you get your hands on one, you have free admission to DEFCON for life! Looking further down in the strings, a URL is referenced. Visiting that URL brings you to this page that reveals further hints about the mystery/puzzle.

Looking at the schematics of the badge that were provided on the DEFCON DVD, I saw that an IR receiver and transmitter were included. For those who don't know, IR is infrared, the technology used by your TV remote to talk to your TV. After reading the serial output from the badge and spending some time at the conference, it became clear that part of the puzzle involved having different badge types "talk" to each other using IR.

I decided to save an image of the badge code and data before and after scanning another badge and then compare them to see if I could find where the data that keeps track of scanned badge types is stored.

As you can see, there is a large range of FF bytes followed by a large range of 00 bytes, and right where these ranges meet there is one byte that was changed from 00 to FF. After some experimentation, I found that flipping the contiguous bytes from 00 to FF marked the other badge types as scanned.

After that, I decided to see if I could change the badge type code that my badge was transmitting. The DEFCON DVD also includes library code used by the badge, including the IR code. It turns out the DEFCON badges are using the Sony IR protocol (SIRCS). I wrote a simple program that merely waits for any incoming SIRCS communication and prints it out to the serial terminal. It was easy enough to ask a friend to let me see what his human badge code was. After that, I asked a Goon (DEFCON volunteers who keep things running smoothly) if I could scan his badge and he was happy to oblige. After looking at these two badge codes, I realized that they were 6 apart, which happens to be the same number of badge types apart they are on the serial display output and in the EEPROM bytes. I figured it likely that the other badge type codes would follow this pattern and wrote a SIRCS transmitter program for my badge that simply repeats sending out the different badge codes. This confirmed my theory and also confirmed rumors I had heard that the Goon and Uber badges will actually put your badge out of commission for some amount of time. The badge will blink with a different funky pattern and you will not be able to read it out to the serial terminal or scan other badges.

I found that the timer for the lockout period is stored in a WORD (little endian) shortly below the scanned badge bytes.
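The before/after image comparison above, and the little-endian lockout WORD, can both be worked on the host side with a small script. The following is an added example (not the post's code and not Parallax's tools): it diffs two EEPROM dumps, groups the changed offsets into runs, locates the spot where a run of FF bytes meets a run of 00 bytes, and reads or writes a little-endian WORD. The image layout, the offsets (FLAG_OFFSET, LOCKOUT_OFFSET) and the number of badge types are constructed for the demonstration; the real badge's offsets are not given in the post.

```python
"""Diff two badge EEPROM images and decode the scan-flag region.

Added example (not the post's or Parallax's code). The layout below is
constructed: the real badge's offsets are not given in the post.
"""
import struct

FLAG_OFFSET = 0x80      # constructed: first 0x00 byte after the 0xFF run
FLAG_COUNT = 8          # constructed: one flag byte per badge type
LOCKOUT_OFFSET = 0x90   # constructed: little-endian WORD of lockout ticks


def build_image() -> bytes:
    """Constructed 256-byte 'before' image: pseudo-code bytes, a 0xFF run,
    then all-zero scan flags and a zero lockout timer."""
    img = bytearray(0x100)
    for i in range(0x40):
        img[i] = (i * 37 + 11) & 0xFF     # arbitrary non-flag content
    for i in range(0x40, FLAG_OFFSET):
        img[i] = 0xFF                     # erased/unused region reads 0xFF
    return bytes(img)


def diff_images(before: bytes, after: bytes) -> list:
    """Return (offset, old, new) for every byte that differs between two dumps."""
    if len(before) != len(after):
        raise ValueError("images differ in length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def group_runs(diffs: list) -> list:
    """Collapse consecutive changed offsets into (start, end) runs, inclusive."""
    runs = []
    for off, _, _ in diffs:
        if runs and off == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], off)
        else:
            runs.append((off, off))
    return runs


def find_ff00_boundary(image: bytes, min_run: int = 4) -> int:
    """Offset where a run of >= min_run 0xFF bytes meets a run of >= min_run
    0x00 bytes; -1 if there is none. This is the pattern the post describes
    around the scanned-badge flags."""
    n, i = len(image), 0
    while i < n:
        if image[i] != 0xFF:
            i += 1
            continue
        j = i
        while j < n and image[j] == 0xFF:
            j += 1
        k = j
        while k < n and image[k] == 0x00:
            k += 1
        if j - i >= min_run and k - j >= min_run:
            return j
        i = k   # k >= j > i, so the scan always advances
    return -1


def scanned_flags(image: bytes) -> list:
    """One bool per badge type: True when its flag byte is 0xFF (scanned)."""
    return [image[FLAG_OFFSET + i] == 0xFF for i in range(FLAG_COUNT)]


def mark_scanned(image: bytes, count: int) -> bytes:
    """Copy of image with the first `count` flag bytes set to 0xFF, rest 0x00."""
    img = bytearray(image)
    for i in range(FLAG_COUNT):
        img[FLAG_OFFSET + i] = 0xFF if i < count else 0x00
    return bytes(img)


def lockout_ticks(image: bytes) -> int:
    """Read the little-endian lockout WORD."""
    return struct.unpack_from("<H", image, LOCKOUT_OFFSET)[0]


def set_lockout(image: bytes, ticks: int) -> bytes:
    """Copy of image with the lockout WORD set (little-endian)."""
    img = bytearray(image)
    struct.pack_into("<H", img, LOCKOUT_OFFSET, ticks)
    return bytes(img)


if __name__ == "__main__":
    before = build_image()
    after = mark_scanned(before, 1)   # simulate scanning one badge
    for off, old, new in diff_images(before, after):
        print(f"{off:#06x}: {old:02x} -> {new:02x}")
    print("flag region starts at", hex(find_ff00_boundary(before)))
    print("lockout ticks:", lockout_ticks(set_lockout(after, 0x1234)))
```

On a real pair of dumps you would read the two files with `open(path, "rb").read()` in place of `build_image()` and `mark_scanned()`; `group_runs` is what makes a single flipped byte stand out from a multi-byte change such as the two-byte lockout word.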

Since I was having fun with the IR components on the badge, I thought it would be cool to get my badge to interact with my TV and remote at home. However, I have Samsung TVs, which use a different protocol than SIRCS. There was not much available on the internet for the Samsung protocol but I did find one great article here. After a few hours of studying the Propeller programming language SPIN and its assembly counterpart, PASM, I was able to modify the SIRCS code provided by DEFCON to create new libraries that can send and receive using the Samsung IR protocol. For anyone interested, you can download the code here. Here is a demo program that lets me toggle the LEDs on my badge using my TV remote.
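To make the difference between the two protocols concrete, here is an added host-side model of both the SIRCS frames the badge exchanges and the Samsung frames the TV remote sends. It is example code written for this post, not the badge's SPIN/PASM library and not the downloadable Samsung library above. A frame is a list of microsecond durations alternating mark, space, mark, ... starting with the leader mark. SIRCS is pulse-width coded (the mark length carries the bit) and the 12-bit timings used are the documented ones; Samsung is pulse-distance coded (the space length carries the bit) and its timings here are an assumption. The sample values (command 0x15 at address 1, the 32-bit 0xA55A0FF0) are constructed and are not claimed to be any real badge or button code.

```python
"""Encode and decode IR frames for Sony SIRCS and the Samsung protocol.

Added example, modelling both protocols on the host; it is not the badge's
SPIN/PASM library. The SIRCS timings are the documented 12-bit ones; the
Samsung timings are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PulseWidth:
    """SIRCS style: fixed space before each bit, mark width carries the bit."""
    leader_mark: int
    space: int
    mark0: int
    mark1: int
    nbits: int


@dataclass(frozen=True)
class PulseDistance:
    """Samsung/NEC style: fixed mark, space width carries the bit, stop mark."""
    leader_mark: int
    leader_space: int
    mark: int
    space0: int
    space1: int
    nbits: int


SIRCS12 = PulseWidth(2400, 600, 600, 1200, 12)             # 7 command + 5 address bits
SAMSUNG32 = PulseDistance(4500, 4500, 560, 560, 1690, 32)  # assumed timings


def sircs_value(command: int, address: int) -> int:
    """Pack a 12-bit SIRCS frame: command in the low 7 bits, address above."""
    return (command & 0x7F) | ((address & 0x1F) << 7)


def sircs_fields(value: int) -> tuple:
    """Split a 12-bit SIRCS value into (command, address)."""
    return value & 0x7F, (value >> 7) & 0x1F


def encode(proto, value: int) -> list:
    """Turn a value into a pulse train, least significant bit first."""
    bits = [(value >> i) & 1 for i in range(proto.nbits)]
    if isinstance(proto, PulseWidth):
        train = [proto.leader_mark]
        for b in bits:
            train += [proto.space, proto.mark1 if b else proto.mark0]
        return train
    train = [proto.leader_mark, proto.leader_space]
    for b in bits:
        train += [proto.mark, proto.space1 if b else proto.space0]
    train.append(proto.mark)   # stop mark so the last space is bounded
    return train


def _close(measured: int, nominal: int, tol: float = 0.25) -> bool:
    return abs(measured - nominal) <= nominal * tol


def decode(proto, train: list):
    """Decode a captured pulse train; None if it does not fit the protocol.
    A 25% tolerance absorbs receiver jitter without letting the 0 and 1
    timings overlap for either protocol."""
    value = 0
    if isinstance(proto, PulseWidth):
        if len(train) != 1 + 2 * proto.nbits or not _close(train[0], proto.leader_mark):
            return None
        for i in range(proto.nbits):
            space, mark = train[1 + 2 * i], train[2 + 2 * i]
            if not _close(space, proto.space):
                return None
            if _close(mark, proto.mark1):
                value |= 1 << i
            elif not _close(mark, proto.mark0):
                return None
        return value
    if len(train) != 3 + 2 * proto.nbits:
        return None
    if not (_close(train[0], proto.leader_mark) and _close(train[1], proto.leader_space)):
        return None
    for i in range(proto.nbits):
        mark, space = train[2 + 2 * i], train[3 + 2 * i]
        if not _close(mark, proto.mark):
            return None
        if _close(space, proto.space1):
            value |= 1 << i
        elif not _close(space, proto.space0):
            return None
    return value if _close(train[-1], proto.mark) else None


def jitter(train: list, factor: float) -> list:
    """Scale every duration, standing in for receiver timing error."""
    return [int(d * factor) for d in train]


if __name__ == "__main__":
    frame = encode(SIRCS12, sircs_value(0x15, 1))
    print(len(frame), "pulses ->", sircs_fields(decode(SIRCS12, jitter(frame, 1.1))))
    frame = encode(SAMSUNG32, 0xA55A0FF0)          # constructed sample value
    print(len(frame), "pulses ->", hex(decode(SAMSUNG32, frame)))
```

The receiver-side point is in `decode`: a frame that does not match the expected length, leader or per-bit timing is rejected rather than partially decoded, which is why a SIRCS badge frame is ignored by the Samsung decoder and vice versa, and why a Samsung remote never registers as a badge scan.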

I also wrote a demo program that causes my badge to repeatedly transmit the "ON" button code for Samsung TVs.

Lastly, I wrote a program just to play with the LEDs.