
@reteps
Created August 16, 2022 00:08

Defcon Badge Writeup

Hello! I ended up reverse-engineering the badge to get the correct note sequence, get the correct codes for the friends, and flash a custom boot image to my badge. This short README covers the functions relevant to the challenges, plus the boot images.

Whoami

I'm an admin of SIGPwny, the cybersecurity club at the University of Illinois. We do CTFs and fun stuff! This year we had Minh present on Rick Rolling his high school, and an alum, Ravi, present on the PACMAN M1 attacks. This summer I was reverse-engineering and exploiting cellular modems.

Setup

To perform the analysis, I originally just downloaded the badge firmware files provided by @scuzz and @byte_how. Later, when I wanted to modify the firmware, I dumped my own.

If you are interested in dumping the firmware, you want to perform the following steps:

  1. Take off the front plate

  2. Turn off your badge, short J1, and turn it back on while connected over USB. This puts it in bootloader mode.

  3. Use picotool to dump your badge contents. This involves installing the PICO SDK and building picotool from source, which wasn't too difficult.

  4. Load the dump into Ghidra. Use the ARMv6/ARMv7 32-bit little-endian language (this is the architecture of the ARM Cortex chip used by the board), loaded at the offset reported by picotool info -a, 0x1000000.

Challenge 1

Challenge 1 checks that you played a sequence of notes correctly. There is a whole wiki about this, so this section is about the code that checks the note sequence. It was actually solved so fast that I only found the check after the challenge had already been solved by @Mintopia.

image

This corresponds to the following ASCII representation of the note sequence that needs to be played (NOTE that one note press appears to be equivalent to multiple symbols):

C@><>@C@><>@C@CE@EC@><C@><>@C@><>@>@C@CE@EGDB@

The code is pretty self-explanatory: it just waits until you have pressed N notes, then checks that those N notes are all correct. If so, a flag in memory is set marking the challenge as completed.

image

Challenge selection

After this success, the if/else branch changes to show Challenge 2. We can also verify that there are no more challenges by looking at the disassembly.

image

Challenge 2

This is the friends challenge. The check is rather simple:

image

Essentially, the function takes the user input as a string of digits. It then rotates the input digits once to the right and converts them to hex. Finally, the result is XORed with your badge ID and compared against some magic constants.

image

From here, a small Python script can be created to emulate this process:

badgeNum = 3675924015  # your badge ID (this one is the author's)

# Constants found at BASE + 0x297c in memory
# Used Ghidra ArmV6 LE:32 W/ Base address 0x10000000
lookup_table = {
  0xA5FA3B7F: 'alice',
  0xE35C2742: 'bob',
  0xBEC5CA0F: 'carol',
  0x87E35D46: 'dan',
  0x5ACD14F9: 'eve',
  0xABDE1FCF: 'trevor'
}

for secret, name in lookup_table.items():
  # badge ^ secret, zero-padded to 10 digits so leading zeros survive the rotation
  s = str(badgeNum ^ secret).rjust(10, '0')
  # rotate the padded digits once to get the code to enter for this friend
  print(name, s[-1] + s[:-1])
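
The same computation as a reusable module, generalised to any badge ID and paired with the reverse check so the generated codes can be verified offline. This is an added example, not the gist author's script or the badge firmware; the check is modelled as the exact inverse of the solver's transform (rotate the digits back, parse, XOR with the badge ID, look the result up), which is an assumption about the firmware rather than its decompiled code.

```python
# Friend-code helpers for the badge "friends" challenge (added example; not the
# firmware's code). ASSUMPTION: check_friend_code() is the inverse of the
# solver's transform, not a transcription of the firmware's check function.

# Magic constants from the writeup (found at BASE + 0x297c in the firmware)
LOOKUP_TABLE = {
    0xA5FA3B7F: 'alice',
    0xE35C2742: 'bob',
    0xBEC5CA0F: 'carol',
    0x87E35D46: 'dan',
    0x5ACD14F9: 'eve',
    0xABDE1FCF: 'trevor',
}

# Badge IDs and constants are 32-bit, so badge ^ secret always fits in 10 digits
CODE_LEN = 10


def rotate_right(digits: str) -> str:
    """Move the last digit to the front ('1234567890' -> '0123456789')."""
    return digits[-1] + digits[:-1]


def rotate_left(digits: str) -> str:
    """Inverse of rotate_right."""
    return digits[1:] + digits[0]


def friend_code(badge_id: int, secret: int) -> str:
    """Code to enter for one friend, computed as in the writeup's script.

    The zero padding matters: when badge_id ^ secret has fewer than 10 decimal
    digits, the leading zeros are part of the code and take part in the rotation.
    """
    if not 0 <= badge_id < 2**32:
        raise ValueError("badge ID must be a 32-bit value")
    s = str(badge_id ^ secret).rjust(CODE_LEN, '0')
    return rotate_right(s)


def all_friend_codes(badge_id: int) -> dict:
    """Map friend name -> code for a given badge ID."""
    return {name: friend_code(badge_id, secret) for secret, name in LOOKUP_TABLE.items()}


def check_friend_code(badge_id: int, code: str):
    """Reconstructed check (assumption, see above): undo the rotation, XOR with
    the badge ID and look the value up. Returns the friend's name or None."""
    if len(code) != CODE_LEN or not code.isdigit():
        return None
    value = int(rotate_left(code)) ^ badge_id
    return LOOKUP_TABLE.get(value)


if __name__ == '__main__':
    badge = 3675924015  # the writeup author's badge ID
    for name, code in all_friend_codes(badge).items():
        print(name, code, check_friend_code(badge, code))
```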

Further Hacking

A custom firmware boot image was my final goal. After identifying the function that prints images (it turns out it just sets bits in a buffer region),

image

I was able to identify the DEFCON image bitmap and dump it:

00000000000000000000000000000000011111111100000000000000000000000000000000000000
00000000000000000000000000000011111111111111100000000000000000000000000000000000
00000000000000000000000000001111111111111111111000000000000000000000000000000000
00000000000000000000000000111111111111111111111110000000000000000000000000000000
00000000000000000000000001111111111111111111111111000000000000000000000000000000
00000000000000000000000011111111111111111111111111100000000000000000000000000000
00000000000000000000000111111111111111111111111111110000000000000000000000000000
00000000000000000000001111111111111111111111111111111000000000000000000000000000
00000000000000000000011111111111111111111111111111111100000000000000000000000000
00000000000000000000011111111111111111111111111111111100000000000000000000000000
00000000000000000000111111111000011111111110000111111110000000000000000000000000
00000000000000000000111111110000001111111100000011111110000000000000000000000000
00000000000000000001111111100000000111111000000001111111000000000000000000000000
00000011110000000001111111100000000111111000000001111111000000000000000000000000
00000111111000000001111111100000000111111000000001111111000000000000000000000000
00001111111100000011111111110000001111111100000011111111100000000001100000000000
00001111111100000011111111111000011111111110000111111111100000000111111000000000
00001111111100000011111111111111111111111111111111111111100000001111111000000000
00001111111100000011111111111111111111111111111111111111100000001111111100000000
00001111111100000011111111111111111111111111111111111111100000001111111100000000
00000111111000000011111000011111111111111111111110000111100000001111111100000000
00111111111100000011111000011111111111111111111110000111100000001111111100000000
01111111111111000011111100111111111111111111111111001111100000000111111000000000
11111111111111100011111100111111111111111111111111001111100000001111111110000000
11111111111111111111111100111111111111111111111110011111000000011111111111100000
11111111111111111111111110011111111111111111111110011111000001111111111111100000
11111111111111111111111110011111111111111111111100111111000111111111111111110000
11111111111111111111111111001111111111111111111100111110011111111111111111110000
01111110001111111111111111100111111111111111111001111111111111111111111111110000
00111100000011111111111111100011111111111111110011111111111111111111111111110000
00000000000000111111111111110001111111111111000111111111111111111000011111100000
00000000000000001111111111111100011111111110001111111111111111100000011111000000
00000000000000000111111111111110000000000000111111111111111110000000000000000000
00000000000000000001111111111111110000000111111111111111111000000000000000000000
00000000000000000000011111111111111111111111111111111111100000000000000000000000
00000000000000000000000111111111111111111111111111111110000000000000000000000000
00000000000000000000000011111111111111111111111111111000000000000000000000000000
00000000000000000000000000111111111111111111111111100000000000000000000000000000
00000000000000000000000000001111111111111111111110000000000000000000000000000000
00000000000000000000000000000011111111111111001000000000000000000000000000000000
00000000000000000000000000000001111111111111100000000000000000000000000000000000
00000000000000000000000000000110011111111111111000000000000000000000000000000000
00000000000000000000000000011111100111111111111110000000000000000000000000000000
00000000000000000000000001111111111001111111111111100000000000000000000000000000
00000000000000000000000111111111111100011111111111111000000000000000000000000000
00000000000000000000011111111111111000001111111111111100000000000000000000000000
00000000000000000001111111111111100000000011111111111111000000000000000000000000
00000011110000000111111111111110000000000000111111111111110000001110000000000000
00000111111000011111111111111000000000000000001111111111111100011111100000000000
00000111111111111111111111100000000000000000000111111111111111111111100000000000
00001111111111111111111110000000000000000000000001111111111111111111100000000000
00001111111111111111111000000000000000000000000000011111111111111111100000000000
00001111111111111111100000000000000000000000000000000111111111111111100000000000
00000111111111111110000000000000000000000000000000000001111111111111100000000000
00000111111111111000000000000000000000000000000000000000111111111111000000000000
00000011111111110000000000000000000000000000000000000000001111110000000000000000
00000000011111100000000000000000000000000000000000000000000111111000000000000000
00000000011111110000000000000000000000000000000000000000001111111000000000000000
00000000111111110000000000000000000000000000000000000000001111111000000000000000
00000000111111110000000000000000000000000000000000000000001111111000000000000000
00000000111111110000000000000000000000000000000000000000001111111000000000000000
00000000011111110000000000000000000000000000000000000000000111111000000000000000
00000000011111100000000000000000000000000000000000000000000111110000000000000000
00000000001111000000000000000000000000000000000000000000000001100000000000000000

This script dumps all the friends as well:

from dataclasses import dataclass

def print_bitmap(bits, width, height):
  sequence = ''.join([bin(n)[2:].rjust(8, '0') for n in bits])

  for i in range(height):
    row = sequence[width*i:width*(i+1)]
    print(row)

@dataclass
class Friend:
  name: str
  size: int
  width: int
  height: int

# Define all friends and sizes
all_bytes = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x1f\x00\x3f\xdf\x3f\xc0\x7f\xff\xff\xc0\x7f\xff\xe3\xe0\xfc\xf3\xe1\xe0\xf9\xe1\xe0\xf0\xf1\xc0\xf0\xf0\xf1\x12\x30\xf0\xf1\x00\x10\xf8\xf1\x00\x10\xf8\xf1\x33\x20\x00\x00\x9e\x20\x00\x00\x4c\x40\x00\x00\x20\x80\x00\x00\x1f\x00\x00\x00\x09\x00\x00\x00\x09\x00\x00\x03\xf9\xf8\x00\x07\xe0\x7c\x00\x07\xf0\xfc\x00\x07\xff\xfc\x00\x07\xff\xfc\x00\x07\xff\xfc\x00\x07\xe4\xfc\x00\x07\xdb\x7c\x00\x07\xdf\x7c\x00\x04\xdf\x64\x00\x04\xee\xe4\x00\x04\xf5\xe4\x00\x04\xfb\xe4\x00\x04\xff\xe4\x00\x04\xff\xe4\x00\x04\xff\xe4\x00\x04\x24\x84\x00\x04\x24\x84\x00\x06\x66\x4c\x00\x03\xc0\x68\x00\x01\x00\x18\x00\x03\x00\x08\x00\x02\x04\x08\x00\x02\x04\x08\x00\x02\x04\x08\x00\x02\x0e\x08\x00\x02\x0a\x08\x00\x02\x0a\x08\x00\x02\x0a\x08\x00\x02\x0a\x08\x00\x03\xfb\xf8\x00\x1e\xfb\xee\x00\x1f\xfb\xff\x00\x1f\xfb\xff\x00\x1f\xf1\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\xe0\x1f\x00\x1e\xb0\x15\x7f\xfa\xb0\x35\xbf\xf8\x30\x30\x3f\xfc\x38\x70\xfc\xfe\x78\x79\x78\x7a\x78\x79\x70\x3e\x78\x79\x44\x8e\x7c\x79\x40\x06\x7c\x79\x40\x0e\x7c\x79\x4c\xca\x7c\x09\x67\x8a\x40\x09\x33\x1e\x40\x09\x18\x74\x40\x09\x8f\xc4\x40\x08\xc4\x8c\x40\x08\xe4\x9f\xc0\x05\xfc\xff\xc0\x07\xf8\x1f\xc0\x03\xfc\x3f\x80\x01\xff\xff\x80\x00\xff\xff\x00\x00\x3f\xfe\x00\x00\x39\x38\x00\x00\x36\xd8\x00\x00\x37\xd8\x00\x00\x37\xd8\x00\x00\x3b\xb8\x00\x00\x3d\x78\x00\x00\x3e\xf8\x00\x00\x3f\xf8\x00\x00\x3f\xf8\x00\x00\x3f\xf8\x00\x00\x2d\x28\x00\x00\x39\x28\x00\x00\x31\xb8\x00\x00\x20\x18\x00\x00\x60\x0c\x00\x00\x40\x04\x00\x00\x41\x04\x00\x00\x41\x04\x00\x00\x41\x04\x00\x00\x43\x84\x00\x00\x42\x84\x00\x00\x42\x84\x00\x00\xc2\x84\x00\x00\x82\x86\x00\x00\xfe\xfe\x00\x
07\xbe\xfb\x80\x07\xfe\xff\xc0\x07\xfe\xff\xc0\x07\xfc\x7f\xc0\x00\x30\x10\x00\x0c\x38\x30\x00\x06\x18\xe0\x00\x07\x9d\xe1\x80\x03\xdf\xc7\x80\x01\xff\xdf\x00\x01\xff\xfe\x00\x00\xff\xfc\x00\x00\x30\xf8\x00\x00\x20\xf0\x00\x00\x20\xe0\x00\x00\x28\xc0\x00\x00\x20\x40\x00\x00\xc3\x40\x00\x00\x81\x40\x00\x00\x73\x40\x00\x00\x60\x80\x00\x00\x20\x80\x00\x00\x20\x80\x00\x00\x19\x00\x00\x00\x0f\x00\x00\x00\x09\x00\x00\x00\x09\x00\x00\x03\x89\x00\x00\x06\xbf\x80\x00\x1d\xa9\xc0\x00\x31\x69\x40\x00\x21\x49\x40\x00\x61\x4f\x40\x00\x99\x4f\x40\x00\xfc\xc9\x40\x00\x04\xd9\x40\x00\x06\x73\x40\x00\x03\x06\x40\x00\x01\x9c\x40\x00\x00\x70\x40\x00\x00\x40\x40\x00\x00\xff\xe0\x00\x00\x93\x20\x00\x00\xd2\xa0\x00\x00\xb2\xf0\x00\x00\x9a\x70\x00\x01\x96\x10\x00\x01\x93\x18\x00\x01\xd2\xd8\x00\x03\x9a\x1c\x00\x02\x9e\x14\x00\x02\x93\x16\x00\x02\x92\x92\x00\x02\xf2\xf2\x00\x03\x9f\x1e\x00\x00\x09\x00\x00\x00\x09\x00\x00\x00\x09\x00\x00\x00\x09\x00\x00\x00\x09\x00\x00\x00\x1f\x80\x00\x00\x10\x80\x00\x00\x18\x80\x00\x00\x10\x80\x00\x00\x18\x80\x00\x03\xf0\x80\x00\x02\x00\x80\x00\x03\xff\x80\x00\x00\xc0\x00\x00\xc0\x00\x00\xe0\x00\x01\xe0\x00\x01\xe0\x00\x01\xf0\x00\x03\xf0\x00\x03\xf0\x00\x02\x10\x00\x04\x08\x00\x04\x08\x00\x0d\x2c\x00\x0c\x0c\x00\x0c\x0c\x00\x0c\x0c\x00\x05\x28\x00\x05\xe8\x00\x04\x08\x00\x06\x18\x00\x03\x30\x00\x01\xe0\x00\x00\xa0\x00\x00\xa0\x00\x01\xa0\x00\x0f\x3f\x00\x3b\x11\x00\x21\xf1\x80\x60\x00\x80\x40\x00\x80\xc1\x20\x80\xe9\x24\x80\xb8\x07\x80\x98\x04\x80\x9a\xa4\x80\x99\x54\x80\xd8\x05\x80\x58\x05\x00\x4f\xfd\x00\x6d\x49\x00\x35\x4b\x00\x3f\x4a\x00\x29\xce\x00\x29\x66\x00\x39\x77\x00\x79\x5d\x00\x6f\x46\x80\xeb\x47\xc0\xa9\xc4\xc0\xad\x64\xc0\xbf\x7e\xc0\xfb\xe7\xc0\x09\x24\x00\x09\x24\x00\x09\x24\x00\x09\x24\x00\x0f\x3c\x00\x1f\x3f\x00\x11\x21\x00\x19\x23\x00\x11\x21\x00\x79\x23\xc0\xc1\x20\x60\x81\x20\x20\xff\x3f\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x0f\x80\xb4\x00\x0e\x80\xb7\x80\x3a\xc0\x
b6\x80\x3a\x40\x81\x9e\x28\x40\x83\x7f\x30\x40\x8e\xff\x98\xc0\xc9\xe7\xec\x80\x4b\xe1\xe4\x80\x4b\xc0\xf4\x80\x4b\x00\xf4\x80\x4b\x22\x74\x80\x4b\x00\x74\x80\x4b\x00\x74\x80\x4b\x22\xf4\x80\x4b\x9c\xf4\x80\x4b\xc1\xf4\x80\x4b\xe3\xf4\x80\x4b\xe3\xfc\x80\x4f\xe3\xf8\x80\x46\x41\x10\x80\x66\x41\x10\x80\x22\x7f\x11\x80\x32\x00\x1b\x00\x1e\x00\x0e\x00\x0c\x00\x08\x00\x04\x00\x04\x00\x04\x00\x04\x00\x04\x00\x08\x00\x06\x00\x18\x00\x03\xff\xf0\x00\x01\x00\x10\x00\x01\x00\x10\x00\x01\x04\x10\x00\x01\x00\x10\x00\x01\x00\x10\x00\x03\xff\xfc\x00\x03\x84\x3c\x00\x07\x84\x1e\x00\x07\x86\x1e\x00\x07\x80\x1e\x00\x07\x80\x1f\x00\x0c\x00\x01\x00\x08\x00\x01\x80\x1e\x00\x07\x80\x1e\x00\x07\xc0\x1e\x02\x07\xc0\x3e\x07\x07\xc0\x3e\x05\x07\xe0\x3e\x0d\x80\x20\x60\x08\x80\x30\x40\x18\xc0\x10\x40\x10\x40\x10\x7f\xf0\x7f\xf0\x30\x30\x30\x60\xff\xf0\x3f\xf8\xff\xe0\x1f\xf8\x7f\xc0\x0f\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x7f\x00\x00\x00\xff\x80\x00\x01\xf7\xe0\x00\x03\xe3\xe0\x00\x03\xc0\xf0\x00\x07\x00\xf0\x00\x07\x22\x70\x00\x07\x00\x70\x00\x07\x00\x70\x00\x07\x22\xf0\x00\x07\x9c\xf0\x00\x07\xc1\xf0\x00\x07\xe3\xf0\x00\x07\xe3\xf0\x00\x00\x22\x00\x00\x0f\xe3\xfc\x00\x3a\x41\x27\x00\x62\x7f\x21\x00\x42\x00\x39\x80\x46\x00\x08\x80\x46\x00\x0c\x80\x4c\x00\x04\xc0\x4c\x00\x06\x40\x4c\x00\x0e\x40\x4e\x00\x1a\x40\x4b\xff\xf2\x40\x49\xff\xf2\x40\x4d\x00\x12\x40\x45\x04\x12\x40\x47\x00\x12\x40\x63\x00\x12\x40\x23\xff\xf2\x40\x31\x84\x36\x40\x19\x84\x3c\xc0\x09\x86\x39\x80\x0c\x80\x39\x00\x07\x80\x1f\x00\x0c\x00\x01\x00\x08\x00\x01\x80\x1e\x00\x07\x80\x1e\x00\x07\xc0\x1e\x02\x07\xc0\x3e\x07\x07\xc0\x3e\x05\x07\xe0\x3e\x0d\x80\x20\x60\x08\x80\x30\x40\x18\xc0\x10\x40\x10\x40\x10\x7f\xf0\x7f\xf0\x20\x30\x30\x20\xff\xf0\x3f\xf8\xff\xe0\x1f\xf8\x7f\xe0\x1f\xf8\x00\x19\x34\x53\x6c\x02\x00\x1e\x34\x50\x6a\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
40\x40\x40\x40\x40\x0b\x40\x40\x40\x40\x40\x0b\x20\x20\x20\x20\x18\x18\x20\x18\x20\x20\x18\x20\x00\xfe\x00\x00\x03\x83\x80\x00\x06\x00\xc0\x00\x0e\xfc\x40\x00\x0f\xff\xe0\x00\x0f\xff\xe0\x00\x0f\xff\xc0\x00\x08\xcc\x40\x00\x08\x00\xc0\x00\x0c\x00\xc0\x00\x0f\xff\xc0\x00\x0f\xff\xc0\x00\x0f\x39\xc0\x00\x0f\x83\xc0\x00\x07\xff\xc0\x00\x03\xff\x80\x00\x03\xff\x80\x00\x01\xff\x00\x00\x7f\xff\xf0\x00\x61\xfe\x18\x00\xc0\xfe\x0c\x00\x80\xfe\x04\x00\x80\xfc\x06\x00\x80\x00\x02\x00\x80\x7c\x02\x00\x84\x44\x02\x00\x8c\x82\x62\x00\x8c\xaa\x62\x00\xfc\x82\x7e\x00\xcf\xc7\xe2\x00\x8c\xfe\x62\x00\xcc\x7c\x62\x00\x44\x3c\x62\x00\x44\xe6\x62\x00\x44\x83\x62\x00\x46\x00\x66\x00\x62\x00\x44\x00\x23\x00\x8c\x00\x31\xff\x88\x00\x11\xef\x18\x00\x11\xef\x10\x00\x09\xef\x90\x00\x1f\xe3\xf0\x00\x1f\xff\xf8\x00\x1f\xff\xfc\x00\x1f\xff\xfc\x00\x3f\xff\xfe\x00\x3f\xfb\xfe\x00\x3f\xf3\xff\x00\x7f\xf3\xff\x00\x7f\xf3\xff\x80\x7f\xf3\xff\x80\x08\x80\x44\x00\x08\x80\x44\x00\x08\x80\x44\x00\x08\x80\x44\x00\x0f\x80\x7c\x00\x08\x80\x44\x00\x0c\x80\x4c\x00\x3c\x80\x4f\x80\xe0\x80\x40\xc0\x80\x80\x40\x40\x80\x80\x40\x40\xff\x80\x7f\xc0\xf0\x1f\xc0\xfe\xb6\x70\x73\xaa\xbe\xc0\x3a\x02\xab\xdf\x89\x02\x87\xff\xfd\x84\xc5\xff\xfc\x84\x45\xff\xf8\x84\x45\x19\x88\x8c\x45\x00\x18\x88\x45\x80\x19\x88\x45\xff\xf9\x08\x45\xff\xf9\x08\x45\xe7\x39\x18\x47\xf0\x79\x10\x42\xff\xfb\x10\x42\x7f\xf2\x30\x43\x7f\xf2\x20\x41\x3f\xf7\x20\x43\xff\xfd\x20\x24\x3f\xe1\xe0\x2c\x1f\xc0\x40\x30\x1f\xc0\x40\x10\x1f\x80\xc0\x08\x00\x00\x80\x04\x0f\x81\x80\x04\x88\x83\x00\x03\x98\xc6\x00\x00\x95\x44\x00\x00\x90\x44\x00\x00\xf8\xf4\x00\x00\xbf\xe4\x00\x00\x8f\x84\x00\x00\x87\x84\x00\x00\x9c\xc4\x00\x00\x90\x64\x00\x00\x80\x04\x00\x00\x80\x04\x00\x00\x80\x04\x00\x00\xff\xfc\x00\x00\xdd\xdc\x00\x01\xdd\xde\x00\x03\xdd\xde\x00\x02\x1c\x47\x00\x03\xff\xff\x00\x03\xff\xff\x80\x03\xff\xff\x80\x07\xff\xff\xc0\x07\xff\x7f\xe0\x07\xfe\x7f\xe0\x0f\xfe\x7f\xe0\x0f\xfe\x7f\xf0\x0f\xfe\x7f\xf0\x01\x10\x08\x80\x01\x10\x08\x80\x01\x10\x08\x80\x
01\x10\x08\x80\x01\xf0\x0f\x80\x01\x10\x08\x80\x01\x90\x09\x80\x07\x90\x09\xf0\x1c\x10\x08\x18\x10\x10\x08\x18\x10\x10\x08\x08\x1f\xf0\x0f\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3c\x00\x00\x7e\x00\x00\xff\x00\x00\xbf\x80\x01\x3f\x80\x01\x5f\xc0\x01\x0d\xc0\x02\x15\xc0\x02\x04\xc0\x01\x4c\xc0\x01\xc0\x80\x01\x00\x80\x00\x81\x00\x00\x42\x00\x0f\x3c\x00\x1f\x14\x00\x7b\x14\x00\xf3\x17\x00\xc3\x3f\x00\xc3\x7f\x80\xc3\x7f\x80\xc3\x6d\x80\xc3\xed\x80\xc6\xed\x80\xcd\x73\x80\xda\xf3\x80\xf5\x03\x80\xeb\x07\x80\xff\x7f\x80\x07\xff\x80\x00\x7f\x80\x00\x40\x80\x00\x7f\x80\x00\xff\xc0\x00\xaa\xc0\x00\xd5\x40\x01\xaa\xc0\x01\x55\x60\x01\xaa\xa0\x03\x55\x60\x02\xaa\xa0\x03\xff\xe0\x03\xff\xe0\x00\x1e\x00\x00\x12\x00\x00\x12\x00\x00\x12\x00\x00\x33\x00\x00\x3f\x00\x00\x21\x00\x00\x31\x00\x00\x21\x00\x01\xf1\x00\x01\x01\x00\x01\x01\x00\x01\x01\x00\x01\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3c\x00\x00\x7e\x00\x00\xff\x00\x01\xc3\x80\x01\x81\x80\x03\x00\xc0\x02\x24\x40\x02\x00\x40\x02\x00\x40\x01\x00\x40\x01\x66\x80\x01\x3c\x80\x01\x81\x80\x00\xff\x00\x00\x14\x00\x00\x14\x00\x00\xf7\xc0\x7b\xc0\xf0\xcb\xc1\xf0\x8f\xe1\xf8\x8b\xf3\xf8\x83\xff\xf8\x87\xff\xf8\xcf\xff\xf8\x4c\xff\x88\x64\xff\x88\x20\xff\x98\x31\xff\x90\x1b\xff\x90\x0e\xff\x90\x00\xff\xa0\x00\x80\xa0\x01\xff\xa0\x01\x55\x40\x01\xaa\xc0\x01\x55\x60\x02\xaa\xa0\x03\x55\x50\x02\xaa\xb0\x07\x55\x58\x06\xaa\xa8\x05\x55\x5c\x0e\xaa\xac\x0f\xff\xfc\x00\x4a\x40\x00\x4a\x40\x00\x4a\x40\x00\xfb\xe0\x00\xca\x60\x00\xca\x60\x00\xca\x60\x01\xca\x30\x03\x0a\x18\x06\x0a\x08\x04\x0a\x08\x04\x0a\x08\x07\xfb\xf8\x00\x00\x21\x00\x00\x23\x00\x00\x3e\x07\xff\x66\x7c\xc3\xe6\xc1\x80\xfc\xe7\x07\x80\x3c\x7d\x00\x0f\xc9\x80\x00\x8c\x00\x00\xc0\x00\x00\x00\x00\x00\x01\x80\x00\x00\x00\xf3\xc0\x00\x00\x3e\x00\x07\xff\x66\x00\x7c\xc3\xe6\x00\xc1\x80\xfc\x00\xe7\x07\x80\x00\x3c\x7c\x00\x00\x0f\xc8\x00\x00\x08\x48\x00\x00\x0e\x6c\x00\x00'
friends = [
  Friend("", 256, 0x20, 0x40), # 1A
  Friend("", 256, 0x20, 0x40), # 1B
  Friend("", 256, 0x20, 0x40), # 2A
  Friend("", 192, 0x18, 0x40), # 2B
  Friend("", 256, 0x20, 0x40), # 3A
  Friend("", 256, 0x20, 0x40), # 3B
  Friend("", 12*4, 0, 0), # Skip, contains dimension info for friends
  Friend("", 256, 0x20, 0x40), # 4A
  Friend("", 256, 0x20, 0x40), # 4B
  Friend("", 192, 0x18, 0x40), # 5A
  Friend("", 192, 0x18, 0x40), # 5B
  Friend("", 36, 0x18, 0x0b), # 6A
  Friend("", 44, 0x20, 0x0b), # 6B
]

# Print Defcon logo
defcon_bits = '00 00 00 00 7f c0 00 00 00 00 00 00 00 03 ff f8 00 00 00 00 00 00 00 0f ff fe 00 00 00 00 00 00 00 3f ff ff 80 00 00 00 00 00 00 7f ff ff c0 00 00 00 00 00 00 ff ff ff e0 00 00 00 00 00 01 ff ff ff f0 00 00 00 00 00 03 ff ff ff f8 00 00 00 00 00 07 ff ff ff fc 00 00 00 00 00 07 ff ff ff fc 00 00 00 00 00 0f f8 7f e1 fe 00 00 00 00 00 0f f0 3f c0 fe 00 00 00 00 00 1f e0 1f 80 7f 00 00 00 03 c0 1f e0 1f 80 7f 00 00 00 07 e0 1f e0 1f 80 7f 00 00 00 0f f0 3f f0 3f c0 ff 80 18 00 0f f0 3f f8 7f e1 ff 80 7e 00 0f f0 3f ff ff ff ff 80 fe 00 0f f0 3f ff ff ff ff 80 ff 00 0f f0 3f ff ff ff ff 80 ff 00 07 e0 3e 1f ff ff 87 80 ff 00 3f f0 3e 1f ff ff 87 80 ff 00 7f fc 3f 3f ff ff cf 80 7e 00 ff fe 3f 3f ff ff cf 80 ff 80 ff ff ff 3f ff ff 9f 01 ff e0 ff ff ff 9f ff ff 9f 07 ff e0 ff ff ff 9f ff ff 3f 1f ff f0 ff ff ff cf ff ff 3e 7f ff f0 7e 3f ff e7 ff fe 7f ff ff f0 3c 0f ff e3 ff fc ff ff ff f0 00 03 ff f1 ff f1 ff ff 87 e0 00 00 ff fc 7f e3 ff fe 07 c0 00 00 7f fe 00 0f ff f8 00 00 00 00 1f ff c0 7f ff e0 00 00 00 00 07 ff ff ff ff 80 00 00 00 00 01 ff ff ff fe 00 00 00 00 00 00 ff ff ff f8 00 00 00 00 00 00 3f ff ff e0 00 00 00 00 00 00 0f ff ff 80 00 00 00 00 00 00 03 ff f2 00 00 00 00 00 00 00 01 ff f8 00 00 00 00 00 00 00 06 7f fe 00 00 00 00 00 00 00 1f 9f ff 80 00 00 00 00 00 00 7f e7 ff e0 00 00 00 00 00 01 ff f1 ff f8 00 00 00 00 00 07 ff e0 ff fc 00 00 00 00 00 1f ff 80 3f ff 00 00 00 03 c0 7f fe 00 0f ff c0 e0 00 07 e1 ff f8 00 03 ff f1 f8 00 07 ff ff e0 00 01 ff ff f8 00 0f ff ff 80 00 00 7f ff f8 00 0f ff fe 00 00 00 1f ff f8 00 0f ff f8 00 00 00 07 ff f8 00 07 ff e0 00 00 00 01 ff f8 00 07 ff 80 00 00 00 00 ff f0 00 03 ff 00 00 00 00 00 3f 00 00 00 7e 00 00 00 00 00 1f 80 00 00 7f 00 00 00 00 00 3f 80 00 00 ff 00 00 00 00 00 3f 80 00 00 ff 00 00 00 00 00 3f 80 00 00 ff 00 00 00 00 00 3f 80 00 00 7f 00 00 00 00 00 1f 80 00 00 7e 00 00 00 00 00 1f 00 00 00 3c 00 00 00 00 00 06 00 00'
print_bitmap(bytes.fromhex(defcon_bits), 0x50, 0x40)
print()

# Print all friends
offset = 0
for friend in friends:
  if friend.width == 0:
    continue
  print(f"--------------")
  print_bitmap(all_bytes[offset:offset+friend.size], friend.width, friend.height)

  offset += friend.size

Finally, I needed to modify this bitmap. I took our club logo, a cyber-looking horse head, and converted it to this bitmap format. Then, I wrote it into a modified copy of the firmware.

from PIL import Image
'''
Convert image to bitmap, and flash firmware
'''
width = 0x50
height = 0x40
# Image.ANTIALIAS (used originally) is an alias of LANCZOS and was removed in Pillow 10.
# convert('RGBA') makes getpixel() return 4-tuples regardless of the source image mode.
img = Image.open('pwny7-dark.png').convert('RGBA').resize((width, height), Image.LANCZOS)

# Create bit sequence: a fully opaque black pixel is 0, anything else is 1
seq = ''
for j in range(height):
  for i in range(width):
    bit = img.getpixel((i, j))
    if bit == (0, 0, 0, 255):
      seq += '0'
    else:
      seq += '1'

# Print pixel map
for i in range(height):
  row = seq[width*i:width*(i+1)]
  print(row)

# Convert bit sequence to bytes (8 pixels per byte, most significant bit first)
assert len(seq) == width * height
logo_bytes = bytearray(int(seq[i : i + 8], 2) for i in range(0, len(seq), 8))
assert len(logo_bytes) == width * height // 8

file = 'firmware.bin'

# Write logo over defcon logo
with open(file, 'rb') as f:
  firmware = bytearray(f.read())
logo_base = 0x13d24
logo_size = width * height // 8
for i in range(logo_size):
  firmware[logo_base + i] = logo_bytes[i]

# Write patched firmware to file
with open('firmware_new.bin', 'wb') as f:
  f.write(firmware)
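
The badge's image format, as reconstructed from print_bitmap and the patching script above, is 1 bit per pixel, row-major, 8 pixels per byte with the most significant bit first, and no header. The following added example (mine, not the gist author's code or the badge firmware) packs and unpacks that format, checks it against the first row of the DEFCON logo as dumped above, and patches an image into a firmware blob only after verifying the region size and bounds; the logo offset and dimensions are the writeup's values, the firmware in the test is a constructed all-zero buffer.

```python
# 1-bpp bitmap helpers for the badge image format (added example, not the
# gist author's code). Offsets and sizes below come from the writeup.

WIDTH, HEIGHT = 0x50, 0x40   # DEFCON logo dimensions from the writeup
LOGO_BASE = 0x13d24          # where the logo lives in the dumped firmware

# First row of the DEFCON logo in both forms shown in the writeup
ROW0_ASCII = '0' * 33 + '1' * 9 + '0' * 38
ROW0_HEX = '00 00 00 00 7f c0 00 00 00 00'


def pack_rows(rows):
    """ASCII rows of '0'/'1' -> packed bytes (8 pixels per byte, MSB first)."""
    width = len(rows[0])
    if width % 8 or any(len(r) != width or set(r) - {'0', '1'} for r in rows):
        raise ValueError("rows must be equal length, a multiple of 8, and only 0/1")
    bits = ''.join(rows)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def unpack_rows(data, width, height):
    """Packed bytes -> list of ASCII rows; the inverse of pack_rows."""
    if len(data) != width * height // 8:
        raise ValueError(f"expected {width * height // 8} bytes, got {len(data)}")
    bits = ''.join(f'{b:08b}' for b in data)
    return [bits[width * i:width * (i + 1)] for i in range(height)]


def patch_image(firmware, base, new_image, width, height):
    """Return a copy of firmware with the image at `base` replaced.

    The firmware addresses its bitmaps by fixed offset, so the replacement must
    be exactly the same size; writing past the end of the file is refused too.
    """
    size = width * height // 8
    if len(new_image) != size:
        raise ValueError(f"image must be exactly {size} bytes, got {len(new_image)}")
    if base < 0 or base + size > len(firmware):
        raise ValueError("image region lies outside the firmware")
    patched = bytearray(firmware)
    patched[base:base + size] = new_image
    return patched


if __name__ == '__main__':
    print(pack_rows([ROW0_ASCII]).hex(' '))  # 00 00 00 00 7f c0 00 00 00 00
```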

After flashing it to my board with:

picotool load firmware_new.bin

I got a custom boot image!

IMG_1771

Thanks for reading!
