AND!XOR DC27 Badge

The trilogy is done

Similar projects worth following


  • Wouldn't you like to know


  • Wouldn't you like to know

WHO:: We are 5 dudes from California (and a guest star from Texas) with backgrounds in HW and SW engineering. We enjoy building and hacking things for fun. AND!XOR pronounced..."AND-NOT-EX-OR"...

WHAT:: We built a hackable, open badge for use at DEFCON 27 in Las Vegas and any other conferences in the future. The badge also serves as a dev board for hardware developers of any experience level from novice to expert sorcerer.

WHY:: The purpose is to put some really awesome hardware around the necks of a bunch of hackers and see what they come up with. We hope to encourage others to make use of the badge and come back with their own flavor in years to come, AND to promote embedded development across the community. Most importantly, the badge serves as a way to teach principles about security and hacking.

HOW:: Pure internet science. We've developed algorithms which calculate the spin rate of cat quarks for generating our ssh keys at a rate of (P+9)/((# of blackberry users)^2), where P is the probability that a cat will leave a house when a door is opened for them.

WHERE:: Paris / Bally's / Planet Hollywood, Las Vegas

WHEN:: Aug 7th - Aug 11th, 2019

EXTRAS:: We are spending our free time and money outside of our busy work schedules to develop this from 5 separate locations across the US. So we are definitely open and encourage feedback, suggestions, and features to be added onto the badge. If you complain that there are not enough blinky's happening then you are welcome to build your own. Feel free to Leave your comments below if you have questions, concerns, comments, philosophical statements, haiku's, or send us a tweet...that works too.

Twitter:: Check out AND!XOR, our official twitter account on twitter for daily and often hourly updates of the badge process.

  • Reverse Engineering with Ghidra - SimTaco Floppy Challenge

    Hyr0n06/07/2019 at 02:21 0 comments

      So we gave it some time to rest, but it's time to walk through what our CypherCon hacking challenge was and the ways the folks who won were able to accomplish it. If we don't share, we don't learn. If you're thinking, WTF does this have to do with your electronic badge project we want to see that... we'll we're keeping that a sekret for a bit longer. So until the reveal, we put out hacking challenges for people to earn free badges.

      Why hacking for badges? Because we want to encourage people to learn new things, reward hackers with blingy electronics that contain even more embedded security puzzles to learn new things. Philanthropic hacker karma with knowledge gained. They're free, you just have to earn them :) Also a big shout out to our Philanthropists and Sponsors who are helping us make this happen: Urbane Security, Macrofab, Mouser, and Rigado.

      We made 40 of these Floppy disks loaded with a special binary and left them around the Wisconsin Conference center during CypherCon. Also this was inspired by the Floppy Disk badge @aprilwright made for DC26. Initially the first part of this challenge was, how the hell do you read the floppy? Conveniently, between the hundreds of hackers at the conference and it butting up against the Midwest Gaming Classic, there was a large collection of vintage computers around. Some folks tried putting the disks in, but were reminded...those computers weren't networked so how the hell would you get the file off anyway? Truth be told, if you don't have a stack of these laying around like Hyr0n does, then you go on Amazon and search for a "USB Floppy Drive." That simple. Now even though there are a dozen different brands, be forewarned they are all the same manufacturer and all are garbage. 1000000% Garbage where you have to pop in the disk just at the right time. Regardless they do work. So once a person got that disk being read by a computer, they found a file to copy off: "simtaco"

      First things first, chmod +x that binary to make it executable, cross your fingers it's not not not malware...and run it.

      So if you're thinking "42" - yeah that's the good cult reference, but no... this is a hacking challenge. You don't earn free badges that easily. For this we're gonna have to get up in that binaries guts. Last year I showed you my free open source software of choice for RE which was RadaRE2. We'll the NSA has spoiled us with their warez, because I've gone Ghidra and I'm never going back (sorry HexRays I dont have 1 BTC worth of license fees to shell out ANNUALLY for Ida). In case you aren't familiar with the name, the NSA open sourced their internal binary reverse engineering tool, Ghidra, back in February when Rob Joyce gave his talk at RSA. We were also curious in 2 months time how many people would flock to it. Actually every person who solved the challenge told us they were using Ghidra as well, which made all the sense to title this project log the way we did. Now there are ton's of write ups and tutorials on YouTube showing how to use Ghidra in depth. This post is NOT that. The intent of this is to show you just enough to peak your curiosity and show you that reverse engineering isn't black magic wizardry (like RF is). 

