CHUCKWAGON design files from DEF CON 22 are released

CHUCKWAGON design files from DEF CON 22 are released

The schematic, EAGLE CAD files, and Bill of Materials for the CHUCKWAGON I2C adapter as presented at DEFCON22 are now available. You can buy the board directly from OSH Park, the components from Digikey, and solder the device yourself. For those looking for some references on using I2C on the BeagleBone Black, check out my I2C references post.

CHUCWAGON soldered to the CryptoCape. I soldered wires underneath and to the male headers just below the CHUCKWAGON.
CHUCWAGON soldered to the CryptoCape. I soldered wires underneath and to the male headers just below the CHUCKWAGON.

It does require surface mount soldering, but it’s a good board on which to practice. The top layer isn’t so bad but the pads for the P-channel MOSFET on the bottom are a bit tight. If you don’t want to deal with the P-Channel MOSFET, you can put a solder bridge over the source and drain and connect the 5V rail from the VGA adapter to the board. Just be careful not to get the gate, which will short the power rail to ground!

The CHUCKWAGON was also in the NSA Playset Deluxe package. This package was auctioned at the EFF auction, theSummit, which sold for over $2,000. A representative from the EFF passed along their thanks:

Thank you very much for your fantastic donation this year! It’s clear how appreciated it was as it is now the highest valued item auctioned at the EFF summits… ever!

The collection of NSA Playset gadgets. There's a CHUCKWAGON in there somewhere... Photo by Michael Ossman
The collection of NSA Playset gadgets. There’s a CHUCKWAGON in there somewhere…
Photo by Michael Ossman

I think the two HackRFs in the bucket were of greater value than the CHUCKWAGON though 😉

Happy Hacking!

DIY Hardware Implant talk at DEF CON time is posted

My DEF CON 22 Talk, NSA Playset: DIY WAGONBED Hardware Implant over I2C, time is now posted on the DEF CON schedule. It’s Sunday at 11:00 am in Track 1. Be sure to stay for the NSA Playset: GSM Sniffing directly following!

The NSA Playset talks have been receiving some attention in the press. You don’t want to miss them!


In this talk we present an open source hardware version of the NSA’s hardware trojan codenamed WAGONBED. From the leaked NSA ANT catalog, WAGONBED is described as a malicious hardware device that is connected to a server’s I2C bus. Other exploits, like IRONCHEF, install a software exploit that exfiltrate data to the WAGONBED device. Once implanted, the WAGONBED device is connected to a GSM module to produce the NSA’s dubbed CROSSBEAM attack.

We present CHUCKWAGON, an open source hardware device that attaches to the I2C bus. With the CHUCKWAGON adapter, we show how to attach an embedded device, like a BeagleBone, to create your own hardware implant. We show how to add a GSM module to CHUCKWAGON to provide the hardware for the CROSSBEAM exploit. We improve the WAGONBED implant concept by using a Trusted Platform Module (TPM) to protect data collection from the target. The talk will demonstrate how these features can be used for good, and evil!

BeagleBone Black I2C References

I’m planning on heavily using I2C for my CryptoCape. I’m still working through issues, but I wanted to capture some of my research in this post. As I’m currently experimenting, please treat this information as notes and not as definitive information. Feel free to post corrections in the comments and I’ll update the content.

The BeagleBone Black (BBB) has three I2C buses (thanks to Smith Winston providing most of this information at his discussion post):