Video: https://www.youtube.com/watch?v=awRr_h3DX8c
Code and Manual: https://github.com/seeess/Defcon-Shoot-23-Badge/
Version 2.0: Base version programmed to most boards
Version 2.1: When using an external relay to control other devices, morse code mode had a bug that was fixed
Version 2.2: More accurate timer (hopefully), external relay support for soundmode, threshold setting fix, other non critical bugfixes
Version 2.3: Minor display fix with timer mode when quitting menu
Chip data sheet: http://ww1.microchip.com/downloads/e.../40001729B.pdf
Getting Started
- If the shot counter isn't responding, increase your threshold to 40. There's a multiple count prevention mechanism that requires the mic reading to fall under 1/2 the threshold before a new shot will be counted (see below). If your mic threshold is 20 and there's noise pushing the reading above 10, then a shot will never be counted.
- The other thing to check if the badge isn't responding is that you didn't turn on "quick mute". In shot counter mode pressing start will mute / unmute the mic. This is so slides closing and other noise won't increment the counter.
- To check your code version, hold start while powering the device on.
- To put the badge to sleep and save power without needing to physically remove the batteries, hold both buttons for ~2 seconds. To power back up, hold the start button for ~2 seconds.
- To clear all saved settings (or if something isn't working right), hold both buttons during startup. You should see 3 horizontal lines on each digit, followed by the normal startup.
- If you see one or two "8"s on the display and the badge isn't responding, the batteries are probably dead. Swap them out and you should be good.
Here's a picture of each badge type, yellow display = normal badge, green display = volunteer, red display = black badge (5 total black badges)

How To Get A Badge
If it is after the shoot, I should have a few left. I'm selling them for $25 first come first serve, with the goal of breaking even. The best way to reach me is probably via twitter, I'll also post updates to how many I have left there.
I'm not taking reservations unless you pay via bitcoin ahead of time (or I responded to you directly). Otherwise I'd probably be left with unsold badges that way from people that never pick them up.
Contact Info
twitter @see_ess
Badge Contest
There was a prize of 0.5 bitcoin (~140 dollars) for solving the defcon shoot badge contest. Start with the QR code on the badge.
You will need access to a badge to complete the last step of the contest.
THE BADGE CONTEST HAS BEEN SOLVED BY compukidmike!
https://twitter.com/compukidmike/sta...64116415557633
Here's the write-up of the contest:
The QR code decoded to "pastebinezr9v916". If I added the .com/ in the QR code it increased the rows/columns and made it harder to scan, so you had to modify it to http://pastebin.com/ezr9v916 which gets you to step 2.
Step 2:
Code:
    Try pressing start 20 times in hype mode, it should show "FEDCON" if you have 8's displayed after find me for a bugfix release
    Dodge game cheat code, press start 20 times in a row
    Defcon Shoot Contest Step 2/8:
    Get to the next pastebin link...
    QEFOQBBKTLRIAEXSBYBBKQLLBXPV JCDKWGQV
This was just Caesar cipher text shifted 23 for defcon 23 from the plain text, which I guess is a shift of 3 working from the encrypted text (oops)
Decodes to THIRTEENWOULDHAVEBEENTOOEASY MFGNZJTY
I added the hint that you have to keep finding the next pastebin link, so that gets you to http://pastebin.com/mfgnzjty
Step 3:
Code:
    Defcon Shoot Contest Step 3/8:
    not the key you're looking for, but it might get you to the next step.
    Hint: Get to base 16
    5kJwa9sVb29fRKQLsWCBRVJtfx4GWtRVZizbQsHZ6fouyY4Ltu1ANyfdbi5LkymT3whbAU
I added the hint pretty early on when I noticed people were getting stuck. You'll notice there's a hint for the "key" and bitcoin private keys start with "5", however that key is entirely too long to be an actual bitcoin key. If you convert to base 16 from base 58 you get ascii:
WHENYOUEMAILMEINCLUDEALLANSWERSANDENCRYPTITBHEQGAFM
that gets you to http://pastebin.com/bheqgafm
Step 4:
Code:
    Defcon Shoot Contest Step 4/8:
    I'm no crypto vision-ère like bruce
    MYRKREBW
The hints here are the "vision-ère" which hints toward the Vigenère cipher, and there is a famous cryptographer named Bruce Schneier whose last name is the right length for a pastebin length. Basically you use "schneier" as the key to the encrypted text MYRKREBW and you get to http://pastebin.com/UWKXNWXF
Step 5:
Code:
    Defcon Shoot Contest Step 5/8:
    this is probably not on your credit card
    1100100 1111010 1111001 1101011 1100001 1101101 1110000 1110110
This is 7 bit encoding of track 1 magnetic cards, which gets you to http://pastebin.com/dzYkampV
Step 6:
Code:
    Defcon Shoot Contest Step 6/8:
    ... ..- -.-. -.- ... - .... .- - - .... .. ... .... . -..- -... .. - -.-. --- .. -. .- -.. -.. .-. . ... ... .. ... -- .. ... ... .. -. --. - .... . -.-. .... . -.-. -.- ... ..- --
    0014149679946FD018904D4FA3B171C529CA4C965E
The morse code decodes to "SUCKS THAT THIS BITCOIN ADDRESS IS MISSING THE CHECKSUM"
You take that hex and calculate the bitcoin address, and look at the balance.
https://blockchain.info/address/12qB...gNbQig9VkP63Dx
The transactions decode to seeess at riseup which is an email service.
Step 7:
After I got an encrypted email I responded with "I wonder what my name looks like on the badge"
If you entered "533355" in set digit mode it would print out the bitcoin mini-key (all badges do this, give it a try!)
Step 8:
Figure out this is a bitcoin mini key possibly by the code, and sha256 it to get the actual bitcoin key
done!
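Steps 2 through 6 of the write-up can be reproduced offline from the strings quoted in it. The script below is an added example, not code from the original post or the badge repository; the function names are its own, and the Base58Check step assumes the standard Bitcoin construction (double SHA-256, first 4 bytes appended).

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Strings copied from the contest write-up above.
STEP2 = "QEFOQBBKTLRIAEXSBYBBKQLLBXPV JCDKWGQV"
STEP3 = "5kJwa9sVb29fRKQLsWCBRVJtfx4GWtRVZizbQsHZ6fouyY4Ltu1ANyfdbi5LkymT3whbAU"
STEP4 = "MYRKREBW"
STEP5 = "1100100 1111010 1111001 1101011 1100001 1101101 1110000 1110110"
STEP6 = "0014149679946FD018904D4FA3B171C529CA4C965E"


def caesar(text, shift):
    """Rotate A-Z forward by `shift`; other characters pass through."""
    return "".join(
        chr((ord(c) - 65 + shift) % 26 + 65) if "A" <= c <= "Z" else c
        for c in text
    )


def vigenere_decrypt(cipher, key):
    """Subtract the repeating key from the ciphertext letter by letter."""
    key = key.upper()
    return "".join(
        chr((ord(c) - ord(key[i % len(key)])) % 26 + 65)
        for i, c in enumerate(cipher.upper())
    )


def seven_bit(bits):
    """Each space-separated group is one 7-bit ASCII code."""
    return "".join(chr(int(group, 2)) for group in bits.split())


def b58_decode(text):
    """Base58 -> bytes; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError if ch is not in the alphabet
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")


def b58_encode(data):
    """Bytes -> base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out


def checksum(payload):
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def add_checksum(payload_hex):
    """Step 6: version byte + 20-byte hash (hex) -> Base58Check address."""
    payload = bytes.fromhex(payload_hex)
    return b58_encode(payload + checksum(payload))


def address_is_valid(address):
    """Recompute the checksum over the first 21 bytes and compare."""
    raw = b58_decode(address)
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]


if __name__ == "__main__":
    print(caesar(STEP2, 3))                                # step 2
    print(b58_decode(STEP3).decode("ascii", "replace"))    # step 3
    print(vigenere_decrypt(STEP4, "schneier"))             # step 4
    print(seven_bit(STEP5))                                # step 5
    address = add_checksum(STEP6)                          # step 6
    print(address, address_is_valid(address))
```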
Header Pinout
Connector J3 Pin Num | PIC16F1709TIML Pin Num | Pin Description | Signal Name | Pickit3 Pinout |
Pin 1 | Pin 1 | RA3 | Start Btn | CS/Tx |
Pin 2 | Pin 2 | RC5 | Segment E | |
Pin 3 | Pin 3 | RC4 | Segment D | |
Pin 4 | Pin 4 | RC3 | Segment C | |
Pin 5 | Pin 5 | RC6 | Segment F | |
Pin 6 | Pin 6 | RC7 | Segment G | |
Pin 7 | Pin 7 | RB7 | Digit 4 | |
Pin 8 | Pin 8 | RB6 | Digit 3 | |
Pin 9 | Pin 18 | VDD | VDD_VBAT | +V |
Pin 10 | Pin 17 | VSS | GND | GND |
Pin 11 | Pin 9 | RB5 | Digit 2 | |
Pin 12 | Pin 10 | RB4 | Digit 1 | |
Pin 13 | Pin 11 | RC2 | Segment B | |
Pin 14 | Pin 12 | RC1 | Segment A | |
Pin 15 | Pin 13 | RC0 | Segment DP | |
Pin 16 | Pin 14 | RA2 | Tilt Sensor | |
Pin 17 | Pin 15 | RA1 | Mic | SCL/SCK |
Pin 18 | Pin 16 | RA0 | Select Btn | SDA/SDI |
Pin 19 | Pin 19 | RA5 | Digit 6 | |
Pin 20 | Pin | RA4 | Digit 5 | |
Cost Sheet
The fab acquired the components except for the batt holder, display, batteries, lanyard, sticky tape, etc.

BOM

Morse Code Mode
This is probably one of the more programmatically complex modes, so it deserves some explanation here. There are both built in strings, and a way to manually enter your own string (with moderate annoyance using the 2 buttons)
When you first select Morse Code mode you're prompted with "str 00", pressing start would select the 0'th built in morse code string. Pressing select increments the string selection up to number 22. The 23 built in strings are:
0: defcon23
1: SOS
2: hack everything
3: break shit
4: nothing is impossible
5: fuck the NSA
6: I dont play well with others
7: what are you doing dave
8: youre either a one or a zero alive or dead
9: danger zone
10: bros before apparent threats to national security
11: im spooning a Barrett 50 cal I could kill a building
12: there is no spoon
13: never send a human to do a machines job
14: guns lots of guns
15: its not that im lazy its just that i dont care
16: PC load letter
17: shall we play a game
18: im getting too old for this
19: censorship reveals fear
20: the right of the people to keep and bear Arms shall not be infringed
21: all men having power ought to be mistrusted
22: when governments fear the people there is liberty
If you press select after "str 22" you'll be prompted with "CUST". Pressing start here lets you enter a custom string
The initial custom string prompt is "P00.C00"
The number after "P" is the character position in the custom string (the index basically), and the number after the "C" is the character to enter at this position. Pressing select will increment the number for the current character 0-35. This number equates to a-z, then 0-9. As an example if you want to enter the string defcon23 you would enter 3,4,5,2,14,13,28,29 (though that is a built in string).
Now press select one past the character's number 35, and you'll see the prompt "done". Pressing start here ends the string and starts the morse code blink back.
If you want to generate the character numbers needed for different strings, see the github page for the asciitomorse.pl script.
ADC Reading to Decibel Conversion
My friend did a little testing at the range with a few different calibers and suppressed/unsuppressed. The badge was around his neck during this testing, while his dB meter was 1m away from the side of the muzzle.
There aren't a massive number of samples, and this was just with one badge, but hopefully it gives you a ballpark of how you can estimate dB level to ADC mic reading

Temperature Indicator
Microchip's sheet on it: http://ww1.microchip.com/downloads/e...tes/01333A.pdf (this has an error in the formula, but eq 5 is correct)
This is the biggest pain in my ass. It is actually a "temp indicator" meaning you should really only use it for over-temp / under-temp type detection. To get a semi-accurate reading you have to calibrate each badge at two different temperatures which just isn't going to happen in the short amount of time I have left.
It isn't that important of a feature anyway. It was just a "free" chip feature I was trying to take advantage of, it isn't like I spent money on an external temp sensor that isn't working right.
Core Problems:
1. ADC reading varies on supply voltage. Since this is powered directly from the batteries, as they drain and their voltage drops so does the ADC reading. I attempt to read the battery voltage first to account for this but that reading can be off by a little bit, which increases the temp calculation's inaccuracy.
2. The accuracy of the temp sensor is poor to begin with. For one badge I tested I have 33 steps between 0c and 40c meaning if my ADC temp reading can be off by +/-1, and my battery reading can be off by +/-1 I have a total inaccuracy of +/-2 which is a range of ~6 degrees C
3. Each badge requires calibration since each will output a slightly different reading, this wouldn't be that big of a problem except the slope is off between badges too, especially over voltage supply changes. So you really need to use a two point calibration method which is beyond the scope of how much I care about getting this to be perfectly accurate.
So... When you enter temp mode it first reads the batt voltage (once) and uses that for the calculation of the temperature. There is a single point offset that you can adjust by pressing start (see the manual). But there is not a slope adjustment, so as your battery voltage changes you will almost certainly have to re-adjust the temperature offset.
Here's a graph of the ADC readings over temperature and voltage for one badge that I threw in an environmental chamber (remember each badge's offset and slope is slightly different)

External Relay Control
One secondary goal I had was to make the badge somewhat useful after the con. You can pretty easily hook up an external relay to control external lights or whatever else you want.
Wiring: The badge's display anodes are hooked to each digit, one digit is turned on at a time. Then on the cathode side the segments that need to be lit up are "sunk" / grounded back to the chip. This means that when the decimal points are lit, pin 15 is set to low (as an example). And when the decimal points are not lit, pin 15 is set high. This is likely the opposite of what you want to drive a relay which I accounted for in some of the modes.
I used a PVN012PbF (pdf) photovoltaic relay, hooked up using diagram "A" in the spec sheet. Here's a few ideas of what you can do:
1. To use the badge as a clapper, hook pin 15 on the badge header (decimal point) to a 1k resistor, and then to pin 1 of the relay. Pin 2 of the relay is hooked to pin 10 (ground) on the badge. Pin 6 on the relay is connected to your power source for your external device (12v+ to drive a LED strip in my example), and pin 4 of the relay is connected to the positive side of the led lights I want to light up. The LED strip ground is connected directly to ground on the 12v power supply.
Now when the badge is in clapper mode you'll notice when it displays "off" all the decimal points are lit, making pin 15 low and not tripping the relay. But once you clap and the badge displays "on" the decimal points are not lit, setting pin 15 high, and tripping the relay which turns on the lights in my example.
2. You can do a similar thing with morse code mode, if you want to control your xmas lights or something. Note you'll need code version 2.1 or higher for this (most badges were programmed with 2.0, so find me at the con if you care about doing this).
When you enter morse code mode the "A" and "D" segments (top and bottom) will blink back as you expect. But as I explained above this is the opposite logic that we want to control an external relay (off is on, on is off etc). To flip this logic in morse code mode set "tilt" which will also light the "G" segment (middle) and invert the logic for external relay operation.
You can now hook up the relay the same way as we did above, except you need to control the relay from segments "A", "D", or "G" and not the decimal point (use pin 6 on the badge instead of pin 15 to connect to pin 1 on the relay, through a 1k resistor).
3. You can have a generic sound trip the relay using the "sound" mode. You will again want to set the "tilt" setting which will invert the logic (all segments are on, and segments are turned off based on noise level), along with forcing every digit to light up the same way. You probably want to play with the speed setting in this mode to have the desired effect.
Shot Detection
Here's how the shot detection logic and thresholds ended up working, so you can better understand how the setting affects various modes
(1ms per horizontal line, 500mv per vertical line)

The mic is sampled around 23k times a second (max the chip can pull off), the maximum and minimum loudness levels are analyzed every 6 ms or so. The difference between the maximum and minimum is calculated and compared with the threshold. If that difference value is higher than the threshold setting (yellow dashed lines) a shot is counted.
At this point there are a few methods to prevent one shot from being counted multiple times.
First, there is a brief shotlockout period of time after a shot is detected. No shot will be counted during this shotlockout time no matter what.
Second, the difference between the maximum and minimum must drop below 1/2 of the threshold (for a 6ms period) before a new shot can be counted (green dashed lines). This prevents a constantly loud noise from continuously incrementing the counter.
If a badge is powered from an AC/DC supply that seems to cause more noisy readings. And if the threshold is set too low, the noise could constantly break 1/2 of the threshold value, preventing any shots from ever being counted. The fix is to just bump the threshold up one or two values, you can diagnose this issue with the "audio" mode.
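The counting rules above (threshold, lockout, re-arm at half the threshold) can be simulated on a desktop to see why a noisy supply stops the counter at threshold 20 but not at 40. This is an added example, not the badge firmware; the two-window lockout, the ADC midpoint of 512, the counter starting unarmed, and every sample value are assumptions made for the illustration.

```python
def count_shots(windows, threshold, lockout_windows=2):
    """Count shots from per-window (max, min) mic readings.

    windows: one (max, min) tuple per ~6 ms analysis window.
    lockout_windows: assumed length of the post-shot lockout; the page
    only says the lockout is "brief".
    """
    shots = 0
    lockout = 0
    armed = False  # assumed: a quiet window must be seen before the first shot
    for hi, lo in windows:
        diff = hi - lo
        # Re-arm only once the peak-to-peak value falls under half the threshold.
        if diff < threshold / 2:
            armed = True
        # Nothing is counted while the lockout is running, no matter what.
        if lockout:
            lockout -= 1
            continue
        if armed and diff > threshold:
            shots += 1
            armed = False
            lockout = lockout_windows
    return shots


def naive_count(windows, threshold):
    """For comparison: count every window whose peak-to-peak beats the threshold."""
    return sum(1 for hi, lo in windows if hi - lo > threshold)


def trace(noise_pp):
    """Constructed data: background noise, then two shots with decaying ringing.

    Values are peak-to-peak ADC counts per window, centred on an assumed
    midpoint of 512.
    """
    ring = [200, 120, 60, 30, 15]
    pp = [noise_pp] * 3 + ring + [noise_pp] * 4 + ring + [noise_pp] * 3
    return [(512 + v // 2, 512 - v // 2) for v in pp]


if __name__ == "__main__":
    quiet = trace(4)    # battery powered, little noise
    noisy = trace(12)   # noisy supply: background sits above 10
    print("naive, quiet, threshold 20:", naive_count(quiet, 20))
    print("badge logic, quiet, threshold 20:", count_shots(quiet, 20))
    print("badge logic, noisy, threshold 20:", count_shots(noisy, 20))
    print("badge logic, noisy, threshold 40:", count_shots(noisy, 40))
```

With the constructed trace, the ringing after each shot would be counted four times by the naive counter, while the noisy trace never drops below 10 and so never re-arms at threshold 20.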