      For your reference here's a copy of the binary to play along:

      Install Ghidra

      This is going to assume you run the same Linux system we do, Ubuntu 18.04.2 

      1. Download Ghidra:
      2. Install Java OpenJDK 11
        1. sudo apt install openjdk-11-jdk
      3. Unzip your Ghidra download anywhere then run "./ghidraRun"
        1. If Ghidra says it can't find your JDK, then you don't have the right version...
    Read more »

  • CypherCon - Hotel Hackery, Good Friends, and Good Times

    Hyr0n04/14/2019 at 02:56 0 comments

    HAI 2600

    So you may be wondering why the first log of our DEF CON badge project is titled after another conference: CypherCon. Something we briefly talk about but don't emphasize enough is that the members of AND!XOR are geographically distributed; i.e. we don't live near one another. So a few times a year we try to meet up at security conferences. From a "working on the badge" perspective this is what allows us to do things IRL, hang out together in the hotel rooms at night, debug the badge, design puzzles and hack the night away. See actual photo below... 

    But more importantly, socialization within other conferences, going to talks, and their villages is the main reason we go. Zapp has been there before and this was Hyr0n's first visit to Wisonsin. Overall a wonderful experience. Got to see old friends (Addie, Whisker ,Wire, GoetzmanWill, Krux, CarFucar, Mike SzczysViGreyTech), make new ones, even meet people we've talked to on Twitter for the past couple of years and have always missed one another in person (Rick Ridgley comes to mind, also we just need to say @d1g1t4l_t3mpl4r is a gentleman and a phreaking badass). It stresses me out to write this right now in fear that I forget to list someone's name from the weekend for love and shoutouts. If I did forget, don't hate me. I'm on 3 hours of sleep writing on an airplane with a screaming child behind me (I'm lucky to even get coherent sentences typed at this point). Just a reminder that you should always expand your scope beyond a single conference, attend as many as you can across the globe, since each one has a different vibe and you get to meet many awesome people. What can we say about CypherCon? It feel's like family. Everyone is so nice and welcoming, we love visiting the mid-west and need to get out there more often. We'll be back next year for certain.

    CypherCon TyMkrs Badge Challenge

    The ToyMakers created an amazing badge this year, it read paper tapes. As in, 50 years ago technology paper tapes and you had to either hand punch or submit jobs to create punched paper tape. You can see Hackaday Mike showing it here. Its not our place to go in to the depths of how their challenge worked, the scoring, etc... (that's someone else's write up to be done), but we can explain our part in it. Like many of the other villages, we were given code cards by Whisker to hand out in "whatever manner we see fit." Note, this also unofficially makes AND!XOR the first nomadic village right? See Zapp & Hyr0n brainstorm below...

    Actually what we came up with isn't at all that original (many groups have used SSTV in the past) but it added layers of fun for some folks to learn something new while trying to get punch codes. We took a photo of the card and used Robot36 Slow Scan TV encoding. After all, if we are using 50+ year old computer program technology, what better way to transmit photos than with 50+ year old RF encoding technology? This creates a 36 second audio file which sounds amazing and was used as a voicemail. The phone number was released. Boy did we get some great voicemails from the conference attendees :) Anyway, once someone heard our recording they used an SSTV Decoder on their computer to translate the noise into a photo (assuming they knew what it was, if not then there was a lot of talk with the HAM folks or scouring the SigIDWiki.

    Yeah its really bad quality. In fact any background noise affects the decoding. It made us smile to walk into the restroom and to see a few hackers huddled in the corner calling the voicemail since it was the quietest place they could find? Here's the original photo for comparison.

    As you can see it probably took quite a few phone calls from devoted individuals to get enough samples...

    Read more »

View all 2 project logs

Enjoy this project?



Mike Szczys wrote 03/19/2019 at 00:20 point

I'm cornering the world's supply of potatoes... better hope you secured your supplychain before giving away that nugget of info.


  Are you sure? yes | no

Sophi Kravitz wrote 03/13/2019 at 14:20 point

WOOOHOO excited to see this one! Internet science of cats LOL.

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates