No announcement yet.

Defcon 23 Shoot Electronic Badge

  • Filter
  • Time
  • Show
Clear All
new posts

  • Defcon 23 Shoot Electronic Badge

    Code and Manual:
    Version 2.0: Base version programmed to most boards
    Version 2.1: When using an external relay to control other devices, morse code mode had a bug that was fixed
    Version 2.2: More accurate timer (hopefully), external relay support for soundmode, threshold setting fix, other non critical bugfixes
    Version 2.3: Minor display fix with timer mode when quitting menu

    Chip data sheet:

    Getting Started
    • If the shot counter isn't responding, increase your threshold to 40, there's a multiple count prevention mechanism that requires the mic reading to fall under 1/2 the threshold before a new shot will be counted (see below). If your mic threshold is 20 and there's noise pushing the reading above 10, then a shot will never be counted
    • The other thing to check if the badge isnt responding, is that you didn't turn on "quick mute". In shot counter mode pressing start will mute / unmute the mic. This is so slides closing and other noise won't increment the counter.
    • To check your code version hold start while powering the device on
    • To put the badge to sleep and save power without needing to physically remove the batteries, hold both buttons for ~2 seconds, to power back up hold the start button for ~2 seconds
    • To clear all saved settings (or if something isn't working right), hold both buttons during startup. You should see 3 horizontal lines on each digit, followed by the normal startup
    • If you see one or two "8"s on the display and the badge isn't responding, the batteries are probably dead. Swap them out and you should be good.

    Here's a picture of each badge type, yellow display = normal badge, green display = volunteer, red display = black badge (5 total black badges)

    How To Get A Badge
    If it is after the shoot, I should have a few left. I'm selling them for $25 first come first serve, with the goal of breaking even. The best way to reach me is probably via twitter, I'll also post updates to how many I have left there.
    I'm not taking reservations unless you pay via bitcoin ahead of time (or I responded to you directly). Otherwise I'd probably be left with unsold badges that way from people that never pick them up.

    Contact Info
    twitter @see_ess

    Badge Contest
    There was a prize of 0.5 bitcoin (~140 dollars) for solving the defcon shoot badge contest. Start with the QR code on the badge.
    You will need access to a badge to complete the last step of the contest.


    Here's the write-up of the contest:
    The QR code decoded to "pastebinezr9v916" if I added the .com/ in the QR code it increased the rows/columns and made it harder to scan, so you had to modify it to which gets you to step 2

    Step 2:
     Try pressing start 20 times in hype mode, it should show "FEDCON" if you have 8's displayed after find me for a bugfix release
      Dodge game cheat code, press start 20 times in a row
      Defcon Shoot Contest Step 2/8:
      Get to the next pastebin link...
    This was just ceaser cipher text shifted 23 for defcon 23 from the plain text, which I guess is a shift of 3 working from the encrypted text (oops)
    I added the hint that you have to keep finding the next pastebin link, so that gets you to

    Step 3:
    Defcon Shoot Contest Step 3/8:
    not the key you're looking for, but it might get you to the next step.
    Hint: Get to base 16
    I added the hint pretty early on when I noticed people were getting stuck, You'll notice there's a hint for the "key" and bitcoin private keys start with "5", however that key is entirely too long to be an actual bitcoin key. If you convert to base 16 from base 58 you get ascii:
    that gets you to

    step 4:
    Defcon Shoot Contest Step 4/8:
    I'm no crypto vision-ère like bruce
    The hints here are the "vision-ere which hints toward the Vigenère cipher, and there is a famous cryptographer named bruce schneier whose last name is the right length for a pastebin length. Basically you use "schneier" as the key to the encrypted text MYRKREBW and you get to

    Step 5:
    Defcon Shoot Contest Step 5/8:
    this is probably not on your credit card
    1100100 1111010 1111001 1101011 1100001 1101101 1110000 1110110
    This is 7 bit encoding of track 1 magnetic cards, which gets you to

    Step 6:
    Defcon Shoot Contest Step 6/8:
    ... ..- -.-. -.- ...   - .... .- -   - .... .. ...   .... . -..-   -... .. - -.-. --- .. -.   .- -.. -.. .-. . ... ...   .. ...   -- .. ... ... .. -. --.   - .... .   -.-. .... . -.-. -.- ... ..- --
    You take that hex and caclulate the bitcoin address, and look it the balance.
    The transactions decode to seeess at riseup which is an email service.

