Badge ARG / Console / Command Line Puzzle / Whatevs U Call it

A project log for AND!XOR DC26 Badge

The Wild West of IoT

Hyr0nHyr0n 05/14/2018 at 16:041 Comment

So the best way to start this log is brutal honesty, I just don't know what to call it. It could be that I was up late coding the badge and watching Westworld until a few hours before my flight (then decided to pack last minute). It could be due to the morning airport mimosas, ginger-ale, and vodka cheersing my liver at 30000 feet right now too. Probably a combo of "all the above."

There's many different words we all use for the same thing here. Originally, in the Joe Grand days of badgery, you would just hear of them being called hardware hacking challenges. Then it turned into puzzles. Then devices like the Sparkfun Harp started using the term Alternate Reality Gaming (ARG) / Hardware Alternate Reality Prototype (HARP), since it was an electronic hardware based puzzle that went beyond the device using external mediums and a story line to immerse the player in a challenge beyond the puzzle itself. Well this year we've increased the hacker difficulty from simple Easter eggs to actual hacking challenges on the badge, which are accessed through a command line interface / UART console, text based adventure RPG...ARG...thing; think of playing Colossal Cave but your actions in the game use the badge hardware to cause things to real life. As you can see it's a lot of stuff, but overall it's a bunch of hacker challenges, meant to entice you for some fun, and perhaps the first few people who solve the AND!XOR "thing" will get something special... 

Can we agree on wut 2 call this?

But first things first, help us name this shit. Nothing surprises us more than the creativeness of the internet. Do your worst internet, do your worst. We 100%  promise to use whatever recieves the most votes, but please lets make it somewhat describe the fact that this is a challenge, a puzzle, a type of ARG, etc... For the purposes of this write up, I'll refer to it simply as "the console."


Prior Work At Consoling

We have used embedded UART one way or another on our past two badges. We're hackers, we like command like interfaces, especially when it's green on black. DC24 Bender had an integrated console over UART, solving a couple of puzzles and discovering Easter eggs provided unlocks on the badge (more bling, games, etc). Last years DC25 bender built on that concept, except the console was done over Bluetooth from a fone app @bitstr3m wrote, and allowed anyone to wirelessly terminal in to your badge. It dovetailed in to our BOTNET game as a backdoor in about 500 badges with a default root password... but... more people downloaded it AFTER the CON when they got home to mess with the badge than during the CON (we had about 70 people using the wireless console during DC25). So... metrics...lessons learned, going back to an embedded console (non RF based for interfacing) and focusing more on a single player aspect of hacking challenges.

By hacking challenges, we mean that yes you will actually hack the badge. Not dumb shit life hack it "e.g. hack BUTTON with FINGER" (okay there is some of that...) but actually attempt to circumvent the security of the badge presented in this alternate text based world in order to achieve intel and l337ness. I am not going to give hints as to what those types of challenges will be (since that would ruin the surprise), but they involve the various skill-sets you would find throughout the DEF CON Villages. They also are limited to things we can do with our badge, which includes LEDs (blinks, colors), RF (Wifi and Bluetooth), Hardware Interfaces (Shitty, I2C, SPI,  JTAG), etc... So if you do not understand how to accomplish a certain type of challenge, this is your queue to go get a bunch of beer / liquor / wine / absinthe / defcoin and approach the nice people at the villages with a "Hey there! Im a padawn Haxor, I would love to learn how to <INSERT SKILL HERE> so I could try and defeat this AND!XOR badge console arg challenge thing, i don't have much, but I would love to give you some drinks if you would be willing to teach me. Or whatevs, you hangry? I can get some ramen or BK Lounge instead xoxoxoxo." 

Point is, we want our badge to not only challenge you mentally, but socially. Use it as an excuse to go learn something new, talk to people, attend a new village you've never been to before, admit that you DON'T know everything in the world and would like to learn, and most importantly make some new friends to add to your Hacker family tree. 

In the prior years badges, we had implemented the Natural Tiny Shell (NT-Shell). It's free, open source, and very lightweight. Simple concept, but operates like most C frameworks for IO, it's a parser with build in argument handling for command line switches. Essentially allowing you to make an integrated Unix style command line interface. 

#include "ntshell.h"
#include "chip.h"
#include "uart.h"
#include "ntlibc.h"

#define UNUSED_VARIABLE(N)  do { (void)(N); } while (0)

static int func_read(char *buf, int cnt, void *extobj)
  int i;
  for (i = 0; i < cnt; i++) {
    buf[i] = uart_getc();
  return cnt;

static int func_write(const char *buf, int cnt, void *extobj)
  int i;
  for (i = 0; i < cnt; i++) {
  return cnt;

static int func_callback(const char *text, void *extobj)
  ntshell_t *ntshell = (ntshell_t *)extobj;
  if (ntlibc_strlen(text) > 0) {
    uart_puts("User input text:'");
  return 0;

int main(void)
  ntshell_t ntshell;
      (void *)&ntshell);
  ntshell_set_prompt(&ntshell, "AND!XOR>");
  return 0;

So if you think about it, a text based adventure game is really just a structured set of commands, which parse the inputs, against known values, and default responses, contextually tied into a storyline of some sorts...making shells and embedded consoles the perfect front for designing a console based puzzle around...did i just kill the magic? 

