Announcement

number6 · July 30, 2019, 21:22

Badge Flashing Station at DEF CON 27 for DEF CON 26 Badges:

(A duplicate of this document will likely be placed here: https://forum.defcon.org/node/228626...308#post229308 ; as we find mistakes in the original versions we print and include with the badge flashing stations, we will try to address those mistakes in the online document.)

Initial Setup of stations and equipment:

Connect power strip to wall power
Connect laptop power bricks to power strip
Connect cable from power brick to each laptop's power port
Power-on / Boot all of the laptops if not already powered on
Example:

6-Pin cable, 6-pin straight assembly, 6-pin right-angle assembly: Connect one at each end. For the right-angle assembly, make sure pin-1 side of cable is as shown here, and remove pin-6 on the right-angle assembly, to avoid it accidentally making contact with a circuit on the badge:
Example:

Arrange the PICKit4 and other end of the cable with the 6-pin straight assembly like this, and notice how the triangle icon on the PICKit which identifies where pin-1 should be inserted does not match the position of the cable:
Example:

So, we flip this end of the cable with the 6-pin straight assembly such that the "1" printed on the cable will actually be inserted into the same slot on the PICKit4 with the triangle:
Example:

Now, fully seat the 6-pin straight assembly and cable into the PICKit4:
Example:

When you are finished, your PICKit4 plus pin assemblies and cable with pin-6 removed on right-angle 6-pin assembly may look like this:
Example:

REMOVE any batteries during this process: USB power is likely going to be more reliable, and we don't want to have an under-power issue while flashing the firmware.
Connect Black USB-A to USB-Micro cable to badge and laptop
Connect silver USB-A to USB-Micro cable to PICKit4 and laptop

(To be continued n next post)

number6 · August 1, 2019, 14:50

In the previous post, you should have prepared all of the badge flashing stations. Now we continue with....

Run software, flash badge

Use a badge flashing station. Example desktop. The program you are primarily interested in using is "MPLAB X IPE v5.20". Double click the icon for that to launch it:
Example:

After it is running, if it does not show your "device" as "PIC32MM0256GPM048" then click on the drop-down for "Family" and choose in that drop-down the one that matches "32-bit MCUs (PIC32)", and after selected, click on the drop-down for "Device" and locate the device that matches "PIC32MM0256GPM048". If the field for "Tool" does not display something like "PICKit 4 S.No : BUR123456789" then you may need to disconnect and re-connect the USB cables for the PICKit4 from the computer and the PICKit4, and see if you can choose it under the drop-down for "Tool". What it might look like when it is all selected:
Example:

Now we need to change the speed for programmer from "Normal" to "Low" to give you the best chances at being able to successfully re-flash your badge. First step, visit the "Settings" menu and see drop-down, example, and choose "Advanced Mode":
Example:

Once you have selected "Advanced Mode" will will need to login:
Example:

Once logged-in, then locate the "settings" option on the left side, and select it, which should expose (top-right) options for changing "Program Speed" from "Normal" to "Low": choose "Low":
Example:

Find the tab for "operate" (near top-left) and choose it to bring you back to the view we started with:
Now we need to connect the 5-pins from the right-angle pin assembly such that pin-1 is connected to the badge like one of these two:
- Angled-connection / technique 1: Make contact at a slight angle where pin-5 is on the badge lead closest to the bottom of the badge, while pin-1 is closer to the top of the badge:

closer:

Flat-connection / technique 2: Make contact with all 5 pins laying flat on the leads where pin-5 is on the badge lead closest to the bottom of the badge, while pin-1 is closer to the top of the badge:

Closer:

closer:

Once you are holding the 5-pins attached to the PICKit4 and the DEF CON 26 badge, find and press "Connect" : (If someone else has already connected to a badge, then you may skip ahead to the NEXT step.)

