CypherCon - Hotel Hackery, Good Friends, and Good Times

A project log for AND!XOR DC27 Badge

The trilogy is done

Hyr0n, 04/14/2019 at 02:56

HAI 2600

So you may be wondering why the first log of our DEF CON badge project is titled after another conference: CypherCon. Something we briefly talk about but don't emphasize enough is that the members of AND!XOR are geographically distributed; i.e. we don't live near one another. So a few times a year we try to meet up at security conferences. From a "working on the badge" perspective this is what allows us to do things IRL, hang out together in the hotel rooms at night, debug the badge, design puzzles and hack the night away. See actual photo below... 

But more importantly, socialization within other conferences, going to talks, and their villages is the main reason we go. Zapp has been there before and this was Hyr0n's first visit to Wisconsin. Overall a wonderful experience. Got to see old friends (Addie, Whisker, Wire, GoetzmanWill, Krux, CarFucar, Mike Szczys, ViGreyTech), make new ones, even meet people we've talked to on Twitter for the past couple of years and have always missed one another in person (Rick Ridgley comes to mind, also we just need to say @d1g1t4l_t3mpl4r is a gentleman and a phreaking badass). It stresses me out to write this right now in fear that I forget to list someone's name from the weekend for love and shoutouts. If I did forget, don't hate me. I'm on 3 hours of sleep writing on an airplane with a screaming child behind me (I'm lucky to even get coherent sentences typed at this point). Just a reminder that you should always expand your scope beyond a single conference, attend as many as you can across the globe, since each one has a different vibe and you get to meet many awesome people. What can we say about CypherCon? It feels like family. Everyone is so nice and welcoming, we love visiting the Midwest and need to get out there more often. We'll be back next year for certain.

CypherCon TyMkrs Badge Challenge

The ToyMakers created an amazing badge this year: it read paper tapes. As in 50-year-old technology paper tapes, where you had to either hand punch or submit jobs to create punched paper tape. You can see Hackaday Mike showing it here. It's not our place to go into the depths of how their challenge worked, the scoring, etc. (that's someone else's write-up to be done), but we can explain our part in it. Like many of the other villages, we were given code cards by Whisker to hand out in "whatever manner we see fit." Note, this also unofficially makes AND!XOR the first nomadic village, right? See Zapp & Hyr0n brainstorm below...

Actually what we came up with isn't at all that original (many groups have used SSTV in the past) but it added layers of fun for some folks to learn something new while trying to get punch codes. We took a photo of the card and used Robot36 Slow Scan TV encoding. After all, if we are using 50+ year old computer program technology, what better way to transmit photos than with 50+ year old RF encoding technology? This creates a 36 second audio file which sounds amazing and was used as a voicemail. The phone number was released. Boy did we get some great voicemails from the conference attendees :) Anyway, once someone heard our recording they used an SSTV Decoder on their computer to translate the noise into a photo (assuming they knew what it was; if not, then there was a lot of talk with the HAM folks or scouring the SigIDWiki).

Yeah, it's really bad quality. In fact any background noise affects the decoding. It made us smile to walk into the restroom and to see a few hackers huddled in the corner calling the voicemail since it was the quietest place they could find. Here's the original photo for comparison.

As you can see it probably took quite a few phone calls from devoted individuals to get enough samples to clearly piece together the image. Just to guide you through the process in a quick manner, here's how one would solve our card. If you want more details of punch cards, look at Wikipedia.

So it's an image of punched tape. You have two options.

1) Manually feed new tape through your badge and hand punch it (BOOOORRRING)

2) Decode it, write it on a job card, and turn it in to the TyMkrs to print a perfect tape for you (EDUCATION)

Duh, go with option 2. Knowledge is power. (And if we say something wrong in explaining this do not hesitate to correct us in the comments below).

Rotating it this way is going to help make a lot more sense. So let's start with parity and self-clocking sprocket holes. The parity helps determine whether this is ASCII or EIA formatted. Do not count the sprocket holes, and count left to right.

So you can see there is an even number of punched bits per row, on every row of the tape; this means ASCII. The parity bit is only added so that there is an even number of bits in the row for ASCII; conversely, if this was EIA you would only add a parity bit to make sure the total was odd. For example, as shown above, the first row only has 2 bits and is already even, so the value in your parity column is zero. But the fourth row had 3 bits, so 1 parity bit was added to make it even. That's all it is used for; you essentially ignore it once you know whether this is ASCII or EIA. Fun fact: back in the day when you would process punched tape, a single parity error would stop and fail the entire program. Boooo! Anyway, the job submission required you to put it in hexadecimal and we know this is ASCII due to even parity, so....

Convert each row to binary, find the hex value of that binary, then convert that hex to decimal and get its ASCII value (Simple right?)

The Code is (go bottom to top given how the tape is read in) : 5011D1F1ED50DAC0DA
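The parity check, row conversion and bottom-to-top read described above, as an added example (not the TyMkrs' or AND!XOR's code; function names are hypothetical). It assumes the parity channel is the leftmost column and the other seven columns are data bits, most significant first, and it punches a constructed tape from the code given above.

```python
# Added example: decode an 8-channel punched tape, one character per row.
# Assumptions: leftmost column = parity channel, remaining 7 columns = data
# bits (MSB first), sprocket holes already left out. 'o' = hole, '.' = blank.

def punch(text, even=True):
    """Build constructed sample rows for text with even or odd parity."""
    rows = []
    for ch in text:
        data = format(ord(ch), "07b")
        ones = data.count("1")
        parity = ones % 2 if even else (ones + 1) % 2
        rows.append((str(parity) + data).replace("1", "o").replace("0", "."))
    return rows

def classify(rows):
    """'ASCII' if every row has an even hole count, 'EIA' if every row is odd.

    Only the parity convention is checked; EIA character decoding is not done.
    """
    counts = {row.count("o") % 2 for row in rows}
    if counts == {0}:
        return "ASCII"
    if counts == {1}:
        return "EIA"
    raise ValueError("mixed parity: at least one row is mispunched or misread")

def decode_ascii(rows_top_to_bottom):
    """Verify even parity, drop the parity column, read the tape bottom to top."""
    if classify(rows_top_to_bottom) != "ASCII":
        raise ValueError("not an even-parity ASCII tape")
    chars = []
    for row in reversed(rows_top_to_bottom):
        bits = row[1:].replace("o", "1").replace(".", "0")
        chars.append(chr(int(bits, 2)))
    return "".join(chars)

# Constructed sample: the job-card code from this log, with its first
# character on the bottom row because the tape is read bottom to top.
TAPE = punch("5011D1F1ED50DAC0DA")[::-1]

if __name__ == "__main__":
    print("\n".join(TAPE))
    print(classify(TAPE), decode_ascii(TAPE))
```

A single misread hole, which is easy to get from a noisy SSTV decode, makes `classify` raise instead of returning a wrong character.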

One would then write this on a job card, turn it in, get a tape made, run it through their badge to get points, then share the tape with others because sharing is caring. We feel very humbled the TyMkrs included us in this and gave us the freedom to hand out the cards as we see fit. We heart you!

AND!XOR DC27 Free Badge Challenge

Oh did you see this? The other reason we like going to cons is so we can put our own challenges out there to let hackers earn free stuff.

IF(((Do you hackers want to earn one of our badges) && (you were at CypherCon this weekend) && (you found a floppy disk)) == TRUE) ... Then you may be wondering, who could have access to a Floppy Drive over the weekend? You still have time... the deadline isn't until 1557014400 (PLENTY OF TIME TO GET THIS DONE). Well, one person already won, congrats to Phyxius! So there are only two more free badges left to be earned. There are multiple ways to win this challenge, so if you picked up one of the 40 floppies we hid around the conference I suggest you at least grab an original or USB Floppy drive and get hacking.

AND!XOR DC27 Badge Progress

So what did we get done on the badge with all this going on at CypherCon? Improving our provisioning scripts to ensure the initial setup and flashing of the badges using a <REDACTED> is turnkey easy for the folks over at Macrofab. Don't forget, an important part of Design For Manufacturing (DFM) is taking into account that whatever needs to be done to initially provision the badges needs to be done over...and over...and over... and you are paying by the minute, so whatever you are thinking, it had better scale well. Minimize error and cost, make it easy and everyone wins.

Also we were able to knock out some awesome dynamic <REDACTED> bling from the classic <REDACTED> leveraging some fancy algorithm reverse engineering. We hope you like it as much as we do. Additionally two of the puzzles were refactored and whiteboarded (many tiny hotel room paper pads, which Hyr0n flushed so good luck dumpster diving). All in all it was a very productive trip making progress on the badge. April is crunch time for us, since we lock the baseline down in May to be feature complete; i.e. only bug fixes until DEF CON. It's all coming together and we're very excited about it. TTFN!