DEF CON Forum Site Header Art

Announcement

Collapse
No announcement yet.

[Defcon 16] Welcome to the DEFCON Badge Hacking Contest

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #61
    Re: Welcome to the DEFCON Badge Hacking Contest

    Originally posted by nak View Post
    Yeah, I did try that, the computer will pop up an un-recognized USB device bubble from the system tray. The only time XP asks for drivers is when it is in 'normal' operation mode. It also doesn't open a serial port when in bootloader mode (BTW).
    it'd be the drivers in this folder for bootloader mode

    Code:
    (Default path)
    C:\Program Files\Freescale\Freescale JM60 GUI\JM60 USB Driver
    - Null Space Labs

    Comment


    • #62
      Re: Welcome to the DEFCON Badge Hacking Contest

      Thanks charliex, I talked to a couple guys in the HHV on sunday (maybe it was you :P) and got the location of the driver and a copy of code warrior.

      I'll probably get an instructable on how to get the badges working, now time to figure out how to program this thing...
      ยง

      Comment


      • #63
        Re: Welcome to the DEFCON Badge Hacking Contest

        I remember that some people were passing a USB stick with updated software around. What was that about ?
        Is there a gcc toolchain available for programming this without having to purchase Freescale's CodeWarrior version? Link ?

        Comment


        • #64
          Re: Welcome to the DEFCON Badge Hacking Contest

          Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)

          -kp

          Comment


          • #65
            Re: Welcome to the DEFCON Badge Hacking Contest

            Originally posted by Kingpin View Post
            Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)

            -kp
            Just got back to the Bonz-o-plex.

            Here's the Front Row Badge source: http://github.com/bkerley/dc16_badge
            And a video demonstration: http://www.youtube.com/watch?v=gPQHFCoAvgE

            Comment


            • #66
              Re: Welcome to the DEFCON Badge Hacking Contest

              I got codewarrior installed, removed TV-B-GONE source, and made some room to work w/ that 32k limit on the freescale demo program. I got some cleaned up Firmware uploaded to the badge, and now I am ready to put some neat LED things in there as different modes...

              Before I do, I still want to retain the InfraRed TX/RX...

              I am no coder, but It seems like the file TX bug is in FAT.C. Has anyone patched their FAT.C to actually return a file to the DC16_TX_File routine?

              (debug output...
              Entering TRANSMIT mode.
              No valid file found.
              Going to SLEEP
              ...)
              Last edited by kajer; August 12th, 2008, 00:49. Reason: added the debug output

              Comment


              • #67
                Re: Welcome to the DEFCON Badge Hacking Contest

                Alright, I spent most of last night poking around the code... Keep in mind I am a total code n00b... It seems like there is a bug in the routine that sends the filename to the DC16 file transfer handler.

                If you have a read-only file with a FULL 8x3 FILENAME without a archive/system/hidden attribute set, the badge will work; possibly.

                I modded my code to ignore the system/archive/hidden and I got the file transfer to work with a 8x3 filename; OMGHELLO.TXT

                The problem seems to be in the code in FAT.C that sends a name to the gau8Minicom buffer. If the filename isn't 8x3 It looks like the code can't handle it, or process it correctly. I have tried variations of a few different things that all seem to pass the incorrect name to the buffer.

                I hard set the short filename in the gau8Minicom buffer and it read OK, but thats not what I want, If I was going to have to name my file something every time, why not just give it a full 8x3 in the first place.

                So, would somebody else confirm that if you set your attribs to == R and != ASH (lol i suck at C) and give your file a UPPERCASE 8x3, see if you badge works.

                Thanks
                -Kajer

                Comment


                • #68
                  Re: Welcome to the DEFCON Badge Hacking Contest

                  There is a codewarrior with a temporary license for defcon, i think there a few days left on it, it was downloadable from the media.defcon link, but you have to manually copy the license.dat.

                  gcc doesn't support HC08 that i'm aware of, its HC12 support is not that great anyway.

                  i've been looking at SDCC which has a couple of ports to HC08 but its code generation has been questionable, and no C++ support which isn't really an issue with the badge that i recall and if there was anything it's probably small stuff.

                  i haven't looked at the transfer bug, since i wasn't aware of it til the closing ceremony, FAT16 doesn't support LFN's (without a patented extension) so its probably not expecting anything else, i'll take a peek sometime.
                  - Null Space Labs

                  Comment


                  • #69
                    Re: Welcome to the DEFCON Badge Hacking Contest

                    I gave a sample of the code to my buddy Snuggles...

                    He gave me this...

                    Code:
                    UINT8 FAT_LS(void)
                    {
                        UINT8 u8Counter, i;
                        root_Entries *sFileStructure;                                   
                    
                        GetPhysicalBlock(u16FAT_Root_BASE,ag8FATReadBuffer);
                        sFileStructure = (root_Entries*)&ag8FATReadBuffer[RootEntrySize];
                        
                        // look at each file in the root directory to find the first one with only the Read Only attribute set
                        while(sFileStructure->FileName[0]!=FILE_Clear)
                        {
                          if (sFileStructure->FileName[0]!=FILE_Erased) // if the file isn't erased (since FAT doesn't really erase the file, only flag it as erased...)
                          {
                            i = NibbleSwap(sFileStructure->Attributes);
                            if ((i & AT_READONLY) && !(i & (AT_VOLUME | AT_DIRECTORY))) // the attribute is set
                            {
                              // copy the filename into the gau8Minicom buffer 
                              i = 0; 
                              for(u8Counter=0;u8Counter<8;u8Counter++) 
                                {
                                  if(sFileStructure->FileName[u8Counter]!=' ' && sFileStructure->FileName[u8Counter] !='.')           
                                    {
                                      gau8Minicom[u8Counter] = sFileStructure->FileName[u8Counter];
                                      ++i;
                                    }
                                }
                                 
                              gau8Minicom[i] = '.';
                              ++i;
                              
                              for(u8Counter=0;u8Counter<3;u8Counter++) 
                                {
                                  if(sFileStructure->Extension[u8Counter]!=' ')
                                    gau8Minicom[u8Counter + i] = sFileStructure->Extension[u8Counter];
                                }
                              return (1);   
                            }
                          }
                          
                          sFileStructure++;
                        }
                          
                        return(0);
                    }
                    The badge gave me this...
                    Code:
                    Entering TRANSMIT mode.
                    HELLO.TXT
                    File name: HELLO.TXT
                    File size:  0000001131 bytes
                    Starting IR file transmit.
                    
                    CRC16 = 0x1814
                    
                    CRC16 = 0x1455
                    
                    CRC16 = 0xEF43
                    
                    CRC16 = 0x0000
                    
                    IR file transmit successful!
                    Going to SLEEP.

                    The DC16 badge will now use a filename that is shorter than 8x3 and ignore the archive / system / hidden attributes... However, the routine will not work unless your filename is UPPERCASE... There is a step in DC16_TX_File to make the gau8Minicom into uppercase, but from the terminal strings I have my badge output, it looks like the FAT.C can't read lowercase filenames. When I changed hello.txt to HELLO.TXT, then it worked.

                    Any Ideas?

                    Comment


                    • #70
                      Re: Welcome to the DEFCON Badge Hacking Contest

                      I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.

                      Still, here's the perl code for flashing. Use at your own risk, YMMV, consult your health care professional. Only flashes on of the two flash regions. Doesn't verify. Doesn't blank check after erase. Etc.

                      sdcc hackey will follow soon.

