DEFCON 27 Badge Firmware Writeup
Michelle B's DEFCON 27 badge firmware writeup!
Firmware found here on the official Defcon site:
https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20badge/Firmware/
Note: the badges like to reset sometimes - this is not part of the challenge.
If this is happening to you, make sure your battery isn't touching anything else metal. It can short out if it touches metal.
Thread your lanyard cloth through to protect the battery.
OVERVIEW
--------
- You begin in "attract" state. This flashes out the letters "D", "E", "F", "C", "O", "N" in some unknown language.
We guessed maybe Braille, but that doesn't add up. It doesn't really matter, I guess!
- There are 6 levels: D, E, F, C, O, N. You must "pair" your badge with others' badges to move up in levels and complete the quest.
There are two steps to the game: Levels D-O (1-5) and then level N (6), which is different from the others.
SECOND NOTE: There is an alternate route where you can connect your badge to your computer via serial.
This is called "interactive mode" in the firmware. I don't cover it here since it doesn't seem to have any bearing on your
ability to complete this portion of the badge challenge. Let me know if I'm wrong.
Alternatively, you can probably figure out how to flash your own FW onto the device which will take you straight to win-town.
Also not covered here.
LEVELS
------
Here's what the levels will look like on your badge: an "x" means the cell is illuminated, a "-" means it's not.
LEVEL 0 (called the "attract" state; it means you haven't started. If you're unlucky, your badge might reset and kick you back to level 0.
This does not seem to be by design.)
In the "attract" state, the badge will sequence through all the levels.
LEVEL D:
- x
- x
- x
LEVEL E:
x -
x x
x -
LEVEL F:
x x
x -
x -
LEVEL C:
x -
x -
x -
LEVEL O:
x x
x x
x x
LEVEL N:
x x
x x
- -
WINNING:
Your LEDs will "sparkle" and will play the RickRoll song because of course it does.
There may be more stages to the challenge after this, but this is about all we can gather from the badge firmware.
LEVELING UP
-----------
STAGE 1: Levels D, E, F, C, O
To advance to the next level, you'll need to find someone carrying a "magic token" badge of each of the badge types listed below.
You won't know who is magic - you just have to keep trying.
EDIT: I've heard from a team member that the token badges look visually distinct. Tell me if it's true!
You need to pair with the FIVE following magic token badges.
There is no particular order you'll need to do it in.
If your badge reset due to unknown forces or removing the battery, alas, you must start over.
The five required types (with their color and how many of each were made) are:
1. Speaker (Blue, 375 of them)
2. Village (Orange, 250 of them)
3. Contest (Yellow, 250 of them)
4. Artist (Light Blue, 100 of them)
5. Goon (Red, 550 of them)
If the badge isn't magic, no dice, you will not progress to the next level. No idea how frequent magic tokens are.
You'll know you progressed to the next level because the badge will briefly flash the next letter and supposedly play a tune.
If not, nothing will happen. The badge will no longer flash like it did in "attract" mode.
You can check your progress at the "badge progress" station in the chillout lounge.
STAGE 2: Level N
Level N is similar to levels D-O, but without worrying about magic tokens. THESE BADGES DO NOT NEED TO BE MAGIC!
You'll need to pair your badge with the following in any order.
(NOTE: A previous version of this writeup said you have to tap them simultaneously. That's INACCURATE and a mistake on my part.
There's no temporal aspect - thank you Reddit user u/AdamskaOcelot for correcting me)
Human (or contest or artist or cfp or uber), Goon, Speaker, Vendor, Press, and Village badges.
No magic tokens in play here, just old-fashioned people wrangling. Here's how it works:
    /* Excerpt from the badge firmware: each received badge type sets one group bit. */
    switch (nxhRxPacket.type)
    {
        case HUMAN:
        case CONTEST:
        case ARTIST:
        case CFP:
        case UBER:
            group_flags |= FLAG_0_MASK;
            break;
        case GOON:
            group_flags |= FLAG_1_MASK;
            break;
        case SPEAKER:
            group_flags |= FLAG_2_MASK;
            break;
        case VENDOR:
            group_flags |= FLAG_3_MASK;
            break;
        case PRESS:
            group_flags |= FLAG_4_MASK;
            break;
        case VILLAGE:
            group_flags |= FLAG_5_MASK;
            break;
    }
After you complete this step, you'll... advance to the next stage somehow? Win?
Update: It's supposedly the last step. You win! Yay!
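To tie stage 1 and stage 2 together, here is an added C model of the pairing rules described above (my own example, not the badge firmware): stage 1 only advances on magic tokens of the five listed types, stage 2 ORs group bits exactly like the quoted switch, and winning means every group bit is set. The enum values, the mask values (bit n for FLAG_n_MASK), a "magic" flag on the received packet, and the level bookkeeping are all assumptions.

```c
/* Added example, not the badge firmware: mask values, the magic flag and the level bookkeeping are assumed. */
#include <stdbool.h>
#include <stdint.h>
enum badge_type { HUMAN, CONTEST, ARTIST, CFP, UBER, GOON, SPEAKER, VENDOR, PRESS, VILLAGE };
#define FLAG_0_MASK (1u << 0) /* human, contest, artist, cfp, uber */
#define FLAG_1_MASK (1u << 1) /* goon */
#define FLAG_2_MASK (1u << 2) /* speaker */
#define FLAG_3_MASK (1u << 3) /* vendor */
#define FLAG_4_MASK (1u << 4) /* press */
#define FLAG_5_MASK (1u << 5) /* village */
#define ALL_GROUPS 0x3Fu /* stage 2 done: all six groups paired */
#define ALL_MAGIC  0x1Fu /* stage 1 done: all five magic token types paired */

struct badge_state {
    uint8_t magic_seen;  /* stage 1 progress, one bit per magic token type */
    uint8_t group_flags; /* stage 2 progress, the group_flags word quoted above */
};
/* Stage 1 counts only the five magic token types; any other type is ignored. */
static uint8_t magic_mask(enum badge_type t) {
    switch (t) {
    case SPEAKER: return 1u << 0; case VILLAGE: return 1u << 1;
    case CONTEST: return 1u << 2; case ARTIST:  return 1u << 3;
    case GOON:    return 1u << 4; default:      return 0;
    }
}
/* Stage 2 grouping, the same as the switch quoted above. */
static uint8_t group_mask(enum badge_type t) {
    switch (t) {
    case GOON:    return FLAG_1_MASK; case SPEAKER: return FLAG_2_MASK;
    case VENDOR:  return FLAG_3_MASK; case PRESS:   return FLAG_4_MASK;
    case VILLAGE: return FLAG_5_MASK;
    default:      return FLAG_0_MASK; /* human, contest, artist, cfp, uber */
    }
}
/* Level on the LEDs: 0 = attract, 1..5 = D E F C O, 6 = N once every group bit is set. */
int badge_level(const struct badge_state *s) {
    int n = 0;
    for (uint8_t m = s->magic_seen; m; m >>= 1) n += m & 1u;
    return (n == 5 && s->group_flags == ALL_GROUPS) ? 6 : n;
}
/* Handle one received pairing packet; returns true only when progress changed. */
bool badge_rx(struct badge_state *s, enum badge_type type, bool magic) {
    bool stage1 = s->magic_seen != ALL_MAGIC;
    if (stage1 && !magic) return false;           /* stage 1 needs a magic token */
    uint8_t *word = stage1 ? &s->magic_seen : &s->group_flags;
    uint8_t before = *word;
    *word |= stage1 ? magic_mask(type) : group_mask(type);
    return *word != before;
}
```

A non-magic badge does nothing in stage 1, a duplicate type does nothing in either stage, and a reset (zeroing the struct) sends you back to attract, matching the writeup.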
ADDITIONAL FUNCTIONALITY UNLOCKED
Someone on Reddit (u/AdamskaOcelot) said
"I talked to Kingpin today and he told me that’s the last step. After getting the rick roll the badge has additional functionality"
Here's what you can do (this requires connecting via the serial interface):
1. Generate ASCII art. The default ASCII art is shown here (pastebin): https://pastebin.com/cBeNYZEW
You can replace "DC27" with a string of your choice via the test application.
2. Generate tones of your choice on the Piezo buzzer.
3. Modify the packets that your badge is sending.