Telephreak 11 Badge Release Notes

Welcome to the Telephreak 11 badge!

This was a very hasty project, with just over six weeks from concept to “finished” product. It was stressful, but I had fun and learned a TON. Expect bugs and all sorts of weird behavior.

Nine total PCB revisions were actually fabbed, and the final one still had a couple of bugs. This was my first time designing or building electronics, and I had to dive into a lot of stuff I didn’t expect. I understand digital logic fairly well, but I didn’t realize that I would have to modify the SPI Flash library I used to send extra raw bytes down the SPI bus because the Flash chips I ordered had a secondary write-protect mode that I needed to toggle a couple bits for. That was a fun day. There are also a few scenarios I can think of that might send the badges into an infinite loop or one that might take a very long time to complete, but fortunately there’s a reset button on the front. I wrote fixes for a few of them but they broke some other things and I didn’t have any time left to debug further.

The basic way these communicate is a store-and-forward implementation – each badge will beacon out periodically with a token signifying the image it’s currently displaying. If a badge sees another unit with a newer image, it will send a request for that image, and after a handshake the image will be sent over. This can take a couple minutes to complete. This is partly due to write speeds on the SPI flash itself and partly because some of the mods I made to the SPI Flash library were horribly inefficient, but it does give other radios a chance to communicate with each other in a congested environment.

When an image is received, it is stored in a temporary section of the Flash, and if enough CRC-correct, SEQ-correct packets are received from the correct source node, the badge assumes it’s gotten a complete and valid image, and it will be copied to the primary store of the Flash and then displayed. There is no input validation AT ALL for images received (and other things), so bugs and unexpected corruption and interference can make all sorts of cool glitchy things happen.
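As an added illustration of the receive path described above (this is example code, not the badge firmware, and the packet layout, CRC-8 polynomial, node ids and 64-byte image size are all constructed for the example): a receiver that only stores chunks from the node it accepted the image from, with a correct CRC, and that bounds-checks the sequence number so a chunk can never land outside the temporary region, which is the kind of input validation the notes say the badges currently skip.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed packet layout for this example; the real badge format is not published here. */
#define PAYLOAD_LEN 16
#define IMAGE_BYTES 64                          /* constructed image size */
#define NUM_PACKETS (IMAGE_BYTES / PAYLOAD_LEN)
_Static_assert(NUM_PACKETS <= 31, "bitmap below only tracks up to 31 chunks");

typedef struct { uint8_t src, seq, payload[PAYLOAD_LEN], crc; } packet_t;

typedef struct {
    uint8_t  expected_src;                      /* node we accepted the image offer from */
    uint32_t have;                              /* bitmap of sequence numbers stored so far */
    uint8_t  temp[IMAGE_BYTES];                 /* stand-in for the temporary Flash region */
    uint8_t  primary[IMAGE_BYTES];              /* stand-in for the primary Flash store */
    bool     complete;
} receiver_t;

/* CRC-8, polynomial 0x07, initial value 0: the check value carried in each packet. */
uint8_t crc8(const uint8_t *d, size_t n) {
    uint8_t c = 0;
    while (n--) {
        c ^= *d++;
        for (int i = 0; i < 8; i++) c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

/* CRC covers src, seq and payload, which sit contiguously at the start of the struct. */
uint8_t packet_crc(const packet_t *p) { return crc8((const uint8_t *)p, 2 + PAYLOAD_LEN); }

/* Build a well-formed chunk (used by the sender side and by tests). */
void packet_build(packet_t *p, uint8_t src, uint8_t seq, uint8_t fill) {
    p->src = src; p->seq = seq;
    memset(p->payload, fill, PAYLOAD_LEN);
    p->crc = packet_crc(p);
}

void receiver_start(receiver_t *r, uint8_t src) { memset(r, 0, sizeof *r); r->expected_src = src; }

/* Returns true if the chunk was stored. Rejects other nodes, bad CRCs, duplicates, and
 * sequence numbers past the end of the temporary region (an out-of-range seq would
 * otherwise write outside temp[] and corrupt whatever follows it in Flash). */
bool receiver_handle(receiver_t *r, const packet_t *p) {
    if (r->complete || p->src != r->expected_src) return false;
    if (packet_crc(p) != p->crc) return false;
    if (p->seq >= NUM_PACKETS) return false;
    if (r->have & (1u << p->seq)) return false;
    memcpy(r->temp + (size_t)p->seq * PAYLOAD_LEN, p->payload, PAYLOAD_LEN);
    r->have |= 1u << p->seq;
    if (r->have == (1u << NUM_PACKETS) - 1) {   /* every chunk present: promote to primary */
        memcpy(r->primary, r->temp, IMAGE_BYTES);
        r->complete = true;
    }
    return true;
}
```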

There’s an output-only serial console:
TX PD1, 115200 8n1

and ICSP:
MOSI, MISO, SCK0, PC6 = Reset (Be sure to tie nSS on the radio, CS on the display, and CS on the Flash chip all to VCC before using)

** After a reset, if you see the serial console output “No! I don’t want that!” after it brings up any hardware, it means that component probably needs to be resoldered. Shoot me a message. **

These should be fun to hack on, and I think the hardware is way more solid than the software. I’ll be releasing full schematics and source code after DEFCON to make it easier for everyone to use these as a hackable packet radio platform.

Enjoy, be patient with them, and please don’t brick everyone’s badges with Goatse on the first day!

Rucas (@DominoTree)