Announcement

**charliex** · August 10th, 2008, 10:06

Re: Welcome to the DEFCON Badge Hacking Contest

Originally posted by nak View Post

Yeah, I did try that, the computer will pop up an un-recognized USB device bubble from the system tray. The only time XP asks for drivers is when it is in 'normal' operation mode. It also doesn't open a serial port when in bootloader mode (BTW).

it'd be the drivers in this folder for bootloader mode

Code:

(Default path)
C:\Program Files\Freescale\Freescale JM60 GUI\JM60 USB Driver

**nak** · August 11th, 2008, 12:22

Re: Welcome to the DEFCON Badge Hacking Contest

Thanks charliex, I talked to a couple guys in the HHV on sunday (maybe it was you :P) and got the location of the driver and a copy of code warrior.

I'll probably get an instructable on how to get the badges working, now time to figure out how to program this thing...

**Cross_** · August 11th, 2008, 12:33

Re: Welcome to the DEFCON Badge Hacking Contest

I remember that some people were passing a USB stick with updated software around. What was that about ?
Is there a gcc toolchain available for programming this without having to purchase Freescale's CodeWarrior version? Link ?

**Kingpin** · August 11th, 2008, 19:04

Re: Welcome to the DEFCON Badge Hacking Contest

Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)

-kp

**BonzoESC** · August 11th, 2008, 20:00

Re: Welcome to the DEFCON Badge Hacking Contest

Originally posted by Kingpin View Post

Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)

-kp

Just got back to the Bonz-o-plex.

Here's the Front Row Badge source: http://github.com/bkerley/dc16_badge
And a video demonstration: http://www.youtube.com/watch?v=gPQHFCoAvgE

**kajer** · August 12th, 2008, 00:48

Re: Welcome to the DEFCON Badge Hacking Contest

I got codewarrior installed, removed TV-B-GONE source, and made some room to work w/ that 32k limit on the freescale demo program. I got some cleaned up Firmware uploaded to the badge, and now I am ready to put some neat LED things in there as different modes...

Before I do, I still want to retain the InfraRed TX/RX...

I am no coder, but It seems like the file TX bug is in FAT.C. Has anyone patched their FAT.C to actually return a file to the DC16_TX_File routine?

(debug output...
Entering TRANSMIT mode.
No valid file found.
Going to SLEEP
...)

**kajer** · August 12th, 2008, 13:16

Re: Welcome to the DEFCON Badge Hacking Contest

Alright, I spent most of last night poking around the code... Keep in mind I am a total code n00b... It seems like there is a bug in the routine that sends the filename to the DC16 file transfer handler.

If you have a read-only file with a FULL 8x3 FILENAME without a archive/system/hidden attribute set, the badge will work; possibly.

I modded my code to ignore the system/archive/hidden and I got the file transfer to work with a 8x3 filename; OMGHELLO.TXT

The problem seems to be in the code in FAT.C that sends a name to the gau8Minicom buffer. If the filename isn't 8x3 It looks like the code can't handle it, or process it correctly. I have tried variations of a few different things that all seem to pass the incorrect name to the buffer.

I hard set the short filename in the gau8Minicom buffer and it read OK, but thats not what I want, If I was going to have to name my file something every time, why not just give it a full 8x3 in the first place.

So, would somebody else confirm that if you set your attribs to == R and != ASH (lol i suck at C) and give your file a UPPERCASE 8x3, see if you badge works.

Thanks
-Kajer

**charliex** · August 12th, 2008, 15:24

Re: Welcome to the DEFCON Badge Hacking Contest

There is a codewarrior with a temporary license for defcon, i think there a few days left on it, it was downloadable from the media.defcon link, but you have to manually copy the license.dat.

gcc doesn't support HC08 that i'm aware of, its HC12 support is not that great anyway.

i've been looking at SDCC which has a couple of ports to HC08 but its code generation has been questionable, and no C++ support which isn't really an issue with the badge that i recall and if there was anything it's probably small stuff.

i haven't looked at the transfer bug, since i wasn't aware of it til the closing ceremony, FAT16 doesn't support LFN's (without a patented extension) so its probably not expecting anything else, i'll take a peek sometime.

**kajer** · August 12th, 2008, 20:48

Re: Welcome to the DEFCON Badge Hacking Contest

I gave a sample of the code to my buddy Snuggles...

He gave me this...

