DEF CON 26 Badge, Curated Content


    I am going to try to collect information about the DEF CON 26 badge, published online, and paste content found online here, with citations for source of information. Almost none of this content is my own. See original data in context by following URL from which data was duplicated.

    Comment: I have completed the re-flashing of a badge to the latest firmware (version 2) using Ubuntu and using Windows, and can confirm that process works.
    In one case, the upgrade claimed success, but it did not. Re-flashing it again worked.
    After flashing, choose "disconnect" in the software, then disconnect the badge, then disconnect power to the badge, then reconnect power to the badge (reboot.)

    Content hosted on the DEF CON Media server for this badge: PDF, docs, firmware, more:
    URL0 =

    URL1 =

    Originally posted by URL1, Part1
    wireng · tymkrs - DC26 Badge · 14 points
    There is still 1 bug we missed and will get worked on by the ninja soon as the tymkrs get there. There was a V1 release at DC that fixed the badge bus alignment bug "V1". I think that got posted to the reddit badge hacking thread but have not found it yet.

    As for reprogramming you need a programmer: (The Pickit 4 is newer and faster than the 3 on these parts)
    Originally posted by DEF CON 26 badge firmware update.pdf
    [Image]Shows number assignment of pins on badge, where "1" is towards the top of the badge (away from the batteries) while "5" is nearest to the bottom of the badge.
    [Image]ScreenShot of using MPLAB X IPE to flash firmware on a badge
    [Image]Screenshot of having used MPLAB X IPE to complete flash firmware update to badge
    Updating the Badge Firmware:
    You can use any method to program the PIC32MM0256GPM048 that supports it. This example uses Microchip’s tools as that is what we have. The PICkit 3 Programmer will program the chip in ~32 seconds and the PICkit 4 will program them in ~8s each. Both are available on Digikey, or Microchip’s website.

    1. Plug in the USB port to supply 5V power to the badge. Plug the PICKit 3/4 to USB as well.

    2. Attach the PICkit 3/4 to the pads shown (fig 1). I use a spring probe adapter to make the connection.

    3. Start the MPLAB X IPE (comes with the MPLAB X IDE).

    4. Configure IPE as shown (figs 2, 3). As long as your PICKit is plugged in, the Tool field will automatically populate. Be sure to choose the correct hex file!

    5. Click program and wait for all operations to complete (8 to 35 seconds). You may need to click “Connect” first before clicking “Program” depending on what state IPE comes up in.

    6. Verify the program was successful (see output below); make sure there are no error or failure messages.

    Please feel free to reach out to @wireengineer/@whixr for any questions on reflashing the firmware

    MPLAB PICKit4: Plusses/Minuses
    * claimed speed to update badge with PICKit4: ~8 seconds, around 4 times faster than PICKit3
    * PTG Discussion: As of July 2019, and MPLAB X IDE 5.20: you can't push an image and config to use the "PTG" "Programmer To Go" function the maker (Microchip) claims this unit supports. (This feature as described would allow you to connect to an MPLAB PICKit4 with MPLAB X IDE (some future version) and write out an image/config to a SanDisk on the programmer. Then, you could take the programmer without a laptop/computer, and attach it to a device to be programmed, and then press a button on the programmer, watch for different colored lights to inform you when it was idle, starting, in errored state, or completed with success.)
    * Testing with MPLAB X IDE 5.20 and PICKit4, I was unable to flash the badge at "Normal" speed.
    * claimed speed to update badge firmware with PICKit3: ~32 seconds, around 4 times slower than PICKit4
    * Some users claim that the "PTG" feature (see description in PICKit4 Pluses/Minuses above) in the PICKit3 is working, but I don't see report of it working with the hardware used on the DC 26 badge.

    MPLAB X software: (free, near the bottom of the page click on the downloads tab)

    Once that is installed the easiest way to program the PIC32MM is to use the "IPE" utility.

    Connect the pickit pins 1 - 5 (pin 6+ is not used) to the pads between the lower battery holder pins. Pin 1 is near the top of the badge and pin 5 is near the bottom.

    Once that is done start IPE and pick "PIC32MM0256GPM048" under Device, Your pickit under tool, and the firmware hex file under Hex File then click connect. Once connected click program to program the badge. If all goes well you get a "programming complete" at the end.
    Revised process from my testing:
    * Connect your badge to power: most reliable power from my testing was use of a good USB cable to a reliable USB power hub or computer USB port. Maybe try your luck with fresh batteries? You don't want to have low power when flashing firmware.
    * If you have properly attached pins 1-5 to your badge and have the PICKit4 attached to a USB port, and then start the "MPLAB X IPE" then it should auto-detect the "Device" and "Tool" and fill those out for you. If no, then you can specify manually:
    # Family: 32-bit MCUs (PIC32) (to limit choices for "Device:")
    # Device: PIC32MM0256GPM048
    # Tool: (Choose either the PICKit3 or PICKit4, whichever you are using.)
    * Hex File (browse to "DEF CON 26 badge by Tymkrs-V2.hex")
    * Change speed from "Normal" to "Slow":
    # "Setting" menu drop/down, top
    # Choose "Advanced Mode"
    # Complete password prompt (default password is "microchip")
    # Left-side, locate rectangle "Settings" and choose
    # Right-side, top "Special Settings" : scroll and look to the far right and find "Program Speed"
    # Change "Program Speed" from "Normal" to "Low" (I tested on USB2.0 port, and USB3.0 port, and "normal" speed did not work for me.)
    # Locate the tabs, top left "Operate" , "Settings" and choose "Operate"
    * If you have not yet connected Pins 1 through 5 to the badge, do that now. (Pin 1 is closer to the top of the badge. Pin 5 is closest to the bottom of the badge.)
    * In the MPLAB X IPE application, now find and choose "connect"
    # If you see communications complaints in MPLAB X IPE when choosing to connect, re-check and re-connect pins 1-5 to the badge, and try again.
    * Once the MPLAB X IPE indicates the connection worked, the grayed-out option "Program" should now be available.
    * Choose "Program" to flash new firmware to your badge.
    * If you see communication errors at any stage in the "Program" of the badge, re-check pins to badge, reposition, and choose "Program" again.
    * It may take a few tries before you find good contact with all 5 pins to all 5 pads on the badge.
    * Once you complete the programming of one badge with everything above configured, you can probably remove the pins from that badge, and connect those 5 pins to another badge, and choose the "Program" option again. If the "Program" option becomes grayed-out again, and you want to program more badges, you will need to go back to the "connect" step above, and proceed from there.

    Items of caution: be careful with placement of pins. Don't bridge pin-pads on badge when you attach connectors from the PICKit[3||4] to the badge.
    Don't let unused pin 6 from PICKit make contact with other leads on the badge.
    If you happen to short the badge with the pins, you may harm your badge or your PICKit.
    There are some protections in the PICKit and IPE software to "disconnect" under several circumstances, which include unexpected voltage/current changes.
    If you happen to "brick" your PICKit and your PICKit appears to be unresponsive, consider following the procedure suggested on vendor forums:
    * QUIT the "MPLAB X IPE" application. Disconnect the PICKit from your USB port. Disconnect 1-6 pins from badge/device. Reconnect the PICKit to a USB port. Launch the "MPLAB X IDE" (IDE not IPE): Locate "Debug" menu drop-down and select, "Hardware Tool Emergency Boot Firmware Recovery" utility, and run this to see if you can "unbrick" your PICKit. (Technically, it wouldn't be bricked if you can recover it, but when in a broken state, where recovery options are not known, "bricked" is an understandable perceived state.)
    * If that fails, consider contacting their "CiSAR 'Development Tool Replacement Service Site'":

    URL2 =
    Originally posted by URL2
    Develop Fast Prototypes with Microchip's Powerful, Easy-to-Use Ecosystem

    Get your code off to a head start with MPLAB Code Configurator
    Graphically configure peripherals and software libraries with MPLAB Harmony (32-bit PIC® and SAM MCUs only)
    Download a free MPLAB XC Compiler, or unlock the full potential of code size savings and code execution speed with PRO licenses
    Take advantage of MPLAB X IDE’s support for the open-source AVR® and SAM GCC compilers
    Select the best debugger for your project:

    MPLAB ICD 4 In-Circuit Debugger/Programmer is our full-featured, most robust debugger (does not support AVR devices at this time)
    MPLAB PICkit™ 4 In-Circuit Debugger/Programmer is fast and our most popular debugger and programmer
    MPLAB Snap In-Circuit Debugger/Programmer is our most affordable debugger

    All of Microchip’s tools can run on Windows®, macOS®, and Linux® operating systems for maximum workstation flexibility. To view a complete listing of supported products, see the MPLAB X IDE Device Support List found in the documentation tab below.
    Originally posted by URL1, Part Terminal Settings
    detaer · 6 points
    What are the terminal settings to get the art to render?

    wireng · tymkrs - DC26 Badge · 6 points
    You need to enable Code page 437 / CP437 translators in your terminal program. In PuTTY it is under window -> translation -> remote character set

    ec0nr4d · 4 points
    This wiki page explains how to set this on terminals of most popular OSes
    Originally posted by URL1, Wire Service Menu
    mothball187 · 1 point
    How do you access the "wire service menu"? I saw in the code you had to set your baud rate to one of two specific values, but what else needs to be done to reach it? Awesome badge this year, I loved it!

    wireng · tymkrs - DC26 Badge · 3 points
    One value unlocks the menu forever (and changes the status lights) so you can connect at any baud rate after the first connect. The other value just unlocks it for that session. The key to accessing it is using an OTG cable plugged into the USB port on the badge. This grounds the 5th pin in the connector and signals my code to swap over to my debug menus vs the standard path to the internal game.
    How do you know which firmware version your badge has? How can you see if you have the latest firmware? and
    Originally posted by theseURL
    wireengineer‏ @wireengineer Jul 16
    Did some checking and there are 2 places you could get the firmware version. 1.) The first is in the last block of flash there is a text string with the code description (human readable) which contains the version string. But you would need to dump the flash with a pickit
    wireengineer‏ @wireengineer Jul 16
    2.) If you connect to the service menus and do option "s" (Processor status) that will also list out the current version. Though it was also exported over badge bus but looks like that did not get in the code. Latest version of the firmware is "2"
    Gaining access to the "service menu" is or can be part of the puzzle. You can solve it on your own, or try a search with google or ask other people for how to gain access to it.
    I can confirm that once I gained access, I could see a new badge, pre-upgraded, was claiming version "0".
    I would expect the version with some fixes distributed at con was version 1.
    The latest version in the hexfile on media (, with sha256 (of 325bc7ff71f6b5a4c4feb382bc89e326e65092dea5e288c42f5e00908701db06 DEF CON 26 badge by Tymkrs-V2.hex) flashed a badge up to version 2.
    Last edited by number6; 3 days ago.
    6: "Who is Number1?"
    2: "You are number6"
    6: "I am not a number!..."
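
A pre-flash integrity check for the hex file, as an added example (not code from the post above or from the badge authors): it compares the file's SHA-256 with the value quoted in the post, validates every record checksum, and lists printable strings by address, one offline way to look for the version text said to sit in the last block of flash. It assumes the .hex file is in Intel HEX format; the function names and the `SAMPLE` records are constructed for illustration.

```python
import hashlib

# SHA-256 quoted in the post for "DEF CON 26 badge by Tymkrs-V2.hex"
EXPECTED_SHA256 = "325bc7ff71f6b5a4c4feb382bc89e326e65092dea5e288c42f5e00908701db06"

# Constructed three-record sample (not badge firmware): address, data, end-of-file
SAMPLE = ":020000040001F9\n:08FFF0004241444745207632EE\n:00000001FF\n"

def sha256_matches(raw: bytes, expected: str = EXPECTED_SHA256) -> bool:
    """Compare a downloaded file's digest with the published one before flashing."""
    return hashlib.sha256(raw).hexdigest() == expected.lower()

def parse_intel_hex(text: str) -> dict:
    """Return {absolute address: byte}; raise ValueError on a damaged record."""
    memory, base = {}, 0
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"record {n}: missing ':' start code")
        rec = bytes.fromhex(line[1:])  # raises ValueError on non-hex text
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"record {n}: length field mismatch")
        if sum(rec) & 0xFF:  # every byte including the checksum must sum to 0
            raise ValueError(f"record {n}: bad checksum")
        offset, rtype, payload = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00:  # data record
            for i, b in enumerate(payload):
                memory[base + offset + i] = b
        elif rtype == 0x01:  # end of file
            break
        elif rtype == 0x02:  # extended segment address
            base = int.from_bytes(payload, "big") << 4
        elif rtype == 0x04:  # extended linear address (upper 16 bits)
            base = int.from_bytes(payload, "big") << 16
    return memory

def ascii_strings(memory: dict, min_len: int = 6) -> list:
    """(start address, text) for each printable run at contiguous addresses."""
    found, run, start, prev = [], bytearray(), 0, None
    for addr in sorted(memory) + [None]:  # None flushes the final run
        b = memory.get(addr, 0)
        printable = addr is not None and 0x20 <= b <= 0x7E
        if run and not (printable and addr == prev + 1):
            if len(run) >= min_len:
                found.append((start, run.decode("ascii")))
            run = bytearray()
        if printable:
            start = addr if not run else start
            run.append(b)
        prev = addr
    return found
```

For the real file, pass its raw bytes to `sha256_matches` and its text to `parse_intel_hex`; `ascii_strings` returns results in address order.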