
All
right. Well, you get that.
Sorry.
This HDMI thing. >> Yeah. Another one if you want to try that max. Sometimes people have an issue here. USBC on here. >> Uh that's USBC. And >> do you have HDMI coming out anywhere? >> No, only this. >> This apparently does maxed out on occasion. I'm going to steal it. >> That's your one there. >> Do you know any tricks to get this Mac in? Uh, did you install a driver? >> What driver? >> It was emailed out to all the >> connect. Do you know how to use proper operating system?
>> Yeah. >> Thank you, Mr. Mac. >> All right. While we wait for Matt to do it, >> it looks like it's not. >> Welcome to the badge.
>> We're going to be giving up grinding the badge, some of the challenges they can do with it. And then >> there'll be about 30 minutes and then there'll be an opportunity for those of you that want to stay asking etc. They'll be around >> half
download. So Kyle and Kellb are founding members of >> download
you can just extract it and I don't know why it's easy vulnerability management programs lot of simulation and working with a diverse range of science has a has a passion for integrating security into the the whole product development life cycle and the whole area that we've heard about recently is sort of supply chain attacks Baking your security in has become a really important thing to do. And we'll wait to we've got some progress. Yeah. And >> mine stole my copy.
>> Here we are. All right. Good night. Thank you so much. No worries.
>> Spring
trying to figure out what screen he's on.
I've got multiple screens. It's that one is duplicated. If you want to That's the one that's on the
I can any of these days talking about how you just make extraordinary bad all the Thanks. >> You want me to? >> No. >> It's kind of critical to be >> Why am I showing you out of whatever?
Is it one of those situations where you create the new
>> Where is that?
>> Let me select the settings.
Yeah. >> Okay, great. I should have everyone look at my stuff. >> That's fine. >> Amazing. >> All right. Sorry about that. Due to technical difficulties, we will do this talk extremely fast. >> All right. Um, I have been informed by somewhat trustworthy Norwegians that this says what I want it to say, but making a sick badge, meaning hopefully it's not the interpretation of like an actual physically sick, uh, something that's cool and hopefully it is also cool. Um, so we're just going to talk quickly about, you know, the badge that we made and how we did it, steps that we went through, uh, if anyone wants to make a badge, and then also why it's
cool and why we think people should make a badge. taking all these. >> Yeah. No. So, uh, as Caleb said, today is going to be pretty informal. Like, uh, if those of you that were just in the keynote, you know, he was very direct in his message today. We just want to give context of that, something for you guys to look at, to look into, and then we'll be around later today to figure out how to do the the challenges and hack into it and really just understand where everyone is in their story. Because what we're going to get in today is is making this badge and just hardware hacking in general. Everyone hardware hacking is still one
of those topics in security which is fairly newer. It's getting more popularity. So people are at different stages and so for us to give a 15-minute talk on the the intricacies of creating this badge is probably a little audacious. So we're going to try to give you some context and then uh hopefully some questions from there. So, Caleb said, introduce ourselves, uh, give you the timeline, the the worldview or the universe in which we used to create this badge and which we used to develop the badge. U, the the prototyping that went into it, the firmware that's on it, and then how we scaled up and and built it for 150, y'all. So,
>> it just stopped. >> Awesome. Yeah.
Building the badge was much easier than uh doing this presentation. Looks like I lost internet connection.
>> I guess while we're doing that, everyone has their I see I see see a lot of them out. Uh, one thing that you will notice is that the batteries in it, uh, it's gonna go quick. So, mine, there'll be extra batteries that B will have and others will have that, but if you ever look down, like I think mine's already been maxed out. Um, >> there's also a hardware switch on the right side if you want to preserve your battery because it's running a Wi-Fi access point, which we'll talk about. your hotspot on. >> You have internet access.
