Difference between revisions of "Red Bull Creation 2011"
|Line 6:||Line 6:|
Under-the-Foam password: <code>JMT479</code>
Under-the-Foam password: <code>JMT479</code>
Revision as of 16:22, 4 April 2011
- 1 Ongoing Work
- 2 Findings
- Audio storage chip unmounted and placed in breakout for data dump
- Possibly place audio storage in empty chip location
- Trying to get a X-Ray
- JTAG dump PICs
Found in a full dump of the SPI chip
This SPI flash was lovingly stuffed by JoeJoe Martin (email@example.com). Big ups to John Taylor (aka Parts Dept), Tyler Hanson, Jason Naumoff, Chris Dadzitis (aka DingDong), Jesse Wilson (aka Roadkill), and Erin B. for their help with this project. Viva la Creation!
- - ATMega - runs the ‘video game’
- - PIC33FJ64 - Runs the audio headphone output
- - PIC24FJ64 - Runs USB Mass Storage
- - PIC - Runs TTY out and 2 morse code LEDs
- - 16Mb Serial Storage device - for storing audio files
- - Analog Devices chip that runs video output
Each PIC has a pogo-pin JTAG port which still needs exploring.
Two blue LEDs on the board were connected to a small microcontroller and blinked in a seemingly erratic pattern. We all agreed that these blinks looked like Morse Code, but none of us knew Morse Code... so we winged it. After utilizing an advanced logic sniffer to decode the dits and dahs (we’re aware of the irony) the short message decoded to
48007e2 and the longer message decoded to
WinstonChurchill. Both of these hints gave us a part of the solution to other hidden gems, or they would have if we didn’t figure them out through other means first.
Upon plugging the device into a computer, we found that USB provided more than just power, It offered the computer a tiny mass storage device containing two files. CLUE.TXT:
Looking for a password?!
He might have enlisted Bletchly Park to figure it out, but you've probably got what it takes... and it's not "SamuelMorse" either.Good luck with this mystery inside an enigma!
In retrospect, this clue was likely directing us to look at the blinkenlights on the board. In actuality, we tapped into the near encyclopedic knowledge of crypto history in our group and quickly found the password to the encrypted text file.
Encrypted zip file (password: WinstonChurchill):
K, that was an easy one… but you’re not there just yet.
The riddle that ol’ Winston mentioned was Russia, but we’re talking about a different kind of puzzle altogether.
Somewhere in this box there is another password, this time for a website.
Poke, probe, and hack away at this circuit board… it’s an egg hunt.
When you find the url and the password… go tell us what else you’ve found along the way.Good luck for real this time… you’ll need it!
Not too much to say on this one, we decrypted the zip, read the file, tore back the foam and found...exactly the same thing we did when the video game section told us to do it an hour earlier!
TTL Serial Port
By attaching a logic analyzer to the TTL and GND pads (this was before we know the baud rate and config given by the morse code lights), we were able to decode:
Strong work. Now peel up the foam that was under the circuit board to get a password to the website.
The baud rate was hinted at in the Morse Code message, however as previously stated, none of us were familiar with it so we did it the hard way. Brute force is sometimes the best way!
When we plugged a pair of headphones into the audio jack connected to chip 2, we heard a digitized voice spell out
LOOKDONTLISTEN into our right ear while crazy static blasted us in the left. While still much less grating than listening to Rick Astley, it wasn’t very understandable, at least until one of our members walked into the room and upon hearing the sound declared “I hear shapes!” After our team ensured that he was of sound mind, we recorded the audio signal, passed it through a spectrum analyzer and dropped our jaws as the image below took shape on our screen, clearly indicating the ownership of our bulls.
Right channel - Robot voice that spells out:
Left channel - Audio, using spectrum analysis you see: All your bulls are belong to us
Extra Audio Pads
Extra audio pads (1 and 2 below) are 180 degrees out of phase of their neighbor.
Provides a possible balanced output.
Extra Audio Tracks
Solder pads (3 and 4 above) allow you to select between different audio tracks, which give the outputs below. When you select different channels, the LED attached to the audio PIC changes from a 60% duty cycle to a 30% duty cycle. Significance of this is unknown.
1 - Audio Image - BAD RABBY - who appears to be the be the designer of the board!
2 - Audio Image - Rick Astley
3 - Double Rainbow audio
Powering up or resetting the board causes the “Red Bull Creation” screen to appear as well as a jaunty tune (Never Gonna Give You Up). After entering “The Code” (Up, Up, Down, Down, Left, Right, Left, Right, Start) the display cycles through the following not so secret screens including a series of codes at the bottom of the screen. When converted from hexadecimal values to ASCII, they spelled
PEEL THE FOAM and
SUP, GOLD DIGGA? before advancing to a stern talking to from HAL followed by what we have dubbed as the “Kill Screen” despite this game being a far cry from Donkey Kong.
Silkscreened on the board was the cryptic string
U2V0ZWMgQXN0cm9ub215 but did not require any magic box to convert this Base64 encoded string back to “Setec Astronomy”.
U2V0ZWMgQXN0cm9ub215 - Base64 encode of
Dumped JTAG of ATMega
We found nothing interesting so far
Empty Chip Pads
Pin connections match that of the serial storage device connected to the audio driving PIC. The USB PIC does not seem to poll for this chips existence though (no activity seen on CS, CLK, or DIN), which indicates the code on the USB PIC was not extended to use it. Maybe previous plan was to do the mass storage on an external storage device, but ultimately it was decided to do it with the PICs internal memory? Still may move serial storage there and see if anything happens.
There are also empty pads in the top right of this image (not numbered). When shorted it ties ground to a input pin of the USB chip. No noticeable effect.
Empty pads near middle of board
Seems to just be a place for a possible additional, larger, decoupling cap - runs from VCC to ground plane.