Announcement

Collapse
No announcement yet.

DEF CON 26 Badge, Curated Content

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    DEF CON 26 Badge, Curated Content

    Hello,

    I am going to try to collect information about the DEF CON 26 badge, published online, and paste content found online here, with citations for source of information. Almost none of this content is my own. See original data in context by following URL from which data was duplicated.

    Comment: I have completed the re-flashing of a badge to the latest firmware (version 2) using Ubuntu and using Windows, and can confirm that process works.
    In one case, the upgrade claimed success, but it did not. Re-flashing it again worked.
    After flashing, choose "disconnect" in the software, then disconnect the badge, then disconnect power to the badge, then reconnect power to the badge (reboot.)

    Content hosted on the DEF CON Media server for this badge: PDF, docs, firmware, more:
    URL0 = https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20badge/

    URL1 = https://www.reddit.com/r/Defcon/comments/973jik/dc26_official_badge_hardware_ama/

    Originally posted by URL1, Part1
    wireng (https://www.reddit.com/user/wireng/)
    tymkrs - DC26 Badge
    14 points ·
    $TIME ago (https://www.reddit.com/r/Defcon/comm...e_ama/e458hsz/)
    There is still 1 bug we missed and will get worked on by the ninja soon as the tymkrs get there. There was a V1 release at DC that fixed the badge bus alignment bug "V1". I think that got posted to the reddit badge hacking thread but have not found it yet.

    As for reprogramming you need a programmer: (The Pickit 4 is newer and faster than the 3 on these parts)

    https://media.defcon.org/DEF%20CON%2...e%20update.pdf:
    Originally posted by DEF CON 26 badge firmware update.pdf
    [Image]Shows number assignment of pins on badge, where "1" is towards the top of the badge (away from the battery compartment) while "5" is nearest to the bottom of the badge.
    [Image]ScreenShot of using MPLAB X IPE to flash firmware on a badge
    [Image]Screenshot of having used MPLAB X IPE to complete flash firmware update to badge
    Text:
    Updating the Badge Firmware:
    You can use any method to program the PIC32MM0256GPM048 that supports it. This example uses Microchip’s tools as that is what we have.The PICkit 3 Programmer will program the chip in ~32 seconds and the PICkit 4 will program them in ~8s each. Both are available on Digikey, or Microchip’s website.

    1.Plug in the USB port to supply 5V power to the badge. Plug the PICKit 3/4 to USB as well.

    2.Attach the PICkit 3/4 to the pads shown. (fig1) I use a spring probe adapter to make the connection.

    3.Start the Mplab x IPE (comes with the Mplab X IDEhttp://www.microchip.com/mplab/mplab-x-ide)

    4.Configure IPE as shown. (figs 2,3)As long as your PICKit is plugged in, the Tool field will automatically populate. Be sure to choose the correct hex file!:

    5.Click program and wait for all operations to complete (8 to 35 seconds). You may need to click “Connect” first before clicking “Program” depending on what state IPE comes up in.

    6.Verify program was successful (see output below) make sure there are no error or failure messages.

    Please feel free to reach out to @wireengineer/@whixr for any questions on reflashing the firmware
    Twitter: https://twitter.com/tymkrs
    Twitter: https://twitter.com/wireengineer
    Twitter: https://twitter.com/whixr


    https://www.digikey.com/product-deta...130-ND/2171224

    MPLAB PICKit4: Plusses/Minuses
    * claimed speed to update badge with PICKit4: ~8 seconds , around 4 times faster than PICKit3
    * PTG Diiscussion: As of July 2019, and MPLAB X IDE 5.20 : you can't push an image and config to use the "PTG" "Programmer To Go" function the maker (Microchip) claims this unit supports. (This feature as described would allos you to connect to an MPLAB PICKit4 with MPLAB X IDE (some future version) and write out an image/config to a SanDisk on the programmer. Then, you could take the programmer without a laptop/computer, and attach it to a device to be programmed, and then press a button on the programmer, watch for different colored lights to inform you when it was idle, starting, in errored state, or completed with success.
    * Testing with MPLAB X IDE 5.20 and PICKit4, I was unable to flash the badge at "Normal" speed.

    https://www.digikey.com/product-deta...140-ND/8536593
    * claimed speed to update badge firmware with PICKit3: ~32 seconds, around 4 times slower than PICKit4
    * Some users claim that the "PTG" feature (see description in PICKit4 Pluses/Minuses above) in the PICKit3 is working, but I don't see report of it working with the hardware used on the DC 26 badge.

    MPLAB X software: (free, near the bottom of the page click on the downloads tab)

    https://www.microchip.com/mplab/mplab-x-ide

    Once that is installed the easiest way to program the PIC32MM is to use the "IPE" utility.

    Connect the pickit pins 1 - 5 (pin 6+ is not used) to the pads between the lower battery holder pins. Pin 1 is near the top of the badge and pin 5 is near the bottom.

    Once that is done start IPE and pick "PIC32MM0256GPM048" under Device, Your pickit under tool, and the firmware hex file under Hex File then click connect. Once connected click program to program the badge. If all goes well you get a "programming complete" at the end.
    Revised process from my testing:
    * REMOVE ANY BATTERIES: Connect your badge to USB power: most reliable power from my testing was use of a good USB cable to a reliable USB power hub or computer USB port. If you absolutely want to try using batteries then to be safe DO NOT CONNECT USB POWER TO BADGE WHILE YOU HAVE BATTERIES IN YOUR BADGE.
    * If you have properly attached pins 1-5 to your badge and have the PICKit4 attached to a USB port, and then start the "MPLAB X IPE" then it should auto-detect the "Device" and "Tool" and fill those out for you. If no, then you can specify manually:
    # Family: 32-bit MCUs (PIC32) (to limit choices for "Device:"
    # Device: PIC32MM0256GPM048
    # Tool: (Choose wither the PICKit3 or PICKit4, whichever you are using.)
    * Hex File (browse to "DEF CON 26 badge by Tymkrs-V2.hex")
    * Change speed from "Normal" to "Slow":
    # "Setting" menu drop/down, top
    # Choose "Advanced Mode"
    # Complete password prompt (default password is "microchip")
    # Left-side, locate rectangle "Settings" and choose
    # Right-side, top "Special Settings" : scroll and look to the far right and find "Program Speed"
    # Change "Program Speed" from "Normal" to "Low" (I tested on USB2.0 port, and USB3.0 port, and "normal" speed did not work for me.)
    # Locate the tabs, top left "Operate" , "Settings" and choose "Operate"
    * If you have not yet connected Pins 1 through 5 to the badge, do that now. Pin1 is closer to the top of the badge. Pin 5 is closest to the bottom of the badge)
    * In the MPLAB X IPE application, now find and choose "connect"
    # If you see communications complaints in MPLAB X IPE when choosing to connect, re-check and re-connect pins 1-5 to the badge, and try again.
    * Once the MPLAB X IPE indicates the connection worked, the grayed-out option "Program" should now be available.
    * Choose "Program" to flash new firmware to your badge.
    * If you see communication errors at any stage in the "Program" of the badge, re-check pins to badge, reposition, and choose "Program" again.
    * It may take a few tries before you find good contact with all 5 pins to all 5 pads on the badge.
    * Once you complete the programming of one badge with everything above configured, you can probably remove the pins from that badge, and connect those 5 pins to another badge, and choose the "Program" option again. If the "Program" option becomes grayed-out again, and you want to program more badges, you will need to go back to the "connect" step above, and proceed from there.

    Items of caution: be careful with placement of pins. Don't bridge pin-pads on badge when you attach connectors from the PICKit[3||4] to the badge.
    Don't let unused pin 6 from PICKit make contact with other leads on the badge.
    If you happen to short the badge with the pins, you may harm your badge or your PICKit.
    There are some protections inthe PICKit and IPE software to "disconnect" under several circumstances, which include unexpected voltage/current changes.
    If you happen to "brick" your PICKit and your PICKit appears to be unresponsive, consider following the procedure suggested on vendor forums:
    * QUIT the "MPLAB X IPE" application. Disconnect the PICKit from your USB port. Disconnect 1-6 pins from badge/device. Reconnect the PICKit to a USB port. Launch the "MPLAB X IDE" (IDE not IPE): Locate "Debug" menu drop-down and select, "Hardware Tool Emergency Boot Firmware Recovery" utility, and run this to see if you can "unbrick" your PICKit. (Technically, it wouldn't be bricked if you can recover it, but when in a broken state, where recovery options are not known, "bricked" is an understandable perceived state.)
    * If that fails, consider contacting their "CiSAR 'Development Tool Replacement Service Site'": https://www.microchip.com/cisar/Home.aspx


    URL2 = https://www.microchip.com/mplab/mplab-x-ide
    Originally posted by URL2
    Develop Fast Prototypes with Microchip's Powerful, Easy-to-Use Ecosystem

    Get your code off to a head start with MPLAB Code Configurator ( https://www.microchip.com/mplab/mplab-code-configurator)
    Graphically configure peripherals and software libraries with MPLAB Harmony (32-bit PIC® and SAM MCUs only) (https://www.microchip.com/mplab/mplab-harmony)
    Download a free MPLAB XC Compiler, or unlock the full potential of code size savings and code execution speed with PRO licenses (https://www.microchip.com/mplab/compilers)
    Take advantage of MPLAB X IDE’s support for the open-source AVR® and SAM GCC compilers (https://www.microchip.com/mplab/avr-...ns-c-compilers)
    Select the best debugger for your project:

    MPLAB ICD 4 In-Circuit Debugger/Programmer is our full-featured, most robust debugger (does not support AVR devices at this time) (https://www.microchip.com/Developmen...tails/DV164045)
    MPLAB PICkit™ 4 In-Circuit Debugger/Programmer is fast and our most popular debugger and programmer (https://www.microchip.com/developmen...artNO/PG164140)
    MPLAB Snap In-Circuit Debugger/Programmer is our most affordable debugger (https://www.microchip.com/Developmen...tails/pg164100)

    All of Microchip’s tools can run on Windows®, macOS®, and Linux® operating systems for maximum workstation flexibility. To view a complete listing of supported products, see the MPLAB X IDE Device Support List found in the documentation tab below.
    Originally posted by URL1, Part Terminal Settings
    detaer (https://www.reddit.com/user/detaer/)
    6 points ·
    $TIME ago (https://www.reddit.com/r/Defcon/comm...e_ama/e45l0wj/)
    What are the terminal settings to get the art to render?

    wireng (https://www.reddit.com/user/wireng/)
    tymkrs - DC26 Badge
    6 points ·
    $TIME ago (https://www.reddit.com/r/Defcon/comm...e_ama/e45p3hz/)
    You need to enable Code page 437 / CP437 translators in your terminal program. In PuTTY it is under window -> translation -> remote character set

    ec0nr4d (https://www.reddit.com/user/ec0nr4d/)
    4 points ·
    $TIME ago (https://www.reddit.com/r/Defcon/comm...e_ama/e45pwei/)
    This wiki page explains how to set this on terminals of most popular OSes https://nethackwiki.com/wiki/IBMgraphics
    Originally posted by URL1, Wire Service Menu
    mothball187 (https://www.reddit.com/user/mothball187/)
    1 point ·
    $TIME ago (https://www.reddit.com/r/Defcon/comm...e_ama/e4bkjwu/)
    How do you access the "wire service menu"? I saw in the code you had to set your baud rate to one of two specific values, but what else needs to be done to reach it? Awesome badge this year, I loved it!

    wireng (https://www.reddit.com/user/wireng/)
    tymkrs - DC26 Badge
    3 points ·
    $TIME ago (https://www.reddit.com/r/Defcon/comments/973jik/dc26_official_badge_hardware_ama/e4bofkf/)
    One value unlocks the menu forever (and changes the status ligths) so you can connect at any baud rate after the first connect. The other value just unlocks it for that session. The key to accessing it is using a OTG cable plugged into the USB port on the badge. This grounds the 5th pin in the connector and signals my code to swap over to my debug menus vs the standard path to the internal game.
    How do you know which firmware version your badge has? How can you see if you have the latest firmware?
    https://twitter.com/wireengineer/sta...19089660485632 and https://twitter.com/wireengineer/sta...19521376051201
    Originally posted by theseURL
    wireengineer‏ @wireengineer Jul 16
    Did some checking and there are 2 places you could get the firmware version. 1.) The first is in the last block of flash there is a text string with the code description (human readable) which contains the version string. But you would need to dump the flash with a pickit
    wireengineer‏ @wireengineer Jul 16
    2.) If you connect to the service menus and do option "s" (Processor status) that will also list out the current version. Though it was also exported over badge bus but looks like that did not get in the code. Latest version of the firmware is "2"
    Gaining access to the "service menu" is or can be part of the puzzle. You can solve it on your own, or try a search with google or ask other people for how to gain access to it.
    I can confirm that once I gained access, I could see a new badge, pre-upgraded, was claiming version "0".
    I would expect the version with some fixes distributed are con was version 1.
    The latest version in the hexfile on media ( https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20badge/DEF%20CON%2026%20badge%20by%20Tymkrs-V2.hex, with sha256 (of 325bc7ff71f6b5a4c4feb382bc89e326e65092dea5e288c42f 5e00908701db06 DEF CON 26 badge by Tymkrs-V2.hex) flashed a badge up to version 2.
    Last edited by number6; August 2nd, 2019, 15:08.
    6: "Who is Number1?"
    2: "You are number6"
    6: "I am not a number!..."
    Tags: badge, dc26, dc26badge, firmware, hardware hacking, update, upgrade
  • #2
    Badge Flashing Station at DEF CON 27 for DEF CON 26 Badges:

    (A duplicate of this document will likely be placed here: https://forum.defcon.org/node/228626...308#post229308 ; as we find mistakes in the original versions we print and include with the badge flashing stations, we will try to address those mistakes in the online document.)

    Initial Setup of stations and equipment:
    • Connect power strip to wall power
    • Connect laptop power bricks to power strip
    • Connect cable from power brick to each laptop's power port
    • Power-on / Boot all of the laptops if not already powered on
    • Example:
    Click image for larger version Name: 0-All-Laptops-With-Power-800x.png Views: 0 Size: 522.7 KB ID: 229359
    • 6-Pin cable, 6-pin straight assembly, 6-pin right-angle assembly: Connect one at each end. For the right-angle assembly, make sure pin-1 side of cable is as shown here, and remove pin-6 on the right-angle assembly, to avoid it accidentally making contact with a circuit on the badge:
    • Example:
    Click image for larger version Name: 1-3-Other-End-of-cable-right-angle-pin-inserted-pin-1-OK-ping-6-removed-zoom-in.png Views: 0 Size: 405.4 KB ID: 229360
    • Arrange the PICKit4 and other end of the cable with the 6-pin straight assembly like this, and notice how the triangle icon on the PICKit which identifies where pin-1 should be inserted does not match the position of the cable:
    • Example:
    Click image for larger version Name: 2-Number-1-Pin-in-cable-opposite-to-number-1-pin-receiver-triangle-in-PICKit4-800x.png Views: 0 Size: 882.1 KB ID: 229361
    • So, we flip this end of the cable with the 6-pin straight assembly such that the "1" printed on the cable will actually be inserted into the same slot on the PICKit4 with the triangle:
    • Example:
    Click image for larger version Name: 3-2-rotated-cable-so-1-pin-aligns-with-1-pin-slot-triangle-on-PICKit4-800x.png Views: 0 Size: 803.7 KB ID: 229362
    • Now, fully seat the 6-pin straight assembly and cable into the PICKit4:
    • Example:
    Click image for larger version Name: 4-2-z-fully-seated-in-PICKit4-800x.png Views: 0 Size: 756.0 KB ID: 229363
    • When you are finished, your PICKit4 plus pin assemblies and cable with pin-6 removed on right-angle 6-pin assembly may look like this:
    • Example:
    Click image for larger version Name: 5-3-Other-End-of-cable-right-angle-pin-inserted-pin-1-OK-ping-6-removed-800x.png Views: 0 Size: 292.9 KB ID: 229364
    • REMOVE any batteries during this process: USB power is likely going to be more reliable, and we don't want to have an under-power issue while flashing the firmware.
    • Connect Black USB-A to USB-Micro cable to badge and laptop
    • Connect silver USB-A to USB-Micro cable to PICKit4 and laptop
    Click image for larger version Name: 6-0-All-USB-Connected-800x.png Views: 6455 Size: 683.9 KB ID: 229365


    (To be continued n next post)


    Last edited by number6; August 1st, 2019, 14:43.
    6: "Who is Number1?"
    2: "You are number6"
    6: "I am not a number!..."

    Comment

    • #3
      In the previous post, you should have prepared all of the badge flashing stations. Now we continue with....

      Run software, flash badge
      • Use a badge flashing station. Example desktop. The program you are primarily interested in using is "MPLAB X IPE v5.20". Double click the icon for that to launch it:
        Example:
      Click image for larger version Name: 7-00-Desktop-of-Badge-Flashing-Station-800x.png Views: 0 Size: 31.5 KB ID: 229367
      • After it is running, if it does not show your "device" as "PIC32MM0256GPM048" then click on the drop-down for "Family" and choose in that drop-down the one that matches "32-bit MCUs (PIC32)", and after selected, click on the drop-down for "Device" and locate the device that matches "PIC32MM0256GPM048". If the field for "Tool" does not display something like "PICKit 4 S.No : BUR123456789" then you may need to disconnect and re-connect the USB cables for the PICKit4 from the computer and the PICKit4, and see if you can choose it under the drop-down for "Tool". What it might look like when it is all selected:
      • Example:
      Click image for larger version Name: 8-01-IPE-Config-1-800x.png Views: 0 Size: 76.5 KB ID: 229368
      • Now we need to change the speed for programmer from "Normal" to "Low" to give you the best chances at being able to successfully re-flash your badge. First step, visit the "Settings" menu and see drop-down, example, and choose "Advanced Mode":
        Example:
      Click image for larger version Name: 9-02-IPE-Settings-Advanced-Mode-1-800x.png Views: 0 Size: 87.0 KB ID: 229369
      • Once you have selected "Advanced Mode" will will need to login:
      • Example:
      Click image for larger version Name: a-03-IPE-Login-Settings-Advanced-Mode-1-800x.png Views: 0 Size: 83.5 KB ID: 229370
      • Once logged-in, then locate the "settings" option on the left side, and select it, which should expose (top-right) options for changing "Program Speed" from "Normal" to "Low": choose "Low":
      • Example:
      Click image for larger version Name: b-04-Settings-Program-Speed-Set-Low-1-800x.png Views: 0 Size: 46.6 KB ID: 229371
      • Find the tab for "operate" (near top-left) and choose it to bring you back to the view we started with:
      • Now we need to connect the 5-pins from the right-angle pin assembly such that pin-1 is connected to the badge like one of these two:
        • Angled-connection / technique 1: Make contact at a slight angle where pin-5 is on the badge lead closest to the bottom of the badge, while pin-1 is closer to the top of the badge:
      Click image for larger version Name: c-1-Number-1-Pin-Far-Right-angled-connection-technique-zoom-out-max-800x.png Views: 0 Size: 738.1 KB ID: 229372





      closer:
      Click image for larger version Name: c-1-Number-1-Pin-Far-Right-angled-connection-technique-zoom-out-800x.png Views: 0 Size: 739.5 KB ID: 229373






      closer:
      Click image for larger version Name: c-1-Number-1-Pin-Far-Right-angled-connection-technique-800x.png Views: 0 Size: 851.0 KB ID: 229374
      1. Flat-connection / technique 2: Make contact with all 5 pins laying flat on the leads where pin-5 is on the badge lead closest to the bottom of the badge, while pin-1 is closer to the top of the badge:
      Click image for larger version Name: d-1-Number-1-Pin-Far-Right-flat-connection-technique-zoom-out-max-800x.png Views: 0 Size: 624.0 KB ID: 229381





      Closer:
      Click image for larger version Name: d-1-Number-1-Pin-Far-Right-flat-connection-technique-zoom-out-800x.png Views: 0 Size: 489.6 KB ID: 229382





