 Okay, so we're from Team Rocket and there's a lot of a bunch of other people here also from Team Rocket and Maybe you were on the camp and you also already know much of the rocket But for all of those who didn't learn that the camp here's a short introduction at how everything What's the rocket what the rocket is and? What is going on here in Congress? motivation so You maybe some of you were already on us events like the Hope or DEF CON and They already have a long tradition of Electronical name of badges not necessarily name badges but badges and We found well, that's rather cool. We'd like to do it ourselves, too but Well, we'd like to do it a little bit different not these coin cells which are always empty and Small displays, which you can't see very much and special microcontrollers that you have to program under windows with evaluation Tools limited in size and everything else. You wanted something free with a free controller We chargeable battery and the big display so This was our actually our first batch. It's from the Munich. It's from Munich event a rather small event. We did 300 badges hand-soldered with let's say about five components and we sold 100 kits Which could be populated by the? Participants of the event they sold out in minutes and it was a rather Huge success for us. We didn't expect that it would run so well So We decided let's take it up. Let's take it to a next level. Let's do a batch for a CCC event a big event and the camp offered us the possibility to do this In terms of money it was possible to squeeze the rocket into the camp ticket and Together with lots of sponsoring. We were able to push the price Below 15 euros just below So we added a nice cheap Chinese made Nokia display actually for $1 each we searched for Custom ones and very very expensive we put a battery on it rechargeable a Recharging controller so you can't accidentally overcharge the battery We put on a Well that pointer is useless now We put on a RF interface rather cheap one the same used in the open beacon tags a Arm seven or no a Cortex M3 microcontroller which was sponsored by nxp they gave it to us for free and We added some extension headers so you could develop your own extensions for a rocket and let it serve you as a development board for your own hardware so it was let's say rather a success at camp and lots of people asked us about a new production run of rockets and a We thought about it and you thought about it Rather a long time and it was a question. Where can we actually produce new rockets? our old manufacturer Was a it was a rather it's a one-off. It was a one-off he Sponsored us the production the assembly the soldering and made us a very good price But actually the company is not in business doing this So how much are we going to cost us the next question? We had lots of sponsored parts and sponsored Services and did a lot of things ourselves we sold at 6,000 pin headers and resold out 3000 USB sockets and everything and that's not possible anymore People are getting tired of doing this and we had to do a full assembly and Assembler had to do everything so how many to produce? Well, we had 3000 rockets at camp and now There's going to be about three thousand participants here. So Who's actually going to buy one? Oh? That's not actually a question to you, but thanks We we thought well, maybe a thousand that's a rather optimistic guess we thought and The we started to look around what would that cost and who would pay I mean you have to give you have to give the money to a manufacturer and you get the things and then you get the Money back from the people and actually Thousand pieces at 15 to 30 euros. That's a lot of money and nothing we can personally actually Land to a project So we looked around and Mitch Altman gave us a recommendation at a net in China he's using the web services to do the TV began I think and He gave us the contact there and well the contact said well, okay Let's do a thousand thing pieces, but you have to tell us the price and he say if it's okay Hmm, okay. Well So we gave them a A value a number and they said okay, we can do that for a little bit more. Well, okay, and Actually as it as we asked for a thousand that's a third of the amount of the first run Actually the prices Let's say rather. Okay, I'd say so the 30 euros we are selling them here is not very much There's no much margin in it actually Rather none. Yeah So who's going to pay them We asked the CCC Veranstaltungsgesellschaft, it's a company of the CCC and they said okay Well, we don't believe that you are going to sell 1000. Let's do 300 and our manufacturer said oh Why not do 500 at least the minimum order quantities are so big and We thought about it and we came to a solution. We are we asked pollen pollen is a very special Retail, let's say retail company here. They they ship electronic goods, which are mostly surplus parts and our exotic parts and Things of which are left over from bankrupt companies and everything and we asked them Would you sell our leftover rockets and they said yes We always wanted an arm development board You're going to at least buy from you 300 and everything you have left over but For every one of you who thinks let's buy that pollen not here They are going to add a margin and it's going to be way More than we're selling it right now. Let's say I'd say we are going to sell about 50 euros So prepare for