Code:

UINT8 FAT_LS(void)
{
    UINT8 u8Counter, i;
    root_Entries *sFileStructure;                                   

    GetPhysicalBlock(u16FAT_Root_BASE,ag8FATReadBuffer);
    sFileStructure = (root_Entries*)&ag8FATReadBuffer[RootEntrySize];
    
    // look at each file in the root directory to find the first one with only the Read Only attribute set
    while(sFileStructure->FileName[0]!=FILE_Clear)
    {
      if (sFileStructure->FileName[0]!=FILE_Erased) // if the file isn't erased (since FAT doesn't really erase the file, only flag it as erased...)
      {
        i = NibbleSwap(sFileStructure->Attributes);
        if ((i & AT_READONLY) && !(i & (AT_VOLUME | AT_DIRECTORY))) // the attribute is set
        {
          // copy the filename into the gau8Minicom buffer 
          i = 0; 
          for(u8Counter=0;u8Counter<8;u8Counter++) 
            {
              if(sFileStructure->FileName[u8Counter]!=' ' && sFileStructure->FileName[u8Counter] !='.')           
                {
                  gau8Minicom[u8Counter] = sFileStructure->FileName[u8Counter];
                  ++i;
                }
            }
             
          gau8Minicom[i] = '.';
          ++i;
          
          for(u8Counter=0;u8Counter<3;u8Counter++) 
            {
              if(sFileStructure->Extension[u8Counter]!=' ')
                gau8Minicom[u8Counter + i] = sFileStructure->Extension[u8Counter];
            }
          return (1);   
        }
      }
      
      sFileStructure++;
    }
      
    return(0);
}

The badge gave me this...

Code:

Entering TRANSMIT mode.
HELLO.TXT
File name: HELLO.TXT
File size:  0000001131 bytes
Starting IR file transmit.

CRC16 = 0x1814

CRC16 = 0x1455

CRC16 = 0xEF43

CRC16 = 0x0000

IR file transmit successful!
Going to SLEEP.

The DC16 badge will now use a filename that is shorter than 8x3 and ignore the archive / system / hidden attributes... However, the routine will not work unless your filename is UPPERCASE... There is a step in DC16_TX_File to make the gau8Minicom into uppercase, but from the terminal strings I have my badge output, it looks like the FAT.C can't read lowercase filenames. When I changed hello.txt to HELLO.TXT, then it worked.

Any Ideas?

**Andreas** · August 12th, 2008, 22:06

Re: Welcome to the DEFCON Badge Hacking Contest

I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.

Still, here's the perl code for flashing. Use at your own risk, YMMV, consult your health care professional. Only flashes on of the two flash regions. Doesn't verify. Doesn't blank check after erase. Etc.

sdcc hackey will follow soon.

Code:

#!/usr/bin/perl -w

use strict;
use Device::USB;

my $big = "\000" x 0x10000;

my $timeout = 10000;
my $VENDOR  = 0x15a2;
my $PRODUCT = 0x0035;
my $CFG     = 0x0;
my $i;

my $usb = Device::USB->new();
my $dev = $usb->find_device( $VENDOR, $PRODUCT );

printf "Device: %04X:%04X\n", $dev->idVendor(), $dev->idProduct();
$dev->open();
$dev->set_configuration( $CFG );

printf "Erasing Flash!\n";
for ($i = 0x1960; $i < 0xfc00; $i += 0x200) {
    &erase_flash($i, $i + 0x1ff);
}

printf "Writing Flash!\n";
&parse_s_record();

for($i=0x1960;$i<0xfc00;$i+=8) {
    my $buffer = substr($big, $i, 8);
    &write_flash($buffer, $i);
}

sub parse_s_record {
    while(<>) {
        chomp;
        if (/^S1(..)(....)((..)*)(..)/) {
            my $buffer = pack("H*", $3);
            my $address = unpack("n", pack("H*", $2));
            unless ($address > 0xfc00) {
                substr($big,$address,length($buffer)) = $buffer;
            }
        }
    }
}

sub erase_flash {
    my $buffer = "";
    my $from = shift;
    my $to = shift;
    if ($from < 0xfc00 && $to < 0xfc00) {
        my $res = $dev->control_msg(0x40, 0x82, $to, $from, $buffer, 0, $timeout);
        if ($res < 0) {
            die "Error erasing!\n";
        }
        &execute();
    }
}

sub write_flash {
    my $buffer = shift;
    my $from = shift;
    my $length = length($buffer);
    my $to = $from + $length - 1;
    if ($from < 0xfc00 && $to < 0xfc00) {
        my $res = $dev->control_msg(0x40, 0x81, $from, $to, $buffer, $length, $timeout);
        if ($res < 0) {
            die "Error writing!\n";
        }
        &execute();
    }
}

sub verify_flash {
    my $buffer = shift;
    my $from = shift;
    my $length = length($buffer);
    my $to = $from + $length - 1;
    my $res = $dev->control_msg(0x40, 0x87, $from, $to, $buffer, $length, $timeout);
    if ($res < 0) {
        die "Error verifying!\n";
    }
    &execute();
  # FIXME: check actual return of command
}

**jeffgus** · August 13th, 2008, 01:35

Re: Welcome to the DEFCON Badge Hacking Contest

Originally posted by Andreas View Post

I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.

