Last july stood the DefCon18 at Las Vegas and I was lucky enough to be there with three friends of mine. As we registered to this event (140 bucks), we got some stickers and a DefCon18 CD and a nice shiny badge which is in fact a real circuit board with a mini-usb port, some leds and a cool LCD display. I was asking myself if there were a way to hack this little badge in order to make it display everything we want to, but I spent my time reversing the firmware source code to unlock the Ninja Party feature of this badge (I coded a short python keygen by the way). Anyway, I went to the Hardware Hacking Village (HHV) located in the sky boxes (near the Lockpicking Village) and met a lot of hardware hackers trying to hack some robots and other cool stuff. I asked a goon if he had any idea about how to flash the DefCon18 badge but he couldn't help, so I decided to figure it out by myself.
Joe Grand's PDF
I took my DefCon CD and decided to make a deep search in the dedicated DefCon18 badge folder it contains, and found a PDF about DefCon electronic badges designed by Joe Grand. This PDF contains all the necessary stuff to flash the badge, but some tricks were missing. I tried it the way it was explained, but I did not succeed. After many long minutes and a very grateful help from a dude, I eventually found the way to do this.
Before flashing this little toy, let's have a look at it:
Follow the guide
First of all, you need an USB to mini-usb adapter, in order to connect to the badge. You also need the correct drivers and install them on your computer. I found the correct drivers on the Internet but you are lucky, I put the installer right after this post. Oh, and remove the battery from the badge and be careful, many badges were broken at the HHV by some people who did not handle it with enough care.
Before connecting the badge to the USB port, press the two buttons of the badge simultaneously, and hold them while plugging the USB cable into your computer. If you did everything correctly, the badge would look like this:
Run an hyperterminal, and create a new connection on the newly appeared COMXX (the virtual COM port associated with the USB cable connected to the DefCon badge). If no COM port is visible you may have done something wrong. Configure the connection (9600 bps, 8 bits, parity:null, stop bits: 1, stream control: Xon/Xoff) and then click OK. Your connection is configured and now active. And now is the great moment, we are going to send the original firmware into the badge, and reset it. When I first try to send the firmware, I was doing it wrong because I was trying to send the firmware as a binary data, but in fact it is only text (great thanks to the dude who helped me on this), and all you have to do is only click the "Send Text File" submenu in the "Transfer" Menu and then select the firmware according to Joe Grand's PDF and click OK.
BUT (because there's always a but) the first try generally fails and you have to do it again and wait 30~ seconds to see the badge LEDs blinking. Once it's done, the badge would reset itself and launch the new firmware. I found a way to fix this up: if you save your connection and reload it from the hyperterminal, it would be ok the next time (no wait) and it would send it correctly on the first try.
I made a little screen cast as a reminder for many of you bored to read a long paragraph of extremely annoying phrases.
<object id="scPlayer" class="embeddedObject" width="635" height="675" type="application/x-shockwave-flash" data="http://content.screencast.com/users/Virtualabs/folders/Jing/media/08d8df84-57dd-4a8a-88f4-6ec7afc43fa9/jingswfplayer.swf" > <param name="movie" value="http://content.screencast.com/users/Virtualabs/folders/Jing/media/08d8df84-57dd-4a8a-88f4-6ec7afc43fa9/jingswfplayer.swf" /> <param name="quality" value="high" /> <param name="bgcolor" value="#FFFFFF" /> <param name="flashVars" value="thumb=http://content.screencast.com/users/Virtualabs/folders/Jing/media/08d8df84-57dd-4a8a-88f4-6ec7afc43fa9/FirstFrame.jpg&containerwidth=635&containerheight=675&content=http://content.screencast.com/users/Virtualabs/folders/Jing/media/08d8df84-57dd-4a8a-88f4-6ec7afc43fa9/Flashing_DefCon18_Badge.swf&blurover=false" /> <param name="allowFullScreen" value="true" /> <param name="scale" value="showall" /> <param name="allowScriptAccess" value="always" /> <param name="base" value="http://content.screencast.com/users/Virtualabs/folders/Jing/media/08d8df84-57dd-4a8a-88f4-6ec7afc43fa9/" /> </object>
(And yes it is all in french, but f*ck ya :)
All the necessary materials are provided at the end of this post (badge drivers, my custom firmware and Joe Grand's original firmware).
DefCon18 Ninja Badge
I managed to get one of those marvelous electronic geeky toys from the 650 released at the DefCon (well, I'm not going to give any deeper details about the way I got it, but say I just grabbed some juicy informations from an uncommon person present at this DefCon18 and submitted them to the Wall of Sheep crew ;), and here are some extra pictures of this ninja badge !
When caming back from vegas, I was thinking about how to flash this one, but it is not very easy and there is no goon in France able to explain me how to do this (and maybe I'm not a pure hardware hacker too). Nevermind, I'll try to do it later.
<center><embed type="application/x-shockwave-flash" src="http://picasaweb.google.com/s/c/bin/slideshow.swf" width="400" height="267" flashvars="host=picasaweb.google.com&hl=fr&feat=flashalbum&RGB=0x000000&feed=http%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi%2Fuser%2Fvirtualabs%2Falbumid%2F5514264346484685761%3Falt%3Drss%26kind%3Dphoto%26authkey%3DGv1sRgCIe9rYG-hs2hXg%26hl%3Dfr" pluginspage="http://www.macromedia.com/go/getflashplayer"></embed></center>