Insomni’hack 2013 – Life is hard(ware)

Intro

For this challenge, I wanted the attendees to reverse a microcontroller firmware, but most of all, I wanted them to actually see the result “live” to prove that the code actually works on a real device. The main idea was to use a keypad and a small screen to display the flag once the correct code has been entered.

I initially started writing the firmware on a Teensy++ 2.0 I had at hand. The firmware was almost complete when I received the new Teensy 3.0 at home. As I was playing with it, I found one cool feature:

Teensy 3.0 pinout

“Touch”, via capacitive sensors, really means that it can recognize a user’s finger. I found this so cool that I changed my plans and modified the firmware to use the touch inputs.

Touch input

One of the biggest advantages I saw with this feature is that I didn’t need push buttons nor direct access to the electronics. After some tests, I found that even with 5mm of material between my finger and the touch sensor, the returned value is large enough to correctly detect which sensor was activated.

As I had nine touch input pins available (I didn’t want to use the pins on the back of the Teensy), I used a keypad with nine inputs, digits 1 to 9, each digit having its own input on the Teensy. Since each sensor has its own base value, I used a per-sensor threshold to detect which number has been touched. The corresponding code is the following:

[code language="cpp"]
// Teensy 3.0 touch-capable pins wired to the keypad digits 1..9
int inputs[] = {0, 1, 15, 16, 17, 18, 19, 22, 23};
// Per-sensor thresholds: each pad has its own idle (base) value
int thresholds[] = {800, 800, 800, 800, 800, 1000, 1000, 900, 1000};
const int NUM_INPUTS = sizeof(inputs) / sizeof(inputs[0]); // 9 pads

int readStatus() {
  while (1) {
    for (int i = 0; i < NUM_INPUTS; i++) { // Test each input
      if (touchRead(inputs[i]) > thresholds[i]) { // Does the reading exceed the threshold?
        delay(300); // Crude debounce so one touch is not read twice
        return i + 1; // Return the keypad digit
      }
    }
    delay(10); // Short pause between scans
  }
}
[/code]

Case

I wanted the case to be as open as possible, so people could actually see what it looks like inside, and sturdy enough to survive 200 hackers playing with it. I chose glass, as I had access to all the tools I needed to build this case (Thanks, Mom 😉 )

The front face is made of 4mm float glass. I tried to engrave the digits on the glass, but they were not quite readable, so I used black glass powder that I melted into the front plate. To provide a wide touch zone for each number, I stuck a copper sheet to the back of the glass, then soldered a wire to the back of each copper sheet to reach the Teensy input:

Keypad

The screen is a 2×16 LiquidCrystal display wired to pins 7 to 12 on the Teensy. Using Sugru, I glued the screen to the front plate and let all the wires hang loose to give a “hacked” look to the whole thing.

Full

Full source

[code language="cpp"]
#include <LiquidCrystal.h>

// Teensy 3.0 touch-capable pins wired to the keypad digits 1..9
int inputs[] = {0, 1, 15, 16, 17, 18, 19, 22, 23};
// Per-sensor thresholds: each pad has its own idle (base) value
int thresholds[] = {800, 800, 800, 800, 800, 1000, 1000, 900, 1000};
const int NUM_INPUTS = sizeof(inputs) / sizeof(inputs[0]); // 9 pads

// 16x2 LCD: RS on 12, E on 11, D4..D7 on 10..7
LiquidCrystal lcd(12, 11, 10, 9, 8, 7);

void setup() {
  lcd.begin(16, 2);
  for (int i = 0; i < NUM_INPUTS; i++) {
    pinMode(inputs[i], INPUT);
  }
}

// Block until one pad exceeds its threshold, return its digit (1..9)
int readStatus() {
  while (1) {
    for (int i = 0; i < NUM_INPUTS; i++) {
      if (touchRead(inputs[i]) > thresholds[i]) {
        delay(300); // Crude debounce so one touch is not read twice
        return i + 1;
      }
    }
    delay(10); // Short pause between scans
  }
}

void printFlag() {
  lcd.clear();
  lcd.setCursor(0, 0);
  lcd.print("Flag is b2sum of");
  delay(2000);
  lcd.setCursor(0, 1);
  lcd.print("XXXXXXXXXXXXXXXX"); // Actual flag text redacted in this post
  delay(5000);
  lcd.clear();
}

void printWrong() {
  lcd.clear();
  lcd.setCursor(0, 0);
  lcd.print(" WRONG");
  delay(2000);
  lcd.clear();
}

// Serial must be 598264
boolean checkSerial(int serial) {
  if ((serial % 10) != 4) {
    return false;
  }
  int tmp = 1;
  for (int i = 0; i < 6; i++) {
    tmp = tmp << 1; // tmp ends up as 64
  }
  if ((serial % 100) != tmp) {
    return false;
  }
  if ((serial & 0xff) != 248) {
    return false;
  }
  if (((serial >> 8) & 0xff) != tmp / 2) {
    return false;
  }
  if ((serial >> 16) != 9) {
    return false;
  }
  return true;
}

void loop() {
  int serial = 0;
  lcd.clear();
  lcd.setCursor(0, 0);
  lcd.print("Enter code :");
  for (int i = 0; i < 6; i++) { // Read six keypad digits
    serial = 10 * serial + readStatus();
    lcd.setCursor(0, 1);
    lcd.print(serial);
  }
  if (checkSerial(serial)) {
    printFlag();
  } else {
    printWrong();
  }
  lcd.clear();
}
[/code]

Challenge

The Arduino GUI creates a temporary folder containing all the compiled files, so I took the .elf file from there and gave it to the contestants. As the binary is not stripped, reversing it is not too complicated:

disassembly
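Once checkSerial() has been recovered from the disassembly, the five comparisons form a small constraint system that a solver can check on a host machine. The following is an added example, not code from the original post: a plain C port of the firmware's checks (same comparisons, same order), plus a hypothetical keypad_enterable() helper that encodes the extra constraint the firmware imposes implicitly (readStatus() only ever returns 1..9, so a code containing a 0 digit can never be typed). derive_from_bytes() shows that the three byte-level checks alone pin the value down without any brute force.

```c
#include <stdbool.h>
#include <stdio.h>

/* Port of the sketch's checkSerial() to host-side C. The five checks
 * are kept in the same order as in the firmware. */
bool check_serial(int serial) {
    if ((serial % 10) != 4) return false;             /* last decimal digit is 4 */
    int tmp = 1;
    for (int i = 0; i < 6; i++) tmp <<= 1;             /* tmp == 64 */
    if ((serial % 100) != tmp) return false;           /* last two decimal digits are 64 */
    if ((serial & 0xff) != 248) return false;          /* low byte is 0xF8 */
    if (((serial >> 8) & 0xff) != tmp / 2) return false; /* middle byte is 0x20 */
    if ((serial >> 16) != 9) return false;             /* bits 16 and up equal 9 */
    return true;
}

/* Hypothetical helper (not in the sketch): the firmware reads exactly six
 * digits and each digit comes from a 1..9 keypad, so valid codes are
 * six-digit numbers with no 0 digit. */
bool keypad_enterable(int serial) {
    if (serial < 100000 || serial > 999999) return false;
    for (int n = serial; n > 0; n /= 10) {
        if (n % 10 == 0) return false;
    }
    return true;
}

/* The three byte checks fix every bit of the value directly:
 * (9 << 16) | (0x20 << 8) | 0xF8 = 0x920F8. The two decimal checks
 * (% 10 == 4, % 100 == 64) are then already satisfied. */
int derive_from_bytes(void) {
    return (9 << 16) | ((64 / 2) << 8) | 248;
}

/* Exhaustive scan over every six-digit value; stores the number of
 * candidates in *count and returns the last one found (or -1). */
static int scan(int *count) {
    int found = -1;
    *count = 0;
    for (int serial = 0; serial < 1000000; serial++) {
        if (check_serial(serial) && keypad_enterable(serial)) {
            (*count)++;
            found = serial;
        }
    }
    return found;
}

int solution_count(void) { int c; scan(&c); return c; }
int solution_code(void)  { int c; return scan(&c); }

int main(void) {
    printf("%d candidate(s); code = %d; derived = %d\n",
           solution_count(), solution_code(), derive_from_bytes());
    return 0;
}
```

The scan confirms that the constraints admit exactly one code, and derive_from_bytes() reaches the same value by assembling the three bytes, which is how one would solve it by hand from the disassembly.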

Video

Here is the device working once the correct PIN code (598264) has been entered:

[youtube=http://www.youtube.com/watch?v=VOQBLBCgZtU]