      closer:
      Click image for larger version Name: d-1-Number-1-Pin-Far-Right-flat-connection-technique.png Views: 0 Size: 264.5 KB ID: 229383
      • Once you are holding the 5-pins attached to the PICKit4 and the DEF CON 26 badge, find and press "Connect" : (If someone else has already connected to a badge, then you may skip ahead to the NEXT step.)
      Click image for larger version Name: e-05-click-operate-tab-1-800x.png Views: 0 Size: 79.5 KB ID: 229384
      • Once the software connects through the PICKit4 to a DEF CON 26 badge, it may look like this: (The "Connect" option has become a "Disconnect" option and previously grayed-out options ("Program" , "Erase" , "Read" , "Verify" , "Blank Check" etc.) are not longer grayed-out.)
      • Now locate the "Hex File:" section with field "click on browse to select hex file" and then a "browse" button. Click the "browse" button. (If someone else has flashed a badge here, they may have already loaded the new firmware version 2 for the DEF CON 26 badges as a hex file. If so, you may skip to "Ready to Program")
      Click image for larger version Name: f-07-press-connect-after-connected-to-badge-1-800x.png Views: 0 Size: 83.0 KB ID: 229385
      • After you click "browse" locate the new firmware file for version 2. It should be on "Desktop" in a folder called "firmware" and be the only file that ends with ".hex"
      Click image for larger version Name: g-08-select-hex-file-800x.png Views: 0 Size: 91.8 KB ID: 229386
      • "Ready to Program" : Now, while firmly holding the 5-pin assembly connected to your badge, click the "Program" option, and if the programming of your badge succeeds, then you may see something like this AND when your badge is disconnected from power and re-connected to power, the multiple colored lights of the badge should be present. If after upgrading, it claims complete, but only one or two orange/yellow lights are on, then you should try to re-flash it again. I've seem the software claim success, but after upgrade, and powering down, then back up the badge, if only 2 lights are on, the badge won't work to help solve its puzzle:
      • HINT: SAVE TIME:: Once you have things in this state, after you program one badge, you can connect the same 5 pins to another badge, and click "Program": you can keep programming badges from this point until the "Program" option becomes grayed-out.
      • What causes "Program" to become grayed-out?: if you accidentally touch one of the 5 pins to an incorrect item on the badge, you could create an electrical short, or and under/over-voltage issue, or something else. These can risk "bricking" the PICKit4, or more likely, lead to a "Disconnect" forcing you to go back to an earlier step to again choose to "Connect" to a badge.
      • If you "bricked" the PICKit4: Scroll to the end of this document for suggestions to try to remedy that.
      Click image for larger version Name: h-09-program-the-device-programming-complete-800x.png Views: 0 Size: 70.3 KB ID: 229387
      • What if it did not work? Then try again:
      1. In using the above technique to re-flash ~300 badges, out of every 5 tries to flash a badge, 2 failed and required another attempt. Even with failures, all ~300 badges were eventually, successfully upgraded. If it does not work the first time, try again with a few changes.
      2. Disconnect, then re-position the 5-pin connectors to different parts of the same leads.
      3. Make sure the badge, and PICKit4 have power: lights should be on for both devices.
      4. If you previously tried the "angled" connection technique to the badge, try the "flat" connection technique.
      5. Try changing the pressure you apply in the pin assembly to the badge leads; if you are bending the pin assembly, you are applying too puch pressure.
      6. Make sure the pin assemblies have not started to separate from the cable or the PICKit4; if you can see more than a sliver of shiney metal pins where they should be seated, try re-seating them.
      7. Make sure you are not torquing the pin assembly, causing some pins to make very good contact, while the others are barely touching.
      8. Try letting the pin assembly gently rake against the badge leads for a few strokes; imagine you are putting tiny-groves into the leads, then stop and apply a little pressure to see if that helps make better contact.
      9. Make sure the "speed" for programming is set to "low" (see step above) : using "low" makes the process more resilient to bad connections.
      10. Ask for help
      THANKS!

      Thanks to everyone that helped provide information needed to complete this. Some citations and references:
      Attached Files
      Last edited by number6; August 3rd, 2019, 10:03.
      6: "Who is Number1?"
      2: "You are number6"
      6: "I am not a number!..."

      Comment

      • #4
        How can you tell if your badge really has the latest firmware?

        It is possible for the IPE software to claim a successful upgrade of your firmware, but it still fails, and leaves you badge in a bad state. When this happens, most badge functions do not work as they should.
        Here is an example video of a badge in such a bad state:

        https://www.youtube.com/watch?v=J0q_luwbLg0

        Testing Embedding A Video: use the link above if the embedded video does not work.


        Here is an example video of a badge which is working as it should after a firmware upgrade:

        https://www.youtube.com/watch?v=Pk5JdcvNdww

        Testing Embedding A Video: use the link above if the embedded video does not work.



        After re-flashing/upgrading around 300 badges, this happened on only 5 or 6, and when it did happen, flashing it again worked, and allowed it to leave the broken state with only a few orange/yellow lights flickering.



        POSSIBLE SPOILERS IN THIS MESSAGE FOR SOLVING THE BADGE PUZZLE.
        SKIP TO THE NEXT POST IF YOU WANT TO AVOID SPOILERS.













        Last Chance!











        How to Confirm upgrade worked?

        BONUS Info: How can you verify your badge was flashed and upgraded to the new firmware?

        (Possible Spoilers beyond this point)

        First, disconnect power from the badge, wait a second, the reconnect power. If the badge includes mult-color lights and flashing, that is a great sign.
        If only 2 lights are lit, and they are yellow/orange, even if one is fliskering, even if the badge-flashing software claims "success" , these symptoms imply the firmware update did not work. Try to flash it again

        If you know how to get to the "Wire's service menu" in the badge you can choose "s" for "processor status" and see details about "Firmware ver:".
        • If it is "0" then it has never been upgraded.
        • If it is "1" then it was probably upgraded last year at DEF CON 26 to an incomplete fix.
        • If it is "2" then You have the latest firmware.

        Example images from wire service menu:
        • Displaying the "Wire's service menu" options:
        Click image for larger version Name: i-0a-terminal-status-special-1.png Views: 0 Size: 19.8 KB ID: 229389
        • Choosing "s" and seeing the results when upgraded to latest firmware: This badge has been upgraded.
        • Note the line "Firmware ver: 2" : the 2 is the latest release as of July, 2019.
        Click image for larger version Name: j-0b-terminal-status-special-press-s-firmware-ver-is-2-upgraded-1.png Views: 0 Size: 21.8 KB ID: 229390
        • Choosing "s" and seeing the results when upgraded to latest firmware: This badge has NOT been upgraded.
        • Note the line "Firmware ver: 0" : the 0 was the original release when fresh badges were taken out of their packages.
        Click image for larger version Name: k-0c-terminal-status-special-press-s-firmware-ver-is-0-NOT-upgraded-1.png Views: 0 Size: 22.3 KB ID: 229391

























        Almost at the end of this post.



















        END of post.
        Last edited by number6; August 1st, 2019, 16:25.
        6: "Who is Number1?"
        2: "You are number6"
        6: "I am not a number!..."

        Comment

        • #5
          Advice for people with some hardware experience:

          Did you break the PICKit4?

          What if you broke the PICKit4?

          It depends on how it is broken. If it seems like it has been "bricked" and is no longer recognized by MPLAB X IPE, then try a recovery with the MPLAB X IDE: https://www.microchip.com/forums/m1102128.aspx :
          1. QUIT the "MPLAB X IPE" application.
          2. Disconnect the PICKit from your USB port.
          3. Disconnect 1-6 pins from badge/device.
          4. Reconnect the PICKit to a USB port.
          5. Launch the "MPLAB X IDE" (IDE not IPE): Locate "Debug" menu drop-down and select, "Hardware Tool Emergency Boot Firmware Recovery" utility, and run this to see if you can "unbrick" your PICKit.

          If that fails, don't throw it away! Document what appears to be wrong and tape that to the PICKit4; we may be able to get a replacement with: https://www.microchip.com/cisar/Home.aspx CiSAR 'Development Tool Replacement Service'
          6: "Who is Number1?"
          2: "You are number6"
          6: "I am not a number!..."

          Comment

          • #6
            In order to make this a little smoother to re-flash devices at DEF CON 27, I whacked together a handful of card edge connectors that have been dremmeled to fit the DC26 badges.

            The DC26 programming interface has a couple of handy points of interest.
            • The PIC ISCP uses (usually) 5 signals, RST, VCC, VSS, CLK, DAT.
            • There are 5 pads placed on the backside of the DC26 PCB, nestled between two of the leads for the lower battery connector.
            • The battery leads guide the connector and prevent sliding and shifting.
            • These pins are in the same order as the PICkit ordering, and are 0.1" spaced
            • The battery connector is a small distance above the PCB. This is because of the components on the backside as well as the double sided sticky tape.
            • The PCB thickness is pretty standard

            There was not enough time to get a card edge connector on order that would readily fit, so one needed to be Dremmel'ed to bits and soldered up. I started from the last card edge socket I had (from another project for dumping N64 ROMs), used a cutoff wheel to cut 5 pin lengths, and used a rotary sandpaper attachment to fine tune everything.

            The end result is a slightly fragile connector (since a lot of the support plastic was removed), but one that can slide on to the edge of the PCB to make an electrically secure connection without having to hold everything at just the correct angle. Add in some hot-snot (didn't have any shrink tube of the right size) and its no longer pointy and can be handled pretty well. Each plug should be good for a few hundred cycles at a minimum each.

            Click image for larger version Name: 20190802_083039.jpg Views: 6408 Size: 770.0 KB ID: 229425 Click image for larger version Name: 20190802_230457.jpg Views: 6473 Size: 1.18 MB ID: 229426
            • 2 likes

            Comment

            Previous template Next
            Working...
            X