DEF CON Forum Site Header Art

Announcement

Collapse
No announcement yet.

[Defcon 16] Welcome to the DEFCON Badge Hacking Contest

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • charliex
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    unless i made some cock up in the code, my badge has no PWM on LED's 3/4. (and i can control pwm on all the other leds)
    Last edited by charliex; August 14, 2008, 14:03.

    Leave a comment:


  • kajer
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    The downside to the DC16 badge is most of the CPU pins are unused...

    And if you did develop code that would take advantage of extra pins on the CPU, you'd have to micro slober some wirewrap wire directly to the cpu...

    Going the way of a dev kit or basic stamp is the way to go if your starting out.

    I was thinking about adding a few extra features to the DC16 badge of mine, but right now it looks like i have to slober from the LED2-7 because those are PWM outputs, and I wouldn't have to wire off the CPU.... plus I dont have a iron w/ a tip that small or eyes that can see that small

    Leave a comment:


  • charliex
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    The badge is a pretty good beginner board, it just lacks some switches and interface stuff.

    Freescale sell a starter board which is pretty good.

    However if you are just starting in electronics, but do have a background in programming, i'd got to frys or radio shack/tandy, or whatever your local electronics place is and pick up a basic stamp kit that you have to put together, they're cheaper and don't need extensive dev tools, once you've got the hang of those, the freescale dev boards would be next, or if you want to stick to the basic stamp but play around a bit more with electronics, i really like the comfile CB220/280 dev kit stuff, again reasonably priced but you can do a lot with it, and the dev kit has lots of switches, dials and leds to play with.

    if you want something bigger than that, go with one of the Mikroe EasyPIC/ARM/AVR boards, they're awesome ,but they're pre made (as are the comfile boards)

    the freescale dev boards are fairly simple to play with as well as easy to obtain, it also mostly matches the badge.

    HC08 dev kit
    http://www.freescale.com/files/abstr.../HCS08DEMO.htm

    Comfile's CUBLOC ( different processor, its based on the ATMega, but its a fun and easy board with a ladder logic or basic style language, and it comes complete, all you need is an rs232 to upload code, and you can make production pieces very simply with their proto board, they have displays and all sorts of stuff, spi,i2c etc. Their forums are a little bit inactive with some of the tougher questions, but there is a fair few sample apps on there too.

    http://cubloc.com/product/01_05.php


    Mikroe maybe overwhelming choice here, i have an EasyPIC4 for fast prototyping.
    http://www.mikroe.com/en/tools/
    HC908 based, so freescale, similar to the badge
    http://www.mikroe.com/en/tools/easyhc908/ (not out yet)

    Sparkfun etc have some little dev boards to play around with, but they're not the best for beginners, as they usually just sell you the part and you're on you own, they do supply some stuff, sometimes, but it seems like its aimed more at the more advanced user. http://www.sparkfun.com

    Also for simplistic development with sensors, inputs and so on, can't really go wrong with phidgets, but it gets expensive quickly and you're ultimately limited by their system.
    http://www.phidgets.com/

    Personally i like to teach with the basic stamp kits from places like frys, then move to the comfile, then to the mikroe and then to the freescale kits etc.
    http://shop1.frys.com/product/5229937
    http://shop1.frys.com/product/5229667

    Dependant on where you're located, you'll have different options, but most electronic places carry the little kits that you have to solder up, make radios or small processor circuits with basic stamps.

    mouser and digikey carry most of the large OEM development kits.

    Best of luck
    Last edited by charliex; August 14, 2008, 12:56.

    Leave a comment:


  • Demo
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Can anyone recommend a VERY beginner kit to learn how to work with these MCUs/boards? This DC was my first time soldering anything, ever(yay got my USB port on) ;) and I'm really interested in learning more, but I don't have a big electronics background so I'd really like to learn from the ground up. I'm planning on taking a basic electronics course through my JC but I also want to be able to learn hands on in the meantime, get my soldering skills up, etc.

