Wow, is this thing on? Yeah, good. All right, we're going to get started. My name is Joe Grand. Some of you guys might know me as Kingpin, and I'm here to talk about the badge and stuff. But first, somebody told me to put this up. Apparently there's somebody at DEF CON, Dateline NBC, undercover, purse camera, trying to get pictures of feds and hackers. And if she's in this room, watch the doors, make sure she doesn't leave. But if you see her, if you see her anywhere in this conference, find a goon as fast as you can because obviously we don't want people like that here. So please somebody find her. Unless you want to film this presentation first, Dateline, you can do that. That's right, apparently you get a letter of commendation from the NSA. Is that right? You get a recommendation from the feds. It's like a get out of jail free card, I guess. So you're going to want to find her. One other thing is, I've heard there's press in this room that are allowed to be here, but they're taking pictures from the back of the room. So if you don't want your back of your head taken a picture of, cover it. But I just want to tell people so their picture doesn't end up somewhere allowed to be. Alright, now in all seriousness, we need to start this presentation with a little poem. I thought it would be fitting. It's called, An Ode to the DEF CON 15 Badge by Joe Grand. You can follow along by the way in page 3. Oh, I do need to apologize for the second year in a row for the stupid picture that they keep putting in the thing. That should never have been taken. Alright, now we have to be serious for a moment. 170 hours of total time spent. Two nights of my honeymoon. Oh, how I lament. And my wife's frowning at me right now. Three circuit board revisions to get it all right. 863,600 total components bring them to light. 6800 hackers wearing the badge in all its glory. If you want to learn more, then don't leave and listen to this story. A matrix of 95 LEDs. Five columns by 19 row. 
Two coin cell batteries make the current flow. Six text cutouts and solder mask colors to show. If you're a human, speaker, goon, vendor, press, or uber bro. Press for that. On power up, the badge will not make a peep. But fear not. It's by design. It's only asleep. Touch the top icon. It's a button, really. And get a scrolling text message intended for thee. Touch the top icon yet again. Just trust me. And you'll move to the next mode for custom text message entry. Yeah, you can set your own messages if you haven't noticed. Hit the bottom icon to begin your noble quest. Then use either icon to cycle through the list. Tap both icons to save a character to your queue. 16 letters long is the maximum we can do. When you're all done, seek out the solid block. Tap both icons again, and on the screen your message will walk. The next mode sets the speed of your inscription. You can change it like a baud rate or a doctor's drug prescription. Select the scroll velocity between the numbers one and five, which goes from slow and boring to a thrilling autobahn drive. Remember to tap both icons for the badge to come alive. Next, we arrive at our last badge state, finally. A special treat known as Persistence of Vision, or POV. Wave the badge in front of your eyes in one direction, and a secret message appears magically like the morning's first erection. I was trying to get through that without laughing, but... That's my favorite line. If all you see is the jumbled mess of bright lights, try hiding in the darkness, squinting your eyes, or changing those hard-coded bytes. When your badge is not in use, set the mode back to snooze, or your batteries are going to die. The source code is open, and the schematics are free, as in beer. So now you can be a hardware hacking engineer. Unpopulated footprints for a wireless transceiver and accelerometer. If you don't like how the badge acts, then hack it and make it better. 
You might even win some development tools, a t-shirt, a black badge, or a scarlet letter. For the blood, sweat, and tears behind the scenes of the DEF CON badge, come to my talk on Friday morning, where you're obviously here. It's sort of like The Hodge. Okay, not really, that was bad, I know. Business in front, party in back. Yeah, that's a mullet. I'm Joe Grand, a.k.a. Kingpin from the L0pht, a hacker, not a poet. But that guy, who's sitting in that seat, is a real poet. He was my inspiration. Alright, so I'm going to go through the trials and tribulations of designing this badge, what it's all about, how it works, and talk a little bit about the contest. But first I'm just going to show all of the major functions, and I'll go through how we actually designed it and stuff. The front of the badge, there's two switches, those two icons, top and bottom, in case you didn't get it in the poem. They're capacitive sense buttons, so really the electrodes, the copper traces on the top, are the electrodes. So it's not a physical button, you just put your finger on it. I'll explain all that later. Here's some slides that are impossible to see. But it looks great on my screen. I just wanted to highlight all of the different areas. Is there any way that the AV guys can make that look better? Alright, everyone look to the left. Stage right. So I guess we'll start at the top. QT100, there's a capacitive sensor right at the top. We'll go clockwise. The microprocessor is circled. There's an empty area for a 3-axis accelerometer from Freescale, and we're going to have a bunch of those to give away later on at the vendor area. So that's a little hackable feature. Another capacitive sensor for the bottom button. We have two linear regulators on board to bring the voltage from the batteries from 6 volts down to 2.5. We have our two batteries, obviously. And there's another unpopulated area with a transmit and receive antenna. That's what you see on the left side of your badge. 