>> Have you tried turning it on? >> There's a slide on that one. All
right, we'll stick with this one for now. >> Okay. >> All right, we're going to hammer through the rest of this real quick. >> Y, >> so I think we're here. A little bit about us. Um, my name is Caleb Davis, co-founder of Solo Sack. Um, I I made this badge and have made a bunch of badges, but our day job is pen testing. Um, specifically, uh, embedded systems. I have a background in electrical engineering. Um, so that is a little bit about me. >> I think the takeaway here is that uh, Solosc is not a badge-making company. We are a pen testing company, right? This is a side hobby project and something that allows us to come to Norway and other
fun countries. And so we're at Defcon every year making badges for Biohacking Village. Um, and so yeah, you you'll see us around some of these cons with other custom badges. All right. So why does this matter? Why are we why are we here? Why did you guys decide to spend time this morning to come to our talk in addition to uh filling up your coffee after that keynote? So the the idea is to start to give individuals this development expertise. Um you know I find in security you know it's very easy to to silo yourself into one area of that universe that I was trying to describe and build. But understanding the the stage one the that route the
manufacturing the development piece is so important in understanding why things happen further down in the manufacturing process. Uh the impact obviously you know that's something again why the embedded is becoming so hot these days but understanding how you can make change in the beginning of a process it will affect downstream as well uh the manufacturing awareness you know whenever we give a r uh recommendation of yeah look to see who's manufacturing the product that we hack I think uh we get eye rolls but you know that's where where you have to start and then the last is fun you know I we love this we love figuring out CTFs you know figuring out challenges and keeping how to solder
uh and how to do fun stuff that that seems really dangerous but you know this is uh this is this is awesome to us and it's uh we look forward to chat with you. All right, create the badge timeline. So really you know people get surprised by this but we usually start with a blank slate when we talk to be when we when we start uh engaging in conversation with individuals who want to run a BSides or any conference really and create a badge it's a whiteboard. What do you want? What is your end goal in mind? And you see because everyone's been to conferences, they've seen sick badges and they've been like, "Oh man,
like I don't even know how we would create something like this." Like what, you know, but also you want to make something meaningful. You want something where people get it and they remember it. They're just not going to throw it to the side when they get home and because they want to uh you know, so adopt hopefully that's meaningful. Um prototyping. So we take this idea sometimes a grandiose in nature and we have to we have to cut it down like we say hey okay that's that was a really cool idea but this is the budget so what do we actually want to do so we start prototyping start throwing ideas part selection from the manufacturers we work
with um and then the fun part you know and Caleb's going to elaborate on this a little bit later is like the hardware and firmware development because it's one thing to make something that looks visibly cool but then something that's actually practically useful and can can teach you things as well. Uh, and so we go through that, build out the pilots, and this is, you know, this is a six-month plus process. So, we've been looking forward to this day and looking forward to this badge for a while. Um, and then issue remediation, which is always a fun part of this conversation where you'll see pictures of us in in the car on the way from Oslo, you know,
soldering in the back and putting these things together. Um, and uh then, yeah, just scaling up and making sure that we have enough. And in this case, you know, a couple hundred. So, all right. Um yeah, brainstorming like like I said, we try to build this uh this platform where there's universal scope to give someone the idea and the creativity to get something that's meaningful to them. Uh but it really starts six months before these conference. So these conversations are happening um the end of last year. Yeah. So it's been a long time coming and then the cost is always the uh the kicker, right? Um and so yeah. >> All right. I I can take this one. Sure.
So, I'll briefly run through this, but some of the main drivers for for us, and it it's really a driver for all badges, but for us specifically looking at, you know, the functionality of the device, we want it to be cool, something you can play with, not just, you know, a light show. So, keep that in mind. I guess we hadn't really talked about it too much, but there are, I think, nine different ways to nine flags associated with this badge that are in a variety of different locations. Um the I'll talk about the core in a second, but it runs an access point so you can connect to your own badge. Hopefully, not everyone else's
badge, but I mean you can do what you want. Um but connect to it. It's got an access point website so you can connect and go find all the flags. Um so we like it where you can you can modify the the badge obviously. Uh availability, this is less of a problem now, but it's been a problem historically where you know these Raspberry Pi Picos is what we're getting. Sometimes they're just not available for whatever reason. So, that's a main driver. Power consumption, you know, your two AA batteries should last as long as you don't hack it and like run these LEDs consistently. Um, but that's a big driver for some of these conferences, especially Defcon or
Black Hat, you know, these longer conferences. You don't want someone carrying around a car battery with them. Um, audience familiarity. This thing's running MicroPython. Um, so if someone connects, and this is kind of a hint if you want to hack your your badge, if you connect like a micro USB cable, it's running like a like a REPL type environment. So you can connect and look at Python code and it's it's very simple. Everyone can understand it. Um, so that's that's a big driver for us. Um, ease of use, once again, um, all all these things are kind of plug-and-play. Cost, uh, main driver. I mean, there's really nothing too cost uh prohibitive with this. I think the the Raspberry Pi
is probably the main thing. And then flexibility. Um the the Raspberry Pi itself has way more IO than we use. We just use a couple uh different pins that I'm not going to talk about because that's those are some of the challenges. Um but it has a ton of IO. So, if you want to build out some crazy mod to this, you you could. All right. So, the initial badge um like like we talked about previously, V, who's the I think uh Weaver of Chaos was the title she wanted us to use, but she came to us with this design, which is I'm told is the crest for Kristiansand. I don't know if anyone can confirm that or
not, but um this was what kind of where we started. So, I think we've come a long way since then. Um but this is kind of where it starts. We just talk about this idea, this random picture, and then kind of a little bit of functionality, and then we just build around that and iterate consistently. And this is what we ended up with. I was also told that Norwegians love ducks. I don't know if that's a real thing or not. Um, I'm not sure why we went with ducks, but we we did. Um, so this is the the hardware prototype that I'll get into a little bit more. I'll quickly breeze through this as well. Stop by. We're going to be
upstairs all day. So, stop by if you're actually interested in building a badge or building, you know, some electrical components, but uh key component selection is the the main thing, right? Like I said, the Raspberry Pi Pico was the main driver for us. And then from there, it's getting into, you know, what kind of power rails do we need? What, you know, what are the other major components? In this case, it's really LEDs and the Raspberry Pi. In bigger boards, those are major drivers that can impact um the entire, you know, selection process. From there, just kind of laying out the schematic, what's connected to what, which interfaces are there. Um, looking at the footprint.
Footprint is basically if anyone's not uh doesn't have a double E background. Um, how it's oriented on the board. So, if you look, each one has, you know, some pads that are connected um to different traces and those have a different footprint. So, you need a specific footprint for a specific component. Um, and it impacts how you lay out your board. Um, PCB layout's the next step. Um, so just arranging the components. And this is honestly one of the most fun parts because basically you put all your components out on the board, you see kind of where they need to connect to each other and you're literally just connecting the dots. So it's almost therapeutic. Um, remaining
component selection. This is a lot of times these passive components like resistors, capacitors, um, inductors, things like that that are a little easier to find and don't matter as much. That's when this can come into play. And the reason I like doing it like that is because with a a more densely laid out board, it's it's uh easier to kind of just get your main parts out there and then fill in the gaps later on. Um design rule check. If anyone's done a hardware design before, this is kind of the bane of your existence. Basically, it throws a bunch of errors and says, "Hey, you can't do this. It'll blow up the board." Uh and you have to go change
a bunch of stuff and in my case, ignore a bunch of stuff. Um fabrication. Um, we do these all with a third party. I don't know in Norway. I don't know what's the best. Uh, if y'all can't tell, we're from America, uh, Texas specifically. Um, but so we use PCBWay in in China. Uh, and then assembly and testing. We get a lot of them and just do some rapid iterations on testing. All right, briefly go through this. We use KiCad. There's a ton of EDA solutions. KiCad is open source and works good enough for these purposes. Um, iCircuit. Once again, I'm on macOS, which killed us this morning, but I use that for circuit
simulation, which in this case is not a lot. Um, schematic design. Briefly run through this. We've got a Raspberry Pi. We've got a bunch of LEDs. We've got what is that? A Tag-Connect. It's not actually on there. Um, this is just a power rectification circuit. So, it takes the battery. This is all basic. You can get this from um you can just get that from the component website when I'm looking at what what voltage rail I want. So stepping up three to five. This is a switching circuit. These LEDs pull a ton of current just sitting there off. So what we do is we actually trigger a different voltage rail. So you can see
that enable if anyone can read that enable VLED. So there's actually a pin that triggers to enable that voltage rail so that we can hopefully preserve the battery life. But we'll see how that goes. Um board layout. This is what the two-dimensional board layout looks like. So basically it's just a bunch of layers. Um, I've got the what's called silk screen. I've got the custom board shape. Um, I put all the LEDs on front, so it's pretty picture. And then basically everything on the back side. Um, something that's really nice if you're designing boards is you can do what's called power or ground planes. So the entire top surface of the board is power or the the voltage rail for the
LEDs. On the back plane, it's ground. So what that allows us to do is that when you lay out like the the top and you know, you can kind of see it in here. this top up here, which is the voltage, instead of having to like run a trace and like connect it to a rail, it just fills in automatically uh to that top side, which saves you a ton of layout uh for uh for running traces and it makes it a lot cleaner. All right, 3D modeling. You can just kind of see how it looks in the uh the EDA solution. Run through this firmware prototyping. That's one of the the flags up there.
Luckily, it's small enough that I don't think anyone can read it, but uh motivates you to go start looking for stuff. I got to get through this quickly. So, firmware. Yeah, write firmware. Write it in small parts and then put it all together. That's that's basically as easy as firmware is. Use ChatGPT. Um Visual Studio Code is what we use. It's got some good solutions. Like I said, MicroPython. CircuitPython is also super popular, and the Raspberry Pi Pico, very common platform. Uh that's by design so everyone can mess with it because that is the ultimate goal. Um the software is extremely basic. It is just a just a loop that runs and it's got a few
different uh it's got a thread that runs a different web server and you can interact with with the web server, make the LEDs do a bunch of stuff and hack it a bunch of different ways. Um so I'd highly advise y'all doing that. All right, scaling up. Um, we had to make a few of these by hand and this is my daughter actually soldering these up. So, I had to give her a shout out in this, but scaling up is kind of the bane of your existence. I would definitely advise uh if you have like a board house, they can assemble them and also fab them for you. It takes a little bit longer, but it's much better. I mean,
she's a good solderer, so it it worked out fine, but you don't want to be doing this for 150 badges. Uh, yeah. What could possibly go wrong? All right. So, I've got Mo Problems, which is a rap song in the US. I don't know if it made it to Norway or not. Um, but we actually didn't really have that much go wrong. Uh, my daughter, bless her heart, she did rip up a pad and I had to fix it. So, I'm
not sure who got this board, but it's out there somewhere. Um, and basically, if you get a pad too hot, you can rip it and melt the adhesive that's holding it down. So, we had to just patch that. Uh, whoever got that golden ticket winner. Um, the other thing, would an idiot do that? Um, I flashed these all with a there's an access point configuration file. Uh, I flashed it with the wrong one that I was testing with and didn't realize until I was through all 150 boards. So, on our way from Oslo to uh, Kristiansand, we were flashing all of these boards in the car. So, that was a that was a fun time.
Um, also watch out when using AI. I use AI to generate a lot of the slide deck here. And uh Benjamin or Abraham Lincoln had this quote that I don't think is actually accurate that it came up with. Um yeah, I don't think he made any sick badges. Closing thoughts. All right, so hopefully I know we ran through this very quickly. Um hopefully you learned how we did this, a few helpful tools. Come talk to us upstairs if you're really interested, but I would highly encourage everyone to build a badge. It's fun and there's a lot of things you can learn from it. That I believe is all we've got. Any >> Okay. Thank you very much. For those of
you that want to change tracks um to go and watch the the talk that's going to be starting shortly in other now if you want to get into the other venue. For anyone else, we've got another half hour set of badge tinkering. Um go back and have a have some more Q&A. Um maybe look at some of the design aspects. Sure. >> A little bit larger. >> Um, so if any of you are wanting to change tracks, now's the time to do it. Um, otherwise we can go on. We'll just let people move and then we can carry on with some Q&A. That's good. Well done on speed. Thank you guys. Thank you. >> Thank you.
>> Yeah. I knew I knew the keynote was going to go long and then >> it was a good keynote so I didn't want to leak but I I felt like I should have came in here to test stuff.
>> All right. Um questions and answers. >> Yeah, that's definitely not malware either. So I would I would go to that website.
Yeah, thank you.
>> My my first impression is that this badge is very accessible. >> Yeah. >> What do you mean by that? >> It's not not so steep learning curve. >> No, it's actually the goal is to kind of, >> you know, incrementally go up in terms of complexity. There are some that are I wouldn't say anything's like really that crazy of a a vector, but there's the the hardest one um involves a little bit of effort to get into, but um there are some easy ones. I mean, if you just go to the website, you'll get a few of them. >> Yeah. >> So, >> the 24, >> which one was that? That was the um
>> that was the the game the Game Boy one. Yeah, I think it was a interorg x86 controller they used. >> Oh yeah, I thought they used the RP 2035 or something. The new Raspberry Pi Pico. I think it was the daily event. Yeah, that badge. >> But I don't know. There's a ton of badges at at Defcon. Did you go to Defcon? >> Yeah. >> It took me a while to get the console out from that. >> Oh, really? >> We didn't even mess with it. We were so busy at Defcon this last year that we didn't mess with it. We had our own badge. >> I was gonna say if you saw the ambulance
badge we made for Biohacking Village last year at Defcon. >> Yeah, we made a breathalyzer for Las Vegas. >> It was fun. >> It wasn't accurate. >> No, we had to explain it. That wasn't a flag. Like don't try to >> do not try to get the high score. >> Lock the last because that was a real concern. >> Yeah, I have. >> Awesome. Well, I know I ran through that really quickly. I can go back to any slides if anyone had any specific questions, but did y'all have any questions about the badge or the process or or anything like that? >> I've got one for you. And how when you're designing like the challenges
around it, how much of it is >> in your mind sort of getting the balance between software based challenges >> and hardware based? >> That's a good question. Um, for for me, you know, I I lean towards doing the hardware side of it and I think Kyle mentioned it before. It's like hardware is kind of a thing where I think people are kind of wary or scared to to venture into hardware because they think it's more complex for whatever reason. Um, so I I like the hardware side and then we just build software on top of it. But you know the hardware to me and hardware uh exploitation is really just using a different set of tools. It's
kind of the same practice. Um, so just learning these new tools and learning that, you know, there's a just tell tell you guys there's a serial interface on here that basically spits out a flag if you can figure out how to decode the traffic. Um, I see this on like medical devices still in the field. Um, so things like that I I want to make easier for people and then also draw attention to the fact that hey, probably don't do this on a medical device uh in in production that's like giving life life-saving therapy to somebody. single IoT device out there that almost has a >> right default passwords um you know hard-coded keys these are all things
that are that's another thing with the badges like trying to draw attention to common mistakes that people actually do make >> yeah and then going back to accessibility I mean the one the hardware pins we do have on it like we try to make it entry level more beginner just because and this is where I come in because I have to he's an electrical engineer you know I'm the I'm the non-electrical engineer right so I have to curtail these isn't making it all hardware hacking for the badge because I realize that there's just there's different levels to this, right? And and you know, he's wearing a recon shirt for uh Montreal later this month,
right? We're giving a an advanced embedded hardware training at that conference, but it's like it's not fair to apply those same methods to 100, you know, 150 of these to >> to tier people even more from getting in bed. Like we want to make it approachable enough that people are interested and then they can dive in. So, What is the best way for people to start interfacing badge? >> Oh, that's a good question. So, I'll tell I'll tell you guys now all the tricks. Um, it is broadcasting its own access point. The access point is driven by the the MAC address of the Raspberry Pi Pico. So, you should all have unique access points. We'll see if that's true
or not. Um but um so it'll broadcast its own access point and then the um the SSID or I'm sorry the PSK is uh actually given to you via Morse code um via an LED on the Raspberry Pi Pico. So after it goes through the boot sequence you'll see a green LED on the back start blinking. Uh I did give you a Morse code decoder because I'm such a nice person. Um but that'll give you access to it. Uh, so that's the that's the intended way to start interfacing with it. And then once you're connected, it's hosting a web server on, you know, I think it's 192.168.4.1. Um, and then you can you have the entire
web app that you can start messing with. Um, but the secret way that I would start accessing with it if I was a hardware hacker would be plug in with a uh micro USB cable to the uh Raspberry Pi itself. Um, and then you can interact with the it's called REPL, which I think is I can't remember what it stands for, but it's like a RS shell connection. And then you can look at the file system and you can do stuff. You can also reset do a soft reset if you want to look up how to do that. Uh, and then it'll actually print out the password for you. So, >> uh, quick question. Uh,
>> is there built-in uh safeguards? If you have the battery en connected at the same time as you connect, >> there's a diode, so you should be okay. I don't know. >> Try it. I think I think you're fine. I don't think it's going to back feed um the way you think it is. Uh because that No, it's not. It's just going to supply more current effectively. >> So, charge the batteries. >> No, you can't charge the batteries. That's so it's expensive to do. >> Disconnect the batteries before >> if you want to be like super duper This is an electro engineer talking. If you want to be super duper safe, you probably should do that. Um but I think
you'll be fine. >> Yeah. I don't know. We can find out. I I don't think I have a micro USB on me. >> The opening talk says that we should never assume. >> Yeah. Well, I make an educated guess that you might be okay >> for varying large values. It might be I've got a board that I'll test it with. Um, we also I think we have a link to the GitHub. The plan is to just update the README consistently through the day and then just maybe give a few hints on how to access the uh the flags. But I will say there are nine flags and I did kind of an Avengers Infinity Gauntlet
thing. So, we've got the Infinity Stones. So, your jacket is what this is called um will light up different colors the more badges you collect. So hopefully I'll see at the end someone's got all the badges. Mine's special um because it's actually part of the challenge. That's another thing. There's a uh there's like a respond aspect of it where you have to go and find uh I had duck one, duck two, and goose. So I'm duck one, he's duck two, and y'all can just go figure out who goose is at some point, but it'll be blinking a different pattern. >> And then the rest of the day, you guys can just basically direct. >> We'll be up upstairs. We've got a
soldering iron if anyone wants to access the uh the serial port if they don't if they didn't bring their own soldering iron or solder or uh say a logic analyzer. We've got all that stuff. So, if anyone's interested in like decoding signals um we can show you how to do that or uh if you're interested in soldering or tinkering or whatever um or just want to come hang out with us. We're super fun. Um just feel free to stop by up there. >> Yeah. PCBWay, how are you doing quality assurance? >> I haven't had any problems honestly. Um, the only thing I mean now with the tariffs in the US, we had to deal with a
little bit of that. So, I had to pay I had to pay duties and taxes on the boards like seven different times. Um, which was awesome. Um, but no, they they've been great. I mean, they you can get like 24-hour express delivery and assembly and I can get like these sample boards I got in a week, which is just insane to me. Um, and then assembly is nice. The only thing with assembly is that you have to deal with sourcing parts. And a lot of times, you know, depending on your your experience might be different here, but um sometimes you can get parts easier in the US than they can in in China in this case. um in
China uh they'll also go and source like you know the passive components or the LEDs or something else because you know a lot of times the US provider will just get it from China anyway so it's cheaper for them to do it but it's just some lead time to go and source all those components with with a with this it's pretty easy but with a bigger board it can really take a lot of time. All right, any other questions? All right, let's see. You want to give any more uh Easter eggs? I said too much. >> Give a lot to uh those who stuck around. So, it' be fun to >> y'all y'all make sure and also inspect
the content of the uh the web pages as well. That's the last thing I'll say. All right. And then there's also, like I said, the hardest flag to get gives you all the flags inherently because I don't have a uh a TPM or like a secure element on here. So, if you crack the intense one, then you'll get all of them. And actually, on that badge talk, I had it in there, but I don't think anyone picked up on it. So, if that's it, we're going to run upstairs. Y'all feel free to follow us and we'll turn on that soldering iron and and help some people start looking at stuff if y'all want. But awesome. People, really appreciate
the time and uh yeah, y'all have a great conference. Thank you very much. You have sold us and some new clippers up there as well. Thank you. >> Oh yeah, we also put there's only nine challenges, but we didn't spend a lot of time like making it secure. So there might be some more ways to hack this badge. So let us know if you find like a buffer overflow or something somewhere.