BSides Adelaide 2025 Hardware Badge Writeup
Overview
Taking a break from the security research, I recently attended the BSides Adelaide conference and obtained a hardware badge full of challenges, this post is a write up of the various challenges and how they were solved.
Updates: It appears my methods for several challenges worked because the words ZERO and ONE both produce a pattern as a byproduct of the words length, the correct methods were added at the end of each section but my methods were left as-is to show the problem solving approach I took
How do the badge challenges work?
This badge consists of 3 key components on first inspection
- 7x small LEDs
- To be soldered at hardware village
- 1x RGB LED
- Closer inspection reveals this LED only has two pins (eg. DC input)
- Pattern is likely random and unrelated to challenges, logic is likely inside LED itself
- 3x push buttons
- 1x Labelled
CTF - 2x Labelled
1or0
- 1x Labelled
From the badges website we can find further instructions on how to use the badge and what to look for in each challenge
BSides Adelaide’s second conference badge with a CTF and onboard keys to play.
Turn on the slide switch to see the sneak preview for 3 seconds. Solve fun crypto challenges and earn your bragging rights with your badge glowing maximum LEDs.
To play the CTF, simply press the CTF key then type the flag in binary using switches 1 and 0.
Each challenge results in a binary flag. The badge registers and unlocks the challenge LEDs instantly after pressing the correct binary flag. Challenges can be solved in any order.
To reset the CTF progress, press and hold 1 and 0 keys at the same time for a few seconds.
Mysteries encountered - if any - can be exploited via 1010101010.
In short we are looking for 10 bit binary values, which can be entered with either 1 or 0 buttons after pressing the CTF button, if the binary was correct the LED corresponding to the challenge should light up.
Challenge A - Vocal Processor Unit: CARKED IT!
FALKEN was meant to chuck out beaut one-liners like “Dig’s done, ya legend!” but nah - he’s gone full galah. Now he’s spittin’ out old-school telly ads from the 90s… backwards. Every time he opens his gob, he kicks off impromptu karaoke, crankin’ out disco bangers about firmware like he’s on Australia’s Got Malfunctions.
Status: “Oi! Now with BONUS steak knives?!”
Error Code: —– .—- .—- .—- .—- / .—- —– .—- —– .—-
Looking at the “Error Code:” we can see what looks like a pattern consisting of dashes and dots, which rings bell of “Morse Code” so lets give that a shot using an online translator
This quickly confirms the theory as it neatly translates into 01111 10101 and to confirm once entered into the badge we can see the A LED light up
Challenge B - Memory Bank Omega: STUCK IN A BLOODY SPIN
FALKEN’s Memory Bank Omega was where he kept all his top-shelf brain bits - y’know, important stuff like “Don’t stack it into rocks” and “Oi, remember the good worms.” But now the poor tin can’s caught in an eternal defrag loop, like a tradie lookin’ for his smoko break that never comes. Every time it tries to sort itself out, it forgets what it was even doin’. Real headless chook behaviour.
Status: “Sortin’ food… wait, where’s bloody food?!”
Error Code: babbb aabaa baaaa abbab babbb aabaa baaaa abbab abbab abbaa aabaa babbb aabaa baaaa abbab babbb aabaa baaaa abbab abbab abbaa aabaa abbab abbaa aabaa babbb aabaa baaaa abbab abbab abbaa aabaa abbab abbaa aabaa
Once again it looks like the “Error Code” is where we can expect the challenge to be, in this one we find a long string consisting of 35x five character sections separated by a space.
We also notice only two characters are in use a and b which could be swapped for 1 or 0 for a potential binary answer, applying this logic we get two versions to test
b = 0, a = 1
01000 11011 01111 10010 01000 11011 01111 10010 10010 10011 11011 01000 11011 01111 10010 01000 11011 01111 10010 10010 10011 11011 10010 10011 11011 01000 11011 01111 10010 10010 10011 11011 10010 10011 11011
b = 1, a = 0
10111 00100 10000 01101 10111 00100 10000 01101 01101 01100 00100 10111 00100 10000 01101 10111 00100 10000 01101 01101 01100 00100 01101 01100 00100 10111 00100 10000 01101 01101 01100 00100 01101 01100 00100
Using a quick tool such as CyberChef with the “b = 0, a = 1” version, we discover that CyberChef has “Auto Magic” found this is a Bacon Cipher which decodes into the string ZEROZEROONEZEROZEROONEONEZEROONEONE which when turned into digits is our 10 bit binary answer
00100 11011
Entering this into our badge we confirm success as the B LED lights up
Challenge C - Optic Sensor Array: SEEN TOO MUCH, COBBA
FALKEN was built to suss out dirt ‘n’ tree roots, right? But nah, now his peepers are pickin’ up heat from people’s deep thoughts and bloody radio stations from who-knows-where. Bloke just stares off into the void muttering, “The code… it’s alive…” like he’s seen the bottom of a goon sack and found enlightenment.
Status: “Mate… I’ve seen things. Codey-lookin’ things.”
Error Code: Codey-Lookin-Things
This time the Error Code is a link to a picture…
In the image we can observe some glyph like characters, my first thought was to extract if the glyph had a solid dot in the center or not, but this turned out to be a dead end, following that we can start to look for patterns in the characters.
For this walk through we will convert the glpyhs into normal characters
| Glyph | Character |
|---|---|
 |
A |
 |
B |
 |
C |
 |
D |
 |
E |
With this conversion we end up with the string
ABCDDEBABCDDEBABCD
DEBABCDDEBCEBABCD..