that Etonette is based in China and Shanghai and Mitch also said to us they have good working conditions Actually, I'm going to China in April and I'll visit them and I'll have a look But I believe Mitch in that regard and So that was also I think a point worth notioning They They source for us all parts they exchange it to parts made in China for some of them which were better available in China and Actually the time between the trends transfer of the money to us They sending the rockets away was just five weeks And they arrived really early let's say for this purpose for Congress in end of November I think that's nice and Actually, we were looking around for custom tariffs for rockets and we found one Well, that's 3% customs and some 0% customs and We sent a sample to German customs to evaluate it and tell us what is okay. Would it be 0% customs and Well, the Chinese thought let's just put on a customs number which says PCB board with no active components And especially no integrated circuits Went through no problem So That's a rather nice thing. I'm not sure if they put that custom code on every single Thing may ship to Europe. Maybe So and now our PCBs this time are actually yellow the PCBs from the camp had some Greenish tone and they should have also been yellow They were also made in China, but actually it seems like a ton it has a better PCB manufacturer we Santa may test from well they tested all rockets made sure that But the hardware parts work that the RF works that the ADC's work at the display connector and everything works turned out. Okay, so They also send us an email and it said below 40 degrees Celsius 15% of your rockets fail Nice Well, not really a concern for us, but it seems like they also tested it in a climate chamber Didn't ask for that, but they did and it's rather nice. I'd have to say I have to say so now sex part Okay Okay About the rocket one of the things we found important was extensibility So we added what is called the module bus Which allows you to plug in custom modules? Which has supports an I to see bus or SPI? That's these two nice black connectors at bottom they Support the the flame module which we sold at at camp which sold out quickly We made new flame modules actually enhanced flame modules with an RGB LED Which are sold here? The current firmware supports supports both of them We invited everyone to Do their own modules. We had a few people doing a few of these Had like the Geiger counter at camp someone made a small Geiger counter So I think we have another slide for that later on One one feature we we did with the pin headers is they're designed in such a way that you can't Turn the module by 180 degrees and it still works So you don't have to Well watch out which way you plug it in and still works I think that's it Yeah, and actually if you have sexual connectors you can plug in multiple Modules into each other and it's it works what you see in a picture all of the flames will work We have the hacker bus which is our which are the nice unpopulated holes that the right right and left of the displays that's also documented on the wiki That's basically most of them are the leftover pins of the CPU which we didn't use which you can use for your own projects In the new revision we sell here. We added two more pins, which are the pins used for the Serial input output Which it chips apart. They're also used for One of the LEDs. I think so if you if you use the serial the LED will maybe blink We actually also managed Schneider may Actually managed to fix the USB serial code. Let's say I also support for USB serial And it actually works now and doesn't crash your rocket every 15 minutes So it's not that important anymore, but it's if you want to hack something. It's quite nice Yeah, we have support Which was actually quite a last-minute addition for the camp was the loadable module support We the firmware supports to load additional code from the data flash It's like two and a half kilobyte maximum size for the loadables they can be loaded and The functions it can call functions from the main firmware if they are exported That's realized by a jump table, which is at the beginning of the flash There's some C Define hackery to so you can just compile it and it's what it will work one important thing is every function you want to use needs to be exported and You need to actually have a firmware flashed which exports this So if you have an old firmware and use new loadables, it will break But if you had used an old loadable with a new firmware that will still work There's some a little bit problems with the loadable support is one of the things is if you want to write one yourself Actually the first function in your C file will get executed the examples the function is called RAM, but actually it's Unimportant the name is unimportant. It's just jumps to the first byte of the loadable And so the first function in your C file will execute it several people got bitten by this if you have a Support function and put it atop because you don't want to pre-define it You will have a hard time debugging it And the second problem is if you have global variables and initialize them That won't actually work I have an idea why this is because we are doing some evil linker tricks to actually get the loadable support working And I think we're dropping the section with the initialized data values So the the