 Without further ado, I give you Kingpin and Zoss What is up you guys ready to get B? Sodomized All right, so my name is Kingpin. I'm Joe grand one of the guys that worked on this thing I designed the badge for those who don't know and I'm an electronics guy. I like electronics and I like messing with people and that's why we did this Yeah, I'm Zoss. I also like to fuck with people and I wrote I do code mostly But also a little bit of hardware stuff and I did the family for this So what we're gonna do? This B. Sodomizer device is something that Zoss and I came up with while we're doing a brainstorming session for something completely different And I think he has a good story to tell about that. Yeah This is one of the things about working with Joe. It's like, you know, we work opposite of desk Most of the day and I said to him one day. Hey, you know, I got this idea for Something that would throw up a blue screen of death that lives in a VGA dongle And you wouldn't know where it was like what do you think would be a good micro to use for that and Joe's like Oh, you know, I think you could use a propeller for that and he came in the very next day With a propeller board built and throwing up a blue screen. I was like shit, you know You better leave something for me to do it but fortunately There was it ended up being a lot more to it than I thought to miniaturize all this stuff and get it into a package that could actually be a VGA dongle so yeah, and If you guys haven't actually read the abstract what this thing is is a tiny little board that sits in line With your computer monitor and a PC will not yours, but the targets computer monitor and the PC every once in a while it will throw up a b-sod or Some other things customizable by dip switch settings. It is also enabled by your Defcon badge and Yeah, we'll get into the details of right now So we're gonna go through like designing the hardware Designing the firmware, and then we have some video of a poor friend of ours that got totally Bessotomized yeah, you know a technical person, you know familiar with with computers and stuff So not just some ordinary sap, but you know a guy with a PhD even got totally Bessotomized So this this one this thing really works on people. Yeah, so everything that we're talking about here the All the schematics of building materials the firmware the Gerber plots for the PC board layout Everything is available in the Defcon CD. I'll also have the this final presentation up online and You can build all of this yourself We are gonna have we have like a few PC boards available But we might assemble some kits and the stuff as you'll see they're really small surface mount parts but if you have the skills you can build it yourself and That's the intent. Yeah, and if people are interested in this and they don't want to build it themselves We're thinking about doing a run that's fully assembled So definitely let us know because we'll do that if there's interest for it Yeah, and we'll actually end up telling those through kingpin empire Which is a new thing that I've just started up a new kind of hacker inspired apparel line But donating a percentage of proceeds back to various like hacker related charities. So AFF easy EFF ACLU health related charities. So if you buy a B. Sodomizer money goes to a good cause All right, so the the core of this device is the propeller and this thing is a new microprocessor from The guys at parallax and they make the basic stamp and a lot of hobbyist electronics and robotics things Up in the hardware hacking village. We had a bunch of basic stamp twos little Microprocessor modules that run run basic. So parallax is kind of doing some really cool stuff And this part was designed completely from the ground up from the chip from the chip level From the gate level all by hand by chip Gracie Who's the guy that started parallax and he's just an insane Engineer and just wanted complete control of the whole project. So he just started from scratch eight years. It took him to build this thing Yeah, it's a really interesting hardware design It's as far as a small microcontroller goes it's basically designed for multi-threaded operations So it has a whole bunch of these little cogs inside that are like independent processes But they have a shared memory and they can communicate with each other and so what you can do is you can put out areas of code to an individual cog and The scheduler runs around and it gives time to each cog in turn even if a cog is not active it gives the time so you can do time prediction and So it means that you can really write pretty close to like multi-threaded code on this little micro Yeah, and this thing there's a lot of a kind of community development around it Something that parallax likes to do a lot of so they have discussion forums and object exchange So you can write little modules for this thing called objects put them up on the site and sort of trade with people And yeah, you can write it and spin which is their own sort of language that they develop for the propeller or assembly or C We did ours and spin Requirements for this thing