d1str0 / dc29-badge

Issue with 31-digits only on generation [SOLVED]

JSylvia007 opened this issue · comments

So... My badge only generates 31-digit hashes...

This is unsolved. Not sure why this happens. Stay tuned.

UPDATE: This has been solved sorta!!! See below.

We did some debugging with this, we tried:

  • Reflashing a few times
  • Verifying current firmware and new firmware with md5sum
  • Resetting ROM

Nothing helped, still 31 characters. @JSylvia007 was on a mac and running screen /dev/something 9600 to connect to the badge.

I'm on linux and I've tried screen, putty, and minicom.

So... My badge only generates 31-digit hashes...

I'm having the same issue. I've tried resetting and reflashing, no luck fixing the 31 hash issue.

Appears to stem from a badge ID issue. On badges that are showing 31 bits, the 9th and 10th bit pairs (which hold the badge ID) only contain three bits instead of the expected four.

As an example, take the two following requests:
26EA7D9D7C05DE707A92129F5FB49B2E - Working 32, ID 7A92
A940CB0BADFA86F5EB01207BF092532 - Non-working 31, ID EB0

Other values that are static across requests from the same device (ex. the fifth bit pair) confirm that it is the ID that is having the issue. My current working theory is that affected devices have an ID starting with 0. If the value is stored as an int but is not prepended with a zero when one is required, one would end up with the currently shown ID.

Modifying the input is unlikely to fix this - there is a length check to ensure 32 bits are sent and prepending anything disrupts the expected bit order. A proper fix will likely require a firmware modification, though I don't have any experience with doing so.

I've solved the case!
If the badge's serial number (as seen when in debug mode) starts with a 0, the codes that are generated from the first 8 characters of the number are offset by one, as if the 0 isn't there.

this can be manually corrected by editing the request code like so:
##AB####CD######EFG############
|
v
##0A####BC######DEFG############

but a firmware fix would be appreciated

Well done on finding the issue! I've been working on this and just discovered the same thing a little bit ago. New firmware will be available soon!

This is excellent! Is the new firmware available?

I wrote up a Python script to correct bad request codes into good request codes, following the methodology from @simonomi's comment. It's tested and appears to work:

#!/usr/bin/python3
# Rebuilds a 31-character request code into the 32-character form,
# following the mapping from simonomi's comment:
#   ##AB####CD######EFG############  ->  ##0A####BC######DEFG############
import argparse
import sys

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("BROKEN_CODE")
    code = parser.parse_args().BROKEN_CODE
    fixed = code[0:2]
    fixed += "0"          # the dropped leading zero goes back in
    fixed += code[2]      # A
    fixed += code[4:8]
    fixed += code[3]      # B
    fixed += code[8]      # C
    fixed += code[10:16]
    fixed += code[9]      # D
    fixed += code[16:32]  # EFG and the remaining characters
    print(fixed)
    return 0

if __name__ == "__main__":
    sys.exit(main())

So I just woke up and am kinda tired, but I think I've implemented it correctly, let me know if it isn't working for you
https://rossmarks.uk/git/0xRM/DC29BadgeBot
It should detect if you're generating short hashes and fix them automagically.
Thanks @xanarin and @simonomi

This is excellent! Is the new firmware available?

https://forum.defcon.org/node/238291?p=239164#post239164

@simonomi @xanarin @compukidmike

Thank you all for your hard work fixing the issue!

I saw on the forum that people are still having issues with generating reply codes, so I've found the solution for that, but you need to find the device's serial number first. (On my Mac, while the badge is in debug mode, it's  > ⌥ + System Information > USB > DEF CON 29 Badge.)

the 7th character in the serial number needs to be added after the 14th character

for example, if my serial number is:
######AB########################
the solution would be:
##############B################
|
v
##############AB################
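As an added example (not code from this thread or from the DC29BadgeBot project), the following Python puts both corrections into functions: the request-code shift from simonomi's earlier comment and the reply-code rule above, with the length and hex check a user would want before sending the result on. The serial number in the usage lines is a constructed placeholder.

```python
import re

HEX_CODE = re.compile(r"^[0-9A-Fa-f]+$")


def _check(code: str) -> str:
    """Accept 31 or 32 hex characters; anything else is not a badge code."""
    code = code.strip().upper()
    if not HEX_CODE.match(code) or len(code) not in (31, 32):
        raise ValueError(f"expected 31 or 32 hex characters, got {len(code)}")
    return code


def fix_request_code(code: str) -> str:
    """Rebuild a 31-character request code (serial number starts with 0):
    ##AB####CD######EFG############ -> ##0A####BC######DEFG############
    A 32-character code is already good and is returned unchanged."""
    c = _check(code)
    if len(c) == 32:
        return c
    # The dropped leading zero goes back in at index 2, and the three
    # characters that were pulled left by the shift move back right.
    return c[0:2] + "0" + c[2] + c[4:8] + c[3] + c[8] + c[10:16] + c[9] + c[16:]


def fix_reply_code(code: str, serial: str) -> str:
    """Rebuild a 31-character reply code: the 7th character of the badge's
    USB serial number (visible in debug mode) goes in after the 14th
    character of the code. A 32-character code is returned unchanged."""
    c = _check(code)
    if len(c) == 32:
        return c
    if len(serial) < 7:
        raise ValueError("serial number too short; read it with the badge in debug mode")
    return c[:14] + serial[6].upper() + c[14:]


if __name__ == "__main__":
    # 31-character request code quoted earlier in this thread
    print(fix_request_code("A940CB0BADFA86F5EB01207BF092532"))
    # 31-character reply code from this thread; "0A1B2C3" is a constructed
    # placeholder serial number, not a real badge's
    print(fix_reply_code("9C15426C7B3470534EB134C01D17F30", "0A1B2C3"))
```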

There is new firmware available to solve this at defcon.org/signal !

There is new firmware available to solve this at defcon.org/signal !

Unfortunately it still doesn't work on my badge...
Just downloaded and updated the badge..

Enter the request or reply string:731526F27B4CC10934EB127CA97882F6
Send this string back to the person who gave you the request.
9C15426C7B3470534EB134C01D17F30

What info do you need from me to help troubleshoot this?

Can you show the md5sum of the file you're copying onto the badge?

@tbernhardson I've confirmed the issue you're seeing and have a fix. Would you be willing to test it for me?

@tbernhardson I've confirmed the issue you're seeing and have a fix. Would you be willing to test it for me?

yes

Can you show the md5sum of the file you're copying onto the badge?

MD5 hash of .\DC29Human2.uf2:
0877fc9cd7ead1214a7cda81aca9a494

So I can generate a 32 character request, but my responses are only 31 characters.

Yeah, the responses were similarly shifted when the first digit you have was a zero

Here is a regex you can run to fix the response in the same way:

echo "C3B968F50F2D089D99813AC015F7F29" | perl -pe 's/(?<=\w{4})(\w{3})(\w{1})(\w{2})(\w{1})(\w{1})(\w{7})(\w{1})(\w{1})(\w{2})(?=\w{8}\b)/0$1$3$2$4$6$5$7$9$8/g'

CORRECTION: this didn't actually work... I tried a shift based on this post above: #1 (comment)

... but with the ID inclusion mask (for the responses) it looks like this:

xxxxABCDxxEFxxxxxxxGHxxIJxxxxxx
|
v
xxxx0ABCxxDExxxxxxxFGxxHIJxxxxxx

But it appears that doesn't work. Sorry!

I saw on the forum that people are still having issues with generating reply codes, so I've found the solution for that, but you need to find the device's serial number first. (On my Mac, while the badge is in debug mode, it's  > ⌥ + System Information > USB > DEF CON 29 Badge.)

the 7th character in the serial number needs to be added after the 14th character

for example, if my serial number is:
######AB########################
the solution would be:
##############B################
|
v
##############AB################

So, my serial number is literally 5 chars: 12345 ... did yours actually have a 7th character?
Any idea how to find the Serial # info in Windows? I stepped through every property in the Device manager (both in Debug & Regular Badge Mode) and I didn't find anything like a serial # anywhere.

So, my serial number is literally 5 chars

the badge has to be in debug mode, aka hold down the bottom-right button while turning it on

On Linux, if you are in debug/flashing/blinking red mode and you run lsusb -v, you will be greeted with something akin to the following, which includes the device serial number:
