I saw a post about the Aerospace Village DC29 badge on Twitter and decided to get one to play with, since the DC28 badge was so awesome. It's pretty clear that there are some secrets to unravel here, so I'm making this post to share my findings.
SPOILER WARNING: If you want to explore the badge yourself without my help, stop reading now!
First, let's have a look at the front and back sides and identify some interesting things.
I've annotated the image above to identify the interesting things, ignoring some obvious stuff like the batteries and power switch. It's a little hard to read the chip identification, but I see an ATMEGA88P in 32-QFP packaging [1]. If the label is to be trusted, [2] is probably an in-system programming header (which we may be able to use to extract the firmware) and [3] looks like a UART. There's also a 6-pin header labelled SA01.69, and I have no idea what that means yet. On the lower right of the back of the badge, there's also the writing "Have you connected MFDs?". I suspect in this context MFD means multi-function display.
The back of the badge also has a QR code, which contains the following URL: https://aerospacevillage.org/qr-test/, which displays a message about some password-protected content:
Over on the front of the badge we have some really cool art, which happens to contain 6 MFDs that are conspicuously made from solder pads. I've also annotated some blue LEDs [7] which are illuminated in the picture on the aerospace village website, but not on my badge. I'm guessing this is something that needs to be unlocked by interacting with the badge.
The UART
The UART on the back of the badge seemed like a good place to start, so I soldered some leads to it so that I could connect it to an oscilloscope (and maybe later to a connector of some sort). I connected the ground and tx leads from the UART to my oscilloscope and turned the badge on, and it seems like there's some data there.
Adjusting the time scale a bit, it looks like the symbol time is about 100 µs, which is really close to 104 µs, which corresponds to a baud rate of 9600. The peak-to-peak voltage is around 5 VDC, which is TTL-level signalling, not RS-232. I don't think I have a USB serial adaptor that does TTL-level signalling, so I'll connect this UART to a UART on an Arduino Uno and see what it looks like.
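The symbol-time reasoning above can be checked in software. The following is an added example, not part of the original post: it estimates the baud rate from the shortest pulse in a trace and decodes the 8N1 frames. The trace is constructed by `encode_edges` rather than taken from the badge, and all function names are hypothetical.

```python
STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)

def encode_edges(data, bit_us=104.0, start_us=1000.0):
    """Build a constructed 8N1 trace: a list of (time_us, new_level) transitions."""
    edges, t, level = [], start_us, 1              # the line idles high
    for byte in data:
        # start bit, eight data bits LSB first, stop bit
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for b in frame:
            if b != level:
                edges.append((t, b))
                level = b
            t += bit_us
        t += 3 * bit_us                            # idle gap between characters
    return edges

def estimate_baud(edges):
    """The shortest pulse on the line is one symbol; snap 1/T to a standard rate."""
    bit_us = min(b[0] - a[0] for a, b in zip(edges, edges[1:]))
    return min(STANDARD_BAUDS, key=lambda rate: abs(rate - 1e6 / bit_us))

def level_at(edges, t):
    """Line level at time t (high before the first transition)."""
    level = 1
    for ts, lv in edges:
        if ts > t:
            break
        level = lv
    return level

def decode_8n1(edges, baud):
    """Sample each frame mid-bit, starting from the falling edge of its start bit."""
    bit, out, busy_until = 1e6 / baud, bytearray(), 0.0
    for ts, lv in edges:
        if lv != 0 or ts < busy_until:
            continue                               # not a start bit
        byte = sum(level_at(edges, ts + (1.5 + k) * bit) << k for k in range(8))
        if level_at(edges, ts + 9.5 * bit) == 1:   # stop bit must be high
            out.append(byte)
        busy_until = ts + 9.5 * bit
    return bytes(out)

TRACE = encode_edges(b"KASV")                      # constructed capture, 104 us per bit

if __name__ == "__main__":
    baud = estimate_baud(TRACE)
    print(baud, decode_8n1(TRACE, baud))
```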
I wrote a really simple Arduino sketch that forwards data from the USB/serial port to a soft serial port on pins 2/3, so that I can interact with the badge UART.
#include <SoftwareSerial.h>

SoftwareSerial badge(2, 3); // rx, tx pins

void setup() {
  Serial.begin(9600);   // USB serial to the PC
  while (!Serial) { ; } // wait for the port to open
  badge.begin(9600);    // soft serial to the badge UART
}

void loop() {
  // badge -> PC
  if (badge.available()) {
    Serial.write(badge.read());
  }
  // PC -> badge
  if (Serial.available()) {
    badge.write(Serial.read());
  }
}
When I connected the badge to the Uno and turned it on, I saw this in the serial monitor:
Welcome to the Aerospace Village Airport (KASV)
Select from an available option to learn more:
1. Airport Information
2. Aerospace Village Information
3. View current PIREPS
4. About the Badge
Enter the desired menu number
Here are the responses that I see from the various menu selections:
1. Airport Information
Airport Information
KASV
Airport use: Open to the public
Elevation: 203 ft
Time Zone: UTC -7 (UTC -8 during Standard Time)
RWY: 29/11
ATIS: 125.85
GND: 121.9
TWR: 119.35
DEFCON Approach: 120.45
Press ENTER to return to main menu
2. Aerospace Village Information
Aerospace Village Information
Build, inspire, and promote an inclusive community of next-generation aerospace cybersecurity expertise and leaders.
To learn more about the community, be sure to check out: aerospacevillage.org
Press ENTER to return to main menu
3. View current PIREPS
Current PIREPS
05 AUG 2021 0430Z: Pilot reported an "unidentified flying object" in the distance while on short final to RWY29.
05 AUG 2021 0435Z: Police reports of strange blue lights to the WNW of the airfield.
To report a PIREP please send an email to pirep@aerospacevillage.org with the subject line: "KASV PIREP"
Press ENTER to return to main menu
4. About the Badge
About the Badge
Designed by @cybertestpilot, github.com/daneallen/avBadge_2021
Artwork by Dan Ropp - flysurreal.com
Have you connected the MFDs in varying combinations?
Do you know what "Lost Comms" would look like from the control tower?
Are you familiar with Pilot Controlled Lighting?
Let us know what you think of the Badge!
Press ENTER to return to main menu
I mentioned before that the MFDs in the art on the front of the badge are done with solder pads, so I'm guessing that the message about connecting the MFDs in varying combinations should be interpreted literally.
MFDs
I numbered the MFD/solder pads on the front of the badge in the third picture in this post. Taking the advice from the About the Badge output, I measured the potential between each pad and ground with a multimeter and found the following:
1: 4.57 V
2: 0 V
3: 0 V
4: 0 V
5: 0 V
6: 4.57 V
The output above also mentions Pilot Controlled Lighting. If I understand correctly, this is a system that allows a pilot to control airfield lighting via radio. Using a jumper wire I played around with connecting the pads on the front of the badge and discovered that connecting either pad 1 or 6 to pad 3 toggles through four different runway lighting levels: off, low, medium, and high. I also discovered that if you connect pad 1 or 6 to pad 1 for about 3 seconds, a blue UFO will light up at the end of the runway. So cool! Interestingly, the runway lighting and UFO lighting settings seem to persist when you turn the badge off and on again.
Firmware
I soldered pins to the ISP connector onboard and was able to extract the ATMEGA88P firmware using a USB ASP v3 and a program called avrdude. The command below extracts the firmware and saves it to a file in Intel hex format.
sudo avrdude -c usbasp -p m88p -P usb -F -U flash:r:badge.hex:i
I'm still working on getting Ghidra to make something interesting of the program, but in the meantime I noticed the interesting string "Do you believe?" followed by what looks like ASCII art in the source. This string appears near the output that I pasted above, but it's not actually sent over the UART, so I'm guessing I have to do something to activate it.
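One way to look for strings like this in an Intel HEX dump without a disassembler, as an added example that is not part of the original post: it parses the records, verifies each checksum, and lists printable ASCII runs with their byte addresses. The sample records and the 0x0F00 address are constructed, and the function names are hypothetical.

```python
import re

def make_record(addr, data, rtype=0):
    """Encode one Intel HEX record (used only to build the constructed sample)."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def parse_ihex(text):
    """Return {byte_address: value}, rejecting any record whose checksum is wrong."""
    mem, base = {}, 0
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"record {n}: missing ':' start code")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"record {n}: length field does not match")
        if sum(rec) & 0xFF:                     # all bytes must sum to 0 mod 256
            raise ValueError(f"record {n}: bad checksum")
        addr, rtype, data = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00:                       # data
            mem.update((base + addr + i, b) for i, b in enumerate(data))
        elif rtype == 0x01:                     # end of file
            break
        elif rtype == 0x02:                     # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
    return mem

def find_strings(mem, min_len=6):
    """List (address, text) for printable-ASCII runs; gaps read as erased flash (0xFF)."""
    lo, hi = min(mem), max(mem)
    image = bytes(mem.get(a, 0xFF) for a in range(lo, hi + 1))
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(lo + m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]

# Constructed sample: a few non-text bytes, then the string the post mentions.
# The 0x0F00 address is made up for illustration.
SAMPLE = "\n".join([
    make_record(0x0000, bytes.fromhex("0C94340000000000")),
    make_record(0x0F00, b"Do you believe?\x00"),
    make_record(0x0000, b"", rtype=1),
])

if __name__ == "__main__":
    for address, text in find_strings(parse_ihex(SAMPLE)):
        print(f"0x{address:04X}  {text}")
```

To run it against the real dump, pass the contents of badge.hex to `parse_ihex` instead of `SAMPLE`.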
I'll update this post as I learn more!