Intrepidus Group
Insight

Fun With The DefCon 20 Ninja Badge

Posted: August 6, 2012 – 11:09 am | Filed under: Uncategorized

This year marked the 20th anniversary of the DefCon conference. Each year at DefCon, there’s a mad dash from attendees to try to gain access to what many perceive to be the best party during the con. The party is hosted by a group of folks known as Ninja Networks, and for the past 3 years, access to the party was granted through obtaining a custom badge, known as the Ninja badge.

Sadly, the folks that comprise Ninja Networks announced (in this post on the DefCon forum) that this would be the last year of the Ninja party. To celebrate, the ninjas went all out when they came up with badges this year. This post is going to talk about the ninja badge, and how we were able to earn one this year.

A Bit About the Badge

The Ninja badge this year was an HTC One V Android smartphone. That’s right: by obtaining one of the badges, you were handed a mobile device that costs roughly $300. The ninjas wrote their own custom ROM for the devices, as well as multiple applications to be used during the conference. The applications included things like a game that could be played with other ninja badge holders, a centralized chat application, and an app which communicated with a vending machine via bluetooth to dispense beverages to badge holders.

That’s all very cool, “But wait! There’s more!”


A Hacker Cell Network

The ninjas didn’t stop at making a cool badge this year. In addition to having custom smartphones the ninjas set up their own cell network called NinjaTel. This cell network allowed the ninja badges to communicate with other badge holders during DefCon. Badge holders could call, IM, and send private messages to each other.

So amazing was this setup that the Wall Street Journal has a post on their blog about it. The NinjaTel network was created using USRP devices set to GSM frequencies. Voice traffic was managed by an Asterisk VoIP infrastructure. The contact database on the phone was synchronized with a central directory maintained by the ninjas, and each person that got a badge was registered with the NinjaTel network. The whole shebang was managed and run out of a cargo van parked in the DefCon Vendor area.

Needless to say, being interested in all things mobile, we were drooling when we found out about all of this. We made it a personal goal to do everything we could to get one of these badges to play with. For those that aren’t aware, the ninja badge is intended to be a social thing. They are given out to friends and family, and to people that the ninjas feel contribute back to the community.

Since none of us knew any of the ninjas personally, chances were slim that we’d be able to get one. After about a day of talking to everyone we knew that had a ninja badge, it was clear that the only way we were going to get one was by somehow earning it. Fortunately, a good friend was willing to lend us hers for a while.

First Impressions

Once we had one of the devices in our hands, we disappeared into our hotel room for the rest of the day to begin hacking. The first thing we did was reboot it. We were immediately floored by how nifty the ROM was. The ninjas created their own boot animation, complete with Pat Fleet welcoming us to NinjaTel.

Once the device had booted up, we immediately powered it down and booted it again – this time into the bootloader menu (by holding the VOL-DOWN button while powering the device on). The device was running an HTC dev build, and the bootloader was locked.

Because this wasn’t our own badge, we were hesitant to do anything too disruptive, like unlocking the bootloader and flashing recovery with clockworkmod or similar. Instead, we brought the device back up, and dumped the /system and /data directories via ADB. We had no problems getting the device recognized by ADB, but it seems that others needed to add entries to their configuration. Travis Goodspeed posted the following settings to pastebin:

# NinjaTel HTC One V 0bb4:0ce5, 0bb4:0ff9, 0bb4:0ff0
# The first allows for adb, while the latter two are needed for fastboot.
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0ce5", MODE:="0666", SYMLINK+="HTCONEV"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0ff9", MODE:="0666", SYMLINK+="HTCONEV"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0ff0", MODE:="0666", SYMLINK+="HTCONEV"

Hacking the Badge

We then spent the next few hours dissecting the various ninja applications, and poking around on the system. We quickly came to the conclusion that the device was running Android ICS, because we noticed the presence of the directory /system/etc/security/cacerts/ (this directory doesn’t exist prior to ICS; in earlier versions the certificate store is a BKS-formatted file at /system/etc/security/cacerts.bks). It didn’t seem likely that the devices would be running JellyBean, and this guess seemed confirmed when we observed the following entry in the /system/build.prop file:

ro.build.project=PRIMO_U_ICS_40A:264337

This was all neat, but none of it was helping us to earn a badge. The ninjas had created a very cool launcher, but there was no apparent way to get to any apps other than those built into their custom UI. Similarly, there was no way to access the system settings. A picture of what the main screen looked like is below:

[Image: ninja badge home screen]

It struck us as odd that there would be no mechanism to access settings, so we looked a little deeper to see if there was some hidden way of accessing these items.

Android Hidden Codes

One of the tools we created for our testing checks the device for applications that have configured secret codes. Secret codes can be used by applications to launch intents. Access to the intent is gained by dialing a specific string of digits in the dialer application. For example, many Android devices contain an information activity which can be accessed by dialing *#*#4636#*#*.

An application registers secret codes by using the following elements in the AndroidManifest.xml file:

<intent-filter>
    <action android:name="android.provider.Telephony.SECRET_CODE" />
    <data android:scheme="android_secret_code" android:host="3333" />
</intent-filter>

Running through all the applications on the NinjaTel device didn’t show any helpful secret codes. Just the usual Google and HTC specific codes were present:

APK CODE
CheckinProvider.apk *#*#682#*#*
CheckinProvider.apk *#*#682226#*#*
CheckinProvider.apk *#*#682364#*#*
CheckinProvider.apk *#*#682668#*#*
FieldTest.apk *#*#7262626#*#*
FlexNet.apk *#*#361066#*#*
FlexNet.apk *#*#361166#*#*
FlexNet.apk *#*#362066#*#*
FlexNet.apk *#*#366633#*#*
FlexNet.apk *#*#36666#*#*
FlexNet.apk *#*#3688633#*#*
FlexNet.apk *#*#368866#*#*
FlexNet.apk *#*#7669633#*#*
GSD.apk *#*#3424#*#*
GooglePartnerSetup.apk *#*#759#*#*
GoogleServicesFramework.apk *#*#2432546#*#*
GoogleServicesFramework.apk *#*#46#*#*
GoogleServicesFramework.apk *#*#7867#*#*
GoogleServicesFramework.apk *#*#8255#*#*
GoogleServicesFramework.apk *#*#947322243#*#*
Phone.apk *#*#2347#*#*
Settings.apk *#*#2900#*#*
Settings.apk *#*#29000#*#*
Settings.apk *#*#2911#*#*
Settings.apk *#*#29111#*#*
Settings.apk *#*#4636#*#*
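
The check described above, written out as an added example (this is not the tool the authors used): it lists the secret codes registered in decoded AndroidManifest.xml files, and it goes one step beyond the listing above by also flagging filters that name the scheme but no host. It assumes each APK's binary manifest has already been decoded to text XML (for instance with apktool); the APK names and manifests in SAMPLES are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACTION = "android.provider.Telephony.SECRET_CODE"
SCHEME = "android_secret_code"

def secret_codes(manifest_xml):
    """Return the sorted dialer strings registered by one decoded manifest."""
    codes = set()
    for filt in ET.fromstring(manifest_xml).iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in filt.findall("action")}
        data = filt.findall("data")
        schemes = {d.get(ANDROID + "scheme") for d in data}
        if ACTION not in actions or SCHEME not in schemes:
            continue
        # Scheme and host may be split across several <data> elements.
        hosts = [d.get(ANDROID + "host") for d in data if d.get(ANDROID + "host")]
        # No host: the filter matches the scheme alone, so it is not bound to one code.
        codes.update(hosts or ["<any>"])
    return sorted("*#*#%s#*#*" % c for c in codes)

# Constructed sample input: decoded manifests keyed by hypothetical APK names.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLES = {
    "Example.apk": """<manifest %s><application>
      <receiver android:name=".CodeReceiver"><intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE" />
        <data android:scheme="android_secret_code" android:host="3333" />
        <data android:host="303" />
      </intent-filter></receiver>
      <receiver android:name=".BootReceiver"><intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter></receiver>
    </application></manifest>""" % NS,
    "CatchAll.apk": """<manifest %s><application>
      <receiver android:name=".AnyCode"><intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE" />
        <data android:scheme="android_secret_code" />
      </intent-filter></receiver>
    </application></manifest>""" % NS,
}

def scan(manifests):
    """Return (apk, code) rows in the same APK/CODE layout as the listing above."""
    return [(apk, c) for apk in sorted(manifests) for c in secret_codes(manifests[apk])]

if __name__ == "__main__":
    for apk, code in scan(SAMPLES):
        print(apk, code)
```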

 

Since we couldn’t really do a whole lot through the device UI, any ideas we came up with to try to earn a badge required us to be more hands-on with the device than we were willing to risk with a friend’s phone. Disheartened, we quit for the night at around 2am.

When All Else Fails, Code Your Own Way

Friday was pretty busy for all of us, so we didn’t get much of a chance to play with the badge. We heard a lot of friends that had one asking about what version of Android the device was running, and wondering how to get to system settings and other apps. We also heard about an OTA update that NinjaTel was performing, and a lot of folks trying to guess whether or not they had received it. It occurred to us about halfway through the morning that writing a simple app to launch system settings – and showing which version of NinjaTel the device was running – could be useful to a number of folks. Since the ninja badge had a dialer app, this launcher could be called by registering our own Android secret code. Once things calmed down a bit, we sat down to do just that.

We wrote up a very simple app: just one activity, and a BroadcastReceiver (to catch the secret code when the dialer broadcasts it out). The activity had 3 buttons: one to bring up the system settings, one to launch Facebook, and one to launch Google Music. We set it up so that the app would launch when the user dialed *#*#303#*#* from the dialer app. Here’s what it looked like once it was running:

[Image: Mission Accomplished!]

We wanted to show the OTA version information on the screen as well, so we went up to the NinjaTel booth in the Vendor area, and showed them what we had, and asked where the version information was being stored. They told us, and then asked if we wanted a badge! Of course, we said yes – how could we not?

Now that we had one of our very own to play with, we could appreciate more the effort that went into creating the ninja badges. Among other things, the ninjas had created their own SIM cards:

Dump & Flash

One of the first things we did was dump the ROM, and make a Nandroid image. To do that, we needed to unlock the boot loader. We next installed clockworkmod by running the following:

fastboot flash recovery recovery-clockwork-5.8.4.5-primou.img

Once we had all that done, we flashed the Modaco ROM image (with HTC Sense) onto the device.

Props & Thanks

Serious kudos to the ninjas for going all out and making what is probably the coolest “badge” we’ve ever seen. The badge is so well done that people are still playing with it: one gentleman tweaked a stock ROM image to retain the NinjaTel branding, and the badge was used to prank a Radio Shack employee. To encourage the fun, the ninjas have begun posting the source code for their apps over at github. We’re glad we got a chance to play along this year.