the propeller runs on 3.3 volts. So we needed a linear regulator for that But it can run up to 80 megahertz and lots of IO pins. Oh And the interesting thing is as opposed to most microprocessors these days that have Their flash or their ROM internal for program storage This thing uses an external doubly prom which I'm not exactly sure why it's totally insecure So people won't be able to use this for any security types of applications, but I don't know that was just something chip wanted to do This was our first sketch and This this set it off We were sitting around and sketched this thing out and it was very simple DB 15 in from VGA Some sort of switch DB 15 out and then we had our little feature set and this design No thing was actually useful because the night before we're ready to ship off at Defcon I was going back through the slides and I noticed that it said that there was a Mac or a PC version on this first scrolled note And I've forgotten to do that so shit as I quickly coded up the Mac kernel panic version So this is the initial block diagram of the hardware basically just I Have a propeller doing the the VGA drawing to the screen and that's controlling an analog video switch So essentially we're just passing through the VGA signals from the target computer to the monitor But then every once in a while the propeller will take control switch over to its own VGA output and then dump that to the target so conceptually very simple and The VGA output that's being done from the from the prop is a text display because the B slot is just text So it's not having to store any kind of internal image and render that out but it's drawing at 1024 by 768 and There's I'm sure you could get it to output various kinds of images if you wanted to yeah And the schematic is just a cleaner version of the block diagram. If you look closely, which is very hard on the screen There's two linear regulators. So we have two CR2032 lithium-coin cell batteries stacked in series on the board So we have six volts total coming in We step that down to five volts for the video switcher and then step it down again to 3.3 for the propeller And then we have in Fred receiver standard stuff the doubly prom the memory switch or the video switch and some switches originally I wanted to power it off VGA power signal because the VGA spec does include power on one pin But unfortunately most video cards don't bother to support it. So we had to include the batteries Yeah, the VCC line on there is I don't know if it used to be supported or if it's starting to be supported But I have a feeling it's not I mean now with DVI it's sort of becoming obsolete anyway Yeah, so one thing we figured out the night before we were leaving for DEF CON like Actually right before we were gonna hose our friend Is that one key feature to the b-sod amizer is once you plug it in and it flashes up the b-sod or whatever image You want we wanted a way for it to know if the person had turned off their computer Right because you get a b-sod and the person's like shit They turn off their computer We wanted it that the monitor wouldn't still be displaying the b-sod image from our circuitry I mean this this device can be an extremely sadistic piece of equipment because It knows when you reboot and it has a timer so it'll throw up another b-sod So if you have a really unsuspecting individual they could spend hours Rebooting their computer crashing reformatting their drive whatever So if you do get a circuit board from us from the fact from the view that we have left You need to add your own line in which is just monitoring the the horizontal sink And that way is Oz in his firm work and detect if the monitor is plugged in or not Yeah, we originally intended to take this to have to make a bunch of these and Take them to like a best buy in a circuit city and so on and you know, I stole them on the demo computers But you know as as you know if you came to Joe's badge talk You know getting hardware made can often take longer than you think and this was no exception We had this this one that we put together made about a day or two before we had to leave for Defconn So we didn't have time to do that, but maybe you guys can follow on a footstep. Yeah We sort of expect that you guys would do that and then film it and put it online What's that next year CES show. Yeah, not us, but maybe one of you guys So the bill of materials is here and it's also on the CD pretty basic mostly discreet parts And then you just have the core big features the microprocessor and the video switch and stuff like that Which are all pretty cheap the propeller is the most expensive Which I think was like seven or ten dollars in quantity, but given what it can do. It's sort of cool This is the PC board layout This thing was a complete pain in the ass to route because we wanted it very small We basically wanted to get the unit as small as we could to fit just the VGA connectors and the battery holder And then all of the parts would be mounted on the back side. So I Had to hand route this whole thing a four-layer board only used three layers of it But hand routed