AndrewNohawk
Security

Finding the ‘unlock’ codes on the Hacker Warehouse Badge Defcon 2017

Hacker badges of Defcon 2017 (25)
Defcon every year has many many different electronic badges that you can play with / hack / blind your friends with.  I was lucky enough to get one of these really cool badges and I wanted to figure out the lock codes from the hardware/firmware rather than trying to use the interface.

TL;DR

I didn’t end up going into the firmware beyond strings since they released it on github eventually and there were no other unlocks, but the basics of doing it were as follows:

— Get an FTDI cable ( the hackerwarehouse badge is 3.3v and I have one similar to this: https://www.amazon.com/gp/product/B06ZYPLFNB/ref=oh_aui_detailpage_o01_s02?ie=UTF8&psc=1 )
— Connect the wires up correctly to TX and RX
— Make sure the device is found ( lsusb on linux and system_profiler SPUSBDataType on OSX )
— Get the lastest esptool from https://github.com/espressif/esptool
— Put the badge into firmware mode by booting and holding the down button
— python ./esptool.py –port /dev/tty.usbserial-A106AUUX -b 74880 -c esp8266 read_flash 0 0x400000 badge_flash.bin
— 
strings original_contents.bin | grep -B 15 -A 15 LRLR

 

...snip
region perm unlocked
region unlocked
konami!
UDDDUULR 
RLRLLRDU
UUDDLRLR
see if I don't!
with my blurglecruncheon,
...snip

The Hacker Warehouse badge

The hacker warehouse badge (even on hackaday) was really awesome for me, the design was cool, the LEDs, and old school snake game and more! And by more I mean the “mischief”, which included wi-fi deauth, Pineapple lite and more. However when trying to use these the text “locked” appears on the screen. So I wanted to try and unlock these features. Initially I tried getting high scores in the snake game, using various keypresses in the ‘echo keypress’ and other parts of the badge. I found that using UP, UP, DOWN, DOWN, LEFT, RIGHT, LEFT, RIGHT gave you the text konami, but that was it. So this is how I got the three basic unlock codes. Before digging further into the firmware the code was actually released so I didn’t pursue it further :)

Connecting to the Badge

The first part was of course wiring up to the ESP, in this case the hackerwarehouse guys had nicely left the pins exposed as well as labelled for us! Soldered up some breadboard jumpers as they are easier for me to connect to the FTDI cable and I was away.

Next I connected it up to my FTDI cable, its important to look at the colouring for yours but this was how I did it:

Next we want to make sure it is connected and working, on OSX you can use system_profiler SPUSBDataType and on lsusb on linux, on my mac the output shows that I have the cable connected:


USB:

USB 3.0 Bus:

Host Controller Driver: AppleUSBXHCIWPT
PCI Device ID: 0x9cb1
PCI Revision ID: 0x0003
PCI Vendor ID: 0x8086

FT232R USB UART:

Product ID: 0x6001
Vendor ID: 0x0403 (Future Technology Devices International Limited)
Version: 6.00
Serial Number: A106AUUX
Speed: Up to 12 Mb/sec
Manufacturer: FTDI
Location ID: 0x14100000 / 30
Current Available (mA): 500
Current Required (mA): 90
Extra Operating Current (mA): 0

Now that the cable is connected we have to grab esptool from their github, so you can just run git clone https://github.com/espressif/esptool. Esptool is the tool from espressif that allows you to upload firmware (as well as download) from ESP devices. In this case the ESP8266.

Dumping the firmware

Next we want to connect to the serial port to see whats going on with the badge (Maybe there are more secrets setec astronomy). For this I just used the arduino serial monitor, its easy to change the baud and I wasn’t sure what speed the badge would be running at. You can of course use anything else like putty/minicom/screen/etc :)

Trying the more common baud rates like 9600/112500 returned just /dev/random: p  nn��;�nĒ�� � b�#l`$`nn��܀ ����l���� � b�n��n�$�� � b�ľ~�n�����l` but using the the more common (and often default ESP baud of 74880) gets you some readable output:

ets Jan 8 2013,rst cause:2, boot mode:(3,7)

load 0x4010f000, len 1384, room 16
tail 8
chksum 0x2d
csum 0x2d
v09f0c112
~ld

ets Jan 8 2013,rst cause:2, boot mode:(3,7)

load 0x4010f000, len 1384, room 16
tail 8
chksum 0x2d
csum 0x2d
v09f0c112
~ld

This looks a lot better! However our badge is constantly rebooting, and we need to get it to stop doing that so we can pull the firmware. Using the different buttons will put it into different modes and you can read about the ESP modes over at https://github.com/esp8266/esp8266-wiki/wiki/Boot-Process#esp-boot-modes , however holding the UP button while booting will put it into a stable 1,7 which is what we are looking for.

Next we dump the firmware with the ESPtool as follows:
python ./esptool.py --port /dev/tty.usbserial-A106AUUX -b 74880 -c esp8266 read_flash 0 0x400000 badge_firmware.bin

This will essentially pull off everything from the flash, even though most of it is not used (instead we get many copies of the firmware). We do this at a baud of 74880 (you can push it higher, but this was most reliable for me).

ESPTOOLRUNNING

Finding the unlock codes

Hurrah! We have a bin of the code uploaded to the badge, now we can start digging through the firmware. By default I had a look at binwalk to see if there was any particular known formats in the firmware:


binwalk -e badge_flash.bin

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
191962 0x2EDDA MySQL ISAM compressed data file Version 2
1240538 0x12EDDA MySQL ISAM compressed data file Version 2
2289114 0x22EDDA MySQL ISAM compressed data file Version 2
3337690 0x32EDDA MySQL ISAM compressed data file Version 2

Bah! Nothing there either!

Next I tried to simply strings the file and the output was a lot easier to work with.

And what do you know, line 1337 *drumroll*:

1336: region perm unlocked
1337: region unlocked
1338: konami!
1339: UDDDUULR
1340: RLRLLRDU
1341: UUDDLRLR
1342: see if I don't!

Using these unlock codes in the button echo part of the application makes for unlocking the region temporarily or permanently or the text konami ;)

At this stage I was going to look further into it and decided to ask twitter:

To which I got a great answer:

Browsing to that link are some fantastic resources. At this stage however the HackerWarehouse team released the code for their badge ( https://github.com/hackerwarehouse/HW-DC25-Badge ) and you could see from reading the code that the ‘locked’ screens often just meant the code was not being run, rather than you needing to unlock the features.

-AM

Leave a Reply

Your email address will not be published. Required fields are marked *