current solution is just don't use static initialization Just initialize in them in your function at first if you want to have initialized values That can take quite a time to debug also I think that's all we invite everyone to write loadables. We had quite a few people at Camp writing loadables Some of them have been added to the default flesh firmware So you have quite a list of loadables on your on your rocket. It's under the execute menu There's For example for the Geiger counter which needs additional hardware, but we we added most of them there There are more out there. We didn't have time to check all the all the submissions We ran a bit out of time here But we invite everyone to write new ones and if you have a cool loaded module send us an email and we Might add it to the repository Yeah, there was at the at the camp the mesh worked Basically all the the RF code Worked encrypted was encrypted because we didn't want people to mess with the stuff and wanted it to work and that Relied on the CRP. There's content read protection feature of the controller. It has different levels and content read protection to This allows reading of the firmware. So you couldn't shouldn't be able to read the keys from the firmware That was the idea we had quite a few people at camp trying to get around And find the keys we had very nice exploits using the font renderer for example, which had a buffer overflow and One a few people were actually printing parts of the flesh as a font on on the display and then counting pixels To get the values back I rather like that And there were social engineering attacks also which worked given Yeah, not too surprising But the most important stuff which we haven't Really talked much about is that also the content read protection was actually broken at camp We had some nice hacker Reading the firmware back and just getting the keys this way We as nxp sponsored the CPUs for us. We actually called them the next day and said hey looks like your chip has this little problem there There were actually I never found out if they were amused or not amused, but I don't think so We were a little bit quiet about it because we didn't hear much back from an XP XP actually Has released or is releasing during this Congress a press release about this they have Produced some kind of software fix which I haven't seen Notified all the customers which use the chips in larger quantities and they have produced a hardware fix Which goes into production in January? It takes quite some time to get it to the actually silicon and it will be fixed chips produced in January and later We'll have this problem fixed One other work around this is to use the even harder content read protection level 3 which Locks the chip down even more this one was not broken But it's rather inconvenient to work with it Okay Yeah, because there was basically no point in trying to keep the key secret We went for the the open approach and their current firmware has absolutely no encryption anymore I Did some changes to the to the mesh code? And disallow most of the the packets because as there was absolutely no encryption I was sure that everyone would try to broadcast their own packets and I didn't want to have 15 entries in the in the mesh table all saying hey, I'm cool I broadcasted my own packets So it only supports the the current time and which currently doesn't work The next starting talk in each room. That's because I didn't have the time to set up the laptop for that the new firmware Also has basic support for an color LCD. There is an Nokia LCD Which which supports color which has the same connector We are I think with have still a few left to sell The current firmware supports the display in the way that you can plug it in and turn it on and it still displays things It doesn't actually do much color because we have space constraints on In the flesh and hadn't weren't able to to squeeze color in there. There are loadables which display color images The current it's not on the on the default flesh, but talk to Ray afterwards He knows where in git you can get the the correct code The firmware also supports the RGP flame. I already told you that and we hadn't having lots of new loadables One new loadable We have is Well, it's not that new. It's the rockets which has a small graphics lip added to the firmware and Is if you turn it on the first time the new rockets, you will see the small rocket ship flying and landing That's actually a small graphics lip, which was graciously donated by. Oh, I Think it's some gimp developer. I actually have forgot the name. I'm sorry. That's quite quite nice All the functions are exported for loadables to use There's a far part far plan app which you can browse through The entire far plan Which talks are when It relies on a on a file some binary blob containing all the talks. So That needs to be semi up-to-date to actually have the correct information But it should be on on the rockets. You buy should be a Granted and there's a new loadable our player, which is the remote player which uses the the RF chip to support Playing games remotely There's Down at the hack center some some people managed to have a four player Tetris On an LED display You can play in four people. I don't know if it's working already. I had some problems, but it was nearly ready we have a Simple pong version where two players can play pong against each other each other We will still have to set it up, but we can show you downstairs later and If you have time, we will Try a mass pop mass pong with all the people with ever we have a rocket in here We have some new single-player games on the rocket and some other new models like the people's module Which lists the nicknames of people around you as long as they have Privacy off so tracking enabled Okay Yeah So we are trying to set up an open beacon Tracking here to Congress. We already put up the readers like the one above there we're waiting for The knock to patch it for us and we hope that tonight we get the tracking available. It will be a public Jason Jason API available with the tracking results of every single batch which is has tracking enabled So everyone can access it. It's publicly available publicly available Milosh from the open beacon team donated or lend us its Readers which is very generous from him Well, let's hope we got it working and the people nearby app uses also the Open beacon packets which are sent and we added a feature that New rockets will also send their nickname if they have privacy to zero or which equals Trackable and you're trying to put the nicknames also into the Jason. So there's no Central registration form for this tracking Your rockets will just Broadcast your nickname and we are trying to put it into the Jason. So we're working hard on it and I Guess tonight it will be available I actually found out we're running out of time So and will be very quick about the rest there's a Python library to support the remote gaming feature There is an application for the rocket you can flesh on it to announce the that you have a game So the remote player can list it If it supports sending the button movement and the nick and displaying a text back to the player Yeah Yeah, we have some rocket launchers Graciously donated by get digital If you want to do some cool hack with one of these USB rocket launchers and the rocket Stop by at our desk You can you can get one we will have like You will like I have to give us some money. So we we are sure you bring it back You'll get your money back if you bring it back or if you do a cool hack You will get to keep the rocket launcher and get your money back. So You can bring it bring it back in any condition. So if you have to open it, it's not really a problem Yeah, some some modules which were designed as a laser tag module which Will be sold. I think someone is he here back there he Built modules for a laser tag game and will sell them and I think we will try to use them There's the RGB flames, which will be sold and there's some obscure network module. I don't know anything about it Nobody knows Yeah And the the most most interesting announcement is we will the rocket shop will open at I think 7 p.m. Today when at the Info desk or near the info desk again if you want to buy something these are all the URLs we encourage you all to participate we We will do announcements on Twitter as the Jason becomes available or the shop opens And I think we're out completely out of time. Are we three no, okay, then we can try to do the pong stuff So no question answer yet, but sec told you about the player loadable and We have an option for it. So your rocket sends the Position of your joystick and our idea is now we divide the whole room into two groups left and right and we prepared a Pong game running in JavaScript and a web browser and we have set up to open beacon readers from Miloche So who of you has a new rocket All right, okay, so all of you should have the our player loadable And if you start it you will see two games left and right and if you select it you can Your rocket will say now playing left or now playing right We distributed free rockets here in this room which are announcing that game and Hopefully you will be able to play pong and the idea is the two sides every packet you send packets in a regular basis and sex software is well they're playing magic to it and Transferring it into a paddle position on the pong game field I'm not sure. I think he he takes The average of your button movement. So if your side suddenly Has the idea over paddle should go down and you all of you press down the paddle will be instantly down so So you have to decide on a more or less. Let's say a random basis. How much you want to press down now? I think they are still busy with Setting up the VGA port Okay, yeah, well good in the meantime Q&A. I'm sorry Which side is left for me? Oh, all right. No It's seen from you if you so this is the right-hand side and this is the left-hand side All right Yeah, we did this we're doing this all the time And Who of you sees the games? Oh Nice, so we have a good coverage it seems and who of you already has joined the game Have you joined the right side? So well, you can choose any side, but you should choose the side you're on We hope that most of you choose the right side and the few people who think I can hack this contest on this game Won't have much of an influence on the actual outcome So now a question Someone had a question Yeah, we're just trying to put you. Could you repeat the question, please? Yeah, he asked if he could if you're going to display the game on screen and yes, we are Soon Working on it anyone else have any questions because I'll go around the room and give you The microphone or rather hold the microphone for you Yeah, just to