This is awesome! I found sdcc during the con, but hadn't yet tried anything with it. I will be looking forward to see what you have.

**charliex** · August 13th, 2008, 15:06

Re: Welcome to the DEFCON Badge Hacking Contest

Andreas, nice going and its shame you didn't get a mention, definitely earned though.

Thanks for posting the protocol too, the JM60 bootloader on windows is annoyingly bad so it'll be nice to replace it..

Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.

cheers.

**Andreas** · August 14th, 2008, 00:35

Re: Welcome to the DEFCON Badge Hacking Contest

Originally posted by charliex View Post

Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.

Yeah, we've been playing with both the mainline sdcc, and the hc08 branch that's floating around. The latter has been worked on using cygwin, and it's in a sorry state with regard to building it on Linux. The former misses quite a number of libc functions, and it's not possible to override the init sequence (crt0.o, if you will), which is needed to make it play nicely with the existing bootloader.

I'm still at the airport, but will contact the other Andreas (a.k.a. "count") as soon as I'm home, he's got the sdcc hackery on his computer.

If you have JTAG access, and can live with overwriting the original bootloader, the following linker script might get you somewhere with the stock sdcc (assuming you have compiled a main_test.c to main_test.rel):

Code:

-mxsu
main_test
-b CSEG=0x1960
-b DSEG=0xb0
-g __sdcc_external_startup=0x0000 ; bug, but silence
-g __PTAD=0x00000000
-g __PTADD=0x00000001
-g __PTBD=0x00000002
-g __PTBDD=0x00000003
-g __PTCD=0x00000004
-g __PTCDD=0x00000005
-g __PTDD=0x00000006
-g __PTDDD=0x00000007
-g __PTED=0x00000008
-g __PTEDD=0x00000009
-g __PTFD=0x0000000A
-g __PTFDD=0x0000000B
-g __PTGD=0x0000000C
-g __PTGDD=0x0000000D
-g __ACMPSC=0x0000000E
-g __ADCSC1=0x00000010
-g __ADCSC2=0x00000011
-g __ADCR=0x00000012
-g __ADCCV=0x00000014
-g __ADCCFG=0x00000016
-g __APCTL1=0x00000017
-g __APCTL2=0x00000018
-g __IRQSC=0x0000001B
-g __KBISC=0x0000001C
-g __KBIPE=0x0000001D
-g __KBIES=0x0000001E
-g __TPM1SC=0x00000020
-g __TPM1CNT=0x00000021
-g __TPM1MOD=0x00000023
-g __TPM1C0SC=0x00000025
-g __TPM1C0V=0x00000026
-g __TPM1C1SC=0x00000028
-g __TPM1C1V=0x00000029
-g __TPM1C2SC=0x0000002B
-g __TPM1C2V=0x0000002C
-g __TPM1C3SC=0x0000002E
-g __TPM1C3V=0x0000002F
-g __TPM1C4SC=0x00000031
-g __TPM1C4V=0x00000032
-g __TPM1C5SC=0x00000034
-g __TPM1C5V=0x00000035
-g __SCI1BD=0x00000038
-g __SCI1C1=0x0000003A
-g __SCI1C2=0x0000003B
-g __SCI1S1=0x0000003C
-g __SCI1S2=0x0000003D
-g __SCI1C3=0x0000003E
-g __SCI1D=0x0000003F
-g __SCI2BD=0x00000040
-g __SCI2C1=0x00000042
-g __SCI2C2=0x00000043
-g __SCI2S1=0x00000044
-g __SCI2S2=0x00000045
-g __SCI2C3=0x00000046
-g __SCI2D=0x00000047
-g __MCGC1=0x00000048
-g __MCGC2=0x00000049
-g __MCGTRM=0x0000004A
-g __MCGSC=0x0000004B
-g __MCGC3=0x0000004C
-g __MCGT=0x0000004D
-g __SPI1C1=0x00000050
-g __SPI1C2=0x00000051
-g __SPI1BR=0x00000052
-g __SPI1S=0x00000053