    Step 7:
    After I get an encrypted email I responded with "I wonder what my name looks like on the badge"
    If you entered "533355" in set digit mode it would print out the bitcoin mini-key (all badges do this, give it a try!)

    Step 8:
    Figure out this is a bitcoin mini key possibly by the code, and sha256 it to get the actual bitcoin key

    Header Pinout
    Connector J3 Pin Num PIC16F1709TIML Pin Num Pin Description Signal Name Pickit3 Pinout
    Pin 1 Pin 1 RA3 Start Btn CS/Tx
    Pin 2 Pin 2 RC5 Segment E
    Pin 3 Pin 3 RC4 Segment D
    Pin 4 Pin 4 RC3 Segment C
    Pin 5 Pin 5 RC6 Segment F
    Pin 6 Pin 6 RC7 Segment G
    Pin 7 Pin 7 RB7 Digit 4
    Pin 8 Pin 8 RB6 Digit 3
    Pin 9 Pin 18 VDD VDD_VBAT +V
    Pin 10 Pin 17 VSS GND GND
    Pin 11 Pin 9 RB5 Digit 2
    Pin 12 Pin 10 RB4 Digit 1
    Pin 13 Pin 11 RC2 Segment B
    Pin 14 Pin 12 RC1 Segment A
    Pin 15 Pin 13 RC0 Segmnt DP
    Pin 16 Pin 14 RA2 Tilt Sensor
    Pin 17 Pin 15 RA1 Mic SCL/SCK
    Pin 18 Pin 16 RA0 Select Btn SDA/SDI
    Pin 19 Pin 19 RA5 Digit 6
    Pin 20 Pin RA4 Digit 5

    Cost Sheet
    The fab acquired the components except for the batt holder, display, batteries, lanyard, sticky tape, etc.


    Morse Code Mode
    This is probably one of the more programmatically complex modes, so it deserves some explanation here. There are both built in strings, and a way to manually enter your own string (with moderate annoyance using the 2 buttons)
    When you first select Morse Code mode you're prompted with "str 00", pressing start would select the 0'th built in morse code string. Pressing select increments the the string selection up to number 22. The 23 built in strings are:
    0: defcon23
    1: SOS
    2: hack everything
    3: break shit
    4: nothing is impossible
    5: fuck the NSA
    6: I dont play well with others
    7: what are you doing dave
    8: youre either a one or a zero alive or dead
    9: danger zone
    10: bros before apparent threats to national security
    11: im spooning a Barrett 50 cal I could kill a building
    12: there is no spoon
    13: never send a human to do a machines job
    14: guns lots of guns
    15: its not that im lazy its just that i dont care
    16: PC load letter
    17: shall we play a game
    18: im getting too old for this
    19: censorship reveals fear
    20: the right of the people to keep and bear Arms shall not be infringed
    21: all men having power ought to be mistrusted
    22: when governments fear the people there is liberty
    If you press select after "str 22" you'll be prompted with "CUST". Pressing start here lets you enter a custom string
    The initial custom string prompt is "P00.C00"
    The number after "P" is the character position in the custom string (the index basically), and the number after the "C" is the character to enter at this position. Pressing select will increment the number for the current character 0-35. This number equates to a-z, then 0-9. As an example if you wan to enter the string defcon23 you would enter 3,4,5,2,14,13,28,29 (though that is a built in string).
    Now press select one past the character's number 35, and you'll see the prompt "done". Pressing start here ends the string and starts the morse code blink back.
    If you want to generate the character numbers needed for different strings, see the github page for the script.