    Leave a comment:


  • charliex
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Thanks Andreas,

    I picked up the P&E BDM yesterday, so it should arrive today, i've got almost everyone they've got now, people keep picking chips i don't have the BDM for, i expect with my luck next year Joe will use a renesas processor....

    Have a safe TSA free flight.

    Leave a comment:


  • Andreas
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Originally posted by charliex View Post
    Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.
    Yeah, we've been playing with both the mainline sdcc, and the hc08 branch that's floating around. The latter has been worked on using cygwin, and it's in a sorry state with regard to building it on Linux. The former misses quite a number of libc functions, and it's not possible to override the init sequence (crt0.o, if you will), which is needed to make it play nicely with the existing bootloader.

    I'm still at the airport, but will contact the other Andreas (a.k.a. "count") as soon as I'm home, he's got the sdcc hackery on his computer.

    If you have JTAG access, and can live with overwriting the original bootloader, the following linker script might get you somewhere with the stock sdcc (assuming you have compiled a main_test.c to main_test.rel):

    Code:
    -mxsu
    main_test
    -b CSEG=0x1960
    -b DSEG=0xb0
    -g __sdcc_external_startup=0x0000 ; bug, but silence
    -g __PTAD=0x00000000
    -g __PTADD=0x00000001
    -g __PTBD=0x00000002
    -g __PTBDD=0x00000003
    -g __PTCD=0x00000004
    -g __PTCDD=0x00000005
    -g __PTDD=0x00000006
    -g __PTDDD=0x00000007
    -g __PTED=0x00000008
    -g __PTEDD=0x00000009
    -g __PTFD=0x0000000A
    -g __PTFDD=0x0000000B
    -g __PTGD=0x0000000C
    -g __PTGDD=0x0000000D
    -g __ACMPSC=0x0000000E
    -g __ADCSC1=0x00000010
    -g __ADCSC2=0x00000011
    -g __ADCR=0x00000012
    -g __ADCCV=0x00000014
    -g __ADCCFG=0x00000016
    -g __APCTL1=0x00000017
    -g __APCTL2=0x00000018
    -g __IRQSC=0x0000001B
    -g __KBISC=0x0000001C
    -g __KBIPE=0x0000001D
    -g __KBIES=0x0000001E
    -g __TPM1SC=0x00000020
    -g __TPM1CNT=0x00000021
    -g __TPM1MOD=0x00000023
    -g __TPM1C0SC=0x00000025
    -g __TPM1C0V=0x00000026
    -g __TPM1C1SC=0x00000028
    -g __TPM1C1V=0x00000029
    -g __TPM1C2SC=0x0000002B
    -g __TPM1C2V=0x0000002C
    -g __TPM1C3SC=0x0000002E
    -g __TPM1C3V=0x0000002F
    -g __TPM1C4SC=0x00000031
    -g __TPM1C4V=0x00000032
    -g __TPM1C5SC=0x00000034
    -g __TPM1C5V=0x00000035
    -g __SCI1BD=0x00000038
    -g __SCI1C1=0x0000003A
    -g __SCI1C2=0x0000003B
    -g __SCI1S1=0x0000003C
    -g __SCI1S2=0x0000003D
    -g __SCI1C3=0x0000003E
    -g __SCI1D=0x0000003F
    -g __SCI2BD=0x00000040
    -g __SCI2C1=0x00000042
    -g __SCI2C2=0x00000043
    -g __SCI2S1=0x00000044
    -g __SCI2S2=0x00000045
    -g __SCI2C3=0x00000046
    -g __SCI2D=0x00000047
    -g __MCGC1=0x00000048
    -g __MCGC2=0x00000049
    -g __MCGTRM=0x0000004A
    -g __MCGSC=0x0000004B
    -g __MCGC3=0x0000004C
    -g __MCGT=0x0000004D
    -g __SPI1C1=0x00000050
    -g __SPI1C2=0x00000051
    -g __SPI1BR=0x00000052
    -g __SPI1S=0x00000053
    -g __SPI1D16=0x00000054
    -g __SPI1M=0x00000056
    -g __IICA=0x00000058