In this string we start to notice patterns as each line ends with ABCD so lets look for reoccurring strings of characters
ABCD | DEB | ABCD | DEB | ABCD
DEB | ABCD | DEB | DEB | ABCD
We now have 10 sections, which could become 10 bits? If we assign 0 to the ABCD sections and 1 to the DEB sections, we get the following binary
0 | 1 | 0 | 1 | 0
1 | 0 | 1 | 1 | 0
Entering 01010 10110 into the badge we confirm this and find the C LED light up
Update: Turns out this is not the correct solution and instead using the Pigpen cipher it decodes directly using the key - Thanks Dirk!
Challenge D - Temperature Regulation Node: OVERCOMPENSATING
Designed to maintain optimal internal conditions, the node now fluctuated between “Arctic Tundra” and “Volcanic Spa” every 45 seconds. Steam vents hissed while icicles formed on Wally’s chassis, which only added dramatic flair to his existential burrowing meltdown.
Status: “Am I hot? Am I cold? What even is thermal neutrality?”
Error Code: mrebmrebmrebbarbar mrebbarmrebbarbar
Coming from the previous challenge, its hard to not apply the same pattern logic, we can see bar is at the end of both strings, lets try to break it up with that pattern
mrebmrebmreb | bar | bar mreb | bar | mreb | bar | bar
It would appear that mreb is also another pattern, so continuing to break it up we get
mreb | mreb | mreb | bar | bar | mreb | bar | mreb | bar | bar
Assigning 1 to mreb and 0 to bar we get 0 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 1 | 1
Entering 00011 01011 into the badge we confirm the solution and see the D LED light up
Update: Turns out this is not the correct solution and instead a simple ROT13 is the answer which can be achieved via CyberChef - Thanks Kudostring!
Challenge E - Servo Cluster : ENGAGED IN EXPRESSIVE KINETICS
The back-left paw servo, in a baffling act of mechanical rebellion, has forsaken all known burrowing subroutines in favor of interpretive movement. It pirouettes with intent. It tap-dances with soul. Occasionally, it attempts a moonwalk with questionable traction. Tunnel progress? None. Hidden deep in its motion subroutines, engineers discovered a cryptic sequence labeled “br41n”-believed to be some kind of secret recipe, or perhaps just a jazz step.
Status: “Burrow to the beat.”
Error Code: ++++++++++[>+>+++>+++++++>++++++++++««-]»++++++++++++++++++….+.—————–.+++++++++++++++++….-.
This challenge had me for a moment as I could not identify any patterns, but with modern technology we can simply consult good ol’ ChatGPT to see if it has any clues…
Sure! That string is Brainfuck, a minimalistic esoteric programming language. Let’s break down what it does and find what output it produces — likely this output will help us derive the 10 binary bits answer you’re seeking.
Amazing! Unfortuantley ChatGPT struggled decode program into a working binary solution, but with a possible language at hand lets try a dedicated tool for the task.
This tool quickly produces a binary response, and entering this into the badge we confirm the solution as the E LED lights up
Challenge F & G - Navigation GyroSphere: SPINNING INFINITY
Designed to guide seamless subterranean turns, the Navigation GyroSphere has instead embraced a meditative state of constant rotation-affectionately dubbed “perma-spin” by the engineering team. Wally now spins in place with unwavering commitment, occasionally consulting passing squirrels for navigational wisdom. An intern was last seen flipping through the original blueprints, whispering, “Was this… always supposed to happen?”
Status: “Existentially unmoored. Elegantly dizzy.”
Error Code: Wombat Blueprints
This challenge we are given a link to a zip file, upon downloading and reviewing the contents we discover it appears to be the PCB design files for the badge with gerber related files.
Using a free online viewer we can upload the ZIP file to see the design, which reveals some text not seen on the badge itself
Stripping away the layers to only leave the yellow and blue layers, we can get a better view
As the text is reversed, lets flip the image and get a better look at the text
At first look we notice the blue text appears to contain a incomplete binary with only 8 of the 10 bits set, leaving 4 potential combinations left, so lets try brute forcing the code starting with 11000 11100…. which after entering in the badge we confirm this is the answer for challenge G as its LED lights up
Onto the last challenge, extracting the yellow text (eecy drwo zxi bse kovb eecy saj oyo drwo zxi) we can see what appears to be another pattern with 10 sections separated by spaces so should be a direct answer
Looking past the characters themselves we notice that each section is either 3 or 4 characters long, so we have 2 distinct values now, lets assign 0 to the 3 character sections, and 1 to the 4 character sections
00110 01101
Entering this we confirm the solution as the final LED for F lights up… or is it the final LED….
Update: Turns out this is not the correct solution and is actually a Vigenere cipher with our lovely wombat’s name as the key (falken) the key could also be brute forced as we can assume the words ZERO and ONE may be present based on previous challenged - Thanks uǝɹʍ!
Secret Challenge
When we look at the back of the badge, we notice a potentially unpopulated LED at D9 in the top left, in addition to being unpopulated we can observe the traces for those pads are connected to anything…
Generally a LED is connected with a resistor to avoid burn out, observing other sections of the board we notice the resistor at R11 goes to a pad thats not connected to anything…
What if we attach the pad from R11 to the + pad for D9, and connect the - pad to a near by ground pad?
Attaching these jump wires, the LED blinks when the badge is turned on but stays off afterwards…
Recalling to the original instructions, they provided another binary code we could enter
Mysteries encountered - if any - can be exploited via 1010101010.
Entering this code the LED begins to give a morse code looking response, to make it easier to visualise I used a logic analyser to capture the code
