I wanted to provide some follow-up on that. My first instinct was that it was an unsalvageable error, which led to adding the anti-metal NFC sticker to make it “work” while bypassing the onboard circuit. Not that it matters, nobody at Defcon in their right mind is going to scan your NFC badge. “Sure, I’ll take your malware!”
I’ll dive into an explanation with lots of pictures, to make it easier for folks maybe newer to Kicad to see the issue.
Here is the back copper layer. You can see that there is the antenna, which is the tight loops in a rounded rectangle, and that there is a copper keepout zone defined inside the antenna. This side, we believe to be correct.
And for reference, here’s that same area with the silkscreen showing, so that you can see where the antenna lives on the backside.
With me so far?
Ok, here’s where my attention to detail failed me. Here’s the front side copper layer in the same area. I’ve left the back copper layer visible but dimmed, so you can see how they interact/compare.
You see what I did there? I was in such a hurry to do this that I didn’t think it through. I just copied the keepout zone from the back to the front, thinking they needed to be the same. They absolutely don’t need to be the same. The purpose of the keepout zone is to allow radio waves to travel THROUGH the antenna, energizing it. The back is correct, because you don’t want a keepout zone where you actually want copper (the antenna). The front side, well, the keepout zone should have extended just outside the antenna on the back. I hope that’s clear. The front copper fill (which isn’t even tied to a net, not even ground — it only exists for the unmasked areas to be shiny!) actually overlaps the antenna itself, preventing the thing this circuit needs the most — radio waves flowing through the antenna.
So here’s a shot with all of it showing, so you can see what part of the copper would need to be removed for the circuit to work (hint: All of the copper on the FRONT side that covers up the antenna).
So I assumed it was a lost cause. That copper is INSIDE the board, or at least under layers of mask and silk. Surely that can’t be repaired, or isn’t WORTH being repaired.
But this is DefCon, of course, and Syntax, who I met in either LineCon or MohawkCon or both at my first DefCon in 2017, speculated that perhaps if one wet-sanded the silk, mask and copper out of that area blocking the antenna (basically the red area highlighted above — while being careful not to destroy the trace between the inside and outside of the antenna across the two vias) it could still work. It would look a little janky, but I might try it when I get home just for the experience. And then BradanLane suggested removing it with a laser and acid etch, which might be a little cleaner.
Idunno. I’m going to try it, because dammit, I really want to see my eye light up when I scan it. If any of you lunatics goes home and tries it as well, I’ll mail you the TSSOP-8 NFC chip if you don’t already have one, and you can install it yourself. It goes here:
Sorry I didn’t bring the NFC chips with me to Defcon, but you would have lost them in your sticker bags anyway. I naively thought it was a lost cause, and I mean, it’s not like hackers enjoy the recovery of a lost cause by any means necessary, LOL. It’s not like a point of pride or something to overcome by applying brute force, stimulants, ADHD and procrastination on actual money-making projects, simply for the glory of having WON.
So in the rush to get this done, apparently I mixed up power and ground between the top and bottom boards. So we’re going to disable them by removing those pins from the headers between the two boards. Power and ground on the front board ONLY provides power to the SAO header.
If you want to bodge it, you’re welcome to bodge it, just desolder the 4-pin header on the right and resolder a 6-pin header after cutting and rerouting the traces appropriately. If you want to add a SAO connector to mount an SAO without power, you’re welcome to do so. Just keep in mind it’s disabled for a reason. If you re-enable it without rerouting, it will burn out your SAOs and make your room smell funny.
This will be resolved in official batch #2 later this summer.
I could have retconned this as a “we deliberately disabled power on the SAO header for the Tarot badge so that it could connect to the Tree of Life Badge without concern for power in a future release of the firmware” but then we’d have to follow through on that promise.
First, a little bit of background. We had the idea for a Tarot badge last year, while walking around DefCon and getting so much love for our Kabbalah (Tree of Life) badge. That badge started so many interesting conversations and opened so many doors that we just felt it made sense to keep going down that path. When we started digging in to complete last year’s badge, I decided to commit to learning more about Kabbalah for a year and then to evaluate. I sorta mostly kinda did that, off and on. Once you start going deep on Kabbalah, you start to see its complete interconnectedness with Tarot. What happened was we started wishing last year that we had built last year’s badge bigger to include more about the tarot correspondences. The natural answer to badge insufficiency regret is “maybe next year.” So here we are.
The Badge: Technical
We did not stray too far from the technical features of last year’s badge. At the core level, this is still an RP2040-based Pico, some LEDs, an NRF radio and a display. But here’s why we were struggling until just this week to get it out. We lost a lot of time to decision paralysis – there are a lot of screens available. Which ones work with the Pico? Which ones will work with MicroPython? Which ones will work at our power level? A lot of research goes into these decisions. A lot of parts bought that end up never being used. I’m going to quote a prominent member of the badge-making community who recently said “Why do I do this to myself?” The answer has to be a feeling that you’re putting something useful, interesting and/or beautiful into the world. And we kind of hope we did.
We settled on the 2.2″ ILI9341 with integrated SD card. It seems to be the smallest profile screen available with 240×320 resolution, which is critical for displaying tarot cards. Any less resolution would have looked shitty. And it’s sad, but that’s one of the more expensive screens out there, which reflects in the final price of our badge.
Kevin, our developer, likes to scoff at those who consider MicroPython as some sort of lesser language. Some still linger in the world of perceptions where LED animations are slow, there are blockers everywhere, and too many Python libraries haven’t made it over yet. We’re here to tell you, MicroPython is thriving. Our LED animations are proof that there’s nothing slow about either the RP2040 or MicroPython. We make generous use of the dual core architecture. And Kevin managed to squeeze three SPI devices onto a two SPI bus system. And nobody knows why, but apparently we’ve implemented AES encryption into the badge.
Next year we’re thinking of bypassing the fully-built Pico and working with the RP2040 directly.
Please remember that none of us do this professionally. We’re all learning. This is a labor of learning, and a labor of love. Last year’s badge was the first “big thing” I ever designed in KiCad. After Defcon, this year we plan to develop some PCBs as a group in a group class series, so that more people can be part of the development effort, and we’ll teach each other some group workflow lessons.
The Badge: Features
It wouldn’t have taken much to make a badge that does a Tarot reading. We didn’t want to stop there. What I envisioned last year, and I told at least a few of you this in Vegas, was this. I wanted a badge that could do Tarot readings, but I wanted it to be OPEN. Meaning I wanted to provide at least one deck. In my naive early imaginations, I thought we’d actually find an artist to do a deck specifically for the badge. But Crowley and Harris we are not. They had time and money to pursue their project. We all have day jobs. Then we realized there are public-domain and open-licensed decks available. So we included (at time of writing) three decks on the badge to choose from. The Rider-Waite-Smith deck, a version of the Tarot de Marseille (unfortunately not the Jodorowsky version — I really want to turn more people on to Jodorowsky and the story of that deck), and what we call the Shitty Deck, one that we hand drew over DC540 meetups. Trust me when I tell you that this deck is absolutely shitty.
We’re including instructions on how to add your own decks to the SD card to make them available for display. It’s slightly convoluted, they have to be resized and converted to raw format, and a naming convention is enforced. But think about it — once you do this process once, you have that deck for use on the badge. We could populate the SD card with the hundreds of copyrighted decks out there that can be found on various file-sharing platforms, but that would be violating copyrights, and that would be wrong. So maybe scan the decks you have. Maybe make your own deck.
So you can choose a deck, you can do a reading. What else? We have badge pairing, of course. We have a challenge game, like last year, but unlike last year when all we had to give as a prize was Defcoin, this year we’re offering a badge as the prize. Either an additional Tarot badge, or last year’s Tree of Life badge. Because of quantity issues, there won’t be many badges to go around at the con itself, so that complicates the game a bit. We’ll see how that works out. Maybe we’ll separate out part of the game so that non-badgeholders can play.
Everyone seemed to like the illumination scheme we went with last year. I’m not a fan of surface LEDs beaming photons into my faceholes, so I chose a more subdued look by strategically removing solder mask on both sides of the board and illuminating from a board below. I pushed to expand on that this year, but instead of just beaming through shapes and symbols, I put the shapes and symbols on the surface and opened up an entire wheel for shine-through. As you can see, the color of the FR4 itself tends to adulterate the LED colors a bit when illuminating large areas like that, but not excessively. I found it difficult to get a good blue to shine through, for example. As delivered, there is a lot of bleed between the different segments of the wheel, but in the demo Kevin posted last night, what you see is the result of gluing a light separation wheel to the underside of the top board. There are 24 LEDs on the bottom board this year, each illuminating half a wedge on the top board. The separator wheel shown in the video only has 12 divisions, but still provides a nice sharp difference between the wedges. We will be providing an STL file for 3d-printing your own separator wheel, and the STL file has the inner ring defined as well, for full separation of all 24 segments. To be fair, I think beauty is in the eye of the beholder. The spinny animation in the first public demo, when run without a separator wheel, tends to lead to some interesting effects that evoke searchlight patterns at times, which is its own meaningful thing.
Searchlight casting for faults in the clouds of delusion
Anyhow, here’s what the beta version of the wheel separator looks like. It’s about 60mm in diameter. Thanks to BradánLaneStudio for creating the STL.
Not Many Copies at Defcon
We are so sorry, but because we got finished so late, we were too timid to drop coin on large quantities of the badge before knowing if it would work, so we won’t have many at Defcon at all. We should have enough to show everyone, and a VERY limited few to sell or trade, but literally don’t get your hopes up. We made 25 in the first batch. There are 10 of us going. We lost a few to testing. So we might have maybe 10 extras if we’re lucky. The good news is, boards and parts have been ordered, so we’ll be able to make more when we get back home.
We haven’t had the deep communications required to figure out how we’re going to distribute such a limited number of badges. We had such a good time distributing badges last year, we wish we could have done the same thing this year. We’ll try to have those discussions by the time the con starts. But seriously, temper your expectations of getting one onsite.
Some Thought About Tarot in General
A lot of people have a lot of thoughts about Tarot. On the ends of the spectrum, there are some pretty heavy expectations people lay on Tarot. As a lifelong rationalist, I see it, much like Kabbalah, as a framework in which to view the world and life events. A structure to be superimposed, for examination and rumination. Sometimes the results can be profound, but I like to believe the results are directly correlated to how much the reader and/or readee are able to open and stretch their minds. I will quote Lon Milo Duquette:
It's all in your head. You just have no idea how big your head is.
DC540’s Status and Mission
Last year, DC540 Nova cemented our status as a 501(c)(3) nonprofit. We have banking, we’re on AmazonSmile, and we have plans to support people both in and out of the infosec community with our skills, talents, passions and green energy. So when you’re forking over your hard-earned pay to covet one or more of our badges, please keep in mind that it’s going to a good cause. If you’d like to contribute some of that green energy directly to DC540 to support our efforts, you can do so by sending money via Paypal to treasurer@dc540.org. This will help recoup dev and prototype expenses, and support our mission. Now we’re not saying that making a healthy donation might lead you to receive a badge at Defcon, but we can absolutely be bought. And donations are tax-deductible.
Future Thoughts on this badge
We don’t know if it’s possible yet, but what if a new firmware could be developed for this year’s and last year’s badge that expanded the functionality a little bit, so that when a card is displayed on this year’s badge, the corresponding sphere(s) or path could be illuminated on last year’s badge? We exposed two GPIO pins on both badges via the SAO header, so maybe… Food for thought…
Engage with us. Join our Discord. Talk with us on Twitter.
I picked up a batch of NFC tag stickers from you know where.
I started thinking they would be a fun way to host a hunt-type game during a conference, gathering, or other event where the playing field could be large enough and diverse enough, yet still somewhat controlled.
They look innocuous enough, just a plain white circle about 1″ in diameter.
You could direct someone to a landmark — a sign on a building or street, a shelf in a bookstore, a corner of a bar, etc., where you have pre-planted a preprogrammed tag, have them locate and scan the tag, on which they’ll find clues — a URL, a phone number, an email address, or just a block of text. The options are endless.
I think most modern phones support the NFC apps. On my Pixel 6, I’m using NFC Tools by WakDev. Here’s what it looks like on an empty tag:
You can see from this screenshot that it’s writable, can hold 540 bytes of data, and can be made read-only. It’s useful to have that choice. In a hunt game, you may want to make the tag read-only so that players can’t corrupt your clue data. If you’re using these tags to exchange data with someone, however, you may want to leave it writable. Imagine using it as a stealth message delivery tool.
Here is the large list of types of data it supports. You’re limited by its 540-byte memory, but anything too large to fit on here can be put somewhere semi-privately on the web and just shared as a URL.
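The clue types above (URL, text) are stored on the tag as NDEF records inside a TLV wrapper, and the 540-byte figure is what the whole wrapper has to fit into. The following is an added example, not code from the post or from NFC Tools: it encodes a URI or text record, checks it against the tag capacity (the post's 540 bytes, assumed here to be the usable NDEF area), and decodes a record back so you can inspect what a scanned tag actually carries before acting on it. The record and TLV layout follow the NFC Forum NDEF/RTD specifications.

```python
"""Encode/decode NDEF records for an NFC tag and check them against its capacity."""

TAG_CAPACITY = 540  # bytes reported by NFC Tools in the post (assumed all usable)

# NFC Forum URI record identifier codes: the list index is the code byte.
URI_PREFIXES = ["", "http://www.", "https://www.", "http://", "https://",
                "tel:", "mailto:"]


def _record(rtd_type: bytes, payload: bytes) -> bytes:
    """One well-known record (TNF=1) flagged MB+ME; short form if payload < 256."""
    if len(payload) < 256:
        return bytes([0xD1, len(rtd_type), len(payload)]) + rtd_type + payload
    return (bytes([0xC1, len(rtd_type)]) + len(payload).to_bytes(4, "big")
            + rtd_type + payload)


def uri_record(uri: str) -> bytes:
    """'U' record: the longest matching prefix is replaced by its one-byte code."""
    code = max((i for i, p in enumerate(URI_PREFIXES) if uri.startswith(p)),
               key=lambda i: len(URI_PREFIXES[i]))
    return _record(b"U", bytes([code]) + uri[len(URI_PREFIXES[code]):].encode())


def text_record(text: str, lang: str = "en") -> bytes:
    """'T' record: status byte (UTF-8 flag clear, language length) + lang + text."""
    return _record(b"T", bytes([len(lang)]) + lang.encode() + text.encode())


def tag_image(record: bytes) -> bytes:
    """Wrap the message in the Type 2 tag NDEF TLV: 0x03, length, data, 0xFE."""
    n = len(record)
    length = bytes([n]) if n < 0xFF else b"\xff" + n.to_bytes(2, "big")
    return b"\x03" + length + record + b"\xfe"


def fits_on_tag(record: bytes, capacity: int = TAG_CAPACITY) -> bool:
    """True if the wrapped message fits in the tag's NDEF area."""
    return len(tag_image(record)) <= capacity


def decode_record(record: bytes):
    """Return (kind, value) for one 'U' or 'T' record; rejects other TNFs."""
    hdr = record[0]
    if hdr & 0x07 != 1:
        raise ValueError("not an NFC Forum well-known record")
    type_len = record[1]
    if hdr & 0x10:  # SR bit: one-byte payload length
        plen, pos = record[2], 3
    else:
        plen, pos = int.from_bytes(record[2:6], "big"), 6
    id_len = 0
    if hdr & 0x08:  # IL bit: an ID length byte follows the payload length
        id_len, pos = record[pos], pos + 1
    rtd = record[pos:pos + type_len]
    start = pos + type_len + id_len
    payload = record[start:start + plen]
    if rtd == b"U":
        return "uri", URI_PREFIXES[payload[0]] + payload[1:].decode()
    if rtd == b"T":
        lang_len = payload[0] & 0x3F
        return "text", payload[1 + lang_len:].decode()
    raise ValueError(f"unsupported record type {rtd!r}")
```

A clue longer than the tag's capacity (a 600-character text, for instance) is correctly encoded as a long-form record but `fits_on_tag` reports it will not fit, which is the case where the post suggests hosting the content on the web and storing only the URL.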
Yesterday I wrote about the mystery Waldorf Astoria Park City room keys that didn’t respond to either 13.56MHz or 125KHz probes. Mystery solved. They use NFC. On a whim, I hit them with NFC-tools on my phone, and the world makes sense again.
I decided to audit my large collection of RFID hotel keys I’ve collected over the years. Just to get an idea what’s out there, and look for patterns and anomalies.
One strange set I found is from the Waldorf Astoria in Park City. Didn’t respond to HF or LF search, but it clearly says right on the card, “hold key within 1/2 inch of locking device.” I wonder what they’re using if it doesn’t register at all on the Proxmark? I have four of them, maybe I’ll see if I can crack one open to see what’s inside.
The Hilton cards, for the most part, revert to hardnested attacks, but fall rather quickly, as opposed to the Sheraton card I was battling earlier in the week.
I guess I have about 75 card dumps in total now, about 40 of which are Hilton.
I’ve been playing with reading/cracking hotel room keys using the Proxmark3 RDV4 lately.
Most hotel room keys I have collected are MiFare Classic 1K. MOST of them are susceptible to autopwn within a minute or so. Coincidentally, most of my collection are from Hilton properties. Recently I came across a Sheraton room key that didn’t fall within the expected timeframe.
The “Weak PRNG” method did not work on this particular card, and so pm3 (RRG/Iceman fork) reverted to a hardnested attack. On my MacBook Air M1, that was slated to take 2 days. I moved the task to a more powerful Kali desktop, and it’s now slated to take 9 hours to complete.
I will update this post when I experience either success or failure. I do like a challenge.
Hours later: The first run stopped in midstream with “Could not connect to Proxmark.” Running it again for good measure.
Hours later again: Collapsed again after a couple of hours. Might have to try a different approach.
I learned some stuff in my reading, though. Apparently it’s all a game of spy vs spy. There are RFID systems that will detect cloned cards by attempting to write to block 0. If successful, it’s a writable clone card and the system can deny and alert. There are also more advanced CARDS that can be written and then locked, to defeat those features.
For those who choose to join us, Social House in South Riding/Chantilly. We’ll try to get our usual outdoor table. Tonight’s topics are badge artwork and stickers. 1830, first one there grab the big table.
Some of you might have been subject to my old-man ranting about how difficult it has become to install software that “just works.” My raging against the cloud, against everything-as-a-subscription, and against software that requires the capability of phoning home, either during install or on a continual basis.
My task was to install MS Office in a closed lab network, so that the users doing the work in the lab could write reports, etc., without having a separate machine just for that purpose. This network does not connect to the internet. It is a self-contained lab network with only what is needed for the lab installed on it.
It’s been a while since I fucked around with Microsoft products, and I naively assumed it would be a piece of cake. Just install it, give it a key, and be good to go. I was warned by those who had gone before me that it’s no longer that simple. Everything in Microsoft-land requires internet, they told me. “Surely they understand that a use case exists for no internet/no cloud,” I started to respond, before reliving the trauma of having to kill Atlassian when they made their on-prem product completely out of reach for small groups/businesses.
So I started down the road. I bought 12 licenses for “standalone” office 2016, went through the process of installing it on one of the lab machines, and yep, it requires internet to activate. OK, I’ll play along. We use FOG to image these lab workstations, so I set up a fresh install on a golden image candidate, activated it over the internet (very ugly process, by the way, if you buy multiple licenses), confirmed it was functional, and then captured an image of it. Rolled it out to other workstations, only to find that each new clone required its own activation. Well, this will never work.
I managed to get MS to refund the product after a lengthy discussion with a support rep. I decided I wanted to go the way of a volume license, only to learn that the KMS server too needs to touch the internet. I kept reading and reading and learning, and finally came across vlmcsd, which is a Linux-based open-source KMS server. Its only job is to say yes. When configured as the KMS server for a workstation (using DNS or manually via slmgr), any activation requests received by that KMS server are simply approved.
So I built one, making sure our licensing is properly paid for and accounted for, of course. I added the SRV record for announcing the KMS service to the closed-network DNS, and installed the VL version of Office. Initially, running OSPP.VBS from the Office16 directory reported that the software was under a grace period with <30 days remaining, but after a reboot it reported it was fully licensed.
I wish vendors would provide a bit more flexibility in their product offerings, and understand that there are use cases that are outside the norm. I understand their need to protect their software from piracy, but this kind of heavy-handed control really makes it difficult for some of us who, for various reasons, don’t want to connect every network in our enterprise to the internet. We still exist.
Tune in to the Discord voice channel at 1830. Good chance to get to know some of us if you haven’t been to an in-person, or to participate in summer camp decisionmaking if you’re a regular.