DEFCON 24 Badge Challenge WikiaEdit

A public wiki space for DEFCON 24 1o57 Badge Challenge. We're a few people who cannot attend DEFCON but still wanna participate in the badge challenge. We already have a few people that are going to setup a table in the 1o57 at DEFCON. Feel free to come by, contribute, and collaborate with the community.

Restored Edit

Hey all, someone took over the account and shut the wiki down. I've reset the account and restored the wiki. Sorry for the inconvenience it may have caused.

KeyCards Edit

Special DEFCON key cards are at both hotels, others have gotten different key cards from their hotels, too. It appears that 6 different hotels in the area, somehow associated with con, are giving out their own card versions.

There is no puzzle on the key cards related to the badge challenge.

20160803 210056

Egg of Mantumbi Edit

The Egg of Mantumbi is a red herring and not related to DEFCON 24 badge challenge.

Back of Badge Edit

Back of Badge writing: HINT: Not a ROT cipher. Nonpareil means "having no equal". bimil is secret in Korean

nonpareil bimil: Icnwc lsrbcx kc ntr-yudnv ifz xdgm yduxnw yc iisto-eypzk.

Badges Edit

10000100001 = 1057 in decimal   
{SIGMA}A120215  -> (see below)
Human Badge: 010625110310031312 = AFYKCJCML -> Rot 2 -> CHAMELEON
Speaker Badge: Rot 2 -> STEEL
Goon Badge: 032203011918071312 -> EXECUTION
Vendor Badge: 110712072518191603  -> MINIATURE
Artist: 02191718 -> DUST  <-- doesnt resolve!?!
Press: 11191803 -> MUTE
Black Badge: ???
CFP: 050707 -> EGG
Other1 :

The back of the badges are all names of Twighlight Zone episodes.

Pages seem to be hinting at

Lanyards Edit

Numbers in order

Rotary Phone 00100y 00000y 10010y 10010y 01010y 10001y 00110y 00011y 01000y 10011y 01011y 01111y 01111y 01011y 10000y 01011y 01100y 00110y 01110y 01000y 01000y 01001y 01001y 01000y 00100y

Lanyard order:

Rotary. Smiley, Disk, Key (in the order of DEFCON badge) - NOTE: 1o57 suggested there were more than 4 different lanyards! (there's one more special one, noob)

Rotary Edit

00100y 00000y 10010y 10001y 00110y 00011y 01000y 10011y 01011y 01111y 01011y 10000y 01011y 00110y 01110y 01000y 01001y 01011y 01000y 00100y rotary above appears to be more credible

might be Baudot code

Might also be TTY

- Might be Single Track Gray Code for 30 Positions (Scroll way down on the Wikipedia page linked above)

- 5-bit Gray Code in graphical format

-- 10-bit Gray Code in graphical format Notice how it is very similar to the graphic on the podium behind the podium

Might also be Bacon's Cipher (used in steganography) cleartext

Smiley Edit

0314 1624 2612 1502 1110 2207 2119 2209 1817 0213 1801 2522 0408 0205 2308 2006 = cnpxzlobkjvgusvirqbmrayvdhbewhtf (using

Decrypted: pack my box with five dozen liquor jugs

Disk Edit

0721 1819 2209 1815 0211 2201 2010 2213 1405 1706 2308 2603 0408 2216 2425 12 = gursvirobkvatjvmneqfwhzcdhvpxyl (using

Decrypted: the five boxing wizards jump quickly 

Key Edit

1806 0211 1815 0824 1823 2217 0209 0305 1806 0408 2118 0207 0616 1722 1810 1219 2025 2201 1413 1426

Decrypted: amazingly few discotheques provide jukeboxes  

"double jolly roger"(noob) Edit

00x x10 x01 00x 01x x01 01x 10x 10x x10 00x 01x x01 01x 10x 00x 10x 00x x00 x01 00x 00x x01 x00 00x 

TODO - fill in encryption here

These are all pangrams (uses at least every letter of alphabet).

import string



for row in rows: 




Regarding: {SIGMA}A120215

Taking 120215 and searching gives: Since there is a Sigma, add all of the values of the sequence up to get 247545. 247545 is a subdirectory: View source on this page gives: "4SIkCVurNBs" Searching for "4SIkCVurNBs" gives a Youtube link:

The page at shows a gif from Key and Peele's sketch show, and an image pointing to the "index" finger. Changing the url to /247545/index.* (anything other than .html) reveals another webpage the 404 page (as expected). The error page has a title of "%110010100" which is 404 in binary, an image of Gene Wilder as Willy Wonka, and a poem.

In the page source is found: "! --" (…and then in the HTML there is a clue to a youtube video:) "!--" "ENZUiHgtRuc" (titled "MATT BERRY GHOSTS") Then the string "Watching are you? " repeats 400 times (line 55 to 455) with no close > ) Watching are you? Watching are you? Watching are you? Watching are you? Watching are you? (etc.)

The count of 'Watching are you' seem to form a rolling key for something?

Update to the alert: I just re-read the page source at, and now there are many more lines of "Watching are you? " appended after the  origional 400 (55 to 455) that I found at 4:50PM Thursday.

When I looked at the amount of repetitions on Thursday afternoon, it was 403 repetitions, not 400. Are you positive it was exactly 400? 403 corresponds to an auth error and the reptitions were preceeded by a string of characters (403 - Status forbidden)

As of 9:17PM - 4-Aug-2016 there are 12 more "Watching are you? " appended.

As of 11:16PM - 4-Aug-2016, there are 55-471 "Watching are you?" a

I think it increments another line of "Watching are you? " based on the viewing of the linked video! By inference: Perhaps every time "Love Is A Many-Splendored Thing (1955)" is watched some other page is updated?

The most prevelant part of the video was the word Ghosts, and as it turns out is the next page

Searching Warthog9 leads to a github page that was last updated 17 days ago:

A comment added to the minnow-max-extras says:

# Also noting this LED is going to act "backwards" to likely what you are expecting

# as a value of 1 will be off and a value of 0 will be on, as the LED has a not-gate

# involved in it to help it match the original functionality of the LED

PDF of the DEFCON24 Program: Edit

Outputs Edit

UART pin outs (see bottom of the image) :

"[The badge] is running at 115200baud thanks to @kon_1" -

^[2JDEFCON BIOS - DC24 (C) 2016
CPU : Intel(R) D2000 MCU running @ 32MHz
Checking Memory...

Sorry, DEFCON is cancelled.
Pushing the buttons will do... Things...

Searching for the meaning of life....

(C) 2016 - 4647-4845-5150-206b-7520-6571-6f72-6e67-7667-6e61-2070-7176-2065
Presented by Dark Tangent
Badges by 1o57 & Warthog9

(please assume typos or incorrect transcribing)

"The hex string, rotated 24 places.... DEFCON is completely not cancelled" -

Executing Konami cheat displays the following:

Konami Code unlocked!

Aqw ogcp K ecp'v ycnm vjqwij vjg ecukqp ykvj c hcmg dcfig?

The hex string, ROT24, decodes to "You mean I can't walk though the casion with a fake badge?"

It appears that there is a secure mechanism that initiates the LED lights on the badge to ensure that it's not a fake. Is the badge rigging an antenna?

Other messages:

Uqog hqnmu vjkpm vjg gngxcvqt qpna iqgu fqyp
Some folks think the elevator only goes down


Seems to be referencing Deviant. He was in the 1o57 room earlier talking to some challenge people.... Need to find him for the rest of the clue?

Uqhvyctg Gpikpggtkpi okijv dg uekgpeg; dwv vjcv’u pqv yjcv K fq. K’o c jcemgt, pqv cp gpikpggt. - Lcokg Bcykpumk
Software Engineering might be science; but that’s not what I do. I’m a hacker, not an engineer. - Jamie Zawinski
Aqw ogcp K ecp’v ycnm vjqwij vjg ecukpq ykvj c hcmg dcfig?
You mean I can’t walk though the casino with a fake badge?
NRtkguv: ”Pqy vjcv dtkpiu c yjqng pgy ogcpkpi vq ’Jqpgarqv’”
Priest: ”Now that brings a whole new meaning to ’Honeypot’”
Nqqm, jcemgtu!
Look, hackers!
Nkxg fgoqu pgxgt yqtm, fqwdna uq cv FGHEQP
Live demos never work, doubly so at DEFCON!
Ctg aqw uwtg vjku dcfig kup’v urakpi qp aqw?
Are you sure this badge isn’t spying on you?
Nqqm c hgf!
Look a fed!
”K fqp’v mpqy yjgtg K’o iqkpi htqo jgtg, dwv K rtqokug kv yqp’v dg dqtkpi.” -Fcxkf Dqykg
”I don’t know where I’m going from here, but I promise it won’t be boring.” -David Bowie

Possible debug messages:

Period is too darned short
Duty was negative, resetting to 0
Duty was more than constant, resetting to constant

DefCon CD Edit

The DefCon 24 CD contains a folder in the Extras directory named 1o57. This directory contains 2 files, Origin-Story.txt, and a 2.7MB password-protected rar file 1o57.rar.

File are available at:

Origin Story

As a starting point for working through the origin story, there is a specific reference to 1,001,111,010 seconds. This binary string converts to decimal 634. 634 seconds divided by 60 (for minutes) = 10.56666 repeating, or 10.57 rounded up, or 1o57.

Hardware Edit Edit

Intel(R) MCU info:

Image of the Intel(R) D2000 schematic is here:

PDF of the Quark_Microcontroller_Developer_Kit_D2000 is here:

At the bottom of the Badge under the Battery there are 8 connection Vias - In the reference schematic and PDF above an FT232H USB UART chip. Note the D2000 "connects" via 8 conductors: Ground, Power, Reset, and the F19-F24 UART/JTAG signals. One could hack a FT232H  based USB to Serial dongle to these 8 vias, and I surmise that this bus was how the Badges were factory programed (JTAG mode) with the BIOS.

Pinout of the 8 connections, from the front, from the left:

1. VCC
2. F20_UART_B_TXD_TRST_N (13 on D2000)
3. F21_UART_B_RXD_TCK (14 on D2000)
4. F22_UART_B_RTS_DE_TMS (15 on D2000)
5. F23_UART_B_CTS_RE_TDI (16 on D2000)
6. F19_PWM0_TDO (18 on D2000)
7. F24_PWM1 (21 on D2000)
8. GND

Also at the bottom of the Badge: There is a SOT-23 Transistor (Q1), and an 0402 Resistor (R3) that connect to the adjacent Blue LED. See bottom of page 7 of the PDF schematic for the connections to Q1 and R3.  The SOT-23 marking code on Q1 is "J1" followed by a datecode of a sideways "N".  This marking code matches MfrPart # BSS138LT3G from the D2000's BOM.  Marking code of "J1" is verified on page 1 of datasheet here: . Furthermore R3 connects accross pins 1 (gate), and 2 (source).  The function of Q1 is to invert an input, to drive an LED.  See Warthog9's Github note: "…to help it match the original functionality of the LED." Match it to functionality to the $15 D2000 DevBoard that dozens are going to be running the Badge's BIOS code on today & tomorrow (it has the JTAG USB UART builtin!) and that sure is easier than soldering on a dongle UART. 

Maths puzzles (booklet page 4) Edit

(Note: may not be related to the badge challenge)

During his DC101 talk, 1o57 mentioned using Wolfram Alpha to solve the equations on page 4 of the booklet, and also hinted "Reverse Polish Notation".

It was also implied that maybe once in reverse polish notation that the polish notation might have nothing to do with the code. E.g. the converted codes might transcode to some string rather than being solvable..(some online calcs indicated some were nonsense)


"Nonpareil" (from badges above) also happens to be the name of an HP RPN emulator answers from at least one calculator ROM that has the necessary operations differ significantly from local infix calculations.

Other Resources Edit

DEFCON 24 Video:

DEFCON 24 Program:

The program contains this binary string on page 19: 01000010010001010100010101000110001000000101010001001000010010010100010101000110

Which equates to "BEEF THIEF"

From Urban Dictionary, Beef Thief is "a man who wears pants that are too tight".

It is also a meme from Defcon Hacker Jeopardy! The origin is that there was a sign in the game that was supposed to read "BEER THIEF", but it was misspelled; and the audience liked the alternative spelling so much, it became a running joke. The Hacker J! referee often leads the chant.



Random Edit

via google content list :