DISC2021 Badge - Part 1

12 Mar 2026

The DISC2021 badge is an intricate, high-quality, premium badge by the Tymkrs (pronounced “toymakers”) badgemaker duo. It’s definitely one of the top badges of my collection.

Their Reddit sub already has a nice post that goes into the construction of the badge and its design in great depth. Looking at the stats and counting the part types in the pictures it appears 775 total were made. Though a lot is shared about the style and design of the badge, there isn’t much public info on the processor or the code written for it. Unless I’ve missed it, the tymkrs don’t seem to be in a habit of open sourcing their badges. That’s fine, they’re still one of my favorite badge teams. Several more of their creations are in the queue or not quite ready for a Part 1 post. Besides, dumping the flash is on the roadmap for many of these badges. TBD.

Now DISC is the Dragos ICS/OT security conference, which is Industrial and Operational technologies. Instead of the traditional IT mindset of a typical security conference, the ICS/OT folks have a whole different set of priorities. Their focus is on availability of resources and continuous operation above the usual priority of just keeping attackers out and patching ASAP. It can be frustrating to an IT person, the concept of leaving something in a known vulnerable state instead of immediately patching. However, taking down an industrial system can shut down the entire operation, which could take hours or days to restart. And nobody wants the power or water or gas to shut off, even for a minute. Changes to the software stack or network design require very careful planning.

This is all stuff I learned at BSides ICS which was last in Miami early 2026, and announced to be at Tampa in early 2027. If you’re a badge nut, consider looking into OT, they definitely need more people, and have been putting out the trainings and working hard on getting the next generation of ICS/OT security professionals ready to go.

Getting this badge fully unlocked required a bit of sleuthing. Originally at the conference, the idea was that each of the four industries highlighted on the badge had a secret code hidden somewhere in their area. Now that it’s long over, there’s not much to go on. But let me walk you through what I found.

Googling won’t find a lot, this conference is archived on X. Remember when the Internet was an open platform?

Walking through the #disc2021 posts here’s what we find.

  1. The crank and USB serial connection are two different ways to enter the same codes.
  2. This is a Geneva drive and limits the gear to 8 specific positions.
  3. A freebie code of 7313 is provided.
  4. Line up the cogs on the crank and spin it in.
  5. Or in the serial connection use the format A7B3C1D3 for the same code.
  6. 3 utilities show as red when OFF, but electrical is GREEN when off.
  7. There’s a few hidden commands and a debug mode.
  8. There’s a post-con demo display mode.
  9. Electrical Utility is first to activate.
  10. The codes spell something.

At first my crank wouldn’t turn and felt really jammed, slightly loosening one of the bolts holding it down got it moving. It probably got bumped, and alignment had it pinched. I hadn’t read all the tweets at that point and decided to focus on the serial connection.

The Intro screen

The scenario is that 4 industries are OFFLINE and an operator needs to turn them back on by entering a manual activation sequence. This is designed to mimic real world situations where a PLC will have a precondition required to activate. All four industries are in AUTOMATIC start mode, and for whatever reason cannot turn themselves back on without manual intervention, somewhere in the line there’s a fault. Imagine a complicated system with hundreds or thousands of controllers each handling one specific part of operation suddenly slamming to a halt. What is the recovery? What is the safe order of restart? Do we need people to clear out a batch of now useless product, or chemicals? Does some system require turning a key and pressing a button? And in that concept is a clue I’d missed … the order of recovery is critical.

AUTOMATIC Start fails, Manual Mode fallback

Let’s find some codes!

Firstly I’d whipped up a quick Python script that checked the entry screen and navigated to the sequence code prompt. It then looped from 0000 to 9999. Yeah I was kind of lazy and was just guessing from the crank what the value ranges were. I let that run overnight and in the morning did not have a successful code. Hmmmm…. as mentioned previously, google didn’t have much at all on this badge, but twitter was a gold mine. Finding the clues up there I knew 7313 was the electrical code and the format needed was A7B3C1D3. Manually confirming with a quick screen session:

screen "$(ls -t /dev/cu* | head -n 1)" 9600   # newest /dev/cu* device, 9600 baud

Electrical Activation

Indeed the electrical utility was now ONLINE and its LED flipped from green to red.

Alright quick quiz… the numeric values are from 1-8, does anybody recognize that number system?

Bueller?

That’s right! OCTAL! 🥳 Or rather octal values 0-7 shifted 1 digit. Instead of doing goofy math with modulo and skipping the 0 and 9 digits, or keeping a separate integer for each number’s place and manually carrying the one’s…. we can simply count up 4 octal digits from 0 to 4095 and cleanly move through the sequence of 1111 - 8888 without any silliness.

But first a quick quiz. Where else is octal used in modern computing?

You got it! UNIX file permissions! That’s how you get stuff like chmod 600

Anyways…

code=0                                      # Our counter value
width=4                                     # 4 digits every time
code_str=f"{code:0{width}o}"                # Output it as a 0-padded 4 digit octal string
abc_str=[]                                  # Going to build up the A1B1C1D1 pattern here
for idx, item in enumerate(code_str):       # For each char of "0000"
    abc_str.append(chr(int(ord("A")+idx)))  #     From A to D
    abc_str.append(chr(int(ord(item)+1)))   #     From 1 to 8
code_str=''.join(abc_str)                   # Array to string
print(f"Testing: {code_str}\n")             # Looks good!

(For a cool party trick, practice converting hex to octal on your fingers, and YOU TOO can be King of the Nerds for a day)

Then all I had to do was change my loop from trying 10,000 items to 4,096 and bob’s our uncle right?

Not quite.

I run this updated script against the next utility in order… Oil… and… nothing. Final sequence A8B8C8D8 Incorrect staring at me. Hmmm…. what did I miss?

Let’s run it against electrical and see if it correctly catches the code we already know.

Electrical code found

Hmmm…. that worked. It looks weird, but it worked. Why the corrupted text?

I’d been sending the codes over serial with “\r” slapped on the end, so when I output to the console:

print(f"CORRECT SEQ IS:{code_str}!!\n")

The “\r” (AKA Carriage Return) would move the cursor to the start of the line and then the final “!!” would overwrite the start of “CORRECT”.

Neat. But why wasn’t it catching Oil? Oh right, SEQUENCE OF RESTART IS CRITICAL!! I didn’t realize that yet. And there’s another gotcha, the utility activation has a timeout of oh, half an hour or so. Which means if I burn through the Oil code combos and move on to Gas, the electrical will be OFFLINE again and I won’t find ANY codes.

After a few passes of frustration and quadruple checking my script logic, I finally noticed that the electrical utility LED was GREEN again instead of the activated RED. Doh!

Now the process was, restart the badge, manually activate electrical, and then brute force a utility, repeating this each time.

We got GAS!!

Gas code located

Finally the real-world restart sequence clicks for me: obviously electrical is needed for all other utilities, the gas only requires power, but the oil might also need gas!

After restarting the badge, entering electric and gas codes, we brute the oil.

Oil code located

Now finally, with electric, oil and gas ONLINE, obviously the manufacturing plant would be the last that could restart operations.

Manufacturing code located

| Utility | Code | Order | Word |
|---|---|---|---|
| Electrical | A7B3C1D3 | 1 | Elite |
| Oil | A3B8C7D5 | 3 | ???? |
| Gas | A3B1C5D6 | 2 | ???? |
| Manufacturing | A7B7C3D5 | 4 | Sell |

Hmmm…. lmk if you figured out the meaning of the oil and gas codes.
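The false negative described above (a correct code rejected because a prerequisite utility had timed out), as an added example that is not the author's script or the badge firmware. It is a simulated badge: the restart order comes from this write-up, while the 1800-second timeout, the 3-second attempt cost and the rule that re-entering a known code refreshes its timer are assumptions.

```python
from itertools import product

# Constructed model: the restart order is from the write-up; the exact timeout,
# attempt cost and "re-entering a known code refreshes its timer" are assumptions.
DEPENDS = {"electrical": [], "gas": ["electrical"], "oil": ["electrical", "gas"],
           "manufacturing": ["electrical", "gas", "oil"]}
TIMEOUT = 1800       # seconds ("half an hour or so")
ATTEMPT_COST = 3     # assumed seconds per serial attempt

def serial_format(digits):
    """(7, 3, 1, 3) -> 'A7B3C1D3'"""
    return "".join(f"{chr(ord('A') + i)}{d}" for i, d in enumerate(digits))

class SimBadge:
    """Stand-in for the badge: a code only lands while prerequisites are ONLINE."""
    def __init__(self, secrets):
        self.secrets, self.online_at, self.clock = secrets, {}, 0

    def online(self, utility):
        started = self.online_at.get(utility)
        return started is not None and self.clock - started < TIMEOUT

    def enter(self, utility, code):
        self.clock += ATTEMPT_COST
        ready = all(self.online(dep) for dep in DEPENDS[utility])
        if ready and code == self.secrets[utility]:
            self.online_at[utility] = self.clock   # (re)start the timer
            return True
        return False

def sweep(badge, target, known, refresh_every=None):
    """Try 1111..8888 on target; optionally re-enter known prerequisite codes."""
    for n, digits in enumerate(product(range(1, 9), repeat=4)):
        if refresh_every and n % refresh_every == 0:
            for dep in DEPENDS[target]:            # already in restart order
                badge.enter(dep, known[dep])
        if badge.enter(target, serial_format(digits)):
            return serial_format(digits)
    return None    # "not found" may just mean a prerequisite went OFFLINE

def demo():
    """Sweep for gas without and with refresh, using codes from the table above."""
    known = {"electrical": "A7B3C1D3", "gas": "A3B1C5D6"}
    results = []
    for refresh in (None, 200):
        badge = SimBadge(known)
        badge.enter("electrical", known["electrical"])
        results.append(sweep(badge, "gas", known, refresh))
    return results
```

In this model the unrefreshed sweep reports nothing even though the gas code is in range, because electrical expires after 600 attempts; refreshing every 200 attempts keeps the precondition satisfied.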

Shot of final badge with 3 utilities GREEN and electrical RED

Maybe in part 2 I’ll record cranking in all the codes…. maybe even open this thing up a bit. Honestly it’s so slick I don’t wanna damage it. What a fantastic badge! Props to the tymkrs and @DragosInc for an extremely memorable badge.

If this got you a little bit interested in the ICS/OT world…. there’s a ton of resources out there but it’s a bit spread out. It’s a vast industry, here’s a nice list I found: ICS Resources. Essentially there’s a spectrum of hardware labs replicating real world environments such as airports, trains, chemical factories, etc… some fit on a desk, others take up an entire wall rack. For example: CERL Test Environments, such as in Idaho and the Pacific Northwest, where people can actually go and spend days working through a functional reproduction of entire environments. That kind of explains why I saw so many folks from Idaho presenting at BSides ICS Miami. At the opposite end are the virtual devices (such as OpenPLC) and mockup APIs for CTF and trainings. You can start on the virtual side and gradually fill in real hardware as you build your personal lab.

Shout outs to Oren Niskin, Mike Holcomb, Jenee and Morgan of Fox-Pick, Remy Stolworthy, and Faith Hubbard, some amazing people I met at BSides ICS Miami.

Note: The tymkrs have a ton of video on their youtube channel. I’m not watching all that, but there could be some solid badge insider stuff buried in there.

Lost footage :(

Turning of the crank

“Rarest badge at defcon 30”