                      Code:
                      #!/usr/bin/perl -w
                      
                      use strict;
                      use Device::USB;
                      
                      my $big = "\000" x 0x10000;
                      
                      my $timeout = 10000;
                      my $VENDOR  = 0x15a2;
                      my $PRODUCT = 0x0035;
                      my $CFG     = 0x0;
                      my $i;
                      
                      my $usb = Device::USB->new();
                      my $dev = $usb->find_device( $VENDOR, $PRODUCT );
                      
                      printf "Device: %04X:%04X\n", $dev->idVendor(), $dev->idProduct();
                      $dev->open();
                      $dev->set_configuration( $CFG );
                      
                      printf "Erasing Flash!\n";
                      for ($i = 0x1960; $i < 0xfc00; $i += 0x200) {
                          &erase_flash($i, $i + 0x1ff);
                      }
                      
                      printf "Writing Flash!\n";
                      &parse_s_record();
                      
                      for($i=0x1960;$i<0xfc00;$i+=8) {
                          my $buffer = substr($big, $i, 8);
                          &write_flash($buffer, $i);
                      }
                      
                      sub parse_s_record {
                          while(<>) {
                              chomp;
                              if (/^S1(..)(....)((..)*)(..)/) {
                                  my $buffer = pack("H*", $3);
                                  my $address = unpack("n", pack("H*", $2));
                                  unless ($address > 0xfc00) {
                                      substr($big,$address,length($buffer)) = $buffer;
                                  }
                              }
                          }
                      }
                      
                      sub erase_flash {
                          my $buffer = "";
                          my $from = shift;
                          my $to = shift;
                          if ($from < 0xfc00 && $to < 0xfc00) {
                              my $res = $dev->control_msg(0x40, 0x82, $to, $from, $buffer, 0, $timeout);
                              if ($res < 0) {
                                  die "Error erasing!\n";
                              }
                              &execute();
                          }
                      }
                      
                      sub write_flash {
                          my $buffer = shift;
                          my $from = shift;
                          my $length = length($buffer);
                          my $to = $from + $length - 1;
                          if ($from < 0xfc00 && $to < 0xfc00) {
                              my $res = $dev->control_msg(0x40, 0x81, $from, $to, $buffer, $length, $timeout);
                              if ($res < 0) {
                                  die "Error writing!\n";
                              }
                              &execute();
                          }
                      }
                      
                      sub verify_flash {
                          my $buffer = shift;
                          my $from = shift;
                          my $length = length($buffer);
                          my $to = $from + $length - 1;
                          my $res = $dev->control_msg(0x40, 0x87, $from, $to, $buffer, $length, $timeout);
                          if ($res < 0) {
                              die "Error verifying!\n";
                          }
                          &execute();
                        # FIXME: check actual return of command
                      }

                      Comment


                      • #71
                        Re: Welcome to the DEFCON Badge Hacking Contest

                        Originally posted by Andreas View Post
                        I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.
                        This is awesome! I found sdcc during the con, but hadn't yet tried anything with it. I will be looking forward to see what you have.

                        Comment


                        • #72
                          Re: Welcome to the DEFCON Badge Hacking Contest

                          Andreas, nice going and its shame you didn't get a mention, definitely earned though.

                          Thanks for posting the protocol too, the JM60 bootloader on windows is annoyingly bad so it'll be nice to replace it..

                          Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.

                          cheers.
                          - Null Space Labs

                          Comment


                          • #73
                            Re: Welcome to the DEFCON Badge Hacking Contest

                            Originally posted by charliex View Post
                            Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.
                            Yeah, we've been playing with both the mainline sdcc, and the hc08 branch that's floating around. The latter has been worked on using cygwin, and it's in a sorry state with regard to building it on Linux. The former misses quite a number of libc functions, and it's not possible to override the init sequence (crt0.o, if you will), which is needed to make it play nicely with the existing bootloader.

                            I'm still at the airport, but will contact the other Andreas (a.k.a. "count") as soon as I'm home, he's got the sdcc hackery on his computer.

                            If you have JTAG access, and can live with overwriting the original bootloader, the following linker script might get you somewhere with the stock sdcc (assuming you have compiled a main_test.c to main_test.rel):

                            Code:
                            -mxsu
                            main_test
                            -b CSEG=0x1960
                            -b DSEG=0xb0
                            -g __sdcc_external_startup=0x0000 ; bug, but silence
                            -g __PTAD=0x00000000
                            -g __PTADD=0x00000001
                            -g __PTBD=0x00000002
                            -g __PTBDD=0x00000003
                            -g __PTCD=0x00000004
                            -g __PTCDD=0x00000005
                            -g __PTDD=0x00000006
                            -g __PTDDD=0x00000007
                            -g __PTED=0x00000008
                            -g __PTEDD=0x00000009
                            -g __PTFD=0x0000000A
                            -g __PTFDD=0x0000000B
                            -g __PTGD=0x0000000C
                            -g __PTGDD=0x0000000D
                            -g __ACMPSC=0x0000000E
                            -g __ADCSC1=0x00000010
                            -g __ADCSC2=0x00000011
                            -g __ADCR=0x00000012
                            -g __ADCCV=0x00000014
                            -g __ADCCFG=0x00000016
                            -g __APCTL1=0x00000017
                            -g __APCTL2=0x00000018
                            -g __IRQSC=0x0000001B
                            -g __KBISC=0x0000001C
                            -g __KBIPE=0x0000001D
                            -g __KBIES=0x0000001E
                            -g __TPM1SC=0x00000020
                            -g __TPM1CNT=0x00000021
                            -g __TPM1MOD=0x00000023
                            -g __TPM1C0SC=0x00000025
                            -g __TPM1C0V=0x00000026
                            -g __TPM1C1SC=0x00000028
                            -g __TPM1C1V=0x00000029
                            -g __TPM1C2SC=0x0000002B
                            -g __TPM1C2V=0x0000002C
                            -g __TPM1C3SC=0x0000002E
                            -g __TPM1C3V=0x0000002F
                            -g __TPM1C4SC=0x00000031
                            -g __TPM1C4V=0x00000032
                            -g __TPM1C5SC=0x00000034
                            -g __TPM1C5V=0x00000035
                            -g __SCI1BD=0x00000038
                            -g __SCI1C1=0x0000003A
                            -g __SCI1C2=0x0000003B
                            -g __SCI1S1=0x0000003C
                            -g __SCI1S2=0x0000003D
                            -g __SCI1C3=0x0000003E
                            -g __SCI1D=0x0000003F
                            -g __SCI2BD=0x00000040
                            -g __SCI2C1=0x00000042
                            -g __SCI2C2=0x00000043
                            -g __SCI2S1=0x00000044
                            -g __SCI2S2=0x00000045
                            -g __SCI2C3=0x00000046
                            -g __SCI2D=0x00000047
                            -g __MCGC1=0x00000048
                            -g __MCGC2=0x00000049
                            -g __MCGTRM=0x0000004A
                            -g __MCGSC=0x0000004B
                            -g __MCGC3=0x0000004C
                            -g __MCGT=0x0000004D
                            -g __SPI1C1=0x00000050
                            -g __SPI1C2=0x00000051
                            -g __SPI1BR=0x00000052
                            -g __SPI1S=0x00000053
                            -g __SPI1D16=0x00000054
                            -g __SPI1M=0x00000056
                            -g __IICA=0x00000058
                            -g __IICF=0x00000059
                            -g __IICC1=0x0000005A
                            -g __IICS=0x0000005B
                            -g __IICD=0x0000005C
                            -g __IICC2=0x0000005D
                            -g __TPM2SC=0x00000060
                            -g __TPM2CNT=0x00000061
                            -g __TPM2MOD=0x00000063
                            -g __TPM2C0SC=0x00000065
                            -g __TPM2C0V=0x00000066
                            -g __TPM2C1SC=0x00000068
                            -g __TPM2C1V=0x00000069
                            -g __RTCSC=0x0000006C
                            -g __RTCCNT=0x0000006D
                            -g __RTCMOD=0x0000006E
                            -g __SPI2C1=0x00000070
                            -g __SPI2C2=0x00000071
                            -g __SPI2BR=0x00000072
                            -g __SPI2S=0x00000073
                            -g __SPI2D16=0x00000074
                            -g __SPI2M=0x00000076
                            -g __USBCTL0=0x00000080
                            -g __PERID=0x00000088
                            -g __IDCOMP=0x00000089
                            -g __REV=0x0000008A
                            -g __INTSTAT=0x00000090
                            -g __INTENB=0x00000091
                            -g __ERRSTAT=0x00000092
                            -g __ERRENB=0x00000093
                            -g __STAT=0x00000094
                            -g __CTL=0x00000095
                            -g __ADDR=0x00000096
                            -g __FRMNUML=0x00000097
                            -g __FRMNUMH=0x00000098
                            -g __EPCTL0=0x0000009D
                            -g __EPCTL1=0x0000009E
                            -g __EPCTL2=0x0000009F
                            -g __EPCTL3=0x000000A0
                            -g __EPCTL4=0x000000A1
                            -g __EPCTL5=0x000000A2
                            -g __EPCTL6=0x000000A3
                            -g __SRS=0x00001800
                            -g __SBDFR=0x00001801
                            -g __SOPT1=0x00001802
                            -g __SOPT2=0x00001803
                            -g __SDID=0x00001806
                            -g __SPMSC1=0x00001809
                            -g __SPMSC2=0x0000180A
                            -g __DBGCA=0x00001810
                            -g __DBGCB=0x00001812
                            -g __DBGF=0x00001814
                            -g __DBGC=0x00001816
                            -g __DBGT=0x00001817
                            -g __DBGS=0x00001818
                            -g __FCDIV=0x00001820
                            -g __FOPT=0x00001821
                            -g __FCNFG=0x00001823
                            -g __FPROT=0x00001824
                            -g __FSTAT=0x00001825
                            -g __FCMD=0x00001826
                            -g __PTAPE=0x00001840
                            -g __PTASE=0x00001841
                            -g __PTADS=0x00001842
                            -g __PTBPE=0x00001844
                            -g __PTBSE=0x00001845
                            -g __PTBDS=0x00001846
                            -g __PTCPE=0x00001848
                            -g __PTCSE=0x00001849
                            -g __PTCDS=0x0000184A
                            -g __PTDPE=0x0000184C
                            -g __PTDSE=0x0000184D
                            -g __PTDDS=0x0000184E
                            -g __PTEPE=0x00001850
                            -g __PTESE=0x00001851
                            -g __PTEDS=0x00001852
                            -g __PTFPE=0x00001854
                            -g __PTFSE=0x00001855
                            -g __PTFDS=0x00001856
                            -g __PTGPE=0x00001858
                            -g __PTGSE=0x00001859
                            -g __PTGDS=0x0000185A
                            -g __FIFO0=0x00000081
                            -g __F0BADDR=0x00000082
                            -g __F0SIZE=0x00000083
                            -g __F0CTL=0x00000085
                            -e
                            Andreas

                            Comment


                            • #74
                              Re: Welcome to the DEFCON Badge Hacking Contest

                              Thanks Andreas,

                              I picked up the P&E BDM yesterday, so it should arrive today, i've got almost everyone they've got now, people keep picking chips i don't have the BDM for, i expect with my luck next year Joe will use a renesas processor....

                              Have a safe TSA free flight.
                              - Null Space Labs

                              Comment


                              • #75
                                Re: Welcome to the DEFCON Badge Hacking Contest

                                Can anyone recommend a VERY beginner kit to learn how to work with these MCUs/boards? This DC was my first time soldering anything, ever(yay got my USB port on) ;) and I'm really interested in learning more, but I don't have a big electronics background so I'd really like to learn from the ground up. I'm planning on taking a basic electronics course through my JC but I also want to be able to learn hands on in the meantime, get my soldering skills up, etc.

                                Comment

                                Working...
                                X