And that's a Freescale MC13191FC wireless transceiver. It's an 802.15.4 compliant hardware, which is what ZigBee runs on top of, and some other just RF point-to-point stuff. So if you want to hack that stuff, we have parts as well. Man, we should be in the other room. They're partying. And then at the top, of course, we have the background and debug mode, programming and debugging header, because we got to be able to change the software and we want to hack these things. So got all that and I'll get into everything later. Here's the initial block diagram, which also looks like shit besides my handwriting. This was basically, the Dark Tangent contacted me in January when I was filling up my gas at a gas station. I remember this moment. And I'll always remember this moment. They wanted to do another badge. And if you guys were here last year, you remember the badge? Thank you. The skull-shaped badge with the two blinky lights. I sort of thought that was going to be it. You know, a little cool hardware thing. Then we're going to go back to something low tech. But the Dark Tangent called me up and said we want to do something else. And they wanted to do something with like a scrolling LCD badge. And they had all these crazy ideas of like maybe doing wireless. And we explored using electro-luminescent wire, EL wire, like to glow, all the stuff you guys see at raves and everything. We did all these different experiments with all these different types of technologies and everything. And trying to figure out how we could still do it at low cost. So we ended up with the LED matrix, which is actually 95 LEDs all in the front. And that's what we're doing, all of our multiplexing to scroll stuff. So anyway, don't rely on that for any hacking. I just wanted to put it there. The schematics are in the slides. But one of the most important things for me was being able to get a development environment that you guys would be able to use right away and not have to pay money for. 
And something that would be pretty easy to set up for the weekend. Because last year when we used the Microchip PIC, we had the development tools, but they were still a few hundred dollars. And there were a lot of people hacking the badge, but not as many as I wanted to see. So that was a huge thing for me. I was talking to Freescale at the time who I was using for another project. And they've been trying to get me to use 8-bit microprocessors for a long time. And this was sort of the compelling reason was they have a C compiler, Freescale CodeWarrior, that's free for up to 16K. They have a bunch of different ways that you can debug the hardware through an open source BDM or something they call the USB Spyder, which we're going to have a bunch of them in the vendor area. And just a bunch of other ways that you can actually debug this thing through the background debug mode which is sort of a JTAG-like type of thing. So that was pretty important. And here's the development environment you program in C. Man, you can't see anything on there. Oh well. You can look through the source yourself. It's on the CD. But there's actually code on the screen. Or there's supposed to be. Here's another picture. And that's the little Spyder module. It's just a tiny little USB. It's like a $20 tool or something. So that's probably the easiest way to hack these things. But all the software's free and you can do it in C, which is cool. The neat thing about CodeWarrior which I really liked because the one thing I hated about dealing with new micros was figuring out all of the register configurations to just get the thing to turn on in the first place. So this thing had this nice feature called the device initializer or something like that. And it was a whole GUI-based thing. You could click on the different modules that were supported by the chip. And it would pop up a box. You could just set all of the registers with nice pull-down menus and pretty GUIs and everything. 
So for a hardware guy like me that was really good. The first step, once I decided I was going to use a Freescale part and they threw all these free tools at me and hardware and everything which is if you guys know me, it's hard for me to turn down free stuff. So we ended up using their part and they gave us a really, really good deal. They almost gave us parts at cost I think because they really wanted us to use the part and they really wanted everyone at DEF CON to hack on their part. So free stuff, it was good. The first thing was to create a little development platform since I knew I was going to have a lot of LEDs. I couldn't just build some like breadboard and hack something together. So I had to build at least was sort of representative of what the final badge would be. That circle is the actual diameter of last year's badge because I just used the old circuit board design and ripped out everything and started with the circle. So basically I used through-hole parts for everything so I'd be able to tweak things and remove parts if I broke something and add other components. On the backside, the upper right picture, that little black square is an accelerometer because initially we were going to have all of the user interface controlled by the accelerometer so you'd move the badge left and right, up and down to set your badge, but it was such a pain in the ass. Mostly because I suck at programming that I decided not to use it and that's why it's there as an optional feature because if you're good at programming, maybe you can do something useful with it and maybe win something. So anyway, that was the first thing. I got all the lights to turn on which is a pretty big feat because I have the three shift registers. I'll get into this later but basically I was multiplexing all these LEDs and turning on five at a time really quickly so I got everything up and running. 
I was pretty stoked but the accelerometer was really giving me trouble so I decided to add something else. I'm like, alright, well I don't want to use physical buttons because we did that last year. Accelerometer's out. What other cool technologies can we use that are cheap and that are available? So I found this thing from a company called Quantum Research. It's the QT100 device and it's a capacitive touch sensor and it's super easy to use and basically you just have your electrode and a little bit of circuitry and the chip will output a high or low whether it detects any change in capacitance on the electrode. So in our case our body has additional capacitance and we touch it over the electrode and it detects us. So that was really cool and it saved me because at this point we had like three weeks before we were starting production, otherwise we wouldn't have made the deadline for the show. So we got some development board, soldered them in, made sure everything worked and it seemed to so we went with that and that was cool. This is how hardware guys code. So I had the hardware kind of working and it was turning on the lights but I had no idea how I was going to make the thing scroll. I didn't know how I was going to do the persistence of vision and I was cursing myself for actually agreeing to do all of this stuff but somehow on the airplane somewhere I realized how to do it. So I was able to down, went home and it actually seemed to work. But if you look at the code you'll see what I mean. You're going to laugh at me. Here's a little shot of just experimenting with the persistence of vision and this is what you'll see when you enter that mode. My face is behind that and it's sort of a neat picture if the screens didn't suck. 
Lower left, I was actually testing this thing because you need to move the badge from left to right in one direction or maybe right to left for you to actually see the image, and since I was getting sort of dizzy going like this trying to see it, I stuck it in my bike trainer and the wheel would spin around and I'd watch it try to go, so you can see it's like electrical taped to the spokes. And then on the right that's sort of the old school graphics hacking of coming up with the data table I needed. So if you look in the code there's actually a big fat table that you can change to change the graphics coming across the persistence of vision. It's not efficient at all and we waste three bytes of ROM every line because we're only using five of the LEDs but I treat each line as a byte. So anyway that was sort of fun to put in. Does anybody know this guy in the upper left? Because I've had this picture for a really long time and I've wanted to use it for something. So cool. This is basically the first drawing I got from the DEF CON guys about what they wanted the badge to look like without all the scribbles on it and basically they wanted something bigger this year that was easier to see because last year's were a little small. They also wanted a way to prevent people from painting their white badges red which I know a lot of you guys tried to do and then probably got dragged out by the goons. So that's why we have the actual cutouts in each badge so even the super old security guys at the front will be able to know who you are or who you're supposed to be. So basically we just figured out all the dimensions, put that into our circuit board program and magically we have parts sort of. There's our quantities, what we actually did this year. 
We initially were going to have 8,000 badges but since I went way over budget and each badge ended up costing about $10.73 approximately we decided to reduce it down to 6,800 total, so there's going to be a lot of people in here bitching at us with cardboard badges wishing they had one, so sorry to anybody who, I guess no one has one yet. But if you see one just wave your badge at them and stick out your tongue. So we ended up making 6,000 human badges, 200 goon badges, 125 press, 150 other, 225 speaker and 100 of the Uber, so if you win contests and stuff you'll get those. Here's the first set of prototypes that came back. I skipped the whole design section because I'll show you that later. But this was basically where I had to spend two nights of my honeymoon among many other late nights putting together the badge because we went away for two weeks on our honeymoon and we needed the prototypes back the day I got back so I could build it, test it, make sure everything was fine and then kick off production. So that didn't actually happen. I spent two nights working on this thing, submitted it and the parts didn't actually get made until I got home which I was really pissed off about. But everything worked out just fine except those missed two nights of sex. But we made up for that too. Alright so this is the first set of prototypes there. They're all green because when you're doing prototype design you normally want to get the standard color because you don't want to have to pay extra money just for prototypes since you know you're going to be messing with them anyway. So they're all green and that's what they all look like. The bottom part, the Uber, part of the B wasn't actually milled out right so that was one thing I wanted to fix. So the first one I brought it back to my lab, hand assembled it by hand with love, so it sucked. I got five 0603 surface mount LEDs on the front side and all of these tiny components on the back. 
I actually ended up building four of these along the way so I never want to solder again. So I put it all together and you can notice that there's actually only one battery connector on this one and I'll tell you the story about that right now. So it turned on, it scrolled, everything seemed to work fine until I removed it from the power supply and tried to run it on a battery, and it turns out that the capacitive sensors are pretty unreliable when they're running on a battery source that's not properly regulated, because it needs a really smooth power supply, and I had all this multiplexing going on in really fast digital circuitry, so the power supply line looked really bad. It was really noisy, and I hadn't noticed this any time along the way because I was testing it on a power supply and not with a battery. And also lithium batteries, the coin cells that we're using, don't like high discharge, high current discharge. They mostly are used for, like, battery backup type of stuff, the DEF CON 14 badge, but usually not something where they're actually powering a lot of electronics, and this thing draws about 7 to 10 mA as we're displaying stuff. So this was a big problem because we were already under the gun, I'd spent all this time designing the board, we thought we were set, WTF, I was pretty stressed. The moral is RTFM, which I've already said to a few people today who didn't read the poem, I guess RTFP, about the badge, but basically in the datasheet of the Quantum Research part it said in like big bold letters use a separate power supply, use linear regulator to have smooth power supplies for the capacitive sensors. 
And I'm like, shit, I knew I shouldn't have skipped that page. And then actually after that it was like, this problem has cost engineers undocumented amount of hours, so I felt like a total fool. So what I had to do is add another coin cell to bring the actual total initial voltage for the batteries up to 6 volts so we could power the two 2.5 volt linear regulators, which would then separately power the capacitive sensors and then the rest of the circuitry, so we could isolate the voltage supplies, keep everything much smoother. And you can see there's a little bit of wiring and kind of hand hacking stuff on the back to test this out. So that was good, problem fixed. You can see the top line is, the top shot is our oscilloscope screen shot. The purple line is the noisy battery voltage and the yellow and green are the very clean power supply signals, and they look a little fuzzy because I'm zoomed way, way in to, I think, like 10 millivolts per division or something, so they're really, really smooth. So that solved the problem. Thumbs up from the popsicle guy, we're back in business. And here's a little graph. Oh shit, I just spilled water on my laptop. Here's a graph of a little battery discharge test I did to see how long the batteries would last if I just let it scroll for three days, because I know a lot of people are going to get drunk and forget to turn these things off. And it turns out that, my experiments, the batteries basically lasted about 18 hours if it was scrolling and if you didn't turn it off, but as soon as you turned it off back into the sleep mode and let the batteries sort of recharge a little bit, or at least raise back up to their initial voltage level, then it will go on again. So it's just because of the high discharge current of the lithium batteries. So turn the thing off if you're not using it or you're not going to turn it off or anything. Here's the final circuit board layout, what it looks like in the circuit board program. The left side on the bottom, you can see all the 
different cutouts are on different layers of the board so I could cycle through them all and see that they, everything worked. Here are the assembly drawings, so if you're actually hacking the board you'll notice on the board there's no part designators or markings or anything for you to know which part is which, so we had to put together an assembly drawing and that way the factory would actually know which part is which too. Those are on the CD and obviously they're on the slides, but I don't think the slides are on the CD so that doesn't help you, but you're going to want to look at this when you're hacking the board to make sure you know what you're hacking. And that ties together with the schematic, which is this stuff which you can't see at all. So the final BOM, the bill of materials, is also in PDF form on the CD, but basically we have a bunch of components like batteries and capacitors and LEDs and stuff. Here's the microprocessor that I was hoping to show you stuff on, but it's even blurry from here. The upper right area is the BDM connector and that connects just right up to the microprocessor. There's a pull-up on there for the reset and then all of the I/O pins go off to the different modules. Here's the LED matrix. This is the beauty of the badge, I guess. On the left side are all of the LEDs, on the right side there's three 74HC595 shift registers, and basically I'm just shifting data into these things really fast and controlling one row of 5 LEDs at a time. And how I do that is basically I'll pull, there's a, on the right side there's column numbers, so I'll set all of those high except for the row that I want to enable, or sorry, there's row numbers, so I set all of them high except the one I want to enable, which I'll bring low, and then I control the 5 anodes for each of the LEDs and I set that, and then I scroll in new data and go to the next line and the next line and the next line and just do it really fast, and then it appears to us that everything's on at once. Here the 
touch sensors, you can see how easy it is. There's two of them, the QT100 devices. There's a few, there's a capacitor in there, resistor, and then another capacitor to set the sensitivity, and I'll mention why that's important later. And you can see that little loop at the end is just the electrodes, so they're super easy to use. They debounce for you and everything, so you can just put them in place of switches. Power supply stuff, nothing special. Initially it was just the two batteries and a bunch of the bypass caps, and I had to add the linear regulators, really cool sidepecs parts. Here's a three axis accelerometer. This is what that unpopulated area looks like. So the accelerometers, as I mentioned, are going to be available in the, in the vendor area at my little table way in the back, and I do have some of the discrete as well, but there's not much to it. There's basically the part, few resistors and some caps, and the inputs go directly into the processor. There's a little bit of code that I wrote that's at the end of the source code, just commented out, but I wouldn't really trust it because, as you probably know by now, I suck at coding. Here's what everyone's been bugging me about, which is really cool. There's a whole wireless transceiver area of the board, and again it is unpopulated. This is something that we really wanted to do but it was a little bit too expensive and it seemed little too, like, big brother to me for being at DEF CON, like having badges that are communicating with each other or something. I know I wouldn't want to wear one, so I figured I'd leave it open and see if people wanted to hack with it. There's something called a BeeKit which you can get, freescale.com/ZigBee, because this transceiver supports the 802.15.4 standard. It can do the SMAC, which is a simple MAC wireless interface, like point-to-point type of RF stuff, and then also ZigBee, but apparently Freescale has a ton of tools for free and a bunch of source for free for ZigBee and SMAC and everything, so you can 
actually start developing with this thing, so we'll have parts as well for that. Here's a little circuit that's not on the board at all, but there is a UART on the board that you could use to send out serial data, so if you want to just build a level shifter you can do that, or you can hack like a USB to serial adapter or something. Here's just a picture of some of the parts when they came into my house before I had to ship them out. I keep track of everything that I'd shipped off to eTechNet, which is the manufacturer in China that makes the boards. They made the boards last year too and they're in the vendor area if you want to give them a high five. We sent them a lot of boxes, I think like eight or nine boxes of stuff, and you can see the date, oh, you can't see actually, but July 5th was the final date on this page. I sent them something as late as July 20th and that's when they started manufacturing the boards, once they got all of the parts, so it was really, really close. And then it turns out that I bought the microprocessors, I was going to have them programmed by Future Electronics, and we go to try to program them and it turns out that no programming house in the country had the socket for the QFN surface mount part, which is not a new part, it's not a new package, because no one's ever programmed the part, I guess, or something. So here we were like a few weeks before DEF CON and no programmed parts, and that really sucked, but then it turns out that Arrow Electronics dug one up and they had the socket and they saved our ass and they programmed the parts and we got them. So there's a lot of logistics and dealing with vendors and trying to get good pricing and making sure everything comes through that I didn't really talk about here, but it was pretty stressful. Here's some pictures that I got from eTechNet from the actual factory that were building these boards, because last year I was really curious about seeing pictures but they just didn't take any, so this year I hounded them to get 
some pictures so all of us can actually see how they're made. The top left side are, you can see all the stacks of the bare boards and applying solder paste in the machine, so they're basically stenciling on all the solder paste. Then they use a machine, first they do the top side, so they pick and place all of the LEDs, no more humans involved luckily, which is how they did this in two weeks. Then they'll do the back side through that machine where all of the different reels of electronics are hooked up to this thing so the machine can just pick them and know exactly where they go. Goes through the reflow oven, which solders everything, and then you have a human there to do the final visual inspection, and then we also have somebody doing the final test, so that's why these badges should work when you actually get them. So they actually pulled it off. Luckily the final batch of boards arrived on Wednesday while I was at Black Hat and they were shipped to Black Hat, and yeah, so they all made it. And this is actually a picture I sent to the Dark Tangent when I got the first set of first articles back, and this is actually, I had reversed the image because I have a Mac and I guess I don't know really how to use it. What's that? Yeah, right, it was backwards because I used the Mac, like, Photo Booth application and I guess it reverses the picture or something. So I figured they wouldn't care, they just wanted to see that there was the badges here, but I mailed it to them and I got a response back like a few minutes later: emergency, emergency, call me, call me. And I got it on my phone and email and like they were going nuts and they're like, everything's backwards from what we approved. I almost didn't call them back just to be mean, but I did and told them don't worry, it's fine. Here, they required beauty shots of the six different badges, the six different colors. I think they all look pretty sweet, and there's the back sides. So the badge hacking contest. Now it's a little more organized than last year, but you 
still only have a few days to do it, so really submissions due by Sunday at 2pm. We do have tools in the vendor area. I have a table set up with like soldering iron and some extra components. Someone from Freescale is actually going to be here because he wanted to see what DEF CON was all about, and he's going to be able to provide some engineering support and technical support about all the chips, so if you want to start hacking on stuff and have some questions, he really knows the stuff. And I have a laptop set up with CodeWarrior already so you can do some coding and stuff, but please don't try to own the box because I don't want to have to reformat everything when I get home. And all the schematics are on the CD. They'll eventually be on my website but they're not yet because I'm here. And so the idea is, what can you do with the badge? Can you add functionality? Can you make it do something totally different? Can you make my code better? You know, can you make it talk, or just whatever, anything crazy, cool, obscure, unique. Come show me what you've done by 2pm Sunday. I might be in the vendor area, I might be walking around, but just find me because I'll be here. Also what I want to say is, what can you do by next year, DEF CON 16? The board is pretty complicated, there's a lot of stuff going on, so that's sort of a mini contest of bring back what you did with this thing over the year, because it's sort of a little reference design, little reference platform. I plan to use this for all sorts of other stuff just because it's a nice little environment. So what can you do in a year? Bring it back and we'll have a little mini contest and also give out some awards, and maybe we'll be able to talk about that on stage at some point. So anyway, use it, wear it, modify it, learn from it, break it, do whatever you want, just have fun with it. So I need to give some thanks: Freescale, Future Electronics, Arrow Electronics, eTechNet. Even though, you know, we're this hacker conference, and sometimes we still need to rely 
on the man and on big business to get stuff done, but these guys pulled out all the stops for us and we definitely wouldn't have these badges without them, so that's really cool. And then I want to thank all the Black Hat and DEF CON staff for dealing with me and letting me spend all their money, and that's it. So if you have questions, I don't know if we have time for questions in here. Where's the goon? I'm going to say, I'm going to say yeah, we have time for questions. Email... Two minutes? Okay. Email me, around here too, if you have questions and if you're afraid to ask them in public, but if you have any questions now, I guess we have time for like two of them. So anybody? Any hecklers? How do you do a backspace when you're setting your scrolling text message? There's an arrow, like a left facing arrow, that you scroll through, find that and then hit both buttons and it will go back. That's pretty intuitive, right? It seems so on the airplane. Any other questions? How do you put an arrow? Were you here for the poem? Read the poem again. Any other questions? Oh wait, two at once. I heard, what's the significance of the something, of the geo coordinates in Boston? That's a piece of hacker history that, should I mention it? It's a piece of hacker history that everyone should know about because it was so cool. Didn't involve a bomb scare, or not that I know of. Any other questions? There was one, there was someone else. How do you prevent the text from changing once you set it? You participate in the badge hacking contest and change the code. I actually forgot to mention, one of the worst things that happened is once we got the final prototypes back, we finally took it off the desk for the first time and wore it around the house to see what would happen, and I'm like, oh shit, because the capacitive sensors were sensing my body every time I walked around, and that's what happens when you guys are walking around. So what I did is reduce the sensitivity to as low as possible so your finger press on the top will still do 
something. Usually from the back side it shouldn't trigger, but sometimes there's a big enough capacitance change that it does, so you still see that. Or add a switch to lock it or something. You can, I just didn't. So I guess one more question. What's the significance of "go voice" across the bottom? Man, aren't you guys hackers? You're asking me all the questions. They're easter eggs. "Go voice" is a reference to the old BBS days, for those who remember, like talking to sysops and you're like, let's talk on the phone for real, go voice, and you pick up the phone from your acoustic coupler. There is no significance other than that. Old school. That's to prove my OG-ness. Alright, so that's it. Thanks a lot everyone, and have fun with the badges. Thanks.