Difference between revisions of "Red Bull Creation 2011"

From i3Detroit
(Credits)
Revision as of 14:36, 4 April 2011

Ongoing Work

  • Audio storage chip unmounted and placed in breakout for data dump
  • Possibly place audio storage in empty chip location
  • Trying to get a X-Ray
  • JTAG dump PICs

Findings

Credits

Found in a full dump of the SPI chip at address 0x1AF300

This SPI flash was lovingly stuffed by JoeJoe Martin (rabby@badrabby.com). Big ups to John Taylor (aka Parts Dept), Tyler Hanson, Jason Naumoff, Chris Dadzitis (aka DingDong), Jesse Wilson (aka Roadkill), and Erin B. for their help with this project. Viva la Creation!

The Password

Under-the-Foam password: JMT479

Board Layout

Image01.jpg

  1. - ATMega - runs the ‘video game’
  2. - PIC33FJ64 - Runs the audio headphone output
  3. - PIC24FJ64 - Runs USB Mass Storage
  4. - PIC - Runs TTY out and 2 morse code LEDs
  5. - 16Mb Serial Storage device - for storing audio files
  6. - Analog Devices chip that runs video output

Each PIC has a pogo-pin JTAG port which still needs exploring.

Morse Code

Two blue LEDs on the board were connected to a small microcontroller and blinked in a seemingly erratic pattern. We all agreed that these blinks looked like Morse Code, but none of us knew Morse Code... so we winged it. After utilizing an advanced logic sniffer to decode the dits and dahs (we’re aware of the irony) the short message decoded to 48007e2 and the longer message decoded to WinstonChurchill. Both of these hints gave us a part of the solution to other hidden gems, or they would have if we didn’t figure them out through other means first.
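An added example, not the team's own decoder: given a logic-analyzer capture of one LED as (level, duration) pulses, it infers the dit length from the shortest ON pulse and decodes the dits and dahs. The pulse timings are constructed (100 ms per unit is an assumption); the two messages are the ones decoded above, and since Morse carries no case the second comes out as WINSTONCHURCHILL.

```python
# Morse decoder for a logic-analyzer capture of a blinking LED, given as (level, duration_ms) pulses.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

def decode_pulses(pulses):
    """Decode (level, duration_ms) pulses to text; unknown patterns become '?'."""
    unit = min(d for lvl, d in pulses if lvl == 1)       # dit length in ms
    words, letters, symbol = [], [], ""
    for level, dur in pulses:
        u = dur / unit
        if level == 1:                     # ON: dit is ~1 unit, dah is ~3 units
            symbol += "." if u < 2 else "-"
            continue
        if u >= 2 and symbol:              # OFF >= 2 units: end of a character
            letters.append(MORSE.get(symbol, "?"))
            symbol = ""
        if u >= 5 and letters:             # OFF >= 5 units (nominal 7): end of a word
            words.append("".join(letters))
            letters = []
    if symbol:
        letters.append(MORSE.get(symbol, "?"))
    if letters:
        words.append("".join(letters))
    return " ".join(words)

def encode_pulses(text, unit_ms=100):
    """Constructed test signal: the pulse list an LED would blink for text."""
    rev = {v: k for k, v in MORSE.items()}
    pulses = []
    for w, word in enumerate(text.upper().split()):
        if w:
            pulses.append((0, 7 * unit_ms))            # word gap
        for i, ch in enumerate(word):
            if i:
                pulses.append((0, 3 * unit_ms))        # letter gap
            for j, sym in enumerate(rev[ch]):
                if j:
                    pulses.append((0, unit_ms))        # gap inside a character
                pulses.append((1, unit_ms if sym == "." else 3 * unit_ms))
    return pulses

# Constructed capture of the two LED messages at 100 ms per unit (timing assumed).
SAMPLE = encode_pulses("48007E2 WinstonChurchill")
```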

USB Storage

Upon plugging the device into a computer, we found that USB provided more than just power: it offered the computer a tiny mass storage device containing two files. CLUE.TXT:

Looking for a password?! He might have enlisted Bletchly Park to figure it out, but you've probably got what it takes... and it's not "SamuelMorse" either. Good luck with this mystery inside an enigma!

In retrospect, this clue was likely directing us to look at the blinkenlights on the board. In actuality, we tapped into the near encyclopedic knowledge of crypto history in our group and quickly found the password to the encrypted text file.

Encrypted zip file (password: WinstonChurchill):

K, that was an easy one… but you’re not there just yet. The riddle that ol’ Winston mentioned was Russia, but we’re talking about a different kind of puzzle altogether. Somewhere in this box there is another password, this time for a website. Poke, probe, and hack away at this circuit board… it’s an egg hunt. When you find the url and the password… go tell us what else you’ve found along the way. Good luck for real this time… you’ll need it!

Not too much to say on this one: we decrypted the zip, read the file, tore back the foam and found... exactly the same thing we did when the video game section told us to do it an hour earlier!

TTL Serial Port

By attaching a logic analyzer to the TTL and GND pads (this was before we knew the baud rate and config given by the Morse code lights), we were able to decode:

Strong work. Now peel up the foam that was under the circuit board to get a password to the website.

The baud rate was hinted at in the Morse Code message, however as previously stated, none of us were familiar with it so we did it the hard way. Brute force is sometimes the best way!

Headphone Jack

When we plugged a pair of headphones into the audio jack connected to chip 2, we heard a digitized voice spell out LOOKDONTLISTEN into our right ear while crazy static blasted us in the left. While still much less grating than listening to Rick Astley, it wasn’t very understandable, at least until one of our members walked into the room and upon hearing the sound declared “I hear shapes!” After our team ensured that he was of sound mind, we recorded the audio signal, passed it through a spectrum analyzer and dropped our jaws as the image below took shape on our screen, clearly indicating the ownership of our bulls.

Right channel - Robot voice that spells out: LOOKDONTLISTEN

Left channel - Audio, using spectrum analysis you see: All your bulls are belong to us

Image04.jpg

Extra Audio Pads

Extra audio pads (1 and 2 below) are 180 degrees out of phase with their neighbor.

This provides a possible balanced output.

Image10.jpg

Extra Audio Tracks

Solder pads (3 and 4 above) allow you to select between different audio tracks, which give the outputs below. When you select different channels, the LED attached to the audio PIC changes from a 60% duty cycle to a 30% duty cycle. Significance of this is unknown.

1 - Audio Image - BAD RABBY - who appears to be the designer of the board!

Image08.jpg

2 - Audio Image - Rick Astley

Image06.jpg

3 - Double Rainbow audio

Video Game/TV

Powering up or resetting the board causes the “Red Bull Creation” screen to appear along with a jaunty tune (Never Gonna Give You Up). After entering “The Code” (Up, Up, Down, Down, Left, Right, Left, Right, Start) the display cycles through the following not-so-secret screens, including a series of codes at the bottom of the screen. When converted from hexadecimal values to ASCII, they spelled PEEL THE FOAM and SUP, GOLD DIGGA? before advancing to a stern talking-to from HAL, followed by what we have dubbed the “Kill Screen” despite this game being a far cry from Donkey Kong.

Image09.png Image12.png Image07.png

Image05.png Image11.png Image00.png


Board Text

Silkscreened on the board was the cryptic string U2V0ZWMgQXN0cm9ub215; it did not require any magic box to decode this Base64 string back to “Setec Astronomy”.

U2V0ZWMgQXN0cm9ub215 - Base64 encoding of Setec Astronomy

Dumped JTAG of ATMega

We found nothing interesting so far

Dump of SPI Storage Chip

A full dump of the SPI storage chip (16Mb) was created by desoldering it and using a Bus Pirate to communicate with it directly. After getting a complete dump and examining its contents, we found 4 audio files (which we had captured above) as well as plain-text credits at address 0x1AF300.

IMG_2329.sm.jpg
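As an added example (not part of the original write-up), a small Python scanner that does what the examination above did by hand: list every printable-ASCII run in a raw dump together with its offset, which is how plain text stands out from audio data and erased flash. The dump contents are constructed; only the credits text and its address 0x1AF300 come from the page, and the file-reading helper is assumed.

```python
import re

# Scanner for a raw flash dump: reports every run of printable ASCII at least
# min_len bytes long with its offset, which is how a plain-text credits string
# stands out from audio data and erased (0xFF) space.
def find_strings(dump, min_len=16):
    """Return (offset, text) for each printable-ASCII run of >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(dump)]

def read_dump(path):
    """Read a dump file written by the flash-reading tool into bytes (assumed helper)."""
    with open(path, "rb") as f:
        return f.read()

# Constructed stand-in for the 16 Mbit (2 MB) dump: erased flash (0xFF), a block
# of binary data (zeros, standing in for audio samples), one short string that is
# below the length threshold, and the credits text at the address the page reports.
CREDITS_ADDR = 0x1AF300
CREDITS = (b"This SPI flash was lovingly stuffed by JoeJoe Martin (rabby@badrabby.com). "
           b"Big ups to John Taylor (aka Parts Dept), Tyler Hanson, Jason Naumoff, "
           b"Chris Dadzitis (aka DingDong), Jesse Wilson (aka Roadkill), and Erin B. "
           b"for their help with this project. Viva la Creation!")

def build_sample_dump():
    dump = bytearray(b"\xff" * (16 * 1024 * 1024 // 8))  # 16 Mbit = 0x200000 bytes
    dump[0x1000:0x20000] = b"\x00" * (0x20000 - 0x1000)   # "audio" region, no text
    dump[0x800:0x808] = b"SHORTSTR"                       # 8 bytes: below min_len
    dump[CREDITS_ADDR:CREDITS_ADDR + len(CREDITS)] = CREDITS
    return bytes(dump)

if __name__ == "__main__":
    for offset, text in find_strings(build_sample_dump()):
        print(f"0x{offset:06X}: {text}")
```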

Empty Chip Pads

Image02.jpg

Pin connections match those of the serial storage device connected to the audio-driving PIC. The USB PIC does not seem to poll for this chip's existence, though (no activity seen on CS, CLK, or DIN), which indicates the code on the USB PIC was not extended to use it. Maybe the previous plan was to do the mass storage on an external storage device, but ultimately it was decided to do it with the PIC's internal memory? We may still move the serial storage there and see if anything happens.

There are also empty pads in the top right of this image (not numbered). When shorted, they tie ground to an input pin of the USB chip. No noticeable effect.

Empty pads near middle of board

Image03.jpg

This seems to be just a place for a possible additional, larger decoupling cap; it runs from VCC to the ground plane.