    ADC Reading to Decibel Conversion
    My friend did a little testing at the range with a few different calibers and suppressed/unsuppressed. The badge was around his neck during this testing, while his dB meter was 1m away from the side of the muzzle.
    There aren't a massive number of samples, and this was just with one badge, but hopefully it gives you a ballpark of how you can estimate dB level to ADC mic reading

    Temperature Indicator
    Microchip's sheet on it: (this has an error in the forumla, but eq 5 is correct)
    This the biggest pain in my ass. It is actually a "temp indicator" meaning you should really only use it for over-temp / under-temp type detection. To get a semi-accurate reading you have to calibrate each badge at two different temperatures which just isn't going to happen in the short amount of time I have left.
    It isn't that important of a feature anyway. It was just a "free" chip feature I was trying to take advantage of, it isn't like I spent money on an external temp sensor that isn't working right.
    Core Problems:
    1. ADC reading varies on supply voltage, since this is powered directly from the batteries as they drain and their voltage drops so does the ADC reading. I attempt to read the battery voltage first to account for this but that reading can be off by a little bit, which increases the temp calculations inaccuracy.
    2. The accuracy of the temp sensor is poor to begin with. For one badge I tested I have 33 steps between 0c and 40c meaning if my ADC temp reading can be off by +/-1, and my battery reading can be off by +/-1 I have a total inaccuracy of +/-2 which is a range of ~6 degrees C
    3. Each badge requires calibration since each will output a slightly different reading, this wouldn't be that big of a problem except the slope is off between badges too, especially over voltage supply changes. So you really need to use a two point calibration method which is beyond the scope of how much I care about getting this to be perfectly accurate.

    So... When you enter temp mode it first reads the batt voltage (once) and uses that as for the calculation of the temperature. There is a single point offset that you can adjust by pressing start (see the manual). But there is not a slope adjustment, so as your battery voltage changes you will almost certainly have to re-adjust the temperature offset.

    Here's a graph of the ADC readings over temperature and voltage for one badge that I threw in an environmental chamber (remember each badge's offset and slope is slightly different)

    External Relay Control
    One secondary goal I had was to make the badge somewhat useful after the con. You can pretty easily hook up an external relay to control external lights or whatever else you want.
    Wiring: The badge's display anodes are hooked to each digit, one digit is turned on at a time. Then on the cathode side the segments that need to be lit up are "sunk" / grounded back to the chip. This means that when the decimal points are lit, pin 15 is set to low (as an example). And when the decimal points are not lit, pin 15 is set high. This is likely the opposite of what you want to drive a relay which I accounted for in some of the modes.
    I used a PVN012PbF (pdf) photovoltaic relay, hooked up using diagram "A" in the spec sheet. Here's a few ideas of what you can do:

    1. To use the badge as a clapper, hook pin 15 on the badge header (decimal point) to a 1k resistor, and then to pin 1 of the relay. Pin 2 of the relay is hooked to pin 10 (ground) on the badge. Pin 6 on the relay is connected to your power source for your external device (12v+ to drive a LED strip in my example), and pin 4 of the relay is connected to the positive side of the led lights I want to light up. The LED strip ground is connected directly to ground on the 12v power supply.
    Now when the badge is in clapper mode you'll notice when it displays "off" all the decimal points are lit, making pin 15 low and not tripping the relay. But once you clap and the badge displays "on" the decimal points are not lit, setting pin 15 high, and tripping the relay which turns on the lights in my example.

    2. You can do a similar thing with morse code mode, if you want to control your xmas lights or something. Note you'll need code version 2.1 or higher for this (most badges were programmed with 2.0, so find me at the con if you care about doing this).
    When you enter morse code mode the "A" and "D" segments (top and bottom) will blink back as you expect. But as I explained above this is the opposite logic that we want to control an external relay (off is on, on is off etc). To flip this logic in morse code mode set "tilt" which will also light the "G" segment (middle) and invert the logic for external relay operation.
    You can now hook up the relay the same way as we did above, except you need to control the relay from segments "A", "D", or "G" and not the decimal point. (use pin 6 on the badge instead of pin 15 to connect to pin 1 on the relay (through a 1k resistor).

    3. You can have a generic sound trip the relay using the "sound" mode. You will again want to set the "tilt" setting which will invert the logic (all segments are on, and segments are turned off based on noise level), along with forcing every digit to light up the same way. You probably want to play with the speed setting in this mode to have the desired effect.

    Shot Detection

    Here's how the shot detection logic and thresholds ended up working, so you can better understand how the setting affects various modes
    (1ms per horizontal line, 500mv per vertical line)

    The mic is sampled around 23k times a second (max the chip can pull off), the maximum and minimum loudness levels are analyzed every 6 ms or so. The difference between the maximum and minimum are calculated and compared with the threshold. If that difference value is higher than the threshold setting (yellow dashed lines) a shot is counted.

    At this point there are a few methods to prevent one shot from being counted multiple times.
    First, there is a brief shotlockout period of time after a shot is detected. No shot will be counted during this shotlockout time no matter what.
    Second, the difference between the maximum and minimum must drop below 1/2 of the threshold (for a 6ms period) before a new shot can be counted (green dashed lines). This prevents a constantly loud noise from continuously incrementing the counter.
    If a badge is powered from a ac/dc supply that seems to cause more noisy readings. And if the threshold is set too low, the noise could constantly break 1/2 of the threshold value, preventing any shots from ever being counted. The fix is to just bump the threshold up one or two values, you can diagnose this issue with the "audio" mode.
    Last edited by seeess; August 11, 2015, 09:19.

  • #2

    (small updates, 5-19. Does this markup not support strikethrough?)
    I decided to play with microcontrollers for the first time (so be gentile), and put together a simple circuit that I'm proposing could be the badge for the 23rd defcon shoot.
    These badges will not be required for the shoot, nor will you get one automatically by signing up. This will be an independent effort, yet supported because they'll be sweet (if everything works out).
    I couldn't find a sponsor to front the entire cost of everything, so you'll have to purchase these. We did get a small sponsor (gigs) which is awesome, and should cut everyone's cost by a few dollars.

    Video Here
    Second Video Here

    Anyway here are the basics:
    Battery powered badge running a pic16f1709 8-bit micro, with a 6 digit 7 segment display that in the normal operating mode acts as a shot counter. There is a microphone, tilt sensor, and two buttons as input, with the rest of the 20 pin chip going to display output (6 digits + 8 segments + power/ground).

    Additional modes include count up, count down, and random modes (all with speed adjustment). "Hype" mode that shows "defcon" then "shoot" (in case too many people ask you want the badge is for), and an audio mode that is more for debugging (it shows the peak to peak microphone ADC value over a time window). There are 6 decimal points after each digit, which I use as a crude decibel/VU meter in some modes. There's two games, a morse code mode, and a temp/batt sensor mode

    I tried to keep this simple, mainly because I have no skills in this area and everything was extremely new to me. This has the side benefit of keeping the cost down.
    Here's the BOM from digikey @ 100 unit pricing (throughhole, will be different for SMD)
    6 digit display from alibaba 0.598
    pic16f1709 1.29
    button x2 0.1638
    mic 0.828
    0.1uf cap x2 0.172
    2.2k resistor x6 0.072
    4.7k resistor 0.02190
    100k resistor x2 .0438
    22ohm resistor 1/2w x8 0.1184 (1000x price x10)
    PNP transistor x6 0.32616
    battery holder 3AA 1.045
    alkaline batts x3 1.24794
    diode 0.28160
    tilt sensor 0.7744
    boards ???
    Lanyards with 2 clips ???
    Total = 6.983 (+shipping +lanyard +board +solder +sticky tape for batt pack +maybe 3 extra batts). It is looking like just over $20, but with the sponsorship from gigs I hope to sell these at $20/each. The shipping for the displays, lanyards, and 8x batts+shipping bumped things up slightly, along with population/NRE of making the boards being way higher than I expected.

    These prices should drop a little if we go to surface mount. I already bought 20x 6 digit displays in yellow, and blew one up. If we wanted different color badges for RSO's/organizers we could use those 19 for them and order another color for shooters.
    The Shipping from china was ~20 bucks, I'll eat the cost of what I've done up to this point (parts + programmer + chip dock).

    I'm using the pic16f1709, though i'm currently only using 33% of the 8k flash code space, and almost none of the 1k sram. Since the original post I added a ton of features, and ate up the entire programming space (I finished the last bit off with pre-programmed morse code strings)

    The settings and shot counter are stored in flash, the low byte of the last few addresses are high endurance flash, claiming 100k writes so I didn't do any write distribution across addresses or buffer x shots before writing, more on this below.
    There's a flash reset (just the configuration/setting space of flash) in case something goes wrong, so you don't have to find me and reprogram it.

    Future Todo's:
    1. Add a battery level measurement (using the fixed voltage ref feature) Done
    2. I could add a temp reading mode, though you're supposed to calibrate each chip at two temps. Done but it sucks (see later comment)
    3. write to multiple banks to increase flash lifetime. Though there is very limited high endurance flash so the max I could achieve is 4x what I have now (400k vs 100k). Fuck it
    4. deal with flash write errors
    5. I haven't taken this to the range yet, so mic thresholds and count frequency need to be tweaked for live fire I tried it out on a pistol to make sure I wouldn't blow out the mic, it survived. I still have to go with a friend to estimate the loudness of the ADC readings
    6. I need to hook this up to an oscilliscope and balance out each digit on time, since I calculate different things during different digits. Done
    7. I could possibly add a clock/shot timer mode, calculate time to first shot, splits etc.

    If you have a pickit3 programmer and a chip with 8k flash or more and 20 pins you can probably get this running. If not the chips are under $2 each. Let me know if you want the code.

    So I guess the question is: Would you pay for this? We're doing this, or at least attempting. Hopefully I don't get screwed by customs or something.
    I'm fronting ~$4,500, and not taking any money until I hand you a working product. Gigs even offered money up front for sponsorship, but I wouldn't feel right taking it since this could crash and burn.

    I'll end up losing money when you consider the programmer, badges that didn't end up working, etc. I'm sure people will still think I'm somehow getting rich off this, oh well.
    Last edited by seeess; July 28, 2015, 10:30.


    • #3
      Re: Defcon Shoot 23 Badge Proposal

      Originally posted by seeess View Post
      (reserved in case there's a text limit and i need to add more info later)
      I think the default for forums is to allow normal users to edit new posts for up to 24 hours after they are created. (Exceptions: /dev/null and "Fucktard Hall" which deny any edits to anyone except mods.) After that, the "edit" option is removed.

      Forum "Leaders/Organizers" are supposed to have access to edit content in forums for which they are leaders/organizers, until the forums are "closed" when a year's content is archived.

      Hope this helps!


      • #4
        Re: Defcon Shoot 23 Badge Proposal

        Looks cool, and I like the idea of a badge slightly more tangible than the paper ones. One thought is we generally pin shooter badges onto the back of a shirt so they can be seen from behind while the registrant is shooting.

        I have no idea about sponsorship, but I'm up for sending you money upfront to help defray the costs.


        • #5
          Re: Defcon Shoot 23 Badge Proposal

          ok, that shit is totally baller and I'd support that.

          last year we had a very tasteful sponsor... maybe this year we'll have one for the badge? a small name on the board is a nice compensation, I'd bet.
          "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
          - Trent Reznor


          • #6
            Re: Defcon Shoot 23 Badge Proposal

            Originally posted by Deviant Ollam View Post
            last year we had a very tasteful sponsor... maybe this year we'll have one for the badge? a small name on the board is a nice compensation, I'd bet.
            (question spam)
            Nice, is the sponsor from last year on board this year? I guessing someone that worked with them last year should contact them to see if they are interested in a badge sponsorship.

            Do you need a total price for the badges? That depends on how many we make obviously, but $15/badge should be enough. Can you share how many people registered last year / the year before?

            I can lay out a board and get a quote from a few companies for a finished product, if we're ready for that. Or if someone is a pro at reflowing let me know.

            Just let me know what would be the next helpful step to take.
            I don't want it to suddenly be 6-8 weeks away and rushed for time getting parts and boards shipped in and put together.


            • #7
              Re: Defcon Shoot 23 Badge Proposal

              i can share some figures and whatnot with you. email me a reminder? i'll get on it after the holidays.
              "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
              - Trent Reznor


              • #8
                +1 for the badge. I like what you've done so far. As with Modafinil, I would toss some money your way to help with development.


                • #9
                  seeess, offer is still open to send money if it will help. PM me if you're still moving forward with the badges and want/need help.


                  • #10
                    I'm still playing with it, I wouldn't want to take money before submitting an order though. Thanks for the offer. If I get to that point I'll let you know.
                    Here's the status:

                    Software: basically done, I added a few games to make it useful outside of the shoot. Still taking feature requests, though I don't have any time right now, I hope to before the shoot. I played with it with an XDs-9 inches from the mic to make sure it wouldn't get damaged, and to get a mic reading. It worked well, the only issue was a shot recorded ~740 and a slide closing came in at ~620. I'll probably allow raw adjustment of the mic threshold. I could probably do something fancy in the time domain to detect a slide vs a shot. But right now i'm just doing max volume on a mic crossing a threshold to record a shot. I'll probably just add a mute button in and call it a day.

                    Hardware: this is the main problem, I've never had a board made before. I can fumble through layout if i had to. But I'd like to find someone to help with layout / manufacturer rather than having me attempt it and discover a problem. This will also be the biggest cost driver, contracting the board layout and assembly could cause the board to cost more than people are willing to pay.

                    Before doing anything board related I want to attempt to find sponsors. I don't want a board made then find a sponsor that will only help if their name is on the board etc. I tweeted and msg'd ello for the hell of it, deviant had some ideas and was going to ask on twitter since he has more visibility.

                    So if you know of any sponsors, send them here or to the video. If we can't find any I'll probably make it anyway, but probably not as many.


                    • #11
                      Originally posted by seeess View Post
                      Before doing anything board related I want to attempt to find sponsors. I don't want a board made then find a sponsor that will only help if their name is on the board etc. I tweeted and msg'd ello for the hell of it, deviant had some ideas and was going to ask on twitter since he has more visibility.
                      I'm below even novice level, but for one project I used to get some boards made. Not an endorsement, (although things worked great), more of a resource.

                      Originally posted by seeess View Post
                      So if you know of any sponsors, send them here or to the video. If we can't find any I'll probably make it anyway, but probably not as many.
                      I'll sponsor a portion, but based on the math, it looks like it would end up being about $15 per badge and probably ~100 badges, so I don't know how much my portion would offset things.


                      • #12
                        Originally posted by Modafinil View Post

                        I'm below even novice level, but for one project I used to get some boards made. Not an endorsement, (although things worked great), more of a resource.
                        Looks like they don't offer SMD stencils or population. I'd prefer to go to a one-stop shop for boards and population so I'm not reflowing, but thanks for the suggestion


                        • #13
                          Seeess, great work. Please put me down for 4.



                          • #14
                            Originally posted by L0g1c10101 View Post
                            Seeess, great work. Please put me down for 4.

                            I'll take five.


                            • #15
                              I wanted to add more features to make it useful outside of the shoot (for when you're sitting in a boring talk or even after defcon), so I added some more features.

                              Second video here

                              There's other changes, mic thresholds are set in steps of 40 to give more control, you can press and hold to change certain values quicker, and probably other things I forgot about. No hardware changes just more code. Debugging the morse code mode was a pain in the ass not knowing morse code. But I plan on hooking that up to my xmas tree lights or something.
                              For the temp sensor, I did try reading the voltage first and using that in the formula so the temp wouldn't drop as the batt voltage drops, It didn't work for me. Maybe I'll look into it again before defcon.

                              I found a few friends that do schematics, and they know someone they hope to talk into doing a layout. Still moving forward slowly. I give the chance of success around 60-70%, if you can help with board design/manufacture let me know.

                              I've failed finding any sponsors which kinda sucks, but at this point I have to start working on getting the board made so I'm not rushing last minute. If you know of any sponsors that might be interested PM me.

                              Also I'll include a badge contest with the prize being around half a bitcoin (so the first people to get to the public key can claim it)