completely it probably took I don't know like ten hours twenty hours to do And it's as small as possible. So it's almost like two two inches by one inch Yeah, the amount of swearing that I heard coming from over at Joe's desk while he was rallying this in Altium I was I felt like he was getting besautomized by it as well Yeah, it really sucked and then of course doing a board like that That's very complicated and we have a bunch of small surface mount parts on there Like I had no idea if this was gonna work before we did it because typically you'd build a prototype first test that out With all of the functionality before you build the board and we spent a few hundred dollars on getting these boards done But I didn't have time to test the video switcher before we did this final board So Zaza had been developing on just a straight Drawing stuff directly to the screen with the propeller. So this was the first time we tested it With the board that was a little nerve-wracking But it worked minus that one blue wire we had to add on Assembly drawings you can hardly see but they're gonna be useful if you want to assemble your own We do have it's a blackboard with red silk screen and the red silk screen is dark and covert So it doesn't stand out too much when you plant this on someone's desk But it's also hard to see if you're assembling your own But you can see all the parts are on the backside pretty much Yeah, we were also planning to put it in an enclosure that made it look just like some kind of VGA to VGA dongle, but cause that was another thing. We didn't have time to do And it looks better this way Here are just some steps of Assembling the board and what it looks like at the end the two images on the right Are the completed versions you can come up and ooh and odd it later if you want And then there's a little programming header on the lower left picture Is something called the prop clip and there's a four pin header on the board You just slide this prop clip on top and that's how you can program the propeller So if you want to make firmware updates, which we which we did up to the last possible minute That's how you do it And here is firmware Yeah, so a lot of the stuff that I that I used was just up from the parallax object exchange So let's save a lot of time I didn't have to write the VGA driver or the infrared decoder, which is good because we added the infrared functionality right at the last Minute, we thought it would be a nice tie-in to the depth comb edge And it's a lot of fun when you can really mess with people in real time, too So the VGA drivers 1024 by 768 the infrared decoder Fills a FIFO so the you don't have to be watching it all the time You can come to it every so often and see if you've received an infrared off code The main goal of the firmware and the main thing that really took took some time was power saving because those two little coin cells Don't really like driving the propeller at the full 80 megahertz But you have to fire it up to 80 megahertz to drive the VGA driver. So The the 43 milliamps that it pulls will pull down those cells really quickly it won't last very long But you you want to have this thing sitting on someone's desk, you know for at least a day or two to really mess with them so What I did was slow down the main loop to just two hertz so You know, you might notice a little bit of delay on a reboot or something like that But chances are the target's not going to notice The rest of the video pass through mode operates at five megahertz And I wanted to slow it down even further the the propeller has a RC slow mode which is actually something like 12 kilohertz and it consumes almost no power at all But I had some problems waking it up from sleep So I bumped it up to five megahertz, but if people wanted to screw around with that I think you could probably get it to work in RC slow mode So the average current while it's passing through video is three and a half milliamps So you can get about 78 hours of runtime with it off the two cells And that's including, you know, throwing up the occasional b-sod Yeah Anything with the CR2032 cells if you guys had the DEF CON badge from last year they don't like Having to provide more than like 10 10 milliamps of peak current So we definitely we had to get the power down and we didn't want you to have to like run up and change the batteries Very often the other thing is it has these two internal oscillators in the propeller And it has a phase-lock loop multiplier. So you can actually go through a lot of different speeds on the fly and it doesn't take long to switch just 10 milliseconds plus 75 microseconds I think So there's no onboard timer that can last longer than the 32-bit counter. So that wraps in about 53 seconds So I had to write a separate timer so that it could throw up b-sods anything up to like a half an hour after someone uses it With the reboot behavior, we just looked at the the video h-sync and that's a normally high signal But you get a low pulse every 20 microseconds So you have to just sample out a few times to make sure that you really are getting a reboot and not just synchronizing to that that low sync pulse We have a bank of dip switches on there so you can set various different modes. So you can set Windows versus Mac Crash modes the two middle switches let you set timeouts so you can have one where it'll never time out and you can just use the remote They go all the way up to 30 minutes just to be really sadistic to give you a chance to really get back to work and start doing something before you before you make them make me have to reboot and then Switch four is kind of like a kindness mode it After it throws up the b-side it waits 10 seconds and then throws up the goat sea of death to tell them They've been beside of my so if you don't want them to have to reboot you can you can do that one and of course you can make all those changes yourself in the firmware and With the remote control you can throw a b-side just with the power switch. So that's what lets the Defcon badge Trigger this thing and then I added a couple of other things just for testing So that you can actually go back from the b-side to the video screen if you want to have mercy on someone I'll really make them confused and then you can also overlay the blue goat sea of death by doing a channel down and Yeah, so the tie-in that we wanted with the badge When you apply power to the to the badges for this year when you take out the battery and put it back in The red LEDs down at the bottom go or the all the LEDs turn on and the infrared LED up in the ninja's eye Transmits the Sony power off code like five or six times. So that's a good way to do it And also when you enter the TV be gone mode It sends the Sony power off command like towards the beginning of the table so you can just enter that mode And and trigger it that way and that was actually really helpful for development because You know we got to the point the night before I'm testing everything and we didn't have a Sony remote control But fortunately we did have a stuff Defcon badge. So we could actually use that for testing All right, so here's an example of I guess the Mac Yeah, so this is an this is kind of a cheat people people who use max will notice that this is an old school Mac kernel panic screen from Darwin 10.1 But I've just changed some of the numbers to make it look a bit more modern So the Mac mode won't really fool anyone that's used to getting kernel panics on the Mac But hopefully that's not too many people. I think a lot of people that get this would still be fooled and there's the goat's the overlay I'm just gonna leave that up for a second So you can admire it All right, so We put together a video we We filmed our poor friend getting totally hosed and We hope you like it. It's like five or six minutes long So we're gonna stand here and you guys are gonna watch it the b-sautomizer is done and We're gonna go set this thing up on our first victim. That's right. Oh, we gotta move quick that coming back We're just filming something in here. Hold on Yeah, we kicked someone out of the lab for us to go plant this thing Our first b-sautomizer suspect set up for b-sautomy He's gonna be fucked Side the door and Zazz is gonna launch this thing with the remote control Our first victim Do you have any comments like oh shit, it's a blue screen of death Seriously, I think I think we have to tell him something. What the fuck guys you just being besautomized I High-five Mike north has been besautomized Another friend of ours were shown it to you Shit my computer crashed I Say that again Mike so tell me tell me your reaction. I'm just sitting there working my computer It's an important email my roommates are getting evicted from our old house and next thing I know right the middle is email my computer crashes Like blue screen of death and I'm sitting there. No, I got a virus. I got a virus the next thing I know I'm getting brown hole by asking art on my computer Who would do this? I'm thinking the deviant mind on the internet. It was infiltrated me Right there taking away everything. I know at first. I was seeing what Scoundrels would do this what internet hackery is it play here? And then I heard laughing from the hall No deviance behind this you guys get next time Wasn't me Well Fortunately, it wasn't me either because I found it on the internet So yeah poor poor Mike north We feel really bad All right, so here's some things that we're expecting to see in the future. Yeah I I really like the idea of these sort of parasitic modules that you can attach to things you know malicious hardware is going to get better and better as things get small and The besautomizer in in just a couple years. I think we'll be able to have a lot more functionality We had a store screenshots of what's going on by actually decoding the VGA signal that's coming through the switcher and It can transmit those so instead of just turning it off with a remote control you could use the remote control to trigger a wireless transmission so that you could grab screen captures from people and Power requirements are going down too so eventually you'll be able to have these little parasites that can survive on microamps drawn off the signal lines on monitors or network Cables and be smaller. I wanted to get it down to be as well as a VGA connector which it's not quite that small but a lot of that due to the batteries and Once that sort of power climate drops down you'll be able to get this inside a connector And so yeah, maybe we'll maybe we'll go with DVI next You know try to monitor stuff open even overlay on top of existing video instead of just switching back and forth there's all sorts of stuff we can do and Yeah, we'll see we'll see what we can come up with next Yeah, but the bright future that everyone has to expect is that you know formally passive elements like cables will not be How to be trusted you just wouldn't be out of trust anything to plug into your computer. Yeah So that yeah, that's that's our talk If there is enough interest will create an assembled run of these things I don't know a few hundred of them or whatever just email us or Go to the just email email me or go to the website and like submit a form and say I want to be sodomizer or whatever and we'll just keep track Or just come up and tell us and and we'll do that So that is it We have enough time in here to answer questions. So if you guys have anything to ask We can answer them and you can come up and use the mic if There's not really one. We'll repeat the question if the batteries do go down. Does the entire thing fail even passing VGA? Yes Oh, here's another question Right. Yeah Make it look like a security dongle So no one touches it and they think it's something really important Yeah, that's a good idea You guys in the back Yeah, we thought about a form factor of a VGA to DVI adapter like these little white ones That you can't see but it's connected to my Mac and yes, we did We were limited by a lot of things primarily I had to hand solder this thing and the connectors are still big But that's the next step is integrating this thing molding it into something that actually looks like a real product that people won't suspect So definitely yeah, that's basically what I wanted it to look like and when it's plugged in and if it had a box around it It would look like some kind of converter that if you were it were technically unskilled and especially, you know Some kind of office worker that doesn't screw around at the back of their computer I think that you would it would be one of the later things that you'd Suspect if you weren't a hacker and one of the things I was worried about when we were setting this thing up on Mike's desk Is I mean we you saw we just laid this thing out on the back of his desk And he had he didn't even see it and he's staring at the computer and this thing's right behind the monitor I was worried all day because we you know We were gonna we're gonna set it up earlier and I'm like well He's totally gonna see it and Zoss is like no, you know people don't really pay attention that much So I was really worried about it But yeah, I mean even something as blatant as this he didn't see So if you make it anywhere close to being believable as a real cable, then they'll be totally fooled The bandwidth of the video signal. I don't remember offhand the data sheet is I believe on the CD. It's a maximum Forget three six five five or something. I don't know my mind is gone I don't know. It's in the schematic. It's fast enough to support Very high resolutions because it's designed for use in laptops for docking stations and things like that to switch between the like the Internal video generation and going at external so it's a fast fast part off the shelf made by Maxim Yeah, we tried it on Mike's computer up to 1600 by 1200 and definitely works up that far Any other questions? Yep Who do we use as the model for the ASCII art? I just searched it did a Google search for ASCII goat see and it came right up Yeah, so that actually that probably means that Google's now storing ASCII goat see in my profile for all time Someday, I'll get I'll get like things in the mail that you know offered to sell me things related to goat sees Yeah healing the problem Any other questions? No, all right. Oh, there's another one Working to get the kids right now. There's no kit We do have a bunch of parts, but Unless you really want to spend the time soldering everything on which some people do but it's a pain in the ass to distribute the parts right now Because they're all tiny surface mount. So we have a few boards that we can sell Just bare boards and then we'll make a run of the assembled ones But just making kits for something like this is too hard and then of course we'd have to support everybody that Shorts together their TQFP 64 and their QFN 32 and their 0603 parts. So We don't we don't like customer support. So we don't want to have to do that Yeah, if anyone is really super psyched to do it, we do have like a few sets of parts and I'll You know cut them all off the reel and give them to you, but Only if you're super psyched to build this surface mount thing I certainly wouldn't build it after seeing what Joe had to go through to do it and I wouldn't really do it again either All right. Well, thank you guys