At some time in the next 6 billion years I will complete the writeup for the badges about how they were put together. For now this is just how to get your badge working at home as well as how to unlock all the challenges now that BSides Cape Town is over.

For those of you that missed it here is a picture of em and a potatocam video of it:

As some of you may have noticed (and people have asked), your badges are simply not doing anything once you take them home. This is a quick writeup on how to get your badge going again as well as how to unlock all the challenges and their addons (pong / wifi scanner / etc).

First off, if you want to find out about the badges for now you can go to this will describe the screens / options as well as explain the game:

Why they dont start up at home

In case you missed the small segment we did at the end of the conference, the badges won’t start up again unless they can connect to a wifi network. You have three options for how to configure this:

Create a WiFi Network

The badges are looking for a WiFi network with and SSID of “Highway” and a password of “dangerzone” ( note those are CaSeSeNsiTiVe. If you create this network and reset your badge (there is a reset button on the back), it will simply work.

Connect via Serial to tell the badge what network to connect to

The badges initially will try connect to the default WiFi network, if that fails they will try reading from the EEPROM (non volatile memory) and if that fails they will drop to a prompt asking the user for their SSID and Password. To view this simply install the CH430 driver so your machine picks up the device. Then you can connect to it at a baud rate of 74880 (this is the baud of the ESP8266’s debug channel).

Personally I’m just using the Arduino application since it was easier to have it connect at the baud rate. Using it you should see the following screens and be able to input your SSID and Password:

In this case I used the SSID “ExampleNetwork” and password “ExamplePassword”, it connected and saved it to the EEPROM, for now on I can just wait for this badge to fail and if that network is available I will be connected.

Upload new firmware

If you don’t want to wait for it to timeout or run the Highway SSID you can also change the following line in the firmware and then re-upload it via esptool or Arduino

Unlocking all the extras

I have updated the page at that near the bottom you can simply put in your badge number and it will output a series of correct hashes that you can use to unlock all the challenges for your badge.

Keep it punk.


First off let me just say a big thank you to the MWR guys who put this CTF together, usually I don’t partake in CTFs because the skillset required is usually out of my grasp (IANAP).

To have developed this CTF in a manner that allows people who do not work with crypto/hackz0r wizardry to still have a chance of solving the problems is awesome! I didn’t solve all of the problems, but I did spend far too much of my free time and apologise to the many bars I had to let down during that time. After this writeup I shall resume my social responsibilities ;)

Each of the various problems took my many hours of frustrating, wallpunching, facepalming and omgnoobing to complete, however I will just go over the solutions to each of them without the hours of frustration — the tl;dr of each one if you will.


Challenge 1 ( GUASS RIFLE ) — A book cipher requiring you to parse various words from lines in books
Challenge 2 ( RADIATION POISONING ) — An LSB Stego QR code that needed to be decoded and then parsed
Challenge 3 — Not completed
Challenge 4 ( FACSIMILE ) — A audio fax that needed to be decoded
Challenge 5 ( GREEN SKIN ) — A literal jigsaw puzzle representing 4 sides of a puzzle piece with 3 characters
Challenge 6 ( WHIRLPOOL ) — A multiple times rotated image that needed to be ‘unrotated’
Challenge 7 ( SCORCHED EARTH ) — An Office document with a weak password
Challenge 8 ( SMOG AND SMOKE ) — A Modified playfair cipher that needed to be recronstructed based on solar systems
Challenge 9 — Not completed
Challenge 10 — Not completed

If you have the writeup to challenges 3/9/10 please let me know so I can link to them!


All the challenges/instruction text and solutions are available on the following github:

Read more »

This blog post will discuss the implementation of Codegrabbing / RollJam, just one method of attacking AM/OOK systems that implement rolling codes (such as keeloq) — these systems are commonly found on modern vehicles and entry systems such as gates and garages. This technique has been used and spoken about for a number of years (Marko Wolf describes it in “Security Engineering for Vehicular IT Systems” from 2009).

However the advancement in easy to use and cheap hardware has made this a readily available research path for almost anyone. Samy Kamkar showed it at Defcon 2015, you can read about that and his device at This blog entry will be more discussing the integral parts of how it works and how easy it is to do.

I was optimistic that the 2015 talk @elasticninja and myself did at zacon on this topic would be published so that I could lazily just link to the video instead of having to write it up, but alas, here we are! ;)

Naturally its important to have a spoiler before the long boring text. Here is a video carefully crafted by my friend Roelof Temmingh showing us opening a VW car with two YS1 (YardStick One):

Read more »


Its been absolutely ages since I’ve posted anything on the blog, not that I havent been doing things, just really not many things I felt good enough to write an entry about. I got a lot of feedback regarding my previous entry about Hacking Fixed key remotes and I decided to build on that slightly.

One of the pains of the previous method was that it was a rather tedious to do the following:

* Finding the key for the remote essentially it was broken into:

* Finding the signal with RTLSDR
* Saving demodulated .wav
* Running a script to decode that audio
* Replay remote with RFCat

* Transmitting the remote also meant another piece of hardware (RFcat) and then taking the signal from the decoded script into a format RFCat understands.

So much like the sex pistols album I am also going to be flogging a dead horse, this time the AM/OOK one. In this blog post I will explore discovering signals as well as replaying them with RFCat.


Read more »

The ZaCon badges were a ton of work on the hardware side (see ZaCon V Badge [1/2]: Build Time), however they provided their own challenges on the software side as well.

Since my knowledge of chipsets only extended to the Arduino the badges are essentially a complete Arduino without the UBS->FTDI breakout. This means that each badge includes an Arduino bootloader which is _really_ nice if you are coming from an Arduino background or simply have an Arduino and want to play.

The idea behind the badges was that they would provide a means of tracking communication between individuals at the conference. Additionally I wanted this information transmitted to a central location so that it could be stored and visualised (yes yes, Maltego and all). Additionally because people would be moving around I needed to create a ‘mesh network’ of sorts so that anytime someone came into range of any other badges they would be automatically be part of the network. This blog entry is going to cover how the badges did this and the challenges faced, if you are not interested make like a heartbleed and go away.

Eye Candy:

Here is a video of a few of the black badges communicating to each and flashing for all the valid messages received:

Read more »

Recent Posts


Not the quickest of cats
on the best of days.

Tag cloud


For electronics/other to play with: