HITCON Badge 2019 is based on M2351ZIAAE MCU.
There are four pages, you can use LEFT and RIGHT button on the badge to switch them.
- Badge will show the status of 24 LEDs.
- Locked: white color
- Unlocked: Bright and colorful
- Press
UP+A/Bto decrease/increase the brightness. - You can unlock each LED by playing the game or completing the mission with sponsors.
- Use
UPandDOWNbutton to select patterns. - Pattern 0 will be unlocked by unlocking led 0 1 2.
- Pattern 1: led 3 4 5.
- Pattern 2: led 6 7 8.
- ..
- If the pattern is still locked, it will render the error pattern (all LED are red).
- There are 11 patterns in total.
- In this page, you can customize the color of LEDs!
- Select the LEDs by pressing
UPDOWNLEFTRIGHT. - Change the color by pressing
AB. - Press
AB(at the same time) and then pressLEFT/RIGHTto leave paint mode.
################################
# #
# #
# #
# #
# #
# #
# #
# @@@@@@@ o #
# #
# #
# #
# #
# #
# #
# #
# #
################################
[Score] 6 pt
- Let badge connect to the computor with Micro USB cable.
- Use any client you like to connect the serial com port.
- Linux/macOS: You can use
screencommand.- example:
screen /dev/tty.usbmodemxxx(replace/dev/tty.usbmodemxxxwith correct path)
- example:
- Windows: You can use
PuTTY(Connection type: Serial) to connect the COM port.
- Linux/macOS: You can use
- Control the snake by pressing
UPDOWNLEFTRIGHT. - Press
ABat the same time to pause the game.- Press
ABagain to continue the game,LEFTto exit.
- Press
- Score
- score >= 50, snake pattern (pattern 8) will unlocked!
- score == 2147483647: Well done, hacker :)
_ _ ___ _____ ___ ___ _ _ ___ __ _ ___
| || |_ _|_ _/ __/ _ \| \| | |_ ) \/ / _ \
| __ || | | || (_| (_) | .` | / / () | \_, /
|_||_|___| |_| \___\___/|_|\_| /___\__/|_|/_/
HitconBadge2019 >>
- There is a simple command line interface running on the badge.
- You can use it by connecting the badge to computer with micro usb.
Type help for all available commands.
HitconBadge2019 >> help
show
info
unlock
setname
clear
hello
angelboy
yuawn
ping
ls
id
cat
echo
alias
whoami
help
Show command will display the status of all LEDs and patterns.
HitconBadge2019 >> show
Pattern 0: Lock
led 00: Lock
led 01: Lock
led 02: Lock
Pattern 1: Lock
led 03: Lock
led 04: Lock
led 05: Lock
Pattern 2: Lock
led 06: Lock
led 07: Lock
led 08: Lock
Pattern 3: Lock
led 09: Lock
led 10: Lock
led 11: Lock
Pattern 4: Lock
led 12: Lock
led 13: Lock
led 14: Lock
Pattern 5: Lock
led 15: Lock
led 16: Lock
led 17: Lock
Pattern 6: Lock
led 18: Lock
led 19: Lock
led 20: Lock
Pattern 7: Lock
led 21: Lock
led 22: Lock
led 23: Lock
Badge challenge:
[Stage 1] Snake pattern: Lock
[Stage 2] Pwned NS pattern: Lock
[Stage 3] Pwned the whole badge pattern: Lock
Badge source code, solution and exploits will be released within the talk
HITCON Badge 2019 秘辛: MCU ARM TrustZone challengesat R0 (Day2 14:40 - 15:30).
There are 11 pattern in total, but three of them are special, so you need to get them in special way :)
- Before pwning the badge, why not play some game first.
- Get the score higher than 50, you can unlock the snake pattern.
- Try to let the score == 2147483647 by playing the game.
- Or pwn the badge :)
- You will know how to do it by reversing the binary of normal world (NonSecure world) in this MCU TrustZone.
- To make life easier, the binary is not striped and not a raw binary, just take them all (See
firmware/)
- The final target is protected by TrustZone in Secure Region.
- I put my secret in the TrustZone, it is pretty safe, isn't it?
- Try to pwn the badge for all patterns!