Once the software connects through the PICKit4 to a DEF CON 26 badge, it may look like this: (The "Connect" option has become a "Disconnect" option and previously grayed-out options ("Program" , "Erase" , "Read" , "Verify" , "Blank Check" etc.) are not longer grayed-out.)
Now locate the "Hex File:" section with field "click on browse to select hex file" and then a "browse" button. Click the "browse" button. (If someone else has flashed a badge here, they may have already loaded the new firmware version 2 for the DEF CON 26 badges as a hex file. If so, you may skip to "Ready to Program")

After you click "browse" locate the new firmware file for version 2. It should be on "Desktop" in a folder called "firmware" and be the only file that ends with ".hex"

"Ready to Program" : Now, while firmly holding the 5-pin assembly connected to your badge, click the "Program" option, and if the programming of your badge succeeds, then you may see something like this AND when your badge is disconnected from power and re-connected to power, the multiple colored lights of the badge should be present. If after upgrading, it claims complete, but only one or two orange/yellow lights are on, then you should try to re-flash it again. I've seem the software claim success, but after upgrade, and powering down, then back up the badge, if only 2 lights are on, the badge won't work to help solve its puzzle:
HINT: SAVE TIME:: Once you have things in this state, after you program one badge, you can connect the same 5 pins to another badge, and click "Program": you can keep programming badges from this point until the "Program" option becomes grayed-out.
What causes "Program" to become grayed-out?: if you accidentally touch one of the 5 pins to an incorrect item on the badge, you could create an electrical short, or and under/over-voltage issue, or something else. These can risk "bricking" the PICKit4, or more likely, lead to a "Disconnect" forcing you to go back to an earlier step to again choose to "Connect" to a badge.
If you "bricked" the PICKit4: Scroll to the end of this document for suggestions to try to remedy that.

What if it did not work? Then try again:

In using the above technique to re-flash ~300 badges, out of every 5 tries to flash a badge, 2 failed and required another attempt. Even with failures, all ~300 badges were eventually, successfully upgraded. If it does not work the first time, try again with a few changes.
Disconnect, then re-position the 5-pin connectors to different parts of the same leads.
Make sure the badge, and PICKit4 have power: lights should be on for both devices.
If you previously tried the "angled" connection technique to the badge, try the "flat" connection technique.
Try changing the pressure you apply in the pin assembly to the badge leads; if you are bending the pin assembly, you are applying too puch pressure.
Make sure the pin assemblies have not started to separate from the cable or the PICKit4; if you can see more than a sliver of shiney metal pins where they should be seated, try re-seating them.
Make sure you are not torquing the pin assembly, causing some pins to make very good contact, while the others are barely touching.
Try letting the pin assembly gently rake against the badge leads for a few strokes; imagine you are putting tiny-groves into the leads, then stop and apply a little pressure to see if that helps make better contact.
Make sure the "speed" for programming is set to "low" (see step above) : using "low" makes the process more resilient to bad connections.
Ask for help

THANKS!

Thanks to everyone that helped provide information needed to complete this. Some citations and references:

The Dark Tangent: He purchased the equipment and paid for the time to make this documents and arrange to have it all made available for you at DEF CON 27
l33tbunni in the Hardware Hacking Village for working to help people upgrade the firmware on their badges and allow them to finish the game/puzzle!
https://www.reddit.com/r/Defcon/comm..._hardware_ama/ : Contributors on reddit who asked good questions and provided good answers.
twitter: @tymkrs
twitter: @wireengineer
twitter: @whixr
MPLAB for thier X IDE/IPE software and PICKIT4

Attached Files

number6 · August 1, 2019, 15:26

How can you tell if your badge really has the latest firmware?

It is possible for the IPE software to claim a successful upgrade of your firmware, but it still fails, and leaves you badge in a bad state. When this happens, most badge functions do not work as they should.
Here is an example video of a badge in such a bad state:

https://www.youtube.com/watch?v=J0q_luwbLg0

Testing Embedding A Video: use the link above if the embedded video does not work.

Here is an example video of a badge which is working as it should after a firmware upgrade:

https://www.youtube.com/watch?v=Pk5JdcvNdww

Testing Embedding A Video: use the link above if the embedded video does not work.

