Defcon 21 Badge

We started looking at the Defcon 21 badge today and noticed the sequence of numbers on the back of each badge is different.

I got the 7 (defcon) badge, and a friend got the King (Disk). We assume there are four suits.

The numbers:

  • 7 (Defcon) 05020707212205071818011614011518190801
  • King (Disk) 050207072122571818010305021514152512220601070522202107

Since all the numbers were below 26, we assumed it was some sort of ROT. This is similar to the data that was on the ring of the main entrance at Defcon 20.

Writing a quick tool, we got the following output:

7 (Defcon)

Rot 8: NKPPDENPAAJYWJXABQJ
Rot 9: OLQQEFOQBBKZXKYBCRK
Rot 10: PMRRFGPRCCLAYLZCDSL
Rot 11: QNSSGHQSDDMBZMADETM
    Rot 12: ROTTHIRTEENCANBEFUN
Rot 13: SPUUIJSUFFODBOCFGVO
Rot 14: TQVVJKTVGGPECPDGHWP
Rot 15: URWWKLUWHHQFDQEHIXQ
Rot 16: VSXXLMVXIIRGERFIJYR

King (Disk)

Rot 8: NKPPDENAAJLNKXWXHUEOJPNECDP
Rot 9: OLQQEFOBBKMOLYXYIVFPKQOFDEQ
Rot 10: PMRRFGPCCLNPMZYZJWGQLRPGEFR
Rot 11: QNSSGHQDDMOQNAZAKXHRMSQHFGS
    Rot 12: ROTTHIREENPROBABLYISNTRIGHT
Rot 13: SPUUIJSFFOQSPCBCMZJTOUSJHIU
Rot 14: TQVVJKTGGPRTQDCDNAKUPVTKIJV
Rot 15: URWWKLUHHQSUREDEOBLVQWULJKW
Rot 16: VSXXLMVIIRTVSFEFPCMWRXVMKLX

I’m not sure what to make of it yet. Need to gather the data from a couple other badges first.

::UPDATE::

After posting this I stumbled on some data someone else posted. https://github.com/john-defcon/badge/blob/master/result.txt I’m not sure if it’s all the badges, but it’s a big set of them.

Putting each badge in order by its 3-digit binary value, you get a couple of phrases:

The first is the last in the real order the first is the last be exclusive or has it registered that tap at zero and one will be all the feedback you need in the real order.

  • Dial 000 Q THEFIRSTISTHELAST
  • Dial 001 A INTHEREALORDERTHE
  • Dial 010 J FIRSTISTHELASTBEE
  • Dial 011 5 XCLUSIVEORHASITRE
  • Dial 100 7 GISTEREDTHATTAPAT
  • Dial 101 K ZEROANDONEWILLBEA
  • Dial 110 2 LLTHEFEEDBACKYOUN
  • Dial 111 10 EEDINTHEREALORDER

The sky will clear up not in black and white but shade of the bits help you turn this key x.

  • Key 000 2 THESKYSWI
  • Key 001 7 LLCLEARUP
  • Key 010 K NOTINBLAC
  • Key 011 J KANDWHITE
  • Key 100 5 BUTSHADEO
  • Key 101 10 FTHEBITSH
  • Key 110 A ELPYOUTUR
  • Key 111 Q NTHISKEYX

Rot thirteen probably isn’t right but this is fun right though his mind is not for rent don’t put him down as arrogant his reserve a quiet defense riding out the days events catch the mist catch the myth catch the mystery catch the drife.

  • Disk 000 K ROTTHIRTEENPROBABLYISNTRIGHT
  • Disk 001 7 BUTTHISISFUNRIGHT
  • Disk 010 10 THOUGHHISMINDISNOTFORRENT
  • Disk 011 A DONTPUTHIMDOWNASARROGANT
  • Disk 100 5 HISRESERVEAQUIETDEFENSE
  • Disk 101 Q RIDINGOUTTHEDAYSEVENTS
  • Disk 110 J CATCHTHEMISTCATCHTHEMYTH
  • Disk 111 2 CATCHTHEMYSTERYCATCHTHEDRIFE

Rot thirteen can be fun but sometimes leads astray try something else and you will see that finding answers may take you down paths not often repeated not all who wander are lost.

  • Skull 000 7 ROTTHIRTEENCANBEFUN
  • Skull 001 10 BUTSOMETIMESLEADSASTRAY
  • Skull 010 5 TRYSOMETHINGELSE
  • Skull 011 2 ANDYOUWILLSEE
  • Skull 100 Q THATFINDINGANSWERS
  • Skull 101 J MAYTAKEYOUDOWN
  • Skull 110 K PATHSNOTOFTENREPEATED
  • Skull 111 A NOTALLWHOWANDERARELOST

I’m still not sure what the other symbols mean yet: Pi, e, LFSR, and whatever the last one is.
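Here is a small Python version of the "quick tool" described above, plus the 3-bit reordering used for the phrases. It is an added example, not the tool we actually ran; the two digit strings and the Skull fragments are copied from this post, and the zero-based A=0 mapping is what reproduces the Rot 12 rows shown above.

```python
# Added example (not the blog's tool): brute-force the letter shift on the
# Defcon 21 badge digit strings and reassemble the Skull fragments by their
# 3-bit labels. Digit strings and fragments are copied from the post above.
from string import ascii_uppercase

# Digit strings from the back of the "7 (Defcon)" and "King (Disk)" badges.
BADGE_7 = "05020707212205071818011614011518190801"
BADGE_KING = "050207072122571818010305021514152512220601070522202107"

# Skull fragments keyed by their 3-bit dial position (from the post's table).
SKULL = {
    "000": "ROTTHIRTEENCANBEFUN",
    "001": "BUTSOMETIMESLEADSASTRAY",
    "010": "TRYSOMETHINGELSE",
    "011": "ANDYOUWILLSEE",
    "100": "THATFINDINGANSWERS",
    "101": "MAYTAKEYOUDOWN",
    "110": "PATHSNOTOFTENREPEATED",
    "111": "NOTALLWHOWANDERARELOST",
}


def pairs_to_indices(digits):
    """Split "0502..." into [5, 2, ...]; each two-digit pair is one letter."""
    if len(digits) % 2:
        raise ValueError("digit string must have an even length")
    return [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]


def rot(indices, shift):
    """Map each number to a letter (A=0, zero-based) and shift it mod 26.

    Zero-based indexing is what reproduces the post's Rot 12 rows; the
    modulo also folds the out-of-range 57 in the King string onto a letter,
    which matches the row the post shows for that badge.
    """
    return "".join(ascii_uppercase[(n + shift) % 26] for n in indices)


def brute_force(digits, shifts=range(26)):
    """Return {shift: candidate plaintext} for every shift tried."""
    idx = pairs_to_indices(digits)
    return {s: rot(idx, s) for s in shifts}


def find_shift(digits, crib):
    """Return the first shift whose output contains `crib`, else None."""
    for s, text in brute_force(digits).items():
        if crib in text:
            return s
    return None


def assemble(fragments):
    """Concatenate fragments in the numeric order of their binary labels."""
    order = sorted(fragments, key=lambda label: int(label, 2))
    return "".join(fragments[label] for label in order)


if __name__ == "__main__":
    for s, text in brute_force(BADGE_7, range(8, 17)).items():
        print(f"Rot {s}: {text}")
    print("shift containing THIRTEEN:", find_shift(BADGE_7, "THIRTEEN"))
    print(assemble(SKULL))
```

The crib search is the shortcut: once one badge yields a readable word at a shift, the same shift is applied to the rest, and the badges of one symbol are sorted by dial position and joined.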

ITB-100HD Time Lapse

A friend and I spent some time playing around with FFMPEG today, and put together a sweet little time lapse video using about 14 hours of footage. After trimming out frames it compressed down to about 25 minutes.

If anyone is interested in doing this yourself I’ll post details about the process, and can provide a tool to make it much easier.

ITB-100SP MPH Hack

Itronics ITB-100HD SP Smart Plus

A forum user requested that the MPH modification be made to the ITB-100SP firmware for the newer device. I spent some time on it last night and have a working version for anyone interested.

http://yakhack.com/downloads/itb100spfw.bin (itb100spfw.bin v1.0)

itb-100sp Running MPH Hack

I’ll add details about how I did it when I get some time.

ITB-100HD MPH Hack *Update*

It turns out that the branch that I removed in the original ITB-100HD MPH hack was not what I thought it was. It was actually a check to see if the GPS had received a signal yet. Removing it caused problems: the string that prints the speed would get all messed up and overwrite itself.

I went back to the drawing board armed with a little more skill and came up with a pretty standard solution to the problem. I decided to try my hand at jumping to another area in the code, doing my conversion and then jumping back. I found a couple test functions that had no callers and figured that they would probably be a good place to start.

I already had the code I wanted to run, so it was easy to just stomp over the newly claimed test function. The harder part was figuring out how to branch correctly to end up with the results I wanted. I knew branch with link (BL) was the way to go, but had no idea how to determine the offset of the branch. After looking around online it turns out it’s not as hard as I thought.

First you take the target address and subtract from it the address of the branch instruction + 8 (to account for the pipeline prefetch), then shift that right by 2; that’s the offset value encoded in the instruction.
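As an added example (not the firmware’s code or anything out of IDA), here is that calculation in Python, together with the inverse so you can check a word before writing it, and a small patcher that writes little-endian words into the image only after verifying the bytes it is about to replace. The branch site 0x25F1C is the start of the code space the original hack claimed; the target address and the image bytes are made-up values.

```python
# Added example (not the firmware's code or IDA output): compute the ARM
# "branch with link" (BL) offset the way the post describes, encode/decode
# the instruction word, and patch little-endian words into a firmware image
# with a check on the bytes being replaced. The branch site 0x25F1C is the
# start of the code space the original hack claimed; the target address and
# the sample image bytes are made-up values for illustration.
import struct

BL_OPCODE = 0x0B000000          # bits 27..24 = 1011 (BL); cond sits in bits 31..28
COND_AL = 0xE                   # condition "always"


def bl_offset(branch_addr, target_addr):
    """(target - (branch + 8)) >> 2: the 8 accounts for the pipeline prefetch
    (PC reads two instructions ahead); >> 2 because ARM instructions are
    word-aligned, so the 24-bit field counts words, not bytes."""
    if branch_addr % 4 or target_addr % 4:
        raise ValueError("ARM (non-Thumb) addresses must be word-aligned")
    words = (target_addr - (branch_addr + 8)) >> 2
    if not -(1 << 23) <= words < (1 << 23):
        raise ValueError("target out of BL range (+/-32 MB)")
    return words


def encode_bl(branch_addr, target_addr, cond=COND_AL):
    """32-bit ARM instruction word for `BL target` placed at branch_addr."""
    imm24 = bl_offset(branch_addr, target_addr) & 0xFFFFFF
    return (cond << 28) | BL_OPCODE | imm24


def decode_bl(word, branch_addr):
    """Recover the target from a BL word (sign-extends the 24-bit field)."""
    if (word >> 24) & 0xF != 0xB:
        raise ValueError("not a BL instruction")
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 1 << 24
    return branch_addr + 8 + (imm24 << 2)


def patch_bytes(image, offset, new, expect=None):
    """Overwrite bytes in a bytearray without changing its size, optionally
    verifying the original bytes first (catches a wrong file offset)."""
    old = bytes(image[offset:offset + len(new)])
    if len(old) != len(new):
        raise ValueError("patch runs past end of image")
    if expect is not None and old != expect:
        raise ValueError(f"unexpected bytes at {offset:#x}: {old.hex()}")
    image[offset:offset + len(new)] = new
    return old


def patch_words(image, offset, words, expect=None):
    """Write 32-bit words little-endian, the byte order ARM firmware uses
    (writing them big-endian is the "wrong order" mistake)."""
    raw = b"".join(struct.pack("<I", w) for w in words)
    return patch_bytes(image, offset, raw, expect)


if __name__ == "__main__":
    site, target = 0x25F1C, 0x30000          # target is hypothetical
    word = encode_bl(site, target)
    print(f"BL at {site:#x} -> {target:#x}: offset {bl_offset(site, target):#x}, "
          f"word {word:#010x}, round trip {decode_bl(word, site):#x}")
    image = bytearray(b"\x00" * 0x20)        # constructed stand-in for the firmware
    patch_words(image, 0x10, [word], expect=b"\x00" * 4)
    print(image[0x10:0x14].hex())            # low byte first in the file
```

Running decode_bl over the word you just produced is the same check as reloading the image in IDA, just cheaper, and the expect argument stops a patch from landing on the wrong bytes if the file offset and the load address drift apart.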

After a few iterations and running it through IDA to make sure I got what I wanted, I was able to build a 100% working MPH firmware that no longer had strange behavior prior to GPS ready.

I also think I’ve learned quite a bit doing all this and look forward to tackling a couple other improvements. Some folks have requested an increase in the bitrate, but I’m not sure I want to run such a firmware on my camera.

http://yakhack.com/downloads/itb100hdfw.bin  (itb100hdfw.bin v2.1)

ITB-100HD MPH Hack

Itronics ITB-100HD

Last week I decided to get myself a dashboard camera to record crazy things I see on the road while driving. After lots of reading and comparing different cameras, I decided to buy the Itronics ITB-100HD.

There are a couple things about the camera that I’d like to change.

  1. The onscreen speed output is written in km/h. Since I’m in the USA that doesn’t mean anything to me and I’d rather have it in MPH.
  2. All video files are saved to the root of the attached SD card. This isn’t really so much a problem as it is an unfortunate implementation detail. I’d like to use an Eye-Fi card with the device so that I can automatically transfer files to my home network when I pull into the garage. More on this later.

I had seen online that there was a guy that spent some time working to make the device display in mi/h instead of km/h. He did some great work, but ended up selling the patched image on eBay rather than sharing the binary with other folks who wanted to do the same thing. Also, mi/h, while technically correct, is not what I expect when I see a speed. I much prefer MPH since that is how speedometers are typically labeled.

I decided to see if I could reproduce the same type of mod to the firmware that the other guy did, but do it without paying for it, and then share it with anyone else who wanted to do the same.

The device has the ability to update its firmware from the attached SD card slot. It’s as simple as putting the binary on the SD card and booting up the device. I figured that would be a good place to start, so I downloaded the latest v2.1 firmware and got to work. What I found was pretty interesting. I spent some time looking at the binary to see if it was a well known format. It turns out it was a gzip file, which contained a tar file, which contained two gzip files, which contained more tar files. I’ve drawn the structure below to make it a bit easier.

File Layout

Once you get through the layers of the onion you find out there are a bunch of files in the ipnc folder within the itb100_fw file. Using IDA I was able to disassemble the binaries in this folder and find that there was actually a lot of symbol information in the files, which made it a lot easier. It took me a while to find what I was looking for, but eventually I found a function called AVSERVER_getCurrentSpeed. This seemed like a good place to start and after a bit of time I followed the logic and figured out what I had to do.
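Peeling the onion by hand gets old quickly, so here is an added Python example (not the camera vendor’s tooling) that unpacks gzip and tar layers recursively until it reaches real files, and wraps files back up the same way. The sample image it works on is built in memory, and the member names (itb100_fw.tar.gz, ipnc/...) are made up to mirror the layout described above.

```python
# Added example (not the firmware's tooling): peel a nested gzip/tar image
# layer by layer and collect the leaf files, then re-wrap files the same way.
# The sample image below is constructed in memory; member names are made up
# to mirror the "ipnc" folder and itb100_fw file the post mentions.
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"


def wrap(files, layers=2, inner_name="itb100_fw.tar.gz"):
    """Pack files into a tar, gzip it, and repeat `layers` times.

    Constructed sample builder; mirrors the gzip(tar(gzip(tar(files))))
    layout described in the post.
    """
    blob = None
    for _ in range(layers):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tar:
            members = files.items() if blob is None else [(inner_name, blob)]
            for name, data in members:
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        blob = gzip.compress(buf.getvalue())
    return blob


def peel(blob, path="firmware.bin"):
    """Recursively unpack gzip and tar layers.

    Returns {nested/path: bytes} for every leaf file. A '!gz' suffix marks a
    gzip layer that was decompressed; a '/' marks descent into a tar member.
    """
    if blob[:2] == GZIP_MAGIC:
        return peel(gzip.decompress(blob), path + "!gz")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(blob), mode="r:")
    except tarfile.ReadError:
        return {path: blob}  # not a tar: this is a leaf file
    leaves = {}
    with tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                leaves.update(peel(data, f"{path}/{member.name}"))
    return leaves


def layer_depth(blob):
    """Number of gzip layers above the deepest leaf (two in the post's image)."""
    return max((name.count("!gz") for name in peel(blob)), default=0)


if __name__ == "__main__":
    sample = {"ipnc/av_server": b"\x7fELF...constructed...", "ipnc/notes.txt": b"hello"}
    image = wrap(sample)
    for name, data in peel(image).items():
        print(name, len(data), "bytes")
    print("gzip layers:", layer_depth(image))
```

peel only ever reads members into memory, so nothing is written to disk and tar member names cannot escape a directory; when you do extract to disk, that is the check to keep in mind.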

Original code that used getCurrentSpeed

If you look at the above code you can see that the getCurrentSpeed function is called from within swosdDisplay. At that point it does some flag check and then prints the current speed. The flag appears to be the one that sets whether the speed is printed on the video or not. I figured I didn’t need that and could steal that code space from 00025F1C to 00025F28. My goal was to apply a simple modification to the km value returned from getCurrentSpeed before it’s used in sprintf. After some quick Google searching I found the conversion 1 kilometer = 0.621371192 miles. I just needed to write some new code that multiplied the km value by 0.62137. Here’s what I came up with.

asm

What this basically does is load 636 into R1, multiply the km value by R1, then divide it by 1024. This multiplies the value by 636/1024 = 0.62109375, which is pretty close to the conversion value. It also fits nicely into the space that the old four instructions were using.
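To see how good that approximation is, here is an added Python example (not the patched firmware’s code) that reproduces the integer-only conversion, measures its error against the real factor, and searches for the best multiplier at any power-of-two divisor; 636 is the constant from the patch above, everything else is illustration.

```python
# Added example (not the patched firmware's code): the integer km/h -> MPH
# conversion the patch uses, (km * 636) >> 10, checked against the true ratio,
# plus a search for the best multiplier at any shift width.
KM_TO_MI = 0.621371192          # conversion factor quoted in the post
MULTIPLIER, SHIFT = 636, 10     # the patch: multiply by 636, divide by 1024


def km_to_mph_fixed(kmh, mult=MULTIPLIER, shift=SHIFT):
    """Integer-only conversion as the patched code does it (truncating).

    The product stays far below 2**32 for any realistic speed, so a 32-bit
    register multiply cannot overflow here.
    """
    if kmh < 0:
        raise ValueError("speed must be non-negative")
    return (kmh * mult) >> shift


def scale_error(mult=MULTIPLIER, shift=SHIFT):
    """Relative error of mult / 2**shift against the true factor."""
    return mult / (1 << shift) / KM_TO_MI - 1


def best_multiplier(shift):
    """Closest integer multiplier for a given power-of-two divisor."""
    return round(KM_TO_MI * (1 << shift))


def worst_case(max_kmh=300, mult=MULTIPLIER, shift=SHIFT):
    """Largest difference in whole MPH between the fixed-point result and
    the truncated exact value over 0..max_kmh."""
    return max(abs(km_to_mph_fixed(k, mult, shift) - int(k * KM_TO_MI))
               for k in range(max_kmh + 1))


if __name__ == "__main__":
    for k in (50, 100, 160, 250):
        print(f"{k} km/h -> {km_to_mph_fixed(k)} MPH (exact {k * KM_TO_MI:.2f})")
    print(f"scale error: {scale_error():+.4%}")
    print("best multiplier for >>10:", best_multiplier(10))
    print("worst case off-by (0..300 km/h):", worst_case())
```

The search confirms 636 is the closest multiplier for a divide by 1024; the approximation reads about 0.045% low, which over any speed a car reaches means the display is off by at most 1 MPH compared with the exact truncated value.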

I didn’t have an ARM encoder, but had some friends encode the instructions for me so I could drop it into the original binary. There are several tools to do this, I just hadn’t used them before and I’m glad I knew some people who had. Once I had the raw bytes I was able to modify the binary file directly and replace the old code bytes with the new ones.

Original unmodified code bytes

Modified code bytes

I wanted to make sure the bytes were right so I loaded the newly modified binary into IDA again to see if the change resulted in the correct disassembly. I’m happy to say that, after loading the bytes in the wrong order the first time, a quick fix solved the problem and I had the exact code change that I wanted.

Modified IDA output

The only thing left to do was to find the constant string that was used in the sprintf, and convert the ASCII from “km/h” to “ MPH”. I decided to add a space for aesthetic reasons.

km/h ascii text

km/h ascii bytes

MPH ascii bytes

The final step was to package the whole thing back up in the reverse order of how I unpacked it: tar -> gzip -> tar -> gzip. The end result is — MPH instead of — km/h. Hopefully this helps other people who want to make this modification.

Have Fun!


Download: http://yakhack.com/downloads/itb100hdfw.bin (itb100hdfw.bin v2.1)

Special thanks to the folks that helped out… You know who you are.