-g __SPI1D16=0x00000054
-g __SPI1M=0x00000056
-g __IICA=0x00000058
-g __IICF=0x00000059
-g __IICC1=0x0000005A
-g __IICS=0x0000005B
-g __IICD=0x0000005C
-g __IICC2=0x0000005D
-g __TPM2SC=0x00000060
-g __TPM2CNT=0x00000061
-g __TPM2MOD=0x00000063
-g __TPM2C0SC=0x00000065
-g __TPM2C0V=0x00000066
-g __TPM2C1SC=0x00000068
-g __TPM2C1V=0x00000069
-g __RTCSC=0x0000006C
-g __RTCCNT=0x0000006D
-g __RTCMOD=0x0000006E
-g __SPI2C1=0x00000070
-g __SPI2C2=0x00000071
-g __SPI2BR=0x00000072
-g __SPI2S=0x00000073
-g __SPI2D16=0x00000074
-g __SPI2M=0x00000076
-g __USBCTL0=0x00000080
-g __PERID=0x00000088
-g __IDCOMP=0x00000089
-g __REV=0x0000008A
-g __INTSTAT=0x00000090
-g __INTENB=0x00000091
-g __ERRSTAT=0x00000092
-g __ERRENB=0x00000093
-g __STAT=0x00000094
-g __CTL=0x00000095
-g __ADDR=0x00000096
-g __FRMNUML=0x00000097
-g __FRMNUMH=0x00000098
-g __EPCTL0=0x0000009D
-g __EPCTL1=0x0000009E
-g __EPCTL2=0x0000009F
-g __EPCTL3=0x000000A0
-g __EPCTL4=0x000000A1
-g __EPCTL5=0x000000A2
-g __EPCTL6=0x000000A3
-g __SRS=0x00001800
-g __SBDFR=0x00001801
-g __SOPT1=0x00001802
-g __SOPT2=0x00001803
-g __SDID=0x00001806
-g __SPMSC1=0x00001809
-g __SPMSC2=0x0000180A
-g __DBGCA=0x00001810
-g __DBGCB=0x00001812
-g __DBGF=0x00001814
-g __DBGC=0x00001816
-g __DBGT=0x00001817
-g __DBGS=0x00001818
-g __FCDIV=0x00001820
-g __FOPT=0x00001821
-g __FCNFG=0x00001823
-g __FPROT=0x00001824
-g __FSTAT=0x00001825
-g __FCMD=0x00001826
-g __PTAPE=0x00001840
-g __PTASE=0x00001841
-g __PTADS=0x00001842
-g __PTBPE=0x00001844
-g __PTBSE=0x00001845
-g __PTBDS=0x00001846
-g __PTCPE=0x00001848
-g __PTCSE=0x00001849
-g __PTCDS=0x0000184A
-g __PTDPE=0x0000184C
-g __PTDSE=0x0000184D
-g __PTDDS=0x0000184E
-g __PTEPE=0x00001850
-g __PTESE=0x00001851
-g __PTEDS=0x00001852
-g __PTFPE=0x00001854
-g __PTFSE=0x00001855
-g __PTFDS=0x00001856
-g __PTGPE=0x00001858
-g __PTGSE=0x00001859
-g __PTGDS=0x0000185A
-g __FIFO0=0x00000081
-g __F0BADDR=0x00000082
-g __F0SIZE=0x00000083
-g __F0CTL=0x00000085
-e

Andreas

**charliex** · August 14th, 2008, 10:59

Re: Welcome to the DEFCON Badge Hacking Contest

Thanks Andreas,

I picked up the P&E BDM yesterday, so it should arrive today, i've got almost everyone they've got now, people keep picking chips i don't have the BDM for, i expect with my luck next year Joe will use a renesas processor....

Have a safe TSA free flight.

**Demo** · August 14th, 2008, 11:09

Re: Welcome to the DEFCON Badge Hacking Contest

Can anyone recommend a VERY beginner kit to learn how to work with these MCUs/boards? This DC was my first time soldering anything, ever(yay got my USB port on) ;) and I'm really interested in learning more, but I don't have a big electronics background so I'd really like to learn from the ground up. I'm planning on taking a basic electronics course through my JC but I also want to be able to learn hands on in the meantime, get my soldering skills up, etc.

Announcement

[Defcon 16] Welcome to the DEFCON Badge Hacking Contest

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment