Skip to content
Modifies your DEFCON27 Badge into a Jackp0t badge that will complete other attendee's badge challenge/trigger rick roll when held within a few inches of each other.
C Makefile C++
Branch: master
Clone or download
Latest commit 80183fa Aug 14, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
dc27_badge Jackpot Folder Unzipped + More README.md verbaige Aug 11, 2019
imgs Future applications and instructions for LPC Aug 11, 2019
.gitignore Create .gitignore Aug 10, 2019
Jackp0t.zip Add files via upload Aug 11, 2019
LICENSE.md Issue #7 Aug 11, 2019
README.md preferences Aug 14, 2019

README.md

Jackp0t

Modifies your DEFCON27 Badge into a Jackp0t badge that will complete other attendee's badge challenge/trigger rick roll when held within a few inches of each other.

Click the image below to watch the video.

Contributors:

Table of Contents

  1. The Challenge
  2. Required Hardware
  3. Required Software
  4. Flashing
    1. LPC-Link2 Setup
    2. Black Magic Probe Setup
  5. Future Applications
  6. Credits
  7. License
  8. Publicity

The Challenge

This year's DEFCON Badge challenge involved social interactions with an RF Badge. A regular attendee is challenged to find and touch badges with 10 different badge types (including Sponsors, Vendors, Goons, and even Press). This becomes super challenging when you have to find one of the 20 individuals out of a 30,000 person conference with a Black "UBER" badge (an exciting but non-trivial task). It was much easier for us to figure out how to flash the DEFCON27 badge to do three things:

  1. Automatically complete the "touch 10 different badge types" challenge
  2. Easily help our fellow attendees by unlocking their badges with one that can act as a chameleon, emulating all other badge types.
  3. Profit ???

That's what the Jackp0t badge does. It automatically puts you in a "COMPLETE" (or win) state on boot and emulates all the different badge types to complete other attendee's badges in a matter of seconds.

Check out our demo video

How Did you Become a Village?

Quality Rick Roll

Required Hardware

Required Software

  • nxp MCUXpresso IDE 10.2.1
    • an IDE developed by NXP to use with the LPC-Link2. If you are flashing using the Black Magic Probe you won't need this.
  • FRDM-KL27Z SDK 2.4.1
    • the SDK for interacting with the MKL27Z64VDA4 microcontroller with the MCUXpresso IDE.
  • GDB
    • Powerful GNU Project Debugger. Used to interact with the Black Magic Probe to flash images

Flashing

In order to debug or flash your device, you’ll need one of the many ARM programmers available. We've confirmed two different ways to flash. One using the LPC-Link2 + Tag-Connect Cable and one using a Black Magic Probe + Tag-Connect Cable. Depending on your available hardware/software please reference the appropriate section.

LPC-Link2 Setup

  1. Install the MCUXpresso IDE on a Windows Machine.

  2. Install the SDK by dragging and dropping the SDK Zip file into the MCUXpresso IDE.

  3. Clone the Jackp0t repo.

    $ git clone https://github.com/NickEngmann/Jackp0t.git
  1. Copy/Import the Jackp0t/dc27_badge folder into the MCUXpresso IDE.

  2. Plug the Tag-Connect Cable into the LPC-Link2.

  3. Attach the Tag-Connect Cable to the DEFCON27 Badge.

  4. Click on the Flash Button to Flash the Board.

Black Magic Probe Setup

  1. Download the jackp0t.bin binary

  2. Install GDB

  3. Plug in the Black Magic Probe into your computer via USB.

  4. Update the firmware on the Black Magic Probe.

    We initially ran into a lot of issues with the default firmware on the Black Magic Probe. If you update the firmware using the master branch of the wiki, flashing the device was becomes far more consistent. Check out Ross' instructions on how to upgrade the firmware on the Black Magic Probe:

    To update your black magic probe, clone the firmware repo from Github build it with make and then perform a DFU update on your probe with the following command:

    sudo dfu-util -d 1d50:6018,:6017 -s 0x08002000:leave -D src/blackmagic.bin
    

    -- Ross Schlaiker

  5. Open up the arm toolchain.

    $ arm-none-eabi-gdb
    
  6. Connect to the Black Magic Probe Device via GDB.

    $ (gdb) target extended-remote <device> 
    

    On OSX is /dev/cu.usbmodem <some ##>

    On Linux is /dev/ttyUSB0

  7. Touch the Black Magic Probe + Tag-Connect to the SWD pins on the badge.

  8. Use the monitor swdp scan command to connect to the device using the Serial-Wire Debug Protocol.

    $ (gdb) monitor swdp scan
    

    Output:

        Target voltage: 1.8V
        Available Targets:
        No. Att Driver
        1      KL27x64 M0+
        2      Kinetis Recovery (MDM-AP)
    

    If your scan doesn’t return KL27x64 M0+, and instead returns ‘Generic Cortex-M’, close GDB and retry. This seems to be a race condition of some sort. -- Ross Schlaiker

  9. Attach to the KL27 Microcontroller.

    $ (gdb) attach 1
    
  10. Allow GDB to allow access to memory outside of the device's known memory map. This is useful to allow access to memory mapped IO from GDB.

    $ (gdb) set mem inaccessible-by-default off
    
  11. Set the binary file. Make sure the binary is in the current directory.

    $ (gdb) file jackp0t.bin
    
  12. Load the binary onto the board.

    $ (gdb) load
    

Future Applications

Figuring out how to edit the source code and successfully flash these badges opens the door to tons of different future hacks. Feel free to use these instructions as a jumping point to create complex hacks like turning the badge into a custom clock!

Credits

License

This project is MIT licensed.

Publicity

You can’t perform that action at this time.