-
- Null Space Labs -
Re: Welcome to the DEFCON Badge Hacking Contest
Thanks charliex, I talked to a couple guys in the HHV on sunday (maybe it was you :P) and got the location of the driver and a copy of code warrior.
I'll probably get an instructable on how to get the badges working, now time to figure out how to program this thing...ยงComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
I remember that some people were passing a USB stick with updated software around. What was that about ?
Is there a gcc toolchain available for programming this without having to purchase Freescale's CodeWarrior version? Link ?Comment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Whew! Hope everyone made it back to the real world in one piece. I'm in the process of writing up all the badge hacking contest entries, putting up the page with pics, documentation, etc. I'll come back when I'm done :)
-kpComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Just got back to the Bonz-o-plex.
Here's the Front Row Badge source: http://github.com/bkerley/dc16_badge
And a video demonstration: http://www.youtube.com/watch?v=gPQHFCoAvgEComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
I got codewarrior installed, removed TV-B-GONE source, and made some room to work w/ that 32k limit on the freescale demo program. I got some cleaned up Firmware uploaded to the badge, and now I am ready to put some neat LED things in there as different modes...
Before I do, I still want to retain the InfraRed TX/RX...
I am no coder, but It seems like the file TX bug is in FAT.C. Has anyone patched their FAT.C to actually return a file to the DC16_TX_File routine?
(debug output...
Entering TRANSMIT mode.
No valid file found.
Going to SLEEP
...)Comment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Alright, I spent most of last night poking around the code... Keep in mind I am a total code n00b... It seems like there is a bug in the routine that sends the filename to the DC16 file transfer handler.
If you have a read-only file with a FULL 8x3 FILENAME without a archive/system/hidden attribute set, the badge will work; possibly.
I modded my code to ignore the system/archive/hidden and I got the file transfer to work with a 8x3 filename; OMGHELLO.TXT
The problem seems to be in the code in FAT.C that sends a name to the gau8Minicom buffer. If the filename isn't 8x3 It looks like the code can't handle it, or process it correctly. I have tried variations of a few different things that all seem to pass the incorrect name to the buffer.
I hard set the short filename in the gau8Minicom buffer and it read OK, but thats not what I want, If I was going to have to name my file something every time, why not just give it a full 8x3 in the first place.
So, would somebody else confirm that if you set your attribs to == R and != ASH (lol i suck at C) and give your file a UPPERCASE 8x3, see if you badge works.
Thanks
-KajerComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
There is a codewarrior with a temporary license for defcon, i think there a few days left on it, it was downloadable from the media.defcon link, but you have to manually copy the license.dat.
gcc doesn't support HC08 that i'm aware of, its HC12 support is not that great anyway.
i've been looking at SDCC which has a couple of ports to HC08 but its code generation has been questionable, and no C++ support which isn't really an issue with the badge that i recall and if there was anything it's probably small stuff.
i haven't looked at the transfer bug, since i wasn't aware of it til the closing ceremony, FAT16 doesn't support LFN's (without a patented extension) so its probably not expecting anything else, i'll take a peek sometime.- Null Space LabsComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
I gave a sample of the code to my buddy Snuggles...
He gave me this...
The badge gave me this...Code:UINT8 FAT_LS(void) { UINT8 u8Counter, i; root_Entries *sFileStructure; GetPhysicalBlock(u16FAT_Root_BASE,ag8FATReadBuffer); sFileStructure = (root_Entries*)&ag8FATReadBuffer[RootEntrySize]; // look at each file in the root directory to find the first one with only the Read Only attribute set while(sFileStructure->FileName[0]!=FILE_Clear) { if (sFileStructure->FileName[0]!=FILE_Erased) // if the file isn't erased (since FAT doesn't really erase the file, only flag it as erased...) { i = NibbleSwap(sFileStructure->Attributes); if ((i & AT_READONLY) && !(i & (AT_VOLUME | AT_DIRECTORY))) // the attribute is set { // copy the filename into the gau8Minicom buffer i = 0; for(u8Counter=0;u8Counter<8;u8Counter++) { if(sFileStructure->FileName[u8Counter]!=' ' && sFileStructure->FileName[u8Counter] !='.') { gau8Minicom[u8Counter] = sFileStructure->FileName[u8Counter]; ++i; } } gau8Minicom[i] = '.'; ++i; for(u8Counter=0;u8Counter<3;u8Counter++) { if(sFileStructure->Extension[u8Counter]!=' ') gau8Minicom[u8Counter + i] = sFileStructure->Extension[u8Counter]; } return (1); } } sFileStructure++; } return(0); }
Code:Entering TRANSMIT mode. HELLO.TXT File name: HELLO.TXT File size: 0000001131 bytes Starting IR file transmit. CRC16 = 0x1814 CRC16 = 0x1455 CRC16 = 0xEF43 CRC16 = 0x0000 IR file transmit successful! Going to SLEEP.
The DC16 badge will now use a filename that is shorter than 8x3 and ignore the archive / system / hidden attributes... However, the routine will not work unless your filename is UPPERCASE... There is a step in DC16_TX_File to make the gau8Minicom into uppercase, but from the terminal strings I have my badge output, it looks like the FAT.C can't read lowercase filenames. When I changed hello.txt to HELLO.TXT, then it worked.
Any Ideas?Comment
-
Re: Welcome to the DEFCON Badge Hacking Contest
I'm a tad bit disappointed that our efforts to reverse engineer the bootloader USB protocol, write a Linux software for flashing firmware via USB, and beat sdcc into compiling software for the target, giving a 100% non-Windows, non-CodeWarrior development solution, didn't even result in an honorable mention at the Ceremony.
Still, here's the perl code for flashing. Use at your own risk, YMMV, consult your health care professional. Only flashes on of the two flash regions. Doesn't verify. Doesn't blank check after erase. Etc.
sdcc hackey will follow soon.
Code:#!/usr/bin/perl -w use strict; use Device::USB; my $big = "\000" x 0x10000; my $timeout = 10000; my $VENDOR = 0x15a2; my $PRODUCT = 0x0035; my $CFG = 0x0; my $i; my $usb = Device::USB->new(); my $dev = $usb->find_device( $VENDOR, $PRODUCT ); printf "Device: %04X:%04X\n", $dev->idVendor(), $dev->idProduct(); $dev->open(); $dev->set_configuration( $CFG ); printf "Erasing Flash!\n"; for ($i = 0x1960; $i < 0xfc00; $i += 0x200) { &erase_flash($i, $i + 0x1ff); } printf "Writing Flash!\n"; &parse_s_record(); for($i=0x1960;$i<0xfc00;$i+=8) { my $buffer = substr($big, $i, 8); &write_flash($buffer, $i); } sub parse_s_record { while(<>) { chomp; if (/^S1(..)(....)((..)*)(..)/) { my $buffer = pack("H*", $3); my $address = unpack("n", pack("H*", $2)); unless ($address > 0xfc00) { substr($big,$address,length($buffer)) = $buffer; } } } } sub erase_flash { my $buffer = ""; my $from = shift; my $to = shift; if ($from < 0xfc00 && $to < 0xfc00) { my $res = $dev->control_msg(0x40, 0x82, $to, $from, $buffer, 0, $timeout); if ($res < 0) { die "Error erasing!\n"; } &execute(); } } sub write_flash { my $buffer = shift; my $from = shift; my $length = length($buffer); my $to = $from + $length - 1; if ($from < 0xfc00 && $to < 0xfc00) { my $res = $dev->control_msg(0x40, 0x81, $from, $to, $buffer, $length, $timeout); if ($res < 0) { die "Error writing!\n"; } &execute(); } } sub verify_flash { my $buffer = shift; my $from = shift; my $length = length($buffer); my $to = $from + $length - 1; my $res = $dev->control_msg(0x40, 0x87, $from, $to, $buffer, $length, $timeout); if ($res < 0) { die "Error verifying!\n"; } &execute(); # FIXME: check actual return of command }Comment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Andreas, nice going and its shame you didn't get a mention, definitely earned though.
Thanks for posting the protocol too, the JM60 bootloader on windows is annoyingly bad so it'll be nice to replace it..
Looking forward to seeing your SDCC, i found an offshooted port off the freescale forums but haven't played around with it.
cheers.- Null Space LabsComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Yeah, we've been playing with both the mainline sdcc, and the hc08 branch that's floating around. The latter has been worked on using cygwin, and it's in a sorry state with regard to building it on Linux. The former misses quite a number of libc functions, and it's not possible to override the init sequence (crt0.o, if you will), which is needed to make it play nicely with the existing bootloader.
I'm still at the airport, but will contact the other Andreas (a.k.a. "count") as soon as I'm home, he's got the sdcc hackery on his computer.
If you have JTAG access, and can live with overwriting the original bootloader, the following linker script might get you somewhere with the stock sdcc (assuming you have compiled a main_test.c to main_test.rel):
AndreasCode:-mxsu main_test -b CSEG=0x1960 -b DSEG=0xb0 -g __sdcc_external_startup=0x0000 ; bug, but silence -g __PTAD=0x00000000 -g __PTADD=0x00000001 -g __PTBD=0x00000002 -g __PTBDD=0x00000003 -g __PTCD=0x00000004 -g __PTCDD=0x00000005 -g __PTDD=0x00000006 -g __PTDDD=0x00000007 -g __PTED=0x00000008 -g __PTEDD=0x00000009 -g __PTFD=0x0000000A -g __PTFDD=0x0000000B -g __PTGD=0x0000000C -g __PTGDD=0x0000000D -g __ACMPSC=0x0000000E -g __ADCSC1=0x00000010 -g __ADCSC2=0x00000011 -g __ADCR=0x00000012 -g __ADCCV=0x00000014 -g __ADCCFG=0x00000016 -g __APCTL1=0x00000017 -g __APCTL2=0x00000018 -g __IRQSC=0x0000001B -g __KBISC=0x0000001C -g __KBIPE=0x0000001D -g __KBIES=0x0000001E -g __TPM1SC=0x00000020 -g __TPM1CNT=0x00000021 -g __TPM1MOD=0x00000023 -g __TPM1C0SC=0x00000025 -g __TPM1C0V=0x00000026 -g __TPM1C1SC=0x00000028 -g __TPM1C1V=0x00000029 -g __TPM1C2SC=0x0000002B -g __TPM1C2V=0x0000002C -g __TPM1C3SC=0x0000002E -g __TPM1C3V=0x0000002F -g __TPM1C4SC=0x00000031 -g __TPM1C4V=0x00000032 -g __TPM1C5SC=0x00000034 -g __TPM1C5V=0x00000035 -g __SCI1BD=0x00000038 -g __SCI1C1=0x0000003A -g __SCI1C2=0x0000003B -g __SCI1S1=0x0000003C -g __SCI1S2=0x0000003D -g __SCI1C3=0x0000003E -g __SCI1D=0x0000003F -g __SCI2BD=0x00000040 -g __SCI2C1=0x00000042 -g __SCI2C2=0x00000043 -g __SCI2S1=0x00000044 -g __SCI2S2=0x00000045 -g __SCI2C3=0x00000046 -g __SCI2D=0x00000047 -g __MCGC1=0x00000048 -g __MCGC2=0x00000049 -g __MCGTRM=0x0000004A -g __MCGSC=0x0000004B -g __MCGC3=0x0000004C -g __MCGT=0x0000004D -g __SPI1C1=0x00000050 -g __SPI1C2=0x00000051 -g __SPI1BR=0x00000052 -g __SPI1S=0x00000053 -g __SPI1D16=0x00000054 -g __SPI1M=0x00000056 -g __IICA=0x00000058 -g __IICF=0x00000059 -g __IICC1=0x0000005A -g __IICS=0x0000005B -g __IICD=0x0000005C -g __IICC2=0x0000005D -g __TPM2SC=0x00000060 -g __TPM2CNT=0x00000061 -g __TPM2MOD=0x00000063 -g __TPM2C0SC=0x00000065 -g __TPM2C0V=0x00000066 -g __TPM2C1SC=0x00000068 -g __TPM2C1V=0x00000069 -g __RTCSC=0x0000006C -g __RTCCNT=0x0000006D -g __RTCMOD=0x0000006E -g __SPI2C1=0x00000070 -g __SPI2C2=0x00000071 -g __SPI2BR=0x00000072 -g __SPI2S=0x00000073 -g __SPI2D16=0x00000074 -g __SPI2M=0x00000076 -g __USBCTL0=0x00000080 -g __PERID=0x00000088 -g __IDCOMP=0x00000089 -g __REV=0x0000008A -g __INTSTAT=0x00000090 -g __INTENB=0x00000091 -g __ERRSTAT=0x00000092 -g __ERRENB=0x00000093 -g __STAT=0x00000094 -g __CTL=0x00000095 -g __ADDR=0x00000096 -g __FRMNUML=0x00000097 -g __FRMNUMH=0x00000098 -g __EPCTL0=0x0000009D -g __EPCTL1=0x0000009E -g __EPCTL2=0x0000009F -g __EPCTL3=0x000000A0 -g __EPCTL4=0x000000A1 -g __EPCTL5=0x000000A2 -g __EPCTL6=0x000000A3 -g __SRS=0x00001800 -g __SBDFR=0x00001801 -g __SOPT1=0x00001802 -g __SOPT2=0x00001803 -g __SDID=0x00001806 -g __SPMSC1=0x00001809 -g __SPMSC2=0x0000180A -g __DBGCA=0x00001810 -g __DBGCB=0x00001812 -g __DBGF=0x00001814 -g __DBGC=0x00001816 -g __DBGT=0x00001817 -g __DBGS=0x00001818 -g __FCDIV=0x00001820 -g __FOPT=0x00001821 -g __FCNFG=0x00001823 -g __FPROT=0x00001824 -g __FSTAT=0x00001825 -g __FCMD=0x00001826 -g __PTAPE=0x00001840 -g __PTASE=0x00001841 -g __PTADS=0x00001842 -g __PTBPE=0x00001844 -g __PTBSE=0x00001845 -g __PTBDS=0x00001846 -g __PTCPE=0x00001848 -g __PTCSE=0x00001849 -g __PTCDS=0x0000184A -g __PTDPE=0x0000184C -g __PTDSE=0x0000184D -g __PTDDS=0x0000184E -g __PTEPE=0x00001850 -g __PTESE=0x00001851 -g __PTEDS=0x00001852 -g __PTFPE=0x00001854 -g __PTFSE=0x00001855 -g __PTFDS=0x00001856 -g __PTGPE=0x00001858 -g __PTGSE=0x00001859 -g __PTGDS=0x0000185A -g __FIFO0=0x00000081 -g __F0BADDR=0x00000082 -g __F0SIZE=0x00000083 -g __F0CTL=0x00000085 -e
Comment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Thanks Andreas,
I picked up the P&E BDM yesterday, so it should arrive today, i've got almost everyone they've got now, people keep picking chips i don't have the BDM for, i expect with my luck next year Joe will use a renesas processor....
Have a safe TSA free flight.- Null Space LabsComment
-
Re: Welcome to the DEFCON Badge Hacking Contest
Can anyone recommend a VERY beginner kit to learn how to work with these MCUs/boards? This DC was my first time soldering anything, ever(yay got my USB port on) ;) and I'm really interested in learning more, but I don't have a big electronics background so I'd really like to learn from the ground up. I'm planning on taking a basic electronics course through my JC but I also want to be able to learn hands on in the meantime, get my soldering skills up, etc.Comment
Tweet
Comment