After re-flashing/upgrading around 300 badges, this happened on only 5 or 6, and when it did happen, flashing it again worked, and allowed it to leave the broken state with only a few orange/yellow lights flickering.

POSSIBLE SPOILERS IN THIS MESSAGE FOR SOLVING THE BADGE PUZZLE.
SKIP TO THE NEXT POST IF YOU WANT TO AVOID SPOILERS.

Last Chance!

How to Confirm upgrade worked?

BONUS Info: How can you verify your badge was flashed and upgraded to the new firmware?

(Possible Spoilers beyond this point)

First, disconnect power from the badge, wait a second, the reconnect power. If the badge includes mult-color lights and flashing, that is a great sign.
If only 2 lights are lit, and they are yellow/orange, even if one is fliskering, even if the badge-flashing software claims "success" , these symptoms imply the firmware update did not work. Try to flash it again

If you know how to get to the "Wire's service menu" in the badge you can choose "s" for "processor status" and see details about "Firmware ver:".

If it is "0" then it has never been upgraded.
If it is "1" then it was probably upgraded last year at DEF CON 26 to an incomplete fix.
If it is "2" then You have the latest firmware.

Example images from wire service menu:

Displaying the "Wire's service menu" options:

Choosing "s" and seeing the results when upgraded to latest firmware: This badge has been upgraded.
Note the line "Firmware ver: 2" : the 2 is the latest release as of July, 2019.

Choosing "s" and seeing the results when upgraded to latest firmware: This badge has NOT been upgraded.
Note the line "Firmware ver: 0" : the 0 was the original release when fresh badges were taken out of their packages.

Almost at the end of this post.

END of post.

number6 · August 1, 2019, 15:27

Advice for people with some hardware experience:

Did you break the PICKit4?

What if you broke the PICKit4?

It depends on how it is broken. If it seems like it has been "bricked" and is no longer recognized by MPLAB X IPE, then try a recovery with the MPLAB X IDE: https://www.microchip.com/forums/m1102128.aspx :

QUIT the "MPLAB X IPE" application.
Disconnect the PICKit from your USB port.
Disconnect 1-6 pins from badge/device.
Reconnect the PICKit to a USB port.
Launch the "MPLAB X IDE" (IDE not IPE): Locate "Debug" menu drop-down and select, "Hardware Tool Emergency Boot Firmware Recovery" utility, and run this to see if you can "unbrick" your PICKit.

If that fails, don't throw it away! Document what appears to be wrong and tape that to the PICKit4; we may be able to get a replacement with: https://www.microchip.com/cisar/Home.aspx CiSAR 'Development Tool Replacement Service'

l33tbunni · August 3, 2019, 01:12

In order to make this a little smoother to re-flash devices at DEF CON 27, I whacked together a handful of card edge connectors that have been dremmeled to fit the DC26 badges.

The DC26 programming interface has a couple of handy points of interest.

The PIC ISCP uses (usually) 5 signals, RST, VCC, VSS, CLK, DAT.
There are 5 pads placed on the backside of the DC26 PCB, nestled between two of the leads for the lower battery connector.
The battery leads guide the connector and prevent sliding and shifting.
These pins are in the same order as the PICkit ordering, and are 0.1" spaced
The battery connector is a small distance above the PCB. This is because of the components on the backside as well as the double sided sticky tape.
The PCB thickness is pretty standard

There was not enough time to get a card edge connector on order that would readily fit, so one needed to be Dremmel'ed to bits and soldered up. I started from the last card edge socket I had (from another project for dumping N64 ROMs), used a cutoff wheel to cut 5 pin lengths, and used a rotary sandpaper attachment to fine tune everything.

The end result is a slightly fragile connector (since a lot of the support plastic was removed), but one that can slide on to the edge of the PCB to make an electrically secure connection without having to hold everything at just the correct angle. Add in some hot-snot (didn't have any shrink tube of the right size) and its no longer pointy and can be handled pretty well. Each plug should be good for a few hundred cycles at a minimum each.

Announcement

DEF CON 26 Badge, Curated Content

DEF CON 26 Badge, Curated Content

Comment

Comment

Comment

Comment

Comment