Red Bull Creation 2011

From i3Detroit

Findings

Credits

Found in a full dump of the SPI chip at address 0x1AF300

This SPI flash was lovingly stuffed by JoeJoe Martin (rabby@badrabby.com). Big ups to John Taylor (aka Parts Dept), Tyler Hanson, Jason Naumoff, Chris Dadzitis (aka DingDong), Jesse Wilson (aka Roadkill), and Erin B. for their help with this project. Viva la Creation!

The Password

Under-the-Foam password: JMT479

Board Layout

Image01.jpg

  1. ATMega - runs the ‘video game’
  2. PIC33FJ64 - runs the audio headphone output
  3. PIC24FJ64 - runs USB mass storage
  4. PIC - runs TTY out and 2 Morse code LEDs
  5. 16Mb SPI storage device - for storing audio files
  6. Analog Devices chip that runs video output

Each PIC has a pogo-pin JTAG port which still needs exploring.

Morse Code

Two blue LEDs on the board were connected to a small microcontroller and blinked in a seemingly erratic pattern. We all agreed that these blinks looked like Morse Code, but none of us knew Morse Code... so we winged it. After utilizing an advanced logic sniffer to decode the dits and dahs (we’re aware of the irony) the short message decoded to 48007e2 and the longer message decoded to WinstonChurchill. Both of these hints gave us a part of the solution to other hidden gems, or they would have if we didn’t figure them out through other means first.
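As an added example (not the team's logic-sniffer workflow), here is a decoder for an LED capture expressed as (level, duration) pairs, the form a logic analyzer exports. The capture is constructed from the two messages decoded above with timing jitter added; Morse has no case, so the text comes back in capitals.

```python
# Added example (not the team's tool): decode LED on/off timings, as a logic
# analyzer would export them, into text. Morse has no case, so output is upper.
MORSE = dict(p.split(":") for p in (
    "A:.- B:-... C:-.-. D:-.. E:. F:..-. G:--. H:.... I:.. J:.--- K:-.- L:.-.. "
    "M:-- N:-. O:--- P:.--. Q:--.- R:.-. S:... T:- U:..- V:...- W:.-- X:-..- "
    "Y:-.-- Z:--.. 0:----- 1:.---- 2:..--- 3:...-- 4:....- 5:..... 6:-.... "
    "7:--... 8:---.. 9:----.").split())
CODE_TO_CHAR = {code: ch for ch, code in MORSE.items()}

def encode_timings(text, unit_ms=100):
    """Constructed capture: (level, duration_ms) pairs like a logic-analyzer export.
    Standard spacing (dit=1, dah=3, symbol gap=1, letter gap=3, word gap=7 units)
    with deterministic +/-15% jitter, as a firmware blink loop would show."""
    edges = []
    for wi, word in enumerate(text.upper().split()):
        if wi:
            edges.append((0, 7 * unit_ms))
        for ci, ch in enumerate(word):
            if ci:
                edges.append((0, 3 * unit_ms))
            for si, sym in enumerate(MORSE[ch]):
                if si:
                    edges.append((0, unit_ms))
                edges.append((1, unit_ms if sym == "." else 3 * unit_ms))
    return [(lvl, round(d * (0.85 + 0.1 * (i % 4)))) for i, (lvl, d) in enumerate(edges)]

def decode_timings(edges):
    """Classify marks as dit/dah and gaps as symbol/letter/word, then look up letters.
    The shortest mark is taken as one dit; thresholds sit between the nominal widths."""
    unit = min(d for lvl, d in edges if lvl)
    words, letters, symbols = [], [], []
    for lvl, d in edges:
        if lvl:                                   # LED on: dit (1 unit) or dah (3 units)
            symbols.append("." if d < 2 * unit else "-")
        elif d >= 2 * unit:                       # LED off long enough to end a letter
            letters.append(CODE_TO_CHAR.get("".join(symbols), "?"))
            symbols = []
            if d >= 5 * unit:                     # even longer: end of word
                words.append("".join(letters))
                letters = []
    if symbols:
        letters.append(CODE_TO_CHAR.get("".join(symbols), "?"))
    if letters:
        words.append("".join(letters))
    return " ".join(words)
```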

USB Storage

Upon plugging the device into a computer, we found that USB provided more than just power: it offered the computer a tiny mass storage device containing two files. CLUE.TXT:

Looking for a password?!

He might have enlisted Bletchly Park to figure it out, but you've probably got what it takes... and it's not "SamuelMorse" either.

Good luck with this mystery inside an enigma!

In retrospect, this clue was likely directing us to look at the blinkenlights on the board. In actuality, we tapped into the near encyclopedic knowledge of crypto history in our group and quickly found the password to the encrypted text file.

Encrypted zip file (password: WinstonChurchill):

K, that was an easy one… but you’re not there just yet.

The riddle that ol’ Winston mentioned was Russia, but we’re talking about a different kind of puzzle altogether.

Somewhere in this box there is another password, this time for a website.

Poke, probe, and hack away at this circuit board… it’s an egg hunt.

When you find the url and the password… go tell us what else you’ve found along the way.

Good luck for real this time… you’ll need it!

Not too much to say on this one: we decrypted the zip, read the file, tore back the foam and found... exactly the same thing we did when the video game section told us to do it an hour earlier!

TTL Serial Port

By attaching a logic analyzer to the TTL and GND pads (this was before we knew the baud rate and config given by the Morse code lights), we were able to decode:

Strong work. Now peel up the foam that was under the circuit board to get a password to the website.

The baud rate was hinted at in the Morse code message; however, as previously stated, none of us were familiar with Morse code, so we did it the hard way. Brute force is sometimes the best way!

Headphone Jack

When we plugged a pair of headphones into the audio jack connected to chip 2, we heard a digitized voice spell out LOOKDONTLISTEN into our right ear while crazy static blasted us in the left. While still much less grating than listening to Rick Astley, it wasn’t very understandable. At least it was until one of our members walked into the room and upon hearing the noise track declared, “I hear shapes!” After our team ensured that he was of sound mind, we recorded the audio signal, passed it through a spectrum analyzer and dropped our jaws as the image below took shape on our screen, clearly indicating the ownership of our bulls.

Right channel - Robot voice that spells out: LOOKDONTLISTEN

Left channel - Audio, using spectrum analysis you see: All your bulls are belong to us

Image04.jpg

Extra Audio Pads

Beside the two pads that connected the audio PIC to the headphone jack were a pair of unconnected pads (1 and 2 below). Looking at them on an oscilloscope, they appeared to be a clone of the audio signal but 180 degrees out of phase. Our best guess at this point is that they are vestigial, and were intended to produce a balanced output, but in the final design were no longer needed. Feel free to tweet us if you figure out a better reason for these pads!

Image10.jpg

Extra Audio Tracks

When the board originally arrived, the two solder pads (3 and 4 above) had nothing attached. When presented with situations like this, the wise words of Dr. Zoidberg come to mind, "I'm a surgeon; when I see two body parts I sew them together and see what happens!" If that's not a ringing endorsement of blindly bridging unknown pads, it's hard to imagine something that is! Upon attaching the lovely blue wires you see in the photo to the pads and connecting them together, two interesting things became immediately apparent: the LED attached to the audio PIC changed from a 60% duty cycle to a 30% duty cycle and we were informed that double rainbows are quite intense. By shorting 1 pad, then the other, then both, we were able to find a total of 3 additional audio tracks in addition to the "All Your Bulls" track above, where two were images encoded the same way as the image above and the third was a short audio clip from the double rainbow video. We're currently unsure why the LED blinking changes when these pads are utilized, but we're assuming that it's for testing. It would be easier to power the board before shipping and check for the fast blinking LED than to listen to the audio on each one to ensure there were no shorts on these two key pads. If you've got a better explanation, again, tweet us your thoughts!

1 - Audio Image - BAD RABBY - who appears to be the designer of the board!

Image08.jpg

2 - Audio Image - Rick Astley

Image06.jpg

3 - Double Rainbow audio

Video Game/TV

Powering up or resetting the board causes the “Red Bull Creation” screen to appear along with a jaunty tune (Never Gonna Give You Up). After entering “The Code” (Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start) the display cycles through the following not-so-secret screens, including a series of codes at the bottom of the screen. When converted from hexadecimal values to ASCII, they spelled PEEL THE FOAM and SUP, GOLD DIGGA? before advancing to a stern talking-to from HAL, followed by what we have dubbed the “Kill Screen” despite this game being a far cry from Donkey Kong.

Image09.png Image12.png Image07.png

Image05.png Image11.png Image00.png


Board Text

Silkscreened on the board was the cryptic string U2V0ZWMgQXN0cm9ub215, but it did not require any magic box to convert this Base64 encoded string back to “Setec Astronomy”. (If you don't get it, go watch the movie Sneakers. You'll thank us later.)

U2V0ZWMgQXN0cm9ub215 - Base64 encoding of Setec Astronomy

Dump of SPI Storage Chip

A full dump of the SPI storage chip (16Mb) was created by desoldering it and using a Bus Pirate to communicate with it directly. After getting a complete dump and examining its contents, we found 4 audio files (which we had captured above), as well as plain text credits at address 0x1AF300. The dump process produced a high rate of errors, so the chip was copied and compared multiple times to assemble a clean duplicate.

IMG 2329.sm.jpg

The full dump can be downloaded here: File:RedBull.Spi.bin.
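The copy-and-compare step, as an added example that is not the team's own tooling: a byte-wise majority vote over several read passes of the same chip, with a `strings`-style scan at the credits offset to confirm the text survived. The chip image, the error positions and the credits text here are all constructed, and the 0x300 offset stands in for the page's 0x1AF300.

```python
# Added example (not the team's tooling): merge several error-prone SPI dump
# passes into a consensus image and pull printable strings from a given offset.
from collections import Counter

def consensus_dump(passes):
    """Byte-wise majority vote across equal-length dump passes of one chip.
    Returns (image, unresolved): unresolved lists offsets where no value won a
    strict majority, so that byte is still suspect and needs another read."""
    if len({len(p) for p in passes}) != 1:
        raise ValueError("all passes must cover the same address range")
    image, unresolved = bytearray(len(passes[0])), []
    for off, column in enumerate(zip(*passes)):
        value, votes = Counter(column).most_common(1)[0]
        if votes * 2 <= len(passes):
            unresolved.append(off)
        image[off] = value
    return bytes(image), unresolved

def strings_at(image, offset, window, min_len=4):
    """Printable-ASCII runs inside image[offset:offset+window], like `strings`."""
    runs, cur = [], bytearray()
    for b in bytes(image[offset:offset + window]) + b"\x00":  # sentinel flushes last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs

# Constructed sample: a 4 KiB "chip" with a credits string at 0x300 (the real
# dump has its credits at 0x1AF300), read three times with different single-byte
# errors in each pass, plus one offset where two passes disagree with the third.
CREDITS_OFF, CREDITS = 0x300, b"CREDITS: constructed sample text\x00"
CLEAN = bytearray(b"\xFF" * 0x1000)
CLEAN[CREDITS_OFF:CREDITS_OFF + len(CREDITS)] = CREDITS

def corrupt(base, errors):
    """Copy of base with the given {offset: byte} read errors applied."""
    p = bytearray(base)
    for off, val in errors.items():
        p[off] = val
    return bytes(p)

PASSES = [corrupt(CLEAN, {0x305: 0x00, 0x400: 0x11}),
          corrupt(CLEAN, {0x30A: 0x7F, 0x400: 0x22}),
          corrupt(CLEAN, {0x30F: 0x00})]
```

Any offset reported as unresolved is one to re-read rather than trust, since a two-way disagreement gives no majority to vote on.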

Remaining Mysteries

Dumped JTAG of ATMega

We dumped the JTAG of the ATMega running the game and found a handful of strings, but nothing too compelling was apparent with a casual skimming of the dump...yet!

Empty Chip Pads

Image02.jpg

The pin connections on these pads match those of the serial storage device connected to the audio-driving PIC. The USB PIC does not seem to poll for this chip's existence though (no activity seen on CS, CLK, or DIN), which indicates the code on the USB PIC was not extended to use it. We theorized that previous plans included doing the mass storage on an external storage chip, but ultimately it was decided to do it with the PIC's internal memory. Despite the indications, we tried moving the SPI storage chip here in case additional files were embedded in it that would be revealed by the mass storage PIC, but no effect was observable.

There were also empty pads in the top right of this image (not numbered). When shorted, they tie ground to an input pin of the USB chip. Given our prior success shorting random pads together, we tried bridging them but found no observable effect.

Empty Pads Near Middle of Board

Image03.jpg

This pad seems to just be a place for an additional, larger decoupling cap as it runs from VCC to ground plane.

Structure Analysis Attempts

In the process of analyzing the board, we wanted to see the internal structure of the board. We theorized about hiding RFID devices under the bull designs, etching a design into a copper layer (those sneaky guys over at Chumby Industries did it!), or something even more tricky so we were fairly motivated to get a peek inside.

Unfortunately, since we couldn't get an X-Ray image in time, we tried some less conventional approaches, including heating the board with a heat gun while watching it with a thermal camera to detect heat absorption variations, shining a bright light through it for an extended period with a long exposure photograph, waving it around RFID readers and more. None of our approaches turned up anything interesting, but who knows for the next challenge!