    -g __IICF=0x00000059
    -g __IICC1=0x0000005A
    -g __IICS=0x0000005B
    -g __IICD=0x0000005C
    -g __IICC2=0x0000005D
    -g __TPM2SC=0x00000060
    -g __TPM2CNT=0x00000061
    -g __TPM2MOD=0x00000063
    -g __TPM2C0SC=0x00000065
    -g __TPM2C0V=0x00000066
    -g __TPM2C1SC=0x00000068
    -g __TPM2C1V=0x00000069
    -g __RTCSC=0x0000006C
    -g __RTCCNT=0x0000006D
    -g __RTCMOD=0x0000006E
    -g __SPI2C1=0x00000070
    -g __SPI2C2=0x00000071
    -g __SPI2BR=0x00000072
    -g __SPI2S=0x00000073
    -g __SPI2D16=0x00000074
    -g __SPI2M=0x00000076
    -g __USBCTL0=0x00000080
    -g __PERID=0x00000088
    -g __IDCOMP=0x00000089
    -g __REV=0x0000008A
    -g __INTSTAT=0x00000090
    -g __INTENB=0x00000091
    -g __ERRSTAT=0x00000092
    -g __ERRENB=0x00000093
    -g __STAT=0x00000094
    -g __CTL=0x00000095
    -g __ADDR=0x00000096
    -g __FRMNUML=0x00000097
    -g __FRMNUMH=0x00000098
    -g __EPCTL0=0x0000009D
    -g __EPCTL1=0x0000009E
    -g __EPCTL2=0x0000009F
    -g __EPCTL3=0x000000A0
    -g __EPCTL4=0x000000A1
    -g __EPCTL5=0x000000A2
    -g __EPCTL6=0x000000A3
    -g __SRS=0x00001800
    -g __SBDFR=0x00001801
    -g __SOPT1=0x00001802
    -g __SOPT2=0x00001803
    -g __SDID=0x00001806
    -g __SPMSC1=0x00001809
    -g __SPMSC2=0x0000180A
    -g __DBGCA=0x00001810
    -g __DBGCB=0x00001812
    -g __DBGF=0x00001814
    -g __DBGC=0x00001816
    -g __DBGT=0x00001817
    -g __DBGS=0x00001818
    -g __FCDIV=0x00001820
    -g __FOPT=0x00001821
    -g __FCNFG=0x00001823
    -g __FPROT=0x00001824
    -g __FSTAT=0x00001825
    -g __FCMD=0x00001826
    -g __PTAPE=0x00001840
    -g __PTASE=0x00001841
    -g __PTADS=0x00001842
    -g __PTBPE=0x00001844
    -g __PTBSE=0x00001845
    -g __PTBDS=0x00001846
    -g __PTCPE=0x00001848
    -g __PTCSE=0x00001849
    -g __PTCDS=0x0000184A
    -g __PTDPE=0x0000184C
    -g __PTDSE=0x0000184D
    -g __PTDDS=0x0000184E
    -g __PTEPE=0x00001850
    -g __PTESE=0x00001851
    -g __PTEDS=0x00001852
    -g __PTFPE=0x00001854
    -g __PTFSE=0x00001855
    -g __PTFDS=0x00001856
    -g __PTGPE=0x00001858
    -g __PTGSE=0x00001859
    -g __PTGDS=0x0000185A
    -g __FIFO0=0x00000081
    -g __F0BADDR=0x00000082
    -g __F0SIZE=0x00000083
    -g __F0CTL=0x00000085
    -e
    Andreas

    Leave a comment:


  • charliex
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Andreas, nice going and its shame you didn't get a mention, definitely earned though.

    Thanks for posting the protocol too, the JM60 bootloader on windows is annoyingly bad so it'll be nice to replace it..

    Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.

    cheers.

    Leave a comment:


  • jeffgus
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Originally posted by Andreas View Post
    I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.
    This is awesome! I found sdcc during the con, but hadn't yet tried anything with it. I will be looking forward to see what you have.

    Leave a comment:


  • Andreas
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.

    Still, here's the perl code for flashing. Use at your own risk, YMMV, consult your health care professional. Only flashes on of the two flash regions. Doesn't verify. Doesn't blank check after erase. Etc.

    sdcc hackey will follow soon.

    Code:
    #!/usr/bin/perl -w
    
    use strict;
    use Device::USB;
    
    my $big = "\000" x 0x10000;
    
    my $timeout = 10000;
    my $VENDOR  = 0x15a2;
    my $PRODUCT = 0x0035;
    my $CFG     = 0x0;
    my $i;
    
    my $usb = Device::USB->new();
    my $dev = $usb->find_device( $VENDOR, $PRODUCT );
    
    printf "Device: %04X:%04X\n", $dev->idVendor(), $dev->idProduct();
    $dev->open();
    $dev->set_configuration( $CFG );
    
    printf "Erasing Flash!\n";
    for ($i = 0x1960; $i < 0xfc00; $i += 0x200) {
        &erase_flash($i, $i + 0x1ff);
    }
    
    printf "Writing Flash!\n";
    &parse_s_record();
    
    for($i=0x1960;$i<0xfc00;$i+=8) {
        my $buffer = substr($big, $i, 8);
        &write_flash($buffer, $i);
    }
    
    sub parse_s_record {
        while(<>) {
            chomp;
            if (/^S1(..)(....)((..)*)(..)/) {
                my $buffer = pack("H*", $3);
                my $address = unpack("n", pack("H*", $2));
                unless ($address > 0xfc00) {
                    substr($big,$address,length($buffer)) = $buffer;
                }
            }
        }
    }
    
    sub erase_flash {
        my $buffer = "";
        my $from = shift;
        my $to = shift;
        if ($from < 0xfc00 && $to < 0xfc00) {
            my $res = $dev->control_msg(0x40, 0x82, $to, $from, $buffer, 0, $timeout);
            if ($res < 0) {
                die "Error erasing!\n";
            }
            &execute();
        }
    }
    
    sub write_flash {
        my $buffer = shift;
        my $from = shift;
        my $length = length($buffer);
        my $to = $from + $length - 1;
        if ($from < 0xfc00 && $to < 0xfc00) {
            my $res = $dev->control_msg(0x40, 0x81, $from, $to, $buffer, $length, $timeout);
            if ($res < 0) {
                die "Error writing!\n";
            }
            &execute();
        }
    }
    
    sub verify_flash {
        my $buffer = shift;
        my $from = shift;
        my $length = length($buffer);
        my $to = $from + $length - 1;
        my $res = $dev->control_msg(0x40, 0x87, $from, $to, $buffer, $length, $timeout);
        if ($res < 0) {
            die "Error verifying!\n";
        }
        &execute();
      # FIXME: check actual return of command
    }

    Leave a comment:


  • kajer
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    I gave a sample of the code to my buddy Snuggles...

    He gave me this...

    Code:
    UINT8 FAT_LS(void)
    {
        UINT8 u8Counter, i;
        root_Entries *sFileStructure;                                   
    
        GetPhysicalBlock(u16FAT_Root_BASE,ag8FATReadBuffer);
        sFileStructure = (root_Entries*)&ag8FATReadBuffer[RootEntrySize];
        
        // look at each file in the root directory to find the first one with only the Read Only attribute set
        while(sFileStructure->FileName[0]!=FILE_Clear)
        {
          if (sFileStructure->FileName[0]!=FILE_Erased) // if the file isn't erased (since FAT doesn't really erase the file, only flag it as erased...)
          {
            i = NibbleSwap(sFileStructure->Attributes);
            if ((i & AT_READONLY) && !(i & (AT_VOLUME | AT_DIRECTORY))) // the attribute is set
            {
              // copy the filename into the gau8Minicom buffer 
              i = 0; 
              for(u8Counter=0;u8Counter<8;u8Counter++) 
                {
                  if(sFileStructure->FileName[u8Counter]!=' ' && sFileStructure->FileName[u8Counter] !='.')           
                    {
                      gau8Minicom[u8Counter] = sFileStructure->FileName[u8Counter];
                      ++i;
                    }
                }
                 
              gau8Minicom[i] = '.';
              ++i;
              
              for(u8Counter=0;u8Counter<3;u8Counter++) 
                {
                  if(sFileStructure->Extension[u8Counter]!=' ')
                    gau8Minicom[u8Counter + i] = sFileStructure->Extension[u8Counter];
                }
              return (1);   
            }
          }
          
          sFileStructure++;
        }
          
        return(0);
    }
    The badge gave me this...
    Code:
    Entering TRANSMIT mode.
    HELLO.TXT
    File name: HELLO.TXT
    File size:  0000001131 bytes
    Starting IR file transmit.
    
    CRC16 = 0x1814
    
    CRC16 = 0x1455
    
    CRC16 = 0xEF43
    
    CRC16 = 0x0000
    
    IR file transmit successful!
    Going to SLEEP.

    The DC16 badge will now use a filename that is shorter than 8x3 and ignore the archive / system / hidden attributes... However, the routine will not work unless your filename is UPPERCASE... There is a step in DC16_TX_File to make the gau8Minicom into uppercase, but from the terminal strings I have my badge output, it looks like the FAT.C can't read lowercase filenames. When I changed hello.txt to HELLO.TXT, then it worked.

    Any Ideas?

    Leave a comment:


  • charliex
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    There is a codewarrior with a temporary license for defcon, i think there a few days left on it, it was downloadable from the media.defcon link, but you have to manually copy the license.dat.

    gcc doesn't support HC08 that i'm aware of, its HC12 support is not that great anyway.

    i've been looking at SDCC which has a couple of ports to HC08 but its code generation has been questionable, and no C++ support which isn't really an issue with the badge that i recall and if there was anything it's probably small stuff.

    i haven't looked at the transfer bug, since i wasn't aware of it til the closing ceremony, FAT16 doesn't support LFN's (without a patented extension) so its probably not expecting anything else, i'll take a peek sometime.

    Leave a comment:


  • kajer
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Alright, I spent most of last night poking around the code... Keep in mind I am a total code n00b... It seems like there is a bug in the routine that sends the filename to the DC16 file transfer handler.

    If you have a read-only file with a FULL 8x3 FILENAME without a archive/system/hidden attribute set, the badge will work; possibly.

    I modded my code to ignore the system/archive/hidden and I got the file transfer to work with a 8x3 filename; OMGHELLO.TXT

    The problem seems to be in the code in FAT.C that sends a name to the gau8Minicom buffer. If the filename isn't 8x3 It looks like the code can't handle it, or process it correctly. I have tried variations of a few different things that all seem to pass the incorrect name to the buffer.

    I hard set the short filename in the gau8Minicom buffer and it read OK, but thats not what I want, If I was going to have to name my file something every time, why not just give it a full 8x3 in the first place.

    So, would somebody else confirm that if you set your attribs to == R and != ASH (lol i suck at C) and give your file a UPPERCASE 8x3, see if you badge works.

    Thanks
    -Kajer

    Leave a comment:


  • kajer
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    I got codewarrior installed, removed TV-B-GONE source, and made some room to work w/ that 32k limit on the freescale demo program. I got some cleaned up Firmware uploaded to the badge, and now I am ready to put some neat LED things in there as different modes...

    Before I do, I still want to retain the InfraRed TX/RX...

    I am no coder, but It seems like the file TX bug is in FAT.C. Has anyone patched their FAT.C to actually return a file to the DC16_TX_File routine?

    (debug output...
    Entering TRANSMIT mode.
    No valid file found.
    Going to SLEEP
    ...)
    Last edited by kajer; August 12, 2008, 01:49. Reason: added the debug output

    Leave a comment:


  • BonzoESC
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Originally posted by Kingpin View Post
    Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)

    -kp
    Just got back to the Bonz-o-plex.

    Here's the Front Row Badge source: http://github.com/bkerley/dc16_badge
    And a video demonstration: http://www.youtube.com/watch?v=gPQHFCoAvgE

    Leave a comment:


  • Kingpin
    replied
    Re: Welcome to the DEFCON Badge Hacking Contest

    Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)

    -kp

    Leave a comment:

Working...
X