make sure I got this correctly. There's still rockets available and when can I buy one? All right. Well, the thing is we have to share the desk at which we sell them with some Some Some official CCC business and then they have opened we can't sell rockets And we also have to spare the people to sell them, but I think at 19 o'clock today it will be the sale open Yes, it's the big queue next to the info desk There's always lots of people wanting to buy rockets. It's the same yesterday. You had no idea that That something like yesterday would happen we thought well We're going to sell on day zero so we can stretch it out a little bit and don't have the big queues during the day one to four and We thought it would be a oh all right. Okay. It seems something is working actually so so Just to test the right side put down everyone. Oh, no. Oh, you're playing already. Oh, okay What what you don't know we are faking all of this it's just a computer game you have no influence The numbers at the bottom are an amount of players registered on each side So in theory the site of the more with more players should have the advantage as if you would be only one player You had three positions middle full up and full down. So Just steady steady. Oh, I remember we thought about increasing the pedal size Did you increase the pedal size? Did you increase the pedal size? Oh, okay So who's leading? Oh three to three To be actually at the top everyone needs to be atop if even three people though Every person who doesn't push up will keep you from reaching the top We plan to reserve a small slot on one of the lightning talks To do this once again If you want to I don't know how much time we have left how much time do we have it's about 15 15 minutes What 15? Okay. No go ahead please. I thought we were running out of time If anyone has a question. Yes, and there is one question on the IRC Yeah, I'm joined here from the ICs asking is there any Estimates when a day will be sellable on the internet even if there are no leftovers probably We will After the after the Congress when we had time to go back and sleep a few days We will we will pack up all the rest of the rockets and send them to pollen And we don't actually know how long it will take to show up in the shop then But I'd suspect like a month maybe Yeah, Pauline is going to re-package them and I think they want to print a Manual for it and everything and we already sent them some. I'm not sure how far they are but one thing Oh There are going to be rockets available at pollen. We had to make a deal So we had to make a deal that pollen needs at least 300 So we have 700 rockets here available and 300 are definitely going to pollen Else we would probably have no rockets at all here. So yeah Are there any more questions in the audience? Please raise your hand I can't see you when you're talking like this with a small voice Okay questions anyone Yeah over here The sale that we have updated information on the sale it will start on 1930 hours So I Yeah, I have a question to the game. I am playing currently And so that I understand it right the transmission is now done through the mesh network So what is the latency of the messages when I'm in the back? No, it's actually not doing done through the message The the game transmission is actually done direct to have two nice readers here one for the right right players and one for the left players and that's Going directly so beyond Beyond this room you won't be able to participate Any more questions, or are you all busy playing? Yes, one thing I want to say here about the mesh network I actually found a rather embarrassing bug in Release version for firmware for the Congress it actually we didn't check the CRC check some That that that happened when we disabled the encryption The CRC was actually checked after the decryption and when we and it disabled it we didn't even check the CRC Which means that the the all up to our for our various very buggy met and mesh network because a single bit errors will not be detected and then your time and text will be broken You can flash the new versions are five It's on the wiki and we have a flash station down was downstairs Where is sitting where you can flash your rocket with the current firmware? We have a question here in front row Was at the net the only Producer you asked or did you had some alternatives you asked for an offer? No, actually not Yes, it was the only Producer in China. Yes Some in Germany for the production at the camp, but they were way too expensive for us and actually By the time we decided we're going to do this. We don't really had time To look around much. We had to say let's do it. Let's do it with him Let's do it with our contact at ethernet and he gave us a lot of support And I think he he wanted to well land this contract to have an amplification But it was a rather nice experience. Yes We have two more questions on the IRC channel first question. Yeah FWG is asking what the punk score is Okay Let's see left side nine right side 12 So Seems like the right side with fewer players. Oh is winning about just By a little bit 32 players on the left side 25 players on the right side And the second question on the channel and Chanty again is asking if that software for this game is already on get The source code The Java script Pong implementation is in get I've made some small last-minute changes Which I'm going to commit after the talk the Python script Collecting the the reader information is currently not in a in a workable state in git You will I will I plan to commit it later There there are two versions of the script one which works with the read actually the hardware readers And there's another version which uses a rocket as receiver, which will be more accessible to the rest of you There in the tools game sub directories all the stuff Yeah, we we mostly hack that together an hour ago For that I have to say it's working quite nice Any more questions in the room Please raise your hand At the front row Well, how difficult would you say it is to? Rebuild the rocket maybe not in the same shape, but just like taking the parts finding the parts building something similar Impossible difficult easy no problem at all. You mean for for the John dough for Someone well, it's just it's just a two-layer board. So that's not really a problem You can order it for cheap everywhere, but the RF chip is a Leetless chip you have to solve it at least with a hot air gun better reflow But it's possible with hot air. We saw our prototypes if a hot air gun Yeah Yeah, and and schematics and PCB layouts are very eagle schematics and eagle layouts are all available in our git repository And there are licensed under some creative comm license. I think yeah Should be no problem But if you're doing it again, I Advise you to have a look at the power distribution system. It's not the best. Yeah It's working, but could be improved Anyone else any more questions Anyone still busy playing There's not so many people playing now Still some I was wondering how I would come across color display here Ray is selling them at the team rocket help desk As a team rocket help desk down in the hack center at In your hardware hacking area and we're in the back right corner I'm not sure if there are still some left We don't have very much of the color displays. I think have it like 30 or so left So basically if you want to do something here at Congress as a color display come down and get one But the reason why we didn't bring so many is they're very easy to get you can get them on eBay or Chinese sellers are selling them with two weeks shipping and it doesn't cost more than we sell here So if you just want to have it for at home, just order it after Congress if we run out of them So it's no problem, but feel free to come down and buy one if you want to do something here or Want one, but so it's not that bad if you don't get one And if you want one here be quick we get another question on IRC Yeah Polter is asking if the tracking is legal in you and Switzerland and he'd like to use these rockets in a public event whatever it means I'm not sure why it should be illegal If you turn it on for the first time it asks you if you want to be tracked or not there are three settings which is Like one is full tracking and the second one is enables only in a mesh So it doesn't allow tracking but the RF chip is still in use and the third day setting completely disables the RF Functionality of the firmware. So if you don't want to be tracked turn it off It's it's a setting is available in the conflict menu at any time The other thing is the chip is using the 2.4 gigahertz spectrum Removed the channels all out of the way of all the way wave line in use here It's in the area reserved for educational and Personal use on ISM band. So if you want to do it commercially I don't think you you're allowed to use it as for commercial applications But we are not doing that But you could always change the channel downwards to someone where the wave line is and then you could do other stuff We have a very few minutes left. So last-minute questions Over here in the middle Hmm Thank you. I'm your teacher and at my school. We have some smart boards What were the active boards and I think this system is a very cheap way for Interactive use for the students for such boards There's somebody who builds something connections for the rocket. I'm not sure I understood it correctly. Sorry Can you can you maybe could you repeat it rephrase your question? At my school we have smart boards active boards. Okay, and it's No, okay So the interactive whiteboards are a projector onto a whiteboard. Okay. Yes. Yeah draw with I get you active pens And it despises a projector. Okay, and what are you planning to do with the smart board? When I use this interactive board as the students cannot Do anything interactive only one at the wall acts and so I think Such rockets are a possibility that all the students can can do something Yes by using this communication You can buy very expensive pets for the students, but There's no chance to get the money. Do you know we I am me it's it's a American in America it's available some kind of Mini Instant messenger with works in the vicinity and has a small keypad and a small display and it's come comes in a rocket Case with batteries and everything in it so it can be thrown into a back or something Maybe that's more of a thing you're looking for I think Travis Goodspeed has hacked them to death Everything he does everything these these things so the I am me I am me. Yeah instant message me. Yeah, is there one more super last-minute question one more question Maybe No, people are already leaving. Hey, okay Okay, then have a nice camp. Thank you very much. Please give it up for the speakers