ESP-IDF Console

Well this year, we are using the ESP32-WROVER. My god do I miss ARM...but thats another post for another day... A feature of the SDK is  that it comes with an embedded console. It's been extended and modified slightly to our needs, but if you look at any of the ESP console examples it becomes pretty clear how it works. For an rpg-adventure type game, Its more contextual that one designs a console around a actions one would use in a storyline for their challenges. Example: part of the player setup in our storyline is getting a sex change (it's not graphic, just a change to a struct member). And yes, it matters for one of the challenges and lets just put this out there: Our badge and humor is not for people who are easily offended (or children). If that bothers you, go read a phone book.

static int gender(int argc, char** argv){
    //This is used to change the players gender, default is non-binary
    bool error_flag = false;

    if(user.GENDER_CHANGE == true){
                //You only get to change your gender once
        printf("  You already changed your gender. Deal with it or restart the game.\n\n");
    else if(argc == 2){
        if ((strcmp(argv[1], "M") == 0)||(strcmp(argv[1], "m") == 0)){
            user.GENDER = 'M';
            user.GENDER_CHANGE = true;
            printf("  Sex change successful: Man-Bot!\n\n");
        else if ((strcmp(argv[1], "F") == 0)||(strcmp(argv[1], "f") == 0)){
            user.GENDER = 'F';
            user.GENDER_CHANGE = true;
            printf("  Sex change successful: Fem-Bot!\n\n");
        else if ((strcmp(argv[1], "N") == 0)||(strcmp(argv[1], "n") == 0)){
            user.GENDER = 'N';
            user.GENDER_CHANGE = true;
            printf("  Sex change successful: NonBinary-Bot!\n\n");
        else error_flag = true;
    else error_flag = true;

    if (error_flag){
        printf("  That doesn't make must be gender drunk \n\n");
    return 0;

static void register_gender(){
    //This is what sets up the output of the HELP command
    const esp_console_cmd_t cmd = {
        .command = "gender",
        .help = "Change your robo-gender to a Fem-bot (F), Man-bot (M), or NonBinary-bot (N) can only do this ONCE!",
        .hint = "[determination F, M, or N]",
        .func = &gender
    ESP_ERROR_CHECK( esp_console_cmd_register(&cmd) );

Here's an example console capture, note that I still need to add more context (but am obviously leaving it out to not ruin the surprise of the game).

#ANDNXOR> gender  asdf
    That doesn't make must be gender drunk

#ANDNXOR> gender  M
    Sex change successful: Man-Bot!

#ANDNXOR> gender  F
    You already changed your gender. Deal with it or restart the game!

So now that you have an idea of what is going on are you interested in what the other console commands are?

Getting excited yet? Well here's what you need to do so you can setup everything ahead of time (since you lamerz really have nothing going on for the next  couple months as it is)

Download The Drivers

One more hardware related detail we haven't mention yet...just cuz everyone goes with FTDI doesn't mean we had to. I mean if everyone was jumping off a cliff would you...well if it was Cliff-CON, a new security conference, I guess we would... but we went with the SiLabs CP2102N. Why? Same reduction in parts and high speed 3M baud rate as the FTDI (which u need for development and flashing firmware), but at a cheaper price. Now the downside...Windows and OSX do not natively include CP210X drivers like they do with FTDI. So if you use Linux, you're cool (for many reasons). But if not, we will include them on our SD card anyway.  Note that any security conscious person should not trust drivers just being handed to you on some rogue SD card...cyber pathogens and whatnot. But we're putting them on there anyway, trust us or not, that's your choice.

Drivers for CP2102N USB to Serial

Download and Configure PuTTY

PuTTY is HIGHLY recommended for the full experience of the console. You technically only need a terminal which supports ANSI and ASCII escape sequences, but PuTTY is the only one that Ill just flat out recommend since its pretty much idiot proof. If you use a terminal which doesn't support the escape sequences, nice features like our ANSI graphics, color, and auto-complete wont work. Your funeral..

Configure Putty

Quick reminder for folks who do not venture into the land of UART that often...


kevvyg wrote 07/30/2018 at 20:12 point

For anyone trying to access the B.E.N.D.E.R. console game on the badge on modern versions of macOS, install these drivers, then open a Terminal session and run "screen /dev/tty.SLAB_USBtoUART 115200".  For older versions of OS X, use the Legacy driver

  Are you sure? yes | no