DefCon 24 HHV Reverse Engineering Challenge

PCB Front

Sadly, we were unable to attend DEF CON this year.

Fortunately, bunni and the folks over at KBEmbedded were nice enough to hook us up with a free Hardware Hacking Village Reverse Engineering Challenge board so we could partake in the pain and frustration remotely.

Here is an excerpt of relevant text from the document provided with the challenge kit:

DC24 Hardware Hacking Village Reverse Engineering Challenge

The goal of this challenge is to correctly reverse engineer the schematic, assemble the PCB (using deductions made
from RE'ing the schematic), and solve the puzzles to complete the challenge. When successfully assembled, the LED
will blink 4 times, pause, and repeat. Every time a puzzle is successfully completed, the LED will blink one less
time in its pattern. Once the LED is solidly lit up, the main challenge is complete. There are no further clues
about the operation of the device; finding the answers is up to you.

[...]

There are two tiers of entries for this contest. Tier one is only reverse engineering the schematic. The second
tier is reverse engineering the schematic and completing all of the main challenges to end up with the LED solidly
on.

A link to the kbembedded GitHub repo for the challenge was also provided.
(Originally, only the hex file for the firmware was available during the challenge but all of the design files and source now appear to be hosted here.)

The first part of the challenge is to reverse engineer the schematic for the PCB.

As an aside, Joe Grand (Kingpin) gave a great talk at DEF CON 22 about reverse engineering circuit boards.
The slides for this talk can be found here.
A full writeup of his research can be found here.

For reverse engineering this particular board let's start with the components.

There are a total of 9 separate components with a total of 30 pins.
Conveniently, there are 30 through-hole pads on the board.
(Suggestion for next year: Throw in some extra pads and/or components to really mess with folks.)

Here is a quick rundown of the components that came with the kit.

Components

Microcontroller

The main IC is a PIC12F1571

PIC12F1571 Closeup

Here is the pinout from the datasheet:

PIC12F1571 Pinout

It has an input voltage range of +2.3V to +5.5V DC which will probably be good to know later.

Resistors

The single resistor value measures ~99.5Ω on the multimeter.
The two identical resistors measure ~3.5KΩ.

If you don't have a multimeter, do have very good eyesight, or are a masochist, you could simply read the colored bands on the resistors.

Here is a convenient site to decode resistor values based upon their colored bands for the lazy.

The single resistor bands are: BROWN, BLACK, BROWN, GOLD, which indicates a 100Ω, ±5% value.
The two identical resistor bands are: ORANGE, GREEN, RED, GOLD, which indicates a 3.5KΩ, ±5% value.

LED

Perhaps the most reliable way to figure out what color of LED is to hook it up to a power supply set to 0V and slowly turn up the voltage.

It's also not a bad idea to toss a current limiting resistor in series and/or to limit the current output of your power supply.

If you happen to have jittery fingers, an overly-sensitive fine voltage control knob, or a cat brushes against your leg, it is not difficult to destroy an LED.
This is mentioned only because it is exactly what occurred...

There was a bright little flash of red light before things went dark and based upon the voltage of the power supply before the slip, the assumption is that the LED was red.

No point crying over toasted LEDs though; grab another from the box and move on.
Besides, this is a reverse engineering challenge and what fun would it be without some fire?

The forward voltage of a RED 5mm LED is typically around 1.8V with a forward current of around 20mA.

Let's assume it's something like a Kingbright WP710A10SRC/E.

The silkscreen in the bottom left corner on the front of the board reads 'CR2025', which is a 3V nominal coin cell battery.
(If the silkscreen is to be trusted.)

Assuming our input voltage was around 3.3V (which is quite common for microcontrollers) we can calculate the current limiting resistor required for this LED to be:

R = (VS - VF)/I

Where:

Inserting the above terms into the equation gives the required current limiting resistor value to be:

R = (3.3 - 1.8)/.02 = 75Ω

75Ω isn't a common resistor value and it is typical practice to round up to the nearest common value which in this case would be 82Ω.

It is also possible that a Lithium-Ion cell could be a good choice.
Lithium-Ion cells have a nominal voltage of 3.7V which is still within the tolerable voltage range of the microcontroller.

Plugging this value into the above equation yields:

R = (3.7 - 1.8)/.02 = 95Ω

Again, 95Ω is not a common resistor value but 100Ω is.
Fortuitously, we happen to have a 100Ω resistor which should also work just fine as a substitution for the 82Ω resistor we calculated for a 3.3V input.
It is virtually always safe (and often recommended due to the ±whatever% tolerance) to round up resistor values a bit for current limiting of LEDs.

It is possible that the LED which released the magic smoke was bidirectional.
(Bi-directional LEDs were used as a hack on the badges for the i-hacked party at a previous DefCon so it's not unheard of.)
Though somewhat unlikely, we may never know for certain.

These are popcorn parts so the part numbers are largely irrelevant.
(Though, 3.5KΩ through-hole resistors <1W are surprisingly difficult to come by for some reason.)

Capacitor

In capacitor labeling, a number such as 104 (which is what's printed on the cap supplied) typically indicates a value of 10, followed by four zeros expressed in picofarads (100,000 picofarads).

100,000 picofarads is 0.1μF (micro-farads)

If you happen to have a multimeter covered in cat fur (it really does help) capable of measuring farads you can save yourself some eye strain:

Capacitor

Based upon the value, BC logo marking, formed leads, lead spacing, availability, and market price, a best guess would be that it is a Vishay BC K104K10X7RF5UH5 50V ceramic capacitor or similar.

Pin Headers

Nothing particularly magical, nor mysterious about these components.
We have two 1X4 and one 2X2 .1" pitch male headers that presumable fit in the nice pin header holes on the PCB.

Part numbers are unlikely to matter but let's just assume bunni is cheap and that they are Amphenol FCI 68002-404HLF and
67997-404HLF respectively.

The only uncertainty about them is what they're all meant to connect to...

BOM

From the above we are able to take a stab at a BOM for this board.

DesignatorQuantityPart NumberValueDatasheet
Q11PIC12F1571-I/PPIC μControllerLink
R11Generic axial resistor100Ω
R2, 32Generic axial resistor3.5KΩ
C11K104K10X7RF5UH50.1μF ceramic capLink
D11WP710A10SRC/ELED, RedLink
P1, 2268002-404HLF1X4, .1” pitch male headerLink
P3167997-404HLF2X2, .1” pitch male headerLink

We can also now generate all of the schematic symbols we'll require.

Schematic Parts

PCB

The PCB is where things start to get really interesting.

The routing looks like it was done with either painstaking care by a human being designing it to be intentionally confusing or by any standard autorouter (because they all suck).

While it is possible that the PCB has more than two layers (stackup height is not a reliable measure of this), the general lack of all but a handful of vias which line up on both sides of the board tend to suggest against this.

As a note, it may seem a bit absurd to reverse engineer a circuit visually but in fact it's not at all unprecedented.
The Intel 4004 was reverse engineered from its masks and the MOS 6502 was painstakingly reverse engineered largely from die shots.

The back of the PCB is fairly easy to see under magnification:

PCB Back

Some quick and dirty work with the GIMP path tool makes it fairly easy to see the mess of traces:

PCB Back Highlight

Next we'll flip the highlighted back of the board image horizontally so it's easier to compare with the front of the board:

PCB Back Highlight Flip

Knowing where each trace starts and stops makes it fairly easy to draw a simplified version of the layout:

PCB Back Highlight Flip Simplified

We can then do the same with the front of the board which is a bit tricker due to the silkscreen and my inconsistent lighting:

PCB Front

It's really quite a bit easier to zoom in on one section of the board at a time:

PCB Front Zoom

Here's another shot with a really sloppy trace:
(May want to rethink your fab for next year bunni)

PCB Ugly Trace

Again, we can use the path tool to carefully highlight all of the traces in their own colors:

PCB Front Highlight

And simplify the crazy traces:

PCB Front Highlight Simplified

You may notice the blue trace in the above image.
The reality is that it turned out to be rather difficult to find a clean way to route this trace.
As it turns out, this happens to be quite fortuitous for reasons that will become clear momentarily.

Now for the magic.
We can blend both of the simplified images together to give us a fairly reasonable representation of the layout of the board:

PCB Highlight Simplified Merged

One fun thing to note from this image is that it appears as though the solder jumper labeled "Open Me" on the back side of the board is either entirely superfluous, as it is also shorted with a trace on the front side of the board, or perhaps the trace on the front is meant to be cut as well.
We'll certainly have to come back to that one soon...

That blue trace (the one that was hard to route cleanly from the front side of the board) is still kind of an eyesore.
What could it be connected to?

PCB Highlight Simplified Merged Extra Trace

As it turns out...absolutely nothing!
In fact, it appears to be just a handful of vias connect to one another with no connections to any other pins or traces.

We can easily eliminate them and simplify our layout even further:

PCB Highlight Simplified Merged Simplified

Now we've got somehting pretty reasonable to work with.

Orienteering

The next step is to figure out how all of the components fit onto the board.

Headers, resistors, and the capacitor (non-polarized in this case) can go in either direction so they're pretty straightforward.
We only have two components who's polarity matter in this case; the LED and the microcontroller.
Again, for the sake of the schematic the LED's orientation doesn't really matter to us.
Of course, it does in practice but hooking an LED up backwards generally won't hurt it as it is a diode after all.
(Assuming we don't exceed its reverse breakdown voltage.)

We already know from the PIC's datasheet (mentioned above) that PIN 1 (VDD) and PIN 8 (VSS) are positive and Ground voltage rails respectively.

PIC12F1571 Pinout

It is common practice to include a decoupling capacitor (often several) across the positive and Ground voltage rails of a microcontroller to smooth out high-frequency noise.

Following the traces from the capacitor symbol silkscreen on the PCB (assuming this is really where the capacitor goes) shows that indeed each of the leads connects to only one or two pins on the microcontroller which correspond nicely to what we would expect to be our positive and Ground pins:

Decoupling Capacitor

From this we can deduce that the most likely orientation for the microcontroller is as such:

PIC Orientation

Schematic

Well we've come all this way with the intention of drawing a schematic so let's get to it.

One quick thing to note is some terminology here; namely VDD, VCC, VSS, and VEE.

Simply put:

VDD = VCC = Positive supply voltage
VSS = VEE = Negative supply voltage or Ground

This confusing terminology goes back to the days of TTL ICs which were originally based upon BJT technology and CMOS ICs based upon FET technology.

VCC often referred to the voltage applied to BJT COLLECTORS
VEE to the voltage applied to BJT EMITTERS
VDD to FET DRAINS
VSS to FET SOURCES

Though often no longer the case, much of the archaic terminology has survived and is used interchangeable as noted above.

From the pinout in its datasheet, we know that PIN 1 of the microcontroller is VCC (or VDD if you prefer.)
Using our merged and simplified top and bottom layers as a reference, we can then highlight all of the traces (and subsequently pins) that ought to be contiguously connected to it.

PCB VCC

We can then use this information to draw the corresponding connections on our schematic diagram:

Schematic VCC

That's 8 pins down and only 22 left to go!

We can then repeat the process with the Ground (VSS) pin of the microcontroller.

We'll just keep drawing on top of our existing image so we can keep track of which pins we have left to connect:

PCB VSS

In this image we've drawn the traces we know must be connected to our assumed Ground pin in green. The blue traces correspond to those connected across the jumper labeled "Open Me" on the back side of the board and the solid trace running directly over it on the front side of the board.

For the time being, we'll go ahead and draw these blue connections on our schematic but we'll use wires instead of the Ground reference symbol used on the other pins to make it easier to see what they're connected to later.

Schematic Ground

There are also a number of traces on the board that simply connect one through-hole pad to another.

While drawn in the same color here, just to make things easier to visualize, it is important to note that the traces in this case are not connected to one another.

PCB Single Traces

We will then add these to our schematic as well.

Rather than drawing a tangle of wires we'll use signal labels to keep our schematic cleaner.
So far as the schematic editor is concerned, wires and signal labels are exactly the same thing and the labels are purely a human convenience.

Some schematic symbols have also been moved around a bit to fit better.
Again, it makes no difference where we physically place the symbols but it is common practice to group componenents based on type, function, or as part of sub-circuits together.

It is also generally good practice to spread schematic symbols out a bit as bunching things together can make schematics difficult to read.
This was not done very well here simply for the sake of fitting everything in nicely sized images for this site.

Schematic Single Traces

We'll then do the same with our penultimate set of traces:

PCB Penultimate

And create signals on the schematic for them as well:

Schematic Penultimate

We can then add the final set of connected traces to the layout:

PCB Complete

It is rather odd to see two microcontroller pins shorted to one-another, especially when neither of them are connected to power rails.
While there are instances, such as multiplexing LEDs, where this is done it is somewhat suspicious.
The safe bet is to simply assign each pin of the microcontroller its own signal label and then just short the signals.

We'll also simply assign each one of the header pins this trace is connected to a signal name based upon whichever is physically closest for the time being.
This may not be turn out to be correct in the long run but since we've shorted the two signals in the schematic anyway and we know for certain that they are physically connected it makes no difference other than to help visualize what might eventually go where.
The schematic is no more or less correct for assigning two separate signal names in this case.

As an aside, we could have had much less fun generating the above completed PCB routing diagram, skipping virtually all of the above steps, by simply numbering each pin and probing every possible combination of two pin pairs with the continuity function of a multimeter to generate a table of connected pins like such:

We could have then used this table to draw the connections between the pins.
Of course, we may never have discovered the wholly useless set of traces looping back on themselves, nor the apparent extra short on the top side of the "Open Me" jumper, and we most certainly wouldn't have appreciated all of the hard work bunni put in to intentionally try to confuse us.

In either case, we can use the above diagram to finally complete our schematic:

Schematic Complete

Hooray!

© 2016 Noctivore