sputnak.ga

The NorthSec 2018 Badge

Hey! You found a URL on the badge!
Here is some useful information about the NorthSec badge.

Schematics

You can download the full schematics here.

Battery charge

Protip: Charge the badge with LED and display off to minimize charge time.

Customizing your badge

LED patterns

The badge has preprogrammed LED patterns you can choose from the menu. Some of them can be unlocked by finding "codes" in various places during the NorthSec conference.

LED Bluetooth service

The exposed service with UUID `CBCA0000-BFBE-BDBC-BBBA-AFAEADACABAA` controls the RGB LEDs on the badge. The LEDs are driven by a port of the `WS2812FX` Arduino library. The LEDs can be represented as a segment with the following parameters:

When you change the LED pattern or the LED settings, you are actually changing segment 0. Over BLE it is possible to create your own set of segments: for example, you can create one segment from LED 0 to LED 3 and another from LED 4 to LED 7. The only common parameter is the brightness. The service exposes each parameter over its own characteristic.

Creating your own pattern:

  1. Unlock your service by sending your sync key as text to the Sync Key characteristic. You can read back the `Is Unlock` characteristic to check whether your service is unlocked.
  2. Select your segment index with the Selected Segment characteristic.
  3. Select the first and last LED with the Start Index and Last Index characteristics (LED indexes can overlap with other segments, it's just more fun).
  4. Select the mode with the Mode characteristic.
  5. Default colors are BLUE-RED-GREEN, but you can change them with the Colors characteristic.
  6. Optional: change the Speed.
  7. Optional: set the Brightness.
  8. Set the segment to active using the segment `Is Active` characteristic and tadam. The result will stay even if you turn off your badge. If you selected segment 0, you will lose your pattern when you select a new one from the list.

You can set the segment to active at any time, then make modifications and see the feedback in real time.

Characteristics

| UUID | Description | Size | Note |
|---|---|---|---|
| CBCA000B-BFBE-BDBC-BBBA-AFAEADACABAA | Sync Key | String, 4 bytes | Write only, use the good one, or the service will relock |
| CBCA000A-BFBE-BDBC-BBBA-AFAEADACABAA | Is Unlock | | Read only, 0 for locked, 1 for unlocked |
| CBCA0001-BFBE-BDBC-BBBA-AFAEADACABAA | Selected Segment | 1 byte | Min = 0, Max = 7 |
| CBCA0002-BFBE-BDBC-BBBA-AFAEADACABAA | Start Index | 1 byte | Min = 0, Max = 7 |
| CBCA0003-BFBE-BDBC-BBBA-AFAEADACABAA | Stop Index | 1 byte | Min = 0, Max = 7 |
| CBCA0004-BFBE-BDBC-BBBA-AFAEADACABAA | Mode | 1 byte | Select an index in the basic and extra lists; the ones in extra need to be unlocked |
| CBCA0005-BFBE-BDBC-BBBA-AFAEADACABAA | Colors | 12 bytes | An array of 3 colors (color1, color2, color3), each coded in 4 bytes (R, G, B, W). Ex: Magenta = 0xFF 0x00 0xFF 0x00 (W has no effect) |
| CBCA0006-BFBE-BDBC-BBBA-AFAEADACABAA | Speed | 2 bytes | Min = 0x0A, Max = 0xFFFF (Min is faster than Max) |
| CBCA0007-BFBE-BDBC-BBBA-AFAEADACABAA | Reverse | 1 byte | 1 = Reversed, 0 = Normal |
| CBCA0008-BFBE-BDBC-BBBA-AFAEADACABAA | Segment is Active | 1 byte | 1 = Active, 0 = Inactive |
| CBCA0009-BFBE-BDBC-BBBA-AFAEADACABAA | Led Brightness | 1 byte | Min = 0 (off), Max = 100 |

Identity Services

The badge exposes a Bluetooth Low Energy (BLE) service that allows you to customize the name on your badge wirelessly.

The service UUID is CBCA0100-BFBE-BDBC-BBBA-AFAEADACABAA.

| UUID | Permissions | Size | Description |
|---|---|---|---|
| CBCA0101-BFBE-BDBC-BBBA-AFAEADACABAA | Read-Write | 14 bytes | The owner name (defaults to Cosmonaut #00). |
| CBCA0102-BFBE-BDBC-BBBA-AFAEADACABAA | Read-Write | 4 bytes | Sync key. Set this to the sync key displayed in the settings menu to "unlock" the badge and allow you to upload a new name and avatar. The badge will relock if you set it to anything else. |
| CBCA0103-BFBE-BDBC-BBBA-AFAEADACABAA | Read-only | 1 byte | Set to 1 if badge is unlocked, 0 otherwise |

To customize your badge you shall:

  1. Connect to your badge via BLE. Your badge ID is on the top left of the screen
  2. Write your sync key to the "Sync key" characteristic.
  3. Write your name as an ASCII string to the "name" characteristic.
  4. Write a 128-byte bitmap to change your avatar.
  5. Write a random value (or nothing) to the "Sync key" characteristic to relock and protect your badge from so-called "hackers".
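
The two write sequences described above (the LED segment steps and the identity steps), as an added example that is not part of the original page or the badge firmware: it builds the ordered (UUID, payload) writes and rejects values outside the ranges in the tables, leaving the actual sending to whatever BLE client you use. The function names are hypothetical, the little-endian Speed encoding and the four-zero-byte relock value are assumptions, and the avatar write is omitted because the page gives no characteristic for it.

```python
import struct

BASE = "CBCA%04X-BFBE-BDBC-BBBA-AFAEADACABAA"  # UUID pattern from the tables

def _key(sync_key):
    key = sync_key.encode("ascii")
    if len(key) != 4:
        raise ValueError("sync key must be 4 ASCII characters")
    return key

def _u8(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside {lo}..{hi}")
    return bytes([value])

def led_segment_writes(sync_key, segment, start, stop, mode,
                       colors=None, speed=None, brightness=None):
    """Ordered (uuid, payload) writes for LED steps 1-8."""
    writes = [
        (BASE % 0x000B, _key(sync_key)),                 # 1. unlock
        (BASE % 0x0001, _u8("segment", segment, 0, 7)),  # 2. segment index
        (BASE % 0x0002, _u8("start", start, 0, 7)),      # 3. first LED
        (BASE % 0x0003, _u8("stop", stop, 0, 7)),        #    last LED
        (BASE % 0x0004, _u8("mode", mode, 0, 255)),      # 4. mode index
    ]
    if colors is not None:  # 5. three (R, G, B) tuples; W byte is sent as 0
        if len(colors) != 3:
            raise ValueError("exactly 3 colors are required")
        writes.append((BASE % 0x0005,
                       b"".join(bytes((r, g, b, 0)) for r, g, b in colors)))
    if speed is not None:   # 6. optional speed
        if not 0x0A <= speed <= 0xFFFF:
            raise ValueError("speed outside 0x0A..0xFFFF")
        # Assumption: little-endian; the page does not state the byte order.
        writes.append((BASE % 0x0006, struct.pack("<H", speed)))
    if brightness is not None:  # 7. optional brightness
        writes.append((BASE % 0x0009, _u8("brightness", brightness, 0, 100)))
    writes.append((BASE % 0x0008, b"\x01"))              # 8. activate
    return writes

def rename_writes(sync_key, name, relock=b"\x00\x00\x00\x00"):
    """Identity steps 2, 3 and 5: unlock, set name, relock (assumed value)."""
    raw = name.encode("ascii")
    if len(raw) > 14:
        raise ValueError("name is limited to 14 bytes")
    if relock == _key(sync_key):
        raise ValueError("relock value must differ from the sync key")
    return [(BASE % 0x0102, _key(sync_key)), (BASE % 0x0101, raw),
            (BASE % 0x0102, relock)]  # last write relocks the badge
```
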

Hacking your badge

The USB port exposes a serial device that acts as a gdb stub. It is based on the Black Magic Probe. You can use it to read and write memory and to debug the nRF52 micro-controller with only a micro USB cable.

All you need to hack the nRF52 firmware is gdb with support for ARM. First, download the following target description:

On Linux the gdb stub should appear as /dev/ttyACM* on recent distros when the USB is plugged in. On macOS, it should be /dev/cu.usbmodem*.

Use the following gdb commands to attach to the badge micro-controller:


        target extended-remote /dev/{badge_serial_device}
        set gnutarget elf32-littlearm
        # Make sure gdb-tdesc-cortex-m4f.xml is in the current working directory
        set tdesc filename gdb-tdesc-cortex-m4f.xml
        monitor swdp_scan
        # You should see the nRF52 listed in the scan.
        attach 1
        set mem inaccessible-by-default off
        set debug arm
    

From there, you can use the usual gdb commands such as break, dump and load.

You can reset the debugger with the RESET button on the back of the badge. This is sometimes useful if the gdb stub stops responding.

Source code will be available soon.

Come back later. We will update